16-31 May 2013

Canada

CA – Stoddart: PIPEDA Reform, Enforcement Powers Needed

Privacy Commissioner Jennifer Stoddart, wrapping up 10 years in her office this year, used her keynote address at the IAPP Canada Privacy Symposium in Toronto to lay out her recommendations for reforming the Personal Information Protection and Electronic Documents Act. In short, amendments should include stronger enforcement powers, mandatory data breach reporting, teeth behind accountability and increased transparency measures. [Source] [Canada’s privacy laws inadequate for digital age, watchdog says] See also: [Commissioner Cavoukian marks 25 years of innovative access and privacy leadership in Ontario] and [Ontario power plant cancellations: Information watchdog Ann Cavoukian scolds Liberals for deleting emails]

CA – Government Went Too Far in Surveillance of First Nations Advocate: Report

The federal privacy commissioner says two government departments went too far in their monitoring of a First Nations children’s advocate and her personal Facebook page. Commissioner Jennifer Stoddart was looking into a complaint from activist Cindy Blackstock, executive director of an organization fighting the federal government in court over First Nations child welfare programs. Stoddart says the Department of Aboriginal Affairs and the Department of Justice violated the spirit, if not the intent, of the Privacy Act by compiling information from Blackstock’s personal Facebook page. Both departments have agreed to cease and desist their monitoring, destroy personal information not directly linked to federal policy, and set up a new system to make sure such surveillance does not happen again. The privacy commissioner found no merit to two other privacy complaints from Blackstock. [Source] See also: [Jeffrey Delisle case: CSIS secretly watched spy, held file back from RCMP]

CA – Top Court Won’t Hear Case For Sperm-Donor Dad’s ID

The Supreme Court of Canada will not hear an appeal from a woman who wanted to know the identity of her sperm-donor father. The appeal court said she has no constitutional right to information about her biological father. The court said providing such information would amount to state intrusion into the lives of many people. As usual in such decisions, the Supreme Court gave no reasons for refusing to hear the appeal. [Source]

CA – Security Breach Legislation Suffers Another Setback

The Harper government’s opposition to a private member’s bill calling for mandatory security breach notification is embarrassing, says privacy expert Michael Geist. It has been nearly two years since the government introduced Bill C-12, its proposed legislation featuring security breach disclosure notification, and it looks like legislators are nowhere near coming up with a meaningful reform of the country’s online privacy law, according to the Ottawa-based Internet law expert. Conservative MPs in the House of Commons last week opposed a security breach disclosure bill (Bill C-475) introduced by New Democratic Party MP Charmaine Borg even though it was “roughly similar” to their party’s own Bill C-12. “The opposition to meaningful privacy reform is particularly discouraging given the thousands of breaches that have occurred in recent years from within the government itself and its claim to be concerned with the privacy of Canadians,” he wrote in a blog this week. Both Borg’s Bill C-475 and the Conservatives’ Bill C-12 include requirements to notify the Privacy Commissioner of Canada in the event organizations suffer certain security breaches. [Source]

CA – Online Surveillance Bill Would Have Unlocked Personal Secrets: Report

The Canadian Press reports on a new study by the Office of Privacy Commissioner Jennifer Stoddart indicating that a bill that would have given police more information about Internet users would have “unlocked numerous revealing personal details.” The report found that the online surveillance bill would have acted as “a digital key” to an individual’s details, Stoddart said, adding, “In general, the findings lead to the conclusion that, unlike simple phonebook information, the elements examined can be used to develop very detailed portraits of individuals, providing insight into one’s activities, tastes, leanings and lives.” The government dropped the bill earlier this year following widespread criticism. [Source]

CA – SK Commissioner Concerned About Securities Amendment Act

Saskatchewan’s information and privacy commissioner, Gary Dickson, says he remains concerned that a bill passed by the provincial government this spring (Bill 65, The Securities Amendment Act, 2012) creates a new right of privacy for corporations. “Privacy law 101 — just a key foundational principle — is that privacy is uniquely the right of an individual. Corporations cannot have a right of privacy. And yet the bill that’s just been passed in fact indicates that corporations do have a right of privacy.” Dickson says the bill “specifically carves certain records out from the scope of the Freedom of Information and Protection of Privacy Act” and the issue could lead to confusion around privacy law in the province. He also speculated that the change “could be exploited” and corporations could now argue that they have a right of privacy. Dickson says his office was never consulted about Bill 65, but has been raising red flags about it since March. He expected a House amendment would address the issues he raised. Instead, his concerns were dismissed — he believes incorrectly — when the bill reached the committee stage. [Source]

Consumer

US – How Data Access May Improve Consumer Confidence

Even as mobile carriers, household energy suppliers and others collect ever more data, consumers have difficulty accessing their own personal data. “Never mind all the hoopla about the presumed benefits of an ‘open data’ society,” the article states, “In our day-to-day lives, many of us are being kept in the data dark.” Future of Privacy Forum Director Jules Polonetsky, CIPP/US, said consumers may feel more comfortable about having their personal data mined if businesses demonstrate direct consumer benefits arising from collection. [The New York Times]

US – Teens Post More but Manage Privacy Settings

A new Pew Research Center survey indicates that teens are posting more about themselves on social networking sites but are also taking formal and informal steps to manage their online privacy and reputation. The research canvassed 802 individuals between ages 12 and 17 and their parents. 60% of Facebook users used the highest privacy setting while 14% said their Facebook pages are public. ConnectSafely.org Co-director Larry Magid said, “The idea that young people will post anything is not true” and many are “thinking about whether this is something I’d want my grandmother, a college administrator, an employer or a future boyfriend or girlfriend to see.” [USA TODAY]

US – States Drop Out of Tracking Database

Officials in several states are backing away from a $100 million database intended to track students from kindergarten through high school. The database was launched this spring and stores student data including test scores, learning disabilities and discipline records. But parents and civil liberties groups have raised concerns about potential privacy breaches. Louisiana’s superintendent of education withdrew student data from the database in April and plans to hold public hearings on data retention and security. New York, Illinois and Colorado are active participants. The mother of a 10-year-old public school student said the thought of her son’s medical treatments being stored on the cloud indefinitely “feels like such a violation.” [Reuters]

US – Do College Kids Care About Privacy?

USA TODAY explores whether college students are concerned about the personal information businesses access about them as online games, streaming services and social networking sites increasingly give third parties access to the online data they’ve collected. Woody Hartzog, assistant law professor at Alabama’s Samford University, said, “Young people don’t think about privacy of information to third parties. When they get older, it becomes more real. It largely stems from young people not thinking about their information being given to third parties, and maybe not caring.” [Source] [PEW Internet Study]

WW – Teenagers Care More About Online Privacy Than You Think

New research by the Pew Research Center and the Berkman Center for Internet & Society reveals that teens are surprisingly shrewd about protecting their personal data on social networks. The joint paper found that teenagers are sharing more and more personal information online: 91% of teenagers post at least one photo of themselves (up from 79% in 2006), while 71% post their school name (up from 49%), 53% post their email address (up from 29%), and 20% post their cell phone number (up from 2%). At the same time, teenagers are more and more cautious about who sees this information: about 60% of teen Facebook users set their profiles to private (friends only), and most report high levels of confidence in their ability to manage their settings. Today’s teenagers are, in the eyes of Pew, walking contradictions, increasingly open despite their understanding of privacy risks (and mastery of the tools needed to combat them). So what explains the privacy paradox? Teens care about privacy in a social context, not a big data context. [Source]

US – P&G Partners with Eye-Tracking Firm

Procter & Gamble (P&G) has announced a European-based partnership with eye-tracking firm Sticky. The company has been trialing the eye-tracking service and making decisions to cancel ads that aren’t getting seen. “Applying Sticky’s tracking to our digital media campaigns will help us to optimize and increase our ROI on digital marketing investments in some campaigns up to 25%,” said P&G’s head of digital. Sticky uses webcams to record eye movements from page to page. [Adweek]

E-Government

US – IRS Probe Brings Section 6103 into Limelight

As U.S. lawmakers investigate actions by the Internal Revenue Service (IRS) that may have targeted conservative nonprofit groups, some of the fact-finding is being hampered by Section 6103 of the tax code, which establishes taxpayer privacy rights. Passed by Congress in 1976 after it came to light that Richard Nixon wanted to audit his political opponents, 6103 creates a presumption that taxpayer information is private unless it is needed for a specific investigation targeted at that individual. In the current probe, since it is the IRS itself that is under investigation, many congressional questions can’t be answered directly by the IRS, as the answers involve private taxpayer information. [Bloomberg]

See also: [US: Data breach puts DHS employees at risk of identity theft]

AU – House Removes Parliamentary Departments from FOI Scrutiny

The Parliamentary Service Amendment (Freedom of Information) Bill 2013 sailed through the Australian House of Representatives in 11 minutes flat. Not a query or concern from any quarter. If they stick together, the two major parties have the numbers to push this through the Senate. The bill amends the Parliamentary Service Act 1999 to remove the parliamentary departments and office holders from the Freedom of Information Act 1982. Completely and retrospectively. The Australian Information Commissioner in 2012 had issued guidance that the departments were agencies subject to FOI, and had been since 1999, something overlooked by all and sundry. [Source]

Electronic Records

US – Hospital Creates Portal to Protect Teens’ Data

In an effort to address concerns over children’s privacy when it comes to their personal health records (PHR), Boston Children’s Hospital (BCH) has developed a custom-built PHR portal with separate accounts for patients and their parents. While children’s PHRs are generally controlled by their parents, teenagers have a right to privacy regarding the information they share with physicians, according to BCH’s Fabienne Bourgeois. “The parent has sole access to the patient’s portal until the patient turns 13, at which point both the parent and the patient can have access,” Bourgeois reports. At 18, access is restricted to the patient. [InformationWeek] See also: [Commissioner Cavoukian Commends Government of Ontario for Clarifying Privacy Rights for Electronic Health Records] and [Ontario Strengthening Patient Privacy] [ON: City’s disciplinary action not protected: privacy commission]

Encryption

US – Magistrate Reverses Ruling, Requires Man to Decrypt Storage Devices

US Magistrate William Callahan Jr. has ordered a Wisconsin man suspected of possessing child pornography to decrypt hard drives that law enforcement authorities seized from his home. In early April, Callahan ruled that to order Jeffrey Feldman to decrypt the devices would be a violation of his Fifth Amendment rights. At that time, prosecutors had been unable to crack the encryption on any of the devices. But since that ruling, prosecutors managed to decrypt a portion of one of the devices and found content linking Feldman to them. So Callahan reversed his order, writing, “the government has now persuaded me that it is a ‘foregone conclusion’ that Feldman has access to and control over the subject storage devices” and that “Fifth Amendment protection is no longer available to” the defendant. Callahan has ordered Feldman to either provide prosecutors with the passwords necessary to decrypt the data storage devices or provide decrypted copies of everything on those drives. [WIRED] [ComputerWorld] [WIRED] SEE ALSO: [Washington Post] [Forbes] [Cryptome]

WW – Google Will Upgrade SSL Encryption Keys

By the end of 2013, Google plans to upgrade all of its SSL certificates to 2048-bit RSA keys, replacing the 1024-bit keys in use today. The change is scheduled to begin in August, and Google plans to upgrade its root certificate as well. Client software embedded in devices such as phones, gaming consoles and cameras could run into problems with the upgrade, in particular software that hard-codes the old root certificate or cannot handle 2048-bit keys; Google has offered advice to help mitigate those issues. [Ars Technica] [h-Online] [ZDNet] [ComputerWorld]

EU Developments

EU – New Data Protection Rules at Risk, EU Watchdog Warns

European Data Protection Supervisor Peter Hustinx highlighted the need to “distinguish the proposal from the rhetoric” in light of the lobbying around the proposed data protection reform. Hustinx addressed the media after delivering his annual report to the European Parliament’s Civil Liberties, Justice and Home Affairs Committee in order to stress the importance of passing the legislation. Failure to do so before the end of Parliament’s tenure would “have serious repercussions in terms of economic development,” said Hustinx. German Rapporteur Jan Philipp Albrecht told EUObserver of his concerns that the EU may end up with weaker legislation than it has now—contravening a 2011 vote to create a law at least as strong as, if not stronger than, the 1995 directive. [EurActiv]

EU – The Regulation, Its Future and Questions on Profiling: A Roundup

A look through EU headlines from the past week yields a consistent theme: the proposed data protection regulation. Reports highlight concerns voiced by European Data Protection Supervisor Peter Hustinx and German Rapporteur Jan Philip Albrecht as well as worries from charitable organizations that the regulation could impact their ability to reach donors. As Field Fisher Waterhouse’s Eduardo Ustaran, CIPP/E, notes in his recent blog on the regulation and the issue of profiling, “The Working Party appears to sit somewhere in the middle between the commission’s proposal and Albrecht’s approach. That is still a very strict position to adopt, clearly aimed at eliminating the perceived risks of profiling…” [The Privacy Advisor] [Euro-deputies diverge on data protection details] [KPMG: 51% of organisations in UK fail to comply with EU cookie law]

EU – DPA Defines Obligations for Data Breaches

Stefano Taglibue reports on the Italian Data Protection Authority’s (Garante) recent decision defining obligations for telephone companies and Internet service providers regarding potential data breaches. Under the definition, providers must notify the Garante of a breach within 24 hours. Fines of up to 100,000 euros may be issued for failure to notify and of up to 1,000 euros per individual involved for failure to communicate the event to those involved, Taglibue writes. [The Privacy Advisor]

EU – Working Party Explains BCRs for Processors

The Article 29 Working Party has issued an explanatory document on Binding Corporate Rules for processors in response to the outsourcing industry’s request for a legal tool that reflects data-transfer practices today. The document includes clarity on such issues as onward transfers, cooperation and legal enforceability. [The Privacy Advisor]

EU – Ireland: Data Subject Told “Prove Your Loss”

The Irish High Court recently decided that for damages to be recoverable by a data subject for breaches of the Data Protection Acts, the data subject must prove that he suffered loss as a result of the breaches. In Michael Collins v FBD Insurance plc, Mr Collins had been awarded damages of €15,000 by the Circuit Court for four breaches of the Data Protection Acts by the defendant insurance company. The breaches arose out of the manner in which a private investigator obtained and processed personal data of the plaintiff, including a criminal conviction, on behalf of the insurance company, and the failure by the insurance company to respond to data access requests in a timely manner. The only question for the High Court was whether, in order for the plaintiff to be entitled to damages for breach of section 7 of the Data Protection Acts, the plaintiff had to prove to the court that he had suffered loss or damage arising from the breaches of the Act; the court held that he did. This case will be of some assistance to data controllers and processors in determining what their exposure will be arising from breaches of the duty of care owed to data subjects under the Data Protection Acts. [Source]

EU – Commissioner Dislikes Xbox’s View Into the Living Room

Germany’s federal data protection commissioner says he’s “unsettled” by Microsoft’s new Xbox One console, unveiled by the company last week. Commissioner Peter Schaar says the box “records all sorts of personal information” that could be transferred to third parties. “The fact that Microsoft is now spying on my living room is just a twisted nightmare,” Schaar said. Microsoft says it is not using the box’s system to “snoop on anybody at all.” [Slate]

EU – In Denmark, Online Tracking of Citizens is an Unwieldy Failure

Five years ago, Denmark passed a law requiring telecommunication companies to retain and store customers’ personal data for up to one year. Now, the telecom industry and advocates are calling for changes to the law, citing “an unjustifiable invasion of privacy.” Police say the law hasn’t helped them track criminals, but the Danish government wishes to delay a review of the law for two years. [TECHPRESIDENT]

EU – Google, Microsoft, Yahoo Secret Backers of European Privacy Association

The European Privacy Association (EPA) has revealed that several U.S.-based tech companies are backers. Last week, the Corporate Europe Observatory (CEO)—a watchdog that “works to expose privileged access in EU policy making”—filed a complaint stating the EPA, while working to represent industry interests in EU data protection reforms, did not list any backers on the EU Transparency Register, the report states. A CEO representative said the group’s name conflicts with its pro-industry stance, creating a “confusing…mismatch.” In a press release, the EPA said, “We are immediately clarifying such discrepancies” to ensure that they’re “in line with the guidelines of the European Union.” [IDG News Service]

UK – Court: Compensation Only if Damages Are Due To Breach of DPA

The England and Wales Court of Appeal recently ruled that businesses “do not have to pay compensation for causing distress to consumers if they break data protection laws unless the distress suffered by consumers is linked to the breach itself.” The ruling stemmed from a customer’s complaint that upon receiving damages from a breach case, the finance company involved placed his settlement in a closed account and entered incorrect information about him in their systems indicating his account was in arrears—which was shared with a credit scoring agency. The customer claimed the company had breached the terms of the district court order and asked the court for further damages, prompting the court’s ruling. [Out-law.com]

UK – Commissioner: Serious Breach Offenders Deserve Prison Time

UK Information Commissioner Christopher Graham says people who misuse personal information should face tougher penalties, including prison time, citing a recent case in which a community health manager took personal data from the health centre to use for his own fitness company. The man e-mailed data on 2,471 patients to his personal account, and soon thereafter patients approached by the man began to complain. The man was fined £3,000 and ordered to pay other legal costs. Graham said the government “must ensure that criminals do not see committing data theft as a victimless crime and worth the risk.” [Public Service]

EU – Garante Issues Fines Totaling 800,000 Euros

The Italian Data Protection Authority (Garante) has issued three orders of injunction against two IT companies—specialized in the data bank sector—and a telecom operator obliging them to pay fines equal to 800,000 euros for violating prescriptive measures already adopted toward them in 2008. “The two companies specialized in the data bank creation had created and sold data banks containing tens of millions of people’s personal data, without having both informed data subjects and acquired their consent,” explains Rocco Panetta. The companies will have to pay fines of 100,000 euros and 400,000 euros, respectively, and the telecom will pay a fine of 300,000 euros. Further orders of injunction are expected against other companies. [The Privacy Advisor]

EU – Facebook Appoints New Privacy Counsel, Gets OK from DPA

Irish Data Protection Commissioner Billy Hawkes says he’s satisfied with the work Facebook has done to meet a four-week deadline to comply with recommendations on improving user privacy. Had the company failed to comply, it would have faced fines of up to 100,000 euros. Following an audit by Hawkes’ office, the company had implemented changes to transparency and user controls, but a number of the office’s recommendations had not been met, prompting the four-week deadline. Facebook has also announced the appointment of a lead data protection and privacy counsel to its Dublin headquarters. [the Independent]

Filtering

UK – ISPs Block Two More Sites Accused of Enabling Piracy

To comply with a court order obtained by the Motion Picture Association (MPA), major UK ISPs have begun blocking two websites that have been accused of allowing downloads of pirated movies. There are now six sites for which industry groups have obtained court orders requiring blocks. The British Phonographic Industry (BPI) has named 25 sites it would like to see blocked for aiding illegal downloads of popular music. [BBC] [CNET]

AU – Australian Government Shuts Down 1,200 Sites in Effort to Target Just One

In an attempt to block a website believed to be associated with a financial scam, the Australian government cut off 1,200 other sites that were unrelated to the targeted site except for the fact that they were hosted on the same IP address. Although the Australian government was not initially forthcoming with information about the source of the block request, it was finally revealed that the sites had been blocked at the request of the Australian Securities and Investments Commission (ASIC), the country’s financial regulator. The block was requested because the site was believed to be in violation of the Telecommunications Act 1997, which obliges service providers “to prevent telecommunications networks and facilities from being used in, or in relation to, the commission of offences against the laws of” Australia. All the other sites were affected because ASIC gave ISPs the IP address of the shared server on which the site was being hosted instead of the suspect site’s specific domain name; on shared hosting, a single address serves many unrelated domains, so a block keyed on the address rather than the hostname takes every one of them down. [Ars Technica] [SMH]

Finance

CH – Switzerland Eases Bank Privacy Law

Following requests by the U.S. government for information about potential tax cheats, the Swiss government has agreed to ease its privacy laws and allow banks to disclose information on U.S.-based clients to the Internal Revenue Service (IRS). Swiss banks will now be able to deliver client details to the IRS, along with any fines that might be appropriate, in exchange for amnesty from further U.S. indictments. In order for the agreement to proceed, the U.S. would have to ratify a new taxation treaty between the two countries. [The Boston Globe]

EU – EU Sets Deadline for Bank Data Sharing

“EU leaders have agreed that the automatic sharing of individuals’ bank account data, a key measure to prevent tax evasion, should become law across all member states by the end of the year.” The report references EU President Herman Van Rompuy’s comments at a press conference calling for “member states to complete adoption of regulation covering private savings aimed at ending bank secrecy.” The report follows comments by French President Francois Hollande noting EU countries will start working on an automatic exchange of tax information. [AAP]

WW – Privacy and Data Security: Why Should Investors Care?

As data increasingly becomes the lifeblood of many businesses, the ability to shield and protect that data from mismanagement, hackers and cyberespionage is not only “vital to consumers” but also “critical to investors in publicly held U.S. companies”. “We believe boards have a fiduciary and social responsibility to protect company assets,” the authors write, “including personal information.” Meanwhile, a new survey reveals that 31% of European businesses have experienced a cyberattack in the last year. Consero Group Founder and CEO Paul Mandell says, “Confidence in information security is likely diminished by the high level of publicity surrounding recent cyberattacks and will likely continue to decline before it gets better.” [The Guardian]

US – Tea Party Group Sues Tax Collectors for Privacy Breach

The NorCal Tea Party Patriots, a northern California-based advocacy group, sued the U.S. Internal Revenue Service for allegedly breaching its federal privacy rights and the rights of like-minded organizations. The IRS has acknowledged that employees in its Cincinnati office targeted for special review groups seeking tax-exempt status as social welfare organizations that were also advocates for limited government and free markets. President Barack Obama has called the conduct “outrageous.” Four congressional committees are reviewing the matter and acting IRS Commissioner Steven Miller resigned. “Under pain of denial of tax-exempt status, the IRS and its agents singled out groups like NorCal Tea Party Patriots for intensive and intrusive scrutiny,” the group alleged today in a complaint filed at the U.S. court in Cincinnati. It seeks group status for “all conservative and libertarian groups targeted for additional scrutiny” between March 2010 and May 2013, together with unspecified money damages for the alleged violation of their constitutional rights and costs of compliance with the unlawful demands. The case is NorCal Tea Party Patriots v. The Internal Revenue Service, 13-cv-00341, U.S. District Court, Southern District of Ohio (Cincinnati). [Source]

US – IRS Sued for Allegedly Stealing EHRs of 10 Million Individuals

A lawsuit filed in California alleges that the US Internal Revenue Service (IRS) violated the Health Insurance Portability and Accountability Act (HIPAA) when it seized electronic health records belonging to 10 million US citizens. The lawsuit, filed by an attorney on behalf of a corporate client identified as John Doe Co., alleges that when the 15 IRS agents raided the company in March 2011, they did not have a search warrant or a subpoena. The seized records include “information about treatment for any kind of medical condition, … and a wide range of medical matters covering the most intimate and private of concerns.” The seized data were in electronic format and were allegedly taken in connection with an investigation into “a tax matter involving a former employee of the company.” The lawsuit is seeking monetary damages as well as a court order requiring the IRS to return the records and remove them from their databases. [NextGov] [Actual Suit]

FOI

CA – Alberta Putting Raw Data Online for Study, Business

Who knew that compared with the rest of Canada, Alberta is a Y chromosome extravaganza, with 101 men for every 100 women? Or that there were six cases of mumps in 2012, that 19% of Alberta men say they binge drink, and that we share the road with more than 3,000 licensed drivers aged 90 or over? And that in Alberta, Big Tobacco isn’t giving up without a fight. In the past decade, the number of men who smoke has remained steady at 20%. The data is among the reams of charts, graphs and searchable tables launched by the Alberta government for intrepid researchers and entrepreneurs to either learn from or spin into commercial gold. Service Alberta Minister Manmeet Bhullar said the service is called the Open Data Portal. “It provides Albertans with a single access point for all publicly available provincial government data.” [Source]

Genetics

CA – Alberta Police Representatives Push For DNA Tests Upon Arrest

Along with fingerprinting and photographing, police should also be able to swab suspected criminals’ cheeks for DNA as part of the routine booking procedure, police representatives in Alberta say. Armed with its “Legislative and Police Strategy Targeting Repeat and High Risk Offenders,” the Alberta Federation of Police Associations recently went before federal MPs to call for reforms in DNA collection, parole authorization and other areas of law enforcement. Chief among the items in the proposal is moving the point of DNA collection from conviction — and the subsequent court order — to the time of arrest. The thinking, according to newly elected federation director Paul Wozney, is to speed up the potential solving of other cases, cut down on the “maze” of court procedures to obtain a warrant for DNA, and expand the list of offences for which a cheek swab can occur to include any indictable offence. [Source] SEE ALSO: [The Art of Turning Discarded Chewing Gum Into Your Portrait]

Google

WW – Google Unveils Object-Recognition Feature

Google’s latest rollout is an object-recognition feature that has thus far flown under the radar. “Photo Search with Visual Recognition” allows users to search for an object on Google’s network and view all photos taken of that object by people in their Google+ circles, the report states. “Of course, the privacy-invading nature of social network ‘upgrades’ has now become such old news that the Google+ feature may go off without a hitch,” the report states, noting, however, that the feature does somewhat mitigate privacy concerns by only allowing searches within established circles. [The Huffington Post]

US – Congress Wants Answers on Google Glass

Eight members of Congress have sent Google CEO Larry Page a letter requesting answers on the privacy implications of Google Glass. “We are curious whether this new technology could infringe on the privacy of the average American,” said Rep. Joe Barton (R-TX), chairman of the bipartisan privacy caucus, on behalf of his colleagues. Google has until June 14 to respond to the inquiry, though a spokesman has written, “We are thinking very carefully about how we design Glass because new technology always raises new issues.” [National Journal]

Health / Medical

CA – HIMSS Analytics Report Finds Hospitals Facing Data Access Challenges

A new study titled “Streamlining Workflows and Access to Patient Data in Canadian Hospitals,” commissioned by Imprivata, specifies how EHR adoption can impact workflow efficiency and data access, and identifies single sign-on (SSO) technology as one of the solutions to streamline access to clinical systems and patient information. Several key barriers to enabling clinicians to seamlessly access patient data are identified in the study, including:

  • Lack of integration between electronic systems
  • Frequent inability to access information quickly
  • Privacy and security concerns. [Source]

US – Smartphone Tracker Gives Doctors Remote Viewing Powers

Ginger.io is a company spun out of the MIT Media Lab, whose app of the same name is in trials with hospitals across the country. The Ginger.io smartphone app logs all activity on a patient’s phone and transmits the data to the hospital, where it can be monitored. “Now,” says cofounder and CEO Anmol Madan, “the doctor or nurse can get a sense of the patient’s life and help as needed.” The app automatically notes changes in phone-use patterns and sends alerts when they are detected, which can keep patients who generally care for themselves at home from suffering dire consequences if they deviate from prescribed medication or therapy. [MIT Technology Review]

Horror Stories

US – Hacker Pleads Guilty, Faces 10 Years

A member of hacker group “Anonymous” has pleaded guilty to hacking a private intelligence firm and several websites. 28-year-old Jeremy Hammond has admitted to assisting in the December 2011 attack on Stratfor Global Intelligence Service as well as hacking the Arizona Department of Public Safety, the Boston Police Patrolmen’s Association, the FBI’s Virtual Academy and an Alabama sheriff’s office. He faces up to 10 years in prison. Hammond said he committed the acts, which gathered the credit card and other personal information of more than one million people, in the name of greater transparency because people “have a right to know what governments and corporations are doing behind closed doors.” [The Huffington Post]

UK – ISU to Pay $400,000 Breach Fine

The Department of Health and Human Services (HHS) has released a resolution agreement following Idaho State University’s (ISU) HIPAA violations dating back to August 2011. ISU will pay $400,000 in penalties for exposing data on 17,500 patients by disabling a firewall for at least 10 months, the report states. HHS found ISU committed violations including failing to conduct a risk analysis of the confidentiality of its electronic personal health records and failing to implement sufficient security measures to reduce risk. ISU has entered into a corrective action plan agreement with HHS. [Health IT Security]

US – Data Breach Puts DHS Employees at Risk of Identity Theft

The U.S. Department of Homeland Security (DHS) has revealed that a vulnerability in a vendor’s system may have exposed the Social Security numbers and dates of birth of tens of thousands of its employees. A DHS spokeswoman said the data was stored in the vendor’s database of background investigations and may have been accessible as far back as July 2009. Meanwhile, the Maine Attorney General’s Office has issued an alert to people who have purchased tickets through online service Vendini. According to the company, a server containing the names, addresses, e-mail addresses, credit card numbers and expiration dates of tens of thousands of people—including many Maine residents—was breached. [Federal News Radio] See also: [NZ: Stalling on privacy report fuels speculation]

US – Reporters Use Google, Find Breach, Get Branded as “Hackers”

Two telecoms are calling Scripps Howard News Service reporters hackers after the reporters discovered the personal data of some 170,000 users of a subsidized cell phone program online. The telecoms claim the reporters violated the Computer Fraud and Abuse Act by using sophisticated and “automated” means to uncover the records, but the reporters say they found the data through a Google search. The data included applications for the Federal Communications Commission’s (FCC) Lifeline program—which contained Social Security numbers—collected for telecoms YourTel and TerraCom by Vcare. FCC regulations bar telecom providers from retaining this data, but, according to the report, Vcare had the applications stored on its servers and posted to an open file-sharing area. [Ars Technica]

WW – Breach May Have Exposed 22M IDs

Yahoo Japan released a statement on Friday that a file with 22 million login names may have been exposed. “We don’t know if the file was leaked or not, but we can’t deny the possibility, given the volume of traffic between our server and external terminals,” the statement notes. The company has posted information related to the breach on its homepage and is contacting those affected, the report states, noting the unauthorized access was discovered on Thursday and could affect 10% of the company’s user base. [InformationWeek]

WW – First Return on Investment (ROI) Analysis for the Critical Security Controls

John Pescatore compares Idaho State University’s (ISU) projected cost of settling HIPAA violations with the US Department of Health and Human Services (HHS) to what it would have cost the university to implement security controls that could have (helped) protect its systems from breaches. The estimated cost to ISU, including the fine, the costs of managing the breach, and the implementation of a Corrective Action Plan is US $1 million over two years. Putting in place certain Critical Security Controls that would have detected the issue that exposed patient data would cost an estimated US $75,000. Even adding in extras like vulnerability assessments and monitoring would put the cost at US $500,000, equivalent to one year’s share of the above cost. [SANS]

US – Drupal Resets Passwords After Breach

Drupal.org has reset all account passwords after discovering that intruders had gained unauthorized access to information on its servers. The intrusion was made through unspecified third-party software on the organization’s servers. Nearly one million accounts are affected. [H-Online] [ZDNet] [Ars Technica] [ComputerWorld]

US – Reporters Who Discovered Unprotected Data Are Accused of Being Hackers

Two telecommunications companies are accusing reporters of hacking after the reporters uncovered a cache of personal data on a publicly accessible server. The Scripps reporters say they found the data, which include Social Security numbers (SSNs) and other personally identifiable information, through a Google search, but the companies maintain that the reporters accessed the data and in doing so, violated the Computer Fraud and Abuse Act. The reporters deny those allegations. The data, which were gathered by a third party company on behalf of the two telecommunications firms, were collected as supporting documentation for families seeking to qualify for the US Federal Communications Commission’s (FCC’s) Lifeline program, which helps low-income Americans obtain phone service. The program allows the telecoms to request the information but specifically says that it may not be retained. [Ars Technica] [SacBee] [NPR]

Identity Issues

US – Court: Best Buy’s ID Check Doesn’t Violate Privacy

A federal appeals court has determined that Best Buy’s driver’s license requirement for returning purchases does not contravene the Drivers’ Privacy Protection Act. The 11th Circuit Court of Appeals agreed with a Florida court ruling that tossed out a potential class-action lawsuit filed by Steven Siegler. The suit alleged the company’s practice of collecting and retaining driver’s license data during a purchase return is not a “normal course of business” use. [Bizjournals] See also: [Two-factor authentication: What you need to know (FAQ)]

WW – Twitter Launches Two-Factor Authentication

Twitter has introduced two-factor authentication for account access. Users who opt in to the feature provide Twitter with a mobile phone number, and whenever they want to log in to their accounts, they will be required to provide their regular passwords along with a verification code which will be sent to the specified phone. The introduction of this feature comes just weeks after several high-profile Twitter accounts were compromised and misused. [Ars Technica] [SC Magazine] [h-Online]

Intellectual Property

US – SIIA Releases Whitepaper on Balancing Innovation and Privacy

The Software and Information Industry Association (SIIA) on Monday released a whitepaper on balancing innovation with privacy in Big Data. In the paper, the SIIA cautions against over-legislation, recommending instead that companies take the initiative to build privacy into their Big Data policies. SIIA Senior Director David LeDuc says there are ways for companies to benefit from Big Data and still protect user privacy, adding that anonymizing consumer data as quickly as possible would be a good step. The SIIA and other industry groups would like to see policy-makers, consumer advocates and other stakeholders come together to create policy. [The Washington Post]

US – Commission Recommends Stronger Action to Protect Intellectual Property

The Commission on the Theft of American Intellectual Property, a private organization, has issued a report arguing that US companies should be permitted to act aggressively to prevent hackers from stealing their intellectual property. The report notes that “hundreds of billions of dollars” worth of US intellectual property (IP) is stolen each year, and estimates that China is responsible for 50 to 80 percent of international intellectual property theft. In addition, “the slow pace of legal remedies for IP infringement does not meet the needs of companies whose products have rapid product life and profit cycles.” The paper also makes a case for creating disincentives to IP theft by making it unprofitable. The report calls for laws to allow intellectual property owners to retrieve or “render inoperable” stolen IP. The process would be helped through increased “meta-tagging,” “beaconing,” and “watermarking,” technology that basically has a phone-home effect, letting IP holders know when information has been stolen. [ComputerWorld] [SC Magazine] [ZDNet] [Forbes] AND [Text of Report] SEE ALSO: [Future in Review]

Internet / WWW

WW – Privacy Hampers Research Outcomes

Professors at the Massachusetts Institute of Technology say privacy remains a “big stumbling block” to effectively using Big Data. MIT’s Andrew Lo, Dimitris Bertsimas and Alex “Sandy” Pentland are building Big Data models to predict financial market shifts and crime and improve healthcare outcomes, the report states, but run into privacy issues when it comes time to analyze the data. There are also concerns about individuals being profiled based on Big Data findings. Meanwhile, Amsterdam’s ZyLAB has published a whitepaper warning IT decision-makers about “the dark side of Big Data.” [The Wall Street Journal]

Law Enforcement

US – Swire: FBI Initiative Threatens Secure Communications on the Internet

Recent moves by the FBI to persuade the Obama administration “to support major changes” to the Communications Assistance to Law Enforcement Act of 1994 (CALEA) have prompted a new report from the Center for Democracy & Technology and this latest Privacy Perspectives installment from Peter Swire, CIPP/US, who formerly served as chief counselor for privacy in the Office of Management and Budget under President Bill Clinton. The new changes could open up a range of risks and “harm cybersecurity.” [Source]

CA – Privacy Concerns Raised As U.S., Canada Share Data on Travellers

Canada and the U.S. have swapped biographic information on 756,000 cross-border travellers under a sweeping new effort to catch cheating entrants, according to a new border agency report. The flow of personal data between the countries has so far been limited to information about third-country nationals and permanent residents crossing at four major Canada-U.S. land border points. Next year, however, the bilateral exchange will expand to cover all travellers, including Canadian and American citizens, at all automated border crossings. The project is part of the 2011 Canada-U.S. Beyond the Border declaration and action plan. A chief concern among privacy advocates is minimizing the threat of personal information being used for secondary purposes unrelated to border security. [Source] See also: [Privacy complaint launched over CBSA reality TV show]

CA – Manitoba RCMP Members Watch Porn, Snoop on Spouses, Files Show

From snooping on spouses to downloading pornography, a number of RCMP members in Manitoba have been disciplined for abusing their time on duty and the resources available to them on the job. RCMP documents obtained by CBC News reveal the disciplinary actions taken against 10 members of Manitoba’s D Division between the beginning of 2010 and September 2012. The documents outline cases of members using police databases to keep tabs on girlfriends and ex-wives, using RCMP computers to download pornography, and providing civilians with the results of licence plate searches. The sanctions handed out range from a formal reprimand to a reprimand and the loss of 10 days’ pay, although some of the decisions noted that the members could have faced dismissal from the RCMP. [Source]

US – NYPD Detective Arrested for Allegedly Hacking eMail Accounts

US federal law enforcement agents have arrested a New York City Police Department (NYPD) detective for allegedly hiring a hacking service to break into more than 40 email accounts belonging to NYPD employees and other people. Edwin Vargas also allegedly paid the same group for gaining access to cell phone records. According to evidence gathered from a digital forensic review of Vargas’s hard drive, he had obtained access to three months of cellphone records for at least one individual. Vargas also accessed the National Crime Information Center (NCIC) database, which he was authorized to use as a law enforcement officer, but he allegedly accessed information outside the realm of his duties. [The Register] [Information Week] [FBI]

UK – Northamptonshire Police Officers Given Body Cameras

Twenty body cameras have been issued to police officers in Northamptonshire to record incidents for use as evidence in court cases. The cameras operate continuously with a 180-degree sweep and can record in darkness. The Northamptonshire Police and Crime Commissioner said they were valuable in bringing more convictions. Linda Lee, former president of the Law Society, said she was concerned the cameras could be a privacy intrusion. Ms Lee said that because they operated continuously the cameras would pick up a lot about people’s everyday lives, which could be an unwelcome intrusion. Mr Simmonds said that instead of officers having to record incidents on paper and trace witnesses, the court could see and hear the details of incidents in real time. [Source]

Location

WW – Apple Seeks Tracking Suit’s Dismissal

Apple has filed a motion for summary judgment in a privacy class-action lawsuit. The company argues the plaintiffs in the suit—which claims the company uses third-party iPhone applications to access and track users’ personal information—admit suffering “no harm whatsoever” and “still have no idea whether their personal information or location data was actually tracked.” The court dismissed the plaintiffs’ first complaint in September 2011 and dismissed all but two claims of an amended complaint in June 2012. A hearing in this case is set for November 7. [Courthouse News Service] SEE ALSO: [Opinion: Judge’s Phone Ruling Is “Ridiculous”]

Offshore

US – Government Wants Security Research on Car-To-Car Nets

David Strickland, Administrator of the USA’s National Highway Traffic Safety Administration (NHTSA), has told that nation’s Senate Committee on Commerce, Science, and Transportation that he plans to research the security requirements of automated cars and vehicle-to-vehicle (V2V) networks. Strickland appeared before the committee this week and gaped with appropriate metaphorical awe at the likes of Google’s self-driving vehicles and V2V network proposals that would see one car radio another to tell it when heavy braking is required. Such systems, Strickland said, could “potentially address about 80 percent of crashes involving non-impaired drivers once the entire vehicle fleet is equipped with V2V technology.” He’s also worried about what he called “vehicle cybersecurity”, because he believes more technology in cars creates “growing potential for remotely compromising vehicle security through software and the increased onboard communications services”. NHTSA has asked for an extra $US2m to research the problem, with the aim “of developing a preliminary baseline set of threats and how those threats could be addressed in the vehicle environment”. Standards for car-makers are also on the agenda. [Source]

Online Privacy

NZ – Commish: School Sites Lack Data-Use Info

After sweeping a number of websites as part of the Global Privacy Enforcement Network, New Zealand Privacy Commissioner Marie Shroff has announced that many schools and some popular children’s websites “show there is often no information given to users about how their personal information collected via the site will be used and shared.” According to a press release, “We found that in a selection of the larger New Zealand schools’ websites we looked at, very few had any sort of policy at all.” In contrast, many children’s gaming websites had privacy policies that “were usually extremely detailed and lengthy, and the references were often to U.S. or European law.” [Media Release]

US – Website Shows Just How Private Snapchat Really Is

If recent stories showing the permanence of Snapchat’s supposedly ephemeral photo sharing didn’t convince you, perhaps the launch of the new SnapchatLeaked.com will. The startup website allows users to upload photos that have been sent to them, despite the senders’ assumption that they would be deleted after only 10 seconds of viewing. While the site covers up “naughty bits” and doesn’t display a Snapchat ID, there is still some speculation as to whether the site will lead to lawsuits. “All images are user-submitted,” the site’s creators told UK tabloid Metro, “if the person asks to take them down, we do. Most see it as fun and getting ‘Facebook famous’.” [Beta Beat]

WW – Facebook Joins Advocacy Group

Facebook announced on Wednesday that it has joined the online privacy and freedom advocacy group Global Network Initiative (GNI). The affiliation may help to show users that Facebook is taking privacy concerns seriously and also help it navigate expansion in developing countries, the report states. GNI provides guidance on protecting online privacy against government intrusions and reviews members’ practices to ensure they are in line with GNI’s goals. Meanwhile, Facebook CEO Mark Zuckerberg was in Poland on Wednesday meeting with Polish Minister for Administrative Affairs and Digitisation Michal Boni about the global significance of the Polish IT industry. [The Wall Street Journal]

WW – Firefox Cookie Blocking By Default on Pause

Mozilla has postponed default cookie-blocking in its Beta version of Firefox 22 “to collect and analyze data on the effect of blocking some third-party cookies.” The default setting has been criticized by the online advertisement industry. The nonprofit is currently testing a patch created by Jonathan Mayer. In a blog post, Mozilla Chief Technology Officer Brendan Eich wrote, “Our next engineering task is to add privacy-preserving code to measure how the patch affects real websites,” adding, “We will also ask some of our Aurora and Beta users to opt in to a study with deeper data collection.” [PC World]

WW – Future Version of Firefox Will Block Mixed Active Content by Default

A future stable version of Firefox will block mixed active content by default. Firefox 23 Aurora is scheduled for stable release in about three months. Mixed active content is described as an HTTPS-secured website that loads some HTTP content, which can make the site vulnerable to a variety of attacks. Users will have the option of disabling the content blocker on a site-by-site basis. [CNET] [Mozilla] [interesting article on the security implications of HTTP/HTTPS mixer-uppers]
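As an added illustration of what a blocker like the one described above has to distinguish (example code written for this digest, not Mozilla’s or Firefox’s own), the scanner below walks an HTML document served from an HTTPS page URL and reports each resource fetched over plain HTTP, separating active mixed content (scripts, frames, objects, stylesheets) from passive mixed content (images and media); the sample HTML and host names are constructed.

```javascript
// Added example, not code from the article or from Mozilla: find mixed content in
// an HTML document served over HTTPS and classify each hit as "active" (can run
// code or restyle the page) or "passive" (display-only). A tag regex stands in
// for a real HTML parser, so this is a review aid rather than a browser engine.

// Element/attribute pairs that can execute code or alter the page: active mixed content.
const ACTIVE = { script: "src", iframe: "src", object: "data", embed: "src" };
// Elements that only display a resource: passive mixed content (browsers warn,
// but historically do not block these by default).
const PASSIVE = { img: "src", audio: "src", video: "src", source: "src" };

// Return the value of attribute `name` inside a tag's attribute string, or null.
function attr(attrs, name) {
  const re = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Resolve `raw` against the page URL. A protocol-relative "//host/x.js" inherits
// the page's https: scheme and a relative path stays on the page's origin, so
// neither counts as mixed content; only a resolved http: URL does.
function isInsecure(raw, pageUrl) {
  try {
    return new URL(raw, pageUrl).protocol === "http:";
  } catch {
    return false; // unparsable URL: not classifiable
  }
}

// Return [{tag, url, kind}] for every plain-HTTP resource referenced by `html`.
function findMixedContent(html, pageUrl) {
  const findings = [];
  // Only a page that is itself HTTPS can have mixed content.
  if (new URL(pageUrl).protocol !== "https:") return findings;
  const tagRe = /<(script|iframe|object|embed|link|img|audio|video|source)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    let kind = null;
    let url = null;
    if (tag === "link") {
      // A stylesheet can inject content and exfiltrate data through CSS, so it is
      // active; other <link> relations (icons etc.) are skipped by this scanner.
      const rel = (attr(attrs, "rel") || "").toLowerCase();
      if (rel.split(/\s+/).includes("stylesheet")) {
        kind = "active";
        url = attr(attrs, "href");
      }
    } else if (tag in ACTIVE) {
      kind = "active";
      url = attr(attrs, ACTIVE[tag]);
    } else if (tag in PASSIVE) {
      kind = "passive";
      url = attr(attrs, PASSIVE[tag]);
    }
    if (kind && url && isInsecure(url, pageUrl)) findings.push({ tag, url, kind });
  }
  return findings;
}

// Constructed sample page (hosts are placeholders, not real sites) mixing secure,
// protocol-relative, relative and plain-HTTP resources.
const SAMPLE_PAGE = "https://shop.example/checkout";
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<link rel="icon" href="http://cdn.example/favicon.ico">
<script src="https://cdn.example/app.js"></script>
<script src="http://cdn.example/analytics.js"></script>
<script src="//cdn.example/widget.js"></script>
</head><body>
<img src="http://img.example/banner.png">
<img src="/static/logo.png">
<iframe src='http://ads.example/frame.html'></iframe>
</body></html>`;

// Counts per class plus the offending URLs, in document order.
function summarize(html, pageUrl) {
  const found = findMixedContent(html, pageUrl);
  return {
    active: found.filter((f) => f.kind === "active").length,
    passive: found.filter((f) => f.kind === "passive").length,
    urls: found.map((f) => f.url),
  };
}

console.log(summarize(SAMPLE_HTML, SAMPLE_PAGE));
```

On the sample page the three active hits (the stylesheet, the analytics script and the ad iframe) are what a default blocker of this kind would refuse to load, while the banner image is reported as passive.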

EU – German Commissioner Calls Out Xbox One Privacy Issues

Not all are pleased with the technology behind Microsoft’s upcoming platform, the Xbox One. Speaking with news site Spiegel, Germany’s federal data protection commissioner Peter Schaar likened the next-generation console to a “monitoring device.” “The Xbox continuously records all sorts of personal information about me. Reaction rates, my learning or emotional states. [These] are then processed on an external server, and possibly even passed on to third parties,” Schaar said. “Whether it be deleted ever, the person concerned cannot influence.” Privacy concerns surrounding the Xbox One were brought up immediately after Microsoft revealed that the system’s built-in Kinect features an always-on standby mode that can react to users even when it is “off.” [Source]

Other Jurisdictions

AU – Gov’t Introducing Breach Notification Bill

Privacy Commissioner Timothy Pilgrim has voiced support for mandatory breach legislation. Attorney-General Mark Dreyfus has announced the government will introduce legislation to take effect in March that will require companies to disclose data breaches. The legislation, which the Australia Law Reform Commission has been proposing since 2008, will “require notification of serious data breaches that will result in a real risk of serious harm,” a Gizmodo report states, noting Dreyfus used the announcement of the legislation as an opportunity to chastise organizations for recent data breaches. As current legislation does not require companies to disclose breaches, the report questions “the data breaches we haven’t heard about over the last decade.” [CSO] See also: [Global tech giants to face Aussie privacy hurdles]

AU – Privacy Laws Stop Cops Tracking Refugees

Privacy restrictions are preventing police being told where asylum seekers are living in the community. The Immigration Department has told a parliamentary committee that “due to privacy reasons”, police were not told where boat arrivals on bridging visas are. More than 10,000 asylum seekers who have been released have had initial security checks, but are yet to undergo screening by ASIO. Police have been called to asylum seeker housing five times over assaults from November 2011 to December last year. Four asylum seekers living in the community have since absconded and are yet to be found. [Source]

RU – Russia Ratifies Commitment to Convention 108

On May 15, Russia ratified a treaty to join Convention 108—the “Convention for the protection of individuals with regard to Automatic Processing of Personal Data.” Council of Europe Secretary General Thorbjørn Jagland said he received Russia’s accession from Permanent Representative and Ambassador of the Russian Federation to the Council Alexander Alekseev. The treaty will enter into force on September 1. Russia will become the 46th state to join Convention 108. [NewEurope]

Privacy (US)

US – Consumer Groups Worry U.S.-EU Trade Pact Will Weaken Privacy Regulations

Reuters reports on developments regarding the Transatlantic Trade and Investment Partnership (TTIP), a proposed free-trade agreement between the EU and U.S. Consumer groups have called language in the agreement a “backdoor way” for U.S. businesses to sidestep EU data protection law. Roughly 60 supporters and opponents of the agreement will address a panel convened by the Trade Representative’s office to discuss TTIP this week. [Source] [See also Trade Law and Privacy Law Come Together]

US – Schnucks: Class-Action Suit Should Be Federal

Schnucks Markets claims a potential class-action lawsuit filed against it in an Illinois state court belongs in federal court because of the case’s scope and damages involved. The St. Louis-based grocer has filed a motion for removal. The motion notes the damages the plaintiffs claim exceed the $5 million threshold for a federal case and that the number of people involved in the claim, from various states, means the case should be federal. Schnucks announced a breach earlier this year resulting in the exposure of 2.4 million credit and debit cards. The lawsuit claims the store was negligent and didn’t inform those affected quickly enough. [Computerworld] See also: [US: As Data Breaches Rise, AGs Emerge As Primary Enforcers]

US – FTC Asks Judge to Reject Wyndham Hotels’ Motion to Dismiss Complaint

The US Federal Trade Commission (FTC) has filed documents asking a US District Court to toss out Wyndham Hotels’ motion to dismiss an FTC complaint against the company after it suffered a number of data security breaches. Wyndham argued that the FTC is exceeding its authority because it is trying to make cybersecurity issues into consumer protection issues, saying the FTC “wants to turn a statute designed to protect consumers from unscrupulous businessmen into a tool to punish businesses victimized by criminals.” But court documents say “the FTC is not suing Wyndham for the fact that it was hacked, it is suing Wyndham for mishandling consumers’ information such that hackers were able to steal it.” The case is significant because “in the absence of comprehensive cybersecurity legislation … the only effective method for cybersecurity regulation by the government is to use the FTC’s enforcement authority.” [SC Magazine] [Lawfareblog]

US – FTC Sends Biz COPPA Education Letters

In light of upcoming rule changes to COPPA and recent pushback from industry, the FTC has issued more than 90 letters to app developers. The letters were sent to companies whose online services “appear” to collect personal information from children under the age of 13. “While the letters do not reflect an official evaluation of the companies’ practices by the FTC, they are designed to help businesses come into compliance” with the impending changes, an FTC press release states. Meanwhile, The Washington Post reports on comments made by Center for Digital Democracy’s Joy Spencer, who said, “Facebook is not doing enough to ensure children under 13 don’t have access to the site,” adding, “That raises a number of concerns about safety and because Instagram then is able to collect personally identifiable information on children, which can be used to target ads toward them in the future.” [FTC Press Release]

US – Privacy Organization Files FTC Complaint Against Snapchat

It’s recently surfaced that Snapchat photos and videos are stored somewhere on your phone and can be retrieved with a few tools. Snapchat hasn’t responded with a fix yet, and this has landed the app in hot water with the Federal Trade Commission. Way back when Snapchat was first launched, Buzzfeed discovered a loophole that allowed cached Snapchat videos to be rewatched on an iOS browser like iFunBox. The Electronic Privacy Information Center has been keeping a watchful eye on Snapchat, and the most recent evidence of Snapchat retrieval has proven reason enough for the privacy organization to strike. Photographer Nick Keck told us he used iFile, an iOS browser, to dig up saved Snapchat videos. Photos can’t be retrieved, as we reported earlier, since photos aren’t cached. EPIC says Snapchat led users to believe their images and videos would “disappear forever.” But in the complaint that EPIC filed with the FTC, the group says the company used “unfair and deceptive acts and practices.” [Source]

US – Does “Neighbors” Photo Exhibit Violate Privacy?

Photographs taken by a New York City artist have residents infuriated. “In one photo, a woman is on all fours, presumably picking something up, her posterior pressed against a glass window. Another photo shows a couple in bathrobes, their feet touching beneath a table. And there is one of a man, in jeans and a T-shirt, lying on his side as he takes a nap,” the report states, noting the photos were taken through their windows by Arne Svenson from his nearby apartment. Although their faces are not shown, the residents “had no idea they were being photographed, and they never consented to being subjects,” raising questions of whether any privacy law has been violated. [The Associated Press]

US – Feds Tracked Reporter’s Movements, Personal E-Mail

In an effort to unmask a leaker who fed a reporter classified information about North Korea, FBI investigators tracked the journalist’s movements in and out of a government building, obtained copies of e-mails from his personal account and also took the unprecedented step of alleging that the reporter engaged in a criminal conspiracy simply for doing his job. Investigators tracked the reporter’s movement using security badge access records as he left and returned to the State Department’s headquarters in Washington, DC, and also obtained two days’ worth of e-mail correspondence from his Gmail account. “Never in the history of the Espionage Act has the government accused a reporter of violating the law for urging a source to disclose information,” Ben Wizner, director of the ACLU’s Speech, Privacy and Technology Project said in a statement. “This is a dangerous precedent that threatens to criminalize routine investigative journalism.” The revelations come in an affidavit filed in an investigation against a State Department security adviser who is accused of leaking classified information to the reporter, Rosen. [Source]

US – Bloomberg Appoints Privacy Czar

In light of revelations that some of Bloomberg’s journalists were using private client data for reporting, the company has announced it has hired former IBM CEO Samuel Palmisano “to serve as an independent advisor regarding the company’s privacy and data standards.” According to Bloomberg’s press release, Palmisano “will immediately undertake a review of the company’s current practices and policies for client data and end-user information, including a review of access issues recently raised by the company’s clients.” Palmisano will report directly to the Board of Directors and will be assisted by representatives from Hogan Lovells and Promontory Financial Group. [Forbes]

US – Harvard College Dean Who Authorized eMail Searches Stepping Down

The Harvard College dean who authorized secret searches of residential deans’ email messages will step down this summer. Evelynn M. Hammonds acknowledged that she authorized the searches, which were aimed at identifying the source of an information leak about a cheating scandal that emerged at the school in 2012. Hammonds and other administrators maintained that automated searches were made only of email subject lines to determine who had shared a confidential message with someone at the Harvard Crimson newspaper, and that the searches were conducted in an effort to protect the privacy of the students involved in the cheating scandal. The administrators also acknowledged that it was a mistake not to notify the deans of the search either before or after the fact. [ComputerWorld] [CNN]

US – California’s Mobile App Privacy Law Test Case Unsuccessful

A California Superior Court judge has dismissed a lawsuit brought against Delta Air Lines for allegedly failing to comply with state laws regarding mobile application privacy. The lawsuit, filed by California Attorney General Kamala Harris, alleged that Delta had violated California’s Online Privacy Protection Act because it did not disclose how its Fly Delta smartphone app collected and used customer data. Delta argued that the state law is superseded by the Federal Airline Deregulation Act, which says that states may not enforce laws that affect airlines’ fares, routes, or services. Delta maintained that its mobile app was a service and Judge Marla Miller agreed. [ComputerWorld]

Privacy Enhancing Technologies (PETs)

WW – New ‘Clueful’ App Scans Android Phones for Privacy Leaks

Anti-virus firm Bitdefender launched Clueful, a free Android app that tells you how much other Android apps invade your privacy. Clueful quickly scans your phone to see which apps are installed, and then gives you an overall privacy score ranging from a low of 1 to a high of 100. Clueful categorizes individual apps into high-, moderate- and low-risk categories, with high scorers being those apps that “are viruses,” “send your identity to strangers” and “use very intrusive ads.” Moderate-risk apps “send your private data to strangers,” such as popular games like “Angry Birds.” Other apps have the ability to read or intercept SMS messages, including Amazon, USA Today and IMDb; the same number might read contacts. Meanwhile, a whopping 42 apps had the ability to track location, including the game “Fruit Ninja.” Clueful is available for installation from the Google Play app store. [Source]

WW – Web-Security Firm Acquires Web-Privacy Firm

Web-security firm AVG has purchased web-privacy firm PrivacyChoice. PrivacyChoice offers a browser extension that analyzes a user’s web activity and indicates their exposed personal information. “Since founding, our mission has been to deliver more effective and more informed choices about how your data is collected, used and shared,” said PrivacyChoice founder Jim Brock. “We saw strong synergies between our approach and the efforts AVG continues to make in empowering people when it comes to their online privacy.” [Venturebeat]

RFID

WW – Chips Pose ID Theft and Privacy Concerns

Identity theft of travelers is rising, stemming from access to RFID chips in passports and credit cards. Criminals can also access personal data from smartphones via WiFi networks. To help curb such attacks, some luggage companies are inserting RFID-blocking compartments in luggage. Meanwhile, Bruce Schneier, a security expert, writes about the rise of the Internet of Things and surveillance in his latest blog post, noting that “any illusion of privacy we maintain” is “about to get worse.” [The Washington Post]

Security

UK – Smart Meters Need to Be Harder To Hack, Experts Say

By the year 2020 about 30 million British homes will have digital smart meters monitoring their gas and electricity usage, according to government plans. The scheme promises to reduce costs, as in-house monitors will make energy consumption more visible and therefore controllable, and will remove the need for estimated bills. However, this month the roll-out was delayed by the Department of Energy and Climate Change for more than a year as the government admitted more tests were still needed. One big issue for information security experts is the safety of the data collected by the meters and transferred back to the utility companies. While there are many different brands of meter, the communications hubs which transmit this information often use the mobile data network via a SIM card. “There are two main ways of hacking the meters – through the mobile network they use to communicate, or through hardware hacking – opening the meter up, tampering, altering the firmware or removing the cryptographic keys.” [Source] SEE ALSO: [AU: Hacking: Chinese spies steal ASIO blueprints]

US – Electric Grid Under Continuous Attack

Computer systems at utility companies that make up the US electric grid are under attack daily, according to a Congressional report. Two legislators sent questionnaires to more than 150 companies and received 112 responses. Just 53 of those actually answered the questions, while the rest provided partial responses or information that did not directly answer the questions. More than a dozen of the responses said their systems were under “daily,” “constant,” or “frequent” attacks. One company reported it experienced 10,000 attempted attacks a month. None of the companies noted that the attacks had damaged their systems. The report, “Electric Grid Vulnerability: Industry Responses Reveal Security Gaps,” looks at threats from both hackers and from natural occurrences. The report strongly urges Congress “to provide a federal entity with the necessary authority to ensure that the grid is protected from potential cyber-attacks and geomagnetic storms.” [Ars Technica] [CNET] [ComputerWorld]

US – Report Says Chinese Hackers Accessed US Weapons Systems Designs

According to a confidential report from the Defense Science Board, Chinese hackers gained access to designs for advanced US weapons systems. The confidential report, which was prepared for the Pentagon, did not specify whether the data were accessed through government networks or through contractor networks. According to the report, DOD “is not prepared to defend against this threat. With present capabilities and technology, it is not possible to defend with confidence against the most sophisticated cyber attacks.” An unnamed senior military official told the Washington Post that “in many cases, they don’t know they’ve been hacked until the FBI comes knocking on their door.” [Washington Post] [Reuters] [CNET] [REPORT] See also: [Clearwire Will Shed Huawei Hardware]

US – Iranian Hackers Targeting US Companies’ Industrial Control Systems

US officials say that hackers operating on behalf of the Iranian government are targeting industrial control systems at US energy companies in an attempt to damage the country’s critical infrastructure. Thus far, the attacks have focused on gathering intelligence about how the systems operate. Some US officials have posited that Stuxnet, the sophisticated malware attack that targeted centrifuges at an Iranian nuclear facility in 2010, pushed Iran to develop stronger cyberattack capabilities and to retaliate. [The Register] [eWeek] See also: [Syrian Electronic Army Hacked Sky’s Twitter and Android Apps] and: [Australian Official Will Not Confirm Reports of Cyberespionage]

US – Chinese Hackers Accessed Google’s Surveillance Database

The Chinese hackers who broke into Google servers in 2009 and 2010 were able to gain access to Google’s database of surveillance orders from the US government. The information was likely sought to determine which Chinese intelligence operatives in the US were under surveillance by law enforcement agencies there. A Microsoft official recently hinted that Microsoft suffered an intrusion at about the same time, and that the attackers appeared to be searching for information about accounts for which the US government had legal wiretap orders. [Washington Post] and [Chinese Hackers Resume Attacks on US Organizations : Source | Source | Source]

WW – Software Security Standards Gaining Traction 

At a conference earlier this week, Microsoft announced its support for ISO 27034, an international standard that lays out processes and practices for secure software development. On the same day at the same conference, the Software Assurance Forum for Excellence in Code (SAFECode), an organization that promotes secure software development practices, announced the availability of free training modules on secure coding practice for developers. The first portion of the International Organization for Standardization’s (ISO’s) secure programming techniques document, 27034-1, was released in November 2011. It describes elements of a secure development process, which is useful information for both developers and consumers. [eWeek]

Surveillance

US – AG Tells Senate to Get Warrants to Access Stored Cloud Content

US Attorney General Eric Holder told the House Judiciary Committee that he supports requiring that the government obtain a probable-cause warrant to access email and other cloud-stored content. In April, the committee approved proposed legislation that would alter a portion of the 1986 Electronic Communications Privacy Act (ECPA) allowing law enforcement to access content stored in the cloud, unopened, for more than 180 days. [WIRED] [ZDNet]

Telecom / TV

US – Cell Phone Users ‘Have No Legitimate Expectation of Privacy’ – Judge

A federal judge recently ruled that if someone has their cell phone turned on, their location data does not deserve protection under the Fourth Amendment, meaning law enforcement can track individuals without a search warrant. New York magistrate judge Gary Brown decided in favor of Drug Enforcement Administration (DEA) agents who were seeking his approval over a warrant on a doctor who they suspected was being paid for issuing thousands of prescriptions. The warrant would have compelled the physician’s phone company to provide real-time tracking data from his cell. Brown, certainly to the delight of police, issued a 30-page brief outlining his opinion that, by carrying a cell phone, someone is essentially waiving their Fourth Amendment right to due process. “Given the ubiquity and celebrity of geolocation technologies, an individual has no legitimate expectation of privacy in the prospective location of a cellular telephone where that individual has failed to protect his privacy by taking the simple expedient of powering it off,” Brown wrote. “As to control by the user, all of the known tracking technologies may be defeated by merely turning off the phone. Indeed – excluding apathy or inattention – the only reason that users leave cell phones turned on is so that the device can be located to receive calls. Conversely, individuals who do not want to be disturbed by unwanted telephone calls at a particular time or place simply turn their phones off, knowing that they cannot be located.” He goes on to suggest that because there are smartphone applications available that allow users to locate people in their area with similar interests, cell phone customers should not expect their inherent right to privacy to be observed. The American Civil Liberties Union (ACLU) has long been a voice for the American people against governmental overreach and technological surveillance. Chris Soghoian, a principal technologist and senior policy analyst at the ACLU, wrote that Brown’s opinion was “ridiculous.” “There is a big difference between location information you knowingly share with a select group of friends (or, in fact, the world) and information collected about you without your knowledge or consent,” he wrote. [Source]

US – NAI Working On New Mobile Privacy Rules

The Network Advertising Initiative (NAI) is moving forward with plans to eventually issue a set of mobile privacy rules. A draft version is being circulated among members to help provide a code of conduct for data collected from mobile apps. The draft rules cover behavioral targeting and are expected to be finalized by next month, NAI Executive Director Marc Groman, CIPP/US, has said. The rules would require participating companies to provide consumers with an opt-out for behavioral targeting ads but would allow ad networks to continue to collect “non-personally identifiable” data for certain purposes, such as analytics, ad optimization and frequency capping. [MediaPost News]

EU – SAP Touts Service That Sells Customer Data from Phone Firms

European software firm SAP has announced a new service that will pull data from its “extensive partner network”—which includes “over 990 mobile operators”—collect and analyze it “without drilling down into user-specific information,” and disclose the results to subscribers via a web portal. SAP said of its Consumer Insight 365 mobile service that “this market intelligence will ultimately allow brands to strengthen relationships with consumers through more targeted and context-specific marketing efforts.” The Wall Street Journal reports on the potential privacy concerns from a service that will “broaden the range of data about individuals’ habits and movements that law enforcement could subpoena.” [CNET News]

US Government Programs

US – Border Data-Sharing Plan to Expand

Privacy advocates have expressed concerns over data sharing between the U.S. and Canada. Since the 2011 Canada-U.S. Beyond the Border action plan, the two countries have shared biometric data on 756,000 border crossers considered third-country nationals and permanent residents. Next year, the data shared will expand to include all travelers. Advocates are concerned the data could be used for secondary purposes. “We have provided questions to Canada Border Services Agency seeking information on how personal information collected may be used and by what other federal organizations and for what possible secondary uses outside of monitoring travel and immigration,” said a spokesman for Canada’s privacy commissioner. [Postmedia News]

US – GSA Seeks Comments on Cybersecurity Standards and Purchasing

The US General Services Administration (GSA) and the Pentagon have issued a request for information seeking input from industry on how best to incorporate cybersecurity standards into government purchasing requirements. Some ideas GSA and DOD are considering include establishing an accreditation program and allowing certain acquisitions to be exempt from cybersecurity standards. The goal is to protect government systems while not impeding market entry for potential new contractors. Comments will be accepted through June 12. [Washington Post] [Federal Register]

US – Vendors Want Cybersecurity Rule Freeze Until Standards are Issued

Federal contractors are asking the US General Services Administration (GSA) to temporarily suspend cybersecurity rulemaking until the government issues national guidelines later this year. The specific regulations may be “well intentioned” but there is concern that rules created now might conflict with the standards that are expected by November. [NextGov]

US Legislation

US – Bill Would Require Feds to Obtain Warrant to Seize Phone Records

Four US legislators have introduced a bill that would require federal agencies to obtain a court order prior to obtaining phone records. The proposed legislation follows close on the heels of the disclosure that federal investigators obtained phone records of Associated Press (AP) journalists with just a subpoena. The Telephone Records Act, as currently written, allows federal agents to obtain records from service providers with an administrative subpoena to discover basic subscriber information, such as name, address, payment card number, and phone records. The proposed legislation, The Telephone Records Protection Act, protects all Americans’ phone records from being seized by federal agencies without a warrant. Federal agents would need to obtain judicial review before gaining access to those data, and they would have to provide “specific and articulable facts [that prove the requested data are] relevant and material to an ongoing criminal investigation.” The US Justice Department has been roundly criticized for the AP incident, in which they obtained phone records for 20 lines, some of which were the work and home numbers of AP reporters. DOJ maintained that it was following procedure when it issued a subpoena for the information. [WIRED]

US – Senator Introduces Bill to Bolster Fourth Amendment Rights

Sen. Rand Paul (R-KY) has introduced a bill aiming to ensure adequate Fourth Amendment rights when it comes to electronic communications. “The Fourth Amendment Preservation and Protection Act of 2013” requires specific warrants granted by judges for law enforcement to obtain electronic communications data. “In today’s high-tech world, we must ensure that all forms of communication are protected. Yet government has eroded protecting the Fourth Amendment over the past few decades, especially when applied to electronic communications and third-party providers,” Paul said. [Source]

US – Maine Cellphone Bill Could Be Nation’s First

The Maine legislature is set to pass what would be a first-in-the-nation bill requiring law enforcement to obtain a warrant prior to accessing an individual’s cellphone location history. Following last week’s vote by the Senate, the House voted 113-28 on Wednesday in favor of the bill. If passed, the bill would require the warrants with exceptions for emergencies such as bodily harm and would require police to notify individuals within three days that their data has been accessed. LD 415 now goes back to the Senate for enactment. [The Portland Press Herald]

US – Texas Likely to Enact Nation’s Strongest E-Mail Privacy Law

After unanimously passing both houses of the Texas state legislature, HB 2268 has landed on Gov. Rick Perry’s desk for enactment. If signed, Texas would host the nation’s strongest e-mail privacy bill. The proposed bill would require state law enforcement to obtain a warrant prior to accessing any e-mails, regardless of age of the electronic documents. Though the bill would give residents protections from state-level snooping, the bill would not prevent federal investigations. Perry has until June 16 to sign or veto the bill. If he does neither, the bill would automatically go into effect on September 1, the report states. [Ars Technica]

US – Washington Passes Password-Protection Bill

Washington’s governor has signed a law prohibiting employers from asking potential employees for passwords to social media accounts. The bill was sponsored by state Sen. Steve Hobbs (D-Lake Stevens), who said he was pleased the bill passed. “Privacy shouldn’t be a thing of the past that we are forced to sacrifice every time technology moves forward,” he said. Maryland, Illinois, California, Michigan, Utah, New Mexico, Arkansas, Colorado and New Jersey have similar laws. [Associated Press]

US – State Legislative Roundup

Over the past two weeks, several states have enacted or initiated privacy legislation. California has moved forward on a security breach notification law, and Maine has considered a 911 privacy bill. Topping state legislative action, however, are social media privacy laws. From Utah to New Jersey, states are clamping down on the employer practice of requiring employees and applicants to disclose social media passwords. In this roundup, we take a look at these initiatives and some concerns that these social media laws could conflict with the Financial Industry Regulatory Authority. [The Privacy Advisor] See also: [US: NetChoice: California privacy bills are bad for Internet]

Workplace Privacy

EU – Schaar: Busting Employees Online Is Illegal

German Federal Data Protection Commissioner Peter Schaar says job centers that search online for employees abusing unemployment benefits are breaking the law. “Job center employees are under no circumstances allowed to log into social networks or even under false pretenses become online friends with people in order to gain access to their data,” Schaar told a magazine. The report states that only if someone receiving unemployment benefits “is uncooperative and refuses to give out relevant data” can a center turn to the Internet—and, even then, the employee must be notified of the data collection, Schaar added. [The Local]

US – Survey Reveals Employees Not Concerned About Privacy on the Job

According to a SpectorSoft survey, 91% of U.S. employees accept and welcome computer monitoring during work hours. In addition to revealing changing attitudes among U.S. employees when it comes to privacy and the workplace, the survey also showed that employees’ non-work-related computer activities are costing businesses millions of dollars in lost productivity annually, e.g.:

  • 100-employee businesses have productivity losses of 13,750 hours annually, equivalent to paying seven full-time employees to do nothing all year
  • 1,000-employee businesses have productivity losses of 137,500 hours annually, equivalent to paying 69 employees to do nothing all year
  • 5,000-employee businesses have productivity losses of 687,500 hours annually, equivalent to paying 344 employees to do nothing all year

SpectorSoft has produced an infographic showing the key findings from the survey:

  • 75% of employees accept that employers may monitor their computer activities.
  • 16% of employees are “glad” their employers monitor their computer activities.
  • 9% of employees were “mad” about being monitored during working hours.
  • 49% of employees said their employers monitored their computer activities.
  • 69% of employers that have Internet Acceptable Use Policies (IAUP) monitor employees.
  • 15% of employers that do not have IAUPs monitor employees’ activities.

“This survey reveals that businesses desiring to strengthen security, improve efficiency and stop bleeding millions in lost productivity need to find ways to control employees’ use of corporate computing resources during work hours,” said Nick Cavalancia, vice president at SpectorSoft. [Wall Street Journal] See also: [AB: Release of truck driver’s work history violated privacy laws, watchdog says] and [Karen Selick: Get the picketers off my porch]

+++