16-31 December 2014


WW – Hacker Clones Politician’s Fingerprint from Photos

Chaos Computer Club’s Jan Krissler said he successfully replicated the fingerprint of a German politician by using commercial software and several photos taken during a press conference. Krissler said, “politicians will presumably wear gloves when talking in public.” Prof. Alan Woodward noted, “Biometrics that rely on static information like face recognition or fingerprints—it’s not trivial to forge them, but most people have accepted that they are not a great form of security because they can be faked,” adding, “People are starting to look for things where the biometric is alive—vein recognition in fingers, gait analysis—they are also biometrics, but they are chosen because the person has to be in possession of them and exhibiting them in real life.” [BBC News] [Hacker claims you can steal fingerprints with only a camera]


CA – Most Canadians Trust Government to Protect Their Privacy: Poll

According to a survey by Environics Institute and the Ottawa-based Institute on Governance (IOG), most Canadians are reasonably confident the federal government is protecting the personal information it collects about them, and support the idea of sharing that data between departments to improve service. And they accept government surveillance on Canadians for national security as “important” — unless it applies to them. That’s when the majority feel government snooping on their phone records and Internet activity would be a violation of privacy. The survey found 9% of those asked strongly agreed with the notion that the government is “adequately” protecting the personal information it gathers when they fill out their taxes, apply for a passport, cross a border or apply for employment insurance. 48% “somewhat” agreed; 31% aren’t very confident and 12% say they aren’t at all confident that their privacy is protected. [National Post] see also [Schneier: Over 700 Million People Taking Steps to Avoid NSA Surveillance]

CA – Canada: $7,500 In Damages Awarded for Intrusion Upon Seclusion

In McIntosh v Legal Aid Ontario, Superior Court Justice Cornell awarded the plaintiff damages of $7,500 after finding a breach under the relatively new tort of intrusion upon seclusion. This tort was first recognized in Ontario in Jones v. Tsige, 2012 ONCA 32 (CanLII), in which the Court of Appeal for Ontario allowed a civil action for damages for the invasion of personal privacy in Ontario and awarded the plaintiff $10,000 in damages. [Lexology]

CA – Ontario Liberals Paid $10,000 to Have Gas Plant Data Erased: OPP

IT consultant Peter Faist, who is the spouse of former Ontario premier Dalton McGuinty’s deputy chief of staff, was paid $10,000 by the Liberal caucus to wipe data off approximately 20 government computers, police claim. The allegation, unproven in court, comes from an Ontario Provincial Police Information to Obtain document released by the Ontario Superior Court on Thursday. The document was used to get a search warrant, which was executed at a government office in late November. The data Faist is said to have deleted relates to the cancellation of two gas plants in the Toronto area prior to an election campaign. Police suspect the data were internal email conversations regarding the cancellation of the gas plants. David Livingston, McGuinty’s chief of staff, is accused of ordering the deletion of the emails. [CBC News]

CA – Canada Revenue Agency Destroys Staffers’ Texts

The Canada Revenue Agency has destroyed all text message records of its employees and has disabled logging of these messages in the future. Emails, released through access to information legislation, reveal that Shared Services Canada, the federal organization responsible for information technology services, destroyed the records in the middle of a business day in August. The Canada Revenue Agency has confirmed that it instructed the organization to destroy those records and also no longer log the instant messages, including PINs, BBMs and regular texts, going forward. “Since SMS and BBM messaging are non-secure, transitory methods of communication are used only for routine and nonbusiness related purposes; there is no requirement to maintain the transitory information,” said Philippe Brideau, a CRA spokesman. [Toronto Star]

CA – Alberta Amends PIPA to Address Concerns Between Freedom of Expression and Privacy

Alberta’s amendments to the Personal Information Protection Act have narrowly addressed the Supreme Court of Canada’s concerns about the appropriate balance between freedom of expression and rights to privacy, leaving a number of larger questions to another day. [Lexology] SEE ALSO Michael Geist offers an alphabet of Canadian tech policy in this report.

CA – RCMP Broke Privacy Laws by Sharing Medical Histories of Officers: Report

The RCMP committed a “serious privacy breach” and broke federal privacy laws when it shared sensitive medical information about five of its officers while throwing accusations at their psychologist, according to a privacy commissioner’s report written last month. The five Mounties went to the Office of the Privacy Commissioner of Canada two years ago, after discovering the RCMP had submitted portions of their personal medical histories to the College of Psychologists of B.C. [National Post]

CA – Ontario Fails to Track Complaints Against Crown Attorneys

Ontario’s Ministry of the Attorney General has no idea how many complaints have been lodged against its nearly one thousand prosecutors from across the province, or how many have been disciplined for misconduct in recent years. The lack of organized, accountable oversight, legal observers say, marks a “failure” by the government to properly scrutinize complaints against its Crown attorneys: public servants responsible for making important decisions such as who to prosecute for crimes and recommending sentences for those found guilty. [Mississauga News]

CA – Future Saskatchewan Licences to Prevent Fraud

SGI is looking to add facial recognition services to its future driver licences and identification cards to help prevent fraud. With SGI’s current five-year contract for driver’s licence and identification card production expiring in 2016, SGI is asking vendors to offer their proposals for a contract by Feb. 13, 2015. “In addition to proposals for regular driver’s license production services, we’re also asking for proposals for facial recognition services,” said Kelley Brinkworth, manager of media relations for SGI communications. [Moose Jaw Times Herald]

CA – Ontario Privacy Commissioner Slams Hospital’s Lax Privacy Controls

More than a year after discovering a massive privacy breach, Rouge Valley Hospital still has no way of finding out whether any confidential patient records have been inappropriately accessed, Ontario’s privacy watchdog revealed. An investigation by the privacy commissioner found the hospital’s computer system preserves only two weeks of user history. It was only after one careless employee admitted to stealing records and another left patient information in a printer that the privacy breaches were discovered. Privacy Commissioner Brian Beamish ordered Rouge Valley to overhaul its system so that all access to patient files can be tracked. He also ordered the hospital to improve confidentiality training and privacy breach management procedures. He has given the hospital until Sept. 16, 2015, to comply, but declined to name the people or financial institution involved in the breach. This summer, Rouge Valley revealed that two employees had accessed the records of more than 14,000 mothers who gave birth there between 2009 and 2013, so as to sell them Registered Education Savings Plans (RESPs). [Toronto Star]


WW – UN Approves Privacy Resolution in Major Victory for Human Rights

The UN General Assembly formally approved a major resolution on the right to privacy, by consensus. The resolution spotlights the privacy violations that are enabled by advances in technology, overbearing government surveillance, and corporate complicity. As communications have gone global, so too must privacy protections. Privacy rights limited by national borders are increasingly meaningless. As detailed in November, this resolution contains strong language that definitively places mass surveillance under international human rights law. The Human Rights Council has a chance in March to follow through and create a permanent mechanism to safeguard the right to privacy at an international level. The resolution calls for a permanent office on the right to privacy. For that to happen, though, the Human Rights Council in Geneva will have to take action in March by creating a new “special rapporteur” on the right to privacy. If so, in 2015, the world will have its first independent authority examining and promoting the right to privacy with the power to admonish governments for violations. [AccessNow]

WW – The Privacy and Security Winner and Loser Was the User in 2014

In last year’s “unofficial contest to determine computer security and privacy winners and losers,” the award goes to “you, the user,” Kim Zetter writes, with “a host of new products and services … to help protect the privacy and security of your data and communications” and court rulings providing “better protection against the warrantless seizure of your data.” But, the user was also the loser, Zetter notes, with reports suggesting spy agencies across the globe “will not rest until they’ve seized or deciphered every bit of your data.” Zetter lists privacy and security’s other winners and losers: Apple, WhatsApp, the Florida Supreme Court, U.S. Supreme Court, Yahoo and Google Project won, while Sony, President Barack Obama, the U.S. Marshals, Verizon and Gamma International lost. [WIRED]

US – Pew Research Reports on the Future of Privacy

The Pew Research Internet Project has released a new study on the future of privacy. The survey interviewed more than 2,500 experts in conjunction with Elon University’s Imagining the Internet Center and found a split in what respondents think 2025 will look like. For example, 45% said there would likely be “a secure, popularly accepted and trusted privacy-rights infrastructure by 2025,” while the remaining 55% said there are not enough incentives for governments or industry to create such an infrastructure. Stanford University Prof. Paul Saffo said, “Privacy has already shifted from being a right to a good that is purchased.” [Pew Research] and [Experts believe digital privacy may be entirely gone by 2025] and [US: Data privacy important to farmers, study shows]


US – Possible Breach Affects Files of 40,000 Federal Workers

The data of more than 40,000 federal employees may have been compromised in a cyberattack on federal contractor KeyPoint Government Solutions. The Office of Personnel Management (OPM) has started notifying affected workers and will offer free credit monitoring. KeyPoint specializes in background screening and investigations of federal workers and is the second such company to be breached this year. A representative for the OPM said officials concluded an investigation into the incident, finding “no conclusive evidence to confirm sensitive information was removed from the system” and that “Keypoint has worked closely with OPM to implement additional security controls.” [Associated Press]


US – Mediation Attempt in Yahoo Case Fails

U.S. District Court Judge Lucy Koh received this week a status report saying a class-action lawsuit between web users and Yahoo could not be resolved through out-of-court mediation. The plaintiffs argue that Yahoo “violates the federal Electronic Communications Privacy Act by intercepting emails and scanning them for keywords.” Koh rejected Yahoo’s bid to get the lawsuit dismissed earlier this year, but has yet to rule on whether the case can move forward as a class-action. [MediaPost]

EU – Ireland Chimes in on Microsoft Data Privacy Case

Ireland has filed a friend-of-the-court brief in support of Microsoft’s refusal to provide the US government with customer email held on a server in Ireland. The document asks the US to respect Ireland’s sovereignty. Microsoft maintains that the US’s Electronic Communications Privacy Act (ECPA) stored communications provisions are not applicable outside US borders. The data pertain to a criminal case in the US. [CNET] [Why Microsoft, Apple, Fox News and NPR Are Suddenly Working Together] [Tech Giants Rally Around Microsoft to Protect Your Data Overseas]


US – Snowden Leak Shows Which Encryption Agencies Can’t Crack

The latest leak from Edward Snowden details how the U.S. National Security Agency (NSA) and the UK GCHQ have undertaken efforts to “crack all types of encrypted Internet communication.” The leaks did reveal which encrypted services the NSA could not break, including Tor, Truecrypt and PGP. [Der Spiegel]

WW – Google Plans to Warn Chrome Users on All HTTP Connections

Google plans to flag all HTTP traffic as insecure in its Chrome browser. Chrome users will see alerts when they attempt to visit HTTP sites. Google plans to implement the change in 2015. [The Register] [BBC] [eWeek]

EU Developments

EU – Commission Releases 2015 Agenda; Privacy Bridges Project to Release Consensus Report

The European Commission made public its work agenda for 2015. High on the list is the ongoing effort to break down national barriers to create a digital single market. The commission aims to keep pushing for new telecom legislation including provisions on net neutrality, new data protection rules and a long-term digital strategy for the years ahead, among other goals. Meanwhile, the University of Amsterdam and the Massachusetts Institute of Technology have issued a press release about two recent meetings of the EU-U.S. Privacy Bridges Project—a group of EU and U.S. privacy experts aiming to bridge the gap between EU and U.S. privacy regimes—in Washington, DC. The group will release a report in 2015. [PCWorld]

EU – Gov’t Leaders Push for Passenger Name Record Legislation

European Union governments are pushing EU lawmakers to end their opposition to proposals that would make it easier to track airline passengers. UK Prime Minister David Cameron said the stalemate is putting lives at risk. Talks on the passenger name record legislation, which would force airline carriers to give EU countries information about passengers entering or leaving the EU, have been deadlocked since its introduction in 2011. MEPs who oppose the legislation say it undermines data privacy. But Cameron said at a recent summit of EU leaders that lawmakers shouldn’t prevent a mechanism that could keep innocent people from being killed. [Bloomberg]

UK – UK Gov’t Seeks to Water Down Meaning of ‘Consent’

The UK government has raised objections to current EU proposals that would require businesses seeking to rely on ‘consent’ as the lawful basis for processing personal data to ensure that that consent has been unambiguously given “for one or more specific purposes”. It said those proposals are “unjustified” and called on EU lawmakers to instead turn to the definition of consent under existing EU data protection rules for setting the legal standard businesses would need to achieve for consent under the draft new General Data Protection Regulation. Under the 1995 Data Protection Directive, set to be replaced by the Regulation, individuals’ consent is defined as “any freely given specific and informed indication of … wishes by which the data subject signifies his agreement to personal data relating to him being processed”. However, organisations wishing to rely on individuals’ consent to process their data are obliged to ensure that “the data subject has unambiguously given his consent”. The UK government is arguing for this requirement to be removed. Its concerns are detailed in a Council of Ministers (Council) document published by information law business Amberhawk Training. [Out-Law.com]

EU – The Dutch Government Has Published New Draft Bill Implementing EU Data Retention Regulations

The Dutch government has published its draft concept adapting the regulations on the retention of online data and is calling on all interested parties to send in comments. The proposal amends the Telecommunications Act and the Code of Criminal Procedure, in response to an earlier ruling by the European Union’s Court of Justice. The ruling said the Dutch telecom data retention law was invalid. Despite calls from the opposition to scrap the data retention law, the government said the law is essential for the investigation and prosecution of serious criminal offenses and must therefore be sharpened. The latest proposal presents more stringent time limits for storing telephony data. Data will have to be kept for 12 months or even longer in the case of a serious offense carrying a sentence of at least 8 years. For crimes with a sentence of less than 8 years, data will have to be retained for 6 months instead of the current twelve. The retention law will be further restricted to data that is strictly required by the government for the investigation and prosecution of serious crimes. In addition, the data will have to be stored exclusively on EU territory. Access to data will in the future have to go through a judge, which is not currently the case. [Telecompaper]

EU – Funding for Irish DPA Doubled

Funding for Ireland’s Office of the Data Protection Commissioner has doubled. The office will now receive a total of 3.65 million euros, up from 1.89 million euros in 2014. Minister of State for Data Protection Dara Murphy said the funding exemplifies the government’s willingness to protect personal data, “irrespective of the nationality of the individuals concerned.” Murphy added, “Organizations in both the public and private sectors, including government departments, state bodies, multinationals and SMEs all need to be mindful of their obligations when dealing with data entrusted to them by citizens.” [Irish Times]


CN – Gmail Blocked in China

China is reportedly blocking access to Gmail inside the country. China began blocking various Google services in 2009 and started blocking Gmail access earlier this year. Users have been seeking third party email clients to access their accounts, and now those have been blocked as well. The only way to access Gmail in China now is through virtual private networks (VPNs). [CS Monitor] [ZDNet] [Ars Technica] [NYTimes] [GreatFire] SEE ALSO [Hacked emails reveal China’s elaborate and absurd internet propaganda machine]


US – FTC Charges Data Broker; Warns Children’s App Maker

The U.S. FTC has charged a data broker with selling “the sensitive personal information of hundreds of thousands of consumers … to scammers who allegedly debited millions from their accounts.” The FTC complaint says data broker LeapLab purchased payday loan applications of financially disadvantaged consumers “and then sold that information to marketers whom it knew had no legitimate need for it,” the FTC press release states. FTC Bureau of Consumer Protection Director Jessica Rich said, “Defendants like those in this case harm consumers twice: first by facilitating the theft of their money and second by undermining consumers’ confidence about providing their personal information to legitimate lenders.” Meanwhile, the FTC has sent a warning letter to a China-based developer that makes the children’s app BabyBus, alleging the app collects geolocation information without parental consent and that such actions could violate the Children’s Online Privacy Protection Act. [Source] SEE ALSO: [Hong Kong: Privacy czar hits leaky holiday agency app]


AU – Watchdog Exposes Tricks Public Servants Use to Avoid Sharing Information With the Public

A government watchdog has exposed some of the techniques federal public servants use to wrongfully prevent citizens from accessing their own records. The Information Commissioner’s investigation of the bureaucracy’s biggest workplace, the Department of Human Services, revealed an organisation obsessed with process, that preferred legalese to plain English and had increasingly lost sight of its duty to share information. In one Kafkaesque case, freedom of information officers told a man that recordings of his own voice breached his ex-partner’s privacy because he had mentioned her. Rather than give him the readily available recordings of his phone calls to the Child Support Agency, the FOI team proposed spending weeks of staff time going through each call and censoring the moments he spoke about his ex-partner. Another FOI applicant had asked for a copy of an “actual conversation” he had with department staff. The department refused his request, saying it had no audio recording of the phone call. But it did not tell him it had a written record of it. The report also cited an applicant who wanted details of a call an official had made to another organisation, within a specific date range, that “apparently infers that I was attempting to extort money”. The department denied that request, too, saying there was no document that mentioned “extortion”, even though it had a similar record that matched the request. The commissioner, Professor John McMillan, began investigating the department, which includes Centrelink and Medicare, after noticing a huge increase in the number of times it invoked its “practical refusal” power. Under FOI law, government agencies can knock back requests for documents if processing them would “unreasonably” waste time and resources. However, the department used this power 777 times last financial year, a more than twentyfold increase from two years earlier. Professor McMillan said he had also received many complaints about a change in the department’s culture. [Canberra Times]

JP – Site Aims to Allow Whistleblowing Without Retribution

A Japanese Internet activist and academic is challenging a new state-secrets law by setting up a website aimed at making it easier for government officials to leak sensitive information to the media without getting caught. The website, which has now been unveiled, uses an open-source platform called GlobaLeaks. “I want to create a secure channel that people can use to transfer information without putting themselves in jeopardy,” said creator Masayuki Hatta. The site responds to a state-secrets law that went into effect last week and establishes prison terms of up to 10 years for public servants or others who leak state secrets. Reporters Without Borders called the law “an unprecedented threat to freedom of information.” [Reuters] [Right to privacy still tentative in Japan] SEE ALSO: [MB: Ombudsman prods city on HQ]

US – NSA Releases 12 Years’ Worth of Internal Reports

On December 24, the US National Security Agency (NSA) made public 12 years’ worth of internal reports for the President’s Intelligence Oversight Board. The reports indicate that the NSA conducted illegal surveillance with mild or no consequences. The reports, which are heavily redacted, were released in response to a Freedom of Information Act (FOIA) lawsuit brought by the ACLU. [Ars Technica] [The Register]


UK – Foreign Criminals’ Data Taken Off Police Records

Biometrics commissioner warns privacy laws meant to protect the innocent could also guard those committing offences abroad: Thousands of foreign criminals who have been convicted of offences outside England and Wales have had their DNA profiles and fingerprint details deleted from British police databases, a Home Office watchdog has revealed. Alastair MacGregor QC, the biometrics commissioner, has warned the Home Office that this “obviously unsatisfactory state of affairs” might be putting the public at unnecessary risk. The commissioner says there is a gap in the law as a result of new rules designed to remove DNA profiles and fingerprints of innocent people from the police national computer. He says this gap means the biometric details of those arrested but not charged with an offence in Britain cannot be held indefinitely solely because they have been convicted of an offence outside England and Wales. “If the police wish to retain the biometric records of such individuals and have no other basis for doing so, they have no option but to go back to those individuals and (re-arresting them) to take further samples and fingerprints from them,” said the commissioner, voicing concern about the burden this places on forces. MacGregor says re-arresting and re-sampling a suspect following his conviction outside England and Wales could prove a greater invasion of their privacy than simply holding onto the DNA and fingerprint samples already taken from them. The commissioner also says rules that restrict the holding of DNA and fingerprint details of foreign-national criminals on the police national computer have severely limited the practical use of the powers for British police forces. [The Guardian]

Health / Medical

US – Better Communication Can Mitigate Patient Privacy Concerns: Research

Research reveals that patient privacy concerns could be alleviated by improved communication between individuals and the primary care physician. The survey, conducted by Xerox, found that data security remains a top concern; nearly 35% did not use a portal to interact with their electronic health records. “With providers facing regulatory changes, mounting costs, and patients who increasingly seek access to more information, our survey points to an opportunity to address issues by simply opening dialogue with patients about patient portals,” said Xerox Commercial Healthcare Chief Innovation Officer Tamara St. Claire, adding, “Educating patients will empower them to participate more fully in their own care while helping providers demonstrate that electronic health records are being used in a meaningful way.” [Health IT Security]

US – Consumer Watchdog Tells Insurance Customers to Boycott Medical Database

Consumer Watchdog is calling on customers of Anthem and Blue Shield to boycott a new healthcare database. Backed by $80 million from the two insurance companies, the California Integrated Data Exchange, or Cal Index, would provide state hospitals and doctors with a one-stop database for patient medical records, but Consumer Watchdog argues the plan is being rushed ahead without considering privacy vulnerabilities. The insurers have already sent out nine million notices to customers advising them of their inclusion in the database unless they opt out. “We urge people to opt out because Anthem and Blue Shield have failed to notify consumers of everything they plan to do with their medical information,” said Consumer Watchdog’s Carmen Balber, adding the insurers “have jumped the gun.” [Los Angeles Times] [California Health Database Must Address Privacy, Consumer Group Says]

US – Many Patients Block Access to Electronic Records in Study

Nearly half of the patients who were allowed to choose whether or not to share their electronic records with physicians, nurses, or other clinic employees chose to block the access of some providers to all or a subset of their health information in a study conducted at an Indianapolis safety net clinic. In a companion article about provider reactions to patient control over access to information, the majority of physicians supported the principle of patient control of EHRs but expressed concern over the consequences for the quality of care and the physician–patient relationship. The two studies were part of a group of related papers published online and in a January supplement to the Journal of General Internal Medicine. The research was sponsored by the Office of the National Coordinator of Health IT and conducted by Indianapolis’ Regenstrief Institute. [MedScape] SEE ALSO: [High noon for federal health records program?] and [Neil Wilkinson, former chair of Capital Health, claimed $450,000 in honoraria]

US – Expanded Newborn Screening Raises Privacy Concerns

President Barack Obama is expected this week to sign into law a $100 million bill renewing federal funding for newborn screening. Involving a pinprick to a baby’s heel and a few drops of blood, newborn screening is intended to identify serious disorders within a few days of birth. But privacy advocates worry about the government collection and long-term storage of newborn DNA. The federal law, first authorized in 2008, now includes for the first time an amendment acknowledging privacy concerns over dried blood spots stored on cards and kept on file by state governments: For blood spots used in federally funded research, scientists must obtain a consent form signed by the parents. (The consent requirement will remain in place for up to two years, until the Department of Health and Human Services updates rules governing research on human subjects.) [WorldMag]

US – Insurance Company Sued for Mail-Order Policy for AIDS Drugs

A San Diego man and Consumer Watchdog have filed a lawsuit against Aetna alleging the insurer violates the privacy of individuals with HIV and AIDS by requiring them to get necessary medications through mail-order delivery. An Aetna spokeswoman said the policy is part of a strategy to keep health plans affordable. Consumer Watchdog Attorney Jerry Flanagan said, “Requiring health plans to offer coverage for patients with a preexisting condition means little if the insurer can charge these patients exorbitant co-insurance or only cover care through inconvenient and ineffective mail-order requirements that put the patients’ health and privacy at risk.” [Associated Press]

Horror Stories

US – The Latest in Breaches, and a Prediction for 2015

Chick-Fil-A has announced it is investigating a possible data breach after it “received reports of potential unusual activity involving payment cards used at a few of our restaurants,” stating also that the breach may be the common link in the loss of 9,000 sets of card details. A group of hackers associated with the activist group Anonymous has taken responsibility for hacking the online retailer Amazon, compromising customers’ user names, passwords and credit card information. Experian’s Second Annual Data Breach Industry Forecast estimates that healthcare data breaches will cost $5.6 billion in 2015. [Source] [Security in 2015: Will you care about the next big breach?] [Top hack attacks of 2014: Love, nudity and politics] [US: 10 recent data breaches]

WW – ICANN Reports November Hack

Unknown attackers hacked sensitive systems operated by the Internet Corporation for Assigned Names and Numbers (ICANN), which allowed them to take control of employee email accounts and access personal information of business contacts. ICANN said, in a release, the breach also gave attackers administrative access to files stored in its centralized zone data system and personal information of account holders who used the system. The breach occurred last month, ICANN says. The group controls the Internet’s domain name system and so is a prime target for hacking attacks that aim to get data that can be used to then breach other targets, the report states. [Ars Technica]

US – Federal, Health Cyber Attacks “Skyrocketing”

A review of cyberattacks against federal agencies during the past year concludes that the number of government system breaches is “skyrocketing.” FireEye’s Tony Cole said, “This is a global problem. We don’t have a malware problem. We have an adversary problem. There are people being paid to try to get into our systems 24/7.” Meanwhile, GovInfoSecurity profiles the biggest health data breaches in 2014, according to the latest federal tally, noting that security incidents involve a range of causes, including insider threats, missteps by business associates and hackers. Additionally, the National Credit Union Administration, itself a federal regulator, will review its data security policies following the loss of sensitive consumer data during an audit. [CNN] [Star investigation: 3 GTA hospitals don’t proactively audit access-to-patient files]

US – Class-Action: Kmart Breach Due to Brand’s Failure to Protect

A federal class action claims Kmart’s failure to protect customer information with “elementary” security measures left banks liable for the resulting fraud. First NBC Bank filed the class-action against Kmart Corp. and its parent, Sears Holding Corp., over an announcement hackers had breached Kmart’s payment data systems in September, the report states. First NBC Bank says the hack occurred because of Kmart’s outdated anti-virus system, which hadn’t been updated to detect the malware hackers used. Kmart has not disclosed how many were affected by the breach. [Courthouse News Service]

US – Staples Confirms Breach of 1.2 Million Credit Cards

Staples confirmed that hackers had compromised approximately 1.2 million customer credit cards. The confirmation by the company is an update on the breach that was originally announced in October. Cyber criminals, in this case, deployed malware to point-of-sale systems in 115 stores across the U.S. According to Staples’ investigation, criminals may have had access to “cardholder names, payment card numbers, expiration dates and card verification codes.” [US: Staples data breach unlikely to dampen holiday shopping] SEE ALSO: [130K users’ data leaked via China’s train ticketing site]

US – Customers Sue Target

In related news, a federal judge ruled that a consumer lawsuit against Target can proceed. U.S. District Court Judge Paul Magnuson wrote, “Plaintiffs’ allegations plausibly allege that they suffered injuries that are ‘fairly traceable’ to Target’s conduct.” Meanwhile, Boston Children’s Hospital agreed to pay $40,000 and strengthen its data security after a breach affected 2,100 patients. [USA Today]

Identity Issues

US – IOWA: Driver’s License App On a Smartphone Raises Privacy Issues

A smartphone app that drivers in Iowa will be able to use as an official driver’s license could lead to privacy abuses by law enforcement. In 2015, the Iowa Department of Transportation (DOT) plans to become the first to offer the apps to drivers for free, according to published reports. “The way things are going, we may be the first in the nation,” Iowa DOT Director Paul Trombino was quoted as saying in a report published in The Des Moines Register. The driver’s license app will be accepted by Iowa police during traffic stops and by airport security officers screening travelers, Trombino said. Thirty states already allow drivers to show proof of insurance via a smartphone app, so allowing them to also identify themselves as licensed drivers on a smartphone is a natural extension. However, handing police officers or security screeners your smartphone gives them access to a lot more than your license, according to Forrester analyst Heidi Shey. “The privacy concerns that have been brought up already about this are all worth considering. Putting a driver’s license on a smartphone app leaves the door open to privacy violations simply due to device access,” Shey said. For example, if a police officer pulls over a driver for a traffic violation, the officer typically takes the license and registration back to the patrol vehicle to process the information. While the U.S. Supreme Court ruled in Riley v. California that a warrant must first be obtained prior to searching the contents of a cell phone, that ruling could be thwarted by officers citing “probable cause” or “exigent circumstances.” “One well-recognized exception [to a warranted search] applies when ‘the exigencies of the situation’ make the needs of law enforcement so compelling that a warrantless search is objectively reasonable under the Fourth Amendment,” the Supreme Court wrote in its decision.
The Electronic Privacy Information Center, a research group in Washington, filed a brief as part of the Riley case before the Supreme Court. Alan Butler, EPIC’s senior counsel in Washington, said while there’s “no direct application of Riley” because the Iowa mobile app is being built to act only as an ID, it still raises a host of privacy concerns – not the least of which is all the searchable private information on a smartphone. Additionally, what if the driver were to get a phone call or text message while the smartphone was in a police officer’s possession? “And, what is the app doing? Is it collecting additional information about me, whether intentionally or unintentionally?” Butler said. “What is my device doing when it’s using the app? Is it leaking private information about me without my knowledge?” There are also practical reasons a smartphone could fail as a means of legal ID, including a dead battery. [ComputerWorld]

Internet / WWW

WW – CSA: Cloud Privacy Top Issue

The Cloud Security Alliance (CSA) has said data privacy is a top issue for industry in 2015 across the globe, citing “Microsoft’s ongoing battle with the U.S. government over emails contained in an offshore data center as prime example of the battles that lie ahead.” CSA’s Jim Reavis described the Microsoft case as “one of the biggest issues we’ve seen” for cloud security and adoption. Meanwhile, Iceland could become the “Switzerland of information,” with data centers located in a country that “is in the initial stage of implementing the most progressive data-privacy laws in the world.” [TechTarget] [The Irish government has sided with Microsoft against demands by the U.S. government for the company to share data held on servers in Ireland]

WW – Cloud Computing Standard Released, but Will It Be Obeyed?

While cloud computing is emerging, transparency, confidentiality and control are key concerns of potential cloud clients. Cloud clients often lack the necessary information on how the information moved to the cloud is safeguarded and processed, and on what happens if they want to move to another provider, or if their provider terminates its operation or changes the terms of its policies. At the European Commission’s urging, the national data protection authorities and the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) developed the new standard ISO/IEC 27108. Whether the standard is accepted in practice and lives up to its developers’ expectations remains to be seen. [Full Story]

Law Enforcement

US – Duluth Case Shows Police Body Camera Footage Is New Legal Battleground

When a man in Duluth, Minnesota, barricaded himself in a garage at his home and threatened to kill himself with a knife, police officers shot him twice. The incident, which happened in August, was captured on police body cameras. Months later, city officials who want the body camera video kept secret are in a battle with advocates of police accountability that many believe will be fought out in the Minnesota legislature. The man who was shot by police, 34-year-old Joe Zontelli, survived. The two officers involved were cleared of wrongdoing. But the incident made news in the midwest city of 86,000, and after an investigation was completed by the St Louis County attorney Mark S Rubin, reporters expected the video to be released. It was not. Tom Olsen, a reporter for the Duluth News Tribune who filed a public records request for the police body camera videos, said that under normal circumstances, reporters would have received their information requests after an investigation was complete and a press conference held. The county prosecutor reviewed body camera footage, but authorities didn’t release the videos. Gunnar Johnson, the Duluth city attorney, instead used a legal maneuver to try to temporarily classify the video – and future videos from other cases. Duluth requested the state clarify what body camera footage is public and what should be kept private, through an unusual request to Minnesota’s information policy analysis division. The office denied Duluth’s request, in what will be the final word on the issue unless the legislature picks it up this spring. Johnson said his office was now “working” with the decision, “with the support of other municipalities”. 
[The Guardian] [The Minnesota Department of Administration has declined an application by the Duluth Police Department that would restrict public access to police body-camera video] SEE ALSO: [Spokane: Police body camera pilot ends; review and implementation next] and [LAPD to buy 7,000 body cameras] and [Cops with cameras coming to Durham, Ontario] and [Calgary Police chief says new tech ‘absolutely’ compliant with privacy laws] and [US: Seattle Police Held a Hackathon to Figure Out How to Redact Body Cam Video Streams] and, finally, [U.S. Army will launch 2 missile surveillance blimps over Maryland]


WW – TTIP Negotiations Continue, While Leaked TISA Negotiation Proposals Have Critics Speaking Out

Negotiations continue between the EU and U.S. on the Transatlantic Trade and Investment Partnership (TTIP), a deal to cut tariffs and regulatory barriers to trade. While supporters say it will open up new markets and reduce trade costs, opponents are concerned the agreement threatens privacy by encouraging surveillance of personal data. Meanwhile, negotiations are also underway for the Trade in Services Agreement, in which the U.S. aims to free up data flows online. Leaked proposals in the negotiations have an Australian advocate saying they include rules that would “threaten privacy and civil rights protections for digital personal data.” [BBC News]

Online Privacy

WW – Facebook Has New Search Feature; Class-Action Over Ads Will Continue

Facebook’s new keyword search feature has “enormous implications” for advertising, developers and Facebook itself. With the new feature, users can search stories from their friends and surrounding network, which could add up to more than a trillion posts, according to CEO Mark Zuckerberg. “Privacy by obscurity is basically dead … Now anyone armed with the right, or wrong, keywords can pull up your worst moments and either quietly judge or publicly shame you,” the article states. Meanwhile, a federal judge has denied Facebook’s request to dismiss a class-action suit claiming it violated the U.S. Wiretap Act, saying because of “Facebook’s unwillingness to offer any details regarding its targeted advertising practice” she couldn’t determine whether the practice falls under an “ordinary course of business” exception. [TechCrunch] See also: [ThinkUp Helps the Social Network User See the Online Self] See also [The Slow Death of ‘Do Not Track’]

EU – Dutch DPA Investigating Facebook Privacy Policy

A day after warning Google it may fine it nearly 18 million euros for alleged privacy violations, the Dutch Data Protection Authority (DPA) has said it is also investigating Facebook’s recently revamped privacy policy. The changes, set to go live in January, attempt to simplify the site’s privacy policy, but the policy also states Facebook may use data it collects to sell advertising. The Dutch DPA is looking into that and has asked the company to delay rolling out its new privacy policy until the investigation is completed. “We were surprised and disappointed to learn about the inquiry,” Facebook said, noting it “routinely” reviews such updates with Ireland’s Office of the Data Protection Commissioner for compliance with the EU Data Protection Directive. [The New York Times] see also: [Google Faces $19M Fine Over Privacy Policy]

Other Jurisdictions

RU – Data Protection Law to Become Effective One Year Earlier Than Planned

On December 17, the lower chamber of the Russian Parliament passed legislation that would change the effective date of Russia’s new law requiring local storage of Russian citizens’ personal data from September 2016 to September 2015. Impacted businesses had hoped the law would not go into effect until 2016 because of practical considerations, since meeting the deadline would require the reworking of IT systems. The Federation Council and president must now approve the change, which would mean businesses “will lose a year of reviewing and implementing their compliance obligations under the law,” the report states. [Hogan Lovells’ Chronicle of Data Protection]

CH – Chilean Bill Aims to Establish Enforcement Body

The Chilean government will soon introduce legislation to create an autonomous body to oversee data protection issues, according to Deputy Economy Minister Katia Trusich. The new law would also require companies to register databases containing personal information but would aim to strike a balance between protecting personal data and allowing it to circulate, Trusich said. “This is an urgent issue for Chile,” Trusich said. Chile’s current data protection framework was enacted in 1999 and is based on Spain’s model. While it aims to protect individuals’ personal information, it doesn’t contain a provision for an enforcement agency or provide sanctions for violations. The new bill aims to close the gaps. [Bloomberg BNA]

NZ – Privacy Commissioner to ‘Name and Shame’ Wayward Corporates

Until recently, Privacy Commissioners rarely named wayward corporates. Instead they relied on bringing tribunal proceedings, which are steps that are time consuming and expensive, and therefore taken only on limited occasions. Now, like other regulators such as the Commerce Commission, the Privacy Commissioner will, in appropriate cases, ‘name and shame’. For many corporates that is a much bigger negative than, say, being ordered to pay a penalty. With greater regulatory exposure, corporates should up their privacy compliance. Plus, when the Privacy Commissioner starts to investigate they should be proactive and careful in managing the situation. [Lexology] SEE ALSO: [NZ: Veil of privacy could be lifted on suspect surgeons] See also [US – Another Voice: Campaign finance disclosure laws may invade citizens’ privacy]

AU – South Australia’s Worst Fine Evaders Have A ‘Right To Privacy’, Civil Liberties Group Says

Naming South Australia’s worst individual fine evaders online is an invasion of privacy, according to the SA Council for Civil Liberties. The State Government yesterday published the five worst individual offenders and the three worst companies in an effort to embarrass them into paying hundreds of thousands of dollars in unpaid fines. Attorney-General John Rau said the Government had some success in the past by “naming and shaming” those with outstanding debts. But the council’s spokesperson, George Mancini, said the Government needed to recognise people’s right to privacy. He said he was concerned because the information would not normally be available to the public, despite legislation enabling the Government’s fines recovery unit to publish the names of anyone who has not paid a fine. “One of the reasons it’s not available is because it’s confidential, or it’s private information, even just your name and the fact that you have a fine, your date of birth and the amount of the fine,” Mr Mancini said. “Their identity is all information that is not ordinarily available to anybody.” [ABC Net]

WW – Rest of the World News Roundup

Privacy (US)

US – FTC Finalizes Charges with Snapchat

The FTC has finalized a settlement with Snapchat, according to the agency. The complaint, which was originally announced last May, alleges the company deceived customers with guarantees that messages would be deleted and that appropriate security measures had been taken to protect data. The final order states the company must not misrepresent how it handles the data of its customers and that Snapchat “must implement a comprehensive privacy program monitored by an independent privacy professional for the next 20 years.” [FTC]

US – Advocates File Suit to Block Use of Driver Databases for Immigrant Deportation

Immigrant advocates filed a lawsuit over concerns that federal immigration agents could use state driver’s license databases to track down people for deportation. The National Immigration Law Center sued the Department of Homeland Security demanding documents detailing how federal immigration agents access and use driver’s license data. The lawsuit comes after immigrant advocates in Maryland received reports that federal agents earlier this year arrested several immigrants with prior deportation orders after apparently identifying them with help from a driver’s license photo and vehicle information. It also comes about two weeks before California starts issuing driver’s licenses to immigrants in the country illegally. More than 1 million people are expected to apply over the next three years. “We need to at least know what the current policy is,” said Melissa Keaney, an attorney at the Los Angeles-based advocacy organization. “We don’t want to cause unnecessary panic, but we don’t want to cause a repeat of what happened in Maryland.” The lawsuit aims to compel Homeland Security and Immigration and Customs Enforcement (ICE) to release records under the Freedom of Information Act that were requested in April. ICE declined to comment on the suit. The agency does not use driver databases to identify immigration enforcement targets but “like other law enforcement agencies, ICE may use DMV data in support of ongoing criminal investigations or to aid in locating individuals who pose a national security risk or public safety threat,” said Gillian Christensen, an agency spokeswoman. Ten states have approved driver’s licenses for immigrants in the country illegally, many of them with a distinct marker so the documents can be distinguished from those carried by US citizens and permanent residents. Meanwhile, a ruling by the US supreme court has moved thousands of young immigrants a step closer to obtaining driver’s licenses in Arizona. [The Guardian]

US – Oracle Acquires Datalogix, FTC Called Upon to Investigate

Oracle announced that it has acquired Datalogix, drawing criticism from privacy advocates worried the deal could give the company too much access to consumer data. According to an Oracle press release, Datalogix aggregates and provides analysis on more than $2 trillion in consumer spending, from offline to online advertising. In response, the Center for Digital Democracy’s Jeffrey Chester has called on the FTC to investigate the deal, noting it could violate Facebook’s consent decree with the agency. “Through the data it gathers on what we buy, and with its relationship with Facebook and other powerful marketers, Datalogix consists of an online treasure trove of data on Americans,” Chester said. [Full Story]

Privacy Enhancing Technologies (PETs)

WW – App Maker Pitches Self-Destruct Messaging To Hollywood

A startup is eyeing Hollywood in the wake of the Sony Pictures hack by offering a messaging app that never reveals the full text and then automatically destroys the conversation after it’s read. The app maker, Confide, launched an ad campaign on Tuesday, offering the business version of its self-destruct tool to entertainment studios, networks and labels for free, in perpetuity. [CNET] SEE ALSO: [8 Free Privacy Programs Worth Your Year-End Donations] and [Can New Messaging Apps Inadvertently Cause Spoliation?]

US – Boeing and Blackberry Create ‘Self-Destructing’ Phone

BlackBerry will help Boeing with its self-destructing “Black” phone, which has been in planning since 2012 and is capable of wiping all data if someone tries to access its content inappropriately. The phone is designed for government agencies with a need for secrecy. [The Telegraph] SEE ALSO: [The Affair: the fashion brand making stealth tech stylish]


US – FBI Investigating “Revenge Hacking”; Sony Hack May Have Been Inside Job

The U.S. FBI is looking into so-called “revenge hacking” by companies that have been breached by criminal hackers. The recent hack of Sony has generated “an intensifying and largely unspoken sense of unease inside many companies,” the report states, prompting some to “push the limits of existing law” to find ways of hacking back. Rep. Michael McCaul (R-TX) said, “It’s kind of a Wild West right now,” and some businesses may be conducting reactive hacking operations “without getting permission” from the federal government first. Similarly, The Washington Post published a Q&A with the Lizard Squad, the hackers who allegedly took down the PlayStation and Xbox networks on Christmas Day, which claims to have provided the Guardians of Peace—the group that released stolen data from Sony—with employee log-in credentials. Investigators familiar with the Sony hack now say the cause of the breach may have been a combination of a disgruntled employee and a piracy group and not North Korea as the FBI argues. [Full Story] SEE ALSO: [Sony says PlayStation still has problems, gradually coming back online] and [US: Hacked Sony ex-employees sue for privacy violations]. The recent Sony Pictures hack has transformed the debate over cybersecurity legislation in Congress and may spur lawmakers to make changes.

US – Simple Fix Could Have Thwarted JP Morgan Data Breach

A preliminary investigation of the massive breach at JP Morgan Chase last summer revealed that a simple security fix to an overlooked server could have prevented the damaging incident. Last spring, hackers stole the login credentials of an employee; one of the bank’s servers had not been upgraded to require two-factor authentication, so the stolen password alone was enough to gain access, leaving the company vulnerable to attack. In response, JP Morgan has set up a “business control group” comprising technology and cybersecurity executives to analyze the incident and prevent another such attack. [The New York Times] [Two-factor authentication oversight led to JPMorgan breach, investigators reportedly found]

US – Seattle Police Hold Hackathon to Test Body Camera Footage Privacy

Seattle Police are planning to test body cameras on officers in the field, and in a “hackathon” they attempted to find a balance between releasing footage and redacting private details. Approximately 80 people attended the hackathon, working on techniques to redact such details as people’s faces or license plate numbers captured on film. Police departments in New York City and Los Angeles are also prepping to test body cameras. “With 1,612,554 videos already on our servers—and more on the way through our upcoming body cam pilot program—our department is looking for a better, faster way to redact those videos and make them accessible as public records,” Seattle police said in an announcement. [Slate]

Smart Devices

US – Despite Voluntary Code of Conduct, Smart Meters Privacy Worries Persist

Concerns persist about the smart grid’s impact on consumer privacy via smart meters. The Department of Energy will publish the final draft of a voluntary code of conduct on data privacy for smart meters this month. Thirty-eight million have already been installed in the U.S., the report states, gathering information about household electricity consumption at a granular level. Despite the voluntary code of conduct, critics are worried consumers will still be “cajoled or conned into giving up their data,” the report states, to power companies but also to third-party aggregators. “I think the data is going to be worth a lot more than the commodity that’s being consumed to generate the data,” said Miles Keogh of the National Association of Regulatory Utility Commissioners. [Politico]

US – Ford Names Data Analytics Officer; Advocates Worry About the Data Use

Ford has hired an executive to oversee its collection and management of the information it captures from its cars and trucks. Ford has hired Paul Ballew, a research expert, to be its chief data and analytics officer, a new title at the 113-year-old company. The data collection aims to enhance driver services, but it also has some worried that privacy and security will diminish. “There’s another facet that comes with them being able to provide all these services,” said Julia Horwitz, consumer protection counsel at the Electronic Privacy Information Center. “What are they going to do with your data?” Editor’s Note: The automotive industry recently unveiled privacy principles, but one U.S. Senator says they don’t go far enough. [International Business Times]


US – Senators Ask for Clarification on Cell-Phone Surveillance

In a letter to the Departments of Justice and Homeland Security, Sens. Patrick Leahy (D-VT) and Chuck Grassley (R-IA) have requested clarification on behalf of the Judiciary Committee on how federal law enforcement agencies use cell-phone data collection. Of particular concern is technology like “Stingray,” which is a device that mimics a cell-phone tower in order to sweep up the data of phone users in the area. The letter “demanded answers about how the FBI and other law-enforcement agencies protect the privacy of people whose cell-phone information is collected, even when they’re not targeted or suspected of wrongdoing.” [Source]

US – EFF Argues Privacy Case in Jewel v. NSA

The Electronic Frontier Foundation (EFF) told a federal judge that the NSA has illegally searched and seized U.S. citizens’ Internet communications. The privacy advocacy group argued in Jewel v. NSA that the agency violates the Constitution when it uses a method called “upstream” to access data, in this case, from AT&T customers. The class-action lawsuit was originally filed six years ago and dismissed in 2010 for lack of standing, but that was overturned in 2011. According to the report, “The case showcases the challenge of litigating matters that engulf both individual liberties and national security.” [Courthouse News Service]

US – IoT, Connected Cars, Wearable Tech to Make Big Showing at CES

The Consumer Electronics Association’s 2015 International Consumer Electronics Show starts next week. Connected cars will be represented at the show more than ever before; Audi, BMW, Chrysler and Ford, among others, will all be showcasing the new technology. Wearable tech is also anticipated to make a big showing, and the Internet of Things (IoT) will be a main theme at the show, with more than 900 exhibitors showing products. Meanwhile, IoT continues to grow in popularity despite consumers’ privacy concerns, the report states, citing a new study indicating 65% of U.S. consumers are “moderately or extremely open to the idea of adopting smart home technology.” [CBS News]

US – Judge Throws Out Evidence Collected from Webcam

A federal judge this week threw out evidence collected from a webcam that was nailed to a utility pole near a suspected drug dealer’s house during a six-week period. The U.S. Justice Department argued the placement of the webcam is no different than posting a police officer to make the necessary observations. U.S. District Court Judge Edward Shea said a warrant is necessary to post a webcam controlled by the local police. Shea said, “The American people have a reasonable expectation of privacy in the activities occurring in and around the front yard of their homes, particularly where the home is located in a very rural, isolated setting,” and that such a reasonable expectation “prohibits the warrantless, continuous and covert recording” of the defendant. [Ars Technica] SEE ALSO: [Neighbourhood watch: how domestic CCTV is sweeping the UK]

Telecom / TV

EU – German Researchers Discover Flaw to Let Anyone Listen to Cell Calls

German researchers have discovered a flaw that could let hackers, spies and criminals listen to private phone calls and intercept text messages on a potentially massive scale. The flaws are to be reported at a hacker conference in Germany this month and describe insecurities on SS7, the global network that allows cellular carriers to route calls, texts and other services to each other, the report states. Even while carriers work to secure their systems, they still have to communicate with each other over SS7, “leaving them open to any of thousands of companies worldwide with access to the network,” so a single carrier in Kazakhstan could be used to hack into networks in the U.S., for example. [Washington Post]

WW – Researchers Find Apps Exploit Permissions

Android apps “really do use those permissions they ask for to access users’ personal information.” French researchers found, for example, that one online store records a phone’s location up to 10 times a minute. To conduct the experiment, researchers had volunteers use monitoring app Mobilitics, which was developed by researchers in conjunction with the French data protection authority, CNIL. Over a three-month period, Mobilitics recorded every time an app accessed personal data on the phone and whether that data was transferred to an external server, finding location was one of the most frequently accessed data points. Meanwhile, Hong Kong’s privacy commissioner has found Android apps “are able to access a user’s personal photos and files on Android version 4.3 or older without notifying them.” [PCWorld]

US Government Programs

US – NSA Reports Detail Decade’s Worth of Privacy Violations

On Christmas Eve, the NSA released more than a decade of reports detailing internal privacy violations. The reports include instances of employees accessing unauthorized information to spy on U.S. citizens. Meanwhile, there are five cases involving NSA surveillance that the U.S. Supreme Court could hear in 2015. [The Hill] [US: NSA reports detail decade’s worth of privacy violations]

US – Secret Service Has Not Submitted Digital Cyber Defense Reports: Auditor

According to a report from an internal auditor, the US Secret Service does not use two-factor authentication for network access and it does not abide by established rules for government agencies regarding network security monitoring. The DHS Office of Inspector General found the Secret Service refused to hand over mandatory data on its computer security systems to DHS in 2014. The office found that the Secret Service’s refusal to provide the required data “created a significant deficiency in the Department’s information security program,” the report states. The USSS CIO was concerned about the “operational security” of the data feeds. [The Hill] [NextGov] [DHS]

US – Obama Wants Congress to Introduce Information Sharing Legislation

At his end-of-year press conference, President Obama indicated that he would like to see the reintroduction of an intelligence-sharing bill in this legislative session. In the wake of the Sony Pictures breach, Obama said that he has a team working on seeing what can be done to prevent such attacks in the future, and that he would like to see Congress focus on “stronger cyber security laws that allow for information sharing across private sector platforms as well as the public sector.” [ZDNet]

US Legislation

US – Obama Signs Five Cyber-Related Bills into Law

For the first time in more than 12 years, major cybersecurity bills have become law after President Barack Obama signed five of them on Thursday. The five new bills include the Federal Information Security Modernization Act, the Homeland Security Workforce Assessment Act, the Cybersecurity Workforce Assessment Act, the National Cybersecurity Protection Act and the Cybersecurity Enhancement Act. [GovInfoSecurity] This FEDweek report outlines changes in cyber-incident reporting that come with the newly enacted Federal Information Security Modernization Act of 2014.

US – 2014 legislative Roundup

US – State Legislative News Roundup

Workplace Privacy

WW – Whether Working or Job Seeking, the Algorithm Is Watching

Are you perusing LinkedIn at work more than usual? That small change in behavior could set off alerts in computer analytics programs used to surveil and rank employees, according to a forthcoming book, “The Reputation Economy: How to Optimize Your Digital Footprint in a World Where Your Reputation Is Your Most Valuable Asset.” If your LinkedIn browsing is noticed “by a recruiter, look forward to increased cold calls trying to lure you into new jobs,” the authors write. “If it’s caught by your company, look forward to either a conversation about what it would take to keep you — or a swift kick toward the door.” In my latest Sunday Business column, I wrote about “The Reputation Economy” and another coming book, “The Black Box Society: The Secret Algorithms That Control Money and Information.” Both books examine how companies are increasingly using sophisticated computer scanning systems to score people on their health risks, financial wherewithal and purchasing patterns — ranking systems of which consumers are often unaware. But the books’ descriptions of employee scoring systems are particularly noteworthy, whether you are currently a satisfied employee or seeking a new job. “The Reputation Economy,” for instance, describes how human resource departments and search firms are increasingly turning to software programs to automate the process of weeding out applicants with weaker résumés as well as identify job candidates to interview. Companies also use such scoring programs, the authors write, to rate their own workers — on productivity, teamwork, creativity and so on — and to identify promising employees to select for promotion or management training programs. [NY Times]

US – FBI Unit Studying How to ID Insider Threats

The profiling unit of the FBI, the FBI Cyber Behavioral Analysis Center, has begun a multi-year project studying how technology can help identify insider threats. “Is there a similarity between the person who is putting a logic bomb on your network and the person who is going to throw a bomb in your office?” asked Supervisory Special Agent Kevin Burton. “Are the behaviors different? Do they intersect?” Those are some of the questions the unit aims to answer to help federal managers detect otherwise hidden behavioral patterns, doing so within the bounds of privacy, the report states, adding that ultimately human beings—not computers—are behind breaches. [NextGov]

UK – Welsh Council Rapped for Covert Spying on Sick Leave Worker

A council that ordered covert surveillance of a sick employee has been ordered to review its practices following an investigation by data privacy watchdogs. An Information Commissioner’s Office (ICO) investigation found that Caerphilly Council breached the Data Protection Act when it ordered the surveillance of an employee suspected of fraudulently claiming to be sick. The surveillance was only authorised on anecdotal evidence and began only four weeks into the employee’s sickness absence. Caerphilly Council went straight to snooping on its worker using a private investigation firm without properly considering other options. The covert surveillance was used to compile a report, which was ultimately shelved having gone unused. The ICO determined the council did not have sufficient grounds to undertake the surveillance, especially at such an early stage of the employee’s absence, as an agreed data protection undertaking (PDF) explains. Anne Jones, assistant information commissioner for Wales, commented: “It shouldn’t need to be said that spying on employees is incredibly intrusive and must only be done as the last resort.” “Organisations need to be absolutely clear why they need to carry out covert surveillance and consider all other alternatives first. If it cannot be completely justified, it shouldn’t be done,” she added in a statement on the case. The ICO accepts covert surveillance of employees can be justified in some exceptional circumstances, such as suspicions the employee is engaged in criminal activity or equivalent malpractice. Covert surveillance should be used as a last resort when alternatives which respect the employee’s privacy have been considered and ruled out as inappropriate. The ICO’s Employment Practices Code, which covers monitoring of employees at work, can be found here (PDF).

Xmas / Seasonal

WW – Santa Claus Breaks the Law Every Year

Each year when the nights start growing longer, everyone’s favourite rotund old man emerges from his wintry hideaway in the fastness of the North Pole and dashes around the globe in a red and white blur, delivering presents and generally spreading goodwill to the people of the world. Who can criticise such good intentions? Despite this noble cause, Father Christmas is running an unconventional operation at best. At worst, the jolly old fool is flagrantly flaunting the law and his reckless behaviour should see him standing before a jury of his peers. Admittedly, it would be a challenge to find eleven other omnipotent, eternally-old, portly men with a penchant for elves. Read on to find out four shocking laws Santa breaks every year. But be warned; this is just the tip of an iceberg of criminality that dates back centuries! [Source] SEE ALSO: [Elf on the Shelf: festive fun or Santa’s sinister spy?] AND [UK: Make sure gadget gifts are safe for youngsters] and [UK: Drones given as Christmas gifts will lead to soaring privacy complaints, watchdog warns] AND [Horrifying ‘sexy’ Santa selfies remind you to check your online privacy settings] AND [Ho, ho, ho! NSA reports on its spying naughtiness]
