Privacy News Highlights 16-31 January 2014

Biometrics

WW – As Facial Recognition Uses Expand, Privacy Concerns Abound

Companies are working on facial recognition-based “VIP identification” for hotels and other businesses, expanding “shoplifter-identification services with parallel programs to help retailers recognize customers eligible for special treatment.” Meanwhile, law enforcement agencies in one California county are “testing facial recognition technology to help identify people in the field.” A National Telecommunications and Information Administration event this week is expected to look at issues related to facial recognition technology, the report states, noting that on the topic of facial recognition, the Federal Trade Commission’s Jessica Rich has said, “This is another reason that we need omnibus privacy legislation.” Across the globe, Japan’s National Institute of Information and Communications Technology plans to test facial recognition at Osaka’s train station. [The New York Times]

WW – Facial Recognition Databases Demand “Responsible” Actions

In a column for The Atlantic, Profs. Woodrow Hartzog and Evan Selinger highlight the importance of separating facial recognition apps and large databases in order to protect privacy and relative anonymity in public. “No matter how powerful a facial recognition app is designed to be, it can’t get the job done without being connected to a database that links names to faces,” they write, adding, “the key is to ensure legal and social pressure demands the same responsible behavior from database owners as it does from designers, hosts and users of facial recognition technologies.” Meanwhile, CNET News reports on an augmented reality app planned for Google Glass. The Brain app would lay data from the virtual world—such as a Facebook profile—over what’s being observed in the real world. The company’s chief executive said, “We are trying to develop the platform … to try to anticipate and understand what you need and what you want and then present it when you need it.” [The Atlantic]

Canada

CA – Privacy Commissioner Provides Recommendations to Parliament for the Protection of Privacy Rights In National Security Efforts

On the occasion of International Data Privacy Day, a special report to Parliament by the Office of the Privacy Commissioner of Canada, with specific recommendations to address current issues surrounding privacy and national security, was tabled in Parliament. Building from consultation with a range of experts and civil society, the Office’s report makes a series of recommendations for Parliament to consider in order to strengthen privacy protection. Specifically, it suggests ways to increase transparency, modernize privacy laws and bolster Parliament’s oversight role. [Source]

CA – Canadian Spy Agency Gleaned Passengers’ Data From Airport’s Wifi

A federal electronic spy agency tracked thousands of people who passed through a Canadian airport using information gleaned from free wireless Internet service. Citing a secret document leaked by former U.S. security contractor Edward Snowden, CBC reported that Communications Security Establishment Canada (CSEC) collected data from passengers’ smartphones and laptops over a two-week period and tracked those devices for a week or longer afterward. CSEC is tasked with collecting foreign intelligence under law and can’t target Canadians, or anyone within Canada, without a warrant. CBC quoted several experts who said CSEC’s actions were “almost certainly illegal.” The document leaked is a 27-page presentation on a “trial run” of the program, dated May 2012, reported the CBC. The technology was to be shared with the so-called “Five Eyes” spy partnership composed of Canada, the U.S., Britain, New Zealand and Australia. [Source]

CA – Alberta to Update Privacy Law

Alberta will “amend one of its main privacy laws this fall to comply with a Supreme Court of Canada judgment that found the legislation unconstitutional.” The court struck down the province’s entire Personal Information Protection Act in November in a case involving a union that photographed individuals crossing a picket line, giving Alberta a year to revise the law. “It is the government’s intention to pass the amendments early in the fall 2014 session to comply with the court’s ruling,” Service Alberta’s Gerald Kastendieck said. The amendments will “focus on unions and picketing,” the report states, noting, “There won’t be a general review of the 10-year-old legislation this year.” [The Canadian Press]

CA – NF Premier Calls for Changes to Restrictions

Newfoundland and Labrador Premier Tom Marshall is calling for the government to launch an “about-face review of access-to-information restrictions that it has staunchly defended.” Bill 29 included changes to the Access to Information and Protection of Privacy Act and was passed in 2012. Critics have described it as “regressive and even dangerous,” the report states. Marshall said, “One of the things I said we were going to do is we’re going to listen to the people of the province. And I think people have real concerns over Bill 29.” Meanwhile, a former inmate at the Ottawa-Carleton Detention Centre who was allegedly attacked by a guard has been denied access to his medical records, Ottawa Citizen reports. [The Globe and Mail]

Consumer

WW – Researcher Identifies 212 Data Brokers; Fewer Than Half Allow Opt-Outs

Journalist and author Julia Angwin recently sought to find the information commercial data brokers store about her, she reports on her blog. During her research, she discovered some of the data was incorrect—one broker asserting she was a single mother with no education—and decided to opt out. But less than half of the 212 data brokers Angwin identified offered opt-outs—there are no laws requiring they do so. In this post, Angwin provides two downloadable spreadsheets for users to both identify data brokers and then decipher which of them allow opt-outs. [Privacy Tools] [DATA PRIVACY DAY: 56% are worried about the internet eroding their personal privacy]

WW – Which Information Do Consumers Most Closely Guard?

Though consumers don’t always know how companies collect their data, which often causes a “trust gap,” evidence exists that consumers are still willing to exchange some of their personal information for products and services. Create With Context (CWC) recently surveyed 800 consumers to find out what information they would be willing to give up “in exchange for 50% off three different items: a gallon of milk, a large-screen television and a new car.” This Privacy Perspectives post reveals what CWC’s Ilana Westerman and Gabriela Aschenberger found, including how “97% of respondents said they’d be willing to give up at least one piece of data about themselves in exchange for a discount,” while noting that consumers don’t guard “all their information with equal vigilance.” [Privacy Perspectives] [Has a jealous lover hired hackers to get into your e-mail?] [Needapassword.com]

US – E-Receipts Helping Retailers Do More than Save Paper

Paper receipts are headed toward extinction, as e-receipts increasingly become commonplace. But e-receipts may serve more of a purpose for merchants than is obvious. “Merchants see digital receipts as a way to ‘engage’ with their customers. Translation: They see this as a new marketing channel—an efficient way to sell you more stuff,” the report states. While collecting customer data can be difficult, e-mailing receipts is “a fairly effective and simple way to get accurate contact points for your customer base,” says one CEO. A recent Epsilon International report found that 83% of retailers offering e-receipts did so to obtain a customer’s e-mail address. [Today]

US – Ad Agencies More Worried About Scale than Privacy

At a recent meeting of digital ad agencies, representatives indicated a lack of concern about the future safety of customer data, despite recent hacks at Target, Neiman Marcus and Snapchat. The agencies said clients are excited about hyper-location data tools. Asked what the biggest hurdles may be to marketing on mobile and whether privacy and security were top-of-list, agencies instead cited a need for bigger audiences and getting technology startups to explain how their tracking products work. The director of mobile strategy at Horizon Media said while clients are excited about new data, they rely on the ad agencies to be sure privacy issues are addressed. [Forbes]

E-Government

US – White House Launches Future of Privacy Review

John Podesta, a counselor to the president, announced in The White House Blog he will lead a review on how “Big Data will affect the way we live and work; the relationship between government and citizens, and how public and private sectors can spur innovation and maximize the opportunities and free flow of this information while minimizing the risks to privacy.” Podesta will be joined by the secretaries of commerce and energy as well as science and economic advisors and “other senior government officials” to “help identify technological changes to watch; whether those technological changes are addressed by the U.S.’s current policy framework, and highlight where further government action” may be needed. [White House blog]

US – Justice Dept. to Allow More Transparency; More Surveillance Programs Revealed

Ahead of President Barack Obama’s annual State of the Union speech on what many in the privacy community know as Data Privacy Day, the Justice Department agreed to let technology companies disclose more data to the public on national security requests. The agreement will allow companies—including Facebook, Apple, Microsoft, Google and Yahoo—to publish additional aggregate information, including, for the first time, Foreign Intelligence Surveillance Court requests. This roundup for The Privacy Advisor looks into the agreement and what’s expected from Obama’s State of the Union address tonight, as well as new documents leaked by Edward Snowden on the U.S. NSA and UK’s GCHQ surveillance programs. [Privacy Advisor] See also: [Federal government tweets take weeks to produce]

US – State Department Inspector Finds Security Issues Remain Unaddressed

According to an audit report from the Office of Inspector General (OIG), there are “significant and recurring weaknesses in the Department of State information system security program.” The IG was critical of the department’s failure to address security problems found in previous audits. [GovInfoSecurity] [oig.state.gov] See also: [B.C. auditor-general warns of cyberthreats]

CA – Spy Agency’s Work With CSIS, RCMP Fuels Fears of Privacy Breaches

Canada’s foreign-intelligence surveillance agency received nearly 300 requests for assistance from domestic security agencies over a four-year period – a degree of collaboration that is raising alarm bells for privacy advocates. A disclosure from Communications Security Establishment Canada, obtained by The Globe through an Access to Information request, shows the Canadian Security Intelligence Service sought help from CSEC 205 times between 2009 and 2012. The RCMP made 85 such requests during the same time span. These “support to lawful access” figures – which have never been released before – show that close collaboration with other federal agencies is routine for Canada’s electronic-eavesdropping agency. Watchdogs and judges have recently raised concerns that ill-considered intelligence collaborations can lead to illegal wiretapping, wrongful arrests – or even violence against travelling Canadian suspects who are red-flagged to intelligence agencies operating overseas. On Tuesday, the Office of the Federal Privacy Commissioner called upon CSEC to “proactively disclose” just how much it is working with the other federal agencies. [Source] See also: [REPLAY: Ontario Privacy Commissioner Ann Cavoukian’s International Privacy Day 2014 Event “Big Surveillance Demands Big Privacy – Enter Privacy-Protective Surveillance”] [Source] and [NSA Spying Sends Data to Canada]

US – DHS Warns Contractors of Data Breach

The US Department of Homeland Security (DHS) has notified contractors that sensitive data belonging to their companies, including private documents and bank account information, were compromised in a security breach. The incident affects at least 114 companies that bid on a DHS Science and Technology Directorate contract last year. [DarkReading] [KrebsOnSecurity]

US – Website Marketing Driver Records Scrutinized

Did you know the state sells your driving information and has been doing so for decades? Now the process is ready to be brought online and that’s raising concerns about identity theft. “We’re literally selling the personal information of people who register their vehicles in Connecticut to private insurance companies,” said Sen. Robert Kane, R-CT. Kane said he’s worried about what will happen when the state puts all of that information online. In the past, companies would have to request the information they need and would receive it in large data files. Last year the state made more than $20 million by selling driver’s license information to companies. [Source] See also: [Site lets Swedes snoop on friends’ criminal past]

E-Mail

WW – Yahoo Resetting Passwords After Compromise Attempts

Yahoo has reset passwords for Yahoo Mail accounts that appear to have been compromised. Yahoo said that the attackers had likely stolen usernames and passwords from a third-party database and attempted to use the information to log into Yahoo Mail accounts. Users whose accounts were affected received messages from Yahoo notifying them of “unusual activity on the network.” [Internet Storm Center] [CNN] [ComputerWorld] [TheRegister] [Ars Technica] and: [US: No sixth sense: ‘123456’ is worst password of 2013] and also: [How Canada’s Anti-Spam Enforcers Will Cooperate, Coordinate, Share Information]
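
The attack pattern described above is credential stuffing: the attacker already holds a username/password pair per victim from some other breach and tries each pair once, so the signal is many distinct usernames from one source with a high failure rate, not many attempts against one account. The following is an added example, not Yahoo’s code and not from the original report; the four-field log format, the sample lines and the thresholds are all constructed for illustration. It flags stuffing sources and returns the accounts that succeeded from them, which are the ones that warrant the kind of forced reset Yahoo performed.

```python
"""Credential-stuffing detector over constructed auth-log lines.

Added example (not Yahoo's code). Assumed log format, one event per line:
    <ISO timestamp> <source_ip> <username> <LOGIN_OK|LOGIN_FAIL>
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: 203.0.113.7 cycles through many usernames with one
# try each (stuffing, two hits); 198.51.100.2 is one user mistyping once.
SAMPLE_LOG = """\
2014-01-30T10:00:01Z 203.0.113.7 alice LOGIN_FAIL
2014-01-30T10:00:02Z 203.0.113.7 bob LOGIN_FAIL
2014-01-30T10:00:02Z 203.0.113.7 carol LOGIN_OK
2014-01-30T10:00:03Z 203.0.113.7 dave LOGIN_FAIL
2014-01-30T10:00:03Z 203.0.113.7 erin LOGIN_FAIL
2014-01-30T10:00:04Z 203.0.113.7 frank LOGIN_FAIL
2014-01-30T10:00:04Z 203.0.113.7 grace LOGIN_OK
2014-01-30T10:00:05Z 203.0.113.7 heidi LOGIN_FAIL
2014-01-30T10:05:00Z 198.51.100.2 alice LOGIN_FAIL
2014-01-30T10:05:07Z 198.51.100.2 alice LOGIN_OK
"""


@dataclass
class SourceStats:
    """Per-source-IP counters used to tell stuffing from normal logins."""
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)
    successes: set = field(default_factory=set)  # usernames that got in


def parse_log(text):
    """Aggregate auth events by source IP; malformed lines are skipped."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("LOGIN_OK", "LOGIN_FAIL"):
            continue
        _ts, ip, user, outcome = parts
        s = stats[ip]
        s.attempts += 1
        s.usernames.add(user)
        if outcome == "LOGIN_FAIL":
            s.failures += 1
        else:
            s.successes.add(user)
    return stats


def stuffing_sources(stats, min_attempts=5, min_distinct_users=5,
                     min_fail_ratio=0.5):
    """Return {ip: SourceStats} for sources whose pattern matches stuffing.

    Unlike a brute-force attack on one account, stuffing shows many
    distinct usernames with roughly one attempt each and a high failure
    ratio (most users did not reuse the leaked password). Thresholds are
    illustrative assumptions, not tuned values.
    """
    flagged = {}
    for ip, s in stats.items():
        if s.attempts < min_attempts or len(s.usernames) < min_distinct_users:
            continue
        if s.failures / s.attempts < min_fail_ratio:
            continue
        flagged[ip] = s
    return flagged


def accounts_to_reset(text):
    """Usernames that logged in successfully from a flagged source.

    These are the accounts whose reused password the attacker held; a
    forced password reset cuts off the access the stolen pair bought.
    """
    to_reset = set()
    for s in stuffing_sources(parse_log(text)).values():
        to_reset |= s.successes
    return to_reset


if __name__ == "__main__":
    for ip, s in stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {s.attempts} attempts, {len(s.usernames)} users, "
              f"{s.failures} failures -> reset {sorted(s.successes)}")
```

In practice the per-IP key is too coarse on its own, since stuffing tools rotate through proxies; the same counters keyed by user-agent fingerprint or by a short time window across all sources catch the distributed form, and the response (reset and notify the successfully accessed accounts) is the same.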

Electronic Records

US – Students Expelled After Hacking Into School Computers

A California high school has expelled 11 students “accused of using keyloggers to spy on their teachers’ computer systems, infiltrate the network and change their grades electronically”—the maximum discipline penalty allowed by the education code. The students allegedly worked with a tutor to learn how to hack into Corona del Mar High School’s systems with the goal of changing their grades and stealing tests, the report states, noting police are seeking to interview the tutor. Officials have said they are unsure how many grades were changed, but a total of 52,000 grades issued over a one-year period are being audited. [CNet]

US – ND Leads Nation in Electronic Medical Records Use

In North Dakota, medical records are more likely than in other states to be stored electronically rather than in a paper folder. A report this month from the national Centers for Disease Control and Prevention said North Dakota health care providers are ahead of the rest of the country in adopting electronic systems to manage patient records. According to the report, 82.9% of North Dakota’s office-based physicians use a basic electronic health record system. The next highest rate was in Minnesota, with 75.5%. New Jersey’s rate was the lowest, at 21.2%. The study defines a basic records system as one that allows doctors to access patient history, demographics, patient problems, clinical notes, medications and allergies, test results and other information. The national average for adoption of basic systems was 48% in 2013. The average for doctors using any type of electronic records, other than for billing, was 66%. North Dakota is part of a cluster of states with significantly higher than average adoption, including South Dakota, Minnesota, Iowa and Wisconsin. [Source]

NZ – Patients to Run Health Care Online

The face of New Zealand healthcare will change before the year is out as Kiwis are signed into patient portals allowing them to self-manage their medical records, book doctor appointments and chat to their GP online. The new multi-million dollar electronic healthcare system is a hybrid of internet banking and social networking – giving patients a secure account to view their medical records and test results, but also a private platform to instantly message their GP. National health IT board director Graeme Osborne said the patient portal service was “ground-breaking”. It would empower Kiwis to take control of their own healthcare. More than 50 per cent of the country’s general practices would be using the service by the end of 2014, he said. [Source]

Encryption

WW – Cryptographers, Others Sound Off on NSA Programs

There is pressure on the U.S. government to reform the NSA’s surveillance programs, most recently from more than 50 cryptography experts in an open letter published this week. “The value of society-wide surveillance in preventing terrorism is unclear, but the threat that such surveillance poses to privacy, democracy and the U.S. technology sector is readily apparent,” the letter reads. Meanwhile, the Republican Party passed a resolution at its annual meeting on Friday condemning the NSA’s massive collection of data. Stanford Center for Internet and Society’s Jennifer Granick writes on the Privacy and Civil Liberties Oversight Board’s report that NSA data collection is illegal. [The Verge]

US – Lavabit Case Highlights Legal Fuzziness Around Encryption Rules

CIO reports on Lavabit founder Ladar Levison’s fight against contempt-of-court orders; Lavabit is the now-defunct encrypted e-mail service. The case involves Levison’s refusal to hand over data on a particular user—rumored to be Edward Snowden—when the government came knocking for it; specifically, the government wanted Lavabit’s SSL private keys, which would let it decrypt the traffic of every Lavabit user, not just the target’s. Three judges for the Fourth U.S. Circuit Court of Appeals in Virginia are hearing the case, one of whom criticized the FBI agents involved in the case for not working with Lavabit to overcome the technical obstacles that delayed Levison’s eventual compliance. The government does not plan to prosecute Levison for obstruction of justice for shutting down Lavabit, the report states. [CIO] See also: [Footage released of Guardian editors destroying Snowden hard drives] [Footage of the hard drives being destroyed]

EU Developments

EU – German Court of Justice Clarifies Rules on Credit Scoring, Access

Germany’s Federal Court of Justice has clarified data subjects’ rights of access to their credit scores under the Federal Data Protection Act. Hunton & Williams’ Privacy and Information Security Law Blog reports that “while credit reference agencies must disclose all personal data referred to in the Federal German Data Protection Act,” they do not have to disclose their methods in determining the score.

EU – Making a Privacy Law for the 21st Century

With the EU’s proposed General Data Protection Regulation (GDPR) hanging in the balance, some think it a good time to go back to the drawing board. “Better, I think, to start again and design a good law than to adopt legislation for the sake of it—no matter how ill-suited it is to modern-day data processing standards,” writes Field Fisher Waterhouse Partner Phil Lee, who reflects on what a “21st-century data protection law ought to achieve, keeping in mind the ultimate aims of protecting citizens’ rights, promoting technological innovation and fostering economic growth.” [Privacy Perspectives] See also: outgoing European Data Protection Supervisor Peter Hustinx has agreed to stay on the job until October after the European Commission rejected the candidates seeking to replace him. [Confusion over EU data protection watchdog resolved]

UK – Court Confirms Privacy Tort and Addresses Meaning of Personal Information

On January 16, 2014, the English High Court of Justice issued reasons in Vidal-Hall v. Google Inc. relating to an appeal of a Master’s decision to allow Google to be served outside of the jurisdiction in relation to claims brought in connection with tracking and collating information relating to the claimants’ internet usage through the claimants’ Apple Safari internet browser. Importantly for the UK, the High Court explicitly recognized the tort of misuse of private information (at para. 70). Perhaps more far-reaching, at least from the perspective of the ongoing debate in Canada and elsewhere concerning the boundaries of what is “personal information”, the High Court addressed the argument that the information generated by the claimants’ searches and used in interest-based advertising was not really personal information. Spoiler alert: the court followed similar logic to the Office of the Privacy Commissioner of Canada in its online behavioural advertising guidance. [Source]

EU – Regulation Won’t Be Adopted Before May Elections

With several member states aiming to water it down, the revised data protection law will not be adopted before European Parliament elections in May. EU Justice Commissioner Viviane Reding and the lead negotiators on the package agreed to set the deadline for before the end of the year. German Green MEP Jan Philipp Albrecht said the timetable established seeks a mandate for negotiations in June, adding, “If it will be possible to stick to this timetable, this would be good news and important.” The member states aiming to soften the regulation—UK, Denmark, Hungary and Slovenia—would prefer to see it turned into a directive instead. [EUObserver]

EU – Reding Calls for Billion-Dollar Fines

European Commission Vice President Viviane Reding is calling for larger fines against companies that breach the EU’s privacy laws. Reding “dismissed recent fines for Google as ‘pocket money’ and said the firm would have had to pay $1 billion under her plans for privacy failings,” the report states, noting she believes increased punishments are needed to encourage firms to take personal data use more seriously. Out-Law.com, meanwhile, reports the EU’s Court of Justice “is set to rule in a case involving Google and the judgment could offer some clarity about which local data protection rules will apply to multinational Internet service providers that process personal data abroad but have a business presence in a local jurisdiction.” [BBC News]

EU – EU Has Secret Plan for Police to ‘Remote Stop’ Cars

The EU is secretly developing a “remote stopping” device to be fitted to all cars that would allow the police to disable vehicles at the flick of a switch from a control room. Confidential documents from a committee of senior EU police officers, who hold their meetings in secret, have set out a plan entitled “remote stopping vehicles” as part of wider law enforcement surveillance and tracking measures. “The project will work on a technological solution that can be a ‘build in standard’ for all cars that enter the European market,” said a restricted document. The devices, which could be in all new cars by the end of the decade, would be activated by a police officer working from a computer screen in a central headquarters. Once enabled the engine of a car used by a fugitive or other suspect would stop, the supply of fuel would be cut and the ignition switched off. The technology, scheduled for a six-year development timetable, is aimed at bringing dangerous high-speed car chases to an end and to make redundant current stopping techniques such as spiking a vehicle’s tyres. The proposal was outlined as part of the “key objectives” for the “European Network of Law Enforcement Technologies”, or Enlets, a secretive off-shoot of a European “working party” aimed at enhancing police cooperation across the EU. [Source]

Facts & Stats

WW – A New Handy Guide to Global DPAs

The legal world is still fond of reference books. How many of you have giant binders on your shelves into which you insert this year’s latest update on some area of law or other? For a quickly changing legal environment like privacy, though, your binder fills up fast. Pretty soon, you need another binder. Luckily, we have the Internet. DLA Piper has attacked the problem of surveying the world’s data protection laws and regulations with a handy online and interactive guidebook for which they’ve released version 2.0 just in time for Data Privacy Day. [The Privacy Advisor]

Filtering

WW – Microsoft Hints Overseas Users Can Store Data Outside U.S.

Microsoft General Counsel Brad Smith has suggested that overseas users will be able to store their data outside of the U.S., in what Reuters reports as “the most radical move yet by a U.S. technology company to combat concerns that U.S. intelligence agencies routinely monitor foreigners.” According to Financial Times, Smith said users “should have the ability to know whether their data are being subjected to the laws and access of governments in some other country and should have the ability to make an informed choice of where their data resides.” As one example, Smith said, Europeans could choose to store their data in Microsoft’s data center in Ireland. [Reuters]

Finance

CA – Law That Hides Massive Health Privacy Breach from Patients Is Useless

When nearly one-sixth of all Albertans have their medical information stolen, and nobody says a damn thing about it for nearly four months, a lot of people are going to be very angry. Fred Horne, for instance. He’s the health minister. He was also a patient at a Medicentres clinic, the group whose information technology “expert” left a laptop loaded with 620,000 patient records lying around. He makes the crucial point: “We need to think about who was left out of this equation — the patient.” Patients and the public should have been told within days — by the Edmonton police, the Medicentres group and most certainly by Alberta’s Information and Privacy Commission, which was informed right at the start but sat on the information. [Source] [Four other cases of stolen health data in Alberta] [Minister ‘outraged’ over stolen laptop holding 620,000 Albertans’ health data]

CA – Former Inmate Denied Access to Own Medical Records

A former Ottawa-Carleton Detention Centre inmate who was allegedly viciously assaulted by a guard has been denied access to his own medical records. The Ministry of Community Safety and Protective Services refused to provide Jean Paul Rheaume with his medical records from the jail on the basis that the information was a record relating to the ongoing prosecution of his alleged attacker. The Information and Privacy Commissioner of Ontario upheld the decision. This week, Rheaume requested a divisional court overturn that decision. In a court filing seeking to overturn the ruling, Rheaume’s lawyer argued the effect of the Information and Privacy Commissioner’s ruling “is the perverse result that a victim of crime is denied access to his medical records.” [Source]

FOI

US – Will Transparency Calm Concerns Over Government Access?

In light of the agreement by the U.S. Department of Justice to allow Internet companies to disclose more aggregated data on law enforcement requests for access to user information, Hogan Lovells’ Christopher Wolf delves into whether increased transparency will quell concerns over government access. Wolf writes, “The transparency reports, which soon will have greater granularity, should help the world understand that the U.S. is hardly alone in its national security practices and that reform needs to be viewed as a global concern.” [Privacy Perspectives]

US – DOJ Relaxes Gag Order on Government Data Requests

In response to legal challenges from tech companies, the US Justice Department (DOJ) has agreed to relax the gag orders that accompany certain government requests for data. Companies are now permitted to release information about the numbers of National Security Letters (NSLs) and Foreign Intelligence Surveillance Court (FISC) requests they receive; those numbers must be reported within ranges of 1,000. The companies may also release information, again in the broad ranges, of the number of customer accounts affected by the requests. If the companies choose to combine the data for NSL and FISC requests, they may publish within ranges of 250. The data may be published every six months with a six-month delay. The DOJ has also imposed a two-year delay on reporting statistics from the date “the first order … is served on a company for a platform, product, or service … for which the company has not previously received such an order.” [WashPost] [NYTimes] [WIRED] [FISA Court Notice]

Google

SK – Commissioner Fines Google Over Street View

South Korea’s communications regulator is fining Google over its Street View operations there. It’s the regulator’s first fine of a global company for privacy violations. The $196,000 fine results from the collection of residents’ personal data while the company took pictures for its Street View service. The move follows similar actions in Canada and France, among other jurisdictions. “This commission will punish those who collect information of the Korean public without exception,” said Korea Communications Commission Chairman Lee Kyung-jae. [The Korea Herald]

US – Google Privacy Lawsuit Revised, Says Execs Made “Conscious Decision”

Bloomberg reports on a revised privacy lawsuit against Google. The suit alleges the company commingled data across its services and products—in a Google project called Emerald Sea. U.S. Magistrate Judge Paul Grewal ruled in December that the plaintiffs failed to demonstrate harm caused by Google’s actions, and for the case to proceed, the plaintiffs must show how the commingling of data deprived them of the “economic value” of their data, the report states. Thursday’s revised complaint alleges Google executives in 2010 “made a conscious decision to withhold from the public information pertaining to the Emerald Sea plan, including Google’s intention to violate all existing privacy policies that placed any limitations on Google’s ability to combine information across platforms by doing precisely that once Emerald Sea became a reality.” [Full Story]

WW – Second-Hand Chrome Extensions Are Being Turned into Adware

At least two Chrome browser extensions that were sold have been used by their new owners to launch aggressive advertising campaigns. A developer reported last week that after he sold his extension, it was turned into adware. That extension had more than 30,000 users before it was sold. Another developer reported a similar incident. Chrome extensions are updated in the background without user interaction unless the new version requests additional permissions, so a buyer who keeps the existing permission set can push changed behaviour to the entire installed base silently. The adware, which works in the background to inject specific ads into the sites users visit, violates the Chrome Web Store developer program policies. Google has banned the two now-questionable extensions from the Chrome Store. Since an extension already holds access to the pages its users visit, a second-hand extension could be used for purposes far more malicious than ad injection. [ComputerWorld] [ZDNet] [LATimes]

Health / Medical

US – Is Policy Needed for “Personal Representative” PHI Disclosures?

Federal health IT advisors are struggling with whether new policies are needed to address an ongoing and increasingly common HIPAA issue likely to grow as baby boomers age. The issue at hand is caregiver, family member and “personal representative” access to patients’ personal information, the report states; HIPAA’s privacy rule requires covered entities to provide someone authorized under state law to act on a patient’s behalf with access to their personal health data. The Health IT Policy Committee’s Privacy & Security Tiger Team Co-Chair Deven McGraw discussed whether policy should be developed on the matter or if “best practices” recommendations would suffice. [Government Health IT]

US – World Privacy Forum Releases New HIPAA Report

The World Privacy Forum (WPF) has released a new report on a recently added option within the Health Insurance Portability and Accountability Act (HIPAA) on the right to restrict disclosure. Co-written by WPF Founder and Executive Director Pam Dixon and privacy and information policy consultant Bob Gellman, Paying out of Pocket To Protect Health Privacy: A New but Complicated HIPAA Option; A Report on the HIPAA Right To Restrict Disclosure looks into this new right as it “will take effort and planning for patients to utilize effectively,” the WPF press release states. [WPF] [AB: Former privacy czar says tougher laws needed in wake of latest health breach]

Horror Stories

US – OfficeMax Blames Data Broker for “Daughter Killed” Mailing

In one of the latest developments in the headline-making story of a targeted mailing sent to a Chicago man with the disturbing words “Daughter Killed in Car Crash or Current Business” as part of the address, OfficeMax has said it “unintentionally bought (that information) from a third-party data broker.” OfficeMax requested a mailing list from the broker “for Businesses, Small Offices and Home Offices … NO personal information qualifiers were part of our request; we were not seeking personal information and did not ask for it,” a company spokesperson wrote. “As an additional measure to prevent future mailing errors, we have upgraded the filters designed to flag inappropriate information.” [Forbes]

US – Target Breach Used Stolen Vendor Access Credentials

A Target spokesperson said that the breach that compromised payment card details and personal information of millions of the retailer’s customers came about through credentials stolen from a vendor. A preliminary look at the malware used in the breach suggested that the attackers may have exploited a vulnerable feature in IT management software on the company’s internal network. [GovInfoSecurity] [ZDNet] [Ars Technica] [ComputerWorld] [KrebsOnSecurity] [InformationWeek] See also: [Visa Issued Alerts Last Year About Type of Attack Used Against Target and Neiman Marcus] and [Laptops Stolen From Coca-Cola Contained Unencrypted Employee Data] and [Stolen Laptop Contains Health Data of 620,000 Alberta, Canada Residents] and [Personal information from 100 million South Korean credit cards stolen]

US – LabMD: FTC Investigation Forced Closure

Atlanta-based LabMD shut down its operations this week due to the ongoing FTC investigation over a data breach there, Computerworld reports. LabMD CEO Michael Daugherty says the FTC’s investigation is an “abuse of power” and has accused the FTC of overstepping its authority in its pursuit of LabMD. He added that the small company is “exhausted” from the last four years, during which the FTC has subpoenaed dozens of LabMD employees, required executives to travel to give depositions and requested information from the company. [ComputerWorld]

Identity Issues

US – Twitter Account Lost to Extortionist

A California man claims to have lost his Twitter account to an extortionist who was allegedly holding the man’s other online accounts and services hostage. Naoki Hiroshima has been using the @N Twitter account since 2007 and says that there have been numerous other attempts to steal it. The extortionist managed to gain control of Hiroshima’s domain name and through that, was able to control Hiroshima’s email. Hiroshima surrendered the Twitter handle to regain control of the domain names, and was also able to get the hacker to tell him how he managed to gain control of the domain names in the first place. [TheRegister] [ArsTechnica] [eWeek]

US – FTC Settles Safe Harbor Charges Against 12 Companies

The FTC has settled with 12 U.S. companies over charges the companies falsely claimed they were abiding by Safe Harbor rules. The companies involved spanned various industries, including mobile apps, DNA testing and professional sports. The complaints filed by the FTC state the companies allowed their EU-U.S. Safe Harbor certifications to lapse, despite claims in their privacy policies or Safe Harbor certification marks indicating otherwise. Three of the companies were also charged with falsely claiming to abide by the U.S.-Swiss Safe Harbor framework. The settlements, which follow criticism from the European Commission that the Safe Harbor framework has not been effectively enforced, are now open for public comment. FTC Chairwoman Edith Ramirez said Safe Harbor enforcement is a priority and the cases “send a signal to companies” that they can’t falsely claim certification. In a blog post on the FTC’s site, Lesley Fair, senior attorney with the Federal Trade Commission’s Bureau of Consumer Protection, says this is fair warning that, “If you feature the Safe Harbor mark on your site or refer to your participation, remember that you must ‘re-up’ every year.” [FTC]

US – Verizon Releases First Transparency Report

In a press release on its website, Verizon has released its first transparency report for law enforcement requests in the U.S. and “other countries in which we do business.” According to the release, “Although Verizon has released a great deal of information over the past few years regarding the number of law enforcement demands we’ve received, Verizon’s online Transparency Report now makes an expanded data set more easily accessible.” The company said it will update the report semi-annually. Verizon also said it saw an increase in the number of law enforcement demands in 2013, as compared to 2012. [Source]

Intellectual Property

US – Farmers Warned About Sharing Data with Monsanto, Others

Midwest farmers can sign up for services that allow “big agribusiness” to collect data “minute by minute, as they plant and harvest their crops … promising to mine that data for tips that will put more money in farmers’ pockets.” However, the American Farm Bureau Federation is warning farmers to be cautious, the report states, suggesting such services “could threaten farmers’ privacy and give the big companies too much power.” One participant in an experimental data-sharing system from Monsanto said, “My theory is, if they have my information, and they’re out there working with me, I’m hoping that they’re going to bring me a better product.” [NPR] See also: [This Google Glass user went to the movies. Then he got interrogated for about four hours]

EU – Study Says France’s Three-Strike Policy Has Not Curbed Piracy

A study of French Internet users found that the country’s “three-strikes” anti-piracy policy has had little to no effect on users obtaining pirated content. The policy “has not deterred individuals from engaging in digital piracy [nor has it lessened] illegal activity of those who did engage in piracy,” according to the report’s authors, researchers at the University of Delaware and the University of Rennes. The report does mention another study that found a 20-25 percent increase in sales of French music on iTunes shortly before the law took effect, but they say it was due to “public education efforts” instead of the law itself. [ArsTechnica] [SSRN]

US – Accessing Proprietary Data With Valid Credentials Not a Violation of CFAA

The US District Court for the Northern District of California has dismissed a lawsuit against Keith Freedman, who was accused of accessing and copying information from his former employer’s servers. The suit alleged that Freedman had violated provisions of the Computer Fraud and Abuse Act (CFAA). Freedman used valid credentials to access the information, according to the court, which does not constitute a violation of the CFAA. Freedman was accused of accessing his former employer’s data while using access credentials issued to one of the firm’s customers while Freedman was doing work for both companies. US Magistrate Judge Paul Grewal wrote, “CFAA regulates access to data, not its use by those entitled to access it.” [ComputerWorld] [CourthouseNews]

EU – Dutch Court Lifts Ban on the Pirate Bay

A Dutch court has lifted a ban on The Pirate Bay, allowing Internet service providers to permit users to access the torrent site. The Dutch Court of Appeals in The Hague determined that a ban on The Pirate Bay had proven to be ineffective at stopping piracy. The court found that while the block order reduced traffic to The Pirate Bay, torrent levels did not decline. Users determined to obtain copyrighted material illegally were finding ways of obtaining the content. The ruling also means that the anti-piracy group that brought the original case must now pay ISPs 400,000 euros (US $542,000) in legal costs. That group, Brein, is considering taking the case to the country’s Supreme Court. [BBC] [SC Magazine]

Internet / WWW

WW – New Whitepapers on Cloud Computing

The IAPP has recently posted four articles by Kuan Hon, Christopher Millard, Ian Walden and Julie Hornle of Queen Mary University of London. The articles cover topics including what personal data is regulated in cloud computing, who is responsible for it, jurisdiction concerns and exporting data outside the European Economic Area. [IAPP Resource Center]

WW – IAPP Releases Two New Whitepapers for #DPD2014

Looking for tools to help you spread the message of privacy professionalism through your organization or community? The IAPP has released two new whitepapers for Data Privacy Day. “Privacy Policies: How To Communicate Effectively With Consumers” is a collaboration between the IAPP, Kinsella Media and Rust Consulting and features new research on how consumers interact with privacy notices posted online. “Privacy 101 for SMEs: The Best Defense Is a Good Offense” was written by IAPP VP of Research and Education Omer Tene and Network Advertising Initiative President and CEO Marc Groman, and provides practical advice for setting up a privacy program at, for example, a small tech start-up. Both papers are free for download and can be distributed as you see fit. [Privacy 101 for SMEs]

WW – At World Economic Forum, Industry Leaders Call for New Privacy Rules

In a blog post, Microsoft General Counsel Brad Smith has called for “an international legal framework—an international convention—to create surveillance and data access rules across borders” and has said the current legal structures are out-of-date, prompting “some governments, as we’ve learned over the past year … to take unilateral actions outside the system.” Smith is expected to take part in a World Economic Forum (WEF) panel discussion about the public perceptions of surveillance, data security and privacy in light of the NSA disclosures. BT Group Chief Executive Gavin Patterson, also speaking at the WEF, said customers cannot be guaranteed 100% privacy online and called for updates to “murky” data collection laws, The Guardian reports. Meanwhile, DW reports on Human Rights Watch’s call this week for “a clear regulatory framework to keep intelligence services in check.” [CNET News] See also: [Exit records: Crossing the border can be a matter of public concern] [Canada, U.S. to share names from border crossings] and [Dear America, I Saw You Naked]

WW – Edward Snowden Has Been Nominated for a Nobel Peace Prize

Edward Snowden spent the last year revealing some of the government’s most tightly held secrets, kicking off a massive debate about the proper role of America’s intelligence services. Now, a pair of Norwegian politicians have nominated the NSA leaker for a Nobel Peace Prize. In their nomination letter, Baard Vegar Solhjell and Snorre Valen, who hail from the Socialist Left party, said Snowden’s revelations “contributed to a more stable and peaceful world order.” [Source] See also: [Snowden Calls Russian-Spy Story “Absurd” in Exclusive Interview]

US – How To Solve Obama’s Big Data Challenge

Speaking to a group of students earlier this week, White House Deputy Chief Technology Officer Nicole Wong discussed the challenges of addressing privacy when utilizing Big Data and highlighted President Barack Obama’s recently announced Big Data study to be headed by John Podesta. By making these recent remarks and initiating this new study, “President Obama grabbed the Big Data bull by the horns,” write Future of Privacy Forum Co-Founders Jules Polonetsky, Christopher Wolf and Omer Tene. These three privacy experts lay out the potential privacy concerns while addressing “the profound impact of new technologies on Big Data business opportunities,” adding, “Big Data was all the rage in privacy circles in 2013, and now it is achieving appropriate, broad policy attention.” [Privacy Perspectives]

Law Enforcement

WW – The All-New IAPP Mobile App Privacy Tool

With nearly unlimited niches to fill and a global audience within reach, the mobile app universe can be richly rewarding—but it can also present privacy pitfalls for those who leap before they look. Regulators globally have begun to turn a watchful eye toward the privacy and security practices of mobile apps. You may now find it difficult to navigate the numerous guidance documents in order to understand what your app or mobile platform can and can’t do with users’ data. The IAPP’s Westin Research Center has launched a new tool to help with compliance requirements imposed by regulators and trade associations in both the U.S. and Europe. [Comparison of Mobile Application Guidelines Tool]

US – Officials Want Rules on Data Breach Disclosures

U.S. law enforcement officials have called on Congress to draft stricter requirements for how retailers and other private businesses should report large breaches of personal and financial data. FBI Director James Comey said political uproar over surveillance and the Edward Snowden leaks have complicated discussions about how to fight consumer data breaches, the report states. “There is the threat of fraud and theft because we’ve connected our lives to the Internet,” Comey said. “We need to make sure that the private sector knows the rules of the road and how we share that information with the government.” Meanwhile, Sen. Jay Rockefeller (D-WV) has qualms with letting a third party store NSA telephone metadata. [Reuters]

UR – Gov’t Locates Riot Participants, Sends Text Warnings

Efforts by the Ukrainian government to quiet violent protests include a text message sent to mobile phone users in the vicinity of the clashes reading, “Dear subscriber, you are registered as a participant in a mass riot.” The interior ministry has denied involvement in sending the texts, as have two telephone providers. Another provider said, “We strictly observe the confidentiality of our users, their telephone numbers and locations.” The interior ministry did say it is using video footage to arrest the most active participants in the riot. The protests were sparked by new laws on public gatherings. [The Guardian] See also: [Canadian police forces looking to arm officers with cameras]

US – San Jose Considers Tapping Private Surveillance Cameras

Under a new proposal to be heard by San Jose’s City Council next week, police would be able to tap into residents’ private video cameras. The proposal would allow property owners to voluntarily register their security cameras for a new database managed by the San Jose Police Department in order to help solve crimes. A spokesperson from the police department said it is reviewing the program’s merits and any privacy concerns. [Emergency Management]

CA – Cavoukian Seeks Limits on Sharing Medical Records With Foreign Agencies

Canadian police forces should only share sensitive mental health records with foreign agencies when a public threat can be demonstrated, says Ann Cavoukian, Ontario’s information and privacy commissioner. Her remarks highlight concerns raised in a Star story about Ellen Richardson, a disabled Toronto woman who was denied entry to the U.S. and missed out on a 10-day cruise because a 2012 “mental health episode” came up on a U.S. border computer. Cavoukian’s concerns and recommendation will be the centrepiece of a report she plans to present in April. Her comments came at a time when Canadian border officials are planning to share personal information obtained under a new Canada-U.S. border data-sharing program with other federal departments. The Star revealed that Ottawa and Washington will start sharing their citizens’ travel and biographic data this summer, meaning anyone from Canada travelling to or from the United States by land can have their information passed on to federal departments. [Source]

Location

US – Personalized Ads Super Bowl-Style; SocialRadar Released

As the NFL makes last-minute preparations for the Super Bowl, The New York Times reports on plans to feature personalized ads based on physical location, both in Times Square and at MetLife Stadium. At both locations, the NFL has placed transmitters designed to send ad-based signals to smartphones. “When it rolls out, you will see all this utility for it,” said the University of Washington’s Ryan Calo, “And at some point, the economic incentives will come into play, and it won’t be pretty.” Meanwhile, a new iPhone app called SocialRadar has been released. The app aggregates data from Facebook, Foursquare, Instagram, Twitter, LinkedIn and Google+ and finds users’ social media contacts based on location and shares locations, profile data and recent posts. [New York Times] [4 Unanswered Questions About In-Store Tracking and Privacy]

WW – Researchers Create Android App to Show When Other Apps Track You

A team of researchers has developed an Android app to help people better understand when their location is being accessed, something that happens more often than people think. “All apps that access location need to request permission from the Android platform,” said Janne Lindqvist, who led the research project. “The problem is that people don’t pay attention to these default disclosures.” Android phones display a flashing GPS icon when apps are trying to access the user’s location. But few people notice or understand what the icon is telling them, the researchers found. The app they developed is designed to fix that, by making it clearer to users when other apps are accessing their location data. They tried several methods, including a message that flashes on the device’s screen reading, “Your location is being accessed by [app name].” There’s no obvious way in Android for an app to monitor whether other apps are accessing location, the researchers said, but they discovered they could exploit a method in the Android Location API as “an effective side channel.” They’re in the process of readying their app for the Play Store. It doesn’t have an official name yet, but the working title is the RutgersPrivacyApp. “I’m happy to hear suggestions for a better one,” Lindqvist said. [Source]

Offshore

SK – South Korean Commissioner Fines Google Over Street View

South Korea’s communications regulator is fining Google over its Street View operations there. It’s the regulator’s first fine of a global company for privacy violations. The $196,000 fine results from the collection of residents’ personal data while the company took pictures for its Street View service. The move follows similar actions in Canada and France, among other jurisdictions. “This commission will punish those who collect information of the Korean public without exception,” said Korea Communications Commission Chairman Lee Kyung-jae. [The Korean Herald]

AU – Australian Breach of Privacy Case Dismissed

A police officer’s privacy complaint against the Queensland Police Service (QPS) has been dismissed. The officer “launched legal action against the Queensland Police Service claiming his privacy had been breached when details of a raid on his home appeared in the media,” the report states. The Queensland Civil and Administrative Tribunal dismissed the complaint after finding the officer “had not substantiated his claims against the QPS,” the report states. [Brisbane Times]

AU – Data Privacy Complaints at Record High in Hong Kong

Complaints and enquiries to the Office of the Privacy Commissioner for Personal Data (PCPD) peaked in 2013, “driven partly by new restrictions on companies’ use of their customers’ personal data for direct marketing.” The PCPD reported Thursday that more than 75% of the “complaints targeted private organisations, while more than half of the enquiries asked about the marketing restrictions.” The number of complaints received in 2013 was up 48% over 2012, the report states. [South China Morning Post]

Online Privacy

US – Suit Accuses Facebook of Scanning Users’ Private Messages

Facebook is facing a second potential class-action lawsuit accusing it of scanning users’ personal messages to each other. In the complaint filed last week in the Northern District of California, David Shadpour says, “Facebook’s desire to harness the myriad data points of its users has led to overreach and intrusion on the part of the company as it mines its account holders’ private communications for monetary gain.” Shadpour says the practice violates California laws. The suit is similar to one filed late last year. [Media Post] See also: [On Facebook, clicking ‘like’ can help scammers]

WW – Whitepaper Imagines Cookie-Free World; Ad Choices Icon Unsuccessful?

A new whitepaper examines how online ads might function in a cookie-less world. The Interactive Advertising Bureau published “Privacy and Tracking in a Post-Cookie World,” which it calls a “first step” toward “eliminating one of the biggest limitations impacting mobile advertising today.” Meanwhile, a TRUSTe report indicates web users are increasingly concerned about online privacy, and new research suggests the Digital Advertising Alliance’s AdChoices icon, used in targeted display advertising as part of its public education campaign, hasn’t been as effective to date as the coalition may have hoped. [Wall Street Journal] See also: [Connected Cars are Here. The Good News Is That Privacy Is Being Taken Seriously]

US – AAA Unveils Consumer Rights for Car Data

The American Automobile Association (AAA) has drafted a consumer bill of rights and is urging industry to adopt it. AAA calls for transparency, choice and security and states car owners should have the right to understand what data is being collected about them, control with whom their data is shared and expect that companies will exercise best security practice. “Many connected car features are made possible through the collection of large amounts of potentially sensitive data from drivers,” said AAA CEO Bob Darbelnet, adding, “Companies collecting, using and sharing data from cars should do everything possible to protect consumer rights as they offer these exciting technologies.” [USA Today]

Other Jurisdictions

BR – 2014 Brings the World Cup and Perhaps New Privacy Laws to Brazil

The Hogan Lovells privacy team explores the impact two proposed privacy laws would have on organizations that provide digital products and services to Brazilian consumers. The Marco Civil da Internet would establish data protection requirements and preserve net neutrality, and the Data Protection Bill would establish an EU-style framework for the processing of personal data. These laws have been in limbo for the past few years, but will the fallout from U.S. government surveillance practices be the inspiration Brazilian lawmakers need to pass provisions, including some that would restrict cross-border data transfers? [Privacy Tracker]

Privacy (US)

US – Justice Department is Investigating Target Breach

US Attorney General Eric Holder says that the Department of Justice (DOJ) is investigating the Target data breach. The DOJ hopes to find the people responsible for the attack as well as people who use the stolen information. DOJ does not normally publicize its involvement in investigations. The Secret Service is also investigating the breach. [ComputerWorld] [GovInfoSecurity] [CNET] [SC Magazine]

US – Terrorism Defendant Challenging FISA Amendments Act

A man who was charged based on evidence gathered by the NSA’s warrantless surveillance programs has filed a lawsuit challenging the constitutionality of that program. Jamshid Muhtorov is a political refugee and permanent US resident from Uzbekistan now living in Colorado. Last year, the Supreme Court ruled against a suit challenging the same law because the plaintiffs in that case could not prove that their communications had been intercepted. [WashPost] [WIRED] [ComputerWorld] [CNET] [ArsTechnica] and [Motion to Suppress] [US: Terrorism suspect challenges warrantless surveillance]

US – Sens. Introduce Data Breach Legislation; Breach May Affect Hotels

A number of U.S. senators have introduced data security and breach notification legislation following the Target and Neiman Marcus incidents. Sens. Diane Feinstein (D-CA), John Rockefeller (D-WV), Mark Pryor (D-AR) and Bill Nelson (D-FL) have introduced the Data Security and Breach Notification Act. The bill would require the FTC to release a set of security standards for businesses holding consumer data. Calls for chip-and-PIN technology are increasing as well. Sen. Robert Menendez (D-NJ) also plans to introduce the Commercial Bill of Rights, noting that, “Target was just the tip of the iceberg.” Representatives from Target and Neiman Marcus will testify before the Senate Judiciary Committee on Tuesday. Meanwhile, a recent PricewaterhouseCoopers survey canvassed those who oversee privacy within their organizations and found that though some data security awareness is growing, “privacy awareness isn’t quite where it should be.” In other breach news, KrebsonSecurity reports that White Lodging, a business with connections to Hilton, Marriott, Sheraton and Westin, has allegedly suffered a data breach exposing credit and debit card information on thousands of customers. [Diane Feinstein]

US – Google Denied Chance to Immediately Appeal Wiretap Ruling

U.S. District Court Judge Lucy Koh has denied Google’s request to immediately appeal her ruling that the company’s scanning of Gmail messages potentially violates the Electronic Communications Privacy Act. That means the ruling will stand for now. Koh’s ruling could have implications for Internet service providers’ common practices—even seemingly innocuous ones like scanning for viruses. “We desperately need clarity on the legal question,” said one law professor, adding it could be months, years or longer before that arrives. [MediaPost News]

US – Will FTC’s Recent Safe Harbor Settlements Quench Europe’s Thirst for Enforcement?

The FTC last week announced it had settled with 12 U.S. companies over charges they let their Safe Harbor certifications lapse but still indicated they were certified. Was the move a response to recent criticism from the EU? The FTC said it was business as usual. But does it at least indicate more enforcement to follow? Will the EU be placated? FTC Commissioner Julie Brill said she does not “believe these settlements were reached because of pressure from the European Commission or anyone else.” But some say the settlements were expected and the “ball was in the FTC’s court after the developments in Europe.” The researcher who filed the complaints said he supports all but one of the settlements. [The Privacy Advisor] See also: [Vladeck Discusses FTC Enforcement Past and Present]

US – Plaintiffs Ask Appeals Court to Revive Facebook, Zynga Complaints

Plaintiffs are asking the Court of Appeals, San Francisco, to revive complaints filed in 2010 and dismissed a year later, seeking that Facebook and Zynga “be ordered to face claims that users’ identities and activities on the social networking platforms were disclosed to third parties without their consent.” Judge Richard Tallman said Congress could not have envisioned “the alleged violations of the Stored Communications Act in its ‘wildest dreams’ when it wrote the law,” the report states. He indicated he was “skeptical anyone was misled by the privacy policies that are being challenged” but acknowledged “there has to be substantial value to the information” or companies would not gather it, the report states. [Bloomberg Businessweek]

US – SCOTUS to Hear Cellphone Privacy Cases

The Supreme Court has agreed to hear two cases involving warrantless searches by law enforcement of suspects’ cellphones. The two cases—Wurie v. U.S. and Riley v. California—were granted cert by the court. In Riley, police searched a suspect’s text messages, photos and videos, finding evidence of gang-related activity and images implicating him in a separate crime. In Wurie, law enforcement went through the call logs of the suspect. The Electronic Frontier Foundation’s Hanni Fakhoury said, “These cases give the court the chance to determine to what extent the Fourth Amendment applies to newer technologies and whether the breadth and scope of information stored on a smartphone matters under the Constitution. We think it does and hope the Court agrees with us.” [Politico]

US – Is a Constitutional Amendment the Answer to Restricting Data Collection?

Privacy scholar and National Constitution Center President and Chief Executive Jeffrey Rosen has opined that a constitutional amendment may be needed to “prohibit unreasonable searches and seizures of our persons and electronic effects, whether by the government or by private corporations like Google and AT&T.” But Adam Thierer, a senior research fellow at George Mason University’s Mercatus Center, disagrees. Thierer explains why there “are several problems with Rosen’s proposal—legal, economic and practical” and writes “that better alternatives exist to deal with the privacy concerns he identifies.” [Privacy Perspectives]

US – Judge: Plaintiffs Sufficiently Allege Legal Duty in Sony Case

While U.S. District Judge Anthony Battaglia shot down parts of the class-action suit against Sony over its 2011 hacking incident, he did allow certain claims through, including one related to Sony’s legal duty to provide reasonable security. Battaglia wrote that “because plaintiffs allege that they provided their personal information to Sony as part of a commercial transaction, and that Sony failed to employ reasonable security measures to protect their personal information, including the utilization of industry-standard encryption, the court finds plaintiffs have sufficiently alleged a legal duty and a corresponding breach.” [databreaches.net]

US – TeleCheck to Pay $3.5M for FCRA Violations

The FTC announced that TeleCheck Services, a check authorization service company, along with its associated debt-collection entity, TRS Recovery Services, has agreed to pay $3.5 million as part of a settlement. The FTC charged the firm with violating the Fair Credit Reporting Act (FCRA) by not following proper dispute procedures and sometimes not investigating disputes at all when consumers had their checks denied by retailers based on TeleCheck’s information. Further, the FTC claimed TRS did not abide by the “Furnisher Rule,” which mandates that those providing credit information ensure that information’s accuracy and integrity. The settlement amount is the second-largest for an FCRA violation. [Source]

US – MRA Names Top 10 Gov’t Officials in Privacy

In recognition of Data Privacy Day, the Marketing Research Association has published a list of the “Top 10 Government Players in Consumer Data Privacy in 2014.” The list is topped by President Barack Obama for his multi-stakeholder approach to the White House’s Consumer Privacy Bill of Rights and his efforts to “demonize” private-sector data collection. The list also includes FTC Chairwoman Edith Ramirez, Sen. Jay Rockefeller (D-WV), FTC Commissioners Julie Brill and Maureen Ohlhausen, and Sen. Al Franken (D-MN), among others. [MRA] [Stay Safe Online] [B.C. proclaims Tuesday, January 28 “Data Privacy Day.”]

US – Rodriguez Is Leaving OCR: A Look at His Legacy

News that President Barack Obama has nominated Department of Health and Human Services Office for Civil Rights (OCR) Director Leon Rodriguez to direct U.S. Citizenship and Immigration Services has spiked the heart rates of some in the healthcare industry. The Privacy Advisor reports on this shift, which would leave the OCR director post vacant for the foreseeable future—and at an historic juncture. While HIPAA passed in 1996, its rules were enforced more like suggestions than federal mandates during the early years. But when Rodriguez took his post as OCR director in 2011, armed with powers granted under HITECH, the tone shifted, healthcare insiders seem to agree. As his departure looms, who will take his place and how will HIPAA enforcement change? [Privacy Advisor]

US – Federal Guidance on Breach Notification Would Ease Way for Businesses

Although many businesses balk at the idea of government regulation, some now appear to want the government to establish federal standards for data breach notification policies. Currently, companies must navigate a jumble of rules in 46 states and the District of Columbia regarding breach notification, which is a compliance nightmare. Legislators opposed to regulation may be hard to convince that the move would benefit businesses. Others are concerned that a national standard would weaken laws in states that have more stringent requirements in place. [NextGov]

US – Judge Who Ruled NSLs Unconstitutional Enforces New Orders

US District Judge Susan Illston, who last year ruled that the government’s use of National Security Letters (NSLs) is unconstitutional, has since enforced several of those same orders. In March 2013, Judge Illston ordered the government to stop using NSLs as they unconstitutionally impinge free speech. She also ordered the government to stop enforcing the gag order imposed by NSLs that had already been issued. Judge Illston’s logic is that because the Ninth Circuit court will be hearing the appeal of her ruling, it would be best to maintain the status quo until that court issues its ruling. [WIRED]

Privacy Enhancing Technologies (PETs)

WW – Whitepaper Highlights Emerging Privacy Engineer Discipline

A new whitepaper surveying the emerging discipline of privacy engineering has been released. Co-written by Ontario Information and Privacy Commissioner Ann Cavoukian, Stuart Shapiro of the MITRE Corporation and Enterprivacy Consulting Group’s R. Jason Cronk, Privacy Engineering: Proactively Embedding Privacy, by Design “seeks to promote a broader understanding and deeper practice of privacy engineering.” [PbD] In a Privacy Perspectives installment, Cronk asked, “Is 2013 the Year of the Privacy Engineer?” See also: [Opinion: Privacy Is Not Dead; Innovate for the Future] and [Innovate Privacy for the Future, But Don’t Get ‘Privacy Twisted’]

EU – Privacy Proving to be Tech Industry Driver

With “some of the world’s toughest privacy laws,” “an unusually large number of hackers and security experts” and “a deep appreciation for privacy among the German people,” Germany is seeing entrepreneurs in the wake of the Snowden revelations looking to privacy-focused business models. Germany is now home to start-ups ZenGuard, an encryption service; Blippex, a search engine “built with user privacy in mind,” and Arriver, “a social navigation tool developed on the principle of neutrality.” State-level business support is available to these start-ups through innovation funding programs, and Arriver CEO Felix Langhof says, “The privacy relevance is only just beginning to dawn on all of us.” [Forbes] See also: [Privacy Engineering: Proactively Embedding Privacy, by Design]

US – Privacy Appendix Dropped from NIST Framework

Nearly a month prior to the final release of its Cybersecurity Framework, the National Institute of Standards and Technology (NIST) has announced it will not include with it a separate appendix for privacy controls. According to the update from NIST, a separate methodology for privacy and civil liberties “did not generate sufficient support.” Sources said the appendix was added late in the process and caused trepidation and uncertainty. There were also concerns regarding corporate liability, particularly in the face of a data breach. NIST will instead incorporate a methodology developed by Hogan Lovells Partner Harriet Pearson. In comments submitted to NIST, Pearson wrote, “To incentivize use of the Cybersecurity Framework, the privacy methodology must be clear and straightforward for the private sector to use.” [FierceGovernmentIT]

Security

US – DMA Releases Guidelines on Breaches; Retail Association Launches Initiative

The Direct Marketing Association says it will be releasing new guidelines for best practices on data breach protection. The guidelines will include advice on data minimization, transparency on data use and cleaning and purging instructions. Meanwhile, a liability insurer at KPMG says the firms that need cyber insurance the most aren’t investing in it. Following the Target breach, the Retail Industry Leaders Association has launched an initiative to provide additional safeguards for consumer transactions, and the co-founder of a new service says it has struck the right balance between employee privacy and corporate security. [Broadcasting Cable] See also: [Top 10 Influencers in Government InfoSec]

WW – The Internet of Things: Software Flaw Allows Remote Access to Video

A security weakness in the firmware used in Foscam webcams, IP surveillance cameras and baby monitors could be exploited to remotely view live and recorded video. All an attacker would need to know is the targeted device’s Internet address; in many cases, the authentication prompt could be bypassed simply by clicking “OK” without entering credentials. Foscam planned to issue a firmware security update by January 25. [KrebsOnSecurity] [PCWorld] [FOSCAM.us]

RU – Olympics Security Trumps Privacy at Sochi

“Unprecedented” security measures are being taken around the upcoming Olympic Games in Sochi, Russia. With terrorist groups threatening the safety of the participants and fans, Russian President Vladimir Putin has bolstered a “ring of steel” around the venues with “an unmatched level of monitoring in cyberspace,” the report states. With help from the U.S., Canada and other nations, people attending the games have been warned to expect to be under surveillance at all times—including via telecommunications, the Internet and physical movement. [QMI Agency] See also: [Cybersecurity AWOL in State of the Union]

WW – Study Uncovers Tor Sabotage; Privacy Tools Used by 28 Percent Globally

A group of computer scientists has found at least two dozen computers actively trying to sabotage the Tor privacy network. The newly released paper, Spoiled Onions: Exposing Malicious Tor Exit Relays, is one of the first studies to document exit nodes purposely attempting to tamper with encrypted messages between the exit node and the open Internet. Developer Tal Ater has recently demonstrated that a microphone permission policy in Google Chrome can allow any site enabled for voice recognition to transcribe everything in range of the device without the user knowing. Separate research has revealed that privacy tools are used by 28 percent of the online world, or an estimated 415 million users. The GlobalWebIndex (GWI) study also found that 56% of those surveyed said they believe the Internet is eroding their personal privacy. The GWI study notes 11% of all users say they use the Tor network. [Ars Technica] and [SpyEye Developer Pleads Guilty]

Surveillance

US – PCLOB: NSA Phone Program Is Illegal

The Privacy and Civil Liberties Oversight Board (PCLOB) released its report on the NSA program that collects phone metadata in bulk, noting it provides minimal benefits to thwarting terrorism, is illegal and should come to a halt, Reuters reports. The PCLOB report goes further in criticizing the program than did President Barack Obama and his ad hoc review panel. “The Section 215 bulk telephone records program lacks a viable legal foundation under Section 215,” the PCLOB report states, adding it “raises serious threats to privacy and civil liberties as a policy matter and has shown only limited value.” Two of the board’s members—Rachel Brand and Elisebeth Collins Cook—voted against the recommendation to end the bulk collection. The PCLOB is also working on a separate report on the NSA’s Internet surveillance. The Guardian has compiled quotes from groups and lawmakers calling for the end of bulk phone records collection. [Reuters]

US – Constitutionality of NSA Surveillance Challenged in Court

A suspect facing terrorism charges has become the first criminal defendant to challenge the constitutionality of the NSA’s bulk surveillance program. A motion was filed in a federal court to suppress any evidence against the defendant gathered from the warrantless government surveillance under the FISA Amendments Act. The defendant “believes that the government’s surveillance of him was unlawful for the simple fact that it was carried out … under a statute that fails to comply with the Fourth Amendment’s most basic requirements,” according to the motion. In a separate case, for the first time in FISA’s 36-year history, a federal judge has allowed a defense lawyer to review classified evidence gathered under the law. [The Washington Post]

US – How Obama’s NSA Plans May Affect EU Law

President Barack Obama’s plans for surveillance reform, as revealed in his recent speech, “have had a lukewarm reception by European politicians,” writes Field Fisher Waterhouse Partner Eduardo Ustaran. “Such reforms are a work in progress that will extend over months and years, but Obama’s stance is bound to have a very direct effect on existing and forthcoming EU data protection requirements,” he adds. In this installment of Privacy Perspectives, Ustaran lays out his predictions “about the practical impact of the proposed plans in Europe.” [Full Story]

WW – Google Downplays Eavesdropping in Chrome Speech Recognition Feature

Google is downplaying reports that the speech recognition feature in its Chrome browser could be used to eavesdrop on users. A web developer created an exploit that could be used to let a website continue to listen on users’ microphones even after the users believe they have left the site in question. Websites could be less than forthcoming about their actions and could conceivably open a second window underneath the original site, allowing the microphone access to remain on even after users believe they’ve left the site. Google says the issue is not a threat because, the way the feature is designed, users must enable speech recognition for each site that requests it. When the speech recognition feature is being used, Chrome places a blinking red light in the browser tab and a camera icon in the address bar. [ComputerWorld] [TheRegister] [ArsTechnica] [NBCNews] [BBC.co.uk]

WW – Bulk of China’s Internet Traffic Redirected to US-Based Addresses

Earlier this week, many Chinese websites were redirecting users to a blank page run by a company in the US. Chinese Internet users found they were unable to access websites hosted either in China or overseas that were part of top-level domains like .com, .net, and .org. Sites under the .cn domain were unaffected by the incident. The situation did not last long – several hours – but its effect was felt for quite some time after the problem was resolved because users were still accessing cached versions of pages. While Chinese authorities said the incident was the result of an attack, a more likely scenario is a glitch in the way the country’s censorship system was being managed. The company that operates the page to which surfers were redirected runs services designed to circumvent China’s stringent Internet censorship program. [ZDNet] [ArsTechnica] [NextGov] [ComputerWorld] [NY Times]
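The symptom reported above (names across .com, .net and .org all resolving to one unexpected address while .cn names stayed normal) is easy to check for from a resolver log. The following is an added example written for this digest, not code from any of the cited articles; the baseline and during-event answers are constructed, and the "registrable domain" helper is a deliberate simplification that ignores the Public Suffix List.

```python
"""Detect a DNS sinkhole/hijack: many unrelated registrable domains newly
resolving to the same address, with a per-TLD view of what changed.

Added example for this digest. All addresses and names below are
constructed (RFC 5737 documentation ranges, .invalid-style placeholders).
"""
from collections import defaultdict

# Constructed baseline: answers from a normal day.
BASELINE = {
    "example.com": {"93.184.216.34"},
    "example.net": {"93.184.216.34"},
    "news.example.org": {"203.0.113.10"},
    "shop.example.com": {"203.0.113.20"},
    "mail.example.net": {"198.51.100.5"},
    "portal.example.cn": {"192.0.2.8"},
}

# Constructed observation during the event: every non-.cn name answers with
# one address in an unrelated prefix; the .cn name is untouched.
DURING_EVENT = {
    "example.com": {"198.51.100.99"},
    "example.net": {"198.51.100.99"},
    "news.example.org": {"198.51.100.99"},
    "shop.example.com": {"198.51.100.99"},
    "mail.example.net": {"198.51.100.99"},
    "portal.example.cn": {"192.0.2.8"},
}


def registrable(name):
    """Collapse a hostname to its last two labels (example.com).

    Simplification: no Public Suffix List, so example.co.uk would be
    grouped as co.uk. Good enough for .com/.net/.org/.cn here.
    """
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_sinkholes(observed, baseline, min_domains=3):
    """Return {address: sorted registrable domains} for every address that
    newly absorbs at least `min_domains` distinct registrable domains.

    A CDN legitimately fronts many names, which is why only *new* answers
    (absent from the baseline for that name) are counted.
    """
    newly_at = defaultdict(set)
    for name, answers in observed.items():
        known = baseline.get(name, set())
        for addr in answers:
            if addr not in known:
                newly_at[addr].add(registrable(name))
    return {addr: sorted(doms) for addr, doms in newly_at.items()
            if len(doms) >= min_domains}


def affected_tlds(observed, baseline):
    """Split TLDs into (changed, unchanged) so a .cn-style exemption stands
    out: a censorship-system fault tends to spare the domestic TLD."""
    changed, unchanged = set(), set()
    for name, answers in observed.items():
        tld = name.lower().rstrip(".").rsplit(".", 1)[-1]
        if answers != baseline.get(name):
            changed.add(tld)
        else:
            unchanged.add(tld)
    return changed, unchanged - changed


if __name__ == "__main__":
    for addr, doms in find_sinkholes(DURING_EVENT, BASELINE).items():
        print(f"sinkhole candidate {addr}: {', '.join(doms)}")
    hit, spared = affected_tlds(DURING_EVENT, BASELINE)
    print(f"changed TLDs: {sorted(hit)}  unchanged: {sorted(spared)}")
```

Run against a real resolver log, the interesting output is not the single address by itself (a large CDN edge looks similar) but the combination: a previously unseen address, several unrelated registrable domains, and a TLD split that matches a policy boundary rather than a hosting one.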

US – Gov’t to Fund Devices to Track Children With Autism

Sen. Charles Schumer (D-NY) said the federal government will fund voluntary-use GPS tracking devices for children with autism or other disorders that put them at risk when away from their caregivers. The federal government, led by the Justice Department, has already funded a similar program for individuals with Alzheimer’s disease. The new program stems from a recent case where a 14-year-old with autism died after disappearing from his school. The case is still under investigation. Schumer said the program would be voluntary and work in conjunction with local law enforcement. The devices cost approximately $85, plus monthly fees. [Associated Press] See also: [Surveillance of B.C. seniors raising privacy concerns]

Telecom / TV

US – Viacom Hit with Privacy Lawsuit; Group Files Complaint with FTC

Google and Viacom are asking a federal judge to dismiss a potential class-action lawsuit that argues the companies are violating privacy laws at Nick.com, NickJr.com and NeoPets. The lawsuit alleges the companies place cookies on websites visited by children under the age of 13. The plaintiffs allege the companies have violated federal wiretap law, the Video Privacy Protection Act and several New Jersey and California state laws. In a separate case, Consumer Watchdog has filed a complaint with the FTC alleging a planned contact list merger between Google+ and Gmail violates a privacy settlement reached between the federal regulator and Google. [MediaPost News]

US Government Programs

US – PCLOB: Data Surveillance Violates Law; NSA is Wrong Agency for the Job

A new report from the Privacy and Civil Liberties Oversight Board (PCLOB) says “the bulk collection of billions of American phone records violates the letter and the spirit of the law.” Excerpts from the report, which is scheduled to be read at an open board meeting, say the mass collection has “no connection to a specific FBI investigation when it’s being gathered” and the amount of it being “vacuumed up” can’t be considered “relevant.” It also says that under the law, the FBI—not the NSA—should be doing the collecting. Two PCLOB members, however, wrote dissents on that opinion. “The board will vote Thursday on whether to call for an outright end to the phone metadata program and call for more transparency from the government and the secret court,” the report states. [NPR]

US – NSA Announces First-Ever Chief Privacy Officer

The Washington Post reports on the National Security Agency’s announcement that it has named IAPP member Rebecca Richards, CIPP/US, CIPP/G, its first-ever privacy officer. Former Department of Homeland Security (DHS) official Paul Rosenzweig told the Post that Richards, leaving DHS for the new job, has her work cut out for her and civil libertarians are skeptical. However, former DHS CPO Mary Ellen Callahan, said, “She is one of the best privacy officials I have worked with in over a decade and a half of privacy counseling. She works meticulously with the program managers and creators of new programs, and demonstrates an ardent level of diligence and devotion to privacy.” Meanwhile, a report for Federal News Radio says agencies are now treating privacy the way they treated cybersecurity five years ago, as a “classic risk-management issue.” But privacy is “hard to define because it means different things to everyone,” making the role of CPO somewhat less defined than a CSO. [Washington Post]

WW – How App Developers Leave the Door Open to NSA Surveillance

News that the National Security Agency has for years harvested personal data “leaked” from mobile apps such as Angry Birds triggered a fresh wave of chatter about the extent of the NSA’s reach. However, the NSA and its U.K. equivalent, GCHQ, hardly had to break much technical ground to hoover up that data. Few mobile apps implement encryption to protect the data they send over the Internet, so the agencies could trivially collect and decode that data using their existing access to Internet networks. Documents seen and published by the New York Times and Guardian newspapers show that the NSA and GCHQ can harvest information such as a person’s age, location and sexual orientation from the data sent over the Internet by apps. Such personal details are contained in the data that apps send back to the companies that maintain and support them. This includes data sent to companies that serve and target ads in mobile apps. “This is evidence of negligent levels of insecurity by app companies,” says Peter Eckersley, technology projects director for the Electronic Frontier Foundation. A 2012 study of 13,500 Android apps by researchers in Germany found that only 0.8 percent used encrypted connections exclusively, and that 43 percent used no encryption at all. Last week mobile app security company MetaIntell reported that 92 percent of the 500 most popular Android applications communicated some data insecurely. The published documents single out Google Maps as leaking particularly useful data for surveillance purposes. Documents from both the NSA and GCHQ note how search queries intercepted from this app can reveal a person’s movements. A 2008 document from GCHQ states that a system set up to intercept that data “effectively means that anyone using Google Maps on a smartphone is working in support of a G.C.H.Q. system.” [MIT Technology Review] and [Time for a ‘wake-up call’ on smartphone spying: Cavoukian]
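Anyone with passive access to the network path can read what the article describes, so the useful check for an app team is to point the same kind of scrutiny at their own traffic before someone else does. The following is an added example written for this digest, not code from any of the cited studies or from MetaIntell; it audits captured HTTP flows (as exported from an interception proxy) and reports cleartext requests whose query or form fields look like location, device-identifier, profile or search-query data. The flow records and the list of sensitive parameter names are constructed assumptions.

```python
"""Audit captured mobile-app HTTP flows for personal data sent in cleartext.

Added example for this digest. Input records are constructed; a real
run would feed flows exported from an interception proxy. The SENSITIVE_KEYS
table is an assumption about common parameter names, not a standard.
"""
from urllib.parse import urlsplit, parse_qs

SENSITIVE_KEYS = {
    "location": {"lat", "lon", "lng", "latitude", "longitude", "geo"},
    "device_id": {"imei", "imsi", "android_id", "udid", "mac", "device_id"},
    "profile": {"age", "gender", "dob", "birthday", "email", "orientation"},
    "search": {"q", "query"},       # Maps-style queries reveal movements
}

# Constructed capture: one record per request. `tls` is whether the flow was
# carried inside TLS; `request_line` and `body` are as the client sent them.
SAMPLE_FLOWS = [
    {   # ad-network beacon over plain HTTP carrying device id, profile, location
        "tls": False,
        "host": "ads.example-adnetwork.invalid",
        "request_line": "GET /track?imei=490154203237518&age=29&gender=m"
                        "&lat=40.7128&lon=-74.0060 HTTP/1.1",
        "headers": {},
        "body": "",
    },
    {   # same kind of data, but inside TLS: not flagged by this audit
        "tls": True,
        "host": "api.example-maps.invalid",
        "request_line": "GET /search?q=pharmacy&lat=40.71&lon=-74.00 HTTP/1.1",
        "headers": {},
        "body": "",
    },
    {   # cleartext POST with a form body
        "tls": False,
        "host": "events.example-app.invalid",
        "request_line": "POST /event HTTP/1.1",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": "email=alice%40example.com&device_id=abc123&v=2",
    },
    {   # cleartext, but nothing sensitive in it
        "tls": False,
        "host": "cdn.example-app.invalid",
        "request_line": "GET /static/logo.png HTTP/1.1",
        "headers": {},
        "body": "",
    },
]


def classify_fields(params):
    """Map each sensitive category to the parameter names that hit it."""
    hits = {}
    for key in params:
        lowered = key.lower()
        for category, names in SENSITIVE_KEYS.items():
            if lowered in names:
                hits.setdefault(category, []).append(key)
    return hits


def audit_flow(flow):
    """Return a finding for a cleartext flow that carries sensitive fields,
    or None. Encrypted flows are skipped: the point is exposure in transit."""
    if flow["tls"]:
        return None
    method, target, _version = flow["request_line"].split(" ", 2)
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    ctype = flow.get("headers", {}).get("Content-Type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        params.update(parse_qs(flow.get("body", ""), keep_blank_values=True))
    hits = classify_fields(params)
    if not hits:
        return None
    return {"host": flow["host"], "path": parts.path, "leaks": hits}


def audit_capture(flows):
    """Findings for every cleartext flow in the capture, in capture order."""
    return [finding for finding in map(audit_flow, flows) if finding]


if __name__ == "__main__":
    for finding in audit_capture(SAMPLE_FLOWS):
        fields = "; ".join(f"{c}: {', '.join(k)}" for c, k in finding["leaks"].items())
        print(f"CLEARTEXT {finding['host']}{finding['path']} -> {fields}")
```

Two limits worth keeping in mind: the audit only sees fields whose names it knows, so JSON bodies and obfuscated parameter names need a second pass, and a TLS flow is not automatically safe, since the same fields can still reach an ad network that the app developer does not control. The 0.8 percent figure above is the bar that matters: exclusively encrypted, not mostly.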

US Legislation

US – Criminal Liability in Breach Legislation Could Be a Recipe for Disaster

With recent high-level data breaches, and the introduction by Sen. Patrick Leahy (D-VT) of the Personal Data Privacy and Security Act of 2014, some are hopeful a federal breach notification statute is on the horizon. There is one issue, however, raised by Leahy’s bill that “deserves considerable debate,” writes Andrew Proia, of Indiana University’s Center for Applied Cybersecurity Research and Maurer School of Law. “In addition to creating the federal breach notification law, Section 102 of Leahy’s bill would open the door to criminal liability for anyone who ‘intentionally and willfully’ conceals the fact of a security breach,” he writes, adding, “it would be wise for the information privacy and security community to think critically about whether the bill’s criminal statute would be a prudent addition.” [Privacy Perspectives]

US – Sens. Introduce Anti-Fraud Legislation

Sens. Tom Carper (D-DE) and Roy Blunt (R-MO) have reintroduced legislation that would require certain entities to “better safeguard sensitive information, investigate security breaches, and notify consumers when there is a substantial risk of identity theft or account fraud,” now called the Data Security Act of 2014. The requirements would supersede current state breach laws and apply to “businesses that take credit or debit card information; data brokers that compile private information, and government agencies holding nonpublic personal information.” [Government Security News]

US – CA Senate Approves Bill Defining Collection and Use; AG Files Suit Over Kaiser Breach

California’s Senate approved a measure Thursday aimed at protecting consumers’ information from being misused, Los Angeles Times reports. The bill, introduced by Sen. Hannah-Beth Jackson (D-Santa Barbara), would limit online merchants’ collection of data to only that which is necessary and would prohibit the merchants from selling the data or using it for marketing purposes. Meanwhile, a recent breach at Snapchat narrowly avoided repercussions under California’s updated data breach law, which took effect January 1, and the state’s attorney general recently filed a suit against Kaiser Foundation Health Plan for a 2011 breach. [Los Angeles Times]

US – Montana Allows Review of Post-Suicide Medical Records

In response to the high number of suicides in the state, Montana legislators have passed a measure to allow a team to review the medical records of all suicide victims as of January 1 of this year. While HB 583 easily passed the House, Rep. Kirk Wagoner (R-Montana City) has concerns about the opt-out nature of the law. The team doesn’t have to ask permission to delve into the medical history of the victims but instead will take into consideration family objections. The Montana Suicide Review Team will look for patterns and make recommendations to lower suicide rates, and Montana’s Suicide Prevention Coordinator Karl Rosston says “None of this stuff is going to be isolating or be able to identify a specific case. This will be a comprehensive of all the suicides and patterns of behaviors. We’re not going to take one isolated incident and say ‘this is what happens’.” [KRTV]

US – South Dakota House Considering Student Privacy Bill

South Dakota’s House Education Committee will revisit SB 63 this week to protect the privacy of students who take educational assessments. South Dakota Secretary of Education Melody Schopp wrote a letter to U.S. Education Secretary Arne Duncan explaining the state cannot and does not link identifiable information to test scores. “We are prohibited to share any personally identifiable information with the federal government,” Schopp said, adding that the education department is in favor of the privacy policy. [South Dakota Public Broadcasting]

US – CA Senate Passes Bill to Protect, Limit Online Data Collection, Retention

The California Senate has passed SB 383, which would limit online retailers “in the amount and type of personal information they could collect” from consumers related to content they purchase and download online. It would also require them to dispose of the data once they don’t need it. Sen. Hannah-Beth Jackson (D-Santa Barbara), the bill’s author, says it would protect consumers from fraud, but online retailers say they need to retain the data in order to spot irregular transactions and allow consumers the convenience of sharing downloaded data between devices, among other reasons. [The Associated Press]

US – Nebraska Citizens Voice Privacy Concerns Over Wages Bill

The McCook Area Chamber of Commerce has voiced concerns over a bill recently introduced by Sen. Tanya Cook (I-District 13) that would see Nebraska companies with more than 50 employees posting the salaries of all their employees annually. Listings would be made without the identities of the individuals but would list salaries, job title, gender, age and years of service. [The McCook Daily Gazette]

US – Judge: CA’s Two-Party Consent Doesn’t Apply to Out-of-Staters

U.S. District Court Judge Josephine Staton has dismissed Annette Jonczyk v. First National Capital Corporation et al, stating that because Jonczyk is not a California resident, the state’s two-party consent statute, requiring both parties to consent to recording a phone call, does not apply to her. At the crux of the case is that First National is a California company and recorded a call, without consent, to Jonczyk, a Missouri resident, and Missouri is a one-party consent state. Staton noted that the California legislature’s intent is to “protect the right of privacy of the people of this state.” “Applying California law to this case would not further that goal. On the other hand, Missouri specifically limited their privacy protection statute to allow a single party to consent to a recording.” [Scott Koller of Information Law Group]

US – Maine Committee Quashes Social Media Bill, Opts for Study

The Maine legislature will form a study commission to determine the need for a law barring schools and employers from requiring access to social media and personal e-mail accounts. After three committee meetings, a bill that would have banned this practice was voted down in favor of the study commission. While lawmakers generally agreed on the intrusiveness of requiring online account passwords, the report states “several wrestled with passing a bill that business leaders opposed because it could limit screening of job applicants, investigation of harassment disputes or protection of proprietary information.” [Portland Press Herald]

US – West Virginia House Passes Social Media Bill

The West Virginia House has passed legislation that would prohibit employers from requiring access to online accounts of employees or prospective employees. Del. Stephen Skinner (D-Jefferson) sponsored the bipartisan bill, which he based on similar legislation passed in Maryland. The bill now heads to the Senate. [The Journal]

US – Indiana House to See Bill Restricting Police Surveillance Techniques

The House Committee on Courts and Criminal Procedure voted 6-1 to advance a bill that would limit law enforcement use of drones, GPS tracking and cellphone searches. The bill would require police to obtain a warrant prior to using any of these surveillance methods in most circumstances. Some questioned the need to include GPS tracking in the bill, as police are currently limited to using the technology in investigations and emergency situations, but one representative noted that putting the limits into law may save court battles over evidence in the future. [Associated Press]

US – Missouri Considers Constitutional Protection for Electronics

Sen. Rob Schaaf (R-St. Joseph) has proposed a bill to amend the Missouri Constitution to include “electronic communications and data” in the items protected against illegal search and seizure. During a hearing last week, no one testified against the measure. The report states that if approved by the legislature, the measure goes on the state ballot in November. [The Associated Press]

US – California Assembly Passes Drone Bill, Including Data Retention, Use Provisions

The California Assembly passed a bill that would set strict limits on police use of drones and the data obtained from them. AB 1327 requires police to get a warrant prior to using drones for surveillance, except in emergencies, but it also requires them to notify the public when it plans to use drones and to delete all data collected by drones within six months unless the data collection was authorized by a warrant or is evidence. Other public agencies can also use drones but would have to obtain a warrant in order to share that data with the authorities. The Assembly passed the bill with a 59-5 vote, and it now heads to the Senate. [The Washington Post]

US – Georgia General Assembly Considers Two Drone Bills

Rep. Harry Geisinger (R-Roswell) has sponsored HB 846, which “would establish specific situations in which it would be legal for drones to capture images and would make it a misdemeanor for anyone to use a drone to capture an image for surveillance.” And Rep. Stephen Allison (R-Blairsville) proposed HB 848, which “would prohibit manned or unmanned aircraft from flying within 100 feet above the surface of a property for surveillance without a search warrant or permission of the property owner.” Hearings are yet to be set on either bill. [The Associated Press]

US – Iowa Considering Drone Privacy Bill

Iowa’s House Public Safety Committee discussed a bill that would prohibit law enforcement from using drone surveillance except in certain emergency situations. The committee plans to make changes to the bill before approving it and will meet again to continue the discussion. [The Associated Press]

US – Minnesota Bill Would Regulate Police Drone Use

Legislation has been proposed in Minnesota to regulate police use of drones. While Minnesota authorities don’t yet use drones, this bill would require a warrant for drone surveillance except in situations of “imminent” danger. [The Associated Press]

US – New Hampshire Bill Would Restrict Police, Public Use of Drones

New Hampshire Rep. Neal Kurk (R-Weare) has proposed HB 1620 to restrict the use of drones by law enforcement and private individuals. This is the second time in two years he has tried to legislate the use of drones in the state. This bill is causing some controversy because it forbids intentional surveillance even in public places, which may infringe on First Amendment rights, according to the director of the NH Civil Liberties Union, which, on those grounds, does not support the bill. [The Union Leader]

US – Utah Sen. Introduces Drone Privacy Bill

Utah State Sen. Howard Stephenson (R-Draper) has introduced SB 167, which would prohibit state agencies from using drones without a warrant except in emergency situations or with written consent. The bill also puts limits on the retention of data obtained by drones. [Deseret News]

US – NJ Governor “Pocket Vetoes” Drone Privacy Bill

Among the 44 bills Gov. Chris Christie (R-NJ) allowed to expire was a drone privacy bill that would’ve required police to get a warrant before using drones for surveillance. The bill passed the New Jersey Assembly with a vote of 74-1. [Philly.com]

US – Wisconsin Assembly Passes Social Media Bill; Senate Passes Mental Health Bill

Senate Bill 223, making it illegal for employers, universities and landlords to require social media login information from workers, students, tenants or applicants, has passed the Wisconsin Assembly, reports WEAU. If the bill passes into law, violators could see fines of up to $1,000. One employment law expert says that if misconduct on social media is suspected, employers can ask for access to the site but not for login credentials. The bill now heads to the Senate for approval. The Wisconsin Senate, meanwhile, has passed the Mental Health Care Coordination Bill, updating Wisconsin law to be more consistent with HIPAA. Currently, state law requires a level of confidentiality for behavioral health treatment beyond that required in HIPAA. The current requirements have been criticized for hampering appropriate treatment by restricting the sharing of patient data with other treatment providers. [The National Law Review]

Workplace Privacy

US – Study Says US Government Workers Do Not Practice Good Mobile Device Security

According to a study from the Mobile Work Exchange, many US federal government employees are not taking appropriate measures to secure their mobile devices, despite established security policies. The report, commissioned by Cisco Systems, focused on tablets, smartphones and laptops. While physical security seems to be more entrenched – 86% of the workers lock their computers while away from their desks – more than 40% of the 155 government workers surveyed use their mobile devices in ways that put their agencies and the devices at risk of a breach. Issues include using public wireless networks, failing to employ multi-factor authentication or encryption, downloading personal apps and opening messages from senders they do not know; 25% do not use passwords on their devices at all. [DarkReading] [MobileWorkExchange] See also: [How To Change Employees’ Poor Password Habits] and [Blancco Backs 2014 Data Privacy Day on January 28]
