16-31 January 2015


US – DHS to Roll Out Facial Recognition Along Border

The Department of Homeland Security (DHS) will unveil iris- and facial-recognition services along U.S. borders starting this summer. The U.S. Border Patrol will use the technology in conjunction with the FBI’s Next Generation Identification system. The move is part of an overhaul of the “IDENT” biometric system, which currently possesses more than 170 million fingerprints and facial images of non-U.S. citizens along with 600,000 iris templates, the report states. “While the photos do not satisfy some quality requirements for facial matching,” the DHS said it’s looking for ways to use the biometric data “with strong privacy and security protections in place to improve the accuracy of biometric identification/ /verification.” [Defense One] SEE ASLO: [Ars Technica: Law Enforcement, Advocate Face Off in Debate on Biometrics]

US Military Wants to Replace Passwords With “Cognitive Fingerprints”

Transparent, behaviour-based biometrics could provide the nudge that’s needed to push biometrics into the mainstream, but there are two major obstacles to overcome before that happens. The first is that you can’t change your biometrics – so what’s the equivalent of changing your password if you’re compromised? The second is that for all the frustration that comes with remembering (and forgetting) our passwords, we know and feel, tangibly, that they’re under our control. [NakedSecurity]

WW – The Rise of Emotion-Detection Tech

A number of companies are developing emotion-detection technology and the privacy concerns of emotion-detection’s pioneer, Paul Ekman. Ekman, an 80-year-old psychologist, fears he may have created a monster, according to the report. Start-ups such as Emotient, Affectiva and Eyeris are using Ekman’s research to drive their software. These companies are also compiling a large database “seeking patterns that can predict emotional reactions and behavior on a massive scale.” Ekman, who also serves as an advisor to Emotient, says he is torn between the technology’s potential and privacy issues including surveillance and notice and consent. [The Wall Street Journal]

WW – Psychological Profile-Based Security – Could It Work?

Fujitsu claims that its technology can assign security countermeasures based on a user’s psychological profile and risk tendencies – warning them ahead of time, before an attack can be carried out successfully. …Computer-based behavioral profiling is becoming very popular – recent research has found that algorithms can be more accurate at identifying personality traits and predicting behaviors than a person’s closest friends. Fujitsu says its behavior-based security tool can recognize what types of risks an individual is prone to, and direct countermeasures most appropriate to that person. [Naked Security]

Big Data

WW – Using Search Data to Explore “Socially Sensitive” Questions

Seth Stephens-Davidowitz shares his data-mining research on people’s perceptions and questions about sex by using Google search data. “Call it everything you always wanted to know about sex but didn’t have the data to ask,” he writes, noting that traditional surveys are not reliable in relation to such questions. By mining Google searches, Stephens-Davidowitz explores some of society’s more sensitive questions but wonders if he’s gone too far. Prof. Dan Ariely cautioned readers about the interpretation of this data, saying it may be skewed as, “Google is a reflection of what people don’t know and need extra information about.” [The New York Times]

UK – The Big Data Issue: Think Tank Calls for New Office of Responsibility

The proposed Office of Data Responsibility would help build British citizens’ trust in public bodies that use their data …For example the NHS’s care.data scheme, under which patient data will be shared between GP surgeries and hospitals, was met with strong opposition. The failed implementation of a national ID cards scheme under former Prime Minister Gordon Brown is another case in point which shows public mistrust in the handling of data by public bodies. [Misco]

US – Big Data’s Disconnect: CXO Vs Employee Views

Executives other than CEOs, and especially lower-level managers, see the current status and benefits of data initiatives far differently than the CEOs, the survey shows. While 47% of CEOs think all employees have access to the data they need, only 27% of all respondents agree that they do. [Source]


CA – CSE Tracks Millions of Downloads Daily: Snowden Documents

Global sites for sharing movies, photos, music targeted in mass anti-terror surveillance: CBC analyzed the document in collaboration with the U.S. news website The Intercept, which obtained it from Snowden. The presentation provides a rare glimpse into Canada’s cyber-sleuthing capabilities and its use of its spy partners’ immense databases to track the online traffic of millions of people around the world, including Canadians. That glimpse may be of even greater interest now that the Harper government plans to introduce new legislation increasing the powers of Canada’s security agencies. [CBC]

CA – Federal Government’s New Terror Law Concerns Privacy Watchdog

Privacy watchdog is concerned about info sharing provisions in the Conservatives new terror laws, as PM Harper heads to Toronto to sell them. Privacy commissioner Daniel Therrien says he will be closely watching the wording of provisions aimed at increasing information sharing among government agencies. [The Toronto Star] See also: [The Canadian government may revise “the Passenger Protect system to make it easier to keep individuals from boarding planes.”]

CA – Expert Says Spy Agencies ‘Drowning in Data’ and Unable to Follow Leads

U.S. reports question effectiveness of bulk collection in hunt for terrorists. Under Levitation, the electronic spy agency was sifting through up to 15 million uploads or downloads each day from around the world as part of a counterterrorism effort. But, according to the presentation, only 350 downloads each month triggered any kind of follow-up — an extremely small portion of the indiscriminately collected data. The way the program worked was that the CSE tapped into collected metadata on those downloads. It then used the computer’s IP addresses to cross-reference that through at least two wide-reaching databases of metadata held by Canada’s spying partners to try to figure out a suspect’s identity and to further monitor that person’s online activity. [CBC]

CA – Project Levitation: Politicians Call for Cybersurveillance Oversight

Surveillance meant to protect homeland security may not protect Canadians’ privacy rights. Some politicians are calling for heavier oversight of the Communications Security Establishment’s eavesdropping service that accesses everyday Canadians’ online activity. [CBC]

CA – Anti-Terror Bill to Give Agencies More Authority to Share Private Info

The changes would allow information submitted in passport applications and on the movement of items such as automatic weapons, GPS systems or controlled goods that could be used in terrorist attacks to be shared with Canadian security agencies. Other measures Ottawa is preparing include reducing the threshold required to make preventive arrests or detentions of suspected extremists. [G&M] [G&M: Harper’s Anti-Terror Bill to Criminalize the ‘Promotion of Terrorism’] [Ottawa Citizen: Anti-Terror Bill: Can Government Balance Security and Civil Rights?]

CA – Canadian Police Spent $1.6 Million on an Unconstitutional Spying Program

VICE’s analysis of the records show that the RCMP paid over $1.6 million to Canada’s cellphone companies since 2010 in order to skirt the normal process of having these requests approved by a judge. [Source]

CA – Bill C-13: Cyberbullying Bill Introduces New Lawful Access Measures

According to many commentators, the current Act, by combining both cyberbullying and lawful access concepts into a single piece of legislation, has served to reduce public controversy as legislating to attack the increasing problem of cyberbullying is a popular proposition. As well, the lawful access measures contained in the Act are a far cry from those much more robust powers that were being proposed for law enforcement in the earlier lawful access bills. For instance, Bill C-30 provided for warrantless mandatory disclosure of basic subscriber information, a controversial provision that did not resurface in the current Act. Nevertheless, the Act has still served as a bit of a lightning rod for controversy in the media and with the public. [JDSupra] Canada reports on the effect the country’s new cyberbullying bill could have on business.

CA – Changes to Police Record-Check Policies to Remove Embarrassing Details

B.C.’s privacy commissioner says police forces across the province are implementing new policies preventing them from revealing embarrassing details in record checks. “We assume the presumption of innocence as well, so information that relates to a complaint that doesn’t go anywhere, a complaint to the police by say a frustrated neighbour, again that shouldn’t find its way into an employment check.”… Denham said the greatest number of complaints they heard were about disclosure of information of suicide attempts or apprehensions under the Mental Health Act. [Vancouver Sun] [Times Colonist: Police Told to Restrict Background-Check Detail]

CA – New N.W.T. Health Care Legislation Raises Privacy Concerns

Privacy Commissioner says Bill 36 could allow access to confidential health records. “This Act, this bill, says an investigator may demand any information from any person and it goes on to say you can’t refuse to provide that information,” says Keenan Bengts, Information and Privacy Commissioner for the N.W.T. That, she says, could put people in a position where they have to decide whether to comply with Access to Information laws or face up to $5,000 in fines. [CBC] [In Northwest Territories, legislation that would allow the regulation of naturopaths and psychologists has prompted concerns from Information and Privacy Commissioner Keenan Bengts that the bill could violate privacy] See also: [New Brunswick is reviewing its legislation governing access to information and protection of privacy, and the public is asked to provide feedback through March 31]

CA – B.C.’s Privacy Commissioner to Investigate Saanich Spyware Concerns

Saanich Mayor Richard Atwell revealed to media Jan. 12 his concerns about the installation of employee monitoring software on his and other computers at Saanich municipal hall. “My office has been closely following recent events in the District of Saanich, where allegations have been made that spyware is being used on district-owned computers to monitor employees with or without their consent,” Denham said. “In light of many outstanding questions and concerns, I have decided to act on my own motion and initiate an investigation into whether the District’s use of employee monitoring software complies with the Freedom of Information and Protection of Privacy Act.” [Source] [Embattled Saanich Mayor Could Have the Last Laugh] [Times Colonist: Mayor Atwell Received Computer Security Form, Didn’t Sign It]

CA – Commissioner Advises Businesses on Importance of Protecting Information

Therrien said his message isn’t just for major companies but for the thousands of smaller businesses operating across Canada as 98% of companies employ fewer than 100 people. …businesses that don’t have strong privacy controls risk losing their competitive advantage in today’s increasingly privacy conscious marketplace. …About a third of all private sector privacy complaints under Canada’s federal private sector privacy law appear to involve smaller businesses. Landlords, hotels, real estate agencies, collection agencies, travel agencies, independent local retailers and financial planners are among the types of businesses in the community that are at the centre of these complaints. [Source] [Federal Privacy Commissioner Embarks on Private Privacy Campaign]

CA – What Obama’s Mandatory Data Breach Reporting Law Could Mean for Canada

Some Canadian privacy advocates are hopeful that if Obama’s proposed law has teeth, they will be able to brandish it in front of Canadian lawmakers and demand changes for Bill S-4, which is currently in front of a House of Commons committee for review. Like other privacy advocacy groups, John Lawford and his team have made a request to appear in front of this committee. [IT Business]

CA – B.C. Agency Drops Unlawful Seizure Case Without Explanation

Mr. Schwarz’s 16-month fight to keep the home ended this week, when the office abandoned the attempt without explanation. The case — described by a civil liberties expert as “outrageous” — was another black mark for the agency, which has been criticized for the aggressiveness of its operations. Some have called it a cash cow. B.C.’s Civil Forfeiture Office has seized $6-million more in property than a similar agency in Ontario that was opened three years earlier. The B.C. office does not need criminal charges or a conviction to pursue a case. [Globe & Mail]

CA – New Canadian Certification Program Puts Privacy First

“If you can embed privacy as the default setting in every practice and program, whatever the default condition is, it will prevail 80% of the time,” said Cavoukian. “If you can give that kind of assurance to your customers, they will thank you with their repeat business and attract new business opportunities.” In order to promote this outlook in Canada, Cavoukian announced a “Privacy by Design” certification program that Ryerson University will be launching in partnership with audit firm Deloitte. It’s a program that will be rolled out in the coming months to any company, including those in the channel, who want to meet a benchmark for security and privacy in the solutions they offer. It tries to take a proactive approach to preventing data loss. [Computer Dealer News] [Practical Webcast Q&A: Financial Innovation – Building an Analytic Foundation Through Privacy by Design]


CA – Concern for Privacy Has Jumped, Survey of Canadians Finds

More than seven in 10 Canadians (73%) said they feel they have less protection of their personal information in their daily lives – the highest level in a decade. Meanwhile, 60% say they have little expectation of privacy today, either online or in the real world because there are so many ways in which their privacy can be compromised. The survey of more than 1,500 Canadians was commissioned by the Office of the Privacy Commissioner of Canada and published today on the occasion of Data Privacy Day.

[News Release – Office of the Privacy Commissioner of Canada] [CBC: Cyber Surveillance Worries Most Canadians: Privacy Czar’s Poll] [Daniel Therrien: Consumers Care About How Companies Treat Privacy] [Online Privacy and Banks: Has Anyone Asked the Millennials]

US – Study: Amazon Most Trusted Company for Privacy in 2014

The Ponemon Institute released the results of its 2014 Most Trusted Companies for Privacy Study. According to the study, Amazon was the most trusted company for privacy. Other companies named in the top 10 include American Express, PayPal, Hewlett Packard, IBM, Nationwide, USAA, LinkedIn, Apple, USPS, Intuit and Mozilla. “What these companies have in common is a strong orientation to respecting their customers and providing the best possible customer service,” the Ponemon study stated. Meanwhile, according to a new study by Truste , 45% of U.S. citizens think online privacy is more important than national security. [Full Story]

US – Survey: Customers Less Willing to Share Data

A survey of Media Network readers and members on issues facing the media industry on topics ranging from data usage to remote working to privacy. The most resounding responses were related to data and its use, the report states. Only 15% of members surveyed said they feel their customers are becoming more willing to share their data; the vast majority said they feel customers are “clamming up in the face of companies requesting increasing amounts of data.” Two-thirds of respondents said it’s clear customers are concerned about their data privacy. [The Guardian] See also: [Calgary Herald: How to Legally Fly a Drone in Canada]

WW – Global Survey Finds Tech in Need of Privacy Rules

A new survey released at the World Economic Forum finds divergent opinion about issues raised by technology but also consensus on the need for stronger privacy protections. Conducted by Microsoft, Views from Around the Globe: 2nd Annual Poll on How Personal Technology Is Changing Our Lives surveyed 12,002 Internet users from 12 countries over the course of the last year. “After the broad consensus about how the web brings us great deals and boosts business, there’s a deep divergence on many issues,” said Microsoft Chief Strategy Officer Mark Penn. With the exception of India, a majority of those surveyed believe technology has had a negative effect on privacy, while every country except India and Indonesia said current legal protections for tech users are not enough. [USA Today]

US – Young Americans Split on Favoring Security Over Privacy

Overall, 63% of respondents said that they would forgo personal privacy in order to allow the government to investigate possible terror threats. Only 32% deemed it more important to preserve privacy. However, younger Americans appear to put more value on personal privacy than do their elder counterparts. Among respondents ages 18-39, 52% favored the investigation of terror threats, while 45% put more weight on privacy. In comparison, 67% of those ages 40-64 labeled investigating threats more important, as did 75% of individuals age 65 and older. Almost 95% of users aged 14–17 had checked or changed their privacy settings on social network systems, compared to an average of just 65% across all age groups. The figure dropped to 77% and 67% for users aged 18–24 and 25–34 respectively. These younger age groups, all sitting above the broad average, contrasted with figures for older users – just under 55% of those aged between 45 and 54 had checked or changed their settings, falling to 52.7% for 55 to 64-year-olds, and 32.5% for seniors. … Young people are constantly learning to navigate new norms of privacy in these emerging and shifting social contexts. A 14-year-old may be concerned about whether her mother reads her Facebook posts to her boyfriend. A 17-year-old might worry about what potential employers think of party photos. And a 19-year-old may grapple with what is appropriate to post about her working day. [Source] [Source]

WW – A Retreat for Google Glass;a Case Study in the Perils of Making Hardware

The device was pre-emptively banned by bars and large parts of Las Vegas. Legislators in West Virginia tried to make it illegal to use the gadget while driving. “There’s no vision for why people actually need this device,” Mr. Gownder said. “That’s a problem. When you don’t have that, people fill that in with their own assumptions, and right now the assumption is that this is a device for recording people.” [NYT blog]


CA – CRTC Reports First Action Under CASL

Faced with uncertainties, organizations seeking in good faith to comply have awaited with anticipation the first decisions of the regulators, in the hope that the details of these decisions will assist in clarifying their compliance obligations. Unfortunately, those hopes will likely be dashed … The report is not a “report” per se, but rather is a press Release. Partially as a result of this, the Release reads more like a dispatch from the frontlines then a useful report on a CASL inquiry. [Lexology] [Financial Post: What You Need to Know About the Hidden, Rolling CASL Deadlines]

WW – The “Dirty Dozen” SPAMPIONSHIP: Who’s the biggest? Who’s the worst?

For years, the USA has come out at the top of our spam by volume chart. That has been a simple side-effect of cheap and fast internet access available to a large population that owns lots of computers. But China has been flirting with top spot for the previous year, and finally cracked that dubious honour in the last quarter of 2014. [Naked Security]

Electronic Records

CA – Anti-Abortion Activist Fired In Patient Privacy Breach

Anti-abortion activist fired after a hospital privacy breach in which hundreds of patient records and abortion files were inappropriately accessed. Ontario’s acting privacy commissioner, Brian Beamish, says that an investigation was launched after Peterborough hospital informed his office about a privacy breach. The commission found that the hospital had “responded reasonably” to the breach, he said. [Star]


US – Obama’s Data Security Plan: Do as I Say, Not as I Do

A recent report on data security practices, programs and defenses at the Department of Homeland Security points toward what may well be a horrible train wreck to come. According to the report, “Widespread weaknesses in the federal government’s information security practices represent a significant vulnerability that could be exploited by adversaries, creating a potential threat to national security and American citizens.” [ABC News]

WW – Global Encryption Market Could Top $2B

A new report from Allied Market Research states that the global encryption software market will reach as much as $2.16 billion in the next five years. And encrypted messaging company Wickr has released a new self-destructing photo feed that uses cat memes to encrypt data.

EU Developments

EU – Council of Europe: Mass Surveillance Does Not Stop Terrorists

The Council of Europe says mass surveillance is ineffective in the fight against terrorism, threatens human rights and violates the privacy enshrined in European law. A 35-page document drafted by Dutch MP Pieter Omtzigt says the EU’s member states should take measures before “the industrial-surveillance complex spins out of control.” The report provides recommendations to the European Court of Human Rights. [Vice News]

US – Report Finds No Substitute to Gathering Bulk Intelligence

“There are no technical alternatives that can accomplish the same functions as bulk collection and serve as a complete substitute for it; there is no technological magic,” the report said. … However, a blue-ribbon panel set up by Obama following Snowden’s revelations reported it could find no evidence that sweeping collection of the telephone metadata of Americans led to a single major counter-terrorism breakthrough. [Reuters]

EU – DPAs to Meet on Safe Harbor’s Future

German data privacy commissioners will meet in Berlin for their annual conference to discuss whether the Safe Harbor agreement between the EU and the U.S. should be scrapped. The meeting will allow German regulators to voice ongoing frustration over the lack of reform following the Snowden revelations, which revealed the NSA was collecting German citizens’ data. “I, as well as several of my German colleagues, have serious doubts about whether U.S. companies that have self-certified under the agreement can be considered to be in a safe harbor,” said Berlin’s commissioner for data and information. [ZDNet] [DPA: Data-Transfer Agreement Needed Now]

EU – Facebook Class-Action to Commence in April

A court date for a class-action lawsuit against Facebook has been set by an Austrian court. Scheduled for this April, the Vienna Regional Court will hear a case involving Max Schrems and his group Europe-v-Facebook. In the case, Schrems claims Facebook violates EU law by tracking users on external websites via social plugins. [PC World]

EU – Reding: Legislation Needed to Level Tech Playing Field

MEP Viviane Reding said European legislators are seeking to finalize negotiations on a digital single market that aims to level the playing field for European technology companies. “For months, European government officials and regulators have clashed with the likes of Google, Amazon.com and Facebook over everything from taxes to privacy,” the report states. Reding said she wants to see single-market legislation this year. “American companies come from outside and act as if it was a lawless environment to which they are coming. There are conflicts not only about competition rules but also simply about obeying the rules,” she said. [The Wall Street Journal] [The European Commission says it wants to have a single cross-continent data protection law in place by the end of the year, claiming it will bring major benefits to consumers and businesses]

EU – EDPS Buttarelli Says EU Must Be Global Voice Amidst Tensions With U.S.

“Europe needs to be at the forefront in shaping a global digital standard for privacy and data protection which centres on the right of the individual,” said European Data Protection Supervisor Giovanni Buttarelli. These comments came during a speech, as data protection tensions between the EU and U.S. rise. Buttarelli said he and Assistant Data Protection Supervisor Wojciech Wiewiórowski want to alter the office’s role to become advisory and supervisory, the report states. “The goal for my mandate is for the EU to speak with one voice on data protection, a voice which is credible, informed and relevant,” he added. [Euractiv]

EU – Other News

Facts & Stats

WW – Legislators, Industry Busy on Data Privacy Day

Lawmakers and other industry groups showed solidarity with Data Privacy Day. Senators sent U.S. Attorney General Eric Holder a letter questioning the Drug Enforcement Agency’s vehicle-tracking database. Co-chairs of the Congressional Bi-Partisan Privacy Caucus called for better privacy protections. Additionally, some industry groups called for a revamp of the Electronic Communications Privacy Act (ECPA). Sens. Patrick Leahy (D-VT) and Mike Lee (R-UT) also renewed attempts to overhaul ECPA. Separately, a Senate panel began work crafting cybersecurity legislation. Loretta Lynch, the current nominee for U.S. Attorney General, said electronic privacy protection will be a priority for her. Meanwhile, SC Magazine reports on how organizations can prepare for privacy legislation in 2015. [Broadcasting & Cable]

US – Benchmarking on Industry Use of PIAs

TRUSTe revealed results from a comprehensive survey of privacy professionals working across the globe and industry sectors for large organizations on how they implement privacy impact assessments (PIAs). Up to this point, there has not been much data available on industry use of PIAs. The two biggest obstacles for implementing PIAs, according to TRUSTe, are budgetary concerns and available time to conduct them. [Privacy Advisor]

US – OTA: More Than 90% of Breaches Preventable

A report released from the Online Trust Alliance (OTA) found that more than 90% of the data breaches that occurred from January to June 2014 could have been prevented. The OTA’s 2015 Data Protection Best Practices and Risk Assessment guides found 40% of the thousands of breaches analyzed were due to external intrusions; 29% by employees—either accidentally, maliciously or due to a lack of controls—and 18% resulted from lost or stolen devices. The report recommends companies enforce effective password management with multi-factor authentication and permit only authorized wireless devices to connect to company networks, among other recommendations. [MediaPost]

US – Info Security Leads All IT Spending

ESG research indicates “security/IT risk management initiatives” are the leading area for IT spending in the upcoming year, jumping from 34% of all responses in 2014 to 46% of all responses in 2015. Security issues have never before topped the list. It’s certainly not surprising, given reports like SC Magazine’s that “PCI compliance is not synonymous with security“ and SplashData’s that “123456” yet again tops the list of the most popular passwords . Perhaps, however, the private sector can look to its colleagues in the public sector. Nextgov reports survey results find that government agencies are actually better at responding to hacks than the private sector. [NetworkWorld]


WW – OECD, G20 Unanimously Endorse Global Automatic Information Exchange

This global automatic information exchange initiative is based on each jurisdiction’s participation in the OECD’s Multi-lateral Convention on Mutual Administrative Assistance in Tax Matters. The information exchange itself will follow the OECD’s Standard for Automatic Exchange of Financial Account Information in Tax Matters (first released in July 2014). This automatic information exchange “draws extensively on the intergovernmental approach to implementing FATCA” and is designed to be implemented via a combination of multi-lateral conventions and bi-lateral competent authority agreements….This is a significant development in the global trend towards information sharing. [Mondaq] [JD Supra: FATCA Data Sharing Goes Online] SEE ALSO: [WW – ‘The Age of Financial Privacy is Over’]

US – Credit Union Industry Wants Retailers Held to Equal Standards

The Credit Union National Association sent a letter to Congress saying retailers and banks should be held to the same standard. “The financial industry is required by law to develop and maintain robust internal protections to combat and address criminal attacks and (is) required to protect consumer financial information and notify consumers when a breach occurs” that could put customers at risk, the letter said. “The same cannot be said for other industries, like retailers, that routinely handle this same information and increasingly store it for their own purposes.” [The Hill] SEE ALSO: [The New York Times: Future of Lending May Focus on Behavior, Not Credit History]

CA – RBC Customer’s Bank Accounts Looted 3 Times by Identity Thieves

Bank says it took ‘reasonable steps’ to protect Meghann Johnston’s accounts, “I was extremely upset that time. This is the third time and they had accessed funds that I had delegated to something else and [RBC] had accepted the same fraudulent ID and this person just walked out with, again, thousands of dollars of my money.” Johnston says her wallet has never been stolen, so she doesn’t know how the fraudster or fraudsters got hold of her personal information. “I do not blame RBC for that, but I do blame them for refusing to institute higher security procedures for my account to prevent the fraudsters from doing this over and over again.” [CBC] [Krebs: How Was Your Credit Card Stolen? ]

WW – Improving the Privacy of the Internet Currency Bitcoin

Several Bitcoin users form a sort of sworn community in advance. To hide the source of their transactions, each one of them conforms to a certain pre-determined succession of actions – the so-called CoinShuffle protocol, which was developed by Kate and his team. Every participant decodes the list of recipient addresses he has received, adds his own to it and forwards the encrypted list to the next participant. This process is repeated with every participant. In this way they shuffle the order of the addresses and hence the traces to the recipient, similar to shuffling a deck of cards. [ECN Mag]


US – Library Strives to Archive the Internet

Is it true that what is on the Internet will stay there forever? “Chances are, though, that it actually won’t.” The report details posts and stories that have disappeared amidst the concerns that those embarrassing details live forever on the web. “Web pages don’t have to be deliberately deleted to disappear. Sites hosted by corporations tend to die with their hosts. When MySpace, GeoCities, and Friendster were reconfigured or sold, millions of accounts vanished,” the report states. With one study showing many URLs have ceased to link to the original information being cited, approximately 1,000 librarians and activists from across the globe are identifying acquisitions for the Internet Archive, a nonprofit library. [The New Yorker]


US – DNA Database Raises Privacy Concerns

A state database containing DNA samples of 16 million Californians is raising concerns among privacy advocates and a state lawmaker. Samples are taken from virtually every baby born in the state to screen for more than 80 health disorders. The frozen samples are stored indefinitely and are shared with genetic researchers for a fee. California officials say the biobank is secure, but some are concerned the sensitive data can be misused. “Throughout the process,” Council for Responsible Genetics President Jeremy Gruber said, public knowledge and consent is “almost completely” absent. Assemblyman Mike Gatto (D-Glendale) said, “Imagine the discrimination a person might face if their HIV status or genetic predisposition to a mental disorder were revealed to the public.” [Los Angeles Times]

Health / Medical

US – President Unveils Medical Research Plan

President Barack Obama wants to dedicate $215 million in next year’s budget to a research initiative that would be aimed at helping doctors develop personalized medical treatments for their patients. Obama unveiled his “Precision Medicine Initiative,” for which he says he has bipartisan support. [MSNBC]

US – Healthcare Privacy, Security Measures Included in ONC Draft

The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology’s new draft roadmap. “Connecting Health and Care for the Nation: A Shared Nationwide Interoperability Roadmap Version 1“ aims to help share healthcare information and also maintain privacy. [HealthIT Security]

US – HealthCare.gov Raises New Privacy Concerns

New privacy concerns have been raised about the HealthCare.gov website that helps U.S. citizens get health insurance. A number of third-party vendors are embedded into the site, giving them potential access to user ages, incomes and zip codes as well as other details such as whether the user smokes or is pregnant. Although there is no evidence any such data has been misused, the amount of outside connections to the site worries some. Corporate cybersecurity consultant Theresa Payton said, “Vendor management can often be the weakest link in your privacy and security chain.” A spokesman for Medicare said vendors “are prohibited from using information from these tools on HealthCare.gov for their companies’ purposes.” [Associated Press] [New Privacy Concerns Over Health Care Website]

US – Advocates Want More from HealthCare.gov

Privacy advocates say the Obama administration needs to make more changes to protect consumer privacy on the government’s health insurance website. The administration scaled back the release of personal information from HealthCare.gov following a report that such details as consumers’ income and tobacco use were going to private companies that have “a commercial interest in the data,” the report states. The Department of Health and Human Services is adding a layer of encryption to the site. Advocates, however, continue to push for more protections. [PBS]

US – Lawmakers Concerned About HealthCare.gov Data-Sharing

Lawmakers pressed officials about consumer data on HealthCare.gov being shared with outside companies during a House hearing. The hearing follows revelations last week that the website was giving sensitive information about enrollees to private companies for advertising and data analysis, the report states, resulting in renewed privacy concerns. “They sell that information to any number of people,” said Rep. Dan Newhouse (R-WA), wondering “whether that makes the website more vulnerable.” Newhouse questioned an official from the National Institute of Standards and Technology on the issue, who declined to speak on specifics but said privacy concerns “are taken into account.” [The Hil]

US – Researchers: Health Apps Need to Get Better at Privacy

New research suggests security and privacy worries “are likely impeding the widespread use of thousands of mobile health applications since an overwhelming majority require access to sensitive personal data.” A team of researchers from Germany’s University of Cologne reviewed more than 24,400 English-language smartphone and tablet apps available in 2013. Nearly 95% of the apps “could cause ‘potential damage’ to users’ security and privacy through information leaks, manipulation, loss and value to third parties,” the report states. The researchers recommend app developers “be sensitized to potential threats” the researchers said, and focus on improved security and privacy protections. [FierceMobileGovernment]

US – OCR Criticized for Lack of Robust HIPAA Enforcement

Various privacy and security experts are criticizing the lack of robust enforcement of HIPAA violations by the Department of Health and Human Services’ Office for Civil Rights (OCR). Last year, the OCR said it would ramp up HIPAA audits of nearly 350 covered entities and 50 business associates, but, according to the report, that next phase has been delayed. At a media briefing last week, OCR Director Jocelyn Samuels said the agency will launch its next phase “expeditiously” but did not detail exactly when. Security consultant Tom Walsh said, “The delay could be like the ‘boy who cried wolf’ … After a while, organizations will begin to think, ‘It will never happen.’ Or, ‘It will never happen to us.’” [Gov Info Security]

US – Healthcare Breaches Need a Cure for Human Errors

As digital health records increase by the millions, criminals know that the biggest weakness in securing them is human, not technology. “Hackers are generally efficient – they look for the easiest path to exploit,” Berger said. “Unfortunately today, the weakest link is the employee population and their lack of security awareness. Phishing attacks are disturbingly successful. And it only takes one employee to get duped for the hacker possibly to gain their credentials and pivot to exploiting a database of PHI.” [CIO]

Horror Stories

US – VPPA Class Actions Remain

A number of U.S. courts are weighing privacy class-actions. federal judge dismissed a class-action claiming Dow Jones violated the Video Privacy Protection Act (VPPA), while Law360 reports that a recent court dismissal of VPPA claims against Google will not end such class-actions. Hulu viewers, for example, allege the company violated the VPPA when it shared data with Facebook. Separately, the Seventh Circuit has been urged to revive a data breach lawsuit against Nieman Marcus.

US – Privacy Concerns Over State’s Medical Marijuana Email to Patients

More than 6,800 patients received e-mails in the last three months telling them they’d been approved for Massachusetts’s medical marijuana program. The e-mails contained detailed personal information, much to patient advocates’ dismay. The state’s health department has started altering its emails, removing references to medical marijuana from the subject line and removing patients’ full names and unique program registration numbers from the body of the message. A Massachusetts attorney said the email notification violates a 2008 consumer protection statute by former governor Duval Patrick. [Boston Globe] See also: [Turbotax’s Database Knows Your Secrets]

AU – Teenage Hacker Leaks 870K ATC Records

In what Will Ockenden described in an ABC News report as “a privacy breach that touches some of the country’s most senior figures in the courts, police, government, business and media,” more than 870,000 personal records from the December breach of insurer Aussie Travel Cover (ATC) have been shared on the Internet by a teenage hacker. “ATC was notified of the intrusion on December 23, but failed to immediately notify customers and policy-holders,” noting Queensland-based hacker Abdilo “stole troves of data from two of the company’s databases, which contained a total of more than 870,000 personal records” including names, addresses and partial credit-card numbers. [SC Magazine]

US – Home Depot Has Until July to Respond to Suits

Following one of the first court hearings for the class-action lawsuit following Home Depot’s data breach, the court gave the retailer “until July to respond to allegations that its massive data breach was caused by the company failing in its obligation to comply with security standards and to protect its customers’ personal information.” At a hearing last week in a U.S. District Court in Atlanta, GA, Judge Thomas Thrash also “established two separate tracks for the litigation, one for consumers and a second for financial institutions,” the report states, and gave Home Depot until July 1 to respond to consumer’s allegations and July 15 to respond to those of financial institutions. [Atlanta Business Chronicle]

Private Details Leaked After Travel Insurance Company Hacked

It’s a privacy breach that touches some of the country’s most senior figures in the courts, police, government, business and media. But it’s not just the influential who’ve had their private details stolen. Database logs show it could affect hundreds of thousands of Australians. [ABC]

MX – Liverpool Systems Hack Could Cost More than $1M

A December attack on retailer Liverpool systems in Mexico could cost at least 107 million pesos (approximately one million USD), including compensation for damage to the company’s clients and any fines imposed by the data protection authority (IFAI). In the attack, cybercriminals accessed bank account information, addresses and personal information of customers. IFAI could fine the company 18 million pesos. Liverpool is the third largest issuer of credit cards in Mexico. (Article in Spanish.) [Full Story]

WW – If You Use Either of These WordPress Themes Update Them Now

Older versions of the Platform theme contain a remote code execution bug that could allow any attacker to completely take over a website running the vulnerable theme. Older versions of both Platform and PageLines contain a privilege escalation bug that could allow users with an account to turn themselves into an administrator with total control of a site. [Naked Security]

NZ – Abortion Data Handed Out By Mistake

The personal medical information from 2011-13 confirms the terminations took place in Tokoroa Hospital, Thames Hospital, Waikato Hospital and Anglesea Procedure Centre. The medical information includes dates of birth, National Health Index numbers, ethnic descriptions, termination details and the suburb in the town where the women live. The Ministry of Health is investigating and the health board has apologised for the breach. [Source]

US – 11th Circuit Allows FTC Data Breach Case Against LABMD to Proceed

The Eleventh Circuit did not address the issue of the FTC’s authority to enforce healthcare privacy standards. Instead, the Eleventh Circuit held that before a federal court will review the case, LabMD must first exhaust its administrative remedies, which means LabMD must first go through the FTC administrative hearing process until the FTC makes a final decision. The Eleventh Circuit ruled that only then will LabMD be able to ask the federal courts to weigh in on the FTC’s authority. [National Law Review]

US – Warehouse Fire Exposes Sensitive Documents

A highly visible fire in Brooklyn, NY, has exposed reams of sensitive documents, including decades’ worth of medical records, court documents and financial data. One observer said of the documents, “They’re like treasure maps but with people’s personal information all over them.” The city has sent a disaster-recovery team to collect the exposed documents, even though “beachcombers sifted freely through the trove of documents, picking their way through remnants of the days when many records were on paper and the city government was one of the few takers for north Brooklyn’s waterfront land.” [The New York Times]

Identity Issues

WW – Researchers Can Identify Anonymous Shoppers

By using relatively few pieces of data, researchers were able to identify “anonymous” shoppers. In a study called “Unique in the Shopping Mall: On the Reidentifiability of Credit Card Metadata,” a group of data scientists analyzed credit card transactions of 1.1 million shoppers in 10,000 stores during a three-month period. Though the data had been stripped of personal details, including names and account numbers, knowing four random pieces of data was enough to reidentify 90% of the shoppers, the report states. The research is part of a larger special issue of Science , dedicated to “The End of Privacy.” [The New York Times] [Associated Press]

US – Experian Launch Fraud Surveillance and ID Theft Resolution Offering

ProtectMyID® now includes payment card fraud monitoring at consumers’ fingertips with the BillGuard mobile app … Members of Experian’s ProtectMyID can now download the BillGuard mobile app and access both their ProtectMyID alerts and BillGuard features within the BillGuard mobile app. [NewsWire]

Intellectual Property

WW – How to Hide Your Online Identity With a VPN Service

VPN services mask user’s locations and help them stay hidden on the internet. It’s still unclear if VPN services located in Canada or operating within the country will be subject to the section of Canada’s Copyright Modernization Act that forces ISPs to send out notice-and-notice letters to their customers, given how ambiguous the language in the act currently is. Some VPN services like Toronto-based Tunnelbear have already banned the use of Torrents on their network in order to avoid future legal complications. [Source]

Internet / WWW

US – FTC Report on Internet of Things Urges Companies to Adopt Best Practices to Address Consumer Privacy and Security Risks

A new FTC report recognizes that rapid growth of connected devices offers societal benefits, but also poses risks that could undermine consumer confidence. The report takes a flexible approach to data minimization. Under the recommendations, companies can choose to collect no data, data limited to the categories required to provide the service offered by the device, less sensitive data; or choose to de-identify the data collected. [FTC] SEE ALSO: [Privacy Law Blog: US and UK Regulators Position Themselves to Meet the Needs of the IoT Market] | [Tech Liberation: Some Initial Thoughts on the FTC Internet of Things Report] | [TechCrunch: What Happens to Privacy When the Internet is in Everything?] | [CSO Online: Five Myths (Debunked) About Security and Privacy for Internet of Things]

UK – Regulator Calls for International Standards

Ofcom, a telecommunications regulator in the UK, has called for international industry standards on privacy in the Internet of Things (IoT). In an outline published the same day the U.S. FTC released a highly anticipated report on IoT , Ofcom wrote, “We have concluded that a common framework that allows consumers easily and transparently to authorize the conditions under which data collected by their devices is used and shared by others will be critical to future development of the IoT sector,” adding, “We consider that these approaches should ideally be agreed internationally where possible, so as not to inhibit sale and use of IoT devices and services across international boundaries…” [GigaOM]

WW – At World Economic Forum: Researchers Say Privacy is Dead

Harvard professors at the World Economic Forum in Davos pronounced that privacy is effectively dead. “Privacy as we knew it in the past is no longer feasible,” said Margo Seltzer, a professor in computer science at Harvard University. Another researcher said intelligence agencies’ use of personal genetic information will increasingly enter the public sphere and that, “We are at the dawn of the age of genetic McCarthyism.” [The Daily Mail] [Privacy Is Dead, Davos Hears]

WW – Commissioner Calls for New UN Agency

In Davos this week, the European Commissioner for the Digital Economy said a UN agency for data protection and data security is needed to protect the confidential and personal information of citizens around the world.

US – Microsoft’s Smith: Laws Need to Be Modernized

Microsoft’s Brad Smith “has called for an accord between the EU and the U.S. to make it easier for law enforcement authorities to access and share citizens’ data,” Financial Times reports. Meanwhile, during the Charlie Hebdo attacks in France, “Microsoft Corp. handed the FBI data linked to the Charlie Hebdo probe within an hour of being asked,” prompting Smith to point out “the system can work and that extra snooping should only happen if strictly regulated,” the report states. Smith noted laws should “be ‘modernized’ to allow the rule of law, including the Internet, to work across national borders,” the report states. [Bloomberg Businessweek]

UK – ICO Investigation Prompts Google to Change Privacy Policy

The UK Information Commissioner’s Office (ICO) has announced Google will sign an undertaking requiring it to be more transparent about how it collects and uses personal data through its services. According to an ICO press release, Google has been too vague in how it processes users’ data. ICO Head of Enforcement Steve Eckersley said, “Google’s commitment today to make these necessary changes will improve the information UK consumers receive when using their online services and products,” adding that organizations need “to properly understand the impact of their actions and the requirement to comply with data protection law.” Google must now make the necessary changes by June 30 and “take further steps over the next two years.” [Full Story]

WW – TRUSTe Approved as APEC Accountability Agent

The 21 APEC Member Economies have unanimously approved TRUSTe as an Accountability Agent for its Cross-Border Privacy Rules (CBPR) System. The CBPR System is a self-regulatory code of conduct addressing cross-border data flow between member economies; currently Japan, Mexico and the U.S. participate in the program. “As an Accountability Agent, TRUSTe will continue to review, certify, monitor and enforce the privacy practices of participating U.S.-based companies or subsidiaries to ensure compliance with the CBPR system,” the release states. [Full Story]

Law Enforcement

US – Gov’t to Pay for Impersonating Woman on Facebook

In a settlement announced this week, the federal government agreed to pay $134,000 to a New York woman, Sondra Arquiett, who accused a Drug Enforcement Administration agent of impersonating her on Facebook without her permission. In 2011, the agents impersonated Arquiett by creating a Facebook page of her posing with her son and niece to investigate an alleged drug ring. Privacy advocates are worried such tactics pose unique threats, the report states. Meanwhile, lawmakers on the Senate Judiciary Committee raised concerns yesterday about radar devices that allow police officers to effectively see into suspects’ homes. [The Wall Street Journal]

US – Body Cameras for L.A. Police: Access to Video, Privacy Among Concerns

Some San Fernando Valley residents are concerned about privacy and access to LAPD body-camera footage. “We’re going to be having on-body cameras,” Soboroff said. “American law enforcement is going to have on-body cameras. It’s a transformational movement in law enforcement.” [LA Times]

US – Law Firm Takes on Revenge Porn

In September, Pittsburgh-based law firm K&L Gates launched its Cyber Civil Rights Legal Project in order to advise victims of revenge porn, and it now has about 50 lawyers volunteering their time. The program advises victims on legal steps to sue for damages and “works with victims to consider the pros and cons of reporting online abuse to prosecutors.” One novel approach the firm takes is to use copyright law to sue people for unauthorized posting of images. “Copyright is not designed to deal with revenge porn; it just happens to give you a remedy,” says K&L Gates Partner David Bateman, noting it’s not “perfect and won’t be available in all situations.” [The New York Times]

US – FTC Charges Website Operator for Revenge Porn Deception

The FTC has charged an operator of an alleged revenge porn website for using deception to acquire intimate photos of women then referring them to another website he owned where they could have their photos removed for hundreds of dollars. Craig Brittain is banned from publicly sharing such intimate photos without the subjects’ affirmative express consent. He must also destroy the photos in his possession and the contacts made while operating the site. FTC Bureau of Consumer Protection Director Jessica Rich said, “This behavior is not only illegal but reprehensible,” adding, “I am pleased that as a result of this settlement, the illegally collected images and information will be deleted and this individual can never return to the so-called ‘revenge porn’ business.” [FTC press release]

US – Gov’t Has Massive License-Plate Database; Police Want Waze to Go Away

The U.S. Department of Justice has built a nationwide database to track the movement of vehicles in real time. The covert intelligence program scans and retains hundreds of millions of motorists’ records. According to documents acquired by the American Civil Liberties Union (ACLU), more than 100 cameras in at least seven states have been set up to snap shots of and store license plates of every passing vehicle. Records on vehicles that are not part of existing investigations have their images deleted after six months, a time period the ACLU argues is “far too long.” Meanwhile, some law enforcement officials are concerned that mobile traffic app Waze can be used by bad actors to hunt and harm police officers. [The Wall Street Journal] [Police Can’t Have It Both ‘Waze’ on Expectation of Privacy In Public]

US – GPS Act Would Restrict Cops’ Use of ‘Stingrays’ and Other Phone Surveillance Tech

Many local, state and federal police agencies using Stingrays first bought them with the stated intention to use them to fight terrorism. Since Stingrays have become more prominent, police have reluctantly admitted using them to investigate crimes including murder and cell phone robbery. A November Wall Street Journal report revealed that the U.S. Marshals Service has flown Cessna airplanes equipped with Stingray-like devices known as “dirtboxes” in the sky over at least five major U.S. airports. [IB Times]

US – Lawmakers Push to Require a Warrant for GPS Tracking by Police

“Buying a smartphone shouldn’t be interpreted as giving the government a free pass to track your movements,” Sen. Ron Wyden (D-Ore.), one of the bill’s authors, said in a statement. “GPS data can be a valuable tool for law enforcement, but our laws need to keep up with technology and set out exactly when and how the government can collect Americans’ electronic location data.” Courts have so far been mixed about which legal protections apply for information about people’s location. [The Hill]

US – New Police Radars Can ‘See’ Inside Homes

At least 50 U.S. law enforcement agencies quietly deployed radars that let them effectively see inside homes, with little notice to the courts or the public. Those agencies, including the FBI and the U.S. Marshals Service, began deploying the radar systems more than two years ago with little notice to the courts and no public disclosure of when or how they would be used. The technology raises legal and privacy issues because the U.S. Supreme Court has said officers generally cannot use high-tech sensors to tell them about the inside of a person’s house without first obtaining a search warrant. [USA Today]

US – Video Rule for TTC Hampers Hunt for Sex Attacker

Efforts to track the man down have been hampered because security camera footage from the bus was erased by the time investigators went looking for it…After 15 hours of operation, video stored within cameras on buses and streetcars is “overwritten,” explaining that time limit was mandated by Ontario’s privacy commissioner when the TTC installed the cameras. [Toronto Sun]

US –Seized-Asset Sharing Process Split Billions With Local, State Police

Attorney General Eric Holder is barring local and state police from using federal law to seize cash, cars and other property without proof that a crime occurred – the most sweeping check on police power to confiscate personal property since the seizures began three decades ago. Holder’s decision allows limited exceptions, including illegal firearms, ammunition, explosives and property associated with child pornography, a small fraction of the total. This would eliminate virtually all cash and vehicle seizures made by local and state police from the program. [Washington Post] [PBS: Will Federal Reforms on Civil Forfeiture Mean More Police Accountability?]


US – Advocates Concerned About FCC Location Data Requirements

“Americans dial 911 nearly 240 million times a year, and 70% of the calls are made on cell phones,” noted a 2013 study that found that more than 10,000 people die each year because the location data wireless providers transmit to emergency personnel is insufficiently precise. So the FCC voted 5-0 to improve the indoor location of wireless 911 calls, requiring major telecommunications companies to provide horizontal-location information, within 50 meters of a caller, and vertical information—what floor a caller is on—for 67% of emergency calls. In five years, they’d be required to provide that information for 80% of emergency calls. Civil liberties groups say the plan lacks any mention of privacy safeguards. [Newsweek]

US – Using the FTC Casebook to Find Your Geolocation Strategy

The IAPP Westin Research Center has launched its FTC Casebook. This digital resource, free only to IAPP members, contains the more than 180 FTC privacy and data security enforcement actions the FTC has initiated since 1998, each one tagged, indexed and full-text searchable. The Casebook’s benefits and functionality (which have been described, narrated and reviewed over the past week) were developed with the intention of making IAPP members roles as a privacy professionals a little easier.


The Compliance Challenges That Can No Longer Be Ignored

APEC members Singapore, Malaysia, the Philippines, South Korea and Taiwan, have all passed comprehensive data privacy regimes in the past five years. India enacted an IT law in 2011, which tracks a similar principle-based approach to data privacy. Perhaps most significantly, China has also passed a whole raft of legislation in this area in recent years, both industry specific and of more general application. [HLDA]

Online Privacy

US – No ‘Right to Be Forgotten’ Even if Record is Expunged: 2nd Circuit

After her record was expunged, Martin asked news organizations to take down the articles. Hearst and News 12 Interactive refused, arguing that they had accurately reported the fact of Martin’s arrest. So in July 2012, Martin sued Hearst and News 12 in federal court in New Haven, Connecticut, for libel, invasion of privacy and infliction of emotional harm. The news stories they refused to change or delete, her lawyers said, may have been accurate at the time of her arrest. But once the state erased her record, they argued, stories of her arrest were false and defamatory. The 2nd U.S. Court of Appeals sided with the news organizations and upheld the dismissal of Martin’s case. The erasure of Martin’s record, wrote Judge Richard Wesley for a panel that also included Judges John Walker and Dennis Jacobs, does not change historical truth, however much she might wish otherwise. “The Moving Finger has moved on,” Wesley wrote, paraphrasing Omar Khayyam. The opinion also cited previous rulings in which state courts in New Jersey, Oregon and Massachusetts held that expungement statutes don’t change history, merely what former defendants are permitted to say about the past. [Reuters] [Courthouse News: Woman Can’t Scrub Arrest from the Internet]

US – Circuit: Reports of Dismissed Arrest Not Libel

“In short, the Erasure Statute requires the state to erase certain official records of an arrest and grants the defendant the legal status of one who has not been arrested,” Wesley said. “The statute creates legal fictions, but it does not and cannot undo historical facts or convert once-true facts into falsehoods.” Here, it was uncontroverted that Martin was arrested and the reports of her arrest were true. “Neither the Erasure Statute nor any amount of wishing can undo that historical truth,” he said. “The Moving Finger has written and moved on.” [New York Law Journal] [Wall Street Journal: Some Things Should Not Be ‘Forgotten’] | [Right To Be Forgotten and Right To Be Remembered]

US – Verizon to Allow Opt-Out of “Supercookies”

Verizon has agreed to allow users to opt out of “supercookies” after criticism from privacy advocates and others that included a consumer petition circulated by the EFF and calls from Consumer Watchdog for regulators to tighten the data-sharing regulations on wireless carriers. Sen. Bill Nelson (D-FL) said the Commerce Committee will investigate the company for its use of “supercookies,” and in a letter for Fusion , tech reporter Kashmir Hill tells the company, “Putting a tracking code on my Internet activity without telling me or giving me a right to say no is not okay.” While this change represents an about-face, EFF Lawyer Nate Cardozo says, “What they really should be doing is opt-in.” [New York Times] [EFF: How Verizon and Turn Defeat Browser Privacy Protections]

US –Turn Suspends “Zombie” Cookie Program

After a ProPublica report on so-called “zombie” cookies used by Turn and Verizon, Turn has announced it is suspending the program pending re-evaluation. Turn Chief Privacy Officer Max Ochoa wrote, “We are confident that our practices, including the re-association of a Turn cookie ID with a Verizon UIDH (Unique Identifier Header) comply with self-regulatory guidelines and principles regarding consumer opt-out through these tools,” but added, “we have heard the concerns and are actively re-evaluating this method.” He said by February, Turn will not “respawn” cookie IDs associated with Verizon’s UIDH. Ochoa also noted that, “As part of this re-evaluation, Turn is engaging with media and industry participants including advocates to further educate and inform regarding industry-wide practices.” A Verizon spokeswoman told AdAge, “The intent of the UIDH is to be used as part of our advertising programs, which have robust privacy protections, not as described in recent media reports.” [Full Story]

WW – Datacoup Wants Users to Monetize Their Data

Yahoo CEO Marissa Mayer said technology firms must give users the ability to control their data in order to strengthen trust in the digital marketplace. “I think controlled consent, the idea that you are actively acknowledging what you’re doing and are being very open about how the data is being used and where it’s going to flow” is the future, she said, adding, “We take active commercial decisions not to do certain things with data.” CNBC reports on Datacoup, a company attempting to give users the ability to aggregate and monetize their personal data. “If people begin to understand what their data is worth by using a service like Datacoup, Google’s revenue model (could) collapse,” one analyst said. [The Drum]

UK – Data Protection Issues of Growing Importance to Retailers, Says Expert

Addressing data privacy and security issues is becoming an increasingly critical function of UK retailers’ business, a legal expert in the retail sector has said. “Cyber security is sufficiently important to demand the attention of senior managers and board room members in the retail sector,” Leman said. “For the chief information officer, they will want to know just how good the security measures deployed by their company are, whilst general counsels need to be confident that they can demonstrate their business did everything it could to protect data and had an effective incident response plan the company acted on in the event of a breach. The Target data breach case in the US highlighted the importance of IT security to retailers as well as the consequences there can be for senior executives and their jobs.” [Out-Law]

US – Companies Launch Offline-Online Ad Retargeting Platform

A Norway-based startup and a U.S. location-based marketing firm have announced plans to launch a global partnership with the ability to use data gleaned from in-store beacons to retarget consumers online. Together, Unacast and Total Communicator Solutions hope to accomplish an industry first by connecting the offline and online shopping worlds. The platform works when shoppers install the app and turn on Bluetooth on their phones. If they’ve opted in, when they walk into a store to look at shoes, for example, they’ll receive a personalized message; plus, days, weeks or months later, they will likely see ads for the products they browsed while in the store. [Business Insider] [Now Advertisers Can Use Beacons to Make the Shoes You Were Looking at Inside a Physical Store Follow You Around the Internet

US – FTC’s Rich Warns Ad Industry About Privacy

FTC Consumer Protection Director Jessica Rich expressed strong words to ad companies at an industry event. She said the industry should not “play games about what ‘sensitive data’ means, such as defining medical data to mean only official medical records.” Rich also discussed the self-regulatory codes of the Network Advertising Initiative (NAI) and the Digital Advertising Alliance (DAA), noting that both define “sensitive” data differently. “The NAI code is stronger than DAA’s in this regard,” she noted. Recognizing that behavioral ads do have some benefits, Rich also discussed enhanced forms of online tracking and that consumers “who know about tracking and want to avoid it can’t do so effectively.” [MediaPost]

WW – Mozilla Tightens Referrers for Improved Privacy

Mozilla is tweaking its referrer header to help websites protect their users’ privacy, according to a Mozilla blog post. Principal Security and Privacy Engineer Sid Stamm writes, “as the web got more complex, the amount of information in the referrer header ballooned, leading to bigger privacy problems.” Stamm notes that “HTTP Referrer provides a wealth of information about where you came from to the sites you visit, but this context isn’t always necessary (or desired) … What’s needed is a better way for referring sites to reduce the amount of data transmitted and thus providing a more uniform referrer that’s less privacy-invasive.” [Full Story]

Other Jurisdictions

WW – Introducing: The DPAs Alumni Network

Former UK Information Commissioner Richard Thomas, now global strategy advisor to the Centre for Information Policy Leadership, has announced the creation of a new Alumni Network for former privacy and data protection commissioners around the globe. A relatively informal network, the group has already collected more than 30 former commissioners and is looking to spread the word and expand. [The Privacy Advisor]

CN – New Rules in China Upset Western Tech Companies

The Chinese government has adopted new regulations requiring companies that sell computer equipment to Chinese banks to turn over secret source code, submit to invasive audits and build so-called back doors into hardware and software. …The new rules, laid out in a 22-page document approved at the end of last year, are the first in a series of policies expected to be unveiled in the coming months that Beijing says are intended to strengthen cybersecurity in critical Chinese industries. As copies have spread in the past month, the regulations have heightened concern among foreign companies that the authorities are trying to force them out of one of the largest and fastest-growing markets. [NYTimes]

EU – Spanish Court Rules on RTBF; Google’s Position “Doesn’t Make Sense”

A Spanish court has ruled Google must remove links from a search on a man’s name. The ruling comes eight months after an EU court confirmed the right to be forgotten. The Spanish court ruling means Google must cut the link to a notice on social security debtors in La Vanguardia newspaper because the information about the man is now outdated. Freedom of information rights aren’t being infringed upon, however, because the original content is still available in the newspaper’s online archive, the court said. Meanwhile, EPIC’s Marc Rotenberg said Google’s general position, that it doesn’t want to apply the right to be forgotten outside of Europe, “does not make sense.” [Bloomberg]

WW –Will Google Apply RTBF Beyond the EU?

Contrary to regulators’ guidelines, Google is only removing search results from European websites when individuals invoke their “right to be forgotten.” But the company says it will review that approach soon. By month’s end, Google’s advisory council, which has held public meetings across Europe for the last four months, is expected to report its conclusions on a review of whether Google’s data removals should apply only to its European websites or globally. “We’ll take the report, along with the Article 29 input and other input, and arrive at an approach,” said Google Chief Legal Officer David Drummond. “It’s our strong view that there needs to be some way of limiting the concept, because it is a European concept.” [Reuters]

MX – IFAI Could Impose Sanctions on Google in RTBF Case

Mexico’s Federal Institute for Information Access and Data Protection (IFAI) has started proceedings that could impose sanctions on Google for an alleged breach of the nation’s data protection law. The IFAI initiated the proceedings after Google Mexico did not agree to a take-down request from a Mexican citizen wishing to have personal data removed from the search engine. According to the report, Mexican law could fine an organization in breach of national data protection law up to $1.53 million. [Reuters] See also: Brazil held its first open consultation to debate and shape the Marco Civil, reports BNamericas.

Privacy (US)

US – Justice Department Drops Court Battle; Hands Document to Privacy Group

The Justice Department has agreed to turn over a legal opinion on surveillance and census data following a yearlong court battle with the Electronic Frontier Foundation (EFF). The department dropped its appeal of a federal judge’s decision requiring it to provide the opinion to the EFF. The group sued to obtain documents on government surveillance, including a document that analyzed law enforcement access to census data, under the USA PATRIOT Act. A Justice Department spokeswoman said the department will turn over the document to the EFF. [Associated Press]

US – White House Proposes National Data Breach Notification Standard

The FTC would enforce the law, with violations constituting an unfair or deceptive practice, and the FTC would be given broad rule making authority to issue whatever regulations it seems necessary to carry out its duties with respect to the law. The proposed legislation would require that the FTC coordinate with other agencies in the issuance of regulations when such regulations would affect entities subject to regulation by the FCC or the Consumer Financial Protection Bureau. State Attorneys General would also have the authority to enforce the law, subject to certain FTC rights to intervene, stay, or remove the proceeding. The proposed law does not create, or make any mention of, a private right of action. [Source]

US – Data-Privacy Advocates Welcome Obama’s Support, With Caveats

“Right now the companies are following the strongest state laws,” said Pam Dixon of the World Privacy Forum. She said a draft of the proposal posted on the White House website “doesn’t come close to the strongest state law, so the best thing would be to leave state protections in place.” Mark M. Jaycox of the Electronic Frontier Foundation warned that the White House language would strip states’ attorneys general of the power to respond aggressively to data breaches. He also voiced concern that the bill would allow companies to avoid notifying customers simply by reporting breaches to the FTC. [Source]

US – Obama Calls for New Law to Meet ‘Evolving Threat of Cyberattacks’

A key stumbling block in the effort to rewrite laws remains the concern from some U.S. companies that sharing information with the government could expose them to shareholder lawsuits or a customer exodus, and they have also complained that certain government agencies aren’t being forthcoming enough with certain intelligence. [WSJ] [CNET: Will Obama Finally Change Cybersecurity In America?] [Gizmodo: Obama’s War on Hackers Is Turning Everyone into a Suspect] [AdAge: Where’s the Breach? Obama Leaves Out Domestic Data Issues]

US – Obama Abandons Telephone Data Spying Reform Proposal: U.S. Officials

Under the proposal floated by a Presidential review panel, telephone call “metadata” generated inside the United States, which NSA began collecting in bulk after the Sept. 11, 2001 attacks, could instead be collected and retained by an unspecified private third party. The Obama administration has decided, however, that the option of having a private third party collect and retain the telephone metadata is unworkable for both legal and practical reasons. “I think that’s accurate for right now,” a senior U.S. security official said. [The National Law Review] [HLDA: The 2015 State of the Union Addresses Cybersecurity, Data Security, and Privacy]

US – Obama Supports Cybersecurity and Privacy; Experts Warn of Unintended Impacts

The President outlined three broad areas to focus on: cybersecurity information sharing, modernization of law enforcement agencies’ weapons against cybercrime, and national data breach reporting. Those are all worthy goals, however, they’re not necessarily the more urgent ones. Security experts disagree on how—or whether—these goals can even be achieved. [PC World]

US – 5 Things to Know About Obama’s New Cybersecurity Proposals

Christopher Soghoian, the principal technologist at the American Civil Liberties Union, said “nothing” the president is proposing “would do anything to actually improve cybersecurity.” The Electronic Frontier Foundation (EFF), a leading digital rights advocacy group, called the president’s cybersecurity proposals a “mishmash of old, outdated policy solutions,” and argued that the information-sharing proposals risk exposing Americans’ private information. It’s not just privacy advocates. Cybersecurity experts are also not big fans of Obama’s proposals. [Mashable]

US – White House Gets It Wrong, Credit Scores Poor Tool for Detecting ID Theft

The credit scores that are being given away are general use FICO and VantageScore risk scores. … They are not, and have never been, designed to be a fraud detection tool. …When someone applies for credit in your name, there are a variety of changes that can occur on your credit reports. The following is a list of those credit report changes, and any impact they would have on your credit scores. Remember, the White House would have you believe seeing your credit scores for free every month would somehow alert you that you’ve been the victim of identity theft. [Huffington Post]

US – PCLOB to White House: You’re Getting There…

In a nod to the one-year and six-month anniversaries of its reports on Section 215 and Section 702, respectively, the Privacy and Civil Liberties Oversight Board (PCLOB) released an assessment of how well the White House has implemented its recommendations for amending programs that collect telephone records in bulk and guide the Foreign Intelligence Surveillance Court. Most significantly, the PCLOB notes that the administration has not implemented its recommendation to halt the NSA’s telephone records program, “which it could do at any time without congressional involvement,” nor has the White House created a way to assess the value of this kind of record collection. “At some point, you have to draw the line and say you have to act on your own,” PCLOB Chairman David Medine told The Guardian, “because this program isn’t particularly effective.” [Full Story]

US – Cam Kerry on Consumer Bill of Rights: “Making Up for Lost Time”

Nearly three years after President Barack Obama first announced a “privacy blueprint” laying out the Consumer Privacy Bill of Rights, the wheels are now in motion. The initial blueprint provided a framework for what legislation should look like. “As the leader of the administration’s work on consumer privacy,” writes Cameron Kerry, “I worked over the following year with my staff in the Commerce Department’s Office of General Counsel and NTIA to put this roadmap into legislative language and pave the way for introduction of a bill.” [Privacy Perspectives]

US – FTC Releases IoT Report

The FTC released its report on the Internet of Things (IoT). The FTC recommends businesses take a number of steps to enhance and protect the privacy of consumers. “The only way for the Internet of Things to reach its full potential for innovation is with the trust of American consumers,” FTC Chairwoman Edith Ramirez writes. “We believe that by adopting the best practices we’ve laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized.” Commissioner Joshua Wright provided a dissent here. [Full Story]

US – FTC CPO Resigns, Joins Firm as Senior Counsel

FTC Chief Privacy Officer (CPO) Peter Miller has resigned and joined law firm Crowell & Moring as senior counsel for its advertising and product risk management and privacy and cybersecurity groups. Miller has been with the FTC for 10 years, including as an attorney within the Division of Advertising Practices and assistant director for regional operations for the Bureau of Consumer Protection, the report states. He’s held his post as CPO since 2012 and used the post to publicly urge other federal agencies to be more proactive about building privacy protection into IT systems from the ground up. [FCW]

US – FTC Denies Second Proposed Verifiable Consent Method

The FTC has denied AgeCheq’s second proposed COPPA Rule verifiable parental consent method. AgeCheq had proposed a device-signed parental consent form using a multistep process involving the entry of a code sent via text. In its letter to AgeCheq, the FTC stated the company’s proposed method, specifically the type of data collected to verify a parent’s identity, was not compliant with COPPA. The FTC also noted the proposal “did not meet the rule’s requirements that it be reasonably calculated to ensure the person providing the consent is the child’s parent or guardian,” as the individual trying to obtain consent “could easily be the child using the very device on which an app seeking consent was downloaded.” [Full Story]

US – Uber to Implement Privacy Program Recommendations

Uber announced that it is strengthening its privacy programs as the result of an outside privacy assessment, laid out in a 40-page review. The ride-sharing start-up retained Hogan Lovells Partner Harriet Pearson and her team last November after a number of reports surfaced about the company’s controversial use of consumer data, leading some to apply the name “Ubergate.” [Source]

SK – Uber Faces Legal Trouble from Regulator

South Korean telecommunications regulator Korea Communication Commission (KCC) has reported ride-sharing service Uber to local prosecutors for potential violations of the country’s information protection laws. According to national legislation, businesses using geolocation data must report such activity to related authorities, and the KCC claims Uber did not do so. A company spokesman said it will comply with local laws as much as possible, the report states. [CNET]

US – CA Privacy Committee Could Be “Key Committee” to Watch

The newest and perhaps “hottest” committee in the coming state legislative session, the new Committee on Privacy and Consumer Protection “is the key committee to watch in the coming session.” Created earlier this month by California Assembly Speaker Toni Atkins (D-San Diego), the panel is designed to take on growing consumer privacy issues and the use of health, financial, educational and consumer habits of the millions of state residents. “California has a strong history of protecting consumer privacy while spurring an innovative economy,” Atkins said. Demand by Assembly members for inclusion on the panel was high, she added. One pick was Assemblyman Mike Gatto (D-Los Angeles), who has initiated a wiki page allowing Internet users to help draft state privacy legislation. [Los Angeles Times]

US – Bipartisan GPS Bill Introduced

Sen. Jeff Flake (R-AZ) will lead the Senate Judiciary Subcommittee on Privacy, Technology and the Law, it was announced. Two new lawmakers, Sens. David Perdue (R-GA) and Thom Tillis (R-NC), will join the subcommittee also. Meanwhile, with their introduction of the Geolocation Privacy and Surveillance Act, lawmakers in both parties are pushing to require police to have a warrant before tracking people’s locations via their cell phones and other GPS devices. “Buying a smartphone shouldn’t be interpreted as giving the government a free pass to track your movements,” said Sen. Ron Wyden (D-OR), one of the bill’s authors. [The Hill]

US – Judge Dismisses Wiretap Act Claim,

A California federal judge dismissed claims in a multidistrict proposed class-action lawsuit that JTC Corp., Samsung Electronics Co. and other device makers violated the Wiretap Act by illegally collecting consumers’ data from their phones, “saying the plaintiffs didn’t sufficiently allege they intended to intercept communications.” [Law360]

US – N.Y. AG Seeks to Toughen Data Safeguards: Plan Would Require Businesses to Fortify Privacy Measures

The legislative proposal would provide a safe harbor to businesses that comply with the new requirements, meaning that a good-faith effort could shield them from liability actions resulting from a breach. To receive liability protection, businesses must be certified by an approved third-party auditor. [Data Breach Today]

US — Insurance Company Brings Breach Claim, Whole Foods Denies Fault

Travelers Casualty and Surety Co. of America has sued an Illinois-based Web design company, saying its negligence in designing and maintaining a community bank’s website contributed to a data breach, and Whole Foods Market Group Inc. told a Florida federal court this week that a former employee’s claim it fails to comply with federal privacy law when it screens prospective employees through credit checks is “blatantly false.”

US – Congress to Hold Breach Notification Hearing

The new Congress will hold its first hearing on data breach notification legislation next Tuesday. Rep. Michael Burgess (R-TX) said, “We need a plan in place that will help prevent data from being stolen in the first place and will also alleviate consequences if hackers are successful.” [The Hill]

US – Sony Hack Details to Come

Sony is expected to share details of its highly publicized hack with the House Oversight and Government Reform Committee. “We’ve talked to Sony, and they have agreed to get us the information,” said Rep. Elijah Cummings (D-MD). “They just need a little bit more time.”

WW – Bughunter Cracks “Absolute Privacy” Blackphone – by Sending It A Text Message

The details provided by Dowd amount to full disclosure, although he hasn’t included a proof-of-concept that would allow you to start exploiting the hole at will. He made the disclosure only after Blackphone had published a patch. Indeed, he publicly praised Blackphone on Twitter for the way it dealt with his bug report. [Naked Security] [Techcrunch: In Communications, Privacy And Security Are Illusions]

US – LabMD: Tiversa Misled FTC

In a new court filing, LabMD argues that Tiversa hacked into its computer systems and used data gleaned from the hack to mislead the FTC into believing sensitive data on 10,000 patients was unprotected. When LabMD refused to use Tiversa’s services, the filing claims, Tiversa went to the FTC with a data breach complaint. LabMD alleges the move was part of a conspiracy to “decimate” the now-defunct medical company. [Law360]

US – Google, Viacom Tracking Suit Dismissed

Google and Viacom Inc. won the dismissal of a lawsuit alleging the two companies illegally tracked the Internet activity of children under the age of 13 who visited Nickelodeon’s website to send targeted advertising, Fortune reports. The suit accused both companies of dropping cookies onto children’s computers that gathered information advertisers could use. But U.S. District Court Judge Stanley Chesler found “no showing that Google and Viacom could identify which children streamed specific videos or played specific video games, as opposed to identifying children generally,” the report states. He also said he found no showing the companies engaged in “highly offensive” behavior for which they could be held liable. [Reuters]

WW – Google, Khan Academy, 13 More Sign Pledge

Following President Barack Obama’s comments urging companies to sign the Future of Privacy Forum (FPF) Student Privacy Pledge, 15 more companies have signed on, including Google and the popular YouTube-based Khan Academy. The latest wave of companies joins the 75 that signed on last week, the report states, noting the pledge includes a “promise not to sell student information or to use behaviorally targeted advertising on education products. It also promises to make it easy for parents to see their students’ data and to be transparent about how those data are collected and used.” The FPF’s Jules Polonetsky noted, “There’s been an explosion of technology in schools, and with that has come a privacy backlash.” [The Washington Post]

US – Judge Caps Breach Liability Payment

A federal judge has placed a cap on the liability Schnuck Markets is responsible to pay its payment-processing vendors in the wake of a data breach. Judge John Ross ruled that First Data Merchant Services and Citicorp Payment Services could only withhold up to $500,000 in funds. It is not yet known how much was originally withheld from Schnucks. The company recently agreed to pay customers for fraudulent charges stemming from a breach that exposed 2.4 million payment cards. [St. Louis Business Journal]

US – Apple Says Privacy Fraud Claims Vague

Apple wants a federal judge to dismiss a consolidated class-action lawsuit alleging applications available in Apple’s App Store breached users’ privacy by taking users’ contact data, Law360 reports.

US – Journalist Sentenced to Five Years in Prison for Linking Hacked Data

U.S. journalist Barrett Brown has been sentenced for linking to hacked information from global intelligence company Statfor. Brown, who allegedly has a “loose affiliation” with hacktivist collective Anonymous, received five years in prison and must pay $890,000 in restitution. “The government exposed me to decades of prison time for copying and pasting a link to a publicly available file that other journalists were also linking to without being prosecuted,” he wrote, adding, “The U.S. government decided today that because I did such a good job investigating the cyber-industrial complex, they’re now going to send me to investigate the prison-industrial complex.” Jeremy Hammond, the hacker responsible for the breach is serving a 10-year sentence. [Time]

US – School Rule-Breakers to Hand Over Facebook and Twitter Passwords

The fact that passwords are to be demanded in the case of any rule-breaking sounds too strong. That’s the conclusion reached by Kade Crockford, director of Massachusetts’ ACLU. She dubbed Illinois’s move “government overreach” and said that either the law or schools’ implementation of that law may well be unconstitutional. [NakedSecurity]

US – Data Breaches Hit the Board Room: How to Address Claims Against Directors and Officers

The traditional aftermath of a data breach can involve regulatory investigations and lawsuits against the company by consumers or financial institutions claiming to have been harmed by the data breach. In recent years, a new trend also is emerging: shareholder derivative cases and securities class actions filed against directors and officers alleging claims for breach of fiduciary duty, or even securities fraud, relating to the data breach. The recent dismissal of one such lawsuit against the directors and officers of Wyndham Worldwide Corporation (Wyndham) provides insight on steps directors and officers can take to protect themselves from claims of breach of fiduciary duty in these lawsuits. [HLDA]

US – Arsenic Case Pits Privacy Rights Versus Historical Research

Supreme Court ponders privacy rights as they pertain to medical documents FOIC’s Harmon replied, public figure status is sometimes conferred on individuals by the swirl of events and circumstances. While a criminal or politician may have taken affirmative, voluntary steps that waive their expectation of private citizen treatment, someone who, for example, is released from prison after a wrongful conviction also falls into the same legal territory whether they want to or not. There is a societal benefit to these types of people losing their privacy protection, said Harmon, in that members of the public “get to know about their heroes, leaders, villains and victims.” [Source]

Privacy Enhancing Technologies (PETs)

WW – Tor : Crowd Source Security and Anonymity Concerns

Many “bad actors,” from criminals to nation states, run Tor nodes for the purposes of tracking or otherwise harming users. For a fairly modest investment, attackers can acquire and operate enough relays to make the probability that they will control the first and last hoops in a chain fairly good, at least over a period of time. Just 5% of relays transport 50% of the traffic. If an attacker runs both, they can fairly easily identify users with their activities. [Source]

US – Harvard Aims to Reengineer Privacy

Harvard’s School of Engineering and Applied Sciences reports on a symposium it held earlier this week on “Privacy in a Networked World.” Panelists included Pew Internet Research’s Lee Rainie and former FTC Chief Technologist Latanya Sweeney, and the event featured a video interview of Edward Snowden by Bruce Schneier. [Full Story]

US – App Developers Alliance Launches Developer Competition

Anticipating the burgeoning Internet of Things (IoT) landscape, the App Developers Alliance (ADA) has announced IoT(Accelerate)Berlin. The contest is designed for developers and pre-launch startups and is organized in partnership with Google and Ericsson. ADA Executive Director Jake Ward said, “IoT is experiencing substantial growth, and the opportunity for European developers and startups to help shape its future is clear. From connected cars and homes to health, wearables or big data solutions, the competition will help developers conceptualize and produce innovative products for this growing market.” The competition is focused around a three-day period, March 27-29, in Berlin, Germany. [Full Story]

WW – Users Get More Control Over Data in Latest Firefox Beta

To help users keep control of such data, Mozilla has been working on changes to Firefox’s Gecko rendering engine to make it easier for users or browser extensions to control referrer data. And it has created a feature called “meta referrer” in the Firefox 36 beta that allows webmasters to include a tag in HTML documents specifying a referrer policy and what data can be sent. [CIO]

WW – How to Remain (Mostly) Invisible Online

While complete anonymity these days is nearly impossible, experts have some tips, and tools, they recommend for maintaining privacy and keeping your digital footprint as minimal as possible. Internet users can better protect their privacy online “by thinking of their private information as gold; do not give it away,” Frank Ahearn says. “Place a personal value on private information and recognize that sites want to profit [from] the information they extract. The best way to combat that is to supply untrue information. Deception has a positive purpose in the digital world,” and in fact is the best ally a user has to truly protect his online information. [Source]

US – Start-Up Looks to Capitalize on Differential Privacy

In some corners of the privacy world, de-identification has become something akin to the privacy community’s white whale: always just out of reach. Thus, into the breach steps the start-up Leap Year Innovations, a firm based in Philadelphia that is currently pitching “differential privacy” as a service, and soon hopes to offer it as a software package. What’s behind this alternative to De-ID and how does it work? [The Privacy Advisor]


US – Lawmakers Reintroduce Bipartisan Data-Security Bill

Reps. Joe Barton (R-TX) and Bobby Rush (D-IL) have reintroduced a bill that would require companies to meet data security standards when processing users’ personal information. The bill would prompt the FTC to set a nationwide data-security standard for companies handling personal data. Companies that suffer breaches would have to notify customers and the FTC. “They also could face civil penalties of up to $5 million if they hadn’t adhered to the commission’s security standards,” the report states. Rush and Barton will hold a public briefing on the bill on February 6. The House Energy and Commerce Subcommittee held a hearing on data breach notification this week. [The Hill]

US – Obama Takes on Google With Law to Protect Privacy of U.S. Kids

Obama’s proposed Student Digital Privacy Act, details of which haven’t been released, would make explicit the responsibility of vendors to safeguard data. The pledge, though voluntary, could expose signatories that break it to enforcement actions by the FTC or state attorneys general. [Bloomberg]

US – How Much Security Is Enough? Check the FTC Casebook

One of the most important issues on the FTC docket is the determination of whether a given data security practice is reasonable or not. Which is fine. But how will you know what the FTC deemed unreasonable in dozens of enforcement actions? Sure, you can go to the FTC website to seek, download and plough through all of the more than 180 FTC privacy and data security cases. But, as of last week, there’s a far better way: The IAPP Westin Research Center has launched its FTC Casebook, which is available at no additional charge to IAPP members. The Casebook makes the task of determining what the FTC regards as reasonable data security seamless, even fun! A digital resource, the FTC Casebook contains all of the FTC enforcement actions in the field, tagged, indexed, full-text searchable and annotated. But don’t take our word for it-let us walk you through just how it works. [Full Story]

US – Over 90% of Data Breaches in First Half of 2014 Were Preventable

The Online Trust Alliance says that a high percentage of data breaches were the result of staff mistakes — rather than external hacking. After analyzing over a thousand breaches involving PII, the non-profit has put together 12 ‘critical’ security practices in another guide that companies should follow in order to lessen the risk of a cyberattack — as well as minimize potential damage in a threat landscape which is becoming more dangerous by the year. [ZD Net] See also: 2015 Data Protection & Breach Readiness Guide

US, UK Establish a Joint Hacker A-Team to Conduct Cyber War Games

It’s been quite a week for British Prime Minister David Cameron. In addition to announcing the formation of the cyber cell, he had a meeting with Obama where he asked him to block companies like Apple, Facebook and Google from rolling out encryption services to users, which would allow users to communicate with one another more securely but which the British government claims could hurt intelligence collection. [Defense 1]

Smart Cars

US – Will Big Brother Eventually Monitor Driving Habits? Car Data Proposal Sparks Privacy Fears

But now the California Air Resources Board is proposing regulations (for a May board hearing) requiring manufacturers to significantly expand the kind of information on-board computer software collects about our driving habits. The software could track miles per gallon, driving distances, how often one stops and starts the car, and how fast one drives. Newer cars already tell us most of this information on those nifty trip computers in the dashboard. The difference, of course, is the regulations would require our cars to also tell government officials the information. [Source]

WW – BMW Sounds Alarm Over Tech Companies Seeking Connected Car Data

Concerns over fine line taken by the automotive industry between functionality and privacy . “There’s plenty of people out there saying, ‘Give us all the data you’ve got and we can tell you what we can do with it’,” he said on the sidelines of the Detroit motor show, adding that this included “Silicon Valley” companies, as well as advertising groups. “And we’re saying, ‘No thank you’.” … most drivers would be surprised by the scale and granularity of the data collected by modern vehicles. In a sinister illustration of the potential data that could be sacrificed by carmakers, Mr Robertson said BMW knew whether a child was in the car, based on weight sensors in the seats that linked up with the airbag system. [Irish Times]

US – “Cheaper Car Insurance” Dongle Could Lead to a Privacy Wreck

In short, you’d certainly hope that the Snapshot hardware designers and programmers took data security seriously during development. Otherwise, the very dongle that was supposed to help you learn to be a safer driver might leave you more exposed from a privacy and online security perspective … even if you conducted yourself impeccably behind the wheel, merely being out driving could harm the rest of your digital life. [Source]

US – California Mulling More Government Access to Cars’ On-Board Computers

Will Big Brother monitor our driving habits? But what if the traffic cop were a computer that always is transmitting data about our driving habits to a government agency? That question increasingly is being asked given technological advancements and a new proposal by the state’s air-quality control agency to expand the information your car’s computer would be required to collect and potentially transmit to officials. … the California Air Resources Board is proposing regulations (for a May board hearing) requiring manufacturers to significantly expand the kind of information on-board computer software collects about our driving habits. [Source]

US – U.S. Spies on Millions of Cars

The database raises new questions about privacy and the scope of government surveillance. The existence of the program and its expansion were described in interviews with current and former government officials, and in documents obtained by the American Civil Liberties Union through a Freedom of Information Act request and reviewed by The Wall Street Journal. It is unclear if any court oversees or approves the intelligence-gathering. …”Any database that collects detailed location information about Americans not suspected of crimes raises very serious privacy questions,’’ said Jay Stanley, a senior policy analyst at the ACLU. “It’s unconscionable that technology with such far-reaching potential would be deployed in such secrecy. People might disagree about exactly how we should use such powerful surveillance technologies, but it should be democratically decided, it shouldn’t be done in secret.’’ [Wall Street Journal]

US – The DEA Is Spying on Millions of Cars All Over the U.S.

With sweeping power to monitor the movements of so many Americans, the federal agency will continue to lose the hopeless drug war. We’ve traded our freedom to drive around without being tracked for next to nothing. Those who would cede essential liberty for the promise of security may deserve neither, but ceding it for the promise of a drug-free America is just delusional. The federal government could imprison every recreational drug user in America and it still couldn’t win the drug war because, among other things, the federal government can’t even prevent heavy drug use within the federal prison system. http://www.theatlantic.com/politics/archive/2015/01/the-dea-is-spying-on-millions-of-cars/384864/

US – Federal Agency Weighed Spying on Cars at Gun Shows

2009 DEA Proposal to Record Cars at Gun Shows Was Never Carried Out, Justice Department Officials Say. The Justice Department has been building a real-time database to track vehicle movement around the U.S. and has raised worries over government surveillance. [WSJ]

US – Massive DEA License Plate Reader Program Tracks Millions of Americans

According to the DEA, the program targets roadways it believes are used to transport contraband. It’s not clear what criteria the agency uses to classify a road as such. With so much information redacted it’s hard to say we’ve got the full picture here, but it’s also easy to understand why this capability is useful for law enforcement. Furthermore, identifying cars and users based on their license plates is nothing new – it’s what they’re for: license plates are public, unique identifiers. And of course we have always had the ability to follow a person or a car by spotting the right number plate and watching where it goes. So in some ways this is nothing new. But in other ways it’s very new indeed. [Naked Security]


CA – Secret ‘BADASS’ Intelligence Program Spied on Smartphones

CSE and GCHQ intelligence agents applied BADASS software filters to streams of intercepted internet traffic, plucking from that traffic unencrypted uploads from smartphones to servers run by advertising and analytics companies …the smartphone data routinely provided to ad and analytics companies represents a major privacy threat. When combined together, the information fragments can be used to identify specific users, and when concentrated in the hands of a small number of companies, they have proven to be irresistibly convenient targets for those engaged in mass surveillance. Although the BADASS presentation appears to be roughly four years old, at least one player in the mobile advertising and analytics space, Google, acknowledges that its servers still routinely receive unencrypted uploads from Google code embedded in apps. [Source]

WW – Software Makes Spying Real Easy, and It May Be on Your Phone

Spyware is readily available to any insecure spouse, overzealous boss, overbearing parent or crazy stalker. It’s sold legally, and “if it’s already on your phone, there’s no way you can tell,” the report states. Spyware companies like mSpy and flexiSPY make money off the secret surveillance of millions of people’s devices, the report states. While spyware has been around for decades, “the current crop is especially invasive” because if someone is alone with a device for a few minutes or if they have their target’s iCloud credentials, they can upload sophisticated tracking software that will let them follow whatever’s happening on the target device. [Gizmodo]

WW – Apps Will Share Data With Google Now

In a bid to bolster its hold on the online search market, Google plans to allow a host of third-party apps—including Airbnb, eBay and Lyft-to share data with Google Now. Google Now is a predictive search app, available for Android phones and wearables as well as the Chrome web browser. If users have the updated Google app and the Airbnb app on their phones, for example, the search history from Airbnb will be shared with Now. Previously, Google acquired search data from a user’s Google account search history. According to the report, more than 30 third-party apps will share data with Google Now. [The Wall Street Journal]

WW – Cookies Are So Yesterday; Cross-Device Tracking Is In

The cookie is out, and cross-device tracking is in. After all, one recent study found users can switch from laptop to smartphone to tablet an average of 21 times in a single hour. But how do you sell cross-device tracking to your users while avoiding the privacy pitfalls the cookie faced during its ascension? Michael Whitener lists the things marketers can do to keep both companies and consumers safe while taking advantage of the insights such tracking can provide. [The Privacy Advisor]

WW – Using Video to Expose Corruption, Abuse

Videre uses tiny cameras and an “army” of individuals armed with them to expose corruption and abuse, “shaming governments into action,” Erin Burnett explains in this. Oren Yakobovich is head of the human rights organization Videre, which “uncovers, verifies and publicizes human-rights abuses that the world needs to witness.” Yakobovich is also featured in a TED Talk about his efforts to use surveillance on its head. “This can stop corruption,” Yakobovich says, but some question how the camera could be misused to violate privacy or solicit bribes. [CNN video report]

US – EFF’s Game Plan for Ending Global Mass Surveillance

For years, we’ve been working on a strategy to end mass surveillance of digital communications of innocent people worldwide. Today we’re laying out the plan, so you can understand how all the pieces fit together—that is, how U.S. advocacy and policy efforts connect to the international fight and vice versa. Decide for yourself where you can get involved to make the biggest difference. This plan isn’t for the next two weeks or three months. It’s a multi-year battle that may need to be revised many times as we better understand the tools and authorities of entities engaged in mass surveillance and as more disclosures by whistleblowers help shine light on surveillance abuses. [EFF]

US – Law Enforcement Radar Can See Through Walls

As many as 50 law enforcement agencies across the country have deployed radar technology capable of seeing inside homes to determine if someone is present, all with little or no public disclosure or court oversight. The technology uses radio waves to detect movement—such as breathing—to determine if someone is home. The use of the radar raises legal and privacy concerns, particularly since the U.S. Supreme Court has said law enforcement needs to obtain a warrant prior to using high-tech sensors on an individual’s home. The ACLU’s Christopher Soghoian said, “Technologies that allow the police to look inside of a home are among the intrusive tools that police have.” [USA Today]

US – Prenuptial Snooping Is Booming, Say Private Investigators

Private detectives say there has been a dramatic increase of prenuptial investigations. “It’s worth it to them to spend a little in advance to figure out whether they’re hooked up with a loser or a longtime candidate,” said AAA Detective Agency Owner Jerry Bussard. The trend stems from the increased use of online dating and embellished online profiles. “The Internet, they say, is like a gateway drug to professional snooping,” the report states. “In a manner of speaking, it’s the new prenuptial,” said another private investigator, adding, the main difference is the “party being investigated doesn’t have to sign off or agree to be under surveillance.” [The Wall Street Journal]

EU – Danish Surveillance Push Meets Opposition from Network Providers

According to the draft the Danish Defence Intelligence Service’s cyber defense unit will also be given authority to delay transactions to review security aspects. The industry says this will amount to de facto powers to block mergers and other deals. The Justice Ministry’s plan to demand that network operators resume keeping logs on traffic, also revives measures that were banned by a European court last year. [Bloomberg]

UK – British Spies Seized Emails to Reporters

There is no explanation of why the vast collection of messages was sucked into the global system of electronic surveillance created and maintained by British and American spies. But code words within the document suggest that it may be a glimpse of the colossal amount of information gathered each day before being “minimized,” or stripped of irrelevant material. …Why email messages traveling to reporters with news organizations were captured is also left unexplained in the document. Some of the captured messages contain email addresses associated with The Washington Post, Reuters, Le Monde and The Baltimore Sun. Messages to at least four New York Times reporters were intercepted. [NY Times]

EU – France Vows Forceful Measures Against Terrorism

Prime Minister Manuel Valls announced “exceptional measures,” including plans to spend an additional 425 million euros, or more than $490 million, to create over 2,500 new jobs to buttress the fight against terrorism and monitor nearly 3,000 people the police consider surveillance targets. A bill aimed at updating the legal framework for intelligence and surveillance operations will be introduced in Parliament in March, he said. [NY Times]

AU – Australia’s Privacy Commissioner Tim Pilgrim Fears Telco Metadata Breaches

Timothy Pilgrim says Australians should be warned if their their privacy is breached as a result of leaked metadata. The legislation, dubbed the Data Retention Bill, requires Australian phone and internet providers to store various customer metadata for up to two years for law-enforcement agencies’ access. No warrant is required to access the data, only a requesting agency senior officer’s sign off. Exactly what metadata the government wants providers to store remains unclear, as the final “data set” will be in the bill’s regulations, which have not yet been released and can be changed by the Attorney-General of the day without Parliament’s approval. Instead, a “proposed data set“ document that doesn’t specify exactly what data should be retained, has been circulated. [Source]

UK – Ex-UK Spy Chief Says Accord Needed With Tech Firms to Stop Terrorism

Prime Minister David Cameron has promised laws giving greater access to online communication if he wins the May general election, but some of his rivals oppose the scale of his proposals. Sawers backed Cameron’s stance, saying that while he understood the value of online communication services like Facebook’s WhatsApp and Apple’s FaceTime, and used them himself, they could not be beyond the reach of monitoring agencies. http://www.reuters.com/article/2015/01/20/us-britain-security-sawers-idUSKBN0KT10Z20150120

UK – Privacy Activists Irate As British Lords Try to Sneak Surveillance Bill Into Anti-Terror Laws

According to Mike Harris, from the Don’t Spy On Us campaign group, the Lords have actually made the original bill tougher, by not mentioning many useful safeguards. As it stands, the proposed amendments would allow the home secretary, Theresa May, to force internet service providers to hold onto communications data for 12 months. That information would be accessible to any “relevant public authorities”, which could even allow local councils to grab data on citizens. The only barrier the secretary of state has to overcome is in consulting Ofcom, the communications regulator. [Forbes]

UK – UK Declares War on Privacy Under the Facade of “National Security”

Great Britain just isn’t that great anymore. An astounding erosion of my home country’s fundamental civil liberties and freedoms has made it difficult to envision one day returning home.

Put simply: at the next election, the U.K. population will vote on whether or not it gives the U.K. government the mandate to spy and snoop unrelentingly under the unproved and illogical assumption it will prevent future terror attacks. [ZDNet] [Europe Pivots Between Safety And Privacy Online]

AU – ‘Invasive’ Data Retention Bill Should Be Scrapped

“[Mandatory data retention] is characteristic of a police state,” the LIV wrote, quoting the Office of the Victorian Privacy Commissioner. “It is premised on the assumption that all citizens should be monitored. Not only does this completely remove the presumption of innocence, … it goes against one of the essential dimensions of human rights and privacy law: freedom from surveillance and arbitrary intrusions into a person’s life.” [Lawyers Weekly]

AU – Everyone Has Something to Hide If Universal Data Retention Becomes Law in Australia

Metadata can provide an alarming amount of information about an innocent individual’s activities, friends and beliefs. It’s simply not necessary. What would a telephone call or Google search placed in front of a brothel, gay bar or abortion clinic reveal? Imagine the caller were not me – with my classical liberal views – but a conservative Christian politician. What mischief could be had at his or her expense? [The Guardian]

AU – Privacy Commissioner Hits Out at ‘Ill-Defined’ Data Retention Plans

The Victorian Commissioner for Privacy and Data Protection said the government’s data retention proposal was ill-defined and insecure in a submission to the parliamentary inquiry investigating the scheme. This vast reservoir of highly sensitive, distributed data will not be adequately secured because the scheme does not properly address the security issues associated with the transmission and storage of the retained data …It is so vague and opaque as to make it impossible to clearly determine the risks it poses or to suggest appropriate mitigation measures. [AFR]

US – With Snowden in the Background, Privacy Takes a Back Seat to Security

In a rare streak of bipartisanship, there is virtually no distance between Republicans and Democrats on this issue. Roughly seven in 10 Democrats and Republicans alike prioritize the investigation of threats over personal privacy (71 and 68%, respectively). Even liberal Democrats, by 62-34%, side with investigation over privacy. Political independents drop to 56% preferring investigation. [Washington Post] [Goodbye Privacy: White House Sides with UK, Wants Backdoor to Encrypted Data]

TH – Cyber Bill Powers to Be Scaled Back: Government Yields to Public Pressure

The Cybersecurity Bill was among eight digital economy-related bills which earned cabinet backing early this month, on top of two others which received preliminary approval last month. But is has since been subject to complaints from experts and privacy activists who have urged a revision to prevent abuse of power by the state… Thailand is ranked third in globally for cybersecurity risk, with hackers frequently using the country as a base for major attacks, including the recent high-profile cyberhack against US-based Sony Pictures Entertainment. [Bangkok Post]

US – Marco Rubio Wants to Permanently Extend NSA Mass Surveillance

Rubio for years has positioned himself as a vocal defense hawk in Congress, and he has repeatedly defended the NSA’s spy programs revealed to the public by former agency contractor Edward Snowden. But Rubio’s call to permanently extend the legal framework that allows the NSA to collect the bulk U.S. phone metadata—language that Congress has tweaked and in many cases made more permissive since 9/11—is particularly forceful. It comes in the wake of terrorist attacks by Islamic extremists in France at a satirical newspaper and a kosher deli that left 17 dead—violence that has prompted European officials to publicly consider whether more forceful surveillance laws are needed. It also underscores the divisions among Rubio and his fellow Republican senators expected to jockey for the White House—namely, Sens. Ted Cruz of Texas and Rand Paul of Kentucky. [GovExec]

Telecom / TV

US – Group Urges FCC to Impose Privacy Rules on Broadband Providers

Consumer advocacy group Consumer Watchdog is urging the Federal Communications Commission (FCC) to place new privacy regulations on broadband providers. In a letter to the FCC , Consumer Watchdog wrote, “If consumers believe that their broadband provider substantially threatens their privacy, they are less likely to use the Internet.” The FCC should reclassify broadband service as a utility, Consumer Watchdog argues, and follow the same privacy rules set up for telephone providers. “This vital protection should exist related to private information secured from digital networks,” Consumer Watchdog wrote, adding, “The FCC must adopt regulations to ensure that the integrity and privacy of data gathered on the broadband networks we use are maintained.” [MediaPost]

US – Court Filing: Law Enforcement Kept Call Database Without Court Approval

Until last year, U.S. law enforcement maintained a database of international phone calls obtained from telecommunications companies under subpoenas that don’t require court approval. The U.S. Drug Enforcement Administration said in a court filing last week that the database tracked phone numbers and the time and duration of the calls and allowed investigators to query a number if they had a “reasonable articulable suspicion” that it was linked to a federal criminal investigation. The database was discussed during a federal court case involving a person suspected of illegally transporting U.S. goods and technology to Iran, the report states. [Bloomberg ]

US – Apple iPhone with Secret iFeature Allows Government to Spy on You

It is not clear if the “special software” being referred to in the interview is made up of standard diagnostic tools, or if the NSA whistleblower thinks intelligence agencies from the United States have found a way to compromise the mobile operating system developed by Apple. [TechTimes]

US Government Programs

US – U.S. Drug Enforcement Agency Halts Huge Secret Data Program

The program, run by DEA’s Special Operations Division, collected international U.S. phone records to create a database primarily used for domestic criminal cases – not national security investigations, according to records and sources involved. Two people briefed on the DEA program said that it began in the late 1990s. Records show it involved the use of administrative subpoenas, which can be issued by federal agents – rather than grand jury subpoenas, which must be approved by prosecutors, or search warrants, which must be approved by a federal judge. [Reuters]

US – The Many Problems with the DEA’s Bulk Phone Records Collection Program

The government’s claimed authority for this bulk collection was 21 U.S.C. § 876, which empowers the Attorney General to issue administrative subpoenas—not approved ahead of time by a grand jury or judge—which compel the production of records that are relevant and material to an investigation relating to drug crimes. But bulk collection of all call records based solely on the country a person called could never satisfy the statute, because most of the records are irrelevant to an active investigation. To be sure, the government may only have queried the database for records relevant to an active investigation, but the government was using § 876 to collect all records in anticipation of some future investigation. In other words, unless every person in the US who has ever made a phone call to someone in Iran or some other country contained in the database is considered a criminal suspect, the vast majority of records are irrelevant to any investigation. [EFF]

US – U.S. Discloses New Trove of Phone Call Records

The D.E.A. program was one of several troves of information on Americans’ phone records revealed in recent years. The most extensive and controversial one is kept by the NSA and contains records on every American phone call. Counterterrorism officials use it when conducting investigations, but civil liberties advocates have continued to raise questions about the programs. [NY Times]

US – New Report: DHS Is a Mess of Cybersecurity Incompetence

A large, embarrassing, and alarming Federal oversight report [by Senator Tom Coburn] finds major problems and grave shortcomings with Department of Homeland Security cybersecurity programs and practices which are “unlikely to protect us”. The report says (and echoes the sentiments of many civilian infosec professionals) that the DHS approach on vuln mitigation is nothing but a losing strategy. “The nature of cybersecurity threats — and the ability of adversaries to continuously develop new tools to defeat network defenses — means that DHS’s strategy for cybersecurity, which focuses primarily on vulnerability mitigation, will not protect the nation from the most sophisticated attacks and cybersecurity threats.”[ZDNet] [Slate: Step Aside, States?]

US – NSA Creating Privacy Internship Program

One of the central thrusts of the research is to determine if certain data presents more or less risk to privacy and civil liberties, and if the same can be done in terms of how the data is being used. [FedScoop]

US – Privacy Advocates Say NSA Reform Doesn’t Require ‘Technological Magic’

Just because a new federal report found no software solution to recreate the full scale of current National Security Agency surveillance does not mean that’s the right policy, privacy pros say. At a press conference with British Prime Minister David Cameron, President Obama said the US needs to preserve its capability to track electronic communications of terrorist suspects, but is working with companies to ensure the government meets “legitimate privacy concerns.” Obama has already proposed some surveillance reforms, including nixing the government’s storage of the phone records and forcing the NSA to gather them from company databases instead. “We just have to work through, in many cases what are technical issues,” Obama said. [CS Monitor]

US – As Terror Threats Rise, Privacy Is Now More Important Than Ever

Snowden’s revelations tipped the needle in favor of greater privacy and security, but recent attacks have thrown much of that effort under the bus. Does now really seem like the best time to compromise on security by calling for encryption to be outlawed, in the process stripping Internet users of their privacy, and opening them up to hacks, attacks, and identity theft? U.K. prime minister David Cameron thinks so, and he’s counting on Obama’s support for implementing backdoors in the tech companies. [ZDNet]

US Legislation

US – Tech Companies and Advocates Join Forces to Push ECPA Reform

Companies including Amazon, eBay and Facebook have joined the Electronic Frontier Foundation and dozens of other groups in sending letters to Congress demanding lawmakers finalize a bill that would require officials to get a warrant before searching people’s old emails or other items stored in the cloud. “Because of all its benefits, there is an extraordinary consensus around … reform—one unmatched by any other technology and privacy issue,” the groups wrote to leaders of the House and Senate Judiciary Committees, adding that passing a bill “sends a powerful message—Congress can act swiftly on crucial, widely supported, bipartisan legislation.” [The Hill]

US – Obama Proposal to Consider Impact of New Technologies

President Barack Obama has proposed federal legislation to safeguard student privacy in the face of new technologies that collect sensitive personal information about students in order to help tailor learning plans. While the White House hasn’t publicized details of the proposed legislation, Obama indicated in his speech unveiling the plan that it would be modeled on a California law that passed last year. “This is a huge step forward,” said James Steyer, CEO of nonprofit child advocacy group Common Sense Media. However, another activist said he considers the California bill a “very weak proposal.” [The Washington Post]

US – Proposed Indiana Law Would Raise Bar for Security and Privacy Requirements

These requirements are a substantial change from most existing U.S. privacy laws, and designing and implementing the necessary procedures could be a challenge for many companies. …Failure to comply with the bill’s requirements would constitute a deceptive act under state consumer protection law. While only the attorney general may bring an enforcement action, if a court determines that the violation was “done knowingly,” penalties include a fine of $50 for each affected Indiana resident, with a minimum fine of at least $5,000 and maximum fine of $150,000 per deceptive act. [Source] The Indiana Office of the Attorney General has recommended the 2015 legislature pass a bill that would tighten state laws governing data collection.

US – Other US Privacy News


Workplace Privacy

US – Job Searching? Get Ready to Hand Over Some Intimate Details

Rob Walker describes efforts to find a job and the online component that seems to accompany every search. “In addition to asking for your address, gender, race, etc., the questions have been more specific … I’ve also seen forms asking whether the applicant has been found to have depression, anxiety or behavioral or medical ‘disabilities.’ Generally, you cannot submit the application without providing all the requested data.” Prof. John Sullivan of San Francisco State University says companies are moving away from such practices but mainly because they can find that information by searching what candidates, themselves, have already put online. [The New York Times]

US – How to Talk to Employees During a Breach

While many companies are working with security firms and encrypting data, “they may be neglecting an important piece of the puzzle.” The article lists ways to communicate with employees during a cyber attack. Companies should be proactive when communicating with employees, the report states, instructing them on how they can help minimize the impact of the breach; be open and honest about what they do and don’t know; communicate frequently, and encourage employees to voice their questions and concerns, the report states. [Fast Company]


Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: