Biometrics
US – Voice Verification Technology Prevents Impersonators from Obtaining Voiceprints
Computer users have learned to preserve their privacy by safeguarding passwords, but with the rise of voice authentication systems, they also need to protect unique voice characteristics. Researchers at Carnegie Mellon University’s Language Technologies Institute (LTI) say that is possible with a system they developed that converts a user’s voiceprint into something akin to passwords. The system would enable people to register or check in on a voice authentication system, without their actual voice ever leaving their smartphone. This reduces the risk that a fraudster will obtain the person’s voice biometric data, which could subsequently be used to access bank, health care or other personal accounts. “When you use a speaker authentication system, you’re placing a lot of faith in the system,” said Bhiksha Raj, an associate professor of language technologies. “It’s not just that your voiceprint might be stolen from the system and used to impersonate you elsewhere. Your voice also carries a lot of information—your gender, your emotional state, your ethnicity. To preserve privacy, we need systems that can identify you without actually hearing your voice or even keeping an encrypted record of your voice.” [Source]
CA – Quebec Sets Rules For Biometric Identification Systems
In Quebec, employers need to comply with the requirements set in the Act to Establish a Legal Framework for Information Technology, which the Quebec Commission on Information Access strictly monitors. Under the act, both physiological biometry and behavioral biometry are available to employers. Usually, employers choose physiological biometry, which deals with fingerprints to record employee attendance. Kronos Touch ID Technology is used often because it does not store fingerprint images. All it requires is for the employee to enter his or her personal ID code and place his or her finger on a screen.
Biometric identification systems based on mathematical representation technology are acceptable to the Quebec Commission on Information Access as it does not store images, thus it does not infringe on the rights of an individual to privacy. The Act Respecting the Protection of Personal Information in the Private Sector is strict when it comes to employers using biometrics in Quebec. There are nine conditions summarized in its guidelines entitled “Biometrics in Quebec: Application Principles, Making an Informed Choice.” The approach first prompts employers to explore alternative choices other than biometrics. If employers do choose biometrics, they need to secure the consent of each individual or employee to be subjected to biometrics. This gives employees the option whether to give their consent or not, and employees can withhold their consent without providing any justification. Employers need to conduct information sessions so as to acquaint and make the employees understand the “ins and outs” of the biometric identification system and its necessity to be employed in the workplace. Furthermore, employers have to consult with legal counsel to make sure that human rights issues are assessed properly and that necessary legal requirements and reporting obligations to Commission are obliged with. [Source]
EU – Facebook Suspends Use of Facial Recognition Tool in EU
Facebook has suspended the use of its facial recognition tool in Europe. The feature suggests users who could be tagged in photographs posted to the site. Facebook says that the feature has been turned off for new EU users and that “templates for existing users will be deleted by 15 October.” The decision was made in response to recommendations from the Irish Data Protection Commissioner. In addition, Germany has demanded that Facebook disable the service and destroy its associated database. [BBC] [ComputerWorld] [InformationWeek] [v3.uk] [ArsTechnica] See also: [US: To lawbreakers’ angst, mug shot websites spreading]
WW – Airport Iris-Scanning May Be Wave of Future
Iris-scanning technology is being rolled out in select airports. Technology similar to AOptix’s InSight Duo iris scanner may become a standard security check at airports and border crossings around the globe, the report states, making the security experience more efficient. A company whitepaper states, “In an InSight-based eGate, a traveler would pass through border control by first scanning his biometric passport on the eGate and then authenticating his biometric record with InSight.” Privacy concerns loom, however, as researchers recently were able to reverse engineer iris code back into an iris image. Privacy expert Woodrow Hartzog said, “A significant enough breach could render an entire verification system unreliable.” [Ars Technica]
Canada
CA – Alberta Privacy Commissioner Issues Report on Privacy Breaches
Alberta’s new Privacy Commissioner, Jill Clayton, has released a report on the first two years of mandatory privacy breach reporting in Alberta (the “Breach Report”). As of the end of April 2012, 151 breach reports had been received by the Privacy Commissioner. Of these reports, 63 cases (42%) involved a real risk of significant harm. In the remainder of the matters, this threshold was not reached, PIPA was determined not to apply, or the matter was still under review. The Breach Report shows that a majority of the 63 reported cases meeting the real risk of significant harm threshold involved human error or lost or stolen unencrypted electronic devices: 22 breaches were caused by human error. These incidents included inappropriate disposal of personal information, emails sent to the wrong individuals (or viewable to all individuals in a mass email), faxes sent to the wrong person or to an unsecure fax, loss of files and portable memory sticks, and unauthorized disclosure of passwords. The most common form of human error was mail and courier errors caused by delivery to the wrong individual.
– 18 breaches were caused by theft. These breaches were primarily due to office and car break-ins resulting in the loss of computer devices, although in a few cases paper documents were also stolen.
– 14 breaches were caused by electronic system compromises. These breaches were typically found to occur as a result of targeted attacks by external hackers seeking to extract large amounts of data. In one incident, 50 million individuals were affected.
– 9 breaches were caused by a failure to adequately control access to electronic or paper files. One case in particular involved files that were accessible to the public via the Internet.
Where a real risk of significant harm was found, the Breach Report indicates that most of the personal information breached was considered to be of high sensitivity, such as social insurance numbers, drivers’ license numbers, or credit card numbers. The Breach Report also indicates that the following circumstances were likely to lead to a real risk of significant harm:
– where information was apparently stolen for nefarious purposes;
– where recipients could not be determined;
– where electronic devices containing personal information had no encryption and no audit capability, making access possible and unknown; and
– where a large number of individuals were affected and where there was a likelihood that the personal information could be used for a nefarious purpose (such as “phishing” for more personal information).
The Breach Report also offers some commentary on when reporting is not required. Where no real risk of significant harm was found, the personal information involved was typically of low sensitivity. Even where sensitive information was breached, reporting was not required where the organization used strong encryption methods or auditing capability, thus making access to the information highly unlikely. Typically, reporting was not required where recipients were few and known to the organization, or where the information was returned or confirmed destroyed in a relatively short time frame. The Breach Report offers further guidance on prevention of privacy breaches. In addition to measures intended to protect against specific risks to personal information, organizations should implement the following basic steps: [Source]
CA – Newfoundland Passes Amendments to Privacy and ATIP Laws
Despite a four-day, record-breaking, filibuster in mid-June, the provincial Conservative party of Newfoundland and Labrador passed a bill that will radically reduce public access to government information in the province. Bill 29 has drawn widespread criticism from legal experts, opposition politicians and working journalists alike, who have called the bill regressive and draconian. “It’s more of a piece of legislation that sets rules on how not to release things,” Russell Wangersky, an editor and columnist with The Telegram in St. John’s. The amendment to the province’s Access To Information and Protection of Privacy Act (ATIPPA) has the potential to drastically reduce the need of the Newfoundland government to respond to, well, anything, really. Requests that Cabinet determines are “vexatious, frivolous [or] trivial” can now be disregarded. The definition of “Cabinet confidences” has also been expanded to include documents that have been prepared for Cabinet, but which Cabinet doesn’t need to have ever seen or used. Bill 29 took its cue from a review of the ATIPPA, released in January of 2011, undertaken by career NL bureaucrat John R. Cummings, Q.C. Among other high-ranking governmental positions, Cummings has been Newfoundland’s Deputy Minister of Justice, Deputy Attorney General and Secretary to the Cabinet. The new law subsequently implemented 16 of the review’s 33 recommendations. Cummings’ review was supposed to rely heavily on a public consultation process, but Wangersky sees it differently. “The review [to] our Access to Information Privacy Act…was overseen by a former civil servant who had a number of years’ experience turning down Access to Information requests,” says Wangersky. “[Cummings] heard primarily from civil servants and government departments and came up with modifications to the Act that substantially restrict the release of documents and put more and more of a control over what can be released into the hands of Cabinet.” [Source]
CA – Kenney’s Emails Targeting Gay Community Raises Privacy Concerns
For many who received an email from Citizenship and Immigration Minister Jason Kenney about gay refugees, the message raised one important question: How did he know I’m gay? The bulk email sent from Kenney’s MP’s office to thousands was titled “LGBT (lesbian, gay, bisexual and transgender) Refugees in Iran” and began with the salutation, “Friend.” Among the recipients was Meredith Richmond of Peterborough, Ont., who, to her knowledge, had never had any contact with Kenney’s office before. She had no idea how Kenney got her personal Gmail address and seemed to know about her sexual orientation. “It felt really targeted at me,” she said. “I’m not a supporter of the Conservatives.” While Richmond had never directly emailed Kenney’s office, she was one of nearly 10,000 people who electronically signed a 2011 online petition supporting a gay artist from Nicaragua, who was then facing deportation. Toronto community organizer and former NDP candidate Michael Erickson posted the petition on the website change.org. Whenever someone “signed” the petition, the site automatically sent a form letter by email to Kenney’s office with the signatory’s reply email address. It appears those thousands of messages were harvested by the email program in Kenney’s office and saved for later use. [Source] [Elections watchdog mulls regulation of parties’ voter databanks] and [Political Parties Operate Outside Canada’s Privacy Laws] andalso: [MB: Bateman apologizes for 1,500 leaked email addresses]
CA – Toronto Real Estate Board Seeks to Bar Public from Tribunal Hearing
The Toronto Real Estate Board is sticking so vociferously to its claims that Multiple Listing Service information routinely handed out by its own agents is such a violation of privacy in the wrong hands, it tried to have the public removed from a Competition Tribunal hearing. In the face of objections from the Competition Commissioner’s legal counsel and media covering the hearing, Tribunal chair Justice Sandra Simpson agreed that no one would be barred from the hearing. But she asked that MLS data on a handful of homes for sale as of Sept. 17 be edited to remove a number of details before being entered into the public record. That included virtual tour photos of the interior of the homes, the names of the homeowners, mortgage and commission information that is more often than not on MLS listings that traditional “bricks-and-mortar” realtors give out to clients. [Source]
CA – Teen’s Identity in Facebook Privacy Case to be Kept Confidential
A Nova Scotia teenager who wants to sue the people she alleges bullied her on Facebook will be able to keep her name private but won’t be able to get a partial publication ban on the trial, the Supreme Court of Canada has ruled. The case involved a 15-year-old teen known only as “A.B.” who learned in 2010 that a fake profile of her had been set up on Facebook. It included a photo of her and a slightly modified version of her name. The fake profile discussed her physical appearance and allegedly included “scandalous sexual commentary of a private and intimate nature,” according to the court documents. She wanted to launch a civil suit and wanted the court to compel Internet provider Bragg Communications to disclose the identity of the people behind the IP address where the alleged defamation came from. But A.B. also wanted a partial publication ban on the case, to keep the details of the alleged defamation under wraps and her full name kept confidential. This week, the Supreme Court agreed that the teen’s identity should be kept confidential, saying the court has a duty to protect her because of her age. [Source]
Consumer
CA – Canadians Trust That Organizations Won’t Share Their Information” Poll
In asking Canadians what information they’re willing to share with organizations – via consumer loyalty programs, for instance – pollsters found a considerable chunk of the population agreeable to divulging everything from sexual orientation (40%) to health details (31%) to political and religious affiliations (30% and 41%, respectively). “There’s an inherent trust that organizations are going to act reasonably with your information,” says Bryan Pearson, author of The Loyalty Leap: Turning Customer Information into Customer Intimacy. Fully 48% of Canadians say they always or often read the privacy policies of companies Canadians trust that organizations won’t share their information with whom they deal – a surprisingly high figure, Mr. Pearson said. The nationally representative survey, released Tuesday, is considered to be accurate 95% of the time, with a margin of plus or minus three percentage points. It was conducted online throughout June. [The National Post]
US – U.S. Consumers Reveal Surprising Privacy Findings
Research findings LoyaltyOne released this week show that when it comes to privacy, U.S. consumers are still protecting some of their personal information as much as they do their social security number. Of the 1,000 U.S. consumers responding to an online survey, 50% said they’d be willing to give a trusted company their religious affiliation, 49% their political affiliation, 49% their sexual orientation, 36% health information, 26% mental health information, 24% browsing history and 15% for both smart phone location and number of sexual partners. Last on the list is their social security number at 11%. Several of the 2012 questions followed up on a 2011 survey and were structured to measure changes in U.S. consumer sentiments over the past year. For brands intent on deepening their customer relationships, the results signal a concerning trend — trust may be eroding. Some key year-to-year results: 78% of U.S. respondents said they do not feel they receive any benefit at all from sharing information, up from 74% in 2011 Less than half feel that companies use their personal data to better serve the consumer, an 11% slip from 2011 62% said they would share more personal data if it meant receiving relevant product and service offers, down from 66% in 2011. “Consumers are disappointed. For years they’ve provided their valuable information and they’re not realizing something of suitable worth in return,” Pearson said. “If businesses don’t act quickly to demonstrate they have the consumer’s best interest at heart, they risk an erosion of the business-to-consumer relationship.” [Source]
WW – Think Tank: Business Would Benefit by Upping Consumer Data Control
Policy think tank Demos has said businesses would benefit if they granted consumers more control over how their personal data is used. Consumers are suffering a “crisis of confidence” when it comes to information sharing, Demos said. Businesses could overcome this if they have “open, transparent and clear information-sharing relationships with customers” and allow consumers to make an “informed choice” about the ways their personal information is used. “Regulators and businesses need to find a flexible, dynamic framework, which recognizes the diversity of views on the issue, and consider how people can customize and negotiate their relationship with organizations so that it is and feels mutually beneficial.” [Out-Law.com] [DEMOS Report]
Electronic Records
US – HHS, VA Demonstrate PHI eTransfer
The U.S. Department of Health and Human Services and the Veterans’ Administration have demonstrated how sensitive patient data can be transferred electronically while maintaining confidentiality. Developed as part of the Data Segmentation for Privacy Initiative (DS4P), the demonstration showed how a patient could consent to a transfer and how data would be tagged according to sensitivity, requiring further authorization from the patient prior to additional disclosure. Office of the National Coordinator for Health IT Chief Privacy Officer Joy Pritts said, “This project helps demonstrate that with proper standards in place, existing privacy laws and policies can be implemented appropriately in an electronic environment.” [FierceEMR]
EU Developments
EU – Reding: Data Protection Directive Overhaul Could Save 2.3 Billion in Costs
EU Justice Commissioner Viviane Reding says an overhaul of EU data protection rules could save as much as €2.3 billion in administrative costs. Reding has said a single set of data rules for the EU and a one-stop-shop for data protection will make Europe a more attractive place to do business. The proposed legislation will also provide better access to personal data, Reding and Irish Data Protection Commissioner Billy Hawkes wrote in a recent piece for the Irish Examiner. Ireland will play a key role in shaping the new rules, Reding says, as it is home to many firms handling personal data. [Bloomberg] See [Letter to European Parliament re: European Commission General Data Protection Regulation – US Consumer Organizations] and also: [Article 29 Data Protection Working Party – Opinion 07/2012 on the Level of Protection of Personal Data in the Principality of Monaco – Working Paper 198]
EU – EC Releases Cloud Strategy; ICO Releases Guidelines
The European Commission (EC) has released a new strategy for “unleashing the potential of cloud computing in Europe.” Among the “key actions” in the strategy are “Cutting through the jungle of technical standards so that cloud users get interoperability, data portability and reversibility,” EU-wide certification schemes and a European Cloud Partnership with member states. EC Vice President Viviane Reding said the strategy “will enhance trust in innovative computing solutions and boost a competitive digital single market where Europeans feel safe,” adding, “That means swift adoption of the new data protection framework…”
UK – ICO Issues ‘Viable and Realistic’ Cloud Computing Guide
The Information Commissioner’s Office (ICO) released, on 27 September 2012, a cloud computing guide, recommending, among others, that cloud customers create a clear record about the categories of data they intend to move to the cloud and warns that using cloud services ‘may give rise to more personal data collected…for example, the usage statistics or transaction histories of users may be recorded’. [Source] Information Commissioner’s Office publishes guidelines on the responsible use of cloud computing. [Source] See also: [European Data Protection Supervisor – Formal Comments on DG MARKT’s Public Consultation on Procedures for Notifying and Acting on Illegal Content Hosted by Online Intermediaries]
UK – ICO Releases Google Data Protection Audit Report
The Information Commissioner’s Office (“ICO”) followed-up on a consensual audit and found that the organisation remained at a level of “reasonable assurance”; areas where the organisation improved included introducing privacy as a key theme for internal audit reviews (privacy risk is actively considered in the scoping of audits), the use of Privacy Design Documents in user-facing products (these documents are granular to the different types of products, to ensure the relevant privacy issues are addressed by an appropriate working group), and advanced, mandatory training covering privacy (building on the experience gained through the Privacy Design Document process). The organisation still needs to do more regarding historical projects lacking a Privacy Design Document (a risk-based approach was adopted to roll out Privacy Design Documents, but procedures need to ensure that the right projects are being escalated for review). [Source]
EU – Irish Data Protection Commissioner Released Report of Facebook Re-Audit
A re-audit finds that a social networking website responded to recommendations in a satisfactory way, addressing third party applications (creating an App Centre that standardised the user experience with respect to privacy and creating an audience selector, allowing users to choose who can view their activity with respect to apps), tagging of photos (users have tools to pre-approve tags, un-tag photos, block users who are harassing them with unwanted tags, and remove the record of a deleted tag), privacy and data use policy (new users are met by a “welcome dashboard” that gives a tour of the greatest areas of privacy risk and are given a privacy prompt 30 days after joining, to provide information and choice once they have a working knowledge of the site), and retention (users can delete posts, friend requests, tags and messages on a per-item basis and social plug-in data is deleted for users after 60 days, and non-users within 10 days). Issues that remain on-going include compliance management (all significant changes to the use of personal data are to be approved in a manner set out by the board of directors that takes full account of European data protection requirements), third party apps (a tool to check whether apps’ privacy policy links are live still needs to become operational), cookies (the exact form of consent needed to comply with the cookie law is still being debated among industry and regulatory authorities), and advertising (although the site does not allow targeted advertising based on sensitive categories, advertisers can still use words and terms that are sensitive in nature to filter their ad campaigns). [Source] See also: [UK Information Commissioner’s Office – Submission to the Joint Committee – Pre-Legislative Scrutiny on the Draft Communications Data Bill] and [UK: BBC issues extraordinary apology after airing private conversation with the Queen]
EU – EDPS Calls for Harmonized “Illegal Consent” Definition
European Data Protection Supervisor (EDPS) Peter Hustinx has said the European Commission (EC) should define the term “illegal content” in order to provide clarity on content host responsibilities for removal of such information. Comments by the EDPS come after an EC consultation on reforming rules governing the removal of illegal material posted online. Examples of what the EC considered illegal include content infringing on intellectual property rights, inciting hate, relating to terrorism or invading privacy. Hustinx said he “is of the view that there is a need for a more pan-European harmonized definition of the notion of illegal content for which notice-and-action procedures would be applicable.” [Out-Law.com]
Facts & Stats
US – 94 Million Exposed: The Government’s Epic Fail on Privacy
94 million is the number of Americans’ files in which personal information has been exposed, since 2009, to potential identity theft through data breaches at government agencies. This number — which was just revealed in the latest report from tech security firm Rapid7 — is only the most conservative estimate. When you take into account the difference between reported data breaches, which is what this report measures, and actual incidents, you are talking about a much, much bigger number. [Source]
Finance
WW – PCI SSC Issues App Best Practice Guidelines
The Payment Card Industry Security Standards Council (PCI SSC) has issued best practice guidelines for developers and manufacturers to provide direction in securing mobile device payment processes. The recommendations include isolating sensitive functions and data in trusted environments; using secure code best practices; minimizing third-party access; developing remote payment-disabling functions, and creating suspicious activity monitoring tools. The guidelines also look at ways to prevent the interception of account data in transit. “We have a brand new group of developers that aren’t aware of their responsibility,” said PCI SSC’s chief technology officer. “They are designing good code but don’t know all it’s being used for.” [SC Magazine] [Press Release]
FOI
CA – BC Not So Free With Information: Report
The British Columbia government responds to nearly a quarter of all requests under freedom-of-information laws by insisting it has no records to offer, according to statistics compiled by a group that argues the dramatic increase in such cases raises serious questions about public accountability. The BC Freedom of Information and Privacy Association filed a complaint this week with the province’s information and privacy commissioner, suggesting the trend is either a sign the province isn’t releasing all the information it could or, worse, a symptom of a government that avoids keeping records to skirt the law. The group compiled statistics, available on the provincial government’s website, that indicate the number of such cases has increased sharply in the past decade. In 2002-2003, there were no cases in which the government could not find any records to satisfy a request; today, that scenario accounts for 23% of all requests. [Source] See also: [City of Victoria seeks to limit requests for information] [Saskatchewan Gov’t will look into Workers Compensation Board concerns of Privacy Commissioner] and [NL: Privacy-breach penalties should be enforced, says commissioner]
US – DND Tightens the Screws on Release of Information
Members of the Canadian military have been told to tighten the screws and withhold information, even though it may not be sensitive or a threat to national security. The unusual directive, known as a CANFORGEN, was written last year by the country’s deputy top commander in response to a media story on financial uncertainty facing National Defence. The story was deemed to have contained “information that was not meant for wider or public consumption,” but the data had not been given the designation of either secret or protected. That prompted Vice-Admiral Bruce Donaldson, the vice-chief of defence staff, to instruct those handling information to give everything that passes over their desks – or is posted on the internal department system – a second glance with an eye to keeping it hidden. “Information that is not sensitive to the national interest, and therefore not classified, should also be examined to see if it is sensitive to other than the national interest, and therefore requires an appropriate designation of either Protected A, B, or C,” said the directive, obtained by The Canadian Press under the Access to Information Act. The directive goes beyond reviewing information to protect privacy. “Sensitivity to other than the national interest is not limited to information that is personally sensitive, but also includes, for example, information that is sensitive to the organization, administration, finances or other internal functioning of the department, its relationship to outside organizations, or other government business operations.” [Source]
CA – Commissioner Urges Public Institutions to Join Global Open Data Movement
Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, is calling on public institutions to take advantage of emerging technologies to make data available to the public, academics, researchers, and industry, for use in new and unanticipated ways. As long as personally identifiable information is protected from such disclosure, the open data movement bodes very well for introducing greater transparency to government institutions. The global movement towards Open Data makes vast amounts of machine-readable data freely available by way of portals, metadata, and search tools. It is one of the truest embodiments of Commissioner Cavoukian’s concept of Access by Design, by which public institutions proactively release information as part of an automatic process, fostering more transparency and accountability in government. [Source]
Genetics
US – Court to Examine Legality of Warrantless DNA Samples
The U.S. Supreme Court has decided to reexamine the constitutional privacy of an individual’s blood chemistry. In Missouri v. McNeely, the court will decide whether police can take a DNA sample from a criminal suspect without a judge’s approval, the report states. In Schmerber v. California in 1966, the court ruled that police could take a DNA sample without a warrant in an emergency case, such as drunk driving. In McNeely, the court will analyze that ruling after a police officer ordered a DNA sample from a drunk driving suspect, considering it an emergency as his blood-alcohol level would drop over time. [National Constitution Center] See also: [Do Patients Have A Right To Access Their Clinical Sequence Data? – Alison Hall, Senior Policy Adviser, PHG Foundation]
US – ACLU Asks Court to Stop DNA Collections on Felony Arrests
Through California’s DNA database of close to two million samples, more than 10,000 criminal suspects have been identified in the last five years. But the American Civil Liberties Union (ACLU) will argue to the Ninth U.S. Circuit Court of Appeals that the state’s genetic data collection efforts have become “unconstitutionally aggressive…at the expense of civil liberties,” the report states. California’s Proposition 69 allows police to take a DNA sample of every suspect arrested on felony charges. The ACLU says the practice “comes too early in the criminal justice process,” and samples should be taken only from those convicted. [The Washington Post]
Health / Medical
US – Medicare Bills Rise as Records Turn Electronic
“When the federal government began providing billions of dollars in incentives to push hospitals and physicians to use electronic medical and billing records, the goal was not only to improve efficiency and patient safety, but also to reduce health care costs. But, in reality, the move to electronic health records may be contributing to billions of dollars in higher costs for Medicare, private insurers and patients by making it easier for hospitals and physicians to bill more for their services, whether or not they provide additional care.” [New York Times]
Horror Stories
US – Breach Affects 100,000 IEEE Members
The user names and passwords of approximately 100,000 members of the Institute of Electrical and Electronics Engineers (IEEE) have been compromised in an apparent breach. The affected data was stored on an FTP server in unencrypted form. The IEEE has as many as 400,000 members worldwide, many of whom are security professionals. The incident was discovered by Romanian researcher Radu Dragusin. [Help Net Security] See also: [Health Agency Notifies 2,500 Clients of Breach]
CA – BC Health Ministry Fires Fifth Worker for Alleged Breach
A fifth employee of British Columbia’s Health Ministry has been fired over an alleged privacy breach. The worker had been one of three who had been suspended, but according to the report, the 30-year government employee in charge of data access, research and stewardship has now been released. BC Health Minister Margaret MacDiarmid has said the issues in the ongoing investigation relate to inappropriate conduct, data management and “contracting-out allegations,” the report states. “It’s been incredibly complex and it continues to be,” MacDiarmid added. [The Victoria Times Colonist] [NextGov] [Vancouver Sun] [Vancouver Sun] See also: [US: Former Howard University Hospital Employee Sentenced For Selling Personal Information About 40 Patients] and [Newfoundland’s Eastern Health says computer software will track privacy breaches]
US – Provider Settles HIPAA Case for $1.5 Million
Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc., (MEEI) has agreed to settle with the U.S. Department of Health and Human Services (HHS) for $1.5 million for potential violations of the HIPAA Security Rule. The HHS Office for Civil Rights conducted an investigation after MEEI reported that an unencrypted personal laptop containing sensitive health data was stolen. The investigation found MEEI “failed to take necessary steps to comply with certain requirements of the Security Rule.” In addition to the fine, MEEI will now review, revise and maintain policies and procedures to comply with the rule and will undergo independent compliance assessments for three years. Meanwhile, Lahey Clinic Hospital has alerted patients of a breach. [Source] See also: [UK: Stolen Laptop Contained Children’s Data] and [Hospital Employee Sentenced to Six Months for Selling Data]
US – AvMed Ruling May Open the Door for Liability Cases
The recent AvMed data breach case may open the door for plaintiffs to prove they are victims of identity theft as a result of a data breach. The 11th U.S. Circuit Court of Appeals ruled earlier this month that plaintiffs in Curry v. AvMed sufficiently alleged liability against the health plan provider for the data breach affecting 1.2 million customers that led to identity theft and financial losses for some. “When a company doesn’t live up to the obligation that it’s supposed to…that person has a cause of action for that money he paid toward the protection of his personal information,” said the lawyer representing the plaintiffs. [SC Magazine]
US – Report: Most Breaches Due to Employee Error
Forrester Research has found that most data breaches are caused by events such as employees losing or misusing corporate assets or having them stolen. In the survey of more than 7,000 executives and employees in North America and Europe, 31% said theft or loss was the cause of data breaches, and 39 percent said data leaks on mobile devices are a concern. “Whether their actions are intentional or unintentional, insiders cause their fair share of breaches,” the report’s authors said, adding it’s not only a matter of appropriate tools and controls; only 56% of respondents said they were aware of their organization’s security policies. [COMPUTERWORLD]
Identity Issues
U.S. – State Dept. Admits Passport Form Was Illegal, But Still Wants It Approved
“Early last year, the State Department proposed a new “Biographical Questionnaire” for passport applicants, which would have required anyone selected to receive the new long-form DS-5513 to answer bizarre and intrusive personal trivia questions about everything from whether you were circumcised (and if so, with what accompanying religious rituals) to the dates of all of your mother’s pre- and post-natal medical appointments, your parents’ addresses one year before you were born, every address at which you have ever resided, and your lifetime employment history including the names and phone numbers of each of your supervisors at every job you have ever held.” [Papers Please]
US – Court Rules in Favor of Plaintiffs’ ID Theft Case
The 11th Circuit Court has ruled in a 2-1 opinion that the plaintiffs in a class-action lawsuit sufficiently alleged liability against a health plan provider for a data breach involving identity theft. Two laptops containing unencrypted sensitive information— including Social Security numbers—on 1.2 million AvMed customers were stolen in 2009. In Curry v. AvMed, Inc., the plaintiffs said they carefully avoided sharing their sensitive information digitally but still became victims of identity theft and suffered financial losses. The ruling “gives crucial guidance to plaintiffs seeking damages for identity theft caused by a data breach and to defendants seeking to defend against such claims,” the report states. [Information Law Group] See Curry v. AvMed, Inc., No. 11-13694, 2012 WL 2012 WL 3833035, — F.3d —- (11th Cir. Sep. 5, 2012).
Intellectual Property
EU – French Government Levies First Piracy Fine
The French government has imposed its first fine under the country’s new anti-piracy law. Alain Prevost was fined 150 euros (US $197) for downloading two songs, even though his wife has admitted that she was the person who had downloaded the files. The fine was levied against Prevost because he paid for the Internet connection over which the songs were downloaded. After receiving two warnings about the downloaded songs from Hadopi, the agency that seeks out Internet copyright violators, Prevost terminated his ISP account. He and his wife are divorcing, and he had written to Hadopi, telling them to contact her about the downloaded songs. Their replies were sent to an email address that he no longer had access to. [BBC] See also: [Dutch Court Says Links to Photos Constitute Copyright Violation | Source]
Internet / WWW
WW – Project Founder: Data Subjects Should Take Some Profit
The founder of a large-scale data project says individuals should receive a portion of the profits companies generate by capturing their personal data. The Human Face of Big Data aims to create a digital snapshot of the human race, the report states, by using a smartphone app to ask 10 million people for personal details about their lives. “Big Data is a new asset class, and yet the ones creating it seem to have no say in the process,” founder Rick Smolan said. “Why is it everyone is making money off our browser history except us?” [The Sydney Morning Herald]
US – CSA Launches Big Data Working Group
The Cloud Security Alliance (CSA) has initiated a Big Data Working Group to develop best practices for privacy and security solutions, particularly in government, healthcare and e-commerce sectors. The CSA’s charter document notes “traditional security mechanisms, which are tailored to securing small-scale static—as opposed to streaming—data are inadequate” for Big Data. In addition to developing Big Data security and privacy best practices, the group aims to help industry and government adopt best practices; create coordination efforts between organizations to develop standards; speed up efforts to research privacy and security solutions, and draft research proposals for joint government and industry funding, the report states. [Integration Developer News]
WW – Tech Companies Form Lobbying Group Aimed at Protecting Internet Freedom
Several big technology companies have joined forces to form a lobbying group to protect Internet freedom. The Internet Association was founded in large part to counteract efforts by the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA) to influence legislation; both the RIAA and the MPAA lobbied hard for the Stop Online Piracy Act (SOPA), and effort that was ultimately unsuccessful. The Internet Association counts Amazon, Google, and Facebook among its members. [WIRED]
WW – Last of the IPv4 Addresses to be Allocated in Europe
RIPE, the organization that gives out IP addresses in Europe, is down to its last batch of IPv4 addresses. Companies may only make one more request for these addresses, and if the request is granted, they will receive 1,024 IPv4 addresses. All applications must describe how the organization is implementing the new IPv6 address scheme. Until this final batch, RIPE was giving out about four million IPv4 addresses every 10 days. [v3] [RIPE.net] [BBC] [InfoWorld] See also: [Majority of US Government Agencies Will Not Meet IPv6 Deadline | Source]
Law Enforcement
CA – Police Checks Routinely Violate Privacy, Report Says
A new report by the Canadian Civil Liberties Association says many Canadians, especially in Alberta, are having their privacy rights violated because police are releasing non-criminal information in routine police checks. “The status quo is unacceptable,” the report concludes. “There is an urgent need for greater fairness and clarity in the police background check process.” In the past decade, more and more organizations across Canada are requiring police checks before hiring employees or accepting volunteers. In Alberta alone, the report estimates that police run about 160,000 background checks every year. The information released contained not only information about convictions, but also about charges or contact with police which were either withdrawn or did not involve criminal activity. This includes cases involving mental health issues or where individuals were merely contacted as witnesses to crimes. “Disclosing this kind of sensitive information may undermine the presumption of innocence,” the report says. “Employers who receive negative record checks may not fully understand the distinctions between different types of police information, creating significant risk that non-conviction records will be misconstrued as a clear indication of criminal conduct.” The 50-page report calls for standards that would prohibit the release of information other than convictions, except in rare circumstances. It also says non-conviction records should be reviewed regularly and destroyed where warranted. It also says individuals should have a right to be notified on the information in their file and be able to appeal it before an independent adjudicator. While there are laws governing the release of certain information, such as under the Privacy Act and the Youth Criminal Justice Act, the report says there are no set standards for what police services can or can’t collect and release in police checks. It calls the situation across Canada “a patchwork” of policies that may violate Canada’s Charter of Rights and Freedoms. The report says the problem is particularly acute in Alberta, where it says there is too much discretion is left to individuals in police services as to what information can and should be retained and released. The report points to Ontario as an example of good practices. There, the province’s Privacy Commissioner issued an Order regarding the handling of information collected by police. [Source] [Press Release] [Report: Presumption of Guilt? The Disclosure of Non-Conviction Records in Police Background Checks]
Mobile Privacy
US – Proposed Privacy Act Makes Mobile Tracking Harder
US lawmakers have introduced a new bill that will make it tougher for companies or anyone else to track mobile users without consent. The Mobile Device Privacy Act simply makes it illegal for companies to monitor device users without their express consent. The bill was introduced by Rep. Edward Markey (D-Mass.), who is co-chair of the Bi-Partisan Congressional Privacy Caucus. The legislation is a result of concern over last year’s Carrier IQ controversy, which centered on a piece of software that wireless operators installed on smartphones in order to help track network congestion and end-user quality problems, with an eye to improving service. The software, which Sprint and others quickly disabled after the flak started, was meant to be a diagnostic tool but has the capability to be used for ill: Android developer Trevor Eckhart posted a video showing how the software logs text messages, web searches and other activities without the mobile user’s knowledge or permission – promptly setting off big privacy alarm bells. “Consumers should know and have the choice to say no to software on their mobile devices that is transmitting their personal and sensitive information,” Markey said. “This legislation will provide greater transparency into the transmission of consumers’ personal information and empower consumers to say no to such transmission.” The law requires anyone performing data collection, even with consumers’ opt-in permission, to inform the US FTC and the FCC of their tracking activities. The agencies would be given enforcement power as well. Also, the legislation would require that any tracking software contained on the device at purchase or included in software updates be disclosed upfront, giving consumers the right to refuse tracking. This disclosure must include what types of information is collected, who it is transmitted to and how it will be used.[Source]
WW – Funding Among Reasons for App Security Breaches
A recent survey has found that the majority of companies questioned experienced at least one web application security incident since last year. In the Forrester study, which questioned 240 North American and EU companies, 18% reported a breach had cost their organization $500,000 or more and indicated the incident had a negative impact on their brand. Among the reasons for the security failures were an inability to secure additional funding for technology and processes, a lack of tools for application security and pressure to quickly deliver new products and services. SQL injection was the leading cause of breaches at organizations that had experienced five to 10 incidents since 2011. [Network World] See also: [Over half of Android devices have unpatched vulnerabilities, report says] and [McAfee: New malware is proliferating]
WW – PCI Council Issues Best Practice Guidance for Mobile Apps
The Payment Card Industry Security Standards Council (PCI SSC) has released best practice guidance for mobile app developers and device manufacturers. It said that the main focus of the guidelines is to provide direction on securing mobile device payment processes and the payment environment itself by educating developers in the emerging mobile app market. Key recommendations of the report include isolating sensitive functions and data in trusted environments, implementing secure coding best practices and eliminating unnecessary third-party access and privilege escalation. Developing ways to remotely disable payment functions, in addition to creating tools for mobile apps to monitor and report suspicious activity were also among the recommendations. The guidelines focus on ways to prevent account data from being intercepted while sent or received on mobile devices or from being compromised while being processed or stored on them. [Source] [Press Release] [Guidance: PCI Mobile Payment Acceptance Security Guidelines]
Offshore
UK – ICO Issues Outsourcing Guide for Small and Medium-Sized Businesses
Summary: Where a data processor is used to process data on the data controller’s behalf, the data controller must ensure that suitable security arrangements are in place to comply with the seventh data protection principle (the processor must provide sufficient guarantees in respect of the technical and organisational security measures, and the controller must take reasonable steps to ensure compliance with those measures); if the data processor is located outside the EEA, they must comply with the eighth data protection principle (organisations that transfer personal data to a data processor in a third country will remain subject to the ICO’s powers of enforcement, and continue to be responsible for protecting the data subjects in relation to the overseas processing of their personal data by the data processor). Model contract clauses offer adequate safeguards for the protection of the rights and freedoms for international transfers of data (the clauses are in a standard form which may not be amended, however they may be incorporated in their entirety into a data processing service agreement with an overseas data processor). Before using a non-EEA based data processor, an organisation should consider whether there is any particular legislation in place in the country or territory where the chosen processor is located which might adversely affect the rights of the data subjects whose data is to be transferred. [Source]
Online Privacy
CA – Commissioner: Websites Inappropriately Sharing Users’ Personal Information
A report by Canada’s Office of the Privacy Commissioner says some leading Canadian websites are inappropriately sharing users’ personal information with third parties. Privacy Commissioner Jennifer Stoddart investigated 25 shopping, travel and media sites and found information—including names, e-mail addresses and postal codes—was being collected without consent. Stoddart has written to 11 of the sites, seeking explanations on how changes will be made to comply with Canadian privacy law, the report states. “Our research serves as a wake-up call to all online services to ensure they are complying with Canadian law—and respecting the privacy rights of people who use their sites,” Stoddart said. [Canadian Press] See also: [Experts call for Privacy Commissioner to reveal data leaking Web sites]
US – FTC Supports W3C’s Do-Not-Track Guidelines
The Federal Trade Commission (FTC) says it supports the World Wide Web Consortium’s (W3C) efforts to develop voluntary guidelines for a do-not-track system. “The commission has repeatedly and forcefully called for industry—not government—to implement a do-not-track mechanism that would allow consumers to decide whether to have their online activity…collected,” said FTC Chairman Jon Leibowitz in a letter to Congress. Leibowitz was responding to an inquiry by nine Republican lawmakers on whether the FTC was “empowered to work with an international organization like the W3C,” the report states. Meanwhile, a Georgia man is currently working on an online registry with features similar to the W3C’s do-not-track. [MediaPost] [Do-Not-Track Talks Reach a Stalemate]
US –Policy Limits Hotmail Passwords to 16 Characters
It has recently been revealed that unbeknownst to most Hotmail users, their account passwords have been limited to 16 characters, regardless of whether or not they have chosen longer passwords. A security researcher recently received an error message when he typed in his 30-character Hotmail password; he had never before received the message, and was able to access his account by entering just the first 16 characters of the password. Kaspersky Lab’s Costin Raiu wrote that “To pull off this trick with older passwords, Microsoft has two choices: Store fill plaintext passwords in their [database and] compare the first 16 [characters] only, or calculate the hash only on the first 16 [and] ignore the rest. A Microsoft representative has acknowledged that “16 characters has been the limit for years now,” and noted that “uniqueness is more important than length.” [Source] [See also: [Mobile PCI Standards Released]
US – Twitter Gives Court Protester’s Posts
After months of fighting a subpoena, Twitter has given a U.S. judge the online posts of Occupy Wall Street protester Malcolm Harris. The tweets, which were handed over to Manhattan Criminal Court Judge Matthew Sciarrino, will remain under seal while a request for a stay by Harris is heard in a higher court, the report states. The Electronic Frontier Foundation (EFF) and the American Civil Liberties Union have filed an amicus brief supporting Twitter’s appeal. EFF’s Marcia Hofmann called it a “canary-in-a-coal-mine case,” adding “companies will look at this case and say it’s not a good idea to push back against governments we think are overreaching.” [Reuters] [Ars Technica] [CNET] [WIRED]
US – Google Adds Support for ‘Do Not Track’ Within Chrome
The development team behind Google Chrome has added the ‘Do Not Track’ privacy setting in the most recent Canary version of the Web browser. The privacy option will be available to all Chrome users before the end of the year after passing through the development and beta phases. While Google did agree to launch support for the ‘Do Not Track’ initiative earlier this year, the Chrome development team has been extremely slow in adding the feature to the browser. Alternatively, Mozilla added support for the feature in Firefox during early 2011 and Apple added the ‘Do Not Track’ privacy setting to Safari 6. In addition, Microsoft took the feature a step further and enabled the ‘Do Not Track’ function within Internet Explorer 10 without requiring the user to turn it on. [Source] [Source] [Source] [Source]
WW – Wikipedia Releases Search Data to Public But Pulls It After Privacy Concerns
Wikipedia announced they have decided to give away their search data to the public for free. Shortly after they announced this, they decided to “temporarily taken down this data to make additional improvements to the anonymization protocol related to the search queries.” [Source]
US – Confusion Over Facebook Wall Posts Leads to Privacy Scare
Facebook representatives have said recent reports that private messages were appearing on users’ timelines were false. According to Facebook, “A number of users raised concerns after what they mistakenly believed to be private messages appeared on their Timeline,” adding that an investigation revealed “that the messages were older wall posts that had always been visible on the users’ profile pages.” In response, France’s data protection authority—the CNIL—has been asked to investigate the issue. Meanwhile, the Electronic Privacy Information Center plans to ask the Federal Trade Commission to investigate the new Facebook-Datalogix deal and whether it contravenes a recent settlement. [The Wall Street Journal]
Other Jurisdictions
AU – Parliamentary Report Recommends Privacy Amendment Bill
A tabled parliamentary report recommends the House of Representatives pass the Privacy Amendment Bill 2012. The bill would clarify the role and strengthen the powers of the privacy commissioner, address credit reporting arrangements and protect personal information. According to a statement, “The committee has examined the bill to ensure that an appropriate balance between privacy protection and the convenient flow of data has been achieved.” Attorney-General Nicola Roxon said, “Both consumers and governments have a role to play to protect privacy,” adding, “In introducing these changes, the Gillard government is doing its bit to protect the privacy of Australian families.” [COMPUTERWORLD]
AU – Parliamentary Committee Endorses Fines for Breaches
A parliamentary committee has recommended passing a bill that would allow for fines of up to $1.1 million for severe or repeated privacy breaches. The suggested penalties were contained in a report tabled in the Lower House. A Senate committee is examining the bill as well and will report to Parliament this month. The bill responds to the Australian Law Reform Commission’s 2008 report, which aims to update privacy laws given technological advances. Privacy Commissioner Timothy Pilgrim says the fines would incentivize better data protection. Should the bill become law, the committee advises that the attorney general should conduct a review 12 months after implementation. [The Australian]
AU – Coalition Seeks ‘Softer’ Privacy Law
A spokesman for shadow attorney-general George Brandis said that Liberal senators would recommend softening parts of the bill around company liability for privacy breaches following a strong backlash from the industry, particularly the internet sector. If passed in their current form, the new laws would give the Federal Privacy Commissioner the ability to seek court ordered fines against companies and large organisations of up to $1.1m in cases of severe or repeated privacy breaches. Senator Brandis’s spokesman said the coalition would recommend changes to the laws that would limit company liability in cases where they can demonstrate that they’ve taken “all reasonable precautions” to prevent privacy breaches. The recommendations were only one of about half a dozen that the senators were expected to include in a parliamentary report expected to be tabled in the upper house yesterday following a short delay last week. The senators are also expected to make recommendations to make it easier for social networking companies to share information about their members with third parties and for all companies to transfer data about Australian customers. Federal Privacy Commissioner Timothy Pilgrim declined to comment for this report. [Source] SEE ALSO: [Office of the Australian Information Commissioner – Submission to the Parliamentary Joint Committee on Intelligence and Security on the Inquiry Into Potential Reforms of National Security Legislation] and [Australian Security Intelligence Organisation – Submission to the Parliamentary Joint Committee on Intelligence and Security on the Inquiry Into Potential Reforms of National Security Legislation [ Baker & McKenzie Review]
NZ – Commissioner Seeks Data Broker Enforcement Powers
New Zealand’s privacy commissioner is seeking additional powers to monitor companies that collect and sell personal data. Assistant Privacy Commissioner Blair Stewart has said the current version of the Privacy Act clears the way for enforcement only after a complaint is filed, but many citizens do not know of the existence of data brokers. The privacy commissioner has supported a Law Commission recommendation to update the law, giving the commissioner powers to serve compliance notices on organizations. Stewart said, “People don’t tend to complain about certain practices, if the sort of practices go on in the background and they can’t see what’s happening.” [Otago Daily Times] See also: [NZ Prime Minister Requests Inquiry Into Allegations of Unlawful Interception of Communications in Megaupload Case] and [Office of the Privacy Commissioner, New Zealand – Proposed Amendment No 7 to Credit Reporting Privacy Code 2004 – Information Paper] and [EU: Commission to decide on New Zealand’s adequacy in October]
Privacy (US)
US – Supreme Court to Hear Driver’s License Case
The U.S. Supreme Court will hear a case involving whether lawyers can legally obtain personal data gleaned from driver’s license records to recruit individuals for lawsuits. The appeal comes from three South Carolina residents who were solicited by lawyers to join a lawsuit against car dealers, the report states. The justices will determine whether the lawyers’ actions contravened federal privacy law pertaining to the protection of driver’s license records. The federal law does have a lawsuit exception. [Associated Press]
US – Apple Shareholders File Proposal on Privacy and Data Security
Investors in Apple Inc. have filed a shareholder proposal asking the company to publish a report explaining how its Board of Directors is overseeing privacy and data security risks. The proposal, which is intended for consideration by Apple shareholders at the company’s 2013 annual meeting, states that “Unauthorized collection, disclosure, or misuse of personal information can cause great harm to individuals and society – including discrimination, identity theft, financial loss, loss of business or employment opportunities, humiliation, reputational damage, questionable government surveillance or physical harm,” the proposal states. The shareholders assert that “Apple’s Board has a fiduciary and social responsibility to protect company assets which include the personal information of a variety of stakeholders.” In seeking a report, the shareholders state that “investors need to understand more fully how the Board is overseeing” concerns about privacy and data security. The shareholder proposal at Apple was developed in consultation with the Open Media and Information Companies Initiative – or Open MIC – a non-profit organization that works with shareholders and companies to foster more open and responsible media policies and practices. A copy of the Apple proposal is available here. [Source]
US – Exploring Privacy’s Top Thinkers and Practitioners
At the annual Privacy Law Scholars Conference held earlier this year, information privacy law scholars and other top thinkers met with practitioners from industry, advocacy and government to hash out privacy’s toughest and most pressing challenges. Law scholar Daniel Solove discusses the strong conduit that is forming between privacy scholarship and practice, and in three such examples, papers delving into Big Data, hiring discrimination in a Web 2.0 world and operationalizing Privacy by Design are explored. [IAPP Privacy Advisor]
US – Groups Ask FTC to Investigate Facebook Tracking Partnership
Facebook’s in-store tracking partnership with Datalogix aims to show advertisers whether their ads lead to sales. Facebook says the data collection doesn’t violate any FTC regulations because of an opt-out link on Datalogix’s website. The Electronic Privacy Information Center and the Center for Digital Democracy have asked the FTC to look into the partnership. Ryan Calo of the Center for Internet and Society says the opt-out link’s location isn’t best practices, and it’s unlikely that Facebook consulted the FTC before unveiling the initiative. “That opt-out option isn’t easy to find nor is it on the Facebook website,” he said. [The Atlantic Wire] [US – Facebook Now Knows What You’re Buying at Drug Stores]
US – Appeals Court Approves Facebook Beacon Settlement
In a split decision, a US federal appeals court has approved a US $9.5 million settlement in a class action lawsuit brought against Facebook over its Beacon program, which kept track of and posted information about what users purchased from Blockbuster, Overstock, and other sites. The lawsuit alleged that Beacon violated federal wiretap and video rental privacy laws. Under the terms of the settlement, Facebook admits to no wrongdoing, but does agree to put money in a so-called digital trust fund, which would provide grants to organizations studying online privacy issues. Some of those being represented by the lawsuit maintained that the award was too small and that Facebook should not have a seat on the board of the digital trust fund. In a separate case involving Facebook’s “Sponsored Stories” feature, a US District Court judge in San Francisco rejected a settlement that would have had Facebook pay US $10 million to charity and US $10 million to cover attorneys’ costs. He is the judge who approved the Beacon settlement. [Source] OTHER NEWS: [Privacy Advisor: FTC ramping up data privacy enforcement actions] and [FTC – In the Matter of Apogee One Enterprises – Complaint and Stipulated Final Judgement and Order] and [FCC – Enforcement Advisory – Political Campaigns And Promoters Are Reminded Of Restrictions On Autodialed and Prerecorded Calls
Security
US – Report: Mobile Device Theft Tops Risk List
A new report has revealed that the top healthcare privacy risk is the theft of mobile devices. Of the reported breach cases, 52% involved the theft of portable devices such as laptops, smartphones and tablets. Kaufman Rossin Director of Information Security and Compliance Jorge Rey—a co-author of the report—said there was a drop in reported breaches, indicating more organizations are complying with HIPAA, but the rise in mobile device theft “was concerning because physical security is usually your easiest area of risk to address.” [American Medical News] SEE ALSO: Analysis of Apple’s disk encryption program, FileVault 2, that first appeared in the Lion operating system. Short summary: they couldn’t break it. [Source]
UK – Body Scanners Removed by Manchester Airport
A UK airport is scrapping passenger body scanners after a three-year trial period ended without a decision from the European Commission. The airport will replace the body scanners with “privacy friendly” scanners. Manchester Airport Group Chief Operating Officer Andrew Harrison expressed frustration “that Brussels has allowed this successful trial to end,” adding, “Our security surveys and those run by the Department for Transport show passengers regularly rate their experience at Manchester as one of the best security processes in the UK, if not Europe. There’s no doubt that body scanners play a big part in these results.” [BBC News]
US – NIST Issues Risk Assessments Guidance
The National Institute of Standards and Technology has issued what could be characterized as the bible of risk assessment. Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments, provides direction for conducting risk assessments and amplifies the guidance found in SP 800-39: Managing Information Security Risk. Though SP 800-30 was written for federal information systems and organizations, its lessons can be applied to other organizations in and out of government. The new guidance document, issued Sept. 18, provides direction for carrying out each of the steps in the risk assessment process, such as preparing for the assessment, conducting the assessment, communicating the results of the assessment and maintaining the assessment. It also shows how risk assessments and other organizational risk management processes complement each other. [Source] [Full announcement on the CSRC News/Announcement page] [NIST Public Business Affairs Office media release] [SP 800-30 Revision 1] [CSRC Special Publications] S [Draft Special Publication 800-88 Revision 1, Guidelines for Media Sanitization is available for public comment]
AU – Privacy Commissioner: Citizens Concerned About Smart Meter Data
Australian Privacy Commissioner Timothy Pilgrim has said smart meter technology could threaten people’s privacy. “We are starting to see people voicing concern about the level of data that these meters can collect,” Pilgrim said. Customers with smart meters must consent to having their data shared with various third parties, the report states. Pilgrim said companies have an obligation to delete or de-identify personal information that is no longer necessary. An Origin Energy spokesman said its online energy-usage portal is fully compliant with Australian privacy legislation and that the company keeps personal data for tax and compliance purposes. [The Age]
US – Meeting Scheduled to Establish Voluntary Smart Grid Code of Conduct
In response to workshops on smart grid privacy, a task force will develop a voluntary code of conduct for utilities and third parties providing consumer energy use services. The White House released “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation for the Global Digital Economy,” in February. The blueprint contains an outline for a multi-stakeholder process to develop a voluntary code in order to promote consumer confidence. As such, an initial multi-stakeholder meeting will take place December 6 in Washington, DC, and aims to develop the process and a timeline as well as to establish priorities. [Smartgrid.gov]
WW – Risk Report Finds “Sharp Increase” in Browser Exploits
Results of the IBM X-Force 2012 Mid-Year Trend and Risk Report suggest “the landscape has seen a sharp increase in browser-related exploits…along with renewed concerns around social media password security and continued disparity in mobile devices and corporate bring-your-own-device (BYOD) programs.” The report notes an upward trend in vulnerabilities. “We’ve seen an increase in the number of sophisticated and targeted attacks,” said IBM’s Clinton McFadden, adding, “As long as these targets remain lucrative, the attacks will keep coming and in response, organizations should take proactive approaches to better protect their enterprises and data.” [InfoSecurity]
Surveillance
US – Rent-to-Own Laptops Secretly Photographed Users Having Sex, FTC Says
Seven rent-to-own companies and a software maker are settling charges with the FTC alleging they spied on consumers using rented computers. Without consumers’ knowledge or consent, the companies captured screenshots of confidential and personal information, logged keystrokes and in some cases took webcam pictures. The proposed settlement bans the companies from using monitoring software and from using deceptive methods to gather information about consumers. It also forbids the companies from using geolocation tracking without consumer notice and consent and from “providing others with the means to commit illegal acts,” among other provisions. [WIRED] [Settlement] [Commentary: Web Cam Spying Settlement Indicates Need for Stronger Privacy Laws] [FTC Wrist Slaps PC Rental Firms For Spying]
US – Report Indicates “Massive Spike” in Tracking
Documents indicate a jump in law enforcement is “real-time surveillance targeting social networks and e-mail providers 80% from 2010 to 2011.” The documents, obtained through a Freedom of Information Act suit by the American Civil Liberties Union (ACLU), also indicate “a massive spike in ‘non-content’ surveillance by federal law enforcement over the last two years, jumping 60 percent from 23,535 cases in 2009 to 37,616 in 2011.” The report suggests “police are using a 1986 law intended to tell police what phone numbers were dialed for far more invasive surveillance: monitoring of whom specific social network users communicate with, what Internet addresses they’re connecting from” and other interactions. [Source]
US – Survey: More Than a Third of Public Fears Police Use of Drones
More than a third of Americans worry their privacy will suffer if drones like those used to spy on U.S. enemies overseas become the latest police tool for tracking suspected criminals at home, according to an Associated Press-National Constitution Center poll. Congress has directed the Federal Aviation Administration to come up with safety regulations that will clear the way for routine domestic use of unmanned aircraft within the next three years. The government is under pressure from a wide range of interests to open U.S. skies to drones. But privacy advocates caution that drones equipped with powerful cameras, including the latest infrared cameras that can “see” through walls, listening devices and other information-gathering technology raise the specter of a surveillance society in which the activities of ordinary citizens are monitored and recorded by the authorities. Nearly half the public, 44%, supports allowing police forces inside the U.S. to use drones to assist police work, but a significant minority – 36% – say they “strongly oppose” or “somewhat oppose” police use of drones, according to a survey last month. When asked if they were concerned that police departments’ use of drones for surveillance might cause them to lose privacy, 35% of respondents said they were “extremely concerned” or “very concerned.” An almost identical share, 36%, said they were “not too concerned” or “not concerned at all.” [Associated Press]
US – GAO Report on Drones Cites Growing Privacy Concerns
A Government Accountability Office (GAO) report has said there are growing concerns about privacy and civil liberties as unmanned aircraft systems (UAS) are introduced to the public airspace. The GAO reported, “Concerns include the potential for increased amounts of government surveillance using technologies placed on UAS, the collection and use of such data and potential violations of constitutional Fourth Amendment protections against unreasonable search and seizure.” The GAO report also revealed that no federal agency “has been statutorily designated with specific responsibility to regulate privacy matters relating to UAS for the entire federal government.” [Security Management]
Telecom / TV
US – Tech Companies Form Alliance To Lobby Washington
Major Internet companies have formed a lobbying group to address regulatory and political issues in Washington, DC. Google, Yahoo, LinkedIn, Amazon, eBay and Facebook are among those comprising The Internet Association. The group will lobby on privacy and cybersecurity issues, among others. The group’s president said it’s the Internet’s “decentralized and open model that has unleashed unprecedented entrepreneurialism. Policymakers must understand that the preservation of that freedom is essential to the vitality of the Internet itself and the resulting economic prosperity.” [Reuters] SEE ALSO: [Commission nationale de l’informatique et des libertés, France – Connected TV: What Challenges for the Protection of Privacy?]
US Government Programs
US – New York to Expand Access to DMV Information by Law Enforcement Agencies
Governor Andrew M. Cuomo has announced a new data sharing initiative that will give law enforcement agencies greater and instantaneous access to information housed by the Department of Motor Vehicles (DMV) through a secure internet portal. This information includes photos of all 16 million New York State drivers and non-drivers, vehicle registrations, drivers’ lifetime driving histories, as well as real-time notifications of traffic violations and other changes to a driver’s record.[Source]
US – White House Draft of Executive Order on Cybersecurity “Close to Completion”
US Department of Homeland Security (DHS) Secretary Janet Napolitano says that the White House’s executive order on cybersecurity is “close to completion,” but added that to ensure the safety of US networks, lawmakers will have to pass cybersecurity legislation as well. There are issues that an executive order cannot address: it cannot provide liability protection as incentives for employing cybersecurity measures and it cannot change penalties for cybercrimes. The president has not yet reviewed the draft document. [NextGov] See also: [Senator Sends Letters to Fortune 500 CEOs Asking About Cybersecurity Efforts] and [State Dept. Legal Adviser Says Cyberattacks Subject to Int’l Laws of War] and [FERC Establishes Cybersecurity Office]
US Legislation
US – Groups Disagree on Proposed COPPA Changes
Privacy advocates are urging the Federal Trade Commission (FTC) to discard a proposal by the Walt Disney Company that would change how organizations meet COPPA obligations. The company wants the FTC to alter its definition of websites “directed at children” and has proposed a “family-friendly” classification. The Center for Digital Democracy has said “children’s privacy would receive much less protection as a result” of the changes. Meanwhile, in its comments to the FTC, the Interactive Advertising Bureau has said new behavioral advertising limits “would restrict children’s access to online resources by undermining the prevailing business model.” [NationalJournal]
US – Senator Introduces Bill Requiring Warrant for E-Mail History
After more than 25 years since the passage of the Electronic Communications Privacy Act (ECPA), Sen. Patrick Leahy is hoping to get the out-of-date privacy law up to speed by introducing a new bill in the Senate Judiciary Committee. The key component of this new bill is that law enforcement officials would no longer have the ease of freely being able to read people’s personal e-mail and online communication — they’d need a warrant first. As the law now stands, police are allowed to get individual’s private correspondence by simply asking e-mail providers for the person’s message history.[Source] See also: [US: Judge preserves privacy of climate scientist’s e-mails]
US – Bill Would Require Police to Obtain Warrants for E-mail, Location Data
A new bill would require police to acquire warrants before accessing U.S. citizens’ e-mail or tracking their cell phones. Introduced by Rep. Zoe Lofgren (D-CA), the bill would require a search warrant for law enforcement access to cloud data or location information, the report states. The bill is backed by Digital Due Process, which comprises companies including Amazon.com, Apple, Google, Twitter and Microsoft. It’s anticipated that the U.S. Justice Department will combat the effort; it has previously warned that such protocols would hinder “the government’s ability to obtain important information in investigations of serious crimes,” the report states. [CNET News]
US – CA Signs Two Social Media Privacy Bills Into Law
California Gov. Jerry Brown has signed two social media privacy bills, making it illegal for businesses and universities to ask for access to people’s social media and e-mail accounts. Brown said, “The Golden State is pioneering the social media revolution, and these laws will protect all Californians from unwarranted invasions of their personal social media accounts.” Assembly Bill 1844 prevents employers from requiring user names or passwords from employees or job applicants, and Senate Bill 1349 prevents public and private universities from requiring students to disclose their user names and passwords. [Mercury News]
US – Senate Panel Delays Privacy Law Rehash
The Senate Judiciary Committee will likely wait until after the presidential elections to overhaul the Video Privacy Protection Act and the Electronic Communications Privacy Act (ECPA). Judiciary Chairman Patrick Leahy (D-VT) said panel members told him “they want further discussion” of the reforms. Earlier this week, several law enforcement groups wrote the committee saying, “Any effort to revise ECPA should involve detailed and careful consideration of the consequences of proposed changes on the ability of law enforcement investigators to conduct their work efficiently and effectively on behalf of American citizens.” [NationalJournal] SEE ALSO: [ Connecticut’s new data-breach hotline goes live Oct. 1] and [New Jersey Senate, No. 1898 – An Act Prohibiting a Requirement to Provide Information to Access an Account on a Social Networking Website by an Employee – State of New Jersey 215th Legislature] and [Departing CA Senator Simitian Hopes Others Pick Up the Privacy Torch]
Workplace Privacy
US – Managing Risks in Implementing Bring Your Own Device Programs
Companies must deal with the following issues in the context of implementing a corporate bring your own device (“BYOD”) strategy – hardware and software standards (determine what the technical minimum requirements a device must meet in order to be released for productive use in the company’s IT-system environment), rights on ownership and licenses (in order to put the device into productive use, it is very likely that the company must dispose of all rights needed to use the device with the existing IT-system environment), access and control rights (for the purpose of having legal certainty, the company must establish clear rules to determine under what circumstances it may access the employees’ devices or monitor their use), transfer rights (the fact that company data resides on the device impacts the employees’ ability to transfer the device to third parties, e.g., in case of maintenance or repair), and data protection compliance (there must be a comprehensive data protection concept in place which spans reasonable technical and organization measures to protect confidentiality of the data, and provides adequate notification of the individuals whose data are processed). [Source: Matthias Scholz, Baker and McKenzie]
EU – EU Proposal Would Complicate Workplace Evidence Gathering
If the EU adopts its new data protection proposal, companies could have a difficult time conducting internal investigations that rely on collecting documents and e-mail from employees. EU regulations already make it difficult for lawyers to gather information—including data stored on company computers and servers, the report states. But the new proposal “eliminates the most convenient way of gathering evidence for U.S. legal compliance purposes,” said DLA Piper’s Jim Halpert. He added that under current law, lawyers can gather information if given voluntary employee consent. But under the EU’s proposal, that consent, “even if freely given,” would be deemed “invalid.” [Corporate Counsel]
US – California Governor OKs Web Privacy Bill
California Gov. Jerry Brown has signed privacy bills making it illegal for employers and colleges to demand ac-cess to social media accounts. Brown announced Thursday that he signed the bill that prohibits employers from demanding usernames and passwords from employees and job applicants. The companion bill makes it illegal for colleges and universities to demand social media user-names and passwords from students. [Source] See also: [US: Lawyer’s Facebook photo causes mistrial in Miami-Dade murder case] See also: [OIPC SK – Investigation Report F-2012-003 – Saskatchewan Workers’ Compensation Board] and [OIPC SK – Investigation Report F-2012-002 – Saskatchewan Workers’ Compensation Board] and [OIPC SK – Investigation Report F-2012-005 – Saskatchewan Worker’s Compensation Board]
+++