01-15 February 2015


WW – Facebook Rolls Out New Facial Recognition Technology

Facebook is rolling out a new facial recognition technology called “DeepFace,” which was developed for Facebook by an Israeli company it acquired in 2012. The technology can recognize a human face in a new photo by comparing it with a previously uploaded photo with 97.25% accuracy. The company tested the technology by having it match tagged photos with a database of more than four million images representing more than 4,000 different people. DeepFace is only available to some users thus far, and Facebook is allowing users to opt out if they wish by changing their privacy settings. [MediaPost] See also: [Biometric Update reports market research firm Goode Intelligence has published a whitepaper entitled The Impact of Privacy and Data Protection Legislation on Biometric Authentication].

US – Millions of DNA Samples Stored In Warehouse Worry Privacy Advocates

Privacy advocates are calling for more safeguards related to a state collection of DNA samples from 16 million Californians in a nondescript government warehouse in the Bay Area. The biobank holds blood taken with the prick of a heel from almost every baby born in California for the last three decades. It is used to screen for 80 health disorders, such as cystic fibrosis and sickle cell anemia. Unlike most states, California keeps the frozen samples indefinitely and shares them with genetic researchers, for a fee. State officials say the samples are secure and are used to save lives. But the privacy advocates and an influential state lawmaker, concerned about the potential misuse of DNA information, say parents and donors should have a clear choice about whether the state can keep theirs. [LA Times]

UK – 100 X Thousands of ‘Innocent People’ in Cop Photos Database

They include photos of [“hundreds of thousands” of] people never charged, or others cleared of an offence, and were uploaded without Home Office approval. Biometrics Commissioner Alastair MacGregor QC said he was concerned about the implications of the system for privacy and civil liberties. Speaking in his first interview, he said that police forces had begun setting up a searchable database of police mugshots last year, without telling either him or the Home Office. Almost every police force in England and Wales had now supplied photographs, he said. [‘Innocent people’ on police photos database]

Big Data

US – Podesta Shares Privacy Progress Report

John Podesta looks at big data and privacy in The White House Blog. “Today, we’re releasing an interim progress report detailing the progress we have made—and what we still have ahead,” he writes, discussing the commitment President Barack Obama has made “to ensure that student educational data is used only for educational purposes” and the administration’s work “with a bipartisan group of legislators “ that plans to introduce “legislation to fulfill that promise.” Podesta also discusses price discrimination and consumer protection. “Big data will continue to contribute to and shape our society, and the Obama administration will continue working to ensure that government and civil society strive to harness the power of these technologies while protecting privacy and preventing harmful outcomes,” he writes. [Full Story]

US – White House Releases Report on Differential Pricing

The Obama administration has released a 22-page report on big data and the issues around so-called price discrimination. “One of the many questions raised by big data is whether companies will use the information they harvest to more effectively charge different prices to different customers, a practice that economists call price discrimination,” the report states. The confluence of big data analysis and price differentiation has raised concerns, and “many companies already use big data for targeted marketing, and some are experimenting with personalized pricing,” the report states. It suggests many concerns “can be addressed by enforcing existing antidiscrimination, privacy and consumer protection laws” and calls for increased transparency on how consumer data is used and shared. [Full Story]

US – The Big Data Picture – Just How Anonymous Are “Anonymous” Records?

It’s vague enough that when the authors knew the details of any four transactions you’d made during the three month data period, as, for example, would any shop that you had visited four times, they had a chance lower than 15% of guessing which anonymous tag in the file was yours. But with 10 known transactions, something you might easily rack up with multiple retailers due to daily habits at at a coffee shop, a parking lot, or a newsagent, their chance of pinpointing you rose above 80%. Loosely speaking, the anonymous data they had access to, even when coarsened astonishingly, turned out to be not-so-anonymous after all. [Naked Security]

US – FTC Asked to Investigate Big Data Acquisitions

The Center for Digital Democracy, U.S. PIRG, Consumer Watchdog and Public Citizen said last week the FTC should launch an investigation into the growing consolidation of big data analytics firms and digital marketing companies. The groups are concerned about a “recent spate of acquisitions in the big data and digital marketing industries,” the report states. In a letter to FTC Chairwoman Edith Ramirez, the groups wrote about companies “amassing vast holdings of the key element that drives much of online commerce”-information about consumers. The groups are particularly concerned about Oracle’s recent acquisition of data broker Datalogix, the report states. [PCWorld] [IAPP VP of Research and Education Omer Tene writes that a speech Federal Trade Commission Bureau of Consumer Protection Director Jessica Rich gave last week “maps out the state of play at the intersection of technology, law and policy”]

WW – Big Data And Insurance: Should There Be A Code Of Practice?

Association of British Insurers (ABI) chairman Paul Evans called on the insurance industry to “anticipate regulators” and develop its own big data code of practice in a recent interview with the Financial Times, which makes a lot of sense. So what are the issues that a code might cover? We can all imagine privacy and data protection issues, but the use of big data in insurance touches on a number of other important legal issues. [Source]

US – Palantir Buys Start-Up, Adds Retail Analytics

Palantir, which is known for its data analytics platform and is used in law enforcement, financial research, healthcare and other areas, can now “add retail and shopping data to the mix” with its purchase of start-up Fancy That. Fancy That “has built a platform to help retailers with their omnichannel strategies across physical stores, online, mobile and other platforms where they sell goods and communicate with customers,” the report states, noting Fancy That “incorporates elements of machine learning, mobile, and sensor technologies into its services. It works on both software and hardware technologies.” The terms of the Fancy That deal have not been disclosed. [TechCrunch]


CA – Bill C-51: The Anti-Terrorism Act, 2015

The federal Conservative Government introduced a sweeping anti-terrorism bill (Bill C-51, the Anti-terrorism Act, 2015). Much of the media attention on Bill C-51 has rightly focused on the creation of a new criminal offence of knowingly advocating or promoting the commission of terrorism offences and the new judicial power to remove terrorist propaganda from websites using Canadian Internet service providers. These have significant implications for freedom of expression. However, this multi-part review of the privacy implications of Bill C-51 begins with the new Security of Canada Information Sharing Act, self-declared purpose is “to encourage and facilitate the sharing of information among Government of Canada institutions in order to protect Canada against activities that undermine the security of Canada” (s. 3). [Source]

CA – Canada’s New Anti-Terror Bill C-51 Concerns Privacy Commissioner

Privacy Commissioner Daniel Therrien says he is concerned that the government’s new anti-terror bill does not respect the privacy rights of Canadians. Bill C-51 proposes to lower the threshold of what’s required for police to make an arrest in a terror case. Previously an arrest could be made only if a terror act “will be” carried out, but C-51 would allow police to arrest a suspect if an attack “may be” about to happen. It would also broadly expand the powers of Canada’s spy agency, CSIS, to “counter-message” or “disrupt” terrorist websites, Twitter accounts and the like. “This Act would seemingly allow departments and agencies to share the personal information of all individuals, including ordinary Canadians who may not be suspected of terrorist activities, for the purpose of detecting and identifying new security threats,” Therrien said. “ It is not clear that this would be a proportional measure that respects the privacy rights of Canadians.” [Toronto Sun] [Full Story] [Statement from the Privacy Commissioner of Canada following the tabling of Bill C-51] [CBC: Bill C-51 aims to ‘remove terrorist propaganda’ from internet and [Anti-terrorism powers: What’s in the legislation?] [PM Harper admits proposed anti-terror law would not have stopped Ottawa attack] [Canada’s New Anti-Terror Bill Gives the Government Sweeping New Powers] [Additional oversight for security agencies just ‘needless red tape’: Government] [Former CSIS officer warns new federal anti-terror bill will ‘lead to lawsuits, embarrassment’] [It’s easy to imagine Bill C-51 actually undermining Canada’s anti-terrorism strategy] [Barbara McIsaac: Bill C-51 and the Sharing of Personal Information]

CA – CSIS’s New Powers: How the New Legislation Will Affect Security Agencies

The federal government has unveiled security legislation. Here’s a breakdown of what the new powers will allow and how the legislation will affect Canada’s spy and security services.

NEW POWERS: Canada’s spy service would become an agency that actively tries to derail terror plots at home and abroad – not just one that collects intelligence and hands it off to the RCMP.

NEW OFFENCES: The bill would give authorities the power to order the removal of “terrorist propaganda” from websites. It would also create a new criminal offence of encouraging someone to carry out a terrorist attack.

LOWER THRESHOLDS: Authorities could apply to a court if they believe terrorist activity “may be carried out.” The previous threshold called on authorities to state they believed an act “will be carried out.”

LONGER DETENTION: The bill extends the length of time authorities can detain suspected terrorists for up to seven days from three and expands the no-fly regime to cover those travelling by air to take part in terrorist activities.

INFORMATION SHARING: The bill grants government departments explicit authority to share private information, including passport applications or confidential commercial data, with law-enforcement agencies. [Globe & Mail] [Editorial: Worrying new powers for CSIS]

CA – Ed: Why Is The Opposition Silent On The Terror Bill?

Why is the opposition silent on the government’s anti-terror bill? This is a complex, far-reaching piece of legislation with serious implications for good and ill, one that deserves the most searching democratic scrutiny. All the more surprising, then, that Canada’s two main opposition parties have had so little to say about it. Apart from arguing in favour of increased oversight — preferably by a parliamentary committee — neither New Democratic Party leader Thomas Mulcair nor Liberal leader Justin Trudeau have addressed the content of the legislation in any detail. [National Post]:

CA – BC IPC: Federal Terror Bill A “Privacy Game-Changer”

“This kind of broad sharing of information is a privacy game-changer and it’s not clear as to whose information we’ll share with national security agencies, for what specific purposes and whether there are any safeguards in place,” Elizabeth Denham told Thompson Rivers University law students Wednesday afternoon. “We need to watch the watchers,” Denham said. [Source]

CA – Anti-Terrorism Bill Will Unleash CSIS on a Lot More than Terrorists

Liberal Leader Justin Trudeau has announced his party will support the government’s new anti-terrorism bill and sort out any vexing details later on. That’s a bit like buying a bull because you hope its excrement can be sold as perfume. The NDP – the Official Opposition – actually intends to do its job and oppose the legislation. Here are some questions to help it along: [Globe & Mail]

CA – Tories Defend Expanded Powers of CSIS Amid Calls for Greater Oversight

Ottawa is rejecting calls for parliamentary oversight of the nation’s spies, dismissing such increased scrutiny as “needless red tape.” Conservatives defended their controversial new anti-terrorism legislation, which has faced criticism for massively expanding the powers of the CSIS without added public oversight. Public Safety Minister Steven Blaney argued the Security Intelligence Review Committee, a five-member body that investigates complaints against CSIS, is enough. “We can be very proud of what they are doing,” he said about SIRC on CTV’s Question Period. “Anything additional would be just duplication.” The anti-terrorism legislation would give CSIS the right to disrupt terrorist activity, such as by pulling suspected terrorists off planes or messing with their bank accounts. A judge would have to sign off on such actions ahead of time. The legislation would also make it easier to arrest people for promoting terrorism. Critics say there are not enough checks on these new powers. “What is absolutely missing in this legislation is oversight, oversight, oversight,” Liberal MP Wayne Easter, a former solicitor-general, said on Question Period. “That’s what’s needed for two things. One: to ensure that the new powers in this new legislation that agencies will be granted will not infringe on the privacy rights of Canadians. Two: to ensure that the agencies are using their powers within the law.” Tory MP Roxanne James hit back. “We are not interested in creating needless red tape.” [The Globe and Mail]

CA – Supreme Court to Hear Dispute Over CSIS Powers to Spy on Canadians

The case pits CSIS against the Federal Court of Canada in a confrontation over whether the court has the authority to approve CSIS warrant applications to electronically spy on Canadians overseas. The federal court insists it has no such power. CSIS and the government argue it does. The competing positions are layered in complex legal arguments laid out in secret courtroom hearings. [Source]

CA – Edward Snowden Right to Urge Caution on Anti-Terror Measures: Editorial

Whistleblower and international fugitive Edward Snowden is right in urging Canadians to be extraordinarily cautious regarding Ottawa’s new Anti-Terrorism Act. Prime Minister Stephen Harper is right to be concerned about terrorist activities, and it’s vital that agencies protecting Canadians from such threats be adequately empowered. But so far, the government has not made a convincing case that its proposed new law would have stopped the earlier attacks, or would prevent future ones. [Source] [Western Spy Agencies Secretly Rely on Hackers for Intel and Expertise ]

CA – Walkom: Craven Opposition Letting Terror Bill Sail Through

The Liberals and NDP are afraid to criticize the substance of Bill C-51. Too bad. There is a lot they could say. …the Canadian Civil Liberties Association asked the most trenchant question: Why are these extraordinary new security powers needed? “There are still no answers as to why our existing laws and powers didn’t work — or if they didn’t work,” CCLA executive director Sukanya Pillay wrote. She also pointed out that criminalizing something as vague as the advocacy of terrorism could have a chilling effect on academics and journalists. The British Columbia Civil Liberties Association has gone even further, saying that Bill C-51 would create “an unprecedented expansion of powers that will harm innocent Canadians and not increase public safety.” [Weak-kneed opposition lets Conservative terror bill sail through: Walkom] [CA – Elizabeth May Condemns Bill C-51, Saying It Would Create A Secret Police Force]

CA – Inside the Orwellian Launch of Tories’ Anti-Terrorism Act

During the question-and-answer period, reporters asked how the government would decide who is supporting terrorism. Stephen Maher from Postmedia asked if someone would be breaking the law if they posted material encouraging attacks by Ukrainian militants on Russian targets in Crimea. The row of bureaucrats at the front of the room said they wouldn’t speculate on hypothetical situations. Many answers seemed scripted to the point where one reporter asked if they were just reading parts of the backgrounder as their answers. The staffer replied that they weren’t. [Locked up reporters, denied a look at the bill, revolt] [How terrorists succeeded in making us go bonkers ] [Bill C-51: Harper’s Attempt to ‘Arrest His Way out of Terrorism’ ]

CA – The Fiasco of Bill C-51

But the first thing to get out of the way about Bill C-51 is that the proposed law is not just about terrorism. It’s also about securing to the government a fairly sweeping range of national-security and police powers to target activity that “undermines the security of Canada” by interfering with federal capabilities in relation to the country’s “economic or financial stability.” This doesn’t make things any more reassuring, mind you. The government’s recent record on that front isn’t exactly unblemished. [Ottawa Citizen] [Fighting Terror: Privacy vs. Security]

CA – Bill C-51 Has Troubling to Civil Liberties Issues for Air Travelers

Bill C-51 would enact the Secure Air Travel Act. This legislation would amend Canada’s approach to its “do-not-fly” list under what is known as the “Passenger Protect Program”. …there are a number of features that are likely to be troubling to civil liberties advocates. In particular, the lowered threshold and expanded grounds for being placed on the “Specified Persons List” which functions as Canada’s “do-not-fly” list are likely to be of concern given the potential sharing of information with foreign governments. It is expected that advocacy groups may be concerned that this information sharing, combined with lower thresholds and expanded grounds, could increase the risk of the detention of Canadians abroad merely on “suspicion” of knowingly contributing to terrorist activities. [Canada’s Proposed Secure Air Travel Act]

CA – Mere Oversight Won’t Fix Tory Surveillance Bill: Geist

Bill C-51’s potential to harm privacy and civil liberties requires a detailed, non-partisan review. Bill C-51 appears to allow Canada’s spy agency “to effectively ignore any law (domestic or otherwise), and do whatever is deemed necessary to counter activities that extend far beyond just terrorism.” [Star] [Anti-terrorism legislation requires vigilance: Editorial]

CA – Secrecy Shrouds Ottawa’s Information-Sharing Deal With Five Eyes Allies

A veil of secrecy has dropped around a series of immigration information-sharing agreements between Canada and its “Five Eyes” allies. The federal privacy commissioner’s office said it has raised concerns with the department about unauthorized use, disclosure of transfer of information that goes beyond Canada’s borders, both under the deal with the U.S. and the five-country information sharing initiative. Anne-Marie Hayden, a spokeswoman for Privacy Commissioner Daniel Therrien, said the office has advised the department that “refugee claimants are a particularly vulnerable group and information sharing should continue to be done on a limited, case-by-case basis. Sharing of this sensitive information should be undertaken with caution and under strict safeguards and protocols.” [The Star] [How Canada compares to ‘Five Eyes’ members in intelligence oversight : Canada is the only member of the “Five Eyes” intelligence-sharing alliance that does not have legislative oversight of its security agencies].

CA – MacKay Once Backed Intelligence Oversight Now Rejected by Tories

As deputy leader of the Conservative Party in 2005, Mr. MacKay argued forcefully for giving MPs and senators a role in overseeing Canadian spies. “When you talk about a credible oversight body, I would suggest … that a parliamentary body is going to have more credibility because of its independence and because of the fact that there is also parliamentary accountability that will be brought to bear,” Mr. MacKay said in October of that year. “To that end, I suggest that it would also cause a little bit more diligence on the part of the security agents themselves, just knowing that this oversight body was in place.” [Globe & Mail]

CA – Canada Revenue Agency Can Now Provide Police With Evidence of Crimes

The Canada Revenue Agency gained the little-noticed new authority, which does not require a judicial warrant, through an amendment tucked into the government’s most recent omnibus budget bill. Previously, confidentiality provisions in the law prevented the agency from handing information about suspected wrongdoing, on its own initiative, to law enforcement. The exception was information that pointed to tax-related crimes. The new provisions apply to offences including breaking and entering, vehicle theft, arson, corruption and kidnapping. They also allow authorities to pass along information about any offence with a minimum prison term, or one with a maximum sentence of 14 years. [Source]

CA – 80% of Canadians Will Choose A Business on Its Privacy Reputation: Survey

According to a new survey nine in 10 Canadians are concerned about privacy — including 34% who say they are extremely concerned. That’s according to a new poll released by the federal privacy commissioner to mark Data Privacy Day. The number who said they are extremely concerned is up almost 10% from the survey done in in 2012.

  • Almost eight in 10 people surveyed (78%) have become less willing to share their personal information with organizations in the wake of media stories about sensitive information being lost, stolen or made public;
  • Eight in 10 (81%) are more likely to choose to do business with a company specifically because it has a good reputation for privacy practices.

The privacy commission’s survey also found

  • A significant majority (78%) expressed concern about how personal information about them online might be used in the context of government surveillance;
  • More than half of Canadians (57%) said they were “not comfortable” with government departments and agencies requesting personal information from telecommunications companies without a warrant;
  • Canadians expressed particular concern about what might happen to the personal information stored on a mobile device if it was lost or stolen, with nearly half (49%) saying they were extremely concerned;
  • Nearly 30% of respondents said they had been negatively affected by a breach. Most felt it is at least somewhat likely that their privacy may be breached by someone using their credit or debit card (78%), stealing their identity (78%), or accessing personal information stored on their computer or mobile device (74%).

Roughly half of Canadians said they don’t have a good understanding of what businesses and government will do with their personal information. [IT World] [Privacy survey is a wakeup call for CIOs ]

CA – Saanich Disables Covert Monitoring Software at Municipal Hall

Privacy commissioner Elizabeth Denham launched an investigation last month after newly elected Mayor Richard Atwell alleged that spyware had been installed on his work computer without his consent. Denham, acting on her own, said her investigation will examine whether the district’s use of employee-monitoring software complies with the Freedom of Information and Protection of Privacy Act. She expects to finish her review by the end of March and make her findings public. Laidlaw [Saanich Chief Administrative Officer] said Saanich may revisit the issue after Denham reports. [Times-Colonist]

CA – Watchdog cum Lobbyist Loukidelis Now Acts for Vancouver Publisher.

Once paid to ensure that the privacy of British Columbians was protected, Loukidelis is now lobbying the government to amend provincial rules to permit digital information about British Columbia high school students to be sent to China. The Vancouver publisher has printed yearbooks in China since 2007 and is seeking a ministerial directive to allow it to continue to send student information — including names, photographs and year of study — overseas on a temporary basis. [Source]


WW – Poll Exposes Drone Opinions

In a new Reuters/Ipsos online poll, 73% of respondents said they “want regulations” on privately owned drones. Reuters reports various concerns from respondents, including being “uneasy about potential invasions of privacy by drones carrying cameras or other devices.” The report also found 42% of respondents opposed “private ownership of drones, suggesting they prefer restricting them to officials or experts trained in safe operation.”. [Full Story]

US – AT&T Lets Users Opt Out of Tracking, But With a Price

AT&T’s gigabit fiber-to-the-home service telecom charges customers based on their privacy preferences. The GigaPower service is the same price as Google Fiber, but users who do not want their web browsing activity tracked must pay an additional $29 per month. AT&T says it tracks “the webpages you visit, the time you spend on each, the links or ads you see and follow, and the search terms you enter… AT&T Internet Preferences works independently of your browser’s privacy settings regarding cookies, do-not-track and private browsing. If you opt-in to AT&T Internet Preferences, AT&T will still be able to collect and use your web browsing information independent of those settings.” [Ars Technica]

US – ADL Says RTBF “Has No Place in the U.S.”

In a blog post, the Anti-Defamation League (ADL) says it supports a decision made by Google’s Advisory Council that right-to-be-forgotten takedown requests should only be honored in the EU. The ADL reiterated its own policy position from last November, stating that “individuals should not have the right to have links to old and/or embarrassing information about themselves removed from Internet search results.” They explain, “Doing so is tantamount to taking a scalpel to library books, allowing people to tear from public record things about themselves from the past that they simply do not like.” For example, it could allow “a white suprema­cist to erase all traces of his history of bigoted rhetoric before running for public office, denying the pub­lic access to make a fully informed decision.” [Full Story]

US – Researcher: Some Pledge-Signers Still Vulnerable

A security researcher has found several companies that have signed the Student Privacy Pledge do not use basic data security, The New York Times reports. Of the 60 or so companies that have currently signed the pledge, approximately 20 percent of them did not use Secure Socket Layer encryption during the log-in process for students, parents and teachers. Though there is no evidence the weak security has allowed any breaches, the vulnerabilities could easily be exploited, the report states. Company executives confirmed the log-ins aren’t currently encrypted and said “they had been caught in the process of updating their security measures,” the report states. [Full Story]


US – Considering Legislation to Let Non-Americans Seek Judicial Redress

The U.S. intelligence community and its EU counterparts are negotiating legislation that would enable non-Americans to “seek judicial redress for intentional or willful disclosures of protected information,” citing comments by Robert Litt, general counsel for the U.S. Office of the Director of National Intelligence, during a discussion at the Brookings Institution on Wednesday. “We are working on legislation right now,” Litt said. “We’ve been discussing this with representatives of the EU as well.” [Sputnik]

US – FTC Joins Agencies Adding Security Layer to Consumer Sites

The Federal Trade Commission (FTC) has joined a number of other federal agencies in deploying additional security best practices for public consumer websites donotcall.gov, ftccomplaintassistant.gov and hsr.gov. The websites have enabled a feature called HTTP Strict Transport Security (HSTS), which hardcodes all future communications to be encrypted by default so when visitors attempt to visit the sites, HSTS-enabled browsers will automatically encrypt the connection with any additional instruction from the website, reducing the potential for an attacker to impersonate an FTC website when connecting from open WiFi hotpots or insecure networks, the FTC’s blog reports. [Full Story]

WW – Report Highlights UK Public Sector Cloud Concerns

Nearly half of all public sector respondents to a survey on cloud computing have responded that security is their highest concern. After security, the second most worrisome elements of implementing public sector cloud-based applications were found to be the use of cloud apps sourced or commissioned without involving the IT department (12%) and managing the increasing number of cloud apps in use’ (also 12%). [Public Technology] [Canadian Treasury Board Gov’t-Wide Policy: keep cloud storage local]


US – Congress Takes Up Email Privacy Reform. Again.

Reforming the rules regarding email privacy is a mere step in the walk towards correcting the mass surveillance that the United States government executes, but it is an important piece of progress all the same. [TechCrunch]

Electronic Records

US – Medine: Section 215 Can and Should Be Shut Down

Privacy and Civil Liberties Oversight Board Chairman David Medine writes in a Lawfare post that the National Security Agency’s metadata surveillance program can and should be shut down. He notes that Section 215 of the USA PATRIOT Act should be “abandoned in favor of targeted queries to individual telephone companies based on individualized suspicion,” because it’s “not only more privacy protective but better for national security.” [Full Story]

US – Debate Heats Up Over Safety of Electronic Health Records

But Ross Koppel, a University of Pennsylvania professor who has published extensively on the topic in medical journals, called the federal government’s stance at the conference “a whitewash.” “They are systematically selecting studies and study methods that minimize the hundreds of thousands of errors related to HIT,” he said. “Of course, there was a safety problem with paper, but there are new, different and more wicked problems with HIT.” If the ability to cut and paste information from one chart to another causes it to balloon from three to 3,000 pages, physicians may not even be able to find the “nugget of needed information,” Koppel says. [Source]

US – No Encryption Standard Raises Health Care Privacy Questions

The main federal health privacy law – the Health Insurance Portability and Accountability Act, or HIPAA – encourages encryption, but doesn’t require it. The lack of a clear encryption standard undermines public confidence, some experts say, even as the government plows ahead to spread the use of computerized medical records and promote electronic information sharing among hospitals, doctors and insurers. …T the Senate Health, Education, Labor and Pensions committee said it’s planning to examine encryption requirements as part of a bipartisan review of health information security. “We will consider whether there are ways to strengthen current protections,” said Jim Jeffries, spokesman for chairman Lamar Alexander, R-Tenn. [Source] [The Toronto Star: Ontario is lagging behind other health jurisdictions on the protection of patient privacy]


US – Box Hands Cloud Encryption Keys Over To Its Customers

Key management system keeps data safer from intrusion—and government demands. Box needs permission from the customer when decrypting files. “Before we can use our key, we need the customer to decrypt it inside the HSM,” the company said. “It’s a layered encryption model. So while the data itself is not encrypted with the customer’s key, the customer key is the gatekeeper for decrypting it. In effect, our key is useless until it’s decrypted by the customer.” Each time Box needs temporary access to decrypt files, “we go back to the customer to request access (by sending over the document key for decryption). Each request is captured in the logs controlled exclusively by the customer. Customers can monitor that log to see how the data is accessed and how the keys are being used, and we have no way of modifying that log.” The customer doesn’t have to manually approve each request, but anything out of the ordinary would be flagged. [Ars Technica]

WW – Developer Reveals Flaw in WhatsApp Privacy Settings

A developer from The Netherlands has revealed that WhatsApp’s privacy settings can be bypassed with a simple bit of software. The software kit, released by Maikel Zweerink, allows a user to see whether other WhatsApp users are online, even if their status is set to “private” session. His goal with the release of the software, he wrote in a blog post, is to demonstrate that the popular messaging service is “broken … in terms of privacy.” He added, “This is not a ‘hack’ or an ‘exploit,’” it is “broken by design.” [International Business Times]

WW – Email Encryption Developer Was Going Broke; Facebook, Others Chip In

The developer of one of the world’s most-used email encryption services, Werner Koch, was almost out of funds to stay in business when ProPublica published a report on the developer of Gnu Privacy Guard, a service used by investigative journalists, whistleblowers—including Edward Snowden—and dissidents. Koch “has been almost single-handedly keeping it alive with patches and updates from his home” in Germany, the report states, earning a fraction of what he could have made in private industry and falling short of paying himself and hiring a programmer. Facebook and payment provider Stripe, however, each agreed to donate $50,000 a year toward the open-sourced project; the Linux Foundation’s Core Infrastructure Initiative has provided a one-time grant of $60,000, and other donations have come in since the article was first published. [Full Story]

EU Developments

UK – GCHQ Mass Internet Surveillance Was Unlawful, IPT Rules

The Investigatory Powers Tribunal has considered unlawful the GCHQ access to information gathered by the NSA through its massive surveillance programs….The ruling would trigger massive claims against the intelligence services, principal organizations for the defense of Human Rights will request to access records related to their activities and members. On the other hand, the Intelligence agencies are already reorganizing their TTPs to continue to operate and protect their Homeland Security. [Security Affairs] See also: [EurActiv reports MEPs approved a law allowing member states “to share information on car registries”]

EU – DPAs Form Task Force Following Facebook Privacy Policy Changes

A group of European data protection authorities (DPAs) formed a task force in reaction to the latest changes to Facebook’s privacy policy. The group will be led by Belgium, The Netherlands, Germany and “perhaps” Italy, a spokesman from Belgium’s state secretary for privacy said. At issue are the company’s practice of tracking users when they are not on its site and using information from profiles for commercial purposes, the report states. Germany’s DPA has taken issue with how Facebook processes personal data, particularly between other services it already owns, such as WhatsApp and Instagram. [IDG News Service] [EU data protection authorities get serious about Facebook’s privacy policy ]

EU – Working Party Clarifies Health Data Definition in Apps

The Article 29 Working Party (WP29) has responded to a request from the European Commission made in the framework of its mHealth initiative to clarify the definition of data concerning health in lifestyle and well-being apps. The WP29 responded that it supports a broad definition of health data, distinguishing the following three categories: Data is inherently/clearly medical data; data is raw sensor data that can be used in itself or in combination with other data to make conclusions about a person’s health status or risk, or conclusions are drawn about a person’s health status or risk. The WP29 considers “explicit consent as the most likely legal ground” for processing health data. [National Law Review]

UK – ICO’s Data Protection Audit Powers Extended to Cover NHS bodies

NHS bodies in the UK can now be forced to open themselves up to data protection audits under new powers handed to the Information Commissioner’s Office (ICO). The ICO had long campaigned for the compulsory audit powers they have under the Data Protection Act to be extended to the public health sector. Previously, the ICO could only compel central government departments to participate in a data protection audit and needed the consent of other organisations to investigate their procedures. [Source] [Hackers will target online NHS medical data, warns ICO] [UK NHS authorities may be subject to compulsory audits of their data protection initiatives by the Information Commissioner’s Office]

EU – Ministers Call for More Border Checks

EU interior ministers have called for more border checks to fight terrorism in the wake of recent attacks in France and Belgium. The ministers want to change the rules governing the passport-free Schengen area to allow for “systematic checks against databases relevant to the fight against terrorism” when people enter and exit the area. Currently such checks can only be carried out on an ad hoc basis. EU home affairs commissioner Dimitris Avramopoulos noted that changes for faster data exchange within the Schengen system have already been adopted and that checks are currently possible, too. Avramopoulos agreed that member states need to improve their data exchanges. “Europol needs to receive all relevant information in order to track the travel routes of terrorists,” he said. [EU Observer] See also: [MEPs have “agreed to work towards a deal to share airline passenger data” before the year’s end.] [The U.S. intelligence community and its EU counterparts are negotiating legislation that would enable non-Americans to “seek judicial redress for intentional or willful disclosures of protected information”].

UK – UK Lords Try to Sneak Through Snooper’s Charter Once Again

A week ago, we noted that a group of UK Lords were trying to rush through the “Snooper’s Charter” that had previously been rejected by the UK. The bill, of course, was about giving the government tremendous levels of access to everyone’s electronic data with little oversight. Thankfully, despite having little notice, the attempt caused a flurry of attention and the Lords were forced to back off the plan. It seemed like another good “win” for supporters of privacy and democracy. Many people still expected the UK government to try again, but few expected it would happen so soon. Yes, less than a week after having the last attempt rejected vocally, the same group of Lords are trying yet again: On Saturday, ahead of a “report stage” debate on Monday (the Counter-Terrorism and Security Bill is almost fully baked), Lords West, Blair, Carlile and King introduced a new amendment that appears to be almost identical to the last, and to the Communications Data Bill before it. Again, this new amendment would force “telecommunications operators” – which these days includes the likes of Facebook and Skype, as well as traditional telcos – to store communications metadata for up to a year and hand it over to U.K. authorities when requested. This data retention regime may require the providers to install “specified equipment or systems.” [Source] [UK – Q&A: The UK’s controversial draft counter-terrorism laws]

EU – Germany’s BND Muscles in on Metadata Mass Surveillance

The leaked intelligence docs revealed that approximately one per cent of the metadata trawl every day is stored for up to 10 years. The remainder is discarded after weeks or months. Privacy group Access Now, which according to its website “defends and extends the digital rights of users at risk around the world”, called on the BND to curtail its NSA-style “collect-it-all” programme, with Germany being one of the most vocal international critics of NSA surveillance. [Vacuumed info flows into NSA-wannabe branch offices ] See also: [ European Commission is considering requiring telecoms to store communications data of EU citizens in order to fight terrorism] | [France’s interior minister is lobbying MEPs that a passenger name record bill “is an essential tool, among many others, needed to fight terrorism.”] | [Germany’s government has announced plans to widen data retention].

EU – German Bill to Bring Fundamental Change to Data Protection Law

Germany’s federal cabinet has approved a bill that will allow consumer organisations to take businesses to court if they do not comply with the country’s data protection laws. To date, consumer associations in Germany have had difficulty in challenging data protection shortcomings by companies, Appt said. The law previously required them to prove that a provision in a privacy policy is designed either to regulate market behaviour or to protect consumers, and civil courts have not generally qualified these provisions under either category. [Source] [What data protection reform will mean for obtaining ‘customer consent’] [Out-Law.com reports on the potential changes that may come with a German bill to extend consumer rights organizations’ ability to sue on behalf of consumers] | [The German government has approved a draft law that would, among other things, empower consumers to initiate legal action for injunctive relief against companies violating the data protection law: The National Law Review] SEE ALSO: Telecompaper: the lower house of the Dutch parliament has approved legislation requiring organizations to report data breaches] and [Telecompaper: the Dutch government responded to questions from Parliament saying its data retention legislation was implemented legally, and the justice minister reiterated the intent to maintain the law].

Facts & Stats

US – Survey: General Counsel Concerned with Ethics, Compliance, Breaches

According to the latest annual survey of general counsel and chief legal officers, 96% said the function of ethics and compliance was “important” for 2015 and about 25% said it was “extremely important,” more so than all other categories. Not far behind, however, are concerns about data breaches and protection of corporate data. Responsibility for compliance functions is increasingly being tucked back inside companies rather than outsourced to law firms, said Veta Richardson, CEO of the Association of Corporate Counsel, which conducted the survey. Other topics listed as concerns include privacy and whistleblower claims. [The Wall Street Journal]

WW – Survey: In-House Counsels have Data Breaches on Their Minds

For every Target Corp., it seems, there are several others that see their data systems breached. More than a quarter of the GCs surveyed reported experiencing a data breach within the last two years, a figure that reached a full 50% within the health-care industry. (As the WSJ reported last fall, general counsel in the financial industry are, among other things, demanding that their law firms do more to protect sensitive information to ensure that they don’t become back doors for hackers.) [Nation’s In-House Counsel are Worried About Ethics, Data and ‘Trolls’  ]


WW – New Technology May Bolster Cryptocurrencies’ Success

Despite setbacks including a 67% drop in value last year, cryptocurrency advocates remain optimistic about Bitcoin’s future. And thanks to a new technology development, they may have good reason. Crypto 2.0 may help push cryptocurrencies to the mainstream. It’s essentially a layer built on top of Bitcoin’s underlying blockchain technology that enables a variety of applications—and they can be decentralized so they aren’t subject to one controlling authority. [Techonomy ]

CN – China Wants Banking Backdoors

Chinese authorities reportedly want to see the source code for all software and hardware that gets sold to its banking sector, as well as see vendors submit to rigorous audits and build government-approved backdoors into their products. But Western technology firms have reacted with alarm at the proposed “cybersecurity review regime,” and warned that it may soon be expanded to cover much more than just the banking sector. The draft Chinese banking regulations were contained in a 22-page report that was finalized at the end of 2014, and which is expected to be officially unveiled in the coming months as part of a Beijing-led cybersecurity push. The current version of the letter from Chinese authorities – which has reportedly been circulating in draft form in recent months, triggering escalating alarm from foreign technology firms – says 75% of the software and hardware products used by the Chinese financial services sector must be “secure and controllable” by 2019. The letter does not define what it means by those terms, but includes a chart specifying that for many types of computing and network equipment, vendors would have to share their source code with Chinese authorities. [Bank Info Security]


WW – 7 Things to Love About reddit’s First Transparency Report

We’re impressed by reddit’s first transparency report. In fact, the report tracks remarkably closely to EFF’s annual Who Has Your Back report, which rates companies on factors like requiring a warrant for content and informing users about government data requests. While we have no way to know whether reddit could have done more to fight government requests for user data, we can say with certainty that it adopted industry best practices in first-ever transparency report. [Source]

US – Canary Watch Tracks Sites FBI, NSA Haven’t Hit Up

While Internet service companies often want to be transparent about user privacy, they’re sometimes forced by law to stay mum on when they receive specific data requests from the National Security Agency or Federal Bureau of Investigation. However, there’s nothing stopping them from saying they haven’t received such requests, which is where a new website called Canary Watch comes in. The site tracks statements by websites like Pinterest, for example, saying they haven’t received national security requests, the report states. If those disclosures disappear, Canary Watch will flag that, “indicating that the site was likely served a warrant.” [Engadget]

WW – Governments’ Twitter Data Requests Up 40 Percent

Twitter released its biannual transparency report detailing the number of government requests for user data and noting a dramatic rise in the number of those requests. Government requests—coming in from more than 50 different countries—rose by 40% since its last report in July 2014. The U.S. “continues to make the majority of requests for account information,” Twitter stated in its report, “comprising 56% of all requests received.” In a column for The Atlantic reacting to the latest report, Adrienne LaFrance writes, “All of this is a reminder of one of the core principles of modern communication: that nothing is private on the Internet.” [The New York Times]

US – Jeb Bush Releases Emails But Doesn’t Redact PII

In a bid to be more transparent in anticipation of a possible run for the 2016 presidential election, former Florida Gov. Jeb Bush on Tuesday released all of his email transactions when serving as governor between 1999 and 2007. However, in his attempt to be more transparent for political reasons, Bush did not redact any personal information from the emails, including email addresses, contact information, medical data and Social Security numbers. [Full Story]


UK – Bioethics Report: “Consent” Is Not Enough

Obtaining individuals’ lawful consent to the processing of their health data does not on its own validate the processing as ethical, a health research body has said. The NCoB said that anonymising personal data and using it to advance medical science or health care was also not, on its own, sufficient to “guarantee” that the use of the data “is morally acceptable”. It said there was a need for “effective governance of the use of data”, after highlighting the potential clash between the public interest in using health data to further medical research and the sometimes competing public interest in protecting “individual privacy”. [Medical researchers and health care providers must consider moral as well as legal questions on data use, says bioethics body] [‘Public should be consulted on NHS medical data-sharing scheme‘]

US – DNA Database Raises Privacy Concerns

A state database containing DNA samples of 16 million Californians is raising concerns among privacy advocates and a state lawmaker. Samples are taken from virtually every baby born in the state to screen for more than 80 health disorders. The frozen samples are stored indefinitely and are shared with genetic researchers for a fee. California officials say the biobank is secure, but some are concerned the sensitive data can be misused. “Throughout the process,” Council for Responsible Genetics President Jeremy Gruber said, public knowledge and consent is “almost completely” absent. Assemblyman Mike Gatto (D-Glendale) said, “Imagine the discrimination a person might face if their HIV status or genetic predisposition to a mental disorder were revealed to the public.” [Los Angeles Times]

US – DNA Volunteers Concerned About Privacy

Science Magazine recently announced “the end of privacy” and, in an interview with NPR, Jennifer Couzin-Frankel, who writes for the magazine, discusses the privacy concerns hundreds of thousands of volunteers have about donating their DNA for medical research. Those concerns include, “Who’s going to have access to the DNA sample that I’m handing over?” or “How much control do I have over who studies it, what they do with it?,” Couzin-Frankel explains. While it was believed for some time that DNA samples could remain anonymous, recent examples have proven DNA sequences can be retraced, the report states. [Full Story]

Health / Medical

US – Data Security, Privacy Top Concerns for FDA, CMS

Officials from the Food and Drug Administration (FDA) and the Centers for Medicare and Medicaid Services (CMS) have said that data security and privacy are top concerns for their agencies. FDA Senior Technical Advisor Joe Klosky said the agency bakes in security and encrypts data, but operational and management controls are needed as well. CMS Office of Technology Solutions Director Janet Vogel said, “Because of the private nature of our data, we’re very sensitive to both privacy and security … Making it easy to have data protected at rest and in transit and in use is a really important feature that we’re looking for.” [Fierce Government IT]

US – Interoperability and Privacy are Buzzwords at 2015 ONC Annual Meeting

Lucia Savage, ONC’s chief privacy officer, emphasized that inconsistent rules about permissions to access, use, and disclose patient data are a key barrier to developing functional and interoperable systems nationwide. She noted that the current system is governed by a patchwork of state rules and often relies on handwritten patient consent—a fundamentally non-interoperable technology. [ONC (Health Info Tech) Meeting: Privacy a Buzzword ]

US – WPF Issues Report on Medical Data Protection in Schools

In light of recent news about measles outbreaks across the U.S., the World Privacy Forum (WPF) has released Student Privacy 101: Health Privacy in Schools—What Law Applies? to guide parents about what laws apply to medical data requests of students in schools. “School health privacy can be quite messy,” the WPF post states. “In some private schools, no health privacy law may apply at all,” whereas, in others, the Family Educational Rights and Privacy Act or Health Insurance Portability and Accountability Act may apply. The WPF’s new report “covers the basics of what laws apply, when and where.” [Full Story]

US – HIMSS Calls for Enhanced Privacy

The Healthcare Information and Management Systems Society (HIMSS) recently sent a letter to Congress calling for enhanced privacy measures and healthcare security initiatives. HIMSS has told Congress it must “recognize how important interoperability in health information technology is for the transformation of healthcare in the nation,” the report states, and has called for the public and private sectors to work together. “As the nation enters the fourth year of the Meaningful Use Program, we are at a critical juncture in using IT to improve patient care outcomes via nationwide adoption of EHRs and creating the ability to exchange health information privately and securely,” HIMSS stated. [HealthIT Security] [The Healthcare Information and Management Systems Society recently sent a letter to Congress calling for enhanced privacy measures and healthcare security initiatives]

US – Federal, State Health Sites Still Contain Ad Trackers

HealthCare.gov and 16 state-based healthcare exchange websites still contain ad trackers weeks after an Associated Press report claimed the sites were leaking sensitive personal information. The Centers for Medicare and Medicaid Services (CMS), which recently said it improved site encryption and narrowed the amount of data flowing to third parties, stated, “One of the most cost-effective and best ways to reach the uninsured is through digital media and advertising.” The Center for Democracy & Technology’s Justin Brookman said, it’s “bad site design” adding, “Given that they collect such sensitive data, and given that they’re government services where people might not have a choice about visiting, I feel like these sites should really only share data with third parties when absolutely necessary.” [Advertising Age]

Horror Stories

US – Hack Hits 80 Million Anthem Customers

The country’s second-largest health insurer has announced hackers accessed and obtained tens of millions of current and former customer and employee accounts. Compromised data includes names, birthdates, Social Security numbers, contact information and other employee data. In a public letter, Anthem CEO Joseph Swedish, himself a victim of the hack, said, “As soon as we learned about the attack, we immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation.” Anthem has provided customers with an AnthemFacts.com web page, complete with Swedish’s letter, FAQs and a tab to ask questions. Rep. Michael McCaul (R-TX) said, “This attack is another reminder of the persistent threats we face.” [Bloomberg] [Anthem Breach May Have Started in April 2014 ] [China To Blame in Anthem Hack? ]

WW – Malware Attack Could Be the Biggest Bank Theft on Record

The New York Times reports on what is potentially one of the largest bank thefts ever. Kaspersky Lab was recently called to Ukraine to investigate the crime, which went down without any of the normal signs of a robbery. More than 100 banks in more than 30 nations were involved when a group of international hackers penetrated the banks’ internal computers via malware that allowed them to mimic every move being made on the computers by bank employees. The software remained for months, allowing the criminals to see the banks’ daily routines and then impersonate employees—transferring funds in dummy accounts set up in other countries. Thefts thus far total $300 million, but that number is expected to triple. [Full Story]

WW – Kaspersky Lab: Bank Hackers Steal $100s of Millions via Malware

total could be triple that. But that projection is impossible to verify because the thefts were limited to $10 million a transaction, though some banks were hit several times. In many cases the hauls were more modest, presumably to avoid setting off alarms. The majority of the targets were in Russia, but many were in Japan, the United States and Europe. No bank has come forward acknowledging the theft, a common problem that President Obama alluded to on Friday when he attended the first White House summit meeting on cybersecurity and consumer protection at Stanford University. He urged passage of a law that would require public disclosure of any breach that compromised personal or financial information. [New York Times]

US – Could the Anthem Hack Happen Again? New Report Analyzes Insurers’ Cyber Security Programs

The New York State Department of Financial Services Report analyzes survey data collected from 43 insurance entities that collectively hold a staggering $3.2 trillion of combined assets. Of these 43 entities, 21 are health insurance providers, 12 are property and casualty insurance providers, and 10 are life insurance providers. The Report’s questions address six main topics: (1) the insurer’s information security framework; (2) the use and frequency of penetration testing and results; (3) the budget and costs associated with cyber security; (4) corporate governance around cyber security; (5) the frequency, nature, cost of, and response to cyber security breaches; and (6) the company’s future plans on cyber security. In an effort to obtain a broader understanding of the context of these cyber security programs within the insurers’ overall risk management strategy, the Report also analyzes the statutorily required enterprise risk management (“ERM”) reports that certain insurers filed with the Department. [Health Law Policy]

US – LinkedIn Settlement Moves Ahead; Google Buzz Case Thrown Out

A federal judge has tentatively approved a $1.25 million data breach class-action settlement with LinkedIn. U.S. District Court Judge Edward Davila said, “The settlement agreement falls within the range of possible approval as fair, reasonable, adequate and in the best interests of the class.” The preliminary judgment still leaves Davila room to reject the settlement after a final hearing, the report states. Meanwhile, a federal judge in California has thrown out a putative class-action contesting Google’s $8.5 million Google Buzz settlement. [MediaPost]

WW – TurboTax Halts E-Filing After Stolen Data Used To File Claims

TurboTax has halted electronic filing of all state returns amid reports from states of criminal attempts to obtain refunds through its systems. Intuit said its TurboTax unit took action last week after seeing individuals were making attempts to use stolen personal information to file returns, the report states. Intuit does not believe its systems were breached. Rather “the information used to file fraudulent returns was obtained from other sources outside the tax preparation process,” the company said, adding that an examination is ongoing. [The Wall Street Journal] | [J.F. Rice: A Look back at the top 20 data breaches of 2014]

Identity Issues

US – Data De-Identification: Useful Tool, But No Magic Bullet

FERPA regulations require educational agencies and institutions–and other parties that release de-identified education records–to take into account information that is “linked or linkable to a specific student”, as well as other reasonably available information about a student, so that the cumulative effect does not allow a “reasonable person in the school community to identify the student with reasonable certainty.” De-identification is not a single on-off switch. Nor is it a magic bullet. Instead, it’s a process. [Source] [Khaled El Emam: Is it safe to anonymize data?]

US – NIST Launches Grant Competition

The National Institute of Standards and Technology (NIST) is launching a competition for U.S. companies to earn grants to pilot online identity-verification systems that help improve the privacy, security and convenience of online transactions. According to the release, NIST intends to fund multiple grants of $1 million to $2 million per year, per project, for up to two years. Eligible institutions include higher education, nonprofits, commercial organizations and state, local and U.S. tribal government entities. Abbreviated applications will be accepted through March 17, and NIST will provide guidance in the form of an applicant’s conference and other avenues. [Full Story]

Internet / WWW

US – Federal ‘Internet of Things’ Report Triggers Debate, Senate Inquiry

The FTC report noted that despite the potential risks associated with expanding connectivity, new legislation dealing specifically with the IoT would be inappropriate. “Regarding legislation, staff concurs with many stakeholders that any IoT-specific legislation would be premature at this point given the rapidly evolving nature of the technology,” the FTC said in a statement. Sen. John Thune, (R-S.D.), chair of the Senate Commerce Committee agrees. “Standing on the cusp of technological innovations that will improve both the safety and convenience of everyday items, we shouldn’t let government needlessly slow the pace of new development. By engaging early in this debate, Congress can ensure that any government efforts to protect consumers are tailored for actual problems and avoid regulatory overreach,” Thune said in a statement on the IoT hearing. [Source]

UK – Microsoft Adopts Cloud Privacy Standard

In a blog post, Microsoft General Counsel & Executive Vice President Brad Smith writes that it is the “first major cloud provider to adopt the world’s first international standard for cloud privacy.” ISO/IEC 27018 seeks to establish uniform and global standards for protecting personal information in the cloud. The British Standards Institute has independently verified that Microsoft Azure, Office 365 and Dynamics CRM Online are all in line with the new standards. According to Smith, this matters because it gives users control of their data as well as an understanding about what is happening to it. Smith said strong security has been implemented to protect data and none of it will be used for advertising. Users will also be informed when a government has requested their data. [Full Story]

WW – Cisco Forecasts Global Wireless Data Traffic To Increase Tenfold by 2019

The increased use of smartphones and Internet-of-Things devices will precipitate a massive jump in wireless traffic around the world. A new forecast from Cisco predicts that global wireless traffic will increase by 10 times in the next four years. In 2014, wireless traffic reached approximately 30 exabytes (30 billion gigabytes) and will reach nearly 300 exabytes by 2019. The number of mobile users is expected to jump from 4.3 billion to 5.2 billion, or nearly 70% of the global population. Additionally, Cisco expects there to be 3.2 billion additional devices for machine-to-machine communication and 578 million wearable devices. Data from wearables alone could increase by a factor of 18, the report states. [Re/code]

US – FTC’s Soltani Warns About IoT Security

In a FTC blog post, Chief Technologist Ashkan Soltani discusses the security shelf-life of the Internet of Things (IoT). “I’d like to briefly explain why I believe IoT security is so important and why the IoT ecosystem presents a unique set of factors that give rise for special attention to security,” Soltani writes. He cites attributes including the ease of reprogramming small devices for reasons other than what was originally intended; the lack of interfaces for the consumer; the possibility of vulnerabilities to manifest across a large class of devices; the likelihood that inexperienced businesses will create new devices without appropriate protections, and the lack of incentives for manufacturers to provide consumers with security patches for low-cost devices such as lightbulbs and webcams. [Full Story]

Law Enforcement

CA – Kelowna RCMP ‘Routinely’ Breach Privacy During Strip Searches: Judge

“Videotaping inside strip search rooms and simultaneous broadcasting to a central monitoring location is a routine policy at the Kelowna detachment. That ‘routine policy’, breaches the intent and spirit of (case law). The interests of the police of maintaining safety in the search rooms and preserving evidence are not so compelling that they outweigh (the) expectation of privacy that her strip search not be videotaped and monitored remotely.” [Judge Ellen Burdett]


US – Advocates Concerned About FCC Location Data Requirements

“Americans dial 911 nearly 240 million times a year, and 70% of the calls are made on cell phones,” Newsweek reports, noting a 2013 study found that more than 10,000 people die each year because the location data wireless providers transmit to emergency personnel is insufficiently precise. So the Federal Communications Commission on Thursday voted 5-0 to improve the indoor location of wireless 911 calls, requiring major telecommunications companies to provide horizontal-location information, within 50 meters of a caller, and vertical information—what floor a caller is on—for 67% of emergency calls. In five years, they’d be required to provide that information for 80% of emergency calls. Civil liberties groups say the plan lacks any mention of privacy safeguards. [Full Story]

WW – Visa to Use Location Tracking To Detect Fraud

Visa will roll out a feature this spring that will allow its cardholders to automatically inform their banks when they are using the location function found in nearly every smartphone. Privacy experts are applauding the feature, saying, if used properly, it could cut down on credit card fraud and protect users. The feature is optional and can be deactivated at any time, the report states. Banks will be able to update their smartphone apps to include Visa’s new location-tracking software. If a customer opts in, the Visa software will establish a customer’s home area within a 50-mile radius and transactions that occur within that radius will be considered low risk. [The Associated Press]


WW – APEC Meetings Focus on Future of CBPRs, Updating Privacy Framework

From January 30 to February 3, the APEC Data Privacy Subgroup and its parent committee, the Electronic Commerce Steering Group, met in the Philippines for another round of negotiations and meetings. The meetings focused on implementing APEC’s Cross-Border Privacy Rules (CBPR) system; developing a corollary APEC recognition mechanism for data processors, and updating the APEC Privacy Framework, the report states. The CBPR system currently comprises the U.S., Mexico and Japan and will likely be joined by Canada later this month. Thus far, 10 companies have earned their CBPR certification under APEC-recognized accountability agent TRUSTe. The next round of meetings will be held in August. [Hunton & Williams Privacy and Information Security Law Blog] [Huntons] [Thailand has announced new regulations that, if implemented, would make shooting video with drones “illegal activity for civilians lacking prior permission“]. [Biometric Update: the United Arab Emirates intends to establish a free zone for financial services on Al Maryah Island and employee privacy will be a major component of the effort]

Online Privacy

WW – Google Advisors Recommend Limited RTBF Scope

An eight-person advisory panel appointed by Google released its much-anticipated report on how best to apply the Court of Justice of the European Union’s ruling on the right to be forgotten, recommending delisting only apply in Europe. The recommendations run counter to guidance provided by the Article 29 Working Party (WP29) but include a dissenting opinion from former German Justice Minister Sabine Leutheusser-Schnarrenberger. The report does recognize a global application “may ensure more absolute protection of a data subject’s rights,” pointing out that people outside of Europe have the right to access data online. The advisory council also expressed “concerns about the precedent set by such measures, particularly if repressive regimes point to such a precedent” to censor information in their nations. [GigaOM]

WW – Google Advisory Council: Right To Be Forgotten Should Not Go Beyond Europe

After listening to evidence about the ability to block international sites, the council was also concerned about a government’s ability to truly block specific websites and the precedence such a move would set. “The Council has concerns about the precedent set by such measures, particularly if repressive regimes point to such a precedent in an effort to ‘lock’ their users into heavily censored versions of search results,” said the report. “It is also unclear whether such measures would be meaningfully more effective than Google’s existing model, given the widespread availability of tools to circumvent such blocks.” [Source]

WW – Apps Will Share Data With Google Now

In a bid to bolster its hold on the online search market, Google plans to allow a host of third-party apps—including Airbnb, eBay and Lyft-to share data with Google Now, The Wall Street Journal reports. Google Now is a predictive search app, available for Android phones and wearables as well as the Chrome web browser. If users have the updated Google app and the Airbnb app on their phones, for example, the search history from Airbnb will be shared with Now. Previously, Google acquired search data from a user’s Google account search history. According to the report, more than 30 third-party apps will share data with Google Now. [Full Story]

EU – France – Paris Court’s Move to Export R2BF Worldwide

In the judgment for Mr. Shefet, the French judge relied on a specific point of the recent privacy ruling that said a company’s local subsidiary could be held liable for the activities of its parent. The judge ordered Google’s French subsidiary to pay daily fines of roughly $1,100 until links to the defamatory content were removed from all searches worldwide. [A Question Over the Reach of Europe’s ‘Right to Be Forgotten’ ]

Privacy (US)

US – Obama Issues Executive Order Promoting Cyber Info Sharing

Speaking at Stanford University, U.S. President Barack Obama announced a new executive order designed to promote private sector cybersecurity information sharing. Obama also said a national conversation on data encryption is needed. “I lean probably further in the direction of strong encryption than some do inside of law enforcement,” he said, “But I am sympathetic to law enforcement because I know the kind of pressure they’re under to keep us safe.” Sen. Tom Carper (D-DE) said the executive order “complements” his cyber info-sharing bill. Meanwhile, also speaking at Stanford, Apple CEO Tim Cook said, “We believe deeply that everyone has a right to privacy and security.” He added, “If those of us in positions of responsibility fail to do everything in our power to protect the right to privacy we risk something far more valuable than money—we risk our way of life.” [Full Story] [Privacy experts question Obama’s plan for new agency to counter cyber threats  ]

US – Data Protection Lacking Across Ed-Tech Sector

The New York Times reports on classroom technology for students and teachers and the apparent industry-wide gap in data security and privacy protection. One software engineer with two kids in elementary school said, “A lot of education sites have glaring security problems,” adding, “A big part of the problem is that there’s not even any consensus of what ‘good security’ means for an educational website or app.” After reviewing nearly 20 education technology products, the software engineer found other potential privacy vulnerabilities, including in districts’ social networks, cl assroom assessment programs and learning apps. [Full Story]

US – Franken Probes Samsung, LG Smart TV Privacy Practices

In the wake of privacy concerns stemming from the privacy policy of Samsung’s Smart TV Voice Recognition feature, Sen. Al Franken (D-MN) has sent letters to both Samsung and LG asking for more details about their data collection practices. “If such communications are unnecessarily captured along with voice commands,” Franken wrote, “is it possible to extract that data before transmission to a third party?” Samsung said it “supports Senator Franken’s commitment to consumer privacy and we appreciate the opportunity to respond to his inquiries regarding the voice recognition feature on our Smart TVs.” [PCWorld]

US – FTC Denies Proposed Verifiable Consent Method Under COPPA

Recognizing the importance of encouraging the development of new consent mechanisms and to provide transparency, COPPA allows parties to request that the FTC approve parental consent methods not enumerated in COPPA. The goal of this provision is to encourage the development of new verification methods that provide businesses with more flexibility. The process requires a detailed description of the proposed parental consent method and an analysis of how the method is reasonably calculated to ensure that the person providing consent is the child’s parent. The application is then published in the Federal Register for public comment. [HLDA]

US – Markey Report Reveals Automobile Security and Privacy Vulnerabilities

“Drivers have come to rely on these new technologies, but unfortunately the automakers haven’t done their part to protect us from cyber-attacks or privacy invasions. Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected,” said Senator Markey, a member of the Commerce, Science and Transportation Committee. “We need to work with the industry and cyber-security experts to establish clear rules of the road to ensure the safety and privacy of 21st-century American drivers.” [Markey]]

US – EFF Files Supreme Court Amicus Brief Over Warrantless Searches of Hotel Records

Central to City of Los Angeles v. Patel is a city ordinance requiring hotel operators to retain certain guest registry information, which they must make available to police officers on demand. Hotel operators aren’t allowed to challenge requests for guest information in court in advance and can be punished with a jail or fine if they refuse to comply. Citizens Have a Right to Challenge Laws That Violate the Fourth Amendment [EFF]

US – Does the Government Require Your Hotel to Spy on You?

The question is not whether private parties’ privacy expectations are reasonable. The Fourth Amendment asks whether government agents’ searches and seizures are reasonable. The petitions submitted by the City of Los Angeles and the U.S. government both treat the idea of “frequent, unannounced inspections” as a virtue of the statute. According to the government parties, innocent business owners, who are not suspects of any crime, should be subject to routine surprise inspections by government agents to make sure that they are performing surveillance of their guests for the government. … The Court should revisit the third-party doctrine and the “reasonable expectation of privacy test,” which produced it. [CATO]

US – Justice Department Drops Court Battle; Hands Document to Privacy Group

The Justice Department has agreed to turn over a legal opinion on surveillance and census data following a yearlong court battle with the Electronic Frontier Foundation (EFF). The department on Thursday dropped its appeal of a federal judge’s decision requiring it to provide the opinion to the EFF. The group sued to obtain documents on government surveillance, including a document that analyzed law enforcement access to census data, under the USA PATRIOT Act. A Justice Department spokeswoman said on Friday the department will turn over the document to the EFF. [Associated Press]

US – Judge: Heightened Risk of ID Theft Doesn’t Constitute Standing to Sue

A federal judge has ruled that the “heightened risk of future identity theft” isn’t enough to establish standing for a woman who filed a class-action lawsuit after her personal data was compromised in the 2014 hack of St. Joseph Health Systems. U.S. District Judge Kenneth Hoyt dismissed the suit after St. Joseph argued the woman had not suffered an injury traceable to the breach and hadn’t proved any quantifiable damage or loss. In his ruling, Hoyt cited Clapper v. Amnesty International USA, stating the plaintiff’s allegation that risk has increased doesn’t translate into “cognizable injury.” [Courthouse News Service]

US – Congress Considers IoT Regulation

The Internet of Things (IoT) was front-and-center during a Senate Committee on Commerce, Science and Transportation hearing that featured testimony from a wide spectrum of witnesses across industry sectors. At issue in the now Republican-controlled Senate committee hearing was whether the IoT and its many benefits can flourish unfettered in a free marketplace or if regulations are needed to mandate strong security, ensure privacy protections and manage other more technical issues around spectrum availability. [Full Story ] [CA – What Canadians can learn from FTC’s Internet of Things report]

WW – Managing Privacy in the Internet of Things

The data from all these things will be valuable not just to the companies that deploy them, but also to people or companies operating in other domains. For example, your thermostat might talk to your neighbor’s weather station to determine an appropriate temperature setting, and then switch on the heating when your phone’s GPS tells it that you’re nearing home. It’s this many-to-many and cross-domain aspect of connectivity that distinguishes IoT from earlier remote monitoring/control systems and M2M (machine-to-machine) systems, where only one organization created, owned, and used the data. In the IoT, each connection won’t be predetermined; these things should be able to structure their conversations on the fly, in an automated and ad-hoc manner. But this raises a number of questions and concerns around privacy, interoperability, and data-access privileges. [Source]

US – AGs Tell Anthem Notification Took Too Long

A group of 10 state attorneys general (AGs) sent Anthem a letter complaining about the length of time it took for the country’s second-largest health insurer to notify the public of its recent breach, Reuters reports. “The delay in notifying those impacted is unreasonable and is causing unnecessary added worry to an already concerned population of Anthem customers,” wrote Connecticut AG George Jepson, adding, “Anthem must commit to reimbursing consumers for any losses associated with this breach during the time period between the breach and the date that the company provides access to credit and identity theft safeguards.” The letter was written on behalf of Arkansas, Connecticut, Illinois, Kentucky, Maine, Mississippi, Nebraska, Nevada, Pennsylvania and Rhode Island. The breach could cost more than $100 million. [Full Story]

US – POTUS to Announce New SIGINT Rules; ODNI Releases Report on Privacy Reforms

President Barack Obama will announce new rules “requiring intelligence analysts to delete private information they may incidentally collect about Americans” and plans to “institutionalize a regular White House-led review of the National Security Agency’s monitoring of foreign leaders.” Subsequently, the Office of the Director of National Intelligence (ODNI) has released a report outlining how it has implemented signals intelligence privacy and civil liberties reforms. An ODNI blog post notes that over the last 18 months, reforms have strengthened privacy, limited SIGINT data collection and use and increased transparency. “As this report shows, the intelligence community has made significant progress implementing many reforms,” the ODNI wrote, adding, “However, our work is not done.” [The New York Times]

US – Brill on Obama’s Proposals; Researchers on Adequate Privacy Protection

Last week was a busy one for Carnegie Mellon University (CMU): Three researchers published a review on people’s attitudes toward privacy and how they change given context, and the Federal Trade Commission’s Julie Brill spoke on the Internet’s “accelerating encroachment into our private lives.” During her talk, Brill advocated for the passage of three new laws unveiled recently by President Barack Obama. “I do think there’s a place for industry self-regulation,” Brill said, though thus far it’s proved insufficient. Meanwhile, “approaches that rely exclusively on informing or ‘empowering’ the individual are unlikely to provide adequate protection against the risks posed by recent information technologies,” CMU’s Alessandro Acquisti, Laura Brandimarte and George Loewenstein wrote in their review. [TNS]

US – Obama’s OLC Says Section 215 Cannot Apply to Census Data

In a First, Government Acknowledges the Limits of Section 215 ..the government released an opinion (pdf), written by the Office of Legal Counsel (OLC) in 2010, that concluded that Section 215—the provision of the Patriot Act the NSA relies on to collect millions of Americans’ phone records—does have a limit: census data. [Source]

US – Uber to Implement Privacy Program Recommendations

Uber announced it is strengthening its privacy programs as the result of an outside privacy assessment, laid out in a 40-page review. The ride-sharing start-up retained Hogan Lovells Partner Harriet Pearson, CIPP/US, and her team last November after a number of reports surfaced about the company’s controversial use of consumer data, leading some to apply the name “Ubergate.” This exclusive for The Privacy Advisor reports on the detailed review and includes comments from Pearson and Uber Counsel of Data Privacy Katherine Tassi. [Full Story ]

US – First-Ever Revenge Porn Conviction Handed Out

In a first-of-its-kind case, a San Diego man was convicted under a new California revenge porn law. Kevin Bollaert was found guilty of 27 felony counts for creating a website that hosted revenge porn and a secondary site used to extort hundreds of dollars from victims. The now-defunct website YouGotPosted.com included sexually explicit photos of tens of thousands of women with links to their social media accounts. If a victim requested a takedown, she was directed to another site, ChangeMyReputation.com, where victims had to pay for the images’ removal. They were also instructed to provide pictures of themselves holding signs with their birth dates. Bollaert now faces up to 20 years in prison. [NBC] [In a column for The Atlantic, Profs. Danielle Citron and Woodrow Hartzog explain the significance of the Federal Trade Commission settlement with the founder of a revenge porn website]

US – Why the FTC’s Revenge Porn Settlement Is a Big Deal

Danielle Citron and Woodrow Hartzog explain the significance of last week’s Federal Trade Commission settlement with the founder of a revenge porn website. Until recently, the law has “struggled to address emerging privacy threats, including invasion of sexual privacy,” for a number of reasons, including free speech and certain protections for online publishers. Citron and Hartzog note, however, a “budding movement … recognizing that information shared in confidential relationships deserves protection.” Plus, businesses “are now on notice that it is illegal to exploit information shared in confidence and with an expectation of privacy,” and, “Repurposing confidential relationships, and the information shared in them, for commercial gain could prompt action by consumer-protection agencies.” [The Atlantic]

US – Seattle Creates Set of Privacy Principles

Seattle launched its Privacy Initiative in November , led by the Seattle Police Department and Department of Information Technology, to define how the city collects, uses and disposes of data to both meet the city’s needs and build public trust. The City Council received a set of privacy principles that aim to establish a core foundation from which city employees will approach decision-making where their work intersects with personal data. The principles include provisions on valuing privacy; collecting and keeping only what’s needed; granting citizens choices when possible on how their data is used; staying accountable, and requiring third-party vendors to meet the city’s privacy standards. [Full Story]

US – Taking Photos Up Girl’s Skirt Appalling, But Not A Crime, Judge Rules

Defense attorney Mark Lawrence argued that Buono had taken the images in public, a place where no one can reasonably expect privacy. The law bans clandestine photography in bathrooms, locker rooms, dressing rooms and tanning booths — all places where people should expect privacy. But the aisle in Target was plainly public, Lawrence said. Plus, up-skirt sightings can occur by happenstance, he said, citing the famous photos of a wind-swept Marilyn Monroe. It could happen to anyone riding an upward-bound escalator, taking a spill, exiting a car. “These things are not only seen but video-recorded,” Lawrence said. “It’s incumbent on us as citizens to cover up whatever we don’t want filmed in public places.” On top of that, Lawrence noted, the girl was wearing underwear, and therefore was not nude, which the invasion of privacy statute requires. [Source]

US – After 18 Years at the CDT, Dempsey Moves to Berkeley

For Jim Dempsey, the decision to leave the Center for Democracy & Technology after 18 years was pragmatic. Traveling from his home in California to Washington, DC, as frequently as he was—a frequency that only increased with his involvement in the Privacy and Civil Liberties Oversight Board and his efforts toward ECPA reform—left him somewhat exhausted. But the pragmatism of his decision doesn’t mean he’s any less excited about where he finds himself now as a result of his decision to stay put: He’ll head up the Berkeley Center for Law & Technology as its executive director. [Full Story]

Privacy Enhancing Technologies (PETs)

WW – “Privacy-Aware Research” Among Aggregated Health Competition Winners

The Health Data Exploration project has announced five recipients in its $200,000 Agile Research Project Competition. The project is based at the California Institute for Telecommunications and Information Technology and supported by the Robert Wood Johnson Foundation. The recipients were selected for their capacity to advance the use of aggregated and anonymous personal health data for research. They are Rumi Chunara of New York University, Julie Kientz of the University of Washington, Emil Chiauzzi from PatientsLikeMe, Michelle De Mooy of the Center for Democracy & Technology (CDT) and Eric Hekler of Arizona State University. The CDT’s De Mooy’s submission, entitled “Towards Privacy-Aware Research and Development in Wearable Health,” received $50,000 in funding. [Full Story]

WW – A Reverse-Engineering “Crypto Trick”; the Power of White Hat Hacking

Wired reports that security researcher Jacob Torry will present a new scheme that would make reverse-engineering code virtually impossible. The Hardened Anti-Reverse Engineering System (HARES) encrypts code that only allows decryption by the computer’s processor just before the code is executed, the report states. “It protects software algorithms from reverse engineering, and it prevents software from being mined for vulnerabilities that can be turned into exploits.” Gizmodo reports on a security researcher who figured out how to delete any photo album on Facebook using only four lines of code. Instead of exploiting it, the researcher reported it to Facebook. Meanwhile, Apple has announced it has extended two-factor authentication to Facetime and iMessage. [Full Story]

WW – Venture Capital Firm Invests in “Instagram for Doctors”

Venture capital firm Union Square Partners late last year “made an investment that was a bit unusual,” leading a $4 million funding round for Figure 1, a start-up targeting the medical industry with a social network that allows doctors, nurses, EMTs and other medical professionals to share medical images. Figure 1 “takes a popular and effective UI and applies it to an industry in desperate need of change,” said Union Square’s Fred Wilson. “In other words, an Instagram-like app dedicated to picture-sharing between medical professionals,” the report states, noting that because it “deals with medical data, its restrained by a host of privacy laws.” [FastCompany]


US – Obama Introduces Cyber-Enforcement Squad, Seeks $14 Billion for Cyber Defense

The White House has announced a new $20 million cyber unit to oversee dot-gov network security. The “E-gov Cyber” unit will also ensure that agencies notify victims of data breaches. Acting U.S. Chief Information Officer Lisa Schlosser said the division will “conduct data-driven, risk-based oversight of agency government-wide security programs.” Reuters reports that as part of the White House’s budget proposal, President Barack Obama is asking Congress for $14 billion in funding for cybersecurity across the U.S. government. A White House summary said, “Cyber threats targeting the private sector, critical infrastructure and the federal government demonstrate that no sector, network or system is immune to infiltration by those seeking to steal” sensitive data. [NextGov]

WW – 100% of IoT-Connected Home Security Systems Tested Security FAIL

HP researchers tested 10 of the newest connected home security systems and discovered the Internet of Things-connected security systems are full of security FAIL. “The biggest takeaway is the fact that we were able to brute force against all 10 systems, meaning they had the trifecta of fail (enumerable usernames, weak password policy, and no account lockout), meaning we could gather and watch home video remotely,” wrote HP’s Daniel Miessler. …HP Fortify found an “alarmingly high number of authentication and authorization issues along with concerns regarding mobile and cloud-based web interfaces.” …In a previous report, HP Fortify researchers found about 25 security vulnerabilities per Internet of Things device. In the report about home security systems, HP researchers said they don’t want to dampen your enthusiasm, but they do want you to be informed about the risks before activating these systems. Wouldn’t we be better informed if we knew precisely what IoT devices and security systems are full of fail? [ComputerWorld]

WW – Report: Most Malicious Apps Come From U.S.

A new report says the U.S. is the top developer of malicious and privacy-invasive applications, despite the fact that “conventional wisdom … often places the problem squarely in Asia.” The research was done by Marble Security and looked at countries with developers that published applications that were either directly malicious, handled data insecurely or posed a potential privacy risk, the report states. It focused on app marketplaces considered the most secure, Google Play and Apple’s App Store, and found that more than 42 percent of the dangerous apps came from companies or publishers identified as being in the U.S. [PCWorld]

WW – Russian Researchers Uncover Deeply Embedded Spyware

A Russian-based security firm has uncovered a highly secretive means of spying deep within the software used in most of the world’s hard drives. According to the Kaspersky Lab, personal computers in as many as 30 countries were infected with one or more spying programs. The report calls the implants part of the “Equation Group,” which according to The New York Times , is a “veiled reference to the National Security Agency” and the U.S. Cyber Command. Prof. Peter Swire told Reuters the disclosure could impact U.S. trade and diplomatic relations. “There can be serious negative effects on other U.S. interests,” he added. [Reuters]

US – Hacked Hotel Phones Fueled Bank Phishing Scams

Over the past two weeks, fraudsters have been blasting out SMS messages to hundreds of thousands of mobile users in the Houston, Texas area. The messages alerted recipients about supposed problems with their bank account, urging them to call a supplied number and follow the automated voice prompts to validate or verify their credit card account information. [Krebs]

WW – Product Puts Encryption Keys in Customers’ Hands

Key management system Box, which has been talking about letting customers manage their own encryption keys so they can store their data in the cloud and maintain control over who gets access to it, says its new product, Enterprise Key Management (EKM), does just that by putting “encryption keys inside a customer’s own data center and in a special security module stored in an Amazon data center.” While Box must still access customer data to enable sharing, it only happens when the customer wants it to, the company says. “Without EKM, Box could be forced to hand data over to the government without notifying the customer if the government request is valid and requires Box to keep it secret,” the report states. [Ars Technica]


US – EFF Has NSA Suit Partially Denied, Files Suit Over Airborne Surveillance

A federal judge has thrown out part of an Electronic Frontier Foundation (EFF) lawsuit against the National Security Agency (NSA), citing national security. U.S. District Court Judge Jeffrey Wright issued a 10-page order denying a portion of the suit against the NSA over its Internet surveillance of Americans’ communications but said he can’t fully explain his decision because doing so could pose “grave danger to national security.” Meanwhile, the EFF has also filed a lawsuit “seeking details of a Justice Department surveillance program that uses secret airborne technology to scan large numbers of Americans’ cell phones while hunting criminal suspects.” [The Wall Street Journal reports]

US – Canary Watch Site Will Keep an Eye Out for Vanishing Warrant Canaries

The way canaries work is that companies inform us, in their transparency reports, when their customers have not been served with a secret government subpoena. Such secret subpoenas, such as the National Security Letters empowered by the USA Patriot Act, come with gag orders that keep companies from telling customers they’ve been served. When a company publishes the dates that it hasn’t received a subpoena, customers can then infer – from the missing information – the dates that the company must have been served with the subpoena. [Source]

US – FAA Releases New Rules for Drones;

Over the weekend, the U.S. Federal Aviation Administration (FAA) released a highly anticipated framework of regulations for unmanned aircraft systems (UAS), or drones. President Barack Obama released a memorandum to federal agencies on Sunday to ensure the government is respectful of citizens’ privacy and civil liberties when drones collect data while in flight. Obama made his first attempt to address the concerns that privacy advocates have raised about the increasing use of drones by government agencies. The directive orders agencies to limit the collection and retention of data gathered by unmanned aircraft. Local and state agencies receiving federal grants must also create drone privacy policies, according to the memorandum. While praising the effort as helpful, the ACLU said the directive fell short of the organization’s goal. [Bloomberg]

US – NTIA to Head Up Multistakeholder Process

Obama and the FAA issued an executive order calling on the National Telecommunications & Information Administration (NTIA) to carry out a multi-stakeholder process to create a code of conduct for protecting the privacy of U.S. citizens. The NTIA will have 90 days to initiate a framework for “privacy, accountability and transparency for commercial and private UAS use.” An NPR report notes the FAA proposal highlights safety over privacy. [Full Story]

US – Few Privacy Limitations Exist on How Police Use Drones

Members in the House and Senate introduced bills in the previous Congress that would have required police everywhere in the country to obtain a warrant before using drones for surveillance, but the bills died at the end of the year. “In the states that don’t require warrants, it’s pretty much a Wild West” in terms of what’s allowed, says Jay Stanley, senior policy analyst at the American Civil Liberties Union. “There’s nothing stopping a police department from using [drones] in all kinds of ways to spy, except for the Constitution.” [Only 14 states require law enforcement get a warrant to use drones for surveillance] Meanwhile, in Thailand, new regulations would make shooting video with drones “illegal activity for civilians lacking prior permission,” Slate reports

US – Poll: Folks OK With Police Drones – Private Ownership, Not So Much

Some 73% of respondents to a Reuters/Ipsos online poll said they want regulations for the lightweight, remote-control planes that reportedly have been involved in an increasing number of close calls with aircraft and crowds. People are also uneasy about potential invasions of privacy by drones carrying cameras or other devices. Forty-two percent went as far as to oppose private ownership of drones, suggesting they prefer restricting them to officials or experts trained in safe operation. Another 30% said private drone ownership was fine, and 28% were not sure, according to the survey of more than 2,000 respondents, conducted Jan. 21-27. [Americans : Poll]

US – Noflyzone Aims to Keep the Airspace Over Your Home Drone-Free

NoFlyZone.org registers each address along with its GPS coordinates, which are then relayed to drone manufacturers to create a geofence around the home and render their products unable to fly over the property. …The few drone makers who’ve signed on include HEXO+, Ehang, DroneDeploy, Yuneec, Horizon Hobby, PixiePath and RCFlyMaps. That list leaves out major drone makers DJI and 3D Robotics: big omissions, given that, according to TechCrunch, DJI alone “probably accounts for the vast majority of drone sales in the United States.” Even if the major drone makers do agree to go along with geofencing people’s homes at their request, it’s not clear that NoFlyZone has the right to protect personal airspace, which, at least in the US, is under the control of the Federal Aviation Administration. [NakedSecurity]

Telecom / TV

WW – Today in Creepy Privacy Policies, Samsung’s Eavesdropping TV

As an Electronic Frontier Foundation activist pointed out earlier today, via Twitter, the concept of a TV screen that might be snooping on your private conversations — and thus broadcasting a chilling effect by inculcating self-censorship within its viewers — is straight out of George Orwell’s 1984 …The Samsung example is just the latest privacy-related concern involving smart TVs — many of which routinely require users to agree to having their viewing data sent back to the TV maker and shared by them with advertisers and others simply in order for them to gain access to the service. But the clarity of wording in Samsung’s privacy policy is impressive — given it amounts to a warning not to talk about private stuff in front of your telescreen because multiple unknown entities can listen in. [TechCrunch]

WW – Privacy Worries Over Samsung TVs

Privacy Commissioner John Edwards said the function appeared to breach collection principles under the Privacy Act. “It is hard to imagine a lawful purpose for a TV manufacturer to collect voice communications not directed at the TV.” He said he would also look into the adequacy of the privacy policy disclosure. “Even if there was a disclosure of the fact of that kind of collection in the privacy policy, I’d be prepared to look at the fairness and intrusiveness of the practice.” [Source] [CBC: CA – Samsung SmartTV an ‘Absurd’ Privacy Intruder, Ann Cavoukian says]

WW – Samsung Says TVs Do Not Monitor Conversations

In a blog post, Samsung responds to media reports that, according to the company’s privacy policy, its new Smart TVs are capable of sharing private conversations with third parties—prompting some to compare it to George Orwell’s 1984. In the post, Samsung says its “products are designed with privacy in mind” and that voice recognition features “are enabled only when users agree to the separate Samsung Privacy Policy and Terms of Use regarding this function when initially setting up the TV.” Additionally, the company notes, users can activate and deactivate the service at any time. [Full Story]

WW – Samsung Edits Orwellian Clause Out of TV Privacy Policy

Relying on vague wording to obfuscate function and keep users in the dark as to how their technology really operates does no one any favors. It breeds mistrust and triggers overblown concerns. If the privacy policy sounds creepy, the implication is the service provider is also doing something creepy — or at the very least trying to hide its activity from plain sight. Which makes people naturally suspicious. …As the smart home takes shape, consumers are going to be asking increasingly probing questions about what previously-innocuous-but-now-connected-to-the-cloud home gizmos are actually doing with the data they’re sniffing. To keep buyers on side, device makers will not only need great services; they’ll need sparkling privacy and spectacular security too. A core part of the solution will be privacy by design, and privacy policies written in plain language that are displayed proudly, as an asset, held up in plain sight. [TechCrunch]

US – Senators to Push Privacy, Security Legislation for IoT

Sen. Edward Markey plans to introduce legislation to require security measures in connected cars. Markey’s legislation will require makers of wireless access points on connected cars to use penetration testing technologies and that collected data is encrypted. The legislation will also require that the car manufacturer or a security vendor be able to detect and respond to hacking attempts in real time. The bill will also require car makers to explain their data collection practices to drivers and allow them to opt out of data collection without having to disable navigation. [Source] [Will the internet of things finally kill privacy? [Why the FTC’s new report doesn’t go far enough]

US Government Programs

US – Majority of Journalists Believe U.S. Gov’t Has Spied on Them

A new report from Pew Research Center reveals that 64% of journalists surveyed think the U.S. government has collected information about their phone calls, emails or online communications, while eight out of 10 believe that simply being a journalist increases the likelihood of such intelligence gathering. However, only 14% of those surveyed said that such concerns have prevented them from covering a story about surveillance. Meanwhile, a UK tribunal ruled that some parts of intelligence gathering and sharing between the U.S. and UK are illegal. The Investigatory Powers Tribunal ruled that UK intelligence agency GCHQ broke the law when it received intelligence on millions of Britons from the U.S. National Security Agency. [Full Story]

US – New Agency Raises Privacy Concerns

The Guardian reports on concerns expressed by privacy advocates about President Barack Obama’s plans for a new Cyber Threat Intelligence Integration Center . “Given the number of other agencies that have cybersecurity threat integration responsibilities, it’s not clear that a new agency is needed,” said the Center for Democracy & Technology’s Greg Nojeim, adding, “We are keen to hear from the White House about the measures it will impose to ensure that this new agency operates transparently, with effective independent oversight, and does not become a repository for personal information unnecessary to counter cyber threats.” FireEye’s Tony Cole said, “They really could have just restructured” how the National Cybersecurity and Communications Integration Center works. [Full Story]

US – Senator Releases Harsh Report on Connected Car Privacy

Sen. Ed Markey (D-MA) has released a report warning of the data security and privacy issues with virtually every auto manufacturer. After sending inquiries to 20 automakers last year, Markey wrote, “unfortunately the automakers haven’t done their part to protect us from cyber-attacks or privacy invasions … Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected.” Nearly every connected car on the market includes technologies “that could pose vulnerabilities to hacking or privacy intrusions,” the report found. Markey suggests industry work with cybersecurity experts “to establish clear rules of the road-not voluntary agreements” to better protect consumer privacy. [The Washington Post]

US Legislation

US – Trio of Reps Introduces ECPA Update

A bipartisan trio of House members is reintroducing a bill that would require warrants to obtain email or location information. Reps. Zoe Lofgren (D-CA), Suzan DelBene (D-WA) and Ted Poe (R-TX) are introducing the Online Communications and Geolocation Protection Act, an update to the Electronic Communications Privacy Act of 1986. “Fourth Amendment protections don’t stop at the Internet, and Americans rightly expect constitutional protections to extend to their online communications and location data,” Lofgren said. Similar bills have failed to get the votes needed to make it out of subcommittee. Other lawmakers are preparing to present a separate bill specifically focused on electronic communication, the report states. [The Hill]

US – State Bill Would Require Warrants for Digital Data

A bill that would require law enforcement agencies to secure a warrant before seizing U.S. citizens’ digital communications and electronic devices was reintroduced Monday in the California legislature. State Sen. Mark Leno (D-San Francisco) proposed the California Electronic Communications Privacy Act, which would prohibit government entities from forcing service providers to hand over electronic communication information without a warrant and from getting information from an electronic device from anyone except the “authorized possessor of the device,” the report states. A warrant would be required to get personal information from mobile devices, emails, text messages, contact lists and photos as well as for location information. [Courthouse News Service ]

US – Obama Student Bill Gaining Bipartisan Support

Behind-the-scenes efforts by the White House and lawmakers to get a student privacy bill off the ground. Presidential advisor John Podesta said, “I think there’s much more pressure now to move legislation and we’re certainly going to use all of the resources we have, including the president’s time, to ensure that the Congress takes this up.” In the coming weeks, Reps. Luke Messner (R-IN) and Jared Polis (D-CO) will unveil their student privacy bill. “Protecting America’s children from big data shouldn’t be a partisan issue,” Messner said, adding, “I’m glad to work across the aisle to find the appropriate balance between technology in the classroom and a parent’s right to protect their child’s privacy.” [Full Story] [The Flaws in Obama’s Cybersecurity Initiative]

US – Congress Tries ECPA Reform Once Again

Lawmakers in both houses of Congress are making a bid at revamping the 1986 Electronic Communications Privacy Act (ECPA). Reps. Kevin Yoder (R-KS) and Jared Polis (D-CO) are expected to introduce the Email Privacy Act with 223 cosponsors. Additionally, Sens. Patrick Leahy (D-VT) and Mike Lee (R-UT) will introduce a companion bill in the Senate. Though the numbers for reform are high, an attempt last year, which failed, had the support of 272 cosponsors. “We’re starting at a much stronger place,” Polis said. “We’re able to pick up the momentum from last time, show there’s overwhelming support for this bill.” [Full Story]

US – Bill Would Nix Access to Overseas Data

Sen. Orrin Hatch (R-UT) has proposed the Law Enforcement Access to Data Stored Abroad (LEADS) Act, which would require U.S. companies to turn over data stored on overseas servers only if the warrant targets a “U.S. person.” Hatch says the legislation would “promote international comity and law enforcement cooperation,” and Microsoft agrees that it would be a “very important step.” However, Internet Association President Michael Beckerman opposes the bill , saying it could weaken individuals’ online privacy. Acknowledging the problems government surveillance powers pose for Internet companies globally, Beckerman said, “the LEADS Act, as currently written, could incentivize data localization and therefore weaken user privacy.” [Ars Technica]

US – California Introduces Bill to Ban Warrantless Spying

“Especially after revelations of warrantless surveillance by the NSA, it is time for California to catch up with other states across the nation, including Texas and Maine, which have already updated their privacy laws for the modern digital world,” said Nicole Ozer, Technology and Civil Liberties Policy Director for the ACLU of California. [Source]

US – Bill Aims to Block U.S. from Reading People’s Old Email Without Warrant

A bill seeks to prevent the U.S. government from being able to look at Americans’ old emails without a warrant. “The government is essentially using an arcane loophole to breach the privacy rights of Americans,” Yoder said. “They couldn’t kick down your door and seize the documents on your desk, but they could send a request to Google and ask for all the documents that are in your Gmail account. And I don’t think Americans believe that the Constitution ends with the invention of the Internet.” [Source]

US – Proposed Bill Limits Reach of US Search Warrants on Overseas Servers

“Electronic communications are used extensively by criminals,” DOJ says. “In the end, we must strengthen privacy in the digital age and promote trust in US technologies worldwide by safeguarding data stored abroad, while still enabling law enforcement to fulfill its important public safety mission,” Hatch said. The bill was co-sponsored with Sens. Chris Coons (D-Del.) and Dean Heller (R-Nev.). [Ars Technica]

US – New Delaware Law Gives Executors More Access to Online Data

A controversial new state law is making it easier for estate executors to access digital data—such as email, photos and social-media postings—after the account holder dies. Many Internet companies strictly limit access to their customers’ accounts to the account holder, in accordance, they say, with federal privacy law. When an account holder dies, estate executors typically have to seek a court order to access the account, which can be expensive and time consuming—sometimes taking half a year or more—and isn’t always successful. But under a Delaware law passed last summer, executors can now access online accounts without a court order, unless the deceased has instructed otherwise. Similar legislation is under consideration in several other states. That’s an encouraging development to people like Andy Blair, an estate lawyer in Raleigh, N.C., who says his parents have thousands of family photos stored online. “Without a law like this,” he says, “I may never get access to those” after his parents die. But a group of Internet firms opposed the Delaware law, saying that it violates consumer privacy and may conflict with existing federal privacy law. [WSJ]

US – Other Legislation


Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: