01-15 January 2015

Big Data

US – Federal Study Says Mass Data Collection Irreplaceable

The National Academy of Sciences has released an in-depth report informed by communications and cybersecurity experts as well as former intelligence officials concluding that there is no effective alternative to bulk data collection for intelligence purposes. According to the study, “no software-based technique can fully replace the bulk collection of signals intelligence.” However, the report did conclude there are ways to “control the usage of collected data” including, notably, placing strong privacy protections on the collected data once it’s in the government’s hands. [The New York Times]

WW – Big Corps Want to Know How You Feel; Defense Contractors Are Happy to Help

It’s no secret that businesses track consumers online and study social media to learn more about their shopping habits. But the public backlash against Sony after its response to being hacked, criticism of Target’s handling of its 2013 cyberattack and other examples of corporate embarrassment have put a spotlight on another type of analysis — measuring public sentiment about a business. Now, contractors that traditionally performed this type of work for government intelligence agencies are offering their skills to large corporations. Corporations are increasingly looking for early warnings to manage potential disruptions. Not everyone is excited by the prospect. The thought of government contractors offering intelligence-level expertise to corporations worries some privacy advocates. “This is the creation of a digital blacklist,” said Jeffrey Chester, who leads the Center for Digital Democracy. “A system designed for defense use should not be unleashed on the everyday goings-on of Americans.” [The Washington Post]

US – Why Uber Is Sharing Ride Data With the City of Boston

Uber said it will begin sharing trip data with the city of Boston with the goal of helping to reduce traffic congestion and assist urban planners. Under the first-of-its-kind deal, the car booking app said it will give city officials granular reports about every trip taken with Uber in the city. Riders’ personal information will not be included in the report, Uber said. What city officials will see, according to Uber, is an anonymized report showing the time, date and ZIP code of where a rider was picked up and where and when their trip with Uber ended. The data will also allow city planners to study the duration of the ride and come up with solutions to ease traffic congestion, including adding more public transportation options. [ABC News]

US – Pasquale on the Black Boxes of Data-Mining

Author Frank Pasquale discusses the lack of transparency and redress in big data profiling, both for students and employees. Though he applauds President Barack Obama’s privacy initiatives rolled out earlier this week, Pasquale writes, “it’s time for policy-makers to aim higher” because, through big data algorithms, individuals can easily be stigmatized without knowing they’ve been flagged as a high-risk student or employee. “Students should not be ranked and rated by mysterious computer formulas,” he writes, adding, “They should know when they’ve been marked for special treatment.” [Los Angeles Times]

Canada

CA – Watchdog to Study ‘Privacy Compliance’ Among Canadian Advertisers

The Office of the Privacy Commissioner of Canada is launching a research project to examine advertising on popular websites in Canada. The goal is to determine whether advertisers are complying with Canadian privacy laws. As “big data” becomes more crucial to advertisers who hope to reach consumers with messages that might be relevant to their needs, the industry has also been working to ease concerns about privacy. Industry groups representing Canadian advertisers and their agencies launched a self-regulatory group, the Digital Advertising Alliance of Canada (DAAC), in 2013. Despite the publication of the OPC’s guidelines, and the launch of the DAAC, “informal observations of major websites viewed by Canadians show that privacy compliance may still be an issue,” Privacy Commissioner Daniel Therrien wrote in a letter to the Interactive Advertising Bureau of Canada in mid-December, giving notice of the upcoming study. Similar letters were sent to the other industry groups including the DAAC. Results of the study will likely be published in the spring. [The Globe and Mail]

CA – New Sask. Privacy Commissioner to Continue Pushing for Police to Be Included in Legislation

For 10 years, former privacy commissioner Gary Dickson regularly recommended that municipal police be brought under the authority of Saskatchewan’s privacy legislation. His successor, Ronald Kruzeniski, intends to do the same. Aside from Prince Edward Island, which doesn’t have a Local Authority Freedom of Information and Protection of Privacy Act (LAFOIPP), Saskatchewan is the only province in Canada in which municipal police aren’t legislated under access and privacy laws. The RCMP, which operates in smaller centres in the province, is covered under federal privacy laws. This means anyone wishing to get access to municipal police information or file a privacy complaint through Kruzeniski’s office is unable to do so. Citizens wishing to file complaints with municipal police can currently do so through the Public Complaints Commission. Kruzeniski intends to officially make the recommendation at some point this year, and plans to meet with the Saskatchewan Association of Chiefs of Police. [Leader-Post] SEE ALSO: Ontario Acting Privacy Commissioner Brian Beamish “is calling for changes in legislation to make it harder for hospitals to handle privacy breaches internally without reporting them to the privacy office.” [Hospitals should report privacy breaches to commissioner: Editorial] [ON: Hundreds of hospital privacy violations go unreported]

CA – RCMP Refusing to Pay Rogers’ New Cellphone Fees

The RCMP and many other police forces are refusing to pay new fees imposed by Rogers Communications for helping track suspects through their mobile phones. Police say the telecommunications firm is legally obligated to provide such court-ordered services and to cover the cost as part of its duty to society. Rogers says while it picks up the tab for most judicially approved requests, in some cases it will charge a minimal fee. The quietly simmering dispute underscores long-standing tensions over who should pay when police call on telephone and Internet providers to help investigate cases. Although they have concerns about the new Rogers fees, the Mounties did pay more than $2 million to telecom firms in 2012-13 in connection with customer information and intercept-related activities, the force says. [The Star]

CA – Debate Shaping Up About New Law to Fight Terror in Canada

Only 17 people have been convicted of terrorism and related offences in Canada since 2001. Five others await trial in three separate cases. In July, a sixth Canadian was charged with taking up arms in Syria and has not returned to Canada. Conservative Senator Dan Lang, chair of the Senate’s national security and defence committee, and other politicians are demanding to know why the numbers are so relatively low compared with the United States and Britain. This past week, while expressing solidarity with France over the shooting attack on the Paris office of satirical magazine Charlie Hebdo, Prime Minister Stephen Harper said a new anti-terrorism bill giving the state additional powers to watch, detain and arrest extremists will be tabled shortly after Parliament resumes in late January. [The Ottawa Citizen] SEE ALSO: [Legislation will be tabled this month that “will provide national security agencies with explicit authority to obtain and share information that is now subject to privacy limits”]

CA – Serious Offenders Among Dozens Mistakenly Released From Ontario Jails

Prisoners who were supposed to be locked up on charges of attempted murder, sexual assault, armed robbery and assault with a weapon were mistakenly released from Ontario jails during the last six years. In total, 98 prisoners were freed prematurely between 2009 and 2013, mostly because of clerical errors. Four of these prisoners committed new offences while they should have been behind bars, the government acknowledged for the first time in December. [Toronto Star]

CA – Torontonian Uses Big Data and Privacy Expertise to Create Anonymous Index of Sexual Assault

Lauren Reid is a 30-year-old Toronto resident using her professional background in big data and privacy to push for a national, anonymous, user-controlled and self-reported database on sexual assault. It is an ambitious project, unprecedented in its scope, but it comes with its own set of complicated challenges and concerns. “The goal is to create a database that allows us insights into ‘Why didn’t you report it?’” among other things, and also to try to gauge how many people are sexually assaulted more than once, whether people didn’t know it was rape at the time, whether they were drinking or drugged and so on. Users would enter their stories and add or change information any time. The database would need to maintain clear definitions of sexual assault, she said, and it would be fully anonymous — no naming of names allowed. Even those who support the intention of such a database worry about privacy concerns, legal implications and false reports. “The purpose is to generate knowledge about a problem,” Ms. Reid said. “It isn’t to prosecute people.” [National Post]

CA – To Guard Government Computers from Hacking, Ottawa to Spend $100-Million on Security

Ottawa will spend as much as $100-million to safeguard Canadian government computers after a Chinese state-backed hacker broke into the National Research Council’s system last summer – and the 2015 budget is expected to help underwrite the bill for upgrading network security. There’s a request from inside government for extra money in the 2015 federal budget to fund long-term cyberprotection measures. This request is a sign of how seriously the increased threat of Chinese state hacking is being taken inside Ottawa. [The Globe and Mail] [CA – Canadian passports stolen at gunpoint in Caracas]

CA – Search Warrants’ Surge Denounced by Defence Lawyer

Search warrants have become much too easy for Toronto police to obtain, says a veteran defence lawyer who is calling on the courts to “bring some control to the situation that’s become like the Wild West.” New documents show the number of search warrants executed by Toronto police has almost tripled in a nine-year period. In roughly half the cases, nothing illegal was found and no charges laid. A 50% “failure rate” is a “huge problem,” lawyer David Bayliss said. [Toronto Star] [Interview: Privacy guru Ann Cavoukian] [ON: Hundreds Of Hospital Privacy Violations Go Unreported] and [Mondaq News: $7,500 in Damages Awarded for Intrusion Upon Seclusion] AND [Canadian Lawyer Magazine: Is Google Search Evidence Admissible?]

CA – Auto Lenders Quietly Install a Digital Repo-Man

A little-known black box buried in the guts of many GTA vehicles makes drivers with poor credit the hapless targets of what is becoming a 24-hour surveillance culture. Known as a starter interrupter, the GPS-equipped, wallet-sized box is popular with auto loan companies: If the owner stops making payments, the lender can send a signal to the box, disabling the vehicle by shutting off the starter. The GPS function also allows for tracking the customer’s movements. Thousands of starter interrupters have been on the roads in Canada for years, but in Ontario, little has been said about how they’re used and the information they allow lenders to collect. Consumer protection laws have curtailed their use in Quebec, and serious questions are being raised about their safety in the United States, following reports about moving cars being shut down remotely. [Toronto Star]

Consumer

US – Art Indicates Teens Have Complex Understandings of Privacy Threats

Privacy Illustrated is a project that Carnegie Mellon University (CMU) researchers unveiled last week. It includes art submitted by 175 people from kindergarteners to senior citizens, but some of the most complex images on threats to privacy came from teens. “Teens actually value privacy a lot, but their threat models are very different from adult threat models,” said Lorrie Faith Cranor, director of CMU’s CyLab Usable Privacy and Security Lab, who led the initiative. According to the teens’ drawings, they’re “acutely concerned about prying parents, siblings and schoolmates and worried about a spying government.” [Pittsburgh Post-Gazette] [The New York Times: ThinkUp Helps the Social Network User See the Online Self]

WW – Apple Spotlight Runs Roughshod Over Mail Privacy Settings

Apple’s Spotlight desktop search engine in OS X Yosemite ignores privacy settings in the Mail email client. Search results can include pictures and other files linked to email messages, even if users have told Mail not to load remote content. The HTTP requests sent to the servers hosting that content reveal users’ IP addresses. Users can prevent this leak by unchecking “Mail & Mailboxes” in Spotlight System Preferences. [The Register] [ComputerWorld] [ArsTechnica]

E-Government

WW – Beware Governments’ ‘Big Data’ Promises

The so-called ‘Big Data Revolution’ has governments enthralled. The BC government sees itself as a leader in bringing about ‘transformation’ with the use of data. The promises are that 1) the government is going to free itself up in its use of citizens’ personal data and this will bring convenience and make money, and 2) the government is going to free up government data and this will bring transparency and ‘digital engagement,’ and make money too. The data will be free and we will be wiser, happier and richer. At least, that’s what the glossy brochure says. You may not be too surprised to discover it’s not actually working out quite that way on the ground. In actual practice, part of this formula looks a lot like old ‘e-government’ initiatives that have been soundly criticized for costly failures and privacy fiascos. [British Columbia Civil Liberties Association]

Electronic Records

CA – City, Province to Work on Electronic Patient Reporting Across Manitoba

The way Winnipeg deals with electronic records for patients could eventually be used province-wide. This week, a city committee approved a motion for the province and city to work together to have the city’s electronic patient care system implemented across the province. Winnipeg Fire Paramedic Service Chief John Lane said Winnipeg was one of the first municipalities in Canada to use the electronic system. He said most other places use paper-based record keeping. The system uses Bluetooth to send the information from emergency crews to hospitals, and “provides absolutely seamless record keeping in terms of care,” Lane said. In 2013, the province reviewed its emergency medical services, and one of the recommendations was to find a common platform to be used across Manitoba to capture patients’ records electronically. The committee passed a motion that will allow the Winnipeg Fire Paramedic Service to start working with the province on a potential rollout of their system across the province. [CBC News]

Encryption

UK – UK PM Wants to Ban Encrypted Communication

UK Prime Minister David Cameron has said that if he wins reelection, he will initiate legislation that would provide law enforcement with a means to access private, encrypted online communications. Under the plans put forth by Cameron, encrypted messaging services such as WhatsApp, iMessage, Skype and CryptoCat would not be legal. “The first duty of any government is to keep our country safe and our people safe,” he said. Privacy International’s Mike Rispoli said, “The UK simply cannot command foreign manufacturers and providers of services … to accommodate the desires of British spies.” In a blog post, Cory Doctorow wrote, “there’s no back door that only lets the good guys go through it.” [Computerworld] Cameron is urging President Obama to pressure Apple, Google and Facebook to stop using stronger encryption in their communications products. An article published in The Guardian includes details from a 2009 US National Intelligence Council report that has surfaced; the report expresses concern that both government and private computers are not adequately protected because encryption is not being implemented as quickly as it ideally should be. [ZDNet] [CNET] [The Register] [Ars Technica] [David Cameron seeks cooperation of US president over encryption crackdown]

US – New York Prosecutor Calls for Law to Fight Apple Data Encryption

Apple Inc. and Google Inc. should be legally required to give police access to customer data necessary to investigate crimes, New York County’s top prosecutor said. Federal and state governments should consider passing laws that forbid smartphones, tablets and other such devices from being “sealed off from law enforcement,” Manhattan District Attorney Cyrus Vance said today in an interview at a cybersecurity conference in New York. Apple and Google’s mobile operating systems together accounted for more than 95% of smartphone shipments through the first three quarters of last year. [Bloomberg]

UK – PM Makes Apple CEO Tim Cook a Global Privacy Champ

“I want to be absolutely clear that we have never worked with any government agency from any country to create a backdoor in any of our products or services,” Apple CEO, Tim Cook wrote last year. “We have also never allowed access to our servers. And we never will.” Now, it looks like Apple will need to fight to maintain customer privacy, as British Prime Minister David Cameron wants to ban services that encrypt messages so they cannot be intercepted by spies, criminals or anyone other than those in the conversation. This directly impacts Apple’s iMessage or FaceTime, which offer end-to-end encryption. [computerworld.com]

EU – Paris Airport Security Made Security Expert Decrypt Laptop Hard Drive

When security expert Katie Moussouris was traveling through Paris’s Charles de Gaulle airport on her way back to the US after a conference, she was asked by security personnel there not only to power up her laptop, but also to enter her passwords to decrypt the machine’s hard drive. The laptop was not confiscated. [The Register]

EU Developments

EU – New Data Privacy Law Could Be Delayed Until 2016

Europe’s long-awaited new data protection law may be delayed until 2016, partly because of resistance by the UK Government. That’s the warning last week from MEP Jan Philipp Albrecht, vice chairman of the European Parliament committee overseeing the bill. The new General Data Protection Regulation (GDPR) is due to be finalised by the end of 2015 – but failure to agree the new rules is leaving European citizens exposed to snooping from foreign and European intelligence agencies and companies, Albrecht said. At a 7 January briefing in the European Parliament, he warned that delays to the law – which was first proposed in 2012 and has been hit by nearly 4,000 amendments – are “bad for democracy”. [SC Magazine]

UK – Theresa May: Data Law Could Have Helped Catch More Paedophiles

The home secretary, Theresa May, has told a child abuse summit that so-called snooper’s charter laws could have helped law enforcement officers catch more paedophiles online. May told representatives from more than 50 countries, 23 technology companies and nine non-governmental organisations that gaps remained in law enforcement and intelligence agencies’ capabilities to track down child abusers. Last month new powers were announced for police to force internet firms to hand over details that could help identify suspected terrorists and paedophiles. The counter-terrorism and security bill will oblige ISPs to retain information linking internet protocol addresses to individual users. [The Guardian] SEE ALSO: [UK Prime Minister David Cameron has called for a ban on encrypted communications] [French data protection authority, the CNIL, published its standard defining accountability in practice, and companies demonstrating compliance will receive accountability seals from the data protection authority] [The CNIL has issued new standards for call-monitoring and recording by employers] AND [In the Netherlands next month, the District Court of the Hague will hear a legal challenge of the Dutch data retention law “filed by a broad coalition of organizations.”]

EU – Finland Gets Tough on Privacy

Finland is cracking down on social media and online messaging providers ahead of a big European Union review. On 1 January, the ‘Information Society Code’ passed into law. The Code is a major new umbrella act revising the country’s electronic communications legislation, which has four main goals: simplifying existing rules; improving consumer protection; boosting information security; and creating more equal telecoms markets. The greatest potential consequence of the Information Society Code comes from its increased regulatory powers over the information society. Most notable is the new requirement to ensure confidentiality of communications rules apply to all electronic communication distributors, including social media companies. [zdnet.com]

UK – Wellers’ Child Privacy Case: Peers Urged To Change Law

The call follows a campaign by the wife of the rock star Paul Weller, who won a high court battle last year over unpixelated photos of their children published by a newspaper website. Hannah Weller’s cause is being supported by the Labour peer Angela Smith, who raised it in the Lords. The government said a balance had to be struck between privacy and free speech. Hannah Weller set up a campaign group to make it illegal to publish unpixelated pictures of children without parental consent. She insists there would be exceptions granted for pictures published in the public interest, those taken of a crowd or where there is implied consent, such as a red carpet event. The Labour peer and Shadow Home Office Minister, Angela Smith, is supporting the campaign, arguing that civil law could be changed to prevent specific abuses of privacy without threatening free speech. [BBC News]

EU – IRE: Concern Over Personal Info Database for Every Primary Student

Concern is being expressed about a new Primary Online Database being established by the Department of Education. Under the plan, all children’s PPS numbers along with details of their religion and ethnic backgrounds will be included on the database, which the Department said will be used to develop education policy into the future. Parents of all primary school children are being sent letters outlining how the new POD will work and what information will be stored; the letter states that the information will be kept until the child reaches the age of 30. The Department claims the database will eliminate the existing annual school census, facilitate transfers between schools, and keep track of students who do not go on to secondary school. [breakingnews.ie]

Filtering

US – Marriott to Stop Blocking Personal Wi-Fi Hotspots

Marriott International will no longer block personal wi-fi hotspots in its hotels. The US Federal Communications Commission (FCC) investigated the issue after a customer complained, and found that a hotel in Tennessee was using a monitoring system that de-authenticated guests’ hotspots. The FCC fined Marriott US $600,000. Marriott believed it was acting within its rights to block the hotspots and maintained that blocking customers’ wi-fi hotspots was a security measure. [BBC] [Silicon Republic] See also: [Manitoba: Hotel Wi-Fi exposes woman’s passport, credit card numbers]

US – Writers Say They Feel Censored by Surveillance

A survey of writers around the world by the PEN American Center has found that a significant majority said they were deeply concerned with government surveillance, with many reporting that they have avoided, or have considered avoiding, controversial topics in their work or in personal communications as a result. The findings show that writers consider freedom of expression to be under significant threat around the world in democratic and nondemocratic countries. Some 75% of respondents in countries classified as “free,” 84% in “partly free” countries, and 80% in countries that were “not free” said that they were “very” or “somewhat” worried about government surveillance in their countries. Smaller numbers said they avoided or considered avoiding writing or speaking on certain subjects, with 34% in countries classified as free, 44% in partly free countries and 61% in not free countries reporting self-censorship. Respondents in similar percentages reported curtailing social media activity, or said they were considering it, because of surveillance. [nytimes.com]

Finance

US – SEC Considers CyberSecurity Disclosure Rules

The Securities and Exchange Commission (SEC) is “advancing measures” that would require publicly owned businesses to share more data about their cybersecurity vulnerabilities, including data breaches. The move would likely prompt businesses to tighten their security because the public would know how well companies are protecting data. “It’s a harbinger of what’s to come, and I think it will change the way companies think about and report on cyber,” said Squire Patton Boggs’ Norma Krayem. Former Securities and Exchange Commissioner Roberta Karmel said, “It’s kind of a recent trend that Congress seems to think federal security laws should cover absolutely everything that goes on in terms of the conduct at public companies.” [The Hill]

US – Regulator Criticized for Breach Response

In the wake of a breach during a regulatory exam, a federal banking regulator is getting a chilly reception to its plans to consider new rules related to encryption of data shared with examiners. Michael Fryzel, a former NCUA chairman, says consideration of a new encryption regulation is premature. Instead, the NCUA should focus on establishing a working group to review the agency’s security practices during examinations, he says. [bankinfosecurity.com]

FOI

MB – Refusal to Release Info Revisited

The City of Winnipeg is rethinking its refusal to divulge part of the rationale for pursuing the $210-million Winnipeg police headquarters project. The ombudsman’s report grew out of a February 2014 Free Press request for the information that led city officials to recommend purchasing the Canada Post building in 2009 and renovating it into a new police headquarters instead of fixing the Public Safety Building. The city denied access the following month, prompting the complaint to the ombudsman. After nine months of investigating, the ombudsman concluded that while the city could invoke the “advice to a public body” exception, it did not provide any reason why it made that decision and had predetermined its decision as a refusal. Mayor Brian Bowman made a campaign promise to end the city’s frequent use of discretionary exceptions as a means of denying access-to-information requests. [winnipegfreepress.com]

Genetics

WW – New DNA Technique May Reveal Face of Killer in Unsolved Double-Murder

There were no witnesses to the gruesome murder of a South Carolina mother and her 3-year-old daughter inside a busy apartment complex four years ago. But a new technology that can create an image of someone using DNA samples left at crime scenes might bring police closer to catching the killer. Reston, Va.-based Parabon Nanolabs, with funding from the Department of Defense, has debuted a breakthrough type of analysis called DNA phenotyping which the company says can predict a person’s physical appearance from the tiniest DNA samples, like a speck of blood or strand of hair. The DNA phenotyping service, commercially known as “Snapshot,” could put a face on millions of unsolved cases, including international ones, and generate investigative leads when the trail has gone cold. “Traditional forensic analysis treats DNA as a fingerprint, whereas Snapshot treats it as a blueprint — a genetic description of a person from which physical appearance can be inferred,” Greytak said. [Fox News] See also: [Surprise! With $60 Million Genentech Deal, 23andMe Has A Business Plan]

Health / Medical

CA – Confidentiality Agreement Handcuffs Assisted-Suicide Researcher

A professor who has successfully defended his right to protect the subjects of his research on assisted suicide wants to return to teaching at a university in Surrey, B.C., but a confidentiality agreement is blocking the way. Russel Ogden is drawing a yearly salary – more than $87,000 in 2014 – from Kwantlen Polytechnic University, but unable to teach or conduct research in its name since 2008 as a result of the deal he signed with the school. [The Globe and Mail]

Horror Stories

US – Park ‘N Fly Confirms Breach

Following a breach of its e-commerce website, Park ‘N Fly has been notifying “an undisclosed number of customers that their payment card information was exposed.” “Airport parking lots are attractive targets for fraudsters because they are often used by business travelers utilizing business or commercial credit cards,” the report states, quoting one card-issuer that noted such cards have “high lines, low decline rates and less scrutiny on a day-to-day basis by cardholders.” Park ‘N Fly is working with law enforcement and credit card issuers to investigate the incident, and those affected are being offered one year of free credit monitoring and identity protection services. [BankInfoSecurity]

US – NCUA Accepts Responsibility for Breach, Pays $50,000

The National Credit Union Administration (NCUA) announced that its board approved a payment of $50,000 to Palm Springs Federal Credit Union (PSFCU) to help cover expenses related to a data breach. In October, PSFCU notified its members that an unencrypted flash drive was lost when it was given to an NCUA examiner. The drive contained member names, addresses and Social Security numbers. NCUA, which at first faced criticism for not taking responsibility for the breach, now says it is “reinforcing training on protecting sensitive information and reviewing regulations, policies and procedures” and is considering adopting additional safeguards for electronic data. [Bank Info Security]

US – Heartland Provides Breach Warranty as Retail Encryption Need Grows

One of the country’s largest retail payment processors, Heartland Payment Systems, has announced it will offer a new breach warranty for users. The program will reimburse merchants that use Heartland for cost impacts from data breaches, the report states. Heartland Executive Director of Product Development Mike English said, “There is no bad time to ensure the businesses that process cards with us are safe … Hackers and criminals don’t wait until the busy times to breach a retail or restaurant network.” English also said the warranty offers a “forensic audit by a PCI-certified Qualified Security Assessor.” [eWeek]

US – LinkedIn Account Credentials Targeted in Phishing Scheme

Attackers are using phony security alerts to steal LinkedIn account access credentials. The messages pretend to come from LinkedIn support staff saying that users must download an attachment that will tell users how to install an update. The attachment appears to be the LinkedIn website but it sends entered data to the attackers. Users can protect themselves by activating LinkedIn’s two-factor authentication. [v3.co.uk] [SCMagazine]

US – US Military Social Media Accounts Hijacked

The Twitter and YouTube accounts of the US military’s Central Command (Centcom) have reportedly been hijacked by people claiming to be operating on behalf of Islamic State. Both accounts were temporarily suspended. Centcom has called the incident vandalism, and says it did not affect operations, nor was it a serious data breach. Some information about military personnel was posted, but it came from the Massachusetts Institute of Technology (MIT), not from military systems. The compromised accounts were taken offline. [BBC] [WIRED] [CNET] [SCMagazine] [NextGov] [ZDNet] [Washington Post]

US – United Mileage Plus Accounts Compromised

Attackers using logon information obtained from a third party managed to access about 35 United Airlines Mileage Plus accounts and arranged free travel and upgrades. United was not the source of the breach; the access credentials were used in attacks against other companies as well. [ComputerWorld] [Washington Post]

US – Possible Breach of Chick-fil-A Payment Systems

According to information from several US financial institutions, fast-food chain Chick-fil-A may have experienced a payment system breach. The financial institutions note a pattern of fraud connected with payment cards used at the restaurants in the US. At one financial institution alone, nearly 9,000 cards appear to have been affected. Brian Krebs notes that in similar cases, the particular franchises affected were those that had outsourced point-of-sale system management to a third party. [Krebs] [DarkReading]

US – Morgan Stanley Employee Fired Over Alleged Customer Data Theft

Morgan Stanley has fired an employee for allegedly stealing customer data, including account access credentials, and offering them for sale online. The breach affected approximately 10% of the company’s 3.5 million wealth management customers. The employee had worked at Morgan Stanley since 2008. [Bloomberg] [NYTimes] [SC Magazine]

US – USPS Breach Affected Some Health Data

Additional details being released about the September 2014 intrusion of US Postal Service computers indicate that certain health information was compromised as well. The affected data are related to workers’ compensation claims. Because the compromised health data are not part of an insurance plan, the breach will not incur health data security fines. [NextGov]

Identity Issues

US – New York City ID Opens Doors — and Privacy Concerns

In New York City, Mayor Bill de Blasio made a pitch for a piece of plastic — a new ID card for New York City residents, regardless of immigration status. New Yorkers 14 and older can now join the largest municipal identification program in the country. De Blasio said renting an apartment, opening a bank account and entering a school building will now be easier for the city’s estimated half-million unauthorized immigrants. And the IDNYC program doesn’t leave out New Yorkers who already have ID. Here’s how the mayor sweetened the deal: “A free, one-year membership to 33 cultural institutions! That did get the attention of many New Yorkers,” he said. Los Angeles is preparing to roll out an ID similar to New York’s. They join cities like San Francisco; Oakland, Calif.; and New Haven, Conn., where only about 10 percent of the city’s population has applied since 2007. New York officials hope their program will be more widely adopted. [NPR] See also: [US – A plan to put your driver’s license on your phone] and [National Post editorial board: Good riddance to carding]

US – Debra J. Farber: Identity Management’s Role in Data Privacy

UnboundID: What are the biggest challenges at organizations right now when it comes to protecting customer privacy? Farber: Companies are struggling to know exactly where their data is located, how many copies of that data exist, who has access to it, and for how long it is stored. They don’t have the staff to manually govern this. On top of this, there are varied laws depending on your industry and the states and countries where your business operates. Usually, there’s only a high-level business process understanding as to why data is collected, from which sources, and where it resides. There’s usually confusion about “ownership,” which means that nobody knows who should make decisions about personal data. Adding to the mix is that large organizations usually have legacy systems, which have not yet been decommissioned, but which are still collecting data. Generally, companies need to tighten their processes around data lifecycle management. With the movement toward big data, the tendency for many organizations now is to collect and store as much data as possible with the hopes that insights may be gleaned in the future. Though, from a privacy perspective, that’s a bad practice. Most privacy laws require a company to collect, store, and share personal data for a specific purpose. [UnboundID]

Intellectual Property

CA – Canadian VPN Services Could Be Forced to Alert Pirating Customers

It’s unclear if VPN services will be forced to keep customer records under Canada’s new Copyright Modernization Act. Virtual Private Network (VPN) services are legal and until now, believed to be completely unregulated in Canada, making them particularly popular for internet users interested in online privacy protection, accessing geolocked content via streaming services like Netflix and U.S.-only Hulu, or for those interested in more nefarious activities like piracy-focused Torrent downloading or criminal activity. However, new legislation, which went into effect on Jan. 1, doesn’t clearly state whether Canada’s Copyright Modernization Act pertains to VPN platforms in Bill C-11’s section 41.25 (a). An integral aspect of the new law requires internet service providers (ISPs) to relay copyright infringement allegations to customers (an act that has already been occurring for years), and to also keep a record of these allegations for six months in case the copyright holder makes the decision to take legal action. Over the next few years virtual private networks could potentially become significantly less private in Canada. [Canada.com]

Internet / WWW

US – Lawmakers Launch Congressional IoT Caucus

U.S. Reps. Suzan DelBene (D-WA) and Darrell Issa (R-CA) have announced the creation of a new Congressional Caucus dedicated to the Internet of Things (IoT). “Policy-makers will need to be engaged and educated on how we can best protect consumers while also enabling these new technologies to thrive,” DelBene said, adding, “It’s important that our laws keep up with technology, and I look forward to co-chairing the IoT caucus.” Issa, who chairs the Subcommittee on Intellectual Property, Courts and the Internet, said, “It’s critical that lawmakers remain educated about the fast-paced evolution of the Internet of Things and have informed policy discussions about the government’s role in access and use of these devices.” [Press Release]

US – FTC Chair Says Internet of Things Presents “Significant Privacy and Security Implications”

In a speech at the International Consumer Electronics Show in Las Vegas, US FTC chairperson Edith Ramirez warned that the Internet of Things (IoT) presents “significant” privacy issues. The billions of connected devices collect, store, and in some cases transmit data. Ramirez urged companies to make security a part of their product development process, to collect the minimum amount of data necessary, and to notify consumers of unexpected use of their data and provide simplified choices regarding this use. [BBC] [Ars Technica] [v3.co.uk] [Text of speech]

US – Cullen Joins Accountability Foundation to Work on “Accountability 2.0”

The Information Accountability Foundation (IAF), a nonprofit organization headed by Marty Abrams, announced this week that Peter Cullen, formerly GM and chief privacy strategist for Microsoft’s Trustworthy Computing Group, is joining the organization as executive strategist, policy innovation. He will be tasked with leading the IAF’s work “in developing a Holistic Governance Policy Model,” which Abrams called “an essential building block of Information Accountability 2.0.” [Full Story]

WW – Surveys and Predictions 2015 Roundup

[Top Tech News: The Future of Your Privacy Doesn’t Look Good | Pew Internet Report] [Experts say privacy soon to be a ‘luxury’] [EFF: 2014 in Review: Mobile Privacy and Security Takes Two Steps Forward, One Step Back] [Harvard Business Review: The Tech Trends You Can’t Ignore in 2015]

Law Enforcement

US – Body-Worn Camera Plans Have Residents Worried

L.A. residents have privacy concerns over proposed body cameras for Los Angeles Police Department (LAPD) officers. The plan is for nearly 900 cameras to be issued in the first quarter of the year, which will record interactions between LAPD officers and members of the public. The LAPD is one of many police departments considering such a measure. Meanwhile, city police officers in Pittsburgh are required to sign a policy forbidding them from releasing information to the public without authorization. Releasing the information could result in termination. Editor’s Note: The IAPP will host a web conference on January 30 from 1 to 2:30 p.m. EST on Law Enforcement Use of Body-Worn Cameras. [NBC] See also: [North Dakota State Rep. Kim Koppelman (R-West Fargo) has introduced a bill that would exempt images from police-worn body cameras from open records requirements]

US – Spokane: Police Body Camera Pilot Ends; Review and Implementation Next

A four-month pilot program to outfit Spokane police officers with body cameras will formally come to an end this week, but little is expected to immediately change in the department’s day-to-day use of the cameras. Officers who began wearing the cameras during the pilot will be able to continue wearing them on a volunteer basis going into 2015, said Tim Schwering, director of the department’s Office of Professional Oversight. Additional officers may also elect to begin wearing cameras. Over the next several months, he said, police will review use of the cameras and work to develop estimates on the video storage capacity and staff time to respond to record requests that a full body camera program would require. The department also will create a permanent policy governing camera use and will create a stakeholder commission to help with that process, Schwering said. He said the policy will be revised and updated to reflect any forthcoming changes in state law addressing video footage and public records. Once the pilot program has been reviewed, Schwering said, cameras will be phased in for patrol officers gradually, with the goal of outfitting all patrol officers by the end of 2015. [The Spokesman-Review]

US – FBI Says Warrants Not Necessary to Use Stingray in Public

US Senators are questioning the FBI’s use of cell-tower spoofing technology known familiarly as Stingray. The agency says it does not need a warrant to harvest data. Senators Patrick Leahy (D-Vermont) and Chuck Grassley (R-Iowa), chairman and ranking member of the Senate Judiciary Committee, have written a letter expressing concern “about whether the FBI and other law enforcement agencies have adequately considered [Americans’] privacy interests,” and seeking additional information on the technology’s use. [Ars Technica] [Washington Post]

Location

US – Plans to Deploy Drones Draws Backlash

A move by law enforcement agencies in the San Francisco Bay Area to deploy drones has provoked a privacy backlash. The University of California, Berkeley, would be one of the places subject to drone monitoring. “Berkeley and the Bay Area have a long history of political discussion, protests and debate, and there’s a real concern around the use of these drones under those circumstances and the broader privacy issues,” said Jesse Arreguin of the Berkeley City Council. The ACLU has released a model ordinance for municipal drone use “that would require notifying the public and developing a policy for how the device is used, what data it collects and keeps and who can access it,” the report states. [Bloomberg] [DOD wants to build drones that can buzz into bad guys’ doorways]

Online Privacy

US – Ad Company Using Verizon Tracking Header

An advertising company appears to be using Verizon unique identifier token headers (UIDH) to track users’ online behavior. Clearing cookie caches will not prevent this tracking. [ComputerWorld] [The Register] [PC World]

WW – Report: New Super Cookies Can Even Track Your Privacy-Mode Browsing

A chink in the HTTP Strict Transport Security protocol makes it possible to fingerprint users who browse sites, even when they’re using a privacy mode like Chrome’s Incognito Browsing. HTTP Strict Transport Security is usually used to ensure that users only interact with the correct servers when using HTTPS connections, by flagging that HTTPS must be used for all future connections to that host. But security researcher Sam Greenhalgh has used the feature to create a new tool called HSTS Super Cookies. Just like normal cookies, they fingerprint a user when they’re browsing without a privacy feature turned on, so they can be used to identify them at a later date. But these new cookies are visible even when using privacy modes, and can also be read by websites from multiple domain names, not just the original provider. Combined, that means that these super cookies will allow any number of websites to track a user’s movements on the web, even when they’re using a private browsing mode. [Gizmodo]

Privacy (US)

US – 75 Companies Sign Pledge, But Google’s Not One

Google has decided not to sign the Student Privacy Pledge created by the Future of Privacy Forum (FPF) and endorsed by President Barack Obama, who said, “If you don’t join this effort … we intend to make sure those schools and parents know you haven’t joined this effort.” Google has said its “contracts and policies demonstrate a commitment to student privacy,” the report states. FPF’s Jules Polonetsky said Google agrees with “the substance of the commitments listed in the pledge,” noting the pledge is one way to convey how companies use student data, “But certainly it’s not the only way … Some companies may choose privacy seals or prominent privacy policy statements or other ways to communicate and self-regulate.” [The Wall Street Journal]

US – FTC Casebook Tool Unveiled by Westin Privacy Research Center

After a great deal of work, the IAPP Westin Research Center has launched its casebook of FTC privacy and data security enforcement actions. The casebook is a digital resource, collecting all 180 FTC enforcement actions (for now) and making them easily accessible, full-text searchable, tagged, indexed and annotated. To help users better understand the benefits and functionality of this tool, they have developed several use cases displaying how users might search the casebook and make use of the results.

US – New Data Breach Preparedness, Response Guidance

New to the IAPP Resource Center is the Washington Legal Foundation (WLF) Monograph Data Security Breaches: Incident Preparedness and Response. Authored by Jena Valdetero and David Zetoony of Bryan Cave LLP with a foreword by Federal Trade Commissioner Maureen Ohlhausen, the handbook provides a basic framework to assist in-house legal departments with handling a security incident. It explains security incidents, outlines ways in-house counsel can help prepare for an incident and offers steps that should be taken in responding to an incident as well as costs involved. “I believe this WLF Monograph will be a useful reference for in-house counsel as they prepare for and encounter security incidents,” Ohlhausen writes. [Full Story]

The IAPP’s Westin Research Center released the FTC Casebook, in which all FTC complaints and consent decrees and attendant documents are searchable by keyword, tag or case home page.

Privacy Enhancing Technologies (PETs)

WW – Google Patents Method for Enabling Private Browsing Automatically

While users who want to browse the Internet incognito usually must explicitly enable their browsers’ privacy settings to avoid being tracked, a new technology from Google may soon eliminate the step. The company has been granted a U.S. patent for a method that would allow private browsing automatically via certain websites. Browsers equipped with the technology would be able to tell when the website’s content might prompt users to opt for private browsing, the report states. Google’s description of the service says, “The privacy mode can be enabled to prevent storage of webpage user information generated as the user browses the webpage.” [eWeek]

US – Wearable Start-Up Raises $16M in Funding

A San Francisco-based healthcare start-up has raised $16 million in venture capital funding—$23 million in total funding—to bring Google Glass into the healthcare world. Augmedix uses the wearable technology to minimize the amount of time clinicians spend with electronic health records to increase the time spent with patients. The company’s chief executive officer said, “In terms of economic impact, we’ve repeatedly shown that our service effectively turns three doctors into four.” [Healthcare IT News]

US – Mining Your Genes

Fusion reports on the potential for pharmaceutical companies to mine people’s genes. “Imagine a world where genetic sequencing is free, like Gmail,” the report states. “That’s where we’re headed.”

US – On the Importance of Building Privacy Into Apps and Reddit AMAs

Massachusetts Institute of Technology’s Jean Yang and her team are working on Jeeves, a framework for programmers to implement privacy policies directly into the code. “If it works as foreseen—and there is still a lot to do around performance—a developer could write policies—who can see what and when—right into the application,” the report states. For example, an app might share GPS data only when the user is in a given ZIP code. [GigaOM]

Security

WW – This is the Cyberattack that Keeps Edward Snowden Up At Night

In an interview with James Bamford published by NOVA, Edward Snowden said that when it came to cyber warfare, the United States has “more to lose than any other nation on earth.” And he’s not just talking about attacks on systems with obvious effects on the physical world, but the potential fallout of attacks aimed at crippling the Internet itself. The United States is among the most digitally reliant nations out there, which opens up more avenues for cyberattacks. [The Washington Post]

WW – Majority of PHP Installations Are Insecure

More than three-quarters of PHP installations contain at least one security issue. Other software packages were found to contain flaws as well: 38% of sites running the Apache web server were found to be insecure, as were 36% of sites running Nginx, 22% of sites running Python, and 18% of sites running Perl. [The Register] [IRC Maxwell]

Smart Cars and Devices

WW – BMW Sounds Alarm Over Tech Companies Seeking Connected Car Data

BMW says technology companies and advertisers are putting increasing pressure on carmakers to hand over data collected by connected cars, “underlining the fine line being taken by the automotive industry between functionality and privacy.” BMW’s Ian Robertson said every car the company makes now offers some kind of wireless connectivity and there’s plenty of people saying, “Give us all the data you’ve got and we can tell you what we can do with it … and we’re saying ‘No thank you.’” Robertson said the data cars can collect now is as granular as being able to detect whether a child is in the car based on weight sensors. [The Irish Times]

CN – Even China’s Academy of Sciences Thinks Wearables Are a Privacy Problem

Researchers from the Chinese Academy of Sciences, the Australian National University, Dakota State University, Sydney University and Australia’s Commonwealth Scientific and Industrial Research Organisation (CSIRO) have looked over the state of play in the Internet of Things, and find that concern for privacy is lacking. Their paper at Arxiv notes that the current enthusiasm for wearables involves consumers handing over far more data (much of it highly personal and sensitive) than the mere boat-loads of data collected by outfits like Facebook. The paper offers a summary of areas the group says research is needed to develop both technologies and behaviours to protect user privacy in the IoT era. Problems highlighted by the report include:

  • User consent – somehow, the report says, users need to be able to give informed consent to data collection. Users, however, have limited time and technical knowledge.
  • Freedom of choice – both privacy protections and underlying standards should promote freedom of choice. For example, the study notes, users need a free choice of vendors in their smart homes; and they need the ability to revoke or revise their privacy choices.
  • Anonymity – IoT platforms pay scant attention to user anonymity when transmitting data, the researchers note. Future platforms could, for example, use TOR or similar technologies so that users can’t be too deeply profiled based on the behaviours of their “things”. [The Register]

Surveillance

WW – Paris Attacks Prompt Call for Intelligence-Sharing

Following the terrorist attacks in Paris, EU interior ministers pledged to increase intelligence-sharing, while data regulators warn surveillance programs under consideration must strike the right balance between privacy and security, Bloomberg reports. German Chancellor Angela Merkel has said she will press for new EU rules on data retention to help in the fight against terrorism; UK Prime Minister David Cameron says he will urge U.S. President Barack Obama to pressure Internet firms to cooperate more with intelligence agencies tracking the online activities of extremists, and European Council President Donald Tusk “has implored MEPs to accept the creation of a single, shared database of personal information on air passengers arriving in, or leaving, the EU.” Meanwhile, the European Commission said Monday it does not plan to launch an EU-wide intelligence agency. [Full Story]

US: FBI Says Search Warrants Not Needed to Use “Stingrays” In Public Places

The Federal Bureau of Investigation is taking the position that court warrants are not required when deploying cell-site simulators in public places. Nicknamed “stingrays,” the devices are decoy cell towers that capture locations and identities of mobile phone users and can intercept calls and texts. The FBI made its position known during private briefings with staff members of Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) and Sen. Chuck Grassley (R-Iowa). In response, the two lawmakers wrote Attorney General Eric Holder and Homeland Security chief Jeh Johnson, maintaining they were “concerned about whether the FBI and other law enforcement agencies have adequately considered the privacy interests” of Americans. According to the letter, which was released last week: “For example, we understand that the FBI’s new policy requires FBI agents to obtain a search warrant whenever a cell-site simulator is used as part of a FBI investigation or operation, unless one of several exceptions apply, including (among others): (1) cases that pose an imminent danger to public safety, (2) cases that involve a fugitive, or (3) cases in which the technology is used in public places or other locations at which the FBI deems there is no reasonable expectation of privacy.” [Slashdot] See also: [Hacked emails reveal China’s elaborate and absurd internet propaganda machine]

US – F.B.I. Is Broadening Surveillance Role, Report Shows

Although the government’s warrantless surveillance program is associated with the NSA, the FBI has gradually become a significant player in administering it, a newly declassified report shows. In 2008, according to the report, the F.B.I. assumed the power to review email accounts the N.S.A. wanted to collect through the “Prism” system, which collects emails of foreigners from providers like Yahoo and Google. The bureau’s top lawyer, Valerie E. Caproni, who is now a Federal District Court judge, developed procedures to make sure no such accounts belonged to Americans. Then, in October 2009, the F.B.I. started retaining copies of unprocessed communications gathered without a warrant to analyze for its own purposes. And in April 2012, the bureau began nominating new email accounts and phone numbers belonging to foreigners for collection, including through the N.S.A.’s “upstream” system, which collects communications transiting network switches. That information is in a 231-page study by the Justice Department’s inspector general about the F.B.I.’s activities under the FISA Amendments Act of 2008, which authorized the surveillance program. The report was entirely classified when completed in September 2012. But the government has now made a semi-redacted version of the report public in response to a Freedom of Information Act lawsuit filed by The New York Times. The Times filed the lawsuit after a wave of declassifications about government surveillance activities in response to leaks by the former intelligence contractor Edward J. Snowden. [nytimes.com]

US – Citizenfour Earns Oscar Nod; Snowden Talks from Moscow

It’s just been announced that Citizenfour, the documentary portraying the Snowden disclosures, has been nominated for an Oscar. Eric Jones reviews the film, noting it refrains from any narrative defense of Snowden’s actions and instead reveals Snowden’s slowly developing apprehension and also his lack of panic or regret. “The net effect is a sympathetic portrayal of a man, misguided or not, who views himself as doing the right thing and is only in this moment seeing the monumental consequences of his actions,” he writes. Meanwhile, James Bamford of PBS has published an interview with Snowden from Moscow on cyberattacks. [Privacy Advisor]

WW – Welcome to ‘Uber-Veillance’ Says Australian Privacy Foundation

Regulators are way behind the game when it comes to wearable and IoT privacy, and users are willingly conspiring with companies that don’t care about them to help create a society of “uber-veillance”. That’s the grim conclusion reached by Australian Privacy Foundation (APF) board member and University of Wollongong researcher Katina Michael in conversation with The Register. [theregister.co.uk]

WW – Ex MS Privacy Head Had Warned of Cloud Spying, But Lost His Job

In 2011, two years before the Snowden disclosures, Microsoft’s then Chief Privacy Officer Caspar Bowden tried to warn his company that any cloud computing solutions sold to foreign governments would mean unlimited mass surveillance on their clients by the NSA. Two months later Bowden was fired from Redmond. [NetworksAsia]

Telecom / TV

US – Mayer Identifies Zombie Cookies

The latest technological find in the device-tracking landscape is ominously called “zombie cookies.” Initially discovered by Stanford’s Jonathan Mayer, zombie cookies stem from a “hidden undeletable number” placed on users of Verizon smartphones and tablets and used by advertising company Turn. The Verizon number is used “to respawn tracking cookies that users have deleted,” the report states. Turn Chief Privacy Officer Max Ochoa said, “We are trying to use the most persistent identifier that we can in order to do what we do.” Verizon’s “perma cookie” caused a stir in the news last year, and AT&T dropped a similar ID number after those reports surfaced. In a blog post, Mayer wrote that given the tracking practice, “I think there’s also a good FCC, FTC or state deception case against Verizon.” [ProPublica]

US – EFF Wants Verizon to Ditch Tracking Technology

The Electronic Frontier Foundation (EFF) is urging Verizon Wireless to ditch a tracking technology that allows ad networks to collect data and send targeted ads to mobile users even in cases in which the user has tried to avoid tracking by deleting cookies. “It is clear that Verizon does not understand the privacy risks it is imposing on customers,” the EFF said. Verizon’s tracking system, which came to light last November, allows third-party advertisers to develop a “deep, permanent profile” of web-browsing habits. “Going forward, the company should undertake to obtain genuine prior, informed consent for any future tracking activities,” the EFF said. [MediaPost]
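The Verizon header item under Online Privacy and the two zombie-cookie items above describe the same mechanism: a carrier-injected identifier that outlives cookie deletion. The following added example (not code from any of the cited reports) shows what a site operator or proxy can do on the defensive side: detect and strip such headers, and scan an access log for the respawn signal, the same carrier token reappearing with freshly issued cookies. The header names X-UIDH and X-ACR are assumptions taken from 2014 press coverage rather than from this page, and all requests and log lines are constructed.

```python
"""Detect and scrub carrier-injected tracking headers; spot cookie respawning.

Added example, not code from the cited reports. Header names are assumptions
(2014 coverage named Verizon's X-UIDH and AT&T's X-ACR); inputs are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Assumed header names. These identifiers are only ever injected into
# plaintext HTTP; a carrier cannot add headers to a TLS-protected request,
# so serving over HTTPS is the primary mitigation.
CARRIER_ID_HEADERS = {
    "x-uidh": "Verizon Unique Identifier Header (UIDH) - assumed name",
    "x-acr": "AT&T Anonymous Customer Reference - assumed name",
}

# Constructed HTTP/1.1 request as a reverse proxy would see it.
RAW_REQUEST = (
    "GET /article HTTP/1.1\r\n"
    "Host: news.example\r\n"
    "User-Agent: Mozilla/5.0 (constructed)\r\n"
    "X-UIDH: OTgxMjM0NTY3ODkw-constructed-token\r\n"
    "Cookie: sid=abc123\r\n"
    "\r\n"
)

# Constructed access log: the app logs the carrier token next to its own
# session cookie. Token AAA keeps showing up while the cookie changes.
SAMPLE_LOG = """\
2015-01-12T10:00:00Z uidh=AAA cookie=c1
2015-01-12T10:05:00Z uidh=AAA cookie=c1
2015-01-13T09:00:00Z uidh=AAA cookie=c2
2015-01-13T09:10:00Z uidh=BBB cookie=c3
2015-01-13T09:12:00Z uidh=- cookie=c4
"""

LOG_RE = re.compile(r"uidh=(\S+)\s+cookie=(\S+)")


def parse_headers(raw_request: str) -> list[tuple[str, str]]:
    """Split request line + headers into lower-cased (name, value) pairs."""
    head = raw_request.partition("\r\n\r\n")[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        if name.strip():
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def find_carrier_identifiers(raw_request: str) -> list[dict[str, str]]:
    """Report every known carrier identifier header present in the request."""
    return [
        {"header": name, "token": value, "description": CARRIER_ID_HEADERS[name]}
        for name, value in parse_headers(raw_request)
        if name in CARRIER_ID_HEADERS
    ]


def scrub_carrier_identifiers(raw_request: str) -> str:
    """Return the request with carrier identifier headers removed.

    Suitable for a reverse proxy so neither the application nor any
    embedded ad tag ever sees the persistent token.
    """
    head, sep, body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    kept = [lines[0]]
    for line in lines[1:]:
        if line.partition(":")[0].strip().lower() not in CARRIER_ID_HEADERS:
            kept.append(line)
    return "\r\n".join(kept) + sep + body


def respawn_candidates(log_text: str) -> dict[str, set[str]]:
    """Map each carrier token to the distinct cookies seen with it.

    A token paired with more than one cookie is the respawn signal: the
    user cleared cookies, but the carrier identifier re-linked the sessions.
    """
    seen: dict[str, set[str]] = defaultdict(set)
    for match in LOG_RE.finditer(log_text):
        token, cookie = match.groups()
        if token != "-":  # "-" marks a request with no carrier token
            seen[token].add(cookie)
    return {tok: cookies for tok, cookies in seen.items() if len(cookies) > 1}


if __name__ == "__main__":
    for finding in find_carrier_identifiers(RAW_REQUEST):
        print(f"{finding['header']}: {finding['description']}")
    print(scrub_carrier_identifiers(RAW_REQUEST))
    print(respawn_candidates(SAMPLE_LOG))
```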

UK – ‘Burglar’s Shopping List’ Security Flaw Fixed

An online service recommended by most of the UK’s police forces has fixed a privacy flaw after being alerted by a security expert. Immobilise allows members of the public to add records to the National Property Register, detailing valuables in their homes. But security consultant Paul Moore discovered a flaw that made it possible to access other people’s records. Recipero, operators of Immobilise, said it had fixed the vulnerability. [BBC News]

US Government Programs

US – NSA to Begin Internship Program This Fall

The NSA will begin accepting applications this fall for its first privacy and civil liberties internship program. At least one student will be chosen for the 2016 summer program to work in the NSA’s newly created Civil Liberties and Privacy Office, the report states. NSA Director of Civil Liberties and Privacy Rebecca Richards said interns are an opportunity for her office. “Exposing the agency to newly minted college grads as well as exposing those newly minted college grads to what the agency does can only bring benefits to this conversation” around NSA surveillance practices, Richards said. [Fedscoop]

US Legislation

US – Obama Lays Out Legislative Proposals

President Barack Obama announced a new legislative proposal to enable cybersecurity information-sharing between the public and private sectors. Specifically, the private sector is encouraged to share threat data with the Department of Homeland Security (DHS). Additionally, the proposal includes modernizing law enforcement authorities by providing tools to fight cybercrime—including the sale of botnets, stolen credit card data and malware. The Center for Democracy & Technology’s Harley Geiger said the proposal includes more privacy-protecting measures than the Cyber Intelligence and Sharing Act, but it “allows companies to share user information with the (DHS) regardless of any privacy law” and allows the DHS to share with other law enforcement “for purposes unrelated to cybersecurity.” [Full Story]

US – Obama Releases Breach Bill Text; NY AG Proposing Data Security Bill

The Obama administration has released the text of its proposed data breach notification bill. While the proposal would strip states of the ability to make their own rules, state AGs could still keep pressure on companies by using state laws that aren’t preempted by the measure. Meanwhile, New York Attorney General (AG) Eric Schneiderman said he will propose legislation to make the state’s data security law the strongest in the country, and Schneiderman and 18 other state AGs have asked JP Morgan for more evidence on last year’s data breach. And The Hill reports credit unions want Congress to create a bipartisan working group to address the ongoing rash of data breaches. [Law360]

US – Obama Wants Breach Disclosure Law

President Obama is asking legislators to pass a bill that would require companies to disclose data security breaches that expose customer data within 30 days. The move is a response to recent breaches that have compromised the personal information of millions of people. Obama also wants the bill to include a provision prohibiting companies from selling students’ information to third party companies. [DarkReading] [TheRegister] [ComputerWorld] [CNET] [President Barack Obama announced a new legislative proposal to enable cybersecurity information-sharing between the public and private sectors] [The Hill reports on comments made by Rep. Zoe Lofgren (D-CA) on the Cyber Intelligence Sharing and Protection Act, saying its “astonishingly broad and overly vague information-sharing regime does more harm than good when it comes to Americans’ privacy.”] [Reed Freeman, IAPP Privacy Perspectives] [US – Obama’s Data-Breach Initiative Has Privacy Advocates Optimistic, Cautious] and [After a long delay, Obama declines to fire U.S. attorneys over Aaron Swartz’s suicide]

US – Senator to Introduce Breach Bill; Business Happy with Obama Proposal

Sen. Bill Nelson (D-FL), the ranking member on the Senate Commerce Committee, will soon introduce a data breach notification bill that closely resembles a proposal President Barack Obama called for during his speech Monday. “Now is the time Congress must act,” Nelson said. Meanwhile, NationalJournal reports business groups and Republicans are cheering rather than jeering Obama’s proposal, largely because it would uncomplicate the patchwork state laws businesses must now comply with, but Nextgov asks the question: why wouldn’t the legislation apply to government agencies? [The Hill]

US – New Tennessee Law Protects Employees’ Online Privacy

Now that 2015 is here, the new year brings many new laws into effect in Tennessee. That includes a change that protects employees’ private information on Facebook, Twitter and other social media accounts from nosy bosses. Tennessee now joins a list of dozens of states that have passed an Employee Online Privacy Act. McCarty says it protects people who make their online settings private, not the information someone shares with the entire World Wide Web. The new law says employers cannot force an employee or job applicant to provide access to private information. There are some exceptions that allow employers to pry, such as social media accounts that are specifically for work and identified as affiliated with an employer. [WBIR TV]

US – Delaware’s New Laws: Privacy Protection, Digital Assets

As of midnight Jan. 1, new Delaware laws went into effect to protect the privacy of consumer information; allow access to digital assets of an incapacitated family member; require new disclosure around campaign contributions; and require notice of cancellation of an insurance policy. [The News Journal]

US – Illinois Passes New ‘Revenge Porn’ Law That Includes Harsh Penalties

Illinois became the latest state to criminalize “revenge porn,” crafting what its creators hope will become a model for federal legislation. Gov. Pat Quinn signed a measure making the “non-consensual dissemination of private sexual images” a felony offense in Illinois. The new “revenge porn” law goes into effect June 1, 2015, and will punish offenders with one to three years in prison and up to a $25,000 fine. [Huffington Post]

US – N.D. Bill on Teacher ‘Privacy’ Introduced

A bill introduced to the State Legislature would restrict access to school district records and is the latest in a trio of bills aiming to exempt certain information from the state’s open records laws. Senate Bill 2153 would seal relevant records in a school district employee’s file should that employee be charged with a crime in district court. The records would become publicly available after the criminal complaint against the employee was resolved. The bill is the third this legislative session to attempt to create exemptions to the state’s open records laws. Senate Bill 2133 would remove university students’ email, home and mailing addresses, as well as phone numbers, from the public record. The bill, introduced Tuesday, is a reaction to a mass open records request for students’ contact information by Odney Advertising, which consults for the Republican Party. Senate Bill 2134 would allow the State Board of Higher Education to discuss in private the hiring or firing of a chancellor. It would also make confidential all records used to prepare performance evaluations of top education officials. [The Bismarck Tribune] See also: [US – Teen’s computer-privacy tussle with his Wayzata school goes viral]

Workplace Privacy

UK – BBC Accused of ‘Spying’ After 150 Staff Emails Accessed or Monitored

The BBC has been accused of “spying” on its own staff after it was revealed that nearly 150 staff email accounts were accessed or monitored over the past two years. In response to a Freedom of Information request from the Press Gazette, the BBC said 37 staff email accounts had been monitored because of leak investigations in 2013 and 2014. Other staff accounts had been looked into as a result of a variety of complaints and inquiries, including allegations of fraud, assault, harassment and disciplinary cases. Michelle Stanistreet, general secretary of the National Union of Journalists, said: “The BBC has previously denied any significant monitoring of staff email accounts, and only in criminal or disciplinary investigations, but these figures cast doubt on that explanation and the NUJ will work with our network of reps to get to the bottom of the kind of spying that has been taking place.” [The Guardian]

+++
