15-28 February 2015

Biometrics

WW – Breakthrough in Facial Recognition: The ‘Deep Dense Face Detector’

The technology has developed over the last 14 years, and the recent breakthrough coming out of the Yahoo/Stanford team is based on a new approach, springing from advances made recently in a type of machine learning known as a deep convolutional neural network. To train their neural net, Farfade and the other researchers created a database of 200,000 images, including faces at various angles and orientations, plus another 20 million images without faces. They then fed their neural net batches of 128 images at a time, over 50,000 iterations. The result is what the team calls the Deep Dense Face Detector: an algorithm that can spot faces set at a wide range of angles, even when partially occluded by other objects, such as the hands and head that are blocking Jolie’s face in the image. [Source]

WW – New Face-Detection Algorithm Could Revolutionize Search

A new face-detection algorithm could revolutionize image searches online. Traditional facial detection methods involved a head-on photo, but new methods dependent on deep convolutional neural networks can capture and detect faces from several different angles. The team of researchers who have developed the technology call it Deep Dense Face Detector. “The great promise of this kind of algorithm is in image search,” the report states, adding, “It is inevitable that this capability will be with us in the not-too-distant future.” Meanwhile, Built in Chicago reports on facial recognition technology developed by startup Verie. The app verifies an individual by using his or her face. The startup says such technology could be used to verify job applicants, lendees or potential dates. [MIT Technology Review]

WW – Neuro-Ethicist: Brain Data Must Be Protected

Technological advances “are making it easier than ever to measure, interpret and even reconstruct brain activity,” while the proliferation of wearables is creating “more ways to map our brainwaves than ever before,” and that means more opportunities for companies to mine that data. This presents an interesting question: Who owns brain data? Neuro-Ethicist Paul Roote Wolp recently stressed the importance of setting up ground rules to protect cognitive privacy. For example, functional magnetic resonance imaging (fMRI) is beginning to be used for lie detection, the report states, and “it’s not unreasonable to expect police and other actors to use cognitive data in the future” to determine innocence or guilt. [Gizmodo]

Canada

CA – Bill C-51: Support for Anti-Terror Legislation But With Additional Oversight

Nearly half of Canadians say draft law “strikes right balance”, fully one-third say it doesn’t go far enough. Four-in-five (82%) adult Canadians surveyed online by the Angus Reid Institute say they support the draft law, with fully one-quarter (25%) saying they “strongly” support C-51. Most Canadians (80%) profess to having at least heard about the legislation, and 4/5 respondents either strongly support (25%) or support (57%) Bill C-51. Opposition to the draft law stands at 17% in total, with just 5%  saying they are “strongly” against the legislation. [Angus Reid] [Why Stephen Harper’s terror bill is so popular] [National Post View: We need parliamentary debate on Bill C-51] [Mulcair won’t commit to scrapping anti-terror bill, if ever in power ] [“Total Information Awareness”: The Disastrous Privacy Consequences of Bill C-51] [Former justices, PMs express concern over lack of anti-terror oversight] [Former PMs call for more CSIS oversight as MPs debate anti-terror bill] [Bill C-51: Political battle lines drawn over anti-terror bill as election nears] [Anti-terror law shares information too easily, experts write ] [NDP will oppose ‘overreaching’ terrorism bill, while Liberals offer support] [Anti-terrorism bill’s powers could ensnare protesters, Elizabeth May, MP fears] [Anti-terror Act: Would new bill protect your financial information?] [Bill C-51 moves us one step closer to the end of privacy: Forcese, Roach]

CA – Open Letter to Parliament: Amend C-51 or Kill it

The following is an open letter addressed to all members of Parliament and signed by more than 100 Canadian professors of law and related disciplines.

Dear Members of Parliament,

Please accept this collective open letter as an expression of the signatories’ deep concern that Bill C-51 (which the government is calling the Anti-terrorism Act, 2015) is a dangerous piece of legislation in terms of its potential impacts on the rule of law, on constitutionally and internationally protected rights, and on the health of Canada’s democracy.

Beyond that, we note with concern that knowledgeable analysts have made cogent arguments not only that Bill C-51 may turn out to be ineffective in countering terrorism by virtue of what is omitted from the bill, but also that Bill C-51 could actually be counter-productive in that it could easily get in the way of effective policing, intelligence-gathering and prosecutorial activity. In this respect, we wish it to be clear that we are neither “extremists” (as the Prime Minister has recently labelled the Official Opposition for its resistance to Bill C-51) nor dismissive of the real threats to Canadians’ security that government and Parliament have a duty to protect. Rather, we believe that terrorism must be countered in ways that are fully consistent with core values (that include liberty, non-discrimination, and the rule of law), that are evidence-based, and that are likely to be effective.

The scope and implications of Bill C-51 are so extensive that it cannot be, and is not, the purpose of this letter to itemize every problem with the bill. Rather, the discussion below is an effort to reflect a basic consensus over some (and only some) of the leading concerns, all the while noting that any given signatory’s degree of concern may vary item by item. Also, the absence of a given matter from this letter is not meant to suggest it is not also a concern.

We are grateful for the service to informed public debate and public education provided, since Bill C-51 was tabled, by two highly respected law professors — Craig Forcese of the University of Ottawa and Kent Roach of the University of Toronto — who, combined, have great expertise in national security law at the intersection of constitutional law, criminal law, international law and other sub-disciplines. What follows — and we limit ourselves to five points — owes much to the background papers they have penned, as well as to insights from editorials in the media and speeches in the House of Commons. [Source] SEE ALSO: [Bill C-51 defies key rulings on security certificates, lawyers say Anti-terrorism bill muddies waters on disclosure rules for non-citizens] [Conrad Black: Alarm bells must ring in response to the government’s new anti-terror bill] [From opposition to retreat: Tom Mulcair and Bill C-51 ] [Conservatives extend anti-terror bill hearings after opposition filibuster] [Conservatives agree to more scrutiny of anti-terror bill after NDP filibuster][Bill C-51 threatens to sacrifice liberty for security] [National Post View: Why are the Tories determined to rush C-51 through committee?] [C-51: Conservatives demand limit on anti-terror bill expert testimony] [Fighting the evil within: The case for and against the Anti-Terrorism Act]

CA – CSE Monitors Millions of Canadian Emails to Government

CSE, under its mandate to protect federal government computer networks, vacuums up emails sent to and from the government and monitors website traffic, looking for malware and intrusions. Canada’s electronic spy agency watched visits to government websites and collected about 400,000 emails to the government every day, storing some of the data for years, according to the 2010 document. Today’s volume is likely much higher given online traffic growth. Common online activities involving the government include Canadians filing their taxes, writing to members of Parliament and applying for passports. The program to protect government servers from hackers, criminals and enemy states is raising questions about the breadth of the collection, the length of retention and how the information could be shared with police and spy partners in other countries. Public Safety Minister Steven Blaney may have a fight or, at least, a filibuster on his hands at the House public safety committee, which is slated to start reviewing the government’s proposed anti-terror legislation this week. A New Democrat-driven filibuster could delay the bill. [Critics question how long data is stored and what it’s used for ]

CA – Leaked Files Show Canadian Spy Agency Struggling With Flood Of Data.

Edward Snowden leaked documents to the CBC that reveal the massive amount of data Canada’s spy agency collects every day. CBC revealed the Communications Security Establishment in 2010 documents wanted a better computer system to deal with the 400,000 emails it collects every day. The emails are captured in a file format known as PCAP, which allows a government network administrator to record internet traffic in its entirety. The leaked files say the CSE is storing people’s messages on their servers for “days or months.” In one slide, a CSE employee says their servers can store up to 10 terabytes of emails a day — the equivalent of 2,128 DVDs. [Source]

CA – Spy Agency’s Review Group Can’t Perform ‘Oversight’ Role

During three days of lively debate in the Commons over the controversial anti-terror Bill C-51, Public Safety Minister Steven Blaney, Justice Minister Peter MacKay and other Conservative MPs have repeatedly characterized the Security Intelligence Review Committee (SIRC) as providing oversight of… the Canadian Security Intelligence Service (CSIS). Prime Minister Stephen Harper has done the same. Yet SIRC has no such mandate. “We review CSIS. We look at past activities,” to ensure they are lawful, appropriate and effective, SIRC’s Lindsay Jackson said. Recently the terms ‘oversight’ and ‘review’ have become almost interchangeable but they do actually mean separate things. Direct oversight implies a certain amount of involvement in the active political decision-making or the operational decision-making, and we are not involved in the operational decision-making,” at CSIS. [Source]

CA – Fed. P. Commish Urges Caution Over Sex Offender Registry

There is research that supports the view that laws that reduce the privacy of sex offenders makes rehabilitation and reintegration more difficult. Ultimately, this could increase the rate of recidivism. A publicly accessible database also creates a risk of vigilantism, as recognized on provincial dangerous offender websites such as the one in place in Alberta, and increases the risk that fears of being attacked or harassed will drive offenders underground. There is evidence that similar databases in the United States have led to the killing of sex offenders released in the community. [Appearance before the House of Commons Standing Committee on Justice and Human Rights (JUST) on Bill C-26, the Tougher Penalties for Child Predators Act ]

CA – Privacy Commissioners Issue Guidelines for Police on Body-Worn Cameras

Federal, provincial and territorial privacy and personal information protection Ombudspersons and Commissioners issued guidance on law enforcement and the use of body-worn cameras. The guidance notes that a Privacy Impact Assessment, which can help identify and mitigate the potential risks to privacy and personal information, is a highly recommended best practice before launching a body-worn camera program. As well, law enforcement agencies can consult with data protection experts and undertake a pilot project before deploying the cameras broadly. The privacy commissioners’ guidelines point to many concerns, including whether recordings will be made in private homes, if citizens will be informed they are being captured on video, and whether police forces will adequately protect private information caught on camera. Among their recommendations are that recordings be protected by safeguards, such as encryption and strict retention periods. They also suggest rules aimed at minimizing the recording of innocent citizens and innocuous interactions with the public [Press Release] [Source] [Guidance for the use of body-worn cameras by law enforcement authorities] [A new plan out of Ottawa would boost information-sharing between Canadian immigration and border enforcement officials, Employment Canada, Revenue Canada, the RCMP and provinces [The Toronto Star].

CA – Digital Privacy Act, Committee Hears from Federal Privacy Commissioner

Commissioner Therrien told the committee most people — and especially children and recent immigrants — aren’t always able to understand the language used in statements of terms and conditions. That has given rise to questions about whether such “vulnerable people” — as they were referred to by the committee — can legally give consent to the collection of their information. “(S-4) has a potential of improving the definition of consent from children,” he said, noting his office has had to deal with privacy complaints involving children before and recommendations have been made to businesses to use plainer language in the service agreements. “To have this clearly in legislation, that you must think about your clientele, would be useful.” [Source] A new plan out of Ottawa would boost information-sharing between Canadian immigration and border enforcement officials, Employment Canada, Revenue Canada, the RCMP and provinces, [The Toronto Star].

CA – B.C. Should ‘Aggressively Pursue’ Body-Worn Cameras for Police

“Members concluded by strongly supporting the use of body-worn cameras in B.C., and calling on government in the consultation with police and non-police stakeholders to aggressively pursue the steps necessary to implement the use of body-worn cameras by B.C. police members,” the report reads. [Metro News]

Consumer

US – Consumer Awareness of AdChoices Up, Concerns About Targeted Ads

A new study conducted by Ipsos on behalf of TRUSTe has found that 68% of smartphone users are concerned about being served targeted ads, but consumer awareness of the AdChoices program is up 16% from last year. “Our research shows that the majority of Americans are still uneasy about having their online activity tracked for use in targeted ads, mainly because they feel like they have limited control,” said TRUSTe CEO Chris Babel. “The good news is that awareness of the AdChoices icon … has risen substantially and continues to have the potential for positive impact on consumer attitudes.” [Full Story]

US – DAA Launches Two Privacy Control Tools for Consumers

The Digital Advertising Alliance (DAA) has launched two new tools to help consumers locate and opt out of behavioral advertising. “AppChoices” and “DAA Consumer Choice Page for Mobile Web“ intend to increase transparency and choice for online users. The DAA is offering AppChoices on Google Play, the Apple App Store and the Amazon Store. “Our new mobile choice tools deliver the same reliable, independently enforced, privacy-control experience where consumers and brands engage, both across the Internet and on the go,” said DAA Executive Director Lou Mastria. [Source]

E-Mail

WW – How Would Your Company Rate for Email Security?

The best industry for email security? Social media. The worst? Healthcare. Such are the findings of a survey conducted by Agari, which assessed the security of 147 businesses’ email communications, judging them on how they employ the three major email security protocols: Sender Policy Framework, DomainKeys Identified Mail and Domain-based Message Authentication, Reporting and Conformance. As many of the world’s largest data breaches were reportedly the result of a targeted phishing attack, email security is becoming an important front line in the cybersecurity battle. [Fortune]

CA – CRTC Levies 1.1M Spam Fine

nNovation Partner Shaun Brown discusses the Canadian Radio-television and Telecommunications Commission announcement of its first Notice of Violation under Canada’s Anti-Spam Legislation, including a $1.1 million penalty.

Encryption

UK – Alleged Cyber Criminal Will Not Give Up Encryption Keys

A British man accused of breaching systems at NASA, the FBI, and the US Federal Reserve is refusing to surrender cryptographic keys that would allow authorities in the UK to access devices seized after his October 2013 arrest. Lauri Love is facing charges in three federal districts in the US. He is planning to petition a UK court to compel the National Crime Agency (NCA) to return the computers and data storage devices. [Ars Technica] [BBC]

WW – New Level of Encryption Boosts Browsing Privacy

CloudFlare is deploying a new level of encryption to improve the security, privacy and speed of its websites. ChaCha20-Poly1305, as it’s called, was formerly used only by Google, but all CloudFlare websites now support the new algorithm, the report states. At the moment, about 10% of CloudFlare HTTPS website connections are using it. The algorithm also protects TLS against cyber-attackers inserting fake messages into secure streams. [ZDNet]

EU Developments

EU – Italian DPA to Audit Google on U.S. Soil

Google will be the subject of regular checks by the Italian Data Protection Authority (DPA) to monitor the status of its actions to bring its platform into line with domestic legislation. Italy’s DPA approved the verification protocol referred to in its order of July 2014 to Mountain View. The protocol envisages quarterly updates on progress status and empowers the DPA to carry out on-the-spot checks at Google’s U.S. headquarters to verify whether the measures being implemented are in compliance with Italian law. Is allowing a DPA onto foreign soil for spot checks a sovereignty issue? Without commenting on the Google case specifically, Hunton & Williams’ Lisa Sotto wondered “how welcome the FTC would be if the commission sought to audit Banca d’Italia in Rome. Of course, companies can voluntarily agree to DPA visits, but there certainly would be significant and complex jurisdictional questions should a foreign DPA seek to compel an audit in another country without the agreement of the company.” [Full Story]

EU – Report: Facebook Privacy Policy Still Violates EU Law

A report from the Belgian Privacy Commission says Facebook is acting in violation of European law, despite updating its privacy policy. The study, which was conducted by the Centre of Interdisciplinary Law and ICT at the University of Leuven in Belgium, found Facebook’s privacy policy update last month “only expanded older policy and practices” and still violates EU consumer protection law. The authors said Facebook’s policies on profiling for third-party advertising don’t meet the requirements for legally valid consent and the social network “fails to offer adequate control mechanisms” for the use of user-generated content for commercial purposes. [The Guardian] [WSJ: The Sharpest Jabs From the Facebook Privacy Report] The 61-page “critical analysis” of Facebook’s revised policies says the social network fools its users into thinking they have more control over data and privacy than they actually do. Facebook says it has made its rules clearer and that it is confident it complies with all laws.

UK – ICO Fines Travel Insurance Company Over Breach

The UK Information Commissioner’s Office (ICO) has fined travel insurance company Staysure GBP 175,000 (US $270,000) for lax website security that resulted in 100,000 payment cards being compromised. Of those, about 5,000 were used fraudulently. The breach occurred in October 2013. The ICO’s ensuing investigation focused on Staysure’s lack of effective IT update policies in place at the time. Staysure says it has improved its security posture. [v3.co.uk]

EU – New EU Privacy Rules to Allow Challenges to Irish Regulator

Under a “one-stop-shop” mechanism initially proposed in reforms of EU data protection laws, businesses operating across the 28-nation bloc would only have had to deal with the data protection authority in the country where they are headquartered or have their main European base – even if the alleged mishandling of data affects citizens in another country. But opposition from some member states that do not want their national regulators to lose policing powers over multinationals such as Google, with an Irish base, led to the proposal being altered so that any “concerned” authority could object to a decision. …A majority of member states agreed to scrap an option requiring at least a third of concerned authorities to object, diplomats said, potentially giving a single “concerned” authority the right to complain. [Source]

EU – Regulation May Be Moving Away from One-Stop-Shop Mechanism

“Ireland will not retain sole control over privacy disputes involving companies such as Facebook and Apple under new rules agreed allowing any of its European peers to challenge Irish rulings.” Had a proposed one-stop-shop mechanism been approved, businesses operating in the EU would only have dealt with the regulator where they have they primary European base. But, according to anonymous sources, member states that did not want their regulators to lose policing powers over multinationals pushed for a change allowing any concerned authority to object to a decision, triggering the intervention of the still-to-come European Data Protection Board, the report states. Ministers still have to sign off on Wednesday’s decision when they meet next month. General Data Protection Regulation may be moving away from a one-stop-shop mechanism]

US – U.S. Companies Better Work Harder at Data Protection

European Commissioner for Digital Economy and Society Günther Oettinger said the EU should create a single law to protect its citizens’ data from Facebook and Google. “Americans are in the lead. They have the data, the business models and the power,” Oettinger said. “They come along with their electronic vacuum cleaner and suck up all the data, take it back to California, process it and sell it as a service for money,” Oettinger said. He warned tech giants must do more to comply with the EU’s strict data protection rules or face being “thrown out of the single market.” [USA Today]

UK – First Data the First With Double BCRs Through ICO

U.S.-based First Data began its effort to win approval for its binding corporate rules (BCRs) in 2007, back when the process was young and still evolving. This month, the UK Information Commissioner’s Office (ICO) officially recognized the multinational payment solutions company’s BCRs for data processors. Now able to boast that it’s been approved for both processors and controllers, First Data is also the first company to have done so under the purview of the ICO. [Full Story]

EU – The European Union and State Secrets:

Many LIBE members have considered this statement quite appalling because it allowed the US authorities to be the arbiters of whether or not the Ombudsman may exercise her statutory, democratic power to inspect the document at issue in conformity with EU law. It is worth recalling that art. 3 par. 2 of the Ombusdman statute states that: “The Community institutions and bodies shall be obliged to supply the Ombudsman with any information he has requested from them and give him access to the files concerned. Access to classified information or documents, in particular to sensitive documents within the meaning of Article 9 of Regulation (EC) No 1049/2001, shall be subject to compliance with the rules on security of the Community institution or body concerned.” [Source] IT World: Citing “leaked documents,” civil liberties groups are warning that the EU’s proposed data protection reform is “badly broken.”

Facts & Stats

US – Breach Detection Time is Decreasing

According to FireEye, the time it takes for breaches to be detected is dropping. The median time for breach detection was 205 days in 2014, down from 229 days in 2013 and 243 days in 2012. Less than one-third of breaches were detected by the organizations themselves. The FBI has been notifying companies of activity suggesting that their systems have been compromised. [eWeek]

WW – Cyber Attack Risk Requires $1 Billion Insurance Coverage, Per Company

Companies will need as much as $1bn in cyber insurance coverage as the costs of hacking attacks mount, but some businesses are struggling to secure even a tenth of that. US retailer Target said in November that the price tag for the data breach that affected up to 110m of its customers had reached $248m. [FT.com]

Filtering

US – Reddit Privacy Policy Bans Involuntary Pornography

Reddit has announced new changes to its privacy policy to help curb so-called revenge porn posts. Moving forward, the posting of images or videos of individuals “in a state of nudity or engaged in any act of sexual conduct” will require prior consent from the individuals in the images. “We also recognize that violent personalized images are a form of harassment that we do not tolerate, and we will remove them when notified,” team Reddit wrote. Meanwhile, Craig Brittain, whose revenge porn website was ordered shut down by the U.S. Federal Trade Commission (FTC), is demanding that Google remove search links and any of his “identity-related information” tied to news accounts of the FTC’s actions. [The Washington Post]

Finance

US – TurboTax Blocks Filing of State Returns Not Linked to Federal Returns

TurboTax maker Intuit attributes the recent spike in fraudulent electronic state tax returns to the US Internal Revenue Service’s (IRS’s) improved detection of fraudulent returns at the federal level. TurboTax suspended state tax filings earlier in February because of the high number of reports of fraud; some states have seen a rise in fraudulent tax returns of 3,700 percent. While the IRS has been sharing information about fraudulent returns with state revenue departments, in all but four states, residents may file “unlinked” state returns, meaning they may file a state return without filing a federal return at the same time. TurboTax now blocks users from filing unlinked returns with its software. [Krebs]

FOI

WW – Citizenfour Wins Oscar for Best Documentary

A film on Edward Snowden’s efforts to disclose NSA spy programs won an Academy Award last night for Best Documentary. Laura Poitras was present with a camera when Snowden first met investigative journalist Glenn Greenwald and others and documented the tense days leading up to the release to the media of NSA programs such as PRISM and Snowden’s attempts to find asylum. Poitras, together with Greenwald, Mathilde Bonnefoy, Dirk Wilutzky and Laura Mills—Snowden’s girlfriend—accepted the award Sunday night. Snowden released a statement congratulating Poitras for the win. [Full Story]

Genetics

US – Police Generate Facial Characteristics from Crime Scene DNA

Technology allows crime scene investigators to generate digital facial sketches of suspects from crime scene DNA. Investigators in South Carolina released the digital sketch last month, and according to the report, “It may be the first time a suspect’s face has been put before the public in this way, but it will not be the last.” Additionally, future projects aim to match faces generated from DNA to mug shots in databases. “This is another of these areas where the technology is ahead of the popular debate and discussion,” said New York University Prof. Erin Murphy. [The New York Times]

US – 23andMe Names Kate Black as CPO

Personal genetics company 23andMe has appointed IAPP member Kate Black its privacy officer and corporate counsel. Prior to joining 23andMe, Black worked for the Office of the National Coordinator for Health Information Technology at the Department of Health and Human Services, and she’s served as health privacy counsel for the Center for Democracy & Technology. “The potential impact that 23andMe can have on both individual health and the entire healthcare industry is profound,” Black said. “In appropriately leveraging the 23andMe database, we can significantly advance healthcare delivery, but we will not succeed unless we approach it with the utmost concern about protecting customer privacy and building customer trust.” [Source]

Health / Medical

CA – Patients Can Sue Hospitals for Invasion of Privacy, Appeal Court Rules

The ruling upheld an earlier decision that said the province’s health privacy laws do not bar patients from seeking legal action against hospitals if their privacy is breached. This week’s ruling could have sweeping implications for the province’s 155 hospitals as it has given the green light to a multimillion-dollar privacy class action launched against Peterborough Regional Health Centre. [Source]

US – Study Finds Many Health-Related Searches Are Being Tracked

According to the Pew Internet Project, 72% of U.S. Internet users look up health-related information online, but “an astonishing number of the pages we visit to learn about private health concerns-confidentially, we assume-are tracking our queries.” In 2014, a researcher at the University of Pennsylvania created software to analyze the top 50 search results for nearly 2,000 common diseases and found 91% of the pages were “passing your request for information about the disease along to one or more (and often many, many more) other corporations.” About 70% of the time, data transmitted “contained information exposing specific conditions, treatments and diseases,” the report states. [Motherboard] [Study questions claims that browsing data is anonymous] [How 9/10 Healthcare Pages Leak Private Data]

US – Medical Identity Theft on the Rise

According to a study from the Ponemon Institute, medical identity theft increased by 22% in 2014. An estimated 2.3 million adults in the US and their close family members have had their medical information stolen. The study does not include data from the Anthem breach, which was only recently disclosed. [NBC News]

US – In LabMD FTC Trial, Judge Allows Some Congressional Evidence

The latest developments in the FTC data security case against LabMD include an administrative judge ruling that allows consideration of two letters from the U.S. House Committee on Oversight and Government Reform . Both letters were sent to FTC Chairwoman Edith Ramirez, and in one, findings from a congressional investigation raise questions about the role security firm Tiversa played in the case. LabMD’s position is that Tiversa caused the breach so that it could charge LabMD to repair the damage. Tiversa CEO Robert Boback said, “Frankly, the trial is between FTC and LabMD and should not even include Tiversa,” adding, “In my opinion, LabMD and/or its counsel has gone to great lengths to try to drag Tiversa into this while impugning our character and reputation.” The FTC administrative hearing is set for March 3. [Healthcare Info Security]

US – Despite Significant Breaches, Subsequent Fines Are Few

While regulators say they’re cracking down on insurers, hospitals and doctors’ offices that don’t adequately protect the security and privacy of medical records, the data on enforcement tells a different story. Since October 2009, healthcare organizations have reported more than 1,140 large breaches affecting more than 41 million people to the Office for Civil Rights (OCR). In addition, 120,000 smaller breaches have been reported. The OCR has the authority to fine organizations up to $1.5 million per violation, but some say the agency isn’t flexing its muscles enough. It took the OCR five years, for example, to fine Parkview Health System $800,000 for its breach. Adam Greene, a former OCR official, said the office is “overwhelmed.” [ProPublica]

Horror Stories

US – Target Breach Cost $162 Million; Sony Fights for Coverage

Target has announced the total cost of the massive data breach that hit its systems late in 2013 has reached $162 million. Target said the number would have been higher if it did not have cyber-insurance coverage. In separate news, Sony has asked a New York state appeals court to reverse a “landmark” ruling that freed several insurance companies from covering the Sony PlayStation breach from 2011. [v3.co.uk]

WW – Gemalto Admits Breach, Says SIM-card Encryption Keys Not Stolen

SIM-card maker Gemalto says that it appears that US and UK intelligence agencies did breach its systems, but denies that the cards’ encryption keys were stolen. Gemalto says that after looking at the information released in the document, it is likely that two attacks that occurred in 2010 and 2011 were the work of the intelligence agencies. Gemalto says those attacks penetrated only portions of its networks that do not contain cryptographic keys information. [WIRED] [BBC]

US – Gemalto Shares Findings of NSA, GCHQ Hacking Investigation

Following recent news that the U.S. NSA and the UK Government Communications Headquarters (GCHQ) infiltrated and stole the encryption keys of the world’s largest SIM card manufacturer, Gemalto has released its findings of the incident. According to a Gemalto press release, the company has “reasonable grounds to believe that an operation by NSA and GCHQ probably happened,” but the hack was limited to office networks “and could not have resulted in a massive theft of SIM encryption keys.” Additionally, “intelligence services would only be able to spy on communications on second generation 2G mobile networks” and that 3G and 4G networks “are not vulnerable to this type of attack.” [Full Story]

US – LinkedIn Settles Password Security Class-Action

LinkedIn has settled a class-action lawsuit alleging it falsely assured 800,000 users who paid for its premium service that it had strong security measures to protect their personal information. In June 2012, a file containing 6.5 million encoded LinkedIn user passwords was posted on a Russian hacker site, and because the passwords were protected with a weak form of security, hackers could easily decode them. While there was no indication the breach affected the LinkedIn users who were paying a subscription fee for extra services, the users said the company deceived them about its level of Internet security, the report states. The settlement fund is for $1.25 million. [The New York Times]

US – Judge May Side With Hulu in VPPA Case

In a potentially precedent-setting case , U.S. Magistrate Judge Laurel Beeler said at a hearing that she will likely side with online streaming service Hulu in a case that claims the company violated the Video Privacy Protection Act (VPPA). Referencing the case involving Judge Robert Bork’s video rental history following his Supreme Court nomination, Beeler said, “It just doesn’t feel like the Bork transmission of personal information.” Plaintiff counsel Scott Kamber countered by saying, “We believe strongly that if this case does not show knowledge in the situation, that one cannot make a reasonable inference of knowledge from documents presented to the court there can never be a VPPA violation in the realm of the Internet … That may sound bombastic, but I think there is clearly a Judge Bork disclosure here.” [Courthouse News Service] [History][US Courts Continue To Find That Unique Device Identifiers Are Not Personally Identifiable Information (PII) Under The Video Privacy Protection Act (VPPA)  ]

WW – Lenovo Under Fire for Default Adware Installation

Security researchers uncovered software preinstalled on Lenovo computers that injects advertising into websites on browsers and installs a self-generated root certificate that essentially acts as a man-in-the-middle attack to create ads on encrypted HTTPS websites. An array of information security experts see the Superfish adware as “a weakness that hackers could potentially use to steal sensitive data like banking credentials or just observe your web surfing activities.” The Superfish software has been shipping on Lenovo computers since mid-2014 and by January of this year, Lenovo said it was removing Superfish due to unspecified “issues.” A Lenovo representative said the company is “thoroughly investigating all and any new concerns raised regarding Superfish.” [PC World]

WW – Lenovo Laptops Shipped with Adware and Persistent Vulnerability

Lenovo has been shipping laptops loaded with Superfish, adware designed to steal Internet traffic. Superfish is designed to “help users find and discover products visually.” It also injects ads into web pages. Superfish hijacks encrypted web sessions, and could easily be misused to conduct man-in-the-middle attacks. Lenovo has stopped including Superfish on its new machines. [Ars Technica] [Forbes] [ZDNet] [BBC] [The Register] [Lenovo]

WW — Lenovo Releases Superfish Removal Tool

Lenovo has released a tool that removes the malicious adware known as Superfish that cane pre-installed on some of its laptops. Lenovo also says it is working with McAfee and Microsoft to automatically quarantine or remove Superfish and the certificate from computers of users who do not know about the issue. McAfee and Microsoft products come factory installed on Lenovo devices; the security community has been calling on Lenovo and others to stop the practice of adding “bloatware.” [ComputerWorld] [v3.co.uk]

WW – Fallout from Lenovo Adware Installation Continues

The security community remains up in arms about Lenovo’s decision to install Superfish software—essentially undermining HTTPS encryption without the user knowing—into a commercial line of its computers. In a column for Slate, David Auerbach railed against the company, saying it “betrayed its customers and sold out their security.” Security researcher Marc Rogers said the move is “quite possibly the single worst thing I have seen a manufacturer do to its customer base.” In a blog post, Center for Democracy & Technology’s Justin Brookman wrote , “The law is far from settled, but I believe that absent very clear disclosure to users, breaking encryption likely violates—at the very least—consumer protection law that prohibits deceptive and unfair business practices.” [Full Story]

WW – Mozilla Updates Firefox to Remove Superfish Certificate

A Firefox update released on Friday, February 27, scrubs the Superfish self-signed certificate from the browser. Mozilla released the hotfix to detect whether Superfish has been removed from browsers; if it has been removed, the certificate is removed as well. If Superfish is still installed, the certificate is left in place, as removing it would prevent users from accessing HTTPS websites. [ComputerWorld]

US – Revenge Porn “King” Gets Jail Sentence

Prof. Danielle Citron reports on the latest in the trial against so-called revenge porn “king” Hunter Moore and how he will face jail time for his role illicitly obtaining and posting nude photos of women without their consent. On Wednesday, Moore entered into a plea agreement with the U.S. Attorney’s Office of the Central District of California, which includes aiding and abetting hacking and aggravated identity theft. “Unless he backs out of his guilty plea,” Citron notes, “Moore is going to serve jail time.” He is next expected in court on February 25, while his co-defendant is set to go to trial in March. [Forbes]

US – Uber Reports Breach Affecting 50,000 Drivers

Uber has reported it discovered one of its databases had a point-of-entry for unauthorized users. A “one-time unauthorized access to an Uber database by a third party” occurred on May 13, 2014, the company said in a statement last week. The database contained driver names and license numbers. The breach impacted approximately 50,000 drivers across multiple states, according to Uber’s managing counsel of data privacy, who added Uber hasn’t received any reports of identity theft. The company is alerting affected drivers and offering them one year of identity monitoring and has filed a “John Doe” lawsuit in an effort to reveal the responsible party. [Ars Technica] [ZDNet] [ComputerWorld] [SC Magazine] [Uber Statement]

US – Police Pay Ransomware Demand in Bitcoins

A suburban Chicago police department paid US $500 in bitcoins to cyber criminals who locked up the department’s computer system with ransomware. Last month, someone in the department opened an email containing Cryptoware malware. [Ars Technica]

EU – Dutch Semi-Conductor Company Admits Breach

Dutch computer chip company ASML has acknowledged that its systems were breached. According to a statement, ASML detected the breach shortly after it occurred. [The Register] [Dutch News]

US – Anthem Says Database Breach Affected 78.8 Million Records

Anthem now says that the breach of its database affected 78.8 million records. Of those, 14 million are incomplete, meaning they lack sufficient information to link them to members. [ComputerWorld] [Numbers broken down by state based on information available]

US – Anthem Breach Affected Some Non-Anthem Customers

The Anthem data security breach reportedly affected some US federal employees who were not Anthem customers. Anthem has not said how many federal employees were affected by the breach. [NextGov]

US – FBI is Close to Identifying Anthem Attack Culprit

The FBI says that it is “close” to identifying the parties responsible for the Anthem breach, but will not disclose the information until it is “absolutely sure.” [ZDNet] [Bloomberg] [The Hill]

US – National Archives Breached

Meanwhile, law enforcement is investigating a potential intrusion into the National Archives. According to The Hill , “A data breach at the National Archives could endanger the personal information of former high-ranking administration officials and family members of former presidents.”

Identity Issues

WW – El Emam Disputes the Shopping Mall Re-identification Study

Science magazine recently dedicated an entire issue to the alleged “death of privacy” and included a study on the re-identification of shoppers who made credit card purchases. One of the study’s key conclusions is that by using only four transactions, 90% of the 1.1 million individuals studied could be re-identified. “This conclusion has then been repeated uncritically by the science and general media communities,” writes Privacy Analytics CEO Khaled El Emam. In this post for Privacy Tech, El Emam critiques the researchers’ conclusions to make the case for a responsible data sharing future. [Full Story]

UK – Scottish Plans for Central Identity Database Spark Privacy Criticism

Campaigners alarmed after ministers quietly publish plans they say echo doomed ID card scheme. Critics claim the plans for the wholesale use in Scotland of the unique citizen reference number (UCRN) were extremely similar to the national ID card proposals by the UK Labour government, which were dropped on privacy and civil rights grounds after the coalition took office in 2010. … The Scottish Council for Voluntary Organisations (SCVO), the umbrella group for Scotland’s charities, said it would be pressing the first minister, Nicola Sturgeon, to abandon the proposals. It raised the very real risk of a massive data breach if an official lost a laptop or a database was hacked, undermining trust in public services, said Ruchir Shah, SCVO’s head of policy and research. [Source]

Internet / WWW

WW – New CAPTCHA Alternative Could Hurt User Privacy

A new alternative to CAPTCHAs, an anti-SPAM log-in to prove a user is not a robot, may collect personal information from its users. In December, Google launched the “No Captcha ReCAPTCHA” to verify a human user by analyzing behavior of the mouse’s movement and the way a user types. Device recognition company AdTruth, however, claims it has evidence the new service collects more information than mouse coordinates and has the potential to share user behavior with advertisers. According to the report, the new program collects personally identifiable information. [Business Insider]

Location

US – Company Using Drones to Track Cell Location for Ads

One company is flying small drones over the San Fernando Valley in Los Angeles, CA, in order to determine cell-phone locations for targeted advertising. The small, unmanned aerial vehicles apparently are determining cell-phone location by “WiFi and cellular transmission signals.” The move is part of an experiment by Singapore-based location-marketing firm Adnear. Smriti Kataria, Adnear’s director of marketing and research, said the devices do not collect conversations or personally identifiable information but rather use cell-phone triangulation and signal strength to determine location. According to the report, “A mobile user needs to have an app open that is transmitting via cellular or WiFi for this mapping to occur.” [VentureBeat]

US – First Lady’s Location Leaked Via Instagram Feed

First Lady Michelle Obama’s Instagram feed is leaking details about her location or that of her staff. The account’s manager has opted into also sharing their location, and that data can reveal details right down to the building “where someone was located when they uploaded a picture to the service.” A picture of a Christmas tree coming into the White House was posted from outside of Allentown, PA, for example. “Politicians’ locations when they post Instagram pictures became an item of interest after the Press this week found that Rep. Aaron Schock (R-IL) was using taxpayer and campaign money to fly on private jets by examining the locations leaked through his Instagram account,” the report states. [The Hill]

US – How Journalists Use Time, Location in Public Posts to Get Stories

Investigative journalism publications use public posts on Instagram to find leads for stories. In one such story, a reporter wrote about a weekend getaway attended by new House Financial Services Committee Chairman Jeb Hensarling (R-TX) and banking industry officials. The reporter found out who was attending the getaway by using one banking lobbyist’s public Instagram post and looking at the time and location. Though Instagram has no search function, it does have an application programming interface with a “Media Search” endpoint “that returns data both by timeframe and distance from a certain latitude and longitude,” the report states. [ProPublica]

Offshore

HK – Hong Kong Puts Restrictions on Cross-Border Transfers

Taking a step closer to following the EU restrictions on oversees data transfers, the Hong Kong Privacy Commissioner for Personal Data recently issued “Guidance on Personal Data Protection in Cross-border Data Transfer.” While the guidance doesn’t impose any new limitations or obligations on personal data transfers out of Hong Kong, it appears to be a harbinger of transfer restrictions coming into force in the near future, report Dana Post and Victoria White in this exclusive for The Privacy Advisor. [Full Story]

BR – Draft Bill for a Personal Data Protection Law

The Ministry of Justice of Brazil recently opened two public consultations, one on the Marco Civil da Internet and the other on the Draft Bill for a Personal Data Protection Law (APL). Gustavo Artese offers an outline of the draft APL presented, saying, “much of the protection regime foreseen by the APL has been inspired by … the EU proposed regulation.” Similarities occur specifically in its definition of personally identifiable information, the rights of data subjects and the principles of data processing. Uncertainties remain, however, “as to whether a supervisory authority will be created.” [Full Story]

Online Privacy

WW – Chrome Will Warn Users When They Try to Visit Sketchy Sites

Google’s Chrome browser will warn users when they try to visit sites that may harm their computers through surreptitiously changing the browser’s home page or placing certain ads on pages. The warning will appear before the domain is displayed. Google is also taking steps to minimize the presence of deceptive sites in search results. [The Register] [ComputerWorld]

US – NAI: No One Should Be Outed By Ads

While court decisions and legislation have produced significant gains for the lesbian, gay, bisexual and transgendered (LGBT) community, prejudices remain and, too often, the LGBT community is “confronted with serious discrimination,” Network Advertising Initiative (NAI) President and CEO Marc Groman, writes in this post for Privacy Perspectives . He notes the NAI’s update to its Self-Regulatory Code of Conduct in 2013 included the addition of sexual orientation as sensitive information, prohibiting NAI members from creating audience segments or interest categories for interest-based advertising “based on an individual’s status or perceived status as LGBT without obtaining opt-in consent.” Groman writes that “this practice was the right thing to do for consumer trust and privacy … This is how self-regulation is supposed to work.” [Full Story] [NAI Appoints Leigh Freund New President and CEO]

US – Can Intellectual Privacy Survive in the Digital Age?

Evan Selinger talks to Washington University Prof. Neil Richards about his new book, Intellectual Privacy: Rethinking Civil Liberties in the Digital Age. Richards says intellectual privacy “is about needing to have protections from being watched and interfered with when we’re making up our minds about the world-when we’re reading, surfing the web, talking on the phone and sending email to confidants.” Richards adds our intellectual property and, therefore, our free society are currently being threatened because “companies and the government have so much control over our intimate information that people live in a state of perpetual uncertainty and sometimes fear.” [The Christian Science Monitor]

US – Koppie Koppie Puts Your Child’s Photo Up for Sale

In a translated post for, Dimitri Tokmetzis discusses an experiment conducted with designer Yuri Veerman called Koppie Koppie. The online store sells mugs with photos of children Tokmetzis and Veerman legally collected off Flickr. They put the images on coffee mugs and then sell them in their store, Koppie Koppie. “Aren’t we violating the privacy of these children and their families by commercializing these intimate family moments?” Tokmetzis asks, adding, “We share your concern.” He describes three ways people’s privacy is being violated by their commercial venture, including the lack of user control over personal information, lack of confidentiality and lack of privacy in context. [Medium] [Koppie Koppie sells photos of your kids to prove you shouldn’t post them online]

US – Spotify Log-In Requirements Mean “Enormous” Data Insights

At a recent conference in California, Spotify’s Brian Benedik discussed the amount of data the company collects on its users. Because of its requirement that every user, paying or non-paying, sign in to use the service, the company collects an “enormous amount of data on what people are listening to, where and in what context. It really gives us an insight into what these people are doing,” Benedik said. Because users register both directly through the site and via Facebook logins, Spotify knows a lot about users’ age, gender and location, he added. [Full Story]

US – Behind the Scenes With the New DAA AppChoices Program

The Digital Advertising Alliance has announced an extension of its AdChoices program beyond the desktop. AppChoices, an app consumers can download (with an attendant web page), allows consumers, for example, to choose not to allow advertisers to target them based on their location on mobile devices like phones and tablets. Now, why would a company like xAd, whose very business model involves targeting consumers by location, want to participate in such a program? [FPrivacy Advisor]

US – Case Against Pandora’s Facebook Integration Could Go to Highest Court

Michigan resident Peter Deacon is appealing a 2012 ruling issued by U.S. District Court Judge Saundra Brown Armstrong dismissing his potential class-action lawsuit against Pandora. In 2011, Deacon alleged Pandora’s integration with Facebook violated Michigan’s Video Rental Privacy Act, which prohibits companies that rent, lend or sell music from disclosing customers’ identities without their consent. A lawyer for Deacon told an appeals court this week that the pro-Pandora decision “guts the protections” lawmakers intended for consumers. Some of the judges’ questions in court suggest the matter could be sent to the Michigan Supreme Court, the report states. [MediaPost ]

Other Jurisdictions

Privacy (US)

US – White House Releases Draft of Consumer Privacy Bill

Companies are also required to take “reasonable steps” to mitigate privacy risks and make them clear to users, and the FTC will need to establish rules for privacy reviews. If a company violates the terms of the act, it’s subject to lawsuits from the FTC, users, and state attorneys general. The bill creates exemptions for small operators, including people who process data for 10,000 or fewer people a year or have no more than five employees, which the White House says can ease the burden for small businesses. [The Verge] [Initial Thoughts on Obama Administration’s “Privacy Bill of Rights” Proposal]

US – Court Case Could Set Precedent on Breach Coverage

An upcoming decision from the Connecticut Supreme Court could set a new precedent for data breach insurance coverage litigation. The case involves a dispute over the exposed sensitive personal information of 500,000 IBM employees. An appellate court had ruled to nix the coverage of more than $6 million in losses in a 2007 data breach incident. According to the report, the high court is expected to rule on what constitutes a “publication” that triggers data breach coverage with data that is compromised, effectively “reshaping” how such cases are litigated. [Law360]

US – FTC Eyes Privacy Issues in Merger Reviews

The head of the FTC Bureau of Competition has said the agency could expand its coverage of merger reviews to include privacy issues. The expansion is seen, in part, as a result of companies competing on privacy. FTC Bureau of Competition Director Deborah L. Feinstein made the remarks at a conference held by BakerHostetler. “Privacy could be a form of non-price competition important to customers,” Feinstein said. [Law360]

US – YouTube Kids Could Raise COPPA Questions;

Google has announced the much-anticipated release of a child-friendly YouTube service, YouTube Kids, reports. “The app will no doubt be analyzed for its safety, and-as with any issue regarding children and the Internet-it calls up issues of compliance with the Children’s Online Privacy Protection Act,” the report states. [Inside Counsel]

US – Plaintiffs Appeal Nick.com Decision

Representatives of a group of young children are appealing a judge’s decision to dismiss a lawsuit accusing Google and Viacom of violating a federal video privacy law. The suit “centers on allegations that Viacom allows Google to set tracking cookies on the kids’ site Nick.com,” the report states.

US – Clapper v. Amnesty International’s Impact on the Harm Threshold

“Amid the storm of cybersecurity incidents in the last year, plaintiffs still face an uphill battle convincing courts that they suffered actual-and not hypothetical-harm from data breaches,” Cheryl Howard and Dana Post write. “In several recent decisions, however, courts have found that plaintiffs alleging future harm had adequately pleaded Article III standing, giving renewed vigor to data breach cases.” Howard and Post consider the Supreme Court’s 2013 ruling in Clapper v. Amnesty International—that Article III standing requires threatened injury must “be certainly impending to constitute an injury in fact”-and the case’s implications. [Full Story]

US – CDT Launches Breach Notification Multi-Stakeholder Effort

CDT has announced it is launching a multi-stakeholder effort to find innovative solutions to data breach issues. The Common Ground Data Breach Forum will first meet on March 17 and brings together leaders from the CDT’s Internet Privacy Working Group and the Digital Privacy & Security Working Group. The announcement comes a week after the CDT and law firm Jones Day brought together representatives from government, industry and nonprofit organizations. [Full Story]

US – Judges, FTC Commissioners to Discuss Section 5 Use

BakerHostetler will host current and former commissioners from the FTC and decision-makers from three branches of government to discuss the FTC’s use of Section 5 in antitrust and consumer protection enforcement actions. The Section 5 Symposium will be held in Washington, DC, and will also be webcast. Symposium topics include the origins, past and present use and future parameters of Section 5 as an enforcement vehicle, and it will feature FTC Commissioners Joshua Wright and Maureen Ohlhausen. Other panelists include The Hons. Douglas Ginsburg, William Kovacic and Terry Calvani and the FTC’s Jessica Rich. [Full Story]

US – DoE Releases Model Terms of Service, Training Video

The Department of Education’s Privacy Technical Assistance Center released a “Model Terms of Service” document to assist school districts in complying with the “Requirements and Best Practices“ document the department released in February 2014. It contains, significantly, a table of definitions that “cannot or should not be included in TOS” by education technology providers. Concurrently, the department released a video for schools and districts to use on in-service days and in other training environments to educate educators about privacy issues and their responsibilities with student data. [Full Story]

US – Other Privacy News

Privacy Enhancing Technologies (PETs)

WW – Silent Circle Set for “World’s First” Privacy Ecosystem

Privacy-enhancing technology provider Silent Circle is set to unveil the “world’s first privacy ecosystem” together with new devices, software and services at the upcoming Mobile World Congress in Spain. Silent Circle has raised nearly $50 million in a funding round, noting there’s a “strong demand” to keep communications private. Cofounder and Executive Chairman Mike Janke said Silent Circle has “created an integrated suite of secure enterprise communication products that are challenging the status quo.” Silent Circle President and CEO Bill Conner said, “As the nature and volume of data breaches increase, institutional trust is eroding … In short, in a post-Sony and Gemalto world, security breaches have been made both enterprise and personal so it’s no longer an issue affecting just the boardroom.” [ZDNet]

US – CDD Says Call for Drone Multi-stakeholder Approach Misguided

Privacy advocacy group the Center for Digital Democracy (CDD) does not agree with President Barack Obama’s call for a multi-stakeholder approach for developing privacy codes of conduct for drone use. CDD Executive Director Jeffrey Chester said the multi-stakeholder approach “is practically a guarantee that either no rules will ever be written or, if they are, will favor the ubiquitous and always advancing big data-driven collection system already in place (across our devices, applications, etc.).” The National Telecommunications& Information Administration (NTIA) disagreed with Chester’s assessment. “NTIA’s multi-stakeholder meetings are open to anyone who wants to participate, and we encourage participation from a broad range of stakeholders including civil society,” an NTIA spokeswoman said. [Multichannel News]

RFID

WW – Physical Cookies Aim to Replicate Cookies, Eliminate Privacy Woes

A plastic RFID device called a “Physical Cookie” works just like online cookies, studying shoppers’ preferences and tailoring deals and messages accordingly. A mall in Finland recently offered targeted deals to shoppers who agreed to carry the “cookie.” Instead of logging users’ histories, though, Physical Cookies just looks at the time spent during mall shopping. Meanwhile, another tool called the Rately Merchant Platform “addresses privacy problems by not creating them in the first place,” Forbes reports . It allows consumers to opt in when visiting a website, tag items they’re interested in and, if they allow it, see promos based on those tags. But retailers don’t get data on the anonymized personas or see which in-browser notifications get clicked on. [Mashable]

Security

US – NIST Budget Could Reach $1.1 Billion

The National Institute of Standards and Technology (NIST) could see a boost in its annual funding if President Barack Obama’s proposed budget is passed by Congress, Capital News Service reports. NIST could stand to gain an additional $225.8 million—for funding totaling $1.1 billion—if the budget is passed. The cybersecurity portion of NIST’s budget would gain an additional $7 million. Earlier this month, Rep. Elijah Cummings (D-MD) said, “Congress and the Executive Branch must do all we can to mitigate risks at federal agencies and ensure that American consumers are protected when they provide their personal information to private companies.” [Full Story]

WW – HP’s 2015 Cyber Risk Report Says Companies Not Patching Properly

Hewlett-Packard’s 2015 Cyber Risk Report, released on February 23, found that nearly 45% of breaches could be attributed to vulnerabilities for which patches have been available for two or more years. Of those unpatched flaws, server misconfigurations topped the list. [eWeek] [SC Magazine]

US – Teen Makes $15 Device, Hacks Connected Car

A 14-year-old has built an electronic remote communications device capable of connecting to and controlling a vehicle’s internal computer network by using $15 worth of parts. A number of automotive executives expressed their surprise at a Center for Automotive Research conference last week. The teen, along with 30 others ranging from high school students to PhD candidates, were taking part in the third annual Battelle CyberAuto Challenge. Though the event happened last summer, a recent report on the security vulnerabilities of connected cars by Sen. Edward Markey (D-MA) has brought the issue back into the spotlight. Delphi Automotive Chief Technologist Andrew Brown, Jr., said the hack “was mind-blowing.” The lead scientist for the auto challenge said the event intends to keep the auto industry “on its toes.” [PCWorld]

US – NIST’s Risk Management for Replication Devices

The US National Institute of Standards and Technology (NIST) has released an internal report titled Risk Management for Replication Devices, which include copiers, printers, and scanners. Among the issues that need to be addressed are unchanged default passwords, data that are stored and transmitted without encryption, and unpatched or outdated operating systems and firmware. [GCN]

US – ‘Breakthrough’ NSA Spyware Shows Deep Grasp of Makers’ Hard Drives

‘All-powerful’ spyware on hard drives an unprecedented technique, experts say. The U.S. National Security Agency reportedly figured out how to conceal spyware in hard drives years ago, according to former operatives, who say a new Kaspersky Lab cybersecurity report analyzing the espionage operation is correct. Tom Keenan, a cybersecurity expert and fellow at the Canadian Defence and Foreign Affairs Institute, explains that malware hidden on firmware would be nearly impossible to detect. “There’s no anti-virus program, no software that can protect you from someone who’s going to attack your firmware because all those programs have to talk to the firmware, and the firmware is doing what it pleases” [CBC] [Russian Researchers Expose Breakthrough in U.S. Spying Program]

Surveillance

WW – Google: FBI’s Expanded Surveillance Plan Seriously Violates Constitution

Google is warning that the government’s quiet plan to expand the FBI’s authority to remotely access computer files is a “monumental constitutional concern.” Google submitted public comments earlier this week opposing a Justice Department proposal that would grant judges more leeway in how they can approve search warrants for electronic data, the report states. Google’s director for law enforcement and information security, Richard Salgado, said the plan “raises a number of monumental and highly complex constitutional, legal and geopolitical concerns that should be left to Congress to decide.” [National Journal]

US – TSA Rethinking Expanding Commercial Data-Mining Program

The Transportation Security Administration (TSA) is reassessing an expansion of its PreCheck program that would mine commercial data to analyze travelers. On February 7, the TSA “rescinded a December request for proposals asking vendors for solutions that would expand the PreCheck passenger screening program to collect publicly available and commercial data on potential participants,” the report states. Critics say such a process would do more than expand PreCheck, putting private companies “in charge of determining who poses a security threat to the traveling public.” The Center for Democracy & Technology’s Chris Calabrese said there’s no science indicating it’s even possible to data-mine to pick out terrorists. [Federal Times]

US – Jeb Bush Backs NSA’s Bulk Collection of Phone Data

Former Florida Governor and potential presidential candidate Jeb Bush has said he supports the U.S. NSA’s program that collects in bulk the phone metadata of U.S. citizens. “This is a hugely important program to use these technologies to keep us safe,” he said on Wednesday. “For the life of me, I don’t understand (how) the debate has gotten off track,” noting that following the program’s rules does “protect our civil liberties.” Bush’s stance on the controversial program is at odds with two other potential Republican presidential candidates, Sens. Rand Paul (R-KY) and Ted Cruz (R-TX). Bush made privacy news last week after he released a trove of unredacted emails while serving as governor from 1999 to 2007. [The Hill]

Telecom / TV

CN – China Removes Tech Companies from Approved for Government Use List

China has taken several high-profile US technology companies off its list of products approved for use by Chinese government agencies. The recently removed companies include Cisco, Apple, McAfee, and Citrix. The policy is seen as an attempt to boost Chinese use of its domestic technology, such as Huawei and ZTE. [BBC]

US – FCC Passes Net Neutrality Rules

The US FCC has passed net neutrality rules, which include reclassifying broadband as a telecommunications service; prohibiting broadband providers from throttling or speeding up connections for a fee; and prohibiting providers from making paid prioritization deals. The US Telecommunications Industry Association said to expect legal action from broadband providers. One of the demands from the Chinese government was for tech companies to surrender their encryption keys and subject their source code for inspection. [CS Monitor] [SC Magazine] [BBC]

WW – Malware Can Track Smartphones by Power Use

Researchers from Stanford University have discovered a vulnerability that would allow smartphone location tracking by how the phone’s power is used. Yan Michalevsky and a team said, “Our approach enables known route identification, real-time tracking and identification of a new route by only analyzing the phone’s power consumption.” A phone’s power usage depends on how far away it is from a base station. As a user moves, that power use changes in relation to a base station. The team’s work , the report states, demonstrates how easily privacy can be undermined and serves as “a warning that whatever steps are taken to protect personal data, there will always be ways that it can leak unexpectedly.” [MIT Technology Review]

US – ACLU Obtains Warrant Revealing FBI Knew Stingray Disrupted Devices

The US Justice Department has maintained that the secrecy surrounding stingray cell phone surveillance technology was necessary to prevent criminals from figuring out how to elude its reach. However, the American Civil Liberties Union (ACLU) recently obtained a warrant application for stingray use and found that the FBI has knows that stingrays can disrupt cellular service for all phones and mobile devices in the vicinity of the targeted device that use the same network. [WIRED] [WIRED] See also: [Senator Questions Stingray Use]

US – Advocates Hope Net Neutrality Will Be Privacy Win

The FCC made history on Thursday by classifying ISPs as public utilities. The vote was aimed at ensuring net neutrality, but the reclassification means the FCC will now have more oversight of privacy practices of ISPs, and privacy advocates say it also probably means better protections for consumers because it means ISPs “will now have to abide by a specific set of rules designed to protect the privacy of communications.” [The Washington Post]

UK – Parliament Wants Government to Classify Broadband as Utility

In a report titled Make or Break: The UK’s Digital Future, members of the UK’s House of Lords call on the government to reclassify Internet access as a public utility, ensuring that it is available to all citizens. The report also notes that the UK is lagging behind other countries with regard to high-speed Internet access, which could have a negative effect on the country’s international competitiveness. [Silicon Republic] [Ars Technica] [UK Parliament]

US Legislation

US – White House Privacy Bill Met With Criticism from All Sides

The White House released what it’s calling a “discussion draft“ of its Consumer Privacy Bill of Rights (CPBR) to “establish baseline protections for individual privacy in the commercial arena and to foster timely, flexible implementations of these protections through enforceable codes of conduct developed by diverse stakeholders.” Though the highly anticipated CPBR did receive some support, for the most part industry, lawmakers, regulators and privacy advocates all expressed concerns with the legislation. [Full Story]

US – Obama’s Personal Data Notification & Protection Act

The proposed legislation’s ultimate success likely will turn on whether both sides can reach agreement on a middle ground and recognize that neither businesses nor privacy advocates will be able to cherry-pick all of their favorite provisions from existing state laws and earlier federal proposals. The following is a brief analysis of the proposed bill’s key provisions. [Mondaq]

US – California May Limit Law Enforcement’s Warrantless Data Collection

SB 178, known as the Electronic Communications Privacy Act (or CalECPA, for short), curtails California’s law enforcement agencies ability to compel companies providing “electronic communications services” from producing “electronic communication information” without a warrant, a wiretap order, or a showing of exigent circumstances. It also limits law enforcements’ ability to conduct warrantless searches of mobile devices. [Source]

US – California Lawmakers Consider Drone Privacy Bill

Jackson has introduced SB 142, which she said would protect people from aerial invasions of privacy. “If you were to jump over your neighbor’s fence and stand in their yard recording what they had to say, that’s a trespass,” she said. “Why should it be any different with a drone?” [Legislation would apply trespass rules to the air]

US – Missouri Bill Would Keep Most Police Camera Footage from Public View

Taxpayers deserve to know how the police officers they fund behave. Yet Libla’s proposed legislation would make it prohibitively difficult for members of the public to view footage of police officers doing their job. Under Libla’s proposal, footage of serious police misconduct could be released by court order during an investigation. However, if implemented, the legislation would mean that in cases in which a victim of police abuse or misconduct is unwilling or unable to sue or press criminal charges, the relevant body camera footage would not be made public. Suing the government is an expensive and time-consuming endeavor with no guarantee of success. Many people who live paycheck to paycheck simply cannot afford a lawyer’s retainer for several thousand dollars to just get into the courtroom to ask for the video to be released. [Source]

US – Other Legislative News:

  1. Sens. Edward Markey (D-MA), Richard Blumenthal (D-CT), Sheldon Whitehouse (D-RI) and Al Franken (D-MN) have reintroduced the Data Broker Accountability and Transparency Act, which would allow consumers “to order the companies to stop using, sharing or selling data about them for marketing purposes.” [The Hill]
  2. The Christian Science Monitor’s Passcode offers an overview of new U.S. senators’ privacy stances going into the elections and how their commitment is shaping up now that they’re in office.
  3. Sen. Bob Menendez (D-NJ) and others are pushing a bill proposed last May that would “create a nationwide standard for data security and require companies to tell customers about data breaches within 60 days [The Jersey Journal]
  4. Indiana Attorney General Greg Zoeller met with the Federal Communications Commission to convince the agency to deny requests made by finance industry groups to weaken the Telephone Consumer Protection Act [WISHTV]
  5. JDSupra: drone bills in California and Florida.
  6. KFBK: a package of 10 privacy bills introduced, or soon to be, in the California legislature targeting connected cars, drones, infant DNA and more.
  7. Two bills in front of the Illinois Senate aim to put restrictions on the use of automated license-plate reader systems [The Tenther]
  8. New Hampshire’s House will vote on a student privacy bill this week that would prohibit schools from demanding access to students’ online accounts [NHPR]
  9. Oregon Attorney General Ellen Rosenblum has introduced the Oregon Student Information Protection Act, aiming to protect students’ personal and academic data while enabling innovation and research [Common Sense Media]
  10. The executive director of the ACLU of Virginia tells WDBJ about the Virginia General Assembly session that included a Stingray bill, a drone bill and a license-plate reader bill.
  11. A Virginia bill that started off requiring officials at state colleges and universities to notify parents when a student exhibits suicidal tendencies or behavior has passed with significant changes due to privacy concerns, among others. [The Daily Progress]
  12. Sen. Edward Markey (D-MA) and Rep. Peter Welch (D-VT) have proposed the Drone Aircraft Privacy and Transparency Act to protect individuals’ privacy in light of the expanded use of drones.
  13. The Arizona House approved a revised version of its “revenge porn” bill, but civil liberties advocates who sued to block the law said the changes don’t allay their concerns about the legislation. [Arizona Daily Star]
  14. The Arkansas House has passed a bill that would require employees of organizations that serve youth to “friend” their employers [The Huffington Post]
  15. California Sen. Mark Leno (D-San Francisco) introduced SB 576 that would require vendors to explain to consumers their location information practices upon installing a new app. [THE Journal]
  16. The Colorado Senate Education Committee unanimously approved a bill preventing the sharing or selling of personally identifiably student data by software, database and app companies, but added an amendment that may complicate the disclosure requirements. [Chalkbeat]
  17. The Colorado House Judiciary Committee has delayed a vote on a drone bill over concerns of how to prevent penalizing individuals for everyday photography [Associated Press]
  18. An Iowa Senate subcommittee has voted in support of a bill that includes provisions that would block the public from accessing gun permit-holders’ names. [WQAD]
  19. Missouri Rep. Diane Franklin (R-District 123) has introduced a bill that would require childcare centers to notify parents upon request of children in their care who haven’t been vaccinated. [HealthIT Security]
  20. Michigan’s House has delayed a bill that would require mobile phone providers to disclose to police without a warrant the location of a user that is believed to be in danger of harm. [MLive]
  21. New York Assemblyman Ed Braunstein (D-Queens) has proposed legislation that would make it a felony to film patients receiving medical treatment without prior consent. [ProPublica]
  22. Rhode Island is considering restricting government use of drones. [The Tenther]
  23. Texas Sen. Craig Estes (R-Wichita Falls) filed a bill to protect individuals’ location information from warrantless search and seizure. [Mineral Wells Index]
  24. A Utah House committee has approved a bill to restrict the collection and retention of student data by Utah schools. [The Salt Lake Tribune]

+++

Advertisements
Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: