16-30 April 2013

Biometrics

US – The Power and Limits of Facial Recognition

Salon interviews Carnegie Mellon computer scientist Alessandro Acquisti to explore why, according to Boston’s police commissioner, facial recognition technology did not help identify the Boston bombing suspects. Among the “three or four potential hurdles,” Acquisti said image quality, available data stored in databases to match images, the high cost of such software and the problem of false positives may have all played a role. Meanwhile, Google Executive Chairman Eric Schmidt and Google Ideas Director Jared Cohen “forecast the raft of new innovation and corresponding threats that will arise for dictatorships, techno revolutionaries, terrorists and you” in an NPR interview.

WW – Apple Siri Retains Query Data for Two Years

Apple has responded to concerns raised by the ACLU about ambiguous information in its Siri privacy policy. Terms, such as “disassociated” and “period of time” have now been clarified by Apple spokeswoman Trudy Muller. Apple has revealed that it retains information about questions users ask Siri for as long as two years, although the company does try to anonymize the data. Siri queries are sent to Apple’s servers, where they are assigned an identifier – not an AppleID or email address – that links the voice files to the device from which they were sent. After six months, the identifier is removed, but the query data are retained to help Apple with product testing and improvement. Muller added, “If a user turns Siri off, both identifiers are deleted immediately along with any associated data.” But ACLU Lawyer Nicole Ozer says Apple should do more, including linking to the Siri privacy policy from its FAQ page so consumers can review data-handling practices prior to purchasing the company’s products. [WIRED] [Ars Technica] [ZDNet]

WW – Will ‘Passthoughts’ Replace Passwords?

A new form of biometric security using brain waves to authenticate users has been developed by researchers from the University of California, Berkeley. Rather than using a password to gain access, a user would submit a “passthought,” generating a unique signal from brainwaves that may or may not prove difficult for a hacker to duplicate. The recent commercialization of external electroencephalogram (EEG) devices — the researchers used a Neurosky MindSet, which connects wirelessly via Bluetooth and costs about $100 — makes this technology plausible and secure, and it could someday be used to replace traditional passwords. [Phys.org]

Canada

CA – Committee Calls for Voluntary OPC Guidelines

The House of Commons Standing Committee on Access to Information and Privacy is not recommending the government give the Office of the Privacy Commissioner (OPC) power to fine companies for breaking federal privacy law, instead calling on the OPC to “establish guidelines to help social media and data management companies develop practices that fully comply” with the law. The committee voiced concern that “major social media companies, while doing business in Canada, prefer to be governed by laws other than those of this country.” The guidelines would address how websites and data brokers “collect and use the personal information of Internet users”; however, “any direction provided under the proposed guidelines would only be voluntary,” the report states. [Postmedia News] [Privacy watchdog urged to create guidelines for social media and data brokers] [Privacy and Social Media in the Age of Big Data: Report of the Standing Committee on Access to Information, Privacy and Ethics | PDF version]

CA – Canada’s Grapple with Privacy and Freedom of Expression

A recent Alberta Court of Appeal decision that the province’s privacy law is unconstitutional can be seen as potentially rippling through the country at large and setting up a clash between privacy and freedom of expression, as included in the charter passed in 1982. This clash between privacy and freedom of expression is particularly interesting because while freedom of expression is a “fundamental right” under the charter, there is no similar privacy right, except as listed in the legal rights of those dealing with the justice system. [The Privacy Advisor] SEE ALSO: [Data Protection Laws of the World Handbook: Second Edition – Canada]

CA – Government Announces Software to Enhance Airport Passenger Privacy

Minister of State (Transport) Steven Fletcher has announced that the Canadian government is deploying software on Canada’s full body scanners to enhance passenger privacy. The new Automatic Target Recognition software is now being updated to produce a computer generated stick figure rather than displaying an outline of the passenger’s body, the report states. “Our government is committed to ensuring the safety and security of all passengers traveling through Canadian airports,” Fletcher said. [The Herald] See also: [Detector finds smuggled cellphones even without batteries or SIM cards]

CA – Canadian Gov’t Quietly Drops Lawful Access from Cyber-Security Strategy

The government has recently dropped lawful access from its national cyber-security strategy. The 2010 Cyber-Security Strategy telegraphed the intent to bring forward lawful access legislation with a commitment to introduce a bill:

  • Requiring Internet service providers to maintain intercept capable systems, so that law enforcement agencies can execute judicially authorized interceptions;
  • Requiring Internet service providers to provide police with basic customer identification data, as this information is essential to combatting online crimes that occur in real time, such as child sexual abuse.

Yet earlier this month, the government released its Action Plan 2010-2015 for the Cyber-Security Strategy. It removed all references related to lawful access, including the commitment to legislation involving Internet service providers. Given that the document originates with Public Safety – the most ardent supporter of lawful access within the government – the removal of surveillance language provides a strong signal that it is not part of the legislative plan for the foreseeable future. [Source] See also: [N.S. wants ban on spreading images after Rehtaeh Parsons case]

CA – BC Hydro Smart Meters Provoke Class Action Lawsuit

Opponents of smart meters are preparing a class action lawsuit against BC Hydro, alleging installation of the high-tech devices has led to thousands of health, safety and privacy concerns over the last two years. The group estimates that some 200,000 homes would switch back to analog meters if they had the choice. The coalition’s lawyer is now collecting signatures online for the class action lawsuit, which they plan to file in court in the near future. BC Hydro spokeswoman Cindy Verschoor says Stutters’s new analog meter isn’t approved for use in Canada and if something went wrong it could be liable. The only meters BC Hydro does approve are the smart meters, she said. “In cases where a meter’s expiration date is up or the meter is broken, B.C. Hydro has always had to replace the meter with a new meter,” said Verschoor. B.C. NDP Leader Adrian Dix has promised to submit the smart meter program to an independent review if he’s elected premier. [Source]

CA – BC Homeless People Deserve Privacy Too, Says Advocate

An agency that helps homeless people is waging a battle with government agencies over how much personal information to share about its marginalized clients. The Lookout Society, which receives funding for a New Westminster transition house from Fraser Health, is upset the health authority wants details about the residents, including their names, from the agency’s electronic database. The health authority stated it wanted the information to track services clients receive from the agencies it funds, as well as to monitor their progress. “Sending all of this really personal information to government, which hasn’t got a really good track record of holding this information private, is not in the clients’ best interest,” said Lookout executive director Karen O’Shannacery. “And there is a question of whether we can legally release all that information.” [Source] SEE ALSO: [POLL: Should Alberta health cards include photo ID?]

CA – Competition Bureau Loses its MLS-Access Case Against TREB

The federal Competition Tribunal has dismissed a high-profile case regarding access to MLS data on a technicality and awarded costs to the Toronto Real Estate Board. In a decision released last week, the tribunal ruled the case, which accuses TREB of anti-competitive behaviour, had been initiated by Melanie Aitken, former commissioner of the Competition Bureau, under the wrong section of the Competition Act. The densely written, 7-page decision — reached after more than 8 months of preparation and 2 months of hearings in Toronto last fall — came as a surprise to some close to the complex case. [Source]

Consumer

WW – Microsoft Launches Public Awareness Campaign

Microsoft is introducing a public awareness campaign that includes TV, print, billboard and online ads as well as a quiz to determine consumer attitudes on privacy. The quiz aims to get people talking about their attitudes on privacy. “It assesses how much you are interested in managing access to your information online,” said Mary Snapp, Microsoft corporate vice president and deputy general counsel, adding, “It enables you to talk about privacy choices with your friends and family.” Microsoft is rolling out the campaign in Washington, DC, and Kansas City, MO, where competitor Google “might be exposed,” an Ad Age report notes. [The Washington Post] See also: [Washington Post: As cyberthreats mount, hacker’s conviction underscores criticism of government overreach]

US – The ZIP Code Data Trail

CNN reports on the data trail established when consumers willingly give their ZIP code to offline retailers when making a purchase. The combination of a name—given during a credit card purchase—and a ZIP code can help data brokers link a consumer’s purchasing habits with publicly available records for the purposes of targeted advertising. Privacy Rights Clearinghouse Director of Policy Paul Stephens said, “For the majority of the country, the ZIP code is going to be the piece of the puzzle that is going to enable a merchant to identify you.” The Massachusetts Supreme Court recently ruled that ZIP codes are personal information, preventing retailers from asking for ZIP codes for marketing purposes. [CNN]

US – Survey Shows Consumers Want Some Targeted Ads

A Digital Advertising Alliance (DAA) survey has shown that nearly 70 percent of respondents would like at least some targeted advertisements. “It’s unfortunate that targeted advertising has been conflated with all kinds of privacy fears,” said DAA Managing Director Lou Mastria, adding that he hopes the study will inform the debate surrounding the necessity of legislation. “We asked real specific questions about the real-world proposition, the value exchange between advertising and the experience on the Internet,” he continued. “And that yields clear answers.” However, Annenberg School of Communications Prof. Joseph Turow analyzed the poll and expressed doubts over the validity of results. [Ad Week]

WW – Study Shows Major Generational Divide On Online Privacy Attitudes

A study published this week by the USC Annenberg Center for the Digital Future found that young adults don’t care as much about online privacy as older Internet users. Individuals between the ages of 18 and 34, known as Millennials, were found to be more willing to hand over their personal data or web behavior to online businesses. Although 70% of young adults agreed that companies should never be allowed to access their personal data, compared to 77% by those older than 35, Millennials were more willing to give up some privacy if they benefited from it, such as receiving coupons or other business deals. More than half of Millennials surveyed said they would be willing to trade personal information for something in return, compared to just 40% of those aged 35 and older. Both age groups agreed, however, that personal data being used for targeted advertisements was a concern. Only 25% of young adults agreed with targeted ads, compared to 19% of Internet users age 35 and older. “Online privacy is dead — Millennials understand that, while older users have not adapted,” said Jeffrey I. Cole, director of the USC Annenberg Center for the Digital Future. “Millennials recognize that giving up some of their privacy online can provide benefits to them. This demonstrates a major shift in online behavior — there’s no going back.”

“We are seeing a whole new set of values driving Millennials in their behavior online,” said Greg Bovitz, president of Bovitz Inc, co-publisher of the study. “The fact that Millennials are willing to part with personal information creates new opportunities for businesses to develop marketing models that capitalize on the wants of this generation of Internet users.” [Source]

CA – Bank Fraud, Computer Security Top Survey of Canadians’ Privacy Concerns

Canadians feel the grip on their privacy slipping away in a world where web sites, mobile devices and even eyes in the sky can track their every move, a new poll suggests. A growing unease over how well personal information is safeguarded is among the findings of a newly released survey commissioned by the federal privacy watchdog. The poll suggests two-thirds of Canadians are concerned about the protection of their privacy — with a quarter of respondents saying they are “extremely concerned.” Many Canadians feel a growing sense of helplessness when it comes to protecting their privacy. Seven of every 10 people think their personal information has less protection today than it did a decade ago. More than half of those surveyed felt they did not know enough about new technologies to determine if their privacy is at risk. The survey also suggests most Canadians are concerned about bank fraud, credit-card fraud, computer security and identity theft. Despite these concerns, the poll found most Canadians remain largely unaware of their privacy rights. Some 63% rated their knowledge of privacy laws either low or in the neutral range. That said, Canadians’ knowledge of their privacy rights is higher now than in previous years, the survey suggests. [Source]

E-Government

US – CFPB Head Defends Consumer Data Collection Plan

Testifying at a Senate Banking Committee hearing, U.S. Consumer Financial Protection Bureau (CFPB) Director Richard Cordray defended his agency’s data collection plans. He said the data collected is not privacy-invasive and parallels techniques already used in the private sector. “The big banks know more about you than you know about yourself,” Cordray said, “And me, too, as a consumer.” The CFPB is currently collecting data from credit bureaus and requesting large amounts of data from major banks in order to improve the agency’s rule-writing and supervisory work, the report states. Sen. Mike Johanns (R-NE) said, “To many people, this is going to sound downright creepy.” Cordray said, “The notion that we’re tracking individual consumers or invading their privacy is quite wrong.” [Bloomberg]

US – US Amasses Big Data on 10 Million People; Banks Protest

The new US consumer finance watchdog is gearing up to monitor how millions of Americans use credit cards, take out mortgages, and overdraw their checking accounts. Their bankers aren’t happy about it. The Consumer Financial Protection Bureau is demanding records from the banks and is buying anonymous information about at least 10 million consumers from companies including Experian. While the goal is to sharpen enforcement and rule-making, banking executives question why the bureau is collecting so much without being more specific about the benefits. [Source]

E-Mail

US – IRS Will Obtain Warrant Prior to E-mail Access

In response to news last week that the Internal Revenue Service (IRS) does not obtain warrants prior to accessing suspects’ electronic communications, IRS Acting Commissioner Steven Miller said the no-warrant policy for e-mails will be abandoned. Testifying in front of the Senate Finance Committee, Miller said it’s currently the IRS’s policy to get a “search warrant in advance” of accessing a suspect’s e-mail, but he said he didn’t know if that policy extended to other electronic communications such as Facebook or Twitter. [CNET News]

Electronic Records

US – New HIPAA Rules Create New Responsibilities

With the final omnibus HIPAA and HITECH rule released by the Department of Health and Human Services in January, there are new concerns for healthcare privacy. Business associates and subcontractors can now be held directly liable for any breach of personal health information (PHI) and are now responsible for breach reporting. Breach documentation must be maintained for six years, and there are new limits on use and disclosure of PHI. Bowen writes that “adherence to HIPAA must be an ongoing, full-time effort,” and “privacy is not a one-and-done; it must become part of the fabric of your organization.” [Becker’s Hospital Review]

Encryption

US – Judge Will Not Force Man to Decrypt Hard Drives

A federal judge in Wisconsin said that forcing a suspect to decrypt his hard drives would violate his Fifth Amendment right against self-incrimination. Judge William E. Callahan called the decision a “close call.” [Ars Technica] [WIRED] [Text of Ruling]

EU Developments

EU – Committee Votes Down PNR Bill

The EU Parliament’s Civil Liberties Committee voted against plans for sharing airline passenger data among EU nations. The plans call for a passenger name registry, similar to a current agreement with the U.S., that would share the names, contact details and payment data of passengers. Dutch MEPs Sophie In’t Veld and Jan Philipp Albrecht welcomed the vote, the report states, noting that citizen rights and the rule of law had been considered first. UK MEP Timothy Kirkhope said the vote was “irresponsible” and accused other MEPs of putting “ideological dogma before a practical and sensible measure that would have seriously assisted our fight against crime and terror.” BBC News provides video of the Parliamentary debate. [PCWorld] [EU parliament committee votes against air passenger data sharing bill]

EU – Coalition: Revised Law Would Undermine Privacy

A coalition of international civil liberties groups is contending that proposed changes to the EU’s data protection regulation “would strip citizens of their privacy rights.” The move to create one regulation to replace the existing data protection laws in the EU’s 27 member states “obviously requires compromise, but many parliamentarians report never seeing lobbying on such a scale before,” the report states, noting the civil liberties coalition, which includes such groups as EDRI and Privacy International, has set up a website “to help concerned citizens contact their representatives in the Parliament.” [IDG News Service]

EU – EDPS Hustinx Outlines Road Ahead for Regulation

As the opening speaker at the IAPP Europe Data Protection Intensive in London, European Data Protection Supervisor Peter Hustinx laid out his predictions for what the much-anticipated EU privacy regulation would finally look like when adopted. Confident that it would meet deadline and be in place by the spring of 2014, Hustinx said, “my impression is that there is a basic consensus that the current architecture of the regulation is the right one…Now the focus is on getting it right, and the key word there is balance.” [IAPP Privacy Advisor] See also: [Vodafone’s Deadman: Show Us the Carrots]

UK – Former ICO Wants Rewrite of Chapter IV

Noting the prescriptive and inflexible nature of the EU’s draft data protection regulation, former UK Information Commissioner Richard Thomas used his keynote address at the IAPP Data Protection Intensive in London on Thursday to outline an alternative framework that would focus more simply on outcomes, provide incentives for meeting regulatory requirements and allow for as much self-enforcement as possible. [Source]

EU – Privacy Regulators Criticize Companies’ Tactics

Criticism has been levied by German data protection regulators on Google and Facebook in light of investigations into the companies’ privacy practices. Regulators said the companies have used “delay tactics” and have exercised “impertinent” behavior during the probes, the report states. Federal Data Protection Commissioner Peter Schaar said “Google will keep making attempts to delay investigations through continuous correspondence and always freshly repackaging arguments.” Google was fined by Hamburg’s data protection commissioner earlier this week. A German appeals court has also rejected an attempt by Schleswig-Holstein Data Protection Commissioner Thilo Weichert to require Facebook to allow users to register under pseudonyms. Facebook said, “We’re seeking to have a constructive dialogue with all groups, also with our greatest critics.” [Bloomberg]

EU – Working Party Dislikes EC’s Impact Assessment Template

The Article 29 Working Party has criticized the European Commission’s recommended template for data protection impact assessments (DPIA) on smart meter use. “The submitted DPIA Template does not directly address the actual impacts on the data subjects, such as, for example, financial loss resulting from inaccurate billing, price discrimination or criminal acts facilitated by unauthorized profiling,” said the Working Party. Smart metering is due to take effect in the UK in 2014, but privacy concerns have been raised. [Out-Law.com] [The Working Party’s opinion]

US – FTC’s Brill Looks to Smooth EU-U.S. Privacy “Rift”

The Wall Street Journal reports on comments made in Brussels by FTC Commissioner Julie Brill. “I don’t want to say there’s confusion about the U.S. privacy regime,” Brill told reporters, “but there does seem to be a lack of understanding about how robust it is and how much enforcement work we actually do and how strong the laws are that we do have in sensitive areas.” Brill noted, “Last year we issued what I call our big privacy rethink…Many of the principles we talked about are actually reflected in the proposed EU regulation.” Facebook Chief Operating Officer Sheryl Sandberg said, “I believe there is a perception and fear that because we are American we don’t take privacy as seriously as Europeans do…If there is a single American who cares as much about privacy—just one—as someone in Germany, then we have to understand it.” [Source]

EU – Vote on Regs Delayed Until Late May

A final vote on the EU data protection proposal was scheduled to take place this week, but the Civil Liberties, Justice and Home Affairs Committee (LIBE) has postponed it until May 29-30. Industry is lobbying heavily against the proposal, which they say will stifle business and innovation in member states. John Pooley, of specialist agency the Data Partnership, says the proposed changes “will render both targeting and analytics and almost anyone currently engaged in digital marketing to have to review their current practices.” The delay is being attributed to an effort to concentrate on the fallout over the banking crisis in Cyprus, the report states. [Marketing Magazine]

Facts & Stats

US – The Consumer Cost of a Data Breach

New research has revealed the consumer costs of last year’s breach of the Utah Department of Health. On average, according to Javelin Strategy & Research, “each incident will result in more than $3,300 in losses” and each victim “will spend about 20 hours and $770 on lawyers and time lost from work to resolve the case.” Meanwhile, Bloomberg reports that more clinics and hospitals are investing in biometric technology—such as iris scans—to improve patient safety and curb identity theft. U.S.-based data breaches may have cost the healthcare industry as much as $7 billion a year, according to a Ponemon Institute study. [The New York Times]

Filtering

JP – Japan’s National Police Wants ISPs to Block Tor for Those Who “Abuse” It

Japan’s National Police Agency (NPA) may begin asking ISPs there to block Tor, a network that helps people anonymize their online activity. (Tor stands for The Onion Router). The ISPs would be asked to block people’s use of Tor if those people had been found to be abusing the network. Japanese police were thwarted in their efforts to nab a cybercriminal because he used Tor. The NPA’s plan comes in response to a recommendation from a panel brought together to help decide how to fight crime that is committed with the help of Tor. [ArsTechnica] [BBC] [The Register]

Finance

CA – Digital Cash Replacement from Royal Canadian Mint in the Works

Secure chips have already made it into our credit and debit cards. Next up, they could replace pocket change. The Royal Canadian Mint has been pushing forward with its “MintChip” prototype, a digital cash replacement aimed at transactions under $10, since it surfaced a year ago. The Crown corporation is factoring in developer feedback, hiring a product manager and consulting with the financial sector. MintChip, as envisioned, could enable paying someone back by tapping phones together, scanning a QR code to donate to charity, or clicking to spend cents on an online article. However, it’s not known when — or even if — the MintChip will be released into circulation. A Finance Department official said the Crown corporation is consulting with the federal government on potential next steps, and currency changes can require legislative approval. To even attempt to create such a system sets Canada apart from other countries, said electronic transaction specialist Dave Birch. “To the best of my knowledge, Canada is the only mint that’s seriously experimenting with this sort of thing,” he said. [Source]

FOI

WW – Increase in Content Removal Requests from Governments

According to Google’s most recent transparency report, the company received more requests from governments to remove content in the last six months of 2012 than during any previous six-month period for which records have been kept. Between July and December 2012, Google received 2,285 requests from governments around the world to remove a total of 24,179 pieces of content. The figures for the first half of 2012 were 1,811 requests to remove 18,070 pieces of content. Many of the requests came from governments seeking the removal of content critical of government officials. Google does not automatically comply with content removal requests, but instead scrutinizes the legality of requests and considers each request’s scope. [CNet] [ZDNet] [Google’s Transparency Report]

US – Will Public Release of Privacy Audits Become the Norm?

Last week, Facebook released some details of its FTC-mandated, independent privacy practice audit. This Privacy Perspectives blog post looks into why this could be good for the privacy profession. [Source] [Source] [New York Times: Privacy Practices Up-to-Par, Facebook Audit Reveals]

US – Facebook: Audit Finds Privacy Practices Sufficient

Facebook says that an independent audit found its privacy practices sufficient during a six-month assessment period that followed a settlement with federal regulators. Facebook Inc. said it submitted the findings to the FTC. The audit was a required part of the social networking company’s settlement with the FTC last summer. The settlement resolved charges that Facebook exposed details about its users’ lives without getting the required legal consent. Facebook provided a copy of its letter to the FTC, along with a redacted copy of the auditor’s letter, to The Associated Press two days later. The redacted portion contains trade secret information and does not alter the auditor’s findings, the company said. The audit, which found that Facebook’s privacy program met or exceeded requirements under the FTC’s order, covered written policies as well as samples of its data. “We’re encouraged by this confirmation that the controls set out in our privacy program are working as intended,” said Erin Egan, Facebook’s chief privacy officer for policy, in an emailed statement. “This assessment has also helped us identify areas to work on as Facebook continues to evolve as a company, and improve upon the privacy protections we already have in place. We will keep working to meet the changing and evolving needs of our users and to put user privacy and security at the center of everything we do.” Facebook did not disclose the full, 79-page report or specific details on shortcomings in its privacy practices that were revealed by the audit. Spokeswoman Jodi Seth said Facebook declined to disclose such details “based on contractual obligations and the possibility of security and competitive vulnerabilities.” The company has asked the FTC to keep the redacted information private, saying it would put it and its auditor at a competitive disadvantage and because it could reveal possible limitations of its privacy program. The name of the accounting firm is also redacted, but that information will be released when the FTC responds to the audit. [Source]

Genetics

US – ‘Biobank’ Bill Threatens Genetic Privacy

Minnesota health officials have built an unauthorized state biobank of DNA and health data on individuals. They admitted in testimony to the Legislature that the Minnesota Department of Health has been collecting genetic information for decades without specific legislative authority. They now want the Legislature to retroactively legalize what they did — and let them keep doing it into the future. The department’s biobank legislation — wrapped into the omnibus data practices bills, H.F. 695 and S.F. 745 — is ready for a floor vote in the Minnesota House and Senate. [Source]

Google

WW – Google’s Predictive Search Comes to iPhone, iPad

Google’s predictive search feature, Google Now, uses the cache of data Google stores on individual users to target them with the information it deems most relevant to their needs at any given moment. The feature was rolled out for iPhones and iPads this week and is based on users’ search histories, location information and Gmail confirmations for flights, hotel bookings or restaurants, for example. “We’re providing answers before you’ve even asked the question,” said Google’s director of product development. [CNN] SEE ALSO: [Book Review: The New Digital Age: Reshaping the Future of People, Nations and Business]

EU – Google Chiefs to Face Prosecutorial Appeal in Video Case

Google’s Senior Vice President David Drummond, Chief Legal Officer Peter Fleischer and Chief Privacy Counsel George Reyes head back to Italy to face an appeal brought by the prosecutor of a 2010 case over alleged privacy offences involving a video posted to the now-defunct Google Video service. The executives were originally given suspended six-month sentences, which were then overturned. The report states the prosecutor will now appeal the case to the Italian Court of Cassation, arguing that employees can be responsible for content uploaded by users and that services should be responsible for pre-screening user-created content. [PCWorld]

EU – 145,000-Euro Fine for Google

Hamburg authorities have fined Google 145,000 euros for collecting data from unsecured wireless networks while collecting photos for its Street View services. Google has said the collection was a mistake and the company never analyzed the information, which it has expunged. But Hamburg Data Protection Commissioner Johannes Caspar said, “In my opinion this case constitutes one of the biggest known data protection violations in history,” noting that by law, the maximum fine his office can levy for an accidental violation is 150,000 euros. [The Economic Times] [Google Fined a Pittance for Street View Data Collection: CNet | BBC | ComputerWorld | v3.co.uk]

WW – Google Play Store Changes Content Policy

The Google Play Store has changed its Content Policy to require that developers not update apps outside of the store. Specifically, “an app downloaded from Google Play may not modify, replace or update its own APK binary code using any method other than Google Play’s update mechanism.” Apps that do not abide by the new requirement will be labeled “dangerous products” and may be removed from the store. The policy change may have been prompted by Facebook’s introduction last month of a silent update feature for Facebook for Android. [CNet] [Ars Technica] [ZDNet] [h-Online]

WW – BadNews Malware Snuck Into Google Play Apps

Malware known as BadNews has been downloaded from Google Play at least two million times. BadNews was found to have been hidden in at least 32 separate apps from four different developers. The malware was added to the apps after they had been submitted to Google Play. Infected Android devices connect to remote servers every four hours to send harvested data, including device phone numbers and unique serial numbers. The remote servers also instruct infected devices to install a Trojan horse program called AlphaSMS that sends text messages to numbers that incur charges. Google has removed the infected apps. [The Register] [ArsTechnica] [SC Magazine] SEE ALSO: [Facebook Used to Market Banking Trojans]

US – ACLU Files Complaint With FTC Over Android Security Updates

The American Civil Liberties Union (ACLU) has filed a complaint with the US Federal Trade Commission (FTC) asking that the agency investigate major wireless phone service carriers for failing to deliver updates for known security issues in the Android operating system. The complaint alleges unfair and deceptive business practices for failing to distribute the patches and failing to inform customers that their devices are vulnerable to attacks. While Google has issued updates for the flaws, the carriers have not pushed them out in a timely manner. Apple issues its own updates for its phones, but individual carriers bear the responsibility of pushing out Android fixes. [WIRED] [h-Online] [ArsTechnica] [Washington Post] [Text of Complaint]

US – Google Wallet Update Upsets Privacy Advocate

Google’s update to an e-commerce tool used by vendors to manage sales is merely for show, charges a consumer advocacy group, which adds that the company should be more clear about its privacy policies. The update, used in conjunction with Google Play and other services, displays less of a customer’s personal information to the vendor than the previous iteration. The update to the e-commerce tool is rolling out to vendors now and over the next few weeks. But consumer advocacy site Consumer Watchdog says Google’s move is not an “actual” change, and it’s demanding more privacy policy accountability from Google. John Simpson, Privacy Project director at Consumer Watchdog, described his organization’s complaints from February and March filed with the U.S. FTC and the California Attorney General’s office about the Google Merchant Center. “Google was passing on the name, address, and e-mail address of the app buyer. We alleged that it violated policy law and the Buzz agreement.” “Google is a serial privacy violator,” said Consumer Watchdog’s Simpson, adding that Google’s “statement is pure bafflegab.” [Source]

WW – Google Releases Glass App Developer Guidelines

Google has released “extensive” guidelines for software developers aiming to build apps for the company’s wearable, Internet-connected glasses. According to the report, the guidelines are “much more restrictive” about Google Glass than has been the case with other products because of perceived consumer privacy concerns. Developers cannot sell ads, collect user data or share data with ad companies. A Forrester analyst said, “What we find is the more intimate the device, the more intrusive consumers perceive advertising is.” Google said to developers, “Be honest about the intention of your application, what you will do on the user’s behalf and get their explicit permission before you do it.” [The New York Times] See also: [What is the proper etiquette for Google Glass in a public bathroom? Nothing, really, according to Scoble]

Health / Medical

US – Parents Say HIPAA Risks Public Safety

Parents say there are risks to public safety when it comes to HIPAA privacy standards. At a recent hearing at the House Oversight and Investigation Subcommittee of the Energy and Commerce Committee, parents articulated concerns about HIPAA’s “limiting nature.” One parent, whose son died of a heroin overdose, testified that HIPAA rules prevented him from obtaining his child’s medical data—data that could have contributed to the child’s wellbeing. Some experts say the problem isn’t with HIPAA but with how some organizations interpret it, the report states. [HealthIT Security]

Horror Stories

CA – More Than 3,000 Gov’t Breaches in 10 Years

Documents tabled in Parliament this week show that the federal government has experienced more than 3,000 data and privacy breaches in the past 10 years, affecting more than 725,350 Canadians. Less than 13 percent of those breaches were reported, prompting NDP critic Charlie Angus to say, “As a standard, we should involve the privacy commissioner when Canadians’ privacy is breached,” noting that there may have been circumstances when Canadians were put at risk and not informed. [PostMedia] [Geist: Thousands of government breaches point to need for reform] [Public data breaches at all-time high] See also: [CA: IIROC broke own rules by losing private data — can we believe its explanation?]

US – Health Info Breach at 911 Center

A 911 emergency dispatch center in Monroeville, PA, is notifying all users of the service in 2012 or 2013 that they should “take all necessary steps to make sure that all your personal information is safe and secure.” A complaint alleges the center e-mailed personal information to a former police chief and allowed callers’ medical information to be anonymously accessed using generic user names and passwords. An investigation into the breach is underway, but investigators do not yet have “any specifics on who had access to the system or the dates the system had been breached.” [Post-Gazette] See also: [NL: Another breach of privacy for Eastern Health]

WW – 50 Million Passwords Hacked

Cyberthieves have breached LivingSocial, accessing the passwords of more than 50 million users. It is not yet known how the attackers breached the systems, but the passwords were salted and hashed, the report states. With the passwords, the hackers potentially had access to user names, e-mail addresses and birthdays; credit card and other financial data were not affected. LivingSocial CEO Tim O’Shaughnessy said the company is “redoubling efforts to prevent any issues in the future.” [PC Magazine] [CNet] [The Register] [ComputerWorld]

US – “Unsecured” E-mails Cause Health Data Breach

A Texas-based hospice center is informing more than 800 patients of a data breach after an employee allegedly sent out at least two “unsecured” e-mails containing sensitive patient information. The e-mails in question included recent referrals and admission activity reports, and compromised data included patient names, referral sources, admission and discharge dates and insurance providers. Hope Hospice discovered the breach during a routine security check and has said employees have since gone through additional training. [Health IT Security]

US – Verizon: One In Five Data Breaches Are the Result of Cyberespionage

IDG News Service reports that Verizon will soon publish its 2013 Data Breach Investigations Report, which compiled information from over 47,000 security incidents and 621 confirmed data breaches. The study explored financially motivated criminal attacks as well as cyber espionage. Analysts noted that in “four out of five breaches, the attackers stole valid credentials to maintain a presence on the victim’s network” and that mobile devices and cloud technologies were not major targets. Meanwhile, the British Department for Business, Innovation and Skills says small- and medium-sized businesses (SMBs) are increasingly the targets of cybersecurity attacks, and it will extend its Innovation Vouchers scheme to SMBs, allowing them to apply for funding to invest in cybersecurity. [PC World]

UK – The Guardian’s Twitter Accounts Hijacked

The same group that hijacked the Associated Press’s Twitter feed last week is now claiming responsibility for taking over Twitter accounts belonging to the UK newspaper The Guardian. The Syrian Electronic Army claims to have taken control of 11 Twitter feeds at the Guardian. The attack occurred over the weekend; as of Monday, Twitter had suspended most of the hijacked Guardian accounts. Following last week’s AP incident, which resulted in a phony tweet claiming that there had been an attack on the White House, Twitter announced that it is conducting internal testing of two-factor authentication. [ZDNet] [InformationWeek]

WW – Twitter Warns News Companies to Improve Security

Twitter has contacted major news organizations around the world, warning them that attacks like those against the Associated Press and The Guardian are likely to continue, and advising them to examine their internal policies for using social media. Twitter made suggestions, such as increasing the strength of account passwords and designating just one computer to use for Twitter. [BBC] [ZDNet]

Identity Issues

US – Professor Re-Identifies DNA Study Volunteers

Working with her research assistant and two students, Harvard Data Privacy Lab Director Prof. Latanya Sweeney scraped data on anonymous volunteers who shared their DNA with the Personal Genome Project, re-identifying more than 40 percent of the sample. Profiles of anonymous participants include information on medical conditions, illegal drug use, alcoholism, depression, sexually transmitted disease and medications, as well as DNA sequences, the report states, noting Sweeney’s team was able to discern identity from ZIP code, date of birth and gender “combined with information from voter rolls or other public records.” Sweeney has set up a website to help individuals determine how easily they could be identified by entering those three pieces of information. [Forbes]
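The three quasi-identifiers Sweeney’s team used (ZIP code, date of birth and gender) can be measured for uniqueness before a dataset is released, which is the check a data custodian would want to run. The Python below is an added example, not code from the Personal Genome Project or from the Harvard Data Privacy Lab: the records are constructed, and `k_anonymity`, `unique_fraction`, `generalize` and `suppress_below_k` are names chosen here to show k-anonymity measurement and the two standard remedies, generalization and suppression.

```python
from collections import Counter

# Constructed, de-identified sample: (zip_code, birth_date, gender, condition).
# The first three fields are the quasi-identifiers (QIs) discussed above; the
# condition is the sensitive attribute. Every value here is made up.
SAMPLE_RECORDS = [
    ("02138", "1961-07-02", "F", "hypertension"),
    ("02138", "1961-07-02", "F", "asthma"),
    ("02139", "1980-01-15", "M", "depression"),
    ("02139", "1980-01-15", "M", "none"),
    ("02139", "1980-01-15", "M", "asthma"),
    ("02140", "1975-03-30", "F", "diabetes"),
    ("02141", "1990-12-01", "M", "none"),
]

QI_FIELDS = (0, 1, 2)  # positions of ZIP, date of birth, gender


def equivalence_classes(records, qi_fields=QI_FIELDS):
    """Count how many records share each QI combination."""
    return Counter(tuple(r[i] for i in qi_fields) for r in records)


def k_anonymity(records, qi_fields=QI_FIELDS):
    """Size of the smallest equivalence class. k == 1 means at least one
    record is unique on the QIs and can be linked to a public record
    (voter roll, etc.) that carries the same three fields plus a name."""
    classes = equivalence_classes(records, qi_fields)
    return min(classes.values()) if classes else 0


def unique_fraction(records, qi_fields=QI_FIELDS):
    """Share of records that are unique on the QIs: a direct re-id risk measure."""
    if not records:
        return 0.0
    classes = equivalence_classes(records, qi_fields)
    singletons = sum(1 for r in records if classes[tuple(r[i] for i in qi_fields)] == 1)
    return singletons / len(records)


def generalize(records, zip_digits=3, dob_chars=4):
    """Coarsen the QIs: keep only a ZIP prefix and the birth year."""
    return [(z[:zip_digits], d[:dob_chars], g, c) for z, d, g, c in records]


def suppress_below_k(records, k, qi_fields=QI_FIELDS):
    """Drop records whose equivalence class is still smaller than k."""
    classes = equivalence_classes(records, qi_fields)
    return [r for r in records if classes[tuple(r[i] for i in qi_fields)] >= k]


if __name__ == "__main__":
    print("k before release:", k_anonymity(SAMPLE_RECORDS))
    print("unique fraction:", round(unique_fraction(SAMPLE_RECORDS), 2))
    released = suppress_below_k(generalize(SAMPLE_RECORDS), k=2)
    print("k after generalize+suppress:", k_anonymity(released), "records:", len(released))
```

On the constructed sample, two of seven records are unique on the raw QIs; generalizing to a 3-digit ZIP prefix and birth year still leaves those two unique, so suppression removes them and the released set reaches k = 2. Real datasets need far coarser generalization, and k-anonymity alone does not protect the sensitive attribute when every member of a class shares the same condition.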

WW – Microsoft to Begin Offering Two-Factor Authentication

Microsoft will start offering two-factor authentication to Microsoft Account users on an optional basis. The scheme will be much like those used by Google, Apple, and Facebook in which accounts are protected with both a password and a one-time passcode sent to users in a text message or generated by an authentication app. Users will have the opportunity to designate certain devices as trusted on which they do not need to use two-factor authentication. [ArsTechnica] [ComputerWorld] SEE ALSO: [Microsoft asks: What’s your online privacy type?]

US – AirBNB Starts Verifying User Profiles

Airbnb, which helps people find vacation rentals all around the world, today will start verifying the identity of all users by asking for their real-life papers, the company announced. Airbnb is asking both travelers and those who have property listings to provide two forms of identification for a new verification process. The company will take people’s IDs from Airbnb reviews and social media sites, like LinkedIn or Facebook, and will ask users to fill in information only they would know or scan a photo ID to confirm a match. For now, the company plans to require 25% of its users in the U.S., chosen at random, to complete the process. It intends to expand the requirement worldwide so that all Airbnb members will be verified. [Source]

Intellectual Property

US – Class-Action Incites Music Industry Privacy Concerns

A proposed class-action lawsuit has some in the music industry concerned that artists’ financial privacy will be breached. The proposed class-action was launched against Universal Music Group (UMG) by two musicians seeking damages based on treating income from online downloads as “sales” instead of “licenses.” The plaintiffs’ lawyers want UMG to disclose download revenue tied to particular artists to calculate potential damages. Lawyers for UMG said, “Under plaintiffs’ proposal, plaintiffs’ attorneys and music-industry professionals could review the private financial information of thousands of recording artists with whom they may have adverse relationships and who have not indicated any desire to be part of any class or to be represented by these attorneys or professionals.” [Hollywood Reporter]

WW – New Media Asset Tracking System Introduced

A media industry organization has announced the results of a two-year study on a new coding system that tracks media assets—from video clips to commercials. The Coalition for Innovative Media Measurement said the system would increase revenue by the billions for media companies and help them determine where, when and how content is viewed. One analytics representative said the system would help advertisers specifically tailor ads and allow media companies “to spend less time putting the data together and more time doing analysis.” Meanwhile, a new survey from the University of Southern California reveals that Millennials—those between the ages of 18 and 34—tend to be more willing to share personal information with marketers, particularly when there’s a relevant exchange of information. [The New York Times]

US – Erroneous DMCA Takedown Notices Problematic (April 22, 2013)

The Fox broadcasting company has sent Digital Millennium Copyright Act (DMCA) takedown notices regarding URLs linking to a novel, written by Cory Doctorow, called “Homeland.” Fox produces a television show with the same name; the two are in no way related. Further complicating matters is the fact that Doctorow published his novel under a Creative Commons license, which means its availability on BitTorrent is completely legal, so Fox’s takedown notices are causing legitimate content to be removed from the Internet. There is little recourse in situations like this. The DMCA requires that the takedown notices be issued in good faith, but it is easy enough to blame the erroneous notices on carelessness. In any case, the party whose content was wrongly taken down can recover only costs and attorney’s fees. [ArsTechnica] [DMCA robo-notices have been problematic for some time. For a hilarious (and terrifying) account of copyright shenanigans and DMCA notices, see: http://dmca.cs.washington.edu ]

Internet / WWW

US – ITA Says Safe Harbor Covers Cloud Technology

The U.S. Department of Commerce’s International Trade Administration (ITA) has published a report saying that U.S. companies’ compliance with Safe Harbor principles guarantees sufficient data protection, regardless of whether outsourcing contracts involve cloud computing. The ITA says because Safe Harbor is binding on all countries in the European Economic Area, EU data protection authorities cannot “unilaterally refuse to recognize Safe Harbor certification as a valid means of demonstrating that a service provider ensures an adequate level of data protection,” contrary to an Article 29 Working Party opinion released last year. One expert suggests the ITA has “not recognized some regulatory burdens facing some clients of U.S. cloud providers.” [Out-Law.com] [Source]

US – FTC Urges States to Look at Data Brokers

In a speech to the National Association of Attorneys General, FTC Commissioner Julie Brill urged states to be more active in investigating data brokers for contravening the Fair Credit Reporting Act. The FTC recently sent out letters warning companies that compile data on individuals’ rental histories. [Lexology]

US – FTC Seeks Input on “Internet of Things”

The FTC is seeking input from the public through June 1 concerning the privacy implications of the “Internet of Things.” The term describes the ability of cars, appliances and medical devices to communicate with each other and people. Ahead of a public workshop to be held in November, the FTC aims to determine how privacy will be balanced with the benefits of such technology, among other concerns. FTC staff seeks input on the privacy and security implications of these developments. 

  • What are the significant developments in services and products that make use of this connectivity?
  • What are the various technologies that enable this connectivity?
  • What types of companies make up the smart ecosystem?
  • What are the current and future uses of smart technology?
  • How can consumers benefit from the technology?
  • What are the unique privacy and security concerns associated with smart technology and its data? For example, how can companies implement security patching for smart devices? What steps can be taken to prevent smart devices from becoming targets of or vectors for malware or adware?
  • How should privacy risks be weighed against potential societal benefits, such as the ability to generate better data to improve health-care decision making or to promote energy efficiency? Can and should de-identified data from smart devices be used for these purposes, and if so, under what circumstances? [FTC Press Release]

Law Enforcement

US – Apple, AT&T and Verizon Receive Lowest Marks in EFF Privacy Report

In its annual review of tech companies’ sharing of user data with law enforcement and government, the Electronic Frontier Foundation (EFF) says companies have improved markedly since last year, but the results may still be “sobering.” The EFF grades companies on six categories, including whether they require a warrant to share data, inform users of requests and publish transparency reports. “When you use the Internet, you entrust your conversations, thoughts, experiences, locations, photos and more to companies like Google, AT&T and Facebook,” the EFF wrote. “But what do these companies do when the government demands your private information? Do they stand with you? Do they let you know what’s going on?” [San Francisco Chronicle]

US – Industry, Scholars Back Drone Innovation

The Association for Unmanned Vehicle Systems International has written a letter to Google Executive Chairman Eric Schmidt expressing concerns “that such an influential tech industry executive” would support bottling up a “promising technology.” Schmidt recently expressed concerns about drones. Meanwhile, an op-ed for Wired makes the case for why Americans should not be afraid of drones. George Mason University researchers Eli Dourado, Adam Thierer and Jerry Brito, in a Federal Aviation Administration filing, argue that constraining commercial drones to strict privacy policy requirements is “unwise and premature.” Dourado writes, “It’s true that opening up U.S. airspace…will have some important privacy implications to consider. But it’s even more important that we consider the effect of too-early, heavy-handed regulation on future innovation.” [Bloomberg Businessweek]

US – SCOTUS: Warrant Needed for DUI Testing

The Supreme Court has ruled that in most cases police need to try to obtain a search warrant prior to ordering blood tests for suspected drunk drivers. The court sided with the defense in Missouri v. McNeely, which argued that taking the defendant’s blood without his consent or a warrant violated his Fourth Amendment rights. Justice Sonia Sotomayor wrote that natural dissipation of alcohol in the blood is not generally a sufficient reason to dispense with the warrant requirement. The court did not offer guidance on when police may obtain a blood sample without a warrant, but the report states Justice Anthony Kennedy said an upcoming case may give the court an opportunity to say more. [NPR]

Offshore / Cloud Computing

WW – Former Hosting Provider Employee Allegedly Placed Backdoors on 2,700 Servers

A man who was once employed by hosting provider Hostgator has been arrested and charged with breach of computer security. Eric Gunnar Gisse worked as an administrator at Hostgator from September 2011 through February 15, 2012. He allegedly installed backdoors on more than 2,700 company servers. The day after Gisse was dismissed from his position, officials at Hostgator detected the backdoor application that he had installed. The backdoor was disguised to look like a Unix administration tool. [ArsTechnica]

Online Privacy

WW – Do Not Track Framework Doc Stirs Controversy Ahead of W3C Meeting

There are rumblings within the World Wide Web Consortium (W3C) leading up to next week’s Do-Not-Track (DNT) meeting after a document was distributed among members “rendering the meeting practically moot.” The “Draft Framework for DNT Discussions Leading Up to Face-to-Face” has been called a “framework,” but privacy groups have called it a “proposal” from the Digital Advertising Alliance (DAA). According to the document, DNT would be off by default. W3C Co-Chair Peter Swire said, “As the name states, it is a framework for discussion, to help frame a possible agenda for next week’s face-to-face meeting in California.” DAA Counsel Stu Ingis said the document is the result of input from the DAA, consumer groups and other stakeholders. “It’s hard for stuff to happen if there’s no agenda,” said Ingis, adding, “There are a lot of cats to herd.” [AdWeek]

US – CA Lawmaker Proposes DNT Honesty-Checker

California Assemblyman Al Muratsuchi (D-66th District) has proposed a bill requiring website operators to disclose whether their sites honor consumer requests to disable tracking and if they do not allow third-party tracking of site users. Author Mathew Schwartz calls the bill “a rare note of clarity” in the Do-Not-Track (DNT) debates. Industry efforts stalled last November, causing some members of the Senate Commerce Committee to question their commitment to the initiative. Sen. Jay Rockefeller (D-WV) is pushing for legislation that includes DNT, but not everyone agrees this is the best solution. George Mason University Researcher Adam Thierer says working to educate people while “pushing for greater transparency about online data collection practices” is the right course. [Information Week]

WW – Given “Doxing,” Hackers Need Not Apply

Media reports on the practice of “doxing,” or document tracing. Recently, celebrities have been at the practice’s mercy; Microsoft CEO Bill Gates was recently outed online for having an outstanding debt on his credit card, for example. But doxing data isn’t produced via hacking; it’s “either already public or accessible by, for example, paying an online people-finding service to get a Social Security number and then running a credit check,” the report states. Data is also gleaned from social media sites. One human rights advocate says posting online has widespread implications. “There’s nothing you can do in the electronic world that your boss can’t find and you can’t be fired for,” he said. [NBC News]

US – Sen. Rockefeller On Do-Not-Track, Data Brokers

The data marketing trail is often mysterious and one U.S. senator is working to ensure consumers have legal protections to opt out and correct personal information amassed by data brokers and other online third parties. The range of ways companies gather consumer data—from sweepstakes to online surveys—makes it difficult for users to correct errors in their marketing profiles, the report states. Sen. Jay Rockefeller (D-WV), who recently led a contentious hearing on the current status of Do Not Track, said, “People have the right to be private insofar as it’s possible in the modern world,” though he acknowledged that Do-Not-Track legislation does not address the bigger issue of consumer data collection by data brokers. [The New York Times]

WW – Ramirez: Functioning DNT System “Long Overdue”

In a speech to the advertising industry this week, Federal Trade Commission Chairwoman Edith Ramirez impelled the industry to work with the World Wide Web Consortium to develop a browser-based Do-Not-Track standard. Ramirez’s position surprised attendees by implying that the Digital Advertising Alliance’s (DAA) self-regulatory program doesn’t suffice and championing cookie-blocking initiatives by Mozilla and Microsoft. DAA Counsel Stu Ingis reacted saying, “We keep getting demagogued by the FTC…The DAA’s program covers 100% of the advertising ecosystem,” adding, “The problems have been caused by two browser companies.” Sen. John (Jay) Rockefeller (D-WV) is also pushing for Do-Not-Track and has scheduled a hearing on the issue next Wednesday. [AdWeek]

WW – Flaw in Adobe Reader Tracks Documents

A vulnerability in Adobe Reader could be exploited to track PDF files’ movements. The flaw discloses when and where PDF files are opened and affects all versions of Adobe Reader, including the most recent update (Reader XI 11.0.2). McAfee Labs discovered the flaw and has not provided details because Adobe has not yet released a fix. McAfee also noted that it has detected in-the-wild attacks that exploit the flaw. [ComputerWorld] [v3.co.uk] [SCMagazine]

Other Jurisdictions

US – White House Shifts Stance; FBI Driving Wiretap Bill

The Obama administration is changing its position on the path to creating a critical cybersecurity infrastructure from mandatory standards to a more voluntary approach lined with compliance incentives for private companies. White House Cybersecurity Coordinator Michael Daniel said, “This is a huge focus for my office right now—driving forward and staying on track with the executive order.” The National Association of Federal Credit Unions has urged the Senate to consider cybersecurity legislation. The Post also reports on a government task force crafting legislation “that would pressure companies such as Facebook and Google to enable (FBI) officials to intercept online communications as they occur.” The Center for Democracy & Technology’s Greg Nojeim said the bill is a “non-starter” and added, “They might as well call it the Cyber Insecurity and Anti-Employment Act.” [The Washington Post] [Washington Post: Bringing Wiretap Laws Into the Digital Age]

AU – Privacy Week Sees Calls to Prepare for Changes

At the launch of the Office of the Australian Information Commissioner’s (OAIC) Privacy Awareness Week, Privacy Commissioner Timothy Pilgrim and Australian Attorney-General Mark Dreyfus cautioned businesses to prepare for impending privacy reforms. “Now is the time to change existing systems and practices…The sooner these changes are embedded, the easier it will be to comply with the new measures in March 2014,” Dreyfus said. The OAIC has released guidance to help covered entities better protect personal information. While not binding, Pilgrim said the guidelines send a “clear message about my expectations in this area.” A survey commissioned by McAfee found that 59% of employees responsible for managing customers’ personal information were unaware or unsure of the changes. [ZDNet] [Pilgrim: Build privacy into your systems or risk penalties]

Privacy (US)

US – Posner: Privacy Laws Have Little Social Benefit

“There is a tendency to exaggerate the social value of privacy,” writes Judge Richard Posner of the U.S. Court of Appeals for the Seventh Circuit and a senior lecturer with the University of Chicago Law School. Against the backdrop of the Boston Marathon bombings, Posner discusses the balance between privacy and security, asserting that privacy laws don’t “confer social benefits comparable to those of methods of surveillance that are effective against criminal and especially terrorist assaults.” Posner says critics of surveillance ignore deterrence, and while acknowledging issues surrounding government surveillance of digital information, says surveillance technologies are “also used by our enemies. We must keep up.” [New York Daily News]

Privacy Enhancing Technologies (PETs)

US – Start-Up Lets Users Track Who Tracks Them

A start-up based in Palo Alto, Calif., Disconnect, which helps you track who is tracking you online, this week released its latest tool to help safeguard your browsing history. Its new browser extension works on Chrome and Firefox browsers and is meant to block an invisible network of around 2,000 separate tracking companies. The new Disconnect filter is part of an emerging crop of privacy tools aimed at tech-savvy consumers who want to protect personal data online. Most of these companies – Abine and Ghostery are others – offer at least a basic version of their product free and charge for more advanced versions. Disconnect is offering its filter on a sliding scale. [Source]

RFID

US – Student Attendance Program Raises Concerns

A pilot program in Georgia designed to track children on their way to school using Radio Frequency Identification (RFID) technology is raising concerns among some privacy advocates. The pilot program was announced by East Coast Diversified, a company that specializes in “student transportation and class attendance management systems.” Andrej Jeremic, director of marketing and business development for the company, said, “We don’t track students…We watch for anomalies.” A similar program has been scrutinized in Texas. A representative from the Electronic Privacy Information Center said, “What you’re doing is telling kids it’s normal to be tracked.” [International Business News] SEE ALSO: [RFID Helps Make Marriage Special]

CA – Smartphones Easily Skim Credit Card Information: CBC Investigation

A technology designed to make it easier to pay with your credit card may be putting Canadians at risk of fraud and identity theft, say security experts. Many new credit and debit cards come with chips that allow customers to tap the card to make a purchase. The chips are read by payment machines, used in many retail outlets, and are supposed to be a safe and convenient way to pay for goods. But the chips can also be read with a device millions of Canadians carry with them every day: a smartphone. Using a Samsung Galaxy S3 — one of the most popular smartphones available in Canada — and a free app downloaded from the Google Play store, CBC News was able to read information such as a card number, expiry date and cardholder name simply by holding the smartphone over a credit or debit card. The information could be read through wallets, pockets and purses. Google did not comment on the apps used by CBC in its investigation, but said in an email it would remove any app that violated Google’s developer distribution agreement or content policies. However, the apps tested by CBC were still available following Google’s comments. [Source]

Security

US – NIST Releases “Major Revision” of SP 800-53, Emphasizes Privacy

In what the National Institute of Standards and Technology describes as its most significant revision of the U.S. federal government’s foundational computer security guide since it was first released in 2005, eight new families of privacy controls, based on the internationally accepted Fair Information Practice Principles, have been added. Security and Privacy Controls for Federal Information Systems and Organizations, known generally as SP 800-53, now includes an Appendix J, the Privacy Control Catalog, and the name of the document as a whole now has “privacy” in it for the first time. [NIST]

WW – Study Says Home Routers Vulnerable to Attacks

Many widely used home routers are easy to hack into, according to a study by a company called Independent Security Evaluators. The test found that 13 of the most popular home routers had easily and remotely exploitable vulnerabilities that could be used to snoop on or modify network traffic. All of the routers tested were running the most recent firmware and were tested in their out-of-the-box default configurations. [CNet] [ComputerWorld]

WW – Reputation.com Hit by Security Breach

Reputation.com, a company whose business it is to manage its customers’ online reputations, has acknowledged that it suffered a data security breach. The company has sent email notifications to its customers. The compromised information includes names, email and physical addresses, and employment information. Some customers’ encrypted user passwords were compromised as well. The company reset user passwords. Experts note that users should not be reassured by companies’ assertions that salted passwords are unlikely to be cracked. Cracking techniques are improving, and salting does not hinder the cracking of any single password, so if it is a particularly valuable password, the time spent cracking it is well spent. [SC Magazine] [LA Times] [ArsTechnica]
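The experts’ point about salting is easy to verify. The following is an added example, not code from the article or from any of the cited sources; the wordlist, the three accounts and their passwords are constructed, and the salted and unsalted stores are built with plain SHA-256 so the hash counts are the only thing that differs. A per-user salt stops an attacker from reusing one precomputed table across every account, so the work grows with the number of accounts; for one account the guess count is identical with or without a salt. The last two functions show what does raise the cost of each guess: a deliberately slow password hash (PBKDF2-HMAC-SHA256 here), which multiplies the attacker’s work by the iteration count.

```python
import hashlib
import os
from typing import Dict, Optional, Tuple

# Constructed sample data (not from the article): a tiny wordlist and three
# accounts whose passwords all appear in it, so every account is recoverable.
WORDLIST = ["password", "letmein", "hunter2", "qwerty123", "correcthorse"]
ACCOUNTS = {"alice": "hunter2", "bob": "password", "carol": "correcthorse"}

Record = Tuple[Optional[bytes], str]  # (salt or None, hex digest)


def hash_unsalted(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_db(salted: bool) -> Dict[str, Record]:
    """Build a credential store; salts are random and unique per user."""
    db: Dict[str, Record] = {}
    for user, pw in ACCOUNTS.items():
        if salted:
            salt = os.urandom(16)
            db[user] = (salt, hash_salted(pw, salt))
        else:
            db[user] = (None, hash_unsalted(pw))
    return db


def dictionary_attack(db: Dict[str, Record]) -> Tuple[Dict[str, str], int]:
    """Try every wordlist entry against every record.

    Returns (recovered passwords, number of hash computations). With no salt,
    one table of len(WORDLIST) hashes is computed once and reused for every
    account; with per-user salts that table cannot be shared, so each account
    costs its own len(WORDLIST) hashes. For a single account the cost is the
    same either way: the salt adds nothing to the work of guessing one password.
    """
    recovered: Dict[str, str] = {}
    hashes = 0
    shared_table: Dict[str, str] = {}
    for user, (salt, digest) in db.items():
        if salt is None:
            if not shared_table:  # built once, reused for every unsalted record
                shared_table = {hash_unsalted(w): w for w in WORDLIST}
                hashes += len(WORDLIST)
            if digest in shared_table:
                recovered[user] = shared_table[digest]
        else:
            for w in WORDLIST:  # must be recomputed under this user's salt
                hashes += 1
                if hash_salted(w, salt) == digest:
                    recovered[user] = w
    return recovered, hashes


def make_db_pbkdf2(iterations: int) -> Dict[str, Record]:
    """Same store, but with a deliberately slow, salted hash (PBKDF2-HMAC-SHA256)."""
    db: Dict[str, Record] = {}
    for user, pw in ACCOUNTS.items():
        salt = os.urandom(16)
        db[user] = (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations).hex())
    return db


def dictionary_attack_pbkdf2(db: Dict[str, Record], iterations: int) -> Tuple[Dict[str, str], int]:
    """Returns (recovered passwords, underlying HMAC invocations).

    Every guess now costs `iterations` primitive calls; that per-guess cost,
    not the salt, is what makes a single valuable password expensive to crack.
    """
    recovered: Dict[str, str] = {}
    guesses = 0
    for user, (salt, digest) in db.items():
        for w in WORDLIST:
            guesses += 1
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations).hex() == digest:
                recovered[user] = w
    return recovered, guesses * iterations


if __name__ == "__main__":
    _, n_plain = dictionary_attack(make_db(False))
    salted_db = make_db(True)
    _, n_salt = dictionary_attack(salted_db)
    _, n_one = dictionary_attack({"alice": salted_db["alice"]})
    _, n_slow = dictionary_attack_pbkdf2(make_db_pbkdf2(10_000), 10_000)
    print(f"unsalted, all accounts: {n_plain} hashes")
    print(f"salted, all accounts:   {n_salt} hashes")
    print(f"salted, one account:    {n_one} hashes (same as unsalted)")
    print(f"PBKDF2, all accounts:   {n_slow} HMAC calls")
```

Read the counts as a ratio, not as absolute effort: the wordlist has five entries, so the three-account salted store costs 15 hashes against 5 for the unsalted one, while attacking one account costs 5 either way. Only the PBKDF2 store changes the per-guess price, which is why breach notices should be judged on the hashing algorithm and its work factor rather than on the presence of a salt.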

WW – Targeted Cyberattacks Jump 42% in 2012, Symantec Says

Internet users are seeing less spam but more targeted attacks, according to security software company Symantec. Looking at last year’s security landscape, Symantec’s Internet Security Threat Report 2013 found that traditional spam accounted for 69% of all e-mail in 2012, down from 75% in 2011. Yet 30 billion spam messages are still sent on a daily basis. Junk e-mails that hawk sex or dating products and services now account for 55% of all spam, taking the top spot away from pharmaceutical spam. Malware is also part of one out of every 291 e-mail messages, with 23% of those malware-carrying messages offering links to malicious Web sites. Around 247,350 malware attacks were blocked every day in 2012, according to Symantec, a 30% jump over 2011. Last year also saw a 42% rise in the number of targeted attacks, averaging around 116 per day, triggering a comparable increase in data theft and acts of industrial espionage. Small businesses with fewer than 250 employees were fingered in 31% of those attacks in 2012. Symantec believes smaller businesses are targeted because many of them don’t have the stronger security employed by larger firms. More cybercriminals are using a special type of targeted cyberattack known as a “watering hole attack,” Symantec noted. The attackers infect a Web site that their targeted victims are apt to visit, exposing the victims to malware as soon as they access the site. Mobile malware attacks grew by 58% last year, compared with 2011, according to the report. Apple’s iOS was hit by 387 vulnerabilities, much higher than the 13 recorded for Android. Yet Google’s mobile OS accounts for a greater percentage of threats due to its larger market share, open platform, and multiple app distribution methods, Symantec said. Symantec’s Internet Security Threat Report 2013 captured information from more than 69 million attack sensors across 157 different countries. [Source]

Surveillance

CA – Researcher: Internet of Things Is “Bit of a Wild West”

The growth of Internet-connected devices is known as “the Internet of Things”—washing machines, overhead lights, smart scales and more that can all be controlled by owners’ mobile devices. The Organisation for Economic Co-operation and Development estimates the average household with two teenagers will own around 50 Internet-connected devices by 2022. “The vast majority of the future devices of this type don’t exist today,” says Stephen Prentice of Gartner. “If you can measure it, then someone is going to have a device to do that and someone will find a use for that data.” Prentice cautions that the regulatory environment isn’t keeping pace with technology, saying, “At the moment, it’s a case of buyer beware.” [The Globe and Mail] SEE ALSO: [Opinion – The Internet of Things and a Balanced Approach to Regulatory Intervention] and [2012 EU Public Consultation] AND [Indirectly connected to The Internet of Things]

US – Judge Denies FBI Permission to Install Software on Suspect’s Computer

The FBI may not install specialized surveillance software on a suspect’s computer, according to a ruling from a federal magistrate judge. Judge Stephen Smith said that the order requested by the FBI was too broad and too invasive. The FBI had sought permission to install specialized software on a computer used by the suspect; the software “has the capacity to search the computer’s hard drive, random access memory, and other storage media; to activate the computer’s … camera; to generate [location] data for the device; and to transmit the extracted data to FBI agents.” The judge also took the FBI to task for failing to specify how the operation would be certain to target the suspect and no one else. [ArsTechnica] [ComputerWorld]

WW – Technology Aids Investigations, But at What Cost?

In the aftermath of the Boston Marathon bombings, experts are examining the use of video surveillance and analysis to solve crimes. While technological advances and government use of surveillance enables faster identification and tracking of individuals, the debate over how to balance privacy rights with the needs of authorities continues. Some are concerned that data collected for one investigation—or even for an entirely different purpose, like applying for a license—will be retained and used in unrelated investigations. Some European regulators have expressed discomfort with the level of surveillance in the U.S. “Surveillance doesn’t give more security. That’s our experience,” said Schleswig-Holstein Data Protection Commissioner Thilo Weichert. [The Wall Street Journal]

UK – Group Challenges Gov’t Over Spyware Investigation

Human rights group Privacy International has announced it is challenging the British government for unlawful conduct during an investigation into the export of surveillance tool FinFisher. The tool is designed to monitor communications and collect hard drive data and is capable of conducting live surveillance via webcams. Privacy International says Her Majesty’s Revenue and Customs (HMRC) illegally declined to provide information related to its investigation of the technology’s shipment to countries with “poor human rights records.” The group has filed a judicial review application at the High Court in London. If the legal action is successful, “it could set a precedent for other cases in the UK.” [Slate]

US – DOJ Granted Immunity to ISPs Participating in Threat Monitoring Program

According to documents obtained by the Electronic Privacy Information Center (EPIC) through a Freedom of Information Act (FOIA) request, the US Justice Department granted some Internet service providers (ISPs) immunity from prosecution for their participation in a communications monitoring and interception program. The program, originally known as the Defense Industrial Base Cyber Pilot project, was designed to monitor traffic for indicators of cyberthreats and use the information to help protect systems from cyberattacks. Participation was initially limited to certain defense contractors and their ISPs, but has since been expanded to include all sectors of critical infrastructure. The DOJ provided the ISPs with “2511 letters,” granting them immunity for the monitoring activity. [CNet] [WIRED]

US Government Programs

US – Foreign Intelligence Surveillance Court Approved All Requests in 2012

The US Justice Department sent a report to Senate Majority Leader Harry Reid (D-Nevada) detailing certain activity of the Foreign Intelligence Surveillance Court. In 2012, the court approved every request it received to authorize physical searches or surveillance of people within the US “for foreign intelligence purposes.” There were 1,856 requests in all. [WIRED] [WIRED]

US Legislation

US – Rockefeller: Ad Industry ‘Dragging Its Feet’ On Do-Not-Track

Senate Commerce Committee Chairman Jay Rockefeller (D-WV) had blunt words for the online advertising industry at a hearing on Do-Not-Track (DNT) legislation yesterday. “There’s a broad feeling that the advertisers and data brokers are just dragging their feet,” he said, adding, “And I believe they’re doing it purposely.” In his call for DNT legislation, Rockefeller said he doesn’t believe “companies with business models based on the collection and monetization of personal information will voluntarily stop those practices if it negatively impacts their profit margins.” Digital Advertising Alliance Managing Director Lou Mastria said the previous DNT agreement was “short-circuited” by recent privacy decisions by at least two browser-makers. In a column for Wired, W3C Co-Chair Peter Swire warned of a looming “digital arms race” that could have damaging effects for everyone involved. The solution? “The same way we defuse any other arms race,” Swire wrote, “through negotiation.” [MediaPost]

US – Officials: Privacy Concerns Will Kill CISPA

“The Senate will almost certainly kill a controversial cybersecurity bill, recently passed by the House,” due to privacy concerns, ZDNet reports, citing a Senate committee aide. Senate Committee on Commerce, Science and Transportation Chairman Jay Rockefeller (D-WV) has said the privacy protections in the Cyber Intelligence Sharing and Protection Act (CISPA) are “insufficient,” the report states, noting the White House has also said President Barack Obama will not sign the bill. The House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies heard testimony from privacy experts including Mary Ellen Callahan, CIPP/US, and Harriet Pearson, CIPP/US. Meanwhile, the Department of Homeland Security is also preparing to “deploy a more powerful version” of its EINSTEIN intrusion-detection system, but Computerworld reports its deep packet inspection technology is raising “serious privacy concerns.” [ZDNet]

US – House Passes CISPA

The U.S. House of Representatives Thursday passed a version of the Cyber Intelligence Sharing and Protection Act (CISPA). The bill aims to encourage the sharing of threat data between the government and private sector. President Barack Obama earlier this week threatened to veto CISPA if it did not include stronger privacy protections. CISPA co-sponsor Rep. Mike Rogers (R-MI) said, “Our goal is to get the Senate to pass a bill…We’d love to get a bill in conference.” An amendment proposed by Rep. Alan Grayson (D-FL) that would have required law enforcement to secure a “warrant obtained in accordance with the Fourth Amendment” prior to searching databases for criminal wrongdoing was not included in the bill. [The Washington Post] [White House Issues Formal CISPA Veto Threat]

US – Advocates Ask FTC to Not Delay COPPA

In response to an industry-backed letter asking the Federal Trade Commission (FTC) to postpone implementation of new COPPA rules for six months, privacy groups on Tuesday urged FTC Chairwoman Edith Ramirez not to delay. Signed by 19 privacy groups, including Common Sense Media and the Electronic Privacy Information Center, the letter to Ramirez said the delay is “unwarranted” and would harm children and “undermine the goals of both Congress and the FTC.” COPPA updates are slated to go into effect on July 1. [AdWeek]

US – FTC Releases COPPA FAQs

The Federal Trade Commission (FTC) has issued Frequently Asked Questions (FAQs) to help clarify changes to the Children’s Online Privacy Protection Act (COPPA) that go into effect on July 1. The FAQs cover enforcement, privacy policies and notifications, geolocation data, verifiable parental consent and COPPA in schools, the report states. The FAQ also includes a list of things that covered entities must do, like post a comprehensive privacy policy, provide direct notice to parents and offer parents the ability to prevent further use or collection of their children’s data. [Forbes]

US – Senate Judiciary Passes ECPA Reform

In a unanimous vote, the Senate Judiciary Committee yesterday passed reforms to the Electronic Communications Privacy Act (ECPA). Called the ECPA Amendments Act, the update would require law enforcement to obtain a warrant prior to accessing a user’s private online content. “After years of work on ECPA reform, the time has come for Congress to enact these common-sense privacy reforms,” Sen. Patrick Leahy (D-VT) said. The Center for Democracy & Technology praised the reform. “With the vote today,” CDT Senior Counsel Greg Nojeim wrote, “Congress took a huge step toward finally updating ECPA to ensure e-mails and documents we store in the cloud receive the same Fourth Amendment protections as postal mail and documents we store in desk drawers in our homes.” [The Verge]

US – Sen. Grassley Signals ECPA Reform Support

Sen. Chuck Grassley (R-IA) signaled support for reforms to the Electronic Communications Privacy Act (ECPA). “I would anticipate this year that there wouldn’t be any problem getting (the bill) out at whatever meeting you want to bring it up,” Grassley told Senate Judiciary Chairman Patrick Leahy (D-VT) at a meeting this week. Leahy said he will bring the “e-mail privacy bill” to a vote at the next committee meeting. “I have long believed that our government should obtain a search warrant—issued by a court—before gaining access to private communications,” Leahy said. [The Hill]

Workplace Privacy

US – Does HIPAA Prevent Background Check Compliance?

The Office for Civil Rights has issued an advance notice of proposed rulemaking to address concerns that in some states the HIPAA Privacy Rule may prevent states from “reporting the identities of individuals subject to the mental health prohibitor” to the National Instant Criminal Background Check System (NICS). The notice is an effort to get public input on ways to address these barriers, adding, “In particular, we are considering creating an express permission in the HIPAA rules for reporting the relevant information to the NICS…” [Examiner.com]

US – Wall Street Takes On State Employee Laws

An “unlikely alliance of regulators and industry groups” is seeking to “carve out exemptions” in a slew of proposed state laws barring employers from accessing the social media accounts of employees or applicants. The Financial Industry Regulatory Authority (FINRA) has stated that financial institutions need an avenue to check “red flags” on personal account misuse. The proposed state laws, FINRA argues, could put investors at risk, the report states. FINRA has reached out to lawmakers in approximately 10 states, asking them to include changes to proposed employee privacy legislation. California lawmakers—in whose state the employee privacy law has already gone into effect—”rebuffed requests” by FINRA and other industry groups to include exemptions. Wisconsin is currently considering similar employee legislation. [The Wall Street Journal]

WW – Analyzing Employee Behavior To Inform HR

An emerging field known as workforce science is using Big Data to analyze worker behavior and apply it to human resource management. The field aggregates and analyzes patterns in employees’ digital history as well as personality-based assessments to guide hiring, firing and promotions, raising some questions about worker surveillance, the report states. “The larger problem here is that all these workplace metrics are being collected when you as a worker are essentially behind a one-way mirror,” says Marc Rotenberg of the Electronic Privacy Information Center. [The New York Times] [Additional Reading]

+++
