16-31 October 2014


US – Court: Police Can Compel Defendants to Give Up Fingerprints but Not Passwords

A circuit court judge has ruled that defendants can be compelled to give up fingerprints but not passwords to law enforcement in cell-phone search cases. Judge Steven C. Frucci said that disclosing a fingerprint is like giving up one’s DNA or handwriting sample and thus not a violation of the Fifth Amendment protecting against self-incrimination. However, a password requires defendants to share knowledge, which is protected by the Fifth Amendment. Last year, privacy advocate and lawyer Marcia Hofmann predicted that Apple’s fingerprint ID could mean that users would not be able to plead the Fifth in cellphone search cases. [The Virginian-Pilot]

WW – This MasterCard with a built-in fingerprint sensor is coming in 2015

MasterCard has announced the world’s first contactless payment card that uses your fingerprint to authenticate payments. It’s partnered with Zwipe, the company behind this biometric technology, on a card that will only permit charges if your thumb is resting on the built-in sensor. You can wave it near an NFC reader for contactless payments, and it’s also fully compatible with chip terminals. Fingerprint data is all stored locally inside the card’s secure element and is never transmitted to MasterCard. And since biometric authentication obviates any need to enter a PIN, Zwipe says this is fundamentally more secure than the chip and PIN system. The company already ran a pilot with Norway’s Sparebanken DIN bank, but the prototype card used was far from perfect. It had a battery inside, which made it a bit more unwieldy compared to your everyday plastic. [Source]

AU – Opposition Grows to Storage of Photo and Biometric Data

Photographs of millions of Australians will be stored by the Immigration Department, and this “biometric data” gathering could extend to fingerprinting and iris scanning under the Abbott government’s controversial counterterrorism laws. The “foreign fighters” bill means there will be a major expansion of facial recognition imaging of Australians passing through international airports in a crackdown on passport fraud that could eventually apply to a wide range of biometric data – which could be shared with other government agencies. Critics say the danger of such information being hacked is profound, given many personal electronic devices are now secured by fingerprints and iris scans. The sheer scale of the personal information that would stream into the government’s databanks is set to open one of the first fissures in the largely bipartisan approach to national security, with Labor warning that the legislation poses a danger to privacy. [Source]


CA – Legislative News Roundup

Canada Introduces New Anti-Terror Legislation After Ottawa Attacks:

  • C-44: [Canada’s Public Safety Minister Steven Blaney introduced Bill C-44, which would broaden the powers of CSIS, including authorizing Canadian spies abroad to break the laws of a foreign country when investigating threats to the security of Canada]
  • S-4: [The Canadian House of Commons is discussing Bill S-4, which would amend the Personal Information Protection and Electronic Documents Act to include mandatory breach notification provisions] [Canada’s House of Commons Industry Committee will now review Bill S-4, the Digital Privacy Act] and [Canada Mulls Mandatory Data Breach Notifications]
  • C-13: [Canadian Justice Minister Peter MacKay is getting criticism from both parties over Bill C-13, also known as the cyberbullying bill]
  • AB PIPA: [Alberta has “formally filed” a motion with the Supreme Court to extend the deadline for the province to amend its Personal Information Protection Act (PIPA)]
  • [Tighter privacy laws were among the issues highlighted by the Saskatchewan government in last week’s throne speech]
  • [Canada’s Conservatives’ latest budget bill includes the creation of a national missing persons’ DNA databank]
  • [November 1st – 10th Anniversary of PHIPA]
  • And finally: [CASL Enforcement: Much Ado About Nothing]

CA – Statement of the Privacy and Information Commissioners of Canada on National Security and Law Enforcement Measures

Privacy and Information Commissioners of Canada attending their annual meeting noted with sadness last week’s events in Saint-Jean-sur-Richelieu, Quebec, and in Ottawa, Ontario. “The following days, weeks and months will be critical in determining the future course of action to ensure not only that Canada remains a safe country, but also that our fundamental rights and freedoms are upheld. Legislative changes being contemplated may alter the powers of intelligence and law enforcement agencies. We acknowledge that security is essential to maintaining our democratic rights. At the same time, the response to such events must be measured and proportionate, and crafted so as to preserve our democratic values. To that end, the Privacy and Information Commissioners of Canada call on the federal Government:

  • To adopt an evidence-based approach as to the need for any new legislative proposal granting additional powers for intelligence and law enforcement agencies;
  • To engage Canadians in an open and transparent dialogue on whether new measures are required, and if so, on their nature, scope, and impact on rights and freedoms;
  • To ensure that effective oversight be included in any legislation establishing additional powers for intelligence and law enforcement agencies.

Canadians both expect and are entitled to equal protection for their privacy and access rights and for their security. We must uphold these fundamental rights that lie at the heart of Canada’s democracy. The statement is available on the website of the Office of the Privacy Commissioner of Canada and the Office of the Information Commissioner of Canada. [Source]

CA – Ruling Prevented Sharing of Data on Men Who Killed Soldiers

Canada didn’t share “some intelligence” with the U.S. about the two men who committed fatal acts last week because of a 2013 court ruling limiting the transfer of personal data, according to a Canadian official. U.S. authorities knew little about Michael Zehaf-Bibeau or Martin Rouleau, who each killed a soldier last week in Canada. A court ruling last year said the Canadian Security Intelligence Service (CSIS) was breaking privacy laws by passing data about Canadian citizens to the “Five Eyes” intelligence-sharing network, comprising Canada, the U.S., Australia, New Zealand and the UK. [Reuters] See also: [The Canadian Forces Counter Intelligence Unit has issued a new directive regarding social media practices in the wake of last month’s attacks]

CA – Classroom Behavior App Has Commissioners Worried

Privacy commissioners in Canada are concerned about a new computer program, increasingly used in Canadian schools, that collects and stores information about the in-class behavior of students. ClassDojo allows teachers to assign or deduct points for students based on their behavior, creating a competition for the best behavior among classmates and allowing parents to monitor how their kids are doing in real time. ClassDojo collects information on 53 million students globally on a minute-by-minute basis and stores it on a private company’s servers in the U.S., which are not subject to Canadian privacy laws, the report states. [Ottawa Citizen] See also: [Toronto: Rate My Classmate site meant to call out group-project slackers] and [Canadian university athletes must waive privacy to play: CIS] and [If a teacher’s decades-old erotic films can resurface online, what rights should we have to digital privacy?]

CA – Privacy Commissioner Issues Annual Report, MetaData Research Paper

The Office of the Privacy Commissioner (OPC) has released its annual report and a privacy research paper entitled Metadata and Privacy: A Technical and Legal Overview. See also: [Dentons Bernier Shares Tips from a Former Privacy Regulator]

CA – Alberta Privacy Commissioner Worried About Calgary Police Service’s Body-Worn Camera Plans

Growing worries over the Calgary Police Service’s plans to equip 550 officers with body cameras forced Jill Clayton, Alberta’s privacy commissioner, to voice concerns in a letter to Chief Rick Hanson. In September, deputy police Chief Trevor Daroux told Metro his pilot program ran from 2012 to 2013, recorded 2,700 videos and helped in 32 criminal cases. After completing the project, CPS announced it would move forward with body-worn cameras in 2015. This announcement sparked privacy concerns from the public and a civil liberties group. Clayton told Metro she was concerned about the project because she hasn’t heard from anyone at CPS. In her letter, which was later posted to her website, Clayton urges CPS to file a Privacy Impact Assessment. This report would address the CPS’s ability to handle the vast amounts of private information it would gather from using body-worn cameras. Though PIAs are not required, she has been lobbying for legislation to make them mandatory. [Source]


US – Study Finds Discriminatory Pricing “Much More Widespread”

A new study of top e-commerce websites has found “price steering”—when companies use consumer profiles to personalize prices—is much more widespread than previously understood. The study, which was conducted by a team of computer scientists at Northeastern University, tracked searches on 16 popular e-commerce sites and found six of the sites used the pricing technique but none alerted consumers of it. [The Wall Street Journal]

US – Vladeck, Calo Examine Digital Marketing Manipulation

David Vladeck, former director of the Federal Trade Commission’s Bureau of Consumer Protection, discusses a recent article by Prof. Ryan Calo in which Calo writes about the potential for digital marketing to manipulate consumer choice. Vladeck writes that Calo’s “arguments are powerful and persuasive” but suggests the risks might be “less pronounced” than Calo asserts, noting there are ways “regulators are already responding to the risks that manipulative digital advertising poses to consumers.” Reiterating that any disagreements he has with Calo’s article are “gentle caveats,” Vladeck concludes that Calo “has responsibly sounded an alarm to prompt regulators into action.” [The George Washington University Law Review]

WW – Study Spotlights PII Collection, Impact on Consumer Behavior

LexisNexis Risk Solutions has released a study focusing on why industries collect, store and process personally identifiable information (PII) and its corresponding effect on consumer behavior. The study surveyed more than 3,000 consumers regarding their willingness to share their PII in low, medium and high-risk transactions, and the study also interviewed 22 executives in the financial, healthcare, retail and government sectors to reveal how each uses PII for identity verification. LexisNexis Risk Solutions VP Dennis Becker said, “Organizations need to be cognizant of how consumers’ fears and experiences affect their willingness to share sensitive data and seek ways to minimize the amount of personal information being requested.” [BusinessWire] One survey has found nearly half of holiday shoppers said they will not shop at stores that have been hacked. See also: [Nico Sell of Wickr: Privacy Is the New Fame]


WW – Facebook and Yahoo Develop Mechanism to Protect Recycled eMail Addresses from Abuse

Facebook and Yahoo are taking steps to prevent users of recycled email addresses from taking control of other accounts. When Yahoo began recycling email addresses last year, critics were concerned that the information could be used to change passwords on accounts that used the old email address for password change confirmation, and that the new email user could possibly receive sensitive messages intended for the former user. Yahoo and Facebook have together developed a mechanism for preventing such abuse. Using Simple Mail Transfer Protocol (SMTP), sensitive email messages will include a field within the header that notes the date since which the sender has known the address. If the address is determined to have changed ownership since that date, the message will not be delivered. [ComputerWorld] [WIRED] See also: [After Nova Peris and Barry Spurr, should we all give up on email in the name of privacy?]
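A receiving-side version of that check, written here as an added example (not code from Facebook, Yahoo or the page): it assumes the header is named Require-Recipient-Valid-Since (the name later standardized in RFC 7293; the page does not name it), uses a mailbox directory and messages constructed inline, and marks two fail-closed policy choices as assumptions in the code.

```python
"""Refuse delivery of a sensitive message when the recipient address changed hands
after the date the sender last confirmed it (the Yahoo/Facebook scheme above)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime
from typing import Dict, Optional, Tuple

# Assumed header name: the page only says the date lives in a header field.
KNOWN_SINCE_HEADER = "Require-Recipient-Valid-Since"


@dataclass
class Mailbox:
    """Receiver-side record: when the current owner took over the address."""
    address: str
    owner_since: datetime


def _as_utc(dt: datetime) -> datetime:
    """Make naive datetimes comparable to aware ones by assuming UTC."""
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def parse_known_since(value: str) -> Optional[Tuple[str, datetime]]:
    """Parse 'user@example.com; <RFC 5322 date>' into (address, datetime)."""
    addr, sep, date_str = value.partition(";")
    if not sep:
        return None
    try:
        when = parsedate_to_datetime(date_str.strip())
    except (TypeError, ValueError):
        return None
    if when is None:  # older Python versions return None on garbage
        return None
    return addr.strip().lower(), _as_utc(when)


def decide_delivery(raw_message: str, envelope_rcpt: str,
                    directory: Dict[str, Mailbox]) -> Tuple[bool, str]:
    """Return (deliver?, reason) for one message to one envelope recipient.

    Policy: the page's rule plus two assumed choices (marked):
      - no header: deliver as before, the sender asked for no check
      - header present but malformed: refuse (assumed fail-closed choice)
      - header names a different address: ignore it (assumed choice)
      - mailbox owner_since is later than the sender's date: refuse
    """
    rcpt = envelope_rcpt.strip().lower()
    header = message_from_string(raw_message).get(KNOWN_SINCE_HEADER)
    if header is None:
        return True, "no known-since header; legacy delivery"
    parsed = parse_known_since(header)
    if parsed is None:
        return False, "malformed known-since header"
    addr, known_since = parsed
    if addr != rcpt:
        return True, "header is about a different recipient; ignored"
    box = directory.get(rcpt)
    if box is None:
        return False, "no such mailbox"
    if _as_utc(box.owner_since) > known_since:
        return False, "address changed hands after the sender last confirmed it"
    return True, "recipient unchanged since the sender's date"


# Constructed sample data (not from the page): bob's address was recycled in 2014.
SAMPLE_DIRECTORY = {
    "alice@example.com": Mailbox("alice@example.com", datetime(2012, 6, 1, tzinfo=timezone.utc)),
    "bob@example.com": Mailbox("bob@example.com", datetime(2014, 3, 1, tzinfo=timezone.utc)),
}


def reset_mail(rcpt: str, with_header: bool = True) -> str:
    """Constructed password-reset message; the sender last confirmed rcpt in Jan 2013."""
    lines = ["From: security@bank.example", f"To: {rcpt}", "Subject: Password reset link"]
    if with_header:
        lines.append(f"{KNOWN_SINCE_HEADER}: {rcpt}; Tue, 15 Jan 2013 10:00:00 +0000")
    return "\n".join(lines) + "\n\nClick to reset your password.\n"


def run_examples() -> Dict[str, bool]:
    """Deliver to alice (unchanged), refuse bob (recycled), deliver to bob without header."""
    return {
        "alice": decide_delivery(reset_mail("alice@example.com"), "alice@example.com", SAMPLE_DIRECTORY)[0],
        "bob": decide_delivery(reset_mail("bob@example.com"), "bob@example.com", SAMPLE_DIRECTORY)[0],
        "bob_legacy": decide_delivery(reset_mail("bob@example.com", False), "bob@example.com", SAMPLE_DIRECTORY)[0],
    }


if __name__ == "__main__":
    for name, ok in run_examples().items():
        print(name, "deliver" if ok else "refuse")
```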

WW – Mobile ISP Cricket was Thwarting Encrypted Emails, Researchers Find

Engineers from digital security and privacy firm Golden Frog found some customers of Cricket, a prepaid mobile company, were prevented from sending encrypted emails for months. The findings were shared with the FCC and released in a media report earlier this month, but without the company’s name, the report states. “Golden Frog said that Cricket customers were unable to send encrypted messages and said its testing found that the problem ended shortly after the TechDirt article was published,” the report states. “It is unclear how long or how many customers were affected.” [The Washington Post] See also: [Mondaq looks at Canada’s Anti-Spam Law provisions “concerning the distribution and installation of computer programs,” suggesting they should “be of particular concern to all businesses who distribute or intend on distributing software either alone or as part of their product or service offerings.”]


WW – China Using Phony Apple Certificate to Snoop on iCloud

A group that monitors Chinese government censorship, GreatFire.org, says that censors in China are conducting man-in-the-middle attacks on Apple’s iCloud in that country. Technical information suggests that a phony Apple certificate is being used to intercept the traffic. [GreatFire] [ArsTechnica] [InformationWeek] [v3.co.uk] [ComputerWorld] See also: [Apple Chief Vouches for China’s Pro-Privacy Stance]

WW – Apple Issues iCloud Security Advisory

Apple has issued a security warning about attacks attempting to steal information from iCloud users with fraudulent certificates. An Apple support page warns users to heed invalid certificate warnings while visiting iCloud and that they should never enter login information into websites that present certificate warnings. [Apple] [TheRegister] [CSMonitor] [v3.co.uk] [Adobe eReader now using SSL to phone home] [Analysis of Samsung KNOX] See also: [T-Mobile is “quietly” hardening its network to a more sophisticated form of encryption, making it more difficult for bulk surveillance]

WW – Apple to Stop Using SSL 3.0 for Push Notifications

Apple plans to stop using the Secure Sockets Layer 3.0 (SSL 3.0) encryption standard for its Apple Push Notification service following the disclosure of a vulnerability. Developers have until October 29 to update their apps. More information on the SSL 3.0 flaw: [ZDNet] [CNET]

EU Developments

EU – Parliament Approves New Commission

President-Elect Jean Claude Juncker has secured confirmation for his new European Commission with 423 Members of the European Parliament voting in favor and 209 voting against. Juncker said the commission will focus on digital matters. Harmonizing tech-related policy and laws across the EU will be the responsibility of two new commissioners, Andrus Ansip and Günther Oettinger, who will replace outgoing Commissioner for the Digital Agenda Neelie Kroes. And Access has published an extensive look at the incoming group of EU commissioners, suggesting, “In the five years ahead a certain number of these incoming commissioners will have a huge influence on digital rights and security issues that impact the lives of European citizens and, indirectly, the rest of the world.” [EurActiv] [Germany’s government is calling for “EU-wide retention of flight passenger data to combat the risk of terror,” and that move is “sparking opposition in the European Parliament.”] [During a meeting in Luxembourg, EU justice ministers for the first time “sounded out their political views on the balance between the right to be forgotten and the right to know”] [The parliamentary committee in Italy’s Chamber of Deputies has published the initial draft of an “Internet Bill of Rights” it has been working on since August] [The ICO has updated its code of practice for surveillance cameras and personal information, cautioning that surveillance cameras “must only be used as necessary and proportionate to address real and pressing concerns.”] [The Paris Court of First Instance has found for the plaintiffs in a suit on the right to be forgotten]

EU – Commission to Focus on Data Protection

As the new European Commission starts its five-year term, plans include working toward agreement on the EU’s new data protection rules, a European Parliament media release states. Data protection will be a key area of focus. “The EU hopes that the legislative package, which has always had the complete support of the European Parliament, will be adopted in 2015,” the report states, citing the European Commission Director for Fundamental Rights and Union Citizenship Paul Nemitz as indicating “if the political will exists, the council will adopt the package.” As Nemitz put it, “This reform will pave the way for a digital age with a fair competitive environment for European SMEs.” [EurActiv] See also: [Hogan Lovells Partner Eduardo Ustaran writes in a blog post, “2015 may be the year that sees the culmination of a legal modernisation process that has been running for the best part of four years.”] and [UK: Coming Down The Tracks: The Legislation That Will Make Data Protection Law Even Worse!] and [Hunton & Williams’ Privacy and Information Security Law Blog examines the Council of the EU’s proposed revisions to the compliance obligations of data controllers and data processors and the risk-based approach to compliance] [Christian Wiese Svanberg of Plesner Law Firm offers an overview of the recent EU Council of Ministers discussions on the proposed data protection regulation, noting “the reform now appears unstoppable, and fundamental changes to the scope and legal form of the proposal are becoming increasingly unlikely.”] [Christian Wiese Svanberg offers an overview of the EU Council of Ministers’ discussions of the proposed General Data Protection Regulation and the highly debated right to be forgotten] [Olivier Proust writes about the “burdensome exercise” that is notifying data protection authorities of data processing, noting it is still necessary.]

EU – No Details Being Shared on the DPC’s “Significant” LinkedIn Audit

The Office of the Data Protection Commissioner (DPC) issued a “raft of ‘significant’ recommendations” last month for LinkedIn to improve the privacy of its 1.2 million Irish users. “The recommendations, delivered on behalf of all European citizens, represent the culmination of a year-long investigation,” the report states, noting the DPC “is not releasing any details of those ‘significant’ recommendations. Nor is it indicating what problems it may have discovered in relation to how LinkedIn treats our personal information.” The reason, a DPC spokeswoman explains, is that it is up to organizations “to decide whether to publish an audit report carried out by this office.” The report states LinkedIn has declined to share the findings of the audit. [Independent.ie] See also: [While it hasn’t yet received the increased funding expected, the Irish Office of the Data Protection Commissioner is getting a “range of measures designed to strengthen the office”]

EU – Amazon Web Services Opens German Location to Quell Privacy Concerns

Confirming a report from this summer, Amazon Web Services has opened a location in Frankfurt, Germany. The move is designed to help diminish the post-Snowden privacy concerns of Europeans, especially Germans. Gartner Research Director Gregor Petri said, “The customers who are the hardest to convince to move workloads out of the country are mostly from Germany.” Forrester Research’s Stefan Ried said, “With the announcement, Amazon sets itself up to address not only the typically higher legal compliance and security concerns of European customers but also gets more credibility with the usually more conservative CIOs across Europe.” [PCWorld] See also: [A German court wants clarification from the European Court of Justice on whether dynamic IP addresses constitute private data] and [UK: GCHQ’s outgoing director warns spies must monitor the internet]

Facts & Stats

WW – Attacks Up 48%; Data Security Legal Practice Booming

A new PricewaterhouseCoopers (PwC) study reveals that the number of detected cyber-attacks has gone up 48% since 2013. There will be approximately 42.8 million cyber-attacks this year alone, or about 117,339 attacks per day. The study notes, “It is no surprise to find that as the number of information-security incidents continues to mount, so do financial losses.” Meanwhile, corporate “legal spending on cybersecurity and data privacy issues is expected to grow at the highest rate of any practice area in 2015, as clients look to ramp up their efforts to address the increasingly prevalent and sophisticated threats to the sensitive data they hold.” Plus, New York’s banking regulator says law firms, as a vendor, need to be carefully watched to develop strong data security practices. [The Hill]


WW – Google Changes Search Algorithm to Help Fight Piracy

Google made changes to its search algorithm that have had a noticeable effect on the number of video streaming and torrent sites that appear at the tops of results. Visibility of many sites known to offer pirated content has been significantly reduced. [Ars Technica] See also: [Montreal woman wins cash from Google for Street View cleavage]

WW – Survey Shows Orgs Disable Firewall to Improve Network Performance

According to a report from McAfee, while 60% of 504 surveyed IT professionals say security is paramount in network design, about 30% of organizations responding to the survey said that firewall security features are often disabled to boost network performance. McAfee senior director of network security Jennifer Geisler noted that “the way most firewalls are designed, it forces the trade-off so this is not a negative reflection on the administrator.” [Source]


US – Obama Signs Federal Card Security Order; MasterCard Unveils Biometric Cards; Apple Pay Available Today

President Barack Obama has signed an Executive Order that will bolster security for federal credit cards, a move designed to urge private-sector banks and retailers to follow suit. Starting in January, federal credit cards will use chip-and-PIN technology, and the White House said that Home Depot, Target, Walgreen and Wal-Mart will roll out chip-and-PIN-compatible terminals in all stores by January. Obama also called on Congress to enact data breach notification legislation, but that won’t happen this year. [Reuters] MasterCard announced it will introduce built-in fingerprint sensors for contactless payment cards in 2015. Starting this month, Apple Pay will work with iPhone 6 devices. See also: [The U.S. Consumer Financial Protection Bureau finalized a rule allowing certain financial institutions to post annual privacy notices online rather than by paper delivery] and [In a filing with the FCC, the American Bankers Association (ABA) said banks that call or text customers run the risk of being sued under the Telephone Consumer Protection Act, a 23-year-old law that requires consumers’ consent to being called on their mobile phones] and [The California Superior Court has ordered Bank of America to turn over call recordings made with borrowers during the period of the Excessive Forbearance Remediation Project in 2013, subject to the Privacy Notice]

US – PCI Issues Security Awareness Guidance

PCI leaders have for months stressed the need for merchants to implement more structured employee education programs around data security. Now the PCI Security Standards Council has outlined just how it expects businesses that handle card data to address employee education. In a 28-page supplement to security awareness program best practices, the council reiterates that continuing employee education about how to detect and mitigate data security risks is a PCI compliance requirement. Three key points noted in the guidance include:

  • The need to assemble a security awareness team, which is responsible for the development, delivery and maintenance of the security awareness program;
  • Why developing security awareness content tailored to the business plays a critical role in producing appropriate content and training material; and
  • How businesses can use security-awareness checklists to monitor security awareness training programs.

The guidance’s appendix also includes a detailed checklist with specific compliance recommendations for each of the PCI-DSS requirements included in version 3.0. While this guidance is directed at requirement 12.6, which deals with information security policies and awareness programs, it touches on a range of security best practices – a comprehensive take on PCI compliance that industry security experts agree is needed. [Bank Information Security]

WW – Home Depot Breach Costs Twice Target’s

A new survey reveals that credit unions spent $60 million after the data breach at Home Depot last September, a cost that is more than double that of Target’s. The Credit Union National Association (CUNA) survey noted that 7.2 million consumer cards at credit unions were affected, and that, on average, it costs $8.02 to reissue a card. CUNA’s president and CEO said, “The bottom line is that credit union members end up paying the costs—despite the fact that the credit unions they own had nothing to do with causing the breach in the first place.” Retail groups pushed back in a letter sent to CUNA. “Even after absorbing substantial fraud losses,” the letter stated, “merchants are subject to massive fines by Visa and MasterCard networks and hundreds of millions of dollars in restitution through private litigation for cybersecurity breaches.” [The Hill]

WW – Coalition Launches Bitcoin Principles; EFF Aims to Stop NY Bitcoin Rules

A coalition of cryptocurrency companies has endorsed a new principles-based framework aimed at bolstering identity security, trust and access to a shared-data Internet. The initiative was spearheaded by the Institute for Data Driven Design out of the MIT Media Lab, and the resources—called the Windhover Principles—are being implemented on an open source platform, the report states. “The Windhover Principles for Digital Identity and Trust are deeply rooted in the belief that individuals should have control of their digital personal identities and personal data,” an announcement said. “Underlying this core value is the principle of ensuring innovation in trust and privacy.” Meanwhile, the Electronic Frontier Foundation has launched a “Stop the BitLicense” initiative, arguing New York’s proposed Bitcoin rules could threaten privacy rights. [InsideBitcoins] See also: [India: Swiss authority willing to disclose info on black money: Centre]


CA – NB Ombudsman, Privacy Boss Call for More Open Government

Observers and officials are calling on Premier Brian Gallant to steer a cultural shift in New Brunswick’s civil service toward more transparency and less partisanship. The province’s Right to Information and Privacy Commissioner and the Ombudsman both say there needs to be a real change. The focus on government secrecy and partisanship in the civil service follows some recent revelations: According to a poll commissioned by CBC News ahead of the Sept. 22 provincial election, New Brunswickers care more about transparency and integrity than they do about public education, taxation and shale gas. Residents have been largely left in the dark by their government on some major undertakings. Both the previous Liberal government’s move to sell NB Power and the Alward government’s forestry deal were criticized over secrecy. [Source] See also: [Alberta care homes fight to prevent release of financial reports]

CA – UPEI Student Union Wants University Included Under FOI Legislation

If a UPEI student wants information about the P.E.I. Sports Hall of Fame, they can file a freedom of information request and appeal a denied request. If that student wanted to do the same thing with their university, they would be out of luck. It’s a point UPEI student union president Lucas MacArthur made when he pitched the idea of including the university in Freedom of Information and Privacy Protection legislation to the education and innovation committee. MacArthur said P.E.I. is the only province that doesn’t include post-secondary institutions in its access to information law. The student union executives are meeting with Justice Minister Janice Sherry on Nov. 26 to discuss the issue. [Source] See also: [Toronto: School trustees not compelled to post details of expenses] and [Toronto school board trustees tampered with FOI request for expense reports, emails suggest]


CA – Ottawa Proposes DNA Database

Ottawa is one step closer to creating a DNA-based national missing-persons tool it says will assist coroners and police in solving cases and identifying human remains – a victory for families who have long pressed for the database despite privacy concerns and funding obstacles. The proposed legislation, introduced in the Conservatives’ latest budget bill, is the culmination of more than a decade of advocacy by those calling for a system that can compare missing persons’ DNA with samples culled from unidentified human remains. Victims’ families say the national database will give them the comfort of knowing that if their missing loved one is in a morgue somewhere, at least they’ll know. The budget bill is aimed at creating a missing-persons index, a human-remains index and an index for relatives whose profiles may be valuable in locating loved ones or identifying remains. The new indexes will be housed within the RCMP’s National DNA Data Bank facility, which already holds a crime-scene index and a convicted-offenders index. The legislation says profiles uploaded to the missing-persons index and the human-remains index can be compared against those in the crime-scene index and the convicted-offenders index – a move that could set up a battle with the Office of the Privacy Commissioner, which said it doesn’t object to a missing-persons database so long as it’s tightly secured and independent from the criminal indexes. The Privacy Commissioner’s Office told The Globe and Mail it is reviewing the proposed amendments to the DNA Identification Act and will be looking closely at the relationship between the new indexes and the existing criminal ones. The Criminal Lawyers’ Association has also raised concerns about linking the various indexes, saying it’s possible an intentionally “missing” person’s DNA could innocently end up at a crime scene. The association argues police might then become aware of that person’s whereabouts, infringing on privacy rights. [Source] See also: [Nevada’s four-month-old law requiring DNA samples be taken from all individuals arrested for a felony has received little pushback]

Health / Medical

US – DHS ICS-CERT Investigating Medical Device Vulnerabilities

An unnamed official at the US Department of Homeland Security (DHS) said that the agency’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) is investigating approximately two dozen cases of vulnerabilities in medical devices. While there have been no reported attacks exploiting these flaws, DHS is concerned that they could be exploited to cause heart implants and drug infusion pumps to malfunction. [ArsTechnica] [InformationWeek] [BBC] [SCMagazine] [IBT]

US – Federal Court Rules No HIPAA Violation in Malpractice Reform

A Florida federal appeals court recently ruled that physician defendants may have equal access to the health information of plaintiffs and that such access does not violate the Health Insurance Portability and Accountability Act. A tort reform law, which was upheld by this decision, states that prospective plaintiffs must submit a written request that authorizes defendants to access health records and conduct ex parte interviews. Jeff Scott of the Florida Medical Association said, “The impact is: It’s going to level the playing field in medical malpractice cases by giving defendant physicians the same access to crucial expert witnesses that the plaintiff has.” [Health IT Security] See also: [A Florida court has ruled that physician defendants may have equal access to the health information of plaintiffs and that such access does not violate the Health Insurance Portability and Accountability Act] and [Bloomberg BNA reports on the ambiguities that occur when the U.S. Health Insurance Portability and Accountability Act and the Telephone Consumer Protection Act intersect] See also: [US: Potential Health Data Breach, Medical Records Fly off Truck] and [Hospital privacy violations rife in Ontario] and [Yellowknife woman’s psychiatric report lands in employer’s hands] and [Ford’s records accessed at second hospital]

US – Apple’s Ban on Sharing HealthKit Data with Advertisers OK by FTC

Apple’s decision to bar HealthKit app developers from sharing user data with brokers or advertisers was a “welcome move” to FTC Chairwoman Edith Ramirez, Re/code reports. “Steps like this are, I believe, critical to fostering consumer trust,” Ramirez said during a conference Monday on connected devices. “Consumers will enthusiastically invite the Internet of Things into their homes, cars and workplaces only if they are confident that they remain in control over their data,” she said. The FTC has been looking into whether the government needs to get more involved in how companies are using Internet of Things data, and Ramirez has noted concerns about how such data is protected from hackers. [ReCode] See also: [US: Medical Information More Valuable To Hackers Than Credit Card Numbers] and [Beware of gift iPads]

Horror Stories

CA – Federal Data Breaches Up Again

The number of data breaches reported to the federal privacy commissioner by bureaucrats increased, hitting a record high according to a new report. Privacy commissioner Daniel Therrien said in his annual report to Parliament that 228 data breaches across the federal government were reported for the 12-month period ending March 31. Human error accounted for just over two-thirds of those breaches. The number was more than twice the number reported for the previous fiscal year. As a result, the commissioner’s office issued a four-page tip sheet with checklists on four controls for protecting against breaches. Physical controls, for example, stress the importance of protecting devices not in use by placing them in locked cabinets or in storage areas where access is restricted. Technological controls would include encryption or strong passwords, with training for employees in each. Imprinting serial numbers on devices so they can be tracked is another recommendation. So is using portable storage devices to store personal information only as a last resort. Personnel security controls include regular mandatory training about security and privacy, and monitoring the use of personal storage devices by employees to ensure policies and procedures are being followed. Also in the report, the privacy commissioner’s office said it wants to get a better idea of how bureaucrats use portable storage, so it has started a study into how 17 departments and agencies use the devices and whether they have implemented policies and adequate controls. It hopes to have the report done in the next year. [Source]

US – Staples Breached

Staples said its computer systems were compromised, affecting customers’ payment card information. The office supplier is working with law enforcement to determine the extent of the breach and has not revealed when the attack occurred, at which stores or how many customers were affected. The Massachusetts-based office supply store chain has contacted law enforcement. Information from sources at banks in the northeastern US suggests that the breach affects stores in Pennsylvania, New York, and New Jersey. [Krebs] [The New York Times] See also: [The personal information of nearly 100,000 people seeking their high school transcripts was recently exposed on a site that helps students obtain their records] and [Canada: Staples investigating potential security breach of credit cards]

WW – D&T Report Offers Guidance for Determining Veracity of Data Leak Claims

Deloitte & Touche has published a paper that contains advice for determining whether data found on the Internet are actually data stolen from a company or if posted information is fake. Companies can check to see if the posted data are duplicates of data that has been posted previously; they can also check to see if the listed usernames actually exist, and if the passwords abide by the company’s password policy. [SC Magazine] [Krebs] [DarkReading] [Deloitte Report]

US – BBB Goes After Five Web Publishers for Lack of Enhanced Notice

The enforcement wing of the Better Business Bureau (BBB) has gone after five web publishers for not complying with the ad industry’s self-regulatory privacy guidelines. Answers Corporation, Best Buy, BuzzFeed, Go.com and Yelp have all agreed to revise their sites by offering “enhanced notice” on all pages where ad networks and other third parties collect information for use in targeted advertising. A spokesperson from Yelp said the company was contacted by the BBB’s enforcement unit in February, adding, “We immediately looked into whether any changes should be made to Yelp’s site and willingly made those minor updates.” Genie Barton, head of the BBB’s enforcement wing, said many web publishers appeared to be unaware of the self-regulatory principles. “We’ve done everything that we can to publicize it,” she added. [MediaPost] see also: [Librarians Are Dedicated to User Privacy. The Tech They Have to Use Is Not]

US – Employees of Fortune 500 Companies May Have Credentials Leaked

New research alleges that at 221 of the Fortune 500 companies, employees’ credentials are leaked online for hackers to access and use in cyber-attacks. Web intelligence firm Recorded Future said of the 600,000 websites that have posted users’ credentials from January 1 to October 8 of this year, 44 percent included a username-password combination from a Fortune 500 company. The leading industrial sectors affected include the financial sector and the retail/customer service vertical. Meanwhile, NetworkWorld reports on Voxis, a platform that allows cybercriminals to use stolen credit card data while avoiding fraud detection systems. Apple Pay competitor CurrentC, which is in beta, may have been breached, and cybersecurity firm IT Governance is urging U.S. organizations to implement ISO 27001 to minimize data breach risk. [Mashable]

US – Hotel Company Files Complaint Against Insurer

InterContinental Hotels Group PLC has filed a complaint against Zurich American Insurance Co. “demanding coverage under two insurance policies for any potential losses that might result from a pending class-action accusing the hotel company of illegally recording customer service phone calls in California.” The class-action in question, which includes a potential class of 7,000 California residents, alleges Six Continents Hotels “recorded their calls to the company’s reservation hotline without their consent,” the report states. [Law360] See also: [Marketing Company Settles with Vermont AG]

Identity Issues

US – Report: Identity Fraud Surging

The Medical Identity Fraud Alliance’s new report, “The Growing Threat of Medical Identity Fraud: A Call to Action,” includes “several harrowing anonymous stories” as the number of medical data breaches continue to climb, Fortune reports. In fact, that number has quadrupled in the past five years fueled by “a decentralized U.S. health system, increasing digitization of records and demand in the black market,” the report states. “The crime itself can be very valuable to a cyber criminal or any criminal, even a low-tech criminal, and the reason is that the information contained in a medical record includes just about everything about you,” the Ponemon Institute’s Larry Ponemon said. [Source]

US – MyE-Verify to Use Cloud Services for Backend

The US Department of Homeland Security’s (DHS’s) MyE-Verify identity check tool allows people to place freezes on their Social Security numbers (SSNs). MyE-Verify has been available in some states since October 6 and is expected to be rolled out across the country by mid-2015. While DHS will operate the public-facing website, the agency is looking for a cloud service provider to host the system’s backend. Here’s how the government describes myE-Verify: “myE-Verify is a free, Web-based service that provides you with self-service features to participate in the E-Verify process. E-Verify is a Web-based system that enables an employer, using information reported on an employee’s Form I-9 for Employment Eligibility Verification, to determine if that employee is eligible to work in the United States. Many employers use E-Verify to verify the employment eligibility of their new employees.” [NextGov] See also: [850 voters in NYC are officially 164 years old]

US – Judge Finds Android IDs Are Not PII, Dismisses Cartoon Network Suit

A U.S. District Court judge has found that Cartoon Network (CN) doesn’t violate users’ privacy rights by transmitting the names of videos they view to analytics company Bango. Judge Thomas Thrash, Jr., dismissed a potential class-action lawsuit by an Android user alleging CN violated the Video Privacy Protection Act when it shared the titles of the videos he watched, combined with his Android ID, to Bango, which was then able to attribute his private viewing habits to an “existing digital dossier.” Thrash found Android IDs are not personally identifiable information, writing that although the randomly generated number is unique, “It is not, however, akin to a name. Without more, an Android ID does not identify a specific person.” [MediaPost]

US – LifeLock Introduces Consumer-Control Tool for Personal Information

LifeLock has announced it is beta-testing a new service that would allow consumers “to find and remove or suppress their personally identifiable information, such as name, address, age and known relatives, from selected common people-search websites and Internet-based advertising companies.” Called Lifelock Privacy Monitor, the free service “gives consumers better control of their privacy,” said LifeLock President Hilary Schneider, “and ultimately puts one more hurdle in the way of would-be identity thieves.” The company also recently conducted a survey that found 86% of consumers do not want their personal information sold by people-search websites and ad companies. [Source]

WW – Google Now Offering USB Key Security

Google is now offering optional enhanced security for users of its many services. The Security Key technology lets users of Google’s Chrome browser insert a key into a USB port on the device and tap it when prompted. It’s a more streamlined version of the 2-Step verification the company already offers, which sends users a code as a text message or email that users then enter. The new system requires that users purchase the USB key. The Center for Democracy and Technology’s Joseph Lorenzo Hall supports such technology, writing in a recent blog post that it’s time for “the beginning of the end of passwords.” [Google Online Security Blog] [Ars Technica] [Krebs] [CNET]

US – CES to Feature Companies Finding Solutions to ID Theft, Fraud

The Consumer Electronics Association (CEA) has announced the launch of the Personal Privacy and Cybersecurity Marketplaces at the 2015 International CES. The marketplaces will include personal cybersecurity products, solutions from smart wallets and safe payment apps as well as private Internet access. “As we all embrace the convenience and ‘always-connected’ powerful capabilities of our electronic devices, our privacy and security take on even more importance,” said a CEA spokeswoman, adding the CEA developed the marketplaces to highlight companies developing advanced solutions to stop identity theft, fraud and other cyber-crimes. [Press Release]

Intellectual Property

WW – OECD Releases Guidance on “Intangible Digital Content Products”

The OECD has released guidance urging governments and businesses to implement data protections for consumers of digital content. Consumer Policy Guidance on Intangible Digital Content Products was released on October 27, according to Bloomberg BNA, and it details customer surveys and complaints, including concerns about improper information disclosure as well as “misleading or unfair” data collection and use practices. Consumers also complained about poor redress mechanisms, the security of online payment systems and unclear terms of service. [OECD Library]

Internet / WWW

WW – Overview of Mauritius Conference of Data Protection Commissioners

The 36th International Conference of Data Protection and Privacy Commissioners (ICDPPC), held in Mauritius, “was an extremely productive and revealing event,” writes Hogan Lovells Partner Eduardo Ustaran. The ICDPPC, an annual gathering of data protection regulators “and other movers and shakers of the privacy world has become a reference point in terms of debating key public policy issues and coordinating regulatory strategies and actions,” Ustaran writes, noting the quality of the discussion and participants this year was top-notch. Given how active things are at the moment, this year’s conference did not disappoint. Ustaran highlights takeaways of particular relevance to the world’s privacy pros. [Privacy Perspectives] [The Big Takeaways From the DPAs Conference in Mauritius]

WW – ISO Cloud Standard Offers Help with Compliance Challenges

While cloud computing continues to grow, many organizations have delayed adoption due to the compliance concerns that come with sharing data with third-party providers. Kurt Wimmer and Caleb Skeath of Covington & Burling LLP write that the International Organization for Standardization’s (ISO) new standard, ISO 27018, is the first voluntary international standard for processing information that is specifically tailored for cloud providers and includes many requirements imposed by EU law. Because of this, “the new standard may provide … a quick reference point to evaluate the security practices of cloud service providers” and, as a result, may change the industry of cloud computing. Meanwhile, it will be difficult for healthcare companies “to fully trust cloud software vendors” unless governments “tighten the regulatory screws on SaaS vendors to make them be more transparent and forthcoming about their security practices.” [Source]

Law Enforcement

CA – RCMP Failed to Keep Records on Warrantless Access, Watchdog Says

There’s no way to know if the RCMP complied with privacy laws in requesting Canadians’ personal information without a warrant, or even how often the Mounties made such requests, according to Ottawa’s privacy watchdog. Privacy Commissioner Daniel Therrien said his office was not able to track how often the national police force requested access to Canadians’ personal information without a warrant — because the RCMP don’t track that information themselves. Therrien’s office revealed they were formally reviewing the RCMP’s warrantless access practices after the Star and the Halifax Chronicle Herald reported that police forces asked nine telecommunications companies for their customers’ information 1.2 million times in 2011 alone. Since launching the review in October 2013, Therrien’s office interviewed 50 RCMP members, including senior officers, field agents making warrantless requests, and IT specialists. After reviewing RCMP databases, which receive around two million new entries per year, the watchdog’s investigators could only find a few cases where they could identify a warrantless request had been made. [Source]

US – Local Cops Say Your Driving History Is Public — Unless You Want a Copy

Monroe Police have been using high-speed cameras to capture license plates in order to log vehicle whereabouts. As of July, the County’s database contained 3.7 million records, with the capability to add thousands more each day. The justification for cops having records of the whereabouts of law-abiding citizens is that the vehicles are driven in public and therefore drivers have no expectation of privacy. It’s an argument that’s at odds with the Supreme Court’s 2012 ruling in U.S. v. Jones. In Jones, a GPS tracking case, the court held that individuals do have an expectation of privacy when it comes to their long-term whereabouts, even when using public roads. [Source]

US – Virginia Police Departments Sharing Suspects’ Phone Metadata

For nearly two years, several law enforcement agencies in Virginia have been sharing suspects’ phone metadata with each other. The information, shared between five police departments, has been compiled into a database. [Ars Technica] [Virginia Police Have Been Secretively Stockpiling Private Phone Records] See also: [UK: Police apologise after personal details of crime victims leak online]

WW – Apple’s New OS X Yosemite Sends Search Data and Location back to Company Servers

While Apple has made headlines recently for its enhanced encryption in iOS 8, the company’s newest Mac operating system, OS X Yosemite, reportedly leaks user information by sending location and search data when users query Spotlight, the operating system’s search feature. [ArsTechnica] [TheRegister] [Spotlight: Privacy Advocates Furious As Apple Feature Siphons Off Location Data of Yosemite And iOS 8 Users][Users can turn off the setting in Mac OS X’s System Preferences]

Online Privacy

US – Verizon Under Fire for Inserting Unique Identifiers, Tracking Internet Activity

Verizon Wireless has been inserting Unique Identifier Headers (UIDH) into data flowing between its users and the websites they visit. The short-term string of approximately 50 characters helps advertisers identify users on the web, and according to the report, “it’s the lynchpin of the company’s Internet advertising program.” The Electronic Frontier Foundation’s Jacob Hoffman-Andrews said, “ISPs are trusted connectors of users and they shouldn’t be modifying our traffic on its way to the Internet.” A Verizon spokeswoman said the company doesn’t use the UIDH to create customer profiles and customers who opt out of the Relevant Mobile Advertising program will not receive targeted ads. [Wired] [Ars Technica] [Verizon Wireless] See also: [Forbes: The Scoop on Permacookies] and [Unraveling and Unpacking the Technology of Web Tracking]. Meanwhile, technologists have developed a Firefox browser extension called AdNauseam that aims to turn ad blocking into a form of protest. The extension clicks on online ads that are blocked by AdBlock instead of ignoring them. One of its developers said “it is not advertising we are protesting but advertising insofar as it represents a dominant means of tracking.” Meanwhile, a program at Verizon Wireless gives customers points toward rewards like the “perfect night out” or other entertainment in exchange for their personal information. UPDATE: [Somebody’s Already Using Verizon’s ID to Track Users] see also: [Comcast customer files lawsuit claiming privacy violation]
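Because the identifier is added by the carrier in transit, a site operator can only see it on plaintext HTTP requests, and can only tell it is a tracker by noticing the same value arriving at unrelated hosts. The script below is an added example for this digest, not Verizon's or any site's code; the header name X-UIDH is the one reported for Verizon's program, while the requests and the 50-odd-character value are constructed.

```python
"""Detect carrier-injected tracking headers on incoming plaintext HTTP.

Added example: the header name X-UIDH is the one reported for Verizon's
program; the sample requests and the identifier value are constructed.
"""
from __future__ import annotations

from collections import defaultdict

# Header names known to be injected by a network intermediary for
# advertising identification.  Extend from your own monitoring.
TRACKING_HEADERS = {"x-uidh"}


def parse_request(raw: str) -> dict:
    """Parse the request line and headers of an HTTP/1.1 request."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def injected_identifiers(raw: str) -> dict[str, str]:
    """Return any tracking headers present on one request."""
    req = parse_request(raw)
    return {h: v for h, v in req["headers"].items() if h in TRACKING_HEADERS}


def cross_host_identifiers(requests: list[str]) -> dict[str, set[str]]:
    """Map each injected value to the Host names it was seen with, keeping
    only values that span more than one host: that is what makes the
    header a cross-site identifier rather than a per-site cookie."""
    seen: dict[str, set[str]] = defaultdict(set)
    for raw in requests:
        req = parse_request(raw)
        for _name, value in injected_identifiers(raw).items():
            seen[value].add(req["headers"].get("host", ""))
    return {v: hosts for v, hosts in seen.items() if len(hosts) > 1}


# --- constructed sample traffic ------------------------------------------
UIDH_VALUE = "OTgxNTk2NDk0ADJVquRu5NS5+rSbBANlrp+13QL7CXLGsFHpMi4LsUHw"  # constructed


def _req(host: str, path: str, extra: list[tuple[str, str]] = ()) -> str:
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}", "User-Agent: Mozilla/5.0"]
    lines += [f"{k}: {v}" for k, v in extra]
    return "\r\n".join(lines) + "\r\n\r\n"


REQ_NEWS = _req("news.example", "/", [("X-UIDH", UIDH_VALUE)])
REQ_SHOP = _req("shop.example", "/cart", [("X-UIDH", UIDH_VALUE)])
# An HTTPS request: the carrier cannot see or modify headers inside TLS,
# so nothing is injected.  Serving everything over HTTPS is the mitigation.
REQ_BANK = _req("bank.example", "/login")

if __name__ == "__main__":
    print(injected_identifiers(REQ_NEWS))
    print(cross_host_identifiers([REQ_NEWS, REQ_SHOP, REQ_BANK]))
```

The logging side of this (recording which hosts see which values) is what a site would need to substantiate a complaint; the prevention side is HTTPS everywhere, since a header the carrier cannot read it cannot rewrite.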

US – Facebook Says Political Data-Mining Deal Is Privacy-Safe

Facebook is mining data on its users’ political views and plans to share those insights with ABC News and BuzzFeed for use in their reporting in 2016. The data will be collected from users 18 and older in the U.S. and will classify political sentiment as positive, negative or neutral. Facebook Director of News and Global Media Partnerships Andy Mitchell said, “Given the volume of conversation around politics on Facebook, we believe this data truly represents what the American people think about the potential candidates.” A Facebook spokesperson said the data “is gathered in an aggregated and depersonalized manner in a privacy-safe way.” [Politico] See also: [Twitter and IBM strike data mining agreement, Report] See also: [Online privacy taught to teens at Calgary conference] and also: [Social media is our modern diary. Why do tech companies own all the keys?]

WW – Facebook Experiments to Improve Tor Access

Facebook London Software Engineer for Security Infrastructure Alec Muffett writes about the social network’s efforts “to provide methods for people to use our site securely” and an experiment that “makes Facebook available directly over Tor network” via an “onion” address. “Tor challenges some assumptions of Facebook’s security mechanisms,” he writes, describing how a Tor user “who appears to be connecting from Australia at one moment may the next appear to be in Sweden or Canada” might be mistaken for a botnet. “Facebook’s onion address provides a way to access Facebook through Tor without losing the cryptographic protections provided by the Tor cloud,” Muffett writes. [Source] SEE ALSO: Facebook has unveiled a new pseudonymous app called Rooms, developed by Josh Miller, which is reportedly the first product where Facebook doesn’t require users to use their real names.

WW – Apple Responds to Privacy Concerns About Spotlight

Apple’s Spotlight search function was updated last week with the latest version of Apple’s operating system and is also available for older machines to download. The tool offers Google search suggestions and allows users to search their PCs or the Internet via Bing. Following privacy concerns that it was collecting user location data, Apple issued a statement clarifying Spotlight’s data collection practices, including that it doesn’t retain IP addresses and blurs locations. “We are absolutely committed to protecting our users’ privacy and have built privacy right into our products,” Apple said, adding it has worked to minimize the amount of information sent to the company. But security expert and new FTC CTO Ashkan Soltani called the feature the “worst example of ‘Privacy by Design’ I’ve seen yet.” [The Washington Post]

US – Senator Demands Explanation from Whisper Over User Tracking

Fallout from last week’s report by The Guardian about several privacy issues with anonymous social media app Whisper continued after Senate Commerce Committee Chairman Jay Rockefeller (D-WV) wrote a letter to the company’s chief executive asking for a detailed, in-person meeting, The Guardian reports. In his letter, Rockefeller told Whisper CEO Michael Heyward that as commerce chair, Rockefeller has “jurisdiction over the FTC and consumer protection issues including online privacy.” Last week, Whisper’s editor-in-chief said The Guardian’s report was “a pack of vicious lies,” but last weekend, in a statement, Heyward said, “We realize that we’re not infallible.” [The Guardian]

US – Whisper Fires Back Against Accusations

According to The Guardian, the company behind Whisper—the site enabling users to make confessions they’d be unlikely to make publicly, while promising anonymity and claiming to be the safest place on the Internet—is tracking user location. The paper further reports the company is sharing information gleaned from smartphones being operated from military bases with the U.S. Department of Defense. However, the company has written a five-page statement alleging the story is inaccurate. “Whisper does not collect nor store any personally identifiable information from users and is anonymous,” the company said. “There is nothing in our geolocation data that can be tied to an individual user and a user’s anonymity is never compromised.” [The Guardian] See also: [What happens when your friend’s smartphone can tell that you’re lying]

CA – Negative Online Reviews Led to Threats of Legal Action from Targeted Businesses

It’s just an opinion, right? But if you post it online, you could get some unwanted attention from lawyers. A growing number of companies are going after people who post negative reviews online. Ottawa student Olivia Parsons learned that the hard way. After moving out of her apartment in June, she says she posted several less-than-flattering online reviews on Google and Yelp. The reviews took aim at CLV Group — the company that manages the building. According to its website, CLV manages more than 7,500 rental apartments in Ontario and Quebec. Parsons was upset about fees she was asked to pay after moving out and the way, she says, the company handled the issue. About a week later, Parsons got a surprise in the mail — a letter from CLV Group’s lawyer demanding Parsons immediately stop posting negative reviews and that she delete the ones already up. The letter described her reviews as “false” and “misleading” and damaging to the company’s reputation. That letter came as a surprise for another reason. Parsons used an online pseudonym. Yet the company was still able to track down her real name and even her new address. She has no idea how they managed to do that. [Source]

US – Ello Gets $5.5 Million in VC

Privacy-promising social network Ello has received $5.5 million in venture capital funding, while simultaneously filing as a Public Benefit Corp. in Delaware, which makes it “impossible under U.S. law for investors to require Ello to show ads, sell data or sell the company to any buyer who would violate those conditions.” Addressing skepticism about Ello’s plans for not selling data to third parties, Ello investor Seth Levine said, “Our belief is that there are products and features that Ello can develop that users will be willing to pay for.” [TechCrunch]

Other Jurisdictions

AU – Gov’t Delays Vote on Metadata Bill

The Australian government will delay a parliamentary vote on a mandatory metadata retention bill until next year, The Guardian reports. The bill would require Australian telecommunications companies and ISPs to store data on users—specifically IP addresses and who users have emailed, but not their web-browsing history—for two years, but it will not be subject to a vote until a bipartisan committee initiates an inquiry. A communications spokesman for the Labor party said, “It involves privacy concerns from everyone that’s got a mobile phone or access to the Internet and potential cost concerns.” [The Guardian] [Australian Communications Minister Malcolm Turnbull has introduced a bill that would repeal certain reporting requirements for telcos] [Australian Immigration Minister Scott Morrison is defending a proposal to collect biometric data, noting such retention of “sensitive personal information on travelers was becoming a ‘common standard’ for countries.”] and [The Office of the Australian Information Commissioner has released its 2013-14 Annual Report, which shows the office handled a record number of complaints] and also [The New South Wales Office of the Attorney General “has confirmed the government’s intentions” to include rules for “storing data offshore, particularly as part of cloud computing arrangements.”] and also: [Hong Kong Privacy Commissioner Allan Chiang has issued guidance on a number of data protection issues banks must consider]

Privacy (US)

US – NSA Phone Program Faces Court Test

In a case that will be “closely watched,” the DC Circuit Court of Appeals will hear arguments challenging the constitutionality of the NSA’s bulk phone data collection program. Plaintiff Larry Klayman said “all we’re really asking is that the NSA adhere to the law.” The FBI is urging Congress to change the Communications Assistance for Law Enforcement Act to essentially force companies to give the FBI a mobile device master key to sidestep encryption. Section 213 of the USA PATRIOT Act, which allows for so-called “delayed-notification search warrants,” concerns privacy advocates, who say such “sneak and peek” warrants are also being used in cases not involving suspected terrorists. See also: Colorado’s senate race, Sen. Mark Udall’s (D-CO) political fight for survival and what his loss could mean for surveillance reform. [Source]

US – ACLU Challenging School District Digital Policy for Violating Students’ Rights

The ACLU is challenging a Tennessee school district’s policy of searching students’ electronic devices and monitoring and controlling what the students post to social media. The policy also allows schools to monitor communications sent through or stored on school networks. The ACLU says the policy is broadly written and “demonstrates a fundamental misunderstanding” of students’ constitutional rights. [WIRED] [Policy] [ACLU Letter] See also: [“Al Quaida” SSID causes flight delay]

US – Google, Viacom Ask Judge to Dismiss Suit “With Prejudice”

Google and Viacom have asked a federal judge to throw out a proposed class-action suit that alleges the companies violated children’s privacy rights by collecting personal data from those visiting sites such as Nick.com. The suit, “which was brought in 2012 on behalf of a group of children, stems from allegations that Viacom allows Google to set tracking cookies on Nick.com, Nickjr.com and Neopets.com,” the report states, noting an earlier version of the suit was dismissed without prejudice in July, “meaning that the children’s lawyers could amend their allegations and try again,” which they did, in August. Google and Viacom are urging the judge “to dismiss the lawsuits with prejudice, which would prevent the users from bringing the complaint again.” [Media Post] See also: [Federal Court Won’t Revive Redbox Suit] and [A New Jersey federal judge threw out a Wyndham Worldwide Corp. shareholder’s derivative action over a series of security breaches] and [In a case deciding whether the display of ads by Google’s Remarketing service violated the Israeli Spam Act, a district court correctly dismissed the case but in turn “practically altered the law’s provisions”] and [Judge Thomas Thrash, Jr., dismisses a potential class-action lawsuit by an Android user alleging Cartoon Network violated the Video Privacy Protection Act when it shared the titles of the videos he watched, combined with his Android ID, to Bango, which was then able to attribute his private viewing habits to an “existing digital dossier.”]

US – SCOTUS to Take Up Hotel Privacy Rights Case

The Supreme Court agreed to take up a hotel privacy rights case involving a Los Angeles city ordinance that requires hotels to maintain detailed guest lists and make them “available to any officer of the Los Angeles Police Department for inspection.” In December, a “divided” Ninth Circuit Court of Appeals said the ordinance violated the Fourth Amendment. The plaintiffs’ lawyer said, “A lot of the hotel owners in the LA area are being subject to warrantless searches under this ordinance.” Lawyers representing the city said the ordinance helps police investigate crimes, locate fugitives and could assist in responding to a homeland terrorist attack. [The Wall Street Journal] See also: [Police: Texas women digging through hotel dumpster had guests’ credit card information]

US – DMA, Venable Release Breach Notification Guide

The Direct Marketing Association (DMA) and Venable LLP have released a new guide on state data breach notification laws, according to a press release. The Essential Guide to Data Breach Notification is being distributed now. “We hear nearly every week about the occurrence of data breaches,” said Peggy Hudson, DMA’s senior VP for government affairs. “Data security and consumer trust are inextricably linked, and it’s up to all marketers to act as stewards of consumer information. With this guide and our extensive advocacy efforts, DMA is making the task of data stewardship more manageable for responsible actors across the data-driven marketing economy.” [Source] [DMA Fact Sheet]

US – Most U.S. Farmers Worried About Data Privacy -Farm Bureau Survey

Three out of four U.S. farmers fear data they share with companies offering big data services may fall into the wrong hands or be used without their consent, including for commodity market speculation, according to a survey published this week. The American Farm Bureau Federation said in the survey of 3,380 farmers from late July to September that more than 82% of farmers are unsure how companies selling data-mining tools aimed at boosting yields and efficiency plan to use their data. (Survey findings). Despite the unease, more than half of farmers say they plan on investing in new or additional precision planting or data gathering tools in the future, according to the survey by the country’s largest farmer organization. [Source]

US – Privacy Act Turns 40, Gets Roasted

The Privacy Act turned 40 this year. To celebrate, Georgetown Law’s freshly launched Center on Law and Technology held a birthday party of sorts. Well, a birthday party where the guest is partly celebrated but mostly roasted by all of its friends and foes and then told how it can improve. But who doesn’t love a good roast? The event featured an all-star roster of panelists who discussed how the law came to be and why it was so desperately needed 40 years ago, as well as the ways its provisions now fail to protect Americans thanks to technology, the ascension of big data and some pretty sneaky workarounds created to circumvent the law’s prohibitions. [IAPP Privacy Advisor]

US – Ashkan Soltani Named FTC’s New Chief Technology Officer

The U.S. FTC named Ashkan Soltani as its new chief technology officer. Soltani, who has been an independent security researcher and investigative reporter, is taking over for Latanya Sweeney, who will be returning to Harvard University. “Technology and online and mobile platforms are continuing to evolve at a rapid pace and will remain a key focus for the FTC,” said Chairwoman Edith Ramirez, adding, “I am very grateful to Latanya Sweeney for her outstanding work … particularly for her leadership in strengthening the commission’s efforts to better protect sensitive consumer information.” Soltani will take up his new role in November. [FTC] See also: [Omer Tene breaks down the FTC’s reasonable standard and how it can help you navigate the uncertainty of “reasonable security.”]

Privacy Enhancing Technologies (PETs)

WW – Overview of Emerging Tokenization-as-a-Service Model

Payments security specialist Ian Hermon writes about the emergence of the tokenization-as-a-service model for payment card data protection. He points out that tokenization “protects merchants by devaluing the data they need to hold,” thus making it less desirable for hackers—a notion highlighted last week in the California attorney general’s report on data breaches. A report released by security company Solutionary reveals that 75% of the companies it assisted had no cyber-incident response team or policies and procedures in place. Cybereason CEO and Cofounder Lior Div argues, in a column for Forbes, that the “main reason … security fails to successfully battle complex hacking operations is not due to a lack of competency or negligence” but rather “because security teams desperately lack context.” [SC Magazine]

US – Karp: Engineers, Technologists Can Help Mine Data and Protect Privacy

Palantir Technologies Chief Executive Alex Karp says privacy is at risk in the current data ecosystem, but engineers and technologists can help protect individuals from government snooping by placing “tags” on data that would require anyone who uses a given data point to disclose how they’re using it. Palantir has developed similar technology for the private sector and law enforcement agencies. “The behavior should be tagged in a way that a third party can always be aware of what (the engineer) is doing,” Karp said. He also noted that more technologists should go to work for the U.S. government because it is in short supply of engineers, the report states. [WSJ] See also: [Will Breaches and Privacy Concerns Lead to the Rise of the Personal Cloud?] See also: [Professor: Anonymous Apps Give False Sense of Security] and [The Hidden Privacy Threat of … Flashlight Apps?] and [MIT Tech Review: Well-funded start-up Illumio says it has created software designed to reduce intrusions and protect data centers from massive breaches] See also: [A Look at Dynamic Data Obscurity: What Anonymization and the TSA Have in Common] and [Experts Point to ‘Responsible’ De-identification Methods as the Means to Protect Patient Privacy and Harness the Power of Big Data for Much-Needed Research and Analytics] and [US: Riding with the Stars: Passenger Privacy in the NYC Taxicab Dataset]

WW – Kickstarter Suspends Funding for Privacy Router

Kickstarter has suspended funding for Anonabox, a privacy-enhancing router project, for allegedly misleading investors. In an email to investors who had pledged money to the project, Kickstarter said “a review of the project uncovered evidence that it broke Kickstarter’s rules,” including “offering purchased items and claiming to have made them yourself” and “presenting someone else’s work as your own” as well as “misrepresenting or failing to disclose relevant facts about the project or its creator.” A post on Reddit revealed that what the project’s creator, August Germar, said was custom-built hardware was already for sale by Chinese suppliers. [Wired] Meanwhile, web creator Tim Berners-Lee is backing MeWe, a private communications network that combines social media, cloud storage and individual and group messaging, all with privacy at the forefront. See also: [Opinion: Better data privacy will boost innovation]

WW – Google Employs 1960s-Era Technique for Privacy-Friendly Stats Collection

Google plans to use a technique developed in the 1960s in a project aimed at gathering users’ computer data in a privacy-friendly manner. Named Randomized Aggregatable Privacy-Preserving Ordinal Response (RAPPOR), the project will collect software statistics, including security flaws, without compromising sensitive information. It does this by using a “statistical trick … allowing software to send reports that are effectively indistinguishable from the results of random coin flips and are free of any unique identifiers,” said Ulfar Erlingsson, the project’s lead tech manager for security research. “However, by aggregating the reports, we can learn the common statistics that are shared by many users.” Google will present a paper on this at the ACM Conference on Computer and Communications Security. [PCWorld]

US – NIST Issues Information Sharing Guidelines for Public Comment

The US National Institute of Standards and Technology (NIST) has released a draft of its Guide to Cyber Threat Information Sharing for public comment. “The goal of the publication is to provide guidance that improves the efficiency and effectiveness of defensive cyber operations and incident response activities, by introducing safe and effective information sharing practices.” NIST will be accepting comments through November 28. [Source]

US – NIST Warns of Security Issue in Samsung’s “Find My Mobile” Service

A vulnerability in Samsung’s “Find My Mobile” service could be exploited by attackers to lock the devices. The National Institute of Standards and Technology (NIST) has issued a warning about the problem. [ComputerWorld] [NIST]

Smart Cards

US – US Defense Dept Starting to Roll Out Chip-and-PIN Cards for Travelers

The US Department of Defense (DOD) has issued approximately 600 payment cards with chip-and-PIN technology to members of the military who travel. All 1.3 million military travelers will have the new cards by the end of summer 2015. DOD military travelers may also request the cards starting in January 2015. [NextGov] [US Government to Require Chip-and-Pin for Federal Payments]

US – POS Malware Persistent

Point-of-sale malware known as Backoff is still being found on systems in the US. According to numbers from Damballa, Backoff infections increased 57% in August and 27% in September. It is unlikely that infections will decrease any time soon as the holiday shopping season draws near. [The Register] [NBC News]

US – Automakers Working on Protecting Vehicle Data Privacy

The Association of Global Automakers — the trade association representing Toyota Motor Corp, Honda Motor Co., Nissan Motor Co., Hyundai Motor Co. and other foreign automakers — and the Alliance of Automobile Manufacturers — the group representing U.S. automakers, Toyota, Volkswagen AG, Daimler AG and others — both say they are working together to ensure driver data privacy. The two groups told the National Highway Traffic Safety Administration late Tuesday they are working jointly to write consumer privacy protection principles. Sen. Al Franken, D-Minnesota, has raised concerns about driver privacy because of consumer data from GPS and in-vehicle systems. Global Automakers told NHTSA it supports making vehicle-to-vehicle communications required. [Source] See also: [Napel: Where’s the Security for Wearables?]

US – Intelligence Director’s Interim Report Calls for Privacy Improvements

The Office of the Director of National Intelligence (ODNI) has issued an interim report on the implementation of Presidential Policy Directive/PPD-28, Signals Intelligence Activities. The directive was issued in January of this year and establishes new principles and strengthens oversight on signals intelligence activities. The interim progress report recommends ensuring “privacy and civil liberties are integral considerations in signals intelligence activities,” say Alexander Joel, CIPP/US, CIPP/G, and Robert Litt, in their announcement. Among the key points denoted by the Civil Liberties Protection Officer and the General Counsel for ODNI are a call for improving how privacy and civil liberties complaints are handled and reviewing training “to ensure that the workforce understands the responsibility to protect personal information, regardless of nationality” with completion of the training “a prerequisite for accessing personal information in unevaluated signals intelligence.” [Source] See also: [FBI Director: Post-Snowden Pendulum Has Swung Too Far] and [How the FBI caught a teenager making bomb threats: It planted a fake news article about him and hoped he clicked it]

US – Florida Supreme Court Says Warrant Required for Cell Phone Tracking

Florida’s Supreme Court has ruled that law enforcement must obtain a warrant before collecting cell phone location data. The court ruled that obtaining cell tower location data from service providers in real-time constitutes a Fourth Amendment search and therefore requires a warrant. The case involves cell data from a provider but could likely be applied to devices like StingRays, which simulate cell tower signals. [WIRED] [ArsTechnica] [SCMagazine] [Ruling] and also: [US: Can privacy be applied when using mobile phones for Ebola contact tracing?]

US – Washington, DC Police and StingRay

Documents obtained through a Freedom of Information Act (FOIA) request show that police in Washington, DC have had a StingRay cellular surveillance device since 2003, but it remained unused until 2009, when officers were trained in its use. StingRay is a trademarked name, but has come to serve as a generic term for the technology. The devices, also known as IMSI catchers, can determine the location of cell phones as well as intercept calls and text messages. They also vacuum up data from other phones in the area. [Ars Technica]

UK – Schneier, Diffie, Ex-MI5 Bod, Privacy Advocates Team Up On Code Red

Security experts including Bruce Schneier and Whitfield Diffie are teaming up with privacy advocates to form a new privacy group that aims to champion privacy against the growing tide of intrusive government surveillance. The project, Code Red, is due to begin in January with the aim of becoming a “strategic think tank and campaign clearinghouse to provide new resources and tactical advice to human rights groups across the world”. The project reflects concerns that government surveillance and intrusion has escalated – despite the national security disclosures by whistleblower Edward Snowden. Code Red aims to support whistleblowers as well as human rights groups. Code Red has put together an impressive cast of members on its steering group including Diffie, one of the pioneers of public key cryptography, and influential security expert Schneier as well as Tor developer and Snowden disclosures affiliate Jacob Appelbaum. Code Red’s steering group includes several influential figures in civil society, among them MI5 whistleblower Annie Machon, former US Congress member and presidential candidate Cynthia McKinney, former Wikimedia General Counsel Mike Godwin, the Electronic Frontier Foundation’s International Rights Director Katitza Rodriguez and the former editor of Index on Censorship Judith Vidal-Hall. [Source]

SK – Government Tries to Ease Public’s Online Privacy Fears

South Korean Prime Minister Chung Hong-won is trying to ease fears among the public about online privacy after prosecutors last month launched a cyber-investigation team to help uncover online rumors that President Park Geun-hye said “crossed the line.” As a result, citizens have been fleeing a domestic chat app to a foreign rival due to fears the government is spying on their conversations. Hong-won said the government is only monitoring for high-profile crimes such as murder, human trafficking or insurrection. The prime minister’s office said he has “emphasized that the government has been steadfast in ensuring freedom of expression and other basic privacy rights and will continue to do so.” [Reuters]

UK – Lords Consider Drone Laws Over Privacy Fears

A House of Lords committee will hear from drone safety experts about whether legislation needs updating. The committee is investigating the civil use of unmanned aerial vehicles (UAVs) and is expected to report its findings in 2015. The popularity of drones has surged as the technology has improved, leading to a consumer boom in cheaper, simpler models. Among the questions the committee will seek answers to are the implications of drones for air traffic control, and whether drones will be affected by current data protection legislation. [Source] See also: [The Skies Are Watching You] and also: [Nevada: Where Drone and Data Scientist Jobs Are Headed]

Telecom / TV

US – Advocates Concerned About Phone “Kill Switch” Legislation

Several states are attempting to pass legislation requiring cell-phone makers to include a “kill switch” in the devices allowing for remote shutdown capabilities in an attempt to stymie cell-phone theft and protect the personal data of consumers. But the legislative trend is raising red flags for privacy advocates who say such kill switches would provide law enforcement with too much power, potentially preventing citizens from communicating and documenting public demonstrations. The Center for Democracy & Technology’s Jake Laperruque said, “The idea of this being co-opted as an anti-protest tool is especially disturbing.” To date, California and Minnesota have passed kill-switch legislation, while Nevada and New Jersey are considering it. [USA Today]

WW – Why Consumers Should Be Scared of Smart TVs

Michael Price writes about why he’s scared of his new “smart television” after reading through its 46-page privacy policy. “The amount of data this thing collects is staggering,” he writes, adding users can always go with a “dumb” option, “but it comes at a cost. The device will not function properly or allow the use of its high-tech features,” leaving users “with an unacceptable choice between keeping up with technology and retaining their personal privacy.” Last year, the Center for Democracy & Technology’s Justin Brookman discussed how the lack of Privacy by Design in smart TVs will erode consumer trust. Meanwhile, five predictions for “addressable television” include how “privacy will be a key conversation.” [Salon] See also: [Whirlpool’s “Internet of Things” problem: No one really wants a “smart” washing machine]

US Government Programs

US – DHS Privacy Office’s Annual Report Outlines Next Priorities

The Department of Homeland Security’s Privacy Office has released its 2014 Annual Report to Congress, which includes highlights of such accomplishments as its Fair Information Practice Principles becoming “the privacy policy touchstone” for all federal agencies, its impact assessment official guidance becoming a model for agencies and foreign countries and its publishing of a directive on the department’s use of social media as a standard for other agencies’ use. The office will prioritize assessing new systems and programs to develop robust privacy protections; expand its service as a consultation organization and increase its engagement with the privacy community, among others. [Source] See also: [The “second source” for Snowden reporters, explained]

US – ICE Twice Breached Privacy Policy With License-Plate Database

Since February, shortly after the U.S. Department of Homeland Security (DHS) canceled plans for widespread access to a national license-plate tracking database, officials within the DHS’s Immigration and Customs Enforcement agency (ICE) have allegedly bypassed the privacy office on at least two occasions to purchase a one-year subscription to a license-plate tracking database. An ICE spokeswoman said use of the database is limited and a privacy impact assessment is in preparation. Rep. Bennie Thompson (D-MS) said, “there may be law enforcement need for certain personal information, [but] DHS must make sure that contracts of this nature are thoroughly reviewed by its privacy office and Office for Civil Rights and Civil Liberties to ensure compliance with all relevant laws and regulations.” [The Washington Post]

US – NSF to Fund Database Research Project

A US initiative will create a database for the collection, storage and analysis of learning and behavioral data generated by students via digital learning technologies. Called LearnSphere, the project will be led by researchers at Carnegie Mellon University, which is receiving $4.8 million in funding from the National Science Foundation. The eventual infrastructure, distributed across several institutions, third parties and for-profit vendors, will include a trove of anonymous data, including digital-interaction options, chat-window messages between students and possibly some biometric information generated during classroom interactions, the report states. A representative from the Electronic Privacy Information Center said LearnSphere “warrants further evaluation” before moving ahead. [Education Week]

US – FCC Brings Largest Enforcement Ever (Again): $10 Million

The FCC is planning to fine TerraCom and its affiliate YourTel America $10 million for several violations of laws protecting the privacy of phone customers’ personal information. It is the largest enforcement action in the commission’s history (beating out the $7.5 million fine for Sprint in May), according to an FCC press release. The companies “apparently stored Social Security numbers, names, addresses, driver’s licenses and other sensitive information belonging to their customers on unprotected Internet servers that anyone in the world could access.” In the companies’ privacy policies, they promised customers “technology and security features to safeguard the privacy” of that information, the FCC said. [Source] See also: [Call Center Scams on Rise]

US – U.S. FCC Joins Global Enforcement Network

The U.S. Federal Communications Commission (FCC) has announced it has joined the Global Privacy Enforcement Network (GPEN). GPEN seeks to promote the cooperation and collaboration of global privacy enforcement authorities and includes about 50 data protection authorities. “We live in a world where threats to consumer privacy and data security often require the cooperation of numerous law enforcement agencies around the world,” said FCC Enforcement Bureau Chief Travis LeBlanc, adding, “If we are to detect, disrupt and dismantle these persistent global privacy assaults, it is critical that we work closely with our international partners abroad as well as our federal, state and local partners here at home.” [Source] [Does the FCC Have FTC Envy?] See also: [The Blind Men, the Elephant and the FTC’s Data Security Standards]

US – Report Examines USPS Audit, Lack of Controls in Law Enforcement Requests

According to a U.S. Postal Service Office of Inspector General audit that came out earlier this year, the USPS granted 49,000 law enforcement requests to track mail in 2013. Additionally, the inspector general said the program has “insufficient controls,” including the lack of proper approvals and justifications and failing to require annual reviews, the report states. The program’s shortcomings could “hinder the Postal Inspection Service’s ability to conduct effective investigations, lead to public concerns over privacy of mail and harm the Postal Service’s brand.” In another report revealed earlier this month, the Inspector General concluded nearly 14 million customer records had been put at risk when changing addresses. [Bloomberg]

US Legislation

US – 9/11 Commission Urges Cybersecurity Legislation

Members of the 9/11 Commission are urging Senate Majority Leader Harry Reid (D-NV) to pass cybersecurity legislation before year’s end. Noting recent large-scale hacks against Target and Home Depot and reports of security vulnerabilities, members warn that the U.S. could face a major cyber-attack if nothing is done. “The al Qaeda threat did not manifest itself without warning on September 11, 2001,” Commission Chairman Thomas Kean and Vice Chairman Lee Hamilton wrote in a letter. “But we did not heed those warnings until it was too late. Unfortunately, that pattern seems to be repeating itself in the cyber realm.” [The Hill] See also: [Senate Judiciary Committee Chairman Patrick Leahy (D-VT) said when the Senate reconvenes next month “it must swiftly take up and pass the USA FREEDOM Act.”] and [The Washington Post reports on the potential effects a Republican-run Senate would have on tech policy.]

US – Feinstein Floats Privacy Changes to Cyber Bill

Senate Intelligence Committee Chairwoman Dianne Feinstein (D-CA) has said she is considering changes to the Cybersecurity Information Sharing Act to address privacy concerns, but has acknowledged that might not be enough to get the law passed. “You know, it’s always more, more, more,” Feinstein said. She declined to share specific details about the changes, the report states. Feinstein’s measure was passed 12-3 by the Senate Intelligence Committee, the report states, noting Feinstein commented, “I think if we could get this up on the floor, I believe we can pass it … We’re willing to take amendments and do them on the floor, so that shouldn’t stop it.” [The Hill]

US – California AG Calls for Action from Retailers, Healthcare

California Attorney General (AG) Kamala Harris unveiled the California Data Breach Report, the state’s first since 2012. In it, the AG focuses on the retail and healthcare sectors and sets forth recommendations that call for more readable breach notices, increased use of technology like chip cards to devalue stolen credit card data and for the healthcare industry to employ widespread encryption. She also calls for additional security funding for smaller retailers, a growing target of cyber-attacks. [Source] [The Privacy Advisor outlines the California Data Breach Report]

US Legislative News Roundup: [While President Barack Obama has called on Congress to enact data breach notification legislation, that won’t happen this year.] | [Several states are attempting to pass legislation requiring cell-phone makers to include a “kill switch,” but the trend is raising red flags for privacy advocates who say they would provide law enforcement with too much power] | [Sen. Orrin Hatch (R-UT) outlined his agenda for technology legislation in the next Congress and highlighted the need to reform email privacy] | [Alabama Sen. Arthur Orr (R-Decatur) has indicated he is working on legislation that would require companies doing business in the state to notify customers of data breaches] | [New Jersey legislators have proposed AB 3322, requiring health insurers to encrypt personal health data on all of their computers] | [The New Jersey Assembly Consumer Affairs Committee has approved AB 3146, aiming to protect consumers from identity theft] | [Pennsylvania Gov. Tom Corbett is expected to sign a bill that creates a prescription drug monitoring program despite privacy concerns] | [The Pennsylvania Senate has passed a prescription drug monitoring bill despite privacy concerns voiced by the American Civil Liberties Union. The bill now heads to the governor’s desk] | [The Conference of the German Federal and State Data Protection Authorities has adopted a resolution expressing concern about privacy risks involved in the collection and processing of personal data in cars]

Workplace Privacy

WW – Exploring the Balance of Data Security and Employee Privacy

“With the right technology, enterprises can control the risk associated with maintaining confidential and private information. However, as many of these security measures require a detailed supervision of business operations, enterprises must be careful to avoid intruding on worker privacy,” states a new whitepaper from the Medical Device Privacy Consortium. Securing the Enterprise in a Privacy-Responsible Manner looks at the intersection of surveillance of systems and employee privacy rights in different regulatory environments and offers some recommended privacy principles to follow. [Source] See also: [The French Supreme Court has ruled employers must notify the CNIL of devices to monitor employees’ email volume and flows] and also: [US: 5 best practices for lawfully monitoring your employees’ social media activities]
