18-24 June 2021

COVID-19

Ottawa In Talks With Provinces, Territories Over ‘Proof Of Vaccination’ Passport for International Travel

Intergovernmental Affairs Minister Dominic LeBlanc says Ottawa is in talks with the provinces and territories about creating some type of “passport” containing proof of vaccination against COVID-19. LeBlanc says while health information falls under provincial jurisdiction, Ottawa’s goal is to provide Canadians with a document to verify vaccinations against the coronavirus if they want to travel outside Canada. LeBlanc says the government may provide Canadians who want to travel soon an interim document to verify vaccinations. SEE ALSO: Canada Is Launching a “Vaccine Passport” Next Month

OPC Therrien Urges Proper Safeguards for Vaccine Passports

Privacy Commissioner of Canada Daniel Therrien told the House of Commons Standing Committee on Access to Information, Privacy and Ethics that Canada’s COVID-19 vaccine passport application needs sufficient purpose limitations and user safeguards. Therrien said there are “issues about protection of that information” that require a detailed review process “that we have not yet done.” Therrien spoke confidently about arriving at a “privacy-sensitive and protected” solution.

Access, Privacy, Enforcement: Lawyers Say Canada’s Plan for Digital Vaccine Passports Raises Thorny Issues

The prospect of digital vaccine passports being required for Canadians embarking on post-pandemic travel has some raising concerns over privacy, accessibility, and enforcement. Immigration lawyer Alex Stojicevic says the most obvious concern is that those who don’t have access to the proper tech will face barriers to travel. He also has concerns around who will be reviewing people’s proof of vaccine. He says people should not be required to hand their phones over to Canada Border Services Agency. Stojicevic says there are a number of other thorny logistical issues — including the fact that each province within Canada is approaching immunization in a different way, and sharing different data. Privacy concerns are also being raised by the Canadian Civil Liberties Association. According to Executive Director Michael Bryant: “We need to make sure that that data, held internationally, is kept secure and private and isn’t used for other purposes and other agencies, other than its intended purpose of international travel. It’s one thing to require people to waive their privacy rights at the border. It’s quite another thing to ask people or require people to waive their privacy rights once they are in Canada, travelling between provinces or entering public facilities or using public services.”

Nova Scotia Privacy Commissioner Calls for Strong Vaccine Passport Privacy Protections

Nova Scotia Information and Privacy Commissioner Tricia Ralph called for future vaccine passports to have proper privacy protections in place. Ralph called for a privacy impact assessment to take place in a letter to the provincial government.

Biometrics / Identity

EU Privacy Watchdogs Call for Ban on Facial Recognition in Public Spaces

The European Data Protection Board and European Data Protection Supervisor teamed up to call for a ban on the use of facial recognition in public spaces, going against draft European Union rules which would allow the technology to be used for public security reasons. “A general ban on the use of facial recognition in publicly accessible areas is the necessary starting point if we want to preserve our freedoms and create a human-centric legal framework for AI,” EDPB Chair Andrea Jelinek and EDPS head Wojciech Wiewiórowski said.

Denham Issues Opinion on UK’s Public Facial Recognition Deployments

U.K. Information Commissioner Elizabeth Denham offered a Commissioner’s Opinion regarding the use of facial recognition by private and public entities in public spaces. Denham explained “data protection and people’s privacy must be at the heart of any decisions to deploy (live facial recognition)” and the opinion aims to set “a high bar to justify the use of LFR and its algorithms.” The opinion, according to Denham, is based off law and “six ICO investigations into the use, testing or planned deployment of LFR systems.”

Civil Liberties Group Urges Liberal Party to Stop Using Facial Recognition Technology

The CCLA is calling on the governing Liberals to “cease and desist” using facial recognition technology to verify the identity of people voting in candidate nominations, saying it “takes unfair advantage of its exemption from Canadian privacy laws.” Further, it “sends the wrong message to municipal, provincial and federal election officials that this technology is ready for prime time,” reads the letter signed by executive director Michael Bryant and privacy, technology and surveillance program director Brenda McPhail.

Unemployment Applicants Say Facial Recognition Service Caused Benefit Denials

Some U.S. unemployment recipients say incorrect identity verification by ID.me’s facial recognition technology led to denial of unemployment benefits. The service uses applicants’ biometric information with official documents to confirm identity, but some said the technology failed to correctly identify them, putting applications on hold.

Regulators Launch Campaign Against Spy Cameras, Hidden-Camera Videos

The Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Public Security Bureau and the State Administration for Market Regulation announced a three-month campaign against spy cameras and hidden-camera videos. The regulators say online platforms and camera developers that do not address privacy violations will be “severely punished” in accordance with laws and regulations. The campaign follows passage of China’s Data Security Law, slated to take effect 1 Sept.

Health Privacy

Niagara Health Patients First in Ontario to Access Diagnostic Scans Under One Digital ID

Patients at Niagara Health are among the first in the province who can access their diagnostic records such as an x-ray, CT scan, MRI, or ultrasound through Ontario trusted account, a unique patient digital identity service on the Niagara Health Navigator mobile app. Similar to the ease of online banking, patients can view and manage their diagnostic records from the convenience of their mobile device and can choose to securely share access with family members, family doctors, specialists and other care providers. This is powered by PocketHealth, a service that receives digital diagnostic records from the hospital, organizes them in a secure account and stores them for patients to access at a small fee. For more information on the Ontario trusted account, visit https://mytrustedaccount.ca

UK Health Department, NHS Publish Draft Health Data Strategy

The U.K. Department of Health and Social Care and the National Health Service released a draft data strategy that will provide patients more control of their health and records. The strategy proposes ease of access to data for patients and medical professionals while also simplifying data sharing practices. The NHS noted its plan comes with a commitment “to using data lawfully, with respect, and holding it securely with the right safeguards in place.” Additionally, the NHS committed to publishing a transparency report on data use by 2022.

Mobile / Location

CNIL Releases Draft Recommendation on Retention of Traceability Data

France’s data protection authority (CNIL) launched a public debate over its draft recommendation relating to terms of retention and use of data logs. One of the purposes of data logs, particularly in multi-user systems, is to ensure traceability of access and actions on the information systems within an organization facilitating security policy compliance. When it comes to retention periods for data logs, the CNIL recommends a period not exceeding six months to one year is sufficient except for cases when a legal obligation or particularly significant risk would require another retention period.

Commission d’accès à l’information du Québec Issues Guidance on Employee Geolocation Tracking

The Commission d’accès à l’information du Québec has issued guidance on employee geolocation tracking.

Online privacy / Surveillance

Study Reviews Pandemic-Era Employee Monitoring Trends

Software designer Surfshark released its Employee Surveillance Report highlighting trends in employee surveillance from March 2020 to March 2021. Surfshark scraped searches for “bossware” surveillance tools across the world and found the use of and interest in employee monitoring was most prevalent in Sweden, the U.S. and Norway. The study also found one in five businesses are deploying surveillance technology while 62% of companies do so to collect productivity data. The report goes on to compare various monitoring tools and discuss potential employee privacy tactics.

Dutch Organizations File Claim Against TikTok Over Children’s Privacy

In a claim against TikTok, Dutch consumer protection organization Consumentenbond and the Take Back Your Privacy Foundation say the company should pay 1.5 billion euros for illegally collecting and selling children’s data for targeted advertising. The organizations also said TikTok should delete children’s data it has maintained. “TikTok’s way of working is pure exploitation and the company is earning hundreds of millions a year from children,” Consumentenbond Director Sandra Molenaar said.

Law Enforcement

RCMP Body Camera Pilot Project Wraps Up in Iqaluit

A pilot project in which Iqaluit RCMP officers wore body cameras while working has wrapped up but concerns about accountability and trust remain. Last fall, the Iqaluit RCMP launched a trial run increasing the number of Iqaluit officers wearing cameras, until all 53 were equipped in February. According to Legal Aid, officers wore the cameras at work, but they would be turned on only after the initial interaction, or in some cases, the arrest. Also, the camera only points in one direction, so it doesn’t capture everything. “There’s no guarantee that even if there is an image that is damning of police that police will release it,” said a professor.

LAPD Provided with Free Surveillance Cameras for Promotion

Ring gave Los Angeles Police Department officers free devices or discount codes to market its surveillance cameras. According to emails obtained by the Los Angeles Times, the company encouraged officers to “spread the word” about its doorbell’s ability to “reduce crime in neighborhoods.” ACLU of Southern California Senior Staff Attorney Mohammad Tajsar said the relationship highlights “a lack of clarity as to where the public sector ends and private surveillance capitalism begins.” A Ring spokesperson said the marketing campaign ended “years ago.”

Data Sciences

EDPB, EDPS Issue Opinion on Proposed AI Rules

The European Data Protection Board and European Data Protection Supervisor released a joint opinion on the European Commission’s proposed artificial intelligence regulation. Notably, the opinion proposed a ban on AI-powered biometric recognition technologies and potentially discriminatory AI systems in public spaces. In a joint statement, EDPB Chair Andrea Jelinek and EDPS Wojciech Wiewiórowski said the ban is a “necessary starting point” for a “human-centric legal framework for AI,” also noting the biometric deployments in combination with AI “means the end of anonymity in those places.”

Study Looks at Advances, Long-Term Impact of AI

A new report from Pew Research Center and Elon University’s Imagining the Internet Center found 68% of responding developers, business and policy leaders, researchers and activists do not believe ethical principles focused on public good will be employed in most AI designs by 2030. The report includes written explanations from professionals, including Google’s Chief Internet Evangelist Vint Cerf, who said, “There will be a good-faith effort, but I am skeptical that the good intentions will necessarily result in the desired outcomes.”

NIST Seeks to Quantify User Trust In AI

The National Institute of Standards and Technology is looking to quantify user trust in artificial intelligence. The NIST is accepting public comments until July 30, saying it wants to identify areas of mistrust in AI and promote informed decisions in its use. A user trust score will be used to measure items such as the age, gender, cultural beliefs and AI experience of an individual using an AI system, while a trustworthiness score will explore technical concepts.

Security / Breaches

Humber River Restores Computers After Malware Attack

Humber River Hospital is continuing to work through the shutdown of its computer systems in response to an extensive malware attack last week. The hospital had deactivated all of its computers as a safety precaution against the attack, which was a form of ransomware. Because the organization caught the malware early, it believes that it avoided the loss of data and has not received demands for a ransom.

Kroll Releases ‘2021 Data Breach Outlook’

Digital service provider Kroll published its “2021 Data Breach Outlook,” which reviewed the effects of data breaches on its clients in 2020. The report shows a 140% increase in data breach notifications compared to 2019, with the most affected industries being health care, education and financial services. Kroll said the rise in incidents is linked to a combination of remote work, the evolution of ransomware, impacts to supply chain attacks, and heightened awareness to privacy rights and regulations. SEE ALSO: Cybersecurity Firm Reports 116% Increase in Ransomware Attacks | A survey released by Cybereason found 80% of organizations that paid demands in ransomware attacks experienced a second breach, 46% believing it to be caused by the same threat actors.

CISA Highlights How SolarWinds Attack Could’ve Been Prevented

The U.S. Cybersecurity and Infrastructure Security Agency highlighted how established security recommendations could have stopped last year’s SolarWinds cyberattack, Reuters reports. In a letter to U.S. Sen. Ron Wyden, D-Ore., the CISA said had victims configured their firewalls to block outbound connections from the servers running SolarWinds, it “would have neutralized the malware,” adding those who did so avoided the attack.

Danish DPA Offers Ransomware Guidance

Denmark’s data protection authority, Datatilsynet, posted guidance on best practices to combat ransomware attacks. In a video, Datatilsynet IT Security Specialist Allan Frank offered advice on mitigation tactics as well as proper system backups. Additionally, the DPA issued a checklist of actions organizations can take to reduce the threat of ransomware, including employee awareness, system patching, filtered emails and more.

17 June 2021

COVID-19

UN Agency Details New ‘Digital Seal’ As Countries Mull COVID-19 Vaccine Passports

The International Civil Aviation Organization (ICAO) is paving the way for the creation of COVID-19 vaccine passports. In a press release, the ICAO says it has made new “technical specifications for a visible digital seal.” The ICAO said the seal stores datasets for “test and vaccination certificates” in a two-dimensional barcode which can be made of paper or “screen-based.” “Border control and other receiving parties can verify the data against established requirements efficiently and seamlessly, including through the use of traveller self-service kiosks and processes.”

Nova Scotia Privacy Commissioner Calls for Strong Vaccine Passport Privacy Protections

Nova Scotia Information and Privacy Commissioner Tricia Ralph called for future vaccine passports to have proper privacy protections in place. Ralph called for a privacy impact assessment to take place in a letter to the provincial government. “They can be a valuable tool for Canadians, but my concern is they be done the right way,” said Ralph. “My concern is they be developed in a way that would not collect too much information or disclose too much information than is really necessary.”

Human Rights Commission Wants Cautious Approach to COVID-19 Vaccine Cards

The Manitoba Human Rights Commission urges caution in the wake of the province’s plan to issue COVID-19 immunization cards to people two weeks after they get their second vaccine dose. The MHRC said requirements for people to provide proof of vaccination for work, access to public services or housing could potentially discriminate on the basis of disability, religious belief, political belief, social disadvantage and age. SEE ALSO: Manitoba Human Rights Commission ‘monitoring’ province’s COVID-19 vaccination card, incentives | Mayor questions vaccine card privacy | COVID-19 ‘vaccine passports’ could be abused in Manitoba, legal experts warn

Survey: 56% of Americans Don’t Trust Vaccine Passports to Protect Data

A survey conducted by Help Net Security gauged Americans’ attitude toward the security measures implemented by vaccine passports. Of the 3,000 Americans polled, 56% said they do not trust vaccine passports to keep their data secure. The study also found 58.5% of respondents said vaccine passports should not be required to attend sporting events, schools or other areas and events.

Biometrics / Identity

Privacy Commissioners Issue Draft Guidance on Police Use of Facial Recognition Technology

The OPC and the provincial / territorial privacy regulators have jointly released draft guidance on the use of facial recognition technology by police agencies for public comment. The draft guidance covers federal, provincial, regional and municipal police agencies, but not other public organizations such as border control or organizations in the private sector such as private security companies within its scope. But parts of the guidance may provide insight to organizations seeking to ensure compliance with privacy and human rights legislation, said the regulators. See also: Mugshots to megabytes: facial recognition has made privacy protection more urgent than ever 

Congress Weighs Moratorium on Facial Recognition and Biometric Surveillance Technologies

A group of congressional Democrats re-introduced the Facial Recognition and Biometric Technology Moratorium Act of 2021 (Senator Markey’s press notice).

Canadian Government Launches Plans for Digital Identity

The Government of Canada has launched the latest iteration of its digital strategy, which includes a continued effort to introduce secure digital identities for citizens. In the Digital Operations Strategic Plan (DOSP) 2021–2024, CIO Marc Brouillard said that the COVID-19 pandemic has “significantly accelerated the global shift to online services” and praised civil servants’ efforts. However, Brouillard said, the government needs to go even further to make digital services as seamless as possible. Alongside creating a single digital identity for citizens, other plans include Shared Services Canada (SSC) working to consolidate departments’ networks with a wholesale shift to “cloud-first networks”.

Maryland City Bans Facial Recognition and Other Biometric Updates

The Baltimore, Maryland, City Council approved a moratorium on use of facial recognition technology by residents, businesses and most of city government. The city’s police department is exempt from the moratorium.

DHS Planning Biometric System Update

The U.S. Department of Homeland Security is preparing to transition its 27-year-old biometric systems to its new Homeland Advanced Recognition Technology in December. The rollout is not expected to be fully operational until DHS addresses three outstanding risk management best practices cited by the Government Accountability Office. In the meantime, DHS and fellow national security entities will continue using the Automated Biometric Identification System, which stores biometric data on foreign nationals for travel, trade and immigration.

TikTok Has Started Collecting ‘Faceprints’ and ‘Voiceprints.’

Recently, TikTok made a change to its U.S. privacy policy, allowing the company to “automatically” collect new types of biometric data, including what it describes as “faceprints” and “voiceprints.” TikTok’s unclear intent, the permanence of the biometric data and potential future uses for it have caused concern among experts who say users’ security and privacy could be at risk.

Europe Needs to Back Browser-Level Controls to Fix Cookie Consent Nightmares: NOYB

European privacy group noyb, which recently kicked off a major campaign targeting rampant abuse of the region’s cookie consent rules, has followed up by publishing a technical proposal for an automated browser-level signal it believes could go even further to tackle the friction generated by endless “your data choices” pop-ups. Its proposal is for an automated signal layer that would enable users to configure advanced consent choices — such as only being asked to allow cookies if they frequently visit a website; or being able to whitelist lists of sites for consent (if, for example, they want to support quality journalism by allowing their data to be used for ads in those specific cases).

Youth and Children

Report Surveys EU Children’s Privacy Standards

The U.S. Law Library of Congress published a report exploring children’s data protection standards in 10 EU jurisdictions, including the EU’s own overarching regulations and policies. The other nine countries analyzed were France, Denmark, Germany, Greece, Portugal, Romania, Spain, Sweden and the non-EU member U.K. The report dives into the current landscape for children’s data protection in each case study before analyzing the protection of children in regard to targeted advertising.

Online Privacy / Surveillance

Google Agrees to UK CMA Commitments on Phasing Out Cookies

Google agreed to a series of commitments with the U.K. Competition and Markets Authority over its plan to phase out cookies via its Privacy Sandbox proposal. The commitments include limits on how Google can use user data for digital advertising after third-party cookies are removed and informing the CMA 60 days before it starts to remove cookies to give the agency an opportunity to reopen its investigation.

Google Announces Privacy, Data Security Measures for Workspace

Google announced new privacy and data security measures within its Google Workspace. Client-side encryption will give customers control of encryption keys and make customer data indecipherable, the company said. Google also announced new phishing and malware content protection for Google Drive and launched Drive labels, which enables users to classify files to ensure proper handling. The feature also works with Google Workspace’s data loss prevention and Google Vault capabilities to enhance data loss prevention.

New Privacy and Security Features Coming to iOS and macOS

Apple has unveiled improvements to iOS designed to keep your email private, crack down on data stealing apps, and help you find lost devices.

Location Privacy

Vehicle Location Data Appears to Identify People, Addresses

While Otonomo’s vehicle location data is supposed to be pseudonymous, a Motherboard investigation linked the data to vehicle owners and movements. Data from Otonomo was used to track drivers’ locations and identify their likely home addresses and identities. Electronic Frontier Foundation Staff Attorney Adam Schwartz called the data a “privacy nightmare.”

Law Enforcement

Bitcoin is Traceable, Colonial Pipeline Investigation Shows

Federal investigators’ recovery of $2.3 million of the $4.3 million in Bitcoin that Colonial Pipeline paid to hackers in a ransomware attack shows cryptocurrencies may not be hard to track. While cryptocurrency can be transferred without a bank’s permission, it can also be tracked and seized by law enforcement, and each payment is recorded in a permanent ledger. “It is digital bread crumbs,” said former federal prosecutor Kathryn Haun. “There’s a trail law enforcement can follow rather nicely.” SEE ALSO: The Fed’s Digital Dollar Would Be ‘Nightmareville’ for Privacy | Bitcoin network approves privacy update as scrutiny increases

ICCL To Sue IAB Tech Lab Over Real-Time Bidding Allegations

The Irish Council for Civil Liberties is filing a lawsuit against the Interactive Advertising Bureau Tech Lab for alleged EU General Data Protection Regulation violations. The ICCL will file the suit in Hamburg, Germany, arguing real-time bidding systems, used by IAB member companies, harvest users’ personal data. “A retailer might use the data to single you out for a higher price online. A political group might micro-target you with personalised disinformation,” said ICCL Senior Fellow Johnny Ryan.

Mobile / Location

Apple CEO Says EU’s Proposed DMA Threatens iPhone Security, Privacy

Apple CEO Tim Cook said the European Union’s proposed Digital Markets Act will threaten the security and privacy of iPhones. While Cook said parts of the proposal are good, he criticized others, like language that would lead to installation of applications outside of Apple’s App Store. “It would destroy the security of the iPhone, and a lot of the privacy initiatives that we’ve built into the AppStore or the privacy intrusion labels and app-tracking transparency,” he said.

Data Sciences

Experts Doubt Ethical AI Design Will Be Broadly Adopted as the Norm Within the Next Decade

According to Pew Research Center, a majority of developers, business and policy leaders, researchers and activists worry that the evolution of artificial intelligence by 2030 will continue to be primarily focused on optimizing profits and social control. They also cite the difficulty of achieving consensus about ethics. Many who expect progress say it is not likely within the next decade. Still, a portion celebrate coming AI breakthroughs that will improve life.

ICO Calls for Views on Anonymisation Guidance

The UK ICO has published a call for views on the first draft chapter of its anonymisation, pseudonymisation and privacy enhancing technologies draft guidance. This first chapter is part of a series of chapters of guidance that the ICO will be publishing on anonymisation and pseudonymisation and their role in enabling safe and lawful data sharing. The guidance supplements the ICO’s Data Sharing Code of Practice.

Accounting Firm to Invest $12B in AI, Cybersecurity Hires

Accounting firm PricewaterhouseCoopers is planning to invest $12 billion over the next five years in hiring 100,000 new employees in artificial intelligence and cybersecurity. As companies face increasing scrutiny on issues including data privacy, PwC U.S. Chairman and Senior Partner Tim Ryan said, “It’s critical that our people have those skills.” The firm also plans to offer new products featuring artificial intelligence and machine learning, Ryan said, and is considering acquiring other companies to grow offerings.

Security / Breaches

G7 Commits to Action on Ransomware, Digital Privacy

The G7 group has urged Russia and other countries that may harbour criminal ransomware groups within their borders to take accountability for tracking them down and disrupting their operations. Meanwhile, the G7 also committed to ongoing collaboration towards a “trusted, values-driven digital ecosystem” and an “open, interoperable, reliable and secure internet” that is unfragmented, and supports freedom, innovation and trust to empower users. “We support the development of harmonised principles of data collection which encourage public and private organisations to act to address bias in their own systems, noting new forms of decision-making have surfaced examples where algorithms have entrenched or amplified historic biases, or even created new forms of bias or unfairness.” The summit further addressed issues around internet safety and countering far-right hate speech, whilst protecting fundamental human rights and freedoms such as freedom of speech and expression.

03-10 June 2021

COVID-19

European Parliament Finalizes COVID-19 Certificate Program

The European Parliament announced final approval of the EU’s COVID-19 certificates. Citizens will be issued a quick response code carrying information proving vaccination, negative test result or recovery from a COVID-19 infection. All EU member states will accept the certificates proving vaccination, negative test result or recovery from a COVID infection. It should facilitate free movement and contribute to restrictions being lifted gradually in a coordinated manner. It should apply from 1 July 2021 and be in place for 12 months.

Canadian Commissioners Adopt Resolution on Pandemic Privacy and Vaccine Passports

Canada’s federal, provincial and territorial information and privacy commissioners issued a joint resolution calling on governments around the country to respect citizens’ privacy rights during and after a pandemic. The resolution includes 11 principles Canadian governments can implement to modernize “legislative and governance regimes around freedom of information” and make privacy a priority.

Manitoba Launches New, Secure Immunization Cards for Fully Vaccinated People

Fully immunized Manitobans will now be able to travel without having to self-isolate for two weeks upon return with a new, secure immunization card that will be available to people two weeks after they have received both doses of a COVID-19 vaccine, Premier Brian Pallister announced today.

Vaccination Records Raising Privacy Concerns in California

The California Public Department of Health’s digital Immunization Information System holds information of California residents who received a COVID-19 vaccination, raising concerns over health data. Privacy advocates say current regulations do not prevent vaccine data from being leaked or sold into data markets, and raised concerns over weakened confidentiality laws and vaccine verification systems.

Hong Kong Residents Can Store Vaccine Records in LeaveHomeSafe App

Hong Kong residents can now store vaccination records or test records in the LeaveHomeSafe COVID-19 contact tracing application. Biometric or password authentication is used to unlock phones when attempting to access records. Data is saved locally on devices and users can remove the records at any time. The Privacy Commissioner for Personal Data was consulted to ensure the app’s compliance with the Personal Data (Privacy) Ordinance. SEE ALSO: A study from the Surveillance Technology Oversight Project that found vaccine tracking applications are ineffective and raise privacy concerns.

Biometrics / Identity

European Commission Proposes a Digital Identity for All EU Citizens

The European Commission has proposed a framework for a trusted and secure European Digital Identity (interchangeably referred to as ‘European e-ID’). In essence, the European Digital Identity will be available to all citizens, residents, and businesses in the EU, enabling them to prove their identity, access various services and share documents from their European Digital Identity wallets. The EC states that the European Digital Identity framework will be based on three pillars:

  1. Availability only to those who want to use it;
  2. Widely usable; and
  3. Users remaining in control of their data.

OPC Finds RCMP’s Use of Clearview AI Violates Privacy Act

The OPC found the RCMP’s use of Clearview AI services violated the Privacy Act. The RCMP matched photographs against individuals in a database provided by Clearview, which OPC determined violated Canadian privacy laws last year. “The use of (facial recognition technology) by the RCMP to search through massive repositories of Canadians who are innocent of any suspicion of crime presents a serious violation of privacy,” said Privacy Commissioner of Canada Daniel Therrien.

Human Rights Commission Urges Facial Recognition Ban

The Australian Human Rights Commission is urging the federal government to issue a temporary ban on “high-risk” use of facial recognition pending legislation. The commission recommends introducing legislation “that regulates the use of facial recognition and other biometric technology,” establishing an “artificial intelligence safety commissioner” and notifying affected individuals “where artificial intelligence is materially used in making an administrative decision.”

Feds Planning to Use Biometrics at Canada-US Border

Canada’s border agency has an “urgent need” to hire a global technology firm to help develop a biometric strategy in response to rapidly evolving issues including COVID-19. The CBSA issued a notice of procurement inviting 15 firms to submit proposals for immediately setting up an Office of Biometrics and Identity Management. The chosen contractor would help the border agency develop a plan to “manage, evolve and adapt” the use of biometrics while considering its relationship with other federal departments and international partners. The OPC had not been consulted about the border services agency’s procurement notice.

National Technical Spec for Digital Credentials to Provide Greater Privacy and Security for Canadians

With a growing need for reliable methods to confirm digital identities and documents as the economy pivots online, the Standards Council of Canada (SCC) has engaged the CIO Strategy Council to develop a technical specification that will bring widespread use of digital credentials a step closer. The new technical specification will set minimum requirements to ensure that digital credentials and trust services are interoperable between businesses and governments and create a seamless experience for users. Once agreed upon, the requirements will form the basis of conformity assessment solutions to provide consumers with confidence when sharing their digital personal information.

Class-Action BIPA Suit Alleges Unlawful Voice Assistant Use

A US federal court will consider a class-action suit from McDonald’s customers in Illinois alleging the fast-food chain violated the state’s Biometric Information Privacy Act. Plaintiffs claim voice assistants were utilized at McDonald’s drive-thru windows throughout Illinois and collected consumers’ biometric information without their express consent.

Mobile / Location Privacy

CBP’s Asylum Seekers App Brings Privacy Concerns

A U.S. Customs and Border Protection mobile application to help manage the information of asylum seekers is receiving backlash from privacy advocates. The CBP One app employs facial recognition, geolocation and cloud technology to collect, process and store the sensitive information. Despite privacy impact assessments from the Department of Homeland Security deeming the app as necessary,

Police Arrest Hundreds Using Data Gathered Through Backdoored Chat App

The FBI was able to trick criminals into using an FBI-developed app, ANoM, to communicate with each other. The app was distributed on phones configured for the purpose of using the app, and starting in 2018, distributed on black markets. This week, several law enforcement agencies worldwide searched hundreds of locations in a coordinated effort using information collected from the ANoM app. The raids led to 224 arrests, the seizure of 3.7 tons of drugs, and the disruption of 20 “threats to kill.”

Law In Hong Kong Would Connect Identity to Mobile Phone Numbers

A new law in Hong Kong that would require people to provide their real name and personal details to register mobile phone numbers, including prepaid SIM cards, is raising surveillance concerns. The policy would take effect in September. Assistant Professor at the Chinese University of Hong Kong School of Journalism and Communication Lokman Tsui said it is an invasion of privacy. “The Hong Kong government continues to make policies that show they don’t trust their own citizens,” he said.

Mexican Registry for Cell Phone Users Sparks Privacy Concerns

Mexico has approved a plan to register biometric data, names, and addresses of cell phone users in a database, in what activists say is an alarming decision. The Mexican government has already failed several times to protect personal data.

Amazon Sidewalk Brings Mobile Device Privacy Concerns

Amazon Sidewalk, a shared network initiative for Amazon devices set to roll out June 8, is raising privacy concerns. At launch, Sidewalk will automatically enroll devices, including Alexa, Echo and Ring products, into these networks unless users update their personal device settings. The sharing could potentially leave users’ devices and information, such as cameras and browsing histories, open to nearby devices within a local Sidewalk network.

Apple Unveils New Privacy Features for iOS 15

Apple unveiled a new slate of privacy features to debut with iOS 15 this fall. The upcoming operating system will include a “privacy report” that informs users about which applications collect their personal data.

Online Privacy

Max Schrems’ Privacy NGO, Noyb, Submits Hundreds of Draft Complaints to Companies Across Europe About Their Cookie Law Compliance

Max Schrems’ privacy NGO, noyb, has sent hundreds of draft complaints to companies across Europe that it claims use unlawful cookie banners, along with a guide on how to comply [press notice]. noyb is giving these companies one month to make the changes to their cookie banners and consent management solutions before filing formal complaints with data protection authorities.

FPF, PTA Release Privacy Tech Report

The Future of Privacy Forum and Privacy Tech Alliance released a new report titled “Privacy Tech’s Third Generation: A Review of the Emerging Privacy Tech Sector.” The report looks at the evolving privacy technology market, analyzes trends and predictions, and identifies five market trends and their implications for the future. Key themes include the COVID-19 pandemic’s role in accelerating global marketplace adoption of privacy tech and the role of regulatory compliance in driving initial privacy tech purchases.

Youth Privacy

CNIL Offers Children’s Privacy Recommendations

France’s data protection authority, the CNIL, released eight recommendations to improve the protection of minors online. Based on results from an April 2020 public consultation, the CNIL suggestions include increased parental supervision and controls, further exercising of minors’ rights, and a focus on age verification and consent. The regulator also noted it launched workshops to gain further perspective from minors. The CNIL announced a public consultation on a draft framework for processing minors’ data in relation to the social and medical care sectors. The public comment period ends 31 July.

Dartmouth Ends Unfounded Cheating Investigation After Students, Rights Groups Speak Out

The Dartmouth Geisel School of Medicine has ended its months-long dragnet investigation into supposed student cheating, dropping all charges against students and clearing all transcripts of any violations. This affirms what EFF, The Foundation for Individual Rights in Education (FIRE), students, and many others have been saying all along: when educators actively seek out technical evidence of students cheating, whether those are through logs, proctoring apps, or other automated or computer-generated techniques, they must also seek out technical expertise, follow due process, and offer concrete routes of appeal.

NYC, Kinsa Partner to Distribute Smart Thermometers in Elementary Schools

Technology company Kinsa is partnering with the New York City Department of Health to distribute up to 100,000 internet-connected thermometers in elementary schools. Data collected by the smart thermometers and an accompanying application will be aggregated, anonymized and made available to local health officials.

Surveillance

Stakeholders Pen Open Letter Urging Global Biometric Surveillance Ban

A coalition of more than 175 stakeholders signed an open letter supporting a global ban of biometric recognition technologies that aid mass surveillance efforts. The coalition, led by Access Now, claims the various tech deployments undermine civil liberties as they “identify, follow, single out, and track people everywhere they go.” Stakeholders added “no technical or legal safeguards could ever fully eliminate the threat” posed by biometric technologies, which indicates “they should never be allowed in public or publicly accessible spaces.”

Amnesty International Maps 15,000 Surveillance Cameras Used by NYPD

Human rights organization Amnesty International mapped the location of more than 15,000 cameras in Manhattan, Brooklyn, and the Bronx, used for surveillance and facial recognition searches by the New York Police Department. The cameras have been used in nearly 22,000 facial recognition searches since 2017. “Whether you’re attending a protest, walking to a particular neighborhood, or even just grocery shopping, your face can be tracked by facial recognition technology using imagery from thousands of camera points across New York,” said AI Researcher Matt Mahmoudi. [New Yorkers Are Watched by More Than 15,000 Surveillance Cameras]

Data Sciences

UK ICO Issues Draft Paper on De-Identification for Comment

The U.K. Information Commissioner’s Office opened a public consultation on the opening chapter of its draft guidance for anonymization, pseudonymization and privacy-enhancing technologies. The first of the seven-chapter guidance explores “the legal, policy and governance issues around the application of anonymization and pseudonymization in the context of data protection law.” The first consultation is open through 28 Nov.

CANON Publishes Report on De-Identification

The Canadian Anonymization Network (CANON) has recently published its report “Practices for Generating Non-identifiable Data” which was funded by the OPC. The report provides some definitions to ensure consistent terminology (which is a problem in this space), and presents a series of case studies of organizations implementing various approaches for creating non-identifiable data. It concludes with lessons learned across all of the case studies about current practices across multiple private and public sector organizations.

Australian Department of Health Notes Deidentification, Genomic Information Challenges Within Privacy Act

In a submission to a review of the Privacy Act 1988, the Australian Department of Health asked for government guidance on deidentification and genomic information. The department said, “any changes in the Privacy Act that require additional protections in relation to de-identified, anonymised, and pseudonymised information … will need to be supported by appropriate guidance and expertise in order for implementation to be effective.” It also noted “uncertainty and inconsistency” around genomic information within the scope of the Privacy Act.

Census Releases Guidelines for Controversial Privacy Tool

After three years of fierce debates, conflicting academic papers and a lawsuit, the U.S. Census Bureau announced guidelines for how a controversial statistical method [called Differential Privacy] will be applied to the numbers used for drawing congressional and legislative districts. The method is meant to protect the privacy of people who participated in the 2020 census, though critics have claimed it favors confidentiality at the expense of accurate numbers. [See also: Harvard Researchers Discourage Differential Privacy Use in 2020 Census]

Security / Breaches

Cyber Attacks More Sophisticated, Data Exfiltration ‘Not Going Away’: Risk Expert

The pandemic has proven to be fertile ground for cyberhackers. Despite this, fewer organizations surveyed by the Canadian Internet Registration Authority expected to increase human resources dedicated to cybersecurity in the next 12 months, according to its 2020 Cybersecurity Report.

Highlights

US Agencies Share Updates on Ransomware Protections

The U.S. Department of Health and Human Services’ Office for Civil Rights shared updates from the White House and Cybersecurity and Infrastructure Security Agency on protecting against ransomware threats. Addressing an increase in the number and size of ransomware incidents, a White House memo called on the government and private sector to protect their organizations with recommended best practices. An OCR fact sheet included information for organizations regulated by the Health Insurance Portability and Accountability Act.

May 28 – June 3, 2021

COVID-19

7 EU countries roll out vaccine passport

Bulgaria, the Czech Republic, Denmark, Germany, Greece, Croatia and Poland made the digital green certificate available to citizens Tuesday. The certificate shows whether an individual is fully vaccinated against COVID-19, recovered from the virus or received a negative test over the past three days. See also: Privacy Commissioners Comment on Vaccine Passports; Ombudsmen from across Canada warn provinces of domestic COVID-19 vaccine passport pitfalls; Canadian Privacy Commissioners Issue Joint Guidance on Vaccine Passports

CoE, Parliament reach provisional deal on COVID-19 certificates

The Council of Europe and European Parliament reached a provisional deal on COVID-19 certificates. Under the deal, member states will not be able to store information gathered through the certificates. Entities processing personal information will be made public to allow citizens to exercise their rights under the EU GDPR. The European Parliament Committee on Civil Liberties, Justice and Home Affairs also endorsed the digital COVID certificates.

New York vaccine passport gaining traction amid privacy questions

More than 1 million New York Excelsior Passes — the first government-issued vaccine passport in the U.S. — have been downloaded since it was introduced in March. Some states banned the use of vaccine passports, citing privacy protections, while technology professionals warn of fraud possibilities. Surveillance Technology Oversight Project Executive Director Albert Fox Cahn downloaded a different individual’s Excelsior Pass using information from social media posts and Google in 11 minutes.

Identity / Biometrics

EU Commission proposes a trusted and secure Digital Identity for all Europeans

The Commission has proposed a framework for a European Digital Identity which will be available to all EU citizens, residents, and businesses in the EU. Citizens will be able to prove their identity and share electronic documents from their European Digital Identity wallets with the click of a button on their phone. They will be able to access online services with their national digital identification, which will be recognised throughout Europe. [Report from the Commission to the European Parliament and the Council on the evaluation of Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS)]

Digital wallet unveiled in EU

The European Commission announced its proposal for a digital wallet that would store payment details and passwords and be accessible via fingerprint or retina scanning. The application would allow citizens to access government websites or pay utility bills using one identity. Users could also store official documents on the app.

Facial Recognition in the News

New York City Biometrics Law Takes Effect in July 2021

Following the municipal ban on the use of facial recognition technology in Portland, Oregon, New York City’s more expansive “biometric identifier information” law, set to go into effect July 9, 2021, will ban the sale of biometric data but permit the use of biometric identifying technologies with posted notice to customers in “simple language” to be prescribed by forthcoming rules.

Online Privacy / Surveillance

NGO issues 560 cookies complaints, plans 10K more

Advocacy group NOYB sent 560 complaints to companies in 33 countries alleging unlawful deployment of cookie banners under the EU GDPR. NOYB Founder Max Schrems argues the violators do not provide a “simple yes or no option” for cookies but instead “use every trick in the book to manipulate users.” The group claims it will send up to 10,000 more complaints by the end of 2021 through its own automated system that detects cookie violations.

Mobile / Location

Amazon Sidewalk brings mobile device privacy concerns

Amazon Sidewalk, a shared network initiative for Amazon devices set to roll out June 8, is raising privacy concerns. At launch, Sidewalk will automatically enroll devices, including Alexa, Echo and Ring products, into these networks unless users update their personal device settings. The sharing could potentially leave users’ devices and information, such as cameras and browsing histories, open to nearby devices within a local Sidewalk network.

Law Enforcement

Richmond public CCTV cameras subject to function creep

Richmond may be one of the most ‘surveilled’ cities in Canada now that 110 closed-circuit TV cameras have been installed at major intersections, including those leading to Vancouver International Airport. Four years ago, Richmond adopted a $2.18-million “predictive traffic management” plan with footage also available to settle disputes like who actually was at fault in a crash. In 2018 B.C. Privacy Commissioner Michael McEvoy raised no objections to the plan after reviewing it because the traffic cameras deliberately collected low-resolution video that obscures faces and licence plates. To further ensure a privacy firewall, McEvoy also insisted that the city — not the RCMP — manage the data. Because Richmond accepted McEvoy’s guidance, its traffic management cameras are exempt from FIPPA. Now, Richmond wants the province’s blessing to jettison all of that. The mayor and council of the city with British Columbia’s fourth lowest crime rate want the cameras zoomed in, transformed from benign traffic monitoring into high-resolution surveillance.

Human rights groups say digital surveillance of immigrants raises privacy concerns

Human rights groups are urging the Biden administration and U.S. Immigration and Customs Enforcement to end a digital surveillance program that uses GPS-tracking ankle monitors and facial recognition technology to monitor immigrants. The groups said the SmartLINK application, one app used in the program that requires immigrants to check in with facial recognition and location confirmation, “raises a number of privacy and surveillance concerns.” They called for “solutions that put an end to all forms of immigrant surveillance and detention.”

Security / Breaches

Ransomware: avoidance and response

Ransomware is on the rise. A 2020 report by IBM demonstrates the commonality of these attacks, indicating that ransomware is by far the most common form of cyber attack in the world. It is also one of the most common cyber threats in Canada according to the Canadian Centre for Cyber Security (the “CCCS”). The CCCS stated that ransomware is becoming an increasingly common threat and that it is one of the cyber threats most likely to affect Canadians. It is thus understandable that Canadian IT professionals flagged malicious software attacks (including ransomware) as the most significant cyber risk according to the Canadian Internet Registration Authority’s 2020 Cybersecurity Report.

Phishing campaign targets government agencies

Microsoft said the group behind the SolarWinds hack launched a phishing campaign targeting 3,000 email accounts at more than 150 organizations, including government agencies.

U.S. Reports Health Breach Statistics

The U.S. Department of Health and Human Services’ HIPAA Breach Reporting Tool website has seen nearly 100 new breaches in recent weeks, while the Office for Civil Rights website listed 251 breaches added this year.

Canada Post reveals supplier data breach involving shipping information of 950,000 parcel recipients

A cyber-attack on a third-party supplier of Canada Post has resulted in a data breach impacting 950,000 parcel recipients. In a press release, Canada Post said it had informed 44 “large business customers” that they had potentially been affected by “a malware attack” against Commport Communications, a provider of electronic data interchange services.

Regulators

ICO seeks comments on guidance on privacy-preserving practices

The U.K. Information Commissioner’s Office opened a public consultation on the opening chapter of its draft guidance for anonymization, pseudonymization and privacy-enhancing technologies. The first of the seven-chapter guidance explores “the legal, policy and governance issues around the application of anonymization and pseudonymization in the context of data protection law.” The examination covers the ability to anonymize datasets, if it can be done effectively and what the benefits are to applying the practice.

EDPS launches ‘Schrems II’ investigations on EUIs, European Commission’s tech use

The European Data Protection Supervisor launched a pair of investigations as part of its strategy to have EU institutions comply with the Court of Justice of the European Union’s “Schrems II” decision. The first investigation centers on the use of cloud services provided by technology companies under Cloud II contracts by EU institutions, bodies and agencies, while the second focuses on the European Commission’s use of Microsoft Office 365.

21-27 May 2021

COVID-19

CoE, Parliament reach provisional deal on COVID-19 certificates

The Council of Europe and European Parliament reached a provisional deal on COVID-19 certificates. Under the deal, member states will not be able to store information gathered through the certificates. Entities processing personal information will be made public to allow citizens to exercise their rights under the EU GDPR. The European Parliament Committee on Civil Liberties, Justice and Home Affairs also endorsed the digital COVID certificates. See also: Proof of vaccination: privacy considerations for businesses.

B.C. Privacy Commissioner says vaccine passport must be secure, used sparingly

B.C. is exploring vaccine passports as proof of immunization for travel, but B.C.’s privacy commissioner warns the province needs to proceed with caution. “How do you make it so that it’s secure, that it only contains the information that it needs to and doesn’t do things like have a centralized database that would track people, for example?” “But there are larger issues as well,” said McEvoy. “Is it something that might be required to enter, for example, a care facility, versus a gym, versus a mall, versus a Canucks game? These are questions that, I think, are larger than privacy issues — they’re also human rights issues, and they are issues as a society I think we have to grapple with. Where is the balance in all of this, where is it necessary to show a credential like that where we think it’s going to make us safer, and where are places where perhaps we don’t need it?”

Yukon Privacy Commissioner releases guidance for ‘vaccine passports’

The Yukon’s Privacy Commissioner, Diane McLeod-McKay, has weighed in on the idea of vaccine passports with guidelines released May 19. The Yukon is set to change its current border restrictions on May 25. Under the new rules Canadians who are fully vaccinated (two vaccine doses plus the waiting period) are not required to self-isolate when coming to the territory from Outside. However, travellers will be required to provide documentation and must also sign a document allowing the government to verify the information via health records. McLeod-McKay said: “I believe in being proactive, I would much rather work with the department to try and make sure that the law is being complied with. We do work quite closely together. So I will be raising that issue with them and hopefully I get a positive response.” See also: What we know so far about Yukon’s plan to verify whether someone is fully vaccinated and CBC Interview with Yukon Premier.

Sask Privacy Commissioner flags privacy concerns over COVID vaccine passports

The Saskatchewan privacy commissioner is flagging concerns over potential privacy encroachments when people are asked to confirm their vaccinations to governments and businesses. Ron Kruzeniski said governments and businesses ought to follow particular limitations when choosing to ask a person to verify they’ve been vaccinated. The first one is “do organizations have the legal authority to ask those questions or to ask to see a certificate or a passport.” Kruzeniski recommended people who are asked to provide their vaccine verification ought to ask the inquiring party: “What are you going to use it for? Are you going to tell me the purpose of your asking? Are you going to collect the least amount of information possible? And do you need to know my date of birth, my gender, my race, my income level, my postal code?” Further limitations should be used once the information is obtained, he explained. “Where and how do you store (the information)? And then the question is whom do you share it with?” “It’s my personal health information, it’s nobody else’s … the last question is, ‘once you’re done with it, are you going to destroy it right away? How long do you need it?’” A “supplementary question” worth asking is “are you going to be tempted to use it for another purpose?” he said. “That’s generally viewed as a no-no.” The privacy commissioner also cautioned against only using the word “passport” to describe a vaccine verification.

N.B. Ombud says don’t forget about privacy when discussing vaccine passports

Speaking on COVID-19 vaccine passports or certificates, New Brunswick’s ombud Charles Murray said “We are asking people about their medical history. That is a very private thing for all of us, and we’ve recognized for years, that’s amongst the most private things I can know about you, is your medical situation. If we’re going to do that, how do we build the best system to protect privacy within that constraint? Because the goal won’t be to protect privacy, the goal will be to protect public health.” Murray’s advice to political leaders should they decide proof of vaccination is required to travel: “Don’t build your document and then say, ‘Oh. Now, what about privacy?’”

Review finds state COVID-19 websites with highest numbers of user trackers

The Markup’s Blacklight scanner found Utah, Hawaii and New Jersey’s COVID-19 websites have the highest number of advertising trackers and cookies among state COVID-19 websites. The Utah website’s tracking technology was found to be connected to Facebook, parent companies of Google, Snapchat, Twitter, LinkedIn and Tapad. A Utah Department of Health spokesperson said the technology is used “for analytics purposes,” while privacy advocates said government entities should express caution in tracking residents’ data.

CNIL authorizes experimental concert to study COVID-19 transmission

France’s data protection authority has authorized a research project by Assistance Publique–Hôpitaux de Paris that will evaluate COVID-19 transmission during an experimental concert. The CNIL was asked to authorize the project as it involves processing sensitive data of 7,500 participants.

Requiring proof of vaccination in workplace breaches HIPAA

The Washington Policy Center argued a state-mandated proposal requiring residents to show proof of vaccine in the workplace before employers ease social distancing and mask requirements may breach individuals’ medical privacy and the U.S. Health Insurance Portability and Accountability Act.

Vaccine badges on dating apps could have legal implications: privacy expert

A few dating apps in the United States, like Tinder and Bumble, are now making vaccine badges available for users to include in their profile. So far, the feature is only rolling out in the U.S., after the White House pushed to have the apps offer special incentives to get people to roll up their sleeves. It’s all part of an effort to have 70% of Americans vaccinated by July.

United Airlines will give some lucky people free flights with proof of vaccination

United Airlines is offering a chance to win free flights if you upload your vaccination record to its app by June 22. The new sweepstakes — Your Shot To Fly — applies to MileagePlus members. After uploading your record, you’re automatically entered to win a round trip flight or free flights for a year.

Why we need to seriously reconsider COVID-19 vaccination passports

In a blog post for The Conversation, Tommy Cooke warns against function creep and surveillance associated with vaccine passports and calls for greater public debate and involvement.

Majority of Canadians support COVID-19 vaccine passports for concerts, travel: Ipsos

As discussions of “vaccine passports” circulate in public policy circles, new data from the non-profit Angus Reid Institute finds Canadians largely accepting of the concept in various forms. More than three-quarters say that they would support mandatory vaccination proof for both travel to the U.S. and for international travel. In each case one-in-five disagree. That said, there is a clear preference to reduce reliance on proof of vaccinations in domestic life when compared with international travel. While a majority also agree that vaccine passports could be used at public places in their communities, like restaurants, malls and movie theatres, two-in-five (41%) oppose the idea – suggesting much more difficult implementation.

Biometrics

EU advocacy groups file claims against Clearview AI

Privacy International and Max Schrems’ NOYB filed complaints to European data protection authorities regarding alleged data scraping by Clearview AI. The groups sent filings to DPAs in Austria, France, Greece, Italy and the U.K. Clearview’s work “goes far beyond what we could ever expect as online users.” Clearview claimed it “has never had any contracts with any EU customer and is not currently available to EU customers.”

California passes voice recognition device bill

The California Assembly passed Assembly Bill 1262, which places limits on the use and retention of voice data collected by connected TV and smart speaker developers. The law does not cover cellphones, tablets, laptops with mobile data access, pagers or motor vehicles. See also: Smart (CA) TVs Are Listening: California Assembly Passes Voice Recognition Device Bill Headed to Senate

EAB advocates for biometric border posts to include privacy-enhancing technologies

The non-profit European Association for Biometrics (EAB) has published a position paper highlighting the biometric technology that can reinforce and re-establish common security and free mobility in the Schengen area post-COVID.

Facial recognition deployed for gambling in South Australia

Facial recognition has been deployed to more than 230 gambling venues in South Australia under the government’s plan to reduce gambling harms in the State, according to a government announcement.

Online Privacy / Surveillance

Google Play Store to Add Privacy Labels to Android Apps by 2022

Following Apple’s recent rollout of privacy labels, Google has announced a similar initiative that will appear on the Play Store sometime before mid-2022. As with Apple’s program, the privacy labels are meant to give end users a quick reference to the range of data that Android apps are asking for.

German regulator probing Google’s data use

Germany’s Federal Cartel Office opened an investigation into Google over its handling of user data. The competition regulator is examining whether Google provides sufficient choices in how it uses data across the company’s various digital services.

Access Now report explores data minimization

A report published by Access Now titled “Data minimization: Key to protecting privacy and reducing harm” explores combatting online abuses by limiting the amount of information entities can collect. The report’s recommendations include enabling data collection on protected classes for civil rights purposes or to support underrepresented populations, limiting data collected for behavioral advertising and implementing data minimization for machine learning models.

Employee monitoring increases, raising privacy concerns

A report by the Institute for the Future of Work found more companies are turning to algorithmic systems to monitor employee performance, accelerated by the COVID-19 pandemic, but the technology is raising concerns. In a survey conducted by U.K.-based trade union Prospect, the majority of workers expressed being uncomfortable with camera or keystroke monitoring.

Survey examines the current state of employee monitoring

ExpressVPN published a survey revealing the feelings of employers and employees regarding remote work and subsequent employee-monitoring practices. The survey showed 78% of 2,000 responding employers track their employees’ performance and online activity, with 66% of respondents monitoring web history tracking. On the employee side, 59% of 2,000 employees are wary of employer surveillance, and 43% believe the monitoring is a violation of trust.

Study: Australians concerned about privacy in new technology

A study by the Australian Communications and Media Authority found 70% of Australians are concerned about privacy in new technology. The study found 80% of Australians over 65 feel overwhelmed by technological change, with 95% increasingly using the internet for banking, purchases and more. The ACMA said digital use “brings with it a range of risks and challenges — from privacy and security concerns to exposure to misinformation and disinformation, scams, online bullying, and other harms.”

Law Enforcement

The OPP wants to find out if body worn cameras can improve policing

Starting this month, some provincial police officers in southwestern Ontario will start wearing body cameras to see if the technology makes police and the public safer. The year-long study was announced by the Ontario Provincial Police. OPP also said it would not release the findings of the study when it concludes a year from now. Traffic enforcement and emergency response officers, as well as uniformed officers with the Haldimand detachment, will start wearing the technology in plain view.

Alberta drops plans for surveilling citizens with drones – proposals received much backlash

The government of the Canadian province of Alberta was forced to drop plans to surveil the public using drones after the scheme was called out by activists. The dystopian plan was supposed to support safety by highlighting campsites with more than 10 individuals. The plan was discovered by independent political think tank Alberta Institute. The think tank also launched a petition calling for the abolition of the program. See also: Kenney government, the day the drone hit the fan

GCHQ’s mass data interception violated right to privacy, court rules

The UK spy agency GCHQ’s methods for bulk interception of online communications violated the right to privacy and the regime for collection of data was unlawful, the grand chamber of the European court of human rights has ruled.

Youth / Education Privacy

Education software firm addresses security vulnerabilities

A Canadian education technology company lacked a comprehensive information security framework to protect the personal information of hundreds of thousands of students, an investigation by the OPC has found. The IPC conducted a related investigation under Ontario’s Municipal Freedom of Information and Protection of Privacy Act into a complaint against a school board using the Edsby application to manage student attendance [report]. The investigation was launched following a complaint filed by a parent who had discovered security vulnerabilities in a software application adopted by his children’s school board.

Western University switches online exam proctoring services

Western University in Ontario announced it will transition to Proctorio’s online exam monitoring service this summer following student privacy concerns. The school previously used Proctortrack, which stirred privacy concerns with its invasive monitoring tactics. Western said Proctorio “addresses the privacy and security needs of our students,” but the school’s Policy Pitch Association rebutted, saying Proctorio is equally problematic.

UK ICO highlights Children’s Code case study

The U.K. Information Commissioner’s Office highlighted a case study for its Age Appropriate Design Code. The ICO’s Children’s Code team worked with video game company Square Enix for a workshop on the Children’s Code harms framework. Workshop participants were asked questions about how they process children’s data and the legal bases for using their information. The ICO added it will translate the harms framework into an interactive tool over the coming months.

CRS report details FERPA regulations

The U.S. Congressional Research Service released a report on the Family Educational Rights and Privacy Act’s provisions and applications, detailing the act’s regulations around access to and disclosure of education records, the allowable release of directory information and deidentified data, emergency exceptions, enforcement and more. The report also calls on Congress to amend the law to add a private right of action for parents or students to take action over alleged violations.

UNICEF calls for better governance of children’s data

The United Nations Children’s Emergency Fund Office of Global Insight and Policy published a Manifesto that sets benchmarks governments, organizations and others can follow to develop better governance of children’s data. The Manifesto includes analysis, insights and guidance from 17 professionals in academics, the private sector and more. UNICEF said it wants to “address ambiguous or sensitive areas where there are no straightforward answers.”

Safeguards / Breaches

Ransomware attack compromises RCMP’s ability to issue pay stubs

The RCMP found itself the victim of a growing digital crime spree as a ransomware attack on a federal government contractor compromised the Mounties’ ability to process pay stubs for its more than 20,000 employees.

U of T teams up with schools in Canada, around the world to share cybersecurity intelligence

The University of Toronto is working with schools in Canada and abroad to thwart cybersecurity attacks by sharing data in real-time. For nearly a year, the Canadian Shared Security Operations Centre (CanSSOC), for which U of T serves as administrative lead, has been piloting a threat feed that sends members immediate information on suspicious activity and potential breaches, all while protecting the anonymity of affected institutions. Now, CanSSOC will be partnering with organizations in the United States, Australia and the United Kingdom to extend this intelligence-sharing beyond Canadian borders.

Data Sciences

Regulatory sandboxes on the rise

Emerging Tech Brew reports on the rising use of regulatory sandboxes by regulators, researchers and developers for artificial intelligence development. Researcher and NYU Professor Meredith Broussard said AI regulation is “just getting started,” and a regulatory sandbox “is a really good first step.”

Google, hospital chain partner to develop health care algorithms

Google and hospital chain HCA Healthcare are partnering to develop health care algorithms, giving Google access to patients’ digital health records. The companies said the algorithms will improve efficiency, help monitor patients and guide medical decisions. Identifying information will be removed from patient records before being shared with Google.

AI Surveillance on the Rise

Politico reports on the relationship between AI and surveillance, how the COVID-19 pandemic normalized data collection and tracking, and concerns over the technology. See also: The future of AI regulation in Canada: what we can learn from the E.U.’s proposed AI framework

Regulators

FTC publishes ‘2020 Privacy and Data Security Update’

The U.S. FTC published its “2020 Privacy and Data Security Update.” The FTC recapped its notable privacy enforcement cases from the past year, including final court approval in its case against Facebook and actions against Zoom. The agency also looked back at its cases involving the Children’s Online Privacy Protection Act and the Fair Credit Reporting Act.

U.S. Treasury Announces Cryptocurrency Reporting Requirements

On May 20, 2021, the U.S. Department of the Treasury announced a proposal that would require any cryptocurrency transaction of $10,000 or more to be reported to the Internal Revenue Service (“IRS”).

21 May 2021

COVID-19:

Canada’s Privacy Commissioners Issue Joint Statement On COVID-19 Vaccine Passports

Canada’s federal, provincial and territorial privacy commissioners are urging governments, health authorities and businesses across the country to fully comply with applicable privacy laws if they develop and implement controversial COVID-19 vaccine passports. The commissioners said that vaccine passports are only justified if solid scientific evidence proves they are necessary and effective in achieving intended public health purposes and no other less intrusive option is available. The necessity, effectiveness and proportionality of vaccine passports must be established for each use context, and continually monitored. Vaccine passports must be decommissioned if, at any time, it is determined that they are not a necessary, effective or proportionate response to address their public health purposes. [See also: Vaccine Passports and Medical Paternalism]

UK ICO Fines COVID-19 Tracker for Turning Contact Data into Sales Leads

The UK Information Commissioner’s Office has issued a fine for “spamming without consent” [ICO blog & Penalty Notice] to Tested.me, a company that helps UK businesses meet the government’s coronavirus track-and-trace rules. Unfortunately for Tested.me, they also asked for consent to use contact data for purposes other than coronavirus tracking. Separate to the investigation, the ICO responded to the rise in the use of QR code technology by contacting 16 QR code providers to ensure they were also handling people’s personal information properly.

Access to Information:

RCMP Can’t Find Report into Fatal Shooting by Moncton officer

For the second time in two years, the RCMP says it can’t find a report by an independent agency investigating shootings by officers in the Moncton-area.

N.L. Access to Information Review Wraps Up, in Contrast to Past Turmoil

Recommendations are now pending on possible revisions to Newfoundland and Labrador’s access to information system. Provincial government officials say the system is bursting at the seams, and changes are necessary, but the transparency watchdog says the past five to six years have been a “story of success” through a “world-class” system.

BC OIPC Calls on Government to Bring InBC Investment Corp Under ATIP Legislation

BC Commissioner McEvoy is urging the provincial government to bring its proposed InBC Investment Corp. (InBC) under BC’s Freedom of Information and Protection of Privacy Act (FIPPA). On April 27, 2021 the BC government introduced legislation to create InBC, a crown corporation that will be charged with managing $500 million in public funds aimed at investing in BC’s business and innovation sectors.

Health:

Surgeon’s Licence Suspended Over Social Media Posts, Surveillance of Patients Without Consent

A Toronto plastic surgeon and self-styled social media influencer has had his licence to practise medicine suspended. In a decision released on May 12, the disciplinary committee of the College of Physicians and Surgeons of Ontario (CPSO) suspended the licence of Dr. Martin Jugenburg — who goes by Dr. 6ix on social media — for six months over inappropriate online posts and for his use of surveillance cameras in his downtown Toronto clinic.

Digital Identity:

Digital IDs Might Sound Like a Good Idea, But They Could Be a Privacy Nightmare

Current discussions of digital vaccine “passports” are just a small part of a much larger movement aimed at creating a digital identity system. The ACLU has released a report looking at digital driver’s licenses and noting many pitfalls and long-term implications for civil liberties, including increasing inequities, centralized tracking, and poor information security. The ACLU calls on state legislators to insist that the standards for digital driver’s licenses be refined until they are built around the most modern, decentralized, privacy-protective, and individual-empowering technology for IDs; that they make sure that digital identification remains meaningfully voluntary and optional; that police officers never get access to people’s phones during the identification process; and that businesses aren’t allowed to ask for people’s IDs when they don’t need to.

Federal Agency Adopts Verified.Me® for Digital Identity Verification

SecureKey Technologies Inc., a Toronto-based provider of digital identity and authentication solutions, has announced that Employment and Social Development Canada (ESDC) has adopted Verified.Me as the new real-time way to securely verify identity when registering for a My Service Canada Account (MSCA), streamlining the digital identity verification process.

Biometrics:

Commissioner Therrien Says Facial Recognition Risks Not Addressed in Proposed Law

In remarks to Parliament, Privacy Commissioner Daniel Therrien said Canada needs new regulation for facial recognition beyond the proposed update to private-sector privacy laws, and is calling for significant amendments to the legislation. Therrien criticized Bill C-11, the Consumer Privacy Protection Act (CPPA), as inadequate, saying CPPA adds business interests for consideration without adding any consideration of the effects on privacy introduced by new technologies.

Amazon extends facial recognition ban for police

Amazon announced an extension to its moratorium on law enforcement’s use of the company’s facial recognition technology until further notice. The company’s initial one-year ban was set to expire in June. The move follows recent calls from civil rights groups asking Amazon to roll out a permanent ban on facial recognition use by police.

Other Biometrics News

Company Launches Deepfake Voice Clone Program for Celebrities

U.S. software company Veritone announced the start of a new platform that will support the creation of deepfake voice clones. Marvel.AI is being rolled out first for celebrities and content creators to use and license. The platform will build a catalog and marketplace of machine learning-generated voice recordings stored by Veritone and available for purchase with a voice owner’s consent.

Sensory’s new voice assistants do not sacrifice your privacy or send data to the cloud

Santa Clara, CA-based voice AI company Sensory has announced a custom voice assistant that delivers total privacy for its users. This voice assistant does not even need an internet connection. One of the first devices to use the Sensory voice assistant is a new voice-enabled Farberware microwave oven that features a custom, private voice UI. The technology uses a custom domain specific voice assistant that can understand over 150 commands.

Law Enforcement / Surveillance:

Police Departments Adopting Facial Recognition Tech Amid Allegations of Wrongful Arrests

Claims of wrongful arrests stemming from the use of facial recognition technology are increasing. Police in Detroit, Michigan, have now implemented policies limiting use of the tech and requiring police disclosures, while 19 cities have banned facial recognition use entirely.

Community Control of Police Spy Tech

According to EFF, police and other government agencies often unleash invasive surveillance technologies on community streets, based on the unilateral and secret decisions of agency executives, after hearing from no one except corporate sales agents. This spy tech causes false arrests, disparately burdens BIPOC and immigrants, invades privacy, and deters free speech. Many U.S. communities have found Community Control of Police Surveillance (CCOPS) laws to be an effective step on the path to systemic change. CCOPS laws empower the people of a community, through their legislators, to decide whether or not city agencies may acquire or use surveillance technology. Communities can say “no,” full stop.

Newfoundland and Labrador commissioner urges halt on bodycams

Privacy Commissioner Michael Harvey advised authorities in the town of Happy Valley-Goose Bay to end their use of body cameras following an investigation of uses by law enforcement and animal control. Harvey’s office found potential purpose limitation and data minimization issues associated with the current camera deployments. Harvey said the town should consider “entirely abandoning the initiative and re-examine from scratch its approach.”

Amazon’s Ring is the Largest Civilian Surveillance Network the US Has Ever Seen (Opinion)

One in 10 US police departments can now access videos from millions of privately owned home security cameras without a warrant. Ring is effectively building the largest corporate-owned, civilian-installed surveillance network that the US has ever seen. An estimated 400,000 Ring devices were sold in December 2019 alone.

22 Automated Speed Cameras Coming to Mississauga Streets

Mississauga is considering expanding the city’s automated speed cameras from two to 22 by the end of 2021, with a budget increase of $467,000. The city says the cameras will rotate to new locations on a monthly basis, and that the locations for each camera are prioritized using a “data-driven approach that considers the severity of speeding in the area and other factors such as traffic and pedestrian volumes, collision history and site suitability.”

The Police Dog Who Cried Drugs at Every Traffic Stop

Public records show that from the time he arrived in Republic, Washington in January 2018 until 2020, Karma the police dog gave an “alert” indicating the presence of drugs 100% of the time during roadside sniffs outside vehicles. Whether drivers actually possessed illegal narcotics made no difference. The government gained access to every vehicle that Karma ever sniffed. He essentially created automatic probable cause for searches and seizures, undercutting constitutional guarantees of due process. Similar patterns abound nationwide, suggesting that Karma’s career was not unusual. Despite the frequent errors, courts typically treat certified narcotics dogs as infallible, allowing law enforcement agencies to use them like blank permission slips to enter vehicles, open suitcases, and rummage through purses.

Internet of Things:

NIST Seeks Consultation on IoT White Paper

The U.S. National Institute of Standards and Technology announced a public comment period for its white paper on consumer confidence in Internet of Things security. The deadline for public comments is June 14.

Security / Cybersecurity:

White House Releases Wide-Ranging Executive Order on Cybersecurity

The Biden administration issued a lengthy Executive Order, “Improving the Nation’s Cybersecurity,” on May 12, which it described as the “first of many ambitious steps” toward modernizing U.S. cybersecurity defenses. The White House simultaneously issued an explanatory fact sheet and background press call. Pursuant to the Order, government agencies will be required to deploy multifactor authentication, encryption, endpoint detection and response, and logging, and to operate under the principle of a “zero-trust” environment. A clear purpose of the Order is to improve the security of commercial software, including by establishing baseline security requirements based on industry best practices. [See also: Companies Prepare for Mandatory Breach Notification Under Biden EO]

NIST Releases Tips and Tactics for Dealing With Ransomware

To help organizations protect against ransomware attacks and recover from them if they happen, the National Institute of Standards and Technology (NIST) has published an infographic offering a series of simple tips and tactics. NIST has also published a more detailed fact sheet on how to stay prepared against ransomware attacks. See also: The Scourge of Ransomware

Breaches:

Cybercrime thrives during pandemic: Verizon 2021 Data Breach Investigations Report

An increase in phishing and ransomware attacks – along with continued high numbers of Web Application Attacks – underscores a year of unprecedented security challenges.

Student Health Insurance Carrier Guard.Me Suffers a Data Breach

Student health insurance carrier guard.me has taken their website offline after a vulnerability allowed a threat actor to access policyholders’ personal information. guard.me is one of the world’s largest insurance carriers specializing in providing health insurance to students while traveling or studying abroad in another country.

Mobile / Location / Online Privacy:

Dutch city hit with €600,000 GDPR fine over Wi-Fi counters

The Dutch Data Protection Authority (DPA) has fined the City of Enschede €600,000 for its use of Wi-Fi sensors to measure the number of people in the city centre. The DPA accepted that it was not the city’s intention to track people and found no evidence to suggest that this actually took place. However, it said: “Using Wi-Fi tracking that makes it possible is in itself a serious violation of the privacy law: the GDPR.” The municipality of Enschede is appealing the decision and said the accounts are anonymous and that no personal data has been processed. “We do not follow, we only count,” a spokesperson said.

Why More Young People Are Ditching Their Smartphones

As Covid-19 causes people to become increasingly glued to their devices, growing numbers of Gen Zers are shunning their phones and embracing a way of life that they say is improving their mental health. But how easy is it really to kick the habit?

Recycle Your Phone, Sure, But Maybe Not Your Number

Researchers at Princeton University have shown how fraudsters can abuse wireless provider websites to identify available, recycled mobile numbers that allow password resets at a range of email providers and financial services online [read: “Security and Privacy Risks of Number Recycling at Mobile Carriers in the United States”].

We Found Joe Biden’s Secret Venmo – and Privacy Gaps in The Payment App

BuzzFeed News found President Joe Biden’s Venmo account after less than 10 minutes of looking for it, revealing a network of his private social connections, a national security issue for the United States, and a major privacy concern for everyone who uses the popular peer-to-peer payments app.

Many Canadians Want Government Services Made Available Online Permanently

A recent survey commissioned by ServiceNow found that 69% of Canadians would like to be able to access federal services digitally, while 70% feel this way about provincial services, and 65% about municipal services. Additionally, 74% of Canadians said the pandemic has made them more receptive to accessing government services online. However, not everyone wants to see in-person services replaced with digital counterparts. 46% of respondents said they rely on someone else helping them navigate government systems—28% of these said they require help because they find the process too complicated.

Professionals Launch ‘Dark Patterns’ Reporting Website

A group of privacy professionals and scholars launched the Dark Patterns Tip Line, a website for reporting manipulative online practices. The website educates users on what dark patterns are and where they can be found while also calling on users to report.

Democrats Push Back Against Child Version of Instagram

Four U.S. Democratic lawmakers came out against Instagram’s plans to launch a children’s version of its platform. Citing privacy concerns, they urged parent company Facebook to abandon plans, noting the company “has forfeited the benefit of the doubt” when it comes to protecting users and their interests. The push from lawmakers follows a similar call from 44 state attorneys general a week prior.

Google Announces New Privacy Features

Google announced it will release a suite of new privacy capabilities, including allowing users to delete the last 15 minutes of their search history, a password-protected photos folder, informing users when one of their passwords is compromised in a data breach, and recording which apps have access to an Android’s camera and location information.

Google Analytics Will Soon Work Without Cookies

Google plans to roll out features allowing marketers to gain insights into Google Analytics without having to use third-party cookies or identifiers. Using “advanced machine learning models,” Google will help fill in gaps on incomplete datasets when cookies are unavailable.

Data Sciences:

UK Drafts Automated Decision-Making Framework

The U.K. government published its Ethics, Transparency and Accountability Framework for Automated Decision-Making. The guidance offers seven consideration points, including proper handling of user data, to ensure “safe, sustainable and ethical use of automated or algorithmic decision-making systems.” The government hopes the framework will “improve the general literacy” around artificial intelligence for civil servants and ministers “to support the agenda and provide appropriate challenge.”

Regulators:

ICO’s Data Sharing Code of Practice laid before UK Parliament

The U.K. government laid the Data Sharing Code of Practice, created by the U.K. Information Commissioner’s Office, before Parliament. The code is designed to provide advice to businesses and organizations on how to share data responsibly. The code of practice will lay before Parliament for 40 sitting days before it goes into effect.

Study: Italy, France Doled Out Highest Fine Totals Under GDPR

A study conducted by Privacy Affairs measured the fines issued by data protection authorities under the EU General Data Protection Regulation. Spain handed out 222 financial penalties since the GDPR went into effect followed by Italy with 73. For monetary amounts, Italy had the highest total with 76 million euros in fines with France second at 54 million euros.

French Government Approves Cloud Data Storage

Members of France’s government announced a plan to allow sensitive data storage in Google and Microsoft clouds under a data localization model.

California Considers Consumer Privacy Protections for Smart Speaker Devices

Existing California law regulates the operation of voice recognition features for smart televisions. Manufacturers and their contracting third parties, for example, are prohibited from selling or using—for any advertising purpose—actual recordings of spoken words collected for a specified purpose through the operation of a voice recognition feature. On May 10, 2021, the California Assembly passed AB-1262, which seeks to extend these consumer protections to users of smart speaker devices that have a voice recording feature.

High Court Hands Irish DPC Victory in Facebook Data Transfers Case

The Irish High Court dismissed all of Facebook’s procedural complaints in a preliminary decision from Ireland’s Data Protection Commission (DPC) regarding data transfers from the EU to the U.S. A win for the Irish DPC, the court decision opens up the possibility that Facebook would eventually have to halt personal data transfers from the EU to the U.S. The case could ultimately affect trans-Atlantic data flows for other companies, as well.

FTC & Privacy: Will the FTC’s Rulemaking Push Result in New Privacy Rules?

The FTC is laying the groundwork to test the scope of its rulemaking authority. FTC Chairwoman Rebecca Slaughter (D) has centralized FTC rulemakings, noting that it was “time for the Commission to activate its unfair methods of competition rulemaking authority” and that she is “excited for this new rulemaking group to explore all the possibilities.” The Supreme Court’s recent decision in AMG Capital Management v. FTC, which curtailed the FTC’s ability to obtain equitable monetary relief, gives Slaughter’s push for rulemakings added urgency.

FINTRAC Updates Guidance on Regulatory Amendments Coming into Force on June 1, 2021

The Financial Transactions and Reports Analysis Centre of Canada [FINTRAC] has recently updated its guidance on (1) compliance program requirements, (2) methods to verify the identity of persons and entities, (3) third party determination requirements and (4) reporting terrorist property. FINTRAC has also published new guidance on prepaid payment products and accounts, the 24-hour rule and travel rule requirements. The updated and newly published guidance reflects the series of regulatory amendments made to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act [PCMLTFA] and regulations over the past few years, the majority of which will come into force on June 1, 2021.

Events:

Privacy Symposium 2021 Scheduled for June 1 to 3

IAPP is hosting Privacy Symposium 2021, a virtual conference connecting privacy leaders, experts and practitioners from around the world on key trends, challenges and best practices. The event will take place June 1 to 3, featuring discussions on privacy as a key agenda item in boardroom discussions, data subject rights, standards in privacy management and privacy during a pandemic.

13 May 2021

COVID-19

Digital vaccination ‘passports’ coming to Quebecers Thursday, but they have no purpose yet

Starting this week, Quebecers will start getting the province’s long-awaited official digital proof of vaccination. It will take the form of an individual QR code that can be scanned on a cellphone, similar to a boarding pass at the airport. However, it doesn’t have any uses yet — no one will be able to read it for now. Health Minister Christian Dubé said no one will have the corresponding system to read the codes, except for the government. “The first step is just a technology,” he explained.

CNIL issues opinion on health pass project

France’s data protection authority, the Commission nationale de l’informatique et des libertés, issued its opinion on the government’s plan to require proof of vaccination or a negative COVID-19 test to enter certain establishments. The CNIL supports the initiative on the basis the information is not used beyond the COVID-19 pandemic. The agency also asked for the system to be continuously studied to determine whether the plan is still necessary.

NHS app to add vaccine passport functionality 17 May

The U.K. government announced the National Health Service application will be able to function as a vaccine passport starting 17 May, BBC News reports. The feature will be available to fully vaccinated citizens. The app will not be able to show COVID-19 test results; however, NHS will add the capability in a future update.

Report Details Checkpoints for vaccine passports

The Ada Lovelace Institute has published a research report outlining the requirements for a socially beneficial vaccine passport system. Key requirements for governments and developers include:

  • Scientific confidence in the impact on public health
  • Clear, specific and delimited purpose
  • Ethical consideration and clear legal guidance about permitted and restricted uses, and mechanisms to support rights and redress, and to tackle illegal use
  • Sociotechnical system design, including operational infrastructure
  • Public legitimacy
  • Protection against future risks and mitigation strategies for global harms.

Americans Support Vaccine Passports But Not For Work

The polling firm Ipsos announced: “A new Ipsos survey for the World Economic Forum finds that, on average, about three in four adults across 28 countries agree that COVID-19 vaccine passports should be required of travelers to enter their country and that they would be effective in making travel and large events safe.” On May 7 Gallup announced that “U.S. adults favor mandated vaccination certification for travel by airplane (57%) and to attend events with large crowds, such as concerts or sporting events (55%)”. Nevertheless majorities of Americans in Gallup’s survey oppose requiring proof of vaccination for people headed to the workplace, hotel stays, or restaurants.

Surveillance / Online Privacy

250 iPhone Apps Analyzed for Tracking

In March 2021, Wirecutter examined the privacy labels and practices of 250 apps across several categories, including the top apps of 2020, as well as popular games, browsers, weather apps, streaming-video apps, photography apps, notes apps, dating apps, shopping apps, news apps, and health and fitness apps. Among those apps, they found:

  • 60% of the apps had a Data Used to Track You label.
  • Of these apps, 96% used identifiers, 70% measured advertising data, 38% of the apps used location, and 19% used contact info.
  • 57% explicitly mentioned advertising as their purpose for tracking you.
  • 17 apps shared data with third parties without disclosing that sharing on their privacy label.
  • Apps that cost money collect and share less data than their free counterparts do.
  • Weather, shopping, health and fitness, dating and news apps did the most tracking.

See also: Amazon and Apple Built Vast Wireless Networks Using Your Devices. Here’s How They Work

Report: Apple gets 4% US opt-in rate under ATT

Recent data collected by Flurry Analytics shows only 4% of U.S. mobile device users are opting in under Apple’s App Tracking Transparency framework. The average daily opt-in rate worldwide is 12%. Flurry tracked opt-in rates from 2.5 million devices since ATT took effect in April.

Google to shed light on apps’ data practices

Google has announced the Google Play store will launch a safety section aimed at creating transparency on how applications collect, use and store personal data. Frey said Google will devise a policy for the app store “that requires developers to provide accurate information” about their data practices. Noncompliance with the standard will result in an order to fix descriptions or “be subject to policy enforcement.”

CMU researchers show potential of privacy-preserving activity tracking using radar

Carnegie Mellon University’s Future Interfaces Group has demonstrated a novel approach to activity tracking that does not rely on cameras as the sensing tool. CMU researchers are investigating the use of millimeter wave (mmWave) doppler radar as a medium for detecting different types of human activity. The results can be seen in this video, where the model is shown correctly identifying a number of different activities, including cycling, clapping, waving and squats, purely from its ability to interpret the mmWave signal the movements generate and purely having been trained on public video data.

Data mining questioned following remote cheating accusations

Accusations of cheating on remote exams at Dartmouth College’s Geisel School of Medicine are raising questions about data mining. The school used the Canvas system to track student activity during remote exams without their knowledge to try to identify cheating. Of 17 accused students, seven have had their cases dismissed. In one dismissed case, administrators said “automated Canvas processes are likely to have created the data that was seen rather than deliberate activity by the user.”

Attorneys general call on Facebook to cancel children’s version of Instagram

A coalition of 44 U.S. attorneys general called on Facebook to stop creating a version of Instagram for children. In a letter to Facebook CEO Mark Zuckerberg, the attorneys general wrote the application could affect the privacy and mental health of children who “are not equipped to navigate the challenges of having a social media account.” Meanwhile, Common Sense Media released a guide on how behavioral advertisements impact children.

Sens. propose bipartisan bill to update COPPA

U.S. Sens. Ed Markey, D-Mass., and Bill Cassidy, R-La., introduced the Children and Teens’ Online Privacy Protection Act, which aims to modernize provisions of the Children’s Online Privacy Protection Act. The bill prohibits collection of data from users ages 13 to 15 without consent, creates an “Eraser Button” on websites to delete children’s data and adds a children’s privacy unit to the U.S. Federal Trade Commission. Markey said Congress must “swiftly put in place strict safeguards that stop” companies from “tracking young people at every turn in the online ecosystem.”

Senators Reintroduce Bill to Amend COPPA

Senators introduced the “Clean Slate for Kids Online Act of 2021” last week. Bill S.1423 seeks to amend the Children’s Online Privacy Protection Act. The bill provides individuals with the right to delete personal information the operator collected from the individual as a child. The right to delete applies even in instances where parental consent was provided for the collection of the personal information. The bill provides limited exceptions to the deletion requirement. Senators previously introduced the “Clean Slate for Kids Online Act” in 2018 and 2019 without success.

NYC Passes Data Privacy Bill on Owners of “Smart Access” Buildings

New York City has passed the Tenant Data Privacy Act [TDPA], which would impose on owners of “smart access” buildings obligations related to their collection, use, safeguarding, and retention of tenant data. The TDPA would require building owners to develop and maintain policies and procedures to address the following requirements: 1) Express Consent; 2) Privacy Policy; 3) Stringent Security Safeguards; and 4) Data Destruction. The TDPA would impose strict limits on the categories of tenant data that building owners would be permitted to collect, generate, or utilize through their smart access systems. Building owners would also be prohibited, subject to certain exceptions, from selling, leasing, or otherwise disclosing tenant data to any third parties. Significantly, the TDPA would also create a private right of action for tenants whose data is unlawfully sold.

Law Enforcement

New B.C. traffic cameras will help investigate crashes, say RCMP

110 new traffic cameras are being installed on B.C. roads to help aid in crash investigations. RCMP and Richmond city officials said the cameras won’t just be taking pictures, but will be constantly recording video to get a better idea of what happens in car crashes. This will help determine fault, as well as gather data about how to make intersections safer. The footage will only be accessed in the event of a collision or if a crime is committed, and the resolution of the cameras isn’t good enough to provide details such as licence plates or facial recognition. If an outside agency wishes to access the video footage, the fee is $375. In order to maintain privacy, B.C.’s Office of the Information and Privacy Commissioner issued a directive that the cameras must not be monitored by the police, or the decision would not be supported. Instead, the footage will be monitored by the city’s transportation department.

Ontario to introduce detectors for contraband cell phones in adult correctional facilities

Ontario has announced that it will implement new specialized devices at 25 adult correctional facilities across Ontario to help detect, locate and prevent the use of prohibited cell phones and to enhance security, said a news release dated Apr. 27. These devices are expected to be fully operational by summer 2021.

The Feds Can Access the Private Data on Your Phone Through Your Car

According to a report from The Intercept, the U.S. Customs And Border Protection has now found a convenient back door to siphon much of the information from the fortress of your smartphone: your car. Even though your car tries to keep you physically safe with airbags and ABS and seatbelts, it’s shockingly inept when it comes to keeping your data safe from the prying eyes of police agencies, per the report from The Intercept. As if that weren’t bad enough, our dumb cars are letting the CBP into our smartphones while we constantly and unknowingly pass data along.

Biometrics / Identity

Biometrics commissioner: Police shouldn’t be banned from using facial recognition

U.K. Biometrics and Surveillance Camera Commissioner Fraser Sampson said police departments should not be barred from using facial recognition technology. Sampson said the use of facial recognition tech should be addressed by law enforcement rather than lawmakers. The commissioner added the use of artificial intelligence will be “inevitable” and an “increasingly necessary component of policing.”

Civil rights groups call on Amazon to ban police use of facial recognition

In a letter to Amazon leadership, 44 civil rights groups called on the company to permanently ban use of its facial recognition software and stop selling the technology to law enforcement. Following national racial protests, IBM and Microsoft indefinitely suspended sales of their software to law enforcement, while Amazon implemented a one-year moratorium that expires next month. Amazon has not said whether it will continue or lift the ban.

Other Biometric News

Anyone can use this powerful facial recognition tool — and that’s a problem

You probably haven’t seen PimEyes, a mysterious facial-recognition search engine, but it may have spotted you. If you upload a picture of your face to PimEyes’ website, it will immediately show you any pictures of yourself that the company has found around the internet. PimEyes is open to anyone with internet access. It’s a stark contrast from Clearview AI.

NYC Creates BIPA-Like Requirements for Retail, Hospitality Businesses Concerning Biometric Information Collected from Customers

Effective July 9, 2021, certain retail and hospitality businesses that collect and use “biometric identifier information” from customers will need to post conspicuous notices near all customer entrances to their facilities. These businesses will also be barred from selling, leasing, trading, sharing or otherwise profiting from the biometric identifier information they collect from customers. Customers will have a private right of action to remedy violations, subject to a 30-day notice and cure period, with damages ranging from $500 to $5,000 per violation, along with attorneys’ fees.

These new requirements are set forth in an amendment to Title 22 of the NYC Admin. Code (the “Amendment”), and apply to “commercial establishments.”

Clearview hires DC lobbyists to educate on face biometrics technology

A lobbying firm founded by former Senate aides has been hired by Clearview AI to carry out “education around facial recognition technology.” A bill introduced in April by Senators Ron Wyden (D-OR) and Rand Paul (R-KY) and titled ‘The Fourth Amendment is Not for Sale Act of 2021’, would bar Clearview and any company that obtains data from personal accounts or devices without the owner’s consent from selling the data to government agencies. Clearview is also fighting a consolidated biometric data privacy lawsuit and critics are demanding the Department of Homeland Security (DHS) cease all use of the app.

Calgary retailers launch ID entry

Four Calgary liquor stores are installing entry systems that will require customers to scan identification cards to verify age and ability to enter. The systems have been found to mitigate rising cases of theft, but privacy advocates are wary of potential data breaches associated with the system and its data collection. Office of the Information and Privacy Commissioner of Alberta Spokesman Scott Sibbald said, “There has been no consultation with our office on this project.”

Pandemic gives boost as more states move to digital IDs

With the advent of digital wallets, people are relying more on their phones to prove their identity. Some industry experts estimate that the coronavirus pandemic has sped up the widespread adoption of contactless identification methods by at least a decade. At least five states have implemented a mobile driver’s license program. Three others intend to launch programs by next year, with more expected to follow suit. According to some state officials mobile licenses will give people more privacy by allowing them to decide what personal information they share. However most states with these programs recommend that users still carry their physical driver’s license as a backup. Industry leaders say safeguards will prevent anyone’s information from being stolen, but some critics argue that having so much personal data on a phone is too risky. The National Motorists Association doesn’t believe drivers should be handing their phones over to police, potentially violating people’s Fourth Amendment rights against unreasonable searches and seizures.

Security / Breaches

UK National Cyber Security Centre (NCSC) publishes guidance on securing smart cities

The UK NCSC has published a new set of security principles to help UK authorities secure smart cities and their underlying infrastructure and protect themselves from cyberattacks. Connected Places Cyber Security Principles advises local authorities on understanding their connected places by considering required cybersecurity governance and skills, the role of suppliers, risks and more. See also: White paper: Securing smart city systems against cyberattacks and Cybersecurity: a smart city imperative

NCSC says smart cities a ‘target’ for cyberattacks, urges cybersecurity measures

The U.K. National Cyber Security Centre warned authorities that internet-connected technology used to power smart cities is “an attractive target” for cyberattacks and encouraged them to think about cybersecurity. As these systems emerge, NCSC Technical Director Ian Levy said they should be designed and built properly because “as these ‘connected places’ become increasingly joined up, the ubiquity of the services they provide will likely make them a target for malicious actors.” The NCSC also released its fourth annual report on its Active Cyber Defence programme.

Report: Remote work leads to increase in email data breaches

A report from Egress, based on a poll of 500 IT professionals and 3,000 remote workers in the U.K. and U.S., found Microsoft 365 users have seen an increase in email data breaches. 67% of IT professionals said the increase is due to remote working, while 26% attributed incidents to an employee mistakenly sharing data through email. Of the Microsoft 365 users, 15% experienced more than 500 data breaches in 2020, and 93% reported subsequent negative impacts.

A ransomware cyberattack knocks out crucial fuel pipeline to the East Coast

More than 1,000 gas stations in eastern US states ran out of gasoline after a cyberattack knocked out a crucial US pipeline that supplies much of the region’s gasoline. The crunch in fuel supply has been blamed on a ransomware attack that forced the closing of part of the 5,500-mile Colonial Pipeline that supplies about 45% of the East Coast’s fuel.

Hackers release personal info of 22 D.C. police officers

A ransomware gang that hacked Washington’s Metropolitan Police Department published extensive profiles of 22 officers Tuesday as part of an extortion attempt. The files on current and former police officers are detailed and include personal information such as Social Security numbers, dates of birth, results of psychological assessments, copies of driver’s licenses, fingerprints, polygraph test results, as well as residential, financial and marriage history. The hack is entirely distinct from the attack on the Colonial Pipeline and conducted by a different group, though both are Russian-speaking outfits.

Information on 73,000 Durham students breached in ‘cybersecurity incident’

The information of about 73,000 students may have been accessed during a “cybersecurity incident.” Names of students, dates of birth, addresses, school locations, grades and class information may have been accessed. The cybersecurity incident allegedly involved a third-party software provider used by Durham Region’s Health Department.

Security researchers find a severe vulnerability that may affect up to 30% of all Android phones

The Check Point security research group claims that 3G to 5G connectivity can be exploited in a way that might allow a hacker to read a user’s messages and even listen in on phone calls. This flaw involves an interface found on up to 30% of all phones worldwide.

Open source tool automates CCPA data deletion requests

Graduate students at the University of California, Berkeley’s School of Information are developing an open source tool to automate California Consumer Privacy Act data deletion requests. Through a Gmail account, PrivacyBot would enable individuals to send requests to delete data from a list of data brokers and search sites. Consumer Reports Digital Lab Product Consultant Ginny Fahs said “automating the sending of requests is a big win for consumers.”

Sarnia Police, school board investigating ‘inappropriate’ content tied to hacked online classes

Police and school board officials say they’re investigating complaints tied to offensive content after multiple online classes in Sarnia were hacked. An unknown person used language and displayed images to students and staff that were “inappropriate” after gaining access to Google online classroom meetings. Multiple allegations of inappropriate behaviour have surfaced amid students across Ontario spending the bulk of the last year-plus learning virtually due to the COVID-19 pandemic.

Malicious Office 365 Apps Are the Ultimate Insiders (item reposted in full)

Phishers targeting Microsoft Office 365 users increasingly are turning to specialized links that take users to their organization’s own email login page. After a user logs in, the link prompts them to install a malicious but innocuously-named app that gives the attacker persistent, password-free access to any of the user’s emails and files, both of which are then plundered to launch malware and phishing scams against others.

OPC reports privacy breaches double under new Privacy Act

New Zealand’s Office of the Privacy Commissioner reported a 97% increase in privacy breaches in the Privacy Act’s first four months. The OPC said approximately one-third of breaches caused identity theft risk or financial harm. Email errors caused the most breaches at 25%, followed by unauthorized sharing of personal information at 21% and unauthorized access to information at 17%. Privacy Commissioner John Edwards said breaches span industries, adding a summary will be published yearly to help organizations “know where the greatest privacy risks are.”

Biden issues EO to boost US cybersecurity

U.S. President Joe Biden signed an executive order aimed at enhancing U.S. cybersecurity practices and protecting federal government systems. The order “ensures that IT service providers are able to share information with the government and requires them to share certain breach information.” Any data sharing between private contractors and federal government agencies related to breaches will be done “consistent with applicable privacy laws, regulations, and policies.”

NSW Privacy commissioner releases guide for managing risks while transitioning to cloud

New South Wales Information and Privacy Commissioner Samantha Gavel released a guide to help government agencies implement privacy practices when implementing cloud-based technologies. The guide explains privacy risks and potential impacts, including harm to individuals, and provides a framework and checklist to manage risks, including data and training practices.

1-7 May 2021

COVID-19

Canada moves toward vaccine passport rollout

Canadian Health Minister Patty Hajdu indicated the federal government is in favor of rolling out a vaccine passport scheme for international travel. Hajdu also pointed to further developing the ArriveCAN application, originally devised for submission to COVID-19 border measures, to support vaccine passport information. Additionally, an Ipsos poll showed 78% of Canadians view vaccine passports favorably and as a necessity.

CIO Strategy Council seeking input on proposed standards for responsible use of contact tracing data

The CIO Strategy Council is requesting input on its latest proposed standard for the responsible use of contact tracing and monitoring data in the workplace. The proposed standard applies to the governance of current and future use of data that is created, collected, stored or controlled by contact tracing and monitoring solutions. It also applies to the management processes and decisions related to data security and privacy within and between organizations. The standard doesn’t cover the use of contact tracing, monitoring and surveillance solutions applied to public health. The First Edition of CIOSC/PAS 100-6:2021, Data Governance – Part 6: The responsible use of digital contact tracing and monitoring data in the workplace, can be accessed here. Deadline for comments is May 19.

Other COVID-19 News

  • The Northwest Territories Department of Health and Social Services announced a data breach involving travelers placed in COVID-19 quarantine in the city of Yellowknife.
  • The Council of Europe’s Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) issued a statement regarding the need for strong data protection for COVID-19 vaccination programs and vaccine certificates.
  • Germany’s Federal Commissioner for Data Protection and Freedom of Information announced the country’s Corona-Warn-App should be used by restaurants and businesses for contact-tracing purposes in accordance with data collection rules under the Infection Protection Act.
  • The Philippines’ National Privacy Commission published a bulletin warning against unlawful data collection with the country’s COVID-19 vaccine program.

Surveillance / Online Privacy

School Mobile Apps Student Data Sharing Behavior

An audit and analysis of a random sample of 73 mobile applications used by 38 schools in 14 states across the U.S. covering at least a half a million users, found that the majority (60%) of school apps were sending student data to a variety of third parties. These included advertising platforms such as Google, to which about half (49%) of the apps were sending student data, as well as Facebook (14%). On average, each app sent data to 10.6 third-party data channels. Some stats:

  • 67% of the public schools in the sample were sending data from apps to third parties.
  • Public schools were more likely to send student data to third parties than private schools.
  • 18% of public-school apps sent data to “very high-risk” third parties – i.e., entities that further share data with possibly hundreds or thousands of networked entities.
  • Android apps are 3x more likely than iOS apps to send data to third parties, and are much more likely to be sending data to high or very high-risk third parties.
  • Data sent to third parties typically included unique identifiers, thus enabling profile building for students – including those under the age of 13 – by third-party advertising platforms.
  • Data was being sent to third parties as soon as the app is opened by the user – even if they are not signed into the app.
  • In most apps, third-party data channels initiated initial data transfers and ID syncs as soon as the app is loaded.
  • The researchers estimate that upwards of 95% of the third-party data channels are active even when the user isn’t signed in[2].

Speech-monitoring patent a ‘dangerous’ violation of privacy, musicians say

In an open letter to Spotify, a coalition of more than 180 musicians and human rights organizations asked the audio-streaming platform to publicly commit to never use, license, sell or monetize a patent for technology that could monitor and record users’ speech and background noise. The tech is intended to help recommend music, but the group raised data security and other concerns, saying it is “dangerous, a violation of privacy and other human rights, and should not be implemented by Spotify or any other company.”

Video surveillance to be deployed on California Transportation Agency bus fleet

Video surveillance with cloud-based monitoring is being added to the California Transportation Agency’s fleet of more than 400 buses. March Networks’ RideSafe system enables operators to access live and recorded video, as well as search for incidents. The devices will be monitored by March Networks’ professionals who can address issues remotely, including responding to emergency situations and security issues.

Barrie police update city’s surveillance system

Law enforcement in Barrie, Ontario, is nearing the completion of an enhanced surveillance network for the city’s downtown area. A dozen residents have also voluntarily signed on to the camera system’s registry.

Amnesty International announced it is launching a project to uncover the extent of the use of facial recognition technology in New York City. The initiative aims to map closed-circuit TV cameras and other public cameras that can be paired with facial recognition software to track people across the city.

In Moscow, Big Brother Is Watching and Recognizing Protesters

Officials hailed Moscow’s massive facial-recognition camera network as a benign aid to residents that would enforce quarantine restrictions, catch criminals and even let them pay subway fares. Now it’s being deployed to crush dissent against President Vladimir Putin. Police tapped the surveillance system to identify and detain dozens of people who attended last week’s protests in the Russian capital in support of jailed Kremlin foe Alexey Navalny. More than 50 were picked up over the following days, including several journalists.

Signal reveals Facebook’s targeted ad practices

In a blog post, Signal pulled back the curtain on how Facebook uses personal data to serve targeted advertising. The privacy-focused messaging platform publicized a series of Instagram ads it created using Facebook’s advertising tools to show how the social network employs various categories of data into its techniques. [Forbes coverage]

Facebook and Instagram Ask Users to Enable App Tracking in Order to Keep Services ‘Free of Charge’

As a way to convince users to enable tracking across other apps and websites, Facebook is deploying the tactic of telling users that they must enable tracking as part of the App Tracking Transparency framework in iOS 14.5 if they want to help keep Facebook and Instagram “free of charge.”

  • With the release of its iOS 14.5 operating system, Apple has begun to enforce its App Tracking Transparency framework. Applications will be required to offer users an option to either accept or decline to have their information shared with third parties.

Google faces class-action in the UK over alleged iPhone tracking

The U.K. Supreme Court heard arguments in a proposed class-action against Google over alleged iPhone tracking. The case, brought forward on behalf of more than 5 million iPhone users, alleges Google illegally collected personal data by tracking internet-browsing histories. iPhone users between 2011 and 2012 could be owed more than 3 billion GBP. Google Lawyer Antony White argued that under law, claimants could only seek redress if a data breach led to damages.

Survey: Online shoppers express data concerns

A survey found more consumers are using guest accounts when making purchases online, citing data privacy and identity theft fears. 40% expressed concerns over what happens to their data in the online-purchasing process, and 37% said they want more control over data given to businesses, while 13% expressed no concerns. 20% said they were more willing to share data with brands they respect.

CoE adopts Declaration on protecting children’s privacy

The Committee of Ministers of the Council of Europe adopted a Declaration urging member states to bolster protections for children’s privacy and personal data. The council called for increased attention to children’s health data and information collected in educational settings as the COVID-19 pandemic continues to minimize “adverse effects,” such as identifying children who get sick.

Identity / Biometrics

As liquor store thefts rise, ID scanners coming to four Calgary stores

In a partnership with Calgary Police Service, a large Canadian liquor retailer has installed ID scanners in two local stores, with plans to implement the technology in additional stores. The scanners will create controlled entrances, where patrons must present a valid government-issued ID before gaining access. The project is part of a pilot that began last year in Edmonton, which has seen an uptick in thefts at city liquor stores, with more than 2,400 incidents reported to police between January 2020 and April 2021. The Edmonton liquor stores that piloted the scanners saw a 94% reduction in product theft and zero robberies. The pilot project is moving forward into Calgary despite an ongoing investigation by Alberta’s Information and Privacy Commissioner into the use of the ID scanners.

British Columbia’s RCMP breaks own facial recognition rules

The BC RCMP broke its own standards on facial recognition by partnering with U.S.-based biometrics service IntelCenter. The deal, signed in 2016, allowed RCMP to access the 700,000-image database, which was created by lifting facial images from social media and other online sources. RCMP Sgt. Kris Clark indicated the deal was only signed to trial IntelCenter’s database.

A false facial recognition match sent this innocent Black man to jail

According to a police report, the evidence presented by the police officers that led to Nijeer Parks’ arrest was a “high profile comparison” from a facial recognition scan of a photo from what was determined to be a fake ID left at the crime scene that witnesses connected to the suspect. The facial recognition match was enough for prosecutors and a judge to sign off on his arrest.

China Publishes Draft Security Standard on Facial Recognition

On April 23, 2021, the National Information Security Standardization Technical Committee of China published a draft standard (in Chinese) [Google English trans here] on Security Requirements of Facial Recognition Data (the “Standard”). The Standard, which is non-mandatory, details requirements for collecting, processing, sharing and transferring data used for facial recognition. The Standard is one of many new proposed standards relating to privacy and cybersecurity in China.

Data Sciences

Judicial panel hears census privacy challenge

A federal judicial panel heard arguments over the legality of a differential privacy method rolled out by the U.S. Census Bureau in its work on the 2020 census. The case, originally filed in Alabama, questions the statistical method used to enhance individuals’ privacy while maintaining accurate data. There is no timetable for the panel’s ruling, but any appeal would go directly to the Supreme Court of the United States.

Data Privacy and Cryptography Experts File Brief in Support of Census Bureau

Twenty leading experts in data privacy and cryptography filed an amicus brief in support of the Census Bureau’s use of “differential privacy” to protect the privacy of census respondents. The experts, who include inventors of differential privacy, cryptographers, statisticians and legal experts focused on technology and society, document the increased risks of attacks due to the availability of large data sets and computing power available to adversaries, and explain that differential privacy is the only known method capable of preventing such attacks while simultaneously enabling the publication of useful statistics.

Safeguards / Breaches

Toronto hit by ‘potential cyber breach’ from Accellion file transfer software

The City of Toronto says it suffered a “potential cyber breach” from a hack of data from use of its Accellion FTA file transfer server in January that may have involved the health information of individuals. A city spokesperson said the office of the CISO has been investigating and only issued a report on April 20. Asked why it took until now to publicly reveal the incident, the spokesperson said, “The city has not received any ransom demand and we are also not aware that any individual has received a ransom demand as a result of this breach.” See also: Toronto reveals potential cyber breach

Massive school data breach shows we need better privacy policies

The University of California (UC) system announced that it had been hit with a massive data breach. The locale was a third-party file-transfer application called Accellion. UC was just one of the victims of the international cyberattack, which may have afflicted roughly 100 institutions, also including Stanford Medical School, the Universities of Maryland, Colorado and Miami and Yeshiva University in New York.

‘Unprecedented’ breach involving PI of 8,900 kids could have been avoided: MB ombudsman

The Manitoba Ombudsman office revealed an August 2020 data breach exposing the personal information of 8,900 children with disabilities could have been prevented. The ombudsman indicated attention to a similar incident 13 days earlier could have addressed the email error that caused the breach.

Feds took two weeks to notify victims of privacy breach

Staff at the Office of Commissioner of Official Languages accidentally disclosed the IP addresses of 1,500 people who had filed confidential online complaints with the office from January 1, 2019.  Staff on April 16 discovered the breach on April 19. However, it took Commissioner Raymond Théberge nearly two weeks to notify internet users of the privacy breach.

Hacking leads to frozen accounts and stopped EI payments for P.E.I. residents

A growing number of P.E.I. residents have had the accounts connected to their employment insurance frozen, and their payments stopped, after the accounts were hacked.  

Whistler Canadian Resort Suffers Ransomware Attack

The Resort Municipality of Whistler (RMOW) in BC was the target of a ransomware attack earlier this week. The incident forced RMOW to shut down its network, websites, email, and phone systems.

New York Department of Financial Services Issues Report on SolarWinds Cyberattack

On April 15, 2021, the New York Department of Financial Services issued a report on the recent SolarWinds cyberattack. NYDFS characterized the SolarWinds attack as a “widespread, sophisticated espionage campaign” by Russian foreign intelligence actors and called the attack a “wake-up call” to regulated financial institutions and insurers.

At Least Five US Federal Agencies Possibly Breached Through Pulse Secure Vulnerability

In April, the US Cybersecurity and Infrastructure Security Agency (CISA) directed federal agencies to run the Pulse Connect Secure Integrity Tool and report their findings. CISA says that it is now aware of “at least five federal civilian agencies who have run the Pulse Connect Secure Integrity Tool and identified indications of potential unauthorized access.” See also: Pulse Secure Releases Fix for Critical Flaw That is Being Actively Exploited

Experian API Exposed Credit Scores of Most Americans

Consumer credit bureau Experian has fixed a weakness with a partner website that let anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address. Experian says it has plugged the data leak, but the researcher who reported the finding says he fears the same weakness may be present at countless other lending websites that work with the credit bureau.

Data leak makes Peloton’s Horrible, No-Good, Really Bad Day even worse

Peloton exposed sensitive user data, even after the company knew about the leak. Security researchers reported that a flaw in Peloton’s online service was making data for all of its users available to anyone anywhere in the world, even when a profile was set to private.

US Task Force Seeks to Disrupt Ransomware Payments

Some of the world’s top tech firms are backing a new industry task force focused on disrupting cybercriminal ransomware gangs by limiting their ability to get paid, and targeting the individuals and finances of the organized thieves behind these crimes. In an 81-page report [overview] delivered to the Biden administration in April

NIST Published Security Guidance for Remote Patient Monitoring

The National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) has published the second draft of NIST Special Publication 1800-30, Securing Telehealth Remote Patient Monitoring Ecosystem. The public comment period is open now through June 7th, 2021.

NIST opens comment period for guide on HIPAA Security Rule implementation

NIST has opened a comment period for Special Publication 800-66, Revision 1, “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act Security Rule.” NIST seeks comments on ways to improve the guide, as well as awareness, applications and uses for the document. The agency will accept feedback until June 15.

23-30 April 2021

COVID-19

Google Promised Its Contact Tracing App Was Completely Private—But It Wasn’t

AppCensus researchers identified a flaw that allowed hundreds of pre-installed Android applications to scoop up contact-tracing data in user analytics and crash reports. UPDATE: A lawsuit filed in the Northern District of California by two California residents accuses Google of exposing sensitive personal and medical data of Android users of its COVID-19 contact-tracing application. The lawsuit states Google violated individuals’ privacy under California law. UPDATE: Dutch gov’t pauses exposure notifications on their app over data leak fears

NWT: Privacy commissioner investigating COVID Secretariat data breach

The NWT Information and Privacy Commissioner (IPC) is investigating a data breach by the COVID-19 Secretariat where the identities of residents self-isolating were disclosed. The email addresses — and in some cases names — were revealed in an email sent out to travellers who were self-isolating. The department will update its Standard Operating Procedures, requiring all mass emails be reviewed by the director, supervisor or manager before being sent.

COVID-19: NHS app to be used as coronavirus passport for international travel

The U.K. will roll out a vaccine passport scheme via an app supported by the National Health Service. The UK Transport Secretary said the app “will be the NHS app that is used for people when they book appointments,” not the NHS’ contact-tracing app.

Garante voices concerns with EU Digital Green Certificates

Italy’s data protection authority, the Garante, sent a formal warning to the Italian government regarding the data protection risks associated with the EU’s Digital Green Certificate program. The Garante indicated the proposed scheme is “seriously incomplete in terms of data protection, without an assessment of possible risks on a large scale for personal rights and freedoms.” The regulator also notes potential issues with data minimization and purpose limitation, echoing the same concerns recently laid out to the European Parliament by a coalition of advocacy groups.

Advocacy groups oppose EU vaccine certificate

A coalition of 28 advocacy and civil liberties groups penned a letter to the European Parliament urging reconsideration of its proposed Digital Green Certificate program. The organizations are “alarmed about the lack of protection for personal data” in the current proposal, noting “no safeguards against surveillance” and that the program “should do the utmost to reduce the data protection risk” once EU member states apply the certificates to other services. 

Hawaii Approves ‘Vaccine Passport’ Travel Between Islands

After much speculation, Hawaii has announced its plan for a vaccine passport program that will allow vaccinated people to travel between its islands without being subjected to quarantines or pre-arrival testing protocols. The program will begin May 11 and will only recognize vaccines received in Hawaii by fully vaccinated travelers.

Biometrics / Identity

ICO addresses data protection in UK digital identity scheme

The U.K. ICO has released an opinion on how data protection can be applied to the U.K.’s proposed digital identity framework. The ICO said that the draft framework should be supported by “strong governance and effective data protection safeguards.” The ICO also offers recommendations regarding data minimization and purpose limitation, as well as sufficient technical and organizational security measures. [The Information Commissioner’s position paper on the UK Government’s proposal for a trusted digital identity system]

Vancouver police amending facial recognition guidelines

The Vancouver Police Department began drafting new policies on the use of facial recognition by its units in response to findings by Canadian privacy commissioners regarding unlawful biometric data collection by Clearview AI, whose technologies were used by Canadian police. The department hopes to have the policies rewritten by the end of 2021 and committed to a ban on the use of facial recognition until the policies are finalized.

Appeals court rules Amazon can face children’s privacy claims

The U.S. Court ruled Amazon can face a class-action complaint alleging its Alexa device collects and stores children’s voiceprints without permission. Amazon asked the court to send the case to arbitration, arguing parents agreed to arbitrate claims before using Alexa, but the court rejected that request.

New tool can make photos undetectable to facial recognition software

A new tool developed by DoNotPay, Photo Ninja, uses artificial intelligence to make pictures undetectable to facial recognition software. The tool alters photos without significantly changing them, such as adjusting colors or adding unnoticeable objects, which reportedly confuses facial recognition algorithms. “We are in an AI arms race between good and evil,” CEO Joshua Browder said. “We hope to help consumers fight back, protect their privacy, and avoid stalkers on dating apps!”

Amazon’s contactless biometric payment scanners will be installed in seven Whole Foods stores in Seattle. The Amazon One palm readers match an individual’s biometrics with their credit card information.

The new Petco Love searchable national database uses facial recognition technology to help find lost pets. The tool scans uploaded images to determine whether a lost animal may be at a shelter or taken in by a neighbor.

EDPB Issues Draft Guidelines on Data Protection Aspects of Voice Assistants

The European Data Protection Board has issued draft guidelines on the data protection aspects of using the increasingly prevalent virtual voice assistants [details]. The EDPB’s Guidelines are intended to help organizations identify the risks associated with virtual voice assistants, implement the relevant mitigation measures and provide guidance regarding the application of the EU General Data Protection Regulation. Some key points:

  • Transparency is key but is also not easy to do well
  • Some uses may require consent
  • Data retention should be granular and specific for the different processing purposes.

CIPL Submits Response to the EDPB Guidelines on Virtual Voice Assistants

The Centre for Information Policy Leadership (CIPL) submitted its response to the EDPB’s VVA Guidelines, arguing that some of the Guidelines are not well aligned with current market practices and offerings and overlook the privacy-by-design controls implemented by some VVA providers. The CIPL said the Guidelines also should be more nuanced and adaptable to account for the differences in types of VVAs and rapid technological developments to avoid becoming quickly outdated. To address this, CIPL makes several recommendations.

Facial recognition should be banned, EU privacy watchdog says

Facial recognition should be banned in Europe because of its “deep and non-democratic intrusion” into people’s private lives, said the European Data Protection Supervisor. The comments come two days after the European Commission proposed draft rules that would allow facial recognition to be used to search for missing children or criminals and in cases of terrorist attacks. The EDPS said it regretted that the Commission had not heeded its earlier call to ban facial recognition in public spaces.

EPIC Calls for Ban on Corporate Use of Facial Recognition in Coalition Letter

In an open letter, EPIC and 24 civil rights and social justice organizations called on elected officials to ban corporate, private, and government use of facial recognition technology, suggesting Portland, OR’s recent ban on facial recognition as a model. The letter also urges corporate leaders to ban the technology within their companies. EPIC leads a campaign to Ban Face Surveillance and through the Public Voice Coalition gathered support from over 100 organizations and experts from more than 30 countries.

Online Privacy / Surveillance

Research shows ‘massive amount’ of vehicle surveillance in California

The Electronic Frontier Foundation reports its research, “Data Driven 2: California Dragnet,” based on dozens of California Public Records Act requests and data, shows the “massive amount” of vehicle surveillance in the state. In 2019, 82 agencies collected more than 1 billion automated license plate reader scans, while 99.9% of the data was not actively related to an investigation. “Hot lists” of license plates are created, and data not on those lists is stored, which the EFF argues is “a fundamental violation” of privacy.

Lawmakers urge FTC to investigate Google’s marketing of children’s apps

U.S. Sen. Ed Markey, D-Mass., and Rep. Kathy Castor, D-Fla., are urging the FTC to investigate Google’s “misleading” marketing of children’s applications as compliant with the Children’s Online Privacy Protection Act. In a letter to the FTC, the lawmakers said there is evidence many apps “illegally track children’s behavior and share their personal information without consent” and the commission “must use its full authority” to protect children’s interests.

CARU determines platforms’ software inadvertently collected data in child-targeted apps

BBB National Programs’ Children’s Advertising Review Unit found Unity Technologies did not know its advertising software development kit was collecting persistent identifiers through two child-targeted applications. CARU was concerned Unity had “actual knowledge” its Number Coloring and Cats and Cosplay apps violated the U.S. Children’s Online Privacy Protection Act Rule and CARU’s Guidelines for Online Privacy Protection by collecting information from children under 13. Unity subsequently flagged the apps as child-directed on its platform and is working to delete the data it inadvertently collected.

Data-sharing program gives consumers ability to provide anonymous consent

Intent IQ launched a new opt-in data-sharing program, Data Sharing Choice, that gives consumers the ability to provide anonymous consent. Opt-in pop-ups offer consumers the choice to “Manage Options” or “Accept All.” Intent IQ Chairman Roy Shkedi said DSC “fosters consumer privacy, protects publishers’ ability to rely on advertising as their main revenue source, and grants advertisers the ability to reach desired audiences and measure the effectiveness of their ads.”

Apple begins enforcement of App Tracking Transparency framework

With the release of its iOS 14.5 operating system, Apple has begun to enforce its App Tracking Transparency framework. Applications will be required to offer users an option to either accept or decline to have their information shared with third parties. The Financial Times reports Meanwhile, a group of nine German industry organizations filed a complaint with the country’s competition regulator accusing Apple of antitrust violations tied to the ATT framework. 

Data Sciences

European Commission accepting feedback on proposed AI regulation

The European Commission is accepting feedback on its proposal for regulating artificial intelligence for an eight-week period ending June 22. All feedback will be reviewed by the commission “and presented to the European Parliament and Council with the aim of feeding into the legislative debate.” European Commission Publishes Proposal for Artificial Intelligence Act | EU’s Proposed Artificial Intelligence Regulation: The GDPR of AI | Draft EU Regulation for Artificial Intelligence Proposes Fines of up to 6% of Total Annual Turnover | EU – A proposal for the Regulation of AI offers the first structured approach to regulating AI systems | Privacy and the EU’s Regulation on AI: What’s New and What’s Not?

EDPS voices support for European Commission’s proposed AI regulations

The European Data Protection Supervisor voiced its support for the European Commission’s proposed artificial intelligence regulations. European Data Protection Supervisor Wojciech Wiewiórowski said the agency “stands ready to fulfil its new role as the AI regulator for the EU public administration.” While the EDPS backs the proposed regulations, it once again reiterated its call for a temporary ban on the use of remote biometric identification systems in public areas. [Overview of the proposed EU Regulation]

German commissioner, EDRi comment on European Commission’s proposed AI regulations

European Digital Rights said the European Commission’s proposal to regulate AI does not go far enough to protect citizens from discrimination and mass surveillance. The group analyzed the proposed regulations and offered recommendations for improvement. The Rhineland-Palatinate Commissioner said the AI regulations must be assessed from a data protection perspective and called for loopholes around facial recognition technology to be closed.

The FTC has published recommendations for organizations using artificial intelligence. The agency advises companies to ensure datasets include all necessary populations to avoid outcomes that are “unfair or inequitable to legally protected groups.”

Security / Breaches

Ontario BPS cyber expert panel raises alarm

Last autumn, the Ontario government struck an expert panel of cyber advisors [press notice, members, & web portal & overview] with a mandate to “assess and identify common and sector-specific cyber security themes and challenges encountered by Broader Public Sector (BPS) agencies and service delivery partners in Ontario.” The panel has produced an interim report that noted security under-resourcing as well as failures of governance in the university, school board and health care sectors. The panel made two interim recommendations, one to government and another to BPS entities themselves:

  1. That the National Institute of Standards and Technology (NIST) Cybersecurity Framework be endorsed by the Government of Ontario for the Broader Public Sector’s cyber security practices.
  2. That all BPS entities implement a Cyber Security Education and Awareness Training Program. The content of the training materials shall be maintained to ensure currency of information.

Minister Lisa Thompson’s response [April 14 letter here] to the interim report suggests that the government’s assistance will be indirect, via the Cyber Security Centre of Excellence’s learning portal.

Group seeks to designate ransomware a national security threat

U.S. cybersecurity companies, officials from the FBI and Department of Justice, and technology companies, including Microsoft and Amazon, are urging governments to designate ransomware as a national security threat. The group pointed to the risks such attacks pose to citizens, authorities and infrastructure and called for international coalitions to address the problem and “exert pressure on nations that are complicit or refuse to take action.”

Alert Issued for Scam USPS Package Delivery Postponed Texts

Law enforcement officials are warning of a new text message “smishing” scam that involves phony messages being sent from fraudsters posing as members of the US Postal Service (USPS). The messages typically include a link that could potentially expose one to scammers looking to steal personal identifying information. Many who click the phony link have wound up being hacked or prompted to provide new information, officials warned.

FTC promotes data security awareness for corporate boards

The U.S. FTC published a blog post discussing the importance of corporate boards maintaining a presence in their company’s data security efforts. Boards that are proactive “can set the tone throughout an organization by instilling a culture of security.” Key considerations with boards’ data security undertakings include risk assessment, the difference between security and legal compliance measures, and the importance of learning from mistakes.

Belgian DPA releases data ‘sanitisation,’ destruction recommendations

Belgium’s Data Protection Authority released recommendations on data “sanitisation” and destruction techniques. The document aims to help controllers and processors, information security advisers, data protection officers, and others choose and integrate an appropriate sanitization technique, provide information on the various methods available and the results that can be expected, and help the parties comply with certain requirements of the EU General Data Protection Regulation.

Events / Other / Regulators

An emerging tool: Regulatory sandboxes for privacy

A recently published report by Business at OECD (BIAC) explores the potential of sandboxes as a device in privacy regulation. The BIAC report observes that regulatory sandboxes for privacy create opportunities for innovators, with guidance from regulators, to test how cutting-edge, unanticipated technologies and data uses can be deployed in a way that complies with privacy and data protection law. But regulators benefit too: Sandboxes provide them with a close-up view of the most recent advances in data processing and an understanding of the strengths and limitations of existing regulation. Ideally, these insights encourage the adoption of law and policy that furthers effective protections without unduly slowing innovation.

Lawmakers introduce bill tackling driver-monitoring systems, distracted driving

U.S. Sens. Ed Markey, D-Mass., Richard Blumenthal, D-Conn., and Amy Klobuchar, D-Minn., introduced the Stay Aware for Everyone Act. The proposed legislation would require the Department of Transportation to study how driver-monitoring systems can prevent distracted driving. The bill would also mandate the installation of driver-monitoring systems based on the study, “which shall incorporate appropriate privacy and data security safeguards.”

17-23 April 2021

COVID-19

France is first EU member state to start testing digital Covid travel certificate

France has become the first EU member state to begin testing a digital coronavirus travel certificate as part of a Europe-wide scheme that Brussels hopes will allow people to travel more freely within the bloc by the summer. The TousAntiCovid app, part of the country’s contact tracing programme, has been upgraded to store negative Covid-19 test results on travellers’ mobile phones and is being trialled on flights to Corsica and overseas départements from this week. The trial will be extended from 29 April to include vaccination certificates, officials told Le Monde, and the system could eventually be adopted for public events such as concerts, festivals and trade fairs, although not for bars and restaurants. Several EU member states are developing similar systems, leading to concerns about how well they will work together. The EU’s privacy watchdogs also warned earlier this month the scheme must respect data protection laws and “have an appropriate legal basis” in each member state.

Big Tech Unleashes Vaccine Passports as Privacy Questions Loom

The IBM-created Excelsior Pass, which debuted last month, is among a growing number of apps that could help Americans safely return to sporting events, theaters, restaurants, and flights. But they’re also raising privacy concerns. The federal government’s decision to remove itself from creating digital passports was made to avoid vaccine hesitancy from those “concerned the government will play too heavy-handed of a role in monitoring their vaccinations,” said a senior adviser for the White House’s Covid-19 response. Overseas, European Union data regulators said plans for digital certificates must preclude access to and use of patient data by governments after the pandemic. The U.K. will test out its own system requiring people to show they are virus-free. And Israel has already launched its version of a vaccine passport called a “Green Pass,” which residents use to enter crowded spaces like concerts or weddings. The International Air Transport Association is testing its own app that could confirm whether someone has been vaccinated or recently tested negative for Covid-19 before being allowed to board a flight. Virgin Atlantic and Qatar Airways are among the airlines running trials on the IATA pass.

Durham launches ‘virtual assistant’ to let people know they have tested positive for COVID-19

The Durham Region health department is moving to a “virtual assistant” to let people know they have tested positive. Those who test positive will receive a text message from the health department, which will include a secure link to complete a personal assessment survey. In some cases, residents who test positive may not receive a text message, such as when they haven’t provided a mobile phone number at the time of testing. The department will gather information on the person’s health status, close contacts and potential exposures to the virus. All information collected is kept confidential and is protected by Ontario’s privacy laws.

Biometrics

BC VPD looks to develop policy for use of facial recognition technology

The Vancouver Police Department is researching current best practices governing the lawful use of facial recognition technology with the aim of drafting a policy before the end of the year. The department’s push for a policy comes two months after Canada’s privacy commissioner blasted New York-based company Clearview AI for violating the country’s privacy laws. Those violations involved Clearview collecting images of Canadians, including children, and marketing its services to law enforcement in Canada. The police acknowledged last year that one of its investigators from its Internet child exploitation unit downloaded a trial version of the service after attending a conference on child exploitation. The officer uploaded one photograph into Clearview’s database in an effort to identify a person to support an investigation concerning the production and distribution of child pornography. In a report that went before the Vancouver Police Board April 15, the department said the use of the software did not assist in the investigation. While the police report makes it clear the VPD will not use Clearview AI again, the department said it “may test other forms of facial recognition software to evaluate service efficacy, as well as to assess privacy, identification and security risks and safeguards.” But Police Chief Adam Palmer assured the police board April 15 that his officers will not use facial recognition technology for investigations until a policy is in place.

Outside advisors study NZ police facial recognition tech use

New Zealand police appointed two outside advisors who will conduct a six-month study on the safe use of facial recognition technology, RNZ reports. Based on U.S. law enforcement, Electronic Frontier Foundation Policy Analyst Matthew Guariglia said he is skeptical. “Once it’s already in the hands of the police, it becomes even harder to take it away from them. Because then they feel like they’re being denied technology they’ve already worked into their daily routines,” he said.

Lawsuit alleges facial recognition led to wrongful arrest

Civil rights organizations filed a federal lawsuit against the Detroit Police Department on behalf of a Michigan man alleging he was wrongfully arrested and jailed due to faulty facial recognition technology. “The technology is racially biased, flawed, and easily leads to false arrests of innocent people, just like our client,” said University of Michigan Law School Civil Rights Litigation Initiative student Jeremy Shur. CRLI filed the suit with the American Civil Liberties Union and ACLU of Michigan.

Online Privacy

Government puts Facebook under pressure to stop end-to-end encryption over child abuse risks

Facebook faces growing government pressure to abandon its plans to offer users end-to-end encryption to secure the privacy of their messages as the National Society for the Prevention of Cruelty to Children (NSPCC) raises concerns about child protection. warn that end-to-end encryption will severely erode the ability of tech companies to police illegal content, including child abuse and terrorism. The home secretary’s intervention is the latest salvo in a long-running battle by ministers and the intelligence services against the growth of end-to-end encryption.

Surveillance

Loss of privacy is public’s biggest fear as ECB eyes digital currency

Losing the anonymity that comes with paying in cash is the public’s biggest concern about a shift to a so-called digital currency, something the European Central Bank is considering and which would operate alongside bank notes, coins and existing euro payments. A new survey of eurozone citizens by the ECB found people expect any new digital euro to be private, safe and cheap. An ECB poll showed that privacy when making payments, a key feature of cash that some fear will get lost when switching to an electronic means of payment, was the number-one priority for both private individuals and professionals.

Canadians grow wary of employee-monitoring tactics

A growing number of Canadians are concerned over employers’ requests to download location-tracking applications while on the job. Apps that have been used include Blip, ActivTrak, Teramind and Hubstaff, and each has its own privacy policy that leads back to employer control. One employment lawyer said employers should “be explaining what the app is for” and “understand where that data is going.”

USPS program allegedly tracks, collects social media posts

The U.S. Postal Inspection Service’s Internet Covert Operations Program is allegedly tracking and collecting Americans’ social media posts, including those on protests, looking for “inflammatory” postings. Postings are then shared across government agencies. While civil rights advocates raised concerns around the post office’s involvement in social media surveillance, the USPIS said in a statement the program “assesses threats to Postal Service employees and its infrastructure.”

Australian court finds Google’s location data collection unlawful

The Federal Court of Australia ruled Google misled users regarding the details of its location data collection retained from its applications. Penalties will be decided at a later date.

Is Google Chrome testing secretive new tracking tool on YOU?

Google is testing an all-new replacement for browser cookies that track your movements and interests across the web. However, the US company has not provided a way to find out whether you’re one of the millions included in this trial. EFF has launched a new website called Am I FLoCed, which is designed to allow those included in the latest round of tests from Google to know whether they’re being used as guinea pigs for the new tracking tools. According to Google, around 0.5% of its users are included in the latest round of trials (13,250,000 Chrome users worldwide).

FPF publishes recommendations for AR, VR privacy risks

A new report from the Future of Privacy Forum outlines recommendations for tackling privacy risks associated with augmented and virtual reality technologies. Researchers offered their suggestions for responsible implementation of extended reality tech through the examination of current and future use cases. The recommendations are aimed at platforms, manufacturers, developers, experience providers, researchers and policymakers.

Google supports temporary ePrivacy derogation to fight child exploitation online

Google said it supports a temporary derogation from the ePrivacy Directive to combat the “sexual exploitation of children online.” In its comments on the commission’s consultation on the topic, Google also supports the creation of a center to help with law enforcement and prevention on an EU level.

Data Sciences

MEPs send thoughts on draft AI rules to European Commission leaders

Members of the European Parliament sent a letter to leaders of the European Commission on the leaked draft rules on artificial intelligence. While the MEPs are pleased to see the rules address surveillance concerns, the group also expressed concerns about portions of the draft that need to either be improved or removed completely. A coalition of advocacy groups, led by European Digital Rights, also sent a letter to commission leaders expressing their thoughts on the draft AI rules.

European Commission publishes proposal for AI regulation

On April 21, the European Commission unveiled its long-awaited proposal for a regulation laying down harmonized rules on artificial intelligence and amending certain union legislative acts. The proposal is the result of several years of preparatory work by the commission and its advisers.

Recent moves may signal notable change in AI enforcement

MIT Technology Review reports on the future of artificial intelligence enforcement following the release of the European Commission’s proposal for AI regulation and the U.S. FTC’s post on the subject. The FTC said selling racially biased algorithms could count as an unfair and deceptive practice under the FTC Act.

OPC breaks down privacy-enhancing technologies

The Office of the Privacy Commissioner of Canada published a blog post outlining how certain privacy-enhancing technologies can support businesses’ data privacy efforts. The OPC explained the benefits of federated learning and differential privacy, outlining how both employ respective anonymization practices that keep datasets protected. However, the OPC notes both technologies have received mostly “theoretical development” because there have been “few use-cases in businesses.”

Security

UK, US say Russian hackers carried out SolarWinds attack

U.K. and U.S. intelligence agencies accused hackers from a Russian foreign intelligence service of executing various cyberattacks, including the SolarWinds data breach. In the U.S., the accusation was included in a joint advisory from the National Security Agency, Cybersecurity and Infrastructure Security Agency, and Federal Bureau of Investigation, also noting five ongoing system vulnerabilities that need patching. The U.K. National Cyber Security Centre issued its own claim placing responsibility on the Russian bad actors.

DOJ launches task force to address ransomware threats

The US Department of Justice has established a task force to address ransomware attacks. The task force will seek to increase intelligence sharing among DOJ entities while working to reveal the origins of the attacks, both the cybercriminals and their country.

Facebook breach draws EU ‘mass action’ lawsuit

Digital Rights Ireland filed a class-action lawsuit against Facebook over alleged EU GDPR violations stemming from its data breach affecting more than 530 million users worldwide. Facebook said it is focused on efforts to “continue to strengthen our systems to make scraping from Facebook without our permission more difficult.” However, the company also pointed to recent scraping issues for LinkedIn and Clubhouse, adding “no company can completely eliminate scraping.”

Events

The FTC announced the agenda for its April 29 “Bringing Dark Patterns to Light” workshop, which will include panels exploring the characteristics and types of dark patterns, how they affect consumers and communities of color, how they target teens and kids, and best ways to address them.