16-30 June 2014

Biometrics

WW – Industry: “There Is No Anonymity If We Choose to Live in Society”

The recent National Telecommunications and Information Administration (NTIA) meeting on drafting a voluntary code for commercial uses of facial recognition technology was short, but not for lack of contentious debate. As promised at the last NTIA meeting, the trade association representing the biometrics industry prepared a draft of principles on a code, and there were a few people who didn’t like what it had to say—at all. It’s a particularly heated time to talk facial recognition: More than 30 privacy and civil liberties groups sent the Justice Department a letter this week asking that it complete a “long-promised audit of the FBI’s facial-recognition database,” while behavioral authentication company Biocatch has raised $10 million to expand its biometric authentication platform. But the meeting turned on this one sentence: “There is no anonymity if we choose to live in society.” Angelique Carson reports for The Privacy Advisor.

US – Biometrics Industry Introduces Best Practices Draft, Advocates Don’t Like It

The International Biometrics Industry Association has introduced a discussion draft on proposed self-regulatory standards on facial recognition as part of the National Telecommunications and Information Administration (NTIA) multi-stakeholder process. The draft, introduced ahead of the NTIA’s June 24 meeting, has some privacy advocates upset. The Center for Digital Democracy’s Jeff Chester said the draft is “just the latest example of where the NTIA process is being run by industry lobbyists who really don’t want to see consumer privacy protected.” [Broadcasting & Cable] [Biometrics and its Emerging Role in Financial Services]

US – Researchers’ Work Takes “Quantified Self” to New Level

A prototype wearable device is designed to detect nonverbal body noises—including coughing, laughing and teeth grinding—that can provide evidence of a person’s mood and health. Developed by researchers at Cornell University, the system attaches behind a user’s ear and could possibly be integrated with Google Glass in the future. Its built-in sensors can detect subtle clues to determine mood and emotional state. “We see ‘quantified self’ and health tracking taking off, but one unsolved problem is how to track food consumption in an automated way,” said the lead researcher of the technology. She said if enough people use it, for example, the health of a city may be measured. [MIT Technology Review]

US – Match Pairs Up with Facial Recognition Company to Find Clones of Exes

Popular dating site Match.com is rolling out facial recognition technology that will help users find “clones” of their exes. Three Day Rule, the company partnering with Match for the facial recognition tool, bases its model on the fact that “attractive” means different things to different people. Match users can opt in to the Three Day Rule database to be paired up. The software identifies hair color, face shape, eye shape and eyebrow structure of the “ex” to find a match. While that gives some folks the creeps, the algorithm is not much different from what other sites are using these days, the report states. [The Washington Post]

Big Data

WW – Big Data Discrimination Issues the Focus of Winners at PLSC

Over the past year, the idea of big data analytics and its potential for discriminatory harm has only gained steam. IAPP VP of Research and Education Omer Tene published with the Future of Privacy Forum’s Jules Polonetsky about the topic in a paper called “Judged by the Tin Man”; Michael Schrage wrote about it for Harvard Business Review, and the White House reports on big data highlighted potential discrimination as an issue to watch. Perhaps it’s not surprising then that the two IAPP prize-winning papers at this year’s Privacy Law Scholars Conference both deal with big data and the increasingly complicated systems that employ it. The IAPP’s Sam Pfeifle interviews the four authors of the two papers in this exclusive for The Privacy Advisor.

Canada

CA – Commissioner Cavoukian Calls on Govt to Preserve Freedom and Liberty

In the final annual report of her unprecedented third term as Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian draws attention to the need for greater transparency and accountability from the provincial and municipal governments. She also calls on Canadians to keep the pressure on our country’s leaders to ensure that the message of “respect our privacy, respect our freedoms” is heard loud and clear. In the report, entitled Freedom and Liberty, the Commissioner puts forward four key recommendations to safeguard Ontarians’ right of access to public records and to hold government to account:

  • New Consequences for Insufficient Records Retention
  • Municipal Councillors’ Records
  • Government Contracts
  • Modernization of the Acts. [Source] [2013 Annual Report]

CA – Commissioner Therrien: Human Rights Run in My Blood

Daniel Therrien applied for the job as Canada’s federal privacy commissioner as soon as he read the news: Jennifer Stoddart would soon retire. For many in the privacy community, the government’s subsequent approval of Therrien for the role earlier this month was confusing. Most hadn’t heard of him—and he certainly wasn’t known among the privacy circuit. In an exclusive interview, Angelique Carson spoke with Therrien about how he feels his career to this point, his upbringing, even his home in the country, all align perfectly with his new role as the chief protector of Canadians’ privacy. [The Privacy Advisor] [Therrien believes his public safety background will bolster privacy watchdog role]

CA – Supreme Court Says Warrant Required to Obtain Customer Data from ISPs

Canada’s Supreme Court has ruled that law enforcement agencies must obtain a warrant to request customer information, such as names, addresses, and phone numbers, from Internet service providers (ISPs). The court ruled that individuals are entitled to a reasonable expectation of privacy, but did not overturn the conviction of the man whose case brought the issue before it because the police had been acting in good faith. [The Register] [R. v. Spencer – 2014 SCC 43 – Supreme Court of Canada]

CA – B.C.’s Top Court Says Police Cellphone Searches Unconstitutional

British Columbia’s highest court says police must obtain a warrant before searching through the vast amounts of personal information stored in a smartphone, the latest in several court judgments across Canada warning law enforcement that the contents of cellphones are private. The B.C. Court of Appeal released a decision that concluded the RCMP violated the rights of a man charged in a kidnapping when they searched two of his BlackBerry smartphones without a warrant. The court also made it clear that police must ask for permission before examining the contents of a smartphone. “It seems to me that downloading the entire contents of a cellphone or smartphone, like the BlackBerrys in this case … can no longer be considered valid … as a reasonable warrantless search,” Justice Risa Levine wrote in a unanimous decision. “The highly invasive nature of these searches exceeds the permissible scope for a warrantless search authorized under the common law as a search incident to arrest.” [The Canadian Press]

EU – WP 29 Opinion: Wait on Quebec Adequacy Decision

The Article 29 Working Party has released an opinion recommending the European Commission “wait to consider whether the Canadian province of Quebec’s data protection legal regime is adequate to preserve the privacy of personal data received from the European Union.” The opinion raises several points, including “that the territorial scope of the Quebec Act in relation to the PIPEDA should be clearly defined before any decision on its adequacy is taken by the European Commission” and stating “the Working Party considers necessary any initiative, such as a legislation change or a court ruling, offering a clear definition of the notion of ‘sensitive information’ … (and) considers that the onward transfer principle needs to be clarified in Quebec’s law.” [EU Europea] [Bloomberg BNA] [H&W Blog]

CA – Examining Ontario’s “Vicarious Liability” Case

Norton Rose Fulbright Canada LLP’s Christine Carron, Pamela Sidey and Randy Sutton consider the question, “Should an employer be held vicariously liable if an employee breaches the privacy of a company’s customers?” They write that according to Ontario’s Superior Court of Justice, “vicarious liability for the nascent tort of ‘intrusion upon seclusion’ could be the basis of a nationwide class-action for non-pecuniary damages.” The authors note employers could also face liability “for failing to adequately supervise employees and protect their customers’ personal and financial information.” [Mondaq]

CA – Poll: Most Canadians Don’t Approve of Bill C-13

A new poll by Forum Research indicates most Canadians oppose Bill C-13, “at least when asked about elements of Bill C-13 that have nothing to do with cyberbullying.” The survey, which was conducted earlier this month, included 1,433 respondents. Of those, “more than two-thirds of Canadians disapproved of a stipulation in the controversial bill that would allow authorities to access personal data without a warrant,” the report states, noting 79% of those who have personal data online “said they expect their personal information to remain confidential and private.” [The Huffington Post Canada] [Letter to Prime Minister Stephen Harper Regarding Canada’s Growing Privacy Deficit – AMINA Corp, Canadian Civil Liberties Association, Canadian Internet Policy & Public Interest Clinic et al.]

CA – New Tool Helps Canadians Find Out if Telecoms are Collecting Their Info

Canadians concerned about their online privacy have a new way to find out whether their telecom provider is collecting information about them — and sharing it with third parties like government entities. The new tool, developed by some of the country’s top privacy experts, makes it easier for Canadians to force their provider to disclose their practices. “What we’re trying to do as researchers is identify what kind of data telecommunications companies in Canada collect, obtain, and process, and disclose to third parties,” said Dr. Christopher Parsons, a fellow at the Munk School of Global Affairs’ Citizen Lab. “But we also wanted to make it easier for Canadians individually to engage in the same sort of action.” Known as “Access My Info,” the web tool helps create a formal letter which, under Canadian privacy law, telecom companies are legally obliged to respond to within 30 days, the website offering the tool says. The project was developed by OpenMedia.ca, the Citizen Lab and the Digital Stewardship Initiative. [The Canadian Press]

CA – Ring Outlines Recommendations That Would Dismantle Bill 29

Newfoundland and Labrador Privacy Commissioner Ed Ring has made his first presentation at the Access to Information and Protection of Privacy Act Review Committee hearings, where he “outlined a series of recommendations that he says will equate to the dismantling of Bill 29, the province’s privacy legislation.” Ring’s office has spent much time in court since the controversial Bill 29 was passed, the report states, noting those court cases often involved determining “if solicitor-client privilege exceptions are valid.” Ring has called the process “expensive, time-consuming and frustrating,” the report states. [Voxy]

CA – The Supreme Court Decision on IP Addresses and Its Implications

Canada’s Supreme Court unanimously concluded individuals “may have an interest in anonymity on the Internet that should be taken into account in determining whether law enforcement should have warrantless access to subscriber information associated with Internet Protocol addresses.” The court determined Internet service providers’ (ISPs’) terms of service and the Personal Information Protection and Electronic Documents Act (PIPEDA) “did not affect the analysis in the way previous courts had suggested,” writes Timothy Banks of Dentons Canada. “The court rejected the idea that PIPEDA permits an organization to respond to a police request that would otherwise violate an individual’s reasonable expectation of privacy.” This decision sets the stage for consideration of other data and has implications for any organization that receives police requests for information. [Privacy Tracker]

CA – Judge Certifies Class-Action Under New Canadian Privacy Tort

Justice Robert Smith recently certified a class-action lawsuit against the Bank of Nova Scotia under the new privacy tort of intrusion upon seclusion, saying “he couldn’t rule out the possibility the bank is vicariously liable for breach of privacy” after an employee stole client records. The employee “was given complete power in relation to the victims’ (customers) confidential information because of his unsupervised access to their confidential information,” Smith said, which created the opportunity for him to “abuse his power.” Suzanne Chiodo, an associate at Rochon Genova LLP, says this is good news for privacy lawyers, adding it “combines the law that was laid down in Jones v. Tsige with the low bar for certification” in class-actions. [Law Times] [Canada: Stolen Customer Data Results In Ontario’s First Certified Privacy Class Action]

CA – Despite Supreme Court Ruling, Senate Passes Bill S-4

While Privacy Commissioner Daniel Therrien has said Bill C-13 and S-4 should be reviewed in light of last week’s Supreme Court ruling that warrants are required to access telecom subscriber info, the Senate has passed Bill S-4. In his blog, Michael Geist called the move a “head in the sand approach.” Meanwhile, Justice Minister Peter MacKay has said the Supreme Court’s ruling “actually confirms what the government has said all along: that Bill C-13’s proposals regarding voluntary disclosure do not provide legal authority for access to information without a warrant.” [The Huffington Post Canada] See also: [OIPC BC – Follow-Up to Special Committee to Review the Personal Information Protection Act]

CA – Bill Calls for CSEC Scrutiny

Liberal MP Joyce Murray has tabled a private member’s bill seeking “to impose greater judicial and parliamentary scrutiny on Communications Security Establishment Canada (CSEC).” CSEC currently “faces no such direct scrutiny,” the report states, noting, “This spy agency operates under secret orders from the Minister of National Defence and keeps its relationships with communications corporations murky,” while being allowed to gather Internet data “without going to court.” Critics are calling for changes, with University of Ottawa Law Prof. Craig Forcese suggesting, “The government has been operating on a theory that what they’re collecting is something magical that doesn’t attract a reasonable expectation of privacy.” [The Globe and Mail] See also: [Border agency backs down on cross-border data bank]

CA – Cavoukian Calls for Document Destruction Penalties

Describing the alleged destruction of public records related to a scandal over a decision to cancel two gas plants as “offensive,” Ontario Information and Privacy Commissioner Ann Cavoukian is calling for “real penalties for bureaucrats or elected officials who deliberately destroy government records in violation of the Privacy Act.” “This is not how freedom works,” Cavoukian said during the release of her final annual report before the end of her third term as the province’s commissioner. She added, “I just think we have to drive that home so government doesn’t think they can do whatever they want quietly behind closed doors.” [The Canadian Press] See also: [Exit interview: Ann Cavoukian leaves privacy watch dog role to lead Ryerson’s big data institute]

Consumer

US – Woman Registers Herself as Corporation to Take Back Data Control

One woman is aiming to regain ownership and control of her data. Jennifer Lyn Morone, an American working on her master’s degree at London’s Royal College of Art, has turned an art project aimed at designing a protest into an effort to transform herself into a “humanoid/corporate hybrid” and has become Jennifer Lyn Morone (JLM), Inc., registered as a company. JLM’s business plan is an attempt to “establish the value of an individual in a data-driven economy.” The business “derives value from three sources,” its plan states: “accumulation, categorization and evaluation of data generated as a result of Morone’s life.” [The Economist]

WW – “Respect Network” Aims to Put Users in Control

The Respect Network has launched in an attempt to “create a decentralized successor to today’s ad-centric model, where everyone throws their personal data into centralized services such as Google and Facebook.” The service is a new application platform and “a network of private, portable ‘clouds’ of personal data” that allows the user to stay in control, the report states. Meanwhile, a new study has found that banning the use of privacy services to hide domain name registrants from potential criminals would have privacy implications for lawful users of such services. [GigaOM] See also: [Is privacy loss worth 8% Ajusto car insurance saving: Mayers] See also: [U.S. GAO – Consumers’ Location Data – Testimony Before the Subcommittee on Privacy, Technology and the Law, Committee on the Judiciary, United States Senate]

WW – Facebook Moods May be Contagious, but So Is User Ire

Late last week, Facebook revealed it had manipulated a randomly selected number of users’ news feeds in a psychological experiment to see if mood is essentially contagious. Researchers determined it was. But public outcry for such an experiment without users’ consent prompted lead researcher Adam Kramer to post a public apology. In January 2012, Facebook selected 689,003 users and changed the number of positive and negative posts in their feeds. Users who saw more positive posts tended to write positive posts and vice versa. The research was in line with Facebook’s terms of service, but some say it was unethical. Meanwhile, in the U.S., Facebook is taking on the New York district attorney’s office for its seizure of 381 disabled retirees’ profiles in a fraud investigation. [The New York Times]

E-Government

UK – Government in Cyberspace: UK Citizens Remain Divided

A survey by KPMG and Censuswide has found that UK citizens are divided on the role of government in cyberspace. Calls have been made for UK laws governing internet surveillance to be reviewed after revelations of a secret government policy justifying mass surveillance of UK users of Facebook, Twitter, YouTube and Google. The survey found that 76% of respondents think government needs to do more to protect their online privacy. Additionally, 55% said government should be responsible for keeping the internet running, and 54% said the government should not interfere with the operation of the internet. [Digital By Default News]

UK – U.K. Conducts Mass Cyber-Snooping, Rights Groups Say

Britain’s top counterterrorism official says the country’s espionage rules allow its electronic spy agency to routinely intercept online communications between Britons who use U.S.-based platforms such as Facebook, Twitter and Google. A witness statement by Office for Security and Counterterrorism chief Charles Farr, made public Tuesday, said data sent on those services is classed as “external” rather than “internal” communications because the companies are based outside Britain. Britain’s Home Office confirmed the document was genuine. It was written in response to a legal action by civil liberties groups who are seeking to curb cyber-spying, and was published by the groups this week. [Associated Press]

Electronic Records

US – Hospital Networks Leaking Data

Researchers have found that hospital networks are leaking information to the Internet. In some instances, the leaked data include lists of all computers and devices on a hospital’s internal network. In every case, the leakage problem could be traced to an Internet connected computer that was improperly configured. Attackers could potentially identify vulnerable systems because network administrators have enabled Server Message Block (SMB) in a configuration that makes the data externally accessible. These computers were often found to be running Windows XP. [WIRED]

Encryption

US – Massachusetts Court Says Man Can be Compelled to Decrypt Computers

The Massachusetts Supreme Judicial Court has ruled that a man suspected of mortgage fraud can be ordered to decrypt computers seized from his possession. According to the court, the defendant, Leon Gelfgatt, admitted to police that he owned the computers and that he could decrypt them. The court ruled that this information means that decrypting the devices would not reveal anything new to authorities. [Ars Technica] [DocumentCloud] See also: [U.S. Department of State Written Response to Kelley Drye & Warren LLP in Relation to the Use of Tokenization]

WW – More Than 300,000 Servers Still Have Not Patched Heartbleed

According to a recent scan of web servers, at least 300,000 have not been patched to protect them from exploits targeting the Heartbleed vulnerability. The flaw was disclosed in April; a scan run at that time indicated more than 615,000 publicly available SSL servers with the vulnerability. A month later, the number had dropped to 318,000. However, the most recent scan showed that fewer than 10,000 servers had been patched in the last month. [CNET] [ComputerWorld] [v3.co.uk] See also: [Android 4.4.4 Addresses Heartbleed Flaw | The Register | Ars Technica | ComputerWorld]

WW – Researchers Use Big Data, Data-Mining to Bypass HTTPS Encryption

Researchers from the University of California at Berkeley and Intel say they were able to use big data models to get around a widely used version of encryption—Hypertext Transfer Protocol Secure (HTTPS)—including on sites operated by the Mayo Clinic, Planned Parenthood, Kaiser Permanente, Bank of America and the American Civil Liberties Union. The researchers say, in their most recent paper, they were able to identify sensitive information a person was searching on HTTPS-encrypted sites with 90-percent accuracy—including searches on pregnancy and suicide. [The Wall Street Journal]

EU Developments

EU – Irish High Court Refers Facebook Case to ECJ

In a move that could have big implications for Facebook and the EU-U.S. Safe Harbor arrangement, Ireland’s High Court has referred questions raised in a case brought by Max Schrems to the European Court of Justice (ECJ). A recent ECJ ruling made waves after it ruled Google must delete links in the so-called “right-to-be-forgotten” case. Schrems, who started Europe-v-Facebook, has alleged Facebook illegally transferred EU citizens’ personal data out of the EU to U.S. intelligence agencies and that Irish Data Protection Commissioner Billy Hawkes wrongly interpreted EU data transfer law. A legal representative for Hawkes said the controversy was a matter for the political level, the report states. Meanwhile, EU Justice Commissioner Viviane Reding said a lack of judicial redress for EU citizens in the U.S. could prevent the EU from backing the Safe Harbor agreement. [The Irish Times]

EU – The Irish Facebook Case Is About Safe Harbor’s Future: Opinion

Analysis continues to pour in now that an Irish High Court judge has issued a preliminary judgment in a case involving Facebook that may have “sweeping consequences for U.S. e-commerce firms.” In the case, privacy activist Max Schrems claimed Safe Harbor didn’t protect his data because he’s not a U.S. citizen. “The judge hasn’t ruled directly on the major arguments of the privacy activist,” the report states, but has referred the case to the European Court of Justice to determine the validity of the EU-U.S. Safe Harbor agreement. Schrems’ case argues that Facebook, because it founded a subsidiary in Ireland, is subject to European privacy laws. EU Justice Commissioner Viviane Reding has said her office has begun a review of Safe Harbor. [The Washington Post]

EU – CNIL Gets New Online Audit Powers

A report covers the Act on Consumer Protection, which has amended the Act on Information Technology, Data Files and Civil Liberties “to allow the French data protection authority, the Commission Nationale Informatique et Libertés (CNIL), to conduct online audits.” The legislature’s goal was to allow the CNIL “to find infringement efficiently on the Internet by giving such findings probative value, and once an infringement has been found, to instruct the data controller to comply immediately,” the report states. The CNIL may now conduct Data Protection Act compliance audits remotely, “from a computer connected to the Internet” in this “latest addition to the audit procedures already in place.” [International Law Office]

UK – UK Gov’t Says Warrantless Spying on Social Media Sites is Legal

The UK government’s most senior security official says mass surveillance of social media is permissible under the law because such sites are “external communications.” Christopher Farr, director general of the Office for Security and Counter-Terrorism, says the monitoring of such online communications—recently called out in a case brought by Privacy International, Liberty, Amnesty International and other civil rights groups—does not require law enforcement to obtain search warrants because the Regulation of Investigatory Powers Act only requires warrants for spying on internal communications between British residents. [The Guardian]

UK – UK Government Can Intercept Social Media Posts Without Warrant

The British government can collect posts from social media sites like Google, Twitter, and Facebook without a warrant because the content is considered “external communications.” This revelation comes from court testimony from the Director General of the UK’s Office for Security and Counterterrorism published ahead of a hearing scheduled for mid-July. The distinction between the types of communications is made in sections 8(1) and 8(4) of the UK’s Regulation of Investigatory Powers Act (RIPA). [ArsTechnica] [BBC] [ComputerWorld] [Privacy International]

US – Bill Would Amend ECPA, Require Warrant to Search eMail

A bill that would require the government to obtain a warrant before searching people’s email and other stored communications now has majority support in the US House of Representatives. The Email Privacy Act would amend 1986’s outdated Electronic Communications Privacy Act (ECPA). The proposed legislation would bar third-party service providers from disclosing customers’ communications to law enforcement unless they have a warrant. [ComputerWorld] [CNET] [Text of Bill]

EU – Right-to-be-Forgotten Decision Has Nothing to Do With Right to be Forgotten

In the weeks following the European Court of Justice (CJEU) decision on the so-called “right to be forgotten,” reactions have varied among stakeholders. Google announced it will begin removing links to online content in Europe by the end of June. Now that enough time has passed since the decision, Profs. Vagelis Papakonstantinou and Paul de Hert have ruminated on its implications. Papakonstantinou and de Hert “calmly assess what the CJEU decision really is and is not about,” suggesting it “has nothing to do with a ‘right to be forgotten’” at all. [Privacy Perspectives] [The New York Times]

EU – Hustinx Pushes for Privacy Framework in Letter to EC President

It is “vital for a strong and modernised data protection framework in the EU to be adopted as soon as possible and for privacy and data protection considerations to be mainstreamed into all new policies and legislation,” European Data Protection Supervisor Peter Hustinx wrote in a letter to European Council (EC) President Herman Van Rompuy. The letter comes in advance of the EC’s next meeting, during which it intends to agree on “strategic guidelines for the future development of justice and home affairs in the EU.” Hustinx notes his concern that communications from the council “barely acknowledge the role of data protection in ensuring the EU’s activities are appropriate and proportionate” and recommends the council use his office’s opinion on the future development of freedom, justice and security as guidance. [EDPS]

EU – Are EU States Allowing Direct U.S. Surveillance?

The U.S. National Security Agency (NSA), with the aid of several EU governments, directly taps cables to collect high volumes of private e-mails, phone calls and Internet chats. The program, known as RAMPART-A, was revealed to a Danish newspaper in collaboration with The Intercept. According to documents leaked by Edward Snowden, foreign partners “provide access to cables and host U.S. equipment.” And, the “NSA is more active in Germany than anywhere else in Europe,” Der Spiegel reports. In a letter to European Council President Herman Van Rompuy, European Data Protection Supervisor Peter Hustinx said the EU needs stricter controls to protect citizens from spying. And the U.S. House of Representatives overwhelmingly passed a bill this week that would significantly restrict warrantless government access to private electronic communications. [The Intercept]

Facts & Stats

WW – “People Are Now Products” and PI Is Currency, Study Suggests

A recent study by encrypted communications company Silent Circle found that 88% of people in the UK believe their mobile calls and texts are being tapped. The results indicate “people are now products, and their private information is the currency,” said Silent Circle CEO Mike Janke. Meanwhile, services that offer encryption apps for privacy and data storage are seeing an uptick in sales. Ctrl-Shift, a marketing consultancy group, says it sees the launch of a new personal information-management services initiative once per week, on average. [The Wall Street Journal] See also: [National Institute of Standards and Technology – Guidelines on Mobile Device Forensics – Special Publication 800-101 – Revision 1]

Finance

US – Ford and Intel Pair Up Toward Smarter, Privacy-Enhanced Cars

Research from Ford and Intel recently explored how interior-facing cameras would be integrated with sensor technology and data generated within and around a car to create “a more personalized and seamless interaction between driver and vehicle,” according to a press release. Project Mobii also aims to give drivers greater privacy and controls, with features like facial recognition technology that personalizes display information depending on whether there’s an additional passenger in the car and alerts the primary vehicle owner via a smartphone picture if the driver is not recognized by the car. [Wall Street Journal] [US: Privacy an issue in auto technology, expert says]

FOI

US – Open Gov’t Initiatives Mean Increased Transparency, Privacy Risks

Governments are making more data publicly available in machine-readable formats in an effort to be more transparent, but doing so has privacy risks, according to a paper recently published in a Switzerland-based scholarly journal. The report is authored by the University of Ottawa’s Teresa Scassa, who says the open government movement has privacy risks, including responsibly handling public personal information, distinguishing between public- and private-sector actors and “the potential for monitoring and profiling of citizens through big data.” [FierceGovernmentIT] See also: [Article 29 Data Protection Working Party – Statement on the Role of a Risk-Based Approach in Data Protection Legal Frameworks]

CA – Federal Advisers Urge Access to Information Reform

Several members of the federal advisory panel on open government are urging the Conservatives to reform the Access to Information Act, a law that has barely changed in more than 30 years. The panel of experts from business, academia and civil society is providing advice to Ottawa on preparations for the next open government plan, to be released this fall. In their first plan, published in 2012, the Conservatives focused on making data sets more readily available, increasing access to archived federal documents and developing new ways to consult Canadians online. But the government has made no commitment to reforming the Access to Information Act despite calls for modernization from the federal information watchdog, opposition parties and pro-democracy groups. [The Canadian Press] See also: [ON: Complaints about justices of peace kept secret] See also: [US – Further Guidance on the Implementation of FATCA and Related Withholding Provisions: Notice 2014-33 – Internal Revenue Service]

Google

WW – Google to Unveil Connected Health Service

On the heels of a similar announcement by Apple, Google will reportedly launch a new health service called Google Fit, which will collect and aggregate data from fitness trackers and other health-related applications. The announcement is expected next week at the Google I/O conference on June 25 and 26. Google Fit will collect the data from open APIs and will announce partnerships with other wearable device makers. Google Fit may also make it possible for health-monitoring, wearable devices to interface with Google’s cloud-based services. [Forbes]

Health / Medical

US – ONC Team to Consider Protecting Minors’ EHR Data

The Privacy and Security Tiger Team of experts, coordinated by the Office of the National Coordinator for Health IT, will focus next on the complexities surrounding minors’ electronic health records. The team’s July 14 meeting will look at the varying state laws that allow minors to obtain certain health services and whether the information involved may be disclosed to parents. At issue is how to segregate the information a minor may not want shared with parents—on substance abuse or reproductive health, for example—from the rest of the minor’s record. [FierceHealthIT]

US – Pritts Talks Mobile Health Apps; Online Therapy Brings Privacy Concerns

Joy Pritts, who is about to exit as the Office of the National Coordinator (ONC) for Health Information Technology’s first-ever privacy officer, discusses the privacy risks of mobile health apps in a Q&A. Among the top threats to patient health privacy remains the loss and theft of devices as well as “inappropriate access” to health records, Pritts says, adding, “We always encourage a multilayered approach to securing information.” Meanwhile a federally backed consortium of health providers, administrators and health information exchange experts are discussing how to exchange behavioral health data while maintaining privacy, and NPR reports on online psychotherapy and the privacy concerns that come with it. [SearchHealthIT] [Privacy and security experts: mHealth requires a new approach]

US – Industry Wants Patient Data-Sharing Made Easier

Health industry leaders met with lawmakers Tuesday in a roundtable discussion pushing for legislation to make patient health data-sharing easier, but lawmakers expressed concern about “nefarious” use of the data. During the discussion within the House Energy and Commerce Committee, industry asked lawmakers for legislation that would allow electronic medical records companies to charge physicians for data transfers, improve cloud computing and invest in more federal medical research. The move, argued industry, would change the healthcare system and curb medical mistakes. 23andMe’s CEO said she’d “like to democratize healthcare,” but Rep. Phil Gingrey (R-GA) said more open health data flows would be “scary.” [The Hill]

US – Hospitals May Be Using Data Brokers to ID Potential High-Risk Patients

Some U.S. hospitals are using public records and credit card transaction data gleaned from data brokers to identify potential high-risk patients. The largest hospital organization in the Carolinas, the report states, is placing data for two million individuals into algorithms that locate high-risk patients. Similarly, the largest hospital system in Pennsylvania is allegedly using household and demographic data. [Bloomberg]

Horror Stories

US – 160,000 Breached at Butler U; Biz Releases Student Data Privacy Guidelines

Officials at Butler University have warned that the records of 160,000 students, faculty, staff and alumni have been compromised after a hack. Exposed data includes birthdates, Social Security numbers and bank account information. Meanwhile, in a press release, Skyward, a K-12 software provider, has unveiled a set of data security and privacy guidelines for protecting student data. The recommendations include best practices for electronic storage as well as how to evaluate and strengthen schools’ internal privacy policies. Separately, former Mississippi Governor Haley Barbour writes, “Student privacy should be protected, and companies should not be raiding kids’ records to make a buck.” Last week, in a joint House subcommittee hearing, lawmakers and experts discussed student data privacy issues and concerns. [Miami Herald] See also: [NZ: At what point is data breach reporting overkill?]

WW – Smart LED Lights Save Energy, Spark Privacy Concerns

A California-based company has developed energy-saving, smart LED lights that form smart networks capable of collecting data. The lights contain built-in sensors and cameras and, in the case of Terminal B at Newark airport, they can monitor for security and traffic. A building in Silicon Valley uses the lights in its parking lot, where they are also connected to security cameras. “We do use the license-plate recognition, and we can also detect people,” said the building’s owner, adding, “Everything goes up in the cloud, so we can access everything from anywhere. The future is limitless for this technology.” [CBS News]

US – Bistro Hit with Class-Action Following Breach

P.F. Chang’s China Bistro has been hit with a proposed class-action lawsuit following a data breach that exposed its customers’ credit and debit card data. The plaintiff in the case, John Lewert, says P.F. Chang’s “security failures enabled hackers to steal financial data from within P.F. Chang’s systems and subsequently make unauthorized purchases on customers’ credit cards and otherwise put consumers’ financial information at serious and ongoing risk,” the report states. It appears that the security breach at P.F. Chang’s began in September 2013 and was still active until June 11, 2014. The breach compromised continental US customers’ payment card data. A P.F. Chang’s spokesperson did not comment on the timing of the attack, but noted that it does not appear to have affected the company’s Pei Wei Asian Diner restaurants. [Krebs on Security] [Law360] See also: [Forbes: Yeah, the Thieves Got the Data. But How Do They Turn It Into Cash?]

US – 1.3 Million Affected by Montana Breach

The state of Montana has begun sending out notification letters to 1.3 million people affected by a data breach. The breach was discovered in mid-May by a contractor who noticed suspicious activity on one computer storing millions of records. And a New York radiology practice has informed 97,000 patients of a data breach after an employee of the practice gained unauthorized access to their personal information. Meanwhile, privacy attorney Gregory Parks advises organizations about which data breach provisions should be included in outsourced contracts, and EDUCAUSE Center for Analysis and Research has released a paper on data breaches in higher education. [CSO]

US – Healthcare Provider Settles with HHS for $800,000

Parkview Health System has agreed to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) for $800,000. Parkview will also adopt a corrective action plan to address deficiencies in its HIPAA-compliance program, according to a press release. The settlement follows an HHS investigation into a retiring physician’s complaint over 71 cardboard boxes of medical records being transferred from him to other physicians, which were left accessible to unauthorized persons. “All too often we receive complaints of records being discarded or transferred in a manner that puts patient information at risk,” said an OCR spokeswoman, adding that HIPAA-covered entities must protect information even during transfer or disposal. [HHS] See also: [$412-million lawsuit launched against Toronto hospital over privacy breach]

CA – $412-Million Lawsuit Against Toronto Hospital Over Privacy Breach

A $412-million class action lawsuit has been launched against Rouge Valley Health System less than a month after the Scarborough hospital admitted to a major privacy breach affecting up to 8,300 new mothers. Michael Crystal, one of the lawyers behind the lawsuit, said that the firm is seeking damages of approximately $49,000 per person, and Crystal said the number of affected patients could rise depending on how widespread the breach turns out to be. The hospital came under fire at the beginning of June after admitting that two former employees sold patient information to multiple Registered Education Savings Plan (RESP) companies. Both the Ontario Securities Commission and the Privacy Commissioner of Ontario were notified of the breach, which is said to have occurred over a two-year period. [CP24.com]

US – Advocate Files Complaint with FTC; Other Incidents Reported

A privacy advocate has filed a complaint with the FTC over a Maricopa County Community College District (MCCCD) data breach that compromised the data of approximately 2.5 million faculty, students, vendors and staff, alleging the school violated the Safeguards Rule. “Having researched and reported on breaches for about a decade now, some breaches strike me as really appalling, and the MCCCD breach is one of those,” the advocate wrote in a blog post. Meanwhile, the U.S. Department of Justice is leading a multinational effort against the “Gameover Zeus” botnet and “Cryptolocker” ransomware. The world’s largest medical device maker, Medtronic, says it was the victim of a cyberattack in papers filed with the U.S. Securities and Exchange Commission, and Krebs on Security reports on a slew of data breaches affecting car washes across the country. BankInfoSecurity reports on lessons learned from distributed-denial-of-service attacks, including how they’re used as a diversionary tactic. [Source] See also: [In the Matter of Snapchat Inc.: Comments to the FTC – Electronic Privacy Information Center]

Identity Issues

US – New York to Issue ID Cards for Undocumented Immigrants

New York City’s 500,000 undocumented immigrants will be able to open bank accounts, visit libraries and use medical clinics, thanks to an official municipal identification card approved by the City Council. The measure, backed by Mayor Bill de Blasio, passed in a 43 to 3 vote with two abstentions. The photo IDs will display the holder’s name, birth date, address and – at the cardholder’s option – a self-designated gender. Similar cards have been created in Los Angeles, San Francisco and New Haven, Connecticut, which began its program in 2007 in response to a series of street robberies of undocumented immigrants who carried cash because they lacked access to banks. The victims’ status made them reluctant to report the crimes, said Officer David Hartman, a New Haven police spokesman. New York’s program would be the largest in the U.S., costing $8.4 million when it goes into effect next year, decreasing to $5.6 million annually over the next three years, Mark-Viverito said. The city will seek sponsors to offer discounts and other inducements for residents to carry the card so that its use would expand beyond undocumented immigrants, Mark-Viverito said. Details of how the card would be administered are still being worked out, she said. [Bloomberg] See also: [Barth-Jones: Does De-identification Work?]

Intellectual Property

AU – Australian and Irish Commissioners Agree to Cooperate

The Office of the Australian Information Commissioner (OAIC) and the Data Protection Commissioner of Ireland (DPCI) have signed a Memorandum of Understanding (MOU) to assist each other with investigations and collaborate on consumer and business education, new laws, government and self-regulatory enforcement, staffing and resource issues and information relating to investigations. “Each participant will designate a primary contact for the purposes of requests for assistance and other communications,” the MOU states. In the MOU, the OAIC and DPCI recognize the complexity of the global economy and the wide-ranging circulation of personal information across national borders, increasing the need for cross-border enforcement cooperation. [PS News]

Internet / WWW

WW – Group Developing Open-Sourced IoT Data-Sharing Standard

HyperCat is a project funded by the UK government and comprising the work of more than 40 organizations—including IBM as well as several start-ups and universities—tasked with developing a standard that would allow sensors and devices to share data more easily. The UK’s Technology Strategy Board allotted £6.4 million to the project, and the group hopes it can encourage an open-standards-based Internet of Things framework rather than an ecosystem where data is stored in silos or only available via proprietary formats and application programming interfaces. BT Semantic Technology Head John Davies said, “This will drive commercial use of the hubs and lowers the barrier to participation, particularly for SMEs.” [ZD Net]

WW – Protecting Student Privacy in the Age of Ed Tech

Attorney Bradley Shear discusses the challenges of protecting student privacy in an environment where students regularly use online technology in the classroom. Pointing to the outdated nature of the Family Educational Rights and Privacy Act, Shear writes that an “update to the terms ‘education records’ and ‘personally identifiable information’ to account for the increased capturing of student data in a digital format is needed.” Some states have stepped in with possible solutions, but, according to Shear, “The bottom line is that students, parents, teachers, privacy professionals, lawmakers, state attorneys general, the FTC and the ed-tech industry must work together to ensure that student privacy is protected in the Digital Age.” [Privacy Tracker]

US – EFF Says Opening Wi-Fi Networks Would be a Boon to Privacy

The Electronic Frontier Foundation (EFF) wants people to start opening their home wi-fi connections, saying that the change would actually improve privacy. While some companies have already begun testing this model, they have charged customers for use of their network. The EFF’s plan would be free. The organization says the initiative will boost privacy: sharing connectivity would drive home the point that an IP address is not an individual, and linking illegal activity to an IP address does not mean that the person whose router is running on that address is the culprit. Each link to the router will be encrypted, which will require users to download a certificate. Network owners’ traffic will receive priority. The EFF plans to release firmware for the project next month. [Wired] [ArsTechnica]

US – Turning Private WiFi Routers into Public Hotspots

Over the past year, Comcast started exchanging customers’ home wi-fi routers for models that allow them to be used as public hotspots. The arrangement does not give passers-by access to password-protected home networks, but is instead intended to let users with registered Xfinity accounts access wi-fi connections while visiting friends or in public places. The routers do not have a stronger signal, meaning people driving past homes are not likely to piggyback on strangers’ networks. The change means that users do not have to provide visitors with the password to their home network. People who use the Xfinity public network will also be required to sign in with their Comcast customer access credentials. One concern is that vulnerabilities in the routers could be exploited to tamper with the devices. [CNN]

US – Postal Service Explores Sensors, Data Collection Via ‘Vehicles, Mailboxes, Machines, Letter Carriers’

The U.S. Postal Service is seeking a company to help develop a program called the Internet of Postal Things. The Risk Analysis Research Center (RARC), part of the Postal Service’s Office of the Inspector General (OIG), is looking for a supplier “who possesses expertise and critical knowledge of the Internet of Things, data strategy and analytics, and the Postal Service’s operations, infrastructure, products and services.” The OIG is exploring ways for the Postal Service to benefit from the technology that provides “virtually unlimited opportunities to collect and process data from any device, infrastructure, machine and even human beings.” [The Weekly Standard]

Law Enforcement

US – Law Enforcement Agencies Using Spyware for Mobile Device Surveillance

Researchers have uncovered a mobile spyware product known as Remote Control System (RCS), which is being sold by an Italian company to police around the world. RCS can intercept and record communications from devices running Android, iOS, Windows Mobile, Symbian, and BlackBerry operating systems. There are at least 320 command-and-control servers for RCS in more than 40 countries. [ComputerWorld] [The Register] [USA Today] See also: [Documents Suggest Illinois State Police Purchased Stingray] and [Law Enforcement Officers Were Purposely Deceptive About Stingray Use | Source]

US – FBI Discloses Data on ‘Backdoor’ Searches of Americans’ Phone Calls, E-Mails

U.S. intelligence revelations include the number of warrantless searches conducted by the Federal Bureau of Investigation (FBI) under Section 702 of the FISA Amendments Act and the FISA Court ruling that allowed for broad surveillance authority over 193 countries worldwide. The FBI sent a letter to Sen. Ron Wyden (D-OR) reporting the NSA last year used 198 e-mail addresses or phone numbers of U.S. citizens to search for data on foreign intelligence. Such a low number, Wyden said, means the FBI should be able to obtain a warrant for each one. The NSA has been granted “a far more elastic authority than previously known,” a newly disclosed 2010 legal certification indicated. [The Washington Post]

US – San Diego Police to Wear Cameras Inside Private Homes

San Diego police officers equipped with cameras on their uniforms will be allowed to record interactions with the public within private homes, Chief Shelley Zimmerman said Wednesday. The chief outlined for the City Council’s Public Safety and Livable Neighborhoods Committee the SDPD policies developed for use of the new cameras. The cameras will always be on during an officer’s shift, recording in 30-second loops so that video of the moments leading up to an interaction will be saved, she said. The officer will activate full video and audio recording before a contact. “Private citizens have a reasonable expectation to privacy in their homes,” Zimmerman said. “However, when an officer is lawfully present inside a home, such as on a warrant, consent or exigent circumstances as examples – in the course of the officer’s official duties – there’s no reasonable expectation of privacy.” The chief said officers will not be required to inform citizens that they are being recorded, but should acknowledge it when asked. They will also not be required to stop recording if a citizen makes a demand, she said. Zimmerman also described situations when officers will not push the record button, including:

  • non work-related activity in a locker room, break room or restroom;
  • when someone is being examined by a physician because of patient-doctor confidentiality;
  • when someone is a victim or witness of a sex crime or child abuse;
  • a peaceful demonstration, until it appears the gathering is about to become unlawful; and
  • victims or witnesses of other crimes so there is no hesitation to share sensitive information.

However, domestic violence victims, who often quickly recant their statements, should be recorded, she said. Kellen Russoniello, of the American Civil Liberties Union of San Diego and Imperial Counties, said the public should be informed upfront about the recording, and should be allowed to obtain a copy. Strong disciplinary procedures are also needed for officers who do not follow the procedures, he said. [City News Service]

Offshore

SG – Personal Data Protection Regulations 2014 in Force July 1st

Singapore’s Personal Data Protection Regulations 2014, effective July 2, 2014, prescribe requirements related to the exercise of rights under the Personal Data Protection Act 2012 (the “Act”) in relation to deceased individuals (the right to give/withdraw consent or bring an action/complaint) and to access and correction requests (generally providing for a 30-day timeline for response, and permitting fees only for access requests, not correction requests). Provisions concerning the transfer of personal data outside Singapore specify that such transfers comply with the Act if the data is in transit or publicly available in Singapore, the transfer is necessary for a contract, or the transferring organization has obtained individual consent or is required to transfer the data pursuant to a law, contract, binding corporate rules, or other legally binding instrument. [Source]

SG – Data Privacy Ambiguity May Hamper Singapore’s Smart Nation Ambition

It’s been a big week for the Singapore government, which unveiled its big plan to become “the world’s first smart nation,” relying heavily on data sensors and analytics to enable intelligent urban living. However, unanswered questions about the management of such data, which cuts across government agencies and private entities, could prevent Singapore from realizing its smart nation dream. [Source]

Online Privacy

WW – Facebook Added Research Exception to User Agreement Ex-Post

Facebook has added the term “research” to its user agreement approximately four months after its now infamous study on emotional contagion. Some have defended the study, noting that Facebook’s current user agreement explicitly says it can use data for research, but Hill points out critics “were all relying on what Facebook’s data policy says now,” adding it was not until May 2012 that Facebook made changes to its data use policy to reflect research exceptions. A Facebook spokesperson said, “To suggest we conducted any corporate research without permission is complete fiction.” Jaron Lanier writes, “My guess is that the public would choose to outlaw using our communication tools as conduits for secret, algorithmic manipulations of our emotions.” [Forbes] [The New York Times]

WW – Ad Industry Urges Web Standards Group to Abandon Do-Not-Track Effort

The Digital Advertising Alliance (DAA) is calling on web standards group the World Wide Web Consortium (W3C) to stop its Do-Not-Track initiative. “By wading into this public-policy matter, the W3C not only duplicates efforts undertaken by legitimate policy-makers but also strays far beyond its expertise and mission,” DAA Executive Director Lou Mastria wrote to the W3C on Wednesday, adding the DAA wants the W3C “to abandon this effort and to return to its mission of developing consensus around specifications for web technologies.” Turn General Counsel and CPO Max Ochoa said the proposed “tracking” definition will result in “a dramatic concentration of market power in the hands of first parties that … are historically poor stewards of privacy.” [MediaPost News] See also: [EU Article 29 Data Protection Working Party Opines on Tracking Preference Expression]

US – Amazon Phone Transmits Data; LinkedIn Launches Privacy-Guaranteed App

While Amazon’s Fire Phone is fascinating, it’s “probably also the biggest single invasion of your privacy for commercial purposes ever. And no one seems to have noticed.” While the phone is able to identify objects like books, movies and games as well as songs, TV shows and phone numbers, it does so by transmitting pictures and GPS location information to “the company that pretty much invented what we now call big data analytics for customer insights and the largest online retailer in the wild wild west.” Meanwhile, Google’s latest changes to its app permissions are “just wrong,” one blogger says, and LinkedIn has launched a job search app that promises complete privacy. [VentureBeat]

WW – Exploring OnionShare and the Risks of File-Sharing Apps for Organizations

The Electronic Frontier Foundation’s Parker Higgins writes about a newly created one-to-one file-sharing tool—OnionShare—that allows for simple, encrypted data-sharing between two people over the Tor browser. The code for OnionShare is simple, making it difficult for backdoors to be inserted, and avoids using a middleman site, such as Dropbox or Mega. Higgins also argues copyright issues—particularly ones raised by the Motion Picture Association of America and the Recording Industry Association of America—have prevented more file-sharing technology. In a separate story, eSecurity Planet reports 46% of IT security pros say data is leaking from their businesses because of file-sharing services. [WIRED]

WW – BuzzFeed Quizzes: Who Has Your Info?

The popular website BuzzFeed has “shareable quizzes” that have become “an unprecedented opportunity for data-mining.” Analytics expert Dan Barker said that while most websites record some information about you, “Buzzfeed records a whole ton.” And while most of the quiz topics are playful and innocuous, some are not. For example, one quiz asked users whether they’d been raped, attempted suicide or taken medication for mental health, and the site assigns a unique ID to every answer. BuzzFeed says it anonymizes all data and has strict policies to only access data “in the aggregate form.” [Newsweek]

US – Website Analysis Turns Up Slew of Possible COPPA Violations

An analysis of 40 popular children’s websites has found a majority of them “aggressively” tracked users. TRUSTe analyzed the top 10 websites in four categories—pre-school, education, kids’ entertainment and gaming—and found high levels of user tracking. On the 40 websites, researchers found a total of 1,110 third-party trackers from 644 different organizations. “This post-Millennial generation of kids has access to unprecedented levels of technology from an early age,” said TRUSTe CEO Chris Babel. “From toddlers to teens, kids’ online activity is monitored and their personal data is being collected, stored and possibly shared.” [PC Magazine]

WW – Westin Center Unveils First Global Survey of Rapporteurs

Can a privacy statement be valid if the statement is in English and not translated into the official local language of the country in which it’s being read by a consumer? Tough question. To get the answer, the Westin Research Center reached out to rapporteurs from around the world to get answers for 21 different countries in its first global survey of privacy law. [Source]

WW – Beyond Privacy Policies: Why Software Transparency Is Needed

“A privacy policy or transparency statement is a good starting point but, by itself, only expresses aspirations and intentions,” write Ontario Information and Privacy Commissioner Ann Cavoukian and Dawn Jutla of Saint Mary’s University. “It stands to reason,” they add, “that documented and independently verifiable privacy claims should enhance compliance, credibility and trust goals. To achieve this, we need standardized methods and tools.” Cavoukian and Jutla detail how to accomplish this and discuss the work of the OASIS Privacy by Design for Software Engineers Technical Committee. [Privacy Perspectives]

US – Privacy Policies Don’t Inspire Consumer Trust

Responding to the California AG’s recently issued CalOPPA guidance, Andrew Serwin says while transparency is a noble goal, recent research shows that statements made in a privacy policy may not be so important for consumer trust. Serwin discusses the Lares Institute’s recent research finding consumers “did not rank disclosures in a privacy policy as being that important. Indeed, what people read in a privacy policy was seventh out of the 10 reasons people trusted companies with their information,” and only five percent of respondents said reading the policy was the reason they trusted the company. [The Privacy Advisor]

US – HIPAA-Compliance Software Increasingly Popular

With HIPAA audits to increase this year, healthcare organizations are investing in software or services to ensure compliance. HIPAA Secure Now, a risk assessment service, saw website activity grow from 400 to 7,000 hits a month since the HIPAA omnibus rule went into effect in March 2013. Meanwhile, since federal breach reporting requirements took effect nearly five years ago, more than 1,000 medical breaches involving 500 people or more have been reported to HHS. An InsuranceNewsNet article offers five tips on how to avoid HIPAA breaches. [InformationWeek]

Other Jurisdictions

MX – Mexican Congress Expected to Tackle Telecom Bill

After widespread protests halted the advancement of a comprehensive telecoms reform bill, a special session of Congress is expected to debate the bill in the next few weeks. The bill would expand government surveillance powers and allow for network discrimination, taking on similar rules to those proposed by the U.S. Federal Communications Commission. The bill also requires telecoms to retain consumer data for two years. [Access Now]

MX – Mexican Telecoms Bill to Be Taken Up in Special Session

Activist site Access Now reports that a telecoms regulation bill that has been hotly contested among Mexican Internet users is likely to be taken up in a special session of Congress in the next few weeks. The contentious portions of the bill would allow for greater law-enforcement access to data without judicial approval, allow for law enforcement to block phone and Internet access and would allow for so-called “fast lanes,” whereby Internet Service Providers could provide more bandwidth to those companies who pay for it. According to the report, “President Enrique Peña Nieto and his party, the Institutional Revolutionary Party or PRI, was forced to publicly say they would modify the bill.”

RU – Russian Parliament Passes Tax Information Sharing Bill

A bill allowing banks to share data on foreign clients with overseas governments is headed to Russian President Vladimir Putin for his signature. Hundreds of Russian institutions have signed on to comply with U.S. tax law, even given the risk of fines. The U.S. Foreign Account Tax Compliance Act requires foreign financial institutions to share information on Americans’ accounts with balances upwards of $50,000 with the U.S. Internal Revenue Service. [Reuters]

AU – Pilgrim on Australia’s Privacy Act Changes in Practice

Looking at the complexity of the Privacy Act changes that went into effect on March 12, Australian Privacy Commissioner Timothy Pilgrim discusses what those changes mean in daily life. Companies, Pilgrim states in the report, must now “be open and transparent about what they do with personal information—why they’re collecting it, how they’re going to collect it from you, the types of information they want to collect, how they’re going to use it, who they might disclose it to and how they’re going to protect it.” Companies must also make privacy policies “easily understandable and readable,” the report states, noting the Office of the Australian Information Commissioner “can enforce these changes if they see fit and is examining further policies to ensure readable policies become a reality.” [The Sydney Morning Herald]

CN – Is China’s Privacy Law Being Used to Quell Dissent?

Chinese officials arrested prominent human rights lawyer Pu Zhiqiang, according to a Reuters report, on “suspicion of the crimes of causing a disturbance and illegal access to the personal information of citizens.” The charges carry penalties of five and three years in prison, respectively. Pu was arrested at a private gathering commemorating the 25th anniversary of the Tiananmen Square protests, in which he took part. He has represented artist Ai Weiwei and other activists who have been a thorn in the side of the Chinese government. In a piece for The Washington Post, former NSA General Counsel Stewart Baker suggests the Chinese are using privacy law as a means to quell dissent. Further, “How is China’s privacy law different from the data protection laws that Europe has been urging the world to adopt?” [Reuters]

AU – Australian Gov’t: Breach Legislation Needs More Work

Although agreeing with the proposal in principle, the government will not support a bill to force companies to notify customers of data breaches because the legislation “needs more work.” In March, Sen. Lisa Singh reintroduced the lapsed Privacy Alerts Bill, which seeks to compel organisations that suffer data breaches involving such information as personal, credit or tax file number data to notify the privacy commissioner and individuals affected “as soon as possible,” the report states. Senators raised concerns about reintroducing a bill without updating the text from the prior bill. “Definitions are important. It’s not something we should just be rushing through,” said Liberal Senator David Fawcett. [IT News]

AU – Australian and Irish Commissioners Agree to Cooperate

The Office of the Australian Information Commissioner (OAIC) and the Data Protection Commissioner of Ireland (DPCI) have signed a Memorandum of Understanding (MOU) to assist each other with investigations and collaborate on consumer and business education, new laws, government and self-regulatory enforcement, staffing and resource issues and information relating to investigations. “Each participant will designate a primary contact for the purposes of requests for assistance and other communications,” the MOU states. In the MOU, the OAIC and DPCI recognize the complexity of the global economy and the wide-ranging circulation of personal information across national borders, increasing the need for cross-border enforcement cooperation. [PS News]

HK – Chiang Supports Right to Be Forgotten in Hong Kong

Following the EU’s “right to be forgotten” ruling, Hong Kong Privacy Commissioner Allan Chiang “will ask his regional counterparts to join him in pressing the Internet search giant to extend the same safeguards to the region.” Chiang said, “As a responsible enterprise, Google should also entertain removal requests from other parts of the world to meet their privacy expectations … We are not exercising a legal right but requesting a service that is available to EU citizens.” In a separate report, SCMP quotes a Hong Kong cryptography expert on the increased “interest in open-source cryptographic tools” since the Edward Snowden revelations. [South China Morning Post]

AU – Commissioner: Policies Needed for Wearables at Work

With wearable devices sure to make it into the workplace, Privacy Commissioner Timothy Pilgrim is encouraging companies to develop policies addressing the use of such devices. For devices that collect personal information, Pilgrim said, “the policy could also outline how that information is used, disclosed and stored.” The report suggests organisations “develop their own enterprise-grade privacy policies to ensure employees are at ease working with and around wearable computers,” noting there has been a lack of discussion “on the impact wearables will have on employee privacy and how organisations can deal with this challenge.” [The Sydney Morning Herald]

NZ – Business NZ Drops Breach Notification Objection

Lobbying group Business NZ has dropped its objection to Justice Minister Judith Collins’ call for organisations to inform the Office of the Privacy Commissioner in data loss incidents and to inform those affected in “serious” breach cases, Fairfax NZ News reports. Phil O’Reilly said issues the group would have with a change in New Zealand law would be in such details as defining what constitutes a “serious” breach, the report states, noting “BusinessNZ would object if officials implemented the law change in an ‘impractical fashion,’ but O’Reilly did not believe that was likely.” [BusinessNZ]

Privacy (US)

US – Supreme Court: Google Must Face Lawsuit Over ‘Street View’ Privacy Invasions

The Supreme Court decided it will not hear Google’s challenge to an appeals court ruling requiring the company to face a class-action lawsuit alleging it illegally spied on users from 2008 to 2010 in order to bolster its Street View data. The Supreme Court ruled the Wiretap Act covers data on unencrypted, in-home WiFi networks, which Google collected as part of its Street View project. Last year, Google reached a settlement with 38 U.S. states and the District of Columbia, agreeing to pay $7 million and destroy the data it collected in the U.S. [Venture Beat] See also: [Maybe SCOTUS Gets Tech After All]

US – Privacy Groups Write Letter Against CISA

A group of 22 privacy groups wrote a letter to the Senate Intelligence Committee warning of the increased surveillance that would come with the Cybersecurity Information Sharing Act. Senate Intelligence Committee Chairwoman Dianne Feinstein (D-CA) and Vice Chairman Saxby Chambliss (R-GA) introduced the bill, which has been called a rehash of their failed bill CISPA. The letter said the bill doesn’t appropriately restrict data-sharing and includes broad definitions of cyber threats and a failure to protect personally identifiable information. [The Hill]

US – Federal Judge Rules SC Law Banning Political Robocalls Unconstitutional

U.S. District Court Judge Michelle Childs has ruled that a South Carolina law banning political robocalls is unconstitutional. Basing her decision on the First Amendment, Childs noted the government should not use content—importantly, political speech—to ban robocalls. A Columbia-based media attorney noted, “Political speech has the highest level of protection under the First and Fourteenth Amendment, and the court’s ruling is certainly consistent with the notion that a content-based restriction on political speech can be constitutional only if it serves a compelling governmental interest and no less-restrictive alternative exists.” [SC Now]

US – FTC Launches Contest at DEF CON to Find Robocall Solution

The FTC receives more than 150,000 complaints about robocalls every month, but it’s determined to find a technological solution and is tapping one of the world’s largest hacking conferences to find answers. It will hold a contest at DEF CON 22 in Las Vegas, NV, this August “to inspire the next generation tech solution in the fight against illegal robocalls,” according to the FTC’s blog. “Unfortunately, the technical distinctions between a telephone call and an e-mail have made it difficult to use Internet security tactics in the battle against robocalls,” the blog says, but the contest will hopefully change that. [FTC]

US – SCOTUS Unanimously Rules Warrants Needed for Cell Searches

In a developing story, the Supreme Court of the United States has unanimously ruled that law enforcement must obtain a warrant prior to searching the contents of a suspect’s mobile phone. Chief Justice John Roberts wrote, “To further complicate the scope of privacy interests at stake, the data a user views on many modern cell phones may not in fact be stored on the device itself,” adding, “Treating a cellphone as a container whose contents may be searched incident to an arrest is a bit strained as an initial matter.” Roberts also wrote, “We cannot deny that our decision today will have an impact on the ability of law enforcement to combat crime … Privacy comes at a cost,” but the justices reserved the right for police to claim “exigent circumstances.” [Full Story] [Court defends ‘21st-century mobile castles’: U.S. ruling protects cellphone privacy and ‘bodes well’ for Canada]

US – What the SCOTUS Cellphone Decision Means Going Forward

With the proliferation of smartphones and other electronic devices, courts have struggled to apply old Fourth Amendment principles to modern technologies and the digital data they hold. Now, by and large, that struggle is over. The change came through an unexpected vehicle: Riley v. California. Yesterday, the Supreme Court decided in a surprising 9-0 decision that police officers must now obtain a warrant before searching the digital information on the cellphone of an arrestee. The court’s ruling in Riley signals an important shift in the notion of privacy as it relates to digital information. IAPP Westin Research Fellow Dennis Holmes analyzes the decision and its implications for Privacy Tracker. [Full Story]

US – U.S. May Extend Privacy Right of Redress to Europeans

The U.S. government may extend to Europeans a privacy right in the U.S. that EU citizens have at home, according to a European Commission press release. A welcoming statement from EU Justice Commissioner Viviane Reding noted U.S. Attorney General Eric Holder said the U.S. intends to “take legislative action in order to provide for judicial redress for Europeans who do not live in the U.S.” Reding said this action could remove a major obstacle in negotiations between the two regions. “This is an important first step towards rebuilding trust in our transatlantic relations,” Reding said, adding, “Now the announcement should be swiftly translated into legislation so that further steps can be taken in the negotiation. Words only matter if put into law. We are waiting for the legislative step.” [Full Story]

US – Competitors Put Differences Aside to Fight Microsoft Case

Apple, Cisco and AT&T all filed amicus curiae briefs supporting Microsoft in its appeal of a federal court order to turn over a customer’s information stored in a data center in Ireland to U.S. law enforcement officials. Verizon filed an amicus brief last week. “The case highlights how the advent of cloud computing has technology companies overcoming their competitive differences in order to challenge troublesome data protection laws,” the report states. The companies say the court’s reasoning indicates, no matter where it is stored in the world, customer data isn’t safe from law enforcement’s grip. [GigaOM]

US – Tech Giants Back Spokeo in Privacy Class-Action

A group of web companies have joined together to back Spokeo in fighting a class-action lawsuit alleging the company provided inaccurate data. Google, Yahoo, Facebook and eBay are pushing the Supreme Court to hear Spokeo’s appeal of a recent decision allowing a Virginia resident to sue the data broker for allegedly violating the Fair Credit Reporting Act. In an amicus brief, the tech companies argue such “no-injury” lawsuits are producing an “increasingly negative impact” on their business. “If any of the millions of individuals who interact with (web companies) is willing … to allege that a generalized practice or act violated a law providing a private cause of action and statutory damages, then she could launch a putative class action,” the companies write. [MediaPost News] [Spokeo, Inc. v. Thomas Robins – Brief for Amici Curiae eBay Inc., Facebook, Inc., Google Inc., and Yahoo! Inc. in support of Petitioner – In the Supreme Court of the United States]

US – Judge Rules Carrier IQ Privacy Lawsuit Must Move Forward

U.S. District Court Judge Edward Chen has ruled that a privacy lawsuit against Carrier IQ must move forward. Chen wrote he was “not convinced” that allowing the case to continue would cause “irreparable injury” to the company. In 2011, Carrier IQ was accused of logging users’ keystrokes on mobile phones. Chen also suggested that the involved parties could resolve the issue through mediation and directed them to proceed with discovery. In the meantime, Chen scheduled the next conference for mid-November. [MediaPost News]

US – Markey Wants Privacy Protected Before Commercial Drones Take Flight

Sen. Ed Markey (D-MA) proposed a funding bill amendment to prohibit the Federal Aviation Administration (FAA) from approving nonmilitary drone use unless steps are taken to protect personal privacy. The amendment would require the FAA to add a data collection mechanism to its application process for commercial drone use that would specify the drone operator, the location where the drone would be flown and what type of data would be collected, along with what would happen to it afterwards, the report states. “We need to build in strong personal privacy protections and public transparency measures before commercial drones take off, which is exactly what my amendment will do,” Markey said. [The Hill]

US – House Has Enough Votes for ECPA Reform

The E-mail Privacy Act gained its 218th cosponsor this week, enough to give lawmakers hope the reform could move forward this year. “Having a majority of House members supporting our bill shows House leadership that the bill would pass … if it was put on the House floor,” said one of the bill’s authors, Rep. Kevin Yoder (R-KS). The proposed legislation would reform the Electronic Communications Privacy Act. There are signs, according to the report, that other lawmakers may have “some interest in attaching additional components,” including restrictions on law-enforcement access to cellphone location information. Though Yoder conceded that he’d be flexible with add-ons, he warned, “The more things you add … the more challenging it becomes.” [The Hill]

US – Changes to Incident Reporting; Potential New Legislation

The “Morning Cybersecurity” report from Politico had a number of items of interest. First, it reports on an update from US-CERT that will change the system for reporting cybersecurity incidents on federal networks; the change is expected to go into effect by October 1. Further, Rep. Lee Terry (R-NE) is expected to circulate a federal data breach bill this week, which would go before the House Energy and Commerce Committee. He’s looking for Democratic cosponsors before bringing the bill forward. In other legislative news, the FY15 State and Foreign Operations Appropriations bill supports continued funding for implementing the White House’s International Strategy for Cyberspace. Finally, there is a note on YouTube and its 38,000 instructional videos on obtaining stolen credit card numbers, discovered by the Digital Citizens Alliance. [Politico]

US – Judge Rules LinkedIn Must Face Privacy Lawsuit

Professional services social network LinkedIn must face a privacy class-action lawsuit alleging the company violated its users’ privacy when it accessed their external e-mail accounts, downloaded their contacts’ e-mail addresses and solicited business from those contacts. U.S. District Court Judge Lucy Koh said the practice “could injure users’ reputations by allowing contacts to think that the users are the types of people who spam their contacts or are unable to take the hint that their contacts do not want to join their LinkedIn network,” adding, “In fact, by stating a mere three screens before the disclosure regarding the first invitation that ‘we will not … e-mail anyone without your permission,’ LinkedIn may have actively led users astray.” [Reuters]

US – Tech Sector Approves of New Majority Leader

Newly appointed House Majority Leader Kevin McCarthy (R-CA) is receiving praise from much of the tech sector. “Few members of Congress have as deep an understanding and appreciation for the economic impact and social change created by technology as Leader McCarthy,” said TechNet Chief Executive Linda Moore, who added, “he knows what public policies make the innovation economy thrive.” TechNet’s members include Apple, Google, Facebook and Microsoft. [The Hill]

US – State Working on Privacy Changes; New Social Network for Students, Teachers

The Louisiana Board of Elementary and Secondary Education (BESE) is expected to appropriate $1 million toward an effort to create a new identification system for public school students that doesn’t use Social Security numbers. A recently passed bill requires schools to use unique student IDs. The BESE president said, “This goes to the benefit of every single family and every single student of this state.” Meanwhile, Wired reports on Edmodo, a social network built specifically for primary and secondary students and teachers that offers new ways for teachers to assess students and trade tips. Cofounder Nic Borg said, “K-12 is an incredibly change-resistant system, and to be disruptive, you have to do it in the least disruptive way possible.” [Associated Press]

US – Hearing Features Debate on Student Data Mining, FERPA Reform

During a joint House subcommittee hearing on student privacy, experts, industry, regulators and lawmakers explored and debated the current state of federal student privacy laws in the digital age. Overall, there was quite a bit of agreement on moving forward with student privacy issues—including greater participation by states and the need for more legal counsel in drafting contracts between school districts and vendors—but panelists did not agree on the existing scope of the Family Educational Rights and Privacy Act and whether a federal mandate updating the statute is necessary. [The Privacy Advisor]

US – Lofgren: Congress Has No Appetite for Consumer Privacy Bill

Rep. Zoe Lofgren (D-CA) has said she does not see Congress moving forward with consumer privacy legislation any time soon, The Hill reports. “We’re not doing that,” she said, adding, “Do you see any appetite to do that? No.” At this point, Congress is focused on government surveillance reform. “People have an interest in privacy overall,” she noted, “but Yahoo can’t arrest you.” [Full Story]

US – Federal Breach Law Not Likely, Especially with Cantor Defeat

Kentucky recently became the 47th state to enact a breach notification law. One of the bill’s sponsors pointed to its success as a way “to be in uniformity with other states, especially the big commerce states that you think of, like Texas, New York and California,” adding, “That uniformity helps our business community here.” However, Joseph Lazzarotti, head of Jackson Lewis’ privacy, social media and information management practice, notes, “The nuances of breach notification laws across the country … further complicate responding to multi-state breaches.” Meanwhile, the “toxic atmosphere in Congress” means “a data breach notification measure and other cybersecurity reforms can’t get passed,” the report states, noting that the defeat of House Majority Leader Eric Cantor in his state’s primary race “makes passing such a bill tougher.” [BankInfoSecurity]

US – Sixth Circuit Clarifies “Development” in Dirty World Decision

The Sixth Circuit has overturned a lower court ruling that determined a website provider was liable under Section 230 of the Communications Decency Act for defaming comments made on the site. The district court ruled against Dirty World Entertainment, saying, “a website owner who intentionally encourages illegal or actionable third-party postings to which he adds his own comments ratifying or adopting the posts becomes a ‘creator’ or ‘developer’ of that content and is not entitled to immunity.” The Sixth Circuit, however, interpreted the term “development” using the “material contribution test” and sided with the defendant, saying it “cannot be found to have materially contributed to the defamatory content of the statements … simply because those posts were selected for publication” or “through the decision not to remove the posts.” [News Room Legal]

US – Data-Flow Restrictions Topic at Presidential Meeting

President Barack Obama’s Export Council hosted a meeting that included discussion on the effect foreign laws are having on cross-border data flows. Private-sector members submitted to Obama a recommendation letter detailing concerns about data flow restrictions in other nations and how other governments are implementing “digital protectionism.” The report states, “These foreign laws may limit the ability of American businesses, particularly small- to medium-sized businesses, to expand their business operations to include countries that enact such measures.” [Hunton & Williams’ Privacy and Information Security Law Blog]

US – Is Self-Regulation the Way Forward for Privacy?

A few weeks back, as part of the European Commission’s Digital Agenda for Europe, the Community of Practice (CoP) held its second-ever meeting to explore co- and self-regulatory best practices, and, today, the Council of Better Business Bureaus (BBB) is holding its first-ever meeting to develop self-regulatory best practices. The BBB’s Genie Barton said, “as far as I know, it’s the first private-sector conference on self-regulation writ large in the U.S.” This exclusive for The Privacy Advisor looks into both events and explores the role self-regulation has in privacy, including insights from Barton, the CoP’s Robert Madelin, FTC Commissioner Maureen Ohlhausen, National Consumer League’s Sally Greenberg and the Future of Privacy Forum’s Joshua Harris.

US – Lawyers Given Green Light to Scan Social Media Sites of Jurors

Lawyers have been given the green light to scan the social media sites of jurors. The American Bar Association says it’s ethical for lawyers to scour online for publicly available musings of citizens called for jury service—and even jurors in deliberations. But the ABA does warn lawyers against actively “following” or “friending” jurors or otherwise invading their private Internet areas. The “formal opinion” was issued in April and will serve as an ethical guideline for the nation’s lawyers. The ABA’s ethics committee began reviewing the issue about two years ago and concluded that looking at Facebook posts, Twitter tweets and other information gathered passively is ethical research. [The Associated Press]

US – Court Rules Against Wyndham in FTC Challenge

The court denied a hotel company’s motion to dismiss a lawsuit against it, holding the company liable for a data breach suffered by a subsidiary. The claim sufficiently alleges that the company and its subsidiaries were operating as a common enterprise with respect to the use of computer systems that were not subject to reasonable safeguards, and it sufficiently identifies that the company, on behalf of its subsidiaries, created the information security policies and provided oversight for the IT and security functions. [FTC v. Wyndham Worldwide Corporation – 2014 U.S. Dist. LEXIS 84913 – United States District Court for the District of New Jersey]

Privacy Enhancing Technologies (PETs)

WW – Blackphone Reviewed: Little If Any Data Leakage

Dubbed the “Android for the paranoid,” the Blackphone runs an operating system called PrivatOS and is the first consumer-grade smartphone to be built explicitly for privacy. It employs services and software aimed at protecting users’ digital information in a straightforward way. The phone is the product of collaboration between Silent Circle and Geeksphone. The phone appears to live up to the hype; user testing indicated “little if any data leakage that would give any third-party observer anything usable in terms of private information.” [Ars Technica]

US – $30 Million Investment Will Test Encryption’s Ease of Use

In one of the largest investments in consumer-privacy technology, encrypted messaging app Wickr has now received $30 million from venture capitalists. The service uses proprietary encryption for messaging, and, in a post-Snowden world, the service is enticing for many. However, some say it’s difficult to create encryption that is foolproof and easy to use. In the coming months, Wickr also plans to expand its services into paid offerings—including video communication. One of the main investors said, “There is room for what Wickr is doing to greatly enhance the effectiveness and the utility of messaging.” [The Wall Street Journal] Meanwhile, the Massachusetts Supreme Judicial Court ruled that a criminal suspect can be ordered to decrypt his seized computer.

WW – Introducing: Connect in Private

Like a lot of tech start-ups, Connect in Private has designs on changing the world. The unique angle in this case involves a patent the company has recently been granted for certificate-less authenticated encryption technology, or CLAE. “Current encryption is certificate-based,” said Alexander Hanff, a long-time privacy advocate who’s been brought on board as Connect in Private’s CPO. “That creates an issue because many of the certificate authorities are susceptible to secret court orders in the U.S. The beauty of CLAE is that it allows for identity-based encryption without the need for certificate authorities.” [The Privacy Advisor]

WW – Browser Add-on Aims to Decipher Privacy Policies

Privacy-focused companies Disconnect and TRUSTe have worked together to develop a browser add-on that translates website privacy policies into easily understandable language. The product, Privacy Icons, analyzes privacy policies, describing them in nine categories, including data retention, location tracking, expected use of data and vulnerability to Heartbleed. Each category is accompanied by an icon colored green, yellow or red to indicate the level of concern about the site’s policy. The average website privacy policy is 2,400 words long and is written at a college student reading level. The pay-whatever-you-want add-on is currently available for Chrome, Firefox and Opera. Versions for Safari, Internet Explorer and mobile browsers will be available soon. [ComputerWorld] [DisConnect.Me]

WW – Disconnect, TRUSTe Unveil Privacy Icons

Consumer privacy software developer Disconnect, together with TRUSTe, has unveiled Privacy Icons, software intended to help consumers easily understand how websites collect and process their data. “Not many people read privacy policies,” said Disconnect Cofounder Casey Oppenheim in a press release. “But these are legally important documents that communicate what’s going on with your personal information. Privacy Icons translates these complicated policies into terms people can easily understand, including how their data is collected, shared and protected by the websites they visit and the services they use.” [Disconnect.Me]

EU – German Publisher Buys Into French Privacy Search Engine

German publisher Axel Springer has reportedly bought a minority stake in French search engine company Qwant—a privacy-conscious search engine. Qwant categorizes results into columns for web, news, social and shopping, among others. “We want to use the knowledge of Qwant and to make an exchange of ideas to see how search works,” said Axel Springer’s Michael Schneider. The publisher’s CEO recently sent an open letter to Google Chairman Eric Schmidt on “why we fear Google.” [GigaOM]

WW – Hackers Use Snowden Leaks to Reverse-Engineer NSA Surveillance Devices

Edward Snowden’s document leaks gave security researchers the insights they needed to build their own versions of the NSA’s surveillance devices. After the NSA’s classified Advanced Network Technology catalogue was published, Michael Ossmann and his team set about recreating two of its radio-based surveillance devices: one that could be fixed to a computer’s monitor connector to send on-screen images and another that could be fixed to a keyboard cable to collect keystrokes. Before, nobody knew how the so-called “retro reflectors” worked, but armed with NSA documentation, Ossmann and co. were able to create their own tiny transistor-sized devices that could surreptitiously transfer wireless data to a nearby radio point (much like the NSA is reported to have done). For reference: intelligence officers can use radio-based trackers to monitor computers that are not connected to the Internet. Now that the NSA tech is no longer a mystery, Ossmann intends to educate others about how the NSA’s bugs operate so they can be protected against in the future. He’s due to present his findings at the Defcon hacking conference in Las Vegas in August, alongside many other experts who have found ways to expose and rebuild the agency’s technology. [engadget.com]

Security

WW – Anti-Hacking Org: Industry Data-Sharing Is Needed

The U.S. National Cybersecurity and Communications Integration Center, now with the backing of Capitol Hill, is set to improve its role as the coordinator between U.S. banks, utilities and other critical infrastructure organizations to thwart cyber attacks. “If we don’t know what’s going on, we can’t respond to it,” said the center’s director, Larry Zelvin. Lawmakers are crafting legislation to allow businesses that share threat data with the center to not be liable. Privacy advocates are concerned, however, that the system would expand surveillance practices of U.S. intelligence agencies. Plus, Juniper Networks Vice President of Government Affairs Robert Dix said, “There are a lot of people in industry that frankly are not comfortable sharing” with the Department of Homeland Security. [Bloomberg]

US – Study Shows Benefits of CISO Reporting to CEO

CSO Online Publisher Bob Bragdon cites findings of the 2014 Global State of Information Security Survey that support the idea that the CISO should report directly to the CEO. Organizations in which the CISO reported to the CIO had 14% more downtime than those in which the CISO reported to the CEO. Companies in which the CISO reported to the CIO had higher financial losses. “In fact, having the CISO report to almost any other position in senior management other than the CIO reduced losses from cyber incidents.” The study gathered information from more than 9,000 respondents. [CSO Online]

WW – Ten Ideas for Improving Cyber Security

Ten cyber experts’ best ideas for thwarting digital security threats include changing the way we think about security and being proactive about protecting sensitive data; encouraging transparency from cloud services about data handling; making better use of encryption; developing systems that present smaller attack surfaces; developing a new secure network for critical infrastructure; and establishing privacy and data security regulation and enforcement for companies. Most acknowledged that there are no easy and quick fixes. [Forbes]

WW – Start-Up to Accelerate Smart Home Products; Nest Purchases Dropcam

Quirky is a start-up that fields and produces new product ideas, and its founder and CEO Ben Kaufman has realized that, increasingly, approximately one in four product pitches are for connected devices for the home. “The Internet of Things is still for hackers, early adopters and rich people,” he said, but his company plans to accelerate the adoption of smart home devices. Quirky will spin off a new company called Wink, dedicated exclusively to providing an operating system to integrate all kinds of automated home devices. Meanwhile, Nest, which was recently purchased by Google, will buy home-monitoring camera start-up Dropcam for $555 million. [The New York Times] See also: [You’ve Got a Connected Home: What Could Go Wrong?]

Surveillance

US – US Legislators Approve Measure to Cut Funds for NSA Backdoor Installations

The US House of Representatives has approved a measure that would strip funding from NSA surveillance programs that involve placing backdoors on IT equipment. The measure, an amendment to the Department of Defense Appropriations Act 2015, would also forbid warrantless access to citizens’ Internet communications under Section 702 of the Foreign Intelligence Surveillance Act. [CNET]

US – PCLOB to Release Report on Foreigner Spying

The Privacy and Civil Liberties Oversight Board will next week release its report on the NSA’s collection of foreigners’ data. The report will “contain a detailed analysis” of surveillance programs targeting foreigners, which the government has said are legal under Section 702 of the FISA Amendments Act. Meanwhile, a coalition of privacy groups has released a “Congressional Scorecard” that assigns lawmakers a grade based on their support for surveillance reform; the Office of the Director of National Intelligence has released its first annual report on U.S. surveillance programs, and the new NSA chief says the damage done by the Snowden revelations does not mean “the sky is falling.” [The Hill]

CN – Is Privacy Law Being Used To Quell Dissent?

Chinese officials arrested prominent human rights lawyer Pu Zhiqiang last week on “suspicion of the crimes of causing a disturbance and illegal access to the personal information of citizens.” The charges carry penalties of five and three years in prison, respectively. Pu was arrested at a private gathering commemorating the 25th anniversary of the Tiananmen Square protests, in which he took part. He has represented artist Ai Weiwei and other activists who have been a thorn in the side of the Chinese government. In a piece for The Washington Post, former NSA General Counsel Stewart Baker suggests the Chinese are using privacy law as a means to quell dissent. Further, “How is China’s privacy law different from the data protection laws that Europe has been urging the world to adopt?” [Reuters]

Telecom / TV

EU – Germany to Drop Verizon Contract Over Spying Fears

The German government plans to drop a contract with Verizon because of fears about U.S. government surveillance. Tobias Plate, a spokesman for the German Interior Ministry, said Berlin has decided not to renew the contract for Verizon to provide Internet service to several government departments, the report states. “There are indications that Verizon is legally required to provide certain things to the NSA, and that’s one of the reasons the cooperation with Verizon won’t continue,” Plate said. Verizon’s current contract will expire in 2015. [The Hill] [The Register] [ZDNet]

US – DAA Unveils Mobile Privacy App

The Digital Advertising Alliance (DAA) announced it has created a mobile privacy app that enables users to opt out of behavioral advertising on mobile devices. The tool will also allow users to pick and choose which ad networks and third parties to avoid. “It’s about getting this in front of the DAA participants and showing them what it looks like,” said DAA Managing Director Lou Mastria, adding the group will “be doing a bigger push” to market the app when it becomes available to consumers this fall. [MediaPost News] See also: [So, Your Site’s Secure. What About Your App?]

US Government Programs

US – GAO: Small Gov’t Agencies Lack Cybersecurity

A recent report from the Government Accountability Office (GAO) finds that policy gaps leave small federal agencies—those with 6,000 employees or fewer—unprepared for cybersecurity risks. GAO’s analysis of six small agencies found that “policies and procedures related to information security and privacy often needed an update, were incomplete or missing entirely.” For the analysis, the agencies were scored against 11 security and privacy elements taken from various laws and guidance documents, including the Privacy Act of 1974 and the Federal Information Security Management Act. [FierceGovernmentIT] [download the report, GAO-14-344]

US – Audit: USPS Fails to Observe Safeguards with “Snail Mail Snooping”

While digital surveillance has been stealing the headlines lately, the U.S. Postal Service (USPS) has been failing to comply with key safeguards on “snail mail.” An Office of Inspector General audit of “mail covers”—orders to record addresses or copy the outside of mail sent to a particular individual or address—found that covers were not properly approved and that 13% were “either unjustified or not correctly documented.” Additionally, the audit uncovered that some of the safeguards meant to catch such violations were not being implemented because the USPS was not conducting the required annual reviews. Former White House Privacy Director Tim Edgar called the audit’s findings “troubling.” [Politico] [Redacted version of report]

US Legislation

US – U.S. Reps. Introduce SSN Protection Bill

Reps. Dennis Ross (R-FL) and Kathy Castor (D-FL) have introduced the Safeguarding Social Security Numbers Act of 2013, a bill to protect Social Security numbers by limiting the number of visible digits. “Identity theft is a serious issue in our community … More needs to be done to protect our neighbors, and this is bipartisan legislation to implement an important safeguard and reduce identity theft-related scams,” said Castor. [Sunshine State News]

US – Feinstein Releases Draft Information Sharing Bill

Senate Intelligence Committee Chairman Dianne Feinstein (D-CA) has released a draft of the Cybersecurity Information Sharing Act, which she wrote with the Committee Vice Chairman Saxby Chambliss (R-GA). The bill creates incentives for private organizations to share cybersecurity threat information with the government and within public agencies. It would provide liability protection for the sharing of cyber information for cybersecurity reasons under the terms of the bill and then sets out protections to stave off privacy intrusions, such as a requirement for companies to strip out personally identifying information before sharing data. [Sierra Sun Times]

US – Florida Governor Signs Breach Notification Law

Florida Gov. Rick Scott has signed a revised data breach notification law that strengthens consumer protections. The law includes a 30-day deadline on notification from the date of discovery of the incident, adds account credentials to the list of data that constitutes “personal information” and imposes a statutory requirement to protect that information, among other changes. [National Law Review]

US – Louisiana Gov. Signs Student ID Bill

Louisiana Gov. Bobby Jindal has signed HB 1076, meaning that public school students in the state will get unique ID numbers instead of having Social Security numbers tied to academic records, and districts will have to get parental consent before collecting certain student data. The state has until May 1, 2015, to put in place a system for unique IDs, and all public school students will have a number by June 1. [The Advocate]

US – New Jersey “Ban the Box” Heads to Gov.

New Jersey legislators have passed The Opportunity To Compete Act, which limits employers’ ability to conduct criminal background checks. Employers would be required to make a conditional offer to applicants prior to conducting such checks and would be subject to a $1,000 fine for a first offence, increasing to $10,000 upon a third offence. [NJBiz]

US – North Carolina Legislature Passes Student Privacy Bill

The North Carolina legislature has unanimously passed SB 815, which would require the state Board of Education to make information about the student data system available to the public and ensure the protection of personally identifiable information in the system. Sponsored by Sen. Chad Barefoot (R-District 18), the bill would also restrict the collection of biometric information and certain sensitive information and require notification of parental rights and opt-out opportunities. The bill now heads to Gov. Pat McCrory for a signature. [Lincoln Times-News]

US – Connecticut Gov. Signs Pharmacy Rewards Program Bill

Connecticut Governor Dannel Malloy has signed into law a bill requiring pharmacies to notify customers that take part in prescription drug rewards programs about which third parties will have access to their data and whether they will have access to protected health information. The law requires pharmacies to provide a “plain language summary of the terms and conditions” of their pharmacy reward programs before the consumers enroll and information on how they may revoke their HIPAA authorization. [Hunton & Williams’ Privacy and Information Security Law Blog]

US – Kentucky State Rep. Pre-files Drone Privacy Bill

State Rep. Diane St. Onge (R-District 63) has reintroduced a bill requiring police to obtain a warrant before using drones to gather evidence. St. Onge pre-filed the bill for the 2015 session and has received support from the American Civil Liberties Union and others. The bill allows for colleges and private businesses to use drones for research and business purposes and allows for emergency police use other than evidence-gathering. [USA Today]

Workplace Privacy

US – Employers Increasingly Monitoring Employees

Digital tools are increasingly being used to monitor employees. In one positive example, a company learned workers are more productive if they have social interaction, so it introduced a 15-minute coffee break, resulting in reduced turnover and increased productivity. But fine-grained digital monitoring of worker behaviors concerns advocates like the Electronic Frontier Foundation’s Lee Tien, who said the rules on such surveillance are few. A Harvard researcher recently found that worker surveillance aimed at increasing productivity can sometimes have the opposite effect. Meanwhile, a new online service helps job candidates tidy up their Facebook and Twitter accounts before applying for jobs. [The New York Times]

ON – Workplace Safety Insurance Board (WSIB) Steps Up Spying On Clients

Documents obtained by Torstar News Service suggest the WSIB is spying on clients claiming to be seriously injured, now more than ever and often without cause. “Now that we are conducting more surveillance related to misrepresentation of level of disability where we don’t have an actual allegation, e.g. call record, there have been lots of questions from compliance specialists around what constitutes sufficient grounds to warrant surveillance,” states a 2011 internal email from Bob Thomas, an employee in the WSIB’s regulatory services division. Those “sufficient grounds,” according to the email, include dozens of indicators such as chronic pain, language barriers and problems speaking to an injured worker directly, frequent change of phone number or address, recovery times that are inconsistent with usual healing times, anti-social behaviour or overreaction and psychological problems. Other “red flags” for fraud, as the board refers to them, include forms returned by someone else or not signed, an unreasonable distance travelled by the worker to see a doctor, a worker who is “never home, returns calls after hours, noise in background” or who has a “first medical treatment from chiropractor.” The documents were obtained by the IAVGO Community Legal Clinic through a freedom of information request after surveillance was used to reduce the benefits of eight clients. [Source]

NO – Privacy Appeals Board, Norway – Decision on Employee CCTV Surveillance

The Board overturned the data protection authority’s prohibition on a company’s video and audio monitoring of its employees, along with a fine of NOK 200,000 (approximately USD 32,556) imposed under the Personal Data Act and the Personal Data Regulations. The monitoring is permitted provided that the cameras are not configured to gain access to staff areas via VPN (having IT equipment that can be accessed via the internet does not constitute a violation as long as the link is appropriately secured); cameras in an equipment room are permitted because the company’s interests (suspected employee misconduct) outweigh privacy considerations; and the company does not have to erase secret audio recordings, since the manual recordings are not searchable and some employees have been subjected to serious threats. [Source]
