Biometrics
WW – Academics Unveil Facial Recognition Technology for Shopping
Academics at the Chongqing Institute of Green and Intelligent Technology in southwest China say they have developed a new system of facial recognition software that is capable of taking images of shoppers’ faces from 91 angles. The information is then analyzed over a period of just a couple of seconds using two million data sets, with an accuracy rate of 998 out of 1,000. The system could be operational from the second half of 2015 and would allow shopping without PINs or passwords as identifiers. Meanwhile, a judge has issued a warning about the consequences of a rape conviction based on DNA collected at a police station despite the alleged perpetrator’s protest. [International Business Times]
US – GM to Launch Eye-Tracking Technology for Distracted Drivers
General Motors is preparing “to launch the world’s first mass-produced cars with eye- and head-tracking technology” that can decipher whether drivers are distracted. Australian group Seeing Machines has signed an agreement with a manufacturer to supply GM with tracking devices for up to 500,000 vehicles over the next three to five years, the report states. “The technology raises significant privacy concerns over how manufacturers and insurers will store and handle the data, though Seeing Machines’ devices will not keep or transmit the information, at least initially,” the report states. [Gulf News] See also: [Car Hacking Is The New Car Jacking] [US: GM reportedly ready to introduce facial recognition tech in cars]
Canada
CA – B.C. Government Set to Review Controversial Privacy Law
Until Sept. 19, B.C. residents have an opportunity to voice any concerns over the provincial Personal Information Privacy Act (PIPA), which has been criticized for overstepping the boundary when it comes to the privacy rights of citizens. The key concerns with PIPA include how personal information is handed over to government authorities and other organizations without a warrant or consent, and citizens aren’t notified when their information has been given up. It was enacted in 2003 and last reviewed in 2008. The special committee, comprised of MLAs, is expected to issue a report to the Legislative Assembly on the review’s results by Feb. 25, 2015. “The committee is undertaking a comprehensive review of B.C. private sector privacy legislation,” said MLA Mike Bernier, committee chair, in a media release. “We are holding a public consultation to gather important information on how well the act is working, and whether changes are necessary.” [Source] [Metro News]
CA – Peterborough Lawsuit Sets Precedent for Ontario Patient Privacy Rights
A class-action suit against Peterborough Regional Health Centre to be heard by the Court of Appeal in December will determine whether patients can sue hospitals for invasion of privacy. [Toronto Star] See also: With the certification of Evans v. The Bank of Nova Scotia, the newly introduced tort of intrusion upon seclusion has become another weapon in the arsenal for the class-action plaintiffs’ bar. [Law Times] See also: [Focus: Privacy class actions on the rise]
CA – B.C. Police Too Prying In Volunteer Background Checks
A privacy watchdog is calling on B.C.’s privacy commissioner to investigate whether police departments are being too intrusive in the questions posed to potential volunteers and employees. The B.C. Freedom of Information and Privacy Association said several police departments are collecting “unnecessary, inappropriate and excessive personal information” from people applying for paid and unpaid positions. The non-profit association was approached by someone applying for a volunteer position with the Delta Police Department’s community police section. They had been given a 25-page “integrity and lifestyle questionnaire” asking about sexual activity, drug use, finances and whether the applicant has ever been unemployed or on welfare. Applicants also have to undergo a polygraph test and a background investigation and are told “deceit, dishonest or non-disclosure concerning questions in this document may result in your disqualification from current or future civilian employment opportunities.” “This kind of statement encourages respondents to disclose further personal information even when it is not specifically asked for,” said Vincent Gogolek, the association’s executive director. Once the privacy association started investigating, it found many police departments across B.C. have similar questionnaires, he said. The association is asking B.C.’s information and privacy commissioner, Elizabeth Denham, to determine whether police departments are invading people’s privacy with these questions. Denham’s office confirmed it had received the complaint and said staff would be reviewing it before deciding whether to launch a formal investigation. [Source]
CA – Audit Raises Concern About Prisoners’ Privacy Rights
The federal organization with one of the worst track records on privacy continues to suffer from lack of awareness, lack of training and a lack of reporting, according to a recent audit. Auditors reviewing the privacy of inmates at federal institutions noted that Correctional Service Canada staff didn’t report all privacy breaches, believing some incidents weren’t breaches at all. Auditors noted that they saw first-hand an inmate return a report to guards because the document was given to him by mistake. The potential privacy breach wasn’t reported, auditors wrote. According to the report, CSC staff were told that institutional culture, “fear of reprimand” and lack of awareness about “what actually constitutes a privacy breach” were among the reasons why privacy breaches weren’t being reported. The internal audit team concluded “offender safety may be jeopardized if these systemic issues continue.” The audit renewed concerns about the privacy practices in prisons that were identified in 2006, with auditors noting that CSC had yet to implement some recommendations from that eight-year-old report. The service was to implement sweeping changes by the end of July, including training packages. [Source]
Consumer
US – Airbnb Sued Over Privacy Concerns—Anonymously
Airbnb has been sued by 21 anonymous New Yorkers who hope to prevent the home-sharing website from turning over their personal information to the New York Office of the Attorney General, CNBC reports. Airbnb said in May that it will comply with a subpoena from New York Attorney General Eric Schneiderman during his probe of illegal hotel operations in New York City, the report states. The case involves a law that prohibits residents of multiple buildings to rent out their apartments for less than 30 days unless they are also at their apartments. Airbnb has said it will withhold the renters’ info until a court tells it otherwise. [CNBC]
EU – Microsoft Agrees to be Held in Contempt So It Can Appeal Case
Microsoft has reached a deal with the U.S. government in which it will agree to be held in contempt of court in order to move an email privacy case on to appeal. The case involves a U.S. government demand for emails stored on a server in Dublin, Ireland. The Obama administration has said the company must comply with valid warrants for data, even if it’s held overseas, the report states. “Everyone agrees this case can and will proceed to the appeals court,” said Microsoft in a statement. “This is simply about finding the appropriate procedure for that to happen.” [Ars Technica] [ZDNet] [SCMagazine] [The Register] [Stipulation Regarding Contempt Order]
US – Tech Giants Want Vote on Email Privacy Act
A host of technology companies including Google, Microsoft, AOL and Yahoo have written to congressional majority leaders requesting a vote on the Email Privacy Act, which has seen no movement since it was proposed last summer, despite having the support of more than half the house. congressional supporters of the bill say the delays are due to attempts to attach other provisions to the bill. According to the letters, the bill, which is an update to the Electronic Communications Privacy Act, would “eliminate outdated discrepancies between the legal process for government access to data stored locally in one’s home or office and the process for the same data stored with third parties” in the cloud. [The Hill]
Encryption
WW – CryptoWall More Prolific Than CryptoLocker
Analysis from Dell SecureWorks Counter Threat Unit shows that CryptoWall ransomware has passed infection rates of its relative, CryptoLocker. In just five months, CryptoWall infected an estimated 625,000 computers around the world, collecting more than US $1.1 million in ransom. [SC Magazine]
WW – Mozilla Retires 1,024-bit Certificates; 100,000+ Websites Now “Untrusted”
Because Mozilla allowed its 1,024-bit certificates to expire, more than 100,000 websites are now considered untrusted by that company’s browsers. Chrome has not allowed its 1,024-bit certificates to expire due to just those concerns. [The Register]
UK – ICO Fines Ministry of Justice Over Unencrypted Prison Records
The UK Information Commissioner’s Office (ICO) has fined Ministry of Justice GBP 180,000 (US $298,500) for losing a device that contains unencrypted prison records. In May 2012, the Prison Service issued new hard drives with encryption capabilities to all 75 prisons in England and Wales. The ministry, for which this is a repeat offense, was reportedly unaware that disk encryption needed to be switched on. The missing device contained personal data about nearly 3,000 inmates. The data include health information, visitor information, and prisoners’ links to organized crime. [NextGov] [v3.co.uk]
WW – CryptoPhone Identifies Rogue Cell Towers
Rogue cell towers, also known as IMSI catchers, can track smartphones and intercept calls, often without detection. “It’s only a matter of time before they’re as ubiquitous as GPS trackers.” In response, German firm GSMK has developed a firewall for its high-end, secure CryptoPhone. The system—reportedly the first of its kind—can detect when a rogue cell tower is connecting to the phone but is currently only available for Android phones. CSMK’s CryptoPhone 500 combines its operating system with a Samsung Galaxy S3 device, while offering end-to-end encryption. Additionally, in response to the rise of IMSI catchers, the Federal Communications Commission is developing a task force to address the issue. [Wired]
EU Developments
EU – DPA: RTBF Ruling Bolsters Regulators’ Roles
After Europe’s top court created a right to be forgotten, an almost-forgotten battle involving Facebook was resurrected. The European Court of Justice (ECJ) May ruling bolsters Hamburg data protection regulator Johannes Caspar’s case aiming to force Facebook to comply with German law, which Caspar discussed with the company at an August meeting. Facebook says it is only bound by Irish rules, as its EU headquarters are in Dublin, Ireland. “The ECJ ruling bolsters the jurisdiction of the national data protection authorities,” Caspar said, adding, “It determines that national law is applicable to data processors which have a unit in the country, even if its activity is merely to to economically support the Internet offerings.” [Bloomberg]
EU – President Calls for Privacy Negotiations to be Completed in 6 Months
Amidst what the Financial Times has called “one of the biggest overhauls of the EU executive in more than a decade”—with incoming European Commission President Jean-Claude Juncker’s announcement of his nominations for a suite of new commissioners—Juncker has called for the “conclusion of negotiations on the reform of Europe’s data protection rules as well as the review of the Safe Harbour arrangement with the U.S.” One large departure under Juncker is his creation of a sort of hierarchy within the commission. Rather than 27 commissioners, there are now two ‘high vice presidents,’ five vice presidents and then 20 commissioners.” [Privacy Advisor]
EU – Ireland Names Dixon as Next DPC; Hawkes Talks Expectations
Irish Data Protection Commissioner Billy Hawkes’ tenure came to an end on August 31, and today, an Irish government committee approved longtime civil servant Helen Dixon as the new data protection commissioner of Ireland. Dixon will have an increasingly important role to play. Mark Scott recently called the position “relatively obscure” but with “global sway.” Hawkes—who was sometimes criticized for having a “light touch” as a regulator—discusses the highs and lows of his tenure and what his replacement may expect, especially given it will be her job to regulate tech giants like Yahoo, Google and Facebook, headquartered in Ireland. [The Privacy Advisor] [The New York Times]
UK – Data Explosion Fuels Growth in Privacy Cases
The number of privacy cases fought in UK courts has doubled in the last five years, amid an explosion in the amount of personal data held and shared by government agencies, and retained by businesses. In the year to 31 May 2014, there were 56 cases in the High Court, up from 28 five years ago, according to figures from legal information provider Thomson Reuters, which said a high proportion of the cases this year involve claims against public institutions, particularly the police. These have included stop and search complaints. Improved data storage and search technology allows personal data on citizens to be much more easily shared and transferred between government departments. The rapid growth in the commercialisation of personal data has created a lot of new threats to people’s privacy. When businesses cross the line, people feel strongly enough to enforce their privacy rights through the courts. [Source] See also UK Prime Minister David Cameron is “expected to unveil plans that make it easier for intelligence agencies to access airline passenger information” as part of the government’s strategy to fight terrorism. [PressTV] and The Swiss Federal Council said the European Court ruling on data retention has no effect on Swiss laws. The Swiss law on telecoms surveillance is under review, with an aim to increase the required data storage period to 12 months. [Telecompaper] and [Decision No 2014-693 DC March 25 2014 – The Constitutional Council, France]
Facts & Stats
WW – GPEN: 85% of Apps Fail to Protect Privacy
The results from a survey of more than 1,200 mobile apps by 26 privacy regulators from around the world has found 85% of apps fail to provide basic privacy information, according to a UK Information Commissioner’s Office press release. Nearly 60% of the apps left users struggling to find basic privacy information, and 43% did not adequately tailor privacy notices to a small screen. [UK ICO] See also Disconnect Mobile app, Google has once again removed it from its Google Play Store. UPDATE: [Privacy guard Disconnect Mobile returns to Google Play]
WW – Study Reveals Popular Android Apps Put Privacy, Security at Risk
A newly published study has revealed that many of Android’s most popular apps—including Instagram, Grindr and OKCupid—do not take basic security measures to protect users’ data. Researchers from the University of New Haven’s Cyber Forensics Research and Education Group (UNHcFREG) analyzed a broad range of Android-specific apps to find security vulnerabilities and plan to release one YouTube video per day disclosing their findings. UNHcFREG’s Ibrahim Baggili said, “What we really find is that app developers are pretty sloppy.” Many of the vulnerabilities included lack of encryption of images stored on servers, messages between users and other data traffic. Baggili also said the team has contacted developers of the apps that were analyzed. [PC World] See also: [Xiaomi under investigation for sending user info back to China]
Filtering
WW – Google Kicks Off RTBF Meetings
Google’s inaugural right-to-be-forgotten meeting in Spain, noting the company’s advisors “took just three questions from the public.” The Madrid meeting is the first of seven set across Europe, but some are criticizing the meetings as publicity stunts. “Whatever Google would have done would have been considered PR,” said Luciano Floridi, an Oxford philosophy professor and current panelist, adding future events will devote more time to questions. Jef Ausloos, a researcher at Belgium’s University of Leuven, said, “What we need to know now, is how exactly this should happen, what the role is for national data protection authorities.” [Bloomberg] See also: After Europe’s top court created a right to be forgotten, a battle involving Facebook and Hamburg data protection regulator Johannes Caspar was resurrected. [Bloomberg]
CN – China Snooping on Scholars’ Google Searches
People conducting research in China are being watched by authorities when they conduct Google searches. Public Internet users in China are not able to use Google at all, but scholars at research institutions are able to use the search engine through the CERNET education network. Authorities in China were able to see what those scholars were researching until Google began encrypting searches. Now China uses a man-in-the-middle attack to keep an eye on CERNET users’ searches. [InfoSecurity] [NextGov] [Netresec] In a related story, a Chinese man is suing state telecommunications company China Unicom for blocking his access to Google]
Finance
US – Bank of America Finalizes 32 Million Dollar Settlement in TCPA Class Action
A U.S. District Court in California has approved a $32 million Telephone Consumer Protection Act settlement, ending a class-action against Bank of America and FIA Card Services that alleged the defendants systematically called or texted consumers’ cell phones through automatic dialing systems and/or prerecorded voice systems without express consent [Hunton & Williams Privacy and Information Security Law Blog See also: [Adobe Class-Action Moves Forward | Home Depot Suit Filed]
US – Verizon Fined for Customer Privacy Violations
Verizon has agreed to pay US $7.4 million for failing to notify approximately two million customers of their privacy rights and to settle charges Federal Communication Commission (FCC) that it used customer billing and location data in targeted marketing campaigns aimed at trying to sell them other Verizon services. Communications companies may do this if they first obtain customers’ permission. [CNN] [ArsTechnica] [FCC] See also: Carrier IQ and a group of mobile phone manufacturers have asked a judge to dismiss a class-action accusing the software maker of violating several privacy laws, including a federal wiretap law. [Verizon failed to tell 2 million people it was using their personal info for marketing. Now the FCC is making it pay]
FOI
CA – Number of People on Canadian No-Fly List Must Stay Secret: Government
Federal security officials are resisting pressure to reveal how many people are on Canada’s no-fly list, arguing the information could help terrorists plot a catastrophic attack on an airliner. In newly filed court documents, the government also contends that divulging the figure might damage relations with key allies, especially the United States. Information Commissioner Suzanne Legault is challenging the government’s refusal to disclose the data to a Montreal journalist who requested it under the Access to Information Act. La Presse reporter Daphne Cameron filed two requests for figures from 2006 through 2010 — one for the total number of people on the list, the second for the number of Canadian citizens. Legault’s office investigated Cameron’s complaint against Transport Canada and recommended last year that the agency release the figures. Transport Canada refused to comply, prompting Legault to take the case to the Federal Court of Canada. In withholding the numbers, Transport Canada invoked a section of the access law shielding information whose release could interfere with the conduct of international affairs as well as the detection, prevention or suppression of “hostile activities.” The U.S. has revealed there are about 16,000 people — including fewer than 500 Americans — on its no-fly list. In a 2012 report, the watchdog that keeps an eye on CSIS said confusion over how the no-fly list should work had “significantly undermined” its potential to help keep the skies safe. The Security Intelligence Review Committee said the notion of “an immediate threat to civil aviation” was open to interpretation, and federal agencies had “struggled” with nominating people for the list. [Source] See also: [AU – Clear and Present Danger to Freedom of the Press] and [CA – Prentice expense report requesters leaked, raising privacy concerns] and [CA – Soldiers on Viagra part of a list of secrets held by Harper government] and [CA – Calgary: Some city councillors argue for hike in FOIPP charges]
Health / Medical
US – Second Healthcare Sector Cyber Security Exercise to Start in October
According to a press release from the Health Information Trust Alliance (HITRUST), the second cyber security exercise for the healthcare sector, CyberRX 2.0, will begin in October 2014. More than 750 healthcare organizations have signed up to take part in the cyber attack simulation exercise. The program has been expanded to offer three tiers of participation: Local/Basic, Regional/Mature, and National/Leading. [SC Magazine] [HITRUST Alliance Press Release]
US – Web Portal Delays HIPAA Audits
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has delayed the launch of a second round of HIPAA audits in an attempt to implement new web portal technology. “We recently had an opportunity to update the technology we’re using, giving us capabilities that we just didn’t have access to before,” said OCR Senior Adviser Linda Sanches. The portal will automate some elements of the auditing process, lightening the load on human resources. Sanches also encouraged healthcare providers to have a list of business associates prepared, and while the requirements of the audits remain the same, Adam Greene of Davis Wright Tremaine notes that the documentation must be meticulous. [FierceHealthIT] See also: [ON: Surgery room ‘black box’ poised to change medical culture]
US – Court Tosses Advocate Health Suit; CarrierIQ Asks Judge for Dismissal
A federal court based in Illinois has thrown out a putative class-action against Advocate Health and Hospitals that alleged the organization violated the Fair Credit Reporting Act (FCRA) by not appropriately securing health data stolen from its facilities. The judge ruled the hospital cannot be considered a credit-reporting agency covered by the FCRA. [Law360]
US – Exploring Health Data Collection, Marketing
The health data marketing ecosystem and hundreds of medical databases are up for sale to willing marketers. “People would be shocked if they knew they were on these lists,” said World Privacy Forum President Pam Dixon. “Yet millions are.” Directories including such category headings as “Suffering Seniors” or “Aching and Ailing” and other lists categorized by diagnosis, including 2.3 million cancer patients, are reportedly available. In February, Sen. Jay Rockefeller (D-WV) introduced legislation to limit such lists, but the Direct Marketing Association (DMA) said self-regulation is the better route. “We have very strong self-regulation,” said DMA Vice President for Government Affairs Rachel Nyswander Thomas, adding, “Regardless of how the practices are evolving, the self-regulation is as strong as ever.” [Bloomberg] Separately, the Vermont attorney general has settled a computer privacy case with a leasing company. SEI/Aaron’s has agreed to pay $45,000 to the state and $2,000 to each of the three customers who were affected. And [ON – Concerns raised over demographic data collection at Toronto hospitals] [NL: Donna Colbourne fined in Western Health privacy breach]
WW – Epidemiologist: Accurate De-Identification Important for Research
Daniel Barth-Jones, an HIV and infectious disease epidemiologist at Columbia University, writes about the importance of accurate de-identification methods in response to the paper Privacy, Anonymity and Big Data in the Social Sciences from MITx and HarvardX MOOC scholars Jon Daries, Justin Reich and others. Barth-Jones writes that the view that “anonymization is an obsolete tactic made increasingly difficult by advances in data mining and big data” is short-sighted, noting, “de-identification should rather be appropriately taken as part of an integrated and multidimensional approach for fashioning effective public policy for big data privacy.” [FierceBigData] SEE ALSO: [Concerns raised over demographic data collection at Toronto hospitals] and [UK HSCIC Data Pseudonymisation Review: Interim Report – Health & Social Care Information Centre]
WW – Apple Updates Language on HealthKit’s Permitted Data Uses
Apple has updated the language in its HealthKit platform to explicitly state that consumer health information is off-limits to data farmers. Developers who create software using the HealthKit’s application programming interface (API) are only permitted to gather data that’s used to enhance services outlined in the apps’ policy, and selling the data to advertisers is forbidden. “Your application must not access the HealthKit APIs unless it is primarily designed to provide health and/or fitness services, and this usage is clearly evident in your marketing text and user interface,” states Apple’s HealthKit license. [Tech Times]
Horror Stories
WW – Massive Celebrity Hack and Leak Raises Cloud Questions
Hundreds of intimate photos and videos of female celebrities were leaked online over the weekend, many of them allegedly stemming from hacks of Apple’s iCloud service. A spokesperson for Oscar-winning actress Jennifer Lawrence said the hacks and subsequent disclosure of such images are a “flagrant violation of privacy.” In a column for Mashable, Christina Warren asks, in light of the hack, how secure is the cloud? Twitter has suspended accounts of users who have posted the stolen data, and a legal representative for Lawrence said, “The authorities have been contacted and will prosecute anyone who posts the stolen photos.” The Atlantic’s Jennifer Valenti writes about the ethics of looking away from the disclosed personal information, noting that people who look at the photos “are violating these women in much the same way that the person who stole the pictures did.” [Newsweek] See also: [Taking a Naked Selfie? Your Phone Should Step In to Protect You]
WW – Apple Says iCloud Accounts Were Breached in Targeted Attack
Apple has acknowledged that several celebrities’ iCloud accounts were compromised, but the company said it was done by guessing or stealing login credentials rather than breaching Apple’s iCloud security. There was public speculation that the accounts had been breached using a recently disclosed exploit for Apple’s Find My iPhone service, but Apple denies that was the case, saying that the breaches were the result of “a very targeted attack on user names, passwords, and security questions.” [BBC] [DarkReading] See also: [Apple Patches Flaw in Find My iPhone | Source] See alwso: [Google Locks Down Stolen Credentials]
US – Home Depot Investigating Reports of Payment Card Data Breach
Home improvement retailer Home Depot has confirmed that it is working with its “banking partners and law enforcement to investigate” reports of a data breach. The company declined to comment further until the investigation is complete. The attorneys general (AGs) of Connecticut, Illinois and California are leading a multi-state probe into a data breach disclosed by Home Depot, said Connecticut AG George Jepsen. The IAPP featured an interview with Jepsen on AG enforcement priorities. [Home Depot breach could be one of the biggest in history] [Krebs] [DarkReading] [SC Magazine] [The Register] [BBC]
US – Temple University Announces Breach Affecting Nearly 4,000
Temple University has announced a breach involving the theft of an unencrypted desktop computer containing personal information on 3,780 patients from a physician’s office. The computer contained files with such information as name, age and billing codes but did not include Social Security numbers or financial data, the report states. The theft was reported to police, and the university says it has offered identity-monitoring services to all affected patients for 12 months and has taken steps to prevent such a theft in the future. [The Philadelphia Inquirer] See also: [US – 900,000 Customers Affected in Goodwill Breach] and [NZ – Earthquake data privacy breach ‘avoidable’]
US – AGs Probing Home Depot Breach
Meanwhile, Bartell Hotels has announced a data security breach at five of its San Diego-area hotels; a university is shutting down online voter registration following a data breach in February; Ernst & Young has been accused by a Canadian customer alleging customer business data was found on two Dell servers he purchased in 2006; a Goodwill data breach has been linked to a third-party vendor, and Miranda Alfonso-Williams offers advice on “five ways to prevent costly data breaches” at your business. [Reuters]
US – JP Morgan Breach a “Legacy” Issue
Hackers managed to breach the cyber-defenses at JP Morgan just as the bank’s cybersecurity chief was getting acquainted with his new position and the organization’s vast technology infrastructure, Bloomberg reports. Greg Rattray had just been appointed the company’s head of information security when the June breach incident started. “It sucks that this happened at the beginning of Greg’s watch, but this is a legacy issue,” said Trend Micro Chief Cybersecurity Officer Tom Kellerman. “They had an acting person who was juggling way too much, with no one fully dedicated to the role for a bit of time.” [Bloomberg] [US: Casinos may offer lessons about protecting privacy]
Identity Issues
CA – StatsCan Considering ‘Virtual Census’ to Replace Head Count
Statistics Canada is studying a radical new method of counting how many people live in this country — one that could eventually replace the census with a “virtual population register.” Chief statistician Wayne Smith said the agency’s work on building a virtual census is one part of its aggressive pursuit of innovation. A virtual census relies heavily on administrative data: giant caches of information collected by government in the regular course of business. Statistics Canada already uses 500 databases drawn from federal, provincial and municipal governments, and the private sector. Among many other things, those data files provide information on individual incomes taxes, corporate taxes, payroll deductions, employment insurance, building permits, births and deaths, even telephone bills. A handful of European countries — Finland, Holland, Sweden, Denmark and Germany — have scrapped their survey-based censuses in favour of population counts that rely heavily on an amalgam of administrative data. Sometimes, that data is combined with information from sample surveys. Smith conceded that the growing reliance on administrative data raises enormous privacy issues, but he insisted that the statistics agency operates within strict limits. [Source]
IN – Controversial Biometric Project in India May Go Ahead
The largest biometric identification projects in the world — India’s attempt to give an ID number to 1 billion people linked to fingerprint and iris scans — may be going ahead under the new government. The winning Bharatiya Janata Party had said during last spring’s election campaign that it would review the controversial program for a secure ID to get government benefits. However, this week it approved a 2015 target for voluntary enrollments, signalling that it will back the project. [itworldcanada.com] See also: [South Carolina boy sues over makeup removal for driver’s license photo]
Law Enforcement
US – Cities Seek to Upgrade Stingray Before Providers Drop 2G Network
Several US cities are seeking to upgrade cell phone surveillance systems commonly known as stingray. The controversial technology has been shrouded in secrecy, e.g., law enforcement agencies allegedly misleading the courts about the technology. Stingrays are capable not only of determining a target’s location, but also of intercepting communications contents. One of the techniques the technology uses is to force targeted devices to resort to using the 2G network by jamming 3G and 4G network signals because 2G network security is not as strong as that of later generation networks. Most providers will stop supporting the 2G networkwithin the next few years, which means current stingrays will no longer work. [Ars Technica]
Offshore
PH – Philippine House to Rewrite Privacy Bill
After certain stakeholders criticized the current draft of a privacy bill in front of the Philippines House of Representatives, the House will rewrite the bill—a request made by its author, Rep. Rufus Rodriguez [The Philippine Star].
WW – APEC Cross Border Privacy Rules Update
Markus Heyder provides an update on the status of the APEC Cross-Border Privacy Rules. See also: [SG – Monetary Authority of Singapore – Consultation Paper on Proposed Credit Bureau Regulatory Framework and Credit Bureau Bill]
Online Privacy
US – Why Privacy Policies Are So Inscrutable
The Atlantic reports on why privacy policies are so inscrutable, analyzing 50 of the most popular websites in the U.S., whose policies, taken together, totaled 145,641 words—or the equivalent of The Grapes of Wrath . “Today’s privacy policies don’t tell consumers the whole story for two main reasons,” the report states, noting that, first of all, “websites have adopted a kind of precautionary legalese to inoculate themselves against lawsuits and fines.” And second, the rise in data brokerage firms has created a lucrative industry around consumer profiling. The column delves into the vagueness of many basic terms, particularly consent, explicit consent and third-party data sharing. Of the 50 privacy policies analyzed, 48 interact with other third parties, but only nine say which ones. [The Atlantic]
WW – Facebook Messenger Tracking ‘A Lot More Data Than You Think’
“Messenger appears to have more spyware type code in it than I’ve seen in products intended specifically for enterprise surveillance,” tweeted Jonathan Zdziarski, a noted author and expert in iOS related digital forensics and security on Tuesday. In an email to VICE’s Motherboard, Zdziarksi told reporter Matthew Braga that Facebook logs “practically everything a user might do within the app.” “[Facebook is] using some private APIs I didn’t even know were available inside the sandbox to be able to pull out your WiFi SSID (which could be used to snoop on which WiFi networks you’re connected to) and are even tapping the process list for various information on the device,” he wrote. News of Zdziarski’s findings spread swiftly around the web this week, prompting Facebook to issue the following statement: “These accusations are completely unjustified. Privacy is core to our approach with Messenger, and like any developer, we analyze usage trends to make our apps better, faster, and more efficient. As an example, with regard to what and where people tap – when we noticed that people were using the ‘Like’ stickers a lot, we modified the app so that people could send them with fewer taps.” [CBC] See also: [The Economist: Everything people do online is avidly followed by advertisers and third-party trackers] and also: [Facebook Generation Rekindles Expectation of Privacy Online]
WW – Facebook Testing Update Option with Expiration Dates
Facebook is currently testing a new option that would allow users to place an expiration date on a given post, ranging from one hour to one week. The move comes after more employers, attorneys and law enforcement officials increasingly use social media posts to make hiring and other decisions. “It’s interesting to me because Facebook used to push this idea that our cultural notions of privacy were changing and that people should share things all the time. People reacted poorly to that,” said University of Maryland Human-Computer Interaction Lab Director Jennifer Golbeck. “But in the last six months or so, they’ve started coming around to the idea that people still want to do things privately.” [Bloomberg Businessweek] See also: [Facebook being more proactive in pushing users to check privacy settings]
Other Jurisdictions
AU – Report into Serious Invasions of Privacy in the Digital Era released
The Australian Law Reform Commission’s Final Report, Serious Invasions of Privacy in the Digital Era (Report 123, 2014) was tabled in Parliament and is publicly available. The Terms of Reference for this Inquiry, required the ALRC to design a tort to deal with serious invasions of privacy in the digital era. In this Report, the ALRC provides the detailed legal design of such a tort located in a new Commonwealth Act and makes sixteen other recommendations that would strengthen people’s privacy in the digital environment. The Report also recommends that a new Commonwealth surveillance law be enacted to replace existing state and territory laws, to ensure consistency of surveillance laws throughout Australia, and a number of other reforms to supplement the statutory cause of action. The Report and a Summary Report is available to freely download or purchase in hard copy from the ALRC website. The Report is also freely available as an ebook. [Source] See also: [AU – New laws open door for ACT information privacy commissioner]
AU – Australian Law Reform Commission Recommends Privacy Invasion Tort
The Australian Law Reform Commission is recommending a new Commonwealth tort for serious invasions of privacy [ZDNet]. See also: [Attorney General, Government of Australia – Confidential Industry Consultation Paper: Telecommunications Data Retention – Statement of Requirements] and Austrian Justice Minister Wolfgang Brandstetter would like a data retention law following the Constitutional Court’s decision to strike down Austria’s existing law in July. [Telecompaper]
US – Miles Driven Tax Could Replace Gas Tax
It hasn’t hit the fastlane yet. But the controversial idea of imposing a mileage-based driving tax in California is gaining speed. The Legislature last month approved Senate Bill 1077, which authorizes a pilot program to explore a “road usage charge” as a potential replacement of the state gas tax. The bill would have no authority to impose the charge. But just the concept a mileage-based fee, and the related idea of the government tracking one’s driving habits, has stirred concerns over privacy, fairness and excessive taxation. [Source]
Privacy (US)
US – FTC Announces Panelists, Topics for Upcoming Workshop
The FTC has announced the agenda and panelists for its upcoming big data workshop, which aims to look at the use of big data and its impact on consumers, including those who are low-income or underserved. FTC Commissioner Edith Ramirez will make the opening remarks at the September 15 event in Washington, DC. Panelists will include Princeton University’s Solon Barocas, Promontory’s Michael Spadea, the Electronic Frontier Foundation’s Jeremy Gillula, Georgia Institute of Technology’s Peter Swire and the World Privacy Forum’s Pam Dixon, among many others. The workshop will look at what’s on the horizon with big data, survey the legal landscape and consider the path forward. [Press Release]
US – White House Names New CTO and Deputy CTO
The White House announced today the appointment of Google’s Megan Smith as U.S. Chief Technology Officer (CTO) and former Twitter Counsel Alex Macgillivray as Deputy CTO. Both have long histories in Silicon Valley. Smith also served as CEO of PlanetOut, an early online forum for the LGBT community that is now defunct, in addition to a number of roles at Google, including her most recent post as VP of Google[x], where new projects are developed. Macgillivray was deputy general counsel at Google before taking the lead counsel role at Twitter and was a lawyer with Wilson Sonsini Goodrich & Rosati before that, representing clients like Creative Commons and the Internet Archive. Among the new CTO team’s tasks, a White House statement said, will be a “focus on policy matters,” including items like “where big data and privacy intersect.” Most recent U.S. CTO Todd Park will remain with the White House “to help recruit technologists to federal service.” Most recent Deputy CTO Nicole Wong departed the White House recently to return to California. [Washington Post]
US – FTC Complaint and Final Decision and Order on Credit Karma App
An FTC order (in effect for 20 years) resolves complaints that a mobile app company failed to securely transmit consumers’ sensitive personal information; the company’s app developer used code that disabled SSL certificate validation “in testing only” but the company failed to ensure this code’s removal from the production version of the app that was shipped to consumers and failed to perform an adequate security review of its app prior to launch. The company is required to implement a comprehensive security program (including training in secure engineering and defensive programming), and requiring service providers to implement and maintain appropriate safeguards. [FTC]
US – EFF Argues Against CISA
The Electronic Frontier Foundation makes its case to pass the USA FREEDOM Act and kill the Cybersecurity Information Sharing Act in this release. See also: [In Re Application of the Federal Bureau of Investigation for an Order Requiring the Production of Tangible Things – BR 13-25 – Foreign Intelligence Surveillance Court]
US – REDEEM Act Needs a European Import: The Right To Be Forgotten
The unlikely duo of Sens. Rand Paul (R-KY) and Cory Booker (D-NJ) recently announced the REDEEM Act, a bill intended to facilitate the sealing of adult criminal records. According to the proposed legislation, those convicted of nonviolent crimes can petition to have their criminal records sealed. The legislation would have significant consequences for those who have committed nonviolent crimes, calling for a limited right to be forgotten in the U.S. “so that the common-sense goal of allowing Americans to achieve a better future can be realized.” [The Privacy Advisor]
US – Google Accord With Harvard Tie Fails Judge’s Smell Test
Google’s settlement of a privacy lawsuit likely won’t win approval because its terms include a donation to Harvard University and other schools that attorneys involved in the case attended, a judge said. [Reuters]
US – Hoofnagle Opines on Big Data Impacts on Civil Liberties and Society
UC-Berkeley Prof. Chris Jay Hoofnagle writes that use-regulation “has tremendous implications for civil liberties and our society,” adding, “Ultimately, it can help determine how much power companies and governments have.” [Slate]
US – Judges Hear Appeal Against NSA Spying; Congress Questions Secret Spying Law
During this week’s review of the legality of the NSA’s bulk collection of phone records, the panel of federal judges expressed concerns about the privacy implications of NSA tactics. The ACLU has challenged a lower court’s decision to uphold the NSA practices, arguing they are unconstitutional. One judge said, “We don’t know what we don’t know” about the operations. Meanwhile, four House Democrats are protesting what they call a “secret law” that allows spying on Americans’ emails and is a “threat to democracy.” The legislators are asking President Barack Obama “to ban ‘disproportionate or unnecessary’ collection of people’s messages, Internet chats and other communications,” the report states. [FOX News] [Slate]
Privacy Enhancing Technologies (PETs)
WW – Programmers Developing Privacy-Enhanced Skype Alternative
A group of programmers famous for frequenting such sites as 4Chan, Hacker News and Reddit are working on an open-source, security-focused replacement for Skype. Tox, as the project is called, is “yet another example of programmers uniting in the post-Snowden era to make easy-to-use tools with encryption and privacy considerations built in.” Tox uses encrypted peer-to-peer networking and eliminates the need for messages to travel through a central server, the report states, and users are given a Tox ID to allow for anonymity. [PCWorld] See also: [Book Review: No Place To Hide: Worth a Read, Maybe Two] See also: [Australian patents privacy indicator for Google Glass]
WW – Privacy Big Ingredient in Apple’s New Products Release
Apple unveiled a slew of new products this week, including the iPhone 6 and 6 Plus as well as the Apple Watch, Apple Health Kit and Apple Pay. The product launch comes a week after a targeted hack of celebrities, which has been tied to Apple’s iCloud. Now that it is releasing products that will handle the most sensitive of personal data, including financial, location and health data, the company is placing a huge onus on privacy and security. “Security is at the core of Apple Pay,” said Apple CEO Tim Cook. McDermott Will & Emery Attorney Jennifer Geetter said, “Given the popularity of the iPhone and its uncanny ability to know what we want before we know, anything Apple does now compounds and expands the existing challenge of meeting consumer expectations while protecting privacy.” [Politico] [On the Privacy Challenges Ahead for Apple]
WW – New Platforms Make the User the Data Broker
A slew of platforms are designed to give users the ability to sell their personal information to advertisers and marketers. Datacoup, Handshake and Meeco all share the same goal of cutting out the data-broker middleman by allowing users to profit from their personal data. “The way we see it,” said Handshake CEO Paul Davis, “your data belongs to you. So if someone should be making a profit on it, it should be you.” MIT Technology Review also profiles Datacoup. [NPR] See also: AVG Technologies has unveiled a new short privacy notice for its most popular apps. The easy-to-read disclosures are meant to resemble a nutritional label, showing what the company does and does not collect as well as how and why data is shared. Meanwhile, less than 24 hours after reinstating the
RFID
US – NYC Firefighters Are Being Tracked With Military-Developed Radio Tags
New York City’s fire department is experimenting with outfitting its firefighters with $20 radio tags. Think of it as an E-Z Pass for tracking firefighters during the confusion of an emergency. “It’s in a little sealed plastic — it looks like a little key fob, actually,” said George Arthur, a Naval Research Laboratory engineer, in a statement. “They’re positioned over the left breast, inside the bunker coat in a little Kevlar pocket that’s sewn in there. And it just sends out a little ping every five seconds: Here I am, here I am, here I am.” Back on the truck, a $1,100 reader picks up the signal. “It just listens and says, ‘Okay, 1234, that’s Jessica Smith,’ so we know Jessica Smith is nearby,” said NRL’s David DeRieux. The data is also sent back to the FDNY’s command center in Brooklyn, too, and projected on a wall to help in the wide-scale coordination of firefighters. They are currently testing the technology on 15 trucks. But how well can the technology determine firefighters’ precise locations — like what floor of a building they are on? Indoor tracking, admits the Naval lab’s DeReiux, is “a very tough nut to crack,” in part because a six-inch shift in any direction could mean the difference of being on one side of a wall or the other.[Source]
Security
WW – Need for Privacy Operations at Nonprofits
A recent study of nonprofits revealed many are, on average, increasing staff dedicated to technology-related issues, and as many as 64% included technology as part of their operational plans. These results “are generally encouraging,” writes Network Advertising Initiative Executive Director Marc Groman, but “information privacy controls and data governance are conspicuously absent from the survey and discussion.” Groman points out nonprofits “often possess vast amounts of data” and that “it isn’t simply about investing in new technology” but also integrating “privacy considerations and responsible data governance” into the organization’s management practices. He writes it is “critical” that someone within a nonprofit has responsibility for information privacy. [Privacy Perspectives]
WW – Does Training Actually Thwart Breaches?
In a LinkedIn blog post, George Washington University Law School’s Daniel Solove discusses whether employee training really can reduce data security breaches. “Coming up with a quantifiable return on investment for training is challenging because the threats are constantly changing,” Solove writes, adding that it’s not just training that matters but the quality of that training. Among the many reasons to train employees—including that it creates a culture of compliance, all it takes is one person to create an incident, and it’s often the law to train—the bottom line is that no organization is going to suffer because they trained employees, but plenty have because they didn’t. [LinkedIn] See also: [Ernst & Young accused by Canadian used computer dealer of data breach]
Surveillance
US – Groups Reveal Decade-Old Memos Authorizing Wiretapping
The Justice Department has released two decade-old memos describing the Bush administration’s legal justification for the warrantless wiretapping of Americans’ phone calls and emails. The program began in secret after the September 11 attacks and was justified, according to the memo, by the fact that the “president has inherent constitutional power to monitor Americans’ communications without a warrant in a time of war.” The memos were obtained by the Electronic Privacy Information Center and the ACLU. Meanwhile, a coalition of 40 groups including the ACLU has asked the Senate to prioritize passing the latest version of the USA FREEDOM Act without weakening it. [The Washington Post] See also: [US: Army’s eyes in the sky built to spot people from 5 kilometers away]
Telecom / TV
US – Unsealed Documents Show Yahoo Fought PRISM Compliance
Recently unsealed documents reveal that the US government threatened Yahoo with a US $250,000-a-day fine if it did not comply with the PRISM data collection program and surrender user communications information. Yahoo had been fighting the demand in court; the government was able to use the ruling from the Foreign Intelligence Surveillance Court of Review to convince other technology companies to comply with their data demands. That same court ordered the documents unsealed. [Washington Post] [NYTimes] [ArsTechnica]
US – Comcast Using Public Wi-Fi Hotspots to Inject Ads
People who use Comcast’s public Wi-Fi network are finding that they are receiving pop-up advertisements for the company’s service. Comcast calls the practice “watermarking.” Comcast uses JavaScript to inject the content into the data flows of users who have signed up to use the company’s Wi-Fi hotspots around the country. Comcast says that the messages are there to assure users that they are using a legitimate Comcast hotspot. [The Register] [PC World] [ArsTechnica]
US – US Cities Seek to Upgrade Stingray Before Providers Drop 2G Network
Several US cities are seeking to upgrade cell phone surveillance systems commonly known as stingray. The controversial technology has been shrouded in secrecy, e.g., law enforcement agencies allegedly misleading the courts about the technology. Stingrays are capable not only of determining a target’s location, but also of intercepting communications contents. One of the techniques the technology uses is to force targeted devices to resort to using the 2G network by jamming 3G and 4G network signals because 2G network security is not as strong as that of later generation networks. Most providers will stop supporting the 2G network within the next few years, which means current stingrays will no longer work. [Ars Technica] See also: [MN: Inmates lose telephone privacy]
US Government Programs
US – FISA Court Renews NSA Metadata Program
The Foreign Intelligence Surveillance Court has reauthorized the National Security Agency (NSA) program that collects in bulk the metadata of U.S. citizens’ phone records. The reauthorization comes while a reform bill remains stuck in the Senate. “Given that legislation has not yet been enacted, and given the importance of maintaining the capabilities of the Section 215 telephony metadata program, the government has sought a 90-day reauthorization of the existing program,” said the Department of Justice and Office of the Director of National Intelligence in a joint statement. Both of the government agencies also said they support the USA FREEDOM Act, saying “it reflects a reasonable compromise that preserves essential intelligence community capabilities, enhances privacy and civil liberties and increases transparency.” [The Hill]
US Legislation
US – Two Bills Head to CA Gov for Signing
There are two bills heading to California Gov. Jerry Brown for signing, both of which deal with issues affecting student privacy. SB 1177 describes privacy guidelines for operators of websites, online services and mobile applications, while AB 1584 focuses on obligations with contracts between local education organizations and third-party technology vendors. Assembly Education Committee Chief Consultant Rick Pratt said, “There really was very little if any protection that would guard the security, the privacy, the confidentiality of student information … and so hopefully bill 1584 and 1177 will provide some security and privacy where it doesn’t exist in current law right now.” A representative from Common Sense Media said it’s “a landmark regulatory scheme.” In separate news, school officials have said the Oklahoma State Department of Education violated student privacy laws. [Government Technology] and [Does California’s “Kill Switch” Bill for Smartphones Risk Privacy for Personal Safety?]
US – North Carolina Advances Further Drone Legislation
The North Carolina General Assembly has advanced the Appropriations Act of 2014, which includes a provision giving anyone surveilled without a warrant “civil cause of action against the person, entity or state agency that conducts the surveillance or that uses an unmanned aircraft system to photograph for the purpose of publishing or otherwise disseminating the photograph.” [HSToday.us]
Workplace Privacy
US – Every Three Minutes, a Worker’s Personal Device Is Remotely Wiped
While the bring-your-own-device trend is on the upswing, so are remote data-wipes of workers’ personal phones, tablets and laptops, according to PA-based firm Fiberlink Communications Corp., which specializes in mobile device management. Fiberlink’s software wiped 81,000 devices in the first six months of this year, compared with 51,000 in the last six months of 2013. That’s an average of 450 per day or three per minute. The WSJ reports that employers are not required to make a distinction between personal and professional information when erasing data. [The Wall Street Journal] See also: [Canada: Limited Protection of Dependents’ Personal Information In Group Insurance Matters]
+++
Privacy News Highlights 