16-30 September 2014


US – FBI Facial-Recognition Technology Achieves ‘Full Operational Capability’

The Next Generation Identification System, a controversial biometric database that relies heavily on facial-recognition technology, is now fully operational, the agency has announced. The program is designed to help law-enforcement officials identify criminal suspects, but it has endured repeated scrutiny from civil-liberties groups that say the database will endanger the privacy of everyday citizens guilty of no wrongdoing. The agency announced two new services that complete the database’s “operational capability.” The first, called Rap Back, allows officials to receive “ongoing status notifications” regarding the reported criminal history of people “in positions of trust, such as schoolteachers.” The other newly deployed service is the Interstate Photo System, a facial-recognition program that will allow law-enforcement agencies, including probation and parole officers, to cross-reference photographic images with criminal databases. Privacy groups have repeatedly deplored the FBI’s facial-recognition database as rife with troubling privacy implications. In June, the American Civil Liberties Union, the Electronic Frontier Foundation, and others warned that the facial-recognition program has “undergone a radical transformation” since it was last vetted for privacy concerns six years ago. The lack of oversight, they said, “raises serious privacy and civil-liberties concerns.” No federal laws limit the use of facial-recognition software, either by the private sector or the government. [Source]

CA – Fingerprint, Retina Scans Considered for Border Crossing Security

Canadian and U.S. security officials are considering new advanced technology features, such as fingerprinting and retina scanning, to improve the border crossing between Windsor, Ont., and Detroit. Delegates to the U.S. and Canada Border Conference in Detroit learned how security will change once the new cross-border bridge is constructed between west Windsor and Detroit. Officials spoke of eliminating paperwork, and using mobile apps, self-serving booths and fingerprinting and retina scans as some of the options. [CBC News]

Big Data

US – FTC Warns of Big Data Discrimination

At Monday’s FTC workshop on big data, Chairwoman Edith Ramirez acknowledged that while big data can bring enormous benefits to society, it “also has the capacity to reinforce disadvantages faced by low-income and underserved communities.” Computerworld reports that Commissioner Julie Brill also repeated calls for transparency rules for data brokers and advances in self-regulation by brokers. Participants had varying ideas on how to handle the issues surrounding big data, with some advocating for policy-makers to look at data “situationally” and others saying consumers should have control over their data. Meanwhile, consumer groups and others are urging the FTC to use tools other than its “enforcement hammer to address data security” as large-scale breaches continue. [Source]

US – KPMG Releases Big Data Whitepaper

Authored by Greg Bell; Doron Rotman and Mike VanDenBerg, consultancy KPMG has released a whitepaper on the privacy and security risks inherent in the use of big data. Navigating Big Data’s Privacy and Security Challenges first helps define big data, then sums up the existing regulatory landscape and identifies the five biggest challenges, ranging from re-identification risk to issues of notice and consent. Finally, the document offers a brief case study on the use of big data at a global telecom firm. [Source] See also: [IOT risk security management and the internet of things] and [The 5 V’s of Big Data…. adding in value] and [Here’s What You Need to Know About Big Data] and also: [Data miners peek into medicine cabinets]


CA – Supreme Court Ruling Not Stopping Police from Warrantless Data Requests

Law enforcement agencies are still making warrantless requests for telecom customers’ personal data months after a Supreme Court ruling appeared to shut down the practice. Police in Canada used to ask telecom companies to voluntarily hand over data on Canadian customers more than a million times per year. In June, the Supreme Court struck down this warrantless method as an invasion of privacy. But while the number of warrantless requests has dropped since the decision, they have not stopped. Key players, including the country’s largest police force and a major telecom, aren’t saying whether they still send or accept them. Another of Canada’s “big three” telecoms, Rogers, started demanding warrants for all requests after the June ruling, known as the Spencer decision. Even after this policy change, the company continues to receive warrantless requests, according to Ken Engelhart, vice-president of regulatory affairs at Rogers. [The Toronto Star] SEE ALSO: [Geist: An Inconsistent Mess: Government Documents Reveal Ineffective and Inconsistent Policies Amid Widespread Demands for Subscriber Information] and [Canadian cellular carrier TELUS has finally released a transparency report. The company received 103,500 official requests in 2013. Bell is the only major Canadian telecom company left who hasn’t revealed the number of law enforcement or government requests they receive] AND [In Canada, you can send a letter to your ISP or cellular provider asking for all of the information they collect and retain about you. In theory. Motherboard wrote about the responses received] [Telecom firms handed customer info to Environment Canada, other federal agencies] and [Geist: Geist: Fed Web Snoops Don’t Have Their Stories Straight] [Geist: An Inconsistent Mess: Government Documents Reveal Ineffective and Inconsistent Policies Amid Widespread Demands for Subscriber Information]

CA – Inquiry Shows Justice Department Sought Details for Foreign Countries

“The Justice Department asks Canadian technology companies for information on their subscribers dozens of times each year on behalf of foreign countries seeking records from wireless carriers, messaging services and even online dating sites.” That disclosure is according to the response to an inquiry by Liberal MP Irwin Cotler, who sought information from federal agencies “on when and how often they seek subscriber data from various telecom and service providers,” the report states. University of Ottawa Prof. Michael Geist is calling the results an “inconsistent mess,” the report states. The Justice Department’s International Assistance Group indicated between January 1, 2010, and May 22, 2014, “there have been approximately 250 requests made to various service providers including the country’s large telecommunications companies,” the report states. [Source] [Are You ‘Kind Of A Big Deal?’ Dating App For Elites Will Protect Your ‘Personal Brand’]

CA – Privacy Watchdog Investigating RCMP Data Collection

Canada’s privacy watchdog is investigating the RCMP’s warrantless collection of Canadians’ personal data. The Office of the Privacy Commissioner confirmed last week it is formally reviewing the police force’s collection of Canadians’ personal data from telecommunications companies. The findings are expected to be made public in the near future. The RCMP has never met with the privacy commissioner to ensure that its requests comply with privacy laws, according to a recent disclosure to Liberal MP Irwin Cotler. The investigation was launched after the former privacy commissioner, Chantal Bernier, revealed to the Star and the Halifax Chronicle Herald that nine telecoms were asked to turn over user data 1.2 million times in 2011. Authorities in Canada, including the RCMP, routinely sought “basic subscriber information” — names, telephone numbers, address and Internet protocol addresses — without having to obtain a warrant. Public Safety revealed last week that it has met with the privacy office numerous times to attempt to draft a new system of accountability for Canada’s police and spy agencies. “Those provisions would have required that law enforcement agencies and (the Canadian Security Intelligence Service) create written records of each request, conduct regular audits of practices, deliver these audits to responsible ministers, and be subject to review by relevant oversight bodies,” said Public Safety Canada in a disclosure to Cotler. The reform efforts have failed so far. All pieces of legislation that would have enacted the reforms have languished in Parliament and died on the order paper. As such, data requests remain shrouded in secrecy. With the exception of voluntary transparency reports from a handful of telecoms, there is no public disclosure on the volume of requests. Customers are not informed when their data is shared with police. Privacy Commissioner Daniel Therrien’s office also confirmed they have launched a review into private Canadians’ complaints about the warrantless access. Those complaints focus on the telecom companies themselves, for voluntarily turning information over to police. [Source] See also: [ON: Privacy commissioner intervening in Peterborough hospital privacy breach case]

CA – Alberta Commissioner Seeks PIPA Amendments

The Commissioner is asking the Government of Alberta to take action to amend the Personal Information Protection Act, pursuant to a decision by the Supreme Court of Canada (which ruled that the Act was unconditional, and gave the Alberta Legislature 12 months to bring it in line with the Canadian Charter of Rights and Freedoms). Unless the amendments are made by November 15, 2014, the Act will lapse, causing Alberta to lose the benefits of the law (including mandatory breach reporting and notification to affected individuals, and local enforcement without court involvement). [Source]

CA – Former Commissioner Radwanski Dead at 67

Former Canadian Privacy Commissioner George Radwanski died this past Thursday of a heart attack at the age of 67. Radwanski was the editor-in-chief of the Toronto Star before becoming involved in public policy in the 1980s. A speech and policy writer for Jean Chretien, the prime minister appointed Radwanski as federal privacy commissioner in 1996, where he served until resigning in 2003 amidst a parliamentary investigation for inappropriate spending. He was cleared of all charges of fraud in 2009, but the report notes that his career never recovered from the incident. “I think it was a nightmare for him being charged with anything, and being acquitted I think he thought, ‘Now I’ve been exonerated and now I can re-engage in public life,’ and he didn’t really get a chance to do that,” his son told reporters. [The Canadian Press]


CA – Canadians Anticipate a More Connected World in 2025, But Have Concerns About Security And Privacy

McAfee Canada released findings from its first Safeguarding the Future of Digital Canada in 2025 study, which examines the thoughts and attitudes of more than 500 Canadian consumers concerning technology trends. The study looks at how technology relates to people’s homes, workplace, cars, mobile devices and online security. Canadian consumers believe that technology will significantly change their lifestyle by 2025, but feel hesitant in sharing personal information or adapting to these technologies in fear of their privacy being jeopardized. 66% of Canadians expressed concern over the expected state of cyber security in 2025. [Source]

US – Fitbit Denies Claims It Sells Personal Data

Fitbit, the maker of a popular line of wearable fitness-tracking devices, makes a statement saying it does not sell personal data to advertisers. This in response to a campaign by Senator Charles Schumer for a federal regulation to require companies like Fitbit to let customers prevent their data from being sold. [Wireless Week]


US – Feds Hesitate Moving IT Services to the Cloud

Government agencies know the benefits of cloud computing and want to double its use. But when it comes to migrating applications to the cloud, the majority of feds — 89% — are hesitant to lose control of their IT services, according to a new MeriTalk report. For “Cloud Control: Moving to the Comfort Zone,” MeriTalk surveyed 153 government IT executives closely involved in their agencies’ cloud deployments, and found that only 44% of agencies have “mature” data governance practices in the cloud. When asked how they feel about transitioning IT service to the cloud, 43% of feds compared it to giving their son the keys to a new convertible. This explains why agencies manage 71% of data themselves, whereas cloud vendors manage just 29%. [Source]


US – OTA Releases Email Unsubscribe Best Practices

More than a decade removed from the implementation of the CAN-SPAM Act, the Online Trust Alliance (OTA) has revealed a set of “user-centric unsubscribe best practices.” In May, the OTA called for public comments seeking input on email marketing unsubscribe best practices “with the goal to move beyond regulatory requirements” by gathering feedback from industry and submitters in North America, the EU, New Zealand and Australia. In addition to benchmarking best practices, the OTA aimed to “raise awareness of the issue and provide actionable advice to the email marketing community” as well as “aid consumers and empower them to control their inbox and enhance their trust and confidence in email.” [OTA] See also: [Toronto: Doug Ford’s campaign emails raise privacy concerns, says municipal lawyer]

US – New Overseas Email Act Receives Mixed Reviews

New legislation is aimed at providing greater legal protection for emails held by U.S. service providers overseas. The Law Enforcement Access To Data Stored Abroad Act (LEADs Act) would mandate digital content contained within an account of a “U.S. person” but stored on a server outside of the U.S. be accessible by law enforcement only with a warrant. The catalyst for the bill is the ongoing legal wranglings about email data stored on Microsoft servers in Ireland. Microsoft General Counsel Brad Smith said, “This bill proposes a more principled legal blueprint for balancing law enforcement needs with consumer privacy rights.” The Center for Democracy & Technology’s Greg Nojeim applauded the bill’s “overall thrust” but said he is concerned it applies only to emails held by a “U.S. person.” [Full Story]


WW – Open Source Project Aims to Provide Encryption for Communications

An open source project aimed at providing easy-to-use encryption for email launched on Monday, September 15. The Pretty Easy Privacy (PEP) Project plans to develop the technology to interact with “existing communication tools on different desktop and mobile platforms.” [CSO Online]

WW – Android Phones Will Join iPhones In Offering Default Encryption

The next generation of Google’s Android operating system, due for release next month, will encrypt data by default for the first time, the company said, raising yet another barrier to police gaining access to the troves of personal data typically kept on smartphones. Android has offered optional encryption on some devices since 2011, but security experts say few users have known how to turn on the feature. Now Google is designing the activation procedures for new Android devices so that encryption happens automatically. [Washington Post]

US – New Level of Smartphone Encryption Alarms Law Enforcement

Moves by Apple Inc. and Google Inc. to put some smartphone data out of the reach of police and the courts are raising alarms inside U.S. law-enforcement agencies, current and former officials say.” [The Wall Street Journal]

US – FBI Director Critical of Default Encryption on Mobile Phones

FBI Director James Comey has expressed concerns about Apple’s and Google’s decisions to increase encryption on mobile devices. Comey said that the new features appear to be “something expressly to allow people to place themselves beyond the law.” [ArsTechnica] [ComputerWorld] [NBC News] [The Register]

WW – IOS 8 Prevents Apple from Accessing Device Data

Apple says that the most recent version of its mobile operating system removes the company’s ability to provide law enforcement with data from devices running iOS 8. Encryption used in this iteration of iOS prevents everyone expect the device’s owner from accessing data stored on the device. Apple will still be able to turn over data stored elsewhere, such as in iCloud. However, while Apple may not have the ability to access those data, police could ostensibly retrieve the data from locked devices. [Washington Post] [WIRED]

WW – Apple Will No Longer Unlock iPhones, iPads, Even With Search Warrants

Apple said that it is making it impossible for the company to turn over data from most iPhones or iPads to police — even when they have a search warrant — taking a hard new line as tech companies attempt to blunt allegations that they have too readily participated in government efforts to collect user information. [Washington Post]

US – Apple’s “Warrant Canary” Disappears from Transparency Reports

Apple’s “warrant canary” – a statement in its transparency report that the company has never received an order from the US government under the Patriot Act – is conspicuously absent from the company’s two most recent reports. The report for the first six months of 2014 does say that “Apple has not received any orders for bulk data.” [ZDNet] [Expert: Apple’s health push poses big privacy challenges]

EU Developments

EU – National Parliaments Raise the Pressure on Data Protection

Parliamentary delegations from 16 states call on the EU to adopt its legislative package to protect personal data ‘by 2015’. The 16 countries are: Germany, Austria, Belgium, Croatia, France, Greece, Hungary, Lithuania, Luxembourg, the Netherlands, Portugal, the Czech Republic, Romania, the United Kingdom, Slovakia and Sweden. Spokesperson Viviane Loschetter from Luxembourg said: “It is essential that the adoption happen before 2015: the EU must impose its data protection standards on third countries, otherwise they will do it first. I am thinking particularly of the United States.” [World News Report]

EU – French Crime Database Breaches Privacy Rights, EU Court Rules

Storing someone’s private information in a crime database for 20 years when charges against that person have been dropped violates privacy rights, the European Court of Human Rights (ECHR) ruled in a case brought by a French citizen, Francois Xavier Brunet, against the French government. Retaining his data “could be regarded as a disproportionate breach of Mr Brunets right to respect for his private life and was not necessary in a democratic society,” the court ruled. It found this to violate Article 8 of the European Convention on Human Rights which protects the right to respect for private and family life, the court ruled. France was ordered to pay Brunet €3,000 (about US$3,900) in damages. [Source] SEE ALSO: [Proposed anti-terror law in France would erode civil liberties] and [Austria boosts anti-terrorism measures]

EU – Internet Firms Should be Banned from Building Customer Profiles: Germany

German Interior Minister Thomas de Maiziere says Google and other Internet companies should be banned from building profiles of customers using their personal data, according to this media report. “We need additional tools that enable meaningful use of Big Data but we also need to prevent the creation of customer profiles,” Mr. de Maiziere told the Sunday edition of the Frankfurter Allgemeine Zeitung. He said he wanted to ban Internet companies from gathering customer data and then selling those profiles. [Capital.gr]

UK – Data Guide: Direct Marketing Association

Legislation and codes applicable to marketing in the UK include the Data Protection Act 1998, the Privacy and Electronic Communications (EC Directive) Regulations 2003, the British Code of Advertising, Sales Promotion and Direct Marketing (CAP Code), and the Direct Marketing Association Code; considerations for data acquisition include consent (e.g. obligations to customer at sign-up, channel-specific consent rules, and privacy and data protection notices), cookies, unsubscribe requests, and subject access requests. Considerations for data care include preference services (e.g. TPS, CTPS, MPS, BMPS, and FPS), data sharing, and data security and storage; data usage considerations include privacy impact assessments and anonymisation/pseudonymisation. [Source]

EU – Article 29 Working Party Gives Google Guidelines for Privacy Practices

The Article 29 Working Party (WP29) gave Google a set of guidelines to help the company alter its privacy practices to make them more in line with EU data protection law. The guidelines include a list of measures Google could implement, including disclosing how it collects and shares user data and what other third parties could collect data. Since consolidating its more than 60 privacy policies into one, Google has been under fire from European regulators and has been investigated by six EU countries, including Spain, France, Italy, Germany, the UK and The Netherlands. Google’s Al Verney said the company was open to the regulators’ feedback and future discussions. “We have worked with the different data protection authorities across Europe to explain our privacy policy changes,” he said. [Re/Code]

EU – Article 29 Working Party Release Guidelines on Handling RTBF Requests

The EU’s Article 29 Working Party released a statement addressing “how search engines are complying” with the European Court of Justice ruling on the so-called right to be forgotten, Bloomberg reports. The data protection authorities said they’ve agreed on a “tool box” on a “coordinated and consistent approach” for handling user complaints “resulting from search engines’ refusals to ‘de-list’ complainants from their results.” Additionally, “it was decided to put in place a network of dedicated contact persons in order to develop common case-handling criteria,” according to the statement. The network will provide a “common record of decisions taken on complaints” and “a dashboard to help identify similar cases as well as new or more difficult cases.” [Full Story] [Bloomberg]

EU – Commission Nominees Grilled by MEPs

A “grilling” of nominees for positions in the next European Commission was conducted by Members of the European Parliament (MEPs), including EU Home Affairs Commissioner Cecilia Malmström, who has been nominated to head up trade. Malmström is under fire for her alleged “soft response” to U.S. spying programs. Malmström has rejected claims that she watered down EU data protection reform. “I have always defended the European data protection proposals, internally and externally,” she said, adding, “These are based on misconceptions or on lies.” Additionally, Günther Oettinger, who has been nominated to be Europe’s new “digital economy and society” chief, is being criticized for his response to the recent hack of celebrities’ photos. [EUObserver]

EU – Group Claims EU Home Affairs Chief Worked With U.S. to Undermine Privacy Reform

Digital rights group Access has said that EU Home Affairs Commissioner Cecilia Malmström, who will be stepping down shortly, secretly collaborated with the U.S. Department of Commerce to water down the EU’s draft data protection reform. Access released an email dated January 12, 2012, claiming it proves the Home Affairs department actively worked to undermine the reforms. “If this assessment is correct,” GigaOm’s David Meyer writes, “the revelation may jeopardize Malmström’s confirmation by the European Parliament as the EU’s new trade commissioner.” The trade commissioner role will play a large part in the upcoming EU-U.S. Transatlantic Trade and Investment Partnership. Her confirmation hearing is set for October 22. [GigaOm]

EU – EDPSA Shortlist Announced

The European Commission has announced its shortlist of candidates for the European data protection supervisor (EDPS) and assistant supervisor positions in a letter to the secretaries-general. “Following a selection process carried out in line with its internal selection and recruitment procedures, the commission decided on 16 September 2014 to adopt the following lists of candidates, in alphabetical order,” the letter states. For EDPS, the finalists are Giovanni Buttarelli, Noëlle Lenoir and Yann Padova. For assistant EDPS, the finalists are listed as Cinzia Biondi, Giovanni Buttarelli and Wojciech Wiewiórowski. [Source]

Facts & Stats

US – Study: Average Budget for a Fortune 1000 Privacy Program?

This spring, the IAPP looked at privacy professionals’ roles in organizations worldwide , the influence they had on budget spending and the areas over which they had primary control. What we found was interesting, but we realized that, as a benchmarking device, it was difficult to utilize. As our members come from all manner of industries, and companies of every size and shape and have roles that range from CPO to outside counsel to HR manager, it was hard to pinpoint just what kinds of privacy programs we were looking at. So we focused more tightly, getting a sample that was alike in crucial ways: All of them were privacy leads at large, private, for-profit firms. And we are beginning to unearth some good benchmarking data. [Full Story]

US – A Day in the Life of a Data Mined Kid

Education, like pretty much everything else in our lives these days, is driven by data. Nearly everything they do at school can be — and often is — recorded and tracked, and parents don’t always know what information is being collected, where it’s going, or how it’s being used. See what a day in the life of a data mined student looks like with our Quantified Student infographic. In most states, the data are fed into a giant database, known as a “statewide longitudinal data system.” Different states collect different elements of personal student data. In the last decade, the federal government has handed states more than $600 million to help them create these databases. A study released last year by Fordham Law professor Joel Reidenberg found that very few school districts explicitly restrict the sale or marketing of student information in contracts with service providers. There are also privacy issues with third-party educational apps, often brought into the classroom by teachers. Those apps may have weak privacy policies, or, in some cases, none at all. Experts say the growth of technology in schools is happening faster than we can keep up with it. The larger concern, he says, is that connecting all those dots can create a profile of a student that can follow him from kindergarten through college. Maybe even into the workforce. It’s the prospect of that permanent data trail, say privacy advocates, that makes it so important that schools, teachers and parent wrestle with student data issues now. [Source] See also: [Canada: Graphic Back to School Tips from Privacy Commissioner] [Why Ed Privacy Laws Should Open the Eyes of All Privacy Pros]

US – Privacy Concerns Arise Over Tech in Classrooms

California lawmakers ban the sale and disclosure of data related to K-12 students. At a New York state elementary school, teachers can use a behavior-monitoring app to compile information on which children have positive attitudes and which act out. In Georgia, some high school cafeterias are using a biometric identification system to let students pay for lunch by scanning the palms of their hands at the checkout line. And across the country, school sports teams are using social media sites for athletes to exchange contact information and game locations. Technology companies are collecting a vast amount of data about students, touching every corner of their educational lives — with few controls on how those details are used. Now California is poised to become the first state to comprehensively restrict how such information is exploited by the growing education technology industry. Lawmakers in the state passed a law last month banning educational sites, apps and cloud services used by schools from selling or disclosing personal information about students from kindergarten through high school; from using the children’s data to market to them; and from compiling dossiers on them. The law is a response to growing parental concern that sensitive information about children — like data about learning disabilities, disciplinary problems or family trauma — might be disseminated and disclosed, potentially hampering college or career prospects. Although other states have enacted limited restrictions on such data, California’s law is the most wide-ranging. California lawmakers did make some concessions to industry. An exception in the legislation, for instance, allows companies to use student data for “legitimate research purposes.” “The bill sets a standard that is applicable to the larger privacy debate,” Steinberg said. “Personal information should only be used for other purposes with the permission of the individual.” [The New York Times]

US – Employee Errors Cause Most Breaches; Malware Breaches Cost the Most

Amidst the latest breach-related announcements, including reports that Home Depot’s recent breach affected 56 million payment cards , Beazley Breach Response Services released its analysis for more than 1,500 data breaches from 2013 and 2014. The results, released at the IAPP Privacy Academy and Cloud Security Alliance Congress, indicate the two most common sources of breaches are unintended disclosure—like misdirected emails and faxes, which account for 31%—and the physical loss of paper records, accounting for 24 percent.[Full Story]

WW – Scientists Support Ethics Guidelines

Findings from a Revolution Analytics survey of 144 data scientists revealed that many believe big data research needs a set of ethical guidelines. Nearly half of those surveyed believed the recent Facebook emotion contagion experiment was unethical. “Statisticians and data scientists have an important role to play in the practices and standards around handling and analyzing data in the world at large,” said Revolution Analytics Chief Community Officer David Smith, “my hope is that web and technology companies will involve data scientists more in analyzing the data that they collect.” [InformationWeek]


CN – DuckDuckGo Joins Google in Being Blocked In China

“DuckDuckGo joins Google in being censored and blocked in the nation. Google, after years of being throttled by China’s Great Firewall since the web giant turned off its mainland China servers in 2010, was finally blocked totally in June this year. Only foreign search engines that have Chinese servers, such as Bing and Yahoo, work in China. But, operating under Chinese media laws, both Bing and Yahoo heavily censor their search results – in contrast to Google and DuckDuckGo.” [Tech in Asia]


US – GAO: CFPB Needs Data Protection Plan

The Consumer Financial Protection Bureau (CFPB) collects financial data on millions of U.S. citizens, but a report released Monday by the Government Accountability Office (GAO) suggests the CFPB “lacks a plan to adequately protect it.” The GAO’s primary privacy concern is the lack of written data collection and security procedures, the report states. “The GAO’s report recognizes that the bureau collects data on a scale similar to other regulators and uses that data to carry out its mission to protect consumers,” a CFPB spokesman said, adding, “The CFPB agrees with the GAO’s recommendations, which focus primarily on documentation of processes related to data collection.” [National Journal]

US – FTC Submits Comments on Mobile Financial Services to CFPB

A FTC press release has announced the agency has provided comments to the Consumer Financial Protection Bureau (CFPB) on mobile financial services in response to a CFPB request for information on the topic. FTC staff highlighted five consumer protection issues in the mobile financial sphere, including liability for unauthorized charges, unfair billing practices, the privacy of consumers’ financial and personal data, the security of that data and the potential use of personal and financial data by data brokers and other third parties. [FTC Press Release]


CA – Privacy Watchdog to Probe Handling of Minister’s Expenses

Canada’s Privacy Commissioner, and possibly its Information Commissioner, are investigating a federal department’s handling of Access to Information requests for Alberta Premier Jim Prentice’s expenses from when he was a cabinet minister in Ottawa. In a letter sent to NDP MP Charlie Angus, Claude Beaulé, a senior investigator in Privacy Commissioner Daniel Therrien’s office, confirms a “complaint file has been opened.” The Canadian Taxpayers Federation, meanwhile, said it had complained to Canada’s Information Commissioner about the case, and was told an investigation would be conducted. A CTF official was among those who made the original requests for Mr. Prentice’s expenses, which were initially said to have been destroyed. A spokesperson for the Information Commissioner said earlier this month the office would not confirm if it was conducting an investigation. [Source] See also: [Toronto trustees expense everything from $28 cookies to $4,000 walking tours of Israel – Documents reveal how Toronto District School Board trustees have been spending taxpayer dollars]

CA – Revoking ISIS Passports: Government Refuses to Disclose Numbers

Despite repeated queries from CBC News, Immigration Minister Alexander’s office has refused to reveal just how many passports have been seized since 2002, citing privacy concerns. Instead, they directed questions to the Canada Border Services Agency, which has yet to respond. Outside the Commons, Alexander cited privacy and security concerns for his refusal to release numbers. According to government records, since 2003, just 40 now-former Canadians have had their citizenship formally stripped after it was determined that they had obtained it by false representation or through other fraudulent means. The new provisions, which give the minister the power to revoke citizenship for terrorism-related offences, has not yet been tested. Unlike passport revocation, those numbers — but not the names of the individuals themselves — are available, as such decisions are cabinet orders, and are published on the Privy Council Office website. [CBC News]


US – Genetics Testing Company Reverses Plans for Privacy Changes

Personal genetics testing company 23andMe is reversing its plans to make a major change to its privacy settings. It was recently reported that the company was planning to alter its user settings in a way that would give people less control over the results genetic tests would reveal about them. While it used to employ an opt-in system that would allow 23andMe to reveal close DNA relatives, it planned to change that to automatically opt new customers into the system. However, the company has since decided to reverse that decision as well as hire a chief privacy officer as a result of some backlash over the proposed changes. IAPP President and CEO Trevor Hughes discussed the privacy implications of such genetic work, even when consent is given. [VOX]

Health / Medical

US – Developers Seek HIPAA Clarity for Apps

A group of app developers have sent a letter seeking clarity on the Health Insurance Portability and Accountability Act (HIPAA). Startups including CareSync, AirStrip and AngelMD sent a letter to Rep. Tom Marino (R-PA) to express their frustration at the limited online resources to help app developers navigate the complex HIPAA mandate. They said they are struggling to compete with larger vendors that have greater resources to hire lawyers and consultants. Regulators “have not kept pace with the rapid growth of technology that gives users greater access to healthcare providers and more control over their health information,” they wrote. Meanwhile, Fitbit has hired a lobbying firm to work on consumer privacy and healthcare issues a month after Sen. Charles Schumer (D-NY) criticized its data collection practices. [Reuters]

US – GAO Report: Healthcare.gov Has Privacy, Security Vulnerabilities

The main website for the Obama administration’s health insurance exchange, Healthcare.gov, has several privacy and security vulnerabilities, according to a GAO report. The GAO also noted that moves by the Centers for Medicare & Medicaid Services to protect privacy and security have not mitigated vulnerabilities in the management of security and privacy. “Until these weaknesses are addressed, increased and unnecessary risks remain of unauthorized access, disclosure or modification of the information collected and maintained by Healthcare.gov,” the GAO report states. Reuters reports on Sen. Lamar Alexander’s (R-TN) criticism that the administration launched the site “knowing that the personal information of Americans who bought insurance through the website was not safe.” [Full Story]

US – HHS Releases HIPAA Guidance on Same-Sex Couples

Healthcare Info Security reports the Department of Health and Human Services (HHS) Office for Civil Rights has developed guidance on how the HIPAA Privacy Rule affects married same-sex couples to assist covered entities and business associates (BAs) “in understanding how the 2013 decision by the Supreme Court in United States v. Windsor may affect certain of their HIPAA Privacy Rule obligations.” The Windsor ruling requires covered entities and certain BAs “consider lawfully married same-sex spouses to have the same rights under the HIPAA Privacy Rule as opposite-sex spouses,” the report states. The guidance states “spouses include … individuals who are legally married, whether or not they live or receive services in a jurisdiction that recognizes their marriage.” [Source] See also: [County health department takes major tech step forward on privacy] See also: [Rob Ford Tumour Diagnosis: Do Politicians Have A Right To Medical Privacy?]

WW – Merck Finds Patients Willing to Sell Access to Data

A survey conducted by Merck, and outlined in a paper in The American Journal of Accountable Care, judged willingness of patients to have their tumors sequenced and the data studied in exchange for payment. Sixty-three of the 64 patients surveyed were willing to share their data as long as they retained data ownership and only shared the data with the entity that paid for it. “While the model would still involve significant outlay,” the report notes, “the authors think it would be cheaper than assay development.” Meanwhile, the California Supreme Court has agreed to hear a case that would determine whether healthcare regulators violated the state Constitution’s privacy clause when they accessed a local doctor’s prescribing records as part of an investigation into claims of unprofessional conduct.” [FierceBiotechIT]

US – Hospital CIO Shares How They Fought Attacks from Anonymous

Boston Children’s Hospital senior VP for information services and CIO Dr. Daniel J. Nigrin, shares how his organization defended itself against a series of attacks launched earlier this year. The hospital received a warning about the attacks several weeks before they began. The hospital incident response team prepared for the attacks along with the IT department. They managed to fend off a series of distributed denial-of-service (DDoS) attacks for a while, but when those reached a certain level of intensity – 27 Gbps – the hospital called in third-party help. The attacks affected the hospital’s external websites and networks. When Nigrin saw what was happening, he shuttered all the websites and took down email service. Employees communicated through a secure messaging application. [CSO Online]

WW – Pilot Program Allows Patients Choices on Which Data to Share With Doctors

Five behavioral health patients in Maryland have volunteered to participate in a federally organized five-month pilot project in which they pick and choose what information they want to share with their primary healthcare physicians via software called Consent2Share, a practice one public health official says is indicative of a more general paradigm shift, Modern Healthcare reports. The pilot is one of a series hosted by the Office of the National Coordinator for Health Information Technology in an initiative called Data Segmentation for Privacy. Meanwhile, a Canadian start-up plans to offer personal health assessments based on wearable sensor data and public health data sets. [Modern Healthcare]

Horror Stories

US – Home Depot Breach Put 56 Million Payment Cards at Risk

Home Depot announced that a breach at its U.S. and Canadian stores over a six-month period this year may have put an estimated 56 million payment cards at risk.” “That would make it the largest compromise of debit and credit cards in the string of cyberattacks that have hit retailers over the past year.” [Washington Post] [Analysis: Home Depot Breach Details]

US – Ex-Employees Say Home Depot Ignored Early Warnings; Class-Action Filed

Former members of Home Depot’s cybersecurity team have said that the high risk of cyber-attack was evident as far back as 2008. In interviews after the company experienced the largest retail data breach ever, the former employees said outdated software was being used to protect its network. And, a computer engineer hired to oversee security has been sentenced to jail for “deliberately disabling computers at the company where he previously worked,” the report states. Meanwhile, Toronto law firm McPhadden Samac Tuovi LLP has filed a class-action against Home Depot of Canada and its American parent, The Home Depot, Inc., in the Ontario Superior Court of Justice. [New York Times] See also: [Steven Lozanski v. Home Depot Inc. – Court File #CV-14-51262400CP – Ontario Superior Court of Justice]

US – Following Breach, Report Shows Home Depot Has $105 Million in Coverage

Following news of a data breach last week, Business Insurance reports Home Depot has a total of $105 million in cyber coverage. American International Group provides $10 million of primary coverage, followed by Zurich Insurance Group providing $20 million and Liberty Mutual Insurance providing $15 million, among others. Home Depot is likely to point to the Supreme Court’s Clapper ruling to fend off class-actions, but attorneys say plaintiffs are “quickly learning that they can bypass the defendant-friendly 2013 decision by proving that their data has been misused or that they relied on false security pledges.” [Business Insurance]

WW – TripAdvisor Customer Data Compromised

Viator, a website recently acquired by TripAdvisor, has learned that a breach of a payment card service provider’s system exposed customer data. The breach affects approximately 1.4 million customers. Viator learned of the breach after investigators looked into fraudulent payment card transactions that led back to the website. [NextGov] [The Register]

US – Jimmy John’s Confirms Data Breach

US sandwich restaurant chain Jimmy John’s has acknowledged that a payment vendor’s data breach compromised customer payment card information. The incident affects transactions at 216 stores between June 16 and September 5, 2014. [Krebs] [DarkReading] [Darkreading]

JP – Japan Airlines Data Breach

Japan Airlines (JAL) has confirmed that a cyber attack compromised personal information of as many as 750,000 customers. The incident involved unauthorized access to a JAL database from an external server.

The compromised data include names, addresses, and workplaces. The malware appears to have infected 23 computers and did not affect financial information. The attack is believed to have gained purchase through a phishing attack and may have remained undetected for over a month. [SC Magazine] [ZDNet]

WW – Breach Roundup

Data loss incidents and breach headlines include a lawsuit against six Mississippi hospitals following a breach of sensitive patient information are causing experts to weigh in with tips on why breaches happen, best practices in the event of a breach and complying with data breach laws. Mondaq reports on Florida’s Information Protection Act of 2014, which amended Florida’s breach notification statute, while TechTarget offers recommendations for “best practices” in reporting breaches. CSO examines “why retailers get hacked,” quoting one expert’s suggestion that retailers and their marketing firms must recognize some information is “just too dangerous to have.” And research from Protiviti suggests, “Businesses are failing to maintain proper security and are still not managing data properly, when looking at the big picture.” [ITProPortal]

Identity Issues

CA – Ping Identity Scoops $35m to Authenticate Everywhere

Identity provider Ping Identity has secured $35m in funding, bringing the total funding for the company to $110m. The market for identity assurance is booming as the more customers carry out transactions online. Third party vendors such as Ping Identity are in competition with existing vendors such as Facebook and Google who are also developing in this space. Forbes predicts “it will be a third party approach that straddles all the different vendors that will win”. [Forbes]

Internet / WWW

WW – Yahoo Slams New ‘Digital Will’ Law; Users Have Privacy When They Die

What should happen to your personal digital communications—emails, chats, photos and the like—after you die? Should they be treated like physical letters for the purposes of a will? Yahoo doesn’t think so. The company is criticizing new legislation giving executors charged with carrying out the instructions in a person’s will broad access to their online accounts. The legislation aims to tackle the sensitive question of what to do when someone’s online accounts on sites like Facebook, Google or Yahoo outlive them. This past summer, Delaware signed into law the Fiduciary Access to Digital Assets and Digital Accounts Act. It was modeled after legislation approved earlier by the Uniform Law Commission, a nonprofit group that drafts and lobbies for new state laws. In Delaware, the measure removes some of the hurdles that an estate attorney or other fiduciary would otherwise have to go through to gain broad access to the deceased’s online accounts. “A fiduciary with authority over digital assets or digital accounts of an account holder under this chapter shall have the same access as the account holder,” the law states. That expanded access violates the initial agreement users entered into when they started using Yahoo’s services, the company said Monday in a blog post. “When an individual signs up for a Yahoo account, they agree to our terms of service, which outlines that neither their account nor the contents of their private communications are transferrable at the time of death,” wrote Bill Ashworth, Yahoo’s senior legal director of public policy. Delete, not transfer. Yahoo’s terms of service say it may delete an account and all of the account data, if it’s shown a copy of the person’s death certificate. [Source]

US – What Impact Will “Cyborgization” Have?

A new paper from the Brookings Institution explores the privacy impacts of a trend of “cyborgization”—using cell phones and wearable devices as an extension of ourselves. “Should we recognize our increasing cyborgization as more than just a metaphor, given the legal and policy implications both of doing so and of failing to do so?” Benjamin Wittes and Jane Chong write in the paper. The trend raises questions about privacy, access, discrimination and other issues, the report states, noting, “This cyborgization of the populace, the authors say, could have immediate and significant effects on the law especially around surveillance.” [FierceGovernmentIT]

Law Enforcement

CA – Toronto Police to Wear Body Cameras in Test Project

By the end of the year, 100 Toronto police officers are expected to be sporting body-worn cameras as the force launches a one-year pilot project testing the increasingly popular — and at times, controversial — policing tool. Major details are still being hammered out, including where the cameras will be worn, when the cameras will record, and what the final price tag will be, but the Toronto Police Service plans to equip officers in four areas of the city with cameras by mid-December, according to a Request for Proposals seeking a supplier for the cameras and software. The pilot project comes after numerous reports and recommendations suggesting that the cameras, usually affixed to an officer’s lapel, glasses or police cap, could improve police accountability and reduce the use of force by officers. But the president of the Toronto Police Association, Mike McCormack, says numerous concerns will need to addressed before rank-and-file officers get fully on board. “We want to see sound policies around not only the implementation, but when are they going to be used, what about privacy rights for citizens, what about privacy rights for police officers, and what are we trying to capture with these lapel cameras?” McCormack said. The 2012 Police and Community Engagement review (PACER) was the first Toronto report to recommend that police adopt body-worn cameras, a recommendation echoed in this summer’s review of police interactions with people in mental crisis, penned by retired Supreme Court justice Frank Iacobucci. In his report, Iacobucci cited research indicating the cameras decrease complaints against police, “in part because police have an additional incentive to treat people respectfully, and also because individuals are deterred from bringing false allegations against police.” [Source]

US – New Radar Gun to Help Police Detect Texting Drivers

Police may soon have a new weapon in their efforts to prevent drivers from texting while on the road. A Virginia company is working on a device that detects the radio signals sent out from a vehicle when someone inside is using a cell phone. The technology is able to differentiate text messaging from phone calls. Virginia law allows adults to talk on a cellphone while driving, but not send text messages. The device is not yet ready for production. It still needs legislative approval and a commitment from law enforcement. [CBS-DC]


AU – Information Commissioner Updates Guide for Mobile App Developers

New content has been added to the guide for mobile application developers that discusses the preparation, implementation and regular updates to a data breach policy and response plan; to aid app developers in creating a breach plan additional information regarding data breaches can be found in the Guide to the Information Security and a Guide on Data Breach Notification. [Source]


NZ – Snowden Says New Zealand Lied About Mass Surveillance Activities

Snowden wrote a thing for The Intercept ahead of New Zealand’s election alleging the country is lying about its use of and role in developing mass surveillance technology. Meanwhile, a new report says that Snowden’s leaks haven’t really made life easier for terrorists, despite frequent claims to the contrary.

Online Privacy

WW – Apple CEO Tim Cook’s Open Letter on Privacy

Apple launches a new web site making privacy a key part of its brand values. An ‘Open Letter’ from Apple CEO Tim Cook says: “We believe in telling you up front exactly what’s going to happen to your personal information and asking for your permission before you share it with us. And if you change your mind later, we make it easy to stop sharing with us. Every Apple product is designed around those principles. When we do ask to use your data, it’s to provide you with a better user experience.” It goes on: “Our business model is very straightforward: We sell great products. We don’t build a profile based on your email content or web browsing habits to sell to advertisers. We don’t “monetize” the information you store on your iPhone or in iCloud. And we don’t read your email or your messages to get information to market to you. Our software and services are designed to make our devices better. Plain and simple.” It’s really hotting up now! [Apple]

WW – Facebook Testing Update Option with Expiration Dates

Facebook is currently testing a new option that would allow users to place an expiration date on a given post, ranging from one hour to one week. The move comes after more employers, attorneys and law enforcement officials increasingly use social media posts to make hiring and other decisions. “It’s interesting to me because Facebook used to push this idea that our cultural notions of privacy were changing and that people should share things all the time. People reacted poorly to that,” said University of Maryland Human-Computer Interaction Lab Director Jennifer Golbeck. “But in the last six months or so, they’ve started coming around to the idea that people still want to do things privately.” [Bloomberg Businessweek]

WW – Facebook Takes Vault of Consumer Data to the Masses

Using the vast amount of data it has gathered from its 1.3 billion users, Facebook has made itself the number-two digital advertising platform in the world. Now, it’s going to take its targeted ads to the rest of the Internet, rolling out its ad platform, Atlas, which will allow marketers to use the social networking site’s detailed knowledge of users to target ads to users on other websites and mobile apps. Meanwhile, U.S. Federal Trade Commission Chief Technologist Latanya Sweeney writes in a new blog post on the ramifications of the decisions ad networks are making. [The New York Times] See also: [The ‘hot’ new thing on Tinder: Posting photos of your resume and bank account instead of your face]

US – Lawyers Seeking Telematics Data

Lawyers are turning increased attention to the data gathered by vehicle telematics systems, seeing “the data as a puzzle piece in building court cases.” The report suggests this attention indicates “privacy concerns raised about telematics data won’t go away soon. At the least, the industry’s quest to be closer to consumers through telematics has created new responsibilities involving data management.” Don Slavik, a product liability lawyer, said, “It introduces some questions of privacy issues that people aren’t aware of … We’ve just learned about the large volume of data going through systems. Not just one or 10 or 20 pieces of data, but thousands of pieces of data that are reported.” [Automobile News]

Privacy (US)

US – Study: What “Reasonable” Privacy and Security Means to the FTC

A new study from the Westin Research Center looks at the “reasonable” components of a privacy and data security program as interpreted from more than 40 FTC enforcement actions. Part of the IAPP’s ongoing FTC Casebook project, this report by Westin Fellow Patricia Bailin is meant to help shed light on what an acceptable level of privacy and data security could be, even as companies litigate the issue with the FTC in federal courts. [Source] See also: [Artificial Intelligence Is Doomed if We Don’t Control Our Data]

US – Rep. Wants Hearing to Look at Health Breach

Rep. Elijah Cummings (D-MD) has sent a letter to Rep. Darrell Issa (R-CA), chairman of the House Committee on Oversight and Government Reform, requesting that a bipartisan hearing be held to look at the causes and effects of a breach at Community Health Systems reported last month. Cummings said cybersecurity threats are an ongoing problem and an investigation of the breach would help the committee “learn from these witnesses about security vulnerabilities they have experienced in order to better protect our federal information technology assets.” [FierceHealthIT]

US – Justice Sotomayor Worried About Drones

Speaking to students and faculty at the Oklahoma City University’s law school, Supreme Court Justice Sonia Sotomayor said we are seeing “frightening” changes in surveillance technology and that citizens should get more engaged in the privacy debate. She said drone technology, for example, should “stimulate us to think about what is it that we cherish in privacy and how far we want to protect it and from whom,” adding, “people think that it should be protected just against government intrusion, but I don’t like the fact that someone I don’t know … can pick up, if they’re a private citizen, one of these drones and fly it over my property.” [The Wall Street Journal]

US – TRUSTe Announces DPM Platform

TRUSTe has announced the launch of its comprehensive end-to-end data privacy management solution, the TRUSTe Data Privacy Management (DPM) Platform, which includes automated capabilities to assess and manage privacy risks, implement compliance controls and ensure ongoing monitoring. TRUSTe CEO Chris Babel notes, “Developed in consultation with our extensive enterprise customer-base, the new TRUSTe DPM Platform puts privacy professionals in the driver seat giving them full control of data privacy management, automating processes and increasing productivity as they manage their global privacy initiatives from a single dashboard.” [Press Release]

US – Judge Dismisses Neiman Marcus Class-Action

An Illinois federal judge has thrown out a proposed class-action lawsuit alleging Neiman Marcus Group negligently failed to protect 350,000 customers’ credit card information prior to a 2013 hack into the department store’s servers. U.S. District Judge James B. Zagel ruled the plaintiffs lacked standing under Article III, stating he “wasn’t convinced unauthorized credit card charges for which the plaintiffs would be reimbursed qualify as concrete injuries warranting Article III standing,” the report states. [Law360]

US – Facebook Wins Appeal;

Facebook’s appeal against law enforcement’s collection of bulk user data has been accepted. The New York State Supreme Court ruled against a government request to dismiss the appeal and accepted briefs in support of Facebook from groups including Google and Microsoft. “Facebook is asking for the return or destruction of the data and also wants a ruling on whether the warrants are in violation of the Fourth Amendment,” the report states, and is also asking the court to determine whether the warrants’ gag provisions violated the Stored Communications Act. [PCWorld]

US – Courts Aren’t Recognizing Harm, But Breach Cases Keep Coming

George Washington University Law School’s Daniel Solove, founder of TeachPrivacy, notes in a blog that the law has not been kind to plaintiffs in data breaches. “The fact is,” he writes, courts “don’t recognize harm. Generally, we make those who cause wide-scale harm pay for it … But when a company loses data about a lot of people … the courts frequently say ‘no harm, no foul.’ Yet the lawsuits keep coming. Why?” Solove highlights a paper, Empirical Analysis of Data Breach Litigation, outlining some conclusions it makes, such as “data breach lawsuits lacking actual harm or class certification are almost as equally likely to reach settlement as dismissal.” Solove writes, “This research study shows that parties are bargaining around the legal system to make it go away.” [Source]

US – As Ad Industry Capitalizes on Tracking, One Scientist Looks at the Effects

The Economist reports on surveillance as the advertising industry’s new business model. Internet ads now account for around a quarter of the $500 billion global advertising business, and companies are able to capitalize on data they collect from users based on what sites they visit and what they click on. But users should be able to find out if they’re being tracked and what information is being stored on them and be able to stop it if they wish, the report states. Meanwhile, computer scientist Roxana Geambasu of Columbia University has recently developed software which uses a series of “shadow accounts” to see how ads change for a user when certain phrases are used. [Full Story]

US – Privacy Pathways Training Program Launched

The Privacy Pathways program, piloted through partnership with schools like the University of Maine School of Law and the High Tech Law Institute at Santa Clara Law, aims to give students access to privacy training and discounts on exams, publication opportunities and connections to the IAPP member community through internships and externships. At this week’s Privacy Academy and CSA Congress, the IAPP announced the program is expanding rapidly, with the addition of the Privacy and Technology Project of the Institute for Innovation Law at UC Hastings College of the Law in San Francisco, CA, and the University of Washington. [Full Story]

US – Yelp Agrees to $450,000 Settlement with FTC

Yelp has agreed to settle charges brought against it by the FTC and pay $450,000 for accepting registrations from children under the age of 13 in its app. In 2009, the company introduced a registration feature in its app that allowed users to create new accounts “but failed to implement a working age-screen mechanism in the new in-app registration feature,” the report states. In turn, data was collected about children through the app. Yelp wrote about the settlement in a blog post and has agreed to destroy the personal information of children collected by the bug within 30 days of the service of the order. [PCWorld] See also: [StubHub Case Rejected: a California judge rejected a proposed $2 million settlement between StubHub and a class of 69,000 customers] and also: [Google Class-Action Dropped: a group of Android users who brought a class-action against Google have dropped their case] and also [The EU will approve Facebook’s $19 billion offer for messaging service WhatsApp]

US – Hoffman Named 2014 IAPP Privacy Vanguard, Calls on Privacy Pros To Promote Ethical Use of Data

Computing has become so sophisticated that, if used correctly, it could solve many of the very real problems we face in areas like healthcare, education and renewable resources. But progress can only be made if the data we collect and compute is used correctly and ethically, and privacy professionals have an obligation to fight for that. That was the call-to-action David Hoffman made from the stage at the IAPP’s Privacy Academy in San Jose, CA, just after he accepted the 2014 IAPP Privacy Vanguard Award. “The public needs to understand that our organizations can be trusted,” Hoffman said. [Full Story]

US – Microsoft Privacy, Security Work to Become Part of Cloud, Legal Groups

Microsoft has announced its Trustworthy Computing group will no longer be a stand-alone entity, with the unit’s work on privacy, security and related issues being folded into Microsoft’s Cloud & Enterprise Division and Legal & Corporate Affairs, GeekWire reports. Microsoft indicated one of the goals “is to integrate the Trustworthy Computing work more tightly into Microsoft’s engineering teams,” the report states, noting a portion of the group will report to Microsoft General Counsel Brad Smith and another to the Cloud & Enterprise Division’s Scott Guthrie. [Source]

WW – Jepsen Questions Apple Watch; Apple Lobbies Congress on Health Privacy

Connecticut Attorney General George Jepsen has sent a letter to Apple requesting a meeting to discuss his concerns about how the company will collect, store and process personal health information generated by its forthcoming Apple Watch. Jepsen noted he was not accusing Apple of any violations but attempting to open a dialogue. Meanwhile, Apple has sent a cadre of executives to Capitol Hill to address the emerging privacy and security concerns a week after it unveiled a slew of new products and services, Politico reports. Apple’s chief technology officer and health product manager have briefed the House Energy and Commerce Committee to “provide an overview of Apple’s new offerings, demonstrate the new products and discuss how Apple sees this market developing.” [PC World]

US – Apple Makes Bold Privacy Statement

With a letter from CEO Tim Cook posted at the top, Apple released today a new privacy notice , which includes “a detailed look at how we protect your privacy.” Perhaps most notably, Apple is committing to technology that will make it impossible for the company to read the contents of iPhones or iPads upon government request. Further, declared Cook, “I want to be absolutely clear that we have never worked with any government agency from any country to create a backdoor in any of our products or services. We have also never allowed access to our servers. And we never will.” In another sign of the company’s commitment to privacy as a business driver, Apple, along with Box, announced via TRUSTe that it is Asia-Pacific Economic Cooperation-certified. [Full Story]

US – Mining WiFi Data: Retail Privacy Pitfalls

To compete with large online sites, more brick-and-mortar retail outlets are exploring in-store tracking. This feature looks into the practice to see whether retailers are going too far. “Two years ago, nobody wanted to put WiFi in their stores to give customers a way to window shop,” said General Datatech Senior Wireless Engineer Ryan Adzima. “Now they have a massive incentive because they’ll see you going to Amazon or other competitors; they’ll see your buying history, and they can target you more specifically and draw you away from competitors.” [InformationWeek]

Privacy Enhancing Technologies (PETs)

WW – Privacy Technology Everyone Can Use Would Make Us All More Secure

Cory Doctorow argues privacy-enhancing technology has long been unnecessarily difficult to use for the common person. In doing so, he announced SimplySecure.org, a nonprofit that he’s advising and which “collects together some very bright usability and cryptography experts with the aim of revamping the user interface of the Internet’s favorite privacy tools.” He also reaches out to those who haven’t shown an interest in privacy until now: “If you were lucky enough to be born with the unearned privilege of having ‘nothing to hide,’ then you owe it to your children, brothers, sisters, parents and friends who don’t have your good fortune to help provide cover for them.” [The Guardian]

WW – Nokia Position Paper Highlights the “Privacy Engineer”

Privacy by Design and legislative developments in privacy are valid, says a paper from Nokia entitled “Privacy Engineering and Assurance“; however, it notes, “they do not answer the question of ‘How do you do it, in practice?’“ The Nokia paper aims to foster the birth of a new professional—the privacy engineer—and solve the problem of “how” by developing a software engineering discipline that includes privacy engineering and privacy assurance to “take Privacy by Design from a subjective set of seven essential principles into a framework for implementation of privacy in the product creation process.” [Source] See also: [Creating Standards for Privacy Engineers]

WW – Ello Promises Privacy;

Privacy-focused alternatives to popular services continue to emerge, including, this week, the introduction of Ello, a social networking alternative to Facebook that claims to respect user privacy by not selling or sharing data with third parties. “You are not a product,” the invite-only social network wrote in its manifesto. The site does use cookies, both on its site and in emails; Google Analytics to generate aggregated user data, and honors Do-Not-Track settings. [CSO]


US – Missouri RFID Ban Highlights Nation’s Privacy Fears

Student privacy advocates are hailing a new law in Missouri that bans school districts from tracking students using radio frequency technology. Last week, state lawmakers overrode the governor’s veto of the bill. The controversial technology uses radio waves emitted from tiny batteries, often embedded in a card or badge, to track the location of students. The new law reflects growing national concern about electronic privacy in the wake of reports of massive government surveillance efforts through the National Security Agency. It also shows a growing interest in student privacy as parents are increasingly questioning the kinds of student records that schools maintain electronically. [Source]


WW – OWASP Releases Its First Top 10 Privacy Risks

Just seven months after the project’s start , the Open Web Application Security Project’s Top 10 Privacy Risks Project has released its first list of findings. Headed up by Florian Stahl and Stefan Burgmair, the project, quite simply, aims to document the top 10 privacy risks in web applications, consulting with volunteers and experts from across the globe. “The result,” reads the project’s description, “is a list covering technological and organizational aspects focusing on real-life risks and not only legal issues.” The top three risks include web application vulnerabilities, operator-sided data leakage and insufficient data breach response. The project and its results are free to use, and it is licensed under the GNU GPL v3 license. [Privacy Perspectives]

EU – European Network and Information Security Agency Annual Incident Reports 2013: Analysis

Security incidents in the electronic communications sector across the European Union, are classified as follows – natural phenomena (earthquakes, floods, pandemic diseases, etc.) – 38%, human errors (improper use of tools or errors in execution of procedures) – 31%, malicious attacks (a deliberate attack by an internal or external agent) – 4%, and system failures (hardware and software failures) – 27%. The most prominent causes of data security incidents include the following – software bugs, hardware failure, software misconfiguration, human error, and hardware misconfiguration; the assets most affected include the following – base stations and controllers, switches, mobile switching, core networks, and power supply systems. [Report]

WW – NSA/GCHQ/CSEC Infecting Innocent Computers Worldwide

There’s a new story about a 5-Eyes program to infect computers around the world for use as launching pads for attacks. These are not target computers; these are innocent third parties. The article actually talks about several government programs. Increasingly, innocent computers and networks are becoming collateral damage, as countries use the Internet to conduct espionage and attacks against each other. This is an example of that. Not only do these intelligence services want an insecure Internet so they can attack each other, they want an insecure Internet so they can use innocent third parties to help facilitate their attacks. The story contains formerly TOP SECRET documents from the US, UK, and Canada. Note that Snowden is not mentioned at all in this story. [Schneier on Security – Crpto-Gram Newsletter] SEE ALSO: [Why it’s a bad idea to sell your child’s cheap tablet on eBay]

US – NIST Releases Draft Guidelines for 3-D Printer Security

The US National Institute of Standards and Technology (NIST) has released draft guidelines for 3-D printer security. The guidelines note that attackers who manage to breach the printers’ security could not only steal sensitive plans but also pose physical threats to the plants and employees. The specialized printers, which sometimes use metal powders to “print” objects, could explode. The machines’ commands could also be altered, undermining the printed objects’ integrity. NIST will accept comments on the document through October 17, 2014. [NextGov] [NIST]

US – DHS Program Will Bring Technologies from Lab to Practice

The US Department of Homeland Security’s (DHS’s) Transition to Practice (TTP) program aims to bring cyber security technology developed at federal laboratories “into the real world.” [HSToday]

US – NIST Creates Digital Evidence Subcommittee

The National Institute of Standards and Technology (NIST) has established a new digital evidence/forensic science subcommittee in its Organization of Scientific Area Committees (OSAC). The committee will “identify and establish national standards and guidelines for forensic science practitioners.” [NIST]

WW—Bash Shellshock Flaw

A serious flaw in a software component called Bash is said to be more serious that the Heartbleed vulnerability that was disclosed earlier this year. The flaw, which is being called Shellshock, can be exploited to remotely take control of vulnerable systems. It affects an estimated 500 million UNIX and LINUX machines. Bash, or the GNU Bourne Again Shell, is a command prompt on many Unix systems. The US Computer Emergency Response Team (US-CERT) has issued a warning and is urging admins to patch the flaw. Others have expressed concern that the patches that have been made available are incomplete. [BBC] [CSMonitor] [Krebs] [Ars Technica] [US CERT] –Shellshock Flaw is Being Actively Exploited (September 25, 2014) There are reports that attackers have already begun exploiting this flaw to infect vulnerable servers around the world. [eWeek] [ZDNet] [WIRED and [NYT: Shellshock May Further Marginalize Open Source Software]]

Smart Cards

US – US Will Adopt Chip-and-PIN

The idea of storing credit card account information on a magnetic stripe, while innovative in 1960 when it was first conceived, is now vulnerable to theft, particularly because the data encoded on the magnetic stripes are static. The US is finally following the rest of the world in moving to the more secure chip-and-PIN, or EMV technology (so-called because it was started by Europay, MasterCard, and Visa). [WIRED]


CA – Ottawa Admits to Tracking Hundreds of Protests

Ottawa has kept tabs on hundreds of demonstrations across Canada and around the world over the last eight years, from peaceful protests to public university lectures to riots. Newly released documents show about 800 public demonstrations and events were observed and reported on by government departments and law enforcement agencies since 2006. Reports were collected centrally by the Government Operations Centre, an agency tasked with preparing the federal government’s response to emergencies. Some were collected by Foreign Affairs on international protests, but the majority focused on domestic events – especially First Nations protests and environmental activism. Some appear to be media reports detailing the events, but others were prepared by Canada’s spy agency, CSIS, and the RCMP. The Conservative government has defended the practice, saying even peaceful protests can go bad and the public’s safety must be protected. But the documents, tabled in Parliament, reveal the Government Operations Centre was interested in much more than protests. [The Toronto Star]

US – NSA Chief Dismisses Scandal’s Impact; Agency ‘Fully Compliant’ With Law

Whistleblower Edward Snowden’s revelations about the NSA surveillance programs have not negatively affected its relationship with foreign counterparts, said NSA Director Adm. Michael Rogers, adding the corporate sector, nation states and foreign intelligence counterparts have not walked away from the agency. Rogers, who has been at the agency’s helm for only five months, said he is not dwelling on the past, but he did defend the agency’s controversial operations. “The reviews to date have all come to the conclusion that the National Security Agency has been fully compliant with the law and, secondly, that in the execution of those lawful operations, there is no finding that the NSA has attempted to systematically undermine that law or failed in its duties to protect the information that it collects,” he said. Moving forward, the NSA should aim for “translucency” because true “transparency” would undermine surveillance efforts entirely, he said. “The people on the other side of the glass can see the broad movement of the shapes and have a comfort level with that,” said Hayden. [FierceGovernementIT]

US – NSA Director: Snowden Hasn’t Damaged Our Relationships with Counterparts

NSA Director Adm. Michael Rogers said the Edward Snowden revelations have not negatively affected the NSA’s relationship with its counterparts, pointing out “the corporate sector, nation states and foreign intelligence counterparts have not walked away from the agency.” Rogers has been leading the agency for the last five months. Meanwhile, a new chat program designed by a middle-school dropout, now aged 22 and a self-taught coder, offers anonymity and encryption and even resolves the issue of metadata . A new version of the program, called Ricochet, is planned for release in November. [FierceGovernmetn IT]

US – Border Patrol to Test Body Cameras to Curb Use of Force

The U.S. Border Patrol has purchased body cameras and will begin testing them this year at its training academy, two people briefed on the move said Wednesday, as new leadership moves to blunt criticism about agents’ use of force. R. Gil Kerlikowske, who has led the Border Patrol’s parent agency since March, announced the plans to a small group of activists who have pressed for cameras, according to a person who attended the briefing and spoke on condition of anonymity because the discussion was intended to be private. Testing will occur at the Border Patrol academy in Artesia, New Mexico. [CBC News]

WW – Making an Art of Surveillance

An exhibit set to feature hacked photos of naked celebrities is raising eyebrows, blurring lines between our online and offline worlds. “Celebgate has brought many privacy issues to the forefront,” noting that while XVALA’s exhibit may seem to “demonstrate that noncelebrities simply have much less to fear,” past artistic installations have shown that random images of “unremarkable people” have also raised concerns, sometimes even leading to lawsuits. “Like other art before it, this leading edge of expression exploring surveillance, privacy and anonymity will challenge and make us face the realities we are creating—at least as long as these exhibits are permitted for public consumption’” [Source]

Telecom / TV

US – ‘Interceptor’ Cellphone Towers Found Near White House, Senate

Mysterious “interceptor” cellphone towers that can listen in someone’s phone call despite not being part of any phone networks have turned up near the White House and Senate. A company that specializes in selling secure mobile phones discovered the existence of several of the towers in and around the nation’s capitol. “It’s highly unlikely that federal law enforcement would be using mobile interceptors near the Senate,” ESD America CEO Les Goldsmith said. The towers are also capable of loading spyware onto a mobile device before passing off a victim’s call to a legitimate network. “My suspicion is that it is a foreign entity,” he told Venture Beat. [The Washington Times]

CA – The Covert Cellphone Tracking Tech the RCMP and CSIS Won’t Talk About

Law enforcement and intelligence agencies in Canada won’t say whether they use covert tools called International Mobile Subscriber Identity (IMSI) catchers to track the location of mobile phones and devices – even as the extent of their use by U.S. government agencies is raising serious questions among civil libertarians. The devices colloquially known as Stingrays – which is the trademarked name for a widely used model sold by Florida-based Harris Corp. – commonly work by masquerading as a legitimate cellular communications tower and tricking nearby devices into connecting and sharing your phone’s IMSI, typically without the knowledge of device owners. Once connected, an operator can collect identifying information on all connected devices in a geographic area, or home in on the location of a specific device. In certain circumstances, it can even intercept phone calls and text messages. [The Globe and Mail] SEE ALSO: [Documents Suggest Maker of Controversial Surveillance Tool Misled the FCC] AND [The ACLU wrote a letter to the FCC asking for an investigation]

CA – Netflix Refuses CRTC Demand for Confidential Data

Netflix refused to heed a demand from Canada’s federal broadcast regulator to hand over confidential customer data despite threats its exemption from regulation would be revoked if the video streaming service did not comply. “While Netflix has responded to a number of the CRTC’s requests, we are not in a position to produce the confidential and competitively sensitive information ordered by the commission due to ongoing confidentiality concerns,” said a Netflix spokesperson. “While the orders by the CRTC are not applicable to us under Canadian broadcasting law, we are always prepared to work constructively with the Commission.” [Source] See also: [Mining WiFi Data: Retail Privacy Pitfalls]

US – FTC Files Comments with FCC on Promoting Privacy in Broadband

In a comment filed Friday with the FCC, the FTC provided information on its enforcement, policy and education work as it relates to consumer privacy and data security as applied to residential broadband Internet services, according to an FTC press release. In its comments, the FTC highlights its efforts to promote consumer privacy and data security “through rigorous enforcement of the FTC Act, the Fair Credit Reporting Act and the Children’s Online Privacy Protection Act.” It also describes its privacy report, Protecting Consumer Privacy in an Era of Rapid Change, and its numerous workshops and seminars on related topics. [Source]

US – Apple’s CEO Throws Major Shade at Tech’s Ad-Based Business Model

Apple announced new privacy features and a push to educate consumers on how the company uses their data in an open letter from chief executive Tim Cook. In the letter, Cook also took some not so subtle digs at competitors who mine user data for advertising purposes: “We don’t build a profile based on your email content or web browsing habits to sell to advertisers. We don’t “monetize” the information you store on your iPhone or in iCloud. And we don’t read your email or your messages to get information to market to you.” [Washington Post]

US – FPF Gives iOS8 a Thumbs-Up; Apple Faces Criticism for iTunes Gift

The Future of Privacy Forum has reviewed Apple’s iOS8, concluding its new “prompting with purpose” disclosures, refined location settings and strict requirements for apps “will present greater transparency, protection and control over privacy” for users. Meanwhile, as part of its launch of the iPhone6, Apple featured a gift to users: Irish rock band U2’s new album. A free download was sent to users’ iTunes music collection, but some users weren’t so excited, citing Apple had gained access to their accounts without asking permission first. [Source]

US Government Programs

US – CFPB to Tighten Controls After Government Audit Cites Problems

Responding to government auditors, the Consumer Financial Protection Bureau (CFPB) is formalizing a comprehensive privacy plan addressing how the agency will assess and manage privacy risks and monitor and audit privacy controls. The CFPB also will develop role-based privacy training for its staff and review its remedial action plans and information-security risk management process “to further refine oversight of service providers,” according to CFPB Director Richard Cordray. The changes come after a Government Accountability Office audit issued this week stated the CFPB “lacks a plan to adequately protect” the consumer financial data it collects. [GovInfoSecurity]

US – GAO Says TSA Needs to Strengthen Privacy Oversight

The Government Accountability Office (GAO) has said the Transportation Security Administration (TSA) has made positive strides implementing its Secure Flight program but still needs to improve oversight of its privacy mechanisms, including staff training. “Because the program relies on sensitive information, including personally identifiable information from the approximately two million people Secure Flight screens each day, privacy incidents and inappropriate disclosures could have significant impacts on the traveling public,” the GAO audit states. Though the TSA has implemented privacy measures, more could be done, including job-specific privacy training in line with Office of Management and Budget privacy training requirements, the report states. [HS Today]

US – FISA Court Renews NSA Metadata Program

The Foreign Intelligence Surveillance Court has reauthorized the NSA program that collects in bulk the metadata of U.S. citizens’ phone records. The reauthorization comes while a reform bill remains stuck in the Senate. “Given that legislation has not yet been enacted, and given the importance of maintaining the capabilities of the Section 215 telephony metadata program, the government has sought a 90-day reauthorization of the existing program,” said the Department of Justice and Office of the Director of National Intelligence in a joint statement. Both of the government agencies also said they support the USA FREEDOM Act, saying “it reflects a reasonable compromise that preserves essential intelligence community capabilities, enhances privacy and civil liberties and increases transparency.” [The Hill]

US – Appeals Court Says NCIS Scan of Civilian Computers Went Too Far

A US federal appeals court in California ruled that the Naval Criminal Investigative Service (NCIS) overstepped its authority when an NCIS agent used a tool to search for hashed child pornography images on the computers of all Washington state computer users running Gnutella file-sharing software. Judge Marsha Berzon wrote that the “surveillance of all computers in Washington amounted to impermissible direct active involvement in civilian enforcement of the child pornography laws, not permissible indirect assistance.” [Ars Technica]

US – Air Force Seeking Improved Network Mapping and Analysis Technology

According to a presolicitation notice, the Air Force is seeking situational awareness technologies to help it see what is happening on its networks. The program, called Mission Awareness for Mission Assurance (MAMA) “will investigate the automated assessment of mission execution by analyzing network traffic flows” so personnel can “prioritize essential functions, map out cyber assets, and assess and mitigate vulnerabilities.” The Air Force wants to be able to carry out core missions in the face of attacks. [Defense Systems] [Presolicitation Notice]

US – Connect.gov Password Consolidation to be Tested Next Month

Starting as soon as October 2014, Connect.gov, a system that will eliminate the need for users to remember at least some of their sets of access credentials, will “launch with a few key anchor agencies that will be testing it out in the first round.” More agencies are expected to join within the next two years. [NextGov]

US Legislation

US – As Laws Are Slated for the Books, Tech Worries Persist

Student privacy bills are headed to the books in 20 states. According to the Data Quality Campaign, 110 bills on student data privacy were introduced in 36 states this session, with 24 being signed into law. They addressed biometric, social and personal information. Mmeanwhile, the lack of restrictions on the “unprecedented student data amassed by education technology companies,” and the tensions that continue to build as the federal government encourages the use of such technology while parents worry about who gets that information and what’s done with it. A story in The New York Times story reports on similar concerns. [Government Technology]

US – Tech Companies Urge Lawmakers to Move Forward with Bill to Amend ECPA

Technology companies are calling on US legislators to pass Email Privacy Act, a bill that would update the 1986 Electronic Communications Privacy Act (ECPA), which allows law enforcement authorities to search, without a warrant, communications that have been stored in what we now call the Cloud for more than 180 days. The bill’s supporters say that ECPA is outdated and poses a threat to people’s privacy. [The Hill]

Workplace Privacy

NZ – Is it Wrong to Send Personal Emails to Work Addresses?

The Legal Complaints Review Officer (“LCRO”) of the Office of the Privacy Commissioner, New Zealand, determined that there was a risk that a confidential email sent by an lawyer to an individual’s work email account might have been accessed by others in the workplace (the fact that this did not appear to have occurred did not detract from concern about the risk); however, the LCRO declined to make a disciplinary finding, claiming that it was not appropriate to make an example of the lawyer when the use of email for communication needed more discussion by the Law Society and its members. [Source]

US – Barriers to BYOD? A Lack of Trust In Employers to Protect Privacy

A new survey released by AdaptiveMobile finds only 30% of more than 5,000 employees of global organizations are happy with “employers managing their corporate mobility service.” In total, 84% of respondents listed privacy as a top-three concern with the use of personal devices for work. Almost half simply wanted to keep work and private life separate, but a full quarter also said they have a general mistrust of their employer “being granted any type of control over their devices.” [ZDNet]

US – Federal Background Checks, One Year After The Navy Yard Shooting

A year after a Navy and Marine Corps subcontractor killed 12 people at the Washington Navy Yard, the federal government has fired the firm that handled most of its background checks, conducted multiple reviews of security-clearance processes and changed key screening policies. Now the government is touting major reforms of the process, which faced challenges long before incidents with Alexis and Edward Snowden brought critical problems into focus. In a February report, the council said screeners need greater access to state and local police reports. It concluded that they can’t always view records that could raise red flags, oftentimes because of legal and technological limitations. The review echoed findings from the House Oversight and Government Reform Committee. OPM said it now has increased its engagement with local and state police agencies and is working on IT upgrades to connect more with crime databases. The Obama-appointed council also called for OPM to conduct follow-up investigations every five years for employees and contractors who hold clearances. That requirement is now in place. In addition, it also recommended reducing the number of workers who hold clearances. The Defense Department made the same recommendation in its review of the shooting, released in March. Clapper has directed all agencies to identify clearances they could eliminate. The Pentagon has said it expects to reduce the number of Defense authorizations by 10 percent. Earlier this month OPM announced another major change: It said it would not renew its contract with USIS for background checks. In Congress, lawmakers have also proposed various background-check bills. [Source]


Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: