01-15 September 2013

Biometrics

US – U.S. to Expand Data Sharing Overseas

The Department of Homeland Security plans to expand foreign biometric data sharing. The Office of Biometric Identity Management (OBIM), now five months old, will use a $33 million contract with Accenture to decrease the time, cost and personnel required to share U.S. biometric data with the UK, New Zealand, Canada and Australia. OBIM provides biometric data to federal, state and local governments to deal with immigration violators, criminals and known or suspected terrorists, OBIM’s deputy director said, adding it aims to improve biometric data-sharing and increase interoperability among the U.S. Departments of Defense, Justice and State. Meanwhile, the U.S. and Japan seek to formalize an agreement on sharing fingerprints of convicted criminals. [FCW] SEE ALSO: [US: Ohio scrambles to secure facial recognition system]

WW – Apple Releases Include Fingerprint Sensor

Apple has released two new iPhones, including a model with a fingerprint sensor that can be used instead of a passcode. In response to privacy concerns, Apple says user fingerprints will only be stored on the phone and will not be shared with app developers. The release is symbolic of a number of new on-the-market devices that use biometric authentication tools. A new wristband, Nymi, contains a voltmeter to read heartbeats. “You put it on. It knows it’s you. It communicates that identity securely to everything around you,” said the wristband’s creator. The biometric devices come on the heels of the recent discovery that even a 55-character password could be broken. [New York Times] [WSJ: Apple’s Fingerprint Feature and Pleading the Fifth] [Apple provides details on Touch ID’s privacy features] [What NSA snoops like about the iPhone] and [Thieves may mutilate owners in bid to gain access to fingerprint-reading handsets, expert warns] and [Canadian company puts password protection a heartbeat away]

WW – NIST: Iris Recognition Authentication Method Needs Some More Work

Federal researchers have reconfirmed the reliability of the iris as an authentication factor. But we’re at least 3 years away from using iris scanning as an advanced method of user authentication for IT systems. What’s holding back iris recognition as an authentication tool to access information on IT systems? According to experts, there are three main reasons: size, cost and culture. Specialized iris-reading cameras are too big to fit into the form factor of a laptop, smart phone or tablet. To be practical, an iris camera needs to be shrunk to the size of a webcam. For now, most iris cameras are much larger. Iris-reading cameras are too costly to be economically feasible to build into user devices – even if they could fit. Iris scanners and cameras cost hundreds if not thousands of dollars each. Imagine what that would do to the cost of a laptop or tablet. Another barrier: the IT security culture. When addressing authentication, many organizations’ IT security groups focus on something the user knows (password) or something the user has (token) and not on who the user is (biometric). That type of thinking needs to change. [Source]

Canada

CA – OIPC: GPS Tracking of Employees Is OK

BC’s Office of the Information and Privacy Commissioner (OIPC) has ruled that two elevator companies in the province can continue to use GPS technology to keep tabs on their employees. The employees had filed complaints that the practice violated their privacy. The OIPC did rule, however, that one of the companies must temporarily suspend the practice until it provides better notice to workers about data collection and use. One privacy advocate says the case indicates the need for new discussions about tracking given advances in technology since legislation on the matter was crafted. Meanwhile, Postmedia News suggests appropriate privacy policies can help keep employers out of trouble. [The Canadian Press]

CA – How to Keep Your Home’s Purchase Price Secret

Clients often ask whether I can keep the price they are paying for their home off the title record. The main reason is for privacy. They don’t think it is anybody’s business but theirs. You can do it if you pay the land transfer tax in advance. The tax is usually paid by your lawyer, but you can do it yourself. If that’s the case, you must include these documents with your request:

  • A cover letter from the lawyer;
  • A copy of the original agreement of purchase and sale;
  • The draft deed to be registered on closing;
  • A copy of the statement of adjustments;
  • Three signed land transfer tax affidavits; and
  • A certified cheque payable to the Ministry of Finance for the amount of land transfer tax owing.

The Ministry will then provide your lawyer with a special code to be entered on closing, to confirm that the land transfer tax has already been paid. If the house is in Toronto, you will also have to pay the municipal Land Transfer Tax. In order to pre-pay this tax, there is a similar process that must be followed but you have to send the material to a different location. In all cases, what will show on your title after closing is either zero or $2 for the price paid. [Source]

CA – Saskatchewan Privacy Commissioner Says SGI ‘Over Gathering’ Information

Saskatchewan’s Privacy Commissioner says SGI needs to stop “over gathering” medical information about crash victims, but the government-owned insurer says it’s not up to the commissioner to pass judgment. The latest report from Gary Dickson details the case of a woman who made an injury claim after a collision. SGI told her they would need medical files related to injuries to her neck and back.

But the report shows SGI gathered all of her medical files, including a reference to a sexually-transmitted disease the woman had years earlier. SGI did not explain why it gathered that information. It also says accident claims do not fall under the Privacy Commissioner’s jurisdiction. The information watchdog disagrees. [Source] [Saskatchewan Commissioner concerned] See also: [Ontario Liberals look for place to store 1.4 million boxes of government records]

Consumer

WW – Survey: 86% of ‘Net Users Mask Footprint; Scared of Peers More than Gov’t

According to a recent survey, 86% of Internet users have taken at least one step to remove or mask their digital footprints online, and 55% have taken steps to avoid observation by certain people—including organizations or the government. The survey, conducted in July by the Pew Research Center’s Internet & American Life Project, examined 792 adult Internet users’ responses. Given recent revelations about U.S. government access to data, Director Lee Rainie said he was surprised to find that respondents were more concerned with hiding data from people they knew than the government or law enforcement. [Full Story]

WW – Consumers: Forget Screen Size, Cameras; Sell Us Privacy

Consumers are now more concerned about privacy in the use of their mobile phones and apps than they are about screen size, brand, weight or camera resolution. That’s according to TRUSTe’s 2013 Consumer Data Privacy Study, which polled more than 700 U.S. smartphone users. Only a phone’s battery life topped privacy when users prioritized their concerns. [Full Story] SEE ALSO: [Canada’s Moral Compass Points to Apathy on Online Privacy]

US – Insurer Wants Out of Breach Coverage in ZIP Code Case

Consumers in California, Massachusetts and Washington, DC, are suing Urban Outfitters, Inc., and its subsidiary, Anthropologie, Inc., for collecting ZIP codes during credit card transactions. OneBeacon American Insurance Company says the retailer’s insurance doesn’t cover such privacy issues, the report states, and is asking a federal judge to absolve it of any obligation in the case. [Main Justice] For a primer on this issue, see Angelique Carson’s report, with a guide to ZIP code law.

US – Project Aims to Educate About Digital Footprints

A National Science Foundation-funded project called Teaching Privacy and a related online tool lets users track the location of Twitter and Instagram users. Both the project and the “Ready or Not” tool aim to educate individuals—particularly high school students—about online privacy and how our personal information forms a digital footprint. Expanding on the Ready or Not geo-tracking tool, Gerald Friedland, an International Computer Science Institute researcher working on the Teaching Privacy project, said, “Most people…do not know that if you tweet something this location data is actually publicly available.” The researchers are also working on a study showing that an anonymous account holder of a service such as Yelp can have reviews cross-referenced with location data and timestamps on other services to reveal the user’s identity. [GigaOm]

JP – Tokyo Taxis Alert Passengers When They Leave Something Behind

Each taxi will be equipped with four cameras: one under the driver’s seat, one under the front passenger seat, one on the ceiling and one in the taxi’s trunk. The system works by comparing before and after images of the areas photographed. If the system detects an item left behind, such as a purse or a mobile phone, it instantly sounds an alarm, allowing the passenger to retrieve his or her belongings before the taxi drives off. To address privacy concerns related to the new system, the company claims the system won’t capture clear images of faces, and signs will be posted inside the vehicles to alert passengers to the cameras. Tokyo drivers reportedly handed 210,000 objects left behind in their cars to police last year. The company also claims that it has recovered a vast range of items from its cars over the years. It says that mobile phones account for about 60 per cent of objects left behind. [Source]

E-Government

US – Employees Improperly Used Driver’s License Database: Suit

Eighteen people plan to file a lawsuit in Minneapolis federal court, claiming that government employees in Winona and more than 50 other Minnesota counties and cities violated their privacy by inappropriately using the state’s driver’s license database. The complaint alleges that “government officials targeted citizens based on their political involvement” and searched private information using the database, commonly used by law enforcement. Attorney Erick Kaardal, who represents the accusers, said he plans to reveal evidence of more than 600 illegal searches by employees of municipalities. The state’s driver’s license database made news last year, when a Department of Natural Resources employee was accused of using it to access the records of thousands of people, the vast majority of whom were women. A February 2013 report from the state legislative auditor’s office found numerous cases of abuse, including a case where 88 law enforcement employees misused the database, and some continued to do so after leaving their jobs. The report found that more than half of law enforcement personnel who used what’s called the Driver and Vehicle Services database had searched information on people with their same last name, or searched primarily for either women or men during 2012. “Law enforcement personnel have used their access to driver’s license data for non-work purposes or work purposes that are not allowed by state law,” the report found. The office’s report said monitoring, accountability, and training all need to be strengthened. [Source]

E-Mail

US – Lavabit Owner Appealing Surveillance Order

Lavabit owner Ladar Levison has appealed the secret surveillance order received from the US government that prompted him to shutter his business in August. The details have been placed under seal. The surveillance order forbids Levison from disclosing what the government has asked of him or who its target was. [WIRED]

US – Archives: Federal Workers May Use Secret Emails

Administration officials and other federal workers may continue to use secret government email accounts to conduct official business as long as the messages are safely preserved and turned over when they are sought under the Freedom of Information Act, the nation’s record-keeping agency said. New rules from the National Archives and Records Administration follow an Associated Press investigation earlier this year that found that some Obama administration political appointees used government email accounts that were not disclosed to the public or to congressional officials. On Tuesday, U.S. Archivist David Ferriero told a House oversight hearing that he doesn’t care how many email addresses government officials use. But Republican lawmakers said multiple email accounts, while they could be useful for organizing large numbers of emails, may complicate efforts to pinpoint which accounts belong to whom. [Source] SEE ALSO: [Deleted emails in power plant scandal prompts push for training] and [Google lawsuit stirs debate over email privacy rights]

Electronic Records

US – ONC Releases Guidance on Interoperable E-Health Exchanges

The Office of the National Coordinator for Health Information Technology has released guidance in order to facilitate interoperable electronic health information exchanges. While many healthcare providers qualify for Medicare and Medicaid electronic health record incentive payments under the HITECH Act, there are many providers that are ineligible for such payments. The guidance aims to “serve as a building block for federal agencies and stakeholders to use as they work with different communities to achieve interoperable electronic health information exchange.” [Source]

CA – MGS Statement on Commissioner Cavoukian’s Special Report

Minister of Government Services John Milloy made the following statement on the actions taken to comply with the recommendations in the Special Report on the records management practices of political staff: “I want to thank the Information and Privacy Commissioner again for her report and for meeting with me in June. Our government takes its recordkeeping obligations seriously and we are committed to being open, accountable and transparent. Addressing Dr. Cavoukian’s recommendations has been a top priority to ensure that situations referred to in her report do not happen again. I want to thank both the offices of the Information and Privacy Commissioner and the Integrity Commissioner for working with our government on these important issues. The actions we are announcing today address all of Dr. Cavoukian’s non-legislative recommendations, including:

  • Developing a mandatory training program for all political staff to ensure that staff are fully aware of and trained in their records management obligations;
  • Creating a working group of Premier’s Office staff, Cabinet Office staff and Ministry of Government Services staff to clarify and strengthen the government’s records retention policies and practices so that they can successfully be put into practice;
  • Appointing ministers’ chiefs of staff and the Premier’s chief of staff as the persons accountable for the implementation and compliance with records management policies in each of their respective offices and appointing a senior advisor in the Premier’s Office to provide advice and guidance to all offices on these issues; and,
  • Improving archiving requirements by conducting a review of the archiving schedules.

The Premier has also issued a directive to all political staff underlining the serious obligations of staff to manage records in accordance with approved records retention schedules, and to complete mandatory training. [Source] and [Statement from Commissioner Cavoukian in response to September 4 statement by the Minister of Government Services]

Encryption

WW – NSA Undermines High Level of Internet Encryption

The latest leak from former government contractor Edward Snowden reveals the U.S. National Security Agency has “circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, web searches, Internet chats and phone calls of Americans and others around the world,” according to a multi-pronged report by The New York Times, ProPublica and The Guardian. Since 2000, the agency has invested billions of dollars to influence international encryption standards and force technology companies to provide backdoor access to encrypted communications. The ACLU’s Christopher Soghoian said the programs are “making the Internet less secure and exposing us to criminal hacking, foreign espionage and unlawful surveillance,” adding that it “will further erode not only the United States’ reputation as a global champion of civil liberties and privacy but the economic competitiveness of its largest companies.” [Full Story] See also: [Real privacy means oversight – Op-Ed: Ann Cavoukian, Ron Deibert, Andrew Clement and Nathalie Des Rosiers, The Globe and Mail] and [Canada complicit in undermining Internet privacy: Geist] and [US: Johns Hopkins reverses decision forcing prof to pull NSA post] and [US – Poll: Public Doubts Rise on Surveillance, Privacy] and [Ontario Privacy Watchdog Is Not Amused With The NSA] and [Schneier on NSA’s encryption defeating efforts: Trust no one]

WW – Google Encrypts Data Amid Backlash Against NSA Spying

Google is racing to encrypt the torrents of information that flow among its data centers around the world in a bid to thwart snooping by the NSA and the intelligence agencies of foreign governments, company officials said. The move by Google is among the most concrete signs yet that recent revelations about the NSA’s sweeping surveillance efforts have provoked significant backlash within an American technology industry that U.S. government officials long courted as a potential partner in spying programs. Google’s encryption initiative, initially approved last year, was accelerated in June as the tech giant struggled to guard its reputation as a reliable steward of user information amid controversy about the NSA’s PRISM program, which obtains data from American technology companies, including Google, under various legal authorities. Encrypting information flowing among data centers will not make it impossible for intelligence agencies to snoop on individual users of Google services, nor will it have any effect on legal requirements that the company comply with court orders or valid national security requests for data. But company officials and independent security experts said that increasingly widespread use of encryption technology makes mass surveillance more difficult — whether conducted by governments or other sophisticated hackers. [Source]

EU Developments

EU – MEPs Call for Halt to Anti-Terror Program

Amidst ongoing U.S. National Security Agency surveillance program revelations, Members of the European Parliament (MEPs) are calling for “the immediate suspension” of the Terrorist Finance Tracking Program (TFTP). “I think there is more than enough evidence to call for a suspension,” said Dutch MEP Sophie in’t Veld. The TFTP allows the U.S. Treasury access to data that international bank transfer company Swift stores in Europe, but NSA revelations indicate the U.S. spied on Swift, the report states. German MEP Jan Philipp Albrecht said, “The NSA surveillance is an open breach of the agreement and further undermines the already insufficient data protection given to European citizens under the deal.” [CIO]

EU – New Data Breach Notification Requirement in Effect

SC Magazine reports on the new data breach reporting requirement in the EU. The requirement took hold last week and requires telecommunications and Internet service providers in the EU to report a data breach to authorities within 24 hours of the moment the breach is discovered. Meanwhile, Laura Vivet Tañà examines the proposed EU data protection regulation’s breach notification rule, including such key elements as what should be considered as a personal data breach, the notification requirement and consequences of a security breach. [Full Story]

EU – Safe Harbor May Be Controversial in the EU, But It Is Still the Law

Safe Harbor has become a target for retribution in light of revelations about the National Security Agency’s PRISM program. It has come under fire from Rapporteur Jan Albrecht and the Article 29 Working Party, among others. While various officials have promised reviews and improvements to the framework, none have yet been released. Damon Greer, who directed the EU-U.S. and Swiss Safe Harbor frameworks from 2006-2011, discusses Safe Harbor’s fate. [Full Story]

Filtering

EU – Mosley Wants Censorship Google Isn’t Willing to Give Up

Former Formula One boss Max Mosley wants Google to set up a personal filter to stop personal images of him from appearing on the search engine. The images of Mosley were ruled to be a breach of his privacy rights by a UK court in 2008. Google is willing to remove links to sites where the images are used, the report states, but says setting up a permanent filter for the pictures would mean an “alarming new model of automated censorship.” [Financial Times]

Finance

US – CFPB Seeks to Monitor Credit Card Transactions

Officials at the Consumer Financial Protection Bureau (CFPB) are seeking to monitor 80% of all U.S. consumer credit card transactions this year through a controversial data-mining program. A CFPB planning document for fiscal years 2013-17 indicates plans for a “markets monitoring” program as well as plans to monitor up to 95% of mortgage transactions. “This is one step closer to a Big Brother form of government where they know everything about us,” said Rep. Sean Duffy (R-WI) at a hearing on the matter last week where critics asserted the agency’s plans are beyond its authority. [Washington Examiner]

WW – G20 Countries to Share Tax Records to Crack Down on Cheats

Tax records will be shared around the world by 2015 as part of a G20 pledge to crack down on individual tax cheats and global corporations with complicated arrangements aimed at paying as little tax as possible. The topic of taxation in a global economy has become a major political issue of late, as multinational firms like Apple and Starbucks have faced scrutiny over their corporate structures. Further, investigative reports into the use of offshore tax havens by the world’s wealthiest individuals added momentum to the view that governments are getting short-changed of much needed revenue. As business increasingly moves online and international, cash-strapped governments approved an aggressive timeline to adopt the automatic exchange of tax information among the G20. The deal was solidified after China, the last holdout, agreed to the plan just days before the summit in St. Petersburg. A proposed U.S. law requiring foreign governments – including Canada – to report banking information involving U.S. citizens has already run into concerns from the Canadian government and attracted the attention of Canada’s privacy commissioner. Questions of privacy will likely increase given that the G20 includes non-democratic countries where human rights are a concern, including China and Saudi Arabia. [Source]

FOI

WW – Internet Giants Make New Push for FISA Transparency

As gloomy predictions about the impact of privacy fears on the Internet economy grow ever more frequent, and major concerns about the future of the Internet are expressed, big firms like Facebook, Google, Yahoo and Microsoft have stepped up their efforts in petitioning the U.S. government to allow them to share more about government requests for data with their customers. Computerworld sums up a number of the blog posts from these companies, which outline their legal efforts toward transparency. “The actions and statements of the U.S. government have not adequately addressed the concerns of people around the world,” wrote Facebook general counsel Colin Stretch, in his post. [Full Story]

US – Yahoo Issues First Gov’t Transparency Report

Yahoo’s first government transparency report indicates the company “received 12,444 requests for data from the U.S. government so far this year” related to the accounts of 40,322 users. Of those requests, “37% disclosed the content of Yahoo accounts, such as words in e-mails, photos or uploaded files. In about 55% of the requests made, the company disclosed information about its users that did not involve content but gave information such as names, location data and e-mail addresses.” To date, the report states, Yahoo has rejected “two percent of those federal government requests.” [The Washington Post] SEE ALSO: [Toronto Mayor Rob Ford’s office on ‘honour system’ to release all requested records]

US – Internet Companies Seek Permission to Disclose Gov’t Data Requests

Facebook, Google, and Yahoo have filed a petition with the US Foreign Intelligence Surveillance Court, seeking permission to disclose more information about secret data requests made by the government. The companies are stepping up their push because earlier efforts, made in the wake of revelations about the existence of PRISM and other government surveillance programs that surfaced earlier this summer, were not successful. The companies want to disclose detailed information about national security requests made under FISA. Google has asked that the hearing be made public. [NBC News] [CNET] [ComputerWorld]

Genetics

EU – Proposed DNA Bill in Ireland Leans Toward Destruction

Minister for Justice Alan Shatter has published a bill on the establishment of a national DNA database. The bill takes into account privacy concerns about earlier versions of the bill on destruction of samples and deletion of DNA profiles, among others. Shatter’s bill would allow authorities to take DNA samples from most criminal suspects but the default would be in favor of the destruction of such samples when an individual is not convicted. [Irish Times]

WW – What Happens if Newborns’ Entire Genomes are Screened?

The U.S. government is funding studies on what happens if you screen newborns’ entire genomes. The aim of the study is to find out if the data results in better healthcare or simply data overload. “We would like to see if genome sequencing can shed light on disorders that we don’t screen for currently,” said National Institute of Child Health and Human Development Director Dr. Alan Guttmacher, adding there are questions involved. “How do we protect the baby’s privacy? Where will the baby’s genome data be stored, and who will have access to it?” [NBC News] SEE ALSO: [The Privacy Conundrum And Genomic Research: Re-Identification And Other Concerns]

Google

US – Google Case Can Proceed, Appeals Court Rules

A federal appeals court in San Francisco has said a lawsuit accusing Google of illegal wiretapping can proceed. The case involves Google’s Street View initiative, in which Google vehicles collected e-mail, passwords and other personal information from unencrypted home networks. Google wanted the case dismissed, arguing the data it accessed was exempt from the Wiretap Act because it was readily accessible to the general public. The appeals court agreed with an earlier federal court’s ruling, reasoning that, “Even if it is commonplace for members of the general public to connect to a neighbor’s unencrypted Wi-Fi network, members of the general public do not typically mistakenly intercept, store and decode data transmitted by other devices on the network.” [The New York Times]

US – Federal Appeals Court Denies Google’s Bid to Dismiss Street View Lawsuit

The US 9th Circuit Court of Appeals has ruled that Google’s inadvertent harvesting of users’ personal information from unprotected Wi-Fi routers while collecting data for Street View is not exempt from the Wiretap Act and that the company may be held liable for civil damages. Google had sought to have the lawsuit dismissed, arguing that transmissions over Wi-Fi networks are “readily accessible to the general public.” [WIRED] [Ars Technica] [ComputerWorld] [ZDNet] [BBC.co.uk]

US – Google Wants “Precedent-Setting” Case Dismissed

Google has asked for a case against it, concerning its alleged electronic scanning of Gmail users’ e-mails for the purpose of sending targeted ads, to be dismissed. In a San Jose, CA, court on Thursday, Google said “all users of e-mail must necessarily expect that their e-mails will be subject to automated processing.” The suit was filed on behalf of 10 people and is expected to be certified as a class-action. It’s also predicted to be a “precedent-setting case for other e-mail providers,” the report states. [Associated Press] SEE ALSO: [Google security exec: ‘Passwords are dead’]

Health / Medical

US – New HIPAA Rules Require Revised Notices; Deadline Looms

Earlier this year, the Department of Health and Human Services Office for Civil Rights released omnibus regulations significantly changing HIPAA’s privacy, security, enforcement and breach notification rules. An article for Boston’s WBUR looks at what the changes mean for patients. Under the changes, covered entities must update and post a revised notice of privacy practices before September 23. In this report for Lexology, attorneys from Wilson Elser describe what such notices must include. Meanwhile, California lawmakers are considering proposing stricter HIPAA regulations. [Full Story] SEE ALSO: [US: Your Cat’s Name Could Soon Be Your “Personal Information”]

US – FTC Files Complaint Against LabMD; Companies Suffer Breach Fallouts

The FTC has filed a complaint against medical testing laboratory LabMD, Inc., alleging the company failed to reasonably protect consumers’ personal data, including medical information. The FTC alleges that in two incidents LabMD collectively exposed 10,000 consumers’ personal information. Meanwhile, the insurance company for Schnuck Markets has filed a lawsuit against the company seeking release from liability after a data breach earlier this year, and The University of Texas has informed patients of a data breach after a laptop containing their personal data was stolen. In Florida, the State Department of Health is the subject of criticism over new proposals regarding an online prescription database. And the U.S. Department of Energy has disclosed new information on a data breach affecting more than 14,000 employees. [Full Story]

US – Surgery Photo Prompts Privacy Concerns

A former patient has filed a civil lawsuit against a Los Angeles-based medical center after her doctor and his assistant decorated her face and took a photo while she was unconscious during a surgery. The state also investigated the case. The incident, as well as another involving a salesman taking a photo of a naked patient without the patient’s knowledge, has sparked concerns about mobile devices in healthcare facilities. “The idea that people are using their cellphone or even have one in the operating room is crazy,” said Deborah Peel, founder of Patient Privacy Rights. “It’s a massive security risk and incredibly insensitive to patients.” [Los Angeles Times] [Surgery photo leads to privacy lawsuit against Torrance Memorial]

Horror Stories

US – Hacker Accesses Two Million Vodafone Accounts

An intruder “with insider knowledge” hacked into a Vodafone server located in Germany and gained unauthorized access to approximately two million customer accounts. Compromised personal information includes names, addresses, dates of birth and bank account information but does not include credit card information, passwords, PIN numbers or phone numbers, according to a company statement (in German). According to the report, Vodafone shares fell 0.8% yesterday. The attack was detected earlier this month and was halted. [Bloomberg] SEE ALSO: [Wal-Mart investigates privacy breach at Regina store]

US – Court Reverses Heartland Negligence-Claim Ruling; Case Proceeds

Following the 2008 data breach at Heartland Payment Systems, several banks that had issued credit cards to customers affected by the breach alleged they incurred significant costs by replacing the cards of impacted customers and refunding fraudulent charges, writes attorney Stephen Shapiro. While a trial court dismissed the negligence claim, citing New Jersey’s economic loss doctrine, a Fifth Circuit Court has reversed the ruling, allowing the case to proceed. [Source]

US – Schools, Council Investigate Breaches

The Medical University of South Carolina sustained the largest breach of its history between June 30 and August 21 after a third-party credit card processing company compromised 7,000 patients’ data. Meanwhile, parents of 130 children at two elementary schools in Virginia say their children came home with other students’ sensitive data, prompting fears of identity theft. The Washington Post reports Washington, DC’s privacy officer has “serious concerns” after a paramedic wrote a letter to the DC Council that included a patient’s data, and the University of South Florida is investigating a data breach caused by an employee. [HealthITSecurity]

US – Breach Settlements and Class-Actions Filed

A recent dismissal of a case arising from a credit card skimming attack suffered by Barnes & Noble by the U.S. District Court for the Northern District of Illinois demonstrates the struggle plaintiffs face in trying to articulate injury, write attorneys for Ropes & Gray, LLP. Meanwhile, ModernHealthcare discusses the legal consequences of a recent and massive data breach at Advocate Health Care. MediaPost News reports on both a potential class-action filed in Illinois accusing Google of violating its privacy policy and on Netflix users’ request that a $9 million settlement of a class-action lawsuit be nixed. [Full Story]

Identity Issues

US – Aggregator to Show Users Their Data

Data aggregator Acxiom is planning to unveil a free website where U.S. consumers can view the data the company has collected on them. Users who visit AbouttheData.com will view data on themselves including homeownership status, vehicle details, recent purchase categories and household interests. The site will allow users to click on icons to view the source the aggregated data originally came from. Acxiom’s CEO says the company aims to alleviate consumer fears about data aggregation by being more transparent. Meanwhile, a new UK platform allows users to sell direct access to their data to bidding companies. [The New York Times] [US: Acxiom Lets Consumers See Data It Collects] SEE ALSO: [Dear Janice Lokelani Keihanaikukauakahihuliheekahaunaele: Your name is way too long for your ID]

SK – South Korea Steps Up Authentication Measures to Fight Financial Fraud

In an effort to combat cyber fraud, South Korea’s Financial Supervisory Service (FSS) says that as of September 26, 2013, people who conduct online transactions with banks, insurance companies, brokerage firms, and other financial institutions will be required to identify themselves through text messages or automated response systems. [ZDNet]

CA – Protect New Passport from Hackers: Expert

As of July 1, Canada joined several other countries and added computer chips to all new passports — they carry the passport information and a digital photo. An airport reader scans the passport and accesses the information on the chip in order to verify the identity of the passport holder. The chips in the new passports work on radio-frequency identification, the same technology used in security ID cards and door readers. It is also the same technology that some smartphones have, using near field communication (NFC), which lets smartphones communicate by bumping, or lets people pay for parking using their smartphones. An NFC-enabled smartphone can access the data on chip-enabled passports using an app, giving the user access to the data in 30 seconds. The app is one of several similar apps available in the Android app store. If a user can enter the passport number, the holder’s date of birth and the date of expiry, they can access the information on the chip, including a digital version of the passport picture, with one tap of their phone. Rick Dykstra, parliamentary secretary to Citizenship Minister Chris Alexander, said the passports are still safer than the previous non-chipped versions. “Are they perfect? No. There are always fraudsters and hackers out there who will continue to try to take advantage, but we believe that we’re building a passport that is many times stronger and safer than the previous passport,” Dykstra said. There are ways to protect passports from being read, Neville said, recommending people protect their passports by placing them in RFID-proof cases, which surround the passport and prevent signals from coming in or going out unless the passport is taken out of the case. American passports, for example, have that RFID-proofing built into their covers so they can only be scanned when opened. [Source]
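The chip access described above follows the ICAO 9303 Basic Access Control (BAC) scheme, in which the reader’s keys are derived from exactly the three printed fields the article names. The following is an added example, not code from the article or from any of the apps it mentions; it implements the public key-derivation steps from ICAO Doc 9303 Part 11 and checks them against the specification’s own published test vector (document number L898902C, date of birth 690806, expiry 940623). The function names are the example’s own.

```python
import hashlib

# Test vector from ICAO Doc 9303 Part 11 (worked example for BAC key derivation).
SAMPLE_DOC_NUMBER = "L898902C"
SAMPLE_DOB = "690806"      # YYMMDD
SAMPLE_EXPIRY = "940623"   # YYMMDD


def mrz_check_digit(field: str) -> int:
    """ICAO 9303 check digit: weights 7,3,1 repeat; '<' counts 0, A..Z count 10..35."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif ch == "<":
            value = 0
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        else:
            raise ValueError(f"invalid MRZ character {ch!r}")
        total += value * (7, 3, 1)[i % 3]
    return total % 10


def mrz_information(doc_number: str, dob: str, expiry: str) -> str:
    """The 24-character string BAC hashes: each field followed by its check digit.
    The document number is padded to 9 characters with '<' as on the data page."""
    doc = doc_number.ljust(9, "<")[:9]
    return "".join(f"{f}{mrz_check_digit(f)}" for f in (doc, dob, expiry))


def _odd_parity(key: bytes) -> bytes:
    """Set the low bit of each byte so the byte has odd parity (DES key convention)."""
    out = bytearray()
    for b in key:
        ones_in_upper_bits = bin(b >> 1).count("1")
        out.append((b & 0xFE) | (0 if ones_in_upper_bits % 2 else 1))
    return bytes(out)


def bac_keys(doc_number: str, dob: str, expiry: str):
    """Return (K_seed, K_enc, K_mac) as upper-case hex, per ICAO 9303 Part 11.

    K_seed is the first 16 bytes of SHA-1 over the MRZ information; K_enc and
    K_mac are the parity-adjusted first 16 bytes of SHA-1(K_seed || counter)
    for counter 1 and 2 respectively. Nothing secret enters the computation.
    """
    info = mrz_information(doc_number, dob, expiry).encode("ascii")
    k_seed = hashlib.sha1(info).digest()[:16]
    derived = []
    for counter in (1, 2):
        digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()[:16]
        derived.append(_odd_parity(digest))
    return k_seed.hex().upper(), derived[0].hex().upper(), derived[1].hex().upper()


if __name__ == "__main__":
    seed, k_enc, k_mac = bac_keys(SAMPLE_DOC_NUMBER, SAMPLE_DOB, SAMPLE_EXPIRY)
    print("MRZ information:", mrz_information(SAMPLE_DOC_NUMBER, SAMPLE_DOB, SAMPLE_EXPIRY))
    print("K_seed:", seed)
    print("K_enc: ", k_enc)
    print("K_mac: ", k_mac)
```

Because nothing secret enters the derivation, BAC only assures that the reader has seen (or been told) the data page. That is why a shielding sleeve, which stops the chip from answering at all, is the practical defence the article describes, rather than any change to the key scheme itself.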

UK – Government Signs First ID Assurance Contracts for Online Transactions

The UK government has signed contracts with the Post Office, Verizon, Experian, Digidentity and Mydex for the supply of the first live identity assurance services to drive secure online government transactions. The new cross-government identity assurance framework will see the contractors providing a service to enable people to assert their identity online without security concerns. The development of the identity assurance service will be managed by the Cabinet Office. PayPal, Cassidian and Ingeus have also been awarded a place on the identity assurance framework. The GDS (Government Digital Services) has undertaken a redesign of 25 of the most-used transactional public services in a bid to make them simpler and easier to use. The services include electoral registration, patent renewals and Universal Credit. [Source] See also: [Account Takeover: The Fraudsters’ Edge]

Intellectual Property

UK – ISPs to Collect Data on Illegal Downloaders – Reports

Media companies have asked UK broadband providers to collate information on illegal downloaders, which could violate data protection laws. Those caught committing piracy could be subject to internet throttling and even prosecution. In an attempt to clamp down on the illegal downloading of music and films, the British Phonographic Industry (BPI) and the British Video Association have requested that BT, Virgin Media, BSkyB and TalkTalk record information on piracy. The new code of conduct would oblige the companies to gather data on illegal downloaders and store it in a database. The information could then lead to repeat offenders having their internet cut off or being prosecuted. Internet users will reportedly be given warnings by letter before these measures are taken, reports the Guardian. The move has attracted controversy amid speculation that it may violate the Data Protection Act, as the law says that companies may only retain personal data relating to a client if it is for commercial purposes. The proposal comes as part of a nationwide clampdown on growing internet piracy. Between November 2012 and January 2013, UK watchdog Ofcom reported that 280 million music tracks had been pirated, as well as 52 million television programs. Furthermore, Ofcom found that 18% of internet users aged over 12 had recently committed internet piracy, while only 9% actually fear getting caught. [Source]

Internet / WWW

WW – Experts Want Web Security Rewritten

Internet security experts are calling for a campaign to rewrite web security following news that the U.S. National Security Agency is capable of breaking millions of sites’ encryption codes. But that’s a task that would be extremely difficult, the experts admit. “A lot of our foundational technologies for securing the Net have come through the government,” said researcher Dan Kaminsky, adding, “As much as I want to say this is a technology problem we can address, if the nation states decide security isn’t something we’re allowed to have, then we’re in trouble.” Meanwhile, Chris Matyszczyk writes for CNET that trusting corporations over the government when it comes to data privacy is flawed logic. [Reuters]

WW – Academics Explore the Intersection of Privacy and Big Data

In anticipation of the Future of Privacy Forum and Stanford Center for Internet and Society workshop on meeting the challenges of Big Data and privacy, Stanford Law Review has released its 2013 Symposium Issue with contributions from academics and other privacy experts. Academic works cover topics such as Big Data rewards, classification and fairness, paradoxes of Big Data, “preemptive analytics” and public vs. nonpublic data. Meanwhile, a new post by Ari Waldman in Concurring Opinions explores the “sociology of privacy.” [Full Story]

Law Enforcement

US – Law Enforcement Surveillance Tools Abound

Ars Technica reports on BlueJay—a “Law Enforcement Twitter Crime Scanner.” The program provides real-time access to the “firehose” of public tweets so police can track suspects, keywords, locations, public events, social unrest and department mentions. The Verge reports on Italian-based firm Hacking Team and how the small tech security firm started from two programmers who created a suite of hacking tools. The Milan police eventually contacted the programmers with the intent of purchasing their hacking tools. Hacking Team now boasts 40 employees and sells commercial hacking software to law enforcement in “several dozen countries” on “six continents.” Meanwhile, a recent Foreign Intelligence Surveillance Court opinion states the Edward Snowden leaks “have engendered considerable public interest and debate about Section 215.” [Source] SEE ALSO: [UK: Dozens of police workers being investigated every year for misusing force computers to obtain confidential information]

US – ACLU Report Voices Qualms With License-Plate Scanning

Approximately 75% of U.S. police departments are using or plan to use license-plate scanning technology to help solve crimes. The American Civil Liberties Union (ACLU) says the technology has the potential to collect data on innocent Americans and can be used in ways that violate privacy. “In our society, it’s a core principle that the government doesn’t watch people’s innocent activities just in case they may be connected with a crime,” said Allie Bohm of the ACLU, adding that often “police are retaining this data indefinitely with few privacy protections … It can reveal people’s political views, religious activities and a lot of other personal information.” [Business Insider] SEE ALSO: [AUS: Queensland Premier Campbell Newman says civilians will take place of police in speed camera vans on back of Keelty review] [AUS: NSW Police to be quizzed over numberplate photography data as part of report into privacy]

US – Attorney General Launches Database Probe

Following law enforcement’s increasing use of facial-recognition software, Ohio Attorney General Mike DeWine has requested a review of a law enforcement database. The Ohio Law Enforcement Gateway allows about 300 Ohio law enforcement agencies to access records in a sex-offender registry, driver’s license and motor vehicle registration files and criminal history. There are more than 30,000 approved users. DeWine has formed a working group to discuss safeguards against hacking and privacy violations. [The Columbus Dispatch] See also: [Victoria Police want you to send them photos of distracted drivers]

Location / Mobile

WW – Group Releases Privacy Notice Generator

MEF, a mobile content and commerce industry trade organization, has launched a privacy notice generator for app developers, and the goal, according to the group’s press release, is “to build consumer trust in mobile apps by helping developers apply best practice in the collection and sharing of personal data.” By checking off boxes detailing what data is collected, the free online tool “produces a bespoke privacy policy as HTML code that can be customized and embedded directly into the developer’s application.” Future of Privacy Forum Executive Director Jules Polonetsky said, “AppPrivacy is a useful resource that will help developers effectively and easily create a mobile-friendly privacy policy.” [Bloomberg]

Online Privacy

US – Company Admits Facebook Privacy Violation

HasOffers, a company that provides tools for tracking the performance of online ads, has acknowledged it “recently ran afoul of Facebook’s user privacy policies, and it has had to change its marketing practices.” The company’s CEO noted the company’s “MobileAppTracking platform inappropriately allowed advertisers to obtain device-level attribution and performance data. This was a mistake on our part.” Meanwhile, U.S. Sen. Al Franken (D-MN) has written to Facebook’s Mark Zuckerberg urging the company to rethink plans to use profile photos for tagging suggestions, citing concerns about facial recognition and its ability to track people in the “real world.” [VentureBeat]

WW – Facebook Flaw Allowed Hackers to Delete Posted Photos

A security flaw that allowed hackers to delete any image stored on Facebook has been discovered by Indian researcher Arul Kumar — and he has been rewarded for his efforts. The Facebook flaw, explained at length on Kumar’s blog, exploits the Facebook Support Dashboard. Considered “critical,” the bug works with any browser and any version, but was most successfully exploited through mobile devices. The Facebook Support Dashboard is used to send Photo Removal requests to the firm. Reports are reviewed by Facebook employees, or alternatively reports can be sent directly to the image’s owner. A link is then generated to remove the photo — which, if clicked by the owner, removes the offending image. However, while sending the message, two parameters — Photo_id & Owners Profile_id — are vulnerable. If modified, the hacker could receive any photo removal link in their inbox, without the owner’s interaction or knowledge. Every photo has an “fbid” value, which can be found through a Facebook URL. After the image ID has been obtained, two Facebook user accounts — one acting as a “sender” and one as a “receiver” — can be used to receive a ‘remove photo link’. Owner profile IDs can be found by using Facebook Graph. [Source]
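The flaw described above is an instance of a server making an authorization decision on client-supplied identifiers. As an added example, not code from the article or from Facebook, the sketch below contrasts a handler that mails the removal link to whichever profile id the request names with a hardened one that resolves the owner server-side, binds the link to that owner with an HMAC and re-checks the owner at click time. All names and values (PHOTOS, SERVER_KEY, the fbid values, the profile ids) are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample state: photo id -> true owner profile id.
PHOTOS: Dict[str, str] = {"fbid-1001": "alice", "fbid-2002": "bob"}
# Per-deployment secret for signing links; assumed to be generated at startup.
SERVER_KEY = secrets.token_bytes(32)


def _mac(*parts: str) -> str:
    """HMAC-SHA256 over the joined parts; used to make links unforgeable."""
    return hmac.new(SERVER_KEY, "|".join(parts).encode(), hashlib.sha256).hexdigest()


# --- vulnerable pattern: recipient taken from the request, link not bound to the owner ---
def issue_link_vulnerable(request: dict) -> Tuple[str, dict]:
    """Returns (recipient, link). The recipient is whatever profile id the client sent."""
    photo_id = request["photo_id"]
    link = {"photo_id": photo_id, "token": _mac(photo_id)}
    return request["owner_profile_id"], link


def click_link_vulnerable(link: dict, session_user: str, photos: Dict[str, str]) -> bool:
    """Removes the photo for anyone holding a well-formed link; session_user is ignored."""
    if hmac.compare_digest(_mac(link["photo_id"]), link["token"]):
        photos.pop(link["photo_id"], None)
        return True
    return False


# --- hardened pattern: owner resolved server-side, link bound to owner, owner re-checked ---
def issue_link_hardened(request: dict, photos: Dict[str, str]) -> Optional[Tuple[str, dict]]:
    """Returns (recipient, link) with the recipient looked up from server state.
    The client's owner_profile_id field is never consulted."""
    photo_id = request["photo_id"]
    owner = photos.get(photo_id)
    if owner is None:
        return None  # unknown photo: nothing is sent
    link = {"photo_id": photo_id, "token": _mac(photo_id, owner)}
    return owner, link


def click_link_hardened(link: dict, session_user: str, photos: Dict[str, str]) -> bool:
    """Deletes only when the authenticated user is the owner and the link is bound to them."""
    photo_id = link["photo_id"]
    if photos.get(photo_id) != session_user:
        return False
    if not hmac.compare_digest(_mac(photo_id, session_user), link["token"]):
        return False
    photos.pop(photo_id)
    return True


def demo() -> dict:
    """Runs the same forged request (bob's photo, a third party's id) through both handlers."""
    forged = {"photo_id": "fbid-2002", "owner_profile_id": "mallory"}

    store_v = dict(PHOTOS)
    recipient_v, link_v = issue_link_vulnerable(forged)
    deleted_v = click_link_vulnerable(link_v, session_user="mallory", photos=store_v)

    store_h = dict(PHOTOS)
    recipient_h, link_h = issue_link_hardened(forged, store_h)
    deleted_by_third_party = click_link_hardened(link_h, session_user="mallory", photos=store_h)
    deleted_by_owner = click_link_hardened(link_h, session_user="bob", photos=store_h)

    return {
        "vuln_recipient": recipient_v,
        "vuln_deleted": deleted_v,
        "hard_recipient": recipient_h,
        "hard_deleted_by_third_party": deleted_by_third_party,
        "hard_deleted_by_owner": deleted_by_owner,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two checks in click_link_hardened are deliberately separate: the session check stops a link that reaches the wrong inbox from doing anything, and the HMAC binding stops a link from being altered to name another photo or owner. Either alone leaves a gap; together they mean the only party who can act on a removal link is the authenticated owner of that photo.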

WW – Will Going Public Diminish Privacy on Twitter?

News that microblogging site Twitter plans to go public has prompted some to ask whether certain privacy functions on the site will have to go by the wayside to help generate revenue. The company plans a $15 billion IPO on $500 million of revenue and, to help boost its bottom line, Twitter may have to do away with its Do-Not-Track option. The report also questions whether Twitter may cease publishing its transparency reports and how much it will comply with foreign government requests to remove or share user data. “As the social media company executes its plans to expand abroad,” the report states, “it has much less of an incentive to get into spats with foreign governments over user data.” [Blouin News]

US – Facebook Delays Planned Policy Changes

Following heat from six major consumer privacy groups, Facebook says it will delay planned changes to its privacy policies. The coalition asked the U.S. FTC to block the changes, arguing they would make it easier for Facebook to use user data to endorse advertisements without their consent. “We are taking the time to ensure that user comments are reviewed and taken into consideration to determine whether further updates are necessary, and we expect to finalize the process in the coming week,” Facebook said in a statement. [Los Angeles Times]

US – Coalition Asks FTC to Block Facebook Policy Changes

A coalition of six major consumer privacy groups has asked the FTC to block coming changes to Facebook’s privacy policies. The coalition—which includes EPIC, the Center for Digital Democracy, Consumer Watchdog, Patient Privacy Rights, U.S. PIRG and the Privacy Rights Clearinghouse—says the changes would make it easier for the site to use users’ data. The coalition wrote a letter to the FTC stating the changes violate a 2011 settlement and order with the FTC. [The New York Times]

WW – HP Launches Regulatory-Compliance Service

Hewlett-Packard (HP) has launched a service that aims to help organizations comply with government privacy regulations. HP’s Data Privacy Services contains a suite of services addressing data sanitization, defective media retention and comprehensive defective material retention. “What we’re seeing is demand for this type of service from customers, driven by compliance and liability concerns about leakage of data,” said an HP spokesman. [eWEEK]

US – California to Require Do-Not-Track Disclosures

The California Senate and Assembly passed an amendment to the California Online Privacy Protection Act, which the governor is expected to sign, that will require commercial websites and services that collect personal data to disclose how they respond to Do-Not-Track signals. California Assemblyman Al Muratsuchi (D-66th District) introduced the bill, which was also sponsored by Attorney General Kamala Harris—who’s been pushing for privacy protections and consumer privacy enforcement actions. The bill does not prohibit tracking but “does require websites to choose sides to either honor or ignore Do-Not-Track browser signals,” the report states. [AdWeek]

Other Jurisdictions

AU – OAIC Releases Draft Guidelines

The Office of the Australian Information Commissioner (OAIC) has released the draft Australian Privacy Principle (APP) guidelines for public feedback. The guidelines outline how the OAIC will interpret and apply the APPs, which go into effect in March of next year, the report states. Australian Privacy Commissioner Timothy Pilgrim said the new laws require government agencies and private-sector organisations to be more open and transparent on data handling. “This will give people a better understanding of how their information will be handled so that they can make an informed decision about interacting with the entities covered by the Privacy Act,” he said. [Computerworld]

AU – Long Delays Before Privacy Complaints Assessed

Australia’s federal Privacy Commissioner has blamed the federal government for long delays in assessing breach-of-privacy and freedom-of-information complaints. Complaints about privacy are not being allocated to case officers until just over five months after submission, taking about 19 weeks longer than the usual four-week period. Separately, freedom-of-information matters (complaints and requests for reviews) are not being allocated to officers for up to seven months. Privacy Commissioner Timothy Pilgrim said that while overall privacy complaints increased by 10% during the previous financial year, “staffing levels have decreased in line with the [office’s] need to meet efficiency dividends imposed by government”. The combination of an increase in complaints and fewer staff was the reason for the backlog, he said. [Source]

SA – National Assembly Passes POPI

Eversheds’ Paula Barrett and Penelope Jarvis examine South Africa’s Protection of Personal Information Bill (POPI), passed by the South African National Assembly this month. “All that stands in the way of POPI becoming law is its translation into Afrikaans and the signature of South African President Jacob Zuma,” they write. Barrett and Jarvis examine the history of the legislation and detail what you need to know about POPI, including the conditions that must be met to process personal data legally and information on compliance and enforcement. [Full Story] and [South Africa: New privacy law will have ‘significant impact’ on businesses]

Privacy (US)

US – FTC Reaches First “Internet of Things” Settlement

TRENDnet, a maker of Internet-connected home video cameras, has agreed to settle with the FTC over charges “that its lax security practices exposed the private lives of hundreds of consumers to public viewing on the Internet,” an FTC press release states, adding, “This is the agency’s first action against a marketer of an everyday product with interconnectivity to the Internet and other mobile devices—commonly referred to as the ‘Internet of Things’ (IoT).” The FTC alleges the business failed to use “reasonable security to design and test its software, including a setting for the cameras’ password requirement.” Under terms in the settlement, TRENDnet must not misrepresent the security of its products and must create a comprehensive information security program and undergo a biannual third-party audit for the next 20 years. The FTC will host a roundtable in November exploring the privacy issues surrounding the IoT. [Full Story] See also: [US: Marketer of Internet-Connected Home Security Video Cameras Settles FTC Charges It Failed to Protect Consumers’ Privacy]

US – FTC Investigating Facebook Policy Changes

The FTC has initiated an investigation of Facebook’s recently altered privacy policy to assess whether it violated a 2011 consent order with the agency. Under the 2011 agreement, Facebook must gain explicit consent from users prior to exposing their information to new audiences. An FTC spokesman said, “Facebook never sought out a discussion with us beforehand about these proposed changes.” A Facebook spokeswoman said, “We routinely discuss policy updates with the FTC, and this time is no different,” adding, “Our updated policies do not grant Facebook any additional rights to use consumer information in advertising … the new polices further clarify and explain our existing practices.” Sen. Ed Markey (D-MA) has sent a letter to the FTC raising concerns about the changes. [The New York Times]

US – Court Rules Nonpublic Facebook Posts Protected by SCA

The U.S. District Court in New Jersey has ruled that nonpublic Facebook posts are protected under the Stored Communications Act (SCA). The case involved a hospital worker who posted to her page a negative comment, which could only be seen by her Facebook friends, about paramedics’ handling of a situation. A Facebook friend then took a screen shot of the post and shared it with hospital management—none of whom had access to the post through Facebook. The employee was suspended and issued a memo saying she had deliberately disregarded patient safety; she then sued on the grounds of SCA violations, among others. The court interpreted the 1986-era language and determined the post is protected under SCA, as it is an electronic communication “transmitted via an electronic communication service” that was in storage and not public. [Hunton & Williams’ Privacy and Information Security Law Blog]

US – Microsoft Funds Tech Policy Lab

Microsoft is donating $1.7 million to the University of Washington to found a Tech Policy Lab that will study and test new technologies in order to shape national policies in areas including consumer privacy, security, censorship, public records and wearable devices. Meanwhile, nine out of 10 statisticians believe consumers should worry about privacy issues related to the data being collected about them, and an article in the MIT Technology Review asserts that computer scientists at the National Security Agency are in breach of their own profession’s code of conduct—a list of 16 moral imperatives including “be honest and trustworthy” and “respect the privacy of others.” [GeekWire]

US – Microsoft Says Suit Isn’t Suitable Class-Action

Microsoft says a lawsuit against it seeking class certification should be denied such a designation because “little is ‘common’ among the tens of thousands of proposed class members.” The suit alleges Microsoft violated California’s Song-Beverly Act by asking in-state consumers for personal information without informing them such disclosures weren’t required for credit card purchases to be completed. The August 30 request for class certification says Microsoft’s training and policy documents do not instruct employees to inform customers that personal information disclosures are voluntary. Microsoft says each customer’s experience is varied and some class members knew providing data was voluntary. [Source]

US – LinkedIn Defends Data Practice, Seeks Class Dismissal

LinkedIn is seeking a dismissal of a suit that claims the company was deceptive with its data security and privacy statements. LinkedIn has stated its privacy policy is the same for both its baseline and premium subscriptions and that the plaintiff’s claim is unjustified. “So there is no question that what members are paying for in upgrading to premium services is the enhanced premium tools and capabilities—not LinkedIn’s promise in its privacy policy to secure personal information with ‘industry standards and technology,’” the filing states, while also citing documents showing the plaintiff purchased the subscription before privacy statements were included on the transaction page. According to LinkedIn, “Plaintiff’s arguments ignore that the allegedly deceptive statement was not made in advertising or in other materials that can be reasonably understood to be aimed at inducing members to purchase premium subscriptions.” [Main Justice]

US – FTC Seeks Comment on Verifiable Consent Method

The FTC is seeking public comment on a proposed verifiable consent method submitted by Imperium, according to an agency press release. Under a provision within the new Children’s Online Privacy Protection Act Rule, organizations may submit new verifiable consent methods for FTC approval. In addition to seeking comment, the FTC examines whether the method is already covered by existing methods and whether it will ensure the individual providing consent is the actual parent. The comment period will be open until October 9. [Full Story]

US – America’s Most Privacy Friendly Companies

Forbes reports on the “most privacy-friendly companies” according to privacy experts. Lee Tien of the Electronic Frontier Foundation cites Microsoft, Google, Tumblr and Facebook, while Chris Hoofnagle of Berkeley’s Center for Law & Technology cites B2B services “such as Salesforce, which explicitly says that the data you load into their service is yours, that you can encrypt it and that they will never sell it.” Boston attorney Sarah Downey says Twitter’s “Do-Not-Track” policy puts it at the top, and a number of experts cited companies such as DuckDuckGo, which doesn’t track users’ searches. [Forbes]

US – Court Reverses Heartland Negligence-Claim Ruling; Case Proceeds

Following the 2008 data breach at Heartland Payment Systems, several banks that had issued credit cards to customers affected by the breach alleged they incurred significant costs by replacing the cards of impacted customers and refunding fraudulent charges, writes attorney Stephen Shapiro. While a trial court dismissed the negligence claim, citing New Jersey’s economic loss doctrine, a Fifth Circuit Court has reversed the ruling, allowing the case to proceed. Editor’s Note: More on the possible implications of this case here. [Mondaq]

Privacy Enhancing Technologies (PETs)

WW – New Apps Give Posts a Shelf Life

A proliferation of mobile apps allows users to control who sees their content on social media sites—and for how long. Secret.li, for example, allows iPhone users to post a photo to Facebook knowing it will be automatically deleted either an hour, a day or a week after it’s posted and giving them control over with whom it will be shared. Another app, Spirit, allows users to hashtag tweets so they will auto-delete after a time period of the users’ discretion. “With the ongoing privacy scares, people are thinking about what they put out there now and looking for ways to have more control,” said Spirit’s developer. [Reuters] [Apps make self-destructing posts for Facebook and Twitter with privacy on mind] SEE ALSO: [AUS: A Gift Shop Devoted Entirely To Privacy-Protecting Stealth Gear]

RFID

US – E-Z Pass Tracked for Secondary Purposes in New York City

A recent report by Forbes’ Kashmir Hill revealed how an E-Z Pass is not only tracked by toll booths but also by a New York City traffic management initiative. The news highlights both the benefits of Big Data use and the privacy concerns about secondary use, ubiquitous data collection, anonymization and other topics covered at last week’s Future of Privacy Forum and Stanford Law School event on Big Data and privacy. This Privacy Perspectives installment delves into some of the major takeaways from the event and what these paradigms could mean for businesses and consumers moving forward. [Forbes]

US – New Jersey School Employing RFID for Students and Staff

The Belleville Public School District is using RFID to track students and faculty in the school and on buses as part of a security effort aimed at preventing a tragedy such as that in Newtown, CT, last year. According to the report, the badges will come equipped with buttons to alert authorities to an emergency and will typically be set to “beacon” their ID numbers every 28 seconds to be captured by one of the 190 RFID readers in the school or installed on each of its 21 buses. The system may also be used to eliminate attendance-taking in class or “identify if the same individuals were repeatedly visiting the bathrooms simultaneously, possibly suggesting a drug-use or fighting issue.” Schools in Texas and New York are considering similar systems. [RFID Journal]

US – School District Aims to Stop Bullying by Watching Kids’ Social Media Use

A Southern California school district is trying to stop cyberbullying and a host of other teenage ills by monitoring the public posts students make on social media outlets in a program that has stirred debate about what privacy rights teenage students have when they fire up their smartphones. Glendale Unified School District hired Geo Listening last year to track posts by its 14,000 or so middle and high school students. The district approached the Hermosa Beach-based company in hopes of curtailing online bullying, drug use and other problems after two area teenagers committed suicide last year. The company expects to be monitoring about 3,000 schools worldwide by the end of the year, said its founder. [Source]

Security

US – Hackers Find Ways to Hijack Car Computers and Take Control

In recent demonstrations, hackers have shown they can slam a car’s brakes at freeway speeds, jerk the steering wheel and even shut down the engine — all from their laptop computers. The hackers are publicizing their work to reveal vulnerabilities present in a growing number of car computers. All cars and trucks contain anywhere from 20 to 70 computers. They control everything from the brakes to acceleration to the windows, and are connected to an internal network. A few hackers have recently managed to find their way into these intricate networks. [Source]

WW – Warning Over Security of Baby Monitors

Security flaws in common baby monitors allowed hackers to break into the devices “easily” – and watch silently through hundreds of cameras. The faulty software allowed anyone with the right internet address to freely access the “feed” from Trendnet cameras – and has prompted an investigation by America’s FTC into the safety of “connected” devices. After 700 cameras were accessed, Trendnet has agreed to a 20-year security audit of its devices – and the FTC is to investigate the security of other “connected” devices in November this year. Security researchers have already shown that it is possible to access, for instance, the webcam in a web-connected television – prompting Samsung to issue a warning saying that families could consider covering the cameras when not in use. [Source] SEE ALSO: [TV makers aim to track what you watch] AND [SWE: ‘Lifelogging’ camera shrugs off privacy to seize the moment]

Surveillance

WW – NSA Reactions Abound in U.S., Canada, Brazil

The fallout from Edward Snowden’s U.S. National Security Agency (NSA) revelations is showing no sign of letting up. In the U.S., Sen. Edward J. Markey (D-MA) is asking for details from major cellphone carriers on how many government data requests they receive and how they respond. In Brazil, President Dilma Rousseff is asking legislators to support a bill requiring foreign companies to store data about their Brazilian clients on servers in that country in the wake of the NSA reports. And in Canada, Communications Security Establishment Canada “handed over control of an international encryption standard to the NSA, allowing the agency to build a ‘backdoor’ to decrypt data,” reports indicate. Ontario Information and Privacy Commissioner Ann Cavoukian has introduced a policy aimed at allowing privacy and counterterrorism surveillance to coexist in harmony, while a What’sYourTech report suggests almost half of Canadians “think it’s OK for the government to monitor our e-mail and other online activities.” [New York Times]

US – NSA Shares Raw Data with Foreign Intelligence Agencies

The U.S. National Security Agency (NSA) continues to make headlines, most recently with a report that the NSA “routinely shares raw intelligence data with Israel without first sifting it to remove information about U.S. citizens,” The Guardian reports. Citing a document released by Edward Snowden, the report describes an intelligence-sharing deal between the NSA and its Israeli counterpart. Meanwhile, Yahoo CEO Marissa Mayer and Facebook’s Mark Zuckerberg are hitting back at critics of tech companies, saying the U.S. government did a “bad job” of balancing people’s privacy against its duty to protect. Tech executives did not tell the public about the NSA surveillance because, Mayer said, “Releasing classified information is treason” and would mean incarceration. [Source] [Source]

IN – Investigation: Gov’t Monitoring 160M Internet Users

An investigation into the upcoming launch of India’s Central Monitoring System (CMS) found “the Internet activities of India’s roughly 160 million users are already being subjected to wide-ranging surveillance and monitoring, much of which is in violation of the government’s own rules and notifications for ensuring ‘privacy of communications.’” The CMS plan has prompted privacy concerns in recent months, but The Hindu’s investigation found the government already has monitoring systems “deployed by the Centre for Development of Telematics for monitoring Internet traffic, e-mails, web-browsing, Skype and any other Internet activity of Indian users.” [The Hindu] [Source]

US – University to Install 2,000 Surveillance Cameras; ACLU Doesn’t Like It

The University of Kentucky is planning to install 2,000 surveillance cameras on campus. The plan has the American Civil Liberties Union (ACLU) concerned about such monitoring. “You’re capturing a lot of information about people who are completely innocent,” said ACLU of Kentucky’s Amber Duke. “That’s a lot of information that could be misused.” [The Huffington Post] SEE ALSO: [Made-in-B.C. web tool offers rare glimpse into world’s most remote, private areas]

Telecom / TV

CA – Wireless Firms Let Ottawa Monitor Devices, Data for Licence to Use Spectrum

When wireless companies apply this week to bid on newly available public airwaves, they will also be committing – again – to an unpublicized accord that governs how they will help police and intelligence agencies monitor suspects. For nearly two decades, Ottawa officials have told telecommunications companies that one of the conditions of obtaining a licence to use wireless spectrum is to provide government with the capability to monitor the devices that use the spectrum. The Sept. 17 kickoff of the auction-countdown process will underscore that commitment, made out of sight of most Canadians because it is deemed too sensitive by the government. Documents show that court-approved surveillance in Canada is governed by 23 specific technical surveillance standards known as the Solicitor General’s Enforcement Standards (SGES). Any firm taking part in a wireless auction can obtain a copy, but the contents are not available to the general public. But The Globe and Mail has obtained past and current versions of the accord, which governs the way that mobile-phone companies help police pursue suspects by monitoring telecommunications – including eavesdropping, reading SMS texts, pinpointing users’ whereabouts, and even unscrambling some encrypted communications. Wireless carriers are told they must be ready to hand over such data should police or intelligence agencies compel the release of the information through judicially authorized warrants. Such information goes well beyond traditional wiretaps, and also includes phone logs and keystrokes. Police and intelligence officials say the surveillance is crucial, given that it can help them gather evidence, make arrests and locate missing persons. [Source]

US – NSA Targets Internet Routers and Switches

According to information in documents leaked by Edward Snowden, while the NSA will target individual personal computers when necessary, the agency concentrates its efforts on Internet routers and switches. Routers are attractive targets because “people are … horrible about updating their network gear because it is too critical, and usually they don’t have redundancy to be able to do it properly,” according to Beyond Trust CTO Marc Maiffret. [WIRED]

US Government Programs

US – Authorities Use Border Crossings to Seize Devices

Newly released documents reveal how U.S. authorities use border crossings to seize travelers’ electronic devices without acquiring warrants to access the data. The “largely secretive process” allows the government to set up a travel alert for an individual—even if the person is not a suspect of an investigation—and then detain, seize or copy files stored on electronic devices. As part of a settlement reached with the Department of Homeland Security, the documents were disclosed to David House, a former fundraiser for the legal defense of Chelsea Manning. “I think it’s important for business travelers and people who consider themselves politically inclined to know what dangers they now face in a country where they have no real guarantee of privacy at the border,” House said. [The New York Times]

US – Govt Using Border Searches to Circumvent Fourth Amendment Protections

Documents recently released regarding the seizure of a laptop and other electronic media devices by US border agents suggest that the US Department of Homeland Security (DHS) may be using “travel alerts” to get a look at data for which they would not otherwise be granted a warrant. The documents relate to the case of David House, a Massachusetts man who had befriended Bradley Manning, now known as Chelsea Manning. Federal officials wondered whether House knew anything about a batch of documents that Manning had shared with WikiLeaks but which had not yet been published. House was placed on a “travel list,” and when he returned from a vacation in Mexico in 2010, federal agents seized his laptop, camera, flash drive and cell phone. The laptop was held for seven weeks, and a year after the incident, US agents said that House had done nothing wrong and promised to destroy all copies of data made from his devices. The federal records were surrendered after a two-year battle with the ACLU, which sued the government on House’s behalf. The ACLU maintains that “the settlement documents demonstrate that the seizure of House’s computer was unrelated to border security or customs enforcement. It was simply an opportunity to conduct a suspicionless search that no court would ever have approved inside the country.” [ZDNet] [NBCNews] [AtlanticWire]

US Legislation

US – DEA Works With Telecom to Use Data Trove

The New York Times reports on the Hemisphere Project, a partnership between federal and local drug officials and AT&T. For at least six years, according to slides provided to the Times, law enforcement officials working on counter-narcotics operations with administrative subpoenas have had access to “an enormous AT&T database” containing decades of Americans’ phone calls. The government allegedly pays the telecommunications provider to place employees in drug-fighting units. The employees work with Drug Enforcement Agency officials and local detectives to provide phone data, often including location data, going back to 1987. The data—up to 4 billion phone records a day—is stored by AT&T and not the government. “Is this a massive change in the way the government operates?” queried a Columbia law professor. “No. Actually you could say that it’s a desperate effort by the government to catch up.” Meanwhile, in an op-ed, Ginger McCall, founder of Advocates for Accountable Democracy, writes about the future of technological surveillance, noting, “we are doing far too little to prepare ourselves.” [Full Story]

US – CA Senate Passes Breach Notification Amendment

California’s Senate has passed an amendment to its breach notification law that would expand the notification requirement to incidents involving personal information that would allow access to online accounts. SB 46 redefines personal information to include “a user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.” The bill also allows organizations to deliver notifications in electronic form but prohibits them from using an e-mail address that may have been compromised due to the breach. The future of SB 46 hinges on the passing of Assembly Bill 1149 as well; both must be passed and enacted prior to the start of 2014 in order to become law. [Hunton & Williams’ Privacy and Information Security Law Blog]

US – Do-Not-Track Disclosure Bill Would Have Broad Impact: Opinion

While California’s Do-Not-Track Disclosure bill (AB 370) has been sent to the governor, it has not yet been signed. The bill would amend the California Business & Professions Code (CalOPPA) to require commercial websites and services that collect personal data to disclose how they respond to Do-Not-Track signals as well as disclose whether third parties may collect personally identifiable information. “If AB 370 becomes law, it will have impact beyond California—CalOPPA purports to apply to any website that collects information from California residents,” Forsheit writes. [Information Law Group]

US – Lawmaker, HIPAA Provision Raise Gun Privacy Questions

A Maryland legislator is asking Attorney General Douglas F. Gansler about the legality of viewing confidential information on potential gun-buyers. Delegate Kevin Kelly (D-District 1B) has sent the AG’s office a letter seeking details on “whether it was legal for state police to allow up to 200 state employees from five agencies to view confidential information about prospective gun buyers,” the report states. Meanwhile, the Office for Civil Rights has sent the Office of Management and Budget a proposal “to lift legal barriers related to the HIPAA privacy rule that may prevent states from reporting mental health information to the National Instant Criminal Background Check,” HealthData Management reports. [The Washington Times]

US – Illinois Gov. Signs Student HIV Privacy Law

Illinois Governor Pat Quinn signed into law a bill to protect the privacy of students with HIV. The law, introduced by state Rep. La Shawn Ford (D-Chicago) means that the state Department of Public Health and local health departments are no longer required to notify school principals of a student’s positive HIV status. Ford has been trying to get this bill passed since 2008, noting that it is “not only important for the privacy and confidentiality for students, but is also important for public health.” [Austin Weekly News]

US – New Jersey 12th State to Pass Workplace Social Media Law

New Jersey Gov. Chris Christie has signed A2878, a law restricting employer access to the social media accounts of employees and prospective employees, making the state the 12th to pass such a law. According to the report, the law provides exceptions for certain law enforcement-related agencies and allows employers to implement and enforce policies on company-issued devices, accounts or services; conduct investigations; and comply with legal requirements. Employers who violate the law may face civil penalties of as much as $1,000 for the first violation and $2,500 for each subsequent violation. [Mondaq]

US – One-Hour Breach Reporting Provision Scrapped

A proposal that would require state health insurance exchanges to report data breaches to federal regulators within an hour of their discovery has been dropped from the final regulation. Instead, the Department of Health and Human Services (HHS) will rely on the “strict” breach reporting provisions included in the HHS final rule, to be published in the Federal Register and slated to take effect by October 1. [GovInfoSecurity]

US – California to Require Do-Not-Track Disclosures

The California Senate and Assembly passed an amendment to the California Online Privacy Protection Act, which the governor is expected to sign, that will require commercial websites and services that collect personal data to disclose how they respond to Do-Not-Track signals. California Assemblyman Al Muratsuchi (D-66th District) introduced the bill, which was also sponsored by Attorney General Kamala Harris—who’s been pushing for privacy protections and consumer privacy enforcement actions. The bill does not prohibit tracking but “does require websites to choose sides to either honor or ignore Do-Not-Track browser signals,” the report states. [Adweek]

US – California Suspends RFID Legislation

In the wake of concerns from privacy groups, California legislators have suspended SB 397, which would have allowed RFID chips to be embedded into driver’s licenses and state identification cards. California’s Assembly Appropriations Committee put the legislation on hold “despite it having been approved by the California Senate, where it likely will be reintroduced in the coming months,” the report states, noting, “Had the measure passed, it would have transformed the Sunshine State’s standard form of ID into one of the most sophisticated identification documents in the country, mirroring the four other states that have embraced the spy-friendly technology.” [WIRED]

US – Reps. Call for Delay of Death Master File

Reps. Sam Johnson (R-TX) and Xavier Becerra (D-CA) have introduced HR 2720, which would delay the publication of the Social Security Administration’s Death Master File. According to Allen American Star, if the bill passes, only death information released three years after a person’s death would be made available. The bill is an effort to combat the use of deceased individuals’ information for identity theft.

US – Minnesota Agencies See Spate of Data-Access Lawsuits

Five lawsuits have been filed against officials from the Minnesota Department of Natural Resources (DNR) and Department of Public Safety claiming one DNR official inappropriately accessed the information of more than 5,000 citizens. The employee has been fired and criminally charged in a separate case, but the officials say they are not liable for the man’s violations. Main Justice reports the defendants claim that the Driver’s Privacy Protection Act contains protections for government agencies intended to shield agency officials from responsibility for violations by others who have access to the database. While distancing themselves from the man’s actions, the defendants argue that the act allows states to make driver’s license data available to law enforcement and other agencies and does not impose data access or monitoring rules on states. The former wife of a Duluth police officer has also filed a suit, claiming inappropriate access of her driver’s license data by the Duluth Police Department, St. Louis County Sheriff’s Office and others. In both situations, plaintiffs claim the driver’s license database offers access to more sensitive information, namely health data and Social Security numbers, but the DNR defendants’ filing rejects these claims, citing an audit of law enforcement use of state databases.

US – States Taking Lead in E-mail, Location Privacy

After delays in congressional efforts to update the Electronic Communications Privacy Act (ECPA), some states are taking matters into their own hands. Texas and Montana have both passed e-mail privacy laws—and Montana went a step further, becoming the first in the nation to pass location-tracking legislation. Maine passed a law requiring a warrant for police to access text messages, and Massachusetts lawmakers are considering an e-mail and geolocation privacy bill for mobile device data. New York and Florida have also announced plans to tackle this issue in their next session. But, as the report states, “state-level laws cover only state-level authorities and can’t compel federal investigators. For that, there must be congressional action.” [The Washington Post]

US – Oregon State Bill Would Track Drivers’ Mileage

Oregon lawmakers have approved a bill that would tax drivers not on the amount of gas their cars burn but on the number of miles driven. The program, which would commence in 2015 with volunteers, would use technology to track drivers’ mileage, but that has raised concerns about government surveillance of driving habits. In response to such concerns, the legislation limits who can see the information reported by tracking devices and requires the state and private entities tracking the data to destroy location information from participating drivers within 30 days of using it for billing, Stateline reports. [Full Story]

US – Long Shot Bill Would Prohibit NSA from Putting Backdoors in Encryption

A US legislator has introduced a bill that would prohibit the NSA from introducing backdoors into encryption. The bill was originally introduced in July, but has received renewed attention following recent revelations about the NSA’s snooping activities. It seeks to repeal the Patriot Act and the FISA Amendments Act of 2008. As currently written, the bill stands virtually no chance of passing out of committee, let alone reaching the floor. [Ars Technica]

Workplace Privacy

US – University Staff Object to Health Plan

Pennsylvania State University’s introduction of “Take Care of Your Health,” a wellness plan, has sparked staff protests and allegations that it “is coercive, punitive and invades university employees’ privacy.” Under the plan, nonunion employees must “visit their doctors for a checkup, undergo several biometric tests and submit to an extensive online health risk questionnaire that asks, among other questions, whether they have recently had problems with a co-worker, a supervisor or a divorce,” the report states. Those who do not participate face a $1,200 pay deduction annually. “You can’t force people to disclose the state of their marriage or fine them $100 a month,” one professor said. [The New York Times]

+++
