1-15 December 2014

Big Data

US – Does Data-Mining Have a Place at the Guggenheim?

A new trend across the country is seeing museums mining “increasingly detailed layers of information about their guests, employing some of the same strategies that companies like Macy’s, Netflix and Walmart have used in recent years to boost sales by tracking customer behavior.” Museums are using the data to make decisions about exhibit design, donor outreach and gift shop marketing strategies, the report states. But such data-mining has some critics questioning whether the big data revolution “has a place in the nonprofit arts world.” [The Wall Street Journal]

US – ‘Womb-to-Workforce’ Data-Mining Scheme Sparks Revolt

Privacy advocates are calling for a moratorium on the Pennsylvania school system’s sweeping data-collection program, which they say is part of the federal government’s goal of being able to track the development of every child “womb to workforce.” All 50 states have been mandated by the U.S. Department of Education to establish inter-connected “longitudinal databases” accumulating information on every student from pre-kindergarten through college. Two groups, Pennsylvania Against Common Core and Pennsylvanians Restoring Education, are asking Gov. Tom Corbett to place a moratorium on data collection in the Pennsylvania Information Management System or PIMS. The system gathers information on students in all 500 school districts across the state and some schools have started collecting behavioral data that goes beyond testing for academic knowledge, according to the two organizations. The two groups are also asking the state attorney general’s office to launch an investigation into possible violations of student privacy laws. [Source]


US – Stakeholders Work on Facial Recognition Code of Conduct

Attempts to create a multi-stakeholder, voluntary code of conduct for the commercial use of facial recognition continued at the Commerce Department, where the National Telecommunications and Information Administration’s John Verdi moderated what Broadcasting & Cable described as “a wide-ranging discussion about language on issues including data retention/disposal, security and deletion.” The focus this week was on the language surrounding the retention, security and disposal of biometric images. The Center for Digital Democracy’s Jeff Chester urged the group to include more specific language on data use, but a representative from Facebook said that too much “granularity” would make the code too prescriptive. [Broadcasting & Cable]

WW – The Vending Machine of the Future Is Here, and It Knows Who You Are

The “vending machine of the future” is the first vending machine with facial-recognition technology. The machines are able to “identify and greet a user, remember a person’s preferences and even refuse to vend a certain product based on a shopper’s age, medical record, dietary requirements or purchase history,” the report states. A school can in fact link the machine with its database and direct it to refuse to sell certain products to underage students, or a gym could program the machine with its membership database so the machine wouldn’t vend sugary or high-fat products to a person on a diet, for example. [The Telegraph]

US – Pizza Hut Launches Digital Menu that Reads Your Mind by Tracking Eye Movement… And Tells You What to Order In 2.5 Seconds

It can tell you what you want to eat in the blink of an eye by tracking your eye movements. In 2.5 seconds the “subconscious menu” identifies a customer’s preferred pizza by applying a mathematical algorithm to where the customer’s gaze lingers. The software was developed for Pizza Hut by Swedish eye-tracking company Tobii Technology and took six months to build; the menu is controlled entirely by the customer’s gaze. [The Daily Mail]


CA – Supreme Court: Limited Warrantless Phone Searches Are Legal

In a 4-3 decision, the Supreme Court of Canada has ruled police may conduct limited searches of suspects’ cell phones without getting search warrants if they follow strict rules. “When is it okay for the police to conduct a warrantless search of a cell phone when making an arrest? The short answer, according to the Supreme Court’s decision in R. v. Fearon, is ‘sometimes,’” writes Brown in the IAPP Privacy Tracker. Beyond that point, he adds, “I’m really only sure about a couple of things. First, there is no reason to worry that the police are about to start searching everyone’s mobile device. Second, the law can be incomprehensible and impractical at times.” [IAPP Privacy Tracker] See also: [Privacy Commissioner Daniel Therrien told the House Privacy Committee if Bill C-13 passes without amendment, it could face a Charter challenge] [Canada: Missing Persons Act ‘broadly worded,’ says lawyer Mike King] and [Alberta privacy commissioner to investigate leak of Lukaszuk phone bill] and [A new paper in The John Marshall Journal of Information Technology & Privacy Law contends Canada’s federal anti-spam legislation, CASL, “creates unconstitutional limits on free speech,” stating CASL violates freedom-of-expression guarantees in the Charter of Rights and Freedoms.]

CA – Province to Legislate What Police Can Disclose About Innocent Ontarians

Ontario will table legislation in the new year detailing for the first time what information police can — and cannot — disclose to employers, volunteer agencies and academic institutions about Ontarians who have not been convicted of a crime, the Star has learned. A lengthy Toronto Star investigation earlier this year detailed how the routine release of police-held information about innocent Ontarians has ended careers, undermined job prospects, forced students out of university and college programs and ended up in the country’s criminal records database which is accessed by U.S. border officials who have used it to restrict the travel of Canadians. Once a policy is developed it will go before a cabinet committee for review, then to cabinet for approval, he said. If approved, legislation will be drafted. He said he expects tabling in the legislature by spring. [Source] See also: [Revealing ‘sensitive’ surveillance details worried Ottawa: memo]

CA – Former Privacy Commissioner and Journalist Bruce Phillips Dead at 84

Former journalist and federal privacy commissioner Bruce Phillips has died. He was 84. A statement from his family says he died of kidney failure on Saturday in Penticton, B.C. The statement says he suffered a stroke in June. Phillips worked for a number of media outlets during his career including CTV news in the 70’s and 80’s. Among his other duties he hosted the CTV show “Question Period.” He later served as Canada’s privacy commissioner between 1991 and 2000. Phillips was invested in the Order of Canada in 2010. After leaving the office of the privacy commissioner, Phillips retired to B.C.’s Okanagan region to be near his two daughters. [The Canadian Press] See also: [2014 Year in Review]


US – Retailers Dabbling With In-Store Beacon Technology

Stores are turning to beacons to help communicate with and entice in-store shoppers. Macy’s, for example, has installed the Bluetooth Low Energy (BLE) transmitters in all 840 of its stores, while Kohl’s is testing them in various locations. Shelfbucks CEO Erik McMillan said deployments will “skyrocket” from the 50,000 beacons currently in use to as many as 10 million in the next year. A survey conducted by Swirl found 30% of in-store customers made a purchase after receiving a beacon-enabled “push ad.” Still, some are concerned about being tracked. One IT administrator said, “If a retailer really wants to draw me into their store, showing me deals before I get to the mall is a better way.” [Associated Press]

US – Consumer Privacy to Be “Major Factor” in 2015

Over the past year, privacy has become a political and business issue. That’s according to a report that cites recent surveys indicating consumer privacy “will likely become a major factor for businesses in 2015.” The report considers the many privacy-focused products companies have launched and cites a Ponemon Institute survey that found “more than half of U.S. companies and about two-thirds of EU companies placed more trust in open-source commercial code to reduce privacy risks, compared with closed-source code.” Larry Ponemon said, “The problem for many companies is that proprietary software potentially may be doing things with your data that you might not know.” [eWeek] [US: Data Privacy Became a National Political, Business Issue in 2014]

CA – British Columbians Becoming More Concerned About Sharing Their Health Data

Half of British Columbians are “very willing” to allow health researchers to study their personal health records provided the information is anonymous, but that number has been dropping over growing privacy and security concerns, a new Mustel Group poll reveals. Last year, 63% of British Columbians polled as very willing. “Concerns about sharing data is growing in the public’s mind,” Mustel research consultant Phil Giborski told participants at The Data Effect conference in Vancouver Monday. “Their main concerns are that they will not remain anonymous and guarantees against hacking cannot be provided.” [Source]


US – Gas Tax Tracking Raises Privacy, Fairness Concerns

As more California drivers shift toward using energy-efficient vehicles, state officials are trying to come up with alternative revenue generators for the highway budget. A main source of the revenue is from a gas tax, but a mileage-based concept is being considered in California as well as nine other states. In order to track vehicles’ mileage, cars would have to be equipped with odometer readers, smartphone applications and GPS technology, all of which raise privacy concerns. Privacy advocates are worried the data could potentially be used not only to track total mileage but to learn when and where people drive. [Los Angeles Times]

US – Iowa Mobile ID Program Raises Privacy Questions

The state of Iowa is proposing using a mobile app as an alternative to a traditional driver’s license and may be the first in the nation to do so. The idea has been proposed by Iowa Department of Transportation Director Paul Trombino, who promises the free, government-developed app would be secure. He describes the digital license as an “identity vault app” that would require Iowans to use PINs to verify their identity. But opponents to the plan worry about what happens if a police officer takes a smartphone back to the cruiser to check a driver’s license and the driver has sensitive content on the device they’d rather not make available to police. Questions arise, such as, would the digital license app display only the phone ID or also have access to the entire phone? [InformationWeek] See also: [It’s 10pm, Do You Know Where Your Kids Are? (This App Does)] and [NZ: Husband of ex-MP loses job for peek at records]


US – Microsoft Draws Support for Fight Against Government Demand for Customer eMails

Major tech companies, including Apple, Verizon, and eBay, are lending their support to Microsoft in its effort to resist a US Justice Department demand for information held on a company server in Ireland. The companies, along with business associations and news media outlets have filed briefs urging that the Justice Department’s warrant be thrown out. Many noted that to require Microsoft to surrender the data would cause damage to US businesses. In a blog post, Microsoft General Counsel Brad Smith wrote, “This case involves not a narrow legal question, but a broad policy issue that is fundamental to the future of global technology.” [NextGov] [CS Monitor] [WIRED] [ComputerWorld] [Microsoft Makes Argument in Email Privacy Case] See also: [Damning emails withheld from media, opposition: Manitoba ombudsman]

Electronic Records

WW – Study Calls Nymity Accountability Framework Most Relevant

The recent “Privacy Accountability Management Framework for Data Controllers Operating across Asia” study, which examined six privacy accountability frameworks, named the “Nymity Accountability Framework as the most creditable, practical and relevant framework to address the data protection laws of nine Asian jurisdictions,” according to a media release. Nymity’s Terry McQuay said, “We are absolutely flattered at the recognition as we had no knowledge that this study was being conducted … Based on the feedback provided in the study, we have modified the Nymity Privacy Management Accountability Framework to ensure 100-percent coverage for compliance.” [PR Newswire]


US – Prosecutors Want Phone Makers to Help Them Access Data on Encrypted Devices

Federal prosecutors have invoked an 18th century law, the All Writs Act, to compel smartphone makers to decrypt seized devices in two separate cases. Judges in both cases ordered the device manufacturer to provide “reasonable technical assistance” to help decrypt the information. [Ars Technica] [The Register] SEE ALSO: [People Want Safe Communications, Not Usable Cryptography]

US – Encryption Standard Will Allow Law Enforcement Access

“Verizon is the latest big company to enter the post-Snowden market for secure communication, and it’s doing so with an encryption standard,” Bloomberg Businessweek reports. The product, known as Verizon Voice Cypher, was introduced with encryption company Cellcrypt and “offers business and government customers end-to-end encryption for voice calls on iOS, Android or BlackBerry devices equipped with a special app,” the report states, noting it provides secure communications “regardless of their wireless carrier, and it can also connect to an organization’s secure phone system.” Verizon and Cellcrypt said law enforcement will have the ability to access Voice Cypher communications if they can “prove that there’s a legitimate law enforcement reason for doing so,” the report states. The practical caveat: if the provider can hand over call content on request, the provider or its partner must hold key material for the session, so “end-to-end” here does not carry its usual meaning that only the two handsets can decrypt. [BusinessWeek]

EU Developments

UK – Court Rules Gov’t Intel Spying Legal; WP29 Releases Working Doc

A British court that oversees the nation’s intelligence agencies has ruled that mass electronic surveillance of citizens’ cell phones and online activity is legal. A complaint against the programs had been brought by a group of privacy advocates and Amnesty International. The groups have said they will appeal to the European Court of Human Rights. Privacy International Deputy Director Eric King said the decision “is a worrying sign for us all.” [The New York Times] SEE ALSO: [The Article 29 Working Party released its Working Document on surveillance of electronic communications for intelligence and national security purposes. This is the legal analysis of the group’s opinion on electronic surveillance for national security] and [UK: Fight against terror should not trump privacy rights – Human Rights Commissioner]

EU – Commission Enacts Gag Order for Safe Harbor Talks

The EU Commission is imposing gag orders on MEPs and preventing journalist access to discussions at the European Parliament’s LIBE Committee. Such clampdowns occur whenever an official is to speak on ongoing negotiations with the U.S. about Safe Harbor, the report states. MEPs face the risk of sanctions if they discuss the issue outside of the room during these “in-camera” sessions, as they’re called. Last week, Dutch MEP Sophie in ‘t Veld and German MEP Cornelia Ernst voted to suspend the Safe Harbor session but were outvoted and the meeting was kept secret. “We hear absolutely nothing that justifies the in-camera. Nothing,” in ‘t Veld said. [EUObserver]

EU – WP29 Seeks Consistent Data-Transfer Agreement Approach

The Article 29 Working Party has agreed on a new “Co-Operation Procedure for Issuing Common Opinions on Contractual Clauses” that aims to help companies that want to rely on model contracts to export personal information from the European Economic Area (EEA). “The procedure adopted by the Article 29 Working Party recognizes the need for a truly harmonized approach to handling data-transfer agreements throughout the EEA,” Jan Dhont and David Dumont of Lorenz write, adding, “Consistent approaches will become even more important under the future General Data Protection Regulation, which exempts model contracts from prior DPA authorization.” [The Privacy Advisor]

EU – Falque-Pierrotin Criticizes Risk-Based Approach

CNIL President and Article 29 Working Party Chairwoman Isabelle Falque-Pierrotin has warned that too much reliance on the so-called “risk-based approach” to privacy could undermine fundamental human rights. Addressing the French Parliamentary Commission on Digital Rights, Falque-Pierrotin said the risk-based approach is useful “as a guide to allocate resources but should not affect the underlying rights of the data subject.” She also said that accountability should be applied to all processing, including low-risk processing. [Hogan Lovells Chronicle of Data Protection] See also: [French data protection agency, the CNIL, has undergone a reorganization leading to the creation of a compliance directorate with the goal of supporting data controllers in compliance efforts] AND [The French data protection authority, the CNIL, has published a Methodology for Privacy Risk Management, while the UK Information Commissioner’s Office has issued a code of practice for conducting privacy impact assessments (PIAs) and commissioned a research study on PIAs and risk management. More recently, the Article 29 Working Party issued a new opinion on legitimate interests of the data controller.]

UK – Social Media Urged to Simplify Terms and Conditions by UK Parliament

A report issued by the House of Commons Science and Technology Committee is calling on the government to work with the Information Commissioner’s Office (ICO) to develop a set of information standards that would commit websites and apps to explain how they use personal data in clear, concise and simple terms. The committee’s report suggests that an internationally recognised Kitemark could be the first step towards ensuring the responsible use of UK citizens’ data by social media platforms and other organisations. [Source]

EU – EU Privacy News Roundup

Facts & Stats

US – Uber Disciplines One Employee; Faces Class-Action from Another

Uber Technologies has taken unspecified disciplinary action against a manager for tracking a journalist’s movements. The car-booking company had been investigating the actions of a general manager at its New York business for monitoring the whereabouts of a reporter without her permission. Meanwhile, Business Insider reports on the amount of data Uber and Lyft collect according to their Android privacy policies, and an Uber driver has filed a lawsuit in California seeking class-action status. The suit claims Uber accessed his credit report to unfairly fire him. [Today] and [Why Uber has a Canadian privacy problem]


US – US Treasury Department Says Tor is a Major Source of Financial Account Takeovers

In a non-public report, the US Treasury Department says that many bank account hijackings could have been prevented if financial institutions had known to block transactions that came through the Tor network. The Treasury Department’s Financial Crimes Enforcement Network analyzed suspicious activity reports that banks filed between August 2001 and July 2014. [Krebs]
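The mitigation the report describes, screening account activity against the current set of Tor exit addresses, as an added Go example written for this digest (it is not code from the Treasury report or from Krebs’ article). It assumes the exit list arrives in the layout of the Tor Project’s bulk exit-address list (one `ExitNode` block per relay with one or more `ExitAddress` lines); the exit list and the login log below are constructed samples using documentation-range addresses, and the log format is made up for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// exitList is a constructed sample in the layout of the Tor Project's bulk
// exit-address list. Fingerprints, addresses and dates are invented.
const exitList = `ExitNode 0011BD2485AD45D984EC4159C88FC066E5E3300E
Published 2014-12-10 12:34:56
LastStatus 2014-12-10 13:00:00
ExitAddress 198.51.100.7 2014-12-10 13:00:00
ExitNode 00A5B4FD2BB5B7E7B4D4C6E32C9EF7A4F0B6C3D1
Published 2014-12-10 11:02:10
LastStatus 2014-12-10 12:58:41
ExitAddress 203.0.113.44 2014-12-10 12:58:41
ExitAddress 203.0.113.45 2014-12-09 12:58:41
`

// loginLog is a constructed sample of online-banking events in a made-up
// key=value format: timestamp, account, source IP, outcome.
const loginLog = `2014-12-11T08:15:02Z acct=4417 src=192.0.2.10 result=ok
2014-12-11T08:16:45Z acct=9921 src=203.0.113.44 result=ok
2014-12-11T08:17:30Z acct=9921 src=203.0.113.44 result=transfer
2014-12-11T08:20:11Z acct=1203 src=198.51.100.7 result=fail
2014-12-11T08:21:57Z acct=5580 src=192.0.2.77 result=ok
`

// ParseExitList extracts every ExitAddress from the list into a set keyed
// by the normalised IP string; other record lines are ignored.
func ParseExitList(list string) map[string]bool {
	exits := make(map[string]bool)
	sc := bufio.NewScanner(strings.NewReader(list))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) >= 2 && fields[0] == "ExitAddress" {
			if ip := net.ParseIP(fields[1]); ip != nil {
				exits[ip.String()] = true
			}
		}
	}
	return exits
}

// Event is one parsed login-log line.
type Event struct {
	Time, Account, Src, Result string
}

// parseEvent reads the sample key=value format; malformed lines are skipped.
func parseEvent(line string) (Event, bool) {
	fields := strings.Fields(line)
	if len(fields) != 4 {
		return Event{}, false
	}
	ev := Event{Time: fields[0]}
	for _, f := range fields[1:] {
		kv := strings.SplitN(f, "=", 2)
		if len(kv) != 2 {
			return Event{}, false
		}
		switch kv[0] {
		case "acct":
			ev.Account = kv[1]
		case "src":
			ev.Src = kv[1]
		case "result":
			ev.Result = kv[1]
		}
	}
	return ev, true
}

// FlagTorLogins returns, in log order, the events whose source IP is a
// known Tor exit address. Matching uses the same normalisation as the set.
func FlagTorLogins(log string, exits map[string]bool) []Event {
	var flagged []Event
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		ev, ok := parseEvent(sc.Text())
		if !ok {
			continue
		}
		if ip := net.ParseIP(ev.Src); ip != nil && exits[ip.String()] {
			flagged = append(flagged, ev)
		}
	}
	return flagged
}

func main() {
	exits := ParseExitList(exitList)
	for _, ev := range FlagTorLogins(loginLog, exits) {
		fmt.Printf("TOR-EXIT %s acct=%s src=%s result=%s\n", ev.Time, ev.Account, ev.Src, ev.Result)
	}
}
```

The exit set is a point-in-time snapshot and exit relays churn, so in production the list must be refreshed continually and, for historical review, matched against the `LastStatus` date rather than treated as static. Whether a flagged event becomes a block or only a step-up challenge is a policy choice; the report’s point is that the institutions had no signal at all.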

US – Intruders Stole Insider Information to Beat Wall Street

Information thieves used phishing messages to gain access to systems at more than 100 publicly traded companies and stole data about merger discussions, product information, and legal action, which could be used to help inform investment decisions. The majority of affected companies are in the health care and pharmaceutical industries. [Ars Technica] [CNN]


CA – Ontario Passes Legislation That Makes It Illegal to Destroy Government Records

Based on some of the recommendations of the IPC report, Deleting Accountability: Record Management Practices of Political Staff – A Special Investigation Report, the Ontario government yesterday passed Bill 8, The Public Sector and MPP Accountability and Transparency Act. The legislation makes it an offence to alter, conceal or destroy records with intent to deny an access request, with a penalty of up to $5,000. [Information and Privacy Commissioner, Ontario] See also: [AU: Freedom of information laws upheld by two men working from home] See also: [ON: Horwath pressures Liberals about more power for IPC]

CA – PEI: Freedom of Information Should Apply to UPEI, Say Students

‘Public money should equal public access,’ says UPEI Student Union president Lucas MacArthur, who will meet with Premier Robert Ghiz on the issue. MacArthur said P.E.I. is the only province in Canada that hasn’t brought post-secondary institutions under the law. The student union has already met with Minister of Labour and Justice Janice Sherry, the standing committee on education, and UPEI administration about freedom of information at the university. MacArthur said UPEI does have a freedom of information office, but it is not accountable to the government and it should be. [CBC News]

CA – Billings By Ontario Doctors Are Secret: Should They Be?

Nineteen physicians billed Ontario’s publicly funded health insurance plan more than $2 million each in 2012-13. But you can’t know who they are. Revealing their names would be an unjustified invasion of privacy, according to the health ministry’s privacy office, which denied that part of a freedom-of-information request from the Star. But the release of physician-identified billing records in the United States earlier this year has reignited a decades-old debate about public disclosure of such information in Ontario. Even the province’s acting information and privacy commissioner has indicated the time may have come to rethink keeping the data under wraps. [Source]


US – Courts Strike Down DNA Collection and Drug Testing Laws

In two separate cases, courts struck down state laws involving the collection of DNA and drug-testing data. A California appeals court ruled the state’s law requiring the collection of DNA from anyone suspected of a felony is unconstitutional. Presiding Justice J. Anthony Kline said, “We conclude that the DNA Act … unreasonably intrudes on such arrestees’ expectation of privacy.” Meanwhile, a federal appeals court ruled Wednesday that a Florida law requiring welfare applicants to submit to drug tests prior to receiving benefits violates the Fourth Amendment. Judge Stanley Marcus wrote, “If we are to give meaning to the Fourth Amendment’s prohibition on blanket government searches” the law “crosses the constitutional line.” [The Associated Press]

Health / Medical

US – Dozens of Federal Agencies Could Get Access to PHI

Under a proposed Federal Health IT Strategic Plan 2015-2020, 38 government agencies would have the ability to collect, share and use the personal health information of U.S. citizens, a NetworkWorld columnist writes. “While I’m a big fan of NASA, why the heck does NASA need access to my health records?” she asks. “A better question … why the heck does the Bureau of Prisons need to access the health records of non-felons?” The draft plan is still open for public comment until February 6. [NetworkWorld] See also: [Pharma Teaming with Web Biz To Target Prescription Ads] See also: [BC: Privacy probe to investigate medical records faxed to wrong numbers] and [Staffers snooped into 500 patients’ files at Lakeridge Health] AND [ON: Six hospital staff fired for accessing patient files after in-hospital suicide]

US – Research Group Wants HIPAA Amended for Data Use Without Consent

The American Medical Informatics Association (AMIA) says allowing health researchers to access patients’ personal health information (PHI) without their permission could be beneficial. The group’s board chair and vice president of policy and development, Ross Martin, wrote a letter to Rep. Fred Upton (R-MI) suggesting Congress amend HIPAA to allow for increased data-sharing. Martin said exemptions for access to PHI should be made for “observational or data research.” The AMIA letter made recommendations that HIPAA amend the definition of healthcare operations so covered entities and their business associates can be trusted “with the responsibility of conducting research with health data to improve the health of our nation as a whole.” [HealthITSecurity]

Horror Stories

WW – Sony Employees Offered Reprieve by Hackers, with a Twist

The alleged hackers of Sony Pictures Entertainment (SPE) have offered to withhold email correspondences of employees, but only if each employee writes in and asks the hackers. “Message to SPE Staffers,” the hackers’ post states. “We have a plan to release emails and privacy of the Sony Pictures employees. If you don’t want your privacy to be released, tell us your name and business title to take off your data.” Meanwhile, attorneys for SPE are reaching out to publishers, telling them not to report and publish the “stolen data” and to delete what they do have. In an op-ed for The Christian Science Monitor’s Passcode feature, Prof. Evan Selinger argues that publishing hacked emails is a privacy violation. [Re/Code] See also: [Sony Pictures Allegedly Hacking the Hackers] and [SONY Private Key Leaked, Used in PoC to sign malware]

WW – Hack Could Cost Sony $100 million; Employees Mull Class-Action

Fallout from the unprecedented hack and release of massive amounts of information from Sony Pictures continues, with news the attack could cost the company as much as $100 million. Several former Sony Pictures employees who had their personal information disclosed say a class-action lawsuit is in the works. “We’re all worried about our identities, privacy and our families, and Sony so far hasn’t done much to address the situation,” said one former employee. U.S. Federal Bureau of Investigation agents will be on hand at Sony Pictures headquarters this week to advise and update employees on the investigation. Meanwhile, a Ponemon survey of employees of organizations in the U.S., UK, France and Germany found 71 percent have access to data they should not. [Reuters]

US – Sands Casino Network Hit by Cyber Attack

In February 2014, staff at the Las Vegas Sands Corp. noticed things starting to go very wrong very quickly with its computer network. Hard drives at the headquarters of the world’s largest gaming company were being wiped. Early on, Iran was suspected of being behind the campaign, an apparent retaliation for remarks made by casino CEO and majority shareholder Sheldon Adelson. Sands spends millions on security, protecting Adelson and his family, and protecting the company’s assets, but cyber security was lagging. The attackers made their way into one system at a casino in Pennsylvania and eventually worked their way to the company’s Las Vegas servers. When the extent of the attackers’ intended destruction became apparent, the Sands severed itself from the Internet. The attack, which was kept largely under wraps, is similar to the recent attack on Sony Pictures because the perpetrators are seeking not financial gain, but retribution. The attacks are far-reaching, but because they do not pose a threat to national security, the government is unlikely to take action. [BusinessWeek]

US – MA AG: TD Bank Must Pay $625K for Breach

Massachusetts Attorney General Martha Coakley has announced TD Bank will pay a $625,000 fine and must take actions to improve its security practices following a 2012 data breach involving lost backup tapes that contained the personal information of more than 90,000 state residents. According to Coakley, the bank also delayed notice of the incident to her office. Coakley filed an assurance of discontinuance on Monday and in it alleged the bank lost two unencrypted computer server backups that were to be transported by a third party. TD Bank has said there is no evidence the loss of data has led to any fraud or unauthorized access or use. [WCVB] see also: [US: The Case of the $1.7 Million Laptop]

US – Target to Argue No-Harm, No-Foul in Breach Suit

Following a federal court’s ruling to allow a class-action lawsuit against Target to proceed, Bloomberg reports the company plans to use a “no-harm, no-foul” defense based on a 2013 Supreme Court ruling. The high court ruling stated citizens have no basis to seek damages as a result of mass surveillance because they cannot prove they were in imminent danger. Likewise, Target argues that customers were not in imminent danger of identity theft or financial harm, the report states. Meanwhile, the Pennsylvania Superior Court will allow a plaintiff a second chance to certify a class-action alleging Keystone Mercy Health Plan violated the law when it lost a flash drive containing sensitive personal information of approximately 286,000 subscribers, and in California, IKEA is seeking decertification in a ZIP code case. [Source] SEE ALSO: [7 Lessons from Target’s Breach]

Identity Issues

WW – Tech Alliance FIDO Releases Specifications for Two-Factor Authentication

The FIDO (Fast Identity Online) Alliance, a consortium of high-profile tech companies, has released the first specifications for manufacturers to develop two-factor and biometric authentication systems that will work on different devices. The document addresses two login systems: the Universal Authentication Framework (UAF), and Universal 2nd Factor (U2F). FIDO members will share patent licensing on the developed technologies, which should hasten their adoption. [ComputerWorld] [SC Magazine] [The Register] [FIDO Press Release]
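How a U2F authentication assertion is built and checked, as an added Go example written for this digest (it is not FIDO Alliance code). It follows the U2F raw-message layout for the signed data (SHA-256 of the AppID, a user-presence byte, a 4-byte big-endian counter and SHA-256 of the client data, signed with ECDSA P-256) and simplifies everything around it: one key pair stands in for the per-site key handle, the browser is left out, and the AppIDs, challenge and counter values are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Token models the authenticator: a P-256 key and a monotonic counter.
type Token struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// Registration is what the relying party keeps after registration:
// the token's public key and the highest counter value accepted so far.
type Registration struct {
	Pub     *ecdsa.PublicKey
	Counter uint32
}

// NewToken generates the key pair a token would create at registration
// (simplified: one key rather than a per-AppID key handle).
func NewToken() (*Token, *Registration, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Token{priv: priv}, &Registration{Pub: &priv.PublicKey}, nil
}

// signedData assembles the bytes a U2F authentication signature covers:
// SHA-256(AppID) || presence byte || 4-byte big-endian counter || SHA-256(clientData).
func signedData(appIDHash [32]byte, presence byte, counter uint32, clientDataHash [32]byte) []byte {
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	buf := make([]byte, 0, 32+1+4+32)
	buf = append(buf, appIDHash[:]...)
	buf = append(buf, presence)
	buf = append(buf, ctr[:]...)
	buf = append(buf, clientDataHash[:]...)
	return buf
}

// Authenticate is the token side: advance the counter, assert user
// presence (the touch), and sign the assembled data.
func (t *Token) Authenticate(appIDHash, clientDataHash [32]byte) (presence byte, counter uint32, sig []byte, err error) {
	t.counter++
	presence = 0x01
	digest := sha256.Sum256(signedData(appIDHash, presence, t.counter, clientDataHash))
	sig, err = ecdsa.SignASN1(rand.Reader, t.priv, digest[:])
	return presence, t.counter, sig, err
}

// Verify is the relying-party side. It recomputes the signed data with its
// own AppID hash (origin binding), requires the counter to advance (replay
// and clone detection) and only then checks the signature.
func Verify(reg *Registration, appIDHash, clientDataHash [32]byte, presence byte, counter uint32, sig []byte) error {
	if presence&0x01 == 0 {
		return errors.New("user presence not asserted")
	}
	if counter <= reg.Counter {
		return errors.New("counter did not advance: replay or cloned token")
	}
	digest := sha256.Sum256(signedData(appIDHash, presence, counter, clientDataHash))
	if !ecdsa.VerifyASN1(reg.Pub, digest[:], sig) {
		return errors.New("signature does not verify")
	}
	reg.Counter = counter
	return nil
}

// Scenario runs a genuine login, then replays the same assertion, then
// presents an assertion the token produced for a look-alike origin.
// Constructed AppIDs and client data; only the first should succeed.
func Scenario() (genuine, replay, wrongOrigin error) {
	tok, reg, err := NewToken()
	if err != nil {
		return err, err, err
	}
	appIDHash := sha256.Sum256([]byte("https://bank.example"))
	clientDataHash := sha256.Sum256([]byte(`{"typ":"navigator.id.getAssertion","challenge":"constructed-nonce-1","origin":"https://bank.example"}`))
	presence, counter, sig, err := tok.Authenticate(appIDHash, clientDataHash)
	if err != nil {
		return err, err, err
	}
	genuine = Verify(reg, appIDHash, clientDataHash, presence, counter, sig)
	replay = Verify(reg, appIDHash, clientDataHash, presence, counter, sig)
	phishHash := sha256.Sum256([]byte("https://bank-example.com"))
	p2, c2, sig2, err := tok.Authenticate(phishHash, clientDataHash)
	if err != nil {
		return genuine, replay, err
	}
	wrongOrigin = Verify(reg, appIDHash, clientDataHash, p2, c2, sig2)
	return genuine, replay, wrongOrigin
}

func main() {
	g, r, w := Scenario()
	fmt.Println("genuine:", g, "| replay:", r, "| wrong origin:", w)
}
```

The two checks worth noting are the ones a password or OTP scheme cannot offer: the AppID hash inside the signed data ties the assertion to the site the browser actually talked to, so a credential phished on a look-alike domain does not verify at the real one, and the counter comparison lets the relying party notice a replayed assertion or a cloned token. Requires Go 1.15 or later for `ecdsa.SignASN1`/`VerifyASN1`.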

US – City’s New Municipal IDs to Employ Facial Recognition

New York City has hired nearly two dozen investigators and will employ high-tech facial recognition software to deal with security concerns about the new municipal IDs being issued next month. The program is designed to become one of the largest of its kind in the country, the report states, and aims to give undocumented immigrants a chance to participate in the community. Concerns about information being stored in government databases are being addressed by limiting access to only high-level administrators, and law enforcement must obtain warrants to access data. [New York Post] [NYC to Issue ID Cards with Free Benefits to Illegal Aliens] See also: [For Afghans, Name and Birthdate Census Questions Are Not So Simple]

WW – Google Rethinking CAPTCHA

Google is retooling the way it implements CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) authentication to incorporate behavioral information. Google’s new system will ask users to click on a box indicating that they are not robots. The technology takes into account how the user moves the mouse. Google also uses other, undisclosed behavioral information. If the single click is inconclusive, users will be given a traditional CAPTCHA. [Google Can Now Tell You’re Not a Robot With Just One Click] [WIRED] [The Register] [ComputerWorld] [Google Online Security Blog]

Intellectual Property

EU – Police Shutter Websites Hawking Counterfeit and Pirated Products

Law enforcement agencies in Europe have seized nearly 300 domains associated with selling counterfeit electronics and medications as well as pirated movies and music. No arrests have been made yet. [BBC] [Computer Weekly]

WW – The Pirate Bay Offline After Swedish Authorities Seize Servers

Authorities in Sweden have raided and seized the servers of The Pirate Bay, causing the torrent tracking website to go dark. The site has been taken down before but previously has always returned quickly. This time, the site does not appear to be bouncing back as quickly. One of The Pirate Bay’s founders, Peter Sunde, says he is fine with the site’s disappearance, because he does not like what it has become. Other filesharing sites reportedly also went down on the same day, but it is not clear if the incidents are related. [eWeek] [BBC] [WIRED] [ComputerWorld]

Internet / WWW

WW – Commissioners to App Marketplaces: Make Developers Share Privacy Policies

A total of 23 privacy enforcement partners from across the globe are telling app marketplaces, including Google Play and Apple’s App Store, “to make it mandatory for mobile app developers to post links to privacy policies prior to download if they’re going to collect personal information,” Canada’s Office of the Privacy Commissioner announced. In an open letter to the operators of seven app marketplaces, the data protection and privacy commissioners wrote that many apps that appear to collect personal information do not have privacy policies, “thus removing the ability for individuals to be meaningfully informed when making decisions about the collection, use and/or disclosure of their personal information.” The joint recommendation follows the Global Privacy Enforcement Network’s mobile app privacy sweep. [Source]

US – Think Tank Publishes IoT Guidelines

A Washington think-tank funded in part by corporate backers has published guidelines for collection and use of data gathered via the Internet of Things (IoT). The Information Technology and Innovation Foundation’s (ITIF) Center for Data Innovation published the 10 guidelines in conjunction with a bipartisan event featuring senators who sent a letter in October to Commerce Committee leaders requesting an oversight hearing on IoT, the report states. “We’re hoping that (the principles) will help to direct the conversation in Washington,” said Daniel Castro, a senior analyst at ITIF, adding, the Federal Trade Commission, which held an IoT workshop recently, should focus more on actual scenarios than hypotheticals. [Advertising Age] See also: [IoT, Trust, And The Emerging Market Of One] and [Omer Tene: Customers in the Maze: Ethics Heat Up the Flatirons]

US – Mobile Apps Still Collect Vast Amounts of Personal Data on Kids, Despite FTC Privacy Rule

According to privacy and consumer advocates, more than a year after federal regulators issued privacy rules for kids’ mobile apps, online stores are flooded with software programs that “quietly collect vast amounts of data on the youngest consumers,” including location data and even voice recordings. The FTC’s amended Children’s Online Privacy Protection Act (COPPA) Rule, in effect since July 2013, requires app developers to get verifiable parental consent before collecting personal information from anyone younger than 13. “Kids are such a lucrative market, especially for apps,” said the Center for Digital Democracy’s Jeff Chester. “Unfortunately, there are still companies out there that are more concerned about generating revenue than protecting the privacy of kids.” [Associated Press]

WW – BBB: Native Ads Must Comply with Privacy Code

Native advertising, which Mashable previously described as one of the biggest trends in advertising, “must comply with the industry’s privacy code.” That’s the word from the Better Business Bureau (BBB) in a compliance warning that states, “Native advertisements personalized for consumers based on their prior browsing across websites must comply with the Digital Advertising Alliance’s Self-Regulatory Principles for Online Behavioral Advertising (OBA) … Companies involved in interest-based native ads are responsible for meeting all the requirements of the OBA principles, just as they would be with respect to any other” ads based on interest. The BBB also advised web publishers “must provide ‘enhanced’ notice when data about visitors is used to serve them native ads on other sites,” the report states. [MediaPost]

EU – In-Car Emergency Systems Will Meet Privacy Concerns

A proposal that would mandate all cars in the EU have automatic emergency calling systems has been approved after meeting privacy concerns. The “eCall” system would allow cars to automatically call emergency services after an accident. The system needs to transmit sensitive data, including location information, which has many concerned about their privacy being violated. However, a deal has been reached addressing such concerns. “The new rules will ensure that eCall works only as a safety device,” said MEP Olga Sehnalova, rapporteur on the issue, adding, “It will be illegal to use it to track a driver’s movements or to misuse location data, which must be sent only to the emergency services.” [PCWorld]

Law Enforcement

UK – UK Police Not Receiving Adequate Cyber Crime Training

According to a survey of UK police intelligence analysts, British police are not receiving adequate training to equip them with what they need to know to fight cyber crime. Just 30 percent of respondents said they felt they had the necessary skills to deal effectively with cyber crime. [Independent] [PA Consulting] See also: [SSK: Police chief says privacy practices sometimes too restrictive] and [Spotting terrorist behaviour online is harder than finding child abuse images] and [RCMP accidentally sent woman’s assault complaint to media]

UK – Child Abuse Database Containing Millions of Images to Launch

Data taken from tens of millions of child abuse photos and videos will shortly be used as part of a new police system to aid investigations into suspected paedophiles across the UK. The obscene material was seized during previous operations. The project, called the Child Abuse Image Database (Caid), will be launched by the Prime Minister at an internet safety event on Thursday 11 December. But one expert warned its success depended on it being properly staffed. [Source] See also: [Ottawa firm’s emergency response portal could help first responders]

US – Body-Worn Cameras Seem Imminent and So Do Privacy Concerns

Just one year ago, the idea of police officers wearing body cameras seemed novel. But within the past few months, big cities including Washington, DC, Los Angeles and New York have been piloting programs. After the events in Ferguson, MO, it’s no longer a question, the report states. “The body camera is here to stay,” said one privacy law expert. President Barack Obama proposed earlier this week to reimburse communities half the cost of buying cameras and storing video, which prompted privacy questions regarding when officers should turn cameras on and off, how to store the massive amount of data and how long to keep the footage. [The Washington Post] See also: [Body cameras: Can they reduce confrontations with police?] and [Data from wearable devices could soon land you in jail]

US – New York Flags 278 Gun Owners as Mentally Unstable

New York State’s tough new SAFE Act gun control law has flagged 278 gun owners who could lose their weapons because they have been deemed mentally unstable, a new report shows. Gov. Andrew Cuomo urged lawmakers to pass the SAFE Act quickly after the 2012 mass shooting at the Sandy Hook elementary school in Newtown, Conn. Since the law’s enactment, the state has collected 38,718 names in a database of individuals who have been found at-risk for owning guns by psychiatrists and other health professionals. The paper said when the database was checked against a list of pistol permit holders in the state, there were 278 matches, less than 1 percent. [The Syracuse Post-Standard]


WW – IAPP Resource Center: Location Data Privacy Guidelines

The Location Forum, in partnership with the IAPP, is now offering IAPP members free access to its Location Data Privacy: Guidelines, Assessment and Recommendations through the IAPP Resource Center. These guidelines were developed by the forum to bring attention to critical issues and provide a framework for developers, managers, marketers and executives to follow. They aim to help organizations understand the potential risk areas related to location privacy and offer a risk assessment scorecard as well as transparency recommendations that provide a comprehensive overview of the business, technology and user issues associated with handling location data. (IAPP member login required) See also: [AU: Mental health group questions using tracking devices on patients]

US – Lyft Cofounder Says Company “Open” to Privacy Options

Lyft Cofounder John Zimmer says the company “is ‘open’ to considering any options to increase people’s privacy.” That’s after Sen. Al Franken (D-MN) wrote to the company earlier this week criticizing it for allegedly allowing employees to track users’ locations. Zimmer said, “If you look at our company and our company’s values and the way we operate internally, we’ve always respected users’ privacy.” He added that, in recent weeks, the company has upgraded its policy to limit the number of people who can access information about a customer’s ride and that he’s open to working with Franken. [The Hill]

US – Senator Franken Unhappy With Uber Response

Sen. Al Franken (D-MN) is unhappy with the answers he received from rideshare service Uber about its privacy practices, saying the company lacked details and, in some cases, avoided answering questions altogether, PCWorld reports. “Quite frankly, they did not answer many of the questions I posed directly to them,” he wrote in a blog post. “Most importantly, it still remains unclear how Uber defines legitimate business purposes for accessing, retaining and sharing customer data. I will continue pressing for answers to these questions.” [PC World] See also: [Franken Turns Attention From Uber to Lyft]


TW – Gov’t Probe Reveals Smartphones Violate Privacy Law

A regulatory agency of the Taiwanese government has found 12 smartphone makers violate the region’s privacy rules. A two-month-long probe revealed some of the smartphones collect user data without consent while others contain “imperfections” that do not meet the law. Taiwan National Communications Commission Vice Chairman Hsiao-Cheng Yu said the agency’s report will be released in the coming weeks and the government will ask the phone makers to modify their handsets to comply with the privacy standards or face monetary fines or bans on their products. [Reuters] [UK: Rory McIlroy ‘wiped important data from electronic devices’, court is told]

Online Privacy

WW – Hackers Are Getting Personal Information Easier Than Before: Symantec

In the mobile app world, when hackers want access to personal information, they simply need to ask for it. That’s according to a recent survey by Symantec of more than 6,000 smartphone users globally that found many are willing to forgo privacy for free entertainment. Symantec is aiming to change that by implementing its “App Advisor” functionality to preemptively scan apps for privacy issues and alert users of the necessity of app permissions in real time prior to the download process. “When you download an app, the term ‘free’ rarely comes without a cost,” said Symantec’s product manager of mobile applications, James Nguyen, adding it’s good for users to think about whether the data they’re giving up is worth the trade-off. [Computer Dealer News] [Norton] [Safe Practices] [Infographic] See also: [Zuckerberg admits Facebook deserves criticism for how it handles its privacy messaging] and [That privacy notice you’re posting to Facebook? It won’t work]

WW – Google to Develop Products Aimed at Kids

Beginning next year, Google plans to create specific versions of its most popular products for users age 12 and under. Kids under 13 have typically been off-limits to tech companies. “We expect this to be controversial, but the simple truth is kids already have the technology in schools and at home,” said Google’s vice president of engineering, adding, “So the better approach is to simply see to it that the tech is used in a better way.” The move follows other recent “kid-centric efforts,” including Google’s virtual Maker Camp, Doodle 4 Google competition and Made with Code initiative, the report states. [USA Today] See also: [Managing Your Online Presence after Death]

US – Online Curriculum Helps Teach Kids About Privacy, Security

With children’s increasing use of technology in the classroom and at home, McAfee has teamed up with Discovery Education to unveil a free online curriculum to teach children about online privacy and safety. The program, thinkbeforeyoulink.com, is aimed at children between the ages of eight and 11 and uses interactive scenes that children may come across in the real world, such as sites asking them to share their addresses or the names of their schools. The program, co-developed by McAfee CPO Michelle Dennedy, also teaches children about cybercriminals and how they use personal details to get into their parents’ bank accounts or place harmful software on computers. [The New York Times]

WW – Kickstarter Campaign Results in Facebook Alternative

NPR reports on Diaspora, a nonprofit social network born out of a New York University (NYU) computer lab. Four undergrads were given “a global commission to rebottle the genie of personal privacy” after they were granted $200,000 thanks to a Kickstarter campaign. Jim Dwyer wrote a book, More Awesome Than Money, on the NYU grads’ creation of Diaspora, which aims to resist “the surveillance economy that underwrites so much of what goes on online.” [NPR] See also: [Facebook Swipe At Apple On Privacy Is The Real News]

WW – Twitter Improves Tools for Users to Report Harassment

Twitter has always prided itself on being a forum for free speech, even if that speech is vile and hateful. So it has tread more carefully than other public message services when it comes to blocking users that spew abuse at others. It didn’t even have a button for reporting abuse until July 2013, shortly before it sought to raise money from the public through an initial stock offering. Now, after numerous cases involving vile language and threats of rape or death made to Twitter users — and slowing use of the service — the company appears to have a new approach. It wants to do more to make Twitter an appealing place to hang out online. The company has announced new tools to make it easier to report harassment, which will be gradually introduced this month to its 284 million active users. In particular, Twitter intends to simplify the forms that a user has to fill out to report abuse, especially for mobile users, who have been forced to navigate a clunky interface. The company will also encourage bystanders to report abuse they witness, which will improve the ability of Twitter’s safety team to respond quickly and fairly. [The New York Times]

Other Jurisdictions

HK – Hong Kong’s First Prison Sentence Under the Personal Data Ordinance

The Hong Kong Privacy Commissioner for Personal Data (PCPD) announced that a former insurance agent has received a prison sentence in respect of offences under the Personal Data (Privacy) Ordinance (the Ordinance). This case is important in that it marks the first custodial sentence being imposed pursuant to the Ordinance. [Source] See also: [‘Right to be forgotten’ on the Internet gains traction in Japan]

AU – ANZEN Privacy News Roundup

Privacy (US)

US – Judge: NSA Should Have Unlimited Collection Ability

The NSA should have an unlimited ability to collect digital information in the name of protecting the country against terrorism and other threats, said a federal judge at an event in Washington, DC. Judge Richard Posner of the U.S. Court of Appeals for the Seventh Circuit said, “I think privacy is actually overvalued,” adding, “Much of what passes for the name of privacy is really just trying to conceal the disreputable parts of your conduct.” Meanwhile, The Intercept reports on Snowden documents indicating the NSA plans to “secretly introduce new flaws into communications systems so that they can be tapped into,” with an operation codenamed AURORAGOLD. [PCWorld]

US – Court Demands More Info on Secret Spying Program

A federal judge ordered the federal government to provide more detail on a “mysterious” law enforcement database that sparked the investigation of a man charged with violating the trade embargo against Iran. The U.S. government maintains that Homeland Security investigators did not spy on defendant Shantia Hassanshahi using the National Security Agency’s bulk telephony metadata program, which collects records of individuals’ phone calls (numbers, times and durations) rather than their content. But Hassanshahi argues that the government used the mass surveillance program, or at least something like it, to access telephone records that helped secure his arrest. [Source]

US – FISMA Reform to Make DHS More Efficient; FBI Calls for Data-Sharing Laws

Phyllis Schneck’s job as deputy undersecretary at the Department of Homeland Security (DHS) should get easier when President Barack Obama signs the Federal Information Security Management Act (FISMA) reform legislation that passed Congress this week. For example, after the Heartbleed bug threatened IT systems earlier this year, Schneck’s team had to get permission from other federal agencies for DHS to scan their IT systems to check for vulnerabilities. FISMA would allow DHS to do so without permission. Meanwhile, FBI officials are calling for updates to the Computer Fraud and Abuse Act and for new laws to allow data sharing on threats. [BankInfoSecurity] See also: [White House silent on privacy debate]

US – FCC Settles TV Station Investigation for $35,000

The Federal Communications Commission (FCC) has settled an investigation of a television station licensee. Newport Television LLC, former licensee of KTVC Salt Lake City, will pay a $35,000 civil penalty to settle an investigation “involving the station’s recording and broadcast of a person’s telephone conversation as part of a news segment without first telling the person that the call was being recorded and would be broadcast,” the report states. Doing so was a violation of the FCC’s Telephone Broadcast Rule. “We hold broadcasters to high standards and will ensure that they fully respect the privacy rights of consumers,” said the FCC’s Travis LeBlanc. [TVNewsCheck]

US – Supreme Court to Hear Online Free Speech Case

Beginning today, the Supreme Court will hear a landmark case about threats on the Internet. In Elonis v. U.S., Anthony Elonis claims threats he wrote about his wife and coworkers on his Facebook page weren’t meant to be taken seriously. Elonis was jailed for the posts, which has First Amendment advocates worried about free speech rights. But the government and others say making a threat is a crime itself, despite intent. [The Hill]

US – Oregon AG Calls for Student Privacy Bill of Rights

Oregon Attorney General Ellen Rosenblum has called on the state’s legislature to adopt legislation that would prevent the collection and sale of student information to third-party advertisers. She said current law is outdated and does not appropriately protect personal information. “We essentially need a consumer bill of rights so that people know what their rights are online,” she said, adding, “There’s great things about technology, but we have to inform the people; we have to inform parents and the kids so we can be protected better online as well as offline.” [TNS]

US – Ad Company Agrees to Pay $750K for Violations

An online advertising company has agreed to pay $750,000 to six states for bypassing some users’ privacy settings. PointRoll, owned by Gannett, has agreed to the settlement with New York, New Jersey, Connecticut, Florida, Maryland and Illinois for going around users’ Safari privacy settings to place cookies to track user behavior. “Every company is expected to play by the same set of rules: No one should have to fear a business is violating their privacy by bypassing personal settings on their computers or mobile devices,” said New York AG Eric Schneiderman. [Bloomberg]

US – FTC Settles with Medical Billing Provider, Former CEO for Deceptive Data Collection

The FTC has settled with a medical billing provider and its former CEO for misleading “thousands of consumers who signed up for an online billing portal by failing to adequately inform them that the company would seek highly detailed medical information from pharmacies, medical labs and insurance companies.” In complaints against PaymentsMD and former CEO Michael C. Hughes, the FTC alleged the patient portal provided a means by which sensitive health information could be acquired. “Consumers’ health information is as sensitive as it gets,” said FTC Bureau of Consumer Protection Director Jessica Rich. “Using deceptive tactics to gain consumers’ ‘permission’ to collect their full health history is contrary to the most basic privacy principles.” [FTC] [FTC: Online billing service deceptively collected medical records]

US – Union Files Charge Against USPS Over Breach

Following its data breach that may have compromised the personal data of approximately 800,000 employees, the USPS is now facing a new problem. After employees were notified of the breach in November, the American Postal Workers Union filed an unfair labor practice charge with the National Labor Relations Board alleging the USPS violated the National Labor Relations Act, which “requires an employer to bargain in good faith with the union representing its employees.” The USPS failed to provide the union with an opportunity to bargain over the impacts of the breach on employees, the charge alleges. [The National Law Review] and [Breach Delays USPS Financial Report]

US – White House Weighs Drone Integration and Privacy

The next few weeks may determine how drones will be integrated into U.S. airspace. The White House Office of Information and Regulatory Affairs is reviewing the Federal Aviation Administration’s (FAA) sUAS rule as well as privacy issues, while the FAA is set to publicly release its rules for drones weighing less than 55 pounds. The rules will include requiring operators to have licenses and limiting flights. The White House is also creating an executive order on privacy issues. Columnist Gregory McNeil writes, “If small drone businesses want to have a voice, they will need to work with experienced professionals individually or organize and hire someone to represent their views collectively.” [Forbes] See also: [US: Private drone market threatens our privacy]

US – PCLOB Budget Could Double Under Proposed Spending Bill

A proposed spending bill released on Tuesday could more than double the current budget of the Privacy and Civil Liberties Oversight Board (PCLOB). The PCLOB has been busy during the last year, examining various U.S. intelligence surveillance programs to determine whether they are legal and have proper oversight. Under the proposed bill, the PCLOB budget would increase from $3.1 million to $7.5 million next year. The additional funding “will enable the PCLOB to pursue its mission without delay,” Senate Democrats said in a summary of the bill. [The Hill]

US – Groups Allege Candy Contest Violated COPPA, Ask FTC to Investigate

Earlier this year, the company behind popular candy Ring Pop, Topps Company, ran a contest called #RockThatRock, inviting users to post photos on Facebook, Twitter and Instagram of themselves wearing the candy ring and using the hashtag. The winning photos were featured by a pop-rock band popular with preteens and teens. Some of the photos posted on the brand’s Facebook and Twitter pages used contestants’ social media names and some showed teenage girls—and younger—in provocative poses. Now, 10 advocacy groups have asked the FTC to investigate Topps Company, alleging it violated COPPA by using names and pictures of children under 13. [The New York Times]

US – CA’s First “Revenge Porn” Conviction

A man has been sentenced to one year in jail for violating California’s newly enacted “revenge porn” law. Noe Iniguez, after breaking up with his girlfriend, posted topless photos of her on her employer’s Facebook page in an attempt to get her fired. Previously, such actions were outside the reach of the law, but now they are a misdemeanor crime. “We are breaking ground in California on an issue that is affecting people around the country,” said California AG Kamala Harris. Prof. Mary Ann Franks notes the law still needs tweaking, explaining, “it requires that the victim demonstrate that she suffered serious emotional distress, which is unnecessary, burdensome and potentially requires the victim to expose even more of her private life to the public eye.” [Los Angeles Times]

US – VPPA Case Dismissed

A potential class-action lawsuit against ESPN for allegedly violating the Video Privacy Protection Act (VPPA) has been dismissed by a federal judge. U.S. District Court Judge Thomas Zilly said the court papers did not contain enough facts to back up claims the company disclosed a plaintiff’s name to a third party without his consent. Zilly said the transmission of “anonymous” data—in this case, the serial number of plaintiff’s Roku device—to Adobe for data analytics is not a violation of the VPPA. Zilly added, “Even if Adobe does ‘possess a wealth of information’ about individual consumers, it is speculative to state that it can, and does, identify specific persons as having watched or requested specific video materials.” [MediaPost]

US – PwC Releases Report on CMO’s Role in Privacy

PricewaterhouseCoopers has released a report on the role chief marketing officers (CMOs) play in privacy. The report notes that, traditionally, privacy has not been on the radar of many CMOs, and asks whether CMOs are familiar with their organizations’ privacy policies. “Do you know who leads privacy aspects for your organization?” the report asks, adding, “Once that area was the sole realm of the chief privacy officer or the general counsel; now it’s time for CMOs to take a more active role in managing and protecting consumers’ data.” [Source]

US – Other Privacy News

Privacy Enhancing Technologies (PETs)

WW – Quantum Security for Passports and Credit Cards?

Researchers in The Netherlands are proposing what they believe will be a way “to make it impossible for criminals to forge passports, ID cards or credit cards.” University of Twente researchers led by Pepijn Pinkse have developed a way to authenticate documents “using principles derived from quantum physics,” the report states, noting each card is painted with “a thin white strip of nanoparticles” and when the card is issued “a laser fires tiny bundles of light into it, which bounce around like pinballs among the nanoparticles, creating a unique pattern that is all but impossible to copy.” The strip thus acts as a physical key: the verifier records the patterns it produces at issuance and later checks that the card still produces them. However, the report states, such cards “could still be stolen and used. That is why Pinkse envisions that the method will likely be used in combination with others, such as biometrics.” [CNBC] See also: [Change all of your passwords at once with Dashlane] and [Should we expect every messaging app to offer full privacy?]
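The issuance-then-verification shape described above (record a set of challenge/response patterns when the card is issued, later fire a fresh challenge and compare) is the same one used for any physically unclonable token, and an added example follows. It is not the Twente researchers' code: the nanoparticle strip is stood in for by a keyed pseudo-random function the verifier never holds, read-out noise is simulated by flipping a few bits, and the mismatch threshold and response length are assumptions. The quantum part of the real scheme (a challenge carrying too few photons for an attacker to measure) has no classical analogue and is not modelled here; what the example does show is why each challenge must be used once and why a noisy but genuine response must still be accepted.

```python
"""Challenge-response authentication of a noisy physical token (simulation).

Enrolment: the issuer fires N random challenges at the token and stores the
responses. Verification: the verifier spends one stored challenge, reads the
token's response, and accepts if the Hamming distance is within a noise budget.
Challenges are never reused, even after a failed attempt, so an attacker who
can query the verifier learns nothing about responses still in stock.
"""
import hashlib
import hmac
import random
from typing import Callable, Dict, List, Tuple

RESPONSE_BITS = 256   # assumed pattern size
MAX_MISMATCH = 25     # assumed noise budget (~10% of bits); random guesses sit near 128


class SimulatedToken:
    """Stands in for the nanoparticle strip. The secret is internal to the
    physical object; the verifier never sees it, only responses to challenges."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, challenge: bytes, noise_bits: int = 0,
                rng: random.Random = None) -> int:
        bits = int.from_bytes(hmac.new(self._secret, challenge, hashlib.sha256).digest(), "big")
        rng = rng or random.Random(0)
        for pos in rng.sample(range(RESPONSE_BITS), noise_bits):  # simulated read-out noise
            bits ^= 1 << pos
        return bits


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


class Verifier:
    def __init__(self) -> None:
        self._crps: Dict[str, List[Tuple[bytes, int]]] = {}

    def enrol(self, card_id: str, token: SimulatedToken, n: int, rng: random.Random) -> None:
        """Issuance: record n challenge/response pairs from the genuine token."""
        pairs = []
        for _ in range(n):
            challenge = rng.getrandbits(128).to_bytes(16, "big")
            pairs.append((challenge, token.respond(challenge)))
        self._crps[card_id] = pairs

    def remaining(self, card_id: str) -> int:
        return len(self._crps.get(card_id, []))

    def verify(self, card_id: str, read: Callable[[bytes], int]) -> bool:
        """Spend one challenge on whatever is presented; accept within the noise budget."""
        stock = self._crps.get(card_id)
        if not stock:
            return False              # out of one-time challenges: re-enrolment needed
        challenge, expected = stock.pop()
        return hamming(read(challenge), expected) <= MAX_MISMATCH


if __name__ == "__main__":
    genuine = SimulatedToken(b"constructed secret of card A")
    forgery = SimulatedToken(b"constructed secret of a forged card")
    v = Verifier()
    v.enrol("card-A", genuine, n=3, rng=random.Random(1))
    print("genuine, noisy read:", v.verify("card-A", lambda c: genuine.respond(c, noise_bits=10)))
    print("forgery:            ", v.verify("card-A", lambda c: forgery.respond(c)))
    print("challenges left:    ", v.remaining("card-A"))
```

The stored pairs are the verifier's secret material and deserve the same protection as a password database: anyone holding them can answer the stored challenges without the card, which is the classical weakness the quantum variant is designed to remove.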


CA – 60% of Canadian Businesses Don’t Have a Security Strategy: Report

According to new research from Cisco, Canadian businesses are not equipped to respond to security threats within their networks. The study, which combines the views of Canadian businesses and consumers about security at work, also found there are discrepancies between the preparedness of large and small businesses. [canadiansecuritymag.com] See also: [Canadian firms seeing fewer data breaches – why that could actually be bad]

US – Cybersecurity Guidance Predicted to Include Coverage for Third Parties

It now seems likely new cybersecurity guidance expected from federal banking regulators in 2015 will include recommendations for investments in cyber-insurance. The December 10 New York State Department of Financial Services notice to New York banking institutions on expanded IT examination procedures specifically notes state banking regulators expect to see policies related to cybersecurity insurance for not only the bank but also any third parties with which the bank works. That move could foreshadow federal expectations for banking institutions by the Federal Financial Institutions Examination Council, the report states. [BankInfoSecurity] and [A Boost for Cybersecurity Policy Analysis: $45 Million in Grants to Support 3 Universities’ Initiatives]

US – Another Large Retail Breach; Another Push for Cyber-Threat Sharing Bill

Thieves have stolen credit and debit card data from Bebe Stores, Inc., a nationwide chain of women’s clothing stores. While officials for Bebe have not responded to requests for comment, various banks have reported a pattern of fraudulent charges on customer credit cards that had all been used previously at a Bebe store. Meanwhile, major retail and financial industries came together to press Congress to pass legislation that would allow industry to exchange cyber-threat information with the government. [KrebsOnSecurity]

WW – Credit Cards, Healthcare Data on Hackers’ Hit List For 2015: Experian

It seems like there were headlines highlighting yet another data breach almost every week in 2014. Bad news for sure, and what’s worse is that we haven’t heard the last of them yet. So what’s in store for data breaches in 2015? Turns out cybercriminals will still be after credit card data – but that’s no surprise, given criminals always look for the ultimate payload, which is usually financial data they can use to their advantage. Yet what’s also striking is that they’ll be eyeing healthcare data as well, according to Experian, a global information services group providing consulting services in finance, security, and regulatory compliance. [Source]

US – Privacy Issues Stall Newborn Screening Bill

A bill that would support newborn screening nationwide has stalled in Congress because some Republican senators have privacy concerns about genetic research funded by the legislation. The senators won’t comment individually, but the Senate Steering Committee has indicated it wants a provision added to the bill to require parental consent before genetic research and genomic sequencing could be done on a child’s newborn screening sample.[Milwaukee Journal Sentinel]


US – ISP Sues Gov’t Over Gag Order

A small Internet provider is challenging the Justice Department over a 10-year-old gag order served by the FBI with a demand for the company’s customer records. The now-defunct Calyx Internet Access first sued the FBI in 2004 after being served a warrantless National Security Letter. In a lawsuit filed on Thursday, Calyx Founder Nicholas Merrill, who now runs the Calyx Institute, argued the U.S. government, in placing a permanent gag order on a case that is now closed, has violated his First Amendment rights. “It’s really long past due that we have an open and public discussion about how warrantless searches are being used against Americans,” Merrill said. [The Washington Post] Meanwhile, a 2006 memo released recently indicates former President George W. Bush’s administration told a secret court it was justified in spying on communications without warrants to prevent terror attacks, and new reports indicate UK Government Communications Headquarters hacked Belgium’s largest telecommunications provider, Belgacom. See also: [Canadian Telcos Want to Build Surveillance-Ready Networks] and [UK Lawyers’ bid to protect client talks from spies] and [The unstoppable rise of the global surveillance profiteers]

US – Senator Argues Against Back Doors for Government

Noting that a back door placed in software and electronic communication devices to allow government access is also a back door that could be exploited by entities with malicious intent, US Senator Ron Wyden (D-Oregon) has proposed legislation that would prohibit government agencies from requiring back doors in digital products. [The Register] [Wyden’s Op/Ed in LA Times]

US – CA Sheriff Could Have State’s First Authorized Drones

Alameda County Sheriff Gregory Ahern formally announced Wednesday that the county has acquired two drones. With Federal Aviation Administration approval, which could come next year, it could “become the first law enforcement agency in California to deploy an authorized drone,” the report states. County citizens had “vociferously” opposed the agency’s proposed acquisition of the technology. “The reason for specifically acquiring this is search and rescue,” Ahern said. A representative from the Electronic Frontier Foundation, however, said, “The sheriff has done nothing to address the concerns expressed by the community at the February 2013 hearing.” The sheriff’s office has released a new draft order, but privacy advocates worry the language in the draft lacks substantial privacy safeguards. [Ars Technica] see also: [India: Police Drones To Patrol Delhi Streets After Alleged Uber Rape]

EU – BND Says it Can Spy on Citizens if They Work for Foreign Entity

German intelligence agency BND claims it has the authority to spy on German citizens if those citizens work for a foreign organization. German law forbids intelligence agencies in that country to spy on German citizens, but BND claims a loophole in this case for communications attributed to the foreign employer. [Ars Technica]

WW – Using Surveillance to End the Impunity of Oppressors

The words “hidden camera” raise privacy red flags immediately, but for Oren Yakobovich, head of the human rights organization Videre, privacy concerns take a back seat to exposing the atrocities of oppressive regimes. Arming activists with micro-cameras, Yakobovich “uncovers, verifies and publicizes human-rights abuses that the world needs to witness.” In his recently released TED Talk from a conference in Rio, he outlines how he came to a life of turning the idea of surveillance on its head. [YouTube] See also: [Automakers Working To Gain Consumer Trust on Smart Cars] and [Car Insurers Promise Discounts If Big Brother Watches You]

Telecom / TV

WW – Blackphone to Open Privacy-Focused App Store

Makers of the anti-surveillance Blackphone are set to unveil a privacy-focused app store and the ability to run separate operations for private and pseudonymous accounts and applications. The new app store will be released in January and will feature apps approved by Blackphone. Plus, the privacy-focused smartphone will roll out a new feature, called Spaces, in the phone’s operating system that allows for separate and varying levels of privacy and security. “The addition of Spaces and the Blackphone app store is the most significant update to PrivatOS since its inception,” Blackphone CEO Toby Weir-Jones said. “We are delighted to have developed the Silent Space, alongside Graphite Software, who share our core values of privacy and security.” [GigaOM]

US – Law Firm Faces Class-Action for Text Message Violations

A law firm is facing a putative class-action lawsuit for allegedly violating the Telephone Consumer Protection Act. Pullin Law Firm allegedly sent text messages to an unknown number of users to generate business. The case could be a signal to law firms to avoid such marketing tactics. According to the complaint, “In a misguided effort to offer legal services to financially vulnerable consumers, Defendant engaged in an invasive and unlawful form of marketing: the unauthorized transmission of advertisements in the form of ‘text message’ calls to the cellular telephones of consumers throughout the country.” The suit seeks a minimum of $500 per violation. [Law360]

US Government Programs

US – NSA Surveillance Practices Create Trade Barrier

Paul Nemitz, a director in the European Commission’s Justice Department who is tasked with leading the overhaul of the EU data protection law, has said the law allowing the U.S. National Security Agency’s surveillance practices “is a real trade barrier to a European digital company to provide services to Americans inside America.” Nemitz’s concern is that “U.S. citizens are deterred from using European email providers because they do not get the same protection as they would by using U.S. providers.” Meanwhile, a Council of Europe report states, “Unless the U.S.A. improves compliance with international human rights standards in its activities that affect the Internet and global communication systems, the movement towards such a truncated Internet will be difficult to stop.” [Reuters] See also: [US: Congress Passes Bill Giving Police Unlimited Access to Citizens’ Private Communications]

US – DoJ Creates Unit to Fight Cybercrime

U.S. Assistant Attorney General Leslie Caldwell has announced the Department of Justice is creating a dedicated cybersecurity unit within the department’s Computer Crime and Intellectual Property Section. The unit was formed in response to significant crimes like the “cyberheist campaign last year (that) caused $45 million in losses in a matter of hours,” the report states. “Prosecutors from the Cybersecurity Unit will provide a central hub for expert advice and legal guidance regarding the criminal electronic statutes for both U.S. and international law enforcement conducting complex cyber investigations to ensure that the powerful law enforcement tools are effectively used to bring the perpetrators to justice while also protecting the privacy of everyday Americans,” said Caldwell. [eSecurity Planet]

US Legislation

US – FISMA Now Awaits President’s Signature

A cybersecurity bill that will change the way federal agencies respond to and manage data breaches has now passed both houses of Congress and awaits President Barack Obama’s signature. The House of Representatives approved the Federal Information Security Modernization Act (FISMA) a day after the Senate did the same. FISMA authorizes the Office of Management and Budget to set federal information security policies and requires the Department of Homeland Security to help implement the policies. Senate Homeland Security and Governmental Affairs Committee Chairman Tom Carper (D-DE) said, “This bill will modernize our outdated federal network security laws, provide the tools and authorities needed to improve security at our federal agencies and increase transparency and accountability for data breaches at federal agencies.” [The Hill] [Senate Approves Bill To Help Federal Agencies Avoid Data Breaches]

US – Outlook for State Data Security Laws: More than Breach Notification

Forty-seven states have breach notification laws on the books, at least 31 have data destruction or disposal laws, 12 have imposed broad data security requirements and a few more have more granular laws. “Is data security legislation coming to a state near you?” Delving into New York’s proposed A 10190, the team suggests “the bill may be a harbinger of legislation to come, with potentially significant implications for corporate security and compliance resources and budgets.” [Hogan Lovells for Privacy Tracker]

US – Legislative News Roundup

Workplace Privacy

WW – Employers’ Use of IoT: The New Panopticon?

Employers are increasingly using Internet of Things (IoT) technology to monitor and measure employee productivity and movements, but the University of Illinois’ Jerome McDonough suggests the technology allows for “a new form of panopticon for employees,” calling the trend “very troubling.” Courts have traditionally granted broad rights to record employees while at work, but the growing use of IoT gives unprecedented surveillance capabilities to employers. “The law is very slow to react,” said University of Denver Prof. Corey Ciocchetti, who predicts “it’s only getting worse for employees.” [San Jose Mercury News] See also: [NZ: Credit union admits privacy breach: The head of a credit union in Napier has admitted the company breached the privacy of a former employee by taking a private Facebook image and distributing it to employment agencies.]

US – Background Check Practices Prompt Lawsuit, Questions

A putative class-action filed in a New Jersey federal court alleges Michaels Stores violates state and federal consumer protection laws by burying disclosures alerting job applicants the company will procure background checks on them during the application process. A woman filed the suit last week claiming Michaels only tells prospective employees it will obtain background checks by a disclosure at the end of its written and online job applications, the report states. Meanwhile, the strength of car service Uber’s background checks on drivers has come into question. [Law360]

US – How Much Access to PII Do Your Employees Have?

In response to several stories during the last year about employee access to intimate details they shouldn’t have—from the NSA employees using “surveillance to collect data on love interests” to an Uber employee tracking a reporter’s location—BuzzFeed asked 29 tech companies, including social networks, fitness trackers and dating sites, 10 questions about their internal privacy policies for accessing user data. Of those questioned, “only 13 responded,” the report states, and of the 10 that provided comment, responses ranged from serious to “boilerplate” commentary. “All told, the collective responses offer a complex and, in many cases, unsettling survey of the current data privacy landscape.” [Buzzfeed]
