Big Data
US – Researchers Release Paper on Big Data Pitfalls
Princeton University’s Solon Barocas and lawyer Andrew Selbst have published their paper on “Big Data’s Disparate Impact.” While big data has its benefits, they argue, data mining as a decision-maker “has the potential to reproduce existing patterns of discrimination, inherit the prejudice of prior decision-makers or simply reflect the widespread biases that persist in society,” adding that antidiscrimination doctrines currently on the books aren’t equipped to handle the concerns arising from big data’s pitfalls. [SSRN]
Canada
CA – OPC Annual Report: Online Transparency is “Significant Concern”
In the Office of the Privacy Commissioner’s (OPC) 2013 Annual Report to Parliament on the Personal Information Protection and Electronic Documents Act (PIPEDA), online transparency is cited as “a significant concern.” The OPC accepted 426 PIPEDA complaints in 2013, almost double from the year before (although 183 pertain to one complaint against Bell Canada). “It is becoming increasingly apparent that the protection of privacy demands a partnership between individuals and the corporations with which they interact,” said Privacy Commissioner Daniel Therrien. “Like any successful partnership, this must be based on trust and therefore openness. Now that personal data has become such a precious coin of commerce, the rules governing its collection, use and disclosure must be crystal clear, well-understood and actively accepted.” The OPC dedicated the report to former Privacy Commissioner Jennifer Stoddart. [CBC News] [Canada: Privacy complaints doubled in 2013] See also: Mondaq reports on opportunities for public input on British Columbia’s Personal Information Protection Act (PIPA), including public hearings on September 8 and 9, and written submissions will be accepted until September 19th.
CA – Retired Judge Recommends Spy Agency Increase Protections
Communications Security Establishment Canada (CSEC) Commissioner Jean-Pierre Plouffe, a retired judge, says CSEC should do more to protect Canadians’ privacy. Plouffe said if CSEC intercepts emails made to a person in Canada, such emails should either be marked for deletion or as essential to national security. If deemed essential, they should be reevaluated every quarter to verify whether they are still required. Plouffe recommended the government issue a directive to CSEC on information-sharing with its partners, spelling out how Canadians should be protected, and “CSEC itself should ‘promulgate guidance to formalize and strengthen practices for addressing potential privacy concerns’ involving the Five Eye partners,” the report states. [Reuters]
US – The Supreme Court Decision on IP Addresses and Its Implications
Canada’s Supreme Court unanimously concluded individuals “may have an interest in anonymity on the Internet that should be taken into account in determining whether law enforcement should have warrantless access to subscriber information associated with Internet Protocol addresses.” The court determined Internet service providers’ (ISPs’) terms of service and the Personal Information Protection and Electronic Documents Act (PIPEDA) “did not affect the analysis in the way previous courts had suggested,” writes Timothy Banks of Dentons Canada in this Privacy Tracker post. “The court rejected the idea that PIPEDA permits an organization to respond to a police request that would otherwise violate an individual’s reasonable expectation of privacy.” This decision sets the stage for consideration of other data and has implications for any organization that receives police requests for information. [Source]
CA – Number 25: Dr. Ann Cavoukian – Canadian Power 50
Ann Cavoukian, Executive Director, Ryerson University, Institute for Privacy and Big Data: While few outside the world of privacy regulation know her name, the former Ontario Information and Privacy Commissioner is Canada’s most powerful broker in convincing corporations and government agencies to treat people’s private data with care. “She was more a force of nature than a regulator,” says Jules Polonetsky, of the Future of Privacy Forum, a think tank in Washington, D.C. “She’s used every policy tool, and then some, to advance the Privacy by Design agenda.” Cavoukian’s model encourages corporations, governments and other organizations to embed privacy alongside normal business practices. She counts GE, McAfee and Intel among .her enthusiastic supporters. Cavoukian’s strategy has been to work with companies and organizations to help them achieve their goals, while still ensuring they uphold strict privacy standards. ‘‘If you approach privacy in this way, you will always get a seat at the table,” Cavoukian says. “Otherwise you don’t get heard.” [Canadian Business Magazine]
Consumer
US – Fitbit Responds to Senator’s Public Call for Transparency, Legislation
Despite concerns raised by Sen. Charles Schumer (D-NY), Fitbit says it does not sell personal data to advertisers. Schumer warned of a potential “privacy nightmare” regarding concerns the company sold users’ data to advertisers and called for federal regulations to require it and similar companies to allow customers to prevent their data from being sold. But the company responded by spelling out its privacy policy on its website. Meanwhile, Neustar’s privacy officer Becky Burr tries to alleviate customer concerns over worries about data-aggregating companies like hers in a sponsored post on Business Insider. [Associated Press]
WW – Survey: 80% Want Limits on Third-Party Data-Sharing
GFK has released its Survey on Data Privacy and Trust, in which it interviewed 1,000 Americans in an effort to understand the way they perceive and manage their personal data and how this differs by generation. The survey found 59% say their level of concern for their data has risen in the past 12 months, and two-thirds of respondents from older generations say the government isn’t doing enough to protect their data. “Overall, almost 80 percent of respondents feel that there should be more regulations, preventing organizations from repurposing personal data to third parties,” the report states. [Source]
US – BBB: Cross-Device Tracking Requires Notification, Opt-Outs
The Better Business Bureau (BBB) has warned that, based on its Accountability Program, companies engaging in cross-device tracking—including cookies, fingerprinting and other technology—must provide users with notification and opt-outs. The BBB’s Genie Barton said if companies are “tracking online and they’re going to use the information cross-screen, they need to tell consumers that and make clear that consumers can opt out.” [MediaPost]
E-Government
UK – Ban Junk Mail Companies from Accessing Electoral Roll, Councils Say
Junk mail companies should be barred from being able to buy access to the personal data of millions of people including their names and addresses, council leaders have said. Under present rules marketing companies can buy the details of 1,000 people from the electoral roll for £21.50 and use it to send out junk mail promoting products and services. The data is held on the public version of the electoral roll, meaning any person or company can buy the information. While people can choose not to be listed publicly on the register, very few are aware that they can do so. Councils fear that concerns about junk mail could be deterring people from signing up to vote and are calling for the public register to be scrapped. More than 11 billion items of junk mail are produced each year in the UK with each household getting at least 400. The industry is worth about £250 million. [The Telegraph]
US – Vote! You Just Might Win $50,000
To get people more involved–and prevent further embarrassment–the city is now considering a pilot program that would use lottery-type cash prizes as enticement to get locals to participate in elections. The Los Angeles Times reported that on Thursday night, the Los Angeles Ethics Commission voted unanimously to recommend that the city council begin offering cash prizes to voters randomly as soon as next year. “Maybe it’s $25,000 maybe it’s $50,000,” said [Ethics] Commission President Nathan Hochman. “That’s where the pilot program comes in–to figure out what … number and amount of prizes would actually get people to the voting box.” … “Wouldn’t we get a lot of people who know nothing about politics or the candidates jumping in and voting and just checking the box so they could get a million bucks?” the radio host asked Guerra. “Absolutely,” Guerra responded. But, he added, that might not be bad thing. “That might produce better results. There is no data to show that uninformed voters make worse decisions than informed voters.” (TIME)
NZ – Public Servants See Inappropriate Access of Personal Data
A survey has found that one in every 20 public servants has seen a colleague inappropriately accessing or misusing a client’s personal information in the past year. The finding doesn’t surprise Accident Compensation Corporation client Bronwyn Pullar, who was sent files about almost 7000 other ACC clients in one of New Zealand’s worst privacy breaches in 2012. “I don’t think New Zealanders appreciate the extent to which there is inappropriate and unauthorised use of information,” she said. “It does raise serious concerns about the degree of access Government employees have over people’s private information, particularly sensitive health information.” The survey found that the highest proportion of public servants who saw improper access or misuse of personal files – 7% – was in the district health boards (DHBs). The numbers were 4% in core government departments, 3% in non-DHB Crown agencies such as ACC, and 2% in other Crown entities such as TVNZ. [nzherald.co.nz]
EU – Judge Says Microsoft Must Turn Over eMails Stored on Server in Ireland
A US District Judge in New York has ordered Microsoft to turn over email records stored on a company server in Ireland to US authorities. US District Judge Loretta Preska wrote that “it is a question of control, not a question of the location of that information.” Privacy laws in Europe are stronger than those in the US. [ArsTechnica] [ZDNet]
WW – Facebook Reports Enormous Uptick in Use of Snoop-Proof Email
The social network sends billions of emails to users daily and says adoption of the encryption standard it uses has skyrocketed among webmail providers. The percentage of emails sent from Facebook that are received by webmail providers which support encryption has jumped from less than 30% in May to 95% by mid-July, according to a Facebook blog post. [Source]
Electronic Records
US – National Database Could Streamline Care, But Concerns Persist
There are concerns about state health information exchanges that could one day connect, compiling patient data in a vast national database. It’s already likely becoming a reality as states create health information exchanges that will allow professionals nationwide to access records. While advocates say a centralized storage center makes sense from a patient-care perspective, streamlining access to information and reducing redundancies as well as costs, critics worry about where the data will be stored, who will have access and how it will be used. [InformationWeek]
Encryption
US – NIST Report Urges Tighter Implementation of SSH
According to a report from the National Institute of Standards and Technology (NIST), US companies are not implementing Secure Shell (SSH) appropriately or well. SSH is often used to allow automated communications between hosts. The report says, “The security of SSH-based automated access has been largely ignored.” NIST is accepting comments on the document through September 26, 2014. [The Register] [NIST] [Reading Encryption Keys from Surface Electric Potential Measurement] [Mobile Applications use bad SSL Implementations]
WW – Will Tokenization Be the Way Forward for Data Transfers?
The possibility of foreign government access to personal information has been a hurdle to international data transfers, even between countries with strong ties such as Canada and the U.S. Timothy Banks writes about a report from BC Information and Privacy Commissioner Elizabeth Denham indicating there may be hope for Canada-U.S. data transfer in the form of “tokenization,” a system of de-identifying data using random tokens as stand-ins for meaningful data. While questions remain, Banks writes, “Denham’s openness to considering this method of de-identification illustrates a practical commitment on the part of Canada’s data protection authorities to revisiting the issue of de-identification, which could have broader implications for data processing and data use.” [Privacy Tracker] Timothy Banks writes for Privacy Tracker about a report from BC Information and Privacy Commissioner Elizabeth Denham that indicated there may be hope for Canada-U.S. data transfer in the form of “tokenization,” a system of de-identifying data using random tokens as stand-ins for meaningful data.
EU Developments
EU – Court Rules Facebook Must Respond to Schrems Suit
A class-action lawsuit against Facebook will move forward after an Austrian court said the company must respond to the 25,000 individuals who joined in the complaint alleging the company violated its users’ privacy. Earlier this month, privacy activist and lawyer Max Schrems filed the lawsuit against the social network. The suit alleges Facebook’s data use policy violates EU law, including reusing data without an individual’s consent and unauthorized sharing of user data with third parties. Europe-v-Facebook, the group led by Schrems, is demanding 500 euros per individual in the suit. The Vienna Regional Court ruled Facebook has four weeks to address the complaints but said it can file for a four-week extension. [ZDNet] [Austrian court orders Facebook to respond to privacy suit claims] SEE ALSO: Newly appointed EU Justice Commissioner Martine Reicherts pushed for clearing up the right-to-be-forgotten debate and adopting strong data protection reform soon, according to a Europa press release.
France’s data protection authority, the CNIL, will begin conducting cookie audit on websites in October, and for the first time ever, will be able to do so remotely.
EU – Telegraph Keeping List of Stories Taken Down Under RTBF
Thus far, 250,000 takedown requests have been made under the Court of Justice of the European Union (CJEU) “right to be forgotten” ruling in May requiring Google to remove links to any content that is “inadequate, irrelevant or no longer relevant” or else face a fine. Though the content is not deleted, Google will not list it in its search results. Users searching for a particular topic on google.co.uk will see a message indicating the information has been removed under data protection laws, while those using the U.S. site google.com will be unaffected, even if they live in the UK. The Telegraph has begun a running list of the paper’s content that has been removed from search results. [Source]
UK – Direct Marketing Association Code of Practice – Direct Marketing Association
The new Code of Practice focuses on 5 principles – put the customer first (understand the customer’s needs and offer relevant products and services), respect privacy (act in accordance with customer expectations), be honest and fair (act in a transparent manner, and do not use high-pressure sales tactics), be diligent with data (treat personal data with care and respect, in accordance with data privacy principles), and take responsibility (members are responsible for the actions of their agents and must have records to demonstrate compliance with the Code). [Source]
Facts & Stats
US – Companies Say Users Consented to Uploading of Contacts
Twitter, Yelp, Foodspotting and other app developers are asking a federal judge to dismiss a lawsuit accusing them of violating iPhone users’ privacy by uploading their address books. In court papers, Twitter argues that the users who are now suing previously consented to share information about their contacts by opting in to the service’s “find your friends” feature, the report states. Twitter says the users have no grounds to sue for storing the data. Yelp and Foodspotting have responded to the suit with similar arguments. [MediaPost] See also: [How to Read (and Actually Understand) a Wearable Tech Privacy Policy]
WW – Extending Passwords Best Defence Against Password-Cracking Tools
Longer passwords are harder to decode than those which are shorter but more complex in nature, according to a new study. A technology expert has said that the news has implications for companies’ password policies and for the risks involved in storing encrypted versions of the passwords. “Many general users and some IT administrators incorrectly assume that using various uppercase letters, lowercase letters, numbers and special characters in a password will make it more secure,” Trustwave said. “The practice would likely make it harder for a human to guess your individual password, but it does not make recovering the password any more resource-intensive for password-cracking tools. Only increasing the number of characters in the password dramatically affects the time it will take an automated tool to recover the password.” Trustwave explained the findings as it outlined the result of a study it conducted into password security. The company built two machines to decipher 626,718 ‘hashed’ passwords and said it managed to work out more than half of those encrypted passwords within a few minutes. It “eventually cracked 576,533 or almost 92% of the sample within a period of 31 days”, it said. [Source] See also: [The password of the future may be your heartbeat — no, really]
Filtering
US – University Bans Social Media, Political Content and Wikipedia Pages on Dorm Wifi
Northern Illinois University enacted an Acceptable Use Policy that goes further than banning torrents, also denying students access to social media sites and other content the university considers “unethical” or “obscene.” A discussion on the ban was brought to Reddit by user darkf who discovered the new policy while trying to access the Wikipedia page for the Westboro Baptist Church from his personal computer in his dorm room. The student received a filter message categorizing the page as “illegal or unethical.” It seems possible to continue to the webpage, but the message warns that all violations will be reviewed. (BetaBeat)
WW – People are More Likely to Self-Censor If Others Online Disagree WithThem
In the age of social media, it may seem like everyone has an opinion to share on the latest news of the day. But a new study released by the Pew Internet and American Life Project has revealed that, in fact, there may fewer opinions on your feeds than you think. Last summer, researchers from Rutgers University and Pew asked 1,800 American adults how likely they were to speak out, online and in person, about the news that former NSA contractor Edward Snowden leaked information regarding domestic surveillance to media outlets. They found that while 86% of Americans would be willing to have a conversation about the issue in person, just 42% of Facebook and Twitter users were willing to post about it on those platforms. The study also found that peer pressure on these sites is alive and well. If people thought their opinions would be well received, they were more likely to post about the topic. But even the thought that some of their followers and friends might disagree led many to self-censor. And the more information people had about the diversity of opinions on their social networks, the less likely they were to speak up, the study found. That unwillingness to speak up also transferred to the real world. [The Washington Post]
WW – Thermal Imaging to Become Smartphone Add-On
Smartphones are getting a new way of seeing: thermal imaging. A group of industry veterans plan to begin selling an add-on camera for smartphones for about $100 or less that will allow for generated color thermal images that can be contrasted with traditional images using a split-screen feature. It may be used for finding lost pets, playing hide-and-seek or spotting intruders, for example. “It’s very hard to hide from a thermal imager,” one expert said. “You can’t get behind a bush—you will show up.” [The Wall Street Journal]
FOI
US – MIT Researchers Create “HTTP with Accountability”
Researchers at the Massachusetts Institute of Technology (MIT) Decentralized Information Group are creating a new tool to stymie the “inadvertent misuse” of sensitive data by unauthorized users. Dubbed “HTTP with Accountability,” or HTTPA, the tool would automatically scan the transmission of private data, allowing the data owner to analyze how it’s being used. Under the guidance of web founder Tim Berners-Lee, MIT graduate student Oshani Seneviratne and CSAIL Research Scientist Lalana Kagal will share their insights on HTTPA at the IEEE’s Conference on Privacy, Security and Trust this July. “It’s not that difficult to transform an existing website into an HTTPA-aware website,” Seneviratne says. “On every HTTP request, the server should say, ‘OK, here are the usage restrictions for this resource’ and log the transaction in the network of special-purpose servers.” [ZDNet] See also: [Canada: SaskTel has under-reported how often the company gives customers’ information to government agencies and police] and [SK: Names of disciplined teachers should be withheld, privacy commissioner says]
Genetics
US – NIH’s Genome Project Data-Sharing Policy Suggests Seeking Broad Consent
The National Institutes of Health (NIH) has released a data-sharing policy promoting the sharing of “large-scale human and nonhuman genomic data generated from NIH-funded research.” The goal is to “speed the transition of data into knowledge, products and procedures that improve health while protecting the privacy of research participants.” The NIH is encouraging those using genomic data to seek “the broadest possible sharing permissions” from participants for the future use of their data, the report states. [HealthData Management] [US: NIH Releases Final Genomic Data Sharing Policy] See also: Advocates in Minnesota are pushing to reinstate a DNA collection law deemed unconstitutional by an appellate judge now that the U.S. Supreme Court has okayed the practice.
WW – Google to Offer Kids Under 13 Online Accounts
Google plans to offer accounts to children under the age of 13 for the first time. Sites typically avoid offering services to children under that age because of the U.S. Children’s Online Privacy Protection Act, which requires parental consent and tightly controls how data may be used. But Google’s new system would allow parents to set up accounts for their kids and control how they use Google services and what information about their children can be collected. [The Wall Street Journal] See also: [Meanwhile, Junkee’s Elizabeth Flux reports on a Google Maps website that reveals, when a user’s location services are on, where the phone has been for up to a month. For the website to work, a user must log in with the same account used on a smartphone and have location services turned on.]
WW – Google Goes Public With Security Audits to Ease Corporate Concerns
Google is taking unprecedented steps to show its cloud, business, and education customers that data protection is its top priority. To prove its commitment, Google is making the details of an independent security audit and of a security compliance certificate available to the public for the first time on its Google Enterprise security site. The SOC 3 Type II audit report and updated ISO 27001 certificate denote security approval for Google Apps for Business, Google Apps for Education, and Google Cloud Platform. Security and data centers are both big business. Google currently employs more than 450 full-time security engineers, and a Gartner study projects that companies will spend nearly 8 percent more on security this year than they did last year. The SOC 3 report and the ISO certificate that Google made public are widely accepted, internationally recognized security compliance standards. The SOC 3 is essentially a shorter report from the same audit as the longer SOC 2, while the ISO certification covers organizational and logical security. [CNET]
AU – Google’s Knowledge Vault Already Contains 1.6 Billion Facts
Google has decided to create the largest store of knowledge in human history and it is going to create it without using human brainpower. Google’s Knowledge Vault is a massive database of facts, built up by an algorithm that autonomously trawls the web and transforms data into useable, bite-sized pieces of information. The predecessor of Knowlege Vault, known as Knowledge Graph, used crowdsourcing techniques but Google realised that humans could only take the project so far; computers could drastically speed up the process. To date the Knowledge Vault contains over 1.6 billion facts. This huge fact reservoir will be the basis of future search engines. Google is currently racing Microsoft, Facebook, Amazon and IBM, who are all attempting to build the same kind of database. The Knowledge Vault will be the foundation for smartphone and robot intelligence. Siri is going to get a lot better at interpreting what you mean when you ask her questions in the future. In the future, virtual assistants will be able to use the database to make decisions about what does and does not matter to us. Our computers will get better at finding the information we are looking for and anticipating our needs. Once the Knowledge Vault can interpret objects on sight, it will become integral to real-time information generation. One day you might be able to walk around, point your phone at an object, ask a question about it and recieve an intelligent response. At the Conference on Knowledge Discovery and Data Mining in New York on 25 August Kevin Murphy and his team will present a paper on the Knowledge Vault. [Science Alert]
Health / Medical
US – Why Psychologists Need Social Media Best Practices
Steven Petrow discusses his concerns with mental health professionals sharing too much about themselves online, particularly on social media sites like Facebook. The issue started when Petrow saw much of his analyst’s personal information because of the privacy settings on the doctor’s personal Facebook account. “At that point, I started wondering,” Petrow wrote, “Are there no social media best practices for mental health professionals?” As of now, there are not, but, he reports, the American Psychological Association (APA) has published “The Internet’s Ethical Challenges,” in which APA Director Stephen Behnke writes, “psychologists have special ethical issues they need to think through to determine how this technology is going to affect their work.” [The Washington Post]
Horror Stories
US – 200 Hospitals Hit Affecting 4.5 Million Patients
Tennessee-based Community Health Systems (CHS) says that intruders accessed its system over a three-month period earlier this year, compromising patient names, addresses, and Social Security numbers
(SSNs) of 4.5 million people. The company maintains that medical and financial information was not affected. CHS operates more than 200 hospitals in 29 US states. The company claims that the attacks emanated from China. Information in CHS’s Securities and Exchange Commission (SEC) Form 8-K filing says that the intruders were attempting to obtain medical equipment device development information, but were thwarted in their efforts. [DarkReading] [BBC] [NYTimes] [ComputerWorld] [The Register] [CHS SEC Filing]
WW – Breach Roundup
South Korea – 70% of South Korea’s population between the ages of 15 and 65—and more than half of South Korea’s total population—may have had their personal information stolen in a data breach involving 27 million people and 220 million records. Sixteen hackers were arrested on Thursday for allegedly circulating the records and conducting money laundering schemes which earned them at least $390,000. The hackers targeted registration pages for online gaming and gambling sites and online ring tone and movie ticket stores.
UPS – UPS announced that 51 UPS locations have been affected by a malware breach. UPS was quick to do the math to assure customers that the breach only impacts about 1% of their 4,470 franchised stores. The Wall Street Journal reports that the breach affected approximately 105,000 customer transactions. The malware may have been in the stores as early as January 20, 2014, but UPS believes the breach began after March 26, 2014. The malware was eliminated by August 11, 2014, so UPS says it’s safe to use your card in UPS Stores now. A full list of affected stores is available on the UPS website. [CNET] [Ars Technica] [NBC News] [SC Magazine]
PlayStation Network – A group named Lizard Squad says it was responsible for a DDoS (distributed denial of service) attack that took down PlayStation Network on Sunday. Sony announced that the network was back online and no personal information had been stolen. Lizard Squad’s attack escalated beyond simply shutting down the PlayStation Network when the group tweeted that there were explosives on board an American Airlines flight carrying Sony Online Entertainment President John Smedley. The FBI is now investigating the bomb threat, and Lizard Squad says it is moving on to target Xbox Live.
JPMorgan Chase – According to security firm Proofpoint, JPMorgan Chase customers are under attack in a phishing scheme called a “Smash and Grab Campaign.” Approximately 500,000 phishing emails have been sent out so far, with 150,000 emails in the first wave. Here’s how it works: after clicking a link in a phishing email designed to look like it’s from JPMorgan Chase, a customer is taken to a login webpage that automatically installs Dyre banking Trojan on the user’s computer, whether or not the customer decides to enter login information. Proofpoint says the attackers are not worried about stealth, and are instead focusing on sending out a high volume of emails in hopes that some percentage of recipients will click on the links. Reuters reports that the attack is consistent attacks by Eastern European cyber gangs.
Backoff – According to a Secret Service announcement on Friday, more than 1,000 U.S. businesses have been compromised by a Point of Sale (PoS) malware dubbed “Backoff.” Seven PoS system providers and vendors have confirmed that some of their clients were affected by the malware. No breaches have been directly connected to Backoff, although there is speculation that the malware is tied to recent breaches such as Target, Supervalu, and UPS. The existence of Backoff was first announced on July 31, 2014, by the National Cybersecurity and Communications Integration Center and U.S. Secret Service.
Onsite Health Diagnostics – Third time is not the charm for Onsite Health Diagnostics. Children’s Mercy Hospital in Kansas City is notifying 4,076 individuals that they were victims of a data breach that occurred two years ago when the hospital registered for a wellness program, according to the Kansas City Star. The compromised information was originally collected in 2012 and stored by Onsite Health Diagnostics. When Onsite discovered the breach, it deleted the old data that had been on its servers ever since 2012. This is the third reported breach involving Onsite this year.
USIS – Two weeks ago, I wrote about a potential breach to U.S. Investigative Services (USIS). At that time, the scope of the breach was not known, but it now looks like up to 25,000 government workers may have been affected by the breach in the Department of Homeland Security, U.S. Immigration and Customs Enforcement, and U.S. Customs and Border Protection units, according to sources in the investigation. USIS has begun emailing those affected by the breach, informing them that their Social Security numbers, birth dates, education and criminal history, and names and addresses of relatives and friends, may have been accessed, according to Reuters.
US – LinkedIn, Capital One Settlements Total Nearly $77 Million
LinkedIn has agreed to pay $1.25 million to settle a class-action lawsuit stemming from a 2012 data breach. The settlement requires LinkedIn to pay up to $50 to some of the users who purchased premium memberships, and the company promises to protect users’ passwords by “salting” and “hashing” them for the next five years, the report states. One lawyer called the settlement “extraordinary” because it provides “significant direct cash to the class and valuable prospective relief.” Meanwhile, users who sued Facebook for privacy violations are asking a California judge to consider U.S. District Judge Lucy Koh’s recent refusal to toss similar claims brought against Yahoo, and Capital One Financial Corp. and three collection agencies have agreed to pay one of the largest settlement amounts in history—$75.5 million—to end a privacy class-action. [MediaPost]
Identity Issues
EU – CNIL on Traffic Measurement, Analysis of Consumer Behavior in Stores
Companies that implement devices which record consumer behavior (through a billboard camera or a mobile phones) are obliged to take steps that ensure the anonymity of data subjects; for billboard cameras ensure that the images are not stored, transmitted or are visible to device providers. Prior to setting up these devices, authorization is required from the CNIL for any system that automatically measures the audience of an advertising device or analyzes the typology or the behavior of people around an advertisement. [CNIL]
EU – Netherlands: DPA Issues Second Opinion on the Benefits of eID
The DPA has issued a second opinion (source document in Dutch) on a report on the public benefits of a new electronic ID system (“eID”). This system is being developed by the Dutch government together with the private sector as an online identification and authentication system that may be used for the exchange of personal data in the context of the online provision of services. The DPA questions whether the eID system will in practice increase security overall compared to the current DigiD-system and is concerned that due to a higher level of security, more confidential information will be shared, which in turn introduces new security issues. [Mondaq News]
Internet / WWW
WW – Ralph Lauren Releases “Smart” Polo Shirt
Designer Ralph Lauren has released a “smart” Polo shirt. The compression shirt has knitted-in sensors capable of reading biological data such as heartbeat, respiration, stress level and energy output. The shirt’s aim is to “improve general wellness and increase physical fitness,” according to the brand. It was developed with a Canadian-based maker of wearable fitness trackers. “Our goal is to create and reflect the ultimate lifestyle, and we believe a healthy and active life is an essential part of that,” said a Ralph Lauren representative, adding, “Ralph Lauren is excited to help lead the industry in wearable technology in this ever-evolving, modern world.” [PC Magazine] EE ALSO: [HP Investigates “Internet of Things” devices and finds plenty of Vulnerablities]
UK –Spies Have Scanned the Internet Connections of Entire Countries
Heise has obtained documents showing that a GCHQ system, Hacienda, can scan every internet address in a given country to see both the connection types in use (such as web servers) as well as any associated apps. The scanning platform is looking for relevant targets and any exploitable security holes; if a target is running software with known vulnerabilities, it’s relatively easy for agents to break in and either swipe data or set up malicious websites that trick suspects into compromising their PCs. Poring over this much data would normally be time-consuming, but there’s a companion system (Olympia) that makes it easy to find useful information within minutes. The technology itself isn’t shocking; anyone can do this, if they don’t mind incurring the wrath of internet providers and law enforcement. However, the global scale of Hacienda is bound to raise eyebrows. Agents had scanned 27 whole countries as of 2009, along with parts of five others — it’s clear that the goal is to have complete national network maps on demand, whether or not they’re really needed for investigations. GCHQ can also hand its findings over to the NSA and other intelligence groups. There are ways to thwart this probing, such as the early version of an internet stealth protocol (TCP Stealth), but it could be a while before you’re completely off the radar. [Source]
Law Enforcement
US – Ferguson Events Prompt Calls for Police Body Cams
Amidst the events swirling in Ferguson, MO, calls for police-mounted body cameras have been increasing, but some are concerned such surveillance could pose significant privacy issues, including the loss of anonymity in public and lack of national guidelines for proper use. The cameras would be mounted either on an officer’s chest or sunglasses to record interactions with citizens and suspects. The Electronic Frontier Foundation’s Jennifer Lynch asks, in a separate report , “What happens to the data after the fact?” UC Berkeley’s Jen King points out that putting secure systems in to protect sensitive data collected by the cameras requires expertise that many departments simply do not have. [New York Times]
US – California Cops Caught Using Police Database to Spy on Potential Mates on Online Dating Sites
Two veteran police officers in Fairfield, California are being investigated for using confidential law enforcement databases to obtain private information about women they met on online personal websites. Sergeant Stephen Ruiz and Detective Jacob Glashoff are accused of misusing the California Law Enforcement Telecommunications System database in order to pry into the lives of women they were interested in meeting on Tinder.com, Match.com, eHarmony.com, and Care.com, according to court documents. Authorities were alerted to the pair’s actions by one of their colleagues, who said that they were on the sites “while at work every day for what seems like months,” and were “often having their own side conversations regarding dating sites.” [The Daily Republic] See also: [The Sexual Predator App With a 100 Percent Conviction Rate]
Location
US – Smart Outlet Startup Raises $1.65 Million in Seed Funding
Zuli, a startup “making a connected outlet with presence detection and energy monitoring, has raised $1.65 million in seed funding from several investors.” That follows a Kickstarter launch in December that raised more than $175,000, the report states. Zuli’s CEO says it plans to partner up with other smart home device-makers interested in the “Bluetooth mesh concept,” which offers presence detection—communicating where a person is in relation to a smart outlet. [GigaOm]
Online Privacy
WW – Attack on TOR Attempted to Strip Traffic Anonymization
The TOR Project has issued an advisory about malicious relays being used to launch an attack on the TOR network that persisted for five months and may have revealed identifying information about the network’s users. The TOR Project says it stopped the attack on July 4. The attack appears to have been designed to unmask TOR users’ identities. It is possible that the attack was launched by researchers at Carnegie Mellon University, who recently cancelled a talk they planned to give at the Black Hat security conference at the behest of CMU lawyers. The TOR Project also said that anyone who used the service or operated the service during that time “should assume they were affected.” [ArsTechnica] [BBC] [ZDNet] [SCMagazine] [v4.co.uk] [TOR Project Advisory]
WW – Analysis of Chrome Extensions Finds Malicious Activity
Researchers analyzed extensions for Google’s Chrome browser and found that many conduct malicious activity, including fraud and data theft. The activity often remains undetectable to most users. Of 48,000 extensions analyzed, 130 were “outright malicious,” and more than 4,700 exhibited signs of suspicious behavior. [ComputerWorld]
WW – Blog Names Unsecure Apps and Services
A Tumblr blog called HTTP Shaming posts a list of apps and services that do not take sufficient measures to protect user data. The site’s creator hopes that making this information known will prompt companies to encrypt data sent over wireless networks. The number of apps and services on the list currently stands at 19. If a case is deemed especially serious, it is not posted until the organization responsible for it is contacted so they can mitigate the problem. [ArsTechnica] [SMH.com] [
WW – App Store Removing Privacy-Friendly Apps
Certain apps are being removed from the Android app store based on Google’s policy of banning apps that interfere with other apps. Disconnect Mobile is one such app that was recently removed from the store; its aim was to stop other apps from collecting data on users. The practice is indicative of the concerns that some have voiced over the amount of control Google, and its rival Apple, have through their app stores. Casey Oppenheim, Disconnect’s co-founder, notes, “There is no reason why you shouldn’t have the same degree of control over the computer you have in your pocket as you do over your computer on your desktop,” but a Google spokeswoman says its policies are “designed to provide a great experience for users and developers.” [Wall Street Journal]
WW – Tumblr Partners With Photo-Scanning Company
Social network Tumblr has reached a deal with photo analysis company Ditto Labs to scan its users’ photos to help companies better understand how their brands are being perceived online. T.R. Newcomb, Tumblr’s head of business development, said, “Right now, we’re not planning to do anything ad-related.” Meaning, for example, if a bottle of Coke appears in a user’s photo, that user will not start receiving Coke ads. “If Coke wants to understand the nature of the conversation (about them on Tumblr) Ditto can sift through and deliver it to Coke,” Newcomb said. According to the report, Tumblr appears to be the first major online company to employ such photo-scanning techniques. [Mashable]
WW – Unlocking the Web’s Black Box
A new tool for tracking personal data online. Called XRay, the open-sourced tool created by researchers at Columbia University reverse-engineers correlations made by web services-for example, Gmail or Facebook ads or Amazon product recommendations-to help understand how the ads or recommendations are served up. “The web today is a big black box,” said one of the researchers. “What’s needed is transparency.” [New York Times]
WW – On “Creepy” Personality Tools and Data Doppelgangers
There is criticism over the amount of user data Facebook may be able to collect under changes to its ad network. Some are also criticizing the U.S. Federal Trade Commission for allowing the company to make the changes, arguing they violate a 2011 privacy settlement. The Post also looks into a new tool called Five Labs that scans a user’s Facebook profile to generate a personality test. Five Labs’ Nikita Bier said the most common response from volunteers who helped with the program was “this is kind of creepy” and many asked if Internet companies would use this kind of analysis on users. The Atlantic examines “why customized ads can be so creepy, even when they miss their target.” [The Washington Post]
US – AOL Won’t Respond to DNT Until Uniform Standard Exists
AOL has disclosed it doesn’t respond to do-not-track (DNT) signals. The company said it may be willing to reconsider its position “if the industry can agree on a uniform do-not-track standard,” the report states. In part of its most recent privacy policy update, AOL inserted a new section indicating how it intends to react when a DNT signal is sent by an online user. [Law 360]
Other Jurisdictions
AU – Australian Legislation Would Give Intelligence Agency Broad Access to Computers
Legislation proposed by Australian attorney general George Brandis would broaden the Australian Security Intelligence Organisation’s (ASIO) access to computers and networks. Some legal experts say that the law could be interpreted to give ASIO access to every Internet-connected computer. Civil liberties groups are also concerned about provisions that would criminalize journalists who receive and publish leaked documents. [ZDNet] [The Guardian] SEE ALSO: At the recent APEC’s Data Privacy Subgroup meetings, Canada submitted its Notice of Intent to participate in the Cross Border Privacy Rules system, meaning, after a favorable determination by the APEC’s Joint Oversight Panel, Canada will become the fourth country to join the system. Supratim Chakraborty writes on India’s data privacy regime. Advocates are calling for laws to keep up with Internet usage in Indonesia. Some say Romanian law requiring registration of pre-paid SIM cards violates citizens’ privacy rights.
NZ – Plan to Expose Breaches of Privacy Act
Privacy Commissioner John Edwards says his office is considering naming and shaming agencies that break the rules on personal information. Mr Edwards said until now, agencies and companies that breach the Privacy Act have rarely been named publicly. He said the new policy would enable the office to be a more effective regulator, particularly in cases of repeat offenders. The Office of the Privacy Commissioner will release a discussion document on the naming policy next week to get public feedback on the idea. In the interim, Mr Edwards said he planned to make more use of the regulatory powers he already had and take a tougher line on privacy breaches. [Radio New Zealand News]
MX – DPA Won’t Challenge New Telecom Law; Advocates Outraged
The battle over Mexico’s new telecom law persists, Global Voices reports, with many citizens fearing the law could mean censorship and an increased level of digital communications surveillance in the country. Privacy advocates are looking to Mexico’s Federal Institute for Access to Public Information and Data Protection (IFAI), but the IFAI voted in a recent plenary session not to challenge the proposed law in the Supreme Court—a decision that sparked backlash on the Twittersphere. The law would allow law enforcement to monitor calls and text messages without warrants and give Mexico’s attorney general the authority to solicit real-time data on cell-phone locations. [Global Voices] Mexico’s Federal Institute for Access to Public Information and Data Protection says it won’t challenge a new law that many fear could mean censorship and an increased level of digital communications surveillance in the country.
Privacy (US)
US – FTC: We Need Comprehensive Data-Security Legislation
While the FTC is responsible for ensuring fair trade practices, it has “been steadily hacking the law to make itself into a privacy and security officer responsible for protecting Americans’ data,” writes Kashmir Hill. It’s come with some controversy, as evident in the case of Wyndham Hotels, in which the FTC charged the brand with “unfair” data practices. Wyndham fought back that the FTC doesn’t have the regulatory authority to oversee data security, and the case is now headed to the Third Circuit. While unable to discuss the Wyndham case, speaking at hacker conference Defcon, Federal Trade Commissioner Terrell McSweeny said, “This reinforces my support—and it’s a unanimous position held by the FTC—that we need comprehensive data-security legislation.” [Forbes]
US – Military Contractors Face New Breach Disclosure and Procedure Deadlines
Contractors for the US Defense Department are facing a new deadline for rules that will require them to report breaches to the Pentagon and to grant the government access to their networks so they can conduct attack analysis. Concerns about the rules include requiring companies to report even minor breaches and allowing the government access to trade secrets and personal information. The rules were part of a congressional Defense Department budget authorization measure in 2013. Director of communications for the Aerospace Industries Association Daniel Stohr said, “Cyber security is increasingly becoming the cost of doing business with the federal government.” [Bloomberg] The American Farm Bureau Federation has filed a complaint in a Minnesota federal court against the Environmental Protection Agency for its public release of farmers’ and ranchers’ personal information.
US – Sen. Questioning Airline Privacy Practices
Sen. Jay Rockefeller (D-WV) has sent a letter to 10 major U.S. airline companies inquiring about their data privacy practices. Rockefeller noted consumer advocates are concerned airline privacy policies “can contain substantial caveats and that it is difficult for consumers to learn what information airlines and others in the travel sector are collecting, keeping and sharing about them.” United, Delta, American and Southwest were among the airlines Rockefeller contacted. “Data collected during ticket purchase can include a passenger’s name, credit card numbers, date of birth, addresses, travel destinations and travel companions,” he wrote, adding, “No comprehensive federal privacy law currently applies to the collection, use and disclosure of consumer travel information.” [PCWorld] Sen. Jay Rockefeller (D-WV) has sent a letter to 10 major U.S. airline companies inquiring about their data privacy practices.
US – Judge Rules LinkedIn Must Face Privacy Lawsuit
Professional services social network LinkedIn must face a privacy class-action lawsuit alleging the company violated its users’ privacy when it accessed their external e-mail accounts, downloaded their contacts’ e-mail addresses and solicited business from those contacts. U.S. District Court Judge Lucy Koh said the practice “could injure users’ reputations by allowing contacts to think that the users are the types of people who spam their contacts or are unable to take the hint that their contacts do not want to join their LinkedIn network,” adding, “In fact, by stating a mere three screens before the disclosure regarding the first invitation that ‘we will not … e-mail anyone without your permission,’ LinkedIn may have actively led users astray.” [Reuters]
Privacy Enhancing Technologies (PETs)
WW – Despite Tools, Anonymity Online Remains Difficult—If Not Impossible
Despite the proliferation of privacy-enhancing tools, anonymity online remains difficult to achieve. Some popular web browsers—Chrome, Firefox, Internet Explorer and Safari—offer “private” web browsing. But that kind of privacy only applies to the user’s computer, the report states; websites can still identify computers by their IP addresses. Similar problems exist with cookie-blocking, encryption and browsers like Tor. Meanwhile, new research findings indicate millennials are determined to take back their digital privacy. [Tech Crunch] See also: [Amazon Web Services First Cloud Provider Authorized to Handle Sensitive DOD Data] and [WSJ: For German, Swiss Privacy Start-Ups, a Post-Snowden Boom | WSJ: Can This Little Orange Box Beat the NSA?]
WW – Researchers Create Privacy Wrapper for Android Web Apps
Users can wrap Facebook and other apps to better control their privacy and security, according to researchers from North Carolina State University. On a mobile application, users typically have a single choice to protect their privacy: install the application or not. The binary choice has left most users ignoring permission warnings and sacrificing personal data. Most applications aggressively eavesdrop on their users, from monitoring their online habits through the device identifier to tracking their movements in the real world via location information. Now, a research group at North Carolina State University hopes to give the average user a third option. Dubbed NativeWrap, the technology allows Web pages to be wrapped in code and make them appear as a mobile application, but with user-controlled privacy. Because many applications just add a user interface around a Web application, the user should have equivalent functionality for many wrapped apps, said William Enck, assistant professor in the department of computer science at North Carolina State University. “You can go to any Web site that you want to turn into an app and create your own custom version that can be installed to your phone,” he said. “Permissions are determined by you, the user.” Numerous studies have found that applications routinely use unnecessary permissions to collect data on users. A study released in February by McAfee found that 82% of applications tracked their users. 99 of the top 100 free mobile applications on both Android and iOS had at least one risky behavior, according to application-reputation firm Appthority’s Summer 2014 App Reputation Report. Paid applications were not much more respectful of their users’ privacy: 87% of iOS and 78% of Android apps risked users’ privacy and security. Appthority defines risky behavior as the collection of location information and device identifiers, the allowing of in-app purchases, or the accessing of the contacts database or the user’s calendar. [ARS Technica]
Security
US – Survey Says Companies Not Prepared to Manage Insider Threats
According to the “2014 Insider Threat Survey” from Spectorsoft, more than half of IT and security professionals feel that their organizations are not adequately prepared to deal with insider threats. The study surveyed 255 people at small and medium sized businesses in the US, Latin America, and Europe. Fifty-five percent attributed the lack of preparedness to a lack of training; 51% attributed it to insufficient budgets; and 34% said that inside threats were not a priority. [SC Magazine] See also: Kaspersky Report Shows Users are concerned about online risks but don’t do anything about them.
US – Study: University Networks Less Secure than Retail, Healthcare Sectors
According to a report from BitSight Technology, college and university networks face greater risk of attacks than retail and healthcare networks. Attackers target university systems during the academic year, and many schools do not have the resources to protect their networks. The report says that part of the reason that network security is worse during the academic year is the presence of so many devices that students bring. Universities can also be appealing targets for data thieves because of the abundance of personal data and research data. Also, many schools have partnerships with government agencies, which could put those agencies at risk as well. Most attacks on university systems come from malware, and most of those are from Flashback, which targets Macs. [SC Magazine] [ZDNet] [NBCNews]
US – FBI and DHS Plan to Provide Healthcare Organizations More Threat Info More Quickly
Following a breach that compromised personal information of 4.5 million patients seen at hospitals operated by Community Health Systems (CHS), representatives from the FBI and the US Department of Homeland Security (DHS) say they are taking steps to share more threat information more quickly with organizations in the healthcare sector. [ComputerWorld]
WW – Researcher Finds Vulnerabilities in Antivirus Products
A researcher in Singapore examined antivirus products and found remotely exploitable flaws in 14 of them. Analysis accompanying the results indicates that many antivirus products pose security risks by requiring broad privileges, not signing updates, and delivering updates over HTTP. [SysCan] [The Register] [ComputerWorld]
WW – Android Reset Flaw Allows Data Recovery
Several Android devices, including the Tesco Hudl, are affected by a reset flaw that allows recovery of data that users may believe they have erased from the device. Three separate investigations, which were carried out with used devices purchased through eBay, came to the same conclusion. [BBC] [The Register] See also: [Android Fake ID Vulnerability]
WW – Tesla to Hire Hackers to Find Connected Car Vulnerabilities
Electric carmaker Tesla Motors will hire up to 30 full-time hackers whose job will be to find and close vulnerabilities in the firmware that controls its cars. “Our security team is focused on advancing technology to secure connected cars,” said a company spokesman, adding the focus is now on “setting new standards for security and creating new capabilities for connected cars that don’t currently exist in the automotive industry.” Tesla’s cars are some of the most digitally connected cars in the industry, the report states, with batteries, transmissions, engine systems, climate control, door locks and entertainment systems remotely accessible via the web. [ComputerWorld].
CA – Study estimates 36 % of Canadian Businesses Know They’ve Been Hit by Cyber Attack
More than one-third of Canada’s IT professionals know — for sure — that they’d had a significant data breach over the previous 12 months that could put their clients or their organizations at risk, a cybersecurity study suggests. And as startling as that statistic may be, the actual number of breaches could be higher since the same international study found 56% of the 236 Canadian respondents said they believed threats sometimes fall through the cracks. “Even the best-protected networks have regular security incidents,” says Jeff Debrosse, director of security research for Websense, a U.S.-based security company that commissioned the study. A Statistics Canada report in June said that six per cent of the 17,000 private Canadian enterprises it surveyed had experienced an Internet security breach in 2013. About one-quarter of those reporting a breach — representing roughly 260 companies — said client or proprietary information had been corrupted, stolen or accessed without authorization. The Websense report done by the Ponemon Institute, a private-sector think-tank that conducts independent research on privacy, found 36% of the Canadian companies in the study had experienced one or more cyber attack over the previous year that infiltrated networks or enterprise systems. It also found 89% cent of the Canadian respondents said they personally know another security professional whose company had sensitive of confidential data stolen as a result of an inside threat. It also found 23% of the Canadian cyber security teams never speak with their executive team. Of those who did, nearly half did so only annually or semi-annually, while only two per cent talked weekly with executives about security. “If the conversation is happening less than monthly, that’s a pretty significant problem,” Debrosse says. [Source]
Surveillance
CA – Peeping Drone ‘An Invasion of Privacy,’ B.C. Homeowner Says
A Victoria-area resident says she spotted a drone buzzing around her property, but police say their hands are tied. Laura Moffett says the man, who was flying the drone in a park across the street, was allegedly trying to peek inside her home in Oak Bay. “It’s an invasion of privacy. We have a skylight above, and on the weekend I had my nieces and nephews around playing in the pool, and what if he had been doing it then and taking videos?” said Moffet. But Oak Bay police Sgt. Chris Goudie says the actions weren’t criminal, and police won’t be recommending any charge. “There’s nothing on the books for hobbyists. It’s much like a remote control airplane. Where it’s going to come to our attention is when they’re intruding on people’s privacy.” Last week a Vancouver man filmed a drone flying spying on his False Creek area highrise condo. [Source]
US – Incentive-Based Insurance Programs on the Up, But Who Has Data Access?
Insurance companies are increasingly offering consumers a deal: Let us track your driving and we’ll give you an annual discount if you behave yourself on the road. In theory, everyone wins, as consumers save money and insurance companies attract safer drivers. But such programs generate vast amounts of data, and while insurance companies promise it’s for their eyes only, some experts have concerns that that’ll change—perhaps to a central industry database. And while the big companies aren’t yet tracking driver location, at least one company is testing it. Meanwhile, researchers in Brazil have presented a potential solution to the pervasive problem of distracted drivers: a dashboard camera in front of a driver capable of spotting cell phone use. [The New York Times] See also: [Datenschutzkommission, Austria – Decision DSB K121.998 – Vehicle Monitoring]
US – ‘Smart’ Lighting System Provides Surveillance at U.S. Airport
Newark Liberty International Airport has installed 171 “smart” LED lighting fixtures, attached to the ceiling, that peer down and record the movements of passengers and staff. They’re incredible pieces of technology: Sure they illuminate, and use much less energy than other lights. But each lighting fixture also has computing and networking capabilities. The system includes cameras and sensors that feed data into it. The airport won’t discuss the system’s full capabilities, but we know it can monitor licence plates of cars entering the departure area or the parking lots. [Sourc]
US – Dance Depicts a Farewell to Privacy
“Surveillance” is a new 60-minute dance performance at New York Live Arts this week that looks at an Orwellian Big Brother society. “In a society in which people need to film or photograph everything, what intimacy is left?” writes Alastair Macaulay. The dance is choreographed by Zvi Gotheiner and features depictions of people passing through a body check, ostensibly at a national border, and illustrates a sense of humiliation felt by the subjects of the searches. In another scene, one dancer videotapes another, and later, the camera is turned on the audience. [The New York Times]
Telecom / TV
US – White House Advising Police to Keep Quiet on Cell Data Sweeps
The Obama administration has been “quietly advising local police not to disclose details about surveillance technology they are using to sweep up basic cellphone data from entire neighborhoods.” The administration, citing security reasons, has intervened in “routine state public records cases and criminal trials regarding use of the technology,” the report states, resulting in police departments “withholding materials or heavily censoring documents in rare instances” when the documents include information about the purchase and use of the surveillance equipment. [Associated Press] [Any government can track your cellphone with right technology] and [Canada: Lost smartphones can lead to anxiety disorders: Study]
US Government Programs
US – CIA Director Apologizes for Unauthorized Access of Senate Committee Computers
CIA Director John Brennan has apologized to the Senate Intelligence Committee for improperly accessing Senate computers during the Senate’s investigation into Bush-era interrogation practices. Brennan called the action “inconsistent with the common understanding” between the agency and Senate overseers. Earlier this year, Brennan denied that the CIA had accessed the computers. [NextGov] [ArsTechnica] [NBC News]
US – NSA’s Search Engine Allows Agencies to Share Data
In the latest leak from Edward Snowden, an internal search engine has been built by the NSA allowing the agency to share vast amounts of surveillance data with nearly two dozen government agencies. Called ICREACH, the “Google-like” search engine shares more than 850 billion records, including phone calls, emails, cell-phone location data and Internet chats. Key participants, the report states, include the Federal Bureau of Investigation and the Drug Enforcement Agency. ICREACH is accessible by as many as 1,000 analysts at 23 U.S. government agencies and can handle between two and five billion new records per day. [The Intercept]
US Legislation
US – California Assembly Passes Groundbreaking Student Privacy Bill
California’s Assembly on Monday approved first-in-the-nation privacy measures prohibiting the use of students’ personal information for profit. The Student Online Personal Information Protection Act was authored by Senate Leader Darrell Steinberg (D-District 6) and passed the Assembly unanimously on a 71-0 vote. The bill “would end targeted advertising on K-12 websites, services and applications” and also “prohibits operators from using any information gained from the use of their K-12 site to target advertising on any other site, service or application,” according to a press release from Steinberg’s office. The bill will now head to the Senate for a vote. [Source] See also: [What Student Data Do Schools Collect?] See also: [Calgary principal apologizes after students’ personal information disclosed]
US – Delaware Passes Legislation Grants Heirs Access to Digital Assets
The US state of Delaware has passed legislation giving a person’s heirs the right to digital assets, such as social media accounts, in the event of incapacitation or death. The Fiduciary Access to Digital Assets and Digital Accounts Act, signed into law by Governor Jack Markell, allows a person’s heirs to assume control of digital accounts and devices just as they would any physical assets and documents. [ArsTechnica]
US – House Passes Bills to Address Critical Infrastructure Security
The US House of Representatives has approved legislation aimed at improving the cyber security of companies that operate elements of the country’s critical infrastructure. One of the bills would create public-private partnerships. Another bill focuses on improving critical infrastructure security technology, and a third bill is aimed at building DHS’s cyber work force. [NextGov] Sen. Ron Wyden (D-OR) discussed the need for outdated privacy laws to be changed in order to “reflect both the Constitution and public expectations.”
US – House Bill Would Require Federal CIOs to Sign Off on Web Site Security
A bill passed by the House of Representatives would require federal websites that retain personally identifiable information to be certified as secure by an agency chief information officer. New sites would have to obtain CIO approval before going live. Sites that are already live and were launched after October 1, 2013 would have to obtain the approval within 90 days of the bill’s passage. [NextGov] JDSupra has published a summary of changes made to U.S. state data breach notification laws.
US – Tennessee Legislature Adds Employee Privacy Protections to “Internet Accounts”
“Accessing information about employees and applicants via their social media accounts just got a bit more complicated in Tennessee. This past legislative session, the Tennessee General Assembly passed the Employee Online Privacy Act of 2014 aimed at protecting employees and applicants from being forced by an employer to turn over access to their social media accounts. The Act makes Tennessee part of a growing number of states enacting similar legislation. Although the Act, which takes effect January 1, 2015, can be seen as a win for employee privacy, it is not an absolute bar to employers using social media as a tool to monitor their employees’ and applicants’ actions. The law still leaves several permissible purposes for which employers may utilize social media in the employment context.” [More] [Source]
US – CA Drone Privacy Bill Moves Forward; Amazon Seeks DOT Exemption
A California bill that would place strict regulations on how law enforcement and other government agencies can use drones passed the California Assembly. The bill would require law enforcement to obtain warrants before using drones except in cases of emergency such as fires or hostage situations. Other public agencies would be able to use drones as long as the purpose is not for gathering criminal intelligence. The bill now heads to the governor’s desk. Meanwhile, the Association for Unmanned Vehicle Systems International has written to the U.S. Department of Transportation to grant Amazon an exemption under Federal Aviation Administration rules that would allow it to conduct immediate outdoor tests of its commercial drones. [Reuters] See also: [Eyes in the Sky: Inquiry into Drones – The Parliament Of The Commonwealth of Australia]
US – California Passes Law Mandating Smartphone Kill Switch
Smartphones sold in California will soon be required to have a kill switch that lets users remotely lock them and wipe them of data in the event they are lost or stolen. The demand is the result of a new law, signed into effect on this week, that applies to phones manufactured after July 1, 2015, and sold in the state. While its legal reach does not extend beyond the state’s borders, the inefficiency of producing phones solely for California means the kill switch is expected to be adopted by phone makers on handsets sold across the U.S. and around the world. The legislation requires a system that, if triggered by an authorized user, will lock a handset to essentially make it useless. The feature must be installed and activated in new smartphones, but users will be able to deactivate it if they desire, and it must be resistant to attempts to reinstall the operating system. Police can also use the tool, but only under the conditions of the existing section 7908 of the California Public Utilities Code. That gives police the ability to cut off phone service in certain situations and typically requires a court order, except in an emergency that poses “immediate danger of death or great bodily injury.” The law doesn’t specify how the system locks the phone, nor what happens to the data on the phone when it’s locked. Each manufacturer can come up with their own system. [PC World]
Workplace Privacy
US – Survey: Some Employees Would Trade PI for Benefits
According to a report on workplace privacy, nearly one-third of respondents said they would be willing to trade personal data to their employers for certain benefits. Conducted by PricewaterhouseCoopers (PwC), the research surveyed 10,000 employees and 500 human resources (HR) professionals worldwide. PwC Global HR Consulting Leader Michael Rendell said, “Just as advertisers and retailers are using data from customers’ online and social media activity to tailor their shopping experience, organizations could soon start using workers’ personal data (with their permission) to measure and anticipate performance and retention issues,” adding, “This sort of data profiling could also extend to real-time monitoring of employees’ health, with proactive health guidance to help reduce sick leave.” [The Financial]
ON – Canada: Employer Asks HRTO for Permission to Access Employer’s Own “Occupational Health and Claims Management” File on Employee
Must an employer obtain permission from the Human Rights Tribunal of Ontario to access medical records held in the employer’s own file on an employee who filed a human rights complaint with the Tribunal? That question is raised by a recent Tribunal decision. The employer submitted that Tribunal authorization was necessary “because there may be a conflict with respect to privacy standards required by applicable legislation. The respondent indicates that the expectations and protections under the Personal Health Information Protection Act . . . for health information custodians regarding disclosure may be different from the duty imposed on employers by the Occupational Health and Safety Act . . . The respondent submitted that the Tribunal has granted the orders it seeks in other cases in which similar circumstances arose.” The employer was likely referring to subs. 63(2) of the OHSA which states: “No employer shall seek to gain access, except by an order of the court or other tribunal or in order to comply with another statute, to a health record concerning a worker without the worker’s written consent.” The case illustrates that employers seeking to use information in an employee medical file for litigation purposes should proceed cautiously and should seek a court or Tribunal order if necessary. [Mondaq News]
+++
Privacy News Highlights 