Biometrics
US – Homeland Security Eyes Expanding Biometric Collections at US Borders
Homeland Security officials are working on a plan to vastly expand the collection of biometric information at US borders in an effort to more closely track foreign visitors. The program aims to put in place more biometric scanners, which may include iris, face, and fingerprints, at border crossings beginning in 2018 in an effort to ensure visitors do not leave the US under another person’s passport. DHS has collected biometrics in an entry and exit program since 2004. [The Christian Science Monitor] See also: [Allan Richarz: What, if any, rights to privacy do you have when crossing the border?]
US – Disney World Starts Scanning Kids’ Fingers
Walt Disney World has begun requiring children from 3 to 9 years old to have their fingers scanned when they enter the theme parks, just like older kids and adults. Disney said the new process will help block the use of stolen and shared tickets. Previously, kids’ tickets would have been easy to transfer because they had no finger images attached to them. Parents who feel uncomfortable with having their kids’ fingers scanned can use their own instead. Disney introduced scanners more than a decade ago that used “finger geometry” — pictures of several points on people’s fingers. [Orlando Sentinel]
WW – Wi-Fi Routers Can Identify, Spy on You
Wifi signals can be used to monitor humans—and in surprisingly detailed ways. As people move through a space with a Wi-Fi signal, their bodies affect it, absorbing some waves and reflecting others in various directions. By analyzing the exact ways that a Wi-Fi signal is altered when a human moves through it, researchers can “see” what someone writes with their finger in the air, identify a particular person by the way that they walk, and even read a person’s lips with startling accuracy—in some cases even if a router isn’t in the same room as the person performing the actions. Several recent experiments have focused on using Wi-Fi signals to identify people, either based on their body shape or the specific way they tend to move. Earlier this month, a group of computer-science researchers at Northwestern Polytechnical University in China posted a paper to an online archive of scientific research, detailing a system that can accurately identify humans as they walk through a door nine times out of ten. [The Atlantic]
Canada
CA – Government to Launch Bill C-51 Review
The Liberal government will launch the public phase of its long-awaited national security review with the release of a discussion paper. The government has promised to repeal what it calls the problematic elements of omnibus security legislation, known as Bill C-51, ushered in by the previous Conservative government. The Liberals also plan to introduce new measures they say will do a better job of balancing collective security with rights and freedoms. Among other things, the government has pledged to ensure all Canadian Security Intelligence Service (CSIS) warrants respect the Charter of Rights and Freedoms. This could roll back new provisions allowing CSIS to disrupt terror plots through tactics that breach the charter as long as a judge approves. Public Safety Minister Ralph Goodale has said the government is open to an expansive revamp of national security legislation and policy, not just the handful of promised changes. Goodale and Justice Minister Jody Wilson-Raybould are slated to discuss the consultation at a news conference in Edmonton. They will release a discussion paper as well as a lengthy background document outlining national security issues. [Global News] The consultation can be found here and runs until Dec. 1. [Bill C-51: Liberals says changes to anti-terrorism law coming soon | Federal agencies already using new Bill C-51 information-sharing powers | Making the spies accountable: real change or illusion? | Privacy Advocates Fear Bill C-51 Consultations Will Be Skewed | Trudeau should stop delaying on fixes to anti-terror laws | A Liberal sense of mystery surrounds the future of Bill C-51 | Liberals identify 10 key national security issues for public consultations | B.C. Civil Liberties Association reacts to national security consultation announcement | 8 things you need to know about Bill C-51 | Lawyers at the BC Civil Liberties Association have gone over the bill paragraph by paragraph, and outlined the parts of this massive document that concern them most. For a more comprehensive explanation of concerns, read their Submission to the Standing Committee on Public Safety and National Security | Concerns over Bill C-51 prompt CSIS to brief other agencies on operations | National security review tries to tackle needs of law enforcement in digital world | Anti-terror revamp to stretch into next year as Liberals launch consultation]
CA – CSIS Briefs Government Agencies on Bill C-51 Concerns
The Canadian Security Intelligence Service has moved to tamper down concerns with the controversial surveillance law, Bill C-51. The omnibus bill designed to overhaul CSIS has “sent ripples throughout the federal-security bureaucracy.” To help the relevant agencies that are concerned with the changes, CSIS has intimated it will give them a heads up about what it is doing. For example, “when CSIS is considering the use of threat-reduction measures, CSIS will initiate strategic case-management discussions with the RCMP on the target of the measure… The RCMP may indicate that it needs time to review the information discussed to assess any potential conflict,” and if the two agencies see a conflict, “the matter will be referred for a more senior level discussion.” [The Globe and Mail]
CA – Ontario Court Awards Damages for Family Member’s Disclosure of Mental Health Information
The Ontario Small Claims Court, in Halley v McCann, 2016 CanLII 58945 (ON SCSM), recently awarded a plaintiff $9,000 in damages for breach of privacy. The case arose because the defendant disclosed the fact that the plaintiff had admitted herself to a mental health facility. The defendant is also the half-sister of the plaintiff. It was alleged that the defendant had told three people outside the facility about the plaintiff’s stay there. No other information was disclosed. The Court then awarded an additional $1500 in punitive damages. [Canadian Privacy Law Blog]
CA – ‘Unprecedented’ Number of Online Privacy Breaches Reported in Alberta
Alberta’s privacy commissioner is seeing an “unprecedented” number of breach reports under the province’s Personal Information Protection Act, including e-commerce hacks, ransomware and phishing scams. A 15-member committee is in the midst of reviewing the act, which was last updated in 2010, and this week heard suggestions from 10 presenters. Provincial privacy commissioner Jill Clayton said that while she doesn’t think the act is a broken piece of legislation, she would like to see it tightened in a few areas, including extending it to cover non-profits and requiring organizations to have privacy management programs in place. She said government agencies and law enforcement are increasingly relying on personal information collected by the private sector but, as the law stands, there’s no way for people to know the number, scale, frequency of or reasons for disclosures without consent. [Edmonton Journal] [The Edmonton Sun: Alberta Sees Increase in Data Breaches, Seeks to Improve PIPA]
CA – Ontario Court Orders Video-Sharing Website to Disclose Subscriber Information to School Board
An Ontario Court has issued a decision in a request submitted by a school board compelling YouTube/Google to disclose user information. The video-sharing service must, within 20 days, disclose the subscriber registration and IP information of a particular account holder who may have unlawfully posted a video of a vulnerable student without consent of the students, his parents, or the Board; the Board has requested the video in order to pursue disciplinary and copyright proceedings (the poster is suspected to be an employee). [Ottawa-Carleton District School Board v. YouTube, Inc., YouTube, LLC and Google, Inc. – Order – Ontario Superior Court of Justice | Ottawa Citizen]
Consumer
WW – Study: Government Surveillance Leads to Bad Passwords?
Professor Stanislav Mamonov explains what he sees is the connection between weak passwords, government surveillance, a societal feeling of helplessness, and his research. A 2016-published survey of 400 asked the participants to answer questions about their perspectives toward online privacy and secure their information with a password after reading four news stories about the topic. Mamonov found that those exposed to stories about government surveillance picked worse passwords than those who didn’t. The results were “very unexpected” for his team, leading to an as-of-yet unpublished secondary project to explain their findings. “And the only emotion out of the more than 20 that we assessed that was affected by exposure to government surveillance was the feeling of helplessness.” [The Atlantic]
E-Government
US – House Oversight Committee Report on OPM Breach
According to a report from the US House Oversight and Government Reform Committee, the breach of systems at the Office of Personnel Management (OPM) was due (in large part) to “the longstanding failure of OPM leadership to implement basic hygiene.” The report notes that there were two breaches at OPM. The first, which began in November 2013 and was shut down in May 2014, targeted manuals and technical information about the types of data stored in OPM systems. The second breach targeted personally identifiable information, including background investigation data and personnel records. [www.darkreading | arstechnica | www.theregister | https://oversight.house.gov]
UK – Study Calls Out UK Government for Poor Security Leadership, Practices
A National Audit Office (NAO) study has criticized the U.K. government’s online security practices. Among the 73 teams compromising 1,600 employees with data security duties was a sense of confusion about who to go to for “guidance.” The NAO study also found a “dysfunctional” process of reporting breaches and encryption practices that left many “unsecured endpoints.” A government representative acknowledged that the government was aware of the problems found by the NAO study. “So we are already well under way in strengthening oversight of information security by bringing together nine separate central teams into just two,” the representative said. “We have also appointed the government’s first ever chief security officer.” [BBC]
Encryption
WW – Google Chrome to Warn Users of Unencrypted Websites
Google will start warning users about sites using HTTP rather than HTTPS early next year. When the stable version of Chrome 56 is released at the end of January 2017, the browser will warn users when sites send passwords or payment card data over non-secure, HTTP connections. The warnings are “part of a long-term plan to mark all HTTP sites as non-secure,” according to Google’s blog post. [Computerworld | CNet | The Register | Motherboard | https://security.googleblog.com]
WW – Chrome OS Verified Access API
Google has introduced the Verified Access API, which organizations can use to cryptographically validate Chrome OS devices and make sure that the devices are compliant with security policies before accessing the network. The API uses digital certificates stored in the Trusted Platform Module (TPM). [ComputerWorld | IT News]
EU Developments
EU – Children and Minors: EU DPAs Outline Key Privacy Issues
The ARCADES project, involving Data Protection Authorities producing educational materials on data protection and privacy, has provided guidance on protecting children’s privacy issues at schools. Students should be taught about why privacy is important, types of data considered sensitive, obligations of organisations, how to refuse or consent to personal data collection, and how to modify online privacy settings; it is important that students do not publicly share their address, phone number, or email account, have a clear understanding that content posted or shared will be available to everyone, and know what information can be found if their name or alias is searched. [Introducing Data Protection and Privacy Issues at Schools in the EU]
UK – Ruling Shows ICO Will Use Tiered Approach to Breach Notification
A new ruling by the information rights tribunal suggests that businesses in the UK should be prepared to make multiple notifications to the Information Commissioner’s Office (ICO) in the event of a data breach under new EU data protection laws In the TalkTalk case, the information rights tribunal upheld a decision by the UK’s Information Commissioner’s Office (ICO) in which the watchdog fined TalkTalk £1,000 for failing to notify it of a personal data breach within 24 hours after the detection of that breach. [Out-Law News]
Finance
PCI Council Releases New Card Reader Standards
The Payment Card Industry (PCI) Security Standards Council has released a new standard aimed at reducing fraud originating at point-of-sale terminals. To comply with the PCI PIN Transaction Security Point-of-Interaction Modular Security Requirements version 5.0, point-of-sale card readers must support and cryptographically authenticate firmware updates; must be tamper-proof; and must not leak keys through side-channel monitoring. The new standard will take effect in September 2017. Sources: Dark Reading| The Register| PCI Security Standards]
US – CFPB Levies $100 Million Penalty Against Bank for Unlawful Sales Practices
The Consumer Financial Protection Bureau (CFPB) has entered into a consent order with Wells Fargo to settle allegations of deceptive sales practices in violation of: sections 1031 and 1036(a)(1)(B) of the Consumer Financial Protection Act of 2010. The bank opened deposit accounts and made transfers to those accounts, submitted applications for credit cards, enrolled consumers in online banking services and activated debit cards, all without customers’ knowledge or consent; the bank’s Board is responsible for all compliance with the consent order. The bank must hire an independent consultant to conduct a comprehensive review of its sales practices and implement a compliance plan, and allot $5 million for consumer redress. [Consumer Financial Protection Bureau – Consent Order – Wells Fargo Bank, N.A. [ Press Release]
FOI
CA – OIPC BC Orders Government Agency to Disclose 911 Caller Details
This OIPC order addresses BC Emergency Health Services’ partial withholding of records requested under the Freedom of Information and Protection of Privacy Act. The applicant met the test for disclosure of the caller’s first name and telephone number for a fair determination of her rights; the identity of the caller relates to the applicant’s legal right to sue for damages due to an accident, the applicant has indicated she is contemplating a legal proceeding, and the caller’s withheld identity is necessary to prepare for such a proceeding, regardless of whether the applicant may be able to learn the 911 caller’s identity as part of a court process. [OIPC BC – Order F16-36 – BC Emergency Health Services]
CA – OIPC BC Orders Government Ministry to Disclose Generic Data on Employees’ Grievances
This OIPC order addresses the Ministry of Finance’s partial refusal to disclose records request under B.C.’s Freedom of Information and Protection of Privacy Act. The ministry correctly applied an invasion of third party privacy exemption to most of the data contained within a table, but is able to redact employee numbers, dates and department names and disclose column headings and other generic information. [OIPC BC – Order F16-33 – Ministry of Finance]
CA – OIPC PEI Finds Questions of Accuracy in Information Contained in Responsive Records is Not a Valid Reason to Withhold Access
The OIPC PEI reviewed Health PEI’s response to a request for records, pursuant to the Freedom of Information and Protection of Privacy Act. The public body informed an individual that it did not hold statistics on ambulance response times for all calls in a specific area; however, the public body had custody and control of paper patient care reports that would have satisfied the request, and its assertion that the reports contained inaccurate information is not a sufficient reason to withhold the records. [OIPC PEI – Order No. FI-16-005 – Health PEI]
Genetics
CA – Winnipeg Drivers Asked to Voluntarily Submit DNA Sample for Drug Testing at Checkstop
In the early morning hours of Sept. 8, drivers were being checked at a roadside stop and asked the standard “have you been drinking” question by Winnipeg police officers. After drivers were cleared by police, they were asked if they would voluntarily complete a survey. On the side of the road there were approximately five areas set up with tablets and an area set up by Manitoba Public Insurance (MPI). “We are asking for your help in a voluntary driver safety survey that deals with alcohol, drugs and driving,” read a part of the survey. “(You will be asked) to provide a breath sample to measure the amount of alcohol in your system… If the test shows that you are over the legal limit, you will be asked to let a non-impaired passenger drive, or we will provide you with a free taxi ride to your destination.” MPI said it is using the samples to test for drug usage and are trying to determine a baseline before marijuana use is legalized in Canada. …According to the crown corporation, similar surveys were conducted in Ontario in 2014 and British Columbia in 2010 and 2012, although no data was available for any of those. …MPI said all information is voluntary and remains anonymous. “No names are taken. The information is not shared with anybody else.” Privacy lawyers said it does raise concerns for drivers. Police did not explain their officer’s involvement in the roadside checkstop and survey, as it was an armed, uniformed officer who was the first point of contact with drivers. Police refused repeated requests for an interview. [Global News] See also: [DNA Dragnet: In Some Cities, Police Go From Stop-and-Frisk to Stop-and-Spit]
US – Law Enforcement DNA Collection Sparks Concerns
Police departments in smaller cities are collecting DNA samples from citizens, even if they are not charged or suspected of committing a crime, according to a new report. The cities have begun to assemble their own DNA databases, created with help of privacy labs in order to help law enforcement investigate minor crimes. Privacy advocates are concerned police departments will abuse the power to collect DNA samples, but as consensual DNA collection is a relatively new way to collect data, the rules remain unclear. “There’s no laws, there’s nothing,” said Bensalem Police Department’s Frederick Harran. “We’re in uncharted territory,” he said. “There’s nothing governing what we’re doing.” [ProPublica]
CA – Genetic Information Privacy Bill May Fail Over Lack of Liberal Support
Bill S-201, which seeks to entrench privacy rights around Canadians’ genetic information, will go to second reading just days after the House reconvenes — but its sponsor in the House of Commons, Liberal MP Rob Oliphant, isn’t sure his government will let it proceed. He was told instead the Justice Department has some reservations over the constitutionality of the bill, he said, but wasn’t told what those reservations were. A promised briefing by government officials has not yet happened, he said. Put forward by independent Liberal caucus leader Sen. James Cowan in 2013, S-201 would keep Canadians’ genetic test results private and make it illegal for insurers or employers to demand them, removing the fear of financial penalties that currently give many pause when considering the potentially life-saving testing. It would also add “genetic characteristics” to the Canadian Human Rights Act as a type of discrimination. Critics for the Conservative, New Democratic and Green parties have all confirmed they and their parties will support the bill at second reading on Sept. 20, leaving the government seemingly alone in its uncertainty. Private member’s bills that have issues, even constitutional problems, are usually permitted to go to committee for further study to help correct those problems. Previous attempts to create privacy protections around genetic testing drew criticism from the insurance industry, which is not specifically mentioned in S-201. Nonetheless, those advocating against the bill’s passage have warned that privacy regulations could lead to higher health insurance premiums. The Canadian privacy commissioner’s office said that, as in other countries where similar legislation has been passed, “The impact of a ban on the use of genetic test results by the life and health insurance industry would not have a significant impact on insurers or the efficient operation of insurance markets.” [National Post]
Health / Medical
CA – Health Leader, Nunavut Privacy Commissioner Take Different Sides On Privacy Audit
A top Nunavut health bureaucrat, Chris D’Arcy, has disputed “nearly everything” Privacy Commissioner Elaine Keenan Bengts said before a committee of members of the legislative assembly on the territory’s health department and a recent privacy audit experience. Specifically, D’Arcy maintained that contrary to Keenan Bengts’ report, “the creation of health-specific legislation is a priority for the department of health and the GN [Government of Nunavut] as a whole.” He also argued that unlike what Keenan Bengts said during her time with that committee that “the GN values the role of the Information and Privacy Commissioner as an ombudsman and firmly believes that a positive and collaborative relationship between public bodies and the commissioner’s office provides the most benefit to the GN and all Nunavummiut.” [Nunatsiaq Online]
Horror Stories
CA – Ontario Court Approves Settlement in Home Depot Breach Lawsuit
An Ontario court has approved a settlement in a class-action lawsuit against Home Depot of Canada, Inc. and its corporate parent. Between April and September 2014, Home Depot’s payment card system was hacked, but no evidence of fraudulent credit card charges was found. The settlement was valued at $400,000 for the settlement class members. Home Depot also agreed to create a non-reversionary fund of $250,000 “for the documented claims of Canadians whose payment card information and/or email address was compromised as a result of the data breach during the data breach period.” [Canadian Underwriter]
WW – Olympic Athlete Doping Test Results Leaked
Medical information about Olympic athletes has been leaked, according to the World Anti-Doping Agency. While the leaked information shows that some athletes tested positive for banned substances, all had received therapeutic medical use exemptions, and were not breaking any rules. [Source: ArsTechnica | BBC | Computerworld | Wired]
Identity Issues
US – Privacy Groups ask FCC to Reconsider Anonymized Data Carve Out
A group of more than 30 privacy organizations has written a letter to Federal Communications Commission Chairman Tom Wheeler asking him to reconsider creating a carve out for anonymized data in his broadband privacy proposal. In the letter, the privacy groups say ISPs have failed to demonstrate customer benefits from the carve out, while also stating customers should remain in possession of their own data. The groups believe it would be an “an attractive way for [ISPs] to circumvent the vital consumer protections that will be put in place by this rule.” [Broadcasting & Cable]
Intellectual Property
CA – Thousands of University of Manitoba Students Hit with Illegal Download Notices
Downloading the latest episodes of Game of Thrones and other hit shows has landed thousands of University of Manitoba students in hot water. But the university – despite being forced to pass on violation notices to students illegally downloading content through its networks – is warning students not to fall prey to aggressive collection agencies’ pressure tactics. Joel Guenette, copyright strategy manager with the UoM, estimates that the university has forwarded roughly 6,000 notices to students since the law took effect in January of last year. The notices range from gentle reminders from companies like HBO that its content is available legally through a variety of streaming platforms to more aggressive letters threatening lawsuits and demanding users pay resolution fees to settle their cases. Guenette said it’s important for students to know that at no point does the university provide agencies with people’s personal information or identities. [Source]
Law Enforcement
CA – University Researchers Compile Stingray Study, Call for Change
Everything that is known or suspected about the government’s use of these machines – called “IMSI catchers,” “cell-site simulators” or “Stingrays” – is chronicled in a comprehensive, first-of-its-kind, 130-page study written by privacy experts. Researchers Christopher Parsons and Tamir Israel say it’s time for civil society to debate the pros and cons of IMSI catchers, even if many government agencies still won’t discuss them. ”IMSI catchers pose a particularly insidious threat to real-world anonymity,” write Mr. Parsons and Mr. Israel. Their paper, which is titled “Gone Opaque,” points out that corporations that manufacture IMSI catchers often swear police to non-disclosure agreements. Germany releases annual statistics on that government’s use of IMSI catchers, and that the U.S. Department of Justice has posted the rules that American authorities must abide by. In Canada, RCMP-led surveillance teams are understood to control IMSI-catcher technology and lend it out to smaller police forces shadowing specific suspects. But IMSI catchers also pull digital identifiers from the phones of everybody in proximity, raising many privacy questions. “This ongoing secrecy has the effect of delaying important public debates. Given the potential for IMSI catchers to massively track Canadians who have done nothing wrong other than be near the surveillance device, it is imperative to ensure [security] measures are in place.” The Telecom Transparency Project and the Canadian Internet Policy & Public Interest Clinic-commissioned report suggests routine notification procedures if a Stingray accidentally captures data. [The Globe & Mail] See also: [UK oversight body tipped to examine phone snooping tech in prisons] [Here Is the Contract for the UK’s First Confirmed IMSI Catcher] [Long-Secret Stingray Manuals Detail How Police Can Spy on Phones]
EU – Berlin DPA Investigation Reveals Excessive and Unlawful Use of Silent SMS by Law Enforcement
The Berlin Commissioner for Privacy and Freedom of Information investigated law enforcement use of “silent SMS” in criminal investigations. One third of case files examined did not have an apparent need for use of silent SMS (less intrusive approaches to determine individuals’ locations were not considered), judicial applications were frequently made for collection of traffic data, which were then used to send silent SMS (without justification or disclosure in the application), and reasons for use of silent SMS were not officially recorded. [DPA Berlin – Final Report on Use of Silent SMS in Criminal Investigations]
Location
US – Lawmakers Wrestle With Cellphone Tracking for Missing Persons
Lawmakers are eyeing a deal with privacy advocates on a bill that would give law enforcement officials more access to location data from mobile phones. The Kelsey Smith Act, named for a young Kansan who was kidnapped and murdered almost a decade ago, would require mobile phone providers to give location data to law enforcement agencies in some emergency situations. But privacy advocates on the left and the right are worried about the proposal, fearing it would invite abuse. They have worked to slow down a version of the bill in the Senate that lacks additional protections. Privacy groups are pushing to add a provision to the law that would mandate that the owner of a mobile phone whose location was tracked be notified of the decision. Wessler said police departments should also have to report “basic data” about their requests. Supporters of the bill counter that law enforcement would be given just enough data to find an individual in trouble. [Source]
Online Privacy
US – Student Privacy Pledge Reaches 300 Signatures, FPF Announces
The Future of Privacy Forum and the Software & Information Industry Association’s Student Privacy Pledge has garnered 300 signatures from ed tech companies. The 2014-launched initiative to better protect and secure student data has received the support of President Barack Obama and the National School Boards Association. “As students return to school for the fall and teachers develop their curricula to incorporate the benefits of data and technology, companies that take the Pledge are ensuring that they are accountable for how they safeguard student data,” said Future of Privacy Forum CEO Jules Polonetsky. [FPF Press Relase]
US – OTA Requests Public Call for Comment for 2017 Trust Audit
The Online Trust Alliance has issued a call for public comment on criteria that should be included in its 2017 Online Trust Audit. The benchmarking research evaluated websites across industry sectors for responsible privacy and data security practices. The goal of the audit is to track industry best practices for privacy, provide tools and resources to help companies bolster their privacy practices, and recognize those organizations that do achieve a high level of protection. “In order to maintain consumer trust and confidence and spur the vitality of online services, it is imperative that organizations double-down on security and privacy measures,” said OTA Executive Director and President Craig Spiezle. Twitter and Healthcare.gov were among those that topped OTA’s 2016 audit. [OTA Alliance]
WW – App vs. Website: Which Best Protects Your Privacy?
Both apps and websites leak personal information, including names, gender, phone numbers, and e-mail. But don’t despair. Northeastern researchers, led by assistant professor David Choffnes, have developed an automated system to help you know which platform to use for your online interactions. In particular, the team investigated the degree to which each platform leaks personally identifiable information—ranging from birthdates and locations to passwords—to the advertisers and data analytics companies that the services rely on to help finance their operations. The answer? “It depends,” says Choffnes, a mobile systems expert in the College of Computer and Information Science. “We expected that apps would leak more identifiers because apps have more direct access to that information. And overall that’s true. But we found that typically apps leak just one more identifier than a website for the same service. In fact, we found that in 40% of cases websites leak more types of information than apps.” [Source]
US – Class Action Complaint Alleges App Intercepted Phone Communications Without Consent
LaTisha Satchell filed a class action complaint against Sonic Notify, Inc. et al. alleging unlawful interception of consumers’ oral communications in violation of the Electronic Communications Privacy Act. The mobile app delivered scores, news, and information to users about a basketball team, and integrated beacon technology to allow targeting of specific users to send tailored content, promotions or advertisements; the complaint alleges private communications were intercepted without informing users and without obtaining their consent. [Latisha Satchell v. Sonic Notify Inc. et al. – Class Action Complaint – US District Court Northern District of California, San Francisco Division]
AU – Study: Online Service Providers’ Agreements Problematic?
A UTS’ Communications Law Centre study funded by the Australian Communications Consumer Action Network has maintained that online service provider privacy agreements “have the potential to be interpreted as unfair, unconscionable or misleading under domestic consumer laws.” The study examined consent practices, data sharing, and the time consumers have to look over the long privacy terms. Of particular concern was what the study’s authors considered a generalization of terms that could lend consumers to “challenge [them] under Australian Consumer Law as misleading.” The CLC encouraged companies to conduct more research into understanding users’ attitudes regarding privacy. [CSO Online]
Other Jurisdictions
WW – IAF Reveals Details of Its ‘Effective Data Protection Governance’ Project
The Information Accountability Foundation (IAF) reported on its work creating what it believes is a more Effective Data Protection Governance method when responding to the complexity of information flows, while also meeting the goals of stakeholders. “We believe that, while the ‘tenants’ (sic) or ‘objectives’ of data protection remain the same, today’s complex information ecosystems suggest a need to evolve our approach to achieving these objectives,” writes Peter Cullen. “Data-driven innovation and the organizations that are dependent upon such activities must develop and demonstrate evolved information use governance systems to avoid many of the risks associated with such practices, including policy makers and/or regulatory action.” Cullen details the objective of the project, including enabling an enforcement model providing more capability for regulators and achieving implementable alignments of the EDPG model with existing laws. [IAF] The annual IAPP and EY-underwritten Privacy Governance Report has found that only 34% of privacy professionals expect their companies to certify under the EU-U.S. Privacy Shield.
Privacy (US)
US – 2016 Annual IAPP-EY Privacy Governance Report Released
What’s the mean privacy budget for a company with $1 billion in revenues? What’s the primary reason for a company with fewer than 5,000 employees to have a privacy program? What do manufacturing firms consider to be the toughest compliance task in the General Data Protection Regulation? The answers to these questions and many more are now available in the 2016 IAPP-EY Privacy Governance Report, 126 pages of detailed information from 600 companies around the world that have provided answers to budget, staffing, organizational, and prioritization questions. Further, as this is the second year of releasing the report, there is now directional, year-over-year data showing everything from how companies are progressing with their vendor management programs to the pace of privacy’s integration with the rest of the organization. Finally, we for the first time have data on cross-border data transfer and GDPR concerns and preparations. It is the most comprehensive benchmarking data for privacy available anywhere — and free to download. [IAPP.org]
US – Clinton, Trump’s Privacy, Security Attitudes Analyzed
The cybersecurity and privacy positions of both presidential hopefuls, Hillary Clinton and Donald Trump. Clinton are analyzed. They both “support expanded investment in cybersecurity technologies, as well as public-private collaboration on cybersecurity innovation.” “Trump has been far less sanguine about existing efforts to keep networks safe,” while acknowledging that compared to other nations, the U.S.’s technical abilities were “so obsolete.” Ultimately, “both major party candidates have called for the U.S. to do more to protect itself against digital attacks and to use digital tools to thwart extremist activity and digital communications, the report adds. [Fast Company]
US – Disposal Rule Now Open to Public Comment, FTC Announces
The FTC has opened its Disposal Rule up to public comment. The rule “requires certain persons who have consumer report information for a business purpose to properly dispose of it by taking reasonable measures to protect it from unauthorized access,” and its review is part of the agency’s “systematic review of all current FTC rules and guides.” The FTC is specifically looking to see if the rule has any economic impacts, if it clashes with other laws, its influence on technological advancement, and whether the agency should expand the definition of “consumer information.” The public comment period extends through Nov. 21. [Press Release]
Yelp, 13 Other App Companies Face the Music After Losing Class Action
U.S. District Judge Jon Tigar has ruled that Yelp and 13 other apps are guilty of violating users’ privacy by uploading their personal information without consent. “The court accepted the fact that Yelp only accessed the email addresses of a user’s contacts to help them find friends on Yelp after receiving consent to do so, and did not save or misuse that information,” said Yelp spokeswoman Rachel Youngblade. “Nonetheless, the court appears to state that an online mobile app must inform a user any time data is transmitted from their phone to the online company to make the app work.” The results of the consolidated class action could set a precedent for other plaintiffs’ successes in similar cases. [Courthouse News]
US – FTC to Look into Facebook, WhatsApp New Data Access Plan
The FTC has announced in a letter to the Center for Digital Democracy and the Electronic Privacy Information Center that it will look into Facebook and WhatsApp’s “change of heart” regarding the messaging service’s privacy practices. Facebook will now access phone numbers and other information that WhatsApp had previously not made available, a switch from plans the social media company established when it purchased WhatsApp in 2014. “The crux of the FTC’s analysis will likely turn on the notice that now appears when a consumer opens the WhatsApp app.” The notice alerts consumers to Facebook’s new terms. “But, if a consumer clicks on a ‘learn more’ link, they will see a button where they can opt out of most of the data sharing.” [Fortune]
US – Snowden on Why He Should Receive a Presidential Pardon
Speaking via video from Moscow during an interview, Edward Snowden outlined the case for President Barack Obama to grant him a pardon before Obama leaves office in January. Snowden said his disclosure on the scale of surveillance being conducted by both U.S. and British intelligence agencies was the morally correct thing to do. While the law may say he should be prosecuted, Snowden said, “that is perhaps why the pardon power exists — for the exceptions, for the things that may seem unlawful in letters on a page but when we look at them morally, when we look at them ethically, when we look at the results, it seems these were necessary things, these were vital things,” he said, adding policies and procedures have changed for the better as a result of his disclosures. [The Guardian]
Privacy Enhancing Technologies (PETs)
US – HPE-IAPP Privacy Technology Innovation Winners Announced
The winners of the annual HPE-IAPP Privacy Innovation Awards have been announced, including for this year’s “most innovative privacy technology.” Two companies received the technology award this year. Vysk Communications has invented the QS1, a smartphone case designed to protect and secure voice calling and allow users a multitude of ways to secure their phone. Protenus offers a new platform for health care organizations needing to find a better system for protecting and controlling access to electronic medical records. The platform consists of two distinct services for health care organizations; one focuses on analytics and protective detection, while a second piece provides forensics and investigation solutions. [IAPP.org]
Security
FTC Opens Safeguards Rule to Public Comment
The FTC announced it would be opening the Safeguards Rule under the Gramm-Leach-Bliley Act to public comment for the purpose of evaluating its ability to protect consumer information. The FTC hopes to determine the economic advantages and disadvantages of the Safeguard Rule, as well as potential clashes it has with state and local laws. However, the result of the comments may not necessarily create change due to the nature of the law itself, said Morrison & Foerster’s Nathan Taylor. The rule “by design puts in place a risk-based process that is both flexible and adaptable,” Taylor said. It’s “specifically designed to be able to respond to changes in technology and changes in the threat landscape.” The comment period will extend to Nov. 7. [Bloomberg BNA]
US – FTC Announces it will Provide Guidance on Ransomware
The FTC has become the most recent regulator to take a closer look at ransomware and its impact on consumers. During the FTC’s September 7, 2016, Fall Technology Series on Ransomware, Chairwoman Edith Ramirez announced that the FTC will soon release guidance to businesses on how to protect against ransomware. According to experts on hand for the event, this pay-to-unlock scheme is the most profitable malware in history. FTC Chairwoman Edith Ramirez said not only is it prevalent and dangerous, but there are also many challenges associated with thwarting it, including its rapid proliferation, the vectors of attack and the vast array of harms. [InsidePrivacy] [Privacy Advisor: At FTC Workshop on Ransomware, FBI says: Don’t Pay] [FTC focuses on combating ransomware]
WW – Ransomware is Spreading Through Cloud Apps
The latest report from Netskope, a cloud access security broker, has revealed how the presence of ransomware is spreading through cloud apps. On average there were 26 pieces of malware found in cloud apps across a given organisation. Of these 26, 43.7% of malware found in enterprises’ cloud apps have delivered ransomware, and 56% of malware-infected files in cloud apps are either being shared with internal or external users, or shared publicly. Ransomware accounts for nearly half of all malware found in organisations. [Information Age] [Nearly Half of Cloud-Based Malware Now Delivers Ransomware]
WW – 3 Essential Steps for Responding to Ransomware Attacks
Likely because most victims comply with their demands, the incidence of attacks by ransomware hackers has exploded in 2016. Guidance issued by the U.S. Department of Health and Human Services in July notes that, on average, there have been 4,000 reported ransomware attacks per day thus far in 2016, far exceeding the average of 1,000 attacks per day last year. While it may be tempting to do so, there are serious risks to this approach. Even if the ransom demanded by a ransomware hacker is not prohibitively expensive, an organization victimized by an attack must bear in mind that simply paying off the hacker is unlikely to make its problems go away. If you believe your organization has been victimized by a ransomware attack, you should proceed as follows, carefully documenting each of the steps. [Workplace Privacy Report]
US – NIST Seeks Feedback from Privacy Pros on Special Publication 800-53
During a government workshop this week, the National Institute of Standards and Technology sought feedback from privacy professionals as it begins its fifth round of revisions on NIST Special Publication 800-53. Of particular concern was “the disconnect between security and privacy controls.” However, the Department of Homeland Security’s Jamie Danker said that privacy pros’ “equal footing” with security pros in this regard illustrated the profession’s growth. But no one argued the job is done. After nearly two years of real-world application, it has become clear there are blind spots. Danker said it would be helpful to have information on how to better identify a privacy risk. Sean Brooks, a privacy engineer at NIST, said there is not enough information for identifying and solving problems that don’t involve a malicious actor. Another session member said that SP 800-53 should be written in a way that doesn’t just tack privacy on at the end. Privacy and security should be integrated throughout the document because privacy experts rely heavily on security experts and vice versa. There needs to be more communication between them, attendees said. Other concerns included the inability the lack of metrics for implementation of Appendix J and the lack of an assessment process for it. The agenda for the workshop said the goal was to identity “whether changes should be made in the publication’s fifth revision.” The clear consensus from the day was yes, but what those changes should be was far from decided. NIST welcomes comments on the draft of Appendix J and 800-53 through Sept. 30, with the final draft expected in 2017. [IAPP.org] [GCN.com]
Surveillance
US – Seizure of Cell Site Location Information Should Require a Warrant
An advocacy group submitted an amicus brief in support of 3 individual appealing a district court ruling concerning seizure of cell site location information (“CSLI”) from a phone provider. The government seized the CSLI without a warrant, but the Supreme Court has held that the government should first acquire a warrant under probable cause; no exception applied to the CSLI (there was no hot pursuit, inventory search, emergency aid or exigent circumstance). [U.S.A v. Kenneth Benbow, Mark Pray, and Alonzo Marlow – Brief of the Cato Institute as Amicus Curiae In Support of Appellants – In The U.S. Court Of Appeals For The District Of Columbia Circuit | Amicus Brief | Legal Brief]
Telecom / TV
US – State Officials Warn Against FCC Privacy Regulations
Attorney Generals of 16 states wrote to express concerns over a federal proposal that would regulate the privacy practices of broadband providers while exempting big tech companies, saying it would threaten consumer privacy and complicate “an already complex regulatory environment.” ”If this proposed rule moves forward not only may it be read to preempt important state laws that effectively protect consumers’ privacy, but this new approach will also foster a byzantine regulatory environment rather than clear, enforceable requirements that improve data privacy for all consumers,” the group argued. [Washington Examiner]
UK – Report: ISPs Say Government Surveillance Could Weaken Network Security
According to a report from The Internet Service Providers’ Association (ISPA), the majority of UK Internet service providers (ISPs) say they are concerned that government surveillance will undermine their network security and increase the likelihood that their networks will be targets of attacks. ISPs also say they would like to see the government focus on raising consumer awareness and creating greater consistency in law enforcement’s response to reported cyber incidents. [eWeek | Ars Technica]
US Government Programs
US – Customs Office Has Problematic Data Policies, DHS IG finds
The Department of Homeland Security Office of Inspector General has announced findings that the U.S. Customs and Border Protection’s Office of Professional Responsibility has shared too much personally identifiable information, “putting its mission ahead of protecting sensitive personal data.” A request from Sen. Tom Coburn, R-Okla., catalyzed the review, which found that while the agency did not violate the Privacy Act of 1974, many of its practices were questionable and needed repurposing. “We believe the manner in which CBP OPR shared the sensitive PII showed a lack of regard for, and may have compromised these individuals’ privacy,” the OIG report states. The CBP OPR agreed with the OIG’s guidance to remedy policies and better train employees, and has 90 days to provide the OIG with an action plan. [Federal Times] [Customs investigators violated privacy of thousands]
US – Gov’t Releases Guidance on Senior Privacy Roles
The U.S. federal government has released updated guidance on the role of the senior agency official for privacy (SAOP). The Office of Management and Budget’s guidance asserts the SAOP has to serve in a “central leadership position” and have the “necessary authority and expertise” to lead the agency on all things privacy. The establishment of SAOPs at every agency comes as part of an update to Circular A-130 — the resource for government agencies’ information-management protocols — and follows the establishment of a Federal Privacy Council via U.S. President Barack Obama’s Executive Order, issued in February. In a blog post, Marc Groman, senior advisor for privacy at OMB, said the guidance “recognizes that the success of an agency’s privacy program depends upon its leadership. Further, the guidance joins a growing list of actions this administration has taken to support the federal government’s protection of privacy … to help ensure that agencies take a coordinated approach to addressing privacy and information security.” Most importantly, the U.S. federal government now recognizes the vital role that privacy professionals play in evaluating legislative and regulatory efforts that involve and depend upon personal data. “The SAOP shall ensure that the agency considers and addresses the privacy implications of all agency regulations and policies,” the memo reads, “and shall lead the agency’s evaluation of the privacy implications of legislative proposals, congressional testimony, and other materials.” Time is of the essence. Each agency now has 60 days to look at who’s handling privacy at their agency and then either designate that person to be the SAOP, officially, or choose another person to serve that role. Further, the guidance requires the SAOP to “take a central role at the agency in policy development and evaluation, privacy compliance, and privacy risk management.” Most importantly, however, “agencies should recognize that privacy and security are independent and separate disciplines. While privacy and security require coordination, they often raise distinct concerns and require different expertise and different approaches.” In fact, “the distinction between privacy and security is one of the reasons that the Executive Branch has established a Federal Privacy Council independent from the Chief Information Officers Council,” the memo states. [IAPP]
US Legislation
US Legislative News
- U.S. lawmakers are working towards agreement on the Kelsey Smith Act, a bill that would require mobile service providers to hand over location data to police in an emergency.
- Sen. Ron Wyden, D-Ore., has introduced a bill to stop a procedure change requested by the Department of Justice that would allow the government to hack multiple computers with a single warrant.
- Sens. Dianne Feinstein (D-CA) and Richard Burr (R-NC) have been circulating changes to their discussion draft of the Compliance with Court Orders Act, which received a chilly reception when it was originally released.
Workplace Privacy
WW – Would You Hand Over Your Social Media Account Details for A New Job?
According to one vendor, as of 2013, 93% of recruiters were likely to look at a candidate’s social profile, and 42% had been moved to give the thumbs-up or -down based on what they turned up. There have been various tools put forth that make it easier for employers to get at your “true” self. Now, there’s another such tool to go beyond just plain old running a search on a candidate. Called The Social Index, the online service promises to rifle through the digital footprints of short-listed job candidates and present employers or recruiters with a report. That report is an infographic that, the company claims, maps out a candidate’s “personal brand.” It crunches data from Facebook, Twitter and LinkedIn. According to a report from Mashable, The Job Index focuses on those three social platforms partly because they’re common, but also because, typically, they’re the ones most relevant to a company’s client activities or reputation. It takes about 30 seconds for the candidate to be analyzed before their “social footprint” is ready. Within 24 hours the report will be delivered to both the client and the job seeker. As of 2013, 93% of recruiters were likely to look at a candidate’s social profile, and 42% had been moved to give the thumbs-up or -down based on what they turned up. [Naked Security] See also: [This software start-up can tell your boss if you’re looking for a job] and [Your employer may know if you’re quitting before you say so, thanks to Jobrate]
US – Tech Company to Release Sensor-Based Employee Badge
Boston-based tech company Humanyze has developed an employee badge that senses speech and movement to measure productivity, set for October release. The device, dubbed a “Fitbit for your career,” is “slightly larger than … a credit card” and has two microphones to record sounds — except when users go to the restroom. The company maintains that it doesn’t record the content of conversations; that managers cannot look at a specific individual’s data, and that employees choose whether or not to use the badge. “If you don’t give people choice, if you don’t aggregate instead of showing individual data, any benefit would be dwarfed by the negative reaction people will have of you coming in with this very sophisticated sensor,” said Humanyze CEO Ben Waber. [The Washington Post]
WW – IoT-Tricked Office Not a Privacy Problem, But the Future
Staff at Futurice, a Helsinki-based, digital innovation consultancy created an “indoor mapping” system of tracking temperature, bathroom usage, and free desk space which has some worried about privacy, surveillance and data collection, while others maintain connecting offices in this way is the new future of internet of things development. The Futurice model is opt-in, and no data is tracked or stored. “It’s just what’s happening near me right now,” said Futurice’s Paul Houghton. Tools like this are only the beginning, some say. “We’re merely scraping the surface of what could be achieved if more offices look at how they can adopt the internet of things and data to improve everything from operations to sales, and happiness to product development,” said Tech City UK’s Gerard Grech. [The Guardian]
+++
