16-31 July 2014


US – State Police Now Fingerprinting Every Texan

The Texas Department of Public Safety has quietly embarked on a project to take the fingerprints of every Texan old enough to drive over the next 12 years, and add them to a statewide criminal history database. Not only has the department made that momentous decision on its own, it doesn’t even have clear legal authority to do so. [Watchdog.org]

US – Facial Recognition Code Should Protect Minorities, Adolescents

In trying to establish a code of conduct on the commercial uses of facial recognition technology, there’s been much discussion about the potential harms if the technology isn’t regulated. At the National Telecommunications and Information Administration’s July 24 meeting, stakeholders called in a couple of experts to better understand who is most vulnerable. UCLA Assistant Prof. Adriana Galván testified that adolescents are particularly at risk because research indicates they are more excited by “rewards” than adults, which could be exploited by marketers using the technology to recognize age. Rutgers Prof. Jerome Williams discussed evidence of the risks minorities already face in the marketplace that could be exacerbated using technology capable of detecting race. [Source]

US – Franken Appreciates Responses, Wants More Done

Following concerns from Capitol Hill about new technology using fingerprints as passwords, Apple and Samsung sent letters to Sen. Al Franken (D-MN) claiming users’ fingerprints are not stored on their smartphones and are safe from hackers and identity theft. “We agree with you that fingerprint-scanning technology for smartphones can be convenient and beneficial for consumers but must be implemented in a way that safeguards consumer privacy,” Samsung’s vice president wrote. Franken had requested information from the companies on data protection provisions, and while the responses were “mostly good news,” the companies still haven’t taken steps to prevent criminals “from bypassing fingerprint readers with a spoofed print,” the senator said. [The Hill]

US – AG’s Office Reduces Access to Facial Recognition Database

Ohio AG Mike DeWine’s office continues to reduce the number of law enforcement officers statewide who have access to controversial facial-recognition technology. The system was rolled out last year and allows police to run pictures of unknown individuals through a database of 23 million Ohio driver’s license photos and prison mug shots to establish a match, the report states. It’s led to at least one murder arrest, state officials say. But the American Civil Liberties Union and other advocates complained about potential privacy violations. As a result, the number of individuals with access to the system has shrunk from 30,000 to 5,594, according to the AG’s office. [Associated Press]

Big Data

UK – ICO Publishes ‘Big Data’ Guidance, Stresses Fairness and Transparency

The UK Information Commissioner’s Office (ICO) has published a new report on big data and data protection (51 pages) in which it warned businesses to ensure that they process personal data fairly and in a transparent manner when undertaking big data initiatives. In some cases businesses will use new analytics capabilities to make use of existing personal data sets that they have collected. However, in other cases companies will use data collected from third parties to glean information on individuals’ behaviours and attitudes or to personalise services they offer. The ICO warned businesses of the checks they need to carry out to ensure they comply with the Data Protection Act (DPA) in those cases. The ICO said that businesses need to get “innovative” to convey concise information about the way in which they intend to use individuals’ personal data in a big data setting. The watchdog said companies need to update their privacy notices and make sure individuals are aware if they find new purposes for processing personal data that were unforeseen when consumers were first told of the reasons for which their data was to be used. Uncertainty over how personal data may be used in future big data projects does not remove businesses’ obligations to explain possible foreseen purposes of future processing to individuals, it added. [Source] [Pinsent Masons, the law firm behind Out-Law.com, called on the ICO to explain “what transparency and fairness looks like” in the big data era.]


CA – IAPP Thanks Ann Cavoukian for Her Service to the Profession

At the recently concluded IAPP Canada Privacy Symposium, Kris Klein, the IAPP’s managing director for Canada, took time from the keynote stage to thank Ontario Information and Privacy Commissioner Ann Cavoukian for her service to the profession. The IAPP captured the moment in a short video that is now part of our new video archive. Cavoukian now heads up Ryerson University’s Institute for Privacy and Big Data, but you can see the emotion with which she left the position she occupied for nearly two decades. [Source]

CA – Average of “Almost One Breach a Day” Reported

“The federal government has quietly logged 101 breaches of Canadians’ private information over the last four months,” citing information released by the Office of the Privacy Commissioner (OPC) indicating “his office was informed of a privacy breach an average of almost once a day since April 1.” The OPC has also weighed in on a hacking incident involving Canada’s National Research Council, stating, “We are following developments very closely due to the potential implication for personal information.” Meanwhile, New Brunswick Privacy Commissioner Ann Bertrand has recommended “disciplinary measures and provincial charges” for a doctor who accessed 141 patients’ medical files. [Toronto Star]

CA – Judge Agrees to Hear Telecoms’ Charter Rights Challenge

The Canadian Press reports that Ontario Justice John Sproat “has agreed to hear a Charter of Rights challenge brought by Telus and Rogers after they were asked by police in April to release cellphone information of about 40,000 to 50,000 customers as part of an investigation.” In his ruling, Sproat wrote, “The privacy rights of the tens of thousands of cell-phone users (are) of obvious importance.” Sproat’s ruling follows the Supreme Court of Canada’s June ruling affirming “Canadians have a right to online privacy under the Charter of Rights and Freedoms” and the announcements that followed from Telus and Rogers that they would require warrants to “give basic customer information to police or security agencies,” the report notes. [Source] SEE ALSO: Michael Geist writes of last month’s Supreme Court decision and the actions several telecoms have taken regarding data retention following that ruling. The Toronto Star opines, “With giants Rogers and Telus on side, and Bell under pressure to follow, the message should be clear for Ottawa,” suggesting, “The writing is on the wall” for bills C-13 and S-4. Telus and Rogers Communications now require warrants for customer information after the Supreme Court decision. University of Toronto’s Christopher Parsons said if other telcos “start to take a similar position, maybe that would defray the impact of C-13, although it wouldn’t mean that C-13 was a better law.” [Telecoms move in right direction on privacy: Editorial]

CA – OACP Update Guidelines for Police Record Checks

Recently the Ontario Association of Chiefs of Police (OACP) updated their LEARN Guideline for Police Record Checks. We applaud the OACP for taking this important step, which has the potential to have a positive effect on the lives of thousands of law-abiding Ontarians. While the guidelines are voluntary, this is an important step to ensuring a proper and consistent approach to how information is disclosed when police record checks are conducted. We strongly encourage all of Ontario’s 57 police forces to adopt the OACP’s guidance on limiting the disclosure of non-conviction and non-criminal records to a limited class of exceptional circumstances. Similar to the recommendations of our recent Crossing the Line investigation into the disclosure of attempted suicide to US border officials through the CPIC database, the OACP recommends that police forces keep mental health police contacts confidential unless exceptional circumstances are present. The position of the IPC has long been that non-conviction and non-criminal information should be disclosed during the course of a police records check only in exceptional circumstances, consistent with focused, objective public safety-related criteria. [Source] [The Toronto Star: Toronto Police To Keep Sharing Non-Conviction Records]

CA – Police Chiefs Call for Presumed Innocence in Background Checks

Police forces across Ontario are being told to stop disclosing unproven allegations, withdrawn charges and 911 mental health calls in background checks shared with employers, volunteer organizations and U.S. border officials. The Ontario Association of Chiefs of Police (OACP) issued the strong new recommendations this week amid an ongoing Star investigation documenting how the professional and personal lives of innocent Ontarians have been undermined by routine disclosures of non-conviction records. The voluntary guidelines call on forces that sign on to keep mental health police contacts and unproven charges confidential except under exceptional circumstances. OACP is also calling on the government of Ontario to introduce legislation that would compel all of the province’s 57 police forces to follow clear rules about what they can — and cannot — disclose. As it stands, records ranging from police surveillance notes to mental health incidents that never prompted a charge or conviction are making their way onto police background checks and the computer screens of U.S. border officials, the Star investigation has shown. The fallout includes lost jobs and educational opportunities, inability for some people to enter the U.S. and roadblocks to volunteering with agencies that serve vulnerable Ontarians. Until now, only about half the province’s police forces had signed on fully to the existing OACP guidelines, said Cormier. [Source]

CA – Class Actions Seek to Expand Law of Privacy Breaches

Two recently certified class action lawsuits could expand the scope of the fledgling Ontario tort of “intrusion upon seclusion”—the privacy tort first recognized by the Court of Appeal in 2012. The two cases—Evans v. The Bank of Nova Scotia and Condon v. Canada—are notable for being, respectively, the first class action to be certified in Ontario based on the tort of “intrusion upon seclusion” and the largest class action involving a digital privacy breach in Canada. Both cases seek to extend the reach of the privacy tort by claiming that institutions are liable when their actions either directly or indirectly compromise the personal information of their clients. In Evans, the Ontario Superior Court of Justice will be asked to determine whether an employer is vicariously liable for its employee’s deliberate theft of clients’ personal information. In Condon, the Federal Court will assess the government’s responsibility for allegedly reckless behaviour by its employees, leading to the loss of thousands of student loan records. Both class actions seek to push the current boundaries of the tort of intrusion upon seclusion. [Mondaq]

CA – Charities May Be Asked for Donor Lists Under CRA Proposal

Canadian charities would have to turn over lists of their donors’ identities to the Canada Revenue Agency under a proposal being floated by the Conservative government. The move is touted as a way to prevent tax-receipt fraud, but some charities are wary of the administrative burden — and the potential close surveillance of groups that criticize government policies. Revenue Minister Kerry-Lynne Findlay made the suggestion behind closed doors this spring to charities officials in Ottawa as the government seeks ways to tighten regulation of Canada’s charitable sector. Findlay asked officials of the Heart and Stroke Foundation, the Canadian Cancer Society and others for their input, as well as their reaction to a proposal to standardize the format, size and colour of official income-tax receipts for charitable donations. The consultation took place before a March 26 media event at which Findlay and Kevin Sorenson, minister of state for finance, boasted about the government’s achievements in reducing red tape for charities. The suggestion about turning over donor lists also came as some charities, subject to lengthy audits by the Canada Revenue Agency over their political activities, were feeling vulnerable and threatened by the Harper government. Findlay’s proposals apparently met with “stunned silence” initially, according to one witness, who requested anonymity. At least one charity official later spoke against them. “You can imagine why neither of these proposals would reduce red tape for charities — and why, given the current climate, there would be significant concern about the intent,” said the source. Pamela Fralick, president and CEO of the Canadian Cancer Society, was also at the closed-door meeting and said the minister was “floating ideas” rather than putting forward concrete proposals. Fralick said she would need to see more details before the society could adopt a position. There are some 86,000 registered charities in Canada, though fewer than one per cent report any political activity. [The Winnipeg Free Press]

CA – Other Canadian News

The Globe and Mail reported that, as part of Bill C-24, the government can share Canadian immigration files and other data with foreign governments, and Prime Minister Stephen Harper’s cabinet can now draft regulations “providing for the disclosure of information for the purposes of national security, the defense of Canada or the conduct of international affairs” as well as for the “disclosure of information to verify the citizenship status or identity of any person” to enforce the nation’s law “or law of another country.”

CBC reported that Communications Security Establishment Canada says it cannot be sure Canadian intelligence protects information about Canadians when sharing intelligence data with the other Five Eyes partners.

CASL brought an onslaught of e-mails as senders of commercial electronic messages to Canadians attempted to verify recipients’ consent.

CA – Symantec Study Reveals 93% of People Access Data on Lost Smartphones

Symantec Canada recently ran something of a sting operation to figure out what people generally do when they come across a homeless smartphone. First, the company “lost” 60 smartphones in Vancouver, Calgary, Toronto, Ottawa, Montreal and Halifax. Then it monitored the phones to see what people did with them once they picked them up. The good news is that if you lose your phone, there’s a slightly better than 50/50 chance the person will try to return it to you. Apparently, 55% of people attempted to return the phone to its rightful owner. The bad news is that even those kind souls are pretty nosy and will take a peek at your private data before they give your phone back. According to Symantec, 93% of people accessed the devices and half looked at private photos. A total of 63% looked at corporate email and a little more than half (52%) opened the password file. 35% accessed the bogus online banking application loaded on the lost phone. The results of the study come hot on the heels of a report from Avast! that revealed many people selling their phones on eBay don’t do enough to wipe their personal data from the device before shipping it to the buyer. The company purchased 20 second-hand cell phones from users on eBay and discovered over 40,000 photos on the phones, including 1,500 pictures of children, 750 photos of women in various stages of undress and 250 dick pics. They also discovered the identity of four previous owners, and more than 750 emails and text messages. [Source]

CA – ON Breach Being Investigated; Post-BC Breaches, Researcher Reinstated

An Ontario woman “is asking how a medical company knew details of her surgery when they tried to persuade her to change surgeons.” Ontario’s Office of the Privacy Commissioner “is looking into how the Centric Health plastic surgery clinic … got the information” about her surgery, the report states. Meanwhile, The Vancouver Sun reports the second of seven individuals who lost their jobs following privacy breaches two years ago and “a mass firing by the BC Health Ministry” has been reinstated. Drug researcher Malcolm Maclure has been rehired as a consultant on research and evidence development, the report states, quoting Maclure as saying, “I feel exonerated.” [Digital Journal] See also: [Saskatchewan: Expert calls for release of critical-incident info]


US – Americans Most Worried About Financial Data

A survey indicates 71% of Americans say they’re “petrified” someone will snoop as they access their bank accounts or other financial data. 57% say they’re worried someone will snoop on their online shopping. Social networks were the platforms that made users most worried, and email came second at 56%. Harris Interactive surveyed 2,100 Americans in June. [CNET] See also: [Businesses Beware: Millennials Could Revolt Over Data-Gathering]

US – People With Higher Job Status Prioritize Security Over Privacy

Privacy and security are two sides of the same coin and it’s sometimes very difficult to find a perfect balance of the two. In most cases, people tend to prioritize one over the other based on their personal choices or requirements. A new study published by Penn State researchers found that people in higher job positions are more likely to sacrifice privacy in the name of security. For the study, researchers analyzed how people in leadership job positions evaluated security and privacy and how impulsive or patient they were in making decisions. They found that those who were randomly placed in charge of a project tended to become more concerned with security issues. “Social status shapes how privacy and security issues are settled in the real world,” said Grossklags. “Hopefully, by calling attention to these tendencies, decision makers can rebalance their priorities on security and privacy.” [Source]

US – Businesses Beware: Millennials Could Revolt Over Data-Gathering

“Millennials care about online privacy—but only to an extent that’s convenient,” Megan Meagher writes, noting they are supplying data brokers with thousands of data points about themselves that are then turned into consumer profiles that can be detrimental to their options as customers. However, she writes, millennials take on causes quickly, and issues that were once innocuous become pressing overnight given online forums like Facebook that allow campaigns to travel at warp speed. Given that, it’s “only a matter of time before marketers are held accountable for any unpalatable practices they undertake involving the use of personal data,” Meagher writes, suggesting companies would be wise to get ahead of such a revolution. [Forbes]

US – Tech Seeks Life After Death for Accounts

There are legal challenges surrounding online accounts after their owners’ death. Estate lawyers and some tech industry representatives say changes to the Electronic Communications Privacy Act allowing for the release may simplify things. [The Hill]

US – OKCupid Experiments with User Data on Whether Love Is Blind

Despite the privacy uproar that was caused when Facebook recently disclosed it had used user data to see “if emotions were contagious,” OKCupid this week disclosed the results of three experiments it recently conducted on users, including whether users rated potential matches’ personality in correlation with their looks. OKCupid’s user agreement does state that, upon signing up to use the site, personal data may be used for research and analysis. [The New York Times]

WW – Coke and Keurig Partner for Drink Data

Emboldened by the useful data gathered from its Freestyle home soda fountains, Coca-Cola has partnered with Keurig to gather consumption data from the company’s new Keurig Cold machines. Launching next year, the machines will allow consumers to make one-off carbonated beverages, including Coke products, and will send data about what people are drinking back to the Keurig and Coke home offices. Coke is Keurig’s largest shareholder. “We’ll know exactly—with the consumer’s permission, of course—what they’re drinking and when they drink it in their home,” The Coca-Cola Company’s Deryck Van Rensburg said. “Imagine what you can do with that.” Coke used feedback from Freestyle to make the decision to bring Cherry Fanta to store shelves. [Quartz]

WW – Research: Sustainably Managing Large Numbers of Accounts / Passwords

Abstract: We explore how to manage a portfolio of passwords. We review why mandating exclusively strong passwords with no re-use gives users an impossible task as portfolio size grows. We find that approaches justified by loss-minimization alone, and those that ignore important attack vectors (e.g., vectors exploiting re-use), are amenable to analysis but unrealistic. In contrast, we propose, model and analyze portfolio management under a realistic attack suite, with an objective function costing both loss and user effort. Our findings directly challenge accepted wisdom and conventional advice. We find, for example, that a portfolio strategy ruling out weak passwords or password re-use is sub-optimal. We give an optimal solution for how to group accounts for re-use, and model-based principles for portfolio management. [Full paper]


AU – Australian Government Keeping Voting Source Code Secret

Australia’s government is refusing to share the source code for the software used in the country’s elections, claiming that “publication of the software could leave the voting system open to hacking or manipulation.” Experts point out that the source code for voting software “implements a very subtle, complex algorithm,” and needs to be open to scrutiny to find and fix problems. [SMH] See also: [B.C. government needs to fix archiving]


WW – Dark Mail Project Seeks to Hide Metadata from Snoops

An email privacy project called Dark Mail aims to hide users’ communications metadata, information the NSA has been collecting wholesale for years. Metadata is usually not encrypted, even when the email messages are. The project is a joint effort between Ladar Levison, who founded the secure email service Lavabit, and Steven Watt, who in 2011 completed a two-year prison sentence for writing a packet sniffer for TJX data breach mastermind Albert Gonzalez. The Dark Mail project comprises an email client called Volcano; server software Magma Classic and Magma Dark; and the Dark Mail protocol. Most email encryption services work within a closed community – users can communicate only with other people who also use the service. But Dark Mail is seeking to move beyond that model; Levison and Watt want it to work with existing email programs. [WIRED] SEE ALSO: a federal judge in New York has granted prosecutors access to a Gmail user’s e-mails as part of a criminal probe. And [Canada: CASL: Still Muddy Waters]

US – Court Says Warrant for Access to All Content of Email Account is Justified

A New York judge defended a controversial order that gave the government access to all content of the Gmail account of a target in a money laundering investigation, holding that courts have long recognized the practical need for law enforcement to seize documents if only to determine whether they fall within the warrant. The opinion, which will likely fuel the privacy debate in the country, is at odds with decisions by judges in several courts including courts in the Districts of Columbia and Kansas, Magistrate Judge Gabriel W. Gorenstein of the U.S. District Court for the Southern District of New York noted in an opinion Friday. The District of Columbia judge had refused disclosure of the contents of an entire email account because that would allow the government to actually seize large quantities of emails “for which it has not established probable cause.” The court in Kansas criticized a similar warrant as it failed to “limit the universe of electronic communications and information to be turned over to the government to the specific crimes being investigated.” The New York court, in contrast, granted on June 11 a warrant that permitted law enforcement to obtain emails and other information from a Gmail account, including the address book and draft mails, and to permit a search of the emails for certain specific categories of evidence. [Computerworld]

EU Developments

UK – Data Protection Fines Drive Up Compliance Elsewhere Across Industry

News of a data protection fine being served prompts nearly half of organisations operating in that sector to review their own data protection policies and practices, according to a survey commissioned by the ICO. Civil monetary penalties (CMPs) have a “clear impact” on how organisations served with the fines manage their own data protection responsibilities, but they also act as a “useful deterrent” to others, the ICO’s report said. Senior managers at approximately 60% of other organisations become more interested in data protection as a result of hearing about fines issued to other organisations, whilst 47% of respondents said that news of a data protection fine prompted them to introduce new data protection training for staff, it said. More than a quarter of organisations also conduct internal audits after hearing about others’ data protection fines, according to the ICO’s report. The ICO also said that it will review the guidance it has issued previously on issuing CMPs in light of the concerns raised during the research exercise about how the ‘substantial damage and distress’ test is interpreted. [Out-Law] [The ICO’s report (19-page / 104KB PDF)] See also: [UK – Annual review of social media policies may not address regulatory risks, says expert]

UK – Legal Challenge Lodged Against New UK Data Retention Laws

A legal challenge is to be launched against new UK data retention laws that received parliamentary backing under a prioritised approval process earlier this month. Civil rights campaigners Liberty said it will seek a judicial review of the Data Retention and Investigatory Powers (DRIP) Act on behalf of two MPs, David Davis and Tom Watson. In a statement the MPs criticised the speed with which the DRIP Act gained parliamentary approval and questioned whether the new rules sufficiently protect individuals’ privacy rights. The DRIP Act replaces previous UK regulations on data retention that had implemented an EU law which earlier this year was ruled to be invalid by the EU’s highest court. The Court of Justice of the EU (CJEU) ruled that the EU Data Retention Directive disproportionately infringed on privacy rights enjoyed by EU citizens. Home secretary Theresa May said the speedy approval of the new rules was necessary to plug potential holes in UK intelligence gathering capabilities that could have arisen if the telecoms companies subject to the data retention requirements had stopped collecting the information in light of the CJEU’s ruling. [Out-Law] [Insights on the draft EU Data Protection Regulation from a UK Information Commissioner’s Office spokesperson who said while it is still subject to change, the draft regulation “provides a guarantee for freedom of expression”] See also: [UK – Emergency data retention law could fail same tests as the existing law]

EU – Legal Analysis Containing Personal Data Is Not Personal Data, Rules CJEU

The legal analysis used to support administrative decisions “cannot of itself” be classed as ‘personal data’ even if the analysis contains personally identifying information, the Court of Justice of the EU (CJEU) has ruled. As a result, the Court found that individuals do not have a right of access to the full legal analysis document under EU data protection laws. Under the EU’s Data Protection Directive, individuals have a general right to access the personal data stored about them by organisations. [Out-Law] [The CJEU’s judgment] SEE ALSO: Hogan Lovells Partner Eduardo Ustaran takes a look at what’s changed and the current state of play in the cookie ecosystem, noting DPAs “have realized that a large number of websites are cutting corners” and the fallout that might ensue. [Checking In on the State of Cookie Consent]

US – EDPS Workshop Examines Role of Privacy in Competition

The European Data Protection Supervisor (EDPS) recently hosted a workshop that determined “the world of ‘big data’ likely will require consideration of privacy in competition matters.” The workshop discussed the policy implications of big data and the digital economy in relation to data protection, competition and consumer protection. A report issued after the workshop noted, “Data protection and competition specialists do not necessarily speak the same language. Laws may currently be applied effectively to address visible large-scale abuses. But the laws seem not to cover the incremental ‘day-by-day drops into the ocean of data’ which are used to construct user profiles, where even seemingly innocuous data can reveal sensitive information.” [Hogan Lovells] See also: [EU: Privacy Officer To Head European Marketing Trade Group FEDMA]

US – Analyzing the Mutual EU-U.S. Distrust Over Privacy

The EU and U.S. have always had differing approaches to privacy and data protection, but since the Snowden revelations began making their way into the headlines, the gap and distrust has grown wider. “To help illustrate the nature of these doubts,” Berkeley Law Prof. Paul Schwartz commissioned a “mini-poll” that asked privacy attorneys in the U.S. and Germany their opinions about each region’s approach to privacy and data protection. Schwartz reveals each side’s concerns and how there “are no easy solutions to differences in EU-U.S. data protection.” “Instead,” he writes, “there are only tough discussions ahead.” Schwartz, in addition, highlights two lessons that can be learned from this analysis. [Privacy Perspectives] See also: Viviane Reding left the European Commission to become an MEP.

EU – Other News

EU ministers have undertaken efforts “to overcome ‘hurdles’ and agree on common rules for data protection laws” at informal talks hosted by Italy, the new holder of the EU presidency. Italian Justice Minister Andrea Orlando said, “There would be nothing worse than failing to agree on common rules.”

In the UK, the “Data Retention and Investigatory Powers Bill” was announced in the House of Commons, and BBC News reports that Prime Minister David Cameron “has secured the backing of all three main parties for the highly unusual move.” And here’s an analysis from Bird & Bird lawyer Graham Smith on “DRIP.”

The European Data Protection Supervisor said EU institutions may have to notify him when personal data processing operations “are likely to present specific risks to the rights and freedoms of data subjects.”

LexisNexis published “Company Lawyers: Independent by Design,” a whitepaper from the European Company Lawyers Association (ECLA) that includes a chapter on the role and function of the data protection officer (DPO) under the proposed European regulation, noting, the “required skill set, relationship with management and with the business and the ethical dimension of the role remain at an early stage.” ECLA is collecting feedback on the whitepaper until the end of September.

The Constitutional Court of the Republic of Slovenia “abrogated the data retention provisions of the Act on Electronic Communications,” Slovenia’s Information Commissioner’s Office reports, noting, the decision “represents an important part in the debate about the necessity and proportionality of the use of surveillance measures and technologies in the context of law enforcement and intelligence agencies.”


EU – Court Orders to Block the Pirate Bay are Ineffective

Traffic to The Pirate Bay site has doubled since 2011, even though courts in several countries have ordered Internet service providers (ISPs) to block the site and its founders have been sentenced to prison for various offenses. Nearly 10 percent of users visiting the site do so through a proxy. In a nod to the ineffectiveness of such blocks, a Dutch appeals court recently ruled that ISPs should not block The Pirate Bay at IP and DNS levels because those methods are ineffective. [Ars Technica]

US – NSA: Releasing Snowden Emails Would Violate His Privacy

The National Security Agency says it can’t release emails sent by exiled whistleblower Edward Snowden to NSA officials because doing so would invade his personal privacy. That rationale was one of several given to journalist Matthew Keys, formerly social media editor at Reuters, in response to a Freedom of Information Act request that sought emails sent from ejsnowd@nsa.ic.gov in the first five months of 2013. Keys published the NSA’s response on Thursday. The NSA’s FOIA office, which is dealing with a significant backlog, could not immediately supply a copy to U.S. News. Snowden has said repeatedly he raised concerns internally when he worked as an NSA contractor before he decided to leak documents that exposed the agency’s sweeping – and arguably illegal – surveillance programs. [Source]


WW – OECD Unveils ‘Global Standard’ to Combat Tax Fraud and Banking Secrecy

A new global standard for the automatic exchange of financial information aims to “put an end to banking secrecy” in tax matters and increase transparency, the Organisation for Economic Co-operation and Development (OECD) said. The ‘Standard for Automatic Exchange of Financial Account Information in Tax Matters’, launched by the OECD on 21 July, calls on governments to obtain detailed account information from financial institutions and share the information automatically with other jurisdictions each year. The standard, developed by the OECD at the request of the G20 group of the world’s largest advanced and emerging economies, will be formally presented to G20 finance ministers next September. OECD secretary-general Angel Gurria said the organisation’s message to the G20 “will be clear and simple… the automatic exchange of information standard is ready for implementation”. The standard provides for annual automatic exchange between governments of financial account information, including balances, interest, dividends, and sales proceeds from financial assets, reported to governments by financial institutions and covering accounts held by individuals and entities, including trusts and foundations. More than 65 countries and jurisdictions have already publicly committed to implementing the standard, while more than 40 have committed to making the first automatic information exchanges in 2017. This includes a group of OECD and non-OECD countries which have adhered to the OECD declaration on automatic exchange of information in tax matters (7-page / 1.12 MB PDF) as well as a group of ‘early adopters’. The OECD said more jurisdictions are expected to commit to implementing the standard in the run-up to the Global Forum on Transparency and Exchange of Information for Tax Purposes hosted by the German finance ministry in Berlin next October. [Out-Law]


US – Microsoft Makes Privacy Part of Its K-12 Branding

Microsoft is striving “to position itself as a protector of student-data privacy” and to back up such claims. The company has spent the last year supporting academic research on privacy and guides for school officials. Earlier this year, its chief technology officer said, “Students are not products … We have a long way to go across the industry … in getting everyone on board with protecting students, and to a great degree, teachers, too.” As the maker of many services for schools, and with rising concern about student privacy, the company is focusing on an issue “that has surged in the consciousness of parents and school officials,” the report states. [McClatchy News Service] See also: [NL: Access to information watchdog in court over attorney-client privilege]

US – San Francisco Announces Open Data Plan

Five months after San Francisco’s appointment of Joy Bonaguro as its first chief data officer, the city has a new open data strategic plan, aiming to improve on its data quality and expand its data-driven decision-making. The city also aims to support the “democratization of consumer data,” the report states, allowing individuals to access data the city stores about them, although confidential data containing individually identifiable information will not be among the data shared. “Given the distributed nature of individual data, we expect this to be a complex undertaking, and we will focus on background research and planning in year one,” the city’s strategic plan states. [Full Story] [San Francisco’s Chief Data Officer wants to help citizens make data-driven decisions] See also: [Canada: First Nation chiefs’ salaries due to be posted under Transparency Act]


CA – Privacy Watchdog Urges Insurers Not to Ask for Genetic Test Results

Canada’s privacy watchdog has called on the country’s health and life insurance industry not to ask applicants for access to existing genetic test results, “until such time as they can be shown to be demonstrably necessary and effective”. The Office of the Privacy Commissioner (OPC) acknowledged that “insurance industries need to collect and use personal information to assess risk”, but said “that a legitimate need does not necessarily give an organisation the authority to collect any and all personal information on the grounds that it might be useful or relevant”. OPC said its call would “effectively expand the industry’s current voluntary moratorium on asking applicants to undergo genetic testing”. OPC said in a policy statement that it had analysed the collection and use of genetic test results in light of existing legislation relating to personal information protection. [Out-Law] See also: [DNA tests: Child’s rights override parents privacy concerns]

CA – Canada Works to Institute a National Missing Persons DNA Databank

The Conservatives’ latest budget, tabled in February, pledged up to $8.1-million over five years starting in 2016-2017 to create a DNA-based national missing persons index (MPI). Public Safety Minister Steven Blaney, the lead minister on the file, told The Globe and Mail he is committed to tabling legislation by the end of 2015. He said it’s “realistic” to foresee the government creating a national MPI and a national human remains index (HRI), both of which could be housed at the RCMP’s existing National DNA Data Bank facility in Ottawa. Mr. Blaney also said it’s within the realm of possibility to cross-reference those two indexes with two existing ones – the crime scene index (CSI) and the convicted offenders index (COI) – to search, for example, for missing people like Lindsey at known crime scenes. The measure is in draft stage, he said, and it’s too soon to know exactly how it will unfold or what the consultation process will yield, including with regard to privacy. [The Globe and Mail]


US – Google Must Face U.S. Privacy Lawsuit Over Commingled User Data

A federal judge has refused Google’s bid to dismiss a privacy lawsuit that claims Google “commingled user data across different products and disclosed that data to advertisers without permission,” Reuters reports. U.S. District Judge Paul Grewal ruled Monday that Google must face breach-of-contract and fraud claims, though parts of the suit were dismissed. Grewal had dismissed two earlier versions of the suit but wrote in his decision this time, “Like Rocky rising from Apollo’s uppercut in the 14th round, plaintiff’s complaint has sustained much damage but just manages to stand.” The suit stems from Google’s changes to its privacy policy in March 2012. Meanwhile, plaintiffs in a class-action lawsuit over Target’s data breach have protested the company’s request that discovery be delayed. [Reuters] See also: [US Supreme Court And European Union Expose Google’s Massive Privacy Liabilities]

WW – Google’s Project Zero Aims to Protect Privacy, Improve Internet Security

Google Project Zero is aiming to find software vulnerabilities and to protect Internet users’ privacy. People should “be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets, or monitor your communications,” according to Google Researcher Herder Chris Evans. [ZDNet] [CNN] [Googleonlinesecurityblogspot] See also: [Google wants to know how the human body works]

Health / Medical

EU – Data Protection Reforms Should Enable ‘One Time’ Patient Consent

New EU data protection laws should not force medical researchers to seek consent from patients each time they wish to use their data or tissue samples in a new research project, the European Society of Medical Oncologists (ESMO) has said. ESMO warned that “the survival of retrospective clinical research, biobanking, and population-based cancer registries in the EU” would be put at risk if current proposals backed by MEPs earlier this year are introduced into law. It said that the MEPs’ plans “imposes, or may be interpreted as imposing, the requirement for researchers to ask for a patient’s ‘specific’ consent every single time new research is carried out on already available data and/or tissues”, and said this would “lead to the necessity of researchers continuously asking patients to ‘re-consent’ for every single use of their data.” ESMO said that it would be better if the new General Data Protection Regulation gave medical researchers the right to use patient data and tissues “forever” on the basis of a “one-time consent” to that use from patients. “This consent could be withdrawn by the patient at any time, but researchers should not be compelled to ask for ‘re-consent’ by patients whenever new research is planned on their data and/or tissues,” ESMO said in a new position paper on the risks of the proposed new EU data protection framework. [Out-Law] [The ESMO position paper on the risks of the proposed new EU data protection rules] See also: [UK – Electronic health records can help simplify drugs trials, study finds] and also: [Will Capitol Hill Relax Healthcare Regs in the Name of Innovation?]

US – Recent HIPAA Cases Indicate Confusion, Misuse of Law

A litany of recent HIPAA-related cases indicates the law is open to misinterpretation and may sometimes provide cover for the health organization involved rather than working in the patient’s best interest. For example, a security guard in Missouri recently threatened a mom taking a picture of her son in the hospital and a Florida nursing home said it couldn’t cooperate with police investigating allegations of a crime against one of its residents. “Sometimes it’s really hard to tell whether people are just genuinely confused or misinformed, or whether they’re intentionally obfuscating,” said Manatt, Phelps & Phillips Partner Deven McGraw. [ProPublica] See also: [Tiny digital doctors to track your health] and [This amazing remote-controlled contraceptive microchip you implant under your skin is the future of medicine] and [Turkey: Our General Health Data Is On Free Trade! Who Wants To Buy?]

Horror Stories

UK – UK Travel Agency Fined for Violating Data Protection Act

The UK Information Commissioner’s Office (ICO) has fined a travel company GBP 150,000 (US $255,000) for failing to adequately protect customer data. By exploiting a coding error on the company’s website, attackers were able to steal customers’ credit card details dating back to 2006. Payment card data had never been deleted from the system and the system had never been tested. The company, Think W3 Limited, was found to have violated the Data Protection Act. [v3.co.uk] [The Register] See also: [US – Thousands Affected After South Carolina Hospital Suffers Laptop Theft] and [AU – Company Informs Customers of Breach Three Years After the Fact]

US – Dept. of Commerce IG Report Finds “Significant” Security Issues at NOAA

According to a report from the US Department of Commerce’s office of inspector general, satellite data were stolen from a National Oceanic and Atmospheric Administration (NOAA) contractor’s personal computer last year, but there has not been an investigation because the employee refused to allow NOAA to conduct a forensic investigation on the laptop. The report also noted other “significant security deficiencies” at NOAA, including unauthorized use of smartphones and thumb drives on sensitive systems. [NextGov] [OIG.doc.gov] See also: [GAO Says FDIC Cyber Security Still Needs Improvement] and also: [More Details Emerge About 2010 NASDAQ Breach] And [CA — Canada: National Research Council computers hacked]

US – EBay to Face Class-Action; Researchers Find Privacy Flaw

EBay is facing a class-action lawsuit after alerting users in May of unauthorized access to its systems. While the company says no financial data was accessed, the plaintiffs in the case allege eBay’s inadequate security led to the breach and have asked for a jury trial to settle the matter with combined claims of more than $5 million. Meanwhile, researchers from New York University have uncovered what they call a “privacy flaw” and “security breach” in eBay’s buyer feedback program allowing any individual to view the feedback. According to the research, “it is relatively easy to match the timestamp of the sale” with the seller’s feedback “and thus identify the item that was purchased.” [PCWorld] [Flaw in eBay lets your spouse know what you are buying]

US – Breach Settlements Come with High Costs

Two separate organizations are doling out funds for settlements following recent breach incidents. One is Equilon Enterprises LLC’s settlement of almost $2 million. The company, which recorded calls from customers contacting Shell Oil, is paying “to settle a class action alleging its actions violated California privacy laws,” the report states. Meanwhile, Boston.com reports Women & Infants Hospital of Rhode Island has agreed to a $150,000 settlement of “data breach allegations that affected more than 12,000 Massachusetts patients” whose “names, dates of birth, Social Security numbers, dates of exams, physicians’ names and ultrasound images” were allegedly compromised in a 2012 breach. [Boston.com] [Law 360] See also: [Data Breach Bulletin: Russian Hacker Claims To Have Infiltrated Both Wall Street Journal and Vice incl: Wall Street Journal and Vice | European Central Bank | Goodwill | StubHub | Self Regional Healthcare | Women & Infants Hospital of Rhode Island] CBS Chicago reported that Illinois Attorney General Lisa Madigan called for a federal agency designed to investigate data breaches, saying, “It just makes sense that somebody has to take responsibility in this day and age for putting in place safety standards for our personal financial information…”

US – FedEx: Drug Indictment Is Result of Focus on Customer Privacy

A 15-count indictment against FedEx was handed down last week alleging the company helped “illegal online pharmacies traffic the sale of prescription drugs,” but the company says the issue comes down to privacy. The indictment claims that since at least 2004, FedEx “knowingly shipped controlled substances and prescription drugs for illegal Internet pharmacies despite warnings from the Drug Enforcement Administration, the Food and Drug Administration and Congress.” But FedEx says it will plead not guilty, arguing it is not a shipping company’s job to prevent the sale of illegal drugs. A spokesman said customer privacy is essential to the core of FedEx’s business and that privacy is now at risk. [Full Story] [FedEx: Drug Shipping Indictment a Matter of Privacy]

US – 72,500 Bank Customers’ Data Breached

Florida-based TotalBank is notifying 72,500 customers their account information was potentially compromised after an unauthorized third party accessed the bank’s computer network. Compromised information may include names, contact data, account numbers, balances and other personal identifiers—such as Social Security numbers and driver’s license numbers—but, according to the bank, accounts were not accessed. Krebs on Security reports on Indexeus, a search engine that compiles user account data gathered from recent data breaches. The site says it has more than “200 million entries available to our customers”—much of it gathered from “hacker forums that have been hacked, or from sites dedicated to … powerful servers that can be rented to launch denial-of-service attacks aimed at knocking websites and web users offline.” [BankInfoSecurity] See also: [NB: Privacy commissioner urges disciplinary action against doctor]

UK – Dublin Company Alerts 650,000 of Breach

A Dublin company is alerting nearly 650,000 customers that their personal information has been compromised in a hacking incident dating back to 2010. Paddy Power, which provides betting and casino games, among other services, says the data compromised included individual customer names, usernames, addresses, email addresses and more. Financial information was not compromised, however. The company has contacted the data protection commissioner and the police, advised customers to review other sites where they might use the same username and prompted them to change their security questions. The extent of the breach, a result of hackers, was uncovered with the assistance of Canada’s Ontario Provincial Police. [Irish Times]

Identity Issues

EU – New EU Rules on Cross-Border Electronic Identification Finalized

The Council of Ministers’ General Affairs Council voted to support the Regulation on e-ID and trust services at a meeting last week. The Regulation is expected to come into force shortly. The European Parliament previously gave its backing to the new rules in April. Under the new rules, EU countries would have the option of signing up to a ‘mutual recognition’ scheme for e-ID. Many member states have national e-ID schemes that are relied upon for verifying the identity of consumers when transacting or engaging with public services online. In a move designed to boost cross-border trade in the EU, the e-ID schemes used nationally would be recognised by other EU countries if the countries agree to give recognition to the national e-ID schemes operated by those other nations, under certain conditions. Only national e-ID schemes that are “interoperable” could be put forward by EU countries for participation in the mutual recognition regime. The mutual recognition scheme is not expected to be in operation until the latter half of 2018. [Out-Law] [The finalised Regulation on e-ID and trust services]

CA – Privacy Analytics Raises $3.5 Million

Khaled El Emam’s work provides de-identification solutions for the transfer of health data. Now, his software start-up Privacy Analytics has announced $3.5 million in seed financing. Investors include Bell Canada and the Ontario Institute for Cancer Research. While running a research lab associated with the Children’s Hospital of Eastern Ontario, El Emam developed software, now called Parat, that scores the potential risk of re-identifying individuals in shared data while making the health data anonymous. According to the report, Privacy Analytics looks to hire three additional employees by the end of October. [Ottawa Citizen]

WW – How to Go Semipublic in the Google Age

After a longstanding real-name policy, Google+ announced that “there are no more restrictions on what name you can use.” The policy had been criticized by journalists and privacy advocates who said pseudonyms were needed to protect users for valid reasons. Will Oremus writes about a recent article in The New York Times detailing one former college student’s struggles after being raped and how the Times decided to use her first name and face but not her last name. Oremus writes, “And then I realized: Anna and the Times aren’t trying to hide her identity from anyone who’s ever met her. They’re trying to hide it from all the people who never have. That is, they’re shielding her identity from Google.” Meanwhile, BBC News reports a website has been created to list items Google has removed due to the EU’s right-to-be-forgotten decision. [Slate] [You no longer have to use your real name on Google+.] See also: [De-Identification: A Critical Debate: Why de-identification is a key solution for sharing data responsibly] and [On Why Surprise Minimisation Is a Misguided Principle]

Intellectual Property

UK – Digital Economy Act Copyright Regime Shelved by UK Government

Work on a new online copyright enforcement regime under the Digital Economy Act (DEA) has been shelved now that rights holders and internet service providers (ISPs) have voluntarily agreed a framework for educating alleged infringers about the harm of piracy, the UK government has confirmed. [Out-Law]

US – Advocates Hope SCOTUS Ruling Catches Fire

Privacy advocates are hoping the Supreme Court’s unanimous ruling on cell phone privacy last month will have a broader impact than just that case itself, perhaps even leading to the end of the government’s post-9/11 surveillance of telephone records. After all, Chief Justice John Roberts’ cell phone opinion was an “emphatic, emphatic message from the court that digital is different,” said one law professor. The question is, how different? Will it be enough to “topple a 35-year-old court precedent that denied privacy protection to telephone records shared with third parties?” Separately, a federal judge in New York has granted prosecutors access to a Gmail user’s e-mails as part of a criminal probe. [USA Today]

Internet / WWW

US – Is the Internet of Things Getting Too Big?

US presidential policy advisers are concerned that the Internet of Things is simply too large. Companies that are making some of the items, such as refrigerators, “are not information companies, and the effect is that we are much more vulnerable,” according to Defense Policy Board and President’s Intelligence Advisory Board member Richard Danzig. A report from Danzig’s Center for a New American Security suggests that security can be improved by paring down systems to their essentials, so that they may be able to do less, but also will present fewer opportunities for security problems. [NextGov] See also: [NYT: The Next Big Thing in Hardware: Smart Garbage]

WW – Cloud Services Can Impede Forensic Investigations

As governments have moved to cloud services, they have saved money and improved efficiency, but the technology holds some challenges to forensic investigations. A draft report from the National Institute of Standards and Technology (NIST) describes 65 “challenges” forensic investigators encounter when dealing with cloud computing. The report classifies the challenges into nine categories, including data collection, analysis, and architecture. One example of a challenge is email. On non-cloud systems, deleted email messages can often be recovered because they are not truly deleted until they are over-written. Because of the shared nature of the cloud, deleted files are more likely to be overwritten. [NextGov] [NIST Report]
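The recoverability point in the NIST item (a deleted message survives until its storage blocks are reused, and reuse comes sooner on shared infrastructure) can be shown with a toy block store. This is an added example written for this digest, not code from NIST or from any real mail system or file system: the store, the two constructed messages and the tenant names are all hypothetical, and the free-list policy (most recently freed blocks reused first) is an assumption chosen to make the overwrite visible.

```python
"""Toy block store showing why a deleted message is carvable from raw
storage only until its blocks are reused. Constructed example; not
NIST's report, not any real file system."""
import re

BLOCK_SIZE = 64  # assumption: small blocks so a short message spans two


class BlockStore:
    """Minimal block device: raw bytes, a free list and a name index.
    delete() only releases blocks; it never zeroes them, like most
    file systems."""

    def __init__(self, nblocks: int) -> None:
        self.raw = bytearray(nblocks * BLOCK_SIZE)
        self.free = list(range(nblocks))
        self.index: dict[str, list[int]] = {}

    def write(self, name: str, data: bytes) -> None:
        nblocks = -(-len(data) // BLOCK_SIZE)  # ceiling division
        if nblocks > len(self.free):
            raise OSError("disk full")
        blocks = [self.free.pop(0) for _ in range(nblocks)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.raw[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = chunk.ljust(BLOCK_SIZE, b"\0")
        self.index[name] = blocks

    def delete(self, name: str) -> None:
        # Assumed allocator policy: freed blocks go to the head of the free
        # list, so the next write reuses them first (worst case for recovery).
        self.free[:0] = self.index.pop(name)

    def carve_subjects(self) -> list[bytes]:
        """Forensic carve: ignore the index and scan raw storage for
        message headers. Returns every Subject line still present."""
        return re.findall(rb"Subject: ([^\r\n\0]+)", bytes(self.raw))


# Constructed sample messages (not real mail).
MSG_A = (b"From: alice@example.test\r\n"
         b"Subject: quarterly numbers\r\n\r\n"
         b"Attached are the draft figures.")
MSG_B = (b"From: bob@example.test\r\n"
         b"Subject: lunch?\r\n\r\n"
         b"Noon?")


def single_tenant_scenario() -> list[bytes]:
    """Dedicated storage: nothing writes after the delete, so the
    message remains carvable from the raw blocks."""
    store = BlockStore(8)
    store.write("inbox/1", MSG_A)
    store.delete("inbox/1")
    assert "inbox/1" not in store.index  # gone from the index...
    return store.carve_subjects()        # ...but still on disk


def shared_tenant_scenario() -> list[bytes]:
    """Shared storage: another tenant writes right after the delete and
    is handed the freed blocks, overwriting the deleted header."""
    store = BlockStore(8)
    store.write("tenantA/1", MSG_A)
    store.delete("tenantA/1")
    store.write("tenantB/1", MSG_B)
    return store.carve_subjects()


if __name__ == "__main__":
    print("dedicated:", single_tenant_scenario())
    print("shared:   ", shared_tenant_scenario())
```

In the dedicated case the carve still returns Alice’s subject line after the delete; in the shared case Bob’s one-block write lands on the block that held Alice’s headers, and only Bob’s subject is left. The remainder of Alice’s body survives in the second block, which is why partial recovery is common and complete recovery is not.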

WW – Hackers Find Security Flaw, Offer Enhanced Privacy Option

Nest allows users to regulate the heating and cooling in their homes, but it also might allow hackers with physical access to the device to gain access to its system. A group of researchers from the University of Central Florida found they could do so, allowing them to siphon data and install malware on the system. Acquiring that kind of sensitive data potentially reveals personal details about living habits. They’ll present their findings at the Black Hat security conference in August, and they say there may be a “privacy upside.” They’ve written a program that would allow users to stop data from being sent back to Nest headquarters, for enhanced data protection. [Forbes] [Nest Hackers Will Offer Tool To Keep The Google-Owned Company From Getting Users’ Data]

WW – Microsoft Launches Online Take-Down Request Form

Microsoft has launched an online form to take requests from European residents that want to delete old or outdated search results for their names. Google launched a similar form in June after Europe’s highest court ruled it must allow for such a request. Microsoft said it plans to study how many requests it gets before moving to implement any more takedown requests. Meanwhile, a recent Microsoft survey found that 83 percent of American voters agree with a recent Supreme Court decision requiring police to get a warrant before searching someone’s cellphone. [Wall Street Journal]

WW – Samsung Rumored to Have Purchased SmartThings for $200 Million

Samsung may have reached a deal with home automation company SmartThings for approximately $200 million. The service allows its users to remotely connect and control devices in their home—including door locks and lights. The move is part of a larger play by other companies—such as Google, Amazon and Apple—to get into the Internet of Things (IoT) ecosystem and “be the first to own your home and data,” the report states, adding, “What they do with that data will depend on the player.” Additionally, Samsung has joined forces with Google and other companies to launch Thread, a new standard protocol for the IoT. [TechCrunch]

US – Ford and Intel collaborate to make cars that identify their drivers

The trend has been to outfit vehicles with cameras facing outside for the purposes of safety and convenience, but now Ford and Intel are pointing cameras inwards toward the driver for the same reasons. Dubbed Project Mobii, the collaboration was announced during a recent presentation at a Ford conference. Still in a conceptual phase, its stated purpose is to bridge connected cars with the Internet of Things, allowing them to interface more seamlessly with mobile devices for safer usage. The idea of an interior-facing camera is meant to identify who is driving via face recognition, and tailor the in-car experience based on his or her preferences. These could include seat adjustment, radio presets, contacts, navigation maps and more. The car’s internal data connection would also enable car owners to peer into the vehicle remotely using a smartphone or tablet. In recognizing a driver and front-seat passenger, the camera could sense who is reaching for the head unit’s screen and open the system up for unfettered use to the passenger, while locking out the driver. In turn, the passenger would be locked out of any personal information the driver has in the system. Under this scenario, unrecognized drivers wouldn’t be able to start the car unless the vehicle owner approves them through a mobile app. Temporary access can then be given with parameters that can limit top speed, apply a geo-fence perimeter, ban extra passengers and restrict access to the infotainment system. Refusal to abide by the rules would allow the owner to monitor the driver in real time. [The Globe and Mail]

Law Enforcement

US – Wisconsin High Court Sides With Police In Cellphone Tracking Suits

The Wisconsin Supreme Court issued twin rulings stating police had the authority to track suspects through their cell phones, in one case absent a warrant, rejecting claims that the searches violated their rights under the Fourth Amendment.

US – Wisconsin Supreme Court Allows Stingray Use in Murder Case

In a narrow decision, the Supreme Court of Wisconsin upheld a lower court decision permitting the warrantless use of devices known as stingrays, which can track cell phone locations. In this particular case, the court found that while Milwaukee police had not obtained a warrant to use the stingray to determine a murder suspect’s location, a related judicial order served the same purpose. [Ars Technica] [DocumentCloud] [Law360: Wisconsin High Court Sides With Police In Cellphone Tracking Suits]

CA – Millions of Police Requests for Canadians’ Data Every Year: Report

Government authorities have been making millions of requests to telecommunications companies for Canadians’ personal information as far back as 2006, newly released documents show. Internal documents from Public Safety Canada reveal authorities requested telecom companies to turn over “basic subscriber information” at least 1.13 million times a year between 2006 and 2008. That figure matches revelations from the federal privacy watchdog earlier this year that authorities sought subscriber information 1.2 million times in 2011. “It suggests that there have been huge numbers of requests for years now taking place largely below the radar screen . . . without very much public awareness,” said Michael Geist, a University of Ottawa law professor and Star columnist, who obtained the documents. “Basic subscriber information” can include details like name, address, Internet protocol (IP) address, telephone number, email address and local service provider identity. The federal government and law enforcement agencies have argued this amounts to “phonebook information” — police seem to generally request names and addresses — but privacy advocates warn it can lead authorities to more personal and detailed information. [The Star] See also: [Opinion: Come Back With a Warrant: How Will the Canadian Government Respond to the Supreme Court’s Reshaping of Privacy Law?]


US – Panel Approves Giving Police Emergency Access to Cellphone Locations

The House Energy and Commerce Committee has passed a bill that would allow law enforcement agencies to access cell phone users’ geolocation information in emergencies. The Kelsey Smith Act—named after a Kansas teen who was murdered in 2007—was passed Wednesday after being introduced last year by Rep. Kevin Yoder (R-KS). The bill was amended after Rep. Greg Walden (R-OR) pushed for privacy protections—including a court’s required approval to retroactively approve emergency requests for cell phone location information—to be added in the name of finding the “right balance to save lives and prevent abuse,” Walden said. [The Hill]

CA – Database maps Saskatoon, Regina violent crime sites by address

The website www.housecreep.com is a national database of “stigmatized properties.” Plug an address into its search engine and a property’s unsavoury history emerges. The categories run the gamut of human tragedy: Homicide, shooting, stabbing and murder are all covered. So are meth labs, grow ops, dismemberments and mental illness. [Source] See also: [Cat location tracking website stokes fire on privacy debate]


US – Judge Finds Data’s Controller Trumps Its Location

U.S. District Judge Loretta A. Preska ruled that U.S. law enforcement can force Microsoft to turn over emails it stores in Ireland. Preska agreed with the findings of a magistrate judge who approved a sealed search warrant in December as part of a narcotics investigation. It came down to the question of who controlled the data rather than where it was stored. The judge did, however, stay the effect of her ruling to allow for an appeal from Microsoft, the report states. Microsoft General Counsel Brad Smith said the company will “appeal promptly and continue to advocate that people’s email deserves strong privacy protection in the U.S. and around the world.” [Associated Press]

Online Privacy

EU – Update on Right to Be Forgotten

Google’s committee of experts has convened following Europe’s right-to-be-forgotten ruling. The council includes Google’s Eric Schmidt and David Drummond as well as independent experts, but “the entire strategic endeavor is of Google’s making … so should be viewed in that context,” the report states, arguing the company is “creating its own privacy debate forum to grab attention and exert pressure for regulatory reform.” Meanwhile, a report by a UK House of Lords subcommittee says the right to be forgotten “must go,” and Google, Microsoft and Yahoo must this week respond to 20 questions issued by the European Commission on how they will meet right-to-be-forgotten requirements. [TechCrunch] Meanwhile, the Article 29 Working Party Chairwoman Isabelle Falque-Pierrotin and others are critical of Google’s right-to-be-forgotten response. Google’s decision to remove results only on EU search engines and its decision to notify media organizations when links have been removed are noted in the criticism. Italian DPA the Garante has issued a prescriptive rule to Google indicating changes Google should make to its data-handling practices in order to ensure compliance with “the applicable law and EU directive.” Rocco Panetta of NCTM Studio Legale Associato writes that, “[t]his is the first measure of this kind in Europe, and it is a result of a coordinated action with other European DPAs and follows the judgment of the European Court of Justice on the right to be forgotten.” See also: [Public Vs. Private Ain’t So Easy Anymore] [US: CDT’s O’Connor Calls on WP29 To Provide Clear Rules for RTBF Claims]

EU – Falque-Pierrotin Critical of Google RTBF Response

Criticism of Google’s implementation of the right to be forgotten from European data protection authorities (DPAs) continues in a Bloomberg report, which includes comments from Article 29 Working Party (WP29) Chairwoman Isabelle Falque-Pierrotin. “There has been a climate of controversy that’s been entertained in order to maybe endanger the right to be forgotten … It has led some people to say that the right to be forgotten leads to censorship of the press, which is not the case,” she said. Her comments come a day after regulators met with officials from Google, Microsoft and Yahoo. WP29 also released the questions it asked of the companies. Luxembourg DPA Gerard Lommel said the questions will help officials draft their guidelines and provide “food for further discussions in this matter.”

EU – DPAs Unhappy With Google’s Right-To-Be-Forgotten Implementation

European data protection authorities (DPAs) are concerned about how the so-called right-to-be-forgotten decision is being implemented by Google. Regulators plan to meet with officials from Google, Microsoft and Yahoo to discuss the implementation. One particular sticking point, according to the report, is Google’s decision to remove results only on EU search engines, meaning a quick search at google.com would sidestep any takedown request. Olswang Partner Ashley Hurst said, “Google has claimed that the decision is restricted to localized versions of Google … There appears to be no basis for that claim at all.” Another concern for DPAs—including Ireland’s Billy Hawkes—is the decision to notify media organizations when links have been removed. [Reuters] UPDATE: [Google Says RTBF Compliance Is Difficult with User Discretion on “Accuracy”] and [Italy gives Google 18 months to change data use practices]

US – Privacy Groups Call on FTC to Investigate Facebook

The FTC should investigate Facebook’s plan to collect the browsing history of its users, representatives from the European Consumer Organization (ECO) and the Center for Digital Democracy (CDD) have said. The ECO’s Kostas Rossoglou and the CDD’s Jeffrey Chester sent the FTC a letter arguing the company is violating an agreement with the FTC, Bloomberg reports. The groups, which have joined forces and call themselves the Trans Atlantic Consumer Dialogue, said in a letter addressed to FTC Chairwoman Edith Ramirez they “are writing to express their deep alarm.” [Bloomberg] See also: [Slate: Facebook’s Privacy Pivot] SEE ALSO: [House Committee Questions FTC Authority]

WW – Facebook to Share Demographic Data with Nielsen

Facebook will share the age and gender of Facebook users who watch TV on their cellphones or computers with TV ratings measurement company Nielsen. The aggregated data will then be combined with other data—such as education level or relationship status, for example—to find trends among viewers of particular shows. A spokesperson for Nielsen said the data is anonymized and no personally identifiable information is transmitted between the two companies. But privacy groups are wary of the partnership; an EPIC spokeswoman said consumers aren’t aware of “the extent to which Facebook is putting their non-Facebook activity to use.” [Journal Sentinel]

WW – Schrems Launches Global Class-Action Against Facebook

Max Schrems, founder of Europe-v-Facebook and initiator of a case Irish courts recently referred to the European Court of Justice, has filed a global class-action against Facebook. Austrian law allows for a group of people to transfer their financial claims to an individual, approximating a class-action. Schrems is seeking 500 euros per Facebook user, and people can join the case by logging in with their Facebook credentials at www.fbclaim.com. He alleges the harm comes from Facebook’s complicity with the U.S. government’s PRISM program. “We have this habit of pointing the finger at the United States, but we’re not enforcing our rights anyway,” Schrems told Reuters. “If we can get a class-action through like this, it will send out a huge signal to the industry overall.” [Reuters] See also: Austria’s data retention law was struck down by the Constitutional Court of Austria, which said “it violates fundamental European privacy rights.”

WW – Cookies, Canvas Fingerprinting and Transparency

With news this week of new techniques being used to track consumers online—namely what’s being called canvas fingerprinting—Richard Beaumont writes, “The ideas behind browser and canvas fingerprinting have been around for some time now,” adding, “These techniques seem designed to get around standard browser controls that allow users to block tracking cookies relatively easily, but they also have an uncertain status with regard to the EU cookie laws.” Beaumont looks into the issue and argues why now is the time for “website owners to take responsibility themselves, in conjunction with the technology developers.” [Privacy Perspectives] [Research: The Web Never Forgets] [Canvas Fingerprinting is tracking you] [Stealthy Web tracking tools pose increasing privacy risks to users]

US – Brill Concerned About Apps Collecting Sensitive Data

App developers need to give consumers more tools and more choice over how sensitive health data is used. That’s the message FTC Commissioner Julie Brill voiced at a panel discussion. “We don’t know where that information ultimately goes,” Brill said, noting that information is sometimes shared with third parties. The FTC released the results of a study on mobile health app developers in May, finding that many share data with third parties. In an interview with Reuters after the panel, Brill said “no one is talking about new regulations,” but the FTC has also made it clear that health data requires special protection. [Full Story] See also: [UK: Free Wi-Fi – but it’ll cost you your privacy] See also: App makers thanked the FTC for COPPA clarifications. Broadcasting & Cable reports that Morgan Reed, executive director of ACT: The App Association, said the FTC’s release “gives platforms and app makers more guidance in areas where confusion has persisted.” And Sara Kloek, director of Moms With Apps, said the COPPA FAQ updates are “a major win for innovation and privacy.”

US – Netflix to Help You Hide Embarrassing Content From Your Activity Log

Netflix is testing a new privacy filter that helps users hide guilty-pleasure content from their activity log. “At Netflix we continuously test new things. In this case, we are testing a feature in which a user watching a movie or TV show can choose to view in ‘Privacy Mode.’ Choosing that option means the program will not appear in your viewing activity log, nor will it be used to determine recommendations about what you should watch in the future. Not everyone will see this and we may not ever offer it generally,” wrote Netflix’s new director of corporate communications, Cliff Edwards, in a recent press release. Netflix is currently testing the feature with a small group of subscribers across the streaming platform’s various territories. In order to access “Privacy Mode,” users have to click on a small globe icon while watching content. This activates privacy mode and doesn’t log what you’re watching in your activity feed. There’s no clear release date for the feature yet, and Netflix is apparently still unsure if it will release Privacy Mode to all users, according to Edwards. [Canada.com] See also: A federal judge authorized a subpoena to Craigslist and Amazon compelling the companies to disclose the personal details of anonymous commenters. Judge Marsha Pechman said the subpoenas would be “intended to learn the John Doe defendants’ identities including names, addresses, telephone numbers, e-mail addresses, IP addresses, web hosts, credit card information, bank account information and any other identifying information.”

Other Jurisdictions

RU – Russian Government Seeking Technology to Break Tor Anonymity

The Russian government is offering a 3.9 million-ruble (US$109,500) contract for a technology that can be used to identify Tor users. Tor was initially developed by the US Naval Research Laboratory and DARPA, but is now developed by The Tor Project, a non-profit organization. Tor is used by journalists and others who need to keep their identities hidden for their own safety; it is also used by criminals for the same purposes. The entrance fee for the competition is 195,000 rubles (US$5,500). A new “blogger law,” passed earlier this year and going into effect in August, requires bloggers with audiences of more than 3,000 readers “to register their identity with the government,” but the law could be tough to enforce if bloggers use Tor. [BBC] [ComputerWorld] [Ars Technica] [Hacking Citizen Lab] See also: [Tor Says U.S. Researchers May Have ID’d Users]

RU – Putin Signs Data Localization Bill

Russian President Vladimir Putin has signed a law requiring Internet companies to store all personal data of Russian citizens on servers located within the country’s borders. Officials at the Kremlin said the law seeks to improve “the management of personal data of Russian citizens on computer networks,” and businesses that do not comply will be blocked. The new law could stymie dissent within the country—often expressed and disseminated via social networks such as Facebook and Twitter. The Association of Electronic Communication—a group that lobbies on behalf of Internet companies—said “many global Internet services would be impossible” under the law. [ZDNET] USA News reports that Russia’s new laws could have widespread negative consequences, from a loss of anonymity for bloggers to possible limited Internet access for residents due to the localized server requirement.

WW – Other News

New Zealand Justice Minister Judith Collins announced “significant improvements to privacy laws to ensure stronger protections for New Zealanders’ personal information.” However, ZDNet cited a security expert who suggested the expected proposals “are imprecise and don’t go far enough.”

Japan is set to pass cybersecurity legislation, noting that recent cyber-attacks on Yahoo Japan, the country’s space agency, its largest defense contractor and Bitcoin operator Mt. Gox, as well as the highly publicised breach of Sony PlayStation in 2011, have all threatened the world’s third largest economy.

The Monetary Authority of Singapore has provided guidelines that “explain the extent to which financial institutions have to observe individuals’ access and correction rights whilst ensuring compliance with their duties on conducting anti-money laundering and terrorist financing checks.”

Human Rights Watch called on Tunisia to amend its draft counterterrorism law “to make it fully consistent with international human rights standards on fair trial, privacy and freedom of expression.”

Privacy (US)

US – Obama Won’t Support CISA Until Privacy Concerns Addressed

A senior Obama administration official says the Cybersecurity Information Sharing Act of 2014 (CISA), which passed the Senate Intelligence Committee earlier this month, needs to have its privacy and civil liberties protection provisions strengthened before the president will support it. “Given some issues that the privacy community has raised, we need to take that into account as we … work on the bill,” said the official. The White House hasn’t taken an official stand on CISA, which aims to help the government receive information from businesses on cyber-threats. Privacy and civil liberties advocates wrote to Obama asking that he threaten to veto the bill. [Bank Info Security] UPDATE: The Cybersecurity Information Sharing Act was passed by the Senate Intelligence Committee. Then companies and privacy groups demanded Obama reject it. Then Treasury Secretary Jack Lew called for a cybersecurity law but didn’t even mention CISA.

US – Obama to Issue Drone Privacy Executive Order

President Barack Obama plans to issue an executive order to construct privacy guidelines for the commercial use of drones operating in U.S. airspace, Politico reports. The order would put the National Telecommunications and Information Administration (NTIA) in charge of the efforts. A White House spokesman said, “We don’t have any details to share at this time, but there is an interagency process underway.” The NTIA has already developed a code of conduct for mobile apps and is currently facilitating the development of a code for the commercial use of facial recognition technology. [Politico] Meanwhile, the FAA plans to permit small drones to be used for commercial purposes after media sources, energy companies, farmers and other groups put on the pressure. An FAA spokesman said the agency is drafting rules for small drones now that will be “issued for comment late this year,” but they could take several years to finalize. Also, a New York man escalated the drone debate after allegedly illegally taking video of hospital patients with his drone and then posting it to his Facebook page. SEE ALSO: [Opinion: Why Drone Benefits Outweigh Privacy Issues]

US – Court to Hear Wyndham Appeal in FTC Case

A federal appeals court has agreed to accept hotel chain Wyndham’s petition to appeal Federal Trade Commission (FTC) vs. Wyndham Worldwide Corporation et al. to determine whether the FTC has the authority to “bring charges against companies based on their alleged failure to protect consumers’ data.” The U.S. Chamber of Commerce, American Hotel & Lodging Association and National Federation of Independent Business filed a friend-of-the-court brief in support of the appeal, stating, “Whether the FTC’s enforcement authority … extends to regulation of data security is an issue of central importance to businesses that face the prospect of being investigated by the commission.” [MediaPost] [FTC Privacy Casebook]

US – Hartzog and Solove: How Broad Should FTC’s Regulatory Powers Be?

Profs. Woodrow Hartzog and Daniel Solove have released a paper on the scope and potential of the FTC’s data protection regulatory powers. “For more than 15 years, the FTC has regulated privacy and data security through its authority to police deceptive and unfair trade practices … Recently, the FTC’s powers for data protection have been challenged by Wyndham Worldwide Corporation and LabMD,” write Hartzog and Solove in the paper’s abstract. “These recent cases raise a fundamental issue, and one that surprisingly has not been well explored. How broad are the FTC’s privacy and data security regulatory powers? How broad should they be?” [Source]

Privacy Enhancing Technologies (PETs)

US – NIST Workshop to Collocate with Privacy Academy

The National Institute of Standards and Technology (NIST) has announced its Second Privacy Engineering Workshop will be held September 15-16 in San Jose, CA, in conjunction with the IAPP Privacy Academy and CSA Congress, which kicks off September 17 in the same complex. The workshop will consider engineering definitions and concepts with the intent to inform the development of the NIST report on privacy engineering. Registration and agenda details will be available soon. Meanwhile, three researchers have released a new paper, “Privacy Mindset, Technological Mindset,” which argues that “a major obstacle for (Privacy by Design) is the discursive and conceptual gap between law and technology.” [NIST Press Release] See also: [Removing the Gap Between Privacy Engineers and Lawyers] and [Privacy Literacy for the Next Generation of Privacy Leaders: Georgetown Law Center Aims To Bridge the Gap Between Technologists and Privacy Lawyers]

US – Snowden Calls for Privacy by Design; Academics Win Award

Speaking at the Hope X conference via videolink over the weekend, Edward Snowden called on developers to build privacy protections into systems by design. He said encryption is an “important first step,” but added, “It doesn’t end at encryption; it starts at encryption.” Snowden said now’s the time “to help build a better future by encoding our rights into the programs and protocols upon which we rely … every day.” He also added that he intends to work on privacy-enhancing technology as well. In a related report, a team of Princeton and University of Texas at Austin researchers have been awarded a 2014 PET Award for their paper, “A Scanner Darkly.” The paper presents a privacy-enhancing layer to “perceptual computing.” [TechCrunch] [Snowden: NSA employees share intercepted sexts] See also: [Forbes: Forget Glass. Here Are Wearables That Protect Your Privacy]

WW – OpenPDS Would Give Users Data-Sharing Choice

A new system would allow Internet users to choose which data to share with websites and mobile apps. Prototype system openPDS—short for personal data store—stores data in a single location that users specify and then any cellphone app, online service or big data team that wants to use the data must “query your data store, which returns only as much information as is required,” the report states. In addition, the data that is shared is code instead of raw data. The MIT researchers who developed the system are now testing it with telecommunications companies in Italy and Denmark. [MIT News]

WW – Personal Robot Means Privacy Concerns, But May Be More Transparent

A new personal robot will be sold commercially in 2015. Jibo has sensors and will live in users’ homes—but that means privacy concerns such as the gathering, processing and storing of information. It also means the feeling of being observed, the report states. Users will no longer type a search phrase into a field but will instead ask the robot for help in finding information. But an advantage of Jibo is that it won’t be silently collecting data on the user and sending it back for processing at some ISP homebase; instead it will provide “visceral notice” of the collection of information—”more powerful, certainly, than any privacy policy,” the report states. [Forbes]

WW – Startup Unveils Portable, Encrypted Server

In one of the latest privacy-enhancing innovations, a UK start-up has released a portable server that comes with SSL/TLS and GPG encryption and only requires a WiFi network and AC plug to operate. The Wedg can host e-mail and cloud storage, with various levels of encryption, and is not susceptible, according to the company, to government surveillance. “Many small businesses are still using Gmail as their default e-mail solution. With a hosted service solution, the potential risk of data leakage and infiltration from other influences is great, but with Wedg, everything is hosted locally,” Wedg CEO Shehbaz Afzal said. [International Business Times] [UK: Paranoid About Online Privacy? How About a Portable Cloud Email Storage Server Instead]

WW – New E-mail Encryption Service Promises Even It Won’t Have the Keys

Enlocked has announced the release of an e-mail encryption solution that employs military-grade e-mail security. Enlocked caters to small businesses and independent professionals and aims to simplify encryption technology. The service encrypts and decrypts messages on users’ computers locally with a key, and the messages can only be unlocked with the users’ secure passphrases, which even Enlocked won’t know, according to a press release. Meanwhile, in response to a recent BlackBerry blog post criticizing encrypted phone Blackphone’s approach to privacy, CEO Toby Weir-Jones has fired back. [Source]

EU – Old Technology in the Modern Age: Typewriter Sales Surge in Germany

German typewriter makers such as Bandermann and Olympia have cited climbing sales amid NSA spying revelations. Meanwhile, Olympia spokesperson Andreas Fostiropoulis told Wirtschaftswoche magazine that the company expects typewriter sales to hit a 20-year high in 2014. German defense contractor Diehl switched from computers to typewriters last year. Earlier in July, German politicians said they were considering going back to old-fashioned manual typewriters for confidential documents, in order to protect national secrets from American NSA spooks. [nationalheadlines.co.uk]

US – New App Promises Privacy

Washington: Are you worried that your messages or pictures are not deleted completely after you send or receive them? Here comes a messaging app that promises to provide you the much-sought-after privacy by removing all your messages – texts, pictures or videos – after you send or receive them. Called Wiper, the app can delete anything sent or received. If you are having a chat and want it removed, all you have to do is select “Wipe” from within a chat. The messages – whatever they might be – are also removed from Wiper’s servers. If you make a call using Wiper, your call logs are also deleted, leaving no trace of any interactions you may have via the service, Slash Gear reported. Wiper says you can send text, videos, pictures or anything else via a closed system. This free-to-use app is available on both the App Store and Google Play. [Source]
WW – Spear Phishing on the Rise; Old Passwords Might Not Be So Bad

A recent security report from Symantec reveals a 91% increase in spear phishing attacks from 2012 to 2013, prompting TechInsurance CEO Ted Devine to offer some prevention tips for small businesses. “A single e-mail opened by an unsuspecting employee can undo months of work,” he said. “And once a hacker gains access, the financial consequences can be significant.” Meanwhile, Ars Technica reports researchers say traditional password best practice—”long, randomly generated passwords”—is not “feasible in practice” for lower-value accounts. More broadly, however, less valuable accounts may not need complex passwords, according to the report. [Source] SEE ALSO: [Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts].

WW – Researchers Find USBs Dangerous at Their Core

While many computer users often depend on USBs to easily transport data, there are more risks to using them than just the fact that they sometimes carry malware infections. The risk is built into the core of how they work, according to security researchers Karsten Nohl and Jakob Lell, who plan to present their findings next week. The researchers created a malware called BadUSB, which can be installed on a USB device to take over a PC and invisibly alter files or redirect users’ Internet traffic. And it doesn’t live in the thumb drive’s memory; it lives in the firmware itself. [WIRED]

WW – Exploring the Risk-Based Approach in Practice

The Centre for Information Policy Leadership at Hunton & Williams recently released a whitepaper on the risk-based approach, exploring how to improve its effectiveness in practice. “The whitepaper explores the fundamental question of how the ultimate purpose of privacy laws—to protect individuals from both tangible and intangible harm—can be achieved more effectively in the modern information age.” Issues explored in the paper include the potential benefits and applications of the risk-based approach in addition to the challenges and questions that face such a paradigm. [Hunton & Williams’ Privacy and Information Security Law Blog]

WW – Google Reveals Top Security Hackers

Google is publicly revealing “Project Zero,” its team of security researchers whose mission is to track down and neutralize “the most insidious security flaws in the world’s software,” hackable bugs known as “zero-day vulnerabilities.” Such bugs can be exploited by criminals and “state-sponsored hackers” for spying. One of the team’s members is George Hotz, who cracked AT&T’s iPhone lock back in 2007 when he was 17 years old. The team is encouraged to expose any zero-day software, not just those in Google products, “with the aim of pressuring other companies to better protect Google’s users,” the report states. [WIRED] See also: [Here’s How Easy It Could Be for Hackers to Control Your Hotel Room]

Smart Cards

AU – NSW Opal Card Raises Privacy Concerns

Australia’s spy agency could get its hands on the home address and travel history of NSW commuters using the state’s Opal card, a civil liberty group warns. The pay-as-you-go card, which can be used on trains, buses and ferries across the state, has been promoted by the Baird government as a way of saving travellers time and money. But Stephen Blanks, president of the NSW Council for Civil Liberties, says the Opal card’s privacy policy allows personal information of cardholders to be forwarded to law enforcement agencies without the need for a warrant. “It’s entirely up to the internal decision making of Transport NSW to whether or not information requests (from law enforcement agencies) will be complied with,” he told AAP on Tuesday. “Typically, they’ll comply with all requests.” [news.com.au] SEE ALSO: Australian AG George Brandis indicated that requiring ISPs “to retain customer data for up to two years for access by law enforcement agencies is under ‘active consideration’ by the government.” And the Australian Parliament’s House Standing Committee on Social Policy and Legal Affairs issued “Eyes in the Sky: Inquiry into drones and the regulation of air safety and privacy,” outlining “possible shortcomings of the current privacy regime,” among other things.
US – Artists, Writers to Congress: Mass Surveillance Is Censorship

A group of notable writers and artists has written an open letter to U.S. Senate leaders urging Congress to act to end mass surveillance, arguing its threat to “our most cherished democratic ideals” and “constitutional international human rights to free expression and privacy.” “Mass surveillance is censorship,” the group writes, citing an October 2013 survey of members of PEN—an international association of writers—that found one in six were refraining from writing or speaking on certain topics because of fears about NSA surveillance. “Congress must act now to protect our freedom to speak, think, write and create freely—and in private,” the authors write. [Full Story] SEE ALSO: the UN called government surveillance “almost certainly illegal.” A “damning but cautiously phrased report,” recommended that governments review national laws and policies to assess whether they are in line with international human rights law. [UN human rights report blows apart governments’ pro-surveillance arguments] Also: [Blacklisted: The Secret Government Rulebook For Labeling You a Terrorist]

US – Senator Introduces “Historic” Surveillance Reform Bill

Sen. Patrick Leahy (D-VT) introduced legislation this week that would bring extensive reforms and increased transparency to U.S. surveillance capabilities. “If enacted,” Leahy said, “this bill would represent the most significant reform of government surveillance authorities since Congress passed the USA PATRIOT Act 13 years ago,” noting the bill has support from the White House, several privacy groups and the technology industry. Meanwhile, the New America Foundation’s Open Technology Institute has released a report outlining some of the “collateral damage” caused by the widespread knowledge of the NSA programs, and a CyberArk survey indicates 68 percent of businesses have changed their security strategies in light of the NSA leaks and recent breaches.

UN – Gov’t Surveillance “Almost Certainly Illegal”

The United Nations (UN), “in a damning but cautiously phrased report,” recommends that governments review national laws and policies to assess whether they are in line with international human rights law. UN High Commissioner for Human Rights Navi Pillay said, “The very existence of a mass surveillance programme creates an interference with privacy,” adding, “The onus is on the state to demonstrate that such interference is neither arbitrary nor unlawful.” Meanwhile, two UK electronic surveillance programs were publicly debated on Tuesday, according to The Wall Street Journal. Members of the UK Parliament voted 498 to 31 to approve the “Data Retention and Investigatory Powers” bill. [GigaOM]

WW – Sleep Sensor Promises to Keep Bedroom Data Safe

Sense, a device promising to help people sleep better by tracking everything that happens at night in their bedrooms, raised $500,000 almost instantly on crowd-funding website Kickstarter this week, Forbes reports. Sense works when users attach movement-sensing “sleep pills” to their pillows that know when they go to bed and when they actually sleep. A microphone collects five-second sound snippets at a time, which are sent back to Hello Inc., the company that created Sense, so users can play back the sounds the next morning to know what may have disturbed them in the night. CEO James Proud said the company understands the privacy concerns and is aiming for full transparency on its data uses. [Full Story]

WW – Snowden on Cloud Service Providers and Naked Photos

In a recent media interview, Edward Snowden discussed cloud storage services and how some do a better job protecting user data from government surveillance than others. Snowden said Dropbox is “hostile to privacy,” while calling for more services that provide users with zero-knowledge systems whereby the service provider hosts and processes the information for its customers without actually having access to it themselves. Snowden said SpiderOak is one such service. In the same video interview, Snowden also alleged U.S. National Security Agency employees often share intercepted sexts—”an intimate nude photo of someone in a sexually compromising situation,” he said. Snowden said such privacy violations go unnoticed by oversight authorities “because the auditing is so weak.” [The Guardian]

US – PCLOB Expected to Investigate EO 12333

The Privacy and Civil Liberties Oversight Board (PCLOB), which has already conducted investigations and produced reports on sections of the USA PATRIOT Act and Foreign Intelligence Surveillance Act, is expected to focus its efforts on investigating a little-known but powerful U.S. intelligence mandate: Executive Order (EO) 12333. EO 12333 has no oversight and very little congressional review. EO 12333, which was originally issued in 1981 by President Ronald Reagan, specifies that the National Security Agency has control of signals intelligence collection overseas. However, the nature and scope of the collection have not yet been made public. [The Washington Post]

FI – ‘Big Brother’ Airport Installs World’s First Real-Time Passenger Tracking System

Civil liberty groups criticise a new tracking device at Helsinki Airport that can monitor passengers’ footsteps, from arrival at the car park to take-off. All mobile phones logged into the Wi-Fi network at Helsinki Airport will be monitored by an in-house tracking system that identifies passengers’ real-time movements. The technology has been criticised by privacy advocate groups, but is said to be aimed at monitoring crowds and preventing bottlenecks at the airport, which sees around 15 million passengers a year, Bloomberg reports. Currently in its initial phase, the full tracking system is expected to be in place by the end of this year, which could enable shops to specifically target passengers within their vicinity, such as a deli alerting a passenger walking by of a certain item on sale. All data collected is said to be in aggregated form, preventing any personal information from being seen by Finavia Oyj, the Finnish Civil Aviation Administration operating the airport, as the software discards any unique identifiers of devices, claims Tuomas Wuoti, the CEO at Walkbase. But software security analysts find it hard to believe “location tracking is only left at statistics” levels. [The Telegraph]

US – New York Knows Where Your License Plate Goes

In a crime-fighting tactic that sets civil libertarians’ teeth on edge, police in Monroe County and other urban counties across New York state are collecting and archiving tens of millions of records that track vehicle movement. The records are stored in a series of loosely connected secure computer servers, accessible directly or indirectly by police from one end of New York to the other and by federal Homeland Security officials. Each of the records, which are gathered by license plate cameras mounted on police cars or at fixed locations, includes a photograph and the time and place that a particular vehicle was imaged. Strung together, the records can paint a picture of where a person has traveled — whether to the scene of a crime, a doctor’s office or to church. The system can instantly alert patrol officers of a “hit” on a stolen car or, more often, a vehicle whose registration has lapsed and is ripe for ticketing. Stored records also can be accessed later as part of criminal investigations. [Rochester Democrat & Chronicle]

Telecom / TV

WW – New App Brings Free Encrypted Calling to iPhones

Open Whisper Systems, an open-source software group, has announced the release of Signal, a free iOS app allowing users to easily encrypt calls. Similar to Silent Circle, Signal uses ZRTP encryption and both the calling and receiving parties must have the app installed. But while Silent Circle is paid for by users, Signal will be funded by donations and government grants. Open Whisper’s Moxie Marlinspike says two main priorities are call quality and ease of use, adding, “The hard part is developing a product that people are actually going to use and want to use.” While he admits “there are always unknowns,” Marlinspike says Signal’s security protections relating to eavesdropping are “probably pretty great.” [WIRED]

WW – Apple iOS Diagnostics Tool Could be Exploited to Access Personal Data

Diagnostic services built into Apple’s iOS mobile operating system could be used to access personal data in iPhones. The services, which Apple says are designed for engineers, are not documented. Apple says that the feature was not designed to let the NSA access data in the devices. [Reuters] [The Register]

BR – Brazilian Telco Oi Fined $1.59 Million for Privacy Violations

Brazilian telecommunications firm Oi has been fined $1.59 million (3.5 million reais) for violating users’ privacy. The Consumer Protection and Defense Department (DPDC) fined the company after it found it had sold consumer browsing data to third parties. “The company, under the pretext of improving the browsing experience, hid from customers essential information about the service and its implications for privacy and the safety of their personal data,” said DPDC Director Amaury Oliva, adding, “At no time were customers told that their browsing would be monitored by the company and that their profile would be sold to advertising companies.” [EFE]

US – Class-Action Claims iPhones Spy on 100 Million Users

A class-action lawsuit filed in federal court alleges Apple uses the location service function on iPhones to spy on customers and give their private information to third parties. Chen Ma, the lead plaintiff, has sued on behalf of approximately 100 million iPhone users alleging privacy violations. “In or around September 2012, Apple released iPhone 4, which contains an iOS operating system software that enables iPhone 4 to track its users’ whereabouts down to every minute, record the duration that users stay at any given geographical point and periodically transmit these data stored on the users’ devices to Apple’s database for future references,” the complaint alleges. [Courthouse News Service]

US Legislation

US – Tech Companies Support Strengthened Leahy NSA Reform Bill

Sen. Patrick Leahy (D-VT) introduced the USA FREEDOM Act, and proponents “lined up … to praise the bill.” Leahy sought input from the tech industry, privacy groups and the Obama administration, and the bill is being lauded as a compromise by all of those groups. A previous version of the bill, after being gutted, passed in the House but lost the support of the tech industry due to the revisions. The current version includes curtailing bulk data collection, setting rules for the destruction of irrelevant information and creating congressional oversight. Jennifer Granick of the Stanford Center for Internet and Society notes, however, that while it does most of what civil liberties groups and others have asked for, it fails to address FBI surveillance. [TechCrunch]

US – Missouri to Vote on Digital Privacy; State Sen. Aims to Protect SSNs

While the U.S. Supreme Court recently upheld privacy protections against police searches of cell phones, Missouri voters will decide next week on a ballot measure that would require police to obtain a warrant before searching or seizing “electronic communications and data,” including cellphones, emails and flash drives. Meanwhile, a Missouri senator has introduced a measure he believes will garner bipartisan support that would end the state’s practice of posting death certificates 50 years and older online with Social Security numbers readable. Sen. Paul LeVota (D-Independence) said the Office of the Secretary of State has indicated it wouldn’t be opposed to changing the law. [Associated Press] [US: Voters to decide on electronic privacy]

US – NY Legislature Approves “Revenge Porn” Bill, Awaits Governor’s Approval

The New York legislature has passed a revenge porn bill that is now headed to the governor’s desk for signature. [Rockland County Times] SEE ALSO: [Sweden’s justice minister announced the appointment of an investigator to produce a report on online slander, particularly revenge porn]. See also: Rhode Island passed a social media privacy law, and revenge porn laws went into effect in Colorado and Idaho. The Massachusetts Senate passed a social media bill protecting students and job applicants from having to disclose online account information; it now heads to the governor for signature.

US – Sens. Introduce Bill to Update FERPA

Sens. Ed Markey (D-MA) and Orrin Hatch (R-UT) introduced the Protecting Student Privacy Act, which would update the Family Educational Rights and Privacy Act, on Wednesday. The proposed legislation “clearly spells out information security practices and data responsibilities for both education institutions and outside parties.” The bill would also tie educational funding to whether schools follow the bill’s provisions, the report states. Schools that include personally identifiable information when unnecessary, don’t require third parties to destroy data that is no longer needed and don’t implement security policies to protect sensitive data would not receive funding. [Government Technology] See also: [Education Data Frontiers: Industry Could Provide the Answers]

Workplace Privacy

CA – Remote Staff Never Out Of Employer’s Eye

While studying history at the University of Waterloo in Waterloo, Ont., Tim Lichti started a lawn-cutting company and felt a need to get a better handle on tracking his workers as they moved from job site to job site. So he went looking for ideas, and in the process developed what would eventually become Breadcrumbtracking.com. Guided by the principle that staff are usually the biggest cost for almost any company, Mr. Lichti realized the importance of understanding how those resources are being deployed. Breadcrumbtracking.com developed an app that works with almost any mobile device and provides employers with an almost instant update on where their staff are at any given moment during the workday, and how long they are spending on particular tasks. The app isn’t just for lawn maintenance businesses – it can be used by any company that has remote employees. Workers have to clock in and out on the app, so it also allows managers to easily record hours worked for payroll purposes, and the app also allows time- and date-stamped pictures to be uploaded, which aids in time-specific jobs. Waterloo-based Breadcrumbtracking.com is also developing software that permits mobile workers to process invoices, estimates and payments on the road. [The Globe and Mail]
