01–15 July 2014

Biometrics

US – FBI Facial Recognition Not on Par with Facebook?

The FBI is planning to deploy its own facial recognition system, which will centralize millions of photos in one federal database, this summer and to have it reach all 50 states by year’s end. But the Electronic Frontier Foundation has found the system, called Next Generation Identification, isn’t as efficient as may have been expected. Facebook’s DeepFace system, however, operates at 97% accuracy, meaning “the nation’s most powerful law enforcement agency is getting outgunned by a social network.” One biometrics expert says while plenty of facial-recognition contractors promise near-human capabilities, “the difference between a human brain and a computer brain is huge.” [The Verge]

WW – New Google Glass App Reads Brainwaves, Translates Them to Action

A new app aims to kickstart a more seamless way of interacting with Google Glass. MindRDR links with Google Glass with a biosensor—which is mounted on the user’s head—to create a “communication loop.” The biosensor picks up on brainwaves that correlate to the user’s ability to focus. Then, those brainwaves are translated to a meter reading that “gets superimposed on the camera view in Google Glass. As you ‘focus’ more with your mind, the meter goes up, and the app takes a photograph of what you are seeing in front of you,” the report states. The technology may be used to train people to concentrate better or for medical applications for users with mobility problems, among other uses. [Tech Crunch]

CA – Facial Recognition with Biometric Encryption in Match-on-Card Architecture for Gaming and Other Computer Applications

A facial recognition system with biometric encryption using match-on-card (“MOC”) technology has the following advantages – the MOC technology allows the secure storage and processing of biometric data within a tamper-resistant secure module of a device which is in the user’s possession (including smart cards, USB flash drives, and certain types of smartphones), the system cannot be linked with other databases that store biometric keys (“BK”) since a BK generated for the same user will be completely different, the host stores a BK that is generated from a biometric that cannot be reverse engineered, and the smart card cannot be loaned to another user because the BK will not be valid. [Source] and also: [IPC ON – Privacy by Design Solutions for Biometric One-to-Many Identification Systems]

Big Data

WW – De-ID Is Not Sufficient: Scholars

Scholars at Princeton University say data de-identification tools aren’t sufficient to ensure privacy. Asst. Prof. Arvind Narayanan and Prof. Ed Felten have published an academic paper, “No Silver Bullet: De-identification Still Doesn’t Work,” poking holes at the methodologies of a paper published last month by researcher Daniel Castro and former Ontario Information and Privacy Commissioner Ann Cavoukian that claimed the opposite , the report states. Felton and Narayanan list eight problems with Castro and Cavoukian’s paper. “There is no evidence that de-identification works either in theory or in practice and attempts to quantify its efficacy are unscientific and promote a false sense of security,” they write. Meanwhile, Zach Wener-Fligner writes on “why you may never be truly anonymous in a big data world.” [IT News] and also: [De-identification Protocols: Essential for Protecting Privacy – Ann Cavoukian, Ph.D., Information and Privacy Commissioner, Ontario, and Khaled El Emam, Ph.D., Canada Research Chair in Electronic Health Information, University of Ottawa]

EU – EDPS Report: Ensuring More Effective Data Protection in an Age of Big Data

The new E.U. legal framework will require data controllers to verify if any consent relied upon was valid, and that other legal grounds relied upon are also sound and convincing; this requirement will apply to the use of big data technology, and whenever personal data is processed in that context. The new framework will deliver stronger rights for data subjects, responsibilities for data controller, and supervision and enforcement of data protection rules across the EU; it will provide for strong sanctions (up to millions of euros) for the most serious cases. [Source] and see: [Using Privacy by Design to Achieve Big Data Innovation Without Compromising Privacy – Ann Cavoukian, Ph.D., Information and Privacy Commissioner, Ontario, and David Stewart and Beth Dewitt, Deloitte] and also: [A Risk-Based Approach to Privacy: Improving Effectiveness in Practice – Center for Information Policy Leadership, Hunton and Williams LLP] and [The Scored Society: Due Process for Automated Predictions – Danielle Keats Citron and Frank Pasquale, University of Maryland School of Law – Social Science Research Network]

Canada

CA – Ottawa Prepares to Share Personal Data with Foreign Governments

The Conservative government has given itself broad new powers to share Canadian immigration files and other information with foreign governments – a practice that could have far-reaching implications for individuals who cross borders. The powers are included in Bill C-24, an overhaul of citizenship law passed last month, though have drawn little attention. The changes amend the Citizenship Act to allow Stephen Harper’s cabinet to draft regulations “providing for the disclosure of information for the purposes of national security, the defence of Canada or the conduct of international affairs,” including under international deals struck by Citizenship and Immigration Minister Chris Alexander. The police and our security agencies are clearly gaining warrantless access to customer information that allows them to identify us and our activities online and probably more. Cabinet will also now be permitted to allow the “disclosure of information to verify the citizenship status or identity of any person” to enforce any Canadian law “or law of another country.” Ottawa contends the final regulations are still being developed and will comply with Canadian law. However, critics warn the changes could lead to Canada sharing citizenship and immigration details with foreign countries, whether verified or not, without oversight. [The Globe and Mail] See also: [Allegations of widespread bugging at Saskatoon jail] and also: [OIPC BC – Special Report: A Failure To Archive – Recommendations To Modernize Government Records Management] and also: [OIPC BC – Updated Guidance on the Storage of Information Outside of Canada by Public Bodies]

CA – Canadians Report 1,000 Anti-Spam Law Violations

More than 1,000 complaints have been filed since the new anti-spam law took effect, says Manon Bombardier, the CRTC’s chief compliance and enforcement officer. Hundreds of reports have been submitted daily at fightspam.gc.ca and investigators are already at work looking into whether companies have violated the new law.Consumers who wish to report unwanted spam emails can forward messages to spam@fightspam.gc.ca or fill out an online form to register a complaint. “We’re going to look at all the complaints we receive,” Bombardier says. “We will be strategic in which ones we pursue for investigations but we will review all the complaints.” [The Canadian Press] See also: [Office of the Privacy Commissioner of Canada – Personal Information Retention and Disposal: Principles and Best Practices]

CA – A Review of CSEC SIGINT Information Sharing With Second Parties

The Minister of National Defense (the “Minister”) should issue a new ministerial directive to provide general direction to Communications Security Establishment Canada (“CSEC”) on its foreign signals intelligence information sharing activities with its second partners (the US, UK, Australia, and New Zealand), and set out expectations for the protection of the privacy of Canadians in the conduct of those activities. The CSEC Commissioner should report annually to the the Minister the number of one-end-in-Canada second-party-collected communications it acquires from its second partners. [A Review of CSEC SIGINT Information Sharing With the Second Parties – File #2200-79 – Office of the Communications Security Establishment Commissioner]

CA – A New Possibility for Security and “Privacy by Design”: Fault-Free Software

“Semantic analysis” is a new approach to ensuring software accuracy that analyzes code statements with formal logic rules to ensure the software is semantically correct and output data is tracked backwards through the logic to ensure it is consistent with the input data set; this approach can be used to achieve Security and Privacy by Design by identifying the presence of malware (semantic analysis can generate a functional signature, where any departure from that signature can be flagged) and addressing privacy issues (e.g., if output data sets are constrained to exclude personal information, the program logic can be tested to ensure it correctly handles an occurrence of PI in the input data set). [Source]

Consumer

US – Senator Wants Answers from Facebook

Sen. Mark R. Warner (D-VA) has asked the FTC to provide more details about Facebook’s emotion contagion study and to determine whether the company violated any existing law or its consent agreement with the agency. Meanwhile, in a separate story, Future of Privacy Forum Executive Director Jules Polonetsky writes about anti-behavioral advertising group Some of Us and its criticism of Facebook’s use of targeted ads. Upon looking at the group’s privacy policy, Polonetsky found the group “does exactly what it is calling on its users to protest to Facebook,” allowing tracking by some of the ad industry’s largest data brokers and placing users on an e-mail list for future use. [Forbes] See also: [European Regulators Looking Into Facebook Study] and [Canada: Facebook emotion study examined by privacy commissioner] and [Privacy vs. Personalization – The Creepy Side of Small Business CRM] and, finally: [Prepared Statement of Woodrow Hartzog to the Committee on Oversight and Governmental Reform Regarding the FTC and its Section 5 Authority] [Prepared Statement of Gerard M. Stegmaier to the Committee on Oversight and Governmental Reform Regarding the FTC and its Section 5 Authority] and finally [FTC v. Wyndham Worldwide Corporation, et al. – Memorandum Opinion and Order – United States District Court for the District of New Jersey]

US – Retail Breaches Making Customers Wary

Two surveys reveal that recent breaches are making consumers think twice about where they shop and how they pay for products. The Consumer Data Insecurity Report from the National Consumer League (NCL) notes consumers are increasingly blaming retailers for compromised credit cards and are changing services because of that. Security Matters: Americans on EMV Chip Cards states that nearly two-thirds of U.S customers are more likely to pay in cash after a breach. Nearly 60 percent of the fraud victims surveyed in the NCL study said their trust in retailers has significantly decreased. [Dark Reading]

AU – Psychologists Warn Lack of Privacy May Put Students at Risk

School counsellors in NSW independent schools fear students will avoid seeking help or talking openly about their problems because principals can now demand access to their confidential files, the Australian Psychological Society (APS) has warned. A new national privacy manual for independent schools says a principal can access a counsellor’s files “in the same way as he or she may call for the records made by any other school employee which relate to school matters”. It also says that if a student did not accept this, they would need to seek counselling elsewhere. The APS has warned the policy could have a devastating impact on students but the Association of Independent Schools of NSW says principals have no interest in prying into the private lives of students or their families and have an obligation to ensure the wellbeing of all students in their care. [The Sydney Morning Herald]

E-Mail

US – Goldman Sachs Wants Google to Delete Misdirected E-mail

To prevent what it calls a “needless and massive” breach of privacy, the Goldman Sachs Group is asking Google to delete an e-mail containing “highly confidential brokerage account information” that was mistakenly sent to a Gmail account. Goldman Sachs has filed a complaint with a New York state court and says Google “appears willing to cooperate” if that order is issued. The bank said, “Emergency relief is necessary to avoid the risk of inflicting a needless and massive privacy violation upon Goldman Sachs’ clients and to avoid the risk of unnecessary reputational damage to Goldman Sachs.” [Reuters] See also: [In The Matter Of A Warrant For All Content And Other Information Associated With The Email Account xxxxxxx@Gmail.com Maintained At Premises Controlled By Google, Inc. – Memorandum Opinion – U.S. District Court for the Southern District of New York] and [In the Matter of a Warrant to Search a Certain Email Account Controlled and Maintained by Microsoft Corporation – Government’s Brief In Support Of The Magistrate Judge’s Decision To Uphold A Warrant Ordering Microsoft To Disclose Records Within Its Custody And Control – U.S. District Court Southern District Of New York]

CA – Onslaught of E-mails: CASL’s Unintended Consequence

“In recent weeks, Canadians have been inundated with e-mails from retailers, manufacturers, nonprofits, even government agencies—all rushing to verify that people actually want their accounts flooded with deals, discounts, announcements or anything with a whiff of commerciality, useful or otherwise,” describing the phenomenon as “the unintended by-product of a new Canadian law designed to de-clutter inboxes.” Canada’s Anti-Spam Legislation (CASL) is now in effect, and senders of commercial electronic messages to Canadians—regardless of where the senders are located—must verify recipients’ consent, thus spurring the proliferation of e-mail requests in the weeks before July 1. [The New York Times] See also: [Geist: In Defence of Canada’s Anti-Spam Law, Part Two: Why the Legislation Is Really a Consumer Protection and Privacy Law in Disguise]

Electronic Records

WW – Human Care Systems Taps Perspecsys for Cloud Compliance

Human Care Systems (HCS), which designs and delivers patient, physician and pharmacist support services for some of the top pharmaceutical companies globally, has selected Perspecsys AppProtext Cloud Data Protection Gateway to secure patient medical data. Andrew Taff, director of operations and technology at HCS, said the selection was made in order to “meet strict EU data residency and privacy compliance requirements while recording, storing and processing patient treatment and medical data in the cloud.” The system will allow HCS to retain confidential and sensitive patient medical data within their “local regional data center” while transferring only “surrogate token values” to the cloud platform, according to a press release. [Big News Network]

Encryption

US – Survey: More Than One-Third of Respondents Not Using Encryption

A Voltage Security survey conducted at a recent European IT security exhibition found “nearly 36% of IT security professionals admit to sending sensitive data outside of their organisations without using any form of encryption to protect it.” Voltage CTO Terence Spies commented, “This statistic is cause for alarm, particularly given that encryption provides protection for companies against cyber criminals, competing companies and even governments; it is the key to keeping sensitive data away from prying eyes.” The survey included responses from 200 IT professionals, the report states. [Information Age]

UK – Jail Time for UK Man Who Refused to Surrender Crypto Keys

A UK man has been sentenced to six months in jail for refusing to surrender cryptographic keys to police. Computer science student Christopher Wilson was asked to provide police with keys to unlock his computer because he is suspected of breaking into the Northumbria Police website and attempting to break into the website of the Serious Organised Crime Agency. [The Register]

WW – Microsoft Flips Switch on New Webmail Encryption

Microsoft has pulled back the curtain on its implementation of tougher encryption standards for Web-based email and some cloud services, the company announced. In the works for more than six months, Microsoft has now activated Transport Layer Security encryption (TLS) for its webmail services at Outlook.com, Hotmail.com, Live.com, and MSN.com. This means it will be significantly harder for email originating from and being sent to a Microsoft account to be spied on, as long as the connecting email service also uses TLS. Matt Thomlinson, vice president of Microsoft’s Trustworthy Computing division, said that this work is part of a “comprehensive engineering effort to strengthen encryption.” “This effort also helps us reinforce that governments use appropriate legal processes, not technical brute force, if they want access to that data,” he said. [CNET]

EU Developments

UK – Britain Unveils Emergency Laws to Keep Email, Phone Data for Security

Britain said it would rush through emergency legislation to force telecoms firms to retain customer data for a year, calling the move vital for national security following a decision by Europe’s top court. Communication companies had been required to retain data for 12 months under a 2006 European Union directive but this was thrown out in April by the European Court of Justice on the grounds that it infringed human rights. Britain’s coalition government said the scrapping of that directive could deprive police and intelligence agencies of access to information about who customers contacted by phone, text or email, and where and when. Prime Minister David Cameron said it was vital these powers were not compromised at a time of growing concern over Britons travelling to Iraq and Syria to join militant Islamist groups. Those concerns prompted the government to take the unusual step of announcing fast-track legislation which, under a deal brokered behind closed doors between Britain’s three major political parties, could become law as soon as next week. [Reuters]

UK – Parliament Fast Tracking Emergency Data Retention Law

The UK government is pushing emergency legislation through Parliament that will require telecommunications service providers to store communications metadata for up to one year. All three major political parties have expressed their support of the measure. Prime Minister David Cameron says the law does not create new surveillance powers. The Data Retention and Investigation Powers Bill is being rushed through Parliament because in April, the European Court of Justice overturned the EU Data Retention Directive on the grounds that it “interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data.” [BBC] [v3.co.uk] [ZDNet]

UK – ISPs, Nonprofits File Legal Complaint Against Spying Practices

Seven Internet service providers, along with nonprofit groups from multiple countries, have filed a legal complaint against British spy agency GCHQ. The groups allege the organization illegally hacked into the computers of Internet companies to access their networks. The complaint was filed with the Investigatory Powers Tribunal and calls for an end to GCHQ’s targeting of system administrators to gain access to the networks of service providers for the purpose of mass surveillance. It also alleges GCHQ paired up with the U.S. NSA to target exchange points operated by three German companies, in violation of international law. [Wired] See also: [Report: NSA targeted German privacy activist]

EU – BCRs Gain Momentum with Article 29 WP Endorsement

Phil Lee discusses the Article 29 Working Party’s letter to the European Parliament illustrating the clear support that Binding Corporate Rules (BCRs) for processors have and will continue to have from the Working Party. BCRs are an “optimal solution to promote the European principles of personal data abroad,” said Working Party Chair Isabelle Falque-Pierrotin. The letter is “representative of a growing trend for global organizations to seek BCR approval in preference over other data export solutions,” Lee writes, noting there were 19 BCR-approved organizations in 2012 compared with 53 today. [Fieldfisher]

EU – EDPS Opines on the Transfer of Personal Data to 3rd Countries and International Orgs

The following are considered adequate safeguards when transferring personal data to an inadequate country – a third party beneficiary clause, clarification of the exporter and importer’s obligations (such as requirement to respond to enquiries, provide a copy of the clauses to the data subject, and submission to reviewing, auditing), a liability clause, obligation of the importer to communicate security breaches to the exporter, details of governing law, information about cooperation with supervisory authorities, and power of the data protection authority to block or suspend the transfers. [Opinion] [Press Release: European Commission – Cloud Service Level Agreement Standardisation Guidelines] [Guidelines]

EU – Germany Gives Berlin CIA Chief the Boot Over Spying Allegations

Germany has told the U.S. CIA station chief in Berlin to leave the country after two suspected U.S. spies were unearthed. The revelations follow allegations that Chancellor Angela Merkel was among the many Germans whose mobile phones were bugged by U.S. agents. “Spying on allies … is a waste of energy,” Merkel said. “We have so many problems, we should focus on the important things.” German authorities say they are investigating a government employee suspected of spying on confidential government affairs and have seized evidence including computers and several data storage devices. [Reuters]

EU – Privacy Pro to Head European Marketing Trade Group FEDMA

For the first time, a privacy officer will be the chair of a major European trade body. The Federation of European Direct and Interactive Marketing (FEDMA) has announced Sachiko Scheuing, the European privacy officer at Acxiom, has been elected to the post alongside Director General of the Dutch Marketing Association Diana Janssen. The two will serve a three-year term in an effort to further FEDMA’s pursuit of helping the marketing industry to use data in an ethical way and to ensure that both consumers’ and marketing organizations’ needs are met. [The Privacy Advisor].

EU – Reding Leaves European Commission To Become MEP

Four European Commissioners—including Viviane Reding—left their jobs after being elected to the European Parliament. Formerly the commission’s justice commissioner, Reding is now Luxembourg’s MEP, the report states. The other commissioners who have left their posts to become MEPs include former economics commissioner Olli Rehn of Finland, industry commissioner Antonio Tajani of Italy and Janusz Lewandowski, of Poland, who was previously in charge of the EU budget. Jose Manuel Barroso, outgoing head of the commission, “said their portfolios will be temporarily taken over by other commissioners, pending the hearings and appointment of their successors,” the report states, noting, “Austria’s Johannes Hahn, responsible for regional policy, will also look after justice and fundamental rights.” [EU Observer]

Facts & Stats

CA – Most Alberta Freedom of Information Requests Get No Results

Two out of three Albertans who ask for government records using a freedom of information request get nothing, a Journal analysis shows. A review of nearly two decades of data revealed a majority of people who request provincial records are told documents “do not exist.” Fewer than two in 10 will get some of the information they wanted, and fewer than one in 10 will get everything they asked for. Information and privacy commissioner Jill Clayton said the findings are “concerning,” and she will review the issue as part of her ongoing investigation into Alberta’s freedom of information system. [Edmonton Journal] See also: [Nova Scotia: New FOIPOP review officer appointed for province] and [NB: Hospital privacy breach report set for release]

Filtering

WW – Microsoft Preps for RTBF; DPAs Prep for Refusals

In response to the recent EU high court ruling, Microsoft plans to join Google in rolling out an online takedown form to delink personal information. “Developing an appropriate system is taking us some time,” the company said. “We expect to launch a form through which users can make requests soon.” Data protection authorities in the EU plan to meet next week to commence work drafting “procedural guidelines” for handling complaints about search engines’ refusals of takedown requests. [The New York Times]

Finance

US – Federal Court Dismisses FINRA Privacy Case

A U.S. District Court judge has tossed a privacy lawsuit by a former broker who alleged public disclosures by the Financial Industry Regulatory Authority (FINRA) violated his privacy rights. Alan Santos-Buch sued FINRA for making details of a 1997 case against him public on its website and in a regulatory document. He said such public disclosures have made it difficult for him to get a job. However, the judge ruled the case failed to raise “substantial constitutional questions” that would allow it to proceed, noting in a 21-page opinion, “Santos-Buch has failed to allege any facts establishing that irreparable injury may occur without immediate judicial relief.” [Reuters]

FOI

EU – EU Court Orders More Transparency of Anti-Terror Program

The Court of Justice of the EU (CJEU) has ordered that EU institutions be more transparent about negotiations over transferring EU citizens’ banking data to U.S. anti-terrorism authorities. In 2001, the U.S. Terrorist Finance Tracking Program had ordered the Society for Worldwide Interbank Financial Telecommunication to share financial transactions via its U.S. operating center. Of the recent CJEU ruling , Dutch MEP Sophie in ‘t Veld said, “The court clearly states that transparency is a prerequisite for a truly democratic Europe. The European Union must develop from a Europe of diplomats, discretion and confidentiality to a Europe of citizens, administrative transparency and trust.” [PC World]

US – FOIA Lawsuit Seeks Documentation of Intelligence Agency Flaw Stockpiling

The Electronic Frontier Foundation (EFF) has filed a Freedom of Information Act (FOIA) lawsuit for information about US intelligence agencies’ stockpiling of security flaws. Specifically, the request seeks information about how intelligence agencies decide which flaws to disclose and which to keep secret. The privacy rights group is concerned that the flaws, which have not been patched by software vendors, could pose a threat to users. [The Register] [ComputerWorld]

CA – Edmonton Urged to Publish Sunshine List of Top Salaries

Edmonton should follow the provincial lead and disclose its own sunshine list, a government-spending critic argues. Figures compiled by the Journal show that roughly 2,000 City of Edmonton employees earned more than $100,000 last year. The information indicates roughly 12.3% of the total 16,100 workforce — planners, bus drivers, park rangers, technicians and other staff — made six figures in 2013. Fire rescue services and the Edmonton Police Service each had 27% of their staff in this range, the highest proportion among major sections of the city. But virtually everyone in the auditor’s office — 13 of 14 employees — was paid $100,000 plus. In January, the province released a “sunshine list” of 3,455 public service employees — 12.7% of the total — whose pay and benefits exceed $100,000. Derek Fildebrandt, the Alberta director of the Canadian Taxpayers Federation, said Edmonton should follow suit. About 11.7% of Alberta’s overall labour force was in the $100K club in 2011, according to the most recent Statistics Canada figures.[Edmonton Journal] [Alberta Education broke privacy laws in minister Jeff Johnson’s email to teachers]

Genetics

CA – Call to Halt Use of Gene Test Results in Insurance Calculations

Canada’s Office of the Privacy Commissioner (OPC) has issued a statement urging the life and health insurance industry to refrain from asking applicants for access to existing genetic test results. This would require the insurance industry to go beyond its current voluntary moratorium on asking people to undergo genetic testing on application. The insurance industry, however, disagrees. ‘They say these tests aren’t necessary, we think they are’, said Frank Zinatelli, vice president and general counsel for the Canadian Life and Health Insurance Association, a group representing 99% of the insurance industry in Canada. From the commercial perspective, it thought that genetic information should be treated in the same way as any other piece of available medical information; access to data enabling accurate individual risk classification is paramount to the insurance industry’s sustainability. The present lack of legislative guidance on the issue in Canada appears to contribute to the sense of urgency with which the OPC statement has been issued. Nevertheless in, ‘[r]ecognising that the state of medical technology is changing rapidly,’ the OPC has indicated that its ‘position should be revisited on a periodic basis’. [BioNews] [Source]

Google

EU – Google to Tour Europe on Privacy, RTBF

In response to the EU court ruling on the right to be forgotten, Google plans to tour Europe as early as this fall in a series of meetings to explain its stance on privacy. Additionally, the online search giant has announced additional members of its privacy panel, including former German Minister Sabine Leutheusser-Schnarrenberger and Le Monde Editorial Director Sylvie Kauffmann. Details on the full 10-person panel, with individual biographies, as well as an online form asking users to “tell us your thoughts on the CJEU ruling” are now available on a Google webpage. “For each of these requests, we’re required to weigh … an individual’s right to be forgotten with the public’s right to know,” Google states. “We want to strike this balance right.” [The New York Times] See also: [Businesses Finding Opportunity in RTBF Ruling] [Brussels: Google seeks privacy debate]

WW – Google Restores Links Removed After RTBF Ruling

Google has “restored links to some news articles that were removed to comply with a European Union court privacy ruling days after the deletions were criticized by publishers.” The news follows last week’s comments by a UK journalist that the so-called “right to be forgotten” will curtail freedom of expression. The Guardian’s Hayley Dunlop said, “Some but not all of the Guardian stories that Google hid in search results are now appearing once more,” and notes The Telegraph has also confirmed two 2010 articles that had been removed are once again accessible. The UK Information Commissioner’s Office has not “received any complaints over how Google has handled requests for removal,” the report states. [Bloomberg] [Google does U-turn on some deleted links in ‘Right to be Forgotten’ cases]

UK – Google Blurs Out Homes of Celebrities on Its Street View Maps

Google has begun blurring out the homes of celebrities on its ‘street view’ maps after some claimed the images breached their privacy under new European laws, it has been reported. The search engine giant this week removed images of properties owned by the likes of Prime Minister Tony Blair and Sir Paul McCartney. Pictures of houses owned by singer Katherine Jenkins and rocker Jimmy Page are also understood to have been removed, according to reports. The Google Street View tool currently includes millions of photographs which allow online users to navigate their way around most parts of the UK at street level in 3D. But following a ruling by the Court of Justice of the European Union in May, which gave individuals the “right to be forgotten”, certain images have become obscured. [London Evening Standard]

Health / Medical

WW – Is Big Data Becoming Health Industry’s Big Brother?

Health data generated by apps, devices, electronic health records and wearables combined with purchasing and TV-watching habits tracked by social media sites and others mean big data may be poised to become big brother, noting, “It’s hardly out of the question that someday soon the healthcare industry might want to tap into social media to find out more about patients’ health habits.” A new report by the World Privacy Forum (WPF) found healthcare analytics companies are already drawing from retail databases, data brokers, retailer loyalty cards and nonprofit organization member lists, among others. The WPF report notes if the data is used for discrimination, it could have “dire consequences … The secrecy of the data being shared is the part society should worry about.” [GovernmentHealthIT] [Is Google eyeing big data analytics in electronic medical records?] and [OPC Canada – Wearable Computing: Challenges and Opportunities for Privacy Protection] and [Ontario’s privacy watchdog probing leak of woman’s medical information]

US – New Mobile Platform Seeks to Make Health Apps HIPAA-Ready

Medable is a platform designed to allow “medical grade” apps to safely share health data with clinical systems. Michelle Longmire, the Stanford-based physician who created the platform, said, “With Medable, mobile apps can make it easy for users to communicate with their doctors, nurses and caregivers and also provide them with any kind of data originating from the mobile devices,” adding, “That lets everyone receive the data, visualize it, and then communicate about it in a very natural way.” App developers can use the platform to create new services, all delivered through a software development kit and an application programming interface. Longmire also said Medable uses the HL7 clinical data format for easy integration with existing electronic health records systems. [VentureBeat] See also: [What big data could do for health care] and [The Legal And Ethical Concerns That Arise From Using Complex Predictive Analytics In Health Care]

WW – Can Software Make Health Data More Private?

Researchers are developing software designed to prevent sensitive medical information from being inadvertently shared. The software, developed by computer scientists at the University of Illinois, would allow patients to decide which parts of their records they want to keep private but also aims to use machine-learning analysis to reveal whether unselected information would disclose sensitive data such as mental health issues, sexually transmitted diseases or past drug abuse. The software would then keep that additional data confidential for the patient. “Electronic health records at the moment have no facility—none—to break the record into parts,” said Harvard Medical School’s John Halamka. “You either get the record or you don’t.” This software aims to change that. [MIT Technology Review] See also: [You’ve Been Doing It Wrong. Privacy Is Part of User Experience ]

CA – Hospital Suicide Prompts Review of Secrecy in ‘Quality of Care’ Law

Critics say the Quality of Care Information Protection Act — intended to allow for honest review of medical errors — has morphed into a shield for health-care providers. The Ontario Minister of Health launched a review of controversial legislation that keeps internal hospital investigations secret. The review comes after Star stories revealed the suicide of a 20-year-old while under a Brampton hospital’s psychiatric care and the family’s struggle for answers. The review will look at how the Act has been used in the past and “any shortcomings.” The sweeping piece of legislation, brought in in 2004, was meant to allow health professionals to speak freely about medical error without fear and to protect patient privacy. But critics of the Quality of Care Information Protection Act (QCIPA), including NDP health critic France Gelinas, say it has morphed into a shield for health care providers at the expense of the public’s trust. The Freedom of Information and Protection of Privacy Act does not apply to QCIPA. and unless otherwise specified QCIPA trumps all other Acts. That means the public won’t know how an incident happened — or the steps being taken to prevent it from happening again. [Toronto Star] see also [Toronto: Hospital class action informed by intrusion upon seclusion case] and [Temorshah Hafizi v. Her Majesty the Queeen – Court File No. 12-1063 – Ontario Superior Court of Justice]

Horror Stories

US – One Class-Action Gets Tossed While Others Forge Ahead

An Illinois state court has thrown out a putative class-action lawsuit over a data breach at Advocate Health and Hospitals Corp., finding “the plaintiffs needed to prove that their data had actually been misused in order to sustain their claims.” In California, however, a federal judge gave preliminary backing to a class-action settlement that would give $15 million in games, online currency and ID theft reimbursement to PlayStation Network users affected by a 2011 data breach, and a long-standing dispute over Carrier IQ’s alleged violation of consumers’ privacy has been sent to mediation. Meanwhile, the California Department of Managed Health Care is apologizing for an incident where 18,000 doctors’ Social Security numbers were released and San Diego Children’s Hospital Mistakenly Shares Medical Data and [Gaelen Patrick Condon et al. v Her Majesty the Queen – 2014 FC 250 – Federal Court of Canada] [Law 360]

US – AG Fines Country Store $3,000 for Failing to Notify Security Breach

In a move that shows even small businesses are not free from privacy obligations, the Vermont attorney general (AG) has levied a $3,000 civil penalty on a country store for failing to notify its Internet customers of a security breach. Late last year, the Shelburne Country Store’s website was hacked and credit card information was stolen. The company fixed the problem but did not notify consumers until it was contacted by the AG. “At this stage of the game, having seen widely reported data breaches at big retailers like Target and dozens of others, we will not accept the excuse that a business did not know of its obligations to report a breach,” said Vermont AG William Sorrell. [Vermont Biz] See also: [US Blue Shield discloses 18,000 doctors’ Social Security numbers] and [OPC Canada – Ten Tips for Reducing the Likelihood of a Privacy Breach]

US – Luxury Hotel, School District Hit by Breaches

The Houstonian Hotel, Club & Spa has announced at least 10,000 customers’ credit card details were exposed in a breach that lasted approximately six months. The “malicious software attack” commenced on December 28, 2013, and continued until June 20, the report states. “We undertook immediate action to fully secure our customers’ data,” a news release issued Tuesday said. “As of June 20, we had fully replaced and overhauled the breached systems, further restricted access to all our servers and hired a data forensics firm to help us enhance our digital security.” Meanwhile, a Kansas City-based school district is investigating an incident that involved current and former students’ and employees’ personal data—including Social Security numbers—being leaked online. [Houston Chronicle]

Identity Issues

WW – When a Password-Is-Dead Scheme Goes Terribly Wrong

Recently, The Wall Street Journal’s Christopher Mims, to prove a point that two-factor authentication makes relying simply on passwords a thing of the past, publicly posted his Twitter password. However, the experiment went terribly wrong. In response, “a whole bunch of people tried to log in to his Twitter account,” prompting Twitter to send Mims a text message. Mims said at one point he was receiving two text messages per minute. He then tried to switch to a “Twitter for iPhone” app, which essentially revealed Mims’ phone number to those who clicked the verification code link. “The good thing to come out of exercises like these,” Hill writes, “is getting companies to protect stupid users from themselves.” [Forbes] See also: [How to Teach Humans to Remember Really Complex Passwords] and [Datatilsynet, Denmark – Guidance on Multifactor IT Security and Logins]

US – NY De Blasio Signs City ID Bill, Cards Will Be Free for One Year

New York Mayor Bill de Blasio signed into law a bill that would create a citywide identification card program. The cards will be free for the first year of the program. New Yorkers will be able to apply at locations in the five boroughs. The program is specifically designed to provide identification cards to the city’s nearly 500,000 undocumented immigrants so that they can sign apartment leases, open bank accounts, and visit their children at public schools, among other things. “This card important is for all New Yorkers,” de Blasio said. “But, for all those who don’t have ID, it’s going to be crucial.” Now the administration’s goal is to implement the program. The New York Civil Liberties Union issued a statement opposing the legislation, saying that it could expose the immigrants who apply for cards to prosecution and deportation by federal authorities. De Blasio said that the information will not be shared with any agencies and that applicants will not be asked about their immigration status.[Epoch Times]

CA – No Sin to Give Your SIN: Statscan Looks to Shore Up Census With Number

Statistics Canada is asking people to provide their SIN during test runs for the 2016 census, part of an effort to make the survey data more reliable. The agency is trying to find out if people will reveal a key identifier they’ve been so often warned to protect. The Conservative government eliminated the mandatory long-form census in 2011, saying it was too intrusive. It was replaced with a controversial voluntary National Household Survey. When the data from the survey was released last year, information on thousands of smaller communities was withheld because of low response rates. And because some people didn’t want to fill out the voluntary form or parts of it, collected data on income levels has been criticized as flawed. The agency is now asking a broad sample of those who fill out the tests of the mandatory, short-form census to include their SIN. The number will help tap into specific information from tax returns held by the Canada Revenue Agency, the type of solid data that could backstop the census. Previous questionnaires have asked people for permission to seek information from the revenue agency, but a SIN is a much more accurate link to income tax files than a name and date of birth. In 2006, the mandatory long census had a response rate of 93.5%. The 2011 NHS received a response rate of 68.6%, with higher reluctance among some groups, such as aboriginals. [The Canadian Press]

Internet / WWW

WW – TRUSTe Event Explores Intersection of Tech and Privacy

Data privacy management firm TRUSTe followed up on its work with the Future of Privacy Forum (FPF) to create a smart grid privacy seal by creating a day-long Internet of Things Privacy Summit, which concluded yesterday in Silicon Valley. The event had 26 speakers exploring the future of connected technology and its implications. Finally, the event finished with a debate on whether privacy “is even possible” in the Internet of Things era. The full event is archived and available for viewing. Following the event, TRUSTe announced an Internet of Things Privacy Tech Working Group, which includes the FPF, along with the Online Trust Alliance, the Center for Democracy & Technology and others. The group will begin meeting in the next three months and will report out findings at the next Internet of Things Privacy Summit in June of 2015. [Webcast]

US – NIST Cloud Computing: Forensic Science Challenges – NISTIR 8006

Challenges regarding cloud computing forensic science include the following – architecture (proliferation of systems, locations and endpoints that can store data), data collection (accessing the data of one tenant without breaching the confidentiality of other tenants), analysis (correlation of forensic artifacts across and within cloud providers), legal (identifying and addressing issues of jurisdictions for legal access to data), incident first responders (confidence, competence, and trustworthiness of the cloud providers to perform proper data collection), standards (minimum/basic standard operating procedures, practices, and tools), and training (misuse of digital forensic training materials that are not applicable to cloud forensics). [Source]

Law Enforcement

CA – Calgary Police, Bylaw Enforcement to Track Licence Plates for Parking Data

Each day for the past four years, Calgary parking enforcement officers drive the city’s streets in cars equipped with cameras designed to scan licence plates and identify parking scofflaws. Even if no violation has been committed, the city still holds on to data showing the time and location the vehicle was spotted, as well as a photo of the vehicle. As use of licence-plate scanning technology grows in Canada among bylaw enforcement agencies and police departments there is no consistency as to how long such data is retained or who it’s shared with. While some agencies scrub their systems of so-called “non-hit” data daily, others hold on to that data for several years or indefinitely. Some agencies share the data they collect with police investigators, while others require a warrant. Privacy advocates are worried. The technology is becoming a “mass surveillance” tool and demands better oversight, said Christopher Parsons, a post-doctoral fellow at the University of Toronto’s Citizen Lab specializing in technology and privacy issues. “It doesn’t matter that there are positive intentions behind this. It’s a surveillance system,” he said. The Calgary Parking Authority is now conducting a privacy impact assessment of its ParkPlus System, spokeswoman Shelley Trigg said. [Canadacom] See also: [NC man puts up massive tarp to block neighbor’s surveillance camera]

US – Hot-Car Death Highlights Key Role of Digital Evidence

One of the few details to come out of the murder case against suburban Atlanta dad Justin Ross Harris — whose son was found dead after being strapped into a hot car for hours — is that he searched for information about such deaths shortly before the incident occurred. According to police, Harris used his work computer to search for information about “child deaths inside vehicles and what temperature it needs to be for that to occur.” While Harris’ family appears to be standing by him and he’s been convicted of no wrongdoing, the revelation is the latest reminder that what you do and say online can become public in unpredictable and sometimes undesirable ways: Fifteen or 20 years ago, the notion of taking criminal evidence from a personal computer was as novel as the technology itself. Today, it seems commonplace and all over the headlines. [CNN]

Location

BR – City Partners with Traffic Apps in Data Deal

As commuters increasingly use apps that incentivize data-sharing in exchange for updates on traffic jams, one government is finding similar opportunities using the same services. Waze and Moovit collect data from drivers and pedestrians, respectively, feeding back information on the most efficient ways to get around. Rio de Janeiro’s Department of Transport has partnered with Waze to help it eye traffic and hazards—via the GPS datapoints fed once-per-second from users’ cellphones—in exchange for real-time data from the city on highways and from cameras. While Waze can indicate how fast drivers are moving, spokesperson Julie Mossler says the passively tracked data “is not something we share.” [Forbes] See also: [German Federal Data Protection Commissioner – Guidance on Data Protection Requirements for App Developers and App Vendors]

CN – Apple Tells China It Does Not Track User Location

In response to a China Central Television (CCTV) report, Apple said it does not track the location of Chinese iPhone users. Apple said it “does not obtain or know a user’s frequent locations … Apple does not have access to frequent locations or the location cache on any user’s iPhone at any time.” CCTV had alleged the tracking could reveal “state secrets,” arguing, “Even if this feature is turned off, the information will still be recorded.” Apple said it appreciated CCTV’s “effort to help educate consumers,” adding, “We want to make sure all of our customers in China are clear about what we do and we don’t do when it comes to privacy and your personal data.” [International Business Times] See also: [BC: CCTV used to spy on tenants was ‘illegal’]

Offshore

NZ – Proposed Data Breach Fines a ‘Drop in the Ocean’

The New Zealand government is expected to introduce a rewrite of privacy laws into Parliament next year, but one security expert says the proposals are imprecise and don’t go far enough. “We are following the world rather than leading,” he says, noting data breach disclosure has been debated in New Zealand since at least 2002. However, Benson describes proposed penalties such as a $10,000 fine for not notifying the Privacy Commissioner of a breach, as a “slap on the wrist”. “Liability or decent fines are needed for people who fail to disclose,” he said. Further, a lot of the provisions remain undefined and may only be defined in case law after a new Privacy Act is passed. The meaning of terms such as “serious cases”, “enforcing compliance” and “reasonable care” remain unclear. [ZD Net] See also: [NZ Privacy Act: ‘Need to know or nice to have’ Guidelines Released]

AU – Drones Face Privacy Regulation Under Oz Government Plan

A parliamentary report into regulation surrounding the use of drones has recommended that Australia consider creating a tort of privacy invasion – something ruled out by the country’s attorney-general George Brandis as recently as April. In an example of the strange bedfellows politics can make, privacy activists and farming lobbies agree – for, perhaps, different reasons – that unfettered flying of drones poses privacy risks, and the government-dominated but bipartisan committee agrees. The government-dominated “Standing Committee on Social Policy and Legal Affairs” has published a report entitled Eyes in the sky, which notes that privacy and surveillance laws around Australia are “a complex web”. For example, the report notes that surveillance using listening devices is tightly regulated, but police can use drones for surveillance “without a warrant so long as they do not enter onto premises without permission, or interfere with any vehicle or thing without permission.” Hence the report’s recommendation that “the Australian Government consider introducing legislation by July 2015 which provides protection against privacy-invasive technologies (including remotely piloted aircraft), with particular emphasis on protecting against intrusions on a person’s seclusion or private affairs”. Such protection, the committee recommends, should include a tort of privacy invasion with “effective” opportunities for complainants to seek remedies. The recommendation has bipartisan support. [The Register] and [Eyes in the sky: Vanishing privacy] and [Hong Kong’s ‘hands off’ regulations prompt growth in drone flying by amateurs]

Online Privacy

US – Judge Approves Disclosure of Anonymous Commenters

A federal judge has authorized a subpoena to Craigslist and Amazon compelling the companies to disclose the personal details of anonymous commenters who allegedly posted negative reviews of nutritional supplement manufacturer Ubervita and its products. Judge Marsha Pechman said the subpoenas would be “intended to learn the John Doe defendants’ identities including names, addresses, telephone numbers, e-mail addresses, IP addresses, web hosts, credit card information, bank account information and any other identifying information.” [Hot Hardware] See also: [Is There Value in the Right To Be Anonymous Commenters?] and [WSJ – Clarke: In the Future, Only the Rich Will Have Privacy]

US – EPIC Files Complaint with FTC Over Facebook Study

The Electronic Privacy Information Center (EPIC) has filed a formal complaint with the FTC claiming Facebook deceived users when it conducted its emotion contagion study without user consent. “At the time of the experiment, Facebook did not state in the Data Use Policy that user data would be used for research purposes. Facebook also failed to inform users that their personal information would be shared with researchers,” the EPIC’s complaint states. Center for Digital Democracy Executive Director Jeff Chester said his organization will also speak with the FTC on this matter. Facebook Chief Operating Officer Sheryl Sandberg apologized for the study, saying it was “poorly communicated.” [USA Today]

WW – Facebook Study Demonstrates Need for Ethical Decision-Making

Opinions regarding the Facebook study on emotional response continue to reverberate in the privacy world. In a post for Re/code, Future of Privacy Forum Executive Director Jules Polonetsky and IAPP VP of Research and Education Omer Tene note “big data analysis raises issues that transcend privacy and implicate broader policy concerns around discrimination, filter bubbles, access to data and the ethics of scientific research,” adding, “Establishing a process for ethical decision-making is key to ensuring that the benefits of data exceed their costs.” In a separate post, Ed Felten writes, “experiments that manipulate user experience impact users’ privacy, and that privacy impact needs to be taken into account in evaluating the ethics of such experiments and in determining when users should be informed.” [Source]

US – Parents: Facebook Settlement Would Allow “Illegal Conduct”

Parents’ are reacting to Facebook’s $20 million settlement of a class-action filed over its “sponsored stories” program. The settlement “gives the company a free pass to violate laws in seven states that bar the use of a minor’s likeness without parental consent, the parents of several underage Facebook users told the Ninth Circuit,” the report states. They have filed a brief asking the Appeals Court to vacate the settlement, alleging it allows “clearly illegal conduct,” the report states. [Law360] See also: [Class-Action Alleges Retailer Routinely Violates Song-Beverly] See also: [Who benefits from online privacy policies?]

Other Jurisdictions

JP – Nation Set to Pass Cybersecurity Legislation

Deep and longstanding cybersecurity issues face Japan and how the nation is set to pass legislation that would bolster its cybersecurity. Recent cyber-attacks on Yahoo Japan, the country’s space agency, its largest defense contractor and Bitcoin operator Mt. Gox, as well as the highly publicized breach of Sony Playstation in 2011, have all threatened the world’s third largest economy. One information technology expert said, “The biggest problem—and the biggest ally of cyber-attackers aiming at Japan—is the widespread belief that ‘it can’t happen here,’” while also noting that cybersecurity awareness in Japan is still “very low.” [Businessweek]

RU – New Law Will Keep Personal Data Inside National Borders

The Russian State Duma has passed legislation that will require the personal data of Russian citizens to be stored inside the country. Any online service used by Russian citizens must have physical servers inside the country and such non-Russian businesses would be prohibited from sending personal information outside the border unless certain data protection guarantees are made. Those not in compliance would have their services restricted by the Russian state telecommunications agency. The proposed law is slated to take effect in September 2016, the report states, noting the law “could mean a fundamental change to how both international and Russian tech companies use international hosting services, not to mention huge costs for implementing the changes.” [TechCrunch]

Privacy (US)

US – NSA Won’t Release Snowden E-mails, Says Would Breach His Privacy

In response to a Freedom of Information Act (FOIA) request, the NSA has said it cannot release internal e-mails sent from whistleblower Edward Snowden because it would violate his personal privacy, according to U.S. News & World Report. Former Reuters Social Media Editor Matthew Keys filed the request seeking the e-mails sent from ejsnowd@nsa.ic.gov in the first five months of 2013. Snowden has said a number of times that he had raised concerns about the NSA’s surveillance programs internally while working as a contractor for the agency. The NSA had denied a broader FOIA request in June 2013. [U.S.News]

US – PCLOB Says No Illegitimate Activity in NSA Overseas Program

In a pre-released report on Section 702 of the Foreign Intelligence Surveillance Act, the Privacy and Civil Liberties Oversight Board (PCLOB) found no illegal activity but cautioned that parts of the program—including the collection of U.S. citizens’ communications—raise privacy concerns. Several civil rights and privacy advocacy groups said the report fell short of expectations. The Electronic Frontier Foundation said the recommendations were “anemic” and will do little to curb surveillance. New America Foundation’s Kevin Bankston tweeted, “If the last PCLOB report was a bombshell, this one is a dud.” [Computerworld]

US – Men File Suit Against 9/11 Threat Database

Five California men have started a legal battle against the government’s national database, built after Sept. 11 to store reports of suspicious activity in the hunt for terrorists. The suit, filed by the ACLU and Asian Americans Advancing Justice-Asian Law Caucus, challenges the database, alleging it’s “too easy for people engaged in innocuous activities to be put into the database and scrutinized as if they were a threat,” the report states. The plaintiffs include two photographers confronted by security guards at a national gas tank; an Egyptian-American who tried to buy multiple computers at a Best Buy, and a Muslim convert looking at a flight simulator game on the Internet. [The New York Times]

US – Group Releases Data Privacy Toolkits for School Districts

School technology officials’ membership organization Consortium for School Networking has released two new privacy-related toolkits, “Ten Steps Every District Should Take Today“ and “Security Questions to Ask of An Online Service Provider,” for school districts attempting to protect student information. “School leaders often need to access information immediately and with minimal hassle. These standalone resources will help district leaders quickly obtain the information and guidance necessary to ensure student privacy,” said Consortium for School Networking CEO Keith Krueger. [Education Week] [US Group Releases New Resources For Districts Grappling With Data Privacy] See also: [US: Officials say data could help identify at-risk children]

US – New York State Education Department Issues Parents’ Bill Of Rights For Data Privacy and Security

A New York law requires that a “Parent’s Bill of Rights for Data Privacy and Security” be published on the website of each state educational agency and be included with every contract that agency enters into with a third party contractor (“contractor”) that receives student data or certain protected teacher/principal performance data that is designated as confidential under the law. The Bill of Rights permits parents the rights of access and correction of their student’s personally identifiable information (“PII), and consent prior to disclosure of the PII from education records (unless FERPA permits disclosure without consent); in the event of a contractor data breach, the contractor must notify the agency, which must notify the parent. [Bill of Rights]

US – UC Berkeley Creates Campus Privacy Officer Post

As part of an initiative to bolster campus cybersecurity and information autonomy, the University of California-Berkeley has created a campus privacy officer position and is now looking for applicants. Interim Chief Information Security Officer Paul Rivers said, “I do absolutely see this position as critical to the mission of the campus … The proper balance between privacy and competing interests (such as information security) must be explicitly and transparently addressed in order to safeguard academic freedom.” [Daily Californian]

US – HHS Names New Office for Civil Rights Director

U.S. Health and Human Services (HHS) Secretary Sylvia Mathews Burwell has named Jocelyn Samuels as the new director of the agency’s enforcement wing. Samuels has previously served as acting assistant attorney general for the Civil Rights Division within the Department of Justice. She succeeds Leon Rodriguez at the Office for Civil Rights (OCR). Christina Heide, who is a senior advisor for health information privacy at the OCR, is also serving as acting deputy director for health information privacy. Susan McAndrew left the role in May. [Health Data Management]

US – FTC Approves iKeepSafe COPPA Safe Harbor Oversight Program

The FTC approved the iKeepSafe Children’s Online Privacy Protection Rule safe harbor program which includes an effective, mandatory mechanism for the independent assessment of the safe harbor program participants’; compliance with the guidelines; website operators that use a safe harbor program are subject to the program’s disciplinary procedures in lieu of formal FTC investigation and enforcement. [Press Release] [Approval Letter]

Privacy Enhancing Technologies (PETs)

WW – Companies Continue Rolling Out Privacy-Enhancing Tech

Technology designed to protect the online privacy of users from third parties or governments continues to make its way into the marketplace. Motherpipe recently announced it has launched privacy search extensions for the Chrome browser in the U.S., UK, India, Germany and Sweden. Motherpipe’s CEO said the service “offers users a choice when they are searching for things that they simply don’t want Google to share with anyone.” In a separate rollout, Rællic allows users to communicate securely. With three modes—”Normal,” “Paranoid” and “Tin Foil Hat”—Rællic’s director of systems said it “is the only software in the public sphere that offers such intensive but easy-to-use data protection to consumers and enterprises worried about interface with their communications.” [PRWeb] See also: [With privacy concerns rising in retail, Prism Skylabs says video analytics are the future]

WW – CitizenMe Aims To Embrace User Privacy and Ad Ecosystem

CitizenMe is an an app designed to inform users what online services deduce about their personalities and with future intentions to encourage users to sell that data to advertisers. Instead of reinventing the current Internet ad model, Meyer writes, the app aims to improve it. CitizenMe has been working with the Psychometrics Centre at the University of Cambridge to tap into web services to help determine how users are scored. “The first step is to provide visibility and control of data, so you can go into your settings and have some control. If you want to, you can share that data … you can exchange data for a reward,” the company’s founder said, adding, “We then provide a marketplace and exchange where we exchange on your behalf.” [GigaOM]

WW – Will IceBrowser Put Privacy Fears on Ice?

Amidst ongoing concern about government surveillance, a California company is turning to Iceland to offer its users “a new layer of security.” “The new IceBrowser service, which costs $30 a year for early users, browses the Internet through their computers routing through Iceland, using a method which blocks outside tracking and cookies as well as viruses,” the report says. Jeff Bermant, founder of California-based Cocoon, said of Internet privacy, “Certainly the United States is not considered a safe country … If they are using Internet services based in the U.S. they don’t actually have privacy.” [Forbes] [Startup Sees Iceland As Best Route To Chill Privacy Fears] See also: [The Revolution Will Not Be Monetized]

WW – Invisible IM Project Aims to Leave No Forensic Trail

The Invisible IM project aims to develop a means for people to communicate “without leaving a retrospectively recoverable forensic trail behind on third-party servers.” The technology establishes a local XMPP server on a user’s computer, which then connects to the Tor network. A secure mode will be available that will prevent anyone from knowing who is on someone else’s buddy list or even if they have ever communicated through Invisible IM. The project is being designed to provide anonymity for whistleblowers. [The Register] [ComputerWorld]

Security

WW – Survey: IT Pros’ Main Worry Is Wondering Where Sensitive Data Lives

A new global survey of more than 1,500 IT and IT-security professionals looks at how organizations understand and respond to data security threats today, Informatica Corporation states in a press release on a new Ponemon Institute study . The study found that the location of sensitive or private data is “the foremost concern of today’s IT-security professionals”—even above hacker attacks. The survey also found that organizations are “in the dark regarding sensitive data, with only 16% knowing where all their sensitive structured data resides,” the report states. Other concerns include migration to new mobile platforms, worker or contractor mistakes and outsourcer management of data. [Source]

US – Rise in Electronic Payments Sharpens Security Focus

Companies have decided they won’t wait “for Congress to ensure that the billions of dollars in electronic payments flowing through data networks each year are defended from hackers,” detailing efforts by businesses to combat data breaches. For example, the New York Office of the Attorney General has said security breaches in that state have become more serious and more common, and they cost businesses upwards of $1.37 billion last year. “With action in Congress unlikely to happen soon, the nation’s largest retailers and financial groups are taking it upon themselves to increase safeguards for consumer information. With their reputations and business on the line, both industries are determined to make progress.” [The Hill]

WW – Hackers Targeting Small Businesses

Small businesses face increased risk of a data breach or cyber-attack. One Georgia business owner, Brad Spiegel, owner of Quality Computer Systems, said, “Big businesses are going to have bigger, badder routers and bigger, badder equipment that is going to protect them. So the criminals are going to go after the low-hanging fruit.” A National Small Business Association survey revealed 44 percent of respondents had been victims of at least one attack. Meanwhile, eBay, which recently sustained a data breach, is expected to announce its earnings report later this week. In other reports, a judge has granted preliminary approval of a data breach settlement with Schnucks, with a potential payout ranging between $300,000 to $500,000, and the University of Illinois Chicago is warning former students of a possible data breach.

US – Hackers Targeted U.S. Gov’t Employees

Officials have confirmed that Chinese hackers infiltrated the computer networks of the U.S. Office of Personnel Management and appear to have been seeking information on federal employees who have applied for top security clearance. An official from the personnel agency said neither it nor the Department of Homeland Security had “identified any loss of personally identifiable information,” and an emergency response team has been assigned. Though the attack has been traced to China, it is not yet clear whether it is tied to the Chinese government. This incident comes on the heels of an attack on the Justice Department resulting in the indictment of a group of hackers from the Chinese military for stealing corporate secrets. [The New York Times] See also: [Cyber Crime and Security Survey Report 2013 – Australian Government]

WW – The Internet of Things: Smart Lightbulb Exposes Wi-Fi Password

In a proof-of-concept attack, Internet connected LED lightbulbs were used to gain access to the Wi-Fi network that controls them. LIFX smart lightbulbs can be controlled with iOS and Android devices. LIFX was made aware of the problem and has issued a firmware update to address it. The attackers were able to trick the devices into revealing the network password; they had to be within 30 meters of the devices they were targeting. [CNET] [The Register] [Ars Technica]

US – Grid Security Concerns

Some experts are saying that the addition of wind farms, solar panels, and smart meters to the power grid add points at which attackers could infiltrate and attack the country’s energy grid. There have been documented attacks on the power grid that damaged equipment, disrupted service, and required long term repairs. An Ernst & Young survey of 61 power and utility companies found that one-third report spending at least US $3 million a year on information security, which includes protecting systems from cyber attacks. [Bloomberg] SEE ALSO: [College Bescherming Persoonsgegevens, Netherlands – Privacy Checklist for Smart Meters]

US – Hotels Urged to Check Business Center Computers for Malware

An advisory from the US Secret Service and the National Cybersecurity and Communications Integration Center warns organizations in the country’s hospitality sector that computers available for hotel guests’ use in their hotels are likely being infected with keystroke loggers. The advisory was issued after suspects who had managed to compromise public use computers in hotels were arrested in Texas. The advisory urges hotels to check the computers in their business centers. [KrebsonSecurity] [ZDNet]

WW – Most Critical Infrastructure Executives Say Security is Not a Priority

According to a study that compiles responses from nearly 600 IT and IT security executives around the world, two-thirds of those responding said that their infrastructure had been compromised in the preceding 12 months, but just over a quarter said that security is a top priority. Nearly 60% acknowledged that the threat to ICS and SCADA networks is increasing, but just 5% have a dedicated ICS and SCADA security department. 55% percent of those responding said that there is just one person at their organization responsible for the security of those systems, and a quarter have no dedicated personnel at all. The report was conducted by the Ponemon Institute and sponsored by Unisys. [SC Magazine] [Unisys]

Surveillance

US – NSA Retains Data Belonging to Non-Suspects

The Washington Post conducted analysis on 160,000 intercepted conversations intercepted by the NSA and found that the majority of the people whose personal information was stored by the NSA (according to information provided by Snowden) were not suspects in investigations. The information includes highly personal messages, medical records, school transcripts, baby pictures, and resumes. The analysis of the data supports the contention that the NSA is not taking steps to exclude personal information of US citizens, as required by US law. An NSA spokesperson acknowledged that the agency “incidentally intercept[s] the communications of persons in contact with valid foreign intelligence targets,” and maintains that the NSA takes precautions to protect the privacy of the data it collects. [Washington Post] [ArsTechnica] [ComputerWorld] [CNN.com] Former NSA legal counsel Stewart Baker writes that the statistics in the report are doubtful. A separate report suggests those who use privacy-enhancing tools online are more likely to be targeted by the NSA, and The Hill reports that it is “crunch time” for reforming government surveillance. [Source] [Americans’ baby photos and resumes among NSA spy haul]

US – Analysis of Leaked XKeyscore Source Code Shows NSA Targets Tor Users

Analysis of source code in a program used by the NSA to snoop on Internet communications suggests that people outside the US who use online privacy and anonymization services are likely to have had their IP addressed collected. The source code is for a program called XKeyscore. The analysis indicates that people who search for tools like Tor will get labeled as extremists. XKeyscore also conducts deep packet inspection on messages sent through Tor. The code was analyzed by German public broadcaster ARD, which did not say how the code was obtained. [ArsTechnica] [WIRED] [CNET]

WW – A New Device Lets You Track Your Preschooler … And Listen In

LG Electronics have relased the KizON wearable tracking wristband. The technology uses WiFi and GPS to provide real-time location tracking in addition to a “One Step Direct Call” feature designed to allow the child and parent to communicate directly. Such technology, the report states, raises the question of whether minors have a right to privacy. In 2008, one lawyer wrote, “Children do have privacy rights, just like adults, although even the most important constitutional rights of children may be limited because of their minority status.” Iowa State University Prof. Reynol Junco said, “I think they’re entitled to some privacy, but not much. We are parents, after all.” [NPR]

CA – Too Many Hidden Cameras: Yukon Privacy Commissioner

Yukon’s Information and Privacy Commissioner is cautioning government against the overuse of video surveillance. Diane McLeod-McKay says there are far too many hidden cameras in Whitehorse. “My concern is that video is being overused and sometimes the reason for its use is not being balanced against the privacy risks,” adding that ‘Cost-effectiveness is no justification to infringe on privacy rights.’ McLeod-McKay says video surveillance is one of the most invasive tools available, and should only be used as a last resort. After discussions with various departments, McLeod McKay has published a guide targeting government and other public bodies on the use of hidden cameras. [CBC News]

US – FAA Drafting Commercial Drone Use Rules

Federal Aviation Administration (FAA) plan to permit small drones to be used for commercial purposes. Media sources, energy companies, farmers and other groups have been pressuring the FAA to lift its ban on flying commercial drones, and an FAA spokesman said the agency is drafting rules for small drones now that will be “issued for comment late this year.” But finalizing such rules could take several years because multiple agencies would be involved, including the Pentagon and the Department of Homeland Security. [Reuters]

Telecom / TV

UK – ISPs File Complaint Against GCHQ Over Alleged Spying

Seven Internet service providers have filed a complaint against GCHQ regarding allegations that the British intelligence agency broke into their networks to conduct surveillance. The complaint filed with the Investigatory Powers Tribunal calls for GCHQ to stop targeting system administrators to gain access to networks. The complaint was prompted by reports that GCHQ had targeted employees of Belgacom to gain access to the telecommunications company’s network. They were allegedly targeted not because they posed any sort of security threat, but because they were administrators for a network that intelligence wanted to infiltrate. [WIRED]

WW – Naked Selfies Extracted From ‘Factory Reset’ Phones

Thousands of pictures including “naked selfies” have been extracted from factory-wiped phones by a Czech Republic-based security firm. The firm, called Avast, used publicly available forensic security tools to extract the images from second-hand phones bought on eBay. Other data extracted included emails, text messages and Google searches. Experts have warned that the only way to completely delete data is to “destroy your phone”. Most smartphones come with a “factory reset” option, which is designed to wipe and reset the device, returning it to its original system state. However, Avast has discovered that some older smartphones only erase the indexing of the data and not the data itself, which means pictures, emails and text messages can be recovered relatively easily by using standard forensic tools that anyone can buy and download. The company claims that of 40,000 stored photos extracted from 20 phones purchased from eBay, more than 750 were of women in various stages of undress, along with 250 selfies of “what appears to be the previous owner’s manhood”. There was an additional 1,500 family photos of children, 1,000 Google searches, 750 emails and text messages and 250 contact names and email addresses. The company said: “Deleting files from your Android phone before selling it or giving it away is not enough. You need to overwrite your files, making them irretrievable.” [BBC News] [Android’s phone wiping fails to delete personal data]

US Government Programs

US – Placing Faces and Naming Names in New NSA Leak

The latest leaks from Edward Snowden identify five specific Muslim-Americans targeted by the NSA and the FBI and prompting a number of privacy advocates to call for reforms to the Foreign Intelligence Surveillance Act (FISA). The five “targets,” named by reporter Glenn Greenwald and Murtaza Hussain, were part of an NSA spreadsheet “in the Snowden archives called ‘FISA recap.’” The 7,485 e-mails on the list were monitored between 2002 and 2008. Wired interviewed Greenwald about the leak and why it matters. ProPublica reports that users who downloaded the Tor browser in 2011 were also targeted by the NSA. [The Intercept]

US Legislation

US – Senate Committee Approves CISA Despite Privacy Fears

In a 12-3 vote, the US Senate Intelligence Committee has approved the Cybersecurity Information Sharing Act (CISA). The bill aims to improve data sharing between the government and private sector to help protect systems from attacks. The bill provides liability protection for private companies that monitor their own networks and that share information. Following its introduction last month, the bill was heavily criticized by privacy advocates who took issue with CISA’s broad definitions, lack of Department of Homeland Security oversight and inadequate minimization techniques to protect U.S. citizens’ privacy. Compounding the concerns are the Snowden revelations, indicating the government’s willingness to circumvent law in the name of surveillance. Despite such concerns, the committee approved the bill by a vote of 12 to three. [Tech Crunch] [Forbes] [ComputerWorld] [Analysis of Feinstein-Chambliss Cybersecurity Information Sharing Act of 2014 Discussion Draft – Center for Democracy & Technology] and [Letter to the United States Senate Regarding the Cybersecurity Information Sharing Act of 2014 – American Civil Liberties Untion, et al.]

US – SB 806 – Educational Longitudinal Data System Changes – North Carolina

Senate Bill 806, Educational Longitudinal Data System Changes, if passed, would require the state board of education to create an inventory of the individual student data proposed to be accessible in the North Carolina Longitudinal Data System and required to be reported by state and federal education mandates; direct access to data will be restricted to authorized staff of the Board, only de-identified data may used in the analysis, research, and reporting conducted by the system, and individual or personally identifiable data accessed through the system may not be a public record. [Bill 806]

US – Florida Info Protection Act of 2014 in Effect; Regulator Notification Required

Effective July 1, 2014, Florida has repealed its existing data breach law in favor of a new, more stringent, law. Florida has joined the list of states requiring notice to regulators: specifically, an entity must notify the Department of Legal Affairs of any breach affecting 500 or more Florida residents as soon as possible, but no later than 30 days after determining that a breach has occurred or having reason to believe that a breach has occurred. The new law also specifies the content of that notification (e.g., description of the breach, number of Florida residents affected, services offered to individuals, copy of the notice to be provided to the individual, and contact person to field questions regarding the breach). Florida also has expanded the definition of personal information. Under the prior law, Florida had defined personal information to include name plus a social security number, a driver’s license (or other government identification number), or certain financial account information. The new Florida law also includes the following in the definition of personal information: (1) name plus an individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify an individual; and (2) user name or email address, plus a password or answer to security question that would enable access to an online account. [lexology]

US – Voters to Decide Privacy Measure Aug. 5

A ballot measure protecting Missourians’ privacy that went through the Missouri Senate with overwhelming support (31-1) and also passed the Missouri House by a vote of 114-28 will be put before the voters Aug. 5. SJR 27, the legislation passed in order to get the proposed constitutional amendment on the ballot, was sponsored in the Senate by Sen. Robert Schaaf (R-St. Joseph) and handled in the House by Rep. Paul Curtman (R-Pacific). Curtman said this is a bill he thinks revolves around people’s “reasonable expectations to privacy” guaranteed in both the U.S. Constitution and the Missouri Constitution. He said writers of these documents had never seen electronic communications or the sending of data, but the same principle of having reasonable expectations to privacy would apply. “SJR27 is a necessary addition to our state constitution,” he said. “It will ensure that modern communications (electronic and data) as well as traditional communications are protected from unwarranted search and seizure.”[Source]

Workplace Privacy

US – Customs Under Fire for Sweeping Scans of Employees’ Personal Data

A troubled division of Customs and Border Protection whose leader was recently ousted by the Obama administration is now accused of improperly scrutinizing the personal information of the agency’s 60,000 employees for evidence of potential misconduct and corruption. In one program, the agency’s internal affairs division shared employees’ Social Security numbers with the FBI, looking for possible criminal leads. The program is no longer operating and is under review by the Department of Homeland Security’s inspector general, according to three federal officials with knowledge of the inquiry. In another effort, the division automatically scanned the Social Security numbers of all the agency’s employees in a Treasury Department financial records database, said the officials, who spoke only on the condition of anonymity because of the sensitivity of the matter. The Treasury Department halted the daily monitoring in April over questions about whether it violated federal policies. The programs were inspired by the Obama administration’s Insider Threat initiative, a governmentwide crackdown on security threats that relies on profiling federal workers for certain behaviors. While such data-sharing efforts didn’t appear to be illegal, they might infringe on the privacy rights of federal employees.[mcclatchydc.com]

US – Survey: Employers Nervous About Workplace Privacy

A recent survey indicates workplace privacy is a growing area of concern as companies increasingly shift toward new technology policies and widespread data breaches persist. According to the Littler 2014 Executive Employer Survey of more than 500 in-house C-suite executives, avoiding workplace and data security breaches was the top concern related to workplace privacy, while safeguarding customer and corporate data without unlawfully accessing employee information was a close second. Phil Gordon of Littler Mendelson said it’s interesting that the monitoring of employees’ personal social media activity was low on the priority list despite the proliferation of state laws on the matter. [HR.BLR.com] See also: [IAPP Workplace Privacy Resources]

US – CBP Accused of Snooping on Employees

A division of U.S. Customs and Border Protection (CBP) is under review by the Department of Homeland Security’s inspector general for potentially improperly scrutinizing the personal information of the agency’s 60,000 employees. The internal affairs division shared employees’ Social Security numbers with the FBI in an effort to find potential misconduct and corruption, the report states, and in another instance, the division “scanned the Social Security numbers of all the agency’s employees in a Treasury Department financial records database.” Although the actions weren’t technically illegal, they may infringe on employees’ privacy rights, the report states. CBP’s actions are “pushing the legal envelope,” said one privacy attorney. [McClatchy]

CA – Right to Fire Civil Servant for Abusing Internet, Privacy Breach: Tribunal

A labour relations tribunal has upheld the firing of a civil servant who used his government computer to indulge his car obsession, complain about his job, store electronic music files, and attempt to cheat on staffing competitions. In a recent decision, the Public Service Labour Relations Board said the government had just cause to fire Marc Gravelle, a human resources assistant in the Department of Justice, in July 2011. Gravelle had argued that the government did not prove its case against him and that his abrupt dismissal ignored the principle of progressive discipline. Adjudicator Renaud Paquet, however, concluded that Gravelle had severed the bond of trust that must exist between the government and one of its employees. [Ottawa Citizen ]

EU – Data Protection Authority Opinion on Location Tracking in the Workplace

A Finnish employer’s tracking of an employee’s location (e.g. GPS monitoring of a vehicle) falls under the Personal Data Act, the workplace Data Protection Act 759/2004 and the Electronic Communications Privacy Act; such monitoring may be conducted only for justifiable and specific circumstances pursuant to the employment relationship, after a hearing of employees’ concerns and by using a prescribed statutory cooperation procedure (which includes written operating rules), and with detailed notice to employees, and employees must be able to turn off the tracking during non-working hours. [Source]

+++

Advertisements
Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: