16-30 June 2013


CA – Poor Data Breach Tracking, Reporting Concerns Privacy Commissioner

Canada’s privacy czar has singled out several federal departments for their lacklustre approach to data breaches, citing a need for better reporting, security and tracking protocols. Jennifer Stoddart’s office has compiled a preliminary list of agencies with potentially worrisome patterns when it comes to the loss of Canadians’ personal information. The analysis is based on departmental figures tabled in Parliament in April in response to a question from New Democrat MP Charlie Angus. The response indicated there were more than 3,000 data breaches over a 10-year period affecting about 725,000 Canadians. After taking a close look at the numbers, the privacy commissioner identified nine departments and agencies that may lack adequate reporting mechanisms, have faulty security procedures or require improved tracking protocols. During a recent meeting, Stoddart urged Treasury Board President Tony Clement to amend privacy law to make reporting of federal data breaches mandatory. [Source]

CA – Gun Registry Data to Be Deleted in Quebec: Court

A Quebec court has sided with the Harper government, saying the province has no right to the federal long-gun registry data. Quebec’s highest court has ruled against the provincial government, which is trying to save data for that province from being destroyed. “Quebec has no property right in the data,” said the 14-page verdict. The data does not belong to Quebec, and the provinces have no control over it. The Parliament of Canada, which considers the data at issue to be pointless and inefficient, and believes that its existence in a registry infringes the right to privacy, can certainly decide to stop compiling and preserving that information,” it noted. Various observers have predicted the issue will wind up before the Supreme Court. The long-gun registry was scrapped in the rest of Canada last year, but remains operational in Quebec following a series of injunctions safeguarding the Quebec data and ordering the registry be maintained while the federal-provincial battle plays out in court. [Source]

CA – Saskatchewan Privacy Rights in Lag Behind Rest of West: Report

Saskatchewan’s Information and Privacy Commissioner says this province is lagging behind its neighbours in Western Canada in both privacy and access to information matters. Gary Dickson, who released his final annual report this week, says citizens of British Columbia and Alberta have stronger rights in these areas than people in Saskatchewan. His second five-year term as information and privacy commissioner ends April 27, 2014. In his report, Dickson says when it comes to access and privacy, “Saskatchewan is still a have-not province.” Dickson said he’d like to see administrative responsibility for privacy and access cases be moved out of the Ministry of Justice, citing concerns that the ministry takes an adversarial role. Another ministry might be better suited to promoting citizens’ access and privacy rights, he said. [Source] SEE ALSO: [Regina police aren’t required to identify pin pad fraud businesses] and [Canadians questioning privacy rights]

CA – Alberta Commissioner Rules Against Secret Trucker Database

This recent decision of the Privacy Commissioner of Alberta (Professional Drivers Bureau of Canada Inc. Case File Number P1884) deals with the collection of personal information of truck drivers by a private service company, called the “Professional Drivers Bureau”. This company collected personal information about drivers from trucking companies, created a database of information, and then offered a search service, by which trucking companies paid a fee for a report on the driver. In that report, the personal information about the driver was disclosed to the trucking company. The personal information was gleaned and compiled into a database over a long period of time, and it became clear during the Commissioner’s investigation that the individuals never consented to this collection, use and disclosure. The Commissioner ultimately decided that the “Professional Drivers Bureau” was in breach of Alberta privacy laws because it never obtained consent directly from the individual truck drivers. [Source]

CA – Alberta Premier Wants Anonymous Online Tool to Report Bullying

Alberta could soon move to implement a system to allow for anonymous online reporting of bullying in real-time and is also looking to give police enhanced powers to combat the harassment and abuse of young people, says Premier Alison Redford. With bullying a hot topic at Monday’s Western Premiers’ Conference, Redford said she would like to follow the path of British Columbia, which brought in an online reporting mechanism as part of its “Erase Bullying” initiative in the wake of the suicide of bullied teenager Amanda Todd. B.C. Premier Christy Clark said the system allows students to report incidents of bullying as they are happening. School personnel are notified immediately as are emergency personnel, if necessary, she told reporters at the premiers’ closing news conference. As a followup, professionals at the district level connect with the school to provide support in dealing with the bully and the victim appropriately. “The important thing about this, though, is that it’s not an app that you load on to your iPhone, because kids don’t want to have a fink app on their iPhone. “It’s an online reporting tool that you can go to on the web,” said Clark, who said there are “thousands” of cases of bullying occurring daily, but youth are afraid to report them because of the potential for retribution. [Source]


US – Retailer Sued for Collecting Customer Zip Codes

Urban Outfitters Inc., is facing a class action in Washington federal court over allegations the clothing retailer collected customer zip codes in violation of District of Columbia consumer protection laws. The complaint, filed June 21 in U.S. District Court for the District of Columbia, accused Urban Outfitters Inc. of asking for customer zip codes in a way that implied the information was required to complete a credit card transaction. The plaintiffs claimed Urban Outfitters, which also owns Anthropologie-brand stores, used the zip codes to track down customer addresses for marketing purposes. [Source]

UK – Biz Launches Data-Driven Car Insurance for Youth

UK-based Tesco Bank has launched a new car insurance service that tracks and analyzes driver behavior to determine policy rates. Called Box Insurance, the company places technology in a customer’s vehicle and uses telematics data from the car, which is then sent to the insurer’s data center for analysis. The Association of British Insurers recently posted an advisory note warning that companies must be transparent about their data use, stating, “Consumers need to trust insurers to treat them fairly and protect their personal information.” Tesco has said it will “keep all your data, including driving data, safe and confidential,” adding that it won’t “share driving data with the police or other bodies without a court order or your consent, unless we suspect fraud.” [Information Age]


CA – Taxpayers Assured Protection When Lodging Complaints Against Taxman

Canada’s taxpayers’ ombudsman is offering help for people who fear there may be a backlash if they lodge a complaint against the revenue department. Ombudsman J. Paul Dube has made an addition to the Canadian Taxpayers Bill of Rights that says Canadians are entitled to lodge service complaints and request formal reviews without fear of reprisal from the CRA. Dube says the new right was created because some taxpayers fear exercising their rights when dealing with the CRA. [Source] SEE ALSO: [Two CRA employees violated privacy laws for years before being caught, reports show] and [ON: Watchdog slams McGuinty’s office over deleted emails]

US – Plans for Data-Sharing Steeped in Privacy Concerns

Virginia state plans to implement a data system aimed at improving student preparation for college and workforce. The talks have been steeped in privacy concerns surrounding student data, which school officials well understand based on recent news on the National Security Agency’s surveillance methods. “This is not the greatest time in government to be talking about the cool data we collect,” said a spokesman for the Virginia Education Department. “It’s right for parents to be concerned about privacy. We share that concern.” The system would allow agencies to share data to track student progress, helping officials to create policies around the most successful routes. [The Washington Post]

CA – New App Could Let Citizens Report Illegal Parking, Get Cut of Fine

A new app called SpotSquad could soon pay people to report parking infrastions to authorities. The concept is simple, says Chris Johnson, co-founder of the app: when someone sees a parking violation, they simply need to open up the app on their smartphone, upload a photo, choose the type of infraction and submit it – the photo is then sent to regional parking authorities who can dispatch a ticket warden. If the tip results in a fine, tipsters get a cut deposited into their bank accounts or donated to their favourite charities – as much as 10 or 20%, says Johnson. The group haven’t yet struck any deals but say they’re open to working with municipalities and private parking lot operators. A similar app already exists in the U.S. Texas-based Parking Mobility runs a program that allows trained volunteers to take photos of cars parked in disabled spots. Rewards are paid out to charities or parking offender rehabilitation programs. The program works because the organization has spent years negotiating agreements with police departments and cities. The group has also launched a pilot project in Vancouver but results have been disappointing. Unlike in the U.S., tipsters are prohibited from reporting on violations made on private property. The Canadian app, SpotSquad, could open up a legal minefield, according to a Winnipeg lawyer specializing in privacy and social media law. Public sector workers who do similar work are bound by privacy laws, lawyer Brian Bowman told CTV Winnipeg. That wouldn’t be the case with this app. “You are empowering citizens and paying them to arguably act as an agent for you,” he said. [Source]


US –Texas Governor Signs Strict eMail Privacy Bill

Texas Governor Rick Perry has signed House Bill 2268 into law. The measure requires that law enforcement obtain a warrant before snooping on email. The law takes effect immediately. The law makes Texas the first state to have a law that is more stringent that the federal Electronic Communications Privacy Act (ECPA), which requires a warrant only for unopened email that is less than 180 days old. [Source] [Source] SEE ALSO: [GEIST: Is the Government About to Can Its Own Anti-Spam Law?]

EU Developments

EU – France Gives Google 3 Months to Address User Data Privacy Concerns

French data privacy body, Commission Nationale de l’Informatique et des Libertes (CNIL), has given Google three months to implement changes to the way it collects and manages customer data. The commission found Google to be in violation of the French Data Protection Act. CNIL’s June 10 decision lists the changes it expects from Google, including explaining to users how the data they collect will be used, and not retaining data beyond the time necessary for the purpose for which they were collected. If Google does not comply with the order, the company could face sanctions. Google is facing enforcement action over privacy practices in several other EU countries, including Spain and Germany. [CNET] [The Register] [ComputerWorld] [Reuters]

EU – Albrecht: Reports Suggest NSA Intercepted Regulation Data

“If the actual revelations on these spying activities are true, then it is completely clear that there have been also interceptions with the activities of this regulation,” German Green MEP Jan Philip Albrecht said of the EU’s draft data protection regulation in response to this weekend’s reports on the U.S. National Security Agency (NSA) allegedly spying on EU activities. Lobbying efforts against the draft regulation by the U.S. government and U.S.-based companies, quoting Albrecht as saying, “Perhaps it’s time to re-discuss once more if we really want to completely exclude national security from the scope of the regulation.” A European Commission spokeswoman has called the weekend allegations “disturbing” and said the European External Action Service has asked Secretary of State John Kerry to respond. [EUObserver] SEE ALSO: [Ars Technica: Students Challenge Firms Over NSA Data Transfers]

EU – Rule Sets Out Data Breach Notification Expectations for Telecoms and ISPs

The European Union has issued new regulations describing the responsibilities of telecommunications companies and ISPs when they experience data breaches. The incidents must be reported to data protection authorities within 24 hours of their discovery. The companies must report the size and nature of the breach, what data were compromised, and what steps they have taken to address the issue with customers. Businesses and consumers will be told of the breach if it “is likely to adversely affect personal data or privacy.” That decision will be made by the national data protection authorities using a test to be provided by the European Commission. Notification of authorities has been required for several years, but the new regulation establishes specific details. Companies can be exempt from the requirements if they encrypt data. [PC World] [ZDNet]

EU – Search Engine Not Controller, EU Court Rules

The EU’s top court ruled that Internet search engines cannot be considered “the controller” of personal data hosted on other websites. EU Court of Justice Advocate General Niilo Jaeaeskinen said in a nonbinding opinion, “A national data protection authority cannot require an Internet search engine service provider to withdraw information from its index.” The case, C-131/12 , stems from approximately 200 orders from Spain’s Data Protection Authority for Google to remove personal data from indexed websites. A spokesman for Google said, “This is a good opinion for free expression…We’re glad to see it supports our long-held view that requiring search engines to suppress ‘legitimate and legal information’ would amount to censorship.” [Bloomberg]

EU – Court Backs Google in Privacy Case

Google must respect EU privacy law but is not obliged to delete sensitive information from its search index, an adviser to the highest EU court said, in a case that tests whether people can have harmful content erased from the Web. The adviser backed the internet search giant’s position that it cannot erase legal content from the internet even if it is harmful to an individual. But he rejected the view of many U.S. internet firms that they are not bound by EU privacy law. “Requesting search engine service providers to suppress legitimate and legal information that has entered the public domain would entail an interference with the freedom of expression,” the Luxembourg-based court said in a statement setting out Advocate General Niilo Jaaskinen’s opinion. While internet-based firms operating in the European Union must adhere to national data protection laws, that did not oblige them to remove personal content produced by third parties, the statement said. “Search engine service providers are not responsible, on the basis of the Data Protection Directive, for personal data appearing on web pages they process.” Lawyers agree that Google’s search algorithms, which hunt and list weblinks based on how relevant they may be, would not be in a position to “know” whether data was personal or not. A final judgment on the case is expected before the end of the year. [Source]

EU – Taking Photos in Private Settings to Be Illegal in Sweden

Sweden has taken the unusual step of making it illegal for take pictures in private environments without permission. The new privacy law takes effect July 1, and it carries with it some strict penalties, ranging from a fine to a jail term of up to  two years. That gives judges some ability to harshly punish someone taking secret video of people in changing rooms, while being more lenient on someone who took otherwise innocent photos in a person’s home. The new law would also make certain other acts illegal, such as installing a camera intended to take secret photos, even if no photos are actually taken. Critics say the law is a bit vague, as everyone’s definition of a private environment is different. A supermarket may be open to the public, but it’s privately owned. Exceptions are made in the law for journalists, though the Swedish Union of Journalists stands in opposition to it. “What’s unfortunate about this law that the parliament has approved is that a professional photographer doesn’t know when he raises the camera to take a picture if he is committing a criminal act or not,” explains board member Stephen Lindholm. “The risk is that pictures that should be taken aren’t because of fear of committing a crime.” [Source]

EU – Italian Garante Concerned About Government Measures

The president of Italy’s Data Protection Authority, the Garante, has voiced concerns about the Italian government’s recent measures aimed at simplifying the country’s data protection code. Garante President Antonello Soro’s concerns are that the government measures are “in breach of the EU Directive, Lisbon Treaty and Italian laws as well.” [Source]

Facts & Stats

WW – Firms Take 10 Hours to Spot Data Breaches, Mcafee Finds

The average organisation believes it would spot a data breach in 10 hours, a McAfee global survey of IT professionals has found. But is that result good, indifferent or an indication of the downright complacent? The firm’s interrogation of 500 decision makers from the US, UK, Germany and Australia earlier this year found that 22% thought they’d need a day to recognise a breach, with one in 20 offering a week as a likely timescale. Just over a third said they would notice data breaches in a matter of minutes, which counts as real-time by today’s standards. In terms of general security, three quarters confidently reckoned they could assess their security in real-time, with about the same number talking up their ability to spot insider threats, perimeter threats and even zero-day malware. All of this was despite 58% admitting they had suffered a data breach in the last year with only a quarter spotting that fact within minutes. When trying to locate the source of the breach – the most important aspect of any detection and remediation regime – a third said it took a day and 16% as long as a week. In McAfee’s view the general optimism buried in some of these numbers belies the probability that many organisations over-estimate both the speed at which they notice breaches and their ability to quickly trace their source. Third parties have backed them up on this, especially a survey from security vendor Trustwave that found that many data breaches take months to spot, with the average being 210 days; 14% take longer than two years. [Source]

MX – Study Highlights Data Breach Concerns

A Unisys study has found that 82% of Mexicans are “very concerned” about data breaches. The study showed that of the survey’s 1,052 respondents, most are concerned about breaches at banks and financial institutions followed by those at healthcare organizations, government agencies and telcos and Internet service providers. “Anxiety related to data breaches in Mexico seems pervasive and continues to persist despite efforts by governments and commercial organizations to secure consumers’ financial data,” the report states. However, the survey also found low reporting for cybercrime. [BNamericas]


CH – Swiss Court Stops Handover of Credit Suisse Employee’s Data to U.S.

A Swiss court has ordered an injunction halting the transfer of a former Credit Suisse employee’s data to U.S. tax authorities. The ruling highlights Switzerland’s difficulties in balancing traditions of personal privacy against U.S. demands for data from roughly a dozen Swiss banks under formal investigation by U.S. prosecutors. Those banks, including Zurich-based Credit Suisse, have been handing over information on their U.S. dealings for months now, part of efforts to avoid indictment and minimise fines for their role in helping wealthy While these banks have clinched special Swiss government permission to deliver business data – but no client files – parliament failed last week to back a draft law covering the wider Swiss banking industry. While the court ruling is for one person’s data, “it will set a precedent and could be repeated for other employees who had access to U.S. clients.”.[Source] SEE ALSO: [Payment Privacy: Are Untraceable Purchases Ever Okay?] and [Bank’s new cybersecurity audits catch law firms flat-footed]


US – FISA Court Says Google and Microsoft May Disclose Procedural Information

The US Foreign Intelligence Surveillance Court has granted Microsoft and Google the right to disclose “procedural information” related to their legal challenges of gag orders that accompany national security requests. These orders prohibit the companies from disclosing details about the data they provide to the government. The companies want to clear their names of allegations that they gave the NSA unfettered access to their servers. Both companies say they provide data only when they receive a legal request supported by a court order. [The Register] [Politico] [CNET] [Source] [Source] [Source]

WW – Google Adds Malware Statistics to Transparency Report

Google will be adding statistics about malware to its transparency report. Google’s transparency report currently documents criminal requests and national security requests from governments worldwide, though it does not include requests from the federal government’s FISA regarding Google’s foreign users. Since that court made headlines this month, Google and other tech companies have been trying to contain the public relations crisis that has resulted from revelations that they have been aiding government surveillance efforts when ordered to by the court. Google has since filed a legal motion asking the government to relax its gag order and allow the company to disclose the number of FISA requests it receives. At the same time, Google said it would also be expanding its transparency report to include new numbers around malware and phishing attacks on the Internet. In 2006, Google started searching for, and flagging, suspect Web sites for its users. It is now flagging some 10,000 sites a day. The company said its transparency report would now document how many people see its security warnings each week, where malicious sites were hosted around the world (and by which ISPs), how long it took for Web masters to clean up their sites, and how quickly Web sites got re-infected after they were scrubbed of malware. As an example, during the first week of June, Google detected 37,000 legitimate sites that had been compromised to host malware and 4,000 sites that were created specifically to host malware. Earlier this year, it took websites an average of 50 days to clear themselves of reported malware. Google has been working on gathering relevant statistics for the last six months and that Google would begin updating its transparency report weekly. [The New York Times] [DarkReading] [eWeek] [CNET] [Ars Technica] [h-online] [SC Magazine] [Google.com] SEE ALSO: [Peter Fleischer: Mirror, mirror on the wall, who is the ugliest one of them all?]


US – Experts Propose Consolidating DNA Databases

This month an international group of nearly 80 researchers, patient advocates, universities and organizations like the National Institutes of Health announced that it wants to consolidate the world’s databases of DNA and other genetic information, making data easier for researchers to retrieve and share. But the security and privacy of the study subjects are paramount concerns, said Dr. David Altshuler of the Broad Institute of Harvard and M.I.T., a leader of the group. “The problems are not yet solved in any general way,” Dr. Altshuler said. “We want to work to solve them.” For years now, a steady stream of research has eroded scientists’ faith that DNA can be held anonymously. [New York Times]

Health / Medical

WW – Health Group Releases mHealth Study; Privacy in HTML5 Era

A new study by a mobile health advocacy group states there is not a “one-size-fits-all” resolution for mobile privacy legislation. The mHealth Alliance report, Patient Privacy in a Mobile World: A Framework To Address Privacy Law Issues in Mobile Health , also has provided a mobile privacy toolkit for using mobile health technology. The evolving nature of mobile technology “makes it difficult, and some may say ill-advised, to create rigid legal rules that may not fit future mHeath applications or worse that may hamper their development in the first place,” the study states. Meanwhile, CIO reports on how to ensure privacy in the age of HTML5. [Thomson Reuters]

CA – B.C. Health Ministry Told to Strengthen Privacy Practices

Elizabeth Denham ruled that there was a “lack of clear responsibility for privacy within the ministry” at the time of the breaches. She believed this was due, in part, to a lack of clear leadership and clarity of roles. “Ministry privacy governance was further weakened by a complete lack of audit and review of employee and contractor functions relating to privacy,” she wrote. “There were no mechanisms to ensure that researchers were complying with the privacy requirements, as stipulated in contracts and written agreements, and to ensure ministry employees were taking appropriate privacy training and following privacy policies. As a result, ministry employees were able to download large amounts of personal health data on to unencrypted flash drives and share it with unauthorized persons, undetected.” Ms. Denham concluded her report with 11 recommendations, including that the ministry implement technical security measures to prevent unauthorized information transfer; create a program to monitor and audit compliance by employees and contracted researchers; and ensure employees with access to such databases participate in mandatory privacy training. The ministry has accepted and will be implementing all of Ms. Denham’s recommendations, newly appointed Health Minister Terry Lake said. [Source] SEE ALSO: [Doctors experiment with social media and apps] NS [US: Ingestible smart pills are a hard act to swallow] and [UK: Health watchdog destroyed report in maternity hospital to spare its own blushes]

WW – For Sale: Ingestible Computers to Monitor Your Health

A new wave of prescription pills can e-mail your doctor after being swallowed. Ingestible computers in pill-form can now monitor health data and share it wirelessly with doctors. The pills stay intact throughout the intestinal tract and are powered through stomach acids. The Electronic Frontier Foundation says such a pill has wonderful and terrible aspects. “The wonderful is that there are a great number of things you want to know about yourself on a continual basis…The terrible is that health insurance companies could know about the inner workings of your body.” [The New York Times]

Horror Stories

US – AG Report Reveals Breaches Affect 2.5 Million in 2012

According to a first-of-its-kind report released by California Attorney General Kamala Harris, 2.5 million Californians had personal information put at risk because of electronic data breaches in 2012. Had companies encrypted data when sending it outside of a network, 1.4 million Californians would have been protected. Retail establishments were the worst offenders. Noting the dangers inherent to individuals’ privacy, finances and even personal security, Harris said companies and government agencies “must do more to protect people by protecting data.” [Source]

WW – Facebook Says Technical Flaw Exposed 6 Million Users

Facebook has inadvertently exposed six million users’ phone numbers and e-mail addresses to unauthorized viewers over the last year, the company said. Facebook blamed the data leaks, which began in 2012, on a technical flaw in its huge archive of contact information collected from its 1.1 billion users worldwide. As a result of the problem, Facebook users who downloaded contact data for their list of friends obtained additional information that they were not supposed to have. Facebook’s security team was alerted to the problem last week and fixed it within 24 hours. But Facebook did not publicly acknowledge the flaw until the next week, when it published a message on its blog explaining the situation. A Facebook spokesman said the delay was because of a company procedure stipulating that regulators and affected users be notified before making a public announcement. [The New York Times] SEE ALSO: [Facebook’s White Hat Program Helped Uncover Glitch]

CA – BC Lab Loses Personal Info of 16,000 Patients

About 16,000 patients in Kamloops who used LifeLabs’ medical-lab service in the last six years are being warned their personal information may have been compromised. LifeLabs president Sue Paish says a computer was sent to their main office in Burnaby for servicing, and when it was returned the hard drive was missing. The hard drive held the results of ECGs, or electrocardiograms, and was removed sometime last January. Paish issued an apology for the incident and added the information is password protected and requires special equipment to read. Health Minister Terry Lake learned of the breach last week and wonders why it took so long to notify both the government and the privacy commissioner. Lake says he’s been assured by LifeLabs that it won’t happen again. [Source]  Meanwhile, in other news: the personal data of 47,000 Florida teachers was exposed during a data transfer at Florida State University. The personal information was available online for approximately 14 days, according to the state’s Department of Education; Blizzard Entertainment has asked a California federal judge to dismiss a multi-million dollar class-action filed after a data breach, stating the plaintiffs have not alleged “actual harm.” And Seattle: Detective’s stolen laptop puts thousands at risk of identity theft.

US – Carnegie Mellon Publishes Empirical Analysis of Data Breach Litigation

Forbes reports on what organizations can do if they are the unlucky victims of a high-profile data breach. “At a minimum,” the article states, “start providing credit monitoring for victims to reduce litigation risk.” That’s according to researchers at Carnegie Mellon University and Temple University who found a six-fold reduction of being sued in federal court for those who provide credit monitoring. The paper, “Empirical Analysis of Data Breach Litigation ,” also found a 10-fold increase in litigation if the incident was a cyberattack rather than lost or improperly disclosed data. [Source]

Identity Issues

US – Brill Calls for “Reclaim Your Name” Program

Federal Trade Commissioner Julie Brill has called on Congress to legislate a “Reclaim Your Name” program. Suggesting that Big Data brokers are “taking advantage of us without our permission,” the program Brill has called for would establish technical controls allowing users to access the information data controllers have stored about them, then control it and correct it, the report states. The program could work in tandem with the still-being-negotiated Do-Not-Track (DNT) mechanism, Brill said, adding that she urges “the W3C stakeholders to forge ahead and reach consensus” on DNT. The Direct Marketing Association expressed surprise at Brill’s announcement, noting it has been in talks with her recently on increasing transparency. [AdAge] [Text of Speech to CFP] SEE ALSO: [Forbes: Acxiom Access Feature Delayed But Imminent]

CA – Wearing a Mask at a Riot Is Now a Crime

A bill that bans the wearing of masks during a riot or unlawful assembly and carries a maximum 10-year prison sentence with a conviction of the offence became law. Bill C-309, a private member’s bill introduced by Conservative MP Blake Richards in 2011, passed third reading in the Senate on May 23 and was proclaimed law during a royal assent ceremony in the Senate. Richards, MP for Wild Rose, Alta., said the bill is meant to give police an added tool to prevent lawful protests from becoming violent riots, and that it will help police identify people who engage in vandalism or other illegal acts. The bill is something that police, municipal authorities and businesses hit hard by riots in Toronto, Vancouver, Montreal and other cities in recent years, were asking for, according to Richards. The bill creates a new Criminal Code offence that makes it illegal to wear a mask or otherwise conceal your identity during a riot or unlawful assembly. Exceptions can be made if someone can prove they have a “lawful excuse” for covering their face such as religious or medical reasons. The bill originally proposed a penalty of up to five years, but the House of Commons justice committee amended it and doubled the penalty to up to 10 years in prison for committing the offence. Civil liberties advocates argued the measures could create a chilling effect on free speech and that peaceful protesters can unintentionally find themselves involved in an unlawful assembly. They also noted that there are legitimate reasons for wearing masks at protests; some may be worried about reprisals at work, for example, if sighted at a political protest. [Source]

WW – Yahoo Plans to Recycle Dormant User IDs

Yahoo plans to recycle Yahoo user IDs that have been inactive for a year or more. The company is aware of concerns about the old IDs falling into hands of people with malicious intents, but says it is going to “extraordinary lengths to ensure that nothing bad happens to our users.” One concern that has been voiced is that is someone acquiring a Yahoo ID that is linked with someone’s Gmail account could request a password reset for the Gmail account and take control of it. The same thing could potentially be done with social media and financial accounts. Yahoo released a statement noting that “any personal data and private content associated with these accounts will be deleted and will not be accessible to the account holder.” [CNET] [WIRED] SEE [“Own the email, own the person“]

Intellectual Property

US – $675,000 Filesharing Verdict Upheld

The US Court of Appeals for the First Circuit has ruled that a US$675,000 verdict against Joel Tenenbaum for filesharing is justified. In the ruling, the court wrote that although Sony was suing him for just 30 songs, Tenenbaum appears to have made many more songs than that available for sharing. In addition, “During discovery, Tenenbaum lied about his activities. Only at trial did [he] admit that he had distributed as many as five thousand songs.” [Ars Technica] [Document Cloud]

US – US Seized 1,700 Domains Over Three Years in Anti-Piracy Operation

“Operation In Our Sites,” an ongoing effort by US authorities to thwart intellectual property fraud, has seized more than 1,700 websites in the past three years. The offending sites offered illegally streamed sporting events; sold bogus apparel, accessories and counterfeit drugs; and allowed illegal downloads of music and movies. US authorities were
able to seize the sites because the domains – .net, .com, and .org – are controlled by US entities. [WIRED]

US – Pandora Says Music Streams Not Covered By Privacy Law

Pandora is asking the Ninth Circuit Court of Appeals to uphold a decision by a U.S. District Court that the company did not violate a Michigan privacy law by allegedly sharing web users’ music-listening history with their Facebook friends. U.S. District Court Judge Saundra Brown Armstrong dismissed a potential class-action lawsuit that Pandora violated Michigan’s Video Rental Privacy Act by participating in Facebook’s “instant personalization” program. Armstrong ruled the act doesn’t apply when companies “stream” tracks, as opposed to lending, renting or selling them, the report states. The suit’s plaintiff wants his claim revived, but Pandora says Armstrong was correct in her ruling. [MediaPost News]

Law Enforcement

US – FBI Confirms Drone Use, Says It’s Limited

FBI Director Robert Mueller testified to the U.S. Senate that the Federal Bureau of Investigation (FBI) sometimes uses drones for surveillance efforts. “It’s very seldom used and generally used in a particular incident when you need the capability,” Mueller said. “It’s very narrowly focused on particularized cases and particularized needs.” The testimony follows concerns by lawmakers and civil liberties advocates as revelations emerge on the government’s interception of U.S. citizens’ communications via its PRISM program. But the debate on drones has been ongoing. Mueller said the FBI is beginning to formulate privacy guidelines on the technology. [Bloomberg] [Drones Are Easy To Acquire, Lack Regulation]

US – Blood, Spit and Cops: Nationwide Drug Roadblocks Raise Eyebrows

The roadblocks went up at several points in two Alabama towns, about 40 miles on either side of Birmingham. For the next two days, off-duty sheriff’s deputies in St. Clair County, to the east, and Bibb County, to the southwest, flagged down motorists and steered them toward federal highway safety researchers. The researchers asked them a few questions about drinking and drug use and asked them for breath, saliva and blood samples — offering them $10 for saliva and $50 to give blood. It’s not just in Alabama. The roadblocks are part of a national study led by the National Highway Traffic Safety Administration, which is trying to determine how many drivers are on the road with drugs or alcohol in their systems. Similar roadblocks will be erected in dozens of communities across the nation this year, according to the agency. It’s been going on for decades. Previous surveys date to the 1970s. The last one was run in 2007, and it included the collection of blood and saliva samples without apparent controversy, sheriff’s spokesmen in both Alabama counties said. But this time, it’s happening as the Obama administration struggles to explain revelations that U.S. spy organizations have been tracking phone and Internet traffic. Against that backdrop, the NHTSA-backed roadblocks have led to complaints in Alabama about an intrusive federal government. Susan Watson, executive director of the Alabama chapter of the ACLU, called the use of deputies to conduct the survey an “abuse of power.” Even though the survey is voluntary, people still feel they need to comply when asked by a police officer, she said. “How voluntary is it when you have a police officer in uniform flagging you down?” Watson asked. “Are you going to stop? Yes, you’re going to stop.” The agency said the 8,000 drivers expected to take part will do so voluntarily and anonymously, and researchers follow “a highly scientific protocol and complex statistical design in order to accurately reflect the problem nationwide.” [Source]


CH – China’s First-Ever National Standard on Data Privacy

The Information Security Technology-Guide for Personal Information Protection within Public and Commercial Systems (“Guidelines”), China’s first-ever national standard for personal data privacy protection, came into effect on February 1, 2013. The Guidelines, while not legally binding, are just what they purport to be – guidelines – some commentators view these as technical guidelines. However, the Guidelines should not be taken lightly as this may be a pre-cursor of new legislation ahead. China is not quite ready to issue new binding legislation, but there are indications it seeks to develop consistency with other internationally accepted practices, especially following recent data legislation enacted in the region by neighboring Hong Kong and other Asian countries. [Mondaq News]

SK – Presidential Office Hacked

A hacking attack on the presidential office has resulted in the leak of 100,000 individuals’ personal information. The information includes names, birth dates, ID numbers and both online and offline addresses, the report states. Users’ registration
numbers—similar to Social Security numbers—were not affected because they were encrypted. The presidential office has issued an apology and is offering compensation to those affected. [ZDNet]

Online Privacy

EU – Working Group: Default Should Be No Tracking

The EU’s International Working Group on Data Protection has released a whitepaper on online behavioral advertising, reports the Electronic Privacy Information Center. The working group says in its release that World Wide Web Consortium efforts to create a Do-Not-Track mechanism could serve as a “sugar pill instead of a proper cure and would such be useless.” The working group recommends that the default setting be that users are not tracked. [Paper] SEE ALSO: [Forbes: The Web Cookie Is Dying. Here’s The Creepier Technology That Comes Next]

WW – W3C Moves Forward on June Draft; Group Launches Privacy Controls

ZDNet reports on two developments in the Do-Not-Track initiative. First, those participating in a World Wide Web Consortium conference call agreed to accept a draft of the standard in an effort to work toward “Last Call,” when the proposal is brought for a vote. The draft is being dubbed the June Draft. Also, Mozilla has teamed up with Stanford’s Center for Internet Society to announce it is launching its own set of privacy controls on the web. Called a “Cookie Clearinghouse,” it will allow users to create and maintain “allow lists” and “block lists,” the report states. [Source]

WW – IAB Disapproves of Cookie Clearinghouse

Mozilla’s involvement with The Center for Internet and Society at Stanford Law School in an effort to improve Internet privacy is a “Kangaroo cookie court” according to the Interactive Advertising Bureau (IAB). The IAB disapproves of the ongoing project called the “Cookie Clearinghouse,” a control system that allows users to maintain a “block” and “allow” list when it comes to cookies. But the IAB says the system “replaces the principle of consumer choice with a ‘Mozilla knows best’ system.” Mozilla said it hopes the IAB and other industry groups will get involved in the project to better the user experience [CNET].

WW – Creepy Facebook Apps Mine Your Profile for Bikini Shots, Break-Up Status

Facebook isn’t to blame. More and more apps built to take advantage of the Facebook social network’s very social tools are hopping the fence from useful and crossing over into downright creepy territory. I looked at several of these apps, which handle tasks such as searching for photos of your friends in their bikinis to notifying you about people who are newly single, to see just how disturbing they are. Some worked more or less as advertised. Others failed miserably, which is good news, as some of the very concepts made my skin crawl. [Source] SEE ALSO: [New York Times: Data You Can Believe In: The Obama Campaign’s Digital Masterminds Cash In]

Other Jurisdictions

IN – CCTV Not Covered in Draft Law

Those whose images are captured via CCTV in public places “will not be able to invoke the proposed privacy law to seek redress.” That is one provision of the draft privacy bill “likely to be tabled in Parliament’s forthcoming session,” the report states, noting the bill does include the creation of a national body to hold individuals, organizations and others accountable for audio and video recording. The bill “addresses the home ministry’s concern that interception laws must not change and that footage from security cameras in public places are kept out of the ambit of the new law,” officials said. [The Indian Express

AU – Breach Notification Laws Fail to Pass Before Break

The Australian Senate has failed to pass mandatory data breach notification reform laws, which were expected to go into effect by March of next year. The Senate has now taken its break until the next election. The proposed law was described by the Australian Law Reform Commission in 2008 as a “long-overdue measure,” Business Spectator reports. The Senate did pass laws last week requiring commonwealth public officials to report suspected wrongdoing, reports The Register. Meanwhile, a new report says that many Australian data-driven firms are using consumer data to support existing beliefs rather than “achieve fresh insights.” [Business Spectator] [AUS: Banks slam new privacy proposal] see also: [NZ: Govt chief information officer role to be expanded]

Privacy (US)

US – NSA Outlines Steps to Reduce Leaks

To prevent Edward Snowden-type leaks, the National Security Agency is considering a number of measures, including reducing the number of systems administrators it employs, NSA Director Keith Alexander says. The agency also is considering requiring individuals with top-secret security clearance to be partnered to access certain classified documents. Testifying on June 18 before the House Select Permanent Committee on Intelligence, Alexander said the NSA employs at least 1,000 systems administrators with security clearances, most of whom are on the payrolls of government contractors. “About 12 to 13 years ago, as we tried to downsize our government workforce, we pushed more of our information technology workforce, our systems administrators, to the contract arena,” Alexander said. “That’s consistent across the intelligence community.” [Source] [ZDNet] [ComputerWorld] [WIRED] [Privacy groups skeptical of plan to limit NSA’s data access]

US – Former NSA Official Says Anti-Leak Technology Not Deployed

A former NSA cybersecurity official said that when he left the agency in the summer of 2012, there was no anti-leak technology on NSA networks. After Bradley Manning’s alleged data theft came to light, the US Department of Defense rolled out a Host Based Security System (HBSS) to detect unauthorized activity on DOD networks. One of the system’s features is to monitor removable data devices, like those allegedly used by Bradley and more recently by Edward Snowden. The official said that the HBSS was not installed on NSA networks as of last summer. He also commented on NSA Director General Keith Alexander’s plan to have the NSA use a two-person rule for data access, saying that it could prove too cumbersome for specialists who need to do fast-paced work, and noted that “the best safeguard would be locking down the content at the source.” [NextGov]

US – Senators Say NSA Inaccurate on Protections

Two senators on the intelligence committee have accused the National Security Agency (NSA) of publicly presenting inaccurate statements about the privacy protections on its surveillance of millions of Internet communications. However, Sens. Ron Wyden (D-OR) and Mark Udall (D-CO) say they cannot identify the inaccuracies within a factsheet without exposing classified information. In a letter written to NSA Director Gen. Keith Alexander, the senators wrote they were “disappointed to see that this factsheet contains an inaccurate statement about how the section 702 authority has been interpreted by the U.S. government…this inaccuracy is significant, as it portrays protections for Americans’ privacy as being significantly stronger than they actually are.” [The Guardian]

US – Former U.S. Rep. Bono Joins Leibowitz to Co-Chair New Privacy Coalition

A group of the nation’s largest telecommunications companies have founded the 21st Century Privacy Coalition. The coalition will be co-chaired by former Federal Trade Commission Chairman Jon Leibowitz and former U.S. Rep. Mary Bono. Founding members include AT&T, Comcast, CTIA-The Wireless Association, Directv, Time Warner Cable, Verizon and the U.S. Telecom Association. In an exclusive interview with the IAPP, Bono said the coalition has nothing to do with the recent NSA revelations and has in fact been in the works for some time, dating back to when she was still serving as chairwoman for the Subcommittee of Commerce, Manufacturing and Trade. “It was clear there was a need,” she said. [Adweek]

US – New COPPA Rules Take Effect Today; Marketers May Not Be Ready

Jeff John Roberts discusses what COPPA’s new rules mean for marketers. The revised law comes into effect today and can impose penalties of up to $16,000 per violation. Many app developers may not be prepared for the rules, which require parental consent before collecting basic data on children. Fast Company predicts three outcomes following today’s implementation of the law: The privacy business–including Safe Harbor programs and privacy lawyers–will boom; sites will neglect to ask users’ age, and/or a “chilling effect” will take place on the development of educational apps and games. [GigaOm]

US – Advocates: Facebook Settlement Not Enough

At a recent hearing, children’s advocates worked to convince U.S. District Judge Richard Seeborg that last year’s proposed settlement of a case surrounding Facebook’s Sponsored Stories doesn’t do enough to protect children’s information. The Children’s Advocacy Institute argued that minors’ content should be off limits to advertisers, but Seeborg—without indicating how he would rule—noted that his function “is not to craft the perfect policy for minors” but only to say whether the settlement is fair. Seeborg gave initial approval of the settlement last year, but it still needs his final sign-off. [Reuters]

US – FTC, Ireland DPA Sign Enforcement Assistance Memorandum

FTC Chairwoman Edith Ramirez and Ireland Data Protection Commissioner Billy Hawkes have signed a memorandum of understanding (MOU) to “promote increased understanding and communication” between both agencies, an FTC press release states. Ramirez said the MOU “is a step forward for the FTC in cross-border privacy enforcement.” Hawkes said he “very much welcomes this important development, which I believe will have valuable assistance to my office…” [The Privacy Advisor]

US – FBI Scanning Driver’s License Images

The FBI has gained access to driver’s license photos for residents of Nebraska, Illinois, South Carolina, Utah, North Carolina, Delaware, Texas and other states to hunt for suspects in criminal investigations. In memorandums obtained through a Freedom of Information Act request by the Electronic Privacy Information Center, the FBI is authorized to search state databases, which include images and personal information. “The anticipated result of that search will be a photo gallery of potential matches. These potential matches (candidates) will be forwarded to the FBI, along with any associated information stored with the photo.” The agreements between the state motor vehicle divisions and the FBI allow the FBI to use facial recognition systems to compare subjects of investigations to the millions of license and identification photos retained by states. EPIC’s letter explained: “The increasing expansion of facial recognition technology carries with it a number of privacy and security concerns. Facial recognition data is personally identifiable information and improper collection, storage, and use of this information can result in identity theft or inaccurate identifications. “Additionally, an individual’s ability to control access to his or her identity, including determining when to reveal it, is an essential aspect of personal security that facial recognition technology erodes. Finally, ubiquitous and near-effortless identification eliminates individuals’ ability to control their identities, posing special risk to protesters engaging in lawful, anonymous speech. The U.S. Supreme Court has repeatedly upheld the right to engage in political speech anonymously.” [Source] [Police Using Driver’s License Photo Databases in Criminal Investigations]

US – Privacy Committee Hearings on Driver’s License Applicants

A Missouri House committee formed to investigate the Department of Revenue’s scanning of driver’s license applicants’ documents has begun two days of hearings into the controversy. The first witness to testify before the House Bipartisan Investigative Committee on Privacy Protection was Jackie Bemboom, head of the Department of Revenue’s Motor Vehicle and Driver’s License division. She testified under oath that they are not trying to comply with the federal Real I-D Act of 2005, but that several of their procedures coincide with Real I-D. “Real I-D asks for the photo to be on the license,” Bemboom saisd. “Real I-D asks for a database, and we’ve been doing a database since 1939.” But committee member and Osage County Sheriff Michael Dixon said Revenue officials have complied with 34 out of 39 items, giving the impression that the department is trying to comply with Real I-D. Bemboom maintains that the scanning and storing of source documents is being done to combat fraud. The chair of the committee, Republican House Member Stanley Cox of Sedalia, said several officials from Governor Nixon’s office were set to appear Wednesday, but have since canceled. [Source]

US – Privacy Groups Push Back Against License Plate Database

The massive storage of license plate and vehicle data by law enforcement agencies across Southern California is sparking a debate over the privacy rights of citizens in their cars. Through interagency agreements among the Los Angeles and San Bernardino county sheriff’s departments and more than 30 police departments, cameras called Automated License Plate Readers — mounted to police cruisers or in fixed locations — capture the data on millions of cars across the region. License plate numbers and a vehicle location history are then automatically fed into and permanently stored on one of three databases. On average, a cruiser equipped with an ALPR camera can collect data on 10,000 cars in a single shift, according to industry reports. A lawsuit filed by two privacy rights groups says each of the 7 million registered cars in greater Los Angeles has had its license plate scanned an average of 22 times since the program launched. The curation of so much information on personal vehicles has raised the ire of privacy groups, which are beginning to push back against the data mining efforts of Los Angeles County’s two largest law enforcement agencies. [Source] SEE ALSO: [E-License Plate: Wave of the Future or Menace?]

US – Supreme Court Bars Lawyers From Accessing Drivers’ Database

The U.S. Supreme Court has ruled that lawyers cannot gather personal information about drivers from state databases when seeking plaintiffs for potential lawsuits. The court held in a narrow 5-4 vote that the federal Drivers Privacy Protection Act of 1994 does not allow lawyers to seek the information. The case hinged on language in the law that allows access to the data for lawyers pursuing an “investigation in anticipation of litigation.” A group of drivers sued lawyers who had sought the personal information from the South Carolina Department of Motor Vehicles. The lawyers were seeking to file a lawsuit on behalf of customers against car dealerships over alleged unlawful administrative fees. In the majority opinion, Justice Anthony Kennedy said that “an attorney’s solicitation of clients” did not fit into the section of the law that refers to litigation. What the law protected, he added, was the right of lawyers to seek information in ongoing cases in which they already represent someone. The case is Maracich, et al v. Spears, et al, U.S. Supreme Court, No. 12-25. [Source]

US – PCLOB Public Workshop on Surveillance to be Held

Following the Privacy and Civil Liberties Oversight Board (PCLOB) meeting with President Barack Obama last week, the PCLOB has set a public meeting for July 9 to discuss the National Security Agency (NSA) surveillance programs. The PCLOB “will conduct a public workshop with invited experts, academics and advocacy organizations regarding surveillance programs operated pursuant to Section 215 of the USA PATRIOT Act and Section 702 of Foreign Intelligence Surveillance Act,” according to the workshop notice. The meeting will be held in Washington, DC, but the specific location has not yet been announced. [Politico] SEE ALSO: [SWIRE: Why the New Senator Markey May Be the Most Influential Privacy Congressman in History]

US – Video Game Industry Releases Guidelines for Mobile, COPPA

The group that manages privacy self-regulation for the video game industry, the Entertainment Software Rating Board (ESRB), has increased its program to include mobile apps and the upcoming changes to the Children’s Online Privacy Protection Act (COPPA). With COPPA changes to go into effect July 1, the group focused on ways of obtaining parental consent, creating short-form privacy notices for apps and dealing with the expanded definition of personal data to include photos and videos, the report states. Dona Fraser, vice president of the ESRB Privacy Certified program, said “achieving compliance with requirements like COPPA can be complicated, particularly for rapidly evolving platforms like mobile.” The ESRB is also in the process of issuing certifications to its members and awaits Safe Harbor status from the FTC. [AdWeek]

US – The Use of Predictive Policing, Campaigning

New predictive policing programs are being used in Seattle, WA. Using a combination of Google Maps, license-plate readers and computer algorithms, police are able to crunch data to predict where crimes are most likely to occur. Some worry about privacy and civil liberties issues. Meanwhile, Big Data analytics is also being used to better understand and reach out to potential political supporters. Calling it the “new electioneering,” the Times reports on one company that mines online data—particularly social media—and publicly available information to “quantify and measure voter emotion and opinion online.” [New York Times]

US – Database Prompts Call for Monitoring

Louisiana’s Board of Elementary and Secondary Education is appointing a task force to monitor data-sharing in the wake of the Department of Education’s partnership with inBloom, a database created to track student progress. Citing parent and student concerns about the potential for others to access private student data, the report quotes Education Superintendent John White’s comments that the department data will not be sold to outside companies and will be secured behind firewalls. “We’re not suggesting this is a perfect process,” he said. “But we hope we can get to a point where the public understands and trusts that this is being done the right way.” [The Times-Picayune]

US – Ramirez Taps Privacy Expert to Head Bureau of Consumer Protection

The FTC announced Chairwoman Edith Ramirez’s appointment of seven senior staff members, including Jessica Rich, a privacy expert who will now serve as director of the Bureau of Consumer Protection. Rich says that privacy is an area in which the FTC believes consumer protection is very important, and that, in line with Chairwoman Edith Remirez’s emphasis that the agency plans to be aggressive on privacy, the commission will use the tools in its belt to “the fullest extent possible” to protect consumers, including Section 5 of the FTC Act, the Fair Credit Reporting Act and COPPA. [Press Release]

US – Wong Named White House’s Deputy CTO

The Obama administration has announced its hire of Nicole Wong, who most recently worked for Twitter, as the White House’s deputy U.S. chief technology officer. Wong has also served as vice president and deputy general counsel of Google. “She has tremendous expertise in these domains and an unrivaled reputation for fairness, and we look forward to having her on our team,” said Rick Weiss, director of strategic communications at the Office of Science and Technology Policy. [The Recorder]

Privacy Enhancing Technologies (PETs)

WW – Firefox Web Browser to Move Ahead With ‘Do Not Track’ Option

The maker of the popular Firefox browser is moving ahead with plans to block the most common forms of Internet tracking, allowing hundreds of millions of users to eventually limit who watches their movements across the Web, company officials said. Firefox made the decision despite intense resistance from advertising groups, which have argued that tracking is essential to delivering well-targeted, lucrative ads that pay for many popular Internet services. When Firefox’s maker, Mozilla, first suggested in February that it might limit blocking, one advertising executive called it “a nuclear first strike” against the industry. To help navigate the complexities of when to allow tracking, Mozilla has teamed up with Stanford University’s Center for Internet and Society to create a “Cookie Clearinghouse,” which will advise the company on how to tweak its settings to protect users. Makers of the Opera Web browser have also joined the Stanford-led initiative. [Source]

WW – Using Virtual Assistants to Guide Privacy Settings

To help navigate convoluted and complex privacy settings on commonly used websites, CNET News columnist Dan Farber proposes that virtual assistants, such as Siri and Google Now, can be effective tools to give users more control of their settings. Virtual assistant apps could also help educate users on how their data is being collected, processed and shared. “Instead of reading pages of text,” Farber suggests, “users could query a virtual assistant, which could walk them through their privacy settings.” As virtual assistants “gain more popularity, managing privacy and protecting your online persona will be more of a continuous, background process handled by an intelligent agent rather than a sometimes impenetrable chore.” [CNET] [How UI and UX Can KO Privacy]


WW – Organizations are Not Doing Enough to Defend Against Cybercrime

According to the 2013 State of Cybercrime Survey from PwC, “Organizations are misjudging the severity of risks they face from a financial, reputational, and regulatory perspective.” Current defenses against cyberattacks are not effective because executives either do not understand the scope and import of the threats, or they have stopped paying attention. Many leaders are unaware of who in their organizations is responsible for cybersecurity. They also “underestimate the capabilities of their attackers and the damage they can cause.” The leaders also appear not to understand that, while using smart cloud services and other technological advances may help productivity, they introduce their own vulnerabilities. [CSO Online] [PWC Press Release]

US – CERT Issues Default Password Alert

The US Computer Emergency Response Team (US-CERT) has issued an alert warning that “it is imperative to change default manufacturer passwords and restrict network access to critical and important systems.” The alert notes that “critical infrastructure and other important embedded systems, appliances, and devices are of particular concern.” [Dark Reading] [US CERT]


US – Another NSA Revelation: Stellar Wind

The Guardian continues to publish news of secret, warrantless surveillance programs undertaken by the NSA. This week, the paper has news of an operation called Stellar Wind, which ran from 2001 through 2011, collecting “the accounts to which Americans sent e-mails and from which they received e-mails. It also details the Internet protocol addresses used by people inside the United States when sending e-mails–information which can reflect their physical location. It did not include the content of e-mails.” All “communications with at least one communicant outside the United States or for which no communicant was known to be a citizen of the United States” were fair game, approved by the FISA court every 90 days for a decade. [Source]

US – Senators Want “Public Answers” About Scope of NSA Surveillance

US legislators are calling for “public answers” regarding the scope of the National Security Agency’s (NSA’s) surveillance of people in the US. In their letter to Director of National Intelligence James R. Clapper, the group of 26 senators asks if the NSA collected personal information, such as credit card purchases, library records, and firearms sales, in addition to phone records. The senators also ask if the collected data include cell-site location data. [ComputerWorld] [Washington Post] [Text of Letter]

US – Revising What We Know About PRISM

Initial reports about the NSA’s PRISM surveillance program appear to have gotten the technical details of the program wrong. The stories reported that nine major US Internet companies knowingly allowed NSA access to information on their servers. While the information leak discloses the scope of the NSA’s surveillance, the PRISM system described in a leaked PowerPoint presentation apparently helps automate the FBI and NSA requests for data; it does not allow those agencies unfettered access to the servers. PRISM is part of a much larger NSA data-grab, which has been known about for years, in which data are siphoned from the fiber optic cables through which they travel along the Internet’s backbone. Traffic data are gathered as the traffic leaves and enters the US, and are routed to the NSA for analysis. [Source] [Source]

CA – Eavesdropping Agency’s Data Banks Go Unlisted despite Legal Obligation

The Defence Department appears to have broken the law by failing to publish the latest personal information listings of Canada’s electronic eavesdropping agency. Under federal privacy law, ministers are obliged to list the personal data banks — which hold information about individuals — compiled by agencies in their portfolios. However, there is no public listing this year for Communications Security Establishment Canada, known as CSEC, which reports to the defence minister. The omission has prompted University of Ottawa professor Amir Attaran to lodge a complaint with the federal privacy commissioner, who polices the federal law governing personal information. It’s important for CSEC “to be honest about what data it is gathering,” said Attaran, a lawyer who has taken a keen interest in Canadian information law. The personal data bank issue arises amid concerns about the sort of personal information CSEC and its close American ally, the National Security Agency, are collecting. CSEC spokesman Ryan Foreman said the spy service’s personal information banks used to be listed along with other Defence Department holdings in a federal publication called InfoSource, but in future will be cited separately, as CSEC is now a standalone agency. “CSEC is not exempted from the reporting requirements to publish an InfoSource submission. CSEC will be preparing its first independent InfoSource submission for the 2013-2014 reporting period,” Foreman said. “Previously published versions of InfoSource can be accessed through the Treasury Board Secretariat.” [Source] SEE ALSO: [Michael Geist on the perils of government surveillance] and [How to Tell if a Cell Phone Is Being Monitored]

UK – GCHQ Taps Fibre-Optic Cables for Secret Access to World Communications

Britain’s spy agency GCHQ has secretly gained access to the network of cables which carry the world’s phone calls and internet traffic and has started to process vast streams of sensitive personal information which it is sharing with its American partner, the National Security Agency (NSA). The sheer scale of the agency’s ambition is reflected in the titles of its two principal components: Mastering the Internet and Global Telecoms Exploitation, aimed at scooping up as much online and telephone traffic as possible. This is all being carried out without any form of public acknowledgement or debate. One key innovation has been GCHQ’s ability to tap into and store huge volumes of data drawn from fibre-optic cables for up to 30 days so that it can be sifted and analysed. That operation, codenamed Tempora, has been running for some 18 months. The existence of the programme has been disclosed in documents shown to the Guardian by the NSA whistleblower Edward Snowden as part of his attempt to expose what he has called “the largest programme of suspicionless surveillance in human history”. “It’s not just a US problem. The UK has a huge dog in this fight,” Snowden told the Guardian. “They [GCHQ] are worse than the US.” Britain’s technical capacity to tap into the cables that carry the world’s communications – referred to in the documents as special source exploitation – has made GCHQ an intelligence superpower. By 2010, two years after the project was first trialled, it was able to boast it had the “biggest internet access” of any member of the Five Eyes electronic eavesdropping alliance, comprising the US, UK, Canada, Australia and New Zealand. UK officials could also claim GCHQ “produces larger amounts of metadata than NSA”. By May last year 300 analysts from GCHQ, and 250 from the NSA, had been assigned to sift through the flood of data. The Americans were given guidelines for its use, but were told in legal briefings by GCHQ lawyers: “We have a light oversight regime compared with the US”. When it came to judging the necessity and proportionality of what they were allowed to look for, would-be American users were told it was “your call”. The Guardian understands that a total of 850,000 NSA employees and US private contractors with top secret clearance had access to GCHQ databases. The documents reveal that by last year GCHQ was handling 600m “telephone events” each day, had tapped more than 200 fibre-optic cables and was able to process data from at least 46 of them at a time. [The Guardian] [Source] [Source]

AU – Australian Government Shelves Metadata Collection Plan

The government has shelved a controversial plan to force Australian telecommunications companies, internet service providers and sites such as Facebook to collect “metadata” from Australian users and store it for two years. The government had run out of time to push the plan through before the election, but, after a powerful parliamentary committee raised concerns about it, the attorney general, Mark Dreyfus, confirmed more work was needed. “The government will not pursue a mandatory data retention regime at this time and will await further advice from the departments and relevant agencies and comprehensive consultation,” he said in a statement. [Source]

IN – India to Let Government Officials Access Private Phone Calls and Emails

India has launched a wide-ranging surveillance programme that will give its security agencies and even income tax officials the ability to tap directly into emails and phone calls without oversight by courts or parliament, several sources say. The expanded surveillance in the world’s most populous democracy, which the government says will help safeguard national security, has alarmed privacy advocates at a time when allegations of massive US digital snooping beyond American shores have set off a global furore. “If India doesn’t want to look like an authoritarian regime, it needs to be transparent about who will be authorised to collect data, what data will be collected, how it will be used, and how the right to privacy will be protected,” said Cynthia Wong, a researcher at New-York-based Human Rights Watch. The Central Monitoring System (CMS) was announced in 2011 but there has been no public debate and the government has said little about how it will work or how it will ensure that the system is not abused. The government started to quietly roll the system out state by state in April this year, according to government officials. Eventually it will be able to target any of India’s 900 million landline and mobile phone subscribers and 120 million internet users. [Source]

AU – Australia Building Data Storage Facility

The Australian government is building a data storage facility outside Canberra, the country’s capital, to allow intelligence agencies manage a “data deluge” from the Internet and telecommunications networks. The state-of-the-art facility will support Australia’s Defence Signals Directorate. Some of the information that Australian intelligence agencies receive comes from the US’s PRISM data gathering program. [Source] [Source]

CA – Privacy Commissioners Raise Concerns About Google Glass

Canada’s privacy commissioner and 36 of her counterparts in this country and around the world want to know how Google plans to protect people’s privacy when Google Glass hits the streets. “We would be very interested in hearing about the privacy implications of this new product and the steps you are taking to ensure that, as you move forward with Google Glass, individuals’ privacy rights are respected around the world,” reads an open letter to CEO Larry Page, signed by Jennifer Stoddart and provincial privacy commissioners, as well as those from Australia, Mexico, Switzerland, Israel and New Zealand. Almost from the moment Google announced its wearable computer goggles, privacy concerns were raised about the ability to record people surreptitiously and, in the blink of an eye, post it to the Internet. Among the questions in Tuesday’s letter: What information does Google collect via Glass and what information is shared with third parties, including application developers?; How does Google intend to use this information?; Is Google doing anything about the broader social and ethical issues raised by such a product? Their concerns echo those of the U.S. Congress, which in May sent a similar letter to Google about the “unanswered questions” around privacy. [Source] [CNET News]

Telecom / TV

US – FCC Rules Carriers Must Protect Data

The Federal Communications Commission (FCC) has ruled that telecoms need to safeguard consumer call information regardless of whether they’re using wireless or landlines. An FCC statement says, “When mobile carriers use their control of customers’ devices to collect information about customers’ use of the network…carriers are required to protect that information.” The ruling stems from an investigation into allegations that Carrier IQ was logging customers’ keystrokes. Commissioner Jessica Rosenworcel pointed out that the ruling applies only to carriers, adding, “They do not apply to the manufacturers of wireless phones. They do not apply to the developers of operating systems. Consumers can be confused by these distinctions.” [MediaPost]

WW – Almost Half of iPhone Apps Peek at Your Private Stuff

According to a new study, more than 13% of apps access an iPhone’s physical location while 6% access the device’s address book. Computer scientists at the University of California, San Diego discovered that nearly half of the mobile apps running on Apple’s iOS operating system have gained access to private data. These findings are based on a study of 130,000 users of jailbroken iOS devices, where uses have removed restrictions that keep apps from accessing the iPhone’s operating system. One might assume that the results are skewed because the study participants were using a jailbroken iPhone. However, the majority of applications in the study were downloaded through Apple’s App Store and were able to access the same information on locked phones as well. In March, Apple stopped accepting new applications or app updates that access these “unique identifiers,” or privacy invaders. However, the findings suggest that although this update was made to the App Store policy, many apps can still get that information. Unique identifiers allow the creators of the app and advertisers to track a user’s behavior through all the different apps on their devices. Some apps even associate the unique identifier with the user’s email and other personal information. The researchers developed an app called ProtectMyPrivacy (PMP) that is able to detect what data the other apps running on an iOS device are trying to access. Their application enables users to selectively allow or deny access to information on an app-by-app basis, based on whether they feel the apps need the information to function properly. The team has also added notifications and recommendations for when an app accesses other privacy-sensitive information, such as a devices’ front and back camera, microphone and photos. “We wanted to empower users to take control of their privacy,” said Yuvraj Agarwal, a research scientist in the Department of Computer Science and Engineering at UC San Diego who co-authored the study. “The choice should be in users’ hands.” Nearly all of PMP’s users voluntarily shared their privacy decisions, allowing the researchers to see which apps they believe should be allowed access to their privacy-sensitive data. PMP is able to make recommendations for 97% of the 10,000 most popular iPhone apps. [Source]

WW – Security Flaws in Phone App Library

Vulnerabilities in the GNU ZRTPCPP open-source security library used by some secure mobile phone apps could be exploited to allow arbitrary code execution and crash applications. The flaws include a remote heap overflow, several stack overflows, and information leakage. [ComputerWorld] [The Register

US Government Programs

US – US Administrative Office of the Courts’ 2012 Wiretap Report

The US Administrative Office of the Courts 2012 Wiretap Report notes that 15 wiretaps last year encountered encrypted communications. In previous years, there have been a total of seven other instances. In four of the cases, officials were not able to decrypt the messages. This is the first time that officials have reported being thwarted by encryption “since the AO began collecting encryption data in 2001.” According to the report, there were 3,395 authorized wiretaps from state or federal judges in 2012. The numbers do not include “interceptions regulated by the Foreign Intelligence Surveillance Act of 1978.” [WIRED] [US Courts]

US Legislation

US – Bill Proposed To Strengthen Oversight of FISA, USA PATRIOT Act

Sen. Patrick Leahy (D-VT), with the co-sponsorship of Sens. Lee (R-UT), Udall (D-CO), Wyden (D-OR), Blumenthal (D-NY) and Tester (D-MT), proposed the FISA Accountability and Privacy Protection Act of 2013 to “strengthen privacy protections, accountability and oversight related to domestic surveillance conducted pursuant to the USA PATRIOT Act and the Foreign Intelligence Surveillance Act of 1978.” Privacy Tracker reports on the proposed changes, including allowing challenges to gag orders in court, expanding public reporting of national security letters and requiring a comprehensive review of the FISA Amendments Act by the inspector general of the intelligence community. [IDG News]

US – Federal Baseline Breach Notification Bill Introduced

Sen. Pat Toomey (R-PA) introduced legislation Thursday to mandate a nationwide standard for data breach notification. Sponsored by Sens. Angus King (I-ME) and John Thune (R-SD), the bill would preempt the current slate of 46 state breach notification laws and provide “better protections and swifter responses for consumers.” With a combination of high-profile data breaches and varying state mandates, “Congress needs to provide businesses and consumers with certainty and establish a single reasonable standard for information security and breach notification practices,” the press release states. [Toomey press release]

US – Louisiana Governor Passes Gun-Owner Protection Law

Louisiana Governor Bobby Jindal signed a bill last week that he says protects the privacy rights of law-abiding gun owners. The law imposes fines of up to $10,000 and jail sentences of up to six months on those that publish the names of people who own or have applied for a concealed handgun permit. “The law raises the constitutional question of prior restraint, meaning when the government prohibits speech or other expression before it can take place” [Source] Rep. Jeff Thompson (R-Bossier City) said the bill was a response to the controversial map published last year in a New York paper including the names and addresses of handgun permit-holders within its readership region. According to the reports, Arkansas (SB 131), Maine (LD 345), Mississippi (HB 485), New York (New York Secure Ammunition and Firearms Enforcement Act) and Virginia (SB 1335) have all passed laws to protect the identities of concealed weapons permit-holders.

US – Student Privacy Bill Proposed in Massachusetts

Massachusetts Lawmakers are considering Bill H 331 to prohibit those providers that deliver cloud computing services to kindergarten through grade-12 schools from processing student data for commercial purposes. The bill was filed by Rep. Carlo Basile (D-East Boston) and is a pressing issue as the state is one of five considering participation in inBloom, a Gates Foundation pilot program that aims to help schools simplify computer systems. Rep. Alice Peisch (D-Wellesley) questioned why FERPA doesn’t address the problem; The Lowell Sun pointed to criticisms that 2011 changes to FERPA opened the door for schools to share student data with private entities.

US – New Jersey Senate Passes Drone Regs

Last week, the New Jersey Senate unanimously passed S2702, a bill that sets guidelines for state officials’ use of drones. Permitted uses include criminal investigations and events that “substantially endanger the health, safety and property of the citizens;” however, the use would need to be approved by the agency chief, reports New Jersey.com. The bill also restricts use of both audio and visual recording taken by drones. The bill has been received by the Assembly and referred to the Assembly Homeland Security and State Preparedness Committee.

US – Oregon Drone Bill Heads to Governor

Oregon’s police drone bill (SB 71) passed the House 56-3 last week and is headed to the governor’s desk. If signed into law, the bill would bar law enforcement from using drones to collect information without a warrant, except in specified situations.

US – Texas Broadens Breach Notification Law

While Texas has had a breach notification law on the books for a while now that applies to citizens of states without a notification law, it recently passed Senate Bill 1610, which increases the scope further. The new law applies to everyone affected by a breach—regardless of the law in their state of residence; gives organizations the choice of reporting under Texas law or that of the state of the affected person, and allows written notification to go to the last known address. This law differs from many other state breach laws in its perspective. “While most state laws apply when its residents have been affected by a breach, Texas law applies to persons dealing with personal information who conduct business in Texas,” adding that no matter what the new law requires, “best practice will remain notifying under the law of the state where the affected party resides.” [Source]

US – Nevada Social Media Law Has Broad Scope

Nevada has become the 11th state to pass an employee social media law. Effective October 1, employers may not ask employees or prospective employees for information that would provide access to their social media accounts. Nor are employers allowed to fire, discipline or discriminate in any way against employees or prospective employees who do not share that information with them. One point to note is that the Nevada law defines social media broadly as “any electronic service or account or electronic content, including, without limitation, videos, photographs, blogs, video blogs, podcasts, instant and text messages, electronic mail programs or services, online services or Internet website profiles,” essentially saying it applies to any online account. So, while the law’s restrictions are narrower than many similar laws, the scope is broader. Nevada joins Arkansas, California, Colorado, Illinois, Maryland, Michigan, New Mexico, Oregon, Utah and Washington in passing a social media law. [Source]

Workplace Privacy

WW – If Nine Of 10 Employees Breach Policies, How Is Privacy Possible?

A survey taken over several years has found that out of 165,000 employees surveyed, 93 percent knowingly violate policies designed to prevent data breaches. Privacy professionals burn the midnight oil crafting policies in line with best practices. But such policies don’t stand a chance at protecting consumer data if the employees charged with practicing model data-steward behavior could care less about doing so. So how can a company ensure that its people are complying with the policies it promises to practice? [The Privacy Advisor] [Financial Times]

CA – Supreme Court Says No to Random Alcohol Testing

The Supreme Court late last week ruled that companies cannot institute mandatory random alcohol testing of employees. “Random alcohol testing is a humiliating invasion of an individual’s privacy that has no proven impact on workplace safety,” said Dave Coles, president of the Communications, Energy and Paper Workers Union of Canada. Communications, Energy and Paperworkers Union of Canada, Local 30 vs. Irving Pulp & Paper, Limited stems from a 2006 policy by Irving that chose an employee randomly by a computer program. The employee showed a zero blood alcohol level but claimed the test was humiliating and unfair. [Source]


Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: