01-15 November 2014


US – Judge Rules FBI Facial Recognition Database Needs Scrutiny

A federal judge has ruled the Federal Bureau of Investigation’s (FBI) facial-recognition database needs scrutinizing due to its size and scope. U.S. District Judge Tanya Chutkan wrote of the FBI’s Next Generation system, “There can be little dispute that the general public has a genuine, tangible interest in a system designed to store and manipulate significant quantities of its own biometric data, particularly given the great numbers of people from whom such data will be gathered.” The ruling validates an Electronic Privacy Information Center (EPIC) lawsuit. EPIC National Security Counsel Jeramie Scott said, “The opinion strongly supports the work of open-government organizations and validates their focus on trying to inform the public about government surveillance programs.” [National Journal] See also: [US: Virginia police can now force you to unlock your smartphone with your fingerprint]

CA – Royal Bank to Test Toronto Company’s Nymi Technology

The Royal Bank of Canada has paired with Toronto-based technology developer Bionym to test a wristband called Nymi (pronounced Nim-ee), which identifies owners through their unique heartbeat and then lets them charge purchases to their credit card. The device looks like a watch, and will soon grace the wrists of 250 RBC clients and staff under a pilot project in Toronto that runs through February. Eventually, the bank hopes to roll out its RBC PayBand across the country. For now, the Nymi band will only work with MasterCard, though eventually the Royal Bank hopes to allow debit transactions. [The Canadian Press, cbc.ca] [Globe & Mail] and [This Startup Is Turning the Human Body Into a Next Gen Design Platform]

US – ‘This Call May Be Monitored’ — To Study Your Voice Print

You may not know it, but banks like Wells Fargo may be already using voice biometrics to make sure you’re really you. JP Morgan Chase & Co., Wells Fargo & Co. and other banks are using customer calls to record biometric voiceprints, using the data to help screen out later fraud. The technology is used to help create voiceprint “blacklists” of criminal who break into customer accounts by fooling call-center workers. But the practice has some pitfalls — some states prohibit collecting biometric data, and privacy lawyers said that the boilerplate “this call may be monitored” statement doesn’t give banks the authority to store customer biometrics.. [Minneapolis Business Journal]

Big Data

US – Groups Tell FTC Approved Merger Must Be Rethought

The Center for Digital Democracy and U.S. PIRG called on the FTC to rethink its decision to approve a marketing corporation merger. The groups told the FTC the $2.3 million merger of direct marketing company Alliance Data Systems and Conversant “raises serious privacy concerns” and the FTC’s approval of the transaction without appropriate safeguards “directly undermines its role as the country’s chief privacy regulator.” The merger amounts to “expanded commercial surveillance of the American people,” the groups said, calling for the FTC to launch a formal review of consolidations of companies that deal with big data. [The Hill] SEE ALSO: [Big Data, Underground Railroad: History says unfettered collection of data is a bad idea] and [Fox and Macaulay: IoT and Privacy Can Thrive Together] and [Forbes: Everything You Need To Know About The Internet Of Things] and [Top 10 Big Data Technologies of Present Times] and [How Can Healthcare Ensure Its Big Data is Smart Enough?] and [Big Data Survey: Trouble Brewing For IT] and [$$$ Cloud will make up 3/4 of all data center traffic in 3-4 years]


CA – RCMP Record Keeping Needs Work, Says Privacy Commissioner

Canada’s Royal Canadian Mounted Police (RCMP) cannot tell whether it complies with federal privacy law when gathering information about citizens without a warrant, according to the Canadian Privacy Commissioner’s annual privacy report. The Commissioner attempted to audit the RCMP’s collection of subscriber data from telecommunications service providers without warrants. It searched the organization’s records, but found that it couldn’t extract the relevant data. The RCMP said that it would establish a working group to better monitor and report on warrantless requests for subscriber information. It will report back to its Departmental Audit Committee in April 2015. The Commissioner’s report also highlighted a record high in voluntarily reported data breaches by government organizations. It received reports of 228 data breaches across the federal government, up from 109 in the prior year. Among the biggest offenders was Correctional Service Canada, which reported 22 incidents. The Canada Revenue Agency reported 33 incidents, while Citizenship and Immigration Canada revealed 54 privacy breaches. The leader, however, was Veterans Affairs Canada, which reported 60 privacy incidents. It was responsible for over a quarter of all federal agency breaches documented throughout the year. [SC Magazine] See also: [Geist: Ontario Provincial Police Recommend Ending Anonymity on the Internet] and [How Canada’s privacy deficit undermines our economy] and [Canada: More Disturbing Questions about Warrantless Data Disclosures]

CA – British Columbia: Committee to Review PIPA on Breach Notification

The Special Committee to Review the British Columbia’s Personal Information Protection Act (PIPA) (‘the Committee’) will issue a report to the Legislative Assembly, on 25 February 2015, on the results of its review. The Committee, which sought further input on the effectiveness of PIPA, held a public hearing in Victoria on 7 October 2014 and received submissions from stakeholders and the public. A number of the submissions suggested that PIPA should be amended to include a specific notification requirement for information security breaches. Currently, British Columbia’s PIPA does not contain such a provision. British Columbia’s Freedom of Information and Privacy Association recommended that mandatory breach notification be incorporated into PIPA. Also, British Columbia’s Information and Privacy Commissioner, Elizabeth Denham, advised the Committee that mandatory breach provisions would bring PIPA in line with other jurisdictions. [Data Guidance] See also: [November 1st – 10th Anniversary of PHIPA]


US – US Privacy Confidence at New Low, Survey Indicates

A new Pew Research report reveals that 91% of U.S. citizens believe that consumers have lost control of how their personal information is collected and used by corporations and 80% said there should be concerns about government surveillance. The report’s author, Mary Madden, said, “There is both widespread concern about government surveillance among the American public and a lack of confidence in the security of core communications channels.” She added, “At the same time, there’s an overwhelming sense that consumers have lost control over the way their personal information is collected and used by companies.” [BBC News] See also [PCWorld: U.S. Concerns About Online Privacy Present Opportunity, Experts Say]

US – Online Privacy Should Be Marketed More Like Snowboarding

Wickr and r00tz Asylum CEO and Cofounder Nico Sell says there are ways to make privacy products exciting for kids. “Don’t use the words privacy and security,” Sell explained. “When kids ask me, ‘What’s Wickr?’ I say it’s an app that spies use to send secret messages,” Sell said, adding kids then respond, “Wow! Can I use it?” Sell calls on her past career as a snowboarder as an example: “If we would have gone to kids and said, ‘Hey, snowboarding makes your legs strong and your heart healthy,’ it wouldn’t have worked” Instead, she says, the focus should be, “It’s rebellious; it’s what the cool kids do; it’s what parents don’t know how to do.” [Slate]


CA – Ottawa Finalizes Action Plan 2.0 on Open Government

New portal launched with calls for open government on non-sensitive data by default. The second chapter of the federal government’s open government strategy now has a confirmed action plan. Treasury Board said this week that the action plan — a document that civil servants have to follow over the next two years — for what it calls Open Government 2.0 has been issued following a consultation period. The plan includes a directive that federal employees treat open by default for the handling of non-sensitive information. There’s a commitment to develop a federated open data search service that provides what the government calls a “no wrong door approach”; an enhanced set of tools and resources to make it easier to search and compare government spending across federal departments; and a new government-wide consultation portal to promote opportunities for public participation. [IT World Canada] See also: [Ottawa announces second action plan on open data ] | [Treasury Board has 15 apps that prove its open data strategy is working

US – Voter Data Use Fails the Creepy Test

According to a KSN report, a group calling itself the Kansas State Voter Report has been sending out flyers to citizens that include their names, addresses and whether or not they voted in past elections. The disclosed data is public information, but it has voters up in arms. “I don’t think that’s anyone’s business,” one voter said. The local county elections commission said it did not know who the group was or who funded the group. Likewise, last week a similar instance was reported in New York. [Privacy Perspectives] [US – Voters Angry About Mailers]

US – Seattle Launches Sweeping, Ethics-Based Privacy Overhaul

The City of Seattle this week launched a citywide privacy initiative aimed at providing greater transparency into its data collection and use practices by convening a group of stakeholders. Called the Privacy Advisory Committee, the group comprises various government departments to look at the ways the city is using data collected from practices as common as utility bill payments and renewing pet licenses, or during the administration of emergency services like police and fire. By this summer, the committee will deliver to the City Council suggested principles and a privacy statement. Chief Technology Officer Michael Mattmiller is responsible for privacy in the progressive city and said city leadership agrees the city’s policy on privacy should be ethics-based: It will answer the question, “Who do we want to be as a city, and how do we want to operate?” [Source]

US – Federal Agencies Can Now Require Contractors to Get Privacy Training

Contractors with access to government records may have to start training their employees on how to appropriately process sensitive personal information. This week, a final rule was issued giving federal agencies-such as the Department of Defense, General Services Administration and NASA-the flexibility to either offer privacy training to contract employees or require the contractors to do the privacy training themselves. The Federal Acquisition Regulation now requires contractors to keep records of employees who have completed the training, which can be requested by federal agencies at any time. “Without proper proof of training, contracted employees will not be given access to federal records,” the report states. [The Hill]


WW – Google Releases Results of Email Hijacking Study

A new report from Google suggests that the perpetrators of manual account hijacking often approach this type of digital invasion as a job. “These are really professional people with a very specific playbook on how to scam victims,” says Elie Bursztein, the lead author of the report. While the volume of these attacks are low — nine incidents per million users per day, according to Google’s analysis — their toll can be devastating. The report, released on Google’s security blog, is the result of years of research by a team that works on account abuse. [Study] [Washington Post] See also: [Verizon tells customers not to give out passwords—and disregards its own advice] and also: [3rd Skillsoft email raises privacy concerns in N.B.]

Electronic Records

CA – Revenue Canada Adds Internal Fraud Detection

The online activities of civil servants at the Canada Revenue Agency are going to watched more closely after the government chose an Israeli software surveillance solution to ensure staff don’t improperly access income tax and other files, part of a policy of toughening up procedures after embarrassing revelations of staff violating privacy procedures. [Source]


US – EFF: ISP is Stripping STARTTLS Flags from eMail

According to the Electronic Frontier Foundation (EFF), a US Internet service provider (ISP) is removing encryption from the traffic between customers and email servers, stripping the communications of the expected level of privacy. There have been incidents in which the ISP intercepted email to remove STARTTLS flags, which signal requests for encryption while communicating with another server or client. If the flag is removed, the email is sent in clear text. Some firewalls use this technique to prevent spam from emanating from their servers, but when it affects legitimate email, the unencrypted messages become vulnerable to interception and eavesdropping. [Ars Technica] [The Register] [EFF.org]

US – The New York Times Challenges News Sites to Embrace HTTPS

Staff members from The New York Times are calling on news sites to encrypt their online traffic by deploying HTTPS. The paper’s software engineering architect and its chief technology officer, together with a cybersecurity and technology strategist, write, “If you run a news site, or any site at all, we’d like to issue a friendly challenge to you. Make a commitment to have your site fully on HTTPS by the end of 2015 and pledge your support with the hashtag #https2015.” In addition to being more secure, HTTPS protects the privacy of users by preventing their search and reading histories from being transmitted “for anyone to see.” [Source]

US – AIDS Websites that Leaked Location Data Now Encrypting User Traffic

Two federal websites that help individuals seek AIDS-related medical services have started encrypting user traffic after years of no protections. The lack of basic encryption could have potentially revealed the identities and location of those seeking such highly sensitive services. “We started requiring SSL (Secure Sockets Layer) for the (services) Locator because we understood that information should be encrypted to protect privacy,” said the director of AIDS.gov. The site, which is run by the Department of Health and Human Services, also added encryption to its related smartphone apps. Another site, run by the Centers for Disease Control and Prevention, has also upgraded its security controls. [The Washington Post]

WW – New Google Tool Detects Crypto Flaws

Google engineers have released an open-source tool to help developers detect bugs and other crypto flaws to prevent the leaking of sensitive information. Called “nogotofail,” a play on a flaw in Apple’s iOS and OSX devices, the tool “provides an easy way to confirm that the devices or applications you are using are safe against known TSL/SSL vulnerabilities and misconfigurations,” the engineers wrote in a blog post, adding, it works with “any device you use to connect to the Internet.” [Ars Technica]

WW – Privacy Tools: The Best Encrypted Messaging Programs

Working with Princeton’s Joseph Bonneau and the Electronic Frontier Foundation’s Peter Eckersley, Julia Angwin has compiled a review and analysis of the best available encrypted messaging services to date. However, Bonneau notes, “It’s important to realize we’re mostly grading for effort here and not execution.” [ProPublica] See also: [Critics bash the EFF Secure Messaging Scorecard]

EU Developments

EU – Council Proposes Amendment to EU Data Protection Regulation, Chapter IV

The Council of the European Union has proposed amendments to Chapter IV of the EU General Data Protection Regulation as it relates to compliance obligations of data controllers and data processors including – privacy impact assessments will only be required for processing activities likely to involve high risk to the rights and freedoms of individuals (such as discrimination, identity theft, fraud, or financial loss), only processing which would result in a high degree of risk would require that the data authority be consulting prior to the commencement of processing activities, and the appointment of a data protection officer is voluntary unless the national law of the relevant member state provides otherwise. [Source] See also: [The Proposed General Data Protection Regulation: Suggested Amendments to the Definition of Personal Data – Douwe Korff, Professor of International Law, EU Law Analysis] and [EU Regulation: A Tipping Point Has Been Reached] See also: [Nemitz: Google Meetings Are Passive-Aggressive Lobbying Efforts] According to leading lights of the EU data protection scene, the proposed EU General Data Protection Regulation will be finalized in 2015. As the new European Commission starts its five-year term, plans include working toward agreement on the EU’s new data protection rules, a European Parliament media release states. With a new EU Commission in place and operational, Hogan Lovells Partner Eduardo Ustaran discusses the three key players with “ultimate responsibility” for the commission’s place in the data protection reform process. French data protection authority the CNIL requires businesses operating in France to declare all personal data processing tools and communicate the decision to operate such tools to employee representatives.A report from the Information Technology and Innovation Foundation states the EU’s cookie notification policy costs billions of euros per year and offers few benefits, The Wall Street Journal reports.

EU – German Apps Struggle to Comply with Strict U.S. Patient Data Rules; Portuguese, French Start-Ups Focus on Privacy

The U.S.’s strict patient data rules are a struggle for some German healthcare apps to comply with despite Germany’s reputation as one of the strictest privacy jurisdictions. Meanwhile, a small start-up from Portugal tells the story of how difficult it is to launch a tech business that relies on people’s data given Europe’s ever-stricter rules on data privacy. It’s been working for two years to get a privacy seal from EuroPriSe GmbH, a pan-European certification company. And Computerworld reports on French start-ups taking a more privacy-centric approach to file-sharing offerings for consumers and organizations. [The Wall Street Journal] See also: [Are your file sharing tools leaking data?]

PO – New Law Would Up the Ante for DPOs, Ease Data Transfers

With a draft data protection law having passed its third reading in Poland’s lower house, there’s a good probability it will become law—meaning new responsibilities for organizations and, in particular, data protection officers (DPOs). In this Privacy Tracker blog post, Marcin Lewoszewski of CMS writes about provisions in the bill that would ease cross-border data transfer and require organizations to appoint a DPO with “appropriate knowledge in the field of personal data protection,” among other things. “However,” writes Lewoszewski, “there is no information in the new law about how a candidate’s ‘appropriate’ knowledge in the field of privacy should be verified or certified, or about who should do it.” Poland’s draft data protection law would mean new responsibilities for organizations and, in particular, data protection officers]

Facts & Stats

WW – IAPP Study: Benchmarking Privacy Investments of the Fortune 1000

How is the average Fortune 1000 privacy program organized? What is its annual budget? To whom does the privacy lead report, and what are the privacy team’s responsibilities? How much does the company spend on privacy per dollar of revenue or per employee? All of these questions and more are answered in the IAPP’s first annual study, Benchmarking Privacy Management and Investments of the Fortune 1000, which establishes the Privacy Industry Index, an estimate of the total spend of the Fortune 1000 on privacy, along with important data for understanding how privacy is done in major corporations throughout the U.S. [Full Story] See also: Center for Democracy & Technology CEO Nuala O’Connor is struck that every company is now a tech company and “those that respect privacy and have strong security practices in place are the ones that consumers are increasingly turning to for a variety of services.” Merck CPO Hilary Wandall similarly notes that “today’s businesses can’t run without data,” but the study’s results cause her to wonder: If “sales and profits are everyone’s responsibility, shouldn’t privacy be too?” Se ealso [IAPP: A New Home for Privacy Industry Research and Information]

QWW – Malware Masquerades as Trusted App; Carnegie Mellon Launches PrivacyGrade

A new and potentially invasive malware makes nearly 95% of iPhone and iPad devices vulnerable. A vulnerability in Apple’s iOS allows hackers to replace official apps, such as a Gmail or a banking app, with a malicious one, called the Masque Attack, which can access sensitive personal information. “Surprisingly, the malware can even access the original app’s local data, which wasn’t removed when the original app was replaced,” researchers said. “These data may contain cached emails, or even login-tokens, which the malware can use to log into the user’s account directly.” Meanwhile, researchers at Carnegie Mellon have created “PrivacyGrade,” a site that provides “privacy summaries that highlight the most unexpected behaviors of an app.” [The Hacker News]

EU – Report Suggests EU Cookie Policy Costs Billions, with Few Benefits

A new report from the Information Technology and Innovation Foundation states the EU’s cookie notification policy costs billions of euros per year and offers few benefits. “There are compliance costs for websites, and we don’t see much benefit,” said one of the report’s authors, Daniel Castro. “These banners don’t really educate users, and there has been no noticeable change in user behavior since cookie warnings were introduced, so the directive appears to be a waste of resources,” he added. [The Wall Street Journal]


US – FCC Chairman Tells Silicon Valley He’s Open to Obama Net Neutrality Plan

President Barack Obama went public with his support of an aggressive approach to protecting net neutrality. Shortly after that, Federal Communications Commission Chairman Tom Wheeler told a gathering of business representatives and public interest groups that he was taking the president’s comments under advisement and that he would need the groups’ support in the coming fight over net neutrality, according to multiple sources in the meeting. The sources said that Wheeler did not, as had been reported earlier, say that he had decided to go in a different direction from what the White House wanted.” [Huffington Post] See also: [Obama’s call for an open Internet puts him at odds with regulators] and [US: The split between Obama and the FCC on net neutrality, in plain English] The U.S. Federal Communications Commission has issued clarification on its 2006 Junk Fax Order confirming that fax ads must contain an opt-out provision, reports The National Law Review.


US – OCC: Law Should Hold Retailers Accountable for Breach Costs

“Congress must move forward with legislation that would put retailers, and not just banks, on the hook for at least some of the costs related to data breaches,” citing comments from Comptroller of the Currency Thomas Curry. While many recent headline-making breaches “occurred through retailer computer systems, it is banks who have been put in the position of replacing debit and credit cards, monitoring accounts and repaying customers,” the report states. Also last week at the IAPP Practical Privacy Series, regulators including Office of the Comptroller of the Currency National Bank Examiner Melissa Love-Greenfield offered insight into where they are focusing their efforts and what financial services companies can do to avoid their wrath. [Law360]


UK – Facebook’s Government User Data Requests Up 24%

Requests by governments for Facebook’s user data are up by nearly a quarter in the first half of this year compared with the previous six months. Global government requests were up by 24% to almost 35,000 in the first six months, the social media giant said. The amount of Facebook content restricted because of local laws also rose about 19% in the same period. News of the increase comes as Facebook fights its largest ever US court order to hand over data from 400 people. [BBC News]

CA – P.E.I. Govt Creates New Office to Handle Freedom of Information Requests

The P.E.I. government has created a new office to handle all Freedom of Information requests due to a big increase in the number of requests being made. A new Access and Privacy Services office has replaced individual co-ordinators within each of the 13 departments and executive government offices. Kathryn Dickson, manager of this new office, says the number of Freedom of Information and Protection of Privacy (FOIPP) requests coming into the province has doubled over the last five years. Previously, each government department had its own FOIPP coordinator, but these were made up of existing departmental staff with other duties and responsibilities. The province’s privacy commissioner has repeatedly raised concerns about backlogs in her office as a result of FOIPP requests denied. The new Access and Privacy Services office is located within the Department of Environment, Labour and Justice. [Charlottetown Guardian] See also: [B.C. Health Ministry ordered to release papers related to firings]


WW – Would You Put Your Genome in the Cloud?

Google Genomics may eventually possess millions of genomes on its servers, Sarah Zhang asks, “Are there legitimate privacy concerns here?” Genomic research works better with bigger sets of genomic data, and Google aims to centralize them into one database, a potential boon for researchers. “This is the infrastructure for personalized medicine,” she writes, noting that bigger databases create bigger privacy concerns, and “the privacy worries aren’t unique to Google Genomics … but the sheer scale of their envisioned database magnifies the potential problems.” If it succeeds, she writes, “it’ll be because it forces us to reckon with the privacy issues that lie behind genome sequencing.” [Gizmodo] See also: [UK – Major genome data project can deliver increasingly personalised drug treatments] and [Genomic Researchers Seeking Balance Between Ethics and Patient Privacy]

Health / Medical

US – FTC asking Apple About Health Data Protection

The U.S. Federal Trade Commission is seeking assurances from Apple Inc. that it will prevent sensitive health data collected by its upcoming smartwatch and other mobile devices from being used without owners’ consent,” two sources said. “The two people, both familiar with the FTC’s thinking, said Apple representatives have met on multiple occasions with agency officials in recent months to stress that it will not sell its users’ health data to third-party entities such as marketers or allow third-party developers to do so.” [Wall Street Journal] See also: [Privacy attorney: Med device cybersecurity guidance ‘is the future’ ] [Wearable Health Tech: New Privacy Risks]

US – Connecticut Court Court Allows HIPAA Negligence Claim

“Since the implementation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule in 2003, injured or wronged individuals (and their lawyers) have been looking for ways to bring claims against healthcare providers and others who engaged in activities that appeared to violate these rules,” writes Kirk Nahra of Wiley Rein. It appears that the Connecticut Supreme Court has just given them some hope. In Byrne v. Avery Center for Obstetrics and Gynecology, P.C., the court found that “HIPAA does not preempt the plaintiff’s state common-law causes of action for negligence …” However, Nahra writes, “Neither side should overreact to this decision. Plaintiffs now can move a claim forward but still have a long way to go to prove their case.” [GovInfoSecurity] [Privacy Tracker] See also: [Legal aid employee to pay $7,500 for intrusion upon seclusion] and also: [Insurer Includes Sensitive Data in Email Subject Lines] and [CA – Winnipeg patient alarmed to hear medical details broadcast in clinic] and [UK – ICO interest in digital health initiatives likely to grow]

US – Healthcare Privacy Policies Must Be Stronger, Says AMA

The American Medical Association (AMA), at its interim meeting, released policies calling for increased diligence in protecting patients’ health data, particularly at insurance companies. “The disclosure of potentially sensitive medical information on standard insurance forms has become more of a concern as the Affordable Care Act allows an increasing number of young adults to obtain health insurance as dependents of their parents, guardians, spouses or domestic partners,” AMA President Robert Wah said. “The AMA’s new policy promotes a multi-pronged approach to protect the privacy interests of patients and preserve the financial interests of policyholders.” [HealthITSecurity] See also: [ONC CPO: We Need To Explain HIPAA Better] See also: [US – HHS Issues Ebola Privacy Guidance | US – Office for Civil Rights (OCR) Issues Ebola Guidance on HIPAA Privacy ]

WW – Insurer Publishes Guide on Avoiding Breaches

TechInsurance, an insurance provider for small technology businesses, has published The Small-Business Owner’s Guide to Identity Theft Prevention and Data Security, a free e-book that offers small businesses data security tips. The guide offers tips on how to strengthen security to prevent data breaches; tips on what to do when a data breach occurs; simple steps to boost security, and checklists aimed at preventing, responding to and recovering from breaches. The guide also includes a recent study finding 29 percent of businesses “incorrectly believe their cyber exposures are covered under an existing insurance policy.” [Security IT]

Horror Stories

WW – Home Depot: 53 Million E-Mails Stolen

Home Depot on Nov. 6 offered an update to the findings of its data breach investigation, saying that, in addition to 56 million cards being compromised, approximately 53 million e-mail addresses were also taken. The latest news follows weeks of investigation involving law enforcement and third-party IT security experts, Home Depot says. In order to evade detection, the criminals involved in the cyber-attack against Home Depot used custom-built malware, which has not been used in other attacks. The malware, which was present on Home Depot’s payment systems between April and September, has since been eliminated from its U.S. and Canadian networks, the retailer says. [Source]

US – NOAA Breach

The US National Oceanic and Atmospheric Administration (NOAA) suffered a security breach in September. To prevent further infiltration, the government shut down some services. When satellite data suddenly became unavailable in October, NOAA attributed it to “unscheduled maintenance.” Officials say that NOAA did not notify the necessary authorities when it learned of the attack. [Washington Post] [eWeek] [ZDNet] [The Register] [CNN] [SC Magazine] [ComputerWorld] [ITNews]

US – USPS Breach Affects Employee Data

A breach of US Postal Service (USPS) information systems compromised personally identifiable information of more than 600,000 employees, including employees of the US Postal Regulatory Commission. The breach was detected in September. Customers who contacted the USPS customer care center by phone or email between January and August 2014 may be affected as well. The FBI is investigating. [ComputerWorld] [NextGov] [ArsTechnica]

EU – HSBC Turkey Confirms Card Breach

HSBC Turkey confirms that a recent cyber-attack exposed payment card information for 2.7 million customers. Information compromised in the breach includes debit and credit cardholder names, account numbers and expiration dates. The bank says that, so far, it has not seen any evidence of fraud or other suspicious activity arising from the incident. HSBC Turkey detected the attack in the past week through its internal security controls, according to an FAQ. The attack was limited to Turkey, and all card operations have been restored to normal functioning, the bank says. No other details about the nature of the incident were revealed. An investigation is under way in collaboration with the Banking Regulation and Supervision Agency of Turkey and other relevant authorities, HSBC Turkey says. Turkey’s Public Prosecutor’s Office has also been notified about the incident. [Bank Information Security]

WW – Scammers Victimize 10,000 Booking.com Customers

As many as 10,000 users of hotel booking site Booking.com have been the victims of a scam using a list of email addresses that were allegedly obtained fraudulently. According to the BBC’s “Money Box,” the criminals accessed Booking.com reservations to gather contact details of customers for the purpose of phishing. Booking.com insists it was not breached but that the scammers contacted individual hotels to gather the data. The incident has affected customers in the UK, U.S. France, Italy, Portugal and the United Arab Emirates. [International Business Times]

US – What CIOs Can Learn From the Biggest Data Breaches

Several lessons may be gleaned from some of this year’s largest data breaches, including Adobe, eBay, JP Morgan Chase, Target and Home Depot. Among the lessons, Hexis Cyber Solutions VP of Corporate Development Todd Weller said that in addition to encrypting its data, eBay should have educated its employees about various phishing scams that could lead to hacker infiltration. Other lessons include investing in intrusion detection and identifying vulnerabilities. [CIO] [Tracking Data Breaches]

US – Lawmaker Seeks Info on Cyber-Attacks; More Orgs Breached

U.S. Rep. Elijah Cummings (D-MD) has sent letters to the chief executives of five companies—including Home Depot, Target and Kmart—seeking more information on the cyber-attacks each suffered. The ranking Democrat on the House Oversight and Government Reform Committee, Cummings said, “The increased frequency and sophistication of cyber-attacks on both public and private entities highlights the need for greater collaboration to improve data security.” Chinese hackers have infiltrated computer systems overseen by the U.S. National Oceanic and Atmospheric Agency and the Turkish unit of HSBC was breached, resulting in the theft of 2.7 million customers’ bank data. Back in the U.S., banking trade groups are calling on Congress to implement cybersecurity regulations for retailers. [Reuters] see also: [British Columbia’s provincial government is notifying 15,000 individuals after a privacy breach in its Wildfire Management Branch] [AU – Immigration Department breached privacy of 9,250 asylum seekers by publishing their details online] and [Dentist’s patient information found scattered on Toronto street]

Identity Issues

UK – Gov UK Quietly Disrupts the Problem of Online Identity Login

A new “verified identity” scheme for gov.uk is making it simpler to apply for a new driving licence, passport or to file a tax return online, allowing users to register securely using one log in that connects and securely stores their personal data. After nearly a year of closed testing with a few thousand Britons, the “Gov.UK Verify” scheme quietly opened to general users on 14 October, expanding across more services. It could have as many as half a million users with a year. The team behind the system claim this is a world first. Those countries that have developed advanced government services online, such as Estonia, rely on state identity cards – which the UK has rejected. “This is a federated model of identity, not a centralised one,” said Janet Hughes, head of policy and engagement at the Government Digital Service’s identity assurance program, which developed and tested the system. The Verify system has taken three years to develop, and involves checking a user’s identity against details from a range of sources, including credit reference agencies, utility bills, driving licences and mobile provider bills. But it does not retain those pieces of information, and the credit checking companies do not know what service is being used. Only a mobile or landline number is kept in order to send verification codes for subsequent logins. When people subsequently log in, they would have to provide a user ID and password, and verify their identity by entering a code sent to related stored phone number. The US, Canada and New Zealand have also expressed interest in following up the UK’s lead in the system, which requires separate pieces of verified information about themselves from different sources. The level of confidence in an individual’s identity is split into four levels. The lowest is for the creation of simple accounts to receive reports or updates: “we don’t need to know who it is, only that it’s the same person returning.” The service has been built in consultation with privacy pressure groups including No2ID, Big Brother Watch, the University of Oxford’s Internet Institute, the Consumers Association, and the privacy regulator, the Information Commissioner’s Office. … Privacy groups have worked with the government to create a list of principles for interacting with the Verify system. [The Guardian]

US – Android User Takes Privacy Battle With Cartoon Network to Appellate Court

Android user Mark Ellis has appealed the dismissal of his privacy lawsuit against Cartoon Network for allegedly violating the Video Privacy Protection Act (VPPA). Ellis filed the appeal with the 11th Circuit Court of Appeals, claiming Cartoon Network’s app transmitted his Android ID together with his video viewing history to a third party. U.S. District Court Judge Thomas Thrash dismissed the lawsuit last month saying that “an Android ID does not identify a specific person.” [MediaPost] [Would you like to put an Ontario card in your wallet? Bureaucrats are in charge, not governments]

Internet / WWW

WW – Germany, Brazil Urge U.N. to Strengthen Digital Spying Resolution

Both Germany and Brazil are urging the United Nations (UN) to strengthen a digital spying resolution to include metadata. The draft notes that arbitrary surveillance, communications interception and the collection of metadata are “highly intrusive acts” and “violate the right to privacy and can interfere with the freedom of expression and may contradict the tenets of a democratic society, especially when undertaken on a mass scale.” The draft also calls on the UN Human Rights Council to appoint a special rapporteur for privacy rights standards clarification. Germany’s UN ambassador said, “As the universal guardian of human rights, the United Nations must play a key role in defending the right to privacy, as well as freedom of opinions and expression in our digital world.” [Reuters] Telecompaper reports the German interior ministry has introduced a revised version of its bill on improving IT security that includes a new data retention clause.

US – NIST – US Government Cloud Computing Technology Roadmap, Volume II, – Useful Information for Cloud Adopters: Special Publication 500-293

Security challenges unique to cloud computing include that broad network access has the potential to introduce new cyber threats and the lack of visibility and control over the IT assets often runs counter to the existing security policies and practices that assume complete organizational ownership and physical security boundaries; recommendation include – process-oriented requirements (such as clarity of security roles and responsibilities, detailing privacy requirements in contracts and service-level agreements) and technical requirements (such as encrypting data at rest and in transit, applying application partitioning, logical separation and physical separation, and controlling VM and Virtual Networks). [Source] See also: [FFIEC Regulators: Banks Need to Share Cyber-Threat Info] [DOD’s Vision for a Commercial Cloud Ecosystem]

WW – CSA Releases Security Guidance for Critical Areas of Cloud Computing

Best practices regarding information management and data security in the cloud include understanding the cloud storage architecture in use and using the data lifecycle to identify security exposures and determine controls, monitoring key internal databases and file repositories with database activity monitoring and file activity monitoring to identify large data migrations, encrypting all sensitive data (paying particular attention to key management), and ensuring removal of data from a cloud vendor is covered in the service level agreement (e.g. deletion of user accounts, migration/deletion of data from primary/redundant storage, and transfer of keys). [Source]

WW – Apple Users Raise Privacy Concerns After Hard-Drive Files Uploaded to Servers

Security researcher Jeffrey Paul’s discovery that several of his personal files found their way to the cloud after he upgraded the operating system on his MacBook Pro. He thought the files only lived on his encrypted hard drive. Cryptography experts Bruce Schneier and Matthew Green had similar experiences. All three have publicly written about their dismay over the finding. [The Guardian] UPDATE: [Clarification of iCloud Autosave Issue Earlier this week we ran a story about documents being saved to iCloud without notifying users. The headline suggested that the issue affected all documents, when in fact, the feature is on by default for iWork apps, Preview, and TextEdit. It does not affect Word. Apple describes the autosave default in an August 2014 support document

Law Enforcement

CA – RCMP Reveals Details of Plan for 700-Km Surveillance Fence Along Canada-U.S. Border

A massive intelligence-gathering network of RCMP video cameras, radar, ground sensors, thermal radiation detectors and more will be erected along the U.S.-Canada border in Ontario and Quebec by 2018, the Mounties said this week. The $92-million surveillance web, formally known as the Border Integrity Technology Enhancement Project, will be concentrated in more than 100 “high-risk” cross-border crime zones spanning 700 kilometres of eastern Canada, said Assistant Commissioner Joe Oliver, the RCMP’s head of technical operations. [Source]

CA – Alberta Privacy Commissioner to Investigate Police Use of Body Worn Cameras and Facial Recognition Software

Alberta’s Privacy Commissioner Jill Clayton has ordered an investigation into some potentially scary tools being employed by the local police department — tools with the capability of seriously infringing on a citizen’s right to privacy if not used correctly. On Wednesday, just two days after Calgary cops announced they would become the first police service in Canada to adopt facial recognition software capable of matching any photograph or video image to their databank of 300,000 mugshots, Clayton stepped in. “Information and Privacy Commissioner Jill Clayton has initiated an investigation of the Calgary Police Service’s use of body-worn cameras and facial recognition software,” read the stern-sounding release.[Source] Alberta Privacy Commissioner Jill Clayton has launched an investigation into BWCS after being dissatisfied with the lack of evidence of a privacy assessment by a local police service. It is too early to tell whether that investigation will have any meaningful effect on the implementation of BWCS in Canada. [Privacy Advisor] [Calgary police service looks to put a face to crime, adds facial recognition software NeoFace to its investigative arsenal] AND ALSO: [Influx of records requests may force police to drop body cams]

US – Private License Plate Data Raises Privacy Flags

Privately owned license-plate imaging systems are popping up around Rochester and upstate New York — in parking lots, shopping malls and, soon, on at least a few parts of the New York state Thruway. Most surprisingly, the digital cameras are mounted on cars and trucks driven by a small army of repo men. Shadowing a practice of U.S. law enforcement that some find objectionable, records collected by the repo companies are added to an ever-growing database of license-plate records that is made available to government and commercial buyers. At present that database has 2.3 billion permanent records. On average, the whereabouts of every vehicle in the United States appears in that database nine times. Todd Hodnett, founder of the company that aggregates and sells that data, defends the activity as lawful and harmless. “We’re just photographing things that are publicly visible,” he said. Many private-sector camera operators, like parking companies, say they do not know the names and addresses behind the plates they scan. Others, like universities, say they discard the records almost immediately. But that doesn’t satisfy critics. No matter how benign the intentions of camera system operators, they say, their data may prove irresistible to government or private parties bent on snooping. Only five states have adopted laws regulating or banning private use of license-plate readers, also known as LPRs, with legislative bodies in as many more states having considered such measures. Lee Tien of EFF, a leading digital privacy group, said advocates have been trying without success to get a clear picture of who is getting access to DRN’s data. But they know state and federal regulations leave room for a wide range of clients. “As a general matter, the limit is what they’re currently willing and able to do to monetize the data,” he said. [Democrat & Chronicle]


US – Carmakers Unite Around Privacy Protections

19 automakers accounting for most of the passenger cars and trucks sold in the U.S. have signed onto a set of principles they say will protect motorists’ privacy in an era when computerized cars pass along more information about their drivers than many motorists realize. The principles were delivered in a letter to the FTC, which has the authority to force corporations to live up to their promises to consumers. Industry officials say they want to assure their customers that the information that their cars stream back to automakers or that is downloaded from the vehicle’s computers won’t be handed over to authorities without a court order, sold to insurance companies or used to bombard them with ads for pizza parlors, gas stations or other businesses they drive past, without their permission. The principles also commit automakers to “implement reasonable measures” to protect personal information from unauthorized access. The automakers’ principles leave open the possibility of deals with advertisers who want to target motorists based on their location and other personal data, but only if customers agree ahead of time that they want to receive such information, industry officials said in a briefing with reporters. Industry officials say they oppose federal legislation to require privacy protections, saying that would be too “prescriptive.” But Marc Rotenberg, executive director of the Electronic Privacy Information Center, said legislation is needed to ensure automakers don’t back off the principles when they become inconvenient. [ABC News] [Hogan Lovells] [Auto Alliance Press Release]

Online Privacy

WW – Facebook Rewrites Its Privacy Policy So that Humans Can Understand It

Facebook has announced that it has expanded its data use policy and has also made an effort to rewrite the language in a way normal people can understand. To do that, Facebook has taken some information on how the site itself works – and how users can set their privacy on Facebook – and created a new “Privacy Basics” page that walks users through its most-used privacy features. That includes step-by-step instructions on how to control who sees posts you create or items you “like.” The data use policy will now be displayed on an interactive, colorful site aimed at making it easy to navigate. But there are some changes to the language, as well — again aimed at making it easier to understand, getting rid of some of the confusing legalese. Unchanged was how the company uses data for research. The current guidelines, which give Facebook the broad right to conduct “research,” remain effective. As per Facebook’s usual way of operating, the changes are only a proposal for now. Users will have seven days to comment on the policy changes, which Facebook will then review before making the policy final. Once Facebook’s announces its final changes, the policy will take effect in 30 days. Facebook is also rolling out a tool that lets users give Facebook more information about ads they do — or don’t — want to see on the site in Europe. This option had previously only been available in the United States. Egan said that Facebook users will also be able to apply their ad preferences, such as requests to opt out of seeing personalized ads, across mobile and desktop devices — something that they can’t do now. [The Washington Post] See also [The Canadian government wants to pay more people to creep your Facebook] and also: [A new poll conducted for CNBC.com found 45% of those surveyed are most concerned about Facebook regarding personal data collection. And [ZDNet: Users can’t tell Facebook from a scam] A NY District Court ruling “says that by merely agreeing to AOL’s terms of service,” users have waived their Fourth Amendment rights.

US – Facebook Campaign Aims to Assure Advertisers Their Data Is Safe

In an effort to assure brands that their data is safe when they share their consumers’ information to buy ads on Facebook, the social networking giant has been meeting with marketers in recent weeks to make them comfortable with the platform. Facebook’s new ad server, Atlas, and ad product, Custom Audiences, lets brands use their email lists and other customer information to target marketing, the report states. Brands have been nervous about sharing data with anyone in a time when hacks and breaches involving stolen email lists can be devastating to brand reputation. Some say Facebook’s recent interest in talking about good stewardship of sensitive information is a sign of its “maturing advertising business.” [Adweek]

EU – CJEU Case on ‘Screen-Scraping’ Has Potential to Affect Business Models

Some price comparison websites and other online businesses could be forced to alter their business models if the EU’s highest court takes steps to prevent unauthorised ‘screen-scraping’ of data, an expert has said. This week, the Court of Justice of the EU (CJEU) is due to hear arguments from Ryanair and a Dutch price comparison business about the extent to which rules contained in the EU’s Database Directive apply to data that is not protected by copyright or a ‘sui generis’ database right. The CJEU’s judgment on the matter, which is unlikely to be issued for many months, will determine the extent to which businesses can apply contractual restrictions, in the absence of having copyright or database rights protection for their data, to prevent others from using that data. Screen scraping involves the use of software to automatically collect information from websites and systems. [The application to the CJEU] [Out-Law]

WW – Snapchat Starts Actively Warning Users That Third-Party Apps Aren’t Safe

Following the exposure of users’ private “snaps,” ephemeral messaging app Snapchat is warning users to not use third-party apps with its service. Snapchat said companies that claim to offer Snapchat services violate its terms of service and are untrustworthy. “We’ve enjoyed some of the ways that developers have tried to make Snapchat better,” the company wrote. “Unfortunately, some developers build services that trick Snapchatters and compromise their accounts.” Meanwhile, Reuters reports that consumers who are concerned about over-sharing are turning to private messaging services like Snapchat. [PCWorld]

AU – Samaritans Radar Depression App Raises Twitter Privacy Concerns

A newly launched app by a UK suicide prevention charity is raising massive privacy concerns by monitoring Twitter accounts without user consent. The new web app — called Samaritans Radar – works by proxy. When a user downloads and signs up to Samaritans Radar, the app then has access to the Twitter accounts followed by that user. It will monitor those accounts, looking for key phrases in public Tweets. These include the terms such as “depressed”, “help me” (probably not parsing for Star Wars fandom), “tired of being alone”, “hate myself” and “need someone to talk to”. When it finds one of these phrases, it will alert the user via email, offering support on how to reach out to the depressed party; if the user is reported as suicidal, the report will be verified by Twitter Trust & Safety, and both the Radar user and the reported account will be contacted by Samaritans. So far, the app has had over 3,000 users sign up, with more than 1.6 million accounts being monitored — and, according to The Register, a mere 4 percent of the Tweets flagged by the app have been validated as genuine. Meanwhile, a Change.org petition addresses Twitter, noting that it has no faith in Samaritans to address user concerns, and requesting that the social network deny the app access to user data, effectively shutting it down. [Source] See also: [The Truth About Teenagers, The Internet, And Privacy] See also: [Somebody’s Already Using Verizon’s ID to Track Users]

WW – 81% of Tor Users Can Be De-Anonymised by Analysing Router Information, Research Indicates

Research undertaken between 2008 and 2014 suggests that more than 81% of Tor clients can be ‘de-anonymised’ – their originating IP addresses revealed – by exploiting the ‘Netflow’ technology that Cisco has built into its router protocols, and similar traffic analysis software running by default in the hardware of other manufacturers. [The Stack]

WW –73,000 Unsecured Webcams Available for View

A website offers video feeds and links to more than 73,000 unsecured webcams from around the globe. “Eerily, the site is very user-friendly. You can search by country … by manufacturer … or, like an iTunes playlist, you can hit shuffle and view a random camera feed. Plus, many of the connected cameras include location coordinates and a handy Google Map pinpoint.” Highlighting several recent examples in the news of bad actors out there “trying to hack their way into our lives,” Bracy writes, “The last thing we need is for poor design practices and wanting consumer education to make it easier for those adversaries.” [NetworkWorld] see also: [NY Woman Suing Landlords for Secretly Installing Cameras]

Other Jurisdictions

AU – Australian Law Reform Commission Issues Final Report on Serious Invasions of Privacy in the Digital Era

The final report regarding serious invasions of privacy recommend the following – a new tort of serious invasion of privacy in a new federal law (either by intrusion upon seclusion or misuse of private information, only actionable by a natural person who has a reasonable expectation of privacy, and not requiring proof of actual damage); a general statute of limitations (1-3 years) would apply. The Act should provide for specified defences (e.g. consent, absolute privilege), and exemptions (minors); a court may consider countervailing public interest matters (e.g. freedom of expression, national security), and award damages (but not aggravated damages). The Privacy Commissioner’s powers should be extended to make declarations about serious invasions of privacy complaints, and (with court leave) to assist a court as amicus curiae and intervene in court proceedings. [Summary Report] [Final Report] The Australian Communications and Media Authority and the Office of the Privacy Commissioner have signed a memorandum of understanding formalizing their streamlined approach to telecommunications, spam and telemarketing matters. See also: The Australian state of Victoria has made unsolicited “sexting, sharing unwanted ‘intimate images’ and even threatening to distribute such images” illegal under new laws designed to protect digital privacy. AND [NZ – Beneficiary awarded more than $20,000 in case of over collection of information] Hogan Lovells’ Chronicle of Data Protection offers an update on South Africa’s data protection regime. And also [Data Privacy Regulation Comes of Age in Asia]

Privacy (US)

US – FTC Refutes Wyndham’s Challenge; Unreasonable Security Is “Unfair”

Generating a flurry of conversation among privacy professionals worldwide, the U.S. Federal Trade Commission (FTC) last week filed its response to Wyndham Worldwide Corporation’s interlocutory appeal in the Third Circuit. It’s the most recent activity in a case that began in 2012, when the FTC issued a complaint against Wyndham alleging data security failures that enabled three data breaches between 2008 and 2009. The FTC’s response outlines and affirmatively answers the three questions presented in Wyndham’s appeal, including whether unreasonable failure to protect the security of consumer data constitutes an unfair act or practice. [Privacy Advisor] [What’s Reasonable Security? A Moving Target]

US – FTC v. Pairsys, Inc. – Stipulated Preliminary Injunction – U.S. District Court for the Northern District of New York

The Court granted a preliminary injunction against a company that mislead consumers by claiming to remove spyware and viruses from the consumer’s computers (the company exploited consumers’ concerns about malware infection and claimed to represent legitimate computer software companies). The company is restrained and enjoined from making false or misleading statements to induce any person to pay for goods or services in violation of the Telemarketing Sales Rule, or initiating an outbound telephone call to a telephone number within a given area code, without first paying the required annual fee for access to the National Do Not Call Registry. [Complaint] [Preliminary Injunction]

US – FTC Says Debt Broker Disclosed Too Much

The FTC has sued a debt broker for posting debt portfolios containing sensitive personal information of approximately 28,000 consumers online without adequate protections. Bayview Solutions buys and sells portfolios of consumer debt for debt collectors. The FTC complaint alleges “one particular website used by defendants is a public website that is readily accessible to anyone with Internet access,” and, “There are not passwords or other security methods” to restrict access. The unencrypted data included names, dates of birth, contact information and bank account and driver’s license numbers. Plus, the consumers affected “would be unlikely to know that defendants possess, and are openly disclosing, their information,” the complaint states. [Courthouse News Service] [FTC sends dozens of warning letters to companies over advertising disclosures]

US – Carrier IQ Agrees “in Principle” to Settle Suit

“Carrier IQ has agreed in principle to resolve a class-action lawsuit alleging that its software for mobile devices violated consumers’ privacy.” The settlement would resolve allegations the software was capable of logging users’ keystrokes, the report states. The allegations came as the result of a researcher’s video report, and consumers subsequently filed class-action lawsuits against Carrier IQ and six device manufacturers, including HTC, Samsung and LG Electronics. The device manufacturers have not yet agreed to settle the lawsuit. [MediaPost]

US – TRUSTe’s DPM Platform Beta Commences at Capacity

TRUSTe has announced that the beta program for its Data Privacy Management (DPM) Platform, a privacy compliance solution where businesses can manage privacy initiatives from a single dashboard, has commenced at capacity. “Privacy professionals have struggled to keep pace with the evolving privacy and regulatory landscape and are looking for solutions to reduce these risks and protect their brands,” TRUSTe’s Chris Babel explained, noting the platform “provides an easy way to manage these complex privacy initiatives across multiple business units from a single interface.” [The Privacy Advisor]

US – Making the Case for Data-Driven Education; Student Sues School for Privacy Violations

An in-depth report explores the rise of data-driven education and its effect on students and policy-makers. U.S Department of Education Chief Privacy Officer Kathleen Styles said she receives 12,000 calls and 2,000 emails a year from schools looking for assistance with the Family Education Rights and Privacy Act and approximately 300 to 400 complaints from parents concerned the law has been broken. She added that states, on the whole, do a “solid job” protecting student data. Additionally, the Family Online Safety Institute has released the report, Parenting in the Digital Age: How Parents Weigh the Potential Benefits and Harms of Their Children’s Technology Use. Meanwhile, a University of Montana (UM) student is suing the school on behalf of the student body, claiming UM illegally shared students’ personal information with a Connecticut-based vendor. [Government Technology] See also: [US – FOSI Calls for “Redefining Internet Safety”]

US – White House Names Next US Chief Technology Officer

The White House announced that it has named its next Chief Technology Officer, Megan Smith, a Google executive with decades of experience in Silicon Valley. The Obama administration named as deputy U.S. CTO, Alexander Macgillivray, a former Twitter lawyer known as a staunch defender of the free flow of information online. The New York Times and NPR feature interviews with new U.S. Chief Technology Officer (CTO) Megan Smith. “I actually think that working in the federal government, or state or local, is one of the most significant things that a technical person can do,” Smith tells The New York Times. But there are challenges. “Smith will have to call on all her powers to turn government agencies into more tech startup-type cultures.” “One agency still saves data on floppy disks.” Looking to the future, Smith’s focus is on people. “We want to create an environment where, in addition to amazing policy groups … tech teams feel comfortable, included and are in leadership positions here,” she said. [Washington Post] [New York Times: From Silicon Valley To White House, New U.S. Tech Chief Makes Change]

US – Ramirez: Businesses Need To Get Better at Notice

Federal Trade Commission Chairwoman Edith Ramirez said that online service providers must get better at disclosing their information collection and processing practices. “It’s crucial to provide some form of notice, like in the initial setup of a device or app, about what information is collected, how it’s used and with whom it’s shared,” she said. [Computerworld]

US – FISMA Reforms Stalled

Changes to the 2002 Federal Information Security Management Act (FISMA) may not be as easily brought about as legislators would like. The compliance requirements of the original plan were correctly criticized for generating vast quantities of paper reports (and vast fees for consultants) while providing little true assurance of security. The changes would require a move toward continuous monitoring. While including the FISMA changes in the 2015 National Defense Authorization Act is one a possibility, sources say that its inclusion is unlikely, particularly because “there are provisions in FISMA that are raising concerns.” [NextGov]

US – Justice Department Seeks to Expand Judges’ Search Warrant Purview

The US Department of Justice (DOJ) has petitioned the Advisory Committee on Criminal Rules to expand magistrate judges’ reach in granting search warrants. Rule 41 of the Federal Rules of Criminal Procedure allows judges to issue search warrants within their judicial district. DOJ wants to broaden the judges’ purviews to allow them to issue warrants for electronic surveillance regardless of the device’s location. Opponents say that the change DOJ is asking for would threaten the Fourth Amendment’s limitations on search and seizure, and that it could allow for unprecedented access to foreign networks. [NextGov] [RT.COM]

US – Dating Site Faces $16.5 Million Penalty in Privacy Case

A jury in California rendered a verdict late last month of $16.5 million for the plaintiff in a case involving a dating website for individuals with sexually transmitted diseases (STDs). The website PositiveSingles was found guilty of sharing photos and other sensitive information of its users with other dating websites even though it claimed to be a “confidential” service. According to a press release , the service promised it would not share data with third parties, but “it turned out that PositiveSingles was simply one of over a thousand different websites, funneling member profiles and personal information into a single database that in fact shared that information with third parties.” The verdict was rendered under the California Legal Remedies Act, the report states, with $1.5 million stemming from compensatory damages and $15 million in punitive damages. A related case is still active. [BBC News]

Privacy Enhancing Technologies (PETs)

WW – Mozilla Unveils Polaris Privacy Initiative with CDT, Tor

Mozilla has announced a new strategic initiative called Polaris to help privacy leaders in the industry “collaborate more effectively, more explicitly and more directly to bring more privacy features into our products.” The project aims to give users better privacy technology and more control, awareness and protection, a Mozilla blog post states. Mozilla is joined by the Center of Democracy & Technology and the Tor Project, which “will support and advise Polaris projects and help us align them with policy goals.” Mozilla has also introduced a new “forget” button and added private search engine DuckDuckGo. [Mozilla]

WW – Changes in Firefox 33.1 Focus on Privacy

Mozilla has released version 33.1 of its Firefox browser. While incremental updates usually go unannounced, this update is notable for the Forget Button, which allows users to delete recent history and cookies for the last five minutes, two hours, or 24 hours, with a simple click. The button is new, but the capability is not – until version 33.1, it has been buried in the Firefox menu. Firefox also has a Private Mode that has been available since version 3.1, released in 2008. [eWeek]

WW – Tor Reacts to Silk Road Operation Onymous; NSF Awards Privacy Grant

The international sweep that took down some parts of the online drug and criminal underworld continues to elicit reaction. The Tor blog offers a detailed account of what the developers know and don’t know about what is known as Operation Onymous. In trying to understand how the anonymous network was so thoroughly infiltrated by law enforcement, the blog states that when the time comes to prosecute those arrested, “the police would have to explain to the judge how the suspects came to be suspects, and that as a side benefit of the operation of justice, Tor could learn if there are security flaws in hidden services or other critical Internet-facing services.” Meanwhile, the U.S. National Science Foundation has awarded a University of Texas at Arlington computer scientist with a $250,000 grant to improve online privacy and protections against adversaries. [Source]

WW – New Apps Meet Need for More Privacy After Oversharing

Consumers concerned about oversharing on public social networks are turning to private messaging apps to share texts, photos and videos with a limited group of people. Downloads of private social messaging apps increased 200% in 2013 over 2012, making them the fastest-growing category of apps, according to San Francisco-based mobile analytics firm Flurry. The apps provide more private connections and allow users to express themselves without worrying about how they are perceived by their entire networks. [Source]


US – NIST Releases Cyber-Threat Sharing Draft Guidance

The National Institute of Standards and Technology (NIST) has released draft guidelines to help organizations share information with one another about cyber-attacks. “Organizations can gain valuable insights about their adversaries,” said Christopher Johnson, one of the authors of the guidelines. “They can learn the types of systems and information being targeted, the techniques used to gain access and indicators of compromise.” The window for comment on the guidelines is open until November 28. [FierceHealthIT]

EU – ENISA Publishes Technical Guidelines on Incident Reporting version 2.1

Electronic communications network and service providers are required to report significant incidents to their National Regulatory Authority (“NRA”); however, member states are taking different approaches (such as setting thresholds for national reporting relatively high, keeping track of major security incidents and intervene whenever network and service provides fail to improve on security issues, or monitoring security networks and service to improve security). When reporting to ENISA, NRA’s should assess whether or not an incident is relevant for NRA’s in other countries and include an incident report which includes – service and number of users affected, duration, root cause and a description of the response action and lessons learned. [Source] See also: [Practical Information Security Management and Data Breach Response – Kelly Friedman, Partner, Davis LLP]

WW – DarkNet Domains Seized, Black Market Websites Shuttered

In an international effort, law enforcement officials seized and shut down hundreds of dark net domains associated with black market websites. Seventeen people have also been arrested. Among the seized domains are 414 .onion domains, addresses used by the Tor anonymity software. Last week, news of the arrest of alleged Silk Road 2.0 operator Blake Benthall made headlines, but that arrest was just part of Operation Onymous, the larger effort to dismantle online black markets. [WIRED] Update: [Europol have corrected the statement regarding over 400 domains being seized. The figure is closer to 27, the 400 number refers to URL links pointing back to the domains]

HK – Hong Kong Monetary Authority Guidance on Customer Data Protection

Controls for preventing and detecting customer data loss or leakage should include the following – develop formal security policies and procedures (covering system controls, physical security, mobile computing, and outside service providers), implement logical access controls (the rights to access customer data and transmit customer data to external parties should be granted on a need-to-have basis only), implement controls over data transmission (prohibit unauthorized transmission of consumer data from internal systems to outside networks/systems via Internet services that could store data – e.g., using peer-to-peer file sharing software), and conduct periodic audits over customer data protection. [Source]

WW – The Staggering Complexity of Application Security

During the past few decades of high-speed coding we have automated our businesses so fast that we are now incapable of securing what we have built. [Dark Reading] See also: [Stanford: Guidelines for Securing Mobile Computing Devices] [Mobile Security Guide – Everything You Need to Know] [Mobile Phone Security Tips] [Ultimate Library of ICS Cyber Security Resources] [Data Security Confidence Index] [E&Y: Global Information Security Survey 2014]

Smart Devices

WW – Smart TV, Dumb Policy

A 46-page privacy policy which is now included in all newly purchased Samsung Smart TVs states that voice recognition technology “may capture voice commands and associated texts” in order to “improve the features” of the system. The policy, a summary of which is also posted online, ominously advises users to, “Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.” Writing about the privacy policy for Salon.com, Michael Price, counsel in the Liberty and National Security Program at the Brennan Center for Justice at NYU School of Law, said he was now “terrified” of his new TV, noting that voice recognition is just one feature that could be used to spy on users. The television also logs website visits, has a built-in camera for facial recognition and uses tracking cookies to detect “when you have viewed particular content or a particular email message.” “I do not doubt that this data is important to providing customized content and convenience, but it is also incredibly personal, constitutionally protected information that should not be for sale to advertisers and should require a warrant for law enforcement to access,” writes Price, adding that current privacy laws offer little protection against “third party” data. [Source]


US – Americans’ Cellphones Targeted in Secret U.S. Spy Program

The Justice Department is scooping up data from thousands of cellphones through fake communications towers deployed on airplanes, a high-tech hunt for criminal suspects that is snagging a large number of innocent Americans, according to people familiar with the operations.” “The U.S. Marshals Service program, which became fully functional around 2007, operates Cessna aircraft from at least five metropolitan-area airports, with a flying range covering most of the U.S. population, according to people familiar with the program.” [Wall Street Journal] See also: [Cam Kerry: Surveillance Should Not Overshadow Civil Liberties] [UK – UK intelligence agencies spying on lawyers in sensitive security cases] and [Tomgram: Shamsi and Harwood, An Electronic Archipelago of Domestic Surveillance] and [Craig Forcese: Does the State belong in the computers of the nation? (audio)] and [PRISM scandal threatens EU-US ‘Safe Harbour’ agreement]

US – Justice Department Walks Back Transparency on National Security Letters

The government is retracting an argument made on appeal in a case challenging the constitutionality of an investigative tool widely used by the FBI to obtain data on Americans without court oversight,” reports The Washington Post’s Ellen Nakashima. “In a case being heard by the Ninth Circuit Court of Appeals in San Francisco, a Justice Department lawyer last month asserted that companies that receive national security letters — an administrative subpoena that can be issued by a field office supervisor — can comment on the ‘quality’ of NSLs they receive, including whether they think that ‘the government is asking for too much.’ “ [Washington Post]

WW – Director Says NSA Will Deal With Encryption Challenges; GCHQ Says Tech Firms In Denial; Germany, Brazil Make Anti-NSA Moves

U.S. NSA Director Michael S. Rogers visited Silicon Valley and said that “a fundamentally strong Internet is in the best interest of the U.S,” The New York Times reports. Increased encryption of services by U.S. tech giants is “a challenge” for law enforcement, he said, adding, “And we’ll deal with it.” The new head of the UK’s GCHQ says some U.S. tech companies have become “command-and-control networks … for terrorists and criminals” and that British intelligence agencies could not tackle the challenges of increased encryption “at scale” without the help of the private sector. Meanwhile, Germany may enact a law that would require national clouds be built on local technologies, and Brazil, to avoid U.S. surveillance has started laying its own undersea Internet cables. [New York Times]

US – Silicon Valley Privacy Push Sets Up Arms Race With World’s Spies

There is an arms race developing between Silicon Valley and government intelligence programs, and so far, Silicon Valley “shows no sign it plans to give in.” Government requests place tech companies in a Catch-22: If they comply, they risk alienating their customers; if they don’t, they face continued allegations from law enforcement for aiding criminals and terrorists. Specifically, Microsoft General Counsel Brad Smith has called for arms-control talks. [Bloomberg] See also: Facebook has reported a 24% increase in government requests in the first half of 2014. A federal appeals court urged to strike down the NSA bulk phone metadata program and the Supreme Court considered how to balance whistleblower protections with national security. Finally, some are calling Sen. Mark Udall’s (D-CO) reelection loss a “blow for privacy and transparency advocates, as Udall was one of the NSA and CIA’s most outspoken and consistent critics.” The Privacy Advisor recently reported on the “ national emergency“ that is potentially brewing in this arena. [Bloomberg]

UK – ICO Issues Data Protection Code of Practice for Surveillance Cameras

The Information Commissioner’s Office release a Code of Practice (the “Code”) – which provides guidance on the operation of CCTV or other surveillance camera devices (e.g. body worn video cameras, and unmanned aerial systems ); organisations should take into account the nature of the problem the organisation is seeking to address, whether a surveillance system would be a justified and effective solution, what effect its use may have on individuals, and if its use is a proportionate response to the problem. Organisation should establish who is responsible for the control of the information, how the information is used, and to whom it may be disclosed. [Source]

EU – German Data Protection Authority Issues Guidelines on Video Surveillance

Use of video surveillance cameras in public places requires notification to the Data Protection Authority; special consideration should be given to monitoring in the following situations – retail establishments (cameras should not be used in areas where customers have an expectation of privacy, such as fitting and change rooms), shopping malls (video surveillance should be avoided in locations such as ATMs, relaxation areas, washrooms, and locker areas), employee monitoring (constant monitoring of employees is usually inadmissible, unless they are working in a vulnerable area such as point of sale, jewelry or warehousing operations), and dashcams (dashcams infringe on the privacy rights of pedestrians and fellow motorists, due to the ongoing monitoring while the car is running). [Source] See also: [US: Woman Claims Landlord Hid Cameras In Her Upper West Side Apartment] and [Can We Afford Privacy from Surveillance?] and [UK – Drone use puts operators at risk of ‘collateral privacy intrusion’, says data watchdog]

EU – German Spy Agency Seeks Millions To Monitor Social Networks Outside Germany And Crack SSL

The BND also wants to spend EUR4.5 million to crack and monitor HTTPS (Hypertext Transfer Protocol Secure) encrypted Internet traffic. By 2020 some of that money may be spent [on] the black market to buy zero day exploits, unpublicized vulnerabilities that can be exploited by hackers. [IT World]

US – Brookings Institution Tells Congress Drone Privacy Concerns Inflated

The Brookings Institution has published a report urging Congress to not respond to privacy concerns raised by the future implementation of drones by drafting anti-drone legislation. Gregory McNeal, the author of the report, says drones and other automated surveillance may actually bolster privacy protections. He noted that state anti-drone legislation has “focused on the technology (drones), not the harm (pervasive surveillance),” adding, “In many cases, this technology-centric approach creates perverse results, allowing the use of extremely sophisticated pervasive surveillance technologies from manned aircraft while disallowing benign uses of drones for mundane tasks like accident and crime scene documentation or monitoring of industrial pollution and other environmental harms.” [Ars Technica] see also: [Will the EU Beat the U.S. to Commercial Drones?]

US – Harvard Secretly Photographed Students to Study Attendance

Students and faculty raise concerns after Harvard University announced it had secretly photographed undisclosed classrooms in a study researching student attendance, The Boston Globe reports. “Just because technology can be used to answer a question doesn’t mean that it should be,” one professor said, adding, “And if you watch people electronically and don’t tell them ahead of time, you should tell them afterwards.” Harvard President Drew Faust said she is taking the matter “very seriously” and will have the incident reviewed by a recently created panel that already oversees the school’s electronic communications policies. Harvard was criticized a year-and-a-half ago after news spread that administrators had been secretly searching school email accounts. [Full Story]

US Government Programs

US – NSA’s Richards Introduces New Privacy Assessment Process

Since the Snowden disclosures in June of 2013, the NSA has become the poster child for over-collection both in the U.S. and abroad. But NSA Civil Liberties and Privacy Officer Rebecca Richards, wants to change that by bringing the agency’s civil liberties and privacy program beyond a compliance system that just checks off boxes. Speaking at a recent Privacy and Civil Liberties Oversight Board hearing on “Defining Privacy,” Richards said, “We have an opportunity to bring NSA’s approach to privacy together with a broader approach” that takes into consideration people’s legitimate privacy interests. As part of this new approach, Richards said she is testing a new privacy and civil liberties assessment process that includes frameworks from the private sector and non-intelligence agencies. [Privacy Advisor]

US Legislation

US – What the Midterm Elections Mean for Privacy Legislation

As the dust settles from this week’s midterm elections, Wired reports on what it calls the last bipartisan issue: reform of the NSA. Two senators helping to lead the charge for reform—Sens. Mark Udall (D-CO) and Mark Begich (D-AK)—were ousted this week, but, the report states, “a Republican majority in the House and Senate is not the devastating blow to privacy you might have expected it to be.” However, one of Congress’ loudest data security advocates , Rep. Lee Terry (R-NE), was unseated this week as well. Outside of Congress, California Attorney General Kamala Harris defeated her challenger one week after releasing the state’s first data breach report in two years. Experts say she plans to build upon cybersecurity policies in the upcoming term. [WIRED]

US – Senate May Vote on NSA Reform Next Week

The U.S. Senate could vote on ending the National Security Agency’s bulk collection of phone records as early as next week. If passed, the House could vote on the legislation by year’s end, which would “clear the decks for incoming Senate Majority Leader Mitch McConnell (R-KY),” the report states. “The American people are wondering whether Congress can get anything done,” said Sen. Patrick Leahy (D-VT), author of the bill. “The answer is yes. Congress can and should take up and pass the bipartisan USA FREEDOM Act without delay.” [The Washington Post]

Workplace Privacy

US – Postal Workers Union Files Complaint to NLRB After Data Breach

Following a breach affecting 800,000 U.S. Postal Service (USPS) employees, the American Postal Workers Union (APWU) has filed a complaint with the National Labor Relations Board. The APWU alleges the USPS “didn’t work with them to address the issue during the two months between the breach’s discovery and the Post Office’s public announcement on Monday,” the report states. APWU President Mark Dimondstein said the USPS was aware of the security problems, “they kept you and your union leadership in the dark … We do not know at this point whether management did everything in their power to protect our privacy, but they bear the ultimate responsibility.” [The Hill] Update: [House To Question USPS] See also: [Analytics in HR and in the Cloud]

US – Employee Mistakes Undermine US Government Data Security

According to an Associated Press analysis of information obtained through Freedom of Information Act (FOIA) requests, at least half of US government IT security incidents are the result of mistakes made by workers. Employees have violated workplace policies; lost or had stolen devices containing sensitive information; and shared sensitive information. [The Guardian] [A final rule was issued giving federal agencies the flexibility to either offer privacy training to contract employees or require the contractors to do the privacy training themselves]

US – DoD Puts Contractors on Notice For Insider Threats

New rule requires US government contractors to gather and report information on insider threat activity on classified networks. According to a 2012 financial services sector study by the Software Engineering Institute (SEI), the impact of insider attacks is considerable. Each attack, which, on average, remains undetected for 32 months, costs the victim between $382,750 and $479,000. The impact of the unwitting insider threat is huge. According to a report published by the Ponemon Institute in December 2013, the costs to remediate damage caused by an advanced persistent threat (APT) attack run as high as $18 million ($9.4 million in reputational damage, $3.1 million in lost user productivity, $3 million in lost revenue and business disruption, and $2.5 million in technical support costs). Approximately 50% of known APT attacks are initiated through phishing attacks – the other half of successful APT attacks succeed because of users with poor cyber hygiene habits, or unwitting insider threat actors, [Dark Reading]

US – Cybersecurity Codes Being Added to All Federal Job Descriptions

By the end of 2015, the Office of Personnel Management plans to have every position within the federal government labeled with a descriptive code detailing the cybersecurity functions – if any – required of the employees performing that job function. Federal employees active in cybersecurity account for some 4 percent of the workforce but, until recently, there were no standard job descriptions for the work being done. Prior to OPM’s efforts, there were no clear definitions on cybersecurity workflow in federal agencies and no baseline for hiring managers on what related skills were needed across a variety of positions. [Federal Times]

US – Coca-Cola Faces Class-Action

A former employee of Coca-Cola has filed a class-action lawsuit against the company for failing to protect and notify the loss of personal information of more than 70,000 current and former employees. Over a six-year period, 55 laptops were allegedly stolen from the company’s Atlanta headquarters. They reportedly contained Social Security numbers, driver’s license records, physical addresses and financial information. The plaintiff is seeking $5 million in damages. [The Pennsylvania Record]

US – Former Law Firm Employee Sues Over Photos

A woman is suing her former employer for uploading compromising photos of her to the firm’s computer server. Aubrey Fullmer, former receptionist of Simpson Logback Lynch & Norris, was allegedly dating one of the firm’s lawyers, Benjamin Simon, who decided to leave to start a new firm. The firm “confiscated his laptop computer,” which contained revealing photos of Fullmer. She claims the firm accessed personal files that were not stored on the confiscated computer but rather Simpson’s “personal GoogleDrive”—a cloud-based server. The suit claims the firm eventually moved them to the firm’s shared server where any employee could view the images. [Courthouse News Service]


Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: