01-15 March 2014


US – Police Department Wins Right to Use Facial Recognition

A Seattle City Council vote means the Seattle Police Department will now be able to use facial-recognition software to identify suspects caught on video. “We are already doing this work, but it’s manual,” said police spokesman Mark Jamieson. “This would just speed up the process.” The program is funded by a $1.64 million grant from the Department of Homeland Security. [NBC News]

US – With Facial Recognition, You Can Help Shape Self-Regulation

The National Telecommunications and Information Administration has, to date, held two meetings with the ultimate goal of creating a code of conduct in line with the White House’s Consumer Privacy Bill of Rights. In the second meeting, held at the end of February, it was decided that the focus of the talks will be on commercial, not government, use of facial recognition. “So,” writes Leslies Dunlap, a specialist in Internet and technology policy, “it is time for developers of commercial facial recognition technologies and the entities using them to ‘face it’ and take action.” Dunlap looks into the ways privacy pros, technologists, academics, industry, government and privacy advocates can help shape the contours of this technology. [Full Story]


CA – Are You Ready for CASL?

Though the government has promised to help coach proactively through the transition, organizations would be wise to start taking steps toward compliance with Canada’s anti-spam legislation (CASL), which becomes effective July 1. CASL will affect any individual, business or organization that uses commercial electronic messages (CEMs) or transmits data in electronic messages. In short, it requires senders to obtain express consent for commercial electronic messages. Angelique Carson examines the law’s provisions with insights from industry and privacy experts including University of Ottawa Prof. Michael Geist, Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic’s Tamir Israel and Industry Canada’s Michel Cimpaye, along with tips on how to prepare from nNovation’s Shaun Brown. ” [The Privacy Advisor]

CA – Student Loans Breach Class-Action Certified

The Federal Court of Canada has certified a class-action lawsuit over a Canada Student Loans privacy breach ”related to a hard drive lost by Human Resources and Skills Development containing personal information about 583,000 student loan borrowers.” Bob Buckingham, one of the lead counsels on the case, called the move a “major step forward,” adding, “The legal team will now focus its energies on moving the matter to conclusion as quickly as possible.” He said there is “significant interest” in the class action. “Anyone who received a Canada Student Loan between 2000 and 2006 from any province except Quebec or the territories of Nunavut or the Northwest Territories can register as potential claimants atwww.studentloansclassaction.com,” the report states. [Nova News Now]

CA – Bell Canada Case: A Challenge to Interest-Based Advertising

Should telecommunications providers be able to use their subscribers’ behavioral information to sell advertising? And are rules stricter than PIPEDA needed for telecoms? A complaint over Bell Canada’s practices brought before the CRTC may end up determining the answers to these questions. Timothy Banks of Dentons Canada LLP writes that if the CRTC agrees with the Public Interest Advocacy Centre and the Consumers’ Association of Canada that “more detailed privacy rules are needed for telecommunications carriers … this could represent one of the most important developments in the evolution of privacy law in Canada since the enactment of PIPEDA.” [Privacy Tracker]

CA – Canadian Officials: Don’t Loosen Control Over Personal Data

A paper presented by Ontario Information and Privacy Commissioner Ann Cavoukian, Berlin Data Protection and Freedom of Information Commissioner Alexander Dix and Prof. Khaled El Emam responds to proposals to change the OECD guidelines. Reducing controls over the collection and use of personal data, they write, would “weaken rather than strengthen” privacy, the report states. “Leaving it up to companies and governments to determine the acceptable secondary uses of personal data is a flawed proposition,” they write. [The Globe and Mail]

CA – Privacy Concerns Raised by Marc Mayrand Over Election Changes

Canada’s top election official is raising concerns about privacy, pointing out that the government’s proposed changes (C-23) to election laws include letting parties have lists of who cast ballots. The document points to two measures that could be privacy concerns:

  • Giving parties a copy of all statements of voters who have cast ballots.
  • Letting candidates’ representatives examine voters’ identification.

Elections Canada officials said parties and candidates can have the information now, but not in a way that would let them collect it in a systemic, broad-based way.[Source]

CA – Amidst Breaches, Clayton Calls for Stronger Laws

Alberta Information and Privacy Commissioner Jill Clayton has asked Health Minister Fred Horne to “strengthen provincial privacy legislation to include mandatory disclosure of all health information breaches.” In her letter Thursday, Clayton asked Horne “to consider amending the province’s Health Information Act, which requires ‘custodians’ to protect the personal health information of Albertans,” the report states, citing the recent revelations about the Medicentres data breach involving the health information of 620,000 Albertans. Meanwhile, CBC News reports a recent University Hospital Centre breach is being called “unprecedented,” andPHIPrivacyNet reports on an incident at a Shoppers Drug Mart where a customer was given a note with a medication name on one side and “the names, medications and phone numbers of five different people” on the reverse. [Edmonton Journal] [Alberta: Health law needs reform, says provincial privacy watchdog]

CA – Opinion: Canada Should Not Enforce FATCA

James George Jatras criticizes the recent “so-called ‘intergovernmental agreement’ to enforce FATCA, the U.S. Foreign Account Tax Compliance Act, in Canada.” Among the issues he raises with that decision are questions about privacy. He writes that “even FATCA’s advocates concede that direct enforcement is ‘wholly unachievable’ due to privacy protection laws in many countries that don’t allow personal data to be sent to unauthorized recipients … The primary purpose of the agreement is to nullify protections under the Bank Act, the Personal Information Protection and Electronics Documents Act, the Canadian Human Rights Code and especially the Charter of Rights and Freedoms.” [Op-ed for The Toronto Star]


US – Pew Report Looks at Digital Life in 2025

As part of a yearlong effort to recognize the 25th anniversary of the creation of the World Wide Web, the Pew Research Internet Project has released an extensive report predicting what the digital landscape will look like over the next 10 years. The report, Digital Life in 2025, is based on interviews with 2,558 experts and technology builders to discuss the future of privacy, cybersecurity, the Internet of Things and net neutrality. “In their responses,” the Pew report states, “these experts foresee an ambient information environment where accessing the Internet will be effortless and most people will tap into it so easily it will flow through their lives ‘like electricity.’” In addition to identifying a number of positive advances, many experts also expressed concerns about diminished privacy. [Full Story] See also: [Canada: Grocery apps save money — and track shoppers]

US – Android Users Proceed With Privacy Case Against Google

A judge has refused to dismiss several privacy-related claims by a group of Android users over allegations the company shared their location data and other personal information with app developers. Despite Google’s argument the claims should be dismissed because of a lack of injury, U.S. District Court Judge Jeffrey White ruled that the consumers can proceed with claims the company violated California law on business practices because of their allegation that their mobile devices’ battery life was shortened due to the data transmissions. The suit dates back to 2011. [MediaPost News]


US – “Raw Take” Order Changed Info-Sharing Policy in a Big Way

Intelligence officials consider a milestone in the history of spying and privacy law: the “Raw Take” order weakened restrictions on sharing information about Americans, the report states, and came down 10 months after the Sept. 11 attacks at the request of the Bush administration. It was revealed via documents provided by former NSA contractor Edward Snowden. Before the order, intelligence agencies could share information gathered from court-approved wiretaps “only after deleting irrelevant private details and masking the names of innocent Americans who came into contact with a terrorism suspect.” But that dramatically changed. [The New York Times]

CA – Statistics Canada Reviewing How It Gathers Data

The federal statistics agency will undertake a comprehensive review of how it collects key data about the Canadian population. The review is outlined in the main estimates tabled in Parliament, where Statistics Canada announced it was cutting its expected spending by more than $21 million — a 5% cut from the estimates it tabled last year. In explaining the changes in its spending for the coming fiscal year, Statistics Canada noted that its will conduct a “comprehensive review of the potential for administrative and other alternative data sources to replace, complement or supplement” the census and National Household Survey. The agency also says its spending will focus, among other things, on redesigning “major survey programs to ensure their continued relevance and effectiveness.” [Source]

Electronic Records

US – Obama Proposes “Cybersecurity Campus” in 2015 Budget

With cybersecurity dominating the headlines, from the massive retail data thefts to the hacks of Bitcoin exchanges that have wiped out millions in wealth, it is perhaps no surprise that U.S. President Barack Obama is calling for budget to address the problem. In his 2015 request, released this week, he calls for a “cybersecurity campus,” a 650,000-square-foot, $35 million building to house cybersecurity experts from agencies such as the Department of Homeland Security and the Department of Justice, International Business Times reports. This would “co-locate key civilian cybersecurity agencies to promote a whole government approach to cybersecurity response,” a spokesman said. [Full Story]


WW – As Breaches Continue, Are Self-Encrypting Drives the Answer?

While breach reports continue—one of the most recent being an “insider breach” at a UK store that resulted in the payroll data of approximately 100,000 employees being posted online—Samsung says self-encrypting drives are the way companies can better protect their own and their clients’ data. Swapping out a PC’s hard-drive disk for a “solid state drive” with “self-encrypting drive” technology is simple and effective, as such drives can’t be disabled and encryption is transparent to users. [PC Magazine]

EU Developments

EU – Parliament Overwhelmingly Votes for Data Protection Regulation

The European Parliament voted with overwhelming support for the proposed European General Data Protection Regulation (GDPR). The procedural move ensures that the regulation, which has been in legislative process for more than two years, stays on the table, even after this May’s parliamentary elections. Covington & Burling Special Counsel Monika Kuschewsky and European data protection expert Eduardo Ustaran provide analysis of the vote and look forward to the next steps in the long evolution of the proposed GDPR and what businesses can expect moving forward. [Privacy Tracker]

EU – Reding Highlights Data Portability While Stumping for New Regulation

Saying “Citizens should be able to transfer their data from one service provider, such as a social network, to another — just as they are able to keep their mobile number when changing telecoms operators,” EU Justice Commissioner Viviane Reding called strongly for passage of new data protection regulation in a speech before the Justice Council. Noting the European Parliament will vote on the data protection package on March 12, she said the Commission supports the Greek Presidency’s language and that “transfers based on adequacy, on so-called appropriate safeguards (such as binding corporate rules) or on well framed derogations which are the exception not the rule” are sufficient mechanisms for international data transfer, which might raise questions about the future of Safe Harbor. However, one report says Great Britain will be bent on filibustering progress. [Full Story]

WW – DPAs, FTC Unveil Cross-Border Data Transfer Tool

After a year of collaboration on the effort, the U.S. FTC, together with data protection authorities from around the world, held a press conference at the IAPP Global Privacy Summit to announce a joint agreement between G29 and APEC countries aiming to aid companies in achieving compliance with global data transfers. Speaking for the group, Isabelle Falque-Pierrotin, chairwoman of the French Data Protection Authority (CNIL) and president of the Article 29 Working Party, said the tool, called a “referential,” is a “very political and symbolic act” for companies seeking to obtain double certification under Europe’s binding corporate rules (BCRs) and APEC’s cross-border privacy rules (CBPRs). [Full Story]]

EU – A Deeper Look at the Future of Safe Harbor

Recently, the European Parliament not only ensured the proposed EU General Data Protection Regulation isn’t going away, it also overwhelmingly voted to call for the immediate suspension of Safe Harbor, something privacy expert Eduardo Ustaran said “has sent some powerful shockwaves across the business and legal communities in the EU and beyond.” Though the vote was not entirely unexpected, Ustaran writes, “The big question that remains on the ground is whether EU-based organizations that rely on Safe Harbor as a legal basis for transferring data … are doing the right thing or should be looking for alternatives.” Ustaran answers that question and provides insight into the rules governing the future of Safe Harbor. [Full Story]

EU – An EU Perspective on IoT Data Protection

Each day, the opportunities and challenges of Internet of Things technology become clearer. Technology is making information flows easier, but recent news that a smart fridge was hacked and sent out spam brings to the forefront the data protection challenges inherent in this burgeoning landscape. “As European regulators grapple with the challenges and complexities of formulating a technology-neutral data protection regulation, the difficulties of applying ‘traditional’ concepts such as consent, purpose limitation, transparency, data deletion, accountability and security to the data processing activities carried out by an ‘Internet-ready’ kitchen appliance become readily apparent,” writes Field Fisher Waterhouse’s Brian Davidson. [Privacy Perspectives]

EU – Websites Placing Unsolicited Cookies; Lawsuit Ramifications Examined

Websites based in The Netherlands placing “unsolicited cookies” on site visitors’ computers. The sites are “violating privacy laws that stipulate cookies may be placed only after receiving visitor permission,” the report states, referencing a study by two entrepreneurs. “Almost one-third of Dutch sites place cookies onto PCs and smartphones during a first visit and without permission,” the report states. Mondaq, meanwhile, reports on a recent case, Vidal-Hall and others v Google Inc., as potentially having “important ramifications for individual Internet users and businesses who send targeted advertisements to those users.” [Telecompaper]

EU – CNIL Gets Online Investigation Powers

French data protection authority the CNIL has received remote inspection abilities under Law No. 2014-344, passed last week. On top of onsite inspections, document reviews and hearings, the CNIL will now have the ability to remotely investigate violations of the French Data Protection Act, such as whether privacy notices comply or organizations get user consent prior to sending e-marketing messages. [Hunton & Williams’ Privacy and Information Security Law Blog

EU – CNIL Guidelines Address Online Purchases, More

New guidance from French Data Protection Authority, the CNIL addresses online purchases, direct marketing, contests and sweepstakes and consumer tracking. The report looks at each section, highlighting key points from the guidelines. For example, in its section on online purchases, the report explains that the guidelines “make clear that online merchants must limit their use of bank card numbers and visual cryptograms. Once the transaction is complete, the merchants should not store or reuse the bank details of their customers without the customers’ prior consent.” Separately, a Mondaq report examines the CNIL’s guidance for businesses operating in France. [Hunton & Williams’ Privacy and Information Security Law Blog]


WW – Visa, MasterCard Announce Effort to Strengthen Payment Systems

Visa and MasterCard announced they are bringing together large and small banks, credit unions, retailers, makers of card-processing equipment and industry trade groups in an effort to work together to strengthen the U.S. payment system. The collaborative effort aims to advance the migration to chip cards as well as point-to-point encryption. As of late, there’s been industry bickering over who is to blame following recent data breaches at major retailers. Meanwhile, the U.S. Commodity Futures Trading Commission has issued a staff advisory on best practices for financial institutions that must comply with Gramm-Leach-Bliley provisions on data security and customer privacy, and venture capital firms have begun investing in cybersecurity companies with record amounts. [Associated Press] [Source]

SK – Financial Firms Will Face Steep Breach Fines

South Korea’s financial regulator has announced financial firms may be fined as much as 3% of their global turnover when responsible for breaches of personal information. Additionally, clients will be granted an option to revoke consent to provide their personal information. The Financial Services Commission also said financial firms must delete clients’ data after termination of financial transactions and may not share the data with affiliates beyond a given time limit. The proposed measures are slated to go into effect in the second half of this year. [Yonhapp News Agency]


CA – Ottawa Imposes Life-Long Gag Order on Bureaucrats, Lawyers

Ottawa has slapped a life-long gag order on bureaucrats and lawyers working in a number of government agencies dealing with sensitive national security information. The changes enacted this week, and published in the Canada Gazette, reveal employees in 12 government divisions — five of which have been disbanded — are now subject to provisions under the Security of Information Act that permanently binds them to secrecy. Those employees, mostly Department of Justice lawyers and senior bureaucrats at the Privy Council Office, could face as much as 14 years in prison for disclosing “special operational information” without authorization. But while the government maintains the secrecy is necessary to maintain Canada’s most “operationally sensitive” information, critics say it’s designed to discourage whistleblowing and hamper the public debate now swirling around modern state espionage.[Source] See also: [One-fifth of B.C. info requests come up empty] and [Brampton ordered to release winning bid documents on $205M contract] and [Ireland: FOI legislation ‘violates privacy of individuals’, Varadkar claimed]

US – House Passes FOIA Reform Bill

The U.S. House of Representatives has passed the FOIA Oversight and Implementation Act of 2014. The bill would strengthen the Office of Government Information Services, require agencies to update their FOIA regulations, and mandate the use of a single, free website for submitting FOIA requests and appeals and receiving information about the status of the FOIA request. The bill would also require that agencies seeking to withhold information under one of the FOIA’s exemptions demonstrate that there would be a “specific identifiable harm,” tied to the purpose of the exemption, if disclosure occurred. The bill does not address several key transparency community proposals, including recommendations to limit the use of exemptions and to make it easier to track legislative proposals for new FOIA exemptions. The Senate is currently considering a similar bill. [Source]

CA – Internet Firms Play Coy on How They Share Info With Police, Government

Internet companies have hung up on a call by privacy advocates to reveal the extent to which they share subscriber information with police, security services and government. The Citizen Lab at Toronto’s Munk School of Global Affairs reported that Canada’s most prominent ISPs have largely dismissed its requests to publicly explain the nature, scope and circumstances of demands by state agencies for private customer data. The lab, joined by a dozen leading Canadian Internet and privacy academics and civil rights organizations, sent letters in January to 16 Internet and phone companies asking how often, when and why they disclose private and personal information to state agents. Ten companies replied, but generally avoided or refused to respond to the specific questions put to them, said Christopher Parsons, a post-doctoral fellow at the lab who organized the campaign. The project follows a January report to Parliament from the Office of the Privacy Commissioner calling for reforms to federal privacy legislation to curb the “over-collection of personal data” by federal security intelligence services, police and departments. [Source] See also: [Ontario bill would require MPPs to post expenses online]

Health / Medical

US – Study: Healthcare Criminal Attacks Up 100% Since 2010

Though the number of healthcare breaches declined slightly last year, criminal attacks are up 100% since 2010, according to a new Ponemon Institute study. The Patient Privacy and Data Security study also suggests one of the key factors in breaches is poor employee privacy protection practices. “The people in the healthcare industry are good people who sometimes do stupid things, and that is the source of a lot of the problems,” said Larry Ponemon of the Ponemon Institute, adding, “They’re trying to get their work done; they feel under pressure; they’re in the business of caring for patients, and they don’t want to waste time to do more security or take that extra step to protect privacy.” Meanwhile, The Seattle Times reports that Skagit County will pay $215,000 in fines stemming from a 2011 healthcare-related breach. [Full Story] See also: [B.C. family furious teen vaccinated without parental consent]

US – Wesley’s Patient Portal Gives Patients Access to Electronic Health Records

Patients at Wesley Medical Center and its affiliated campuses can now access the hospitals’ electronic medical records anywhere they have an Internet connection, including via a mobile device. Wesley launched Patient Portal for adult patients at Wesley Medical Center, Galichia Heart Hospital and Wesley West ER. Access for pediatric patients is coming soon, Wesley said in a news release. Patients who use the system will be able to see records of allergies, conditions, discharge summaries, hospital visit histories, lab results, medications, medication instructions, radiology reports and upcoming appointments. The information is downloadable, so patients can bring a paper copy to doctor’s visits. Patients will be provided login information at their next hospital visit. [Source] See also: [Telus unit buys B.C.-based electronic medical records company]

Horror Stories

UK – Hacker Blackmail Leads to Fine for Pregnancy Advice Service

The British Pregnancy Advice Service has been fined 200,000 GBP by the Information Commissioner’s Office (ICO) following a malicious hack and blackmailing incident. Though police recovered the data before a hacker could go through with a threat to publish the names, addresses and contact information of women who’d used the service for advice on pregnancy issues, the ICO still chose to fine the charity because it didn’t realize its website was storing the information and it further was not storing the information securely. “Ignorance is no excuse,” said Deputy ICO Commissioner and Director of Data Protection David Smith. “It is especially unforgivable when the organization is handling information as sensitive as that held by the BPAS.” [Full Story] See also: [Privacy breach at London Shoppers Drug Mart stuns customer] and also: [AU: Telstra fined after breaching privacy of 15,775 customers] and [Australia faces lawsuits over asylum seeker data breach]

US – Another 282K Credit and Debit Card Numbers Up for Sale

Another “massive” data breach, purportedly the result of a hack at beauty supply chain Sally Beauty. Cybersecurity blogger Brian Krebs reports another 282,000 stolen debit and credit cards went up for sale on underground marketplaces this week, and he believes they were used “at one of Sally Beauty’s 2,600 stores.” Sally Beauty’s Karen Fugate walks Krebs through their investigation of the breach, however, and says, while suspicious activity was noticed by February 24, they’ve still been unable to find the source of any breach. Meanwhile, CMAJ reports medical data breaches were up 137 percent in 2013 over 2012. [Businessweek] See also: [Attackers trick 162,000 WordPress sites into launching DDoS attack]

Identity Issues

WW – Man Pleads Guilty to Running ID Theft Service

A Vietnamese national has pleaded guilty to running an identity theft service after being arrested last year in Guam by U.S. Secret Service agents. Court records indicate Heiu Minh Ngo “tricked an Experian subsidiary into giving him direct access to personal and financial data on more than 200 million Americans,” the report states, noting, “the data was not obtained directly from Experian, but rather via Columbus, Ohio-based US Info Search,” which had a contractual agreement with Califorina-based Court Ventures. Ngo was able to access records there posing as a private investigator, the report states, making “available to his clients access to the US Info Search database containing Social Security, date of birth and other records on more than 200 million Americans.” [Krebs on Security] [US: 200M consumer records exposed in Experian security lapse]

US – New Study Finds Metadata Invades Privacy

Researchers at Stanford University have released findings from a study on the privacy implications of metadata. Using an app designed to mimic NSA metadata collection capabilities, 546 volunteers allowed the researchers to access their calling and texting data. Stanford’s Johnathan Mayer said, “We found that phone metadata is unambiguously sensitive, even in a small population and over a short time window. We were able to infer medical conditions, firearm ownership and more, using solely metadata.” The U.S. government has argued that metadata does not invade users’ privacy. Stanford Center for Internet and Society Civil Liberties Director Jennifer Grannick said the study “adds important empirical evidence to support what is now a growing consensus,” adding, “Metadata surveillance endangers privacy.” [Ars Technica] [US: Volunteers in metadata study called gun stores, strip clubs, and more]

Internet / WWW

US – An Update on the EU and APEC Roadmap

Senior Counsel for Privacy and Information Governance John Kropf together with Malcolm Crompton have recently suggested “that the challenge for global data flows was interoperability but that there was reason for optimism between the world’s two largest economic entities: the EU and the Asia-Pacific Economic Cooperation (APEC).” Since then, the Article 29 Working Party and the APEC Data Privacy Subgroup released their review. “This may be one of the EU’s most significant developments in the area of cross-border data transfers,” Kropf writes, “and potentially positive news for companies operating in both the EU and APEC regions.” [Privacy Perspectives]

EU – Proposition: EU Regulation with U.S. Penalties

Is the often abstract scholarship of privacy academics read by privacy regulators? It would seem that regulators may not have the time or inclination to read such work. On Wednesday, however, it was clear the answer was yes in many respects. Squeezed into a small room in the Rayburn House Office Building in Washington, DC, a handful of privacy scholars met briefly with some of the world’s most influential privacy regulators to discuss the future of public policy and the role of the privacy regulator as part of “Privacy Papers for Policy Makers,” co-organized by the Future of Privacy Forum and Rep. Sheila Jackson Lee (D-TX). [Full Story]

US – In the Privacy Debate, the Conventional Wisdom Is Wrong

Everybody knows the conventional wisdom: United States privacy law is weak and fractured, with neither comprehensive data protection legislation nor a dedicated privacy enforcement authority. The European Union is the gold standard of global privacy regulation, with its omnibus Data Protection Directive and collective force of 28 national data protection authorities. Alas, as is so often the case, conventional wisdom is wrong. IAPP VP of Research and Education Omer Tene lays out just why that is. Meanwhile, Karlin Lillington writes for The Irish Times on “the obvious disjunct between mainstream American and European views on privacy.” [Privacy Perspectives]

WW – The Global Competition Between Privacy Models

“Countries around the world are struggling to decide whether to adopt data protection law based on the proposed EU Data Protection Regulation or to use a U.S. approach to privacy protection,” writes Christopher Kuner of Wilson Sonsini. The result, he notes, is a “competition in global data protection policymaking, with the European Commission on the one side and the U.S. government on the other side, both lobbying other countries to follow their respective models.” Kuner looks into the global competition and analyzes, as an example, the current reform efforts in Japan through the lens of the U.S. and EU data protection approaches. [Privacy Perspectives]

WW – Group Alarmed Over Potential OECD Changes

A group of privacy regulators and experts have raised alarm at a potential privacy change in the Organisation for Economic Co-operation and Development (OECD) guidelines. Ontario Information and Privacy Commissioner Ann Cavoukian, University of Ottawa Prof. Khaled El Emam and German Data Protection Commissioner for the State of Berlin Alexander Dix—all of whom wrote a Privacy Perspectives blog post here—recently published a report expressing concern about a proposal they say will diminish privacy in the OECD guidelines. The report that caught their attention was written by Indiana Law Prof. Fred Cate, Microsoft’s Peter Cullen and Oxford Prof. Victor Mayer-Schonberger—who wrote an earlier blog post here—and recommends restoring “the balance between privacy and the free flow of information … and avoid(ing) suppressing innovation with overly restrictive or inflexible data privacy laws.” Cavoukian has called the proposals “alarming,” the report states. [IT World Canada] [Paternalistic Approach to Privacy Will Deliver Unintended Consequences]

Law Enforcement

US – Seattle Police Department Wins Right to Use Facial Recognition

A Seattle City Council vote means the Seattle Police Department will now be able to use facial-recognition software to identify suspects caught on video. “We are already doing this work, but it’s manual,” said police spokesman Mark Jamieson. “This would just speed up the process.” The program is funded by a $1.64 million grant from the Department of Homeland Security. The plan’s approval follows a recent vote regulating the use of unmanned drones by law enforcement after the city bought two. Now, law enforcement can’t use drones without warrants, except in emergency situations. [NBC News]

Online Privacy

US – Privacy Groups Urge FTC to Block Facebook-WhatsApp Deal

In a complaint filed with the FTC, EPIC and CDD are seeking to block Facebook’s recent purchase of WhatsApp, citing concerns that the sale would harm WhatsApp users by allowing their data to be integrated into Facebook’s large advertising business. The privacy groups have said Facebook has a track record of changing its privacy policy, highlighting the changes it made after it purchased Instagram in 2011. They argue the practices are deceptive because users do not expect privacy policies to change, the report states. “WhatsApp users could not reasonably have anticipated that by selecting a pro-privacy messaging service, they would subject their data to Facebook’s data-collection practices,” said EPIC’s Julia Horwitz. Facebook has said WhatsApp “will operate as a separate company and will honor its commitments to privacy and security.” [The Washington Post]

US – Nonprofit Brings Transparency, Better Privacy to Online Data Industry

A data privacy nonprofit has announced the appointment of inaugural board members, including Allen Brandt and Lisa Grant to help it bring “a revolutionary way of thinking about Internet data.” DataNeutrality “aims to increase awareness of the need for businesses to take control of their data.” In a private-public partnership, the company will serve as privacy and data governance auditor and policy advisor to startup Mezzobit. DataNeutrality Executive Director Sharon Christiansen Geddes said the Internet happens in real time, “and current standards and regulatory processes are too slow to keep pace,” adding the board will help the company spot privacy issues without waiting for industry or regulatory authorities. [Full Story]

US – Plaintiffs Say Viacom, Google Lawsuit Should Proceed

Plaintiffs are arguing that a privacy lawsuit against Google and Viacom should proceed. “Viacom and Google, for their own pecuniary gain, have systematically employed Internet cookie technology to violate minor children’s right to be let alone,” attorneys wrote in papers filed last week with U.S. District Court Judge Stanley Chesler. “Defendants have developed third-party cookies to share video-viewing histories of these children and otherwise to track the contents of the Internet communications of millions of Americans online,” they added. Lawyers for Google and Viacom have argued the case should be dismissed [MediaPost News]

US – EFF Questions Privacy Issues in Getty’s New Free Images

Bloggers and publishers of many stripes are celebrating a new plan by Getty Images to allow free use of its photography—as long as the proper embed code is used. In a post on the EFF website, Parker Higgins notes that many have reason to be excited, but privacy alarm bells are ringing: Getty, as a third-party host, “can possibly get and log your IP address and the exact time of the request” when you view that image on whichever website. Also, because Getty may be so popular, viewers will ping their servers often and from various sites, allowing for correlation of browsing history. Further, Getty has “certainly thought about” monetizing data usage. [Full Story]

US – NAI Reports on Ad Networks’ Privacy-Compliance

The Network Advertising Initiative (NAI) released its annual compliance report, which details Internet ad networks’ compliance with the group’s self-regulatory privacy guidelines. AOL’s Doug Miller said, “In completing the compliance process, we demonstrate to regulators, business partners and consumers that membership in the NAI is not a mere promise to meet high standards.” NAI President and CEO Marc Groman noted, “When self-regulation works effectively, it’s a win for consumers and industry and regulators that have limited enforcement resources,” Meanwhile, leaders from the advertising community are meeting at the White House as part of the president’s review of Big Data and privacy. GroupM’s chief operating officer said the discussion will include “how the ad choices program has helped us treat privacy, that we do it responsibly and have put protections in place.” [AdWeek]

WW – Automating the Privacy Impact Assessment

Privacy compliance can be a complex endeavor, and privacy and security professionals often “believe that their compliance challenges are specific to their company, and subsequently have very little opportunity to collaborate with peers within their own companies,” writes AvePoint’s Dana Simberkoff, “much less opportunities to collaborate with peers within or across industries.” In this post for Privacy Perspectives, Simberkoff presents the new AvePoint Privacy Impact Assessment solution in conjunction with the IAPP “to bring automation to one of the fundamental tenets of a good privacy program.” This new tool “allows privacy teams to develop a Service Level Agreement with their colleagues in IT and the business,” she writes. [Full Story]

Other Jurisdictions

AU – New Laws Now In Effect in Australia

The Australian Privacy Principles are now in effect, replacing the National Privacy Principles and Information Privacy Principles, Smart Company reports. Under the new rules, businesses generating more than $3 million a year in revenue may be fined up to $1.7 million for mining Big Data or sharing or storing information without consent, the report states. One expert said the new laws are going to make it more difficult for companies to build profiles of their customers. Meanwhile, Business Insider reports on Coles’ revised privacy policy, which allows it to share customers’ information with companies in at least 23 countries, noting the policy “was released just before the new Australian Privacy Principles come into force this week, which make businesses list likely overseas recipients of personal data and conform with stricter rules.” And, the country’s healthcare and point-of-sale industries are expected to be “focal points for efforts to improve privacy protections in the wake of new privacy controls,” CSO reports. IAPP Westin Research Fellow Dennis Holmes provides a detailed overview of the newly enacted APPs in this installment of the Privacy Tracker blog. [Full Story]

AU – With Australian Laws Now In Effect, Reports Examine Ramifications

It has been almost two weeks since changes to the Privacy Act went into effect, and newspapers are already reporting on the impact of some of those changes. State privacy commissioners are supporting the changes, quoting New South Wales Privacy Commissioner Elizabeth Coombs as saying, “Individuals now have more rights to find out what information is being held about them and where it is being held.” And a feature in The Sydney Morning Herald considers provisions requiring telemarketers “to disclose if asked, within a reasonable time, where they obtained your number and if it’s come from a third party. ZD Net looks at the impact of reforms on the financial sector, noting “Australia’s big four banks have been forced to provide full disclosure on what information they are collecting about their customers, how it is collected and how it is being used.” [ComputerWorld] [ZDNet]

MX – Mexico’s Regulator Plans to Issue “Abundance” of Fines

Mexico’s data protection authority (IFAI) has issued a statement announcing it will issue “an abundance of fines in 2014 following an unprecedented increase in violations of Mexico’s Federal Law on the Protection of Personal Data in the Possession of Private Parties,” Reed Smith’s Cynthia O’Donoghue writes. The IFAI has the authority to issue fines for such violations of up to $1.5 million and up to three years imprisonment for data controllers whose databases are breached under their control, with double penalties for “sensitive data.” [Mondaq]

AU – ASIO Calling for Data Retention Laws

Australia’s federal spying agency, ASIO, “is using the Snowden leaks to bolster its case for laws forcing Australian telecommunications companies to store certain types of customers’ Internet and telephone data for a period of what some law enforcement agencies would like to be two years.” Many law enforcement agencies support the move for a data retention regime, the report states, noting questions remain about what type of data should be stored by Internet and phone providers. “ASIO argues that more people are encrypting their web communications after revelations made by U.S. intelligence contractor Edward Snowden about widespread data collection programs by governments,” the report states, adding ASIO believes this hastens the need for laws requiring providers to retain customer metadata for prescribed periods of time. [The Age] See also: [South Africa lacks a data privacy culture’]

BR – Brazil Drops Local Data Storage Provision

The government of Brazil has dropped a controversial provision in legislation some have dubbed the country’s “Internet Constitution” that would have required companies to store data on Brazilian citizens inside the country. The data storage provision was added last year after certain U.S. National Security Agency surveillance leaks revealed the agency had spied on Brazil’s president. Provisions that remain in the legislation include other privacy safeguards and limits on the gathering and use of Internet users’ metadata. Late last year, Google had testified in front of the U.S. Congres]s that local data storage laws would balkanize the Internet. [Reuters]

PH – Opinion: Philippines Cybercrime Law Has Questionable Provisions

Clayton Wood writes that citizens of the Philippines continue to rally against the country’s Cybercrime Prevention Act more than a month after the Supreme Court signed it into law. While protection against cybercrime is a plus for businesses relying on the Internet, concerns remain over a provision that deals with authorities’ access to the online behavior of individuals and one that makes libel a more serious crime online than in print media. [Tech In Asia]

Privacy (US)

US – Opinion: Pace, Relevance of Legislation Will Increase

Peter Waterhouse writes that between whistleblowing and high-profile data incidents, he expects “the pace and relevance of regulation to increase and improve.” Citing the EU breach notification regulation, which allows for fines of up to five percent of annual revenue, Waterhouse advocates for laws with sharp teeth, imagining what these kinds of fines might mean in situations like the Target and Mt. Gox incidents. “Failing to protect against the latest security events and associated risks will have profound implications for businesses when legislation catches up to technology and gains more teeth,” writes Waterhouse.

Global [Information Week op-ed]

US – FTC’s Kaufman Backs Civil Penalties for Large Breaches

FTC Deputy Director Daniel Kaufman has said companies experiencing substantial data breaches should face civil penalties. If the agency had the mandate to parse out such penalties, he said, businesses would be more motivated to implement strong data privacy frameworks beforehand, limiting the number of large-scale breaches. He emphasized the importance for U.S. businesses to be more transparent and to self-regulate in order to remain competitive globally. The agency does not want to stifle innovation, he noted, adding, “We want to make sure there’s privacy out there, but we are aware there are huge benefits.” Kaufman also said the FTC is nearing completion of its data broker study. [VentureBeat] See also: [Shocked to learn how data brokers are watching you?]

US – Louisiana House Panel Delays Education Privacy Discussion

The Louisiana House Education Committee delayed discussions on a bill to limit information school districts share with the state Department of Education (DOE) due to disagreement over what information should be shared. State Superintendent of Education John White underscored that the DOE needs certain information to establish eligibility for funds, among other things, but the bill’s sponsor, Rep. John Schroder (R-Covington), says the additions White seeks would undermine the aim of the bill. HB 946 would also limit retention of student data and create new ID numbers that would replace Social Security numbers. The bill may be on hold until March 26, according to the report. [The Advocate] See also: [Manitoba: Social media privacy being taught at high school]

UK – Ucas Sells Access to Student Data for Phone and Drinks Firms’ Marketing

Access to the data of more than a million teenagers and students and thousands of their parents is being sold to advertisers such as mobile phone and energy drinks companies by Ucas, the university applications body. The Universities and Colleges Admissions Service received more than £12m last year in return for targeted advertising and sales of the emails and addresses of subscribers as young as 16. The service, which controls admissions to UK universities and attracts 700,000 new applicants each year, sells the access via its commercial arm, Ucas Media. Vodafone, O2, Microsoft and the private university accommodation provider Pure Student Living are among those who have marketed through Ucas, which offers access to over a million student email addresses and a market worth a claimed £15bn a year. The Red Bull energy drink firm promoted three new drink flavours by sending sample cans to 17,500 selected students deemed to be trend-setting “early adopters” in order to create a “social media buzz”. Applicants can opt out of receiving direct marketing, but only at the cost of missing out on education and careers mailings as well. [Source]

US – Court Rules in Favor of Plaintiffs Despite Lack of Financial Harm

A federal court in Florida recently broke the mold of dismissing consumer class-action lawsuits against companies that have suffered data breaches if the consumers haven’t suffered financially. The court approved a $3 million settlement for victims of a personal-health information breach though they suffered “no direct losses or identity theft.” Meanwhile, a small-town Colorado hospital has reported a breach affecting more than 5,000 patients after identifying a virus on its computers, and Umpqua Holdings Corp. has filed a class-action against Target, but this suit is a bit different; it alleges violations of the Minnesota Plastic Card Security Act. [Computerworld] and [Malware threats making anti-virus software ‘totally useless’]

US – Court Rules Eavesdropping Law Unconstitutional

The Illinois Supreme Court has unanimously ruled that one of the nation’s toughest anti-eavesdropping laws is unconstitutional. The 1961 Illinois Eavesdropping Act made it a felony to record a conversation without the consent of all parties involved, but the court ruled the law violates free speech and protections for due process. In People v. Melongo, the court concluded the law’s recording provision “burdens substantially more speech than is necessary to serve a legitimate state interest in protecting conversational privacy.” The justices also wrote, “the statute’s scope is simply too broad.” In a separate case, the Ninth Circuit reinstated a class-action lawsuit against Hilton Worldwide, where the plaintiffs argue the company violated California privacy law by recording service calls. [Associated Press]

US – California DNA Collection Law Upheld

Civil liberties advocates are decrying the recent decision of a special 11-judge Ninth U.S. Circuit Court of Appeals panel, which unanimously upheld California’s law “allowing collection of DNA samples from anyone arrested on a felony” charge . The panel cited a Supreme Court ruling from last year that backed a similar Maryland law, and it rejected an ACLU argument that the California law is broader than Maryland’s and more of a privacy threat because Maryland’s law only permits collection from those charged with a “serious felony” and after a judge finds probable cause. However, the panel did suggest advocates return to a lower court and challenge the law on narrower grounds. [San Jose Mercury News]

US – HIPAA Changes Mean Tightening Up Vendor Relationships

With the changes to the HIPAA Privacy and Security Rules, the responsibilities and relationships between covered entities and their vendors have moved to the forefront of information-security management. Particularly, renewed emphasis has been placed on vendor security management and the responsibility that covered entities bear on performing appropriate due diligence. David Holtzman and Erin McMillan drill down on how to comply with the changes:. [The Privacy Advisor]

US – Google Sued for Student Mining; Wins Class-Action Denial

Google has been sued for scanning and collecting student data in its Apps for Education program and using the data to build profiles of the students. The lawsuit is currently making its way through a federal court in California and is represented by EPIC. The group argues the practice violates the Family Educational Rights and Privacy Act and may violate federal and state wiretap laws. Meanwhile, in a separate case, a federal judge has denied a request to combine multiple privacy complaints against Google into one class-action lawsuit. Though the ruling does not settle the dispute, it is a setback for the plaintiffs. [International Business Times]

US – Privacy Activists, Medical Groups Disagree on MN Infant Screening Program

In Minnesota, a bill to amend a newborn screening law to authorize a bio bank is causing concern for privacy activists. The bill would allow the state’s Department of Health to retain newborns’ blood samples and test results indefinitely but provide parents with the ability to opt out of the program. One lawyer involved in the case that struck down the bio bank in front of the state Supreme Court says the plan should be opt-in, but proponents of the bill say that would hamper research and that the time limit on retention could restrain the ability for diagnoses in some cases. [KEYC-TV]

US – New Jersey Supreme Court Rules Wiretaps Can Cross State Lines

The New Jersey Supreme Court has unanimously ruled that police wiretap warrants apply to phones in other states. Chief Justice Stuart Rabner wrote, “Because of the inherent mobility of cellphones, it would be impractical, if not impossible in some instances, for law enforcement to intercept cellphone conversations if agents could only rely on orders issued in the state where a call was placed or received.” The defense lawyer in the case says the ruling is an affront to privacy rights. [NorthJersey.com]

US – Yahoo Wants Judge to Drop E-mail Suit

Yahoo has asked a federal judge to dismiss a potential class-action lawsuit that claims the company violated the Electronic Communications Privacy Act (ECPA) when scanning the e-mails of users to serve them related advertisements. In papers filed last week, the company argued it does not violate ECPA because users explicitly consent to Yahoo’s practices by accepting its terms of service. Non-Yahoo users have argued that they have never accepted such terms, but Yahoo has countered that ECPA only requires consent from one party in a conversation, adding it does not violate California’s applicable privacy law because applying that law to such cases “would potentially turn ordinary and widespread computer use into criminal activity.” [MediaPost News]

US – Data Security Remains in Congressional Spotlight

Two Congressional hearings this week aimed at unveiling data security issues and the potential for legislation. The Financial Services subcommittee on Financial Institutions and Consumer Credit will hold a hearing to look into the nature of data breaches, what preventative measures are possible and whether technology can play a role in preventing breaches. The Congressional panel said the American public ought to know what protocols should “be in place when private- or public-sector entities mishandle, improperly disclose or otherwise fail to ensure the security of personal financial information.” Additionally, the House Science Committee will hold its own cybersecurity hearing. Meanwhile, a man in Oregon has claimed to have received thousands of faxes allegedly meant for United Healthcare that contain sensitive personal information. [The Hill]

US – Judge: Insurer Doesn’t Need to Defend Accused

A federal judge has said National Union Fire Insurance Company of Pittsburgh, PA, does not have to defend Coinstar and its Redbox, Inc. unit in a class-action that accuses them of “illegally keeping customers’ rental histories and then using the information for marketing purposes.” U.S. District Judge John Coughenour granted the insurer’s motion for partial summary judgment, the report states. Meanwhile, U.S. District Court Lucy Koh has said attorneys representing consumers in a class-action against Google face a “huge hurdle” in obtaining class-action status. [Full Story]

US – “Revenge Porn” Victim Awarded $500K in Civil Case

A jury in Texas has awarded a woman $500,000 in a “revenge porn” case. An ex-boyfriend blackmailed her and eventually published the material on the Internet. Though there is no specific law against it in Texas, two state lawmakers are working on legislation that would make revenge porn illegal. Critics, however, warn such a law could violate the First Amendment. One legal analyst said, “If you allow the state or federal government to restrict your speech in one instance, it could expand and get more restrictive over other matters and nobody wants that.” New Jersey and California have both outlawed revenge porn and other states are considering a similar move. [Full Story]

Privacy Enhancing Technologies (PETs)

WW – Start-ups Betting on Privacy as Selling Point

A growing number of start-ups are “betting consumers will pay at least something to keep their data away from prying eyes.” “The next generation of start-ups, those in the next 10 years that will survive, will be the ones that put security first,” said Wickr CEO Nico Sell, adding, “the benefits of the Internet have been proven and privacy is in demand, and people are willing to pay.” Surveillance and online privacy are also big topics of conversation at SXSW this year , the report states, with speakers such as Julian Assange of WikiLeaks fame and NSA whistleblower Edward Snowden. [NBC News] [Edward Snowden speaks at SXSW, calls for public oversight of U.S. spy programs]

US – Startup Hits $6.3 Million in First-Round Funding

OwnCloud, a young company founded in response to concerns over secure data storage and sharing, has now raised $6.3 million in Series A funding. The company got its beginnings in 2010 when co-founder and CTO Frank Karlitschek concluded new cloud computing services were a threat to data security and privacy and so wrote an open-source code and put a community of developers on the case. The company differentiates itself from competitors by giving corporate IT departments control over where the data is stored, the report states. [The Wall Street Journal] See also: [Future Robots to Keep Your Secrets] and [Price, power, privacy: why trust issues should influence your tech purchases]

US – Startup Allows for Collecting Big Data Without Little Data

Researchers at Max Planck Institute for Software Systems have proposed a novel way to collect Big Data. Their startup, Aircloak, aims to allow for the collection of Big Data without also collecting “little data” about consumers’ lives. Aircloak currently has “no direct rivals,” its cofounder Sebastian Probst Eide said, because most of the leaders in that industry still treat privacy as a “necessary chore” rather than as fundamental to the product’s design. The product uses “cryptographic proof” to indicate to users that it’s completely transparent. “If we were to introduce a backdoor, or if the NSA came along and forced us to do that, it would be visible. People will be able to see it in the code,” Eide said. [Forbes]

WW – FreedomPop Releases $189 Private Phone; Cryptocat Goes Mobile

Not long after the announcement of Silent Circle’s Blackphone, there is already a lower-priced competitor. FreedomPop has launched a $189, contract-free Privacy Phone, which is essentially a Samsung Galaxy S II, but with software that includes encryption for all Internet-based calls and messages, with data traveling through a VPN. The Blackphone will retail at $629 in the United States. Meanwhile, Cryptocat, a web application for privacy chatting, is now available as a free app in the Apple App Store. Cryptocata uses Off-the-Record Message, a “cryptographic protocol for secure Internet messaging,” with servers stored in a “Swedish nuclear bunker,” reports Reason. [Engadget]

US – Wickr Raises $9m for Private Messaging App

Wickr, a private messaging app that allows for encrypted mobile messaging with no data stored by the service, has raised $9 million in Series A funding. The round was led by Alsop Louie, with investments by Juniper Networks and the Knight Foundation. Alsop Louie partner Gilman Louie is joining the company’s board, and individual investors include former presidential advisor Richard Clarke, Lookout CEO John Hering and Human Rights Foundation president Thor Halvorssen, the report states. Currently, Wickr delivers roughly one million messages per month in more than 190 countries, but the report says usage has been doubling “every two months.” [Silicon Valley Business Journal]

WW – Yang Invents New Privacy-Centric Coding Language, Jeeves

MIT PhD student Jean Yang has invented a privacy-centric coding language called Jeeves that allows coders to “readily create privacy settings for an entire application, a master list that could then flow to each new application feature.” With Jeeves, Yang said, “private data such as photos would be attached to policies until the moment they are released. This guarantees that unauthorized viewers may not view a photo no matter what series of actions they took to arrive at a photo.” [Wired]


US – Target Invests $100m+ in Data Security

Following the data breach that cost the company as much as $440 million in profit, Target has announced it is “accelerating the adoption of advanced chip-enabled technology, investing more than $100 million to equip its stores and to issue Target branded smart chip credit and debit cards.” Further, the company is investing $5 million in a new coalition with the Better Business Bureau, National Cyber Security Alliance and National Cyber Forensics Training Alliance to educate the public about cybersecurity and the dangers of consumer scams. [Retail Info Systems News] See also: [Data Risk, Privacy Breach And Insurance Coverage In Canada]

WW – Samsung Devices May Have Backdoor to User Data, Developer Says

Samsung’s Galaxy devices might have a built-in security flaw that could allow for “remote access to data,” a developer claims. The folks behind Replicant, a free and open-source OS that aims to replace proprietary Android components with free alternatives, claim to have discovered a flaw in certain Samsung devices that allows for access “to read, write, and delete files on the phone’s storage.” In addition, the developers said that the flaw has “sufficient rights to access and modify the user’s personal data.” In a blog post detailing the issue, Replicant developer Paul Kocialkowski said the trouble resides in the use of two processors in mobile devices. The applications processor runs the main operating system, while another, baseband processor, is used to handle communications to and from the device. The issue with the baseband processor in Samsung’s devices, Replicant argued, is that it’s using a proprietary Samsung software to handle all the communication — and that software allows for a backdoor to user data. [Source] See also: [US: Smart Device Makers Put on Notice for Poor Security]

Smart Cars

WW – Volkswagen Chairman Calls for Protections on Car Data

Volkswagen Group Chairman Martin Winterkorn says strict protections are needed to prevent government intrusion into the vast amounts of data that will be collected by cars in the future. “The car must not become a data monster,” said Winterkorn from a trade show in Germany. “I clearly say yes to Big Data, yes to greater security and convenience, but no to paternalism and Big Brother.” He called for international efforts to ensure data protection and also called for a voluntary commitment from the car industry to protect such data. [Re/code]


US – NSA Plans Revealed for Infecting “Millions” of Computers

The latest revelation from the Snowden files, reported by Glenn Greenwald and Ryan Gallagher, is that “the National Security Agency is dramatically expanding its ability to covertly hack into computers on a mass scale by using automated systems that reduce the level of human oversight in the process.” The report details what it calls “groundbreaking” surveillance technology, at times masquerading as a Facebook server, other times implanted in spam e-mails. The practice dates back to 2009, but in response to questions, the NSA said in a statement that, going forward, signals intelligence will only be utilized to support national and departmental missions for foreign intellitence or counterintelligence. [Intercept] See also: [The NSA Has An Advice Columnist. Seriously] and [Rogers Declines to Call Snowden a Traitor]

US – NSA Says Spying Concerns Trumping Cybersecurity Fixes

U.S. NSA Director General Keith B. Alexander has said the unauthorized disclosures by Edward Snowden—who will speak via videoconference at SXSW—have stymied efforts by the government to prevent cyber-attacks on major U.S. infrastructure. In one of his last public speeches before departing the agency, Alexander predicted that Congress would change laws around the bulk collection of telephone records before passing cybersecurity legislation that could help the government work with private companies in sharing threat data. Alexander has asked for laws that would clear the way for companies to share data with the government about incoming threats—something, he said, that is often prevented by current privacy law, the report states. In a separate but related story, the federal government has filed a lawsuit against Sprint, accusing the company of overcharging federal agencies for wiretapping services, an act, they argue, that violates the Communications Assistance in Law Enforcement Act of 1994. [The New York Times] Meanwhile, a judge has blocked plans by the NSA to begin destroying phone records it collected for surveillance. The Foreign Intelligence Surveillance Court had ruled last week that the NSA could destroy the records.

UK – Optic Nerve: Millions of Yahoo Webcam Images Intercepted by GCHQ

Britain’s surveillance agency GCHQ, with aid from the U.S. NSA, intercepted and stored the webcam images of millions of internet users not suspected of wrongdoing, secret documents reveal. GCHQ files dating between 2008 and 2010 explicitly state that a surveillance program codenamed Optic Nerve collected still images of Yahoo webcam chats in bulk and saved them to agency databases, regardless of whether individual users were an intelligence target or not. In one six-month period in 2008 alone, the agency collected webcam imagery – including substantial quantities of sexually explicit communications – from more than 1.8 million Yahoo user accounts globally. Yahoo reacted furiously to the webcam interception when approached by The Guardian. The company denied any prior knowledge of the program, accusing the agencies of “a whole new level of violation of our users’ privacy”. [Source]

WW – Egan: “If People Are Surprised, That’s Not Good”

Facebook Founder and CEO Mark Zuckerberg made public his confusion and frustration over “repeated reports” of government spying. In calling on the U.S. government to “be the champion for the Internet, not a threat,” Zuckerberg said, “They need to be much more transparent about what they’re doing, or otherwise, people will believe the worst.” Transparency for a company like Facebook, one predicated on users sharing personal information with one another, is a huge part of maintaining such trust. This same notion was explained in more detail by Facebook CPO, Policy, Erin Egan [The Privacy Advisor] See also: [5 apps for spying on your spouse] See also: [‘Upskirt’ photos not illegal, U.S. court rules] [Police video released of Justin Bieber urinating]

Telecom / TV

CA – Bell Canada Case: A Challenge to Interest-Based Advertising

Should telecommunications providers be able to use their subscribers’ behavioral information to sell advertising? And are rules stricter than PIPEDA needed for telecoms? A complaint over Bell Canada’s practices brought before the CRTC may end up determining the answers to these questions. Timothy Banks of Dentons Canada LLP writes that if the CRTC agrees with the Public Interest Advocacy Centre and the Consumers’ Association of Canada that “more detailed privacy rules are needed for telecommunications carriers … this could represent one of the most important developments in the evolution of privacy law in Canada since the enactment of PIPEDA.” [Privacy Tracker]

WW – Lookout Releases Free, Open-Source Short-Form Privacy Policy Tool

You know the privacy policy story by now: While ostensibly intended to inform users of what a company will do with their personal data, the egregiously long, riddled-in-legalese documents have evolved into a formality rather than a meaningful contract for users themselves. That’s why Lookout has just released an open-source tool that aims to revolutionize that. “Private Parts” allows app developers to customize short-form privacy policies for their brands or products in five steps, or under an hour. Angelique Carson has the story [The Privacy Advisor]

WW – Apps Alliance, Intuit Release Open Source Mobile Privacy Notice Code

The application developer Alliance, and its member Intuit, maker of Quicken and Quickbooks, announced that Intuit will provide developers with open-source software code to implement at-a-glance mobile app privacy notices. The code will allow app developers to comply with the Mobile App Privacy Voluntary Code of Conduct developed through last year’s U.S. government-hosted multi-stakeholder talks on mobile app privacy. The code, according to a press release, enables developers to incorporate “privacy screens” or simple notifications of what data the app is collecting and with whom it is shared. [Full Story] See also: [C.I.A. Employees Face New Inquiry Amid Clashes on Detention Program]

US Government Programs

US – Snowden Gives Tech Industry Call to Arms

This year’s South by Southwest (SXSW) conference featured a rare teleconference interview with Edward Snowden. Speaking to a crowd of developers and entrepreneurs, Snowden said the NSA is “setting fire to the future of the Internet,” adding, “You guys are all the firefighters. We need you to help us fix this.” He called on privacy activists, cryptographers and developers to build better tools to help protect the privacy of users of technology, reports, which will, he said, “allow us to reclaim the open and trusted Internet.” [The New York Times]

US Legislation

US – FTC Seeks Comment on Proposed COPPA Safe Harbor

The FTC has announced it is seeking public comment on a proposed safe harbor program that’s been submitted for FTC approval under the Children’s Online Privacy Protection Act (COPPA) Rule. Industry groups and others can ask the commission to approve self-regulatory guidelines under the COPPA rule, and companies that comply receive safe harbor from enforcement. A Federal Register notice will be published shortly asking for public comment on the proposed iKeepSafe program, specifically regarding whether the mechanisms used to assess operators’ compliance are effective, whether incentives for compliance are effective and whether it “provides adequate means for resolving consumer complaints.” The comment period ends April 21. [Full Story]

US – Data Breach Reporting, a Struggle for U.S. Lawmakers and Businesses

In the absence of a federal law, businesses are forced to comply with widely varying and ever-changing state data breach notification laws, but there are hurdles in the path to compromise for lawmakers as well. There are five federal bills looking at these issues right now; Covington and Burling published a comparison article on them a couple of weeks ago, and the Associated Press now reports on lawmakers’ lack of consensus on the issue, highlighting some of the key sticking points. FCW reports that a recent hearing of the Financial Institutions and Consumer Credit Subcommittee of the House Financial Services Committee saw law enforcement officials pushing for federal reporting standards, noting they could aid investigators and consumers, and Attorney General Eric Holder called for a national consumer notification law in February. [No Consensus On Notifying Victims Of Data Breaches]

US – U.S. Bill Would Grant Farmers More Privacy

A bipartisan group of senators has proposed a bill that would prohibit the Environmental Protection Agency (EPA) from sharing the personal information of livestock and poultry producers. Agri-Pulsereports that HR 4157 comes a year after the EPA, in complying with a Freedom of Information request, released producers’ personal information to three environmental groups. The information included names, addresses and in some cases phone numbers and e-mail addresses of over 80,000 producers, and the EPA says it has no power to prevent this from happening again.

US – Company Sues Utah for Right to Surveil

Digital Recognition Network, Inc. (DRN) and Vigilant Solutions are suing the state of Utah for banning them from using automated cameras to collect images, locations and times of license plates, claiming that it violates their First Amendment rights. DRN Counsel Michael Carvin says, “Everyone has a First Amendment right to take these photographs and disseminate this information,” arguing that a license plate is inherently public information. ACLU Attorney Catherine Crump says this is “a complicated area where we are going to need to carefully balance First-Amendment rights of corporations versus individuals’ privacy rights,” noting that First Amendment rights aren’t unlimited; “There are circumstances under which the government is free to regulate speech.” [The Oregonian]

US – ECPA Reform Gains Steam in House

Reform to the Electronic Communications Privacy Act (ECPA) is gaining steam in the House of Representatives. Privacy advocates have been frustrated of late, the report states, because reform has been stalled in the Senate. Reps. Kevin Yoder (R-KS), Tom Graves (R-GA) and Jared Polis (D-CO) have introduced the E-mail Privacy Act, and thus far, have 181 cosponsors. A spokesman for Yoder said they’re “pushing to get more.” Mark Stanley of the Center for Democracy and Technology said, “There’s a lot of growing support for that bill … A lot of members of Congress see this as a common sense thing.” [The Hill]

US – Florida Senate Committee Passes Bill to Standardize Gov’t Data Handling

The Florida Senate Committee on Governmental Oversight and Accountability has unanimously approved a bill sponsored by Sen. Jeff Brandes (R-St. Petersburg) that would create a uniform protocol for handling personal identification information within government agencies and contracted websites. SB 782, Government Data Practices, sets out specific required disclosures for contractors, requires agencies to set up appropriate timelines for retention and disposal of data and requires OPPAGA to create a data inventory report to inform lawmakers of what’s being collected and held. [WCTV]

US – Feinstein Calls for Federal Drone Legislation

For the second straight week, 60 Minutes featured a story related to privacy. Sen. Dianne Feinstein (D-CA) said the privacy concerns brought on by the emerging technology are “major,”Politico reports. “When is a drone picture a benefit to society?” she asked. “When does it become stalking? When does it invade privacy?” Feinstein said she spotted a drone looking into her window during demonstrations outside her home; demonstrators have said it was a toy helicopter. “It’s going to have to come through regulation,” she said, “perhaps regulation of size and type for private use. Some certification of the person that’s going to operate it … some specific regulation on the kinds of uses it can be put to.” She also questioned appropriate use for law enforcement, asking, “What’s the appropriate governmental use for a drone?”[Full Story] See also: [US: Feinstein says CIA spied on Senate computers] and [Now Facebook Has a Drone Plan]

US – In Lieu of Federal Drone Laws, States Legislate on Their Own

While there are increasing incentives for both private and public use of drones in myriad applications, privacy advocates are urging states to legislate such use before privacy violations are as numerous. This year, 35 states will consider legislation, some of which include ways to “attract an industry that could generate billions and restrictions on drone use and data collection,” the report states. States are left to legislate on their own in lieu of federal legislation on the matter. [Associated Press]

US – Drones: Aren’t the Laws Already on the Books?

“The grandfathers of privacy wouldn’t argue for new, drone-specific privacy rules,” writes Jeff Kosseff. Rather, the common-law privacy torts they articulated more than a century ago would apply equally to drones as they do to older information-gathering technologies. In part one of a three-part series on drones, Kosseff looks at existing U.S. laws to be considered when it comes to the use of drones for gathering information. Look for part two, on private-sector drone use. [Full Story]

US – Hawaii’s Anti-Drone Bill Put Out to Pasture

SB 2680 would’ve made it illegal for private entities to use drones in the state, but after hearing evidence from ranchers, researchers and cinematographers, Transportation Chairman Ryan Yamane decided not to schedule it for a hearing. “Everybody is using it for different reasons, and so it is key that before we move any legislation forward, that we don’t negatively impact all the value that it’s going through now,” Yamane said. [KITV4]

US – Kansas Senate Committee Passes Drone Privacy Bill

The Kansas Senate Committee has passed SB 409, which would limit the use of drones with recording devices, reports KSN. Sen. Dan Kerschen (R-District 26), the vice chair of the Natural Resources Committee, says this bill is different because it focuses on protecting “private property rights with the use of these aircraft on who owns the property.” The committee helped to define some areas of the bill relating to property rights and search warrants, according to Kerschen. The bill now goes to the full house for discussion.

US – New Hampshire House Votes to Regulate Drone Use

The New Hampshire House, in a voice vote, approved measures to limit drone use in order to protect privacy,. The legislation would require police to get a warrant prior to using data obtained with drones and also limits commercial and institutional use of drones. [the Associated Press]

US – Utah Senate Approves Drone Privacy Bill

The Utah Senate has unanimously approved a bill that puts limits on police use of drones. The bill would require law enforcement to get a warrant before using drones and puts limits on what kinds of data drones can collect and over what period of time. The bill now heads to the House. [Associated Press]

US – Wisconsin Drone Privacy Bill Heads to Governor

The Wisconsin Assembly unanimously passed a bill that would make it illegal to use a drone capable of capturing audio or video recordings in places where individuals have a reasonable right to privacy. The bill also requires that police obtain a warrant before using drones to collect evidence, unless in an emergency situation, and makes it illegal to own, sell or possess a weaponized drone, the report states. The bill now heads to Gov. Scott Walker for signature. [The Republic]

US – Kansas Committee Passes Bill to Share Youth Death Information with Researchers

The Senate Judiciary Committee has approved a bill that would allow the State Child Death Review Board to share information with researchers. Nancy Strouse, executive director of the Kansas Judicial Council, says passing the bill would allow Universities in the state and others to conduct studies, making the state board more effective. “Research can lead to preventions and other strategies that save kids’ lives,” Strouse said. A similar bill died last year, but this one has been amended to require public documentation of those who use the information and why. [The Wichita Eagle]

US – Kentucky One Step Closer to Data Breach Bill

The Courier-General reports that the Kentucky Senate State and Local Government Committee unanimously passed a data breach bill that would require most state and local government agencies to notify citizens of electronic breaches of personal information. HB 5 also requires “public agencies and nonaffiliated third parties to implement, maintain and update security procedures and practices, including taking any appropriate corrective action to safeguard against security breaches,” among other provisions.

US – College Hoops Meets U.S. Privacy Legislation

Rep. Jared Polis (D-CO) is pushing Congress to pass the E-mail Privacy Act and, in doing so, appealing to the all-important March Madness bracket. “Ever think Eric Holder’s March Madness bracket looked a lot like yours? Stop the madness, cosponsor the E-mail Privacy Act!” Polis wrote in his tongue-in-cheek letter to Congress. Polis introduced the legislation last year with Reps. Kevin Yoder (R-KS) and Tom Graves (R-GA). The bill would require police to get a warrant before accessing individuals’ e-mails. The bill has more than 180 cosponsors in the House, and Sen. Patrick Leahy (D-VT) has introduced a companion measure in the upper chamber, which has the backing of some major tech firms. [The Hill]

US – Indiana Anti-Surveillance Bill on Its Way to the Gov

The Indiana Senate and House have both passed a bill that would require police to obtain search warrants before using drones, using cellphones to track individuals or demanding passwords for electronic devices among other restrictions. HB 1009 now heads to the Governor for final approval. [the Indianapolis Business Journal]

US – Maryland Del. Proposes Bill Targeting Tracking in Brick-and-Mortar Retail

Del. Sam Arora (D-Montgomery) has introduced legislation in the Maryland General Assembly that would require brick-and-mortar retailers to provide notice if they are tracking shoppers using their cellphones. HB 924 does not propose to end the practice but to notify consumers of it. Some retail organizations are against the measure; however, and the Future of Privacy Forum has built an opt-out list similar to that of the do-not-call list, but no retailers have pledged to abide by it. [The Washington Post]

US – Maryland Sen. Proposes Cell, License-Plate Privacy Bills

Sen. Christopher Shank (R-Washington) presented to the Senate Judicial Proceedings Committee two bills: one that would limit government access to cellphone location data and one to limit license-plate tracking by police. Shank developed the bills with Sen. Jamie Raskin (D-Montgomery), who submitted a drone privacy bill in January. The cellphone privacy bill would require police to get a search warrant before obtaining GPS data from cellphone companies and would require cellphone owners to be notified of the search within seven days of its completion. The license-plate privacy bill would limit police use of license-plate tracking cameras and would require police to destroy the data after 30 days. [The Associated Press]

US – Maryland Del. Proposes Smart-Meter Privacy Bills

Maryland Del. Glen Glass (R-Harford/Cecil County) has proposed two bills to protect consumer data collected by smart meters. HB 331 would prevent utilities from selling smart-meter data to third parties, and HB 332 would allow consumers to decline the installation of smart meters without having to pay excessive fees. Concerns have also been voiced about law enforcement’s use of this data.

US – Maryland Committees Hear Testimony on Cellphone Privacy Bill

The Maryland House Judiciary Committee and Senate Judicial Proceedings Committee heard testimony both for and against a package of bills that would limit law enforcement’s ability to monitor citizens. The bills would require police to obtain a warrant prior to monitoring citizens through cellphones, limit their use of drones and the length of time license-plate scanning records are kept. Members of the American Civil Liberties Union spoke in favor of the package, voicing concerns that laws have not kept up with technology, and law enforcement officials questioned the need for the laws, adding concerns that they may hamper investigations. [The Capital Gazette]

US – Minnesota Committee Advances Anti-Surveillance Bills

The Minnesota House Public Safety Committee advanced two bills that would require police to get a warrant before collecting data from cellphones and other electronic location devices in most cases, and notify cellphone owners within a few months that their information was accessed, reports the Associated Press.

US – Oregon Cell and License-Plate Privacy Bills Fail

Four privacy bills have been recently proposed. Two bills creating exemptions under Oregon public records laws passed, while two others—involving law enforcement’s use of cellphone and license-plate data—failed. Sen. Larry George (R-Sherwood) has vowed to put together an informal workgroup to create a ballot initiative on privacy protections in 2016. George authored cellphone privacy bill SB 1583, which died in a Senate committee, as did license-plate privacy bill SB 1522. [The Oregonian]

US – Ohio House Considers Social Media Privacy Bill

The Ohio House is considering HB 424, which would protect students, employees and job applicants from having to disclose login information to personal social media accounts. Rep. Heather Bischoff (D-Blacklick), the primary sponsor of the bipartisan legislation, said in testimony that the bill is aimed at establishing what is within employers’ and institutions’ rights to research and “what is considered private with regard to social media.” [The Daily Jeffersonian]

US – Colorado Committee Passes Education Data Transparency Bill

The Colorado House Education Committee unanimously passed a bill that would put restrictions on the sharing of education data. While HB 14-1294 doesn’t go as far as some privacy activists would like, it does require the Colorado Department of Education (CDE) to create criteria for the destruction of data and to publicly disclose the names of organizations with which it shares data; limit that sharing, and ban those organizations for using the data for commercial purposes. The bill also formalizes the process of considering outside data requests and requires CDE to create a “data security template” and publish a data inventory. [Chalkbeat]

US – Bill in Delaware Would See Businesses Shelling Out for Outside Breaches

Sen. Dave Sokola (D-Newark) has introduced a SB 102, which would see entities that experience outside data breaches paying a $1,000 fine for each individual whose personal information was compromised if no actual damages can be proven. Business groups are concerned with the measure and are working with Sokola to find middle ground. Sokola acknowledged that if businesses have a “standard of diligence that they’re in compliance with,” that should be recognized, but he added that consumers can’t be left out in the cold in a breach. Sokola has also sponsoredSB 101, which would increase to seven years the statute of limitations in which victims can bring a civil action for damages relating to a data breach. [WDDE]

US – Delaware House Sees Child Online Protection Act

Delaware Attorney General Beau Biden and Rep. Darryl Scott (D-Dover) have introduced legislation to the state’s House of Reprensetatives that would require web operators to allow individuals to remove content they posted as a minor. HB 261, the Child Online Protection Act, would also prohibit sites and apps targeted at children from advertising products and services that minors cannot legally use. The bill was modeled after California’s “eraser law.” [Law360] See also: [Maintaining kids’ digital privacy is tough but possible]

US – California Sen. Proposes Student Privacy Bill

California Sen. Darrell Steinberg (D-Sacramento) introduced a bill that would help safeguard personal information of public school students, reports Los Angeles Times. While government-funded schools are prohibited from sharing student data, private companies now have access to it through web-based educational tools. Steinberg’s bill aims to close this loophole in California by barring contractors from sharing student data.

US – South Dakota House Passes Student Privacy Bill

Following unanimous support from South Dakota’s Senate, SB 63 has now unanimously passed the House as well. In its fourth iteration, the bill charges the state Department of Education with creating security measures for student data, prohibits the sharing of student data with the federal government and prohibits school officials from asking about a student’s religious beliefs, gun ownership and seven other things. [Rapid City Journal]

Workplace Privacy

US – Employees Can Be Law Firms’ Prime Data Security Threat

Though recent reports claim government intelligence agencies spied on a major law firm and one of its clients, there is a more common threat to firms’ data security,, and that’s its employees. Fox Rothschild Partner Scott L. Vernick said firms must prioritize data security, just like any other business. “To a certain extent, we’ve always been highly mindful of the confidential nature of client data, but I don’t know that that’s translated completely to the thinking that we are just like any other business and so we have to think about data security like any other business,” he said. One key aspect to maintaining data security, he added, is appropriate vendor management. [Mondaq] See also [Maine Governor Resists Online Work Injury Database] and also: [Allowing Ontario’s Privacy Tort To Develop In The Health Information Sphere — For Now]

NZ – New Zealand: Tribunal Decision Significant for Employers

A review of the recent Human Rights Review Tribunal decision in Waters v Alpine Energy Limited, suggests it “contains significant developments for employers over their obligations to withhold and disclose private information.” The decision has made it possible for an unsuccessful job applicant to review such information as other applicants’ CVs. “The decision creates an interesting precedent for the treatment of confidential and personal information. The way through this issue is complex, and it would seem that the available options may differ depending on whether the applicant was successful—and therefore is an employee—or unsuccessful,” Wynn Williams Lawyers’ Matthew Prendergast writes. [Mondaq]


Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: