01-15 November 2013


CA – Canadian Minister: Province to Address Gap

Saskatchewan Justice Minister Gord Wyant has said the government must address a “gap” in privacy protection for private-sector employees. “We, like Ontario and the eastern provinces, have relied on the federal legislation with respect to privacy matters in the private sector,” Wyant said. Referencing calls for change by Saskatchewan Information and Privacy Commissioner Gary Dickson, Wyant added “there’s a little bit of a gap when it comes to that area.” To address the issues, he said, “We’ve consolidated all the labour legislation into one piece, and we think that there’s a possibility of perhaps bringing some regulations forward under the employment act to cover off that issue.” [The Regina Leader-Post]


WW – Brick-and-Mortars Catch Up on Customer Tracking

Brick-and-mortar retailers are using face scanners in an effort to improve such things as staffing, layout and marketing. Many businesses, aware of consumers’ reticence to be tracked, promise to only use the data in aggregate unless consumers give their consent. Shoppers are also increasingly asked to sign up for loyalty card programs that would allow the retailer to track them in exchange for discounts. “They are just trying to get real smart with data in the way the e-commerce guys are smart with data,” said the head of one tracking-device manufacturer. But the chief executive of a customer science company said, “Too much is happening without consumer consent.” [Reuters] See also: [Pandora Looks Past the Tracking Cookie by Mining User Data]

WW – Survey: Shoppers Unsure About Tracking-for-Coupons Model

While consumers are becoming more aware that they may be tracked as they walk around brick-and-mortar stores, “plenty still feel uncomfortable about it.” That’s according to a survey that found that nearly half of respondents said they would find it invasive if a store sent them a text-messaged coupon as they walked past that store. But only 35% said they found it invasive for a website to know their geographic location, suggesting “people are less comfortable being tracked on their mobile devices in a store than as they surf around the web,” the report states. [PC World]

US – Netflix Plaintiffs Say Settlement Doesn’t Help Them

Netflix users are asking the Ninth Circuit Court of Appeals to vacate a settlement that would see the company donating millions of dollars to nonprofits. The users say the settlement doesn’t benefit them, stating they were affected by a privacy glitch in which Netflix allegedly held on to subscriber names after they had cancelled their memberships, a violation of the Video Privacy Protection Act of 1998. Netflix has denied violating the law but agreed to destroy the personal information and says the $9 million settlement is in line with privacy settlements by Facebook and Google. [MediaPost]

Electronic Records

US – Are There “Limitless” Privacy Risks to New Health Exchanges?

A government report on the Affordable Care Act health insurance exchanges details the “high risks” and potential “limitless” privacy concerns with the site. One key official in the Obama administration testified earlier this month that he was not copied on the memo detailing the risks. Centers for Medicare and Medicaid Services Deputy Director and Deputy Chief Information Officer Henry Chao, who “is in charge of … the operations of the agency’s information systems security program,” said, “It is disturbing” that he was not copied on the memo, adding, “This is … a fairly nonstandard way to document a decision.” [Forbes]

US – EHRs Make Audit Trails Much Easier To Follow

Electronic health records have made catching unauthorized viewers much easier. And that has illustrated the frequency with which unauthorized access occurs, such as last month’s notification by Minnesota’s Allina Health System that 3,800 patients’ personal health data had been breached by a medical assistant who had been improperly accessing the information for three years. The Department of Health and Human Services reports that since 2009, 27 million individuals have had their personal health data compromised. [Healthcare IT News]


WW – Microsoft Does Not Encrypt Server-to-Server Traffic

A Microsoft executive told members of the European Parliament that the company does not encrypt server-to-server data traffic. Dorothee Belz, Microsoft EMEA VP for Legal and Corporate Affairs said that the company is “currently reviewing [its] security system.” Belz appeared before a European Parliamentary committee with representatives from Google and Facebook. Earlier, she had stated that Microsoft did not allow “direct access” to its servers. The revelation about the unencrypted traffic between Microsoft servers follows close on the heels of leaked documents that indicate the NSA and GCHQ tapped into such connections between Google data centers to access data. [Ars Technica] [The Register]

US – Exclusive Interview with Lavabit Founder on the Day the FBI Came Calling

Ladar Levison remembers June 28 pretty well. Temperatures reached 108 degrees in Dallas, TX, and Sandra Bullock’s The Heat was released nationwide. But Levison was feeling a different kind of heat that day when the FBI showed up unannounced at his Dallas apartment and told him they wanted access to his company’s computer system—a system he’d designed specifically to protect his customers from the threat of surveillance. The Privacy Advisor describes his legal ordeal and his new business venture, one he hopes protects data in a way his last service, in the end, did not. [Privacy Advisor]

US – US Justice Dept. Files Brief in Lavabit Appeal

The US Justice Department has filed an appellate brief in the Lavabit case. The government maintains that Lavabit founder Ladar Levison’s promise of security to his customers does not exempt him or his company from having to comply with court orders. According to the brief, DOJ wanted the metadata from a single Lavabit account. (Although the investigation’s target is not specified, it is widely believed to be Edward Snowden.) The DOJ dismissed Levison’s concerns that it would use the SSL key it sought to peruse accounts of other Lavabit users. [WIRED] [ComputerWorld]

EU Developments

EU – Reding Says Data Protection Outside of TTIP’s Scope, Calls for an EU NSA

Officials in Brussels say Germany’s plan to push for tough data protection controls for the Transatlantic Trade and Investment Partnership is a “big surprise.” [Reuters] Despite a push from Germany to include data protection rules within the Transatlantic Trade and Investment Partnership in the wake of U.S. spying revelations, European Commission Vice President Viviane Reding says data protection is outside of the EU-U.S. pact’s scope. “The commission’s view and the position taken by all leaders at the recent European Council is clear: Let’s not mix up the phone tapping issue with the ongoing trade talks,” Reding said. Reding has also called for the EU to create its own intelligence agency by 2020 in order to “level the playing field” with the U.S. Meanwhile, U.S. Attorney General Eric Holder says the U.S. is taking note of Europe’s concerns. [Financial Times]

EU – Court Rules Google Must Remove Images from Search Results

A French court has ruled Google must remove compromising photos of a Formula One car racing chief from its Internet search results. The ruling follows Max Mosley’s lawsuit aiming to force Google to filter images that were originally published in a British newspaper. Mosley claimed French law forbids taking and distributing images of someone in a private space without permission, while Google argued freedom of speech. Google says it will appeal the decision. “At this point in time, the pendulum is swinging toward individuals’ privacy and away from freedom of speech,” said one privacy analyst. [The Economic Times]

UK – ICO: Cookie Replacements Must Follow Rules

The UK Information Commissioner’s Office (ICO) has acknowledged that it’s aware of initiatives to forego cookies for new tracking technologies and says these new technologies will need to abide by the same rules as cookies. Encouraging a Privacy by Design approach, an ICO spokesperson said companies must be upfront with customers and offer “users a clear choice as to the options available to them.” Meanwhile, Mozilla’s plans to automatically block certain cookies in its browser are on hold after it announced plans to work with the Cookie Clearinghouse initiative at Stanford University on a “more nuanced approach.” The organization now says it’s unsure whether it will adopt the feature. [Out-Law.com]

EU – Garante Provides General Rules Following Outsourcing’s Growth

Following the growth of the outsourcing of call center services outside the EU, the Italian Data Protection Authority, the Garante, is providing its general rules to protect the privacy of Italian citizens. “At the end of a complex investigation, the Garante stressed the rules to be applied to both companies and government agencies, whose customer care or call centers are located outside the EU.” [Full Story]

EU – Garante, DIS Enter Cooperative Protocol

The Garante, Italy’s data protection authority, and DIS, the country’s intelligence department, have entered into a cooperation protocol. “This is an extraordinary agreement entered into by very key sensitive functions of the Italian State and a great signal of transparency for the world in reply to all worrying news on Datagate we daily read on newspapers or on the Internet.” “At the same time this is a proof of evidence that a different model of cooperation on the ground of the intelligence services is possible. Citizens have to believe that another world is possible and their rights might be protected together with their security and safety.” [Privacy Advisor]

EU – Regulation Implementation May Come Sooner Than 2015 After All

The European Commission is prepared to ignore attempts to delay implementation of the proposed data protection regulation. Instead, the commission plans to push toward implementing the regulation by spring of 2014, despite conclusions adopted at the summit last week suggesting the regulation be introduced by 2015. Financial Times reports the vote’s delay until at least next year, should that come to pass, is an “important victory” for U.S. tech giants who will need the time to bolster their case for a watered-down version of the reforms while the heated climate surrounding U.S. surveillance revelations cools down. [EurActiv]

UK – Message-Sender Successfully Appeals 300,000 GBP Fine

Christopher Niebel has successfully appealed a 300,000 GBP fine for sending spam text messages after challenging “whether the Information Commissioner’s Office (ICO) was right to issue him with a fine for his part in what the ICO considered was a serious breach of UK privacy laws.” Niebel and fellow Tetrus Telecoms co-owner Gary McNeish were fined a combined 440,000 GBP by the ICO last year “for breaching the UK’s Privacy and Electronic Communications Regulations (PECR) for engaging in unsolicited direct marketing activities.” However, an Information Rights Tribunal upheld Niebel’s appeal, ruling “insufficient damage or distress had been caused to recipients to merit the penalty being imposed,” the report states. [Out-Law.com]

Facts & Stats

WW – Breaches More Widespread Than Reported

A new security survey has found that 57% of malware analysts said they have worked on enterprise-related data breaches that were not disclosed. The ThreatTrack Security survey interviewed 200 security professionals. For larger businesses, with more than 500 employees, the number jumps to 66%. The reason behind not disclosing breaches may stem from attempts to save brand reputation or avoid difficult questions from customers and investors. [ZDNet]


EU – Facebook Discloses Gov’t Data Requests

A recent hearing organized by the European Parliament’s civil liberties committee featured Richard Allan, director for public policy for Facebook in Europe, who discussed the number of demands for data by EU governments. Allan said Facebook received 8,500 requests from the EU on 10,000 user accounts during the first six months of 2013. By comparison, U.S. officials made 12,000 requests for data on as many as 21,000 user accounts. Meanwhile, CIO reports on the nuances of Facebook’s updated data use policy and statement of rights and responsibilities. And a new poll indicates four out of five people have changed the privacy settings on their social media accounts, most within the last six months. [New York Times Bits]

WW – Google Transparency Report

According to Google’s most recent transparency report, the US government made nearly 11,000 requests for user information from the company in the first six months of 2013. The Indian government made 2,700 requests of Google in that same period. The company makes note of the fact that the numbers represent only those requests that they are permitted by the US government to disclose. [CNET]

US – Apple’s Transparency Report Includes “Warrant Canary”

Apple has filed its first transparency report, enumerating government requests for data from devices, iTunes, and other content services. Along with the report, Apple has filed an amicus brief with the Foreign Intelligence Surveillance Court, seeking approval to release more detailed information. Apple received the vast majority of its data requests from the US government, but also received requests from the governments of the UK, Germany, Australia, Spain, Singapore, and France. Apple’s report also includes these sentences: “Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us.” The statement is called a “warrant canary” because its absence from future reports would indicate that the company had received such an order. [CSMonitor] [ComputerWorld]

WW – Apple: “Our Business Does Not Depend On Collecting Personal Data”

Apple published a formal report on federal government data requests. In it, Apple says its business “does not depend on collecting personal data … We have no interest in amassing personal information about our customers. We protect personal conversations by providing end-to-end encryption over iMessage and FaceTime. We do not store location data, Maps searches or Siri requests in any identifiable form.” It adds that the U.S. government doesn’t allow it to disclose the number of national security orders “or whether content, such as e-mails, was disclosed” and that it opposes such a gag order. Earlier this week, the company lobbied for restrictions on government surveillance. [All Things Digital]

US – Is California Transparency Law Still Effective 10 Years Later?

The American Civil Liberties Union of Northern California (ACLU) has published a policy paper looking at the state’s Shine the Light law of 2003. The paper looks at whether the law, now 10 years old, is still effective in providing transparency about how businesses handle personal data. “From revelations of widespread NSA spying to high-profile data breaches, the need to know what is happening to our personal information is more important than ever,” the ACLU said. [ACLU] [Losing the Spotlight: A Study of California’s Shine the Light Law]


WW – Microbe Research Raises Privacy Concerns

NPR reports on the American Gut Project, a “citizen science,” crowdsourced microbiome initiative designed to help scientists learn more about the friendly and dangerous microbes living in and around the human body. Organizers of the project need reams of personal information—including swabbed samples and detailed logs of a subject’s daily diet—to help illuminate the research, but some bioethicists are expressing privacy concerns. One expert said, “If you have privacy concerns at all, you shouldn’t do it.” Though the information is confidential, there’s no guarantee that it will be protected, and it’s possible that a volunteer’s DNA samples might inadvertently become public, the bioethicist noted. [Source]

Health / Medical

US – Hospitals Prepare to Digitize Records for Sharing

In Texas, a new program will digitize the medical records of every hospital in the San Antonio region. The data—about 600,000 records in total—will eventually be shared in real time with hospitals, doctors and patients themselves. Patients are permitted to opt out if they wish. Meanwhile, VMware has announced a new service aimed at helping with HIPAA security requirements by providing Business Associate Agreements. “The healthcare IT industry needs trusted, reliable and stable business associates that will help address the appropriate administrative, physical and technical safeguard requirements under HIPAA security rules,” said the chief information officer at Hackensack University Medical Center. [Texas Public Radio]

US – Breach Settlement First to Award Plaintiffs Who Aren’t ID Theft Victims

Health coverage company AvMed last week reached a $3 million data breach settlement that allows plaintiffs who didn’t suffer identity theft to claim funds. A report from Becker’s Hospital Review notes that it is the first breach case to extend payments to plaintiffs who were not victims of identity theft. “Settlements for data breach class actions have traditionally not extended payments to class members who have not experienced any fraud or identity theft. Here, though, that is exactly what the sides agreed to, whereby payments will be made to all class members who purchased insurance, even absent any fraud or identity theft,” states Reed Smith’s Global Regulatory Enforcement Law Blog.

Horror Stories

US – One Million Affected in Software Company Site’s Hack

Internet security firm Hold Security says it has discovered that a limousine software company has been hacked, resulting in credit card numbers and other details on close to one million customers being exposed. Jonathan Mayer, a cybersecurity fellow at Stanford University, said Corporatecaronline’s website was running outdated software that made it vulnerable, but “you don’t have to be a big target to be at risk online anymore. This is the new normal, and it underscores the need for improving the regulatory framework.” [Detroit Free Press]

EU – Loyaltybuild Data Breach Affects More Than One Million People

More than 1.5 million Europeans have had personal information compromised by a security breach at Loyaltybuild, a company that manages customer loyalty programs across Europe. International security firm Garda has launched an investigation into the incident, which saw nearly 400,000 individuals’ credit card details exposed. Irish Data Protection Commissioner Billy Hawkes said the financial data was not encrypted. Another 150,000 individuals’ details have been “potentially compromised,” and the breach looks to be the result of an external criminal act, Hawkes said. Meanwhile, in the U.S., hundreds have been affected by a data breach dating back to 2001 in Indiana. [Irish Times] [The Register] [Irish Examiner]

Internet / WWW

WW – At Hearing, Google Says NSA Could Cause “Splinternet”

During a Senate Judiciary Subcommittee hearing on the Surveillance Transparency Act of 2013, Google Director of Law Enforcement and Information Security Matters Richard Salgado expressed concerns that the Snowden disclosures, along with gag orders placed on the company by the U.S. Department of Justice, are hurting U.S. businesses around the world economically and may cause a fractured Internet. Global reaction to the NSA disclosures “could have severe unintended consequences such as a reduction in data security, increased cost, decreased competitiveness and harms to consumers,” he said. [The Privacy Advisor]

EU – Germany and Brazil Present Internet Privacy Resolution to UN

Following reports that U.S. intelligence eavesdropped on foreign leaders—including German Chancellor Angela Merkel and Brazilian President Dilma Rousseff—both nations formally presented a resolution to the United Nations urging countries to extend internationally guaranteed rights to privacy online. Such resolutions to the General Assembly are not legally binding. The U.S. was not specifically named in the resolution. [The Associated Press]

US – NIST Looking for Advisors for Privacy Panel

The National Institute of Standards and Technology (NIST) has announced it is looking for new members to its Information Security and Privacy Advisory Board (ISPAB). The board’s objective is to identify emerging issues affecting information security and privacy and advise NIST’s leadership, the secretary of commerce and the Office of Management and Budget on such trends. A NIST notice states, “Nominees should have specific experience related to information security or privacy issues, particularly as they pertain to federal information technology.” Microsoft Chief Privacy Officer Brendon Lynch wrote about why privacy professionals are needed in the NIST framework process. [Government Security News]

US – NIST Will Review Standard Development Process

The National Institute of Standards and Technology (NIST) plans to review its standards development process. The organization hopes to restore the credibility that took a hit several months ago when news stories broke that the NSA may have included a backdoor in a NIST-approved encryption algorithm. NIST will open its process for public review as well as review by an as-yet unnamed third-party organization. In a November 1 statement, NIST wrote, “Based on the public comments and independent review, we will update our process as necessary to make sure it meets our goals for openness and transparency, and leads to the most secure, trustworthy guidance practicable.” [Ars Technica]


NZ – Parliament Considers Privacy Principles

The New Zealand Parliament is considering adopting a set of privacy principles that would help protect both MPs and journalists. Privacy Commissioner Marie Shroff, who recently reflected on the evolution of privacy in the past decade, told Parliament’s Privileges Committee “it might be useful for the Privacy Act principles to be used as some sort of a guide within the Parliamentary precinct when difficulties occur over the use of information.” With the Privacy Act and the Official Information Act already established, she suggested there is no need to “reinvent the wheel.” [Radio New Zealand]

NZ – Bill Could Put Cyber Bullies Behind Bars

A new bill being introduced in the New Zealand Parliament could see cyber bullies facing up to three years in prison. The Harmful Digital Communications Bill is backed by Justice Minister Judith Collins and would create a criminal offence for “sending messages or posting material online with intent to cause harm—including threatening and offensive messages, harassment, damaging rumours and invasive photographs,” punishable by up to three months in prison or a $2,000 fine, the report states. The bill would also establish an agency responsible for handling complaints. [The Sydney Morning Herald]

ID – Indonesia May Consolidate Privacy Law

“Indonesian data privacy protection is spread over several pieces of legislation such as the Human Rights Law, ITE Law, Code of Criminal Procedure and others,” but the government is discussing consolidating it into a single law, Lexology reports.

IN – Analysis of India’s Privacy Bill

Neeral Dubey of PSA Legal Counsellors examines The Privacy Protection Bill, 2013 for Mondaq, including the domain and protection of personal data and the punishment for offenses. “Though it has expanded the scope of sensitive personal data, it has not covered all the aspects, like, passwords or other personal details within its ambit,” Dubey writes, concluding, “Though this Bill seems to be a step in the right direction, what it can fetch is a question that remains to be answered. But that can be fathomed only once this sees the light of the day.”

Online Privacy

EU – Swiss Telecom Plans Cloud Service Hosted Entirely Within Switzerland

Swiss telecommunications company Swisscom plans to establish a “Swiss cloud” that will be hosted entirely within that country. The goal is to prevent the NSA and GCHQ from snooping on communications. (Swisscom is majority-owned by the country’s government.) Switzerland already has stringent data privacy laws in place, which is why companies that provide secure communications services use data centers there. Prosecutors must obtain court orders before conducting surveillance. [The Register] [v3.co.uk] [Ars Technica] [Reuters]

US – MIT Launches Big Data Privacy Working Group

The Massachusetts Institute of Technology (MIT) Big Data Initiative, under its Computer Science and Artificial Intelligence Lab (CSAIL), has announced it is launching a new Big Data and Privacy Working Group to bring together industry, government and academia to address and find solutions for problems arising out of the intersection of Big Data innovation and privacy. CSAIL Principal Research Scientist Daniel Weitzner said, “The goal of the group is to encourage long-term thinking on the role of technology in protecting and managing privacy, in particular when large and diverse data sets are collected and combined,” and added, “We have a wide variety of technical approaches to privacy protection but don’t have a good handle on how they might actually work at scale or whether we need to develop new technical tools.” [MIT News]

US – Schools Share $38 Million Big Data Grant

The University of Washington, New York University and the University of California-Berkeley are sharing a $38 million grant to spread Big Data analysis skills to various professional fields. “Our goal is to figure out how to rapidly evolve universities to support and utilize data-intensive discovery,” said Ed Lazowska, eScience Institute founder and computer science professor at the University of Washington. “We have been doing this on a small scale, but now we’ll be able to work the problem at a large scale and as a collaboration among three teams that include some of the strongest faculty at some of the nation’s strongest universities.” [The Seattle Times]

US – Plaintiffs: VPPA Case Should Proceed, Even With Lack of Financial Harm

Hulu users involved in a potential class-action lawsuit are urging a federal judge to allow the case to proceed. The Hulu users have asked U.S. District Court Judge Laurel Beeler to reject Hulu’s motion to be awarded summary judgment in the case, saying that the case should proceed even if they do not prove financial harm. The class members claim Hulu violated the Video Privacy Protection Act (VPPA) by allegedly sharing user data with Facebook and comScore, but Hulu claims that consumers were not financially harmed in the case. The consumers argued, “A violation of the VPPA simply does not require a threshold showing of pecuniary damages.” [MediaPost]

US – Colleges Increasingly Checking Applicants’ Social Media Accounts

According to Kaplan research, 31% of admissions officers visited an applicant’s Facebook page or other social media account last year in determining admissions, a 5% jump over last year. The research is indicative of the increasing role students’ digital footprints play in whether or not they gain admission to college in the U.S. “To me, it’s a huge problem,” said Bradley S. Shear, a social media-focused lawyer. “Often, false and misleading content online is taken as fact.” However, we might all agree that one Bowdoin College applicant’s decision to snarkily tweet mean-spirited comments about fellow applicants while on a tour of the school was ill advised. [New York Times]

WW – Facebook Asks Adobe Users to Change Passwords

Facebook is warning users who also use Adobe that if they are using the same e-mail and password combinations on both sites, they should change that. That’s after the recent breach at Adobe in which hackers stole nearly three million encrypted credit card records and users’ login credentials. “We actively look for situations where the accounts of people who use Facebook could be at risk—even if the threat is external to our service,” said a Facebook spokesman. “When we find these situations, we present messages like the one in the screenshot to help affected people secure their accounts.” [KrebsonSecurity]

WW – Closed-Circle Feature Added to Google+

Google has added a new feature to Google+ to ensure private conversations remain private. The feature allows businesses to decide if their restricted community will be open to everyone at the company or more limited, the report states. System administrators can decide whether restricted communities will be the default, but communities open to third parties such as business partners and clients can also be created. [Think Digit]

WW – Google to Limit Windows Chrome Extensions to Chrome Web Store

In January 2014, users of Chrome on Windows will be permitted to install extensions only from the Chrome Web Store. Currently, users are asked if they want to install extensions when they originate outside of the Chrome store, but attackers have found methods to bypass that warning mechanism. [CNET]

WW – Chrome Canary Detects Suspicious Downloads

The Canary build of Google’s Chrome browser has been updated to include functionality that detects malware attempting to download. A warning will appear at the bottom of the browser window when Canary detects an attempted malware download. Chrome Canary is the name given to the “bleeding edge” channel of the browser, ahead of the Dev channel. Most features that are added to Canary do eventually appear in Dev, and then on into the Beta and Stable versions of the browser. [ComputerWorld] [The Register]

WW – Firefox Beta Moves Toward Click-to-Run Default for Plug-ins

The most recent beta version of Firefox moves closer to making “click-to-run” the default status for all plug-ins. The new feature will not automatically run plug-ins when pages are opened. Instead, users will see a box warning that the plug-ins the page requires may be vulnerable. Content will display only if users explicitly allow each plug-in. The only exception will be the most recent version of Flash. Other browsers have made exceptions for Flash as well. Google bundles Flash in its Chrome browser, making sure to push out updates when available, so that users are always running the most current version. [The Register]

WW – Microsoft Updates Policy Ahead of Xbox One Launch

Ahead of the launch of the Xbox One, Microsoft has updated its privacy policy to clarify how data is collected and used within gaming functions. While Xbox One uses facial recognition to log in users, the data doesn’t leave the console and can be deleted at any time. However, users “should not expect any level of privacy” when it comes to live communication features like chat and video during live-hosted game sessions. Microsoft reserves the right to monitor those communications “to the extent permitted by law.” Users are permitted to disable targeted ads and tracking through an opt-out page. [Ars Technica] See also: [Will Kinect 2.0 and COPPA Play Well Together?]

Other Jurisdictions

BR – Brazil Calls for End to “Excessive Electronic Surveillance”

Following the country’s outrage over the U.S. National Security Agency’s (NSA) spying scandal and calls for new legislation, Brazil has put forth a resolution calling for an end to excessive electronic surveillance. Brazilian President Dilma Rousseff, who canceled a trip to Washington, DC, following reports that the NSA had intercepted data from her office, said the U.S. has broken international law. “Friendly governments and societies that seek to build a true strategic partnership, as in our case, cannot allow recurring illegal actions to take place as if they were normal,” Rousseff said. “They are unacceptable.” [BBC News]

KZ – Kazakhstan Privacy Law Coming Into Effect Soon

Kazakhstan’s data privacy law, On Personal Data and Their Protection, goes into effect on November 26, making it the second country in Central Asia to enact a privacy law, reports Hunton & Williams’ Privacy and Information Security Law blog. The new law will work with the existing sectoral regulations and, while no English translation is available, according to the report, analyses suggest it applies to both public and private sectors.

CN – China Amends Consumer Protection Law

The Standing Committee of the National People’s Congress of the People’s Republic of China passed an amendment to the P.R.C. Law on the Protection of Consumer Rights and Interests, reports Hunton & Williams’ Privacy and Information Security Law Blog. The amendments will take effect on March 15 and include increased penalties for violations of consumer rights, a new rule on punitive damages and a ban of unauthorized disclosures of consumer personal information, among others.

BR – Brazil to Consider Online Privacy Bill

Brazil will take up an online privacy protections bill that business groups fear will stymie the free flow of data. The bill, to be considered by Brazil’s Chamber of Deputies this week, would create restrictions on how Internet service providers use Brazilians’ personal data and would require companies to build local data centers in order to do business in Brazil. “Global data flows rely on data centers dispersed all over the world,” wrote a group of 47 industry reps from the U.S., Brazil, Europe and Japan to Brazil’s National Congress. “Thus, in-country data storage requirements would detrimentally impact all economic activity that depends on data flows.” A vote could take place Monday. [Politico]

Privacy (US)

US – Judge: Peer-to-Peer Data Isn’t Protected Under Fourth Amendment

A federal judge in Vermont has ruled there can be no expectation of privacy when it comes to data exposed online via a peer-to-peer file-sharing network. The case involved three men charged with a crime who claimed the police illegally gathered data from their computers using a peer-to-peer search tool and then obtained a search warrant based on that data. The defendants asked the judge to suppress the evidence based on a violation of their Fourth Amendment rights, but District Court Judge Christina Reiss denied the motion, stating the defendants made the data public when they posted it over a peer-to-peer network. Other courts have ruled similarly where peer-to-peer networks are involved. [Computerworld]

US – FTC Denies Company’s Consent Method

The FTC has denied AssertID’s application seeking approval of a parental consent method. The FTC said in a letter to the company that its proposal “failed to provide sufficient evidence that its method would meet the requirements” under the Children’s Online Privacy Protection Act. The company hoped to use a method called “social-graph verification,” but the FTC said in a 4-0 vote there hadn’t yet been sufficient research or testing to prove its efficacy. [FTC Press Release]

US – Internet Association Backs Airbnb in NY Privacy Conflict

The Internet Association—a group of web companies including Google, eBay, Facebook and Amazon—has filed papers in New York arguing that an attempt by the state’s attorney general to compel Airbnb to turn over its customers’ data will set a precedent that could harm online business. “The prospect of law enforcement authorities, regulators and other government personnel being able to obtain broad swaths of information about consumers under no articulated suspicion of wrongdoing would unduly discourage participation in these online services,” the filed paper states. [MediaPost]

US – Parents to Sue NY Education Dept.

A group of New York City parents is planning to file suit “to block the state Education Department from sharing their kids’ data—including test scores and discipline records—with private companies.” The suit, which is to be filed in New York Supreme Court, comes in response to “the controversial $100 million inBloom project being built by the company Amplify,” the report states, noting the parents allege the project “violates the state’s Personal Privacy Protection Law, forbidding state agencies from giving personal info to companies without consent, unless state law specifically requires the agencies to do so.” The suit follows concerns about inBloom raised in other states. [NYDailyNews.com]

US – Man Says Data Broker Is Liable in Harassment Case

A New York man has asked the U.S. Supreme Court to review whether data brokerage companies can be held strictly liable under federal law. The man claims “a data broker illegally sold information gleaned from DMV records to a stranger who later tracked down and harassed him.” A Second Circuit court ruled in July that data broker Softech International could not be held strictly liable under the Driver’s Privacy Protection Act. [Law360]

Privacy Enhancing Technologies (PETs)

WW – Two Tracking Techs Emerge from Hackathon

Last week, online privacy service Ghostery hosted a hackathon to create new user-friendly technologies to enhance online privacy. One team created a browser plug-in to reveal the companies that are tracking users by placing photos of the companies’ top executives on screen. A second top vote-getter focused on measuring the amount of time trackers add to page loading time. The latter system works in tandem with Ghostery and allows users to opt out of tracking. For the next month, users in the Ghostery community have the option to vote for the best service, which will then present its technology at South by Southwest next year. [AdAge]

US – NIST to Update Smart Grid Guidance

The National Institute of Standards and Technology (NIST) is revising its smart grid guidance to address vulnerabilities and privacy issues that have become more of a concern over the past few years. While the U.S. power grid is years away from being a true smart grid, NIST says in the draft of the guidance, “Approaches to secure these technologies and to protect privacy must be designed and implemented early in the transition to the smart grid.” Rebecca Herold, who leads NIST’s Smart Grid Cybersecurity Committee’s privacy subgroup, said the new draft will “allow all players in the smart grid to proactively address privacy issues as they create the wide variety of services and components involved, instead of waiting until after the fact, and after privacy incidents, to try to tack privacy on as an after-thought, which is never nearly as effective—as history has taught us.” [BankInfoSecurity]

WW – SMB Cybersecurity Survey Suggests Many Unaware of Being Attacked

A survey from McAfee and Office Depot of more than 1,000 small and medium-sized businesses (SMBs) found that two thirds were confident of the security of their data and devices. More than three-quarters of the companies said they had not been the victims of cyber attacks. There is a significant discrepancy between those numbers and research, which shows that SMBs are often targeted by cybercriminals. 72% of breaches investigated by Verizon’s forensic analysis unit in the company’s most recent Data Breach Investigations Report were of companies with fewer than 100 employees. It is likely that many SMBs are simply not aware that they have been attacked. [InfoSecurity]

US – Survey Suggests Majority of Breaches in US Undisclosed

According to a survey, more than half of all data breaches experienced by companies in the US remain undisclosed. The study surveyed 200 security professionals who conduct malware analysis; 57% said they had investigated or helped manage fallout from a data breach that was not disclosed by the targeted company. [ZDNet] [CSO Online]

US – CIA Allegedly Engaged in Bulk Collection

A Central Intelligence Agency (CIA) program collects bulk records of international money transfers, including transfers inside and out of the U.S. from companies such as Western Union. Unidentified officials said the program operates under provisions within the USA PATRIOT Act and is overseen by the Foreign Intelligence Surveillance Court—similar to the National Security Agency’s phone records metadata program. One official said, “The CIA protects the nation and upholds the privacy rights of Americans by ensuring that its intelligence-collection activities are focused on acquiring foreign intelligence and counterintelligence in accordance with U.S. laws.” Meanwhile, Ars Technica reports on a new social media monitoring service unveiled by LexisNexis to aid local law enforcement in mining social media posts for intelligence. [The New York Times]

UK – GCHQ Spoofed LinkedIn & Slashdot to Access Telecoms’ Internal Networks

According to leaked documents, the UK’s GCHQ spoofed LinkedIn and Slashdot pages to install malware on the computers of certain engineers working for global roaming exchange providers in Europe. Once the malware was on the computers, intelligence agents were able to gain access to internal networks of Belgian telecommunications company Belgacom and its subsidiaries. The method used to infect the computers is known as “Quantum Insert” and was developed by the NSA. [Der Spiegel] [WIRED] [ComputerWorld] [Ars Technica]

WW – As NSA Fallout Continues, Investigations Launched

Dutch and Belgian data protection authorities are leading an investigation “into whether consumers’ personal data on the global Swift money-transfer network can be accessed by the U.S. National Security Agency (NSA) or other intelligence services.” “We will investigate if the security of the networks and databases of Swift containing huge quantities of personal data related to bank transactions, of among others, European citizens, allow for or have allowed for unlawful access,” said Dutch DPA and Article 29 Working Party Chairman Jacob Kohnstamm. In the U.S., advocacy groups including the Electronic Privacy Information Center, Privacy Rights Clearinghouse and Center for Digital Democracy sent a letter to the U.S. Federal Trade Commission calling for an investigation into Internet companies whose networks were accessed by the NSA. “It is inconceivable that when faced with the most significant breach of consumer data in U.S. history, the commission could ignore the consequences for consumer privacy,” the letter states. Meanwhile, a GigaOM report suggests the legacy of Edward Snowden’s revelations about NSA surveillance could be “much if not most of the open web will be encrypted by default.” [Bloomberg]

WW – Google Engineers Angry Over NSA and GCHQ Snooping

Google has begun encrypting traffic between its data centers after leaked documents indicated that the NSA and GCHQ had been targeting the fiber-optic networks that transmit data between Google data centers in a data harvesting operation dubbed MUSCULAR. (For the record, the operation also snooped on traffic between Yahoo data centers.) The traffic was not encrypted before because it was considered internal to the company. Google executive chairman Schmidt was vocal about his feelings regarding the situation, calling the operation “outrageous” and “perhaps illegal.” Google engineers have also vociferously expressed their anger about the situation. [Ars Technica] [ZDNet] [The Register]

WW – Tech Companies Want Restrictions on Gov’t Surveillance

Following news that the National Security Agency (NSA) was tapping into Yahoo and Google data centers, a coalition of tech companies is calling on Congress for restrictions on government surveillance. Google, Yahoo, Microsoft, Facebook, Apple and AOL have asked for “substantial enhancements to privacy protections and appropriate oversight and accountability mechanisms.” Meanwhile, a U.S. senator and privacy advocates are raising concerns that a bill introduced last week to amend the Foreign Intelligence Surveillance Act would give the NSA permission to collect massive amounts of not only Americans’ phone records, but e-mails as well. [MediaPost]

US – House Committee Wants Answers from VA About Cybersecurity Practices

The US Department of Veterans Affairs (VA) is coming under scrutiny from a congressional committee after offering inconsistent explanations for several data breaches since 2010. The state-sponsored cyberattacks have compromised personal information of more than 20 million veterans and their family members. In the past three weeks, the House Veterans Affairs Committee has made six formal inquiries to the VA’s Office of Information and Technology regarding the agency’s IT security practices and compliance with federally mandated standards. The agency has a backlog of unanswered inquiries dating back to June 2012. The most recent round of inquiries arose after it became clear that VA networks were compromised multiple times since March 2010, but officials have been unable to determine what data were compromised. [FCW]

US – Franken and Heller Reintroduce Bill on Surveillance Transparency

Sens. Al Franken (D-MN) and Dean Heller (R-NV) have reintroduced the Surveillance Transparency Act of 2013. A hearing on the bill, which aims to increase transparency when it comes to government surveillance, will be held November 13. “The American public is naturally suspicious of executive power, and when things are done secretly, they tend to think that power is being abused,” said Franken. The bill follows a letter written by 60 Internet companies and advocacy groups pushing the president and congressional leaders for transparency when it comes to government surveillance. Meanwhile, a law enforcement official recently said scrutiny over government surveillance threatens police use of technology to solve crimes. [Broadcasting & Cable]

US – NSA Reform Bill Expected; Feinstein Backs “Total Review”

House and Senate lawmakers plan Tuesday on introducing legislation to limit the NSA’s surveillance powers. The USA FREEDOM Act, written by Sens. Patrick Leahy (D-VT) and James Sensenbrenner, Jr., (R-WI), would end the NSA’s bulk collection of phone records, increase curbs to monitoring Americans, require quicker data deletion in cases of accidental collection and create a special FISA court advocate. Sen. Dianne Feinstein (D-CA), who has consistently been a staunch defender of the NSA’s programs, has called for a “total review” of all intelligence collection programs after news that the U.S. allegedly spied on national leaders of allied nations—most notably German Chancellor Angela Merkel. The White House has also said there needs to be additional “constraints” on U.S. intelligence gathering to “better balance our security needs and the security needs of our allies against the real privacy concerns that we all share.” The House Intelligence Committee will hold a rare open hearing today, which will include the NSA director and other top intelligence officials. [The Hill]

US – Surveillance Constitutionality May Be Tested in Court

U.S. federal prosecutors “intend to use information gathered through the government’s warrantless surveillance program in a criminal trial, setting up a possible court test of the constitutionality of such eavesdropping.” In a notice released late Friday, the Justice Department announced it will use “information obtained or derived from acquisition of foreign intelligence information conducted pursuant to the Foreign Intelligence Surveillance Act” in a case against an alleged terrorist. A deputy legal director with the American Civil Liberties Union has described the filing as a “big deal” that “will undoubtedly set up a constitutional challenge,” the report states. [CNET]

Telecom / TV

US – IBM to Acquire Fiberlink Communications

IBM has announced its agreement to acquire mobile management and security company Fiberlink Communications. “In a mobile-first world, clients require a comprehensive mobile management and security offering. Oftentimes they integrate solutions on their own and take on unnecessary risk,” said IBM’s Robert LeBlanc. “To protect and enhance the complete mobile experience, it’s crucial to secure the app, user, content, data and the transaction. The acquisition of Fiberlink will enable us to offer these expanded capabilities to our clients, making it simple and quick to unlock the full potential of mobility.” [IBM]

US Government Programs

US – U.S. Willing to Consider Reforms

Chairman of the Privacy and Civil Liberties Oversight Board (PCLOB) David Medine said the government is open to changes about how it conducts phone and Internet surveillance programs as long as they don’t undermine the programs’ effectiveness. PCLOB is now examining how to balance thwarting terrorist plots with protecting Americans’ privacy. It will present a report to President Barack Obama on suggested reforms to surveillance programs. In an opinion piece for The Atlantic, Conor Friedersdorf says defenders of digital surveillance programs should apply the logic to the analogue world, where “everyone recognizes the absurdity of effectively outlawing privacy.” [Chicago Tribune]

US – Gov’t Considers Removing NSA from Military Command

The Obama administration is considering removing the U.S. National Security Agency (NSA) from military command and appointing a civilian to lead it. Gen. Keith Alexander is retiring in 2014, and a list of his potential replacements is being compiled. Meanwhile, plans for a European Internet—a direct response to the NSA revelations this summer—are being discussed by German company Deutsche Telekom. The company aims to keep German citizens’ data safe from foreign governments. And Privacy International has announced a new project that seeks to promote data protection within humanitarian efforts. [The Guardian]

US – White House May Consider Civilian to Head NSA

When NSA chief General Keith Alexander steps down from his post next year, the White House may nominate a civilian candidate to fill the position. The NSA has drawn its leaders from within the military since the agency’s inception in 1952. Alexander currently also heads the US Cyber Command, so a civilian NSA director would be considered only if the White House decides to split the two positions after Alexander steps down. A civilian nominee would likely have to face Senate confirmation hearings. A qualified civilian candidate may be difficult to find, as the job requires a depth of technical knowledge and “familiarity with intelligence gathering.” Jim Lewis, senior fellow at the Center for Strategic and International Studies, notes that a civilian NSA director may encounter difficulty providing intelligence for military operations. [The Hill]

US – NSA and Cyber Command Leadership Likely to be Separate

It appears likely that the next person to serve as NSA chief will not have authority over US Cyber Command, as does current NSA chief General Keith Alexander. Both military officials and legislators are leaning toward dividing the positions to prevent abuse of power and to help restore public trust in the NSA. Alexander, who was appointed head of the NSA in 2005 and acquired the leadership role at Cyber Command in 2010, plans to step down from those positions next year. He believes the two roles should be connected because agencies could end up squabbling over resources and decisions. [The Hill] [CNET]

US – States Take Action Where Federal Gov’t Hasn’t

State legislatures around the country have rushed to propose a new series of privacy laws. More than two dozen privacy laws have been passed this year in more than 10 states, incited by increasing privacy concerns about personal data and a lack of action by the federal government. State Rep. Jonathan Stickland said, “Congress is obviously not interested in updating those things or protecting privacy. If they’re not going to do it, states have to do it.” State AGs concurred recently at the IAPP Privacy Academy. The flurry of laws can be burdensome for tech companies trying to comply; however, federal law prevents states from interfering with interstate commerce, the report states. [The New York Times]

US – DHS Submits Annual Report on Privacy to Congress

In her first public communication, new U.S. Department of Homeland Security CPO Karen Neuman posted on the DHS blog that she has officially submitted the DHS Privacy Office’s 2013 Annual Report to Congress. “As the Privacy Office enters our tenth year,” she writes, “we will continue to ensure that DHS stays committed to protecting the privacy of all individuals, and providing the greatest level of transparency and accountability possible.” The report, which stretches to 86 pages, opens with a message from Deputy CPO Jonathan Cantor, who acted as CPO for much of the time the report covers, and outlines how the department accomplished goals related to its privacy and disclosure policy, advocacy, compliance, oversight and workforce excellence. [DHS]

US – Inspector General: DHS Lacks Resources to Handle Online Threats

The Department of Homeland Security’s (DHS) inspector general says DHS has struggled to respond to cybersecurity threats because of “lingering technical, funding and staffing woes.” In an October 24 report, the inspector general said DHS lacks the tools and training needed to track hackers who are after U.S. banks and other businesses and needs more resources in order to be able to communicate threats to its cybersecurity workforce in real time. There is a system to distribute event reports and another for distributing response information, but the two are not connected. The IG’s report makes seven recommendations, including acquiring or developing tools and technologies that can link situational awareness products to cyber incidents. While President Barack Obama has nominated someone for the post, DHS currently lacks a leader. [Politico] [NextGov] [OIG.dhs.gov]

US – Report Finds NSA, GCHQ Mass Surveillance Violated EU Law

A new study reveals that dragnet Internet surveillance by the U.S. National Security Agency (NSA) and the UK’s GCHQ violated European privacy law. The study’s authors, Sergio Carrera of the Centre for European Policy and Francesco Ragazzi of Leiden University, have urged the European Parliament to “break the wall of silence,” the report states. Meanwhile, a report in Foreign Policy contends that, in the debate about the NSA’s surveillance programs, “privacy is a red herring.” [ComputerWeekly]

US Legislation

US – Lawmakers Reintroduce Kids’ Tracking Act

Sen. Ed Markey (D-MA) and Rep. Joe Barton (R-TX) have announced plans to reintroduce the Do Not Track Kids Act, which aims to prohibit targeted advertising to kids younger than 16 and create an “eraser button.” The lawmakers point to a recent study from Commonsense Media showing an increase in the number of children accessing media through mobile devices as an indicator of need for the act. The bipartisan legislation, which has won the support of advocacy group Consumer Watchdog, “would prohibit web giants … from collecting personal information, including location data, on children ages 15 and younger” without permission, the report states, describing teenagers as “a group that is leaving extensive digital dossiers” through the use of social media. “The Do Not Track Kids legislation would update COPPA for this new Internet ecosystem, establish new protections for the personal information of children and teens and ensure that parents have the tools they need to protect their children’s privacy,” they said. COPPA was recently updated to prevent the tracking of kids under 13 years of age. [The Hill] [The Washington Post]

US – Judge Rules Wyndham Must Exchange Evidence with FTC, Case Proceeds

A judge has ruled that Wyndham Worldwide Corp. must exchange pretrial evidence with the U.S. Federal Trade Commission in its complaint against the company, which alleges that breaches at Wyndham and its three subsidiaries compromised more than 619,000 credit card accounts, Bloomberg reports. The company wanted the case dismissed, claiming the FTC doesn’t have the authority to regulate data security. A Covington & Burling InsidePrivacy post noted, “Even if the FTC wins the motion to dismiss, if the court issues a written decision, it is possible that the decision could speak to limits on the FTC’s authority. Companies that are subject to the FTC’s jurisdiction will want to follow this closely.” [Full Story]

US – Is Cali’s “Eraser” Bill the Wrong Approach?

Recently passed legislation in California essentially creates an “eraser” option for children and teens. Yet privacy advocates are asking why only children would have such an option since, often, younger Internet users are more savvy about their privacy in the first place, whereas older users may not be as sophisticated. Center for Democracy and Technology Director of Consumer Protection Justin Brookman said, “It’s directed towards teenagers, which in itself is kind of vague … If you’re going to have privacy rules, you might as well protect everyone.” IAPP Westin fellow Kelsey Finch recently analyzed this bill along with several others in California. [Al Jazeera]

US – FAA Releases Roadmap for UAS Integration

The Federal Aviation Administration has released an official roadmap for the future integration of unmanned aircraft systems (UAS), also known as drones. U.S. Transportation Secretary Anthony Foxx said, “This roadmap is an important step forward that will help stakeholders understand the operational goals and safety issues we need to consider when planning for the future of our airspace.” The five-year plan unveils three phases, including “accommodation” of existing UAS, “integration of future UAS” and “evolution” to create an adaptable framework for the technology. The roadmap also implies, the report states, that unmanned aircraft will be treated like manned aircraft. The FAA has designated six test sites, which will help “inform the dialogue” with privacy and civil liberties concerns. [WIRED] See also: [Calo: FAA Plan “Sensible”; Not All Agree]

US – Markey Introduces Drone Bill

Sen. Ed Markey (D-MA) has filed a bill that would require the Federal Aviation Administration (FAA) “to insert privacy protections in its examination into the possibility of allowing drones to be flown in commercial airspace.” Markey explained his Drone Aircraft Privacy and Transparency Act would require the FAA to ensure warrants are in place before using drones for surveillance. “Before countless commercial drones begin to fly overhead, we must ground their operation in strong rules to protect privacy and promote transparency,” he said. [The Hill]

US – SCOTUS Lets Facebook Settlement Stand

The U.S. Supreme Court has let stand a $9.5 million settlement after a Facebook user challenged the agreement objecting to the fact that none of the money will go to the users whose privacy rights were violated. The settlement will go to a foundation to promote online privacy and security, after paying out lawyers’ fees, and stems from Facebook’s use of the Beacon advertising program, which it shut down in 2009 after complaints. While the court didn’t issue a published dissent, Chief Justice John Roberts said it may need a different case in order to reach the “fundamental concerns surrounding the use of such remedies in class-action litigation.” [Bloomberg]

US – Privacy Group Can Finally Start Work as Facebook Beacon Suit Ends

After three and a half years of legal wrangling, the U.S. Supreme Court let stand a $9.5 million settlement between Facebook and class-action plaintiffs, bringing an end to the case triggered by the Beacon advertising program. It is just the beginning, however, for the Digital Trust Foundation. Created by the settlement and led by Berkeley Center for Law and Technology head Chris Hoofnagle, the DTF will now begin developing grant-making guidelines for organizations seeking a portion of the $6 million in funds allocated for the study of online privacy. [Ad Age]

US – Federal and State Regulators on How to Get “Off the Hook”

The FTC has been a busy agency. It has now brought 47 data security cases against businesses to date, and according to FTC Consumer Protection Bureau Deputy Director Daniel Kaufman, there are more in the pipeline. Together with New Jersey Supervising Deputy Attorney General Kenneth Ray Sharpe, CIPP/US, Kaufman addressed a room full of privacy pros yesterday at the IAPP Practical Privacy Series in New York City on how to avoid the wrath of regulators. [The Privacy Advisor. Full Story]

US – What Privacy Pros Need to Know About the NIST Cybersecurity Framework

As the U.S. National Institute of Standards and Technology moves into the home stretch of creating the Cybersecurity Framework called for by President Barack Obama back in February, we’re now getting a clearer picture of how privacy will be affected by the resulting document. Considering it may end up being part of regulatory structure, it’s incumbent upon privacy professionals, writes Hogan Lovells Partner Harriet Pearson, CIPP/US, that they understand how the framework ties together cybersecurity and privacy. As the date of the last framework workshop approaches, Pearson hits upon the most important points of the draft Privacy Methodology contained in the Cybersecurity Framework in this exclusive post for Privacy Tracker. [Full Story]

US – California’s Tidal Wave of Legislation: A Roundup

For more than a decade, California has stood at the forefront of the privacy legislation wave. Two 2003 California statutes have stood out and, in fact, revolutionized the field: the California Online Privacy Protection Act (CalOPPA), which was the first state law to require websites to post a privacy policy, and the law commonly known as “SB 1386,” the first security breach notification statute. This exclusive for The Privacy Advisor examines five new laws as well as legislation that is currently pending in California. [Full Story]

US – U.S. Urges EU to Preserve Safe Harbour

Across the globe, fallout from reports of U.S. National Security Agency (NSA) and other governmental surveillance programs continues. Politico reports on U.S. regulators urging their counterparts in the EU not to abandon the Safe Harbor Framework amidst “mounting European anger over NSA spying.” Separately “The CIA is paying AT&T more than $10 million a year to assist with overseas counterterrorism investigations by exploiting the company’s vast database of phone records, which includes Americans’ international calls,” according to a report in The New York Times. NSA General Counsel Rajesh De has attempted to explain the agency’s telephone metadata collection program by saying, “It’s effectively the same standard as stop-and-frisk”—using “reasonable and articulable suspicion” to identify phone numbers to target. Meanwhile, Google has begun encrypting its internal network in an effort to halt broad surveillance, and Kaspersky has said it is designing products “to detect all malware”—even that sponsored by the NSA. In response to allegations of U.S. agencies spying on EU officials, Spiegel examines what the White House might have known and how the NSA sets its priorities, and Indonesia has backed a UN statement indicating “anger at U.S.-led data snooping,” while Australian websites faced cyber attacks “in protest at Canberra’s reported involvement in the surveillance network.” [Full Story]

Workplace Privacy

US – Employee Monitoring: What’s Allowed and What’s Not?

Employers walk a fine line between protecting company resources and ensuring productivity on the one hand and becoming Big Brother to their staff on the other. Technology is available to monitor everything from computer use to hallways, but just because it’s out there doesn’t mean it’s okay to use it. This IAPP Resource Center Close-Up aims to help you balance organizational security with employee privacy laws across the globe. You’ll find tools, articles and guidance on conducting background checks, accessing employee data and BYOD, plus learn about differing laws from region to region. [Close-Up: Workplace Privacy]

US – Case Over Workplace Audio Recordings Offers Insight

The proliferation of recording devices in our society offers employees the opportunity to easily record conversations in the workplace, which has brought up interesting legal questions in the 37 states where anti-wiretap laws don’t prohibit recording a person without their knowledge. Philip Gordon writes in Littler Mendelson’s Workplace Privacy Counsel about a recent case in which an administrative law judge (ALJ) rejected the National Labor Relations Board’s (NLRB) stance that workers “have a legally protected right to record their coworkers and managers.” In the case, the ALJ found that the company’s ban on workplace audio recording was lawful, and while the decision is not binding on the NLRB, the decision will likely be appealed to the board and offers important guidance for employers. [Full Story]
