01-15 August 2013

Biometrics

WW – PayPal Tests Mobile Payments Using Your Face for Verification

PayPal is rolling out a new trial for British consumers to see if they really can leave their wallets at home. Recently kicking off in London borough Richmond upon Thames, the test includes 12 different merchants set up to accept PayPal payments. Using the PayPal app for iOS, Android, or Windows Phone, potential customers can see nearby participating merchants highlighted on their mobile phones. They can then check in by clicking on the merchant’s name and sliding a pin down the screen. When purchasing an item, the customer’s name and photo pop up on the store’s payment system. An employee clicks on the photo to initiate the payment. The customer then gets a notice and receipt for the transaction on their phone.  Though only a dozen retailers are part of the test, PayPal expects that more than 2,000 merchants will be able to accept the PayPal payments by the end of 2013, Sky News added. And PayPal has grander ambitions beyond this year. [Source]

WW – Intel Drops TV Facial Recognition After Privacy Fears

Intel has confirmed that its upcoming TV service will not include a camera looking at viewers, but it will still record a massive amount of content and store it in the cloud. Intel officials plan to begin selling a set-top box and services later this year that will let users receive live and recorded programming over the Internet, the latest move by a growing number of tech vendors that are looking for ways of leveraging the Web to improve people’s TV viewing experience. The idea was that the camera, through software, could recognise the faces of the viewers, and personalise the programming and ads based on who was watching. The idea of the camera looking into the room and seeing and recording who was watching what content sparked some controversy from people who worried about the data being collected and an invasion of privacy. Huggers said that the camera and its facial-recognition software was postponed for now, not only over privacy concerns but also because the technology did not work well in the low lighting that is found in many TV rooms. [Full story]

Canada

CA – Global Sweep Highlights “Significant” Shortcomings

The Office of the Privacy Commissioner of Canada (OPC) has released the findings of the first-ever Global Privacy Enforcement Network Internet Privacy Sweep, noting “shortcomings in how some online organizations provide information about their privacy practices.” The OPC’s blog includes key details as well as screenshots from the sweep. “While we did see some good examples that demonstrated it is possible to create transparent privacy policies, unfortunately, we also found some sites with no policies or that offered only brief, over-generalized statements about privacy,” said Canadian Privacy Commissioner Jennifer Stoddart, noting one “particularly disappointing example…was a paternity testing website with a privacy statement so skimpy it would fit into a tweet.” [Source]

CA – N.S. Cyberbullying Legislation Allows Victims to Sue

Stricter cyberbullying legislation is now in place in Nova Scotia, giving victims the ability to sue alleged cyberbullies. The protections for victims of cyberbullying are part of the new Cyber-Safety Act, implemented by Justice Minister Ross Landry this week, aimed at protecting victims and holding bullies responsible. If alleged cyberbullies are minors, the new legislation allows victims to hold the bully’s parents responsible. The legislation allows victims to apply for protection orders to place restrictions on, or identify, the cyberbully. [Source] See also: [UK teen’s suicide prompts calls to shut down website that allows anonymous internet bullying]

CA – Via Rail Considers New Security Checks for Passengers

Taking a train in Canada could soon become more like boarding an airplane as Via Rail considers greater scrutiny of checked baggage, more inspections by sniffer dogs and security checks on passengers.  The measures, outlined in documents released under the Access to Information Act, are being considered in direct response to the alleged terrorist plot to derail a train that led to arrests in April, said a Via Rail spokesman. At a House of Commons committee in May, a senior Via Rail official said the train service was considering whether to ask all of its travellers for identification before they board, which does not take place routinely. The spokesman says the idea, including regular checks of passenger names against security databases, is still being studied, but could be a “fairly expensive proposition” given that Via serves 450 communities spanning 12,500 kilometres of track. Via Rail currently does random searches and X-rays of baggage, uses sniffer dogs at stations and observes passengers for telltale signs of suspicious behaviour, Gagnon said. “Our employees are trained to detect body language.” Via Rail briefing notes prepared in May, released this month to The Canadian Press under the access law, indicate the passenger train service is looking at:

  • ensuring all checked baggage can be linked to an on-board passenger, a standard practice for airlines;
  • more frequent patrols by sniffer dogs to scrutinize baggage and conduct walkabouts in Montreal, Toronto, Quebec City, Ottawa and Vancouver;
  • additional security measures for the Via-Amtrak train during the Canadian leg of its journey, including mandatory identification checks on all passengers.

In addition, Via Rail has already implemented two ideas from the working group — beefed-up vigilance training for staff and stricter certification standards for members of the train service’s safety, security and risk management division. There is no timeline for making additional improvements, though a status report is to be delivered at a Via Rail board meeting at the end of August in Saskatoon, he said.[Source]

Consumer

US – Study: Consumer Reaction to NSA Could Hurt Ad Targeting

A study reveals that consumer concerns about online privacy have jumped from 48% to 57% since the National Security Agency surveillance programs were first disclosed in June. The findings, according to the report, could have “huge implications for the targeted advertising” industry because users will likely alter privacy settings and block tracking. The study also noted, if similar trends continue and some browser makers block third-party cookies by default, “the ad industry’s ability to effectively use third-party cookies for marketing purposes will decrease.” The study also found that 31 percent said they now actively take steps to protect their privacy online. [AdWeek]

US – Chronic Retail ‘Returners’ May Be Tracked

The Huffington Post reports on retailers’ tracking of customers’ merchandise returns. Citing fraud and security risks, companies such as Best Buy, JC Penney, Victoria’s Secret and Nike say they must create profiles on individual customers’ returns at their stores. The stores use third parties to create “return profiles” and report back to the retailer, but consumer advocates say the practice violates privacy because of a lack of transparent disclosures. The practice led to a lawsuit against Best Buy recently, though the case was eventually dismissed. [Source]

EU – U.S. & Germany to Enter No-Spying Agreement, Says German Government

The U.S. has verbally committed to enter into a no-spying agreement with Germany in the wake of disclosures about the U.S. National Security Agency’s secret surveillance programs. The verbal commitment was given in talks with the German Federal Intelligence Service (Bundesnachrichtendienst, BND), the sole foreign intelligence service of Germany, the German government said in a news release. This means that there must be no governmental or industrial espionage between the two countries, it said. More common standards for the cooperation of E.U. intelligence services are in progress, the German government added. No further details about the agreement were given. The German Federal Ministry of the Interior reached on Monday could not immediately respond to a request for comment. The no-spying agreement talks were announced as part of a progress report on an eight-point program proposed by German Chancellor Angela Merkel in July with measures to better protect the privacy of German citizens. The plan was drafted “due to the current discussions about the work of the intelligence services,” the German government said. [Source] See also [Germany demands sanctions for US firms over privacy]

E-Government

CA – BC Liberals Did Not Violate Privacy Laws in Ethnic Scandal: Report

The provincial government did not give private personal information to the B.C. Liberal party as part of a controversial outreach plan to woo so-called ethnic voters, B.C.’s information and privacy watchdog said in a report released this week. The findings come after an internal review into the ethnic outreach scandal conducted before the election by Premier Christy Clark’s deputy minister, John Dyble. That review found serious misconduct by public officials, the misuse of government funds and the deliberate use of private emails in a bid to win ethnic votes. Denham said she launched her own parallel investigation to “determine whether there was sharing of personal information between the government and the B.C. Liberal Party, and if there was, whether this sharing was authorized under provincial privacy law.” In her report Thursday, Denham found no contraventions of privacy laws, but did agree there were “significant issues with the handling of personal information that need to be addressed.” [Source]

CA – Canada Studies Britain’s ‘Nudge Unit’ for Ways to Give the Public a Push

It’s known as the “nudge unit,” because its mission is to “nudge” citizens into acting the way the government wishes they would. Pioneered in Britain, it is officially tagged with the 1984ish name Behavioural Insights Team – about a dozen policy wonks, mostly economists, who employ psychological research to subtly persuade people to pay their taxes on time, get off unemployment or insulate their attic. The goal: To make consumers act in their own best interests – and save the government loads of money. Now Canada is looking into this growing field of behavioural economics. Finance Canada documents obtained by The Globe and Mail through Access to Information show Michael Horgan, the deputy minister of Finance Canada, was recently briefed on the activities of the three-year-old British team, which has attracted interest from governments around the world. The Finance Department acknowledges there are potential ethical concerns when governments mix economics and psychology to nudge citizens into making specific choices, but concludes those concerns can be addressed with transparent policies. And there is a potential payoff: With an annual budget of just $1.6-million a year, officials say, the British unit has already saved its government $480-million. One project, which sent court fines by text message rather than by mail, dramatically reduced bailiff interventions and saved nearly $50-million. [Source]

E-Mail

EU – German Providers Tout Secure eMail Services

Just days after two US-based secure email providers shuttered operations in the face of government demands for data, German email providers have begun offering their own secure email services, in which SSL will be on by default. The providers, Deutsche Telekom’s T-Online and United Internet’s GMX and Web.de services, say they will send mail within the country through domestic servers only. However, the companies’ plans provide security only for messages in transit; they do not provide secure data storage. Despite Germany’s strong data protection laws, there are exceptions for security agency demands, and SSL can be intercepted and decrypted fairly easily. The technology media say the secure email tagline is nothing more than marketing. [ZDNet] [ArsTechnica] [NBCNews]

US – Secure eMail Provider Lavabit Shuts Down

Lavabit, the secure email server that Edward Snowden had been using, has shut down. The company’s owner, Ladar Levison, wrote that he had to decide between “becom[ing] complicit in crimes against the American people or walk[ing] away from nearly ten years of hard work.” Levison wrote that although he would like to be able to tell users what prompted his decision, he is not at liberty to disclose that information, leading to speculation that the company received a National Security Letter or a search or eavesdropping warrant. Another encrypted communications service, Silent Circle, has shut down its Silent Mail service, noting, “We see the writing [on] the wall, and we have decided that it is best for us to shut down Silent Mail now.” [WIRED] [The Register] [ArsTechnica]

NZ – Mega to run ‘cutting-edge’ encrypted email

Kim Dotcom’s Mega.co.nz is working on a highly-secure email service to run on a non-US-based server. It comes as the US squeezes email providers that offer encryption and Mega’s CEO calls Lavabit’s and Silent Circle’s shutdown an “honorable act of Privacy Seppuku.” Mega has been doing an “exciting” but “very hard” and time-consuming job of developing both highly-secure and functional email service. “The biggest tech hurdle is providing email functionality that people expect, such as searching emails, that are trivial to provide if emails are stored in plain text (or available in plain text) on the server side. If all the server can see is encrypted text, as is the case with true end-to-end encryption, then all the functionality has to be built client side,” he explained, adding that even Silent Circle did not try to achieve such a feat. According to the company’s founder Dotcom, Mega doesn’t hold decryption keys to customer accounts and “never will”, thus making it impossible for it to read the emails. This also means that Mega by design cannot be forced to rat on its users by intelligence agencies. However, Dotcom earlier told TorrentFreak that a new spy legislation being pushed by the US and its Five Eyes alliance partners – UK, Canada, Australia and New Zealand – may force Mega to relocate its servers to some country exempt from such jurisdictions, such as Iceland. [Source]

NZ – Email Privacy Breaches Inspire NZ Tech Tool

A Wellington tech company has responded to calls from the public sector by launching a new tool designed to prevent email privacy breaches. Several government agencies have already signed up to use the product, including the Financial Markets Authority (FMA) and Ministry of Primary Industries (MPI). Software developer Liverton Technology Group has developed a system called MailAdviser which works at the front end of Microsoft Outlook. Justin De Lille, chief executive of Liverton, said the tool prompts users to double-check messages and attachments when sending to an unsecured or public email address. [Source]

Electronic Records

WW – Exploring Computer-Manipulation of the Mind

Latest research into computer-brain interfaces and the possibilities of sending brain waves over the Internet. Potential uses for brain-computer interfaces include human interaction with computers and other mobile devices simply by thinking. In 2011, scientists published research on Decoded Neurofeedback , a process by which brain activity can be altered. Additionally, Duke University neuroscientist Miguel A. Nicolelis has successfully connected the brain activity of two rats over the Internet and conducted an experiment called a “brain net,” which allowed rats to share information over the web. Nicolelis said he believes humans will eventually be able to communicate over the Internet via brain waves. “I think this is the real frontier of human communication in the future,” he said. [The New York Times]

Encryption

WW – Tor Network Breached

The web anonymity service Tor announced that its network had been breached through a vulnerability in the Tor Browser, and that malicious JavaScript may have revealed the identities of those using the service. Tor allows web users to mask their browsing habits by sending data through onion routers to mask the original header information—including the user’s IP address. As a result, a hidden server network run by Freedom Hosting was taken offline. Freedom Hosting’s owner and operator Eric Eion Marques is currently being held without bail and awaits extradition by the FBI for allegedly distributing child pornography online. Based on the timing of the arrest and the insertion of the malicious code, some speculate U.S. investigators introduced the script. “There are lots of rumors and speculation as to what’s happened,” writes the Tor Project on its blog. “We’re reading the same news and threads you are and don’t have any insider information.” [Naked Security]

WW – Researcher’s Spy Boxes Pick Up Troves of Unencrypted Data

Security researcher Brendan O’Conner recently wondered how easy it would be to monitor—as a private citizen—the movement of strangers on the street. So he built 10 contraptions made of sensors, a tiny computer and Wi-Fi adaptors and proceeded to spy on himself. The data his contraptions collected sent signals to a command-and-control system and included the unique identifiers to his phone and iPad—in unencrypted fashion. “Actually it’s not hard,” O’Connor said. “It’s terrifyingly easy…It could be used for anything, depending on how creepy you want to be.” [The New York Times]

EU Developments

EU – EU Looks to Speed Up Privacy Reforms

The European Commission wants to quicken the pace of passing the proposed data protection regulation, which is currently held up in the European Parliament’s civil liberties committee. Commissioner for Justice Viviane Reding, who in July appealed to member states to place the bill on an EU summit in the fall, said, “I would find it helpful if the European Council in October, which will deal with the European single market, could address this matter and speed up the work in the council on this important file.” Hunton & Williams’ Bridget Treacy noted, “Over the past few months, there has been widespread discussion of a risk-based approach to data protection regulation and some detailed exploration of the key elements of such an approach under the Irish presidency.” EU lawmakers have said they want the reforms passed by May 2014. [EUObserver]

EU – Working Party Weighs In on Purpose Limitation and Big Data

The concept of purpose limitation is a cornerstone of the protection of personal data. It is an essential first step in applying data protection laws since it constitutes a prerequisite for other data quality requirements, contributes to transparency and legal certainty and sets limits on how controllers are able to use personal data. In this exclusive for The Privacy Advisor, Stefano Tagliabue, discusses the Article 29 Working Party’s opinion on purpose limitation and Big Data. [Source]

EU – U.S. Surveillance Spurs EU Efforts to Tighten Data Protection Rules

The EU has reacted to the U.S. National Security Agency surveillance program disclosures, including the determination by some, to enact the proposed data protection regulation by May of next year. German MEP Jan-Philip Albrecht said, “The importance has been made clear now with all these revelations, we need cross-border rules, European rules, to safeguard fundamental rights,” adding, “It makes the world more vivid.” Shearman & Sterling associate Hartmut Häselbarth said the May deadline is ambitious, but in the long run, American businesses with a presence in Europe “will most likely have problems in (the) future.” [The Wall Street Journal]

EU – Ukraine Amends Personal Data Protection Law

On July 3, the Ukrainian Parlaiment amended its privacy law effective January 1, 2014. The amendment will transfer the functions of the State Service of Ukraine on Personal Data Protection to the Ombudsmen, whom data controllers will be required to notify of the processing of “high risk” personal data. There have also been changes to notification periods and the definition of “consent” to data processing has been removed altogether. According to Lexology, “It remains unclear whether previously registered databases will need to be notified to the Ombudsman.” [Lexology]

UK – ICO Publishes PIA Code of Practice

The UK Information Commissioner’s Office (ICO) has published a consultation on a new privacy impact assessment (PIA) code of practice and released a study on PIA and risk management. The ICO first announced the study, conducted by Trilateral Research & Consulting, was underway back in January. The consultation states the new code of practice aims to “help organizations conduct assessments of new projects that involve the use of personal information. The code explains the key principles behind a PIA and suggests how a PIA can be integrated with an organization’s project and risk management processes.” [Source]

UK – ICO Publishes Regulatory Action Policy

The UK Information Commissioner’s Office (ICO) has published a Data Protection Regulatory Action Policy, outlining what the office will consider when deciding whether to initiate regulatory action. Noting that “market factors” may influence the decision, the policy points to some “initial drivers,” including issues of “general public concern,” those due to the “novel or intrusive nature of particular activities” and those stemming from complaints. When asked for clarity on “market factors,” an ICO spokesman said in markets where “consumers demand effective privacy protection…market forces will be driving businesses to deliver better privacy protection, without the need for the regulator to intervene.” [Out-Law]

EU – Italian DPA Releases Rules on Spam and Viral Marketing

The Italian Data Protection Authority (Garante) has released, earlier this month, a set of rules dealing with spam and viral marketing. The provision, named “Guidelines on Marketing Activities and Spam,” is intended to fight the abuses of marketing communications and to promote fair commercial practices towards users and consumers. [Full Story]

EU – French Supreme Court: Undeclared File Sale Is Void

The French Supreme Court’s has ruled that the sale of a file containing personal data that should have been declared with the French data protection authority, the CNIL, and was not must be cancelled. “Having noticed that this rule had not been complied with, the court found such a file to be illegal and unable to be subject to a convention under the French Civil Code,” the report states, noting the sale had to be considered void. “This ruling is particularly important in that it is the first time that the court has applied such reasoning,” the report states, noting it “reminds us of the importance of complying with the obligations attached to the handling of personal data…” [Lexology]

Facts & Stats

UK – ICO Publishes Breach Trends Statistics; Gov’t Leads List

In a recent Information Commissioner’s Office (ICO) blog post, Sally-Anne Poole says statistics indicate carelessness is the cause of much of the office’s enforcement business. The ICO uses statistics to help inform its response to incidents, Poole writes. The health and local government sector leads the list for data breaches, followed by schools and solicitors. The ICO has published a spreadsheet of its civil monetary penalties for the first quarter of 2013 so the public can see such trends. [Source]

US – Data Breaches from 2005 to Present Exceed 500 Million

From 2005 to present, there have been a reported 535,267,233 data records breached in the U.S.. That’s 1.7 times the U.S. population, and the number only reflects reported breaches. “Many, or perhaps most, of the breaches that have occurred over the past decade have no reported number of records associated with them. They’re designated as ‘unknown,’” the report states. Ken Hess writes that, if each record breached represents one account, “just about everyone who lives in the U.S. is at risk of having at least one part of his or her data hijacked from multiple sources. It also means that absolutely no one’s data is safe.” [ZDNet] See also: [High-tech toilet gets hacker warning; nothing is safe]

Finance

US – Senator Concerned About CFPB Data Collection

In a press release, Sen. Mike Crapo (R-ID) has raised privacy concerns about the collection of sensitive financial data by the newly created U.S. Credit Financial Protection Bureau. The ranking member of the Senate Banking, Housing and Urban Affairs Committee, Crapo is concerned about how data is being collected, how many accounts are being monitored, how the data is being used and how many safeguards are in place to protect the data. The Government Accountability Office has agreed to investigate the collection programs. “Recently, cases of privacy abuse” have reached the headlines, Crapo said, “and we now have a federal agency that is using unchecked power to gather data on the spending habits of hundreds of millions of Americans.” The senator plans to hold a press conference on the issue on Monday, August 12. [Source]

US – The Inaccuracies of Data Broker Dossiers

Forbes reports on the inaccuracies that are often found in dossiers compiled by data brokers. Amassing profiles on millions of Americans can be difficult because many people have the same names and can easily be mixed up, and in one example, that caused embarrassment. “Even with so many suppliers sucking up details of our personal transactions at every step and selling them to data brokers,” the report states, “errors plague the process.” The inaccuracy problem has received attention from the Federal Trade Commission (FTC). Earlier this year, FTC Commissioner Julie Brill gave a speech calling for a new policy, called Reclaim Your Name, which would provide consumers with avenues to check the accuracies of their profiles. Acxiom is reportedly working on an access feature.

FOI

CA – Alberta Privacy Commissioner Pushes For Even More Openness

Alberta needs to establish minimum standards to ensure that more government information is made freely available to the public without a fight, says the province’s information and privacy commissioner. That’s one of a series of recommendations made by Jill Clayton in her submission to the provincial government’s review of the Freedom of Information and Protection of Privacy Act (FOIP). Clayton said she wants a legislated requirement for public bodies to commit to “proactive disclosure” of information and minimize the need for formal access requests from citizens. “In my view, that should be sort of the avenue of last resort,” she said in an interview. “Public information should be available to the public.” Clayton said that Alberta has taken some positive steps lately, such as the mandatory expense disclosure policy for MLAs and senior civil servants introduced by the Redford government last fall. But she noted that a 2012 study of four provinces’ FOIP legislation by the Centre for Law and Democracy ranked Alberta’s the lowest. [Source]

CA – Disclosure changes considered for Saskatchewan MLAs

Saskatchewan’s Conflict of Interest Commissioner Ronald Barclay says discussions are underway regarding changing, for privacy reasons, some of what is publicly disclosed by MLAs. “In our legislation, we not only disclose the assets of the members and the spouses, but you also have to disclose the names of any dependent children and also the residences of where the members live,” Barclay said. In his most recent annual report, Barclay comments on requests he received from several MLAs asking whether the legislation related to those requirements should be amended for privacy reasons. “In all the other jurisdictions except ours, those are exempt. For a dependent child, you just put Child A, Child B, Child C and you wouldn’t have to list the addresses of the MLAs,” Barclay said. “I’m going to turn it over to the two caucuses and they’ll have to make a decision whether or not they want to amend the legislation.” The information would still need to be disclosed to the commissioner, but it wouldn’t become public, Barclay said. [Source] See also: [Manitoba: New rules may be needed for political parties asking personal questions: lawyer]

CA – No Privacy Concerns In Releasing Daycare Complaints

Ontario’s privacy commissioner says there are no privacy concerns that would prevent the government from releasing complaints against unlicensed daycares to the public. “My office recently spoke with the Ministry of Education and we clearly outlined that there are no privacy issues with releasing non-personal, business information regarding unlicensed daycare investigations or occurrences,” Ann Cavoukian wrote in a statement. [Source]

Genetics

US – Unprecedented Pact Reached With Lacks’ Descendants

In an unprecedented move, the National Institutes of Health (NIH) announced an agreement with the descendants of Henrietta Lacks, whose cervical cancer cells were taken without permission by scientists 62 years ago, giving them control over which biomedical researchers will gain access to the full genome data derived from her cells, MSNBC reports. NIH Director Francis Collins said it is an “historical agreement” that will “protect the family’s interest and also further their commitment to biomedical research.” In a column for Nature , Martin Bobrow writes on the “growing issue in modern science: access to biomedical and health-related research data.” [Source]

Google

WW – Google Defends Chrome’s Password Manager

A software developer was surprised to find that Google Chrome lets anyone with access to a computer see in plaintext passwords the browser has stored. Google has acknowledged this characteristic of the browser from the beginning and maintains that it is not a security flaw. Google explains that security “boundaries within the OS user account just aren’t reliable,” and the company “doesn’t want to provide users with a false sense of security” by supporting a security scheme, such as a master password, that doesn’t work. “When you grant someone access to your OS user account, they can get at everything.” [WIRED] [SCMagazine] [v3.co.uk] [CNET] [Developer’s Blog] [Google’s Response]

WW – Google: don’t expect privacy when sending to Gmail

People sending email to any of Google’s 425 million Gmail users have no “reasonable expectation” that their communications are confidential, the internet giant has said in a court filing. Consumer Watchdog, the advocacy group that uncovered the filing, called the revelation a “stunning admission.” It comes as Google and its peers are under pressure to explain their role in the National Security Agency’s (NSA) mass surveillance of US citizens and foreign nationals. [Source]

Health / Medical

US – Obamacare Privacy Safeguards “Way Behind”; Violations “Rampant”

The Office of the Inspector General of the Department of Health and Human Services (HHS) says the Obama administration has not set up adequate safeguards to protect U.S. citizens’ privacy under the law. The office says health data exchanges under Obamacare may expose private records to hackers and criminals. The healthcare plan mandates the creation of a “data hub,” accessible by seven different federal agencies, including the Internal Revenue Service, the Social Security Administration and the Department of Homeland Security. A spokeswoman for HHS said privacy safeguards are delayed by at least two months, with the exchanges slated to begin October 1. [Forbes]

US – HIPAA-Compliance Deadline Looms

In an article for National Law Review, Elizabeth Johnson of Poyner Spruill says one of the highest priorities for HIPAA-covered entities required to meet new aspects of the recently updated HIPAA rules is to update business associate agreements. That’s because the distribution, negotiation and execution process can be time-consuming, she writes. “With the compliance deadline only two months away, covered entities must focus efforts to ensure that all updates are complete and new training concluded prior to the September 23 deadline.” [Source]

Horror Stories

US – Alumni, Donors Notified of Breached Server

The School of Forestry and Wildlife Sciences at Alabama’s Auburn University has begun notifying an undisclosed number of alumni and donors that their personal information has been breached. The incident occurred when spreadsheets containing the individuals’ names, Social Security numbers and e-mail addresses, among other data, were mistakenly uploaded to a publicly available server. Meanwhile, a Texas lawmaker is taking action to ensure greater transparency when it comes to state agencies’ cyber threats. [eSecurity Planet]

US – Provider Announces Laptop Theft

California-based Retinal Consultants Medical Group has announced the theft of an unencrypted laptop containing protected health information, reports. The laptop, part of a diagnostic imaging machine, contained patients’ names, dates of birth and genders, among other information. The provider has notified affected individuals, encouraging them to monitor bank accounts and obtain credit reports; however, according to the notification, it is not aware of any access to or misuse of the data. [HealthData Management]

US – Healthcare Breach Affects 32,000

Cogent Healthcare is notifying approximately 32,000 patients in 24 physician groups it manages “that their personal health information may have been exposed online.” The report states that M2ComSys, a company Cogent Healthcare contracted to transcribe patient care notes for some of its physician groups, stored notes that included “patients’ names, birthdates, diagnoses, summaries of treatments, medical histories, medical record numbers and physicians’ names, on a website” that suffered a security lapse. “We are generally unable to identify who accessed the notes,” Cogent Healthcare has said. Those affected are being offered a free one-year membership in an identity protection service. [eSecurity Planet]

CA – Hospital Notifies 1,300 of Breach, Nurse Fired

A nurse has been fired by Canadian-based Norfolk General Hospital for unauthorized access to more than 1,300 patient records. An investigation revealed the nurse allegedly violated the Personal Information Protection Act multiple times dating back to 2004. Compromised data included patient names, health care numbers, dates of birth, contact information, doctor names and reason for visit. The organization has notified affected patients. A Vermont-based healthcare and hospice facility has also announced a breach and notified affected patients after an employee’s laptop was stolen. Meanwhile, Boston Public Schools will redesign student information cards after a hard drive, containing PDF images of 21,054 student IDs, was lost. [Brantford Expositor]

US – Airline’s Second Significant Breach in a Month

For the second time in the past 30 days, U.S. Airways has revealed it has suffered a breach of PII. As many as 7,700 customers may have been affected by the latest breach, which customers discovered when they noticed their frequent flyer miles were missing, and compromised data includes usernames, passwords, birth dates, addresses, security question answers and the last four digits of credit cards. The last breach involved employee data. U.S. Airways said it has restored “all mileage balances as quickly as possible” and will provide free identity-theft monitoring. [Source]

Identity Issues

WW – Twitter’s Two-Factor Authentication

Twitter has made changes to the two-factor authentication system it introduced in May, which used text messaging. The new login verification system for its mobile app uses the app itself to authorize account access instead of communicating through text messaging, which can be less than trustworthy. Users who want to update to the new authentication system need only update their mobile twitter apps. Attempted logins will provide rough locations and information about the browser being used. Twitter acknowledges that two-factor authentication is a work-in-progress and says it will continue to improve the process. [ZDNet] [ArsTechnica] [WIRED] [NBC News]

US – The Inaccuracies of Data Broker Dossiers

Forbes reports on the inaccuracies that are often found in dossiers compiled by data brokers. Amassing profiles on millions of Americans can be difficult because many people have the same names and can easily be mixed up, and in one example, that caused embarrassment. “Even with so many suppliers sucking up details of our personal transactions at every step and selling them to data brokers,” the report states, “errors plague the process.” The inaccuracy problem has received attention from the Federal Trade Commission (FTC). Earlier this year, FTC Commissioner Julie Brill gave a speech calling for a new policy, called Reclaim Your Name, which would provide consumers with avenues to check the accuracies of their profiles. Acxiom is reportedly working on an access feature. [Source]

WW – Microsoft Researchers Develop 3D Passive ID Tags

Engineers in Microsoft’s research division have developed an automatic-identification technology known as InfraStruct, using passive tags operating in the terahertz (THz) band. Instead of encoding data onto a silicon chip, as is typically the case for passive RFID tags operating in the low-frequency (LF), high-frequency (HF) or ultrahigh-frequency (UHF) radio frequency (RF) bands, the InfraStruct system involves building a unique shape or hollowed section directly into a structure, with an ID number or other data physically represented in that shape or section. The InfraStruct concept, still in the prototype stage only, includes a unique method of building a tag into a three-dimensional printed plastic object, as well as a terahertz scanner that transmits an optical-like radiation into the item that is reflected back to the scanner. Software then measures the response of the reflection received, thereby identifying the unique item based on that measurement. [Full Story]

Internet / WWW

US – Apple updates App Guidelines with Eye On Children’s Privacy

Apple has tweaked its guidelines for app developers to emphasize the latest rules regarding children’s privacy. The guidelines have been updated to reflect the latest changes to the Children’s Online Privacy Protection Act (COPPA) and Apple’s renewed focus on education with iOS 7. In the past, COPPA prevented developers from gathering the names, addresses, and phone numbers of children under 13 without parental consent. Since the start of the year, those restrictions have extended to photographs, videos, and audios as well. The specific guidelines now read as follows:

17.3 Apps may ask for date of birth (or use other age-gating mechanisms) only for the purpose of complying with applicable children’s privacy statutes, but must include some useful functionality or entertainment value regardless of the user’s age.

17.4 Apps that collect, transmit, or have the capability to share personal information (e.g. name, address, email, location, photos, videos, drawings, persistent identifiers, the ability to chat, or other personal data) from a minor must comply with applicable children’s privacy statutes.

As part of its new emphasis on the educational market, Apple also updated its guidelines with a new section known as “Kids Apps.” Children under 13 will now be able to have their own individual iTunes accounts. But developers who design apps for kids must follow certain rules, such as including a privacy policy, excluding behaviorial advertising, and requiring parental consent before letting children “link out of the app or engage in commerce.” [Source]

WW – Facebook Posts Online Privacy, Safety Guide

Facebook has posted a new guide for survivors of domestic abuse, detailing steps to protecting safety and privacy while still being able to connect with family and friends on the social network. Facebook teamed with the National Network to End Domestic Violence to come up with the guidelines, which can be found at the Facebook Family Safety Center, facebook.com/safety. Some might suggest that using a fake profile name or not even using the social network at all may be the best course of action. But in most cases, neither is true, Southworth said in an interview during a break in the group’s three-day technology safety summit in San Jose. “It’s not acceptable to tell survivors of domestic violence just to give up their technology,” she said. “What she really needs is that he not able to contact her and if he does, that he is held accountable.” A domestic abuser often tries to gain power and control by isolating the victim from friends and family, she said. “One of the things we advocate is to rekindle connections with friends and family and jobs,” she said. “Some of that can be through Facebook, some of that can be through in-person activities. We don’t think any victim needs to choose to be offline.” Although a small number of survivors might need to change their identities, she said the group is not recommending that course of action as much as before because of it also brings on unintended consequences, such as the loss of a person’s credit history or a nursing license needed to work. And when there’s a legal protective order preventing contact, repeated Facebook posts by the abuser could provide the “compelling digital evidence” needed to convince an officer or judge of a violation, she said. The “Guide for Survivors of Abuse” is generally applicable to any Facebook member to make sure they protect their online privacy and safety, even in a publicly social world. The guide also advises caution when accepting a new friend request. “Unfortunately, some abusive individuals use clever tactics to gain access to a victim’s information,” the guidelines said. “In some instances, abusive individuals maliciously create accounts impersonating a friend of the person they want to connect with.” [Source]

Law Enforcement

US – FBI Employing Hackers’ Techniques

U.S. law enforcement officials are “expanding the use of tools routinely used by computer hackers to gather information on suspects.” Law enforcement calls the practice, which includes remotely activating Android microphones to record conversations on cellphones or on laptops and hiring hackers themselves, “going dark.” The ACLU says there should be legal guidelines on how such hacking tools can be used. A spokesperson for the Justice Department said it makes decisions regarding legal authority to conduct surveillance on a case-by-case basis. [The Wall Street Journal] See also: [Yukon Mounties to star in their own reality show, raising privacy concerns] See also: [License plate scanning: The inside story of a cop who tracks our data] and also: [Predictive policing: Don’t even think about it]

US – NYPD Agrees to Purge Stop-Frisk Databank

The Bloomberg administration has agreed under a settlement announced to purge a New York City Police Department database containing personal information on individuals who were stopped by authorities, and also agreed to pay $10,000 to the lead plaintiff in a putative class action. Christopher Dunn, associate legal director of the New York Civil Liberties Union and lead counsel in the case, said in an interview that hundreds of thousands of names of innocent individuals will be erased from the NYPD database as a result of the settlement.  Legislation signed in 2010 by Governor David Paterson barred the NYPD from retaining stop-and-frisk data when the individual questioned was let go without an arrest or summons (NYLJ, July 19, 2010). But the legislation did not require expunging information on cases where the target was arrested or issued a summons, even if the charge was ultimately dismissed, leaving the city with a partial investigatory tool. On behalf of Lino and Khan and several hundred thousand other citizens, the NYCLU brought a class action arguing that the records should also be expunged. Acting Supreme Court Justice Barbara Jaffe dismissed the case for lack of standing, but she was reversed by the Appellate Division, First Department (NYLJ, Dec. 21). The appeals court revived the plaintiffs’ case, resulting ultimately in the settlement.  [New York Law Journal]

US – IRS Manual Detailed DEA’s Use of Hidden Intel Evidence

Details of a U.S. Drug Enforcement Administration program that feeds tips to federal agents and then instructs them to alter the investigative trail were published in a manual used by agents of the Internal Revenue Service for two years. The practice of recreating the investigative trail, highly criticized by former prosecutors and defense lawyers after Reuters reported it this week, is now under review by the Justice Department. Two high-profile Republicans have also raised questions about the procedure.  [Source]

Location

CA – Live Traffic Map Uses Vancouver Drivers’ Cellphone Data

Drivers in the Vancouver area are unknowingly helping to track traffic congestion, as their cellphone GPS signals are being automatically fed into a new online traffic map. TransLink, Transport Canada and B.C.’s Transportation Ministry have unveiled an online, colour-coded traffic map of the Lower Mainland with real-time updates that indicate areas of congestion. “It tracks your cellphone signals, and based on that, it directs that data online,” said TransLink spokeswoman Jiana Ling. Ling said TransLink does not receive any personal data from cellphone signals and that all personal information is “scrambled and anonymized” before it is pushed to the map. “Cellphone signals within the telecom network gets picked up and stripped off of any personal information at the source,” Ling said in an email statement to CBC News. “TransLink’s data provider then processes the anonymous cellphone signals through a specialized algorithm. This algorithm generates the average speed of commuters on the road network and TransLink posts this information online. The algorithm can only generate the average speed of the road network, it cannot identify the travel patterns of any specific cellphone user.” But Tom Keenan, an online security expert at the University of Calgary, questions how secure the software is. “If they did a good job, the hackers will walk away and say, ‘We can’t get anything.’ If they did a bad job, you can be rest assured that your Uncle Charlie is going to be tracked on the freeway.” Micheal Vonn, policy director for the BC Civil Liberties Association, said TransLink failed to commission a privacy impact assessment for the map, something it is legally bound to do. “In the rush to use these new technologies, the obvious steps for consideration around privacy and security have been missed,” Vonn said. Ling said TransLink conducted an internal review and decided a privacy assessment was not required since the data it receives does not contain any personal information. [Source]  See also: [ON: Desjardins tests device that will monitor drivers’ habits]

US — “Spoofers” Use Fake GPS Signals to Knock a Yacht Off Course

University of Texas researchers recently tricked the navigation system of an $80 million yacht and sent the ship off course in an experiment that showed how any device with civilian GPS technology is vulnerable to a practice called spoofing. Led by GPS expert Todd Humphreys, the researchers used a handheld device they built for about $2,000. It generates a fake GPS signal that appears identical to those sent out by the real GPS. The two signals reach the targeted system in perfect alignment. The strength of the fake signal slowly ratchets up and overtakes the real one. The yacht’s captain offered up his boat for the experiment after seeing Humphreys give a presentation at this year’s SXSW conference. The takeover took place in June while the boat was traveling in the Mediterranean off the coast of Italy. From a perch onboard the yacht, the spoofing researchers shifted the ship’s course three degrees to the north. They also convinced the yacht’s GPS system that the boat was underwater. [Source]

WW – Kids’ App Prevents Tracking and Targeting

A mobile app developer has released a new iOS app that aims to prevent web-browsing data and other in-app activity from being shared with third parties, Broadway World reports. Disconnect Kids also includes an educational function to introduce children and parents to online privacy issues. Features include a mobile tracking blocking function, a comic book discussing online tracking and targeting and two animated videos to help children and parents understand and control their personal data. [Source]

Offshore

WW – IBM Gets Certified Under APEC Privacy Rules

IBM has announced it has achieved certification under the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR), the first company to do so, according to a press release. The CBPR system is designed to facilitate data flows between the U.S. and the other APEC member economies, through voluntary, enforceable codes of conduct. IBM Chief Privacy Officer Christina Peters said, “CBPR rules will become the foundation of a globally accepted system that enables data to be shared throughout different regions with strong and trustworthy privacy protections.” Hogan Lovell’s Partner Christopher Wolf told The Daily Dashboard, “APEC CBPRs, containing enforceable commitments for the protection of personal data, are a lot like BCRs (binding corporate rules) that the EU recognizes as sufficient for cross-border transfers. Their adoption and effectiveness suggests that the EU should move its focus from the adequacy of the U.S. legal framework to whether personal data is being adequately protected through mechanisms like the CBPRs.” [IBM Press Release]

CN – China Issues Regulation on Collection and Use of Personal Data

On July 16, 2013, China’s Ministry of Industry and Information Technology (“MIIT”) promulgated the Provisions on Protecting the Personal Information of Telecommunication and Internet Users (“Internet Provisions”).  The Internet Provisions, which take effect September 1, 2013, provide specific implementation rules for telecommunication and internet information service provider’s (“TSPs” and “IISPs,” respectively) collection and use of “user’s personal information,” based on a more generally addressed national law protecting “personal electronic information” issued in December 2012 and entitled Decision of the Standing Committee of the National People’s Congress on Strengthening Online Information Protection (see our previous client alert here). In its final form, the Internet Provisions reiterate most of the specific provisions relating to the collection and use of a user’s PI found in the draft for public comment (see our previous client alert on the draft here).  Now binding, these provisions require TSPs and IISPs to: • Post PI collection and use policies at their place of business or online; • Not collect or use a user’s PI without the user’s consent; • Notify users regarding collection and use of PI, including the purpose, method, and scope of use, as well as avenues for the user to consult or amend the information, and the consequences if a user fails to provide the required information.  (Notably, the final version of the Internet Provisions states that its rules regarding user notice and consent will supersede any other law or regulation on this point, which would appear to include the December 2011 promulgated Several Provisions on Regulating the Market Order of Internet Information Systems.) • Maintain strict confidentiality of a user’s PI; not disclose, distort, or damage a user’s PI; and not sell or illegally provide PI to others; and to • Provide company contact information so that users may provide feedback, and to resolve any complaints lodged by customers within 15 days.

The Internet Provisions also provide that in circumstances in which a TSP or IISP entrusts a third party with PI for the purposes of providing “direct services” to the user, the TSP or IISP should “supervise and manage” the third party’s utilization of the PI and not entrust PI to any third party unable to meet the PI protection requirements set out in the Internet Provisions.

PI Storage and Handling Security Requirements: Significantly, the Internet Provisions mandate the adoption of eight internal security measures in order to avoid disclosure, loss, damage or distortion of a user’s PI, including requirements to: • Establish an internal safety management system and associated workflows for the collection and use of a user’s PI and other related activities, and to confirm the related responsibilities for protecting PI within each department, branch, and position in an organization; • Limit access by employees and agents to data, and carry out supervisory activities over bulk export, reproduction, or deletion of PI, and to adopt necessary measures to protect against unauthorized disclosure; • Guarantee appropriate storage and security measures for the protection of storage devices containing PI; • Conduct access checks for systems containing users’ PI, and adopt anti-virus and anti-intrusion measures; • Record the details for any individual’s handling of a user’s PI, including such information as the time and place of system access; and • Implement telecom security precautions in accordance with relevant MIIT regulations regarding network security.

The Internet Provisions also strengthen government inspection rights by permitting government authorities to conduct “supervisory inspections” that may include requests for all “related materials” as well as permission to enter the facilities of any TSP or IISP to investigate compliance efforts. [Source]

Online Privacy

US – Mayer Resigns from DNT Group

Stanford’s Jonathan Mayer has resigned from the working group tasked with creating a Do-Not-Track standard for the Internet. “We do not have a credible timetable—and we’ve just adjourned for a month. We do not have a definitive base text. We do not have straightforward guidelines on what amendments are allowed…This is not process: This is the absence of process,” he wrote. Mayer’s resignation comes on the heels of his comments in June indicating that if the group could not reach consensus in the month that followed, it would be time to “call it quits.” [GigaOm]

WW – Twitter Retargeting Service Gets Advocate Approval

The Guardian reports on what Twitter’s new retargeting advertising service may mean for user privacy. Users “won’t see more ads on Twitter, but they may see better ones,” the company told its users. While some privacy advocates have scrutinized the plan, others say Twitter’s approach is admirable given its adherence to “Do Not Track” settings and its easy opt-out. The Electronic Frontier Foundation says other companies should follow Twitter’s lead: “We think Twitter is setting an important example for the Internet: It is possible to exist in an ecosystem of tailored advertisements and online tracking while also giving users an easy and meaningful opt-out choice.” [Source]

Other Jurisdictions

NZ – NZ Websites Fall Down On Data Privacy

The Privacy Commissioner says New Zealand websites and apps need to do a better job of telling users what they are doing with people’s information and how secure that information is after nearly a third were found to have flawed privacy measures. Commissioner Marie Shroff made the comments in response to a global survey of sites, including New Zealand examples, which found a large proportion had no privacy policy, an inadequate policy, poor contact information or other concerns. They included websites or apps for schools, legal firms, and retailers. The Global Privacy Enforcement Network sweep of websites checked the transparency of 393 New Zealand sites. The survey found that 125 sites or apps did not have a privacy policy or an equivalent – a finding which Ms Shroff said was disappointing. [Source]

AU – Australia Gunning to Become World Leader in Big Data Analytics

The Australian Government Information Management Office has released its Public Service Big Data Strategy that aims to “position Australia as a world leader in the public sector use of Big Data analytics to deliver service-delivery reform, better public policy and protect citizens’ privacy.” The report discusses Big Data’s role in improving the targeting of services and the ability for businesses to offer more tailored services in accordance with individual and community needs, but it also notes privacy concerns that must be addressed before full benefits are realized. Agencies must develop better practices when it comes to cross-agency data sets and data deidentification, for example. [ZDNet] See also: [Czech Republic: Big Data, Big Deal?]

AU – Provision Could Label Data Transfers as Breaches

A provision in Australia’s proposed data breach notification legislation “could deem the unauthorised transfer of data from Australia to another country a breach.” In an interview, Françoise Gilbert notes, “Europe has been the most adamant at trying to curb the exodus of information outside of Europe without the proper measures…Australia is sort of following this trend and becoming much more serious about the cross-border data transfers.” The proposed law also calls for a requirement for organisations to notify stakeholders in the event of a breach. [GovInfoSecurity]

Privacy (US)

US – House Committee Creates Privacy Working Group

The U.S. House Commerce, Manufacturing and Trade Subcommittee has created a bipartisan privacy working group to focus on online privacy. With Reps. Marsha Blackburn (R-TN) and Peter Welch (D-VT) as its chairs, the working group will also include Reps. Joe Barton (R-TX), Pete Olson (R-TX), Mike Pompeo (R-KS), Jan Schakowsky (D-IL), Bobby Rush (D-IL) and Jerry McNerney (D-CA). Blackburn said the working group will “seek opportunities where Congress can forge bipartisan agreement to better protect consumers’ sensitive information and foster U.S.-based innovation,” while Welch added that given advancements in technology, it is “more important than ever that we make sure the consumer’s right to privacy is protected.” [Broadcasting & Cable]

US – Judge Rules Apple Can’t Dismiss Class-Action

A federal judge has ruled that Apple cannot dismiss a class-action alleging it let third parties upload user information from applications on their mobile devices. The judge said lead plaintiff Maria Pirozzi was able to make a “causal connection” between statements Apple made about the iPhone and the safety of its apps and her loss, the report states. “Plaintiffs alleged loss is clear: Apple claimed that apps could not access data from other apps…in actuality they can and have.” [ Courthouse News Service]

US – Judge Dismisses Privacy Claim Against Neighborhood Photographer

New York State Court Judge Eileen A. Rakower has dismissed a claim against photographer Arne Svensen that alleged invasion of privacy. Svensen is a photographer who took photos of his neighbors through their windows, without their knowledge, and displayed the images in an art show. Rakower said the photos are protected under the First Amendment. New York’s civil rights laws “yield to an artist’s protections under the First Amendment under the circumstances presented here,” Rakower wrote. [Photo District News]

US – Court: Vehicle Records Must Be Reasonably Cared For Before Resale

A U.S. Court of Appeals has ruled that companies that resell personal information from motor vehicle records are subject to a “duty of reasonable care before disclosing such information pursuant to the Driver’s Privacy Protection Act (DPPA).” The court ruled on July 31 in Gordon v. Softeach Int’l that “Given the nature of information available through motor vehicle records—e.g., Social Security number, medical or disability information and home address—the DPPA’s purpose would be severely undermined if resellers’ disclosures were not subject to a duty of reasonable inquiry.” [Bloomberg BNA]

US — Chief Justice Roberts Underscores the Issue of Privacy

Chief Justice of the U.S. Supreme Court John G. Roberts Jr. says privacy will be the biggest constitutional issue facing the court for years to come. Among the privacy questions that courts have considered:

  • Can police attach a GPS device to the vehicle of someone they want to track without first obtaining a warrant? In a ruling early last year, the Supreme Court said no. To do so is a violation of the expectation of privacy and, thus, of the Fourth Amendment.
  • Can police take DNA samples from those arrested, but not convicted, of serious crimes? The Supreme Court said yes, in a ruling this spring.
  • Are personal emails protected by federal privacy laws, such as those that cover traditional mail? Different courts have reached different conclusions. In April, the Supreme Court refused to take up the case. So who knows?
  • Can police search cellphone data of people they have arrested? Again, courts have issued different rulings. The Supreme Court has not considered the issue yet.

Other issues:  Can employers demand to see the private Facebook accounts of job applicants? Can they discipline employees for what they say on social media? Questions such as these have developed quickly over the past 10 to 20 years and there is no reason to think the pace of change will slow down, such is the rapidity with which technology continues to evolve. The courts can barely keep up, which helps explain Roberts’ view of the issue. These are important, bedrock issues that will continue to work their way through the courts for decades to come. That is not simply an issue for judges, but for presidents, senators and, at root, voters. [Source]

RFID

UK – London’s Bins Are Tracking Your Smartphone

A UK-based authority has called for the end of WiFi tracking by recycling bins placed across London. The “pods” feature LCD screens that show advertisements to passersby, but can also record smartphone movements and other details. The City of London Corporation (CLC) has alerted the Information Commissioner’s Office of the bins, which have allegedly recorded the details of 4,009,676 devices from pedestrians in one week. “Irrespective of what’s technically possible, anything that happens like this on the streets needs to be done carefully, with the backing of an informed public,” the CLC said. Financial Times reports the company behind the bins says there is potential to help companies predict “personal habits” of consumers. [The Independent]

UK – City of London Bans Wi-Fi Tracking Trash Bins

The City of London Corporation has asked a company called Renew London to stop using devices embedded in trash bins to gather data from and track smartphones. The high-tech trashcans play advertisements on an integrated flat-screen. The devices in the bins log smartphones’ media access control (MAC) addresses. There are presently 12 tracking devices installed in recycling bins around the city. A statement from the UK Information Commissioner’s Office (ICO) reads: “Any technology that involves the processing of personal information must comply with the Data Protection Act,” and noted that it “will be making enquiries to establish what action, if any, is required.” Renew London has suspended trials of the tracking program. [BBC] [ArsTechnica] [The Register] [v3.co.uk] [ArsTechnica]

Security

US — White House Lists Incentives to Adopt Cyber Security Framework

The White House has compiled a list of incentives that it hopes will encourage private sector companies, especially those that support elements of the country’s critical infrastructure, to adopt practices described in the Cybersecurity Framework. The incentive areas include cybersecurity insurance, grants, and liability limitation. [SCMagazine] [CNET] [ComputerWorld] [Whitehouse.gov]

US – Survey: CIO, CISO Not Part of Insurance Decision

A new survey conducted by the Ponemon Institute reveals that approximately one-third of businesses and public-sector organizations purchase cyberinsurance, but chief information officers and chief information security officers often have “very little influence” in the purchase decision. Among the 638 U.S. organizations canvassed, there is “still a lot of skepticism about whether such insurance is worth the cost,” the report states. [Network World]

Surveillance

US – NSA Is Casting “Far Wider Net” Than Previously Disclosed

While the NSA has publicly acknowledged collecting and searching the contents of Americans’ digital communications without a warrant, it was previously understood that only conversations between Americans and targeted foreign nationals were collected and searched. Now, reports The New York Times, the documents released by Edward Snowden reveal that any communication that crosses the border and even mentions a piece of information connected to a suspect is being collected and searched. The NSA says this practice is legal under the 2008 FISA law. An anonymous senior intelligence official told The Times the NSA “makes ‘a clone of selected communication links’” to gather the information. NSA officials have publicly denied this practice in the past. The ACLU and other organizations are calling this “precisely the kind of generalized spying that the Fourth Amendment was intended to prohibit.” [New York Times] See also: [How A ‘Deviant’ Philosopher Built Palantir, A CIA-Funded Data-Mining Juggernaut] and also: [How Big Data Could Help Identify the Next Felon — Or Blame the Wrong Guy]

US – Obama Meets with Tech Biz; Snowden’s E-mail Provider Shuts Down

President Barack Obama met with CEOs from Apple, AT&T and other U.S.-based technology companies to discuss government surveillance, just days after meeting with privacy advocates, POLITICO reports. On the same day, officials from the FBI, CIA and NSA spoke about cybersecurity, and e-mail service provider Lavabit —which offered high-level encryption services and was reportedly used by whistleblower Edward Snowden—announced it was immediately shutting down its service. Lavabit owner and operator Ladar Levison said it was a “difficult decision: to become complicit in crimes against the American people or walk away” from his company. He added the experience has taught him that “without congressional action or a strong judicial precedent, I would_strongly_recommend against anyone trusting their private data to a company with physical ties to the U.S. government.” Snowden said U.S. tech companies “must ask themselves why they aren’t fighting for our interests (in) the same way.” Additionally, Silent Circle announced it was shutting down its encryption e-mail service. [The New York Times]

WW – Satellite Technology a Boon for Business

The New York Times reports on affordable miniature satellites that will soon be orbiting Earth and sending back frequent, low-cost snapshots from space. The data captured from such technology will be valuable, one expert says, perhaps used by insurance companies to take “before” and “after” views of insured property to validate claims, for example. But some may not be so excited about such surveillance, said New York University Prof. Mitchell Stephens, calling the satellite’s pictures “a Godlike view, looking down from the heavens.” [Source]

UK – CCTV Code of Practice Comes Into Force After Privacy Concerns

The Home Office has introduced a CCTV code of practice to try to curb the excessive use of cameras for surveillance by increasing numbers of private and public sector organisations. However, there is no enforcement of the code and no fines for breaking it.The code, set out by the Home Office earlier this year, acknowledges that CCTV can be vital to security and surveillance, but said it must have a “legitimate aim” and be “compliant with any relevant legal obligations”. In particular, concerns have grown over recent years over the way CCTV is being used for excessive monitoring, such as in taxis, which was deemed illegal by the Information Commissioner’s Office last year. The code states: “This code has been developed to address concerns over the potential for abuse or misuse of surveillance by the state in public places, with the activities of local authorities and the police the initial focus of regulation.” To try and enforce this there are 12 points that CCTV operators must follow that cover a range of issues, from use to data retention and the ability to contact the people running the cameras to access information. [Source]

Telecom / TV

WW – Android 4.3 Keeps WiFi On, Even When It’s “Off”

The latest version of the Android operating system comes with a new feature that some technologists are drawing attention to: Even when a user switches WiFi access off, the device will continue to scan for WiFi networks. This is done “for providing better location information to apps.” However, there is a way to disable this functionality, which is detailed in the article. WPIX, a television station in New York, notes this default setting is raising privacy concerns [ValueWalk] See also: [Baby monitor hacked, spies on Texas child] And also: [Is Advising Clients To Clean Up Social Media After Filing a Lawsuit Questionable? ]

US Government Programs

US – NSA to Create Full-Time Privacy Officer; Obama Proposes Changes

In his first news conference since April, President Barack Obama defended the National Security Agency (NSA) surveillance programs, called for more transparency along with a task force charged with reporting on the programs and proposed four changes to the existing programs. Obama said the NSA will create a full-time privacy and civil liberties officer. The White House released a 22-page whitepaper defending the domestic collection of phone metadata, and the NSA also released a seven-page document detailing its role and authority. [The New York Times]

US – NSA Plans to Eliminate System Administrators

In an effort to reduce the risk of information leaks, the US National Security Agency (NSA) plans to get rid of 90 percent of its contracted system administrator positions. NSA Director General Keith Alexander said that the agency plans to move to an automated cloud infrastructure. Speaking on a panel along with FBI Director Robert Mueller at a security conference in New York, Alexander referred to the recent revelations about the scope of NSA surveillance, noting that “people make mistakes. But … no one has willfully or knowingly disobeyed the law or tried to invade … civil liberties or privacy.” [NBC News] [ArsTechnica] [The Register]

US Legislation

US – SB 1386 10 Years Later and the Path Forward

“Whether or not you view the passage of California’s SB 1386 data privacy law in 2003 as a watershed moment in the information security world, few can argue that its enactment significantly changed the infosec playing field,” writes Randy Sabett for Search Security. Sabett predicts that the trend started by SB 1386 “of increasingly proactive and granular state data privacy laws will continue to evolve” by focusing on the obligations of stakeholders—mainly those that are collecting the data, and he also expects to see federal privacy legislation. “For now though, it seems that there are too many stakeholders with varied interests to get an ‘omnibus-style’ bill on the books.” [Source]

US – Ohio Case Demonstrates Danger in BYOD Policies

JDSupra Law News analyzes the recent case in the Northern District of Ohio demonstrating the tension between employer control and employee privacy when it comes to bring-your-own-device (BYOD) policies. In Lazette v. Kulmatycki, an employer read the personal e-mails of a former employee after she turned in her Blackberry device, thinking she’d deleted the account. The employer was found to be at fault, but prosecutors had to stretch a bit to convict him under existing laws. “At a macro level, this case should be a warning to employers to continue to be careful with personal information in a BYOD environment,” the report states. “The potential liability for employers could be significant.” [Source]

US – Vote Delayed on E-Mail Warrant Bill

The Hill reports on the delay in “a vote on legislation that would require police to obtain a warrant before accessing e-mails and other online messages.” Senate Judiciary Committee Chairman Patrick Leahy (D-VT) had pressed for a vote prior to the August recess, “but at least one Republican objected to the bill,” resulting in the delay, the report states. If passed, the legislation will limit law enforcement’s ability to access private online messages. Currently, the Electronic Communications Privacy Act of 1986 only requires a subpoena to require Internet companies to provide access to such communications if they have been opened or are more than 180 days old. [Source]

US – Will Congress Legislate Glass?

In a world where laws are constantly playing catch-up with technology, Google Glass offers a possibility for preemptive legislation. Four states have introduced laws to ban Google’s wearable computer Glass while driving; casinos and healthcare facilities are also beginning to ban it; it’s not allowed in the Speaker’s Lobby of Congress, and now Congress is trying to figure out what to do about the privacy and legal issues surrounding the device. All before it’s even available for public consumption. [Politico]

US – New Jersey Bill To Allow Warrantless Cellphone Searches Contested

Proving illegal cellphone use was the cause of a car crash can be difficult for law enforcement. So one New Jersey lawmaker aims to make the process easier by proposing legislation that would allow police to search through a driver’s cellphone after a crash without a warrant. Sen. James Holzapfel (R-Ocean) proposed the legislation in June, but privacy advocates have called it unconstitutional. “We’re entitled to have a zone of privacy, and just because technology threatens to pierce that zone of privacy…doesn’t mean we should give up our constitutional protections,” said a trial lawyer and privacy expert. [Source]

US – Court: Gov’t Doesn’t Need Search Warrant for Location Data

A federal appeals court has decided that government authorities can extract historical location data directly from telecommunications carriers without a search warrant. The court ruled that such searches are constitutional because location data is a “business record” and so is not protected by the Fourth Amendment, the report states. The decision could have implications for other government initiatives to collect metadata under the premise that it constitutes a business record. “It doesn’t make it a slam dunk, but it makes a good case for the government to argue that position,” said one expert. This follows a decision Monday on the searches of cell phones in general where judges said they believe it’s a matter for the Supreme Court. [the New York Times]

US – Appeals Judges: Supreme Court Should Decide Cell Search Case

Following the First U.S. Circuit Court of Appeals’ decision Monday not to rehear a case involving whether warrants are needed to search cell phones, “two First Circuit judges said they voted against rehearing the case in order to speed its path to the U.S. Supreme Court.” In May, the Appeals Court decided 2-1 that Boston police needed a warrant to search a suspect’s cell phone, and earlier this month, Justice Department lawyers asked the court to rehear the case. “Ultimately this issue requires an authoritative answer from the Supreme Court, and our intermediate review would do little to mend the growing split among lower courts,” wrote Judge Jeffrey R. Howard, and Chief Judge Sandra Lynch wrote, “The preferable course is to speed this case to the Supreme Court for its consideration.” [The Wall Street Journal]

US – Fifth Circuit Decision “Doomed” at SCOTUS Level

Mark Joseph Stern contends that this week’s Fifth Circuit Court of Appeals decision that authorities do not need warrants to extract historical location data from cell phones “is doomed at the Supreme Court” level. “The Fifth Circuit’s cellphone ruling is almost certain to be reversed in the near future, barring a dramatic change of heart from one of the Supreme Court’s privacy lovers,” he writes. Meanwhile, TIME takes a look at five recent privacy cases in a report examining how the Supreme Court defines the right to privacy. [Slate]

US – Sen. Leahy Introduces FISA Privacy Act

Senate Judiciary Chairman Patrick Leahy (D-VT) has introduced legislation to reform America’s surveillance powers. The FISA Accountability and Privacy Protection Act of 2013—which is cosponsored by nine additional senators—would narrow the scope of Section 215; allow for judicial review of “gag orders” provisions; move up the FISA Amendments Act sunset clause by two years; require the inspector general of the intelligence community to conduct a comprehensive review of the current law and its impact on citizens’ privacy, and mandate the release of an unclassified report for the public on the impact of the surveillance programs on individual privacy, the report states. The Senate Judiciary will host a hearing on privacy and the NSA disclosures on Wednesday. [Slate]

US – Franken Introduces Surveillance Transparency Act of 2013

Sen. Al Franken (D-MN) has introduced a bill that would require more transparency around government collection of broadband and phone info. “The Surveillance Transparency Act of 2013 would expand and improve ongoing government reporting about programs under the PATRIOT Act and Foreign Intelligence Surveillance Act that have been the subject of controversy in recent weeks,” said Franken’s office in its announcement. [Multichannel News]

US – Senators Seek Changes to FISC, Section 215

Sen. Richard Durbin (D-IL) said changes to foreign intelligence surveillance court proceedings are needed and proposed adopting “a real court proceeding” to approve wiretapping requests, The Wall Street Journal reports. “Let’s have an advocate for someone standing up for civil liberties to speak up about the privacy of Americans when they make each of these decisions,” Durbin said, along with proposing the release of redacted FISA court transcripts. In a special to The Washington Post, Sens. Mark Udall (D-CO) and Ron Wyden (D-OR) urge the White House to “end the bulk collection of Americans’ phone records and instead obtain information directly from phone companies, using regular court orders based on individual suspicion.” The prevailing sentiment, The New York Times reports, is that momentum is building in Congress to alter NSA surveillance. [ABC’s This Week]

US – Senate Strongly Presses NSA; Bills Introduced; Classified Docs Released

At a recent Senate Judiciary Committee hearing senators from both sides of the aisle pressed representatives from the National Security Agency (NSA), Office of the Director of National Intelligence (ODNI), Federal Bureau of Investigation and Justice Department over surveillance programs, particularly the provision allowing for the dragnet collection of Americans’ phone metadata. Committee Chairman Patrick Leahy (D-VT), on several occasions, expressed deep concern about the amount of Americans’ data being collected under Section 215. A number of senators said they were introducing legislation to narrow the scope of the collection of phone metadata. Obama administration representatives said they were willing to “reevaluate” the program. [The Privacy Advisor ]

US – FTC Updates COPPA FAQs

The FTC has updated its Frequently Asked Questions (FAQs) about changes to the Children’s Online Privacy Protection Act (COPPA). Updates include share buttons, actual knowledge and information collected from child-redirected sites. If an app includes a share button that allows children to send or post information, “verifiable parental consent” is required; clarity on the actual knowledge standard is provided, and best practices are offered to third parties that discover personal information from a child-directed site has been collected. Recent COPPA revisions by the FTC went into effect on July 1. [Full Story ]

US – Calls on FTC to Curb Brick-and-Mortar Tracking

Sen. Charles Schumer (D-NY) has called on the FTC to institute rules to allow shoppers to opt out of smartphone tracking at brick-and-mortar retail stores. Schumer said that participating stores are “going to know a lot about you by following you around, even if you don’t purchase, even if you’re just browsing.” He also added that children can be tracked, and collected data may be stored indefinitely. [CBS New York]

US – Woman Awarded $1.44M; Company to Appeal

A Marion Superior Court jury has awarded a plaintiff “$1.44 million after finding Walgreens and a pharmacist violated her privacy when the pharmacist looked up and shared the woman’s prescription history.” The lawsuit alleged, “As a provider of pharmaceutical service, defendant Walgreens Co. owes a non-delegable duty to its customers to protect their privacy and confidentiality of its customers’ pharmaceutical information and prescription histories.” In a statement, Walgreens has said it will appeal, stating it is “a misapplication of the law to hold an employer liable for the actions of one employee who knowingly violates company policy.” [Indianapolis Star]

US – Utah Law Allowing Administrative Subpoenas Challenged

Legislators are joining privacy advocates in criticizing a Utah law, passed in 2009, that allows prosecutors to obtain Internet users’ information without a warrant. These so-called “administrative subpoenas” allow Investigators to order Internet companies to hand over a user’s name and address, Web session times and durations, local and long-distance phone records and banking information when relevant to cases. The law has been used roughly 1,200 times since its passing. Now, however, privacy advocates and legislators alike are questioning whether the law is in line with the constitution, though it hasn’t yet been challenged in court. Rep. Brian Greene (R – Pleasant Grove) told the Salt Lake Tribune in an e-mail interview that he would favor legislation to scale back the law. Another member of the Judiciary Interim Committee, which has held hearings on the law, Sen. Luz Robles (D-Salt Lake City), said protections should be added to the statute to ensure it’s being used out of necessity, not convenience. Full Story

US — North Carolina Delays Drones with Budget Law

Under North Carolina’s budget law, without the state chief information officer’s okay, no government entity may buy or operate a drone “or disclose personal information about any person acquired through the operation of an unmanned aircraft system” before July 2015. Rep. Jason Saine (R-Lincoln) says the delay is to allow for time to look into concerns about the possibility for police to obtain 24-hour public surveillance abilities. There are exceptions to the rule, and the department of transportation reportedly has plans to acquire a drone in conjunction with the launch of a drone research field. [The Miami Herald ]

US – New York Court Rules DMV-Data Brokers Not Liable for Subsequent Use

The New York Second Circuit ruled that while companies that sell DMV information cannot be held liable under the Driver’s Privacy Protection Act for a purchaser’s use of that information, it “held that companies must uphold a certain standard of care in evaluating statutory disclosure exceptions.” [Law360]

Workplace Privacy

US – Ohio Case Demonstrates Danger in BYOD Policies

JDSupra Law News analyzes the recent case in the Northern District of Ohio demonstrating the tension between employer control and employee privacy when it comes to bring your own device (BYOD) policies. In Lazette v. Kulmatycki, an employer read the personal e-mails of a former employee after she turned in her Blackberry device, thinking she’d deleted the account. The employer was found to be at fault, but prosecutors had to stretch a bit to convict him under existing laws. “At a macro level, this case should be a warning to employers to continue to be careful with personal information in a BYOD environment,” the report states. “The potential liability for employers could be significant.” [Source] See also: [Bra Sizes of Female Detroit Police Officers Emailed to Coworkers] and [NZ:  Sacked woman ordered to show her Facebook pages to prove she didn’t misuse sick leave] See also: [ON: Privacy watchdog’s advice sought for grant-rejection policy]

+++

 

Advertisements
Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: