01-15 June 2014

Biometrics

US – NSA Collecting Millions of Web-based Facial Images

The latest leak from Edward Snowden reared its head over the weekend when The New York Times reported that the U.S. National Security Agency (NSA) has been collecting millions of facial images from texts, social media, video conferences and e-mail over the last four years. According to the documents, the NSA intercepts “millions of images per day” including nearly 55,000 “facial recognition quality images.” A representative from the Electronic Frontier Foundation said, “The government leads the way in developing huge face recognition databases, while the private sector leads in accurately identifying people under challenging conditions.” In related news, the NTIA is set to host its latest meeting in the process of creating a self-regulatory code of conduct for the commercial use of facial recognition on Tuesday. Meanwhile, Reddit, Imgur and BoingBoing are joining the “Reset the Net” campaign to protest mass surveillance. [New York Times]

US – NIST Finds Facial Recognition Accuracy Is Improving

The National Institute of Standards and Technology (NIST) has released results from its 2013 study on facial recognition algorithms, finding that accuracy is noticeably improving, according to a NIST press release. Compiled by biometrics researchers Patrick Grother and Mei Ngan, Performance of Face Identification Algorithms found that accuracy is up 30% since 2010. “We studied the one-to-many identification because it is the largest market for face recognition technology,” Grother said. “These algorithms are used around the world to detect duplicates in databases, fraudulent applications for passports and driving licenses, in token-less access control, surveillance, social media tagging, lookalike discovery and criminal investigations.” [NIST]

WW – Will Facial Recognition Tech Soon Be Reading Our Emotions?

Facial recognition is becoming “emotional recognition,” The Atlantic reports, where advances in technology “could give anyone sporting a future iteration of Google Glass the ability to detect inconsistencies between what someone says (in words) and what that person says (with a facial expression).” A recent study indicated humans “are capable of reliably recognizing more than 20 facial expressions and corresponding emotional states.” When the study was conducted with a facial recognition software program, the accuracy rate was “on the order of 96.9% in the identification of the six basic emotions,” the report states, continuing on to predict, “We run the serious risk of losing, little by little, our spontaneous humanity, appearing more and more like the predetermined algorithms that observe and judge us.” [The Atlantic]

US – Should the Facial Recognition Code Apply to the Gov’t? Could It?

Stakeholders met for the sixth in their series of meetings organized by the National Telecommunications and Information Administration (NTIA) in hopes of creating a voluntary code of conduct on facial recognition technology. This meeting aimed to look at the risks and issues the process’ participants identified since last month’s meeting. It also looked at a list of drafted definitions the not-yet-existent code could include. The most passionate debate yesterday centered around what the code should say about government access to raw images and what standards should apply to requests by governments to gain access to such information. [Privacy Advisor]

US – No Joke: Secret Service Wants Sarcasm-Detection Algorithm

According to a work order released by the U.S. Secret Service last week, the agency tasked with protecting current and former national leaders is asking developers to create an algorithm that can detect and delete online sarcasm. Additionally, the work order calls for the development of software capable of targeting “influencer identification,” “access to historical Twitter data,” the “ability to search online content in multiple languages,” “audience segmentation” and “data visualization representations, (like) heat maps.” A Secret Service spokesman said the “objective is to automate our social media monitoring process. Twitter is what we analyze. This is real live stream analysis … We are looking for the ability to quantify our social media reach. We aren’t looking solely to detect sarcasm.” [Ars Technica]

Canada

CA – Supreme Court Rules In Favor of Online Anonymity

Canada’s Supreme Court ruled unanimously that ISPs may not provide police with customers’ names, addresses and phone numbers without a search warrant. The case involved Matthew David Spencer, who was charged with possessing child pornography “and making it available to others” in a file-sharing network after a detective “found his publicly available child pornography” and “asked Shaw Communications for the IP address,” the report states. The government argued, “There is no objective reason to think that an Internet service provider must keep such basic information as an address and a name private, let alone shield it from a child pornography investigator.” Writing for the court, Justice Thomas Cromwell said, “Anonymity is an important safeguard for privacy interests online.” [The Globe and Mail] See also: [Police watch key Internet privacy appeal] and also: [Posting porn photos of ex-girlfriend called ‘despicable’ and ‘morally wrong,’ but not illegal, judge rules]

CA – Rogers Opens Curtain on Warrantless Government Snooping

Rogers Communications gave Canadians their first real peek behind the curtain of warrantless government snooping Thursday, revealing that it was asked almost 175,000 times for customers’ data in 2013. Rogers became the first major Canadian telecommunications provider to issue a transparency report, revealing aggregate numbers on how many law enforcement requests it receives in a year. More telecom and Internet service providers are expected to follow suit, as Canadian customers learn more about the scope of government access to their personal data. [The Canadian Press]

CA – Therrien Testifies on Bill C-13

Testifying before the House of Commons Justice Committee on Tuesday, Privacy Commissioner Daniel Therrien urged the government to split Bill C-13 “to allow for thorough examination of several measures that would expand online monitoring,” Ottawa Citizen reports. Bill C-13 would make it illegal to share “intimate images” without consent and would “remove barriers to getting such pictures scrubbed from the Internet—changes Therrien supports,” the report states. However, the report states, Therrien’s office has warned that provisions giving authorities tools to track telecommunications “would dangerously lower the proposed threshold” for access to personal information. Meanwhile, MP Charlie Angus has written to Treasury Board President Tony Clement “to convene an independent expert panel to make recommendations on securing Canadians’ privacy in the digital era.” [Full Story] [Commissioners Cavoukian, Clayton, and Denham’s Joint Letter to the Standing Committee Reviewing Bill C-13] and also: [Privacy watchdog cancels cyberbullying bill appearance]

CA – Conservatives Keep New Surveillance Powers in Cyberbullying Bill C-13

The Conservative government has rejected calls to change a controversial cyberbullying bill, preserving a broad range of new police surveillance powers that critics warn will infringe on Canadians’ privacy rights. The House of Commons Justice Committee wrapped up its review of Bill C-13, with the Conservative-dominated committee voting down nearly every proposed amendment. They did so despite calls from the federal privacy commissioner, provincial commissioners, civil liberties groups and other experts to change parts of the bill to rein in the broad surveillance powers and warrantless access to private information. The bill was tabled as an anti-cyberbullying law, but also gives telecommunications companies immunity for handing private data over to police without a warrant. It creates a range of new surveillance warrants, such as one allowing police to install software on someone’s phone, with what critics say is too low an evidence threshold – in other words, they warn it will be too easy for police to get approval to spy on Canadians. Finally, the bill hands the broad new powers to a range of public officials, not just police. [Source]

CA – Experts Examine Facebook Class-Action

Reed Smith’s Mark S. Melodia and Frederick Lah examine the BC Supreme Court’s recent certification of a class-action suit against Facebook over its “Sponsored Stories.” They write, “In the Canadian case, one of the main issues was whether Facebook users have the protection of BC’s Privacy Act, or instead, whether Facebook’s online Terms of Use overrode these protections.” The court pointed to a section of BC’s Privacy Act that states actions under the Privacy Act “must be heard and determined by the Supreme Court,” the report states, and defined the class as “all BC residents who are or have been Facebook members at any time between January 2011 and May 2014 and whose name or picture was used as part of the Sponsored Stories.” [Mondaq]

CA – Therrien Confirmed as Commissioner, Criticizes C-13 in Committee

Just days after NDP Leader Tom Mulcair hammered Prime Minister Stephen Harper over his nomination of Justice Department lawyer Daniel Therrien to take over as federal privacy commissioner, The Globe and Mail reports that the House of Commons voted 153 to 75 to approve Therrien. Meanwhile, CBC reports, Therrien voiced support for splitting Bill C-13 to a Parliamentary committee, a plan advocated by the Canadian Bar Association and others. He also advocated for an independent review of the bill, saying, “I think Canadians want to know more about why police and security agencies require information.” He likely knows more than most Canadians, as he’s given legal advice on surveillance to security agencies in the past. Therrien’s first order of duty is to testify before the committee considering Bill C-13 on June 10. Editor’s Note: The Privacy Advisor rounded up heated reaction to Therrien’s nomination last week. [Full Story] and [Canada: New privacy watchdog approved with Conservative and Liberal support]

CA – BC Supreme Court Certifies Class-Action Against Facebook

The BC Supreme Court has certified a lawsuit against Facebook claiming that its practice of publishing users’ “likes” of businesses on their friends’ pages violates the BC Privacy Act. Through Facebook’s “Sponsored Stories” program, companies can pay to use a person’s name and likeness as proof of an endorsement. Plaintiff lawyer Christopher Rhone says doing this without consent breaches the BC Privacy Act. In the court decision, BC Supreme Court Justice Susan Griffin said one key question is whether BC users of foreign social media sites have the protection of the BC Privacy Act, adding, “Given the almost infinite life and scope of internet images and corresponding scale of harm caused by privacy breaches, BC residents have a significant interest in maintaining some means of policing privacy violations by multi-national internet or social media service providers.” [CBC News]

CA – OPC: S-4 Will Allow Data Sharing without Consent

While Bill S-4 intends to overhaul online privacy rules, introduce new penalties for breaches and give new powers to the Office of the Privacy Commissioner (OPC), the OPC warns it also opens the door for the sharing of consumer data between private companies without consent. Patricia Kosseim, OPC senior general counsel and director general, told a Senate committee on Wednesday the bill’s data-sharing provision “could lead to excessive disclosures that would be invisible both to the individuals concerned and to our office.” Industry Minister James Moore, who is leading government efforts to pass the bill, said, “These rules ensure that information is only released when there is a reason to believe the law has been broken.” [The Globe and Mail] [InfoWorld]

Consumer

WW – Survey: Consumers Won’t Trade Privacy for Convenience

While users worldwide are “thrilled by the ease and convenience of their smartphones and Internet services,” they aren’t willing to trade their privacy for more of it. That’s according to a new survey of 15,000 consumers in 15 countries conducted by EMC Corporation. 51% of respondents said they aren’t willing to trade “some privacy,” while 27% said they are. 41% said they “believe the government is committed to protecting” their privacy, while 81% said they expect privacy to erode over the next five years. “Consumers worldwide seem to strongly agree with the notion that there should be laws ‘to prohibit businesses from buying and selling data without my opt-in consent’—87%,” the report states. [The New York Times] See also: [UK: Young people give up privacy on Google and Facebook ‘because they haven’t read 1984’]

CA – Nearly all Canadian Businesses Collect Personal Info: Survey

The percentage of Canadian businesses collecting their customers’ personal information has sharply increased over the last seven years, a new survey for Ottawa’s privacy watchdog reveals. A total of 97% of companies surveyed in 2013 said they collect their customers’ personal information, including name, address, and telephone numbers — up from 63% in 2007. But while the number of companies collecting Canadians’ personal data is increasing, the number concerned about losing that data seems to be on the wane. Half of the businesses surveyed said they were “not at all” concerned about data breaches in 2013 — while only a year earlier 40% indicated some concern about such breaches. “58% of surveyed companies do not have guidelines in place in the event of a breach where the personal information of their customers is compromised.” [Source]

E-Government

CA – Federal Agency Seeks to Widen Surveillance of Demonstrators In Canada

The federal government is expanding its surveillance of public activities to include all known demonstrations across the country, a move that collects information even on the most mundane of protests by Canadians. The email requesting such information was sent out this week by the Government Operations Centre in Ottawa to all federal departments. “The Government Operations Centre is seeking your assistance in compiling a comprehensive listing of all known demonstrations which will occur either in your geographical area or that may touch on your mandate,” noted the email, leaked to the Citizen. “We will compile this information and make this information available to our partners unless of course, this information is not to be shared and not available on open sources. In the case of the latter, this information will only be used by the GOC for our Situational Awareness.” Wesley Wark, an intelligence specialist at the University of Ottawa, said such an order is illegal. “The very nature of the blanket request and its unlimited scope I think puts it way over the line in terms of lawful activity,” said Wark. “I think it’s a clear breach of our Charter rights.” Wark said the only lawful way a Canadian government agency, with the appropriate mandate, would have to monitor a demonstration would be if that agency could establish that the protest would constitute some kind of threat to civil order. “But it has to be specific and it has to be justifiable in law to mount such surveillance,” he added. [The National Post]

E-Mail

WW – Google Testing eMail Encryption Plug-in

Google is testing a tool for its Chrome browser that allows users to encrypt their email. The End-to-End plug-in uses OpenPGP to encrypt, decrypt, digitally sign, and verify messages in Chrome. Because the cryptography runs inside the browser, message bodies are protected before they reach the mail provider or any transport hop between providers, regardless of whether those hops are TLS-encrypted. The plug-in is currently in alpha testing mode and is not yet available in the Chrome Web Store. [DarkReading] [v3.co.uk] [CNN] [ArsTechnica] [GOOGLE] and also [Google Street View prank creates murder scare]

Electronic Records

US – National Health IT Office Unveils 10-Year Plan

The Office of the National Coordinator for Health IT has outlined a 10-year plan to develop an “interoperable health IT ecosystem that can simultaneously improve population health, boost patient engagement and lower costs.” By 2024, the office’s health IT infrastructure and data standards aim to support “robust information sharing and aggregation,” the report states. Meanwhile, Apple’s new HealthKit for iOS 8 acts as a dashboard that can collect and summarize health data from other connected apps or third-party fitness devices. But how do this and other similar apps negotiate with HIPAA rules, asks a NetworkWorld report? [FierceHealthIT] and [US: Group Of Electronic Health Record Vendors To Become Officially Interoperable]

Encryption

WW – New OpenSSL Vulnerability Revealed; Searching for New Privacy Tech

In another blow to online encryption, a researcher has found a new and severe vulnerability in the OpenSSL cryptographic library that could let an attacker decrypt and alter web, e-mail and virtual private network traffic protected by the Transport Layer Security (TLS) protocol. TLS is the most common way to encrypt traffic on the Internet. The flaw is not exploitable remotely on its own: the attacker must already hold an active man-in-the-middle position between the two endpoints, and it only bites when the client side is also built on OpenSSL. “The good news is that these attacks need man-in-the-middle position against the victim and that non-OpenSSL clients (IE, Firefox, Chrome on Desktop and iOS, Safari, etc.) aren’t affected,” said Google software engineer Adam Langley in a technical analysis. He added, “Nonetheless, all OpenSSL users should be updating.” That applies to servers, VPN gateways and embedded devices linked against OpenSSL, not just desktop software. Meanwhile, The Wall Street Journal reports on finding privacy-enhancing technology in a post-Snowden world. [Ars Technica]

WW – Google to Name Non-Encrypting E-mail Providers

Google announced in a blog post that it will begin publicly identifying which companies support and do not support e-mail encryption in transit as part of its transparency reports. Separately, the company plans to release End-to-End, an OpenPGP-based Chrome extension that encrypts message bodies in the browser, so that content stays protected even when a receiving provider does not support Transport Layer Security on the hop between mail servers. According to the blog post, 65% of traffic sent to Google servers is not encrypted. Gmail Delivery Team Tech Lead Brandon Long wrote, “The important thing is that both sides of an email exchange need to support encryption for it to work; Gmail can’t do it alone.” ACLU Technologist Christopher Soghoian said, “Google’s naming. We can shame … And we will.” [Google Blog] See also: [When Bad Passwords Make a Great Dress]
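Why “both sides need to support encryption”: server-to-server mail encryption is opportunistic STARTTLS, and the sending server only encrypts if the receiving server advertises STARTTLS in its EHLO reply. The script below is an added example, not part of the original item and not Google’s own code. The EHLO replies are constructed, and mx.example.net and client.example.org are hypothetical names. It parses the reply the way a sending MTA does, decides whether the hop can be encrypted, and shows the failure mode a transparency tally cannot see: an active man-in-the-middle that rewrites the STARTTLS keyword silently downgrades the hop to cleartext.

```python
"""Opportunistic STARTTLS between mail servers: what the receiving MTA
advertises in its EHLO reply decides whether the sending MTA can encrypt.

Added example. The EHLO replies are constructed, not captured from any real
server; mx.example.net and client.example.org are hypothetical names.
"""
import re
import smtplib

# Constructed RFC 5321 EHLO replies. Continuation lines start with "250-",
# the final line with "250 " (a space instead of a hyphen).
EHLO_WITH_STARTTLS = (
    "250-mx.example.net Hello client.example.org\r\n"
    "250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mx.example.net Hello client.example.org\r\n"
    "250-SIZE 35882577\r\n"
    "250 8BITMIME\r\n"
)
# Active downgrade: a man-in-the-middle overwrites the keyword in transit, so
# the sender never sees STARTTLS and falls back to cleartext without error.
EHLO_STRIPPED = EHLO_WITH_STARTTLS.replace("STARTTLS", "XXXXXXXX")

_EHLO_LINE = re.compile(r"^250([ -])([A-Za-z0-9-]+)(?:[ ](.*))?$")


def parse_ehlo(reply: str) -> dict:
    """Return {EXTENSION: [params]} from a multi-line EHLO reply.

    Raises ValueError if the reply is not a 250 or is truncated (no final
    "250 " line), so a half-received reply is never mistaken for a server
    that simply lacks STARTTLS.
    """
    lines = [line for line in reply.split("\r\n") if line]
    if not lines or not lines[0].startswith("250"):
        raise ValueError(f"EHLO not accepted: {lines[0] if lines else '<empty>'}")
    if lines[0][3:4] == " ":
        return {}  # single-line reply: greeting only, no extensions offered
    caps = {}
    for line in lines[1:]:
        match = _EHLO_LINE.match(line)
        if match is None:
            raise ValueError(f"malformed EHLO line: {line!r}")
        sep, keyword, params = match.groups()
        caps[keyword.upper()] = params.split() if params else []
        if sep == " ":  # the terminating line of the reply
            return caps
    raise ValueError("truncated EHLO reply: no terminating '250 ' line")


def offers_starttls(reply: str) -> bool:
    """True if the receiving server advertised STARTTLS."""
    return "STARTTLS" in parse_ehlo(reply)


def hop_can_encrypt(sender_supports_tls: bool, receiver_reply: str) -> bool:
    """Both sides must cooperate: the sender has to be willing to issue
    STARTTLS and the receiver has to advertise it. Either side alone yields
    a cleartext hop."""
    return sender_supports_tls and offers_starttls(receiver_reply)


def check_mx(host: str, timeout: float = 10.0) -> bool:
    """Live check of one MX host on port 25 (network; not run offline).
    smtplib parses the EHLO reply into SMTP.esmtp_features for us."""
    with smtplib.SMTP(host, 25, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("starttls")


if __name__ == "__main__":
    cases = [
        ("receiver advertises STARTTLS", EHLO_WITH_STARTTLS),
        ("receiver lacks STARTTLS", EHLO_WITHOUT_STARTTLS),
        ("STARTTLS stripped by MITM", EHLO_STRIPPED),
    ]
    for label, reply in cases:
        print(f"{label:30s} -> encrypted hop: {hop_can_encrypt(True, reply)}")
```

The stripped case is the practitioner’s caveat on a naming-and-shaming report: a provider can support STARTTLS on both ends and a hop can still go out in the clear if an on-path attacker edits one line of the EHLO reply, because opportunistic TLS has no policy telling the sender that encryption was expected. The parser raises on a truncated reply rather than returning “no STARTTLS” for the same reason: a fail-open check would count a broken connection as a provider that does not encrypt.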

EU Developments

US – Microsoft Fights U.S. Order to Disclose E-mail Stored Overseas

In a continuing legal battle, Microsoft is challenging a U.S. federal court order to turn over a customer’s information stored in a data center in Ireland—possibly the first time a corporation has challenged such a warrant. Additionally, Verizon filed an amicus brief on Tuesday that parallels Microsoft’s arguments, and, according to the report, more companies are expected to join. In a court filing made public on Monday, Microsoft contends that if the order were upheld, it “would violate international law and treaties and reduce the privacy protection of everyone on the planet.” Peter Swire said, “This is a policy decision as well as a legal one.” [The New York Times]

EU – Ministers Agree EU Privacy Law Applies to Non-EU Business

EU justice ministers reached a partial agreement on the proposed overhaul of EU data protection law. The ministers agreed to rules governing international data transfers and the territorial scope of the proposed regulation, the report states. EU Justice Commissioner Viviane Reding said, “It’s in the interest of companies to have legal certainty rather than having to spend money on costly lawsuits only to arrive at the same result at the end.” The main sticking point is the so-called “one-stop-shop” mechanism. A European Data Protection Supervisor representative said, “Everyone agrees that a one-stop-shop is necessary, but there are about 20 different ideas of what that should mean in practice.” The lack of full agreement means a final round of negotiations cannot resume until October. [PC World]

EU – EU DPAs to Form Right-To-Be-Forgotten Task Force

A panel of watchdogs will be formed in the EU to examine “right-to-be-forgotten” takedown requests. A member of the Article 29 Working Party said the move was approved in a meeting in Brussels. The panel will reportedly analyze how regulators should respond to citizen complaints about Google’s management of takedown requests. [Bloomberg]

EU – EU Council Unlikely to Back One-Stop-Shop

EU ministers are not expected to reach an agreement on the proposed “one-stop-shop” (OSS) component of the proposed General Data Protection Regulation (GDPR). On Tuesday, an EU official said, “The discussion hasn’t moved on to be honest since the last council,” and an EU presidency source said finalizing the OSS “is out of the question.” A “discussion text” to resolve the disagreement was passed out last week, but some member states, including Germany and the UK, have expressed concern their nations could be subject to unwanted data protection rules. European Data Protection Supervisor Peter Hustinx said, “I expect the council will mark that progress has been made, but will probably not give the OK to the final version,” adding, “with the one-stop-shop principle, it can only work if we think in terms of close collaborations.” [EUobserver]

EU – Council May Offer Tweak to Proposed “One-Stop-Shop” Mechanism

The Presidency of the Council of Ministers in the EU has provided an outline of plans to tweak the proposed “one-stop-shop” mechanism by allowing local data protection authorities (DPAs) to have more of a say in cases where a questionable data protection practice affects citizens within their jurisdiction. The presidency proposed not employing the one-stop shop “if the subject matter of the specific processing concerns only processing carried out in a single member state and involving only data subjects in that single member state.” The local DPA, in such a case, would have power to investigate and resolve cases on their own, regardless of where the data processor’s headquarters are located, the report states. [Out-Law]

EU – UK Man Wins Damages Under Spam Rules

Retailer John Lewis has been ordered to pay damages for sending unsolicited e-mails in a privacy ruling “that could open the floodgates for harassed consumers.” A producer for Sky News brought the case, and a county court said the company acted unlawfully because it couldn’t prove Roddy Mansfield agreed to receive the e-mails or was a customer. This is the third time Mansfield has won damages for receiving spam under the Privacy and Electronic Communications Regulations. [Sky News]

EU – Garante Publishes New Cookie Rules

Garante, the Italian data protection authority, has published new provisions on consent and policies around online cookies, emphasizing the difference between “technical” cookies and “profiling” cookies. For technical cookies, the presence of a privacy policy will suffice. However, when using profiling cookies, sites will need to gain consent and notify the Garante of the practice. The provisions also distinguish between first- and third-party cookies, drawing a line between the liability of publishers and of others. “On this point the DPA is clear: As for third-party cookies, the editor acts as a mere technical intermediary and does not have any responsibility for privacy infringements,” the report states. [eLex]

EU – Room: Regulators Acting Like EC Proposal Is In Effect

While proposed EU data protection reforms may be far from becoming law, “Regulators and courts throughout Europe are acting as if the proposed legislation were already in force,” Stewart Room told SC Congress attendees, noting that “with regulators and courts already acting according to the new thinking embodied in” the proposal, increased fines are the only big change that would come with its passage. Room also addressed the recent European Court of Justice ruling against Google, noting that it shows that “anyone with power over data will be treated as a data controller” and that EU authorities have no fear in taking on big tech firms. [ComputerWeekly]

EU – Malta’s Education Minister Suspends Student Data Request Pending Report

Education Minister Evarist Bartolo has suspended the implementation of a legal notice allowing him and “unspecified” authorities to request student information from school representatives. Legal Notice 76 would require school representatives to hand over data relating to students’ abilities and identity card numbers or face criminal charges. Bartolo contacted the Data Protection Commissioner once the notice was passed, and the commissioner set up a working group to determine the privacy concerns and whether the notice breached the privacy act. The notice is suspended pending the working group’s report. [The Independent]

EU – Swiss Gov’t Surveillance Bill Sparks Protest

The Swiss government has proposed legislation that would increase its ability to access electronic communications and Internet data and strengthen mandatory data retention laws. The proposal contains “provisions which greenlight government use of Trojan horse software and IMSI catchers” for criminal investigations and increase data retention requirements on telcos, telecom-enabled communications providers and non-commercial providers as well. The bill easily cleared the Council of States, the report states. Privacy rights activists have planned a protest against “BÜPF,” as it’s called. [Access Now]

WW – Apple Talks Privacy Amid Plans to Connect Home, Devices

At the Worldwide Developers Conference on Monday, Apple unveiled plans to connect users’ mobile devices with an array of Internet-connected home appliances, Politico reports. Apple Senior Vice President Craig Federighi said, “We thought we could bring some rationality to this space.” McKenna Long & Aldridge advisor Dan Caprio said, “When you see a company like Apple (talking) about open standards and interoperability, that’s the next phase,” adding, “It’s a very big deal for consumer applications.” Other updates include a new API for the fingerprint sensor and encrypted e-mail storage on the cloud. Additionally, Apple will make privacy-enhancing search engine DuckDuckGo available on its Safari browser. However, The Hill reports that privacy advocates are examining Apple’s new features, including plans for a new fitness data center. [Source]

US – Brill to Push Back Against Use-Based Privacy Frameworks

The FTC’s Julie Brill spoke in Brussels yesterday about big data, data brokers, privacy and competition with still-in-office European Data Protection Supervisor Peter Hustinx. Brill said she’s planning to push back against privacy frameworks that examine only use or risk, Politico reports. “Notice and choice, collection limits and data security—as well as a careful analysis of the risks that go along with actual data uses—are all necessary strands in the tapestry we must weave to create effective consumer privacy protection,” Brill said. She added that she applauds companies that are using privacy as a competitive differentiator. [Politico]

Facts & Stats

WW – Cloud Breaches Are Three Times Costlier, Report Finds

While many IT professionals might say differently, a data breach in the cloud could be at least three times as costly as a typical security breach, a recent IT survey indicates. The Ponemon Institute report surveyed more than 600 U.S.-based IT and IT security professionals. Meanwhile, cloud software startup Okta will announce later this week that it’s secured a new round of funding via Sequoia Capital, putting its pre-money valuation at nearly $600 million, and Google is getting behind an open source cloud computing technology called Docker.

US – HR Analytics Firm Secures $25.5 Million

Visier has attracted $25.5 million in new financing as “the growth of its software business applying big data analytics technologies to the human resources market” continues. The company’s CEO says it is the next step in the development of HR technology. The company’s software uses “natural language processing” to return information from direct queries about business processes and human resources information “directly to the end-user, without having to take any additional steps,” the report states. Visier’s customers include companies like Nissan Automotive, energy company Exelon Corp. and government agencies in cities across the U.S. [Tech Crunch]

Finance

US – CFPB Collecting Info on Mobile Financial Services

The Consumer Financial Protection Bureau (CFPB) has announced it is looking “into the opportunities and challenges associated with the use of mobile financial services.” The regulatory agency wants to know more about how consumers are using such services, including a focus on economically vulnerable customers. The CFPB’s four areas of interest are access for the underserved, real-time money management, customer service, and privacy and data security, including data breaches. The move “suggests that the bureau may attempt to use its authority under the Dodd-Frank Act to expand further into arenas touching on telecommunications and privacy and data security.” [Consumer Finance] [Ad Law Access]

US – Credit Union Association Renews Calls for Federal Data Security Standards

With the P.F. Chang’s breach fresh in the headlines, National Association of Federal Credit Unions (NAFCU) President and CEO Dan Berger is renewing calls for national data security and breach notification standards. “It has been almost six months since Target’s data breach, and we still have no new data security standards for retailers,” he said, adding, “Since Target, there has been a major data breach discovered almost every month. The continued lack of national data security standards is an open invitation to cybercriminals.” Credit unions are subject to the Gramm-Leach-Bliley Act, but retailers are not, the report states. Meanwhile, P.F. Chang’s is reportedly using carbon-copy credit card machines after their recent breach. [Gov Security News]

US – 77,000 Non-U.S. Financial Organizations Agree to Share Data with IRS

Associated Press reports on a new data sharing agreement between the U.S. Internal Revenue Service and more than 77,000 foreign banks, investment funds and other financial organizations to help curb offshore tax evasion. Beginning in March 2015, the organizations will share account holder names, account numbers and balances for U.S. taxpayer accounts. Under the Foreign Account Tax Compliance Act (FATCA), foreign institutions that do not participate face harsh penalties when conducting business in the U.S. “The strong international support for FATCA is clear,” said Deputy Assistant Treasury Secretary for International Tax Affairs Robert Stack. [AP]

FOI

CA – Sharp Increase in Ottawa Blocking Release of Records, Watchdog Says

Canada’s Access to Information Commissioner received a major increase in complaints over the past year related to federal departments blocking the release of government records. In her annual report tabled this week, Commissioner Suzanne Legault urges the government to improve its performance as soon as possible, after complaints rose by more than 30%. “This decline in performance must be promptly addressed,” she states. “Canadians should be concerned and speak out whenever their quasi-constitutional right of access is in jeopardy.” [The Globe and Mail]

CA – Freedom of information gets D on P.E.I.

Access to government information on P.E.I. is limited says a new report from Newspapers Canada, and the information commissioner herself is complaining she hasn’t got the resources to do her job. Information and privacy commissioner Maria MacDonald wrote in her annual report she is falling farther and farther behind in reviewing files where government has refused to provide information under the province’s Freedom of Information Act. MacDonald’s position is part-time, three days a week. She inherited a backlog of cases when she got the job. And every year that pile of cases grows. Some date back to 2010. “It’s not a secret we have been struggling since the office opened basically with the backlog of file reviews,” she said. [CBC News]

Genetics

CA – Human Tissue Removed for Medical Tests is ‘Personal Property’ of Institution, Not Person it Came From: Ruling

In a precedent-setting decision that could eventually affect everything from stem cell research to billions in pharmaceutical spending, an Ontario court has ruled that excised human tissue is private property and that it belongs not to the person from whom it came but to the institution that holds it. The ruling, which came in the preliminary phase of a medical malpractice case, is the first “clear, definitive statement about tissue being property in Canada,” said Tim Caulfield, a Canada Research Chair in health law and policy at the University of Alberta. If held up by other courts, it could eventually limit the ability Canadians have to decide what’s done with their own blood samples, tissue biopsies and genetic data. [Source]

Google

EU – Google to Flag “Right To Be Forgotten” Search Results

In the continuing developments after last month’s European Court of Justice ruling on the so-called “right to be forgotten,” Google has indicated it will flag search results it has censored after a takedown request has been accepted. The message would be similar to ones notifying users when a copyright takedown has been enacted. Google also said it will include statistics on takedown request removals in its biannual transparency report. As of June 9th, the company had received approximately 41,000 takedown requests. Google CEO Larry Page said that, of those requests, nearly one-third involved a fraud or scam, one-fifth a serious crime and 12% were connected to child pornography arrests, the report states. [The Guardian]

WW – Google’s New All-Seeing Satellites Have Huge Potential—for Good and Evil

With the $500 million purchase of Skybox, a startup that shoots high-res photos and video with low-cost satellites, Google can extend its reach far across the offline world. Thanks to its knack for transforming mass quantities of unstructured data into revenue-generating insights, the unprecedented stream of aerial imagery to which the company is gaining access could spark a whole new category of high-altitude insights into the workings of economies, nations, and nature itself. But this acquisition will also demand assurances from Google that it will incorporate privacy safeguards into its vast new view of the world. [Wired]

Health / Medical

WW – Apple to Release Health-Tracking App

Apple will this week introduce a new health-tracking app at its annual Worldwide Developers’ Conference. The app will monitor users’ footsteps, heart rate and sleep activity, the report states, initially pulling data from third parties’ health and fitness hardware. Apple will likely release a smart watch later this year, however, that will sync with its app. Meanwhile, Nick Bilton describes some of the risks inherent in homes that are connected to the Internet of Things. “I can’t shake the feeling that one day, maybe, just maybe, my entire apartment is going to get hacked,” Bilton writes. [The New York Times]

US – Apple’s HealthKit Raises Eyebrows Among Experts, Advocates

Following the debut of Apple’s HealthKit last week, healthcare experts and privacy advocates are voicing concerns over the sharing of confidential data and use of medical terms. One healthcare expert recently noted, for example, that data on a user’s phone isn’t covered under HIPAA, but it may be if it’s transmitted to a doctor, provider or pharmacy. Meanwhile, a report on the MIT Digital Summit suggests mobile apps and cloud computing “may soon end the doctor’s reign as the be-all, end-all of medical care,” and a federal IT panel recently took “baby steps” toward using technology to ensure future privacy protections for electronic health records. [FierceMobileHealthcare] See also: [How Can Healthcare Get Security Right?]

WW – Android Changes How App Updates Notify Users of Permission Changes

A change in the way automatically updated Android apps inform users about changes in permissions could put users at risk of having their information shared, or allowing their device to send SMS messages from apps without their knowledge. Formerly, apps displayed any permission changes when they updated automatically. Now, permission changes are not displayed if users have previously allowed a permission in the same category. [ArsTechnica] See also: [“WARNING Your phone is locked!” Crypto ransomware makes its debut on Android]

US – Startup Unveils “Wearable Health Record” for Google Glass

Healthcare tech startup Drchrono has developed a new “wearable health record” application for Google Glass. Doctors can use it to record a consultation or surgery with patient consent, and then videos, notes and photos can be stored in the patient’s electronic health record. Dr. Bill Metaxas, who uses the technology, has warned physicians to be diligent about obtaining patient consent prior to use and to lock down the app’s security settings. “Google is still in the early stages of determining the most viable use cases for Google Glass,” Drchrono Cofounder Daniel Kivatinos said, adding, “But some doctors are demanding Glass, so Google is providing resources and support to developers.” [Reuters] See also: [Smartwear revolution promises healthier lives but raises privacy concerns]

WW – Worried About Getting Glassed? A Berlin Artist Offers One Solution

A Wired report offers a solution to those worried about Google Glass’s ability to surveil. A Berlin artist, Julian Oliver, has written a program called Glasshole.sh that detects any Google Glass device attempting to connect to a WiFi network—it’s effectively a “glass-detector,” capable of sending a “deauthorization command,” cutting off the WiFi connection and emitting a “beep” to alert others that a Glass wearer is nearby. “To say, ‘I don’t want to be filmed’ at a restaurant, at a party or playing with your kids is perfectly okay. But how do you do that when you don’t even know if a device is recording?” Oliver said. “This steps up the game. It’s taking a jammer-like approach.” [Wired]

US – What’s Top Privacy Concern for Healthcare Execs? Access Management

A new report from KLAS reveals that identity management and unauthorized data access by employees top the table of healthcare executives’ biggest privacy and security concerns. The report, “Security and Privacy Perception 2014: High Stakes, Big Challenges,” is based on a survey of 104 healthcare providers and found that, according to the respondents, there is no clear leader in healthcare security services. The top five services healthcare organizations were looking for included HIPAA and Meaningful Use risk assessment; attack and penetration testing; privacy assessment; HIPAA breach advisory services, and mobile security advisory services. Additionally, 75% of academic medical centers said they were “prepared” or “very prepared” for an Office for Civil Rights audit. The second leading privacy concern, according to the report, is bring-your-own-device and remote security policies. [FierceHealthIT] See also [“Data Breach Fatigue,” Ralph Nader and What It Could Mean for the Privacy Profession] and [Canada: Privacy laws hamper quest to find birth defect’s cause]

Horror Stories

US – AT&T Says Sensitive Consumer Data Accessed in Breach Incident

In a filing with California state regulators, AT&T said an unknown amount of customer data was accessed in a breach. Compromised data included Social Security numbers and call records reportedly accessed between April 9 and 21. California law requires companies to report breaches affecting at least 500 customers. “Employees of one of our service providers violated our strict privacy and security guidelines by accessing your account without authorization,” AT&T wrote in a letter to customers. “AT&T believes the employees accessed your account as part of an effort to request codes from AT&T (that) are used to unlock AT&T mobile phones in the secondary mobile phone market.” The company believes three employees of a vendor may have improperly accessed customer accounts. [PC World]

US – PF Chang’s Investigating Data Breach

US restaurant chain PF Chang’s says it is in contact with law enforcement agencies regarding reports that attackers stole customer payment card data from the company’s systems. Several days ago, thousands of recently stolen credit card numbers and their associated information were offered for sale in an underground forum known for trading in such things. The breach affects cards used at several different locations, suggesting that the attackers breached the company’s point-of-sale network, much like the attacks on Target and Sally Beauty. [KrebsonSecurity] [GovInfoSecurity] [SANS]

US – ComScore Settles Privacy Class-Action for $14 Million

Analytics company comScore has agreed to pay panel members $14 million for privacy violations, and it will revise disclosures to panelists and implement procedures with its partners. U.S. District Court Judge James Holderman must still accept the settlement. Meanwhile, Michaels Stores Inc. is asking an Illinois federal judge to dismiss a class-action lawsuit brought by plaintiffs who claim harm for the company’s data breach. The company argues the plaintiffs lack standing in the case. [MediaPost] See also: [Toronto: Hospital contacts police after patient records of 8,300 mothers breached]

US – House Committee Probing FTC Breach Enforcement

The U.S. House Oversight Committee is launching an investigation into the FTC data breach complaint against LabMD. A lawyer representing security vendor Tiversa told an FTC administrative law judge that the House panel is investigating the company. According to the complaint that was brought against LabMD in 2013, the company exhibited poor data security practices by placing a spreadsheet containing sensitive personal data of more than 9,000 customers on a Tiversa P-to-P network in 2008. LabMD, which has since gone out of business, has argued the FTC does not have the authority to bring such complaints against companies and that it has provided little guidance. [PCWorld]

Identity Issues

US – Subpoena Gives White House Access to Whistleblower Portal

The Project on Government Oversight (POGO) encourages whistleblowers to use Tor to submit tips, but Obama administration lawyers are using the power of the administrative subpoena to take data from the encrypted submission portal. POGO has received, for example, more than 700 tips about abuse and mismanagement at the Veterans Administration in less than a month, the report states. The administrative subpoena does not require probable cause and “comes as the number of so-called drop boxes from media organizations and other whistleblower groups is on the rise in the wake of the Edward Snowden revelations,” the report states. [Ars Technica]

US – Solove: FTC Can Help Halt ID Theft

The FTC already has the legal framework in place to stop a lot of identity theft without needing new laws to be passed, writes George Washington Law School Prof. Daniel Solove. A major contributing factor to identity theft is the use of Social Security numbers (SSNs), which have come to be misused as passwords, and the government has failed to pass measures to protect them, Solove writes. But the FTC can remedy this, because it has the power to regulate organizations’ “reasonable data security protections,” and the use of SSNs as passwords is clearly “unreasonable.” [LinkedIn]

Internet / WWW

EU – European Firms Turn Cloud Into Competitive Differentiator

F-Secure is a European online security company offering secure and private cloud storage. Users can access photos, documents and video files remotely, similar to services offered by Dropbox and Google. F-Secure, however, touts that it does not share user data with third parties or governments. F-Secure’s servers are in Finland, which has some of the world’s strongest privacy laws. F-Secure’s founder said cloud services are “very much about trust,” adding, “As a Finnish security company, we can differentiate ourselves, particularly against U.S. companies.” F-Secure is one of many EU-based companies using robust privacy to compete with U.S.-based services. According to a new report into the impact of the cloud (21-page) published by the Economist Intelligence Unit (EIU), consumers could gain greater control of how their personal information is “acquired, shared or used” by engaging with cloud-based services. The co-founder of German-based AntiSpamEurope said, “We have to match the quality of American companies but with the additional benefit of extra security.” [The New York Times]

WW – IT Pros See Danger Ahead with IoT

Online IT community site Spiceworks has completed a study, titled “The Devices Are Coming,” on how the Internet of Things (IoT) will impact IT professionals. According to its findings, 86% of IT pros admit “to believing the new breed of devices will create security and privacy issues.” Further, only 63% “are investing in security solutions to make the IoT safer for the business in question.” Similarly, while 71% of respondents think the IoT will adversely affect both consumers and the internal workforce, 59% said they are “not actively preparing for the impact it may have on business.” Meanwhile, an opinion piece for Computerworld says IT pros may do well managing threats, but are they paying attention to their vendors’ security programs? [IT Pro Portal]

Law Enforcement

EU – EU Bill Would Allow Police Access to Air Passenger Details

The European Commission has renewed its push for the 2011 EU passenger name records proposal after news that a suspect in last month’s shootings at the Jewish Museum in Brussels spent time fighting with a radical Islamist group in Syria. The bill is aimed at protecting EU citizens from terrorists entering the region by air, but it was rejected last year due to privacy concerns. [EUObserver]

WW – Metadata Debate Ongoing in Australia, Canada, U.S.

While the Canadian Supreme Court has ruled IP address information may have privacy interests for individuals, in the U.S., courts continue to grapple with issues around tracking, and the Supreme Court decision on GPS tracking from two years ago has left behind questions. Australia currently allows warrantless collection of telecommunications metadata, but Commonwealth Ombudsman Colin Neave, responsible for inspecting certain police records, in a parliamentary hearing offered up his office to look into the practice. [ITNews] See also: [Commissioner Cavoukian Expects the Toronto Police Service to Follow the Law, launches legal action to halt the indiscriminate disclosure of attempted suicide information by the Toronto Police] and [ON: Police keep low profile while keeping tabs on sex offenders] and also: [Simon Fraser University expanding web sleuth program to track child exploitation]

WW – As Breaches Persist, Cyberinsurance Demand Increases

Amidst recent breach reports, The New York Times reports on the increase in demand for cyberinsurance policies—up 21% from 2012 to 2013. Breaches like the recent one that hit eBay “have become a reality of the business world,” the report states. However, “companies say it is difficult to get as much coverage as they need, leaving them vulnerable to uncertain losses,” the report states, citing the struggle to quantify losses from “intangible” damages such as loss of brand reputation or sales and for underwriters to find “data they need to figure out how likely it is that an attack will occur, or what it will cost … because most breaches go unnoticed or are never publicly reported.” Meanwhile, Reuters reports cybersecurity experts believe “companies are unlikely to be able to stop their systems being breached. The best defense may simply be either to reduce the data they hold or encrypt it so well that if stolen it will remain useless.” And Business Insurance reports when a major breach occurs, businesses “should be prepared for directors and officers liability-related litigation that is certain to follow.” [New York Times] See also: [TRO LLC – GET IT? Sprung From Prison, Hacker Creates Hedge Fund That Shorts Stocks Of Companies With Security Vulnerabilities]

Location

WW – How “Movement Fingerprints” Reveal Vast Amounts of Personal Data

A new research paper contends that it only takes approximately one week’s worth of geolocation data generated from the GPS signals sent from an individual’s smartphone to qualify as an “unreasonable search” and violation of the Fourth Amendment. A collaboration between lawyers and computer scientists, “When Enough is Enough: Location Tracking, Mosaic Theory and Machine Learning” explores the “mosaic theory” of the Fourth Amendment to show how detailed a picture such aggregated data creates. “It’s not the direct observations,” said co-author and former FTC Technologist Steve Bellovin, “It’s what can be inferred.” Machine learning helps make these inferences, while individuals, by following daily routines with their smartphones, help generate a “movement fingerprint.” The authors noted their goal was “to identify the … point at which long-term government surveillance becomes objectively unreasonable.” Bellovin added, “We put it at a week, based on our research.” [The New York Times]
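To make the “movement fingerprint” idea concrete, here is an added illustration (not code from the paper or from this newsletter) of how a week of coarse, timestamped phone fixes exposes where a person sleeps, works and worships or seeks treatment. The routine, the coordinates and the dates are all constructed, and the inference is a simple time-of-day heuristic standing in for the paper’s machine-learning approach; it also shows the retention angle, since the same heuristic run over only two days of data learns far less.

```python
"""Added illustration (not the paper's code): how one week of coarse
phone-location samples yields a 'movement fingerprint'.  All coordinates,
dates and the daily routine are constructed for this demo."""
import random
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed anchor coordinates (approx. lat/lon).  The labels exist only so
# the reader can check the result; infer_routine() never sees them.
PLACES = {
    "home":    (40.713, -74.006),
    "work":    (40.758, -73.986),
    "clinic":  (40.730, -73.990),
    "worship": (40.700, -74.015),
}


def build_week(days=7, seed=1):
    """Simulate one fix every 30 minutes for `days` days of a fixed weekly
    routine, starting on a constructed Monday, with ~30 m of GPS jitter."""
    rng = random.Random(seed)
    start = datetime(2014, 6, 2)               # a Monday (constructed date)
    points, t = [], start
    while t < start + timedelta(days=days):
        wd, h = t.weekday(), t.hour            # Monday == 0 ... Sunday == 6
        if wd < 5 and 9 <= h < 17:
            place = "work"
        elif wd == 2 and 18 <= h < 19:         # Wednesday evening appointment
            place = "clinic"
        elif wd == 6 and 10 <= h < 12:         # Sunday morning service
            place = "worship"
        else:
            place = "home"
        lat, lon = PLACES[place]
        points.append((t, lat + rng.uniform(-0.0003, 0.0003),
                          lon + rng.uniform(-0.0003, 0.0003)))
        t += timedelta(minutes=30)
    return points


def cell(lat, lon):
    """Snap a fix to a ~100 m grid so jittered samples of one place collapse."""
    return (round(lat, 3), round(lon, 3))


def infer_routine(points):
    """Infer where the phone sleeps, where it spends weekday office hours, and
    which other places it visits, using only timestamps and positions."""
    night = Counter(cell(la, lo) for t, la, lo in points if t.hour < 6)
    office = Counter(cell(la, lo) for t, la, lo in points
                     if t.weekday() < 5 and 10 <= t.hour < 16)
    home = night.most_common(1)[0][0] if night else None
    work = office.most_common(1)[0][0] if office else None
    days_seen = defaultdict(set)
    for t, la, lo in points:
        days_seen[cell(la, lo)].add(t.date())
    # Every remaining cell is a place the person went besides home and work,
    # with the number of distinct days it was visited.
    other = {c: len(d) for c, d in days_seen.items() if c not in (home, work)}
    return {"home": home, "work": work, "other": other}


if __name__ == "__main__":
    for days in (2, 7):
        r = infer_routine(build_week(days=days))
        print(f"{days} days retained -> home {r['home']}, work {r['work']}, "
              f"other places visited: {sorted(r['other'])}")
```

With two days of data the heuristic finds only a home and a workplace; with the full week it also surfaces the Wednesday-evening and Sunday-morning locations, which is the kind of inference the paper says makes long-term aggregation unreasonable. From a data-minimisation standpoint the same run argues for short retention windows and coarser grids on any location store an organisation keeps.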

US – Court Rules Warrant Required for Phone Location Data

The 11th Circuit Court of Appeals has ruled police need a warrant prior to accessing user location data from service providers, noting it is the first ruling of its kind in the U.S. The judges wrote, “While committing a crime is certainly not within a legitimate expectation of privacy, if the cell site location data could place him near those scenes, it could place him near any other scene … There is a reasonable privacy interest in being near the home of a lover, or a dispensary of medication, or a place of worship or a house of ill repute.” ACLU Attorney Nathan Freed Wessler said, “The court soundly repudiates the government’s argument that merely by using a cellphone, people somehow surrender their privacy rights.” [Associated Press]

Offshore

EU – Council May Offer Tweak to Proposed “One-Stop-Shop” Mechanism

The Presidency of the Council of Ministers in the EU has provided an outline of plans to tweak the proposed “one-stop-shop” mechanism by allowing local data protection authorities (DPAs) to have more of a say in cases where a questionable data protection practice affects citizens within their jurisdiction. The Presidency proposed not employing the one-stop shop “if the subject matter of the specific processing concerns only processing carried out in a single member state and involving only data subjects in that single member state.” The local DPA, in such a case, would have power to investigate and resolve cases on their own, regardless of where the data processor’s headquarters are located, the report states. [Out-Law]

WW – Twitter, Netflix, Walmart Among Top Scorers in OTA Audit

The Online Trust Alliance recently evaluated 800 top consumer websites and reports only 30 percent of them made the “honor roll.” Those that made the cut did so by exercising best practices in domain and brand protection, privacy and security. Nearly 70% failed in at least one of the categories. Twitter received the top overall award, with American Greetings, Netflix and Walmart also up top, among others. “These companies represent a broad spectrum, ranging from the fourth highest revenue earner among retailers to the 476th highest,” said the OTA’s Craig Spiezle, adding that means data safety is “achievable by retailers of all sizes and that the criteria is not onerous or costly to achieve.” [OTA]

Online Privacy

WW – Facebook Announces Interest-Based Ad Controls

Facebook has announced it will begin using online data from websites and ads used by Facebook users to serve targeted advertisements, but is also providing users with more controls to see why they’re receiving a given ad and to opt out via the Digital Advertising Alliance opt-out program. “People tell us they want more control over the ads they see,” Facebook wrote in a press release, adding, “If you live in the U.S., you’ll be able to use ad preferences in the next few weeks, and we are working hard to expand globally in the coming months.” [Facebook Newsroom] [A New York University (NYU) graduate student, using 3D printing, has linked real-world nakedness with the ways in which users expose themselves online in a unique way]

US – NSA Chief: Anonymity Is a Thing of the Past

The head of the National Security Agency (NSA), Adm. Michael Rogers, says the concept of total anonymity “might be something of an anachronism.” “In the world we’re living in, increasingly by choice and by chance, we are forfeiting privacy at levels that, as individuals, I don’t think we truly understand,” Rogers said, adding that the NSA is caught in the tension inherent there. Meanwhile, on the first anniversary of the Snowden revelations, Danielle Kehl and Kevin Bankston look at the “real costs of NSA surveillance” for CNN. Despite government assertions otherwise, surveillance doesn’t make us safer, they contend, and now the U.S. cloud computing industry is projected to lose between $25 billion and $180 billion in the next three to five years, among other repercussions. [The Hill]

WW – Microsoft to Implement Simplified Privacy Policy, Promises No Snooping

Microsoft will implement an updated, simplified privacy and services policy that makes it clear the company won’t snoop on users’ e-mail or Skype calls for the purpose of advertising. The updated privacy policy will take effect July 31 and applies to all of Microsoft’s services. Meanwhile, many in the technological community are applauding Apple’s decision to shift how the iPhone searches for WiFi connections via a simple software update. The new version will “undermine a widely deployed system that stores have used to track the movements of customers to analyze shopping habits.” [PC World]

Other Jurisdictions

AU – Turnbull Speaks About RTBF, Big Data and Government Responsibility

Australian Communications Minister Malcolm Turnbull gave a speech at the National Archives Conference that could easily have been titled, “With Great Power, Comes Great Responsibility.” Outlining the historical need to remember, Turnbull noted that in the digital world—and importantly the post-Snowden world—the right-to-be-forgotten debate “has become increasingly relevant.” The recent European Court of Justice decision raises a lot of questions, he says, noting that one is, “Did the court go far enough—is it enough to say that you should be removed from the Google search results?” Turnbull also spoke to the economic opportunities of big data as well as its implications for government. [Full Story] See also: [US: Big Data knows you’re sick, tired and depressed]

AU – AG Introduces Bill to Update Gov’t Privacy in Victoria, AU

Victorian Attorney-General Robert Clark has introduced the Victorian Privacy Data and Protection Bill 2014, which would replace the state’s privacy and law enforcement data security acts. If passed, the bill would create a commissioner for privacy and data protection to be appointed by the government, which would replace the current Victorian privacy commissioner and Victorian commissioner for law enforcement data security. The new commissioner would “promote the state’s privacy principles, guide agencies, investigate privacy complaints and audit agency compliance with statewide data protection standards,” the report states. [ITNews]

AU – AG Welcomes New Privacy Act, Territory Privacy Principles

“The Information Privacy Act supports the development of clear, consistent and easy to understand information sharing practices within the ACT public service,” said Australia’s Attorney General Simon Corbell, in welcoming the passage of the act. The act sets out new Territory Privacy Principles consistent with the recently passed Australian Privacy Principles to guide ACT agencies’ data handling practices. “In a world where technological changes have led to a shift in community perceptions of privacy, people are more willing to share personal information but are also increasingly interested in how their information is handled and managed,” Corbell said. [Full Story]

AU – Credit Providers Get New Regime Under New Australian Laws

Changes to Australian privacy law have changed the default requirements for credit providers reporting to credit reporting bodies. This report reviews what types of transactions fall under the new regime, as well as ways to meet the new requirements. [Mondaq report]

AU – Study Suggests Australian Law Reform Will Mirror UK, Germany

A study by EU-based firm Fieldfisher “suggests that the legal regime around data protection in Australia would soon mirror those in the UK and Germany,” which it states “are quite severe with respect to companies and other organisations holding private data, and such changes would impact the way Australian businesses handle their data.” The report quotes Fieldfisher’s Phil Lee as saying, “We are witnessing a unique legal phenomenon; there is a global convergence of data security law and regulation around the issue of encryption so that it does not matter where in the world your organisation operates—regulators everywhere increasingly expect encryption of sensitive data, computers, databases and applications.” [ZDNet]

NZ – Vincent Examines New Zealand Breach Reporting Law Questions

In a blog post, Mark Vincent considers the government’s “intention to introduce a mandatory data breach reporting law as part of a raft of proposed changes to its privacy legislation.” If the Privacy Act reforms pass, businesses in New Zealand will have to report all data breaches and will face audits and fines, he notes. “There are some very important questions that they’ll want answered in the exposure draft legislation,” Vincent writes, including what the definition of a breach is and what the threshold of risk of harm should be before the privacy commissioner and those affected by a breach are notified. [IT News]

HK – Hong Kong Data Privacy Laws Not Enough to Stop Stalking

After 14 years of debate on an anti-stalking law, the South China Morning Post reports that the Constitutional and Mainland Affairs Bureau wrote to lawmakers this week indicating, “The administration is of the view that there are no favourable conditions for us to pursue the matter further.” Privacy Commissioner Allan Chiang Yam-wang said data privacy laws are not enough to protect stalking victims, the report states. “It is disappointing,” he said, adding stalking “is a problem in society that will only get more serious as technology advances … legislation is the best way to solve this.” He added, “It’s like putting out a fire … Should we try to solve the problem now or wait for it to get so serious in the future that we reach a point of no return?” [South China Morning Post]

Privacy (US)

US – Poll: 80% in Favor of ECPA Reform

According to a recent poll of residents in five U.S. states, more than 80 percent are in favor of changing the Electronic Communications Privacy Act (ECPA) of 1986. The poll indicated 64% think the issue of digital privacy is “increasingly important” following the NSA revelations, and 72% said they would be more willing to vote for a candidate who supports reforming the ECPA. The poll was conducted by Digital 4th and surveyed residents of Georgia, New Hampshire and Colorado, among others. [TechCrunch]

US – Suit Claims Disney Violated VPPA

A man has filed a lawsuit against the Disney Channel application on the Roku streaming device. In the proposed federal class-action, James Robinson says The Walt Disney Company violated the Video Privacy Protection Act by sharing information on users’ viewing habits with third parties without users’ consent. Robinson claims Disney sent the data to analytics company Adobe in order to “form comprehensive profiles about a person’s entire digital life. These profiles can then be used for targeted advertising, sold as a commodity to other data brokers or both,” the complaint states. [Courthouse News Service]

US – NTIA Looking for Public Input on Data Collection

The National Telecommunications and Information Administration (NTIA) is seeking public comment as to whether the Obama Administration’s Privacy Bill of Rights should be “clarified or modified to accommodate the benefits of big data.” Last month’s big data reports indicated the possibility of discrimination and other concerns, and the NTIA would now like comments on whether “consumer privacy legislation (could) make a useful contribution to addressing this concern … Should big data analytics be accompanied by assessments of the potential discriminatory impacts on protected classes?” [MediaPost]

US – Brill to Push Back Against Use-Based Privacy Frameworks

The FTC’s Julie Brill spoke in Brussels about big data, data brokers, privacy and competition with still-in-office European Data Protection Supervisor Peter Hustinx. Brill said she’s planning to push back against privacy frameworks that examine only use or risk. “Notice and choice, collection limits and data security—as well as a careful analysis of the risks that go along with actual data uses—are all necessary strands in the tapestry we must weave to create effective consumer privacy protection,” Brill said. She added that she applauds companies that are using privacy as a competitive differentiator. [Politico]

US – Has the Time Come for Statewide Chief Privacy Officers?

As chief privacy officers (CPOs) become increasingly pervasive in the private sector, Government Technology looks at whether the time has come for CPOs to become just as common in government departments, maybe even in a statewide role. While tight budgets have hampered governments in terms of hiring CPOs, the IAPP currently has more than 1,500 certified members in the public sector. And that’s expected to grow. “The potential for it to catch on at the state level is certainly there,” said Sallie Milam, West Virginia’s first statewide CPO. Editor’s Note: Sheila Kaplan made the case for state education CPOs in this Privacy Tracker post. [Full Story]

US – Rep to Take Shortcut Around ECPA Update

It’s been more than a year since the E-mail Privacy Act was introduced in an effort to update the Electronic Communications Privacy Act, but one of the bill’s authors says he plans to take a shortcut and introduce a privacy amendment in upcoming House Appropriations legislation that would get the same job done. Rep Kevin Yoder (R-KS) says his amendment would ban federal agencies from using “any part of their budget for accessing e-mails using warrantless data requests,” the report states. Yoder said the Fourth Amendment “applies to digital communications, same as with paper communications.” [The Washington Post]

US – Microsoft Fights U.S. Order to Disclose E-mail Stored Overseas

In a continuing legal battle, Microsoft is challenging a U.S. federal court order to turn over a customer’s information stored in a data center in Ireland—possibly the first time a corporation has challenged such a warrant. Additionally, Verizon filed an amicus brief on Tuesday that parallels Microsoft’s arguments, and, according to the report, more companies are expected to join. In a court filing made public this week, Microsoft contends that if the order were upheld, it “would violate international law and treaties and reduce the privacy protection of everyone on the planet.” Peter Swire said, “This is a policy decision as well as a legal one.” [The New York Times] [GovInfoSecurity] [ArsTechnica] [CNET] [Microsoft’s Objection] [Judge’s Order]

US – Poll: 80% In Favor of ECPA Reform

According to a recent poll of residents in five U.S. states, more than 80% are in favor of changing the Electronic Communications Privacy Act (ECPA) of 1986. The poll indicated 64% think the issue of digital privacy is “increasingly important” following the NSA revelations, and 72% said they would be more willing to vote for a candidate who supports reforming the ECPA. The poll was conducted by Digital 4th and surveyed residents of Georgia, New Hampshire and Colorado, among others. [Tech Crunch]

US – Sens. Pledge to Examine Facebook’s Tracking Plans

Facebook’s announcement that it will begin targeting advertisements to users based on the sites they visit and apps they use has lawmakers promising they’ll be watching closely. “Facebook’s announcement today to track users as young as 13 outside its website in order to gather information for targeted advertising raises a major privacy red flag,” Sen. Ed Markey (D-MA) said Thursday. Sen. Jay Rockefeller (D-WV) said there’s a “need to closely review” the plans. Meanwhile, author Julia Angwin writes for ProPublica on why online tracking is “getting creepier.” [The Hill]

US – Going for Brokers: Potential Pitfalls in Proposed Data Broker Legislation

The FTC, in its recent report, recommended Congress consider legislation to improve transparency in the data brokers industry, a push made by Sens. John Rockefeller (D-WV) and Ed Markey (D-MA) when introducing their Data Broker Accountability and Transparency Act of 2014 (DATA Act). The Hogan Lovells privacy team writes for Privacy Tracker about the proposal, noting, “Through its rulemaking authority under the DATA Act, the FTC could clarify the scope of the law. However, the current version of the legislation offers little guidance to the commission about how to interpret the ambiguous provisions.” [Hogan Lovells]

US – NSA Court Win Couched in a Plea for Reform?

The U.S. District Court of Idaho has granted a motion to dismiss a case claiming Fourth Amendment violations related to the NSA’s mass surveillance of telephone data. In the decision, Judge B. Lynn Winmill outlines his reasons for siding with the NSA but also indicates a reluctance to do so. Emily Leach sums up the decision, noting Winmill recommends the U.S. Supreme Court look to Judge Richard Leon’s decision against the NSA as a template for its opinion. He also questions the veracity of the NSA’s claims that it doesn’t collect location data. Leach writes, “After five pages of explanation as to why he’s dismissing the case, Winmill acknowledges there’s ‘a subject lurking in the shadows here: The possibility that the NSA is tracking the location of calls using the trunk identifier data discussed above.’” [Privacy Tracker]

US – EFF Wins Drone Records Request, Now Seeks Attorney’s Fees

The Electronic Frontier Foundation (EFF) has gained access to 700 pages of documents related to Customs and Border Patrol (CBP) use of drones. The documents reveal the “department had arranged more than 500 flights for dozens of law-enforcement organizations and that more than a fifth of these flights helped Immigration and Customs Enforcement,” EFF stated. Because the EFF won access to these never-before-seen and frequently reported-on documents, it is asking for upwards of $83,000 in attorney fees, stating that it furthered “public understanding of CBP’s Predator drone program and Predator drone surveillance capabilities and has alerted the public to how CBP has been allocating tax dollars on drone flights.” [Courthouse News Service] See also: [Canada – Drone code of conduct developed for journalists]

US – NTIA Looking for Public Input on Data Collection

The National Telecommunications and Information Administration (NTIA) is seeking public comment as to whether the Obama Administration’s Privacy Bill of Rights should be “clarified or modified to accommodate the benefits of big data.” Last month’s big data reports indicated the possibility of discrimination and other concerns, and the NTIA would now like comments on whether “consumer privacy legislation (could) make a useful contribution to addressing this concern … Should big data analytics be accompanied by assessments of the potential discriminatory impacts on protected classes?” [MediaPost]

Privacy Enhancing Technologies (PETs)

WW – The Uphill Climb for Privacy Search Engine Start-ups

Search engines designed to protect user privacy are finding it difficult to get users to switch from Google and to generate profits without selling consumer data to advertisers. A representative from Ixquick, a search provider whose policies are endorsed by the European Commission, said, “Privacy has a price regarding user-friendliness … We know we could make more money by using targeted advertising.” According to a Mozilla poll, privacy is the biggest concern for Internet users, increasing business at companies such as DuckDuckGo, Qwant and Ixquick. Google’s share of global Internet searches is down from last year, but much of that is thought to be from the rise of search engines in China. Upstart search engines are now looking for alternative revenue streams such as privacy-enhancing technologies. [Bloomberg] [Start-up Elasticsearch Raises $70 million]

US – A Roadmap for the Next Generation of Privacy Pros

“The concept of a career roadmap is something with which we are extremely familiar,” write Chris Stevens and Steve Holland, who are both retired military intelligence professionals with a combined 60 years of service. “This is why we are proposing a career roadmap for privacy professionals.” Detailing with both prose and graphics what such a map might look like, they highlight the importance of education and certification, noting the career roadmap “will provide aspiring privacy professionals with a pathway to success and establish hierarchical relationships between certifications.” [Privacy Perspectives]

Security

US – FCC Chairman Urges Private Companies to Take Responsibility for Cyber Security

FCC chairman Tom Wheeler said private sector companies must do better than current efforts that have been pushed forward by established voluntary frameworks. Wheeler said, “the network ecosystem must step up to assume new responsibility and market accountability for managing cyber risks.” If there is not measurable improvement, Wheeler did not rule out the possibility of calling for government regulations. The FCC plans to check whether companies have implemented the framework recommendations, which were developed in 2011, and whether or not they have been effective. The FCC will also look into better ways to help companies share information about cyber threats. [ComputerWorld] [FedScoop] [Washington Post]

US – Virginia Eyes the Title of National Cybersecurity Leader

Virginia is gunning for the title of national leader in cybersecurity, and a new commission to meet for the first time today aims to help it achieve just that. Gov. Terry McAuliffe signed an executive order in February creating the Virginia Cyber Security Commission, which will “identify the state’s high-risk cybersecurity issues,” recommend methods to secure the state’s systems and data and suggest methods to promote awareness of cyber-hygiene, the report states. Virginia Secretary of Technology Karen Jackson and Good Harbor Security Risk Management CEO Richard Clarke will co-chair the commission. [StateTech]

WW – Cupid Code Exploits WiFi Networks; Hacker Gets Four Years in Prison

A new open-source code, made possible in part by the Heartbleed vulnerability, can exploit wireless networks by streamlining the process of stealing passwords, e-mail addresses and other sensitive data from routers and other connected devices. The malicious code can take two main forms. One commands a wireless network to deploy “evil networks” that can send malicious data to connected devices, while a second extension runs on client devices, the report states. The devices then send attack packets to hoard data from vulnerable routers. Meanwhile, a hacker received four years in federal prison for a string of hacks targeting computer networks around the U.S., including law enforcement organizations. [Ars Technica]

Smart Cards

US – State University Establishes Privacy Values, Principles in Official Framework

The University of California has become the first major higher education institution in the country to clearly define privacy for both individuals and the university as a whole, according to a newsletter from the university’s president. The school has established guiding principles and a framework on privacy which “outlines the values and operating principles needed to strike the delicate balance between protecting the personal autonomy of individuals at UC and safeguarding the data entrusted to the university by the people it serves—all while maintaining the institutional transparency required of a public agency,” the newsletter says. [Source]

Surveillance

US – ACLU Map Shows States Where Law Enforcement Has Stingray Technology

The American Civil Liberties Union (ACLU) has published a map showing which states’ law enforcement agencies have cell site simulators. The controversial technology, often identified as Stingray, which is actually the trademarked name of a specific device made by a Florida-based company, is confirmed to be owned by law enforcement agencies in 15 US states. Use of the technology in other states has been neither confirmed nor denied. The Harris Corporation, which manufactures Stingray, has required law enforcement agencies that purchase the technology to sign non-disclosure agreements, which prohibit the agencies from even discussing whether or not they have or use the devices, and certainly from explaining them. [ArsTechnica] See also: [US – Judge Says Stingray Transcript Should be Unsealed in its Entirety] and [US – US Marshals Seize Stingray Files Before ACLU Sees Them: WIRED | ArsTechnica | ACLU]

WW – Tech Giants Want Global Surveillance Reform

One year after the first Edward Snowden leak about NSA surveillance made its way into the public eye, nine of the world’s biggest technology companies have banded together to call on governments around the world to address surveillance. Additionally, they urge the U.S. Senate to not pass the NSA reform bill recently passed by the House of Representatives. In an open letter, the coalition also said it “believe(s) that it is time for the world’s governments to address the practices and laws regulating government surveillance of individuals and access to their information.” Included in the letter are five principles: limiting government authority to access user data; increased oversight and accountability; transparency about government data requests; avoiding data localization laws, and avoiding conflicts among governments. Today, organizations and activists are observing “Reset the Net” to urge surveillance reform. [Full Story]

Telecom / TV

WW – Vodafone Reveals Gov’ts Have Direct Access to All Phone Conversations

One of the world’s biggest mobile phone organizations, Vodafone, has revealed the existence of “secret wires that allow government agencies to listen to all conversations on its networks, saying they are widely used in some of the 29 countries in which it operates in Europe and beyond.” The revelation comes as Vodafone also released its first-ever Law Enforcement Disclosure Report. Vodafone said governments have directly connected wires to its network to not only listen to conversations but also to track user location. Vodafone Chief Privacy Officer Stephen Deadman said, “We are making the call to end direct access as a means of government agencies obtaining people’s communication data,” adding, “Vodafone is calling for all direct-access pipes to be disconnected, and for the laws that make them legal to be amended.” [The Guardian] [WIRED] [BBC] [NBCNews] and [Vodafone Privacy Disclosures Seen Spurring Rivals to Follow]

WW – Apple iOS8 Feature Stops WiFi Tracking

A new feature in Apple’s upcoming operating system will prevent retail stores from tracking iPhones. Devices using iOS 8 will automatically randomize the MAC address that connects to a WiFi network. Security researcher Frederic Jacobs, the individual credited with finding the feature, wrote that he hopes the practice “becomes an industry standard.” However, Gizmodo reports that though the MAC address randomization will disguise users from mobile marketers, “iBeacon may be waiting in the wings.” Sen. Al Franken (D-MN) recently reintroduced a geolocation privacy bill and held a hearing on the issue last week. [The Verge] See also: [“Stalker App” Hearing Turns Into Debate on Self-Regulation]
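To show why randomizing the WiFi MAC address defeats the kind of retail tracking described above, here is an added Python illustration (not code from the article, from Apple or from the cited researcher). The MAC address format rules it applies (the IEEE 802 individual/group and universal/local bits in the first octet) are real; the store-side tracker, the constant hardware MAC and the assumption that the phone presents a fresh random address on each visit are constructed for the example.

```python
"""Added illustration: per-visit MAC randomization versus a MAC-keyed tracker.

A retail analytics sensor that links visits by the source MAC of WiFi probe
frames sees one identifier across every visit of a fixed-MAC phone. A phone
that presents a new locally administered MAC each visit looks like a brand-new
device every time, so visits can no longer be linked to each other.
"""
import secrets
from collections import defaultdict


def format_mac(octets: bytes) -> str:
    """Render six octets as the usual colon-separated lowercase hex string."""
    return ":".join(f"{b:02x}" for b in octets)


def random_locally_administered_mac() -> str:
    """Return a random unicast, locally administered MAC address.

    In the first octet, bit 0 (least significant) is the individual/group bit
    (0 = unicast) and bit 1 is the universal/local bit (1 = locally
    administered, i.e. not a vendor-assigned OUI). A randomized address must
    therefore clear bit 0 and set bit 1; the remaining 46 bits are random.
    """
    octets = bytearray(secrets.token_bytes(6))
    octets[0] = (octets[0] & 0xFC) | 0x02
    return format_mac(bytes(octets))


def is_locally_administered(mac: str) -> bool:
    """True when the universal/local bit of the first octet is set."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def is_unicast(mac: str) -> bool:
    """True when the individual/group bit of the first octet is clear."""
    return not (int(mac.split(":")[0], 16) & 0x01)


class StoreTracker:
    """Constructed model of a retail sensor that keys visits on probe MACs."""

    def __init__(self) -> None:
        self.visits_by_mac: dict = defaultdict(list)

    def observe_probe(self, mac: str, day: int) -> None:
        self.visits_by_mac[mac].append(day)

    def repeat_visitors(self) -> dict:
        """MACs the tracker was able to link to more than one visit."""
        return {m: d for m, d in self.visits_by_mac.items() if len(d) > 1}


def simulate(days: int, randomize: bool) -> tuple:
    """One phone visits the store once a day for `days` days.

    Returns (distinct identifiers the tracker saw, identifiers linked to more
    than one visit). With a fixed MAC the tracker links every visit; with a
    fresh random MAC per visit it sees `days` apparently unrelated devices.
    """
    tracker = StoreTracker()
    fixed_mac = "a4:5e:60:12:34:56"  # constructed vendor-style hardware MAC
    for day in range(days):
        mac = random_locally_administered_mac() if randomize else fixed_mac
        tracker.observe_probe(mac, day)
    return len(tracker.visits_by_mac), len(tracker.repeat_visitors())


if __name__ == "__main__":
    print("fixed MAC, 5 visits      :", simulate(5, randomize=False))
    print("randomized MAC, 5 visits :", simulate(5, randomize=True))
```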

US Government Programs

US – Parents Become a Political Force Against Mining Kids’ Data

Parents have catapulted student privacy to a frontline agenda item in statehouses across the country, catching big data advocates off guard. After taking down inBloom, parents are now targeting the development of state-run databases, promoted by the Obama administration, which store details on kids from infancy to the start of their careers. According to the report, the U.S. Department of Education recommends states get answers to hundreds of questions on kids, such as, “Did she make friends easily as a toddler? Was he disciplined for fighting as a teen?” Ed tech developers and school reformers were surprised by the outcry from parents, with one education think tank representative noting, “People took for granted that parents would understand (the benefits), that it was self-evident.” [Politico]

US – New Federal Database Will Track Americans’ Credit Ratings, Other Financial Information

As many as 227 million Americans may be compelled to disclose intimate details of their families and financial lives, including their Social Security numbers, in a new national database being assembled by two federal agencies. The Federal Housing Finance Agency and the Consumer Financial Protection Bureau posted an April 16 Federal Register notice of an expansion of their joint National Mortgage Database Program to include personally identifiable information that reveals actual users, a reversal of previously stated policy. FHFA will manage the database and share it with CFPB. A CFPB internal planning document for 2013-17 describes the bureau as monitoring 95 percent of all mortgage transactions. FHFA officials claim the database is essential to conducting a monthly mortgage survey required by the Housing and Economic Recovery Act of 2008 and to help it prepare an annual report for Congress. Critics, however, question the need for such a “vast database” for simple reporting purposes. [The Washington Examiner]

US – Berkman Center Releases Pragmatic Recommendations for Adopting the Cloud

A paper out of the Berkman Center for Internet and Society’s ongoing Student Privacy Initiative says while there’s no hard-and-fast rule on how to enable the use of cloud-based educational technologies while protecting student privacy, there are “pragmatic recommendations” to be followed. The paper’s authors suggest employing “centralization of cloud-based ed tech decision-making at the district level” in order to facilitate the appropriate level of oversight without forbidding experimentation; examining user-friendly labeling of cloud-based products to “increase transparency and encourage compliance with parental consent,” as well as adopting FIPPs. Meanwhile, advocates say a video series about special ed students filmed in a public school violated laws on children’s privacy. [Berkman]

US Legislation

US – Odds Are Against Hacking Legislation Passing

While retailers have reported multiple major hacks in recent months, legislators have not moved forward on anti-hacking legislation. “Despite an initial flurry of activity on Capitol Hill,” the report states, “none of the multiple bills … have moved out of committee,” suggesting, “the odds are increasing that Congress will fail to pass a bill this year.” Senate Commerce Committee Chairman Jay Rockefeller (D-WV) explained that having numerous committees—including Senate Judiciary, Senate Banking, Homeland Security and Judiciary—with jurisdiction complicates matters, the report states. Alison Hawkins of the Financial Services Roundtable said, “We are just hoping to get this done before there is another attack.” [The Hill]

US – Feinstein Holds Hearing to Examine House NSA Bill

Sen. Dianne Feinstein (D-CA), a supporter of NSA surveillance programs, held a hearing last week to examine the possible outcomes of the House-passed NSA reform bill. NSA Deputy Director Richard Ledgett said the current law requiring phone companies to retain billing records for 18 months is sufficient for the agency, but noted that he can’t say confidently that companies will retain call data for that period of time. “They’ll retain the records for as long as their business requirements dictate they retain their records,” he said. When asked about a minimum requirement for retaining calling records, Verizon Vice President Michael Woods said, “We would be very much opposed to it.” [NPR]

US – Sen. Menendez Introduces Commercial Privacy Bill of Rights

Sen. Robert Menendez (D-NJ) has introduced the Commercial Privacy Bill of Rights Act of 2014, which would establish “a regulatory framework for the comprehensive protection of personal data for individuals under the aegis of the FTC; to amend the Children’s Online Privacy Protection Act of 1998 to improve provisions relating to collection, use and disclosure of personal information of children, and for other purposes.” The bill has been referred to the Committee on Commerce, Science and Transportation.

US – California ZIP Code Law Exempts Machine Collection

A provision in California’s law prohibiting retailers from collecting personally identifying information from credit card users exempts Redbox machines from the law, allowing them to collect ZIP codes from customers. The law exempts sellers that require PII to be used in conjunction with a credit card to collect money “in the event of default, loss, damage or other similar occurrence.” Redbox charges $1 for a daylong rental and then adds charges for each additional day. Because of this structure, the Ninth U.S. Circuit Court of Appeals in San Francisco has ruled the company is using the credit card as a deposit to secure payment, making it exempt from the law. [SFGate]

US – Colorado Law Aims to Strengthen Patient Privacy

A new law in Colorado prohibits the Department of Revenue from “accessing or distributing an individual’s personal medical record without their permission and creates a ‘Government Access to Personal Medical Information’ task force.” Gov. John Hickenlooper signed the bill on May 31, and it went into effect immediately. The panel will, over the summer, look into “why and to what extent state and local government departments or agencies have access to, and the ability to use or distribute, an individual’s personal medical information or medical record with and without the individual’s consent.” [Modern Healthcare]

US – NY Magistrate Judge Allows “Tower Dump,” Asks for Privacy Protections

Magistrate Judge James Francis issued an order on the lawfulness of warrantless “tower dumps,” which refers to the government practice of collecting “every cell phone that is connected with one or more cell towers over a specified period of time.” The ACLU and the NYACLU were asked by the court to submit a brief in the circumstance of one tower dump request in particular. The ACLU argued the Stored Communications Act doesn’t permit such broad requests and the practice also violates the Fourth Amendment. The court rejected this argument, noting that individuals give up the privacy of their cellphone location by signing up for the service, but asked the government to resubmit its request including “more specific justification for the time period for which the records will be gathered” and its protocol for handling “the private information of innocent third parties whose data is retrieved.” [ACLU]

US – Industry Group Backs Ohio Social Media Privacy Bill

The Financial Services Institute (FSI) has backed Ohio’s HB 424, which would ban employers and educational institutions from punishing individuals for “failing or refusing to grant access to, allow observation of, or provide access information to an individual’s personal Internet-based account.” FSI in particular pointed to a section of the bill that allows financial institutions to meet their compliance duties in candidate screening. [Akron Legal News]

US – Cybersecurity Would Get Big Money in Senate Appropriations Bill

The 2015 Senate appropriations bill has underscored cybersecurity as a focus for the Commerce Department, Justice Department and science agencies. The FBI maintains a 24-hour cyber-incident response taskforce and an agent training program; the Justice Department is set to add nine lawyers to prosecute cybercrime cases, and the National Science Foundation would receive $159 million to hand out in cybersecurity research grants. The bill also includes $45 million in scholarships to train cybersecurity professionals who agree to work in the federal government, and the Commerce Department stands to get $15 million to create a NIST National Cybersecurity Center of Excellence. The Senate also approved $16.5 million to fund a NIST identity management research project. Meanwhile, the Direct Marketing Association is voicing its disappointment with the reduction of money allocated to the census in the House appropriations bill, while noting the Senate bill left the amount untouched. [FCW]

US – Court Decision Helps Define Medical Information in California

The California Court of Appeal has ruled that a healthcare provider did not breach the state’s Confidentiality of Medical Information Act when it revealed patients’ personally identifying information. The decision added clarity to the definition of medical information under the act, as the provider lost a computer containing names, medical record numbers, ages, dates of birth and last four digits of patients’ Social Security numbers but nothing related to “medical history, mental or physical condition or treatment.” [Workplace Privacy Data Management & Security Report]

US – Florida Bill Would Require Guidelines for License-Plate Scanner Data

A bill in front of Florida’s governor includes a provision to create guidelines on the retention of license-plate scanner data. “Specifically, the bill calls for a statewide policy to set the length of time that the records of innocent people could be kept.” [Landline Magazine]

US – Indiana Privacy Laws Go Into Effect July 1

House Bills 1009 and 1384 will go into effect on July 1, meaning police will have new restrictions on collecting information. Under HB 1384, police must get a search warrant to use drones or place a tracking device or camera in an individual’s car or on their property, and under HB 1009, police must have probable cause or consent to search a phone. Rep. Mike Speedy (R-Indianapolis) said, “As technology advances … there is a shift of power into law enforcement or into government away from our own privacy and our own ability to own and control our private information,” adding that these bills help to modernize the laws. [The Statehouse File]

Workplace Privacy

US – National Labor Relations Board Eyeing Social Media Policies

Even while states continue to pass legislation regulating how employers can monitor and access their employees’ social media profiles, the National Labor Relations Board (NLRB) is also monitoring companies’ social media policies—and finding some of them lacking. The NLRB has issued three memos regarding social media policies and “employers may find some of the conclusions in these memos disturbing.” [GovernmentHealthIT]

CA – Feds Still Improperly Collecting Background Info on Access-to-Info Requesters

The federal government continues to collect background information on individuals who file access-to-information requests, more than seven months after officials agreed to stop the practice. An online service launched last year requires all requesters applying for documents under the Access to Information Act first to indicate whether they’re members of the media, business, academia or other categories. The service, which to date has processed almost 30,000 electronic access-to-information requests, does not allow a requester to decline to identify her or his background — and failure to select a category halts the process in its tracks. Last fall, Canada’s information watchdog secured a commitment from the Treasury Board, which is responsible for running the online service, to provide a “decline-to-identify” option. The access law does not authorize the collection of background information from individual requesters, and a government-wide directive from 2010 requires institutions to process requests without regard to the identity of the person seeking records. Treasury Board told the information commissioner last November the fix would likely be in place by March 31 this year, but the measure still has not been implemented even as other aspects of the online site have been regularly improved, based on user feedback. [The Canadian Press]

+++
