01-15 October 2014


US – Airlines Look to Biometrics to Streamline the Check-In Process

Biometrics, the technology that uses human physical traits as a form of identification, is gaining popularity with governments and merchants. Now airlines are considering the technology. The next breakthrough in paperless airline ticketing may be under your thumb — literally. Alaska Airlines is exploring using passengers’ fingerprints to replace travel documents, driver’s licenses and credit cards now needed to navigate from airport curbs to jetliner seats. If successful, it would be the first U.S. carrier to employ biometrics for boarding passes and inflight purchases and could spur wider adoption across the industry. [Source]

WW – Levin: Build in Biometric Security for Market Advantage

Adam Levin writes about how “legions of sophisticated hackers are infiltrating the most state-of-the-art data security strategies out there” and how biometrics “may well be the next ‘less hackable’ thing.” He notes there will likely be a small window of time before biometrics become “‘the new normal,’” so “there is a marketing advantage, which is why it’s crucial for companies that handle sensitive information to get in front of the trend.” He notes Apple has begun this process and other companies are experimenting with “bio-specific authentication.” He writes that if there is a takeaway, “it’s to be found in the Apple model, which doesn’t lead with a security solution so much as it incorporates it.” [Forbes] See also: [Companies Battle It Out on Privacy]

EU – Comedy Club Charges Per Laugh With Facial Recognition

A comedy club in Barcelona is experimenting with charging users per laugh, using facial-recognition technology to track how much they enjoyed the show. The software is installed on tablets attached to the back of each seat at the Teatreneu club. Each laugh is charged at 0.30 euros (23p) with a cap of 24 euros (£18). Takings are up so far. The project was developed to combat falling audience numbers. The system is now being copied in other theatres around Spain. The comedy club has also launched a mobile app as a method of payment, as well as its first pay-per-laugh season ticket. James Woroniecki, director of London’s 99 Club, said: “Sounds fun, just so long as all the facial recognition data doesn’t get forwarded to the NSA [US National Security Agency].” [BBC News]

WW – Millions of Voiceprints Quietly Being Harvested as Latest ID Tool

The collection of voiceprints by governments and businesses is increasing “to pay pensions, collect taxes, track criminals and replace passwords.” A representative from a voice biometric vendor said, “There’s a misconception that the technology we have today is only in the domain of intelligence services, or the domain of Star Trek … The technology is here today, well-proven and commonly available.” A Barclays executive suggested “voice biometrics will be the de facto standard in the next two to three years.” A separate report notes the rise of the technology is spurring privacy concerns. One advocate said if public use of voice biometrics services were to be compromised, “We could lose a major avenue of anonymous speech.” [The Guardian] [Voiceprint harvesting – the next frontier in data privacy war]

Big Data

US – FPF Whitepaper Intros Toolbox for Weighing Big Data Rewards, Risks

Over the past few years, organizations have developed various frameworks to measure the privacy risks of new projects, products or services. Yet these frameworks, typically called privacy impact assessments or risk management tools, account for only one part of a cost-benefit analysis. In a new Future of Privacy Forum (FPF) whitepaper, Jules Polonetsky, IAPP VP of Research and Education Omer Tene and the FPF’s Joseph Jerome introduce a new toolbox for weighing big data rewards against privacy risks. The paper includes case studies and graphics and provides a taxonomy of privacy risks and an analytical framework for “data benefit analysis.” [Source] See also: [Washington Post: Weighing the Benefits of Mining Health Data] See also: [Big Data is watching you. Has online spying gone too far?] AND Intel Global Privacy Officer David Hoffman explained

US – Information Accountability Foundation Releases Big Data Ethics Whitepaper

The Information Accountability Foundation released its first paper on its Big Data Ethics Project. The project aims to create tools for businesses and law enforcement authorities to ensure big data benefits while preventing negative outcomes such as discrimination or misuse of data. Governance, according to the paper, is key. “To establish big data governance, the foundation believes in the need for a common ethical frame based on key values and the need for an interrogation framework,” the paper states. “In formulating a frame, we concluded the following: Governance requires enforcement; big data enforcement needs to be explored by stakeholders, and interrogation frameworks should be customized.” [Source] SEE ALSO: Intel’s endeavor to encourage organizations to take “a data innovation pledge” that promotes “the simultaneous ethical and innovative use of data.” Meanwhile, speaking at an EU event, Tim Berners-Lee suggested “the promise of big data has been undermined by companies using their customers’ data to deliver targeted advertising.”

UK – ICO Publishes Report on Big Data

On 28 July, the ICO released its report ‘Big data and data protection’ (the ‘Report’). The Report defines ‘Big Data’ and sets out the data protection and privacy issues raised by Big Data, as well as compliance with the UK Data Protection Act 1998 (‘DPA’) in the context of Big Data. The ICO defines Big Data by reference to the Gartner IT glossary definition, and further explains that the processing of personal data must be of a significant volume, variety or velocity. When announcing publication of the Report, Steve Wood, the ICO’s Head of Policy Delivery, stated that “Big Data can work within the established data protection principles. … The principles are still fit for purpose but organisations need to innovate when applying them.” [Source]

WW – Can Mobile Tracking Help Stem Ebola Outbreaks?

Big data analytics may help emergency response teams, medical charities and nongovernmental organizations contain the Ebola virus, but to do so, tracking of mobile phones is needed. According to the report, citizens in some of the poorest countries in Africa own mobile phones, which is proving to be a “rich source of data in a region where other reliable sources are sorely lacking.” In one example, Orange Telecom in Senegal shared anonymized voice and text data from 150,000 mobile phones with Swedish nonprofit Flowminder to help draw up maps of population movements in the region. And the U.S. Centers for Disease Control is currently collecting mobile phone activity data from operators to map where helpline calls are sourced. [BBC News]


CA – Cyberbullying Bill Inches Closer to Law Despite Privacy Concerns

A controversial bill to fight cyberbullying and give more powers to law enforcement is set to pass third reading in the House of Commons. Bill C-13 would make it illegal for anyone to post or transmit an “intimate image” of another individual without that person’s consent. But other measures included in the bill would give police easier access to the metadata that ISPs and phone companies keep on every call and email by their customers. It would also make it easier for police to get preservation or production orders by lowering the threshold from “reasonable grounds to believe” a crime has happened or could happen to “reasonable grounds to suspect.” The bill would also give immunity to any companies that turn over to police the information they hold. The bill is expected to pass, with the majority Conservatives supporting it despite a number of objections raised by Canada’s privacy commissioner, Daniel Therrien, and by Amanda Todd’s mother. Both Therrien and Todd said the bill should have been split so the widely embraced cyberbullying measures were considered separately from the far more controversial online data-collection measures. NDP digital issues critic Charmaine Borg said she expects the bill, should it become law, to be challenged in court following the Supreme Court’s decision last June in the case R. v. Spencer. The Spencer decision barred ISPs from voluntarily disclosing the names, addresses and phone numbers of their customers to law enforcement officials in response to an informal request — something ISPs have been doing hundreds of thousands of times a year. The landmark decision came the day the House justice committee reported back to the House on C-13. [Source] See also: [Cyberbullying bill C-13 moves on despite Supreme Court decision] See also: [Harper government missed deadline on jihadi tracking tool]

CA – Alberta’s PIPA Scheduled to Lapse on November 15, 2014

On November 15, 2013, the Supreme Court of Canada found Alberta’s Personal Information Protection Act (PIPA) to be invalid and gave Alberta’s Legislature 12 months to make it constitutional. To date, no amendments to PIPA have been tabled by the Alberta government, and the next session of the Alberta Legislature has been delayed until November 17, 2014. On September 22, 2014, Alberta’s Information and Privacy Commissioner wrote an open letter to Alberta’s Premier, the Minister of Justice and Solicitor General and the Minister of Service Alberta expressing concern over PIPA’s inevitable lapse as a result of the delayed start to the session of the Alberta Legislature: If PIPA is allowed to lapse, Alberta’s citizens and businesses will lose the unique benefits afforded by the legislation, including: mandatory breach reporting and notification to affected individuals, local enforcement without court involvement, and protection for the access and privacy rights of employees of provincially-regulated private sector businesses. As the oversight body for PIPA, the Commissioner’s office is receiving inquiries from the public and stakeholders as to the status of the legislation. In addition, there are 280 PIPA cases currently open – including breach reports from organizations, complaint investigations, and quasi-judicial inquiries – which will potentially be affected in the event the legislation lapses. In response, Alberta’s new Premier, Jim Prentice, declared he would be seeking an extension from the Supreme Court with respect to the amendment deadline. A motion extending the suspension of the declaration of invalidity was filed in the Supreme Court by the Attorney General of Alberta on October 1, 2014. [Source] “In a precedent-setting decision, Alberta’s Court of Queen’s Bench has ruled the province’s Health Information Act protects any information broadly connected to a patient’s care, even if that information is about another person.”

CA – Decision Reserved in Lawsuit Over Sask. Student’s Cellphone Privacy

A judge has reserved decision in a lawsuit over whether a Grade 6 student’s privacy was violated when school staff read the texts on his cellphone. Court heard a teacher at Riverside Community School in Prince Albert took the 12-year-old’s phone when she caught him texting during class in March 2010. The teacher gave the phone to the then-vice-principal, who went through the boy’s texts and found one about a car theft. Dwayne Tournier testified the text was from someone who said — quote — “we stole a car.” The lawsuit alleges that after the school contacted police, an officer got the boy to text the sender back about the car’s location and then took him in a cruiser to identify the vehicle. The boy’s grandparents, who were his guardians, argue the actions of the school put the boy in a position where he feared retaliation by the text’s sender because the boy was seen in the cruiser. The lawsuit claims damages from the Saskatchewan Rivers School Division and Tournier. “The mistake, if a mistake was made, is in reading the contents of the cellphone, then calling the local city police to take this young lad to a stolen vehicle to identify a vehicle,” said lawyer Marcel Simonot, on behalf of the grandparents. [Source]

CA – OPC’s Bernier Joins Private Practice

Former Interim Privacy Commissioner of Canada Chantal Bernier has joined Dentons’ privacy and security practice as counsel. “We are honored to have Chantal Bernier, a renowned thought-leader in privacy protection, join Dentons,” said Dentons CEO Chris Pinnington. “In the digital age, when privacy risks and concerns are on the rise, Ms. Bernier’s perspective and insight as a seasoned regulator and senior executive will be a tremendous asset to our clients, in Canada and around the world.” [MarketWired]


EU – Survey Shows What Europeans Think Their Personal Data Is Worth

A survey commissioned by European telco Orange examines how Europeans perceive the value of their personal data. “There is a perceived imbalance within the data-sharing relationship,” the survey states, “with two-thirds of consumers believing that organizations benefit the most from the sharing of data—just 6% think that the consumer benefits the most.” The UK, France, Spain and Poland were surveyed, and respondents, on average, said that each piece of personal data shared with a familiar business is worth approximately $21. For unfamiliar companies, the value increased to $25. The report includes breakdowns of what respondents thought specific data points were worth, including full name, date of birth, location, income and marital status. [Quartz]

US – The Future of Retail Tracking and Allegations About Uber’s Location Privacy

Macy’s is leading the rise of iBeacon technology in retail stores. The retail chain will add 4,000 iBeacon devices to its almost 800 stores nationwide in the next few weeks. Macy.com President Kent Anderson said, “The customer who gets more engaged in more of the channels that Macy’s has to offer gives us more wallet share.” iBeacons are also being placed at various Marriott locations. [The Washington Post]

US – Experiment Demonstrates Perils of Not Reading Privacy Policies

In an experiment to demonstrate the dangers of connecting to unfamiliar networks, security firm F-Secure set up an open WiFi network in a busy, public area in London, UK, complete with lengthy terms and conditions that included a “Herod clause.” Yup. Six people clicked through to exchange “permanent ownership” of their firstborn children for WiFi access. Enter Terms of Service; Didn’t Read, a user rights initiative that is rating websites according to their terms and privacy policies. [Source]

US – How Many Chocolate Chip Cookies is Your Personal Data Worth?

In a recent experiment, New York-based artist Risa Puno asked New Yorkers at an arts festival to give up sensitive personal information, from fingerprints to partial Social Security numbers (SSNs), for a cookie—not a web cookie, an actual cookie. In total, 380 did so, with 117 allowing Puno to take their fingerprints and just under half giving her the last four digits of their SSNs. Based on the experiment, Slate offers advice on how to measure the value of your personal data in cookies. Meanwhile, ComputerworldUK reports on how firms can survive in the age of data currency. [ProPublica]


CA – PEI Privacy Commissioner Urges Review of Government Document Storage

Personal records stored in derelict buildings should serve as a wake-up call to government, says the information and privacy commissioner. The province is in the process of relocating health and financial records housed in two boarded-up Health P.E.I. buildings in Charlottetown. City police have reported that the buildings have been broken into at least five times in the last month. Maria MacDonald doesn’t believe this is an isolated case of poorly stored documents. Close to 1,200 boxes of documents, including medical and financial records, are being removed from the buildings, says Pam Trainor, executive director of acute care, mental health and addictions for Health P.E.I. The removal of the records began Thursday and most were expected to have been taken out of the old buildings by the end of Monday. [Source] [Ireland: Investigators accessed social welfare information and disclosed to credit unions]

CA – IBM Wins a Federal Data Centre Contract

IBM Canada has won a multi-year contract to provide and manage one of the new data centres the federal government needs as it consolidates IT infrastructure under its Shared Services program. IBM’s Barrie, Ont., data centre building, which was opened in 2012, will house some of the federal IT infrastructure as the government squeezes 485 data centres into seven by 2020. This contract dealt only with the physical space. IBM will not be providing servers, storage or networking. [IT World Canada]

US – Public Officials Give Up Some Privacy on Personal Cellphones – Editorial

Citizens expect, demand and deserve public officials who put the public first. One way we put the public first is by promoting open government and protecting the people’s right to know. An official cannot choose to use personal technology like a cellphone or home computer to conduct public business and then deny access to the resulting public records on grounds of personal privacy. This point was driven home recently for Pierce County Prosecuting Attorney Mark Lindquist, who had been using his personal cellphone for official business. The question of whether public officials can keep public information private is now winding its way through the courts. Public records do not become private property when created and stored on personal devices. The information in public records belongs to the people, even if accessing it on a private device is inconvenient or embarrassing for the official who created and stored it there. [Source] See also: [New York postman accused of hoarding 2,500 pounds of mail]


CA – CASL: Rules for the Installation and Use of Computer Programs

Effective January 15, 2015, Canada’s anti-spam law (commonly known as “CASL”) will impose onerous restrictions and requirements for the commercial installation and use of computer programs on another person’s computer system. The rules apply to almost any computer program (not just malware/spyware/harmful programs) installed on almost any computing device (including mobile phones) as part of a commercial activity (regardless of expectation of profit). The rules have potentially serious implications for Canadian businesses that distribute computer programs and for foreign businesses that distribute computer programs to computer systems located in Canada. Unfortunately, the rules are challenging to interpret and apply, and regulators have provided limited guidance. [More] See also: [CRTC works with small business to stop malicious spam from being sent to Canadians]

Electronic Records

US – Advocates Claim Compliance Site Violates COPPA

The Center for Digital Democracy and Campaign for a Commercial-Free Childhood have alleged in comments filed with the FTC that AgeCheq—a company that aims to help app developers comply with children’s privacy rules—itself violates those regulations. The comments claim AgeCheq collects data about children without first obtaining their parents’ permission, in violation of the Children’s Online Privacy Protection Act (COPPA). AgeCheq CEO Roy Smith said the allegations are “specious,” adding, “We’re mystified by this whole thing.” Smith said he doesn’t believe COPPA bans the company from collecting data about children because his site doesn’t fit into COPPA’s definition of a website operator. [MediaPost]

EU Developments

EU – Google Ordered to Change Handling of User Data in Germany

Hamburg Data Protection Commissioner Johannes Caspar issued a statement ordering Google to limit how it combines user data that could be used to determine such customer information as marital status or sexual orientation. Caspar emailed Google about its 2012 privacy policy terms, which allow it to combine data it gathers when customers use its services. “With that, one can compile detailed movement patterns, detect the social and financial status, and friendship, sexual orientation and the relationship status,” Caspar said, ordering Google “to take the necessary technical and organizational measures to guarantee that their users can decide on their own if and to what extent their data is used for profiling.” Google is reportedly reviewing the order. [Bloomberg]

EU – Ansip: EU May Suspend Data-Sharing Agreements if U.S. Doesn’t Shape Up

Europe may suspend data-sharing agreements with the U.S. if American policy makers don’t improve how Europeans’ online information is protected. That’s according to Andrus Ansip, the nominee to lead Europe’s digital agenda, who added the U.S. still needs to convince European lawmakers it takes a hard line on data protection. “Americans have to deliver and provide real trust to European citizens,” Ansip said during a hearing at European Parliament in Brussels, adding a suspension of Safe Harbor is still on the table. [The New York Times]

EU – Belgium Appoints First Privacy Minister

After several months of negotiations, a new governmental coalition has finally been formed in Belgium. It may come as a surprise, but the new government has paid particular attention to privacy-related issues in its coalition agreement, including the appointment of a Secretary of State for privacy. DLA Piper’s Patrick Van Eecke and Elisabeth Verbrugge look at the new government’s stated intentions for privacy, including a slate of planned reforms, and look into the future to assess the impact of these decisions. [Full Story] [Belgium’s New Government Sets Privacy High on the Agenda, Appointing Minister of Privacy] and also: [IRE: Government expected to increase data protection budget]

Facts & Stats

WW – How Much is Data Really Worth?

While companies are building entire businesses around the collection and sale of data, no one really knows what all that information is worth. “It’s flummoxing that companies have better accounting for their office furniture than their information assets,” said a Gartner analyst. “You can’t manage what you don’t measure.” As more companies traffic in information and use big data analytics tools to find ways to generate revenue, the lack of standards for valuing data leaves a widening gap in our understanding of the modern business world, the report states. Intangible assets such as patents, trademarks and copyrights could be worth more than $8 trillion, one economist estimates. [The Wall Street Journal]


US – FCC Fines Marriott for Blocking Guests’ Wi-Fi Hotspots

Marriott has agreed to pay the US Federal Communications Commission (FCC) US $600,000 to settle charges that the company blocked guests’ personal hotspots, forcing them to use the hotel’s WiFi at significant cost. The Gaylord Opryland Hotel in Nashville, Tennessee, admitted to the blocking, saying that it normally established wireless services and networks for groups at the convention facility, charging US $250 to US $1,000 per access point. The service provided by the hotel includes a monitoring system that blocks networks that are not its own. [Ars Technica] [The Register]


US – TCPA Prompts Bank Fears; Kohl’s Seeks Class-Action Dismissal

In a filing with the Federal Communications Commission (FCC), the American Bankers Association (ABA) said banks that call or text customers run the risk of being sued under the Telephone Consumer Protection Act (TCPA), a 23-year-old law that requires consumers’ consent to being called on their mobile phones. “A single financial institution might be responsible for 50,000 to 60,000 or more potential data security breach notifications per month,” the ABA wrote to the FCC. “A substantial portion of these automated notifications must be sent to mobile telephone numbers.” Meanwhile, Kohl’s has asked a federal judge to throw out a putative TCPA class-action alleging the retailer gathered consumers’ cell-phone numbers for debt-collection purposes. [Quartz]


AU – FOI May Cost $800 as Coalition Seeks to Abolish Regulator

The federal government has introduced a bill to abolish Australia’s freedom of information watchdog. In a move that will wind back significant reforms in Australia’s federal freedom of information framework introduced in 2010, the government has pushed ahead with its plans to abolish the Office of the Australian Information Commissioner (OAIC). The bill would remove an office conceived as the “champion” of freedom of information and privacy, and would largely revert to the pre-2010 framework where complaints about freedom of information matters were heard by the commonwealth ombudsman and appeals went to the Administrative Appeals Tribunal (AAT). Labor and the Greens have previously raised major concerns about this move, saying it would “shut the door on open government”. Crucially, the bill provides no relief or waivers for the $800 filing fee to make applications to the AAT, which is likely to create a substantial barrier to seeking review of government decisions. [Source] The Freedom of Information Amendment (New Arrangements) Bill 2014 was introduced into Australia’s Parliament on Thursday, and the Office of the Australian Information Commissioner (OAIC) has detailed what to expect if the bill becomes law. The Australian government’s plan to require data retention continues to make headlines, as do allegations that Australian privacy laws are putting military personnel at risk.


US – 23andme Genetic Testing Service Coming to Canada

A California company offering a genetic testing service that claims to pinpoint both health conditions and genetic background has begun operating in Canada, despite being blocked by the U.S. health regulator from offering its full service. The company 23andme tests for about 100 health markers based on a sample of your saliva. Customers apply for the testing kit online, submit a sample and get a response in two to six weeks via email. The U.S. Food and Drug Administration blocked 23andme from sending health information to customers of its genetic testing kits in the U.S. “The FDA believes that we are a medical device, so we are going through the medical device review process. In Canada we are working with health authorities and they have deemed that we are non-therapeutic and therefore we don’t need pre-market clearance,” said CEO Anne Wojcicki. However, Canada’s privacy commissioner has raised concerns about the privacy of genetic tests. At this time, there are no laws in Canada that specifically address the use of genetic test results by insurance companies. The Canadian Life and Health Insurance Association has agreed its members will never require a genetic test from a customer, but say that if there is such a test, “the insurer would request access to the information, just as it would for other aspects of the applicant’s health history.” [Source]

Health / Medical

US – FDA Issues Medical Device Cyber Security Guidance

The US Food and Drug Administration (FDA) has released guidance for medical device cyber security. The publication offers recommendations to manufacturers and urges them to “consider cybersecurity risks as part of the design and development of a medical device.” The agency also encourages manufacturers to provide the FDA with documentation about risks in devices and plans to mitigate those risks, as well as plans for providing updates and patches. The FDA is holding a workshop on the issue later this month. [FDA] [SCMagazine] [USA Today] [MobiHealthNews: A Roundup of FDA-Approved Electronic Medical Devices]

US – OCR Prepping to Launch Phase II Audits

The Department of Health and Human Services Office for Civil Rights (OCR) is preparing to launch OCR Phase II Audits, a permanent audit program for covered entities, although the OCR is still dealing with funding constraints and finalizing the program, the OCR’s Iliana Peters said at a conference last month. When the program will begin depends on some technology upgrades, Peters said, noting once Phase II starts, the OCR will use it as an enforcement tool and, depending on what issues are discovered, corrective actions may result. She added settlements and monetary penalties are “never off the table” if major compliance issues are found during investigations. [PR Web]

WW – Facebook Moving Into Healthcare

Amidst reports that Facebook will feature new guidelines and an ethics review panel for research projects, the social networking giant is also reportedly moving into the healthcare landscape. Facebook is allegedly exploring the development of online “support communities” to connect users with similar ailments and a small team is considering “preventative care” applications. The company has been convening meetings with various medical industry experts and entrepreneurs to set up a research and development team to test new health apps, the report states. [Reuters]

Horror Stories

US – JP Morgan Chase: Breach Affected 76 Million Households

In a filing with the US Securities and Exchange Commission (SEC), JPMorgan Chase disclosed that a security breach earlier this year affected 76 million households and seven million businesses, and that the data compromised include phone numbers and email addresses, but not account information. The company has denied emerging reports of a second breach. Stanford’s Jonathan Mayer said, “There’s no doubt that companies with valuable information have a target on them.” Meanwhile, a separate report offers new evidence on where “massive data breaches lead,” including to “clone cards” sold to low-level criminals, and details some of the costs of data breaches. [NBC News] [NBC News] [Fast Edgar] [NYTimes] [CS Monitor] [The Register] [ComputerWorld] [ZDNet] [SCMagazine] [NPR News] Lawmakers in the U.S. are using the JP Morgan data breach to push privacy-diminishing cyber-legislation.

CA – Personal Info Accessed In B.C. Government Database Breach

The B.C. government is trying to notify 15,000 people whose personal information has been illegally accessed because of a data breach on a Ministry of Forests’ website and associated databases. The ministry says names, contact information, birth dates, drivers’ licence numbers and job evaluation information of firefighters who applied to work on wildfire crews may have been compromised. A ministry news release says data about applicants’ aboriginal, minority or disabled status may have also been viewed when the information was accessed by an unauthorized user on Sept. 24. The ministry says public website access was shut down as soon as the breach was discovered and the Information and Privacy Commissioner was notified. The government says it is offering free credit protection services to people who have been affected. However, it says some of the database records are up to 10 years old and contacting everyone involved in a timely manner may be difficult. [The Globe and Mail]

US – Inspector General Says Nearly 14 million Postal Service Records at Risk

The U.S. Postal Service Inspector General has concluded the Postal Service has put nearly 14 million customer records at risk. The inspector general’s audit found that hundreds of businesses have access to millions of change-of-address forms with little oversight from the Postal Service. “There is a risk that the (data) could be accessed by unauthorized users,” auditors for Inspector General David Williams wrote, adding, “Security controls … are not sufficient to protect the confidentiality and integrity of customer information.” [The Washington Post] See also: [Kmart, Dairy Queen see payment-card data stolen] [Oregon Employment Dept. Reports Breach]

US – Senators Want Answers on USIS Breach

Senate Homeland Security and Governmental Affairs Committee leaders have sent letters to the Obama administration as well as the Department of Homeland Security (DHS), the Office of Management and Budget and the Office of Personnel Management seeking answers to a breach that hit the U.S. Investigations Services (USIS) in August. The breach likely compromised the personal information of approximately 25,000 government employees. Committee Chairman Tom Carper (D-DE) and ranking member Tom Coburn (R-OK) wrote in the letter to DHS Secretary Jeh Johnson that the breach raises significant concerns, noting, “If you determine that additional tools and authorities are needed to further improve federal network security, we urge you to inform the committee as soon as possible.” [GovInfoSecurity]

CA – Alberta Health Services Unsure What Happened to Information Lost in a Privacy Breach

Officials don’t know what happened to the information gleaned during a 19-month breach of patient records by an Alberta Children’s Hospital staffer that targeted a wide variety of victims, including high-profile people. And though Alberta Health Services says the low-level administrator’s access to 247 patients’ records hasn’t impacted care or the integrity of the data, the agency’s president Valerie Kaminski said it’s not clear what was done with the information. “We don’t know – we asked that question and the information they gave us was very nondescript,” said Kaminski. “There was no evidence they made copies at all.” The former staffer, who was fired, had access to patient history, contact information, date of birth and family information on two different databases, with access to at least one of them running from January 2013 to August 2014. It went beyond children’s medical information, extending to nurses, physicians and “high profile people across the community, there were a large number of adult patients,” said Kaminski. [Source] [Alberta Children’s Hospital patient privacy breach prompts apology] See also: [The Alberta Court Of Appeal Considers Confidential Information, Settlement Privilege And The Freedom Of Information And Protection Of Privacy Act]

WW – Hartzog: Snapchat Should Not Blame Users for Latest Leak

Prof. Woodrow Hartzog writes that Snapchat, in its message to consumers after a hack of images stored on a third-party server, should not have blamed users for the incident. “Snapchatters were allegedly victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Use,” the company wrote. Hartzog notes that such rules are “buried in the fine print” and that two lessons can be drawn from the incident and response: Businesses need to educate their users about security risks in plain language, and technologies that promise to protect privacy “must provide better data security than traditional social media.” Meanwhile, Gizmodo writes new app Vent is a “disaster waiting to happen,” and The Globe and Mail reports anonymous app Shadow creates a false expectation of privacy. [Wired]

US – AT&T Employee Fired for Accessing Customer Data

AT&T has fired an employee for allegedly accessing customers’ personal data, including driver’s license and Social Security numbers, as well as customer metadata about calls made. AT&T notified the affected customers by letter. [The Register] [ZD Net] [Net Security] [Text of Letter]

WW – Cybersecurity Awareness Month News Roundup

In conjunction with cybersecurity awareness month, the U.S. FTC has released online shopping tips in a short YouTube clip, and in an effort to help organizations better understand the data breach landscape, Experian has released its 2014-2015 Data Breach Response Guide. Meanwhile, in a survey by UK-based telecoms company BT, 26% of the 640 IT decision-makers said their business had experienced a data breach incident where their cloud provider was partly at fault, and Help Net Security reports the majority of IT decision-makers said they aren’t confident data would be secure if outsiders penetrated their network’s perimeter security. Separately, eBay has moved to dismiss a proposed class-action over a data breach, and software company Netwrix has recommended three steps Home Depot could have taken to prevent its breach. In healthcare, there’s been a “substantial spike” in the number of major data breaches posted on the U.S. Health and Human Services “wall of shame” since the Health Insurance Portability and Accountability Act Omnibus Rule came into play a year ago.

WW – Interpol Says “Around 100” Cyber Kingpins Worldwide

The latest business to announce a credit and debit card breach is the U.S.-based ice cream and restaurant chain Dairy Queen. The company said 395 of its stores were affected. In a similar story, U.S. investigators believe the hackers that breached JP Morgan are the same ones who breached Fidelity Investments. The slew of cyber-attacks are prompting some companies to consider going on the offensive by “hacking back” or going on “active defense.” Trend Micro’s chief cybersecurity officer said, “Active defense is happening. It’s not mainstream. It’s very selective.” According to Europol’s Cybercrime Center, there are only “around 100” cybercriminal kingpins worldwide. [The Washington Post]

Identity Issues

SK – Wave of Identity Thefts Forces South Korea to Overhaul National ID System

After an avalanche of data breaches, South Korea’s national identity card system has been raided so thoroughly by thieves that the government says it might have to issue new ID numbers to every citizen over 17 at a possible cost of billions of dollars. The admission is an embarrassment for a society that prides itself on its high-tech skills and has some of the fastest Internet access. The issue came to a head after 20 million people, including the president, Park Geun-hye, were victims of a data theft at three credit card companies. Park acknowledged in January that change was needed and ordered a study of possible options. A decision is due later this year. Rebuilding the system and tightening security could take up to a decade, according to Kilnam Chon, a researcher known as the “Father of the Korean Internet” for his pioneering work in online technology in the 1980s. “The problems have grown to a point where finding a way to completely solve them looks unlikely,” said Chon. [Source] [SCMagazine] [The Register] See also: [BC: Pastafarian’s fight with ICBC comes to a boil]

US – Feds Say Agent Legally Impersonated Woman

The Justice Department says a federal agent had the right to impersonate a young woman online by creating a Facebook page in her name without her knowledge. The woman’s account was set up by a U.S. Drug Enforcement Administration special agent after she was arrested for allegedly being part of a drug ring. While she awaited trial, the agent set up the fake Facebook page, using her name and posting photos from her seized cell phone, to communicate with at least one wanted fugitive. The woman is suing the agent for invading her privacy. The Justice Department is looking into the matter. [Buzzfeed] [US: Government Set Up A Fake Facebook Page In This Woman’s Name]

Internet / WWW

WW – International Privacy Conference Releases Declaration, Resolutions

As the 36th Annual International Conference of Data Protection and Privacy Commissioners winds down in Mauritius, leaders from the conference have released a declaration on the Internet of Things (IoT) as well as resolutions on accreditation, big data, international cooperation and privacy in the digital age. In their IoT declaration, Executive Committee Chairman Jacob Kohnstamm and Mauritius Data Protection Office Chairwoman Drudeisha Madhub conclude data collected from IoT devices should be considered personal data; IoT value is not only found in devices but in services; transparency will be key; local processing is needed to help bolster security; regulators will closely watch the IoT landscape; Privacy by Design should be “a key selling point,” and “a strong, active and constructive debate” is needed between all stakeholders. [Source] Notable private-sector interviews: [Google Chairman: ‘We’re Going to End Up Breaking the Internet’ – Eric Schmidt said the Internet as we know it will fail unless governments reform their surveillance practices] [Privacy as a Selling Point: An Interview with Siemens’ Rob Gratchner] [Microsoft’s Lynch Talks Privacy and Trust, Then and Now] [Protecting Privacy In The Digital Age: Mikko Hyppönen Answers Your Questions] [Edward Snowden’s Privacy Tips: “Get Rid Of Dropbox,” Avoid Facebook And Google]

WW – UN Report Says Bulk Surveillance Threatens International Law

A 22-page report to the UN General Assembly claims that mass surveillance “is indiscriminately corrosive of online privacy and impinges on the very essence of the right guaranteed by” the UN’s International Covenant on Civil and Political Rights. The study was written by Ben Emmerson, UN special rapporteur on counterterrorism. He said spy programs implemented by the U.S. NSA and the UK GCHQ, for example, “pose a direct and ongoing challenge to an established norm of international law,” and such programs undermine “the right to privacy of communications on the Internet altogether.” The report follows an equally critical analysis from UN High Commissioner for Human Rights Navi Pillay released in July. [The Guardian] [OHCHR]

WW – IPEN Hears Top Risks, Focuses on Privacy-Friendly Tech

In a time when mass surveillance is being supported by the Internet and Western governments in the effort to fight terrorism, and “insecure protocols and the lack of technical measures to protect data in current Internet technology make it easy to circumvent privacy,” Florian Stahl writes on the efforts of the Internet Privacy Engineering Network (IPEN), recently founded by the European Data Protection Supervisor. The IPEN, which held its first workshop in Berlin, Germany, late last month, is working “to support the development of privacy-friendly technologies and raise awareness,” Stahl writes, detailing the Open Web Application Security Project’s presentation of its top 10 privacy risks at the workshop. [Privacy Perspectives] [IPEN website] [IPEN Press Release]

WW – HTTPA? Researchers Work on Accountability Internet Protocol

Two MIT Computer Science and Artificial Intelligence Lab researchers are developing a new Internet protocol called HTTPA, or HTTP with Accountability. Instead of keeping data secret, Oshani Seneviratne and Lalana Kagal are building a protocol that allows data owners to attach conditions for the data’s use, with a way of auditing whether such conditions are being met. If users want to audit their data, the protocol will identify everyone who accessed the data and what was done with it. Since there are potentially hundreds of resources on a given page, Seneviratne explained, “HTTPA would just be applied to resources that need protection … You don’t want to protect every resource, just those that contain sensitive information or protected content.” [CSO Online]

Law Enforcement

NZ – Mobile Fingerprint Scanners Coming to Alcohol Checkpoints

Thousands of motorists suspected of drink-driving could soon be hauled into booze buses [a mobile police drug and alcohol checkpoint] to have their fingerprints taken and stored on a police database. The Booze Bus Biometrics system will enable officers to check the identities of huge numbers of people more quickly and easily than by taking them to the nearest police station. But a leading civil rights lawyer says expanding the tools available for storing people’s personal data is a further step in a creeping “trend of net-widening”. [Source] See also: [Toronto: 18 Officers Probed Toronto Crack House Break-in]

US – Crime-Fighting Surveillance Planes Provoke Privacy Controversy

A US company has developed a way to monitor entire neighbourhoods, using a technology originally developed for the recent wars in Iraq and Afghanistan. But while police forces are excited by the prospect of getting access to the tech, privacy campaigners see it as a threat to citizens’ constitutional rights. By flying a special manned plane over a city, Persistent Surveillance Systems (PSS) says it is able to view and record everything that is happening on the ground across a 25 sq mile (64.7 sq km) area. Rigged with 12 high-resolution cameras, the aircraft beams a spliced-together picture, a sort of “live Google Earth” map, down to analysts. “The resolution is not high enough to show who someone is, people appear as merely one grey pixel on a screen,” Ross McNutt, a retired United States Air Force veteran and PSS president, told BBC Click. But that one pixel is enough for the person’s movements to be accurately tracked for the time the plane is in the air – up to six hours. When PSS flew its planes over Compton, California, for nine days in early 2012, it recorded murders, robberies and many other crimes. By matching the time frames of the PSS recordings with on-the-ground testimony, analysts and police were able to see the moment when a crime was committed. They were then able to track where the suspect was before and after the moment of the crime. But PSS doesn’t just see the murders and the criminals – its cameras look down onto the streets and backyards where everyday activities happen as well. The firm’s insistence that the close-ups it obtains are low resolution is not enough to placate opponents who see its tech as a threat to Americans’ liberties. [Source] [BBC News] See also: [Police to Receive X-Ray Glasses, Identify Suspects Through Walls]

US – Surveillance Drone Taken Out By Privacy Protecting Hawk

A recent video seems to prove that it’s not just humans that are annoyed with the excessive surveillance these days. While capturing video with a drone, the operator was a bit more than shocked to see his RC aircraft get taken out by an apparent privacy-protecting hawk. The incident began when Christopher Schmidt decided to strap a GoPro camera to a quadcopter to take some video around Magazine Beach Park in Cambridge, Massachusetts. During his filming, he appears to have ticked off a hawk who decided to let the drone know who was boss. The Google engineer said the hawk, apparently unhappy with his drone invading its airspace, sent it hurtling toward the ground, according to Fox 5. Schmidt goes on to write, “As far as I could tell, the hawk came out unscathed, and having defeated his prey, was happy to retreat. (As soon as he flew at me, I throttled down the props to try to minimize any harm to the bird.) The quadcopter came out unscathed as well.” Last week we reported on a man using his shotgun to take out a similar drone – do you think people will start getting the message? [Mad World News]


WW – Grindr Shuts Off Proximity Tracker in Egypt; Privacy Art Exhibit Cancelled

Dutch artist Dries Verhoeven has been forced to cancel his “non-sexual social media-based” art exhibit after privacy concerns were raised. The Berlin-based social-media experiment used the sex-dating app Grindr to lure users to the installation site in order to project the user comments in a public setting. Grindr said, “While Grindr supports the arts, what Dries Verhoeven is doing by luring Grindr users under false pretenses is entrapment. This is an invasion of user privacy and a potential safety issue.” Meanwhile, Egyptian officials have been arresting individuals believed to be homosexual men, prompting Grindr to disable its proximity feature and send a message to users to be “as savvy as you can and to be very careful.” [Hyperallergic] Meanwhile, venture capitalist Peter Sims alleges his location was tracked by Uber during a Chicago event. “After learning this,” he wrote, “I expressed my outrage … that the company would use my information and identity to promote its services without my permission.” See also: [US: ‘God View’: Uber Allegedly Stalked Users For Party-Goers’ Viewing Pleasure]

Online Privacy

WW – Adobe Collects eReader Data and Transmits it in Cleartext

Adobe has acknowledged that its Digital Editions eBook reader gathers information about users’ reading histories and sends the data back to the company unencrypted. Adobe maintains that the feature is designed to prevent piracy. The company says the information it collects, which includes user, device and app IDs; IP addresses; duration of reading; and percentage of book read, is data that could be demanded by publishers. Adobe now says it plans to issue an update to the software to address the cleartext data transmission. [NBCNews] [Ars Technica] [The Register] [The Register] [The Digital Reader] A tip from a hacker prompted a journalist to use a network tracking app to discover Adobe Digital Editions 4 was “gathering data on the ebooks that have been opened, which pages were read, and in what order.” [GigaOm] See also: [New Flaw: POODLE Puts Browsers at Risk]

UK – Your Colleagues Pose Bigger Threat to Your Privacy than Hackers

The threat from hackers is not nearly as big a problem as the threat posed by your own colleagues, a privacy report has revealed. According to research conducted at the Central European University’s Centre for Media, Data and Society, over half of all privacy breaches in Europe over the last decade are inside jobs, rather than the work of external hackers. The team from CEU conducted the study by examining 350 privacy breaches that took place across ten years. Focussing on the 229 incidents that directly involved the privacy of European citizens, the primary conclusion of the study was that organisational insiders are more to blame for the loss of private information than those attempting to maliciously access information from elsewhere. [Source] [Report: Data Breaches in Europe: Reported Breaches of Compromised Personal Records in Europe, 2005‐2014]

WW – Even Those Who Opt Out Are Part of the Database

Companies like Google and Facebook may be learning about those who don’t use their services. Researchers from Switzerland’s ETH Zurich University studied publicly available data archived from social network Friendster and found that if the company had used certain state-of-the-art prediction algorithms, it could gather sensitive information, such as sexual orientation, about even nonmembers. Meanwhile, Natasha Singer’s column in The New York Times explores how her birthday, information she doesn’t give out online, appeared on a site that lists reporter birthdays. Another Times article looks at the tension inherent in humans’ wishes for privacy and instincts to share. [WIRED] See also: [‘Words With Friends’ Addicts Asked Zynga What It Knew About Them And Got More Than Expected]

EU – Justice Ministers Worry RTBF Is Leading to “Mass Data Erasure”

For the first time, EU justice ministers have “sounded out their political views on the balance between the right to be forgotten and the right to know.” Meeting in Luxembourg, the ministers expressed concern that Google’s compliance with a ruling from the EU’s top court in May requiring it to delete certain search links upon request could lead to a mass erasure of data, the report states. Austrian Justice Minister Wolfgang Brandstetter said, “We can’t leave it up to search engines to decide on the right balance between freedom of expression and a right to be forgotten.” Google’s Eric Schmidt said it would have been helpful if the court was clearer on the details of which delete requests should be honored. [Bloomberg] See also: [Google Notifies NYT of Story Link Removal, Citing RTBF] and [The Economist: Google Continues To Grapple with Right To Be Forgotten Ruling]

WW – Beacon Trial Shows Difficult Balance between Privacy and Personalization

Mothercare, a UK-based baby products retailer, has said it will trial beacons at the beginning of 2015. The goal is to give customers a better in-store experience. Harpinder Singh, a mobile commerce manager for the company, said, “There’s definitely an opportunity here, and because it’s so low-cost, we’re definitely going to a trial at the start of next year,” but added, “it’s a little scary how much you can do” with the technology. Steven Skinner of business technology firm Cognizant said customers need to be reassured their privacy won’t be compromised. “To overcome this, retailers need to educate customers about the benefits this technology offers them and demonstrate the unique benefits they would not get otherwise.” [Computing]

Other Jurisdictions

JP – Court Calls on Google for Right to Be Forgotten

A Japanese court has ordered Google to remove various Internet search results related to a specific Japanese citizen, saying it violates the man’s privacy. The Tokyo District Court issued an injunction ordering Google to delete 120 out of 230 search results that hinted the man was involved with criminal activity, the report states. The man originally filed for the injunction in June, claiming the results endangered his life. His lawyer said, “This is good news for those who feel their lives are threatened and are sickened physically and psychologically by Google’s search results.” [The Wall Street Journal] Minister Yuko Obuchi has announced that Japan’s Ministry of Economy, Trade and Industry will amend its guidelines implementing the Personal Information Protection Law.

HK – Privacy Commissioner Issues Guidance “Banks Must Consider”

Hong Kong Privacy Commissioner Allan Chiang has issued guidance on a number of data protection issues banks must consider. That’s after his office handled 373 data protection complaints about banks in 2013-2014, up from 198 cases the year before. Banks have “been among the top three private-sector organizations being complained about,” Chiang said. The guidance includes instructions on marketing activities, the collection of personal data, cookies and data-retention policies, the report states. “Privacy-assuring banks will enjoy enhanced customer trust and loyalty, thus creating a win-win-win for the customers, their businesses and the banking industry as a whole,” the guide said. [Out-Law.com] See also: A Russian regulator has sent notifications to Facebook, Google and Twitter saying they must register as “organizers of information,” meaning they must store user data locally.

Privacy (US)

US – Following Largest Breach Yet, Obama Now to be Briefed on Cyber-Attacks

Following the JP Morgan Chase breach, “the largest data breach ever,” President Barack Obama will now receive regular updates on foreign cyber-attacks. The breach “now ranks alongside Islamic State group news as a national security concern,” the report states, noting there has been speculation that the Russian government might have supported the attack. Meanwhile, The New York Times reports that, in the coming year, banks in the U.S. are likely to replace debit or credit cards with versions that have tiny computer chips in them in an effort to make shopping at brick-and-mortar stores more safe. [International Business Times] See also: [Chase Breach: Fear of Phishing]

US – Privacy advocates sue Pentagon over Internet voting test results

The Electronic Privacy Information Center (EPIC) has filed a lawsuit against the Pentagon under the Freedom of Information Act over online voting experiments. EPIC’s Ginger McCall said, “Voting is an integral part of our democratic system, and it is imperative that the public have information about whether or not e-voting systems are really secure and reliable before they are used or more money is spent on their acquisition.” Meanwhile, a privacy activist is suing the Chicago Police Department for monitoring cell phones. [The Washington Post]

US – Cartoon Network Suit Dismissed; Google Seeks the Same

Developments in two class-action lawsuits. In California, Google has asked a federal judge to dismiss an amended putative class-action that alleges “the tech giant breached user contracts by giving consumer data from Google Wallet users to third-party app developers, saying Tuesday that there is no significant difference from the dismissed, original complaint.” And in Georgia, a federal judge has dismissed a putative class-action alleging that Cartoon Network’s Android app violated the Video Privacy Protection Act and accusing the network “of disclosing its mobile application users’ personal information without consent.” The judge ruled “the shared information wasn’t personal enough,” the report states. [Law360]

US – A Look at Recent Privacy Class-Action Developments

Google will enter into mediation with consumers who alleged the company disclosed their contact information to third parties after various apps were purchased and downloaded. A federal judge approved the order, stating the mediation must begin by 6 February 2015. Meanwhile, eBay has filed a motion to dismiss a class-action that alleges consumer injury sustained after the company’s network was breached in a cyber-attack. Late last week, a California judge approved Vendini’s $3 million class-action settlement in which the ticket-seller was accused of compromising user data when its servers were breached. And Travelers Indemnity has filed a federal lawsuit seeking a declaration that it does not have to defend or indemnify P.F. Chang’s data breach litigation, according to a Law360 report. [Courthouse News Service]

US – Aaron’s to Pay $28.4M; $14M comScore Settlement Finalized

California Attorney General Kamala Harris announced the nation’s second largest rent-to-own chain, Aaron’s, has agreed to pay $28.4 million to settle violations of state consumer protection and privacy laws. The company settled with the Federal Trade Commission last year. “Aaron’s concealed its illegal privacy and business practices from customers in a deceptive attempt to avoid California’s robust consumer protection laws and increase its profits,” Harris said. A company spokeswoman said Aaron’s admitted to no wrongdoing or liability. In related news, a federal judge approved a $14 million class-action settlement with comScore, and the Digital Trust Foundation—created out of the Facebook Beacon lawsuit—is giving away more than $6 million to projects that promote online privacy, safety and security. [Source] [Source]

US – Savage Named Chief Privacy Officer of ONC

The U.S. Department of Health and Human Services’ Office of the National Coordinator for Health IT (ONC) has named Lucia Savage as its new chief privacy officer. Savage is currently a senior associate general counsel at UnitedHealthcare, where she runs a team that works on large data transactions with health information exchanges, transparency initiatives and other data-driven healthcare innovation projects, the report states. The ONC’s Karen DeSalvo said Savage “brings to our team a set of rich experiences at the intersection of health information, privacy and modernizing the healthcare delivery system.” She is set to start on October 20. [Health IT Outcomes]

US – Snowden: Supreme Court Will Strike Down NSA Programs

Senate Judiciary Committee Chairman Patrick Leahy (D-VT) said when the Senate reconvenes next month “it must swiftly take up and pass the USA FREEDOM Act.” He said “there is no excuse for inaction” and that reforms in the bill “are strongly supported by the technology industry, the privacy and civil liberties community and national security professionals in the intelligence community.” Last week, Sen. Ron Wyden (D-OR) and leaders from the tech industry expressed similar calls for surveillance reform. Edward Snowden is “confident” that the U.S. Supreme Court will find mass surveillance programs illegal. Plus, Forbes reviews “Citizenfour,” a documentary about Snowden. [The Hill]

US – NBA Union Wants to Ensure Privacy Is Protected

The National Basketball Players Association (NBPA) is raising concerns about increased tracking and data collection of players through sleep trackers, off-court movement monitors and other mobile sensors that determine players’ health and improve performance. According to the report, the NBPA was not aware of the rapid growth of Internet-of-Things technology and other biometric advances and, thus, had not developed an official position on the data collection. “If the league and teams want to discuss potentially invasive testing procedures that relate to performance, they’re free to start that dialogue,” said NBPA Counsel Ron Klempner, adding, “Obviously, we’d have serious privacy and other fairness concerns on behalf of the players.” Security of the collected data is also mentioned as a concern, the report states. [ESPN]

US – FPF, SIIA Issue Student Privacy Pledge

The Future of Privacy Forum (FPF) and the Software & Information Industry Association (SIIA) have announced a pledge to protect student data. The FPF and SIIA, together with school service providers, educator organizations and other stakeholders including Reps. Jared Polis (D-CO) and Luke Messer (R-IN), have come up with a pledge that includes a promise not to sell student data, behaviorally target students or use student data without authorization. Organizations that have made the pledge include Microsoft, Houghton Mifflin Harcourt and the National Parent-Teacher Association. According to Politico, some privacy advocates have raised concerns about organizations that have yet to sign the pledge, including Apple, Google, Pearson and Khan Academy. [Source] See also: [Toronto school board sets higher targets for students based on race, sexual orientation]

Privacy Enhancing Technologies (PETs)

WW – Money, Interest Continue to Pour in for Privacy-Enhancing Tech

In the blog post “You are not your browser history,” data artist Jer Thorpe discusses our “online doppelgängers” and a new browser extension called Floodwatch. Developed in conjunction with Ellery Royston, Ian Ardouin-Fumat and Ashkan Soltani, Floodwatch allows users to “easily track and analyze their browser-based ad histories.” Meanwhile, Frankly, a mobile start-up that provides self-destructing messaging apps, has secured $12.8 million in funding bringing total funding up to $22 million since its founding. USA Today reports on Authy, a free app that places two-factor authentication on smartphones, and a Fast Company column discusses the case for making encryption the default—a topic featured in a recent Privacy Perspectives post. Plus, Facebook is reportedly working on an app that lets users remain anonymous.

EU – German Start-Up Sees 400% User Growth, Secures $3.2 Million

ZenMate is a Berlin-based start-up that provides users with secure, encrypted access to any website, from anywhere, via a Virtual Private Network-style connection. The start-up secured Series A funding in the amount of $3.2 million this week. Its registered users have grown to more than five million, with a 400% increase in the last six months. Its key markets are Germany, the U.S. and the UK, “and growth in those markets reflects the fact that consumers are growing increasingly concerned about personal data being harvested from web histories by ad firms and that privacy is now a global issue that could have a major impact on e-commerce,” the report states. [Forbes]

WW – New Internet Security System to Revolutionise User Privacy

Researchers have developed a new system that protects Internet users’ privacy while increasing the flexibility for web developers to build applications that combine data from different sites, thus dramatically improving the safety of surfing the internet. According to the researchers at UCL, Stanford Engineering, Google, Chalmers and Mozilla Research, the system, named Confinement with Origin Web Labels (COWL), works with Mozilla’s Firefox and the open-source version of Google’s Chrome web browsers and prevents malicious code in a web site from leaking sensitive information to unauthorized parties. The system also allows code in a web site to display content drawn from multiple web sites – an essential function for modern, feature-rich web applications. The researchers show that the system provides strong security without perceptibly slowing the loading speed of web pages, and it will be freely available for download and use on October 15 at http://cowl.ws. [Source]

WW – Privacy Products Continue to Proliferate

The “Pretty Easy Privacy” project is a user interface project currently crowdfunding on Indiegogo that aims to make standards like PGP more accessible to ordinary people by removing the need to understand key management. Meanwhile, researchers from Stanford, Google, Mozilla and other firms have built a new system that protects Internet users’ privacy while “increasing the flexibility for web developers to build web applications that combine data from different websites.” And Syme, a social network that gained attention last year for its strong privacy features, has quietly disappeared. [GigaOm]

US – One Firm’s Self-Imposed Privacy-Protective Process: Costly but Worth It

Ad-tech firm 4Info follows a self-imposed rigorous process to ensure the data it gathers, shares and uses to aim mobile ads at consumers is protected and “near-impossible to connect to an individual.” The company incorporated Privacy by Design and reports it spends at least 30% more to store data in a privacy-safe way than it would otherwise. It does that by “spreading data points associated with a specific user ID across several servers located in multiple physical locations so it cannot be compiled easily into one user profile by outside systems or hackers,” the report states. [Advertising Age]

WW – Messaging App Launches Korean Version to Cash in on Privacy Fears

Privately owned German messaging app Telegram released a Korean-language version on Tuesday to capitalize on a surge in demand from users wary of local apps such as KakaoTalk after the government said it would boost cyber surveillance. Telegram, which advertises its app with the tagline “taking back our right to privacy”, does not have any servers in South Korea, where prosecutors last month launched a cyber monitoring campaign after complaints by President Park Geun-hye. Market research firm Ranky.com said KakaoTalk had in the last week lost 400,000 users, or about 2 percent of its 35 million or so customers in South Korea. During the same period, Telegram was downloaded by one million Koreans. [Source]

US – Twitter Investing $10 Million in MIT Lab

Twitter is investing $10 million in a lab at the Massachusetts Institute of Technology (MIT) to create platforms for online collaboration between users on civic and political issues. MIT Media Lab’s Laboratory for Social Machines (LSM) will get access to Twitter’s real-time, public news feed and its archives going back to the very first tweet, the report states. The lab will research the potential of social networks “to remake the public sphere.” Additionally, the investment will be spread over the next five years, and the “LSM will have operational and academic independence in its research,” the report states. [Computerworld]


WW – Protect Your Tappable Credit Cards and Personal ID from Wireless RFID Pickpocketing

RFID (Radio Frequency Identification) chip technology has become embedded in passports, health cards, driver’s licenses, grocery store dongles, gas station dongles, debit cards and credit cards in many countries to help us get served faster by tapping or waving them when we are buying a coffee or gas or crossing a border. All of the information stored in the RFID chip of our credit cards and personal IDs can easily be sniffed and stolen wirelessly unless we keep them in an RFID signal blocking protective sleeve, wallet, purse or bag. Your RFID enabled cards and IDs can get scanned from 4.5 metres away. Here are the manufacturers that list products with RFID signal blocking capabilities:


US – NIST Releases Final Smart Grid Doc, Revised Guidelines on Privacy

The National Institute of Standards and Technology (NIST) has released its third and final version of a document that aims “to help industry transform the more-than-century-old U.S. electrical system into an advanced, interoperable smart grid.” NIST has released version 3.0 of its “Framework and Roadmap for Smart Grid Interoperability Standards,” two years after its second version was published. NIST also published a revision to its “Guidelines for Smart Grid Cybersecurity,” which is an update to the 2010 version. The revision covers regulatory changes involving privacy, among other updates. [NIST Press Release] [FierceGovernmentIT] [Full Story] See also: [Ericsson Buys Bankrupt SmartGrid Tech Company]

US – IT Security Workforce Reaches New High

As IT security employment reaches a record high in the United States, the workforce remains overwhelmingly white and male. And that hasn’t changed in years. Here’s a look at the latest employment numbers from the federal government. “Information security analyst” is the only IT security occupation classification BLS tracks. An annualized 61,000 individuals considered themselves information security analysts during the third quarter of 2014. That includes 59,800 employed and 1,300 unemployed, resulting in an annualized unemployment rate of 2%. Economists generally consider an unemployment rate below 3% as full employment, meaning that a low unemployment rate denotes churn in the marketplaces, not people desperate for a job. During the same quarter in 2013, an annualized 53,500 individuals called themselves information security analysts, with 51,100 employed and 2,000 jobless, and an annualized unemployment rate of 3.7%. Those statistics translate into a 14% gain in the information security analysts’ workforce in just a year, reflecting the growing demand for IT security skills by businesses and governments. [Source]

WW – Researchers Uncover Voice-Activation Flaws

Researchers warn that voice-activated smartphones and other devices can be a significant security risk, as some systems responded just as well to fake voices as they did to the voice of the owner. Security firm AVG says this means hackers could use this flaw to send “bogus messages or compromise gadgets in the future.” “Utilizing voice activation technology in the Internet of Things without authenticating the source of the voice is like leaving your computer without a password,” noted AVG Chief Technology Officer Yuval Ben-Itzhak, adding, “everyone can use it and send commands.” [BBC News]

WW – Dropbox Says Account Credentials Taken from Other Services

Several Pastebin posts claim to contain hundreds of sets of login credentials for Dropbox. A note accompanying the posts claims that credentials for nearly seven million accounts were compromised. Some sets have been confirmed as authentic. Dropbox appears to have reset access credentials for all accounts in the posts. Dropbox has issued a statement saying that they were not compromised, and the posted information was taken from other services. [Ars Technica]

WW – Malicious Android App Steals Data

An Android app that appears to be a simple game is actually malware capable of recording audio on infected devices, stealing messages and device data, and gaining root privileges. Gomal may be spreading through unofficial app stores. The malware will steal email from the Good for Enterprise app. Good for Enterprise developer Good Technology says that Gomal is a proof-of-concept app presented at Black Hat 2013. [SC Magazine] See also: [HP Will Revoke Certificate Inadvertently Used to Sign Malware]

Smart Cards

US – White House Issues Executive Order to Use Chip and Pin

The U.S. President today signed a new Executive Order directing the government to lead by example in securing transactions and sensitive data. Multiple initiatives are included. The most important is securing payments to and from the Federal government by applying chip and PIN technology to newly issued and existing government credit and debit cards. [White House]


US – FBI Director Acknowledges Some Warrantless Data Collection, Calls for Updated Wiretapping Laws

FBI Director James Comey has admitted that in some cases, his agency does collect information without a warrant. Speaking at the Brookings Institution, Comey qualified his statement on television news magazine 60 Minutes earlier in the week that the FBI never conducts surveillance without first obtaining a court order. Comey noted that the two types of cases in which the FBI gathers information without a warrant are when consent has been obtained and when conducting surveillance of foreign suspects under Section 702 of the Foreign Intelligence Surveillance Act. Comey also spoke of his concerns that stronger encryption on new iPhones and Android devices will make it more difficult to pursue investigations. He said that the government needs wiretapping powers because CALEA is outdated and has not kept up with changing technology. He did acknowledge that any provision that allows law enforcement to gain access to communications could also be abused by criminals. [NextGov] [NextGov] [DarkReading] Sen. Ron Wyden (D-OR) held a roundtable in a Palo Alto, CA, high school last week with some of the tech industry’s most influential leaders in what he referred to as “one of the first times Congress has focused squarely on the economic impact of the overreach of government intelligence.”

US – New FISMA Regulations Allow DHS to Scan Some Civilian Networks

The US Office of Management and Budget (OMB) is granting the Department of Homeland Security (DHS) authority to scan certain civilian networks for indications of threats. The issue came up after DHS had to get permission from agencies to scan for Heartbleed, which delayed mitigating that threat. New rules for compliance with the Federal Information Security Management Act (FISMA) require the agencies to agree to the DHS scanning. [Federal News Radio] [NextGov] See also: [US – Audio Recording Capability in 2015 Corvettes Could Violate Privacy] and three New Jersey lawmakers are sponsoring bills to limit access to vehicle black box event recorders.

US – Tech Companies Say NSA Harms Business; Privacy Office Releases Report

The National Security Agency (NSA) privacy office has released a report on the privacy and civil liberties protections under Executive Order 12333, which dates back to 1981 and allows the agency to keep the contents of U.S. citizens’ communications if they are captured “incidentally” overseas. The office said there are multiple privacy safeguards in place. The ACLU has criticized the lack of judicial and congressional oversight. U.S.-based technology companies—including Google, Facebook and Dropbox—are banding together in a roundtable discussion with Sen. Ron Wyden (D-OR) to discuss how foreign companies are using the NSA revelations to gain a competitive advantage over U.S. business. [PC World] Facebook and other tech companies can appeal “bulk warrant” requests from U.S. intelligence agencies.

CA – Twitter Sues U.S. Government Over National Security Data

Twitter is suing the U.S. government in an effort to loosen restrictions on what the social media giant can say publicly about the national security-related requests it receives for user data. The company filed a lawsuit against the Justice Department on Monday in a federal court in northern California, arguing that its First Amendment rights are being violated by restrictions that forbid the disclosure of how many national security letters and Foreign Intelligence Surveillance Act court orders it receives — even if that number is zero. Twitter vice president Ben Lee wrote in a blog post that it’s suing in an effort to publish the full version of a “transparency report” prepared this year that includes those details. Critics of the U.S. government’s secrecy surrounding its national security surveillance activities lauded Twitter’s move. Jameel Jaffer, the ACLU’s deputy legal director, said “challenging this tangled web of secrecy rules and gag orders” was the right move, and he urged other tech firms to follow Twitter’s lead. “If these laws prohibit Twitter from disclosing basic information about government surveillance, then these laws violate the First Amendment,” Jaffer said. “The Constitution doesn’t permit the government to impose so broad a prohibition on the publication of truthful speech about government conduct.” [Source] [Source]

WW – MoFo Launches New Drone Practice Group

Morrison & Foerster has launched a new practice group that collects “the capabilities of attorneys from its aviation, privacy, environmental, product liability and other practices to tackle the challenges presented by the growing use of commercial drones by U.S. companies and others.” The group will include “more than 25 attorneys boasting a range of practice specialties,” the report states. [Law360] Meanwhile, Amazon has announced it is seeking an attorney to fill the corporate counsel role at its Prime Air delivery system, which is currently being developed to “get packages into customers’ hands in 30 minutes or less using unmanned aerial systems.”

US – Public Beacons Make Appearance in NYC, Quickly Taken Down

Beacons—small radio transmitters that can push advertisements to smartphones—were placed in New York City phone booths. Within hours of the report, City Hall ordered Titan, the company that controls the phone booth ad space, to remove the devices. City Hall’s Phil Walzak said, “While the beacons Titan installed in some of its phones for testing purposes are incapable of receiving or collecting any personally identifiable information, we have asked Titan to remove them from their phones.” Some are concerned beacons can be used to track the movement of users. [Buzzfeed] [Buzzfeed] [Polonetsky commentary]

HK – Hong Kong Protests: China May Be Spying With Smartphone Apps

The Chinese government might be using smartphone apps to spy on pro-democracy protesters in Hong Kong, a U.S. security firm said. The applications are disguised as tools created by activists, said the firm, Lacoon Mobile Security. It said that once downloaded, they give an outsider access to the phone’s address book, call logs and other information. The identities of victims and details of the servers used “lead us to believe that the Chinese government are behind the attack,” said a Lacoon statement. [Source]

WW – Good2Go: App Lets Users Give Consent but Raises Privacy Concerns

The new app, which helps two parties gauge their level of intoxication and practice affirmative consent, also requires users to log their phone numbers. This means the company gets information about who a user is hooking up with and when it happened. [Source] Meanwhile, the Justice Department has charged a Pakistani man for the sale of an app that could spy on unsuspecting users, a technology domestic violence activists have tried to stop.

US – Police-Boosted Parental Control App is a Privacy Mess, Says Report

The heavily distributed kid-monitoring software ComputerCop, which many police departments around the US gave to families for free, is doing far more harm than good, a new report by the Electronic Frontier Foundation alleges. An eight-month investigation by the group — a nonprofit that focuses on civil liberties in the digital realm — says ComputerCop, which allows parents and guardians of children to monitor a child’s computer and Internet use, is sketchy in its effectiveness and falls short on protecting user data from spying. The EFF report also alleges that ComputerCop engages in shady business practices to convince law enforcement officials to spend taxpayer money on the software. “Probably the biggest problem of all is that there are law enforcement agencies that aren’t actually paying attention to cybersecurity,” said Dave Maass, who wrote the EFF report. “Some of the biggest jurisdictions in the country are giving out software that makes kids less safe if they use it.” [Source]

Telecom / TV

PH – Philippines’ SIM Card Registration May Be Violation of Privacy

A group of privacy and human rights experts has urged the government to rethink the proposal that requires registration of cellphone subscriber identity module (SIM) cards, a move endorsed by the national police force and Malacañang. In a statement, Foundation for Media Alternatives Executive Director Al Alegre said that while addressing crimes is important, the government should rethink how “this policy could be a violation of our citizen’s right to privacy.” “SIM cards registered when it falls into the wrong hands can wrongfully implicate innocent citizens,” Nighat Dad of Digital Rights Foundation Pakistan was quoted in a statement by the Foundation for Media Alternatives. Mr. Dad also warned that precedents exist in his country, saying SIM card registration had become a “new tool for monitoring citizens.” Foundation for Media Alternatives said in a statement that “most countries in Asia don’t have data protection laws that could help secure the collected information from SIM card registration.” [Source] See also: An article in JDSupra explores the ramifications for businesses of California’s “Kill Switch” law.

US Government Programs

US – Government Says Accessing Foreign Servers Without a Warrant is Legal

The US Justice Department maintains that the government can break into servers outside the country without a warrant. The statement is part of a response to a motion from the legal team of alleged Silk Road mastermind Ross Ulbricht, which claimed that the government’s activity violated their client’s Fourth Amendment rights and that all information the government gathered when it accessed Silk Road servers should be suppressed. [Forbes] [WIRED] [Ars Technica]

US – Federal Agencies Seek Advice on Privacy Tech Spending

Several U.S. government agencies are looking for ways to bolster privacy protection by investigating privacy-enhancing technology, and the White House has launched a project to assess federal research in privacy technology. The deadline for comment is October 17 and includes in-house research by federal agencies as well as research conducted by federal contractors and recipients of federal grants. According to an information request published by the National Science Foundation last month, the National Privacy Research Strategy “will establish objectives and prioritization guidance for federally funded privacy research, provide a framework for coordinating research and development in privacy-enhancing technologies and encourage multidisciplinary research that recognizes the responsibilities of the government, the needs of society and enhances opportunities for innovation in the digital realm.” [E-Commerce Times]

WW – Create App-Specific Passwords for iCloud

Apple has long offered two-step verification for iCloud accounts, but the extra barrier to gaining access to your account was limited in scope. The change was prompted by the recent celebrity photo leak, an unfortunate incident that spurred Apple to secure users’ iCloud accounts using both two-step verification and app-specific passwords. The change requiring app-specific passwords was put into place on October 1. For those unfamiliar, app-specific passwords are used when an app or service you’re attempting to sign into doesn’t support two-step verification. Instead of forcing you to enter your account password, you create a single-use app-specific password, eliminating any potential for your account to be compromised. Signing into your iCloud account in Outlook, using the Email app on an Android device or a third-party calendar app are all examples of when an app-specific password is going to be required. [Source]

UK – UK Police Say Some Smartphones Have Been Remotely Wiped After Seizure

Police in the UK have reported that several mobile phones in their possession as evidence have been remotely wiped. The feature is designed to prevent owners’ data from being exposed if a phone is stolen. [BBC] [ZDNet]

US Legislation

US – White House Considering Options for Cyber Security Legislation

White House Cybersecurity Coordinator Michael Daniel says that instead of trying to push a single, comprehensive cyber security bill through the legislature, the administration will instead focus on supporting a series of smaller bills that will address the necessary issues. The administration would like to see legislation that paves the way for the Department of Homeland Security (DHS) to work more closely with private companies to protect their systems from attacks as well as clarifying how government agencies work together and with DHS. [USA Today] [Federal Times]

US – CA Gov Signs “Revenge Porn 2.0” While Publishers Sue to Stop Law in AZ

California Gov. Jerry Brown has signed an expanded “revenge porn” law that now includes “selfies.” Existing law made it a misdemeanor to post private or graphic photos with the intention of humiliating those pictured, and SB 1255 expands that to include private images regardless of who took the photo. Brown also signed AB 2643, which allows revenge porn victims to bring civil actions against those posting the images. In Arizona, a group including bookstores, publishers and the American Civil Liberties Union is suing to stop a so-called revenge porn law because it has no requirement for malicious intent and could include images taken in a “commercial or public setting.” [The Sacramento Bee] See also: UK prosecutors are seeking prison time for revenge porn convictions. Patricia Bailin writes about California’s new laws addressing a variety of privacy, security, breach notification and surveillance concerns. See also: California Gov. Jerry Brown has signed a bill that supporters say is the nation’s toughest law on protecting student privacy. Brown also signed a bill that would extend the expiration date of the state’s 25-year-old wiretap law from 2015 to 2020 and vetoed a bill that would have required police to obtain warrants for surveillance via drones. See also: [Anisa Salmi speaks out after nude photos leaked online] California has passed a law that requires schools to discard students’ public posts on social media within a year after a student leaves the district and notify parents that school officials are analyzing social media posts. California has passed a law making it illegal for paparazzi to use drones to take celebrity photographs, while Connecticut’s legislature is making another attempt at regulating drones.

Workplace Privacy

WW – Working Papers Frame the Future of Labor

Data & Society’s Future of Labor project has rolled out working papers exploring the issues raised by the impact of technology on work. The papers, authored by Alex Rosenblat, Tamara Kneese and danah boyd, aim to frame the ways in which data-centric technology is affecting work to assist researchers, policy-makers and activists “who are trying to get a handle on future of work issues,” the report states. The working papers address topics including the automation of hiring via algorithms; the history of using tracking technologies to increase efficiency and measure productivity at the workplace; and the ways robots, drones and other intelligent systems are being integrated into the workforce “in both protective and problematic ways.” [Data & Society]
