01-15 March 2015

Biometrics

US – Facial-Recognition Software Raises Privacy Concerns

New software is being implemented by Rutgers University for students taking an online course to track students’ facial identity, photo ID and browser activity. The ProctorTrack software suite records face, knuckle and personal identification details during the online courses and “keeps track of all activity in the monitor, browser, webcam and microphone” during each session. [The Daily Targum]

US – Privacy Advocates Launch Petition Against Voice-Activated Barbie

Children’s privacy advocacy organizations are trying to stop the production and release of a new voice-activated Barbie doll. The Internet-connected “Hello Barbie” can record and analyze speech and “listen and learn each girl’s preferences and then adapt to those accordingly.” The Campaign for a Commercial-Free Childhood has launched a petition to prevent the doll from hitting stores. “If I had a young child, I would be very concerned that my child’s intimate conversations with her doll were being recorded and analyzed,” said Angela Campbell, adding, “In Mattel’s demo, Barbie asks many questions that would elicit a great deal of information about a child, her interests and her family.” [The Washington Post]

Big Data

EU – Report: Privacy is a Global Issue of Economic Justice

Data Justice has issued a new report indicating companies’ control of personal information “is not just an issue of privacy but is becoming a critical issue of economic justice.” Data Justice Director Nathan Newman writes, “This steady loss of data by individuals into the hands of increasingly centralized corporate hands is helping drive a large portion of the economic inequality that has become central to the political debate in our nation.” The report proposes steps “to making big data work for everyone”—including requiring explicit consent and better informing users of how data is being used and how companies profit from it. [Huffington Post]

US – Universities Form Alliance to Manage Big Data

Aiming to better manage big data in healthcare, the University of Pittsburgh Medical Center, the University of Pittsburgh and Carnegie Mellon University have teamed up to form the Pittsburgh Health Data Alliance. The three organizations are hoping to integrate data from electronic health records, wearables, diagnostic imaging and other sources more seamlessly. Through the Pittsburgh Health Data Alliance, “the three institutions also hope to create and advance technologies around ‘data-heavy’ healthcare innovation, perhaps resulting in spin-off companies that could boost economic activity around the burgeoning data and digital health sectors.” [MedCity]

US – Interview: White House’s First Chief Data Scientist

The White House has named former PayPal and eBay executive DJ Patil as the nation’s first chief data scientist. As well as helping the government make the most of the data it holds, Patil said the government has a role in making sure data is used properly and in helping citizens get access to data. He described his office’s purpose as ensuring “responsible use of data for the good of all citizens.” Patil’s immediate projects include analyzing the ways people use government websites and Precision Medicine, a longitudinal health study that aims to find patterns between lifestyle factors and genetic predispositions. [The Wall Street Journal] [Big Data: A Brief(ish) History Everyone Should Read] [Big Data’s Dark Side]

Canada

CA – Canada’s “Anti-Terrorism” Bill C-51

A Legal Primer: Expands the Powers of Canada’s Spy Agency, Allows Arrest on Mere Suspicion. Overly broad and unnecessary anti-terrorism reforms could criminalize free speech. Bill C-51, the Anti-Terrorism Act, 2015, would expand the powers of Canada’s spy agency, allow Canadians to be arrested on mere suspicion of future criminal activity, allow the Minister of Public Safety to add Canadians to a “no-fly list” with illusory rights of judicial review, and, perhaps most alarmingly, create a new speech-related criminal offence of “promoting” or “advocating” terrorism. These proposed laws are misguided, and many of them are likely also unconstitutional. The bill ought to be rejected as a whole. Repair is impossible. [Source]

SEE ALSO:

[Bill C-51 for Dummies: What you should know: Explaining the Tories’ controversial anti-terror legislation: Canada’s privacy commissioner Daniel Therrien has warned, in particular, about the information-sharing aspect of C-51. Therrien won’t be appearing in front of the House of Commons committee that is currently studying the bill, although both the NDP and Liberals requested that he do so.]

[Proposed CSIS powers a ‘constitutional mess,’ former watchdog warns: New anti-terror bill comes under heavy criticism during opening round of testimony. Ron Atkey, who served as the first chair of the Security Information Review Committee (SIRC), warned that provisions allowing CSIS agents to ask the federal court to authorize activities that could breach charter rights will almost certainly be struck down by the courts.]

[Bill C-51: Privacy watchdog Daniel Therrien blocked from committee witness list: Conservatives rebuff NDP attempt to add privacy commissioner to committee witness panel. Privacy Commissioner Daniel Therrien provided a written submission to the Commons committee reviewing the new anti-terrorism legislation, but efforts to add him to the witness list were blocked by Conservative committee members.]

[First Nations vow legal challenge of anti-terror bill: “We want the whole bill gone,” AFN National Chief Perry Bellegarde told reporters after testifying at a turbulent House of Commons committee on the proposed omnibus bill, which would give extraordinary powers to federal spies, government departments and the RCMP to thwart national security threats. The authorization to launch a Supreme Court challenge would first need the permission of AFN chiefs.]

[Aboriginal leaders fear anti-terror bill gives licence to target them as ‘terrorists in our own territories’: “We don’t want to be labelled as terrorists in our own territories, our own homelands, for standing up to protect the land and waters,” Assembly of First Nations national chief Perry Bellegarde told the House of Commons public safety committee. Public Safety Minister Steven Blaney told the committee earlier this week such concerns were ridiculous, saying the legislation is not intended to capture minor violations committed during legitimate protests.]

[Bill C-51: Blaney, MacKay questioned on anti-terror bill fine print: Justice Minister Peter MacKay, RCMP commissioner and CSIS director appear before committee. During his opening statement, Blaney highlighted the “key misconceptions” that he said had been put forward by members of the opposition and “so-called experts”: the claim that “legitimate protest” could be treated as potential terrorist threats, which he called “completely false, and frankly ridiculous.” …Before witness testimony got underway, Garrison tried to get unanimous consent from his committee colleagues to sit for an extra hour in order to hear from Privacy Commissioner Daniel Therrien, but that consent was denied.]

[Borders are “no-privacy” zones: Many do not know how few rights exist in that area. Others wish the courts would clarify that picture. As reported in Canadian news sources, Quebec resident Alain Philippon found all this out first hand when he recently refused to provide the password for his cell phone to airport border agents for inspection in Halifax. He was returning from time spent in the Dominican Republic.]

[Man arrested for refusing to give his phone’s passcode to border agents: Right now, Canadian laws don’t treat cellphones or smartphones any differently from other goods, so they are subject to examination. The Supreme Court of Canada also says police can try to crack one’s passcode, but a person has no obligation to give up their password to police, under the charter right to silence.]

[Speaking against Bill C-51: “We are deeply concerned that (Security of Canada Information Sharing Act) SCISA would permit the sharing of personal information of individuals who have participated in lawful, peaceful demonstrations like the large-scale protests against investment in apartheid-era South Africa and the incarceration of Nelson Mandela,” the letter states. “The historic peaceful protests in support of nuclear disarmament would also almost certainly have been caught as well.”]

[Anti-Terrorism Act threatens privacy rights: Editorial – The new Anti-Terrorism Act gives the Canadian Security Intelligence Service and 16 other federal departments and agencies “excessive” power to share “unprecedented” amounts of personal information, the privacy commissioner warns.]

[Officials flag federal anti-terror bill: Privacy commissioners, ombudsmen unite in labelling it ‘far-reaching’. “There needs to be better balance in this bill,” acting Manitoba ombudsman Mel Holley said. “When we look at this new bill, we say it goes too far, the definitions are too broad, the powers are sweeping, and the oversight is lacking. There’s always this debate about the balance between privacy and security. Well, we don’t recall being at the debate. It doesn’t matter if you’re in Montreal or Morris, this affects all of us.”]

[Anti-terror bill powers ‘excessive,’ Canada’s Privacy Commissioner says: “The end result is that national security agencies would potentially be aware of all interactions that all Canadians have with their government. That would include, for example, a person’s tax information and details about a person’s business and vacation travel,” Mr. Therrien said. Bill C-51 would beef up the powers of the Canadian Security Intelligence Service, criminalize the promotion of terrorism and provide the RCMP with new powers of preventative arrest. But the Privacy Commissioner is decrying the fact that 14 of the 17 federal agencies that are receiving “limitless” powers under C-51 are “not subject to independent oversight.”]

[Privacy Commissioner Slams Bill C-51: Canadians are ‘concerned with the issue of government surveillance,’ Therrien says. The privacy commissioner also expressed concern that the bill permits various government departments, approximately 17, to share information about Canadians, based simply on “relevance” rather than necessity. As an example, he writes, tax information that has traditionally been highly protected could be widely shared with other government departments. And, if it turns out that sharing such information was inappropriate, there’s no recourse for Canadians.]

[All Canadians would be trapped in anti-terror legislation’s ‘web’, warns privacy commissioner: The commissioner also called for a limit on how long personal information can be retained by departments, urged formal written agreements between departments, and asked that the government build in some type of independent oversight measures to ensure departments are treating personal information properly. He also said the government should include a mandatory review of the bill after three years, which has been the standard practice for other national security legislation.]

[Daniel Therrien: Bill C-51 Means Trouble Without Big Changes: The bill would provide 17 federal government agencies with almost limitless powers to monitor and profile ordinary Canadians, with a view to identifying security threats among them. The end result is that national security agencies would potentially be aware of all interactions all Canadians have with their government. That would include, for example, a person’s tax information and details about a person’s business and vacation travel.]

[Daniel Therrien: Submission to PSNS Committee on C-51]

[Christy Clark says we could ‘regret’ giving away personal freedoms in Bill C-51: “We should be very careful in Canada, in a country where so many people have sacrificed their lives to preserve our freedoms, to make sure that we aren’t – in the effort to protect ourselves against unknown threats – really diminishing our personal freedoms. …We will regret that forever. When you give up personal freedoms, it’s very hard to get them back.” – B.C. Premier Christy Clark.]

[Privacy lawyer warns against flying with ‘intimate information’: Alain Philippon case raises concerns about how far border guards can go. Border agents have the right to look through an individual’s computer or cellphone, or demand a password, as that power has yet to be constitutionally tested. Fraser says if you deal with private records professionally, it’s best to wipe your devices clean before you hit customs.]

[Profs Roach and Forcese & their swift assault on C-51: Kent Roach and Craig Forcese just happened to be on sabbatical when the PM announced his Anti-Terrorism Act. They set up a website, under the stolid banner “Canada’s Antiterrorism Act: An Assessment,” on which they have posted a series of devastatingly comprehensive critiques of the bill, tackling everything from how it would chill free speech, to how it would undermine privacy, to how it puts judges in the unprecedented position of authorizing Charter of Rights and Freedoms violations by Canada’s spy agency. Their fine-grained commentaries now form the intellectual core of what’s emerged as surprisingly vigorous push-back against the Anti-Terrorism Act. Expect to see them cited again and again when the House public safety committee begins hearings into the bill on March 9. Roach and Forcese are slated to be called to testify. The committee won’t hear from anybody more steeped in the subject at hand.]

[Canada’s Terrifying Anti-Terror Bill: Spooks Need a Tighter Leash, Not C-51’s Fresh Powers: If Canada’s security agencies are already overstepping their bounds, the extension of CSIS powers to include the “disruption” of terrorist activity, C-51’s extremely broad definition of terrorism, and preventative imprisonment when a subject “may” engage in terrorism, is nothing short of frightening. The complaints have come piling in, including from four former prime ministers. The latest plea to scrap C-51 comes from 100 law professors nationwide, with their 4,000-word text covering “some, and only some” of the serious flaws in the bill. The letter notes that the bill opens the door for the stifling of protests and other forms of legitimate dissent.]

[Colin Bennett: C-51 and no-fly lists – they will get longer: …the Secure Air Travel Act codifies what may seem like a deceptively simple idea to strangle the ability of terrorists, and those who support terrorists, from travelling by air. On the other hand, the list is going to get longer; it is going to be shared with more public and private agencies (domestic and foreign); the chances of the capture of erroneous, incomplete or obsolete information will be multiplied; the number of false-positive hits is likely to increase; and the process for innocents to seek removal and redress is likely to become more lengthy, costly and onerous.]

[Colin Kenny: What real intelligence oversight would look like: Efforts to increase national security accountability of CSIS must include the re-establishment of its Inspector General. The Harper government shut this organization down in 2012, arguing that its mandate overlapped with that of SIRC, even though both bodies were specifically designed to look at CSIS in different ways: SIRC held the role of after-the-fact, civilian review that reported to Parliament, while the Inspector General performed an internal oversight function that reported to the Minister of National Defence. Unlike the members of SIRC, Inspectors General had decades of experience working in Canada’s security and intelligence community. They had the background, access and mandate to provide as close to real-time oversight of the spy agency as is possible in a Westminster system.]

[Chill sets in over anti-terror laws: Filmmaker concerned he’ll be labelled terrorist: “Just me posting some of my ideas for this drama series would be enough for them to throw me in jail and not charge me until they determine they’ve taught me a lesson, and perhaps even try to dissuade me from producing the series,” Torrie said. “Literally freedom of speech, of expression is at stake here.” The new law says it can apply to someone who purposely tells someone else to commit terrorism but also to someone whose comments might lead someone to do so, regardless of whether that was the intention, and regardless of whether the comments result in a terrorist activity. It is punishable by up to five years in prison.]

[Why experts say Bill C-51 will spawn spy scandals]

[The Conservatives insist accountability will be improved through the need for judicial warrants to exercise new CSIS powers. The paper points out that the only circumstance in which the bill clearly requires a court-approved warrant is when CSIS will contravene the Charter of Rights and Freedoms or other Canadian law. “As with its existing surveillance powers, a substantial amount of CSIS activity that falls short of the warrant ‘trigger’ will never be pre-authorized by a judge,” it says, adding this is especially true when it comes to international operations, where Canadian law generally doesn’t apply.]

[Libertarian Party of Canada on Bill C-51]

[Canada’s controversial anti-cyberbullying law, Bill C-13, is now in effect]

CA – Mounties Stonewalled Request for Warrantless Data

The internal memorandum cites specific problems with the RCMP evidence, acknowledging “problems with the reliability of data were also provided by way of interviews with senior officials.” The details of those interviews are redacted; however, the memorandum states, “from these discussions we also found that statistics for warrantless access are inaccurate because of lack of reporting, multiple reporting or overlapping reporting.” The conclusion leaves little doubt about the problems the auditors encountered. It goes far further than the publicly released report, noting that “based on our review of statistics and interviews with senior officials at the RCMP we were unable to rely upon the numbers provided for warrantless access requests, nor was there any linkage between reports of such requests and the actual operational files containing such requests.” [Source]

CA – NF Govt Commits to Implementing Access Report Recommendations

“We will be acting on the recommendations contained in the report,” said Steve Kent, the minister responsible for the Office of Public Engagement, adding that the government will begin implementing the recommendations during the spring sitting of the House of Assembly. The commission even went so far as to write draft legislation of its own. The independent commission is chaired by former Liberal premier and chief justice Clyde Wells, who prepared the report with retired journalist Doug Letto and former federal privacy commissioner Jennifer Stoddart. [Source]

Consumer

US – Pew: People Know About Surveillance Programs, Unsure How to Respond

In new research, roughly two years after the initial Snowden revelations, the Pew Research Center finds that U.S. citizens are aware of the surveillance programs revealed by Snowden, but are split on how they’ve responded to that knowledge. While just 6% are unaware entirely, 34% have taken at least one step to hide their information from the government and 40% of those under 50 have done so. Of the rest, 54% believe it would be “somewhat” or “very difficult” to do anything to avoid the surveillance, and are unaware of steps that would make it possible. Finally, the country is almost evenly split on whether there are appropriate checks and balances in place: 48% say the courts are balancing national security with the right to privacy appropriately. [Full Story]

WW – Privacy or Personalization? It’s Complicated

A recent study from Accenture shows that about 60% of consumers want real-time promotions and offers, but only 14% want to share their browsing history. The research also shows varying attitudes about the desired level of personalization depending on age. What most people do like, according to the study, is automatic discounts for loyalty points and coupons, sites that are optimized for different devices and “one-click” checkout. Marketingland offers suggestions for marketers navigating the balance between value and privacy, such as “make data use transparent” and “own and control your data.” [MediaPost]

US – Survey: This Tax Season, Privacy Concerns Abound

A recent survey by Taxsoftware.com indicates most Americans are “very or somewhat concerned about the privacy and safety of their personal and financial data” this tax season. Of the survey’s respondents, “70% expressed concerns about the safety of their data when using desktop computers to file their state and federal tax forms; 68% are concerned when using their iPads or tablets, and 69% are concerned when using their smartphones,” a news release states. A spokesperson for Taxsoftware.com suggests the IRS “would do all taxpayers a great favor by eliminating its free e-file service, and thereby dramatically and immediately help reduce fraud.” [Full Story]

CA – Quebec Man to Fight Phone Password Charge

A Quebec man “charged with obstructing border officials by refusing to give up his smartphone password” has said he will fight that charge, and the case is raising legal questions. Dalhousie University Schulich School of Law’s Rob Currie noted that travelers crossing Canada’s border “have a reduced expectation of privacy,” the report states. However, he said, “This is a question that has not been litigated in Canada, whether they can actually demand you to hand over your password to allow them to unlock the device,” adding, it is “one thing for them to inspect it, another thing for them to compel you to help them.” [CBC News]

E-Government

US – CA, ME City Officials on Protecting Citizens’ Privacy

At a meeting in Bangor, ME, a City Council member raised concerns that a proposed program to inspect more apartments in the city could result in privacy issues. Councilor Ben Sprague worried whether city inspectors would be required to report illegal activities to law enforcement. And in California, the Electronic Frontier Foundation reports Oakland City Council’s Public Safety Committee will soon consider recommendations by Oakland’s Domain Awareness Center Ad Hoc Advisory Committee on Privacy and Data Retention. The committee aims to pass a privacy policy following further input from city staff and the public. [Bangor Daily News]

E-Mail

WW – Yahoo Announces On-Demand Passwords, Releases Encryption Plugin Source Code for Review

Yahoo has announced that it will let users log into their accounts with on-demand passwords sent as SMS messages to their mobile devices. The scheme is not the same as two-factor authentication, which Yahoo also offers. Yahoo also plans to release a plug-in that would enable end-to-end encryption for its email by the end of the year. The company has released the plug-in’s source code for public review. [CNET] [DarkReading] [SC Magazine] [ComputerWorld] [Yahoo]

CA – CRTC Issues $1.1 Million Penalty to Compu-Finder for Spamming Canadians

The Chief Compliance and Enforcement Officer finds that Compu-Finder sent commercial electronic messages without the recipient’s consent as well as emails in which the unsubscribe mechanisms did not function properly. The emails sent by Compu-Finder promoted various training courses to businesses, often related to topics such as management, social media and professional development. The four alleged violations occurred between July 2, 2014 and September 16, 2014. Furthermore, an analysis of the complaints made to the Spam Reporting Centre of this industry sector shows that Compu-Finder accounts for 26% of all complaints submitted. [Press Release] [Million Dollar Spam Fine Sends Message to CASL Fencesitters]

Encryption

CA – Man Arrested at Canadian Border for Refusing to Divulge Phone Password

A Canadian man returning from the Dominican Republic was arrested in Halifax, Nova Scotia, for refusing to provide law enforcement at the border with the code to unlock his smartphone. A Canadian Border Services Agency spokesperson said the man was arrested for “hindering” border guards from performing their duties. [CNET] [CBC]

US – FTC’s Primary Domain Now HTTPS by Default

The U.S. FTC has made its primary domain HTTPS by default, which enhances security and privacy for users. Browsers will automatically verify the website’s authenticity, which will help guard against website impersonation. [Washington Post] [The Hill] [Full Story]

WW – Firefox Update to Add Certificate Security Feature

Firefox 37 will include a new mechanism to check SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificates. While the technology, dubbed OneCRL (Certification Revocation List), will not supplant the currently used Online Certificate Status Protocol (OCSP) for the time being, Mozilla may eventually disable OCSP for certificates covered by OneCRL. Firefox 37 is expected to be available at the end of March. [eWeek] [The Stack]

EU Developments

EU – Council Reaches Agreement on One-Stop Shop

The EU’s Council of Ministers has reached a partial general approach on specific issues of the draft regulation. The partial general approach includes the chapters and recitals on the one-stop-shop mechanism as well as those relating to the principles for protecting personal data. [The Irish Times] Jennifer Baker writes, however, that the plan is “far from ‘one stop’” and may make matters more cumbersome than the status quo. [No Food, No Drink, No Water: Council to Finalize Regulation Draft] Meanwhile, The Wall Street Journal reports on the ways the draft regulation might irk U.S. tech companies.

EU – Oettinger Calls for “Digital Union of Europe”

With the EU being “the largest single market in the world” but still consisting of “28 fragmented digital markets,” European Commissioner Günther Oettinger is calling for a “Digital Union of Europe … which can become a capable partner for the United States, China and India.” “A national data protection law is no longer respected by Google, Facebook or Apple,” he said. [EurActiv]

EU – Leaked Documents Reveal Which Nations Support Proposed Regulation

LobbyPlag has obtained approximately 11,000 pages of classified EU documents as well as German diplomatic cables on the proposed General Data Protection Regulation. Among the leaked documents, the group put together an infographic detailing which national governments “are lowering or raising data protection laws in Europe.” According to the leaked documents, Ireland ranks third worst, just behind Germany and the UK, for undermining the EU’s data protection rules. [Full Story] [Is the Proposed Regulation Broken?]

EU – Commissioner Jourová: Suspending Safe Harbor is “Plan B”

A delegation of 11 Members of the European Parliament is visiting the U.S. this week to discuss issues including “the renewal of the so-called Safe Harbor deal that regulates the transfer of personal data of EU citizens to the U.S.” [PCWorld] In a wide-ranging interview, European Commissioner Vera Jourová said she wants to finalize Safe Harbor negotiations by May and that the EU will be “strict” about ensuring the U.S. government adheres to internal rules governing the use and safety of EU citizen data for national security purposes. As she heads up Justice, Consumers and Gender Equality for the commission, Jourová said the pending data protection regulation is also one of her two top priorities, and she said there is “strong momentum to finalise the reform by 2015.” She expects an EU Council vote by June and then the beginning of the trilogue process. [EurActiv]

EU – Advocates Worry They’re Losing Out on TPP Deal

As negotiations over the Trans-Pacific Partnership enter final stages in Hawaii this week, privacy advocates worry that even long-time privacy supporters like Sen. Ron Wyden (D-OR) are allowing too much surveillance of American and global citizens by corporations. Specifically, they “worry that data flow provisions in the trade agreement will enable big companies to fight and discourage strong privacy rules abroad.” While tech firms are often on the same side as advocates in battles over, for example, the Stop Online Piracy Act, here they find themselves at odds. It’s become “a Rorschach test,” said Google Head of Global Trade Policy David Weller, “whether you think kind of deep evil is being done or not …” [Huffington Post]

EU – Dutch Court Strikes Down Law; Germany Plans to Introduce Retention

The District Court of The Hague struck down the nation’s data retention law that gives law enforcement access to telecommunications data. The law had required telecommunications providers to collect and store users’ data for up to 12 months. According to the ruling, the law violated citizens’ rights to privacy. “The judge finds that this violation is not limited to what is strictly necessary,” the ruling stated. The Dutch government has argued the law helps it find and defend against terrorists. The ruling can still be appealed. Meanwhile, Germany’s government “plans to introduce data retention in a national solo run.” [The Wall Street Journal]

EU – Irish Government Defends Record on Regulation Negotiations

In response to a report alleging the Irish government is looking to water down privacy protections in the upcoming Data Protection Regulation, accompanied by some 11,000 classified documents, the Department of Justice (DoJ) is defending its record. While LobbyPlag analyzed the documents to show just one of Ireland’s tabled changes “improved privacy,” the DoJ argued the report is “based on a crude analysis of footnotes recorded in council texts” and that those footnotes need to be placed in context of wider arguments. For instance, Ireland was seeking compromise when holding the presidency. [The Irish Times]

EU – FTC and Dutch DPA Sign Enforcement Pact

The U.S. FTC and the Dutch Data Protection Authority (DPA) have announced they have signed a memorandum of understanding (MoU) to bolster their information-sharing and enforcement efforts in matters related to privacy protection. “In our interconnected world, cross-border cooperation is increasingly important,” FTC Chairwoman Edith Ramirez said. “This arrangement with our Dutch counterpart will strengthen FTC efforts to protect the privacy of consumers on both sides of the Atlantic.” Dutch DPA Jacob Kohnstamm said, “The signing of this MoU between the Dutch DPA and the FTC is a great step … and marks the good relationship between our offices.” [FTC press release]

EU – CNIL Issues BYOD Guidelines

The French Data Protection Authority, the CNIL, has published new guidelines on bring your own device (BYOD). The guidance includes that if a company has already made a standard declaration to the CNIL about employee management or employs a data protection officer, there’s no need for additional declarations to cover its BYOD policy. [Hogan Lovells’ Chronicle of Data Protection]

UK – Inquiry Calls for Overhaul of Surveillance Laws but Clears Spy Agencies

Civil liberties advocates have long been concerned about the surveillance powers of government agencies, and some were dissatisfied with the oversight panel. Shami Chakrabarti, director of Liberty, an advocacy group, said that the committee “has repeatedly shown itself as a simple mouthpiece for the spooks — so clueless and ineffective that it’s only thanks to Edward Snowden that it had the slightest clue of the agencies’ antics.” [NY Times]

EU – A New Era at the EDPS

With the release of “The EDPS Strategy 2015-2019,” European Data Protection Supervisor Giovanni Buttarelli and Assistant Supervisor Wojciech Wiewiórowski have etched out a bold vision with ambitious goals, writes Christopher Kuner. The document lays out three major strategic objectives and 10 action items, and the interest in these pieces couldn’t be more clear: The release was attended by the first vice president of the European Commission and the chairman of Parliament’s LIBE Committee. Kuner analyzes why data protection has become so high-profile and what we can take away from the new five-year plan. [Privacy Perspectives]

Facts & Stats

WW – How Do the World’s DPAs Break Down by Gender?

Prompted by the popularity of the “Women Leading Privacy” events at the IAPP Global Privacy Summit, the IAPP used the recent update of its global data protection authorities (DPA) information page to look at DPA leadership by gender, compiling the results by region. See whether Women Leading Privacy efforts have so far produced more opportunity on the regulatory side as well as in the private sector. [Full Story]

Filtering

UK – ISPs Take Another Tack to Block the Pirate Bay

Internet service providers (ISPs) in the UK are now blocking websites that offer pirated content as well as those that serve as proxies for such sites and even sites that simply list the proxy sites. The reach of the court order has raised concerns about censorship. [BBC] [WIRED] [The Responsibility of Operationalizing the Right To Be Forgotten | Google Report ]

Finance

US – Report: 80% of Global Merchants Fail PCI DSS

According to a new Verizon Communications report, four out of five global retailers fall short on debit and credit card security, failing the Payment Card Industry Data Security Standard (PCI DSS), Reuters reports. The report also found that businesses tend to only upgrade security software just before a PCI DSS compliance check. Data for the report was gathered from more than 5,000 companies in 30 countries. Additionally, Verizon found that in the past 10 years, not one company that suffered a breach was compliant with the standards at the time of the incident. [Full Story] [Verizon 2015 PCI report: More achieve PCI compliance, but fail to keep it] [Verizon: PCI requirement to test security systems a compliance weak point for orgs]

US – Orfei: Compliance Report Findings “Sobering”

Verizon’s 2015 PCI Compliance Report “should serve as a loud and clear wake-up call to everyone in the business community who cares about the payment data security of their customers,” writes Stephen Orfei, general manager of the PCI Security Standards Council. That’s because the report’s findings “are sobering,” Orfei writes, noting “a compound annual growth rate of 66%” in security incidents since 2009. Further, of the payment card breaches investigated by Verizon’s forensics team in the last 10 years, not a single organization was PCI DSS compliant at the time of the breach. “The business community needs to up its game to answer this enormous challenge,” Orfei writes. [The Hill]

US – AG, Credit Reporting Agencies Reach Settlement

The nation’s major credit reporting agencies have agreed to overhaul their approach to fixing errors and their treatment of medical debts on consumers’ reports. New York State Attorney General Eric Schneiderman announced Monday his office has reached a “sweeping settlement” with the agencies, which keep records on more than 200 million individuals. The settlement was prompted by an investigation in 2012. [The New York Times]

US – NCUA Seeks Power to Examine Third-Parties

The head of the National Credit Union Administration (NCUA) is asking Congress to give her agency the power to examine and police third-party vendors in an effort to thwart cyberattacks. The NCUA is the only federal banking regulator without the power to examine third-party vendors.

CA – Alberta Online Bank First In Canada to Shun U.S. Clients amid Tax Rules

The shunning of U.S. customers is part of the spreading fallout from the U.S. Foreign Account Tax Compliance Act (FATCA), which came into force this year. The law is the centrepiece of a concerted U.S. effort to crack down on overseas tax evasion by identifying all offshore American account holders. Canadian financial institutions have complained loudly about steep FATCA-related compliance costs, which can reach as high as $100-million for each of the Big Six banks. It has also caused extreme stress for hundreds of thousands of Americans and dual Canada-U.S. citizens living in Canada, many of whom have never filed U.S. taxes. The new reporting rules make it much trickier for them to avoid filing U.S. taxes and other required forms. Under U.S. law, Americans must file U.S. taxes every year, regardless of where they live. A number of financial institutions in Europe and elsewhere are already balking at doing business with Americans. [Source]

FOI

US – Clinton: Gov’t Doesn’t Have Right to Review Her Personal Emails

Hillary Clinton says neither the federal government nor an independent third party has the right to review emails she sent as secretary of state if she deems them personal. USA Today reports that position is inaccurate: State Department guidelines say there is “no expectation of privacy” for personal emails sent by government employees on a departmental email system. “No one creating records on an official government network has an individual ‘privacy right’ to demand that their emails or records should be shielded beyond the reach of public access requests under FOI laws, state or federal,” said Drinker Biddle’s Jason Baron. [USA Today] See also: [Clinton excuse ‘laughable’: veteran official] [Read the three BYOD mistakes Hillary Clinton made “and how your BYOD policy can avoid them.”]

US – Facebook Report Details Government Data Requests

Facebook’s Global Government Request Report shows that the overall number of requests the company received from governments worldwide increased slightly from the previous six months. The majority of the data requests were related to criminal cases. In the US, nearly 80% of requests were met with the release of some data. While requests from the US and German governments declined, the number of requests in the US may be higher than the figures indicate because Facebook did not include national security requests in its report. Facebook also notes that requests to restrict or take down content rose 11% over the previous six months. [ComputerWorld] [ZDNet] [Forbes] [GovtRequests.com]

Genetics

WW – In Growing Market for Genetic Data, Privacy Implications Prove Lasting

SC Magazine reports on the work of researcher Michael Goetzman on the security implications of DNA technologies. Goetzman found “that the increasingly lucrative market for data brokers may simultaneously amplify breach concerns in the healthcare sector,” the report states. [SC Magazine]

Health / Medical

US – Wyden Concerned About Health Info Privacy on Campuses

Sen. Ron Wyden (D-OR) asked for details about the thoroughness of privacy protections on health information for students who use college and university medical facilities. Wyden wrote a letter to Education Secretary Arne Duncan with concerns that patients have less understanding of the rules governing campus health facilities versus those governing outside practitioners. “College students should be able to expect the same level of privacy as other people when it comes to the incredibly sensitive information they give their on-campus health and mental health providers,” Wyden said. [KTVZ] edSurge reports optimism is coming back to the student privacy debate. Electronic Privacy Information Center’s Khaliah Barnes said, “It’s a false dichotomy: Privacy and innovation can and should exist.” [Student Sues UMontana Over Info-Sharing]

US – HITRUST Releases Review Findings

The Health Information Trust Alliance (HITRUST) has released the findings from its three-month review of cyber-risk management for the healthcare industry. “The analysis uncovered a constant theme: that today’s approach to cybersecurity is predominantly reactive and, for the vast majority of organizations, inefficient and labor-intensive,” HITRUST’s announcement states. Separately, Government Health IT reviews the lessons privacy and security professionals can learn from each other.

Horror Stories

US – Three Charged in Massive Data Breach

The Department of Justice (DoJ) has charged three men for taking part in what it says is “one of the largest” data breaches uncovered in U.S. history. The three are charged with running a cyber-fraud ring that stole one billion email addresses and then sent spam offering knockoff software products. While the DoJ hasn’t named the companies involved in the breach, it appears Epsilon was among them, the report states. Two of the three men are now in custody; one has pleaded guilty to conspiracy to commit computer fraud while the other is charged with conspiracy to commit money laundering. The third is a Vietnamese citizen who was living in The Netherlands. [Krebs]

US – Breach Bill Discussed; More Breaches Announced; Class-Action Filed

Reps. Marsha Blackburn (R-TN) and Peter Welch (D-VT) are circulating their Data Security and Breach Notification Act of 2015, which would preempt 47 state data notification laws. [Gov Info Security] Meanwhile, a Wired article discusses the “crooked path to determining liability” in breaches.

US – Mandarin Oriental Breach

The Mandarin Oriental hotel chain has confirmed a breach of its systems that compromised customer payment card information. The attack affected point-of-sale systems at 45 of the company’s hotels. [Krebs] [BBC]

WW – Superfish Removed from 250,000 Windows Machines

Microsoft, working with Lenovo and other vendors, has removed the Superfish adware from about 250,000 Windows PCs. According to Microsoft’s security team, the number of Lenovo machines on which it is detected each day has dropped below 1,000; at its peak, Superfish was being found on 60,000 PCs per day. The adware’s security problem went beyond ad injection: it installed its own root certificate in the Windows trust store so it could intercept HTTPS traffic, and the same certificate and private key shipped on every affected machine, so anyone who extracted the key could impersonate any HTTPS site to those machines. Removing the adware alone is therefore not enough; the Superfish root certificate must also be removed from the trusted root store. [ComputerWorld] See also: [FREAK Still Affects Some Cloud Services]

US – School Accesses Rape Victim’s Medical Records

A woman is suing the University of Oregon for privacy violations after it allegedly used her mental health records to defend itself against allegations it “mishandled” her sexual assault by three of its basketball players. The three players were kicked out of school, but the assault case never went to trial. The woman suing the school had received therapy at the school’s clinic after being sexually assaulted. The university then allegedly used those records in its defense. The student-run Organization Against Sexual Assault’s Kelsey Jones said, “It’s very concerning for a lot of people … It’s 10 times harder now to seek that help and feel safe and feel OK to share 100% of what you’re feeling.” [NPR]

US – Other Breaches

  • Bistro Wants Suit Dismissed: P.F. Chang’s China Bistro has asked the Seventh Circuit to uphold a lower court’s dismissal of a class-action stemming from a data breach at the chain.
  • A Google software problem has exposed personal information on the owners of about 300,000 websites
  • Uber is facing a potential class-action over a recently disclosed data breach involving 50,000 of its drivers.

Identity Issues

US – New Guidance Released for De-ID

HITRUST announced it will release a De-Identification (De-ID) Framework, with guidance, standards and controls for de-identifying data in a healthcare setting. The framework includes use cases for defining levels of anonymization, criteria for evaluating De-ID methods and technical controls for mitigating the risk of using and storing health data. HITRUST will host a webinar March 24 to introduce the framework, at which point it will be available for download. [HealthData Management]

US – Do We Need a New Definition of Privacy?

Rutgers School of Communication and Information Assistant Prof. Vivek Singh, currently a visiting professor at MIT, is a co-author of the recent paper “Unique in the Shopping Mall: On the Reidentifiability of Credit Card Metadata.” Singh suggests the research shows “we need to rethink the ideas we have about privacy,” the report states. Singh explains, “It is relatively easy for anyone, with just a bit of information, to find out very private details about our lives … We therefore need to redefine our current definition of privacy.” While the research doesn’t prove “that we all have any lesser privacy than before or that privacy is gone,” he notes, it “does show that we do need to rethink how we measure and define it.” [News.Rutgers]
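To make the reidentifiability result concrete, and to give a check a reviewer could run against the kind of de-identification criteria described above under “New Guidance Released for De-ID,” here is an added Python example; it is not from the page, from the paper or from HITRUST. It measures two things on a constructed, synthetic transaction dataset: unicity (the share of users whose trace is the only one matching p randomly chosen (shop, day) points taken from that trace, which is the measure the “Unique in the Shopping Mall” paper uses; the paper, published in Science, reports that four such points reidentify about 90% of the 1.1 million card holders in its dataset) and k-anonymity (the smallest number of distinct users sharing any (shop, day) cell). The record layout, the “home shop” behaviour model and every parameter value are assumptions made for illustration.

```python
"""Reidentification risk measures over a constructed transaction dataset.

Added example (not from the page or the paper's own code). Two measures:
  * unicity: share of users whose trace is the only one matching p
    randomly chosen (shop, day) points taken from that trace.
  * k-anonymity: smallest number of distinct users sharing any
    (shop, day) cell, a de-identification criterion a reviewer can check.
"""
import random
from collections import defaultdict

# A record is (user_id, shop_id, day). All data below is synthetic.


def make_dataset(n_users=200, n_shops=40, n_days=30, tx_per_user=12, seed=7):
    """Constructed sample: each user mostly shops at four 'home' shops (assumed model)."""
    rng = random.Random(seed)
    records = []
    for user in range(n_users):
        home = rng.sample(range(n_shops), 4)
        for _ in range(tx_per_user):
            shop = rng.choice(home) if rng.random() < 0.8 else rng.randrange(n_shops)
            records.append((user, shop, rng.randrange(n_days)))
    return records


def coarsen(records, day_bucket=7):
    """Generalise the time column: days become weeks, a common de-ID step."""
    return [(u, s, d // day_bucket) for u, s, d in records]


def traces(records):
    """Map each user to the set of (shop, day) points in their trace."""
    by_user = defaultdict(set)
    for user, shop, day in records:
        by_user[user].add((shop, day))
    return by_user


def matching_users(by_user, points):
    """Users whose trace contains every point in `points`."""
    return {u for u, pts in by_user.items() if all(p in pts for p in points)}


def unicity(records, p, trials=400, seed=1):
    """Fraction of sampled users uniquely identified by p of their own points."""
    by_user = traces(records)
    rng = random.Random(seed)
    eligible = [u for u, pts in by_user.items() if len(pts) >= p]
    unique = 0
    for _ in range(trials):
        u = rng.choice(eligible)
        sample = rng.sample(sorted(by_user[u]), p)
        if matching_users(by_user, sample) == {u}:
            unique += 1
    return unique / trials


def k_anonymity(records):
    """Smallest number of distinct users sharing one (shop, day) cell."""
    users_per_cell = defaultdict(set)
    for user, shop, day in records:
        users_per_cell[(shop, day)].add(user)
    return min(len(users) for users in users_per_cell.values())


if __name__ == "__main__":
    data = make_dataset()
    for label, recs in (("daily", data), ("weekly", coarsen(data))):
        print(label, "k =", k_anonymity(recs),
              "unicity for p=1..4:", [round(unicity(recs, p), 2) for p in (1, 2, 3, 4)])
```

Run it as a script to print k and unicity for one to four points on the daily data and on the week-coarsened data. Merging cells can only raise k (each coarse cell's user set is the union of the finer cells it absorbs), but unicity falls much more slowly, which is the paper's point: a dataset can satisfy a coarse-grained de-identification criterion and still let a handful of known purchases single out most people in it.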

Internet / WWW

US – FCC Releases Net Neutrality Rules

Documents from the US Federal Communications Commission (FCC) show that the commission is going to treat broadband as a public utility, which means it will be subject to more stringent regulation. The document indicates that the FCC will determine what is deemed acceptable on a case-by-case basis. [NYTimes] [Washington Post] [Silicon Republic] [FCC Press Release] [Net Neutrality Has Sparked an Interagency Squabble Over Internet Privacy: The FTC and the FCC are arguing over who is better at protecting consumers.]

WW – UN Needs Privacy Rapporteur: Advocates

The Electronic Frontier Foundation (EFF) has joined a group of 60-plus advocacy groups to call for the creation of a UN special rapporteur on the right to privacy. “The special rapporteurs are independent experts appointed by the Human Rights Council and serve in their personal capacities,” the EFF announcement states. “A special rapporteur would play a critical role in developing common understandings and furthering a considered and substantive interpretation of the right to privacy in a variety of settings.” The EFF notes privacy is one of the few rights that does not have specialist attention in the UN. “There is a pressing need to better articulate the content of this right as part of international human rights law and produce guides on its interpretation,” the report states. [Full Story]

US – NIST Releases Draft of IoT Standard Framework

The National Institute of Standards and Technology (NIST) cyber-physical systems public working group has released a discussion draft of its Framework for Cyber-Physical Systems—what has come to be known as the Internet of Things. It synthesizes the work of five subgroups, one of which covered security and privacy, and offers the beginning of a common way of working with and protecting an array of items on the network as varied as cars and pill bottles. NIST is receiving feedback on the draft in the lead-up to the next in-person meeting of the working group, April 7 and 8. NIST hopes to have a finalized draft in 2016. [Hogan Lovells Chronicle of Data Protection]

Law Enforcement

US – Seattle Police Post Body Camera Footage for Public Viewing

Seattle police have posted footage from police-worn body cameras to their own YouTube channel. The new program is uncommon and probably the first in the country. But it answers a question facing every department employing body-worn cameras: How much should police show the public? In the past, the Seattle Police Department faced criticism for setting up drone networks or wireless cameras before holding public meetings. But police hope posting the footage for the public to view will engender trust. Phil Mocek of Seattle’s Privacy Coalition, however, worries the public footage could be used as a “roving network of public surveillance.” [The Guardian]

US – New Lawsuit by ACLU Targets Cellphone Snooping With Stingray Device

The ACLU suit, filed in Orange County Superior Court, seeks to find out what the state’s bigger police forces are doing with the data of bystanders’ phones swept up alongside the target’s, what they are doing with the targeted data and what rules have been set to ensure the data aren’t being abused. …In a survey by the ACLU of nine California police agencies, three – including Santa Ana and the Orange County Sheriff’s Department – said they do not have StingRays. However, an official with the Orange County Sheriff’s Department confirmed that his agency is looking for money to buy a StingRay. [Source]

Location

WW – TomTom Addressing Privacy Concerns

GPS maker TomTom is planning to improve its service by using its customers’ travel data to make more timely updates to its road navigation software; this time around, however, it plans to be clearer about how it uses customer data. According to Vice President of Privacy and Security Simon Hania, allegations that the company shared data with police back in 2011 led it to “take more action to better communicate how it uses customer data,” the report states. The data will also be encrypted, anonymized and held on secure servers. “If you cannot explain to your users what you are doing and why, maybe you shouldn’t be doing it,” Hania said. [V3.co.uk]

Offshore

WW – Fieldfisher Releases “Managing Global Data Residency Risk” Report

Fieldfisher has announced the publication of its “Managing Global Data Residency Risk” report, which provides an in-depth look at issues around Data Residency Rules—laws prohibiting the transfer of personal data from specific countries or regions unless certain legal standards are met—and legal solutions that enable international data exports. “In an increasingly data-hungry and interconnected world, data protection issues continue to take on greater importance, and it is against this backdrop that the report has been produced,” Fieldfisher said in its announcement on the report’s release. The report compiles research by privacy specialists on 47 territories worldwide. [Full Story]

Online Privacy

US – DARPA Details Plans for Privacy Tools

The Defense Advanced Research Projects Agency (DARPA) has formally announced its plans to research and develop tools for online privacy. Named for Supreme Court Justice Louis Brandeis, the new program “seeks to explore how users can understand, interact with and control data in their systems and in cyberspace through the expression of simple intentions that reflect purpose, acceptable risk and intended benefits,” the report states. DARPA Program Manager John Launchbury said the aim is to develop methods that can help protect private data “without having to impose cumbersome protective mechanisms that ultimately deplete the larger value of the information at hand.” The four-and-a-half-year program will be split into three 18-month phases resulting in experimental systems that show privacy technologies at work. [Full Story]

US – DARPA “Brandeis” Program Aimed at Privacy Protection

The Defense Advanced Research Projects Agency (DARPA) has announced a program the agency says will help develop the “technical means to protect the private and proprietary information of individuals and enterprises.” The program is named after Louis Brandeis, frequently referred to as the “father of privacy.” DARPA will gauge interest in the program at a Proposer’s Day event on March 12. Meanwhile, IBM has also said it is offering technology “to encrypt the certified identity attributes of a user, protecting privacy and enhancing security.” The program is called Identity Mixer and prevents third parties from accessing data “by revealing only selected data to service providers,” the report states. [NetworkWorld] [DARPA is tackling online privacy. But can you trust them?]

EU – Facebook Says Users Consented to Scans

Facebook intends to defend itself in a privacy lawsuit by arguing that users agreed to allow the company to scan “private” messages in order to determine whether people are sending their friends links to sites outside of Facebook. “Facebook users expressly consented to the conduct,” Facebook said in a report filed last week with U.S. District Court Judge Phyllis Hamilton. The proposed class-action alleges “Facebook violates the federal wiretap law and a California privacy law by scanning the private messages that users send to each other through the company’s platform,” the report states. [MediaPost]

US – Twitter Responds to Critics, Revises Image Policy

Just over a month after a public declaration by CEO Dick Costolo that Twitter had done a poor job protecting people from harassment, he has announced a new policy banning nonconsensual intimate images and videos. Issuing an FAQ based on a Buzzfeed questionnaire originally posed to Reddit, Twitter said it has changed its privacy notice and terms of service: “You may not post intimate photos or videos that were taken or distributed without the subject’s consent.” Those in pictures or videos can submit takedown requests, and accountholders may appeal the action, but in the meantime the images will be hidden from view and the account will be locked. If there is no appeal, or the appeal fails, the accountholder will not be allowed to return until the image is deleted. Meanwhile, U.S. Rep. Katherine Clark (D-MA) has called on the Department of Justice to increase prosecution of online harassment cases. [Full Story] A Twitter conversation about one ed-tech company’s terms of service prompted the company to change the policy to meet privacy concerns.

US – Amidst Consumer Concerns, Calls for ECPA Reform, Chip-and-PIN Tech

With persistent data breach reports in the news and polls indicating most U.S. consumers don’t believe their personal data is safe, there are new and persistent calls for changes. Digital Fourth, a coalition of technology companies, advocates and other groups, has renewed its “call for Congress to change a 29-year-old electronic privacy law called the Electronic Communications Privacy Act (ECPA).” [IDG News Service reports] Debra Berlyn writes on ProtectMyData, “a consumer education campaign advocating the implementation of chip and PIN technology for credit and debit cards.”

US – Apple Watch Gets Cautious Approval from Advocates

The Apple Watch has a sensor allowing users to keep track of their heart rates and even share that information with friends, signaling Apple’s move into the health space. The watch can be used in concert with Apple’s new ResearchKit software, “a platform for medical researchers, which will let them pull in data from the many sensors on the Watch and iPhone from willing iGuinea Pigs,” the report states. World Privacy Forum’s Pam Dixon said she’s pleased with the watch’s defaults, but added the onus is on users to be sure they’re not sharing data with third parties that could use it to harm them. [Fusion] [The CIA Campaign to Steal Apple’s Secrets]

US – FTC to Look at Cross-Device Tracking

The US FTC will hold a workshop in the fall to examine cross-device tracking and how it affects consumers. Such events can indicate that the agency will follow up with reports and increased enforcement of privacy rules. [Washington Post]

WW – Skype Updates Privacy Statement for User-Friendliness

Skype announced this week it is “updating the look of its Privacy Statement” with an aim toward “increasing the transparency of the organization as a whole, highlighting the information that is typically hidden from the consumer,” Sean Cameron writes. “At Skype, we want to make it easier for you to understand and review the important documents that relate to our products and services,” Skype announced. [WinBeta]

Other Jurisdictions

AU – Proposed Law’s Amendment Protecting Journalists Raises Questions

Australia’s government is one step closer to enacting its data retention laws after agreeing “to a Labor amendment to protect journalists’ sources.” And while other concerns remain, “the bill to force communications companies to keep customer information for two years is set to pass through Parliament by the end of next week,” the report states. Labor’s Jason Clare is calling the amendment “a good result; it’s a victory for journalists,” while Sen. Scott Ludlam asked why journalists are being singled out: “I think the government has left itself open to, well, what about doctors, what about diplomats, what about legal professional privilege, what about serving military officers?” [ABC]

AU – Data Retention Bill Set to Become Law

Australian Communications Minister Malcolm Turnbull and Attorney-General George Brandis have accepted a suite of recommendations made by a Parliamentary Joint Committee, meaning new data retention legislation will soon become law. The law will require telcos to keep a set of customer data, including call records, IP addresses, email addresses, text history and more, for a minimum of two years so the data can be accessed by law enforcement if necessary. Following the bill’s passage, roughly 20 agencies would have access to the data. [ZDNet]

AU – Over 100 Data Breaches Voluntarily Reported to OAIC in Past Year

One year after the amended Privacy Act took effect, the Office of the Australian Information Commissioner (OAIC) issued a “law reform report card” detailing “how organisations and agencies have responded positively to the challenge of implementation.” The OAIC received over 100 voluntary data breach notifications and saw a 43% increase in privacy complaints in the 12 months since the changes came into effect. Australian Privacy Commissioner Timothy Pilgrim said he has been pleased to see private organisations and government agencies respond positively. “This is recognition that good privacy practices are good for business, particularly in building customer trust,” he said. “For the next 12 months, our focus will be on governance, assisting organisations and agencies to build a culture of privacy, and ensuring that organisations and agencies are proactive in meeting their compliance requirements.” [Source] [Privacy Act amendments chalk up first anniversary: OAIC has received 4016 privacy complaints over past year, says Timothy Pilgrim]

Privacy (US)

US – Wong: CPBR Gives Framework for National Privacy Discussion

President Barack Obama’s release of the proposed Consumer Privacy Bill of Rights Act (CPBR) has been met with an array of reactions. Among the recent reports on the CPBR, The National Law Review and Lexology examine the bill in detail. And the reaction pieces include Sen. Al Franken (D-MN) stating the CPBR “lacks the necessary teeth to hold companies accountable for their privacy policies and to ensure robust protections for consumers’ information,” while the Technology Policy Institute’s Thomas M. Lenard suggests it marks a step toward “regulating the Internet.” In a piece for The Christian Science Monitor, former White House Deputy Chief Technology Officer Nicole Wong writes, “What we need today is a framework for a national discussion about privacy regulation, and that is what the White House has given us.” [Full Story] SEE ALSO: [White House releases proposed “Consumer Privacy Bill of Rights,” to little acclaim Privacy advocates don’t like it, and tech companies don’t either] | [White House draws fire from privacy advocates over Consumer Privacy Bill of Rights] | [Obama’s ‘Privacy Bill of Rights’ Gets Bashed from All Sides: Some privacy advocates are disappointed that the proposal would not give the FTC the power to set regulations to enforce the principles. Instead, companies and industry associations would write their own rules and then ask the FTC to sign off on them. Additionally, the bill would overturn state laws that offer stronger protections. But the Web companies themselves aren’t so thrilled with the proposal either. Michael Beckerman, the CEO of the Internet Association, which represents Google, Facebook, Amazon, Yahoo, and others, warned that the bill “casts a needlessly imprecise net.”]

US – Wyndham Case Could Reach SCOTUS

The Third Circuit has heard oral arguments in Wyndham Worldwide Corporation’s battle against the FTC, “a high-stakes legal case that will help define the role of the federal government in protecting the security of consumer data online.” Wyndham is trying “to reverse a district judge’s decision endorsing the FTC’s enforcement authority,” the report states, noting Wyndham’s lawyers argue the FTC “overstepped its authority by punishing companies for weak cybersecurity.” Indiana University’s Fred Cate said, “I would not at all be surprised if the case went to the Supreme Court … And if in fact this went against the FTC, Congress would almost certainly have to act because we would be left without a security regulator with authority across the economy.” [The Hill] [Oral arguments in Wyndham Worldwide Corporation’s battle against the FTC]

US – New Commerce Data Advisory Council Members Announced

Secretary of Commerce Penny Pritzker has announced the members of the new Commerce Data Advisory Council (CDAC), which includes “19 of the best and brightest private- and public-sector thought-leaders on data management and dissemination in the United States.” The CDAC’s role is to help guide the Commerce Department’s efforts “to foster innovation, help create jobs and drive better decision-making throughout our economy and society.” A full list of the CDAC members can be found here. “Together, they will help us make our data easier to access and use, and maximize the return of data investments for entrepreneurs, government, businesses, communities and taxpayers,” Pritzker said. [Full Story]

US – NTIA Seeks Comments on Drone Privacy

With its plans to hold its “multistakeholder process,” a series of meetings with interested people aimed at developing best privacy practices for the aerial drone industry, the National Telecommunications and Information Administration (NTIA) has announced it has “opened up a request for comments on discussions aimed at developing privacy best practices for both the commercial and private use of drones.” “The public is invited to submit suggestions concerning the structure of the multistakeholder engagement and the substantive issues stakeholders will discuss,” the NTIA wrote in its announcement, noting it “expects to convene the first public meeting within 90 days from the publication of the Request for Comment.” [PCWorld]

US – Judge Dismisses Breach Suits Over Lack of Provable Harm

A federal judge last week dismissed two would-be class-action lawsuits filed over last year’s Paytime, Inc., breach. The plaintiffs who sued the national payroll firm said they faced the threat of identity theft because of the breach and that the company delayed informing them of the breach. But U.S. Middle District Judge John Jones said in dismissing the suits that none of those who sued Paytime have been identity theft victims. “There is simply no compensable injury yet, and the courts cannot be in the business of prognosticating whether a particular hacker was sophisticated or malicious enough to be able to successfully read and manipulate the data and engage in identity theft,” he said. [PennLive]

US – Jury Denies Damages for Privacy Intrusion Victim

A jury has found a California man is “not entitled to monetary damages from a neighbor he claimed used her position as a Sonoma County social worker to pry into his confidential files and embarrass him.” Eugene Alexeev testified in the trial that Lisbeth De Mejia, a Human Services Department eligibility worker, “shouted out confidential information about his lack of a job and dependence on public assistance in a 2010 argument,” the report states. Alexeev wanted damages for breach of privacy and infliction of emotional distress, and while jurors “found De Mejia’s conduct was outrageous and intrusive, violating Alexeev’s privacy,” they decided it had not been the cause of his “anxiety, crippling headaches, loss of sleep and depression,” the report states. [The Press Democrat]

US – Judiciary Committee Approves FBI Hacking Rule Change

A judicial advisory panel has approved a rule change that will broaden the FBI’s hacking authority despite concerns the amended language violates the Constitution. The Judicial Conference Advisory Committee on Criminal Rules voted 11-1 to allow judges more flexibility in how they approve search warrants for electronic data, the report states. The ACLU and others have said the rule violates Fourth Amendment rights on search and seizure, and Google said Congress should decide on such a rule. Meanwhile, the Treasury Department has issued a final rule exempting it from having to reveal to holders of preparer tax identification numbers the names of those who’ve asked for their files. [National Journal]

US – Department of Education Issues “Model Terms of Service” 

Despite the title, the Model Terms are not a template that the Department expects schools to insist that their online educational services and applications adopt when providing services to the school. Instead, the document contains a checklist of the types of privacy-related provisions that commonly appear in online services’ TOS, such as provisions related to marketing and advertising, modifications to the TOS, data use, data sharing, security controls, and data de-identification. For each type of provision, the document provides sample TOS provisions under the headings “GOOD! This is a Best Practice” and “WARNING! Provisions That Cannot or Should Not Be Included in TOS,” and explains why those provisions either represent a best practice or are problematic when considered in light of schools’ privacy obligations. [Source]

US – Companies Not Living Up to Student Pledge

Natasha Singer suggests companies are not living up to the Student Privacy Pledge. The pledge requires companies to “maintain a comprehensive security program that is reasonably designed to protect the security, privacy, confidentiality and integrity of student personal information against risks—such as unauthorized access or use,” but Singer suggests some “companies signed the pledge even though, at the time they joined, they had not begun full encryption, an elementary security measure.” The Future of Privacy Forum’s Jules Polonetsky said, “Companies that don’t provide strong security for sensitive data can be at legal risk for violating the pledge, state laws and contractual commitments.” [The New York Times]

US – No Privacy in Your Trash, Minnesota Supreme Court Rules

The Minnesota Supreme Court upheld a Court of Appeals ruling that the warrantless search of the defendant’s trash was not unconstitutional. It said the U.S. Supreme Court has ruled consistently that trash is public. But the Minnesota court also considered whether Minnesota’s Constitution affords greater protection than the U.S. Constitution on the matter. It doesn’t, Justice Wilhelmina Wright wrote in her opinion. [Source]

US – Swire Recognized for Privacy Leadership

At the IAPP Global Privacy Summit, Georgia Tech Scheller College of Business Prof. Peter Swire was awarded the IAPP 2015 Privacy Leadership Award. The award recognizes a leader in the field of privacy and data protection who has demonstrated an ongoing commitment to furthering privacy policy, promoting recognition of privacy issues and advancing the growth and visibility of the privacy profession. Accepting the award, Swire said he’s had a lifelong fascination with the intersection of technology, policy and law and has always loved science fiction—stories about how people and societies respond to new technological challenges. He likened such stories to what privacy professionals do in their daily jobs. [Full Story] See also: [FTC Chair Edith Ramirez Talks Privacy, Data Security]

Privacy Enhancing Technologies (PETs)

WW – Windows 10 Settings Strive to Make Privacy More Accessible

A new report states that Microsoft’s Windows 10 and its new “Privacy” tab “has a bunch of privacy settings you won’t find in the traditional Control Panel, because a lot of these settings are more for tablets and phones than they are for laptops and desktops.” The report looks at such options as settings for location, ads and even microphone and webcam access. “The General section is where you’ll be able to quickly change basic privacy settings; for example, you can choose whether to let apps access your name, photo and other account info; you can let Windows track your typing and give you word suggestions based on what you write, and you can allow websites to access your language list,” the report states. [CNET]

US – Cashing in on Privacy; Good Reps Mean “Halo Effect”

With the recent shift away from the mindset that consumers don’t care about privacy, tech firms, service providers and start-ups have begun to tout their privacy-protecting features or build entirely new models and businesses around them. Companies like AT&T and Google have introduced pay-for-privacy models, and start-up Abine masks emails, encrypts passwords and blocks trackers for a monthly fee. Meanwhile, a recent study has shown that companies with positive reputations “benefit from a ‘halo effect,’ even when they have been accused of wrongdoing. However … companies with good reputations are punished more severely than companies with weaker reputations when the evidence of their wrongdoing is stacked against them.” [Quartz] [Meet the free encryption app that promises to put your privacy first: The Cryptocat developer’s new team aims to get easy file and message encryption into everyone’s hands, which could give Gmail and Dropbox (and the NSA) a run for their money.] | [Peerio is an encrypted messaging and file storage app for Windows, Mac, and the Chrome browser that takes the likes of Gmail and Outlook, HipChat, and Dropbox to task. The app puts its users in the privacy driving seat, clearly marking for the lay user when something is encrypted.]

Security

US – FTC Launching Data Security Initiative

Several FTC officials shared their views and concerns on recent developments in privacy, and Bureau of Consumer Protection Director Jessica Rich said the agency is set to launch “Start with Security” to provide businesses with resources, education and guidance on data security. This Privacy Perspectives piece highlights the details on the program Rich and FTC Chairwoman Edith Ramirez shared at the event, the four trends Commissioner Julie Brill said the FTC is looking at and reactions from the FTC on the Obama administration’s proposed Consumer Privacy Bill of Rights. [Full Story] Separately, a three-judge panel has suggested the Federal Trade Commission should handle privacy cases in its own administrative court rather than in federal court. [The Wall Street Journal]

WW – Cyber-Threats Outpacing Security Pros

A study of more than 1,000 security professionals in the U.S., UK and Canada “paints a picture of mounting pressures on organisations due to a shortage of necessary specialist skills, tight budgets and poor employee education,” suggesting security pros are not able “to keep pace with cybersecurity threats” from both external and internal sources. [Reuters]

WW – NSS Labs’ Testing Service Will Hold Security Vendors Accountable

NSS Labs, an independent security testing company, has developed a testing service to see how security vendors stack up—including which real threats their products are blocking and which they’re not. The new offering from NSS Labs allows security officers to test products in real time through a service that does not itself sell security products. This kind of benchmarking is sure to shake up an industry that is loath to admit it doesn’t catch everything. NSS Labs got a taste of that kind of backlash last year, after it released a test of various breach-detection systems, which found that FireEye, then the darling of the breach detection space, underperformed similar offerings from Cisco, General Dynamics and Trend Micro. NSS Labs actually issued a grade of “caution” to customers who used FireEye’s web and email malware protection systems. [The New York Times]

US – Wikipedia Sues NSA; CIA Tried to Break Apple Security

Online encyclopedia Wikipedia has announced it will sue the NSA for its bulk surveillance programs, arguing they threaten freedom of speech and violate the Fourth Amendment. “By tapping the backbone of the Internet, the NSA is straining the backbone of democracy,” said Wikimedia Foundation Executive Director Lila Tretikov, adding, “By violating our users’ privacy, the NSA is threatening the intellectual freedom that is central to people’s ability to create and understand knowledge.” [National Journal] See also: The Intercept reports on a multi-year effort by the CIA to break the security of Apple’s iPhones and iPads. [NSA sued by Wikimedia, rights groups over mass surveillance: Lawsuit claims NSA illegally taps ‘backbone’ of Internet making a potentially new front for rights activists against spy agency. The litigation takes on what is often called “upstream” collection because it happens along the so-called backbone of the Internet and away from individual users. Bulk collection there violates the constitution’s First Amendment, which protects freedom of speech and association, and the Fourth Amendment, which protects against unreasonable search and seizure, the lawsuit said.] | [Wikimedia Foundation files suit against NSA to challenge upstream mass surveillance: When the 2013 public disclosures about the NSA’s activities revealed the vast scope of their programs, the Wikimedia community was rightfully alarmed. In 2014, the Wikimedia Foundation began conversations with the ACLU about the possibility of filing suit against the NSA and other defendants on behalf of the Foundation, its staff, and its users.] | [The case challenges the NSA’s use of upstream surveillance conducted under the authority of the 2008 Foreign Intelligence Surveillance Act Amendments Act (FAA). Upstream surveillance taps the internet’s “backbone” to capture communications with “non-U.S. persons.” The FAA authorizes the collection of these communications if they fall into the broad category of “foreign intelligence information” that includes nearly any information that could be construed as relating to national security or foreign affairs. The program casts a vast net, and as a result, captures communications that are not connected to any “target,” or may be entirely domestic. This includes communications by our users and staff.]

Surveillance

ET – Ethiopian Government May be Using Spyware Against Journalists

The Ethiopian government is allegedly spying on Washington-area journalists who work for Ethiopian Satellite Television (ESAT) with spyware intended for use by law enforcement. ESAT computers were infected in 2013 when an employee opened what turned out to be a malicious file. That attack was likely aided by a tool from Italian company Hacking Team. A more recent incident revealed another attempt at such an attack. A spokesperson for the Hacking Team said the company cannot divulge clients’ identities or locations, and that it would take action if it learned that entities were misusing its products. [Washington Post]

Telecom / TV

EU – Dutch Court Strikes Down Data Retention Law

A Dutch district court has struck down a law that required telecommunications providers to retain customer data for six to 12 months. The law was initially enacted in 2009 to fulfill the EU Data Retention Directive, which the European Court of Justice struck down last spring. [ZDNet] In related news, Bulgaria has also revoked its data retention law, and the European Commission announced it will not be looking to introduce a new directive to require telcos “to store the communications data of European Union citizens for security purposes.” Of course, individual member states may introduce their own national laws, but there will be no requirement at the EU level to do so.

US – Former AT&T Biz Partners: Privacy Record Should Be Scrutinized

Dozens of former AT&T business partners have warned regulators that the company has a poor record on privacy, and that increased scrutiny should be placed on its proposed $48.5 billion merger with DirecTV. The Minority Cellular Partners Coalition, which includes more than 90 former AT&T partners, has written to the Federal Communications Commission accusing the company of breaking the law by “voluntarily handing over data to the National Security Agency following the Sept. 11 terror attacks” without a court order. The coalition wants stronger privacy oversight of AT&T if the deal goes through. [U.S. News & World Report]

CA – Internet Carriers May Be Breaching Canadian Privacy Laws

In a privacy and transparency report, Teksavvy scores highest, while Videotron and Shaw score low. The study looked at the information provided publicly by internet carriers in Canada about how they protect customers’ privacy and ranked them based on 10 criteria. In fact, “it appears that many Canadian internet carriers are in violation of their legal responsibilities” under Canadian privacy law, says the report, entitled “Keeping Internet Users in the Know or in the Dark,” released by Toronto-area researchers. [Source]

WW – Android Lollipop 5.1 Brings Promised Anti-Theft “Kill Switch”

The new Device Protection feature is the Android version of what’s known on the iPhone as Activation Lock or Find My iPhone. According to Secure Our Smartphones, the addition of the kill switch in iPhones running iOS 7 and iOS 8 has cut iPhone thefts dramatically in cities like San Francisco, New York and London, because, they say, would-be thieves have learned they can’t resell them. Although a remote lock-and-wipe feature is available on most Androids already, Device Protection promises to go beyond the Android Device Manager feature available on older versions. [Source]

US Government Programs

US – Survey: CTOs Concerned About Data Privacy, Security

The Consortium for School Networking (CoSN), which launched its Protecting Privacy in Connected Learning initiative last year, has released its third K-12 IT Leadership Survey, and school technology leaders’ top concerns include the privacy and security of student data. “K-12 IT leaders are increasingly worried about the privacy and security of student data,” a CoSN press release states, noting 57% of respondents “said the issue is more important than it was last year.” Separately, Yale Law School has announced it is destroying student admissions evaluations and notations from the career development office “to avoid being forced to hand over a wide range of documents” amidst students’ Family Educational Rights and Privacy Act requests for their files. [Full Story]

US Legislation

US – Senate Committee Approves CISA 14-1

By a vote of 14-1, the Senate Intelligence Committee “approved a controversial cybersecurity bill designed to help companies and the federal government better defend against the growing threat of data breaches.” The Cybersecurity Information Sharing Act (CISA) aims to help businesses and government thwart the threat of data breaches by expanding legal liability protections to companies sharing threat-detection data with each other and government agencies. CISA “is critically important both for our agencies that keep the country safe and the institutions that hold millions of Americans’ personal information,” said Sen. Richard Burr (R-NC). [CNet]

US – Senators Introduce Data Broker Legislation

Sens. Edward Markey (D-MA), Richard Blumenthal (D-CT), Sheldon Whitehouse (D-RI) and Al Franken (D-MN) have reintroduced legislation requiring “accountability and transparency for data brokers who are collecting and selling personal and sensitive information about consumers.” The Data Broker Accountability and Transparency Act (S 668) would allow consumers “to order the companies to stop using, sharing or selling data about them for marketing purposes,” and includes provisions for the FTC “to write regulations setting up a centralized website for people to easily understand their rights and get information about the companies.” Consumer Watchdog has endorsed the bill, while the Direct Marketing Association is opposing it. [Full Story]

US – Virginia Limits Retention Time for License Plate Reader Data

Virginia’s governor has signed legislation that limits the length of time law enforcement in that state may retain license plate reader data to seven days. While New Hampshire has banned license plate data collection altogether and Maine has set a 21-day retention limit, many other states have set no formal limits. The Virginia law allows the data to be retained more than seven days if they pertain to an active and ongoing criminal investigation. The law takes effect July 1, 2015. [Ars Technica]

US – CA Senator Proposes State Chief Data Officer

California Sen. Richard Pan (D-Sacramento) wants to overhaul the state’s open data portal and create the role of a chief data officer reporting to the secretary of the Government Operations Agency as leader of the effort. Pan’s bill “would task the governor with naming a chief data officer no later than Jan. 1, 2016, and require at least 150 data sets to be published on the statewide open data portal by 2017,” the report states. The bill also seeks the creation of “a statewide open data roadmap” and calls for all data inventoried by state agencies to be published on the data portal by 2022. [Techwire]

US – MN Privacy Amendment One Step Closer to Voters

Minnesota House Government Operations and Elections Policy Committee has given HF 327, a bill seeking to give Minnesota voters “an opportunity to amend their state constitution in order to reject significant parts of mass surveillance programs by both state and federal government officials,” a recommendation of “do pass.” HF 327 would allow Minnesota voters the chance to amend the state constitution and add references to protecting “electronic and communications data” against “unreasonable searches and seizures.” The report notes the addition “would make emails, phone records, Internet records and other electronic information gathered without a warrant inadmissible in state court.” [TenthAmendment]

US – Illinois AG Pushing for Stricter Breach Notification Law

While Illinois already has a law on the books mandating data breach notification, dating from 2005, Attorney General Lisa Madigan has unveiled, with Sen. Daniel Biss (D-District 9) and Rep. Ann Williams (D-District 11), an updated bill that would expand the types of information requiring notification to include medical information, geolocation data, marketing data and much more. The bill would also require that companies take “reasonable” steps to protect data. The move comes “after 67 million personal records were hit last year,” the report states. [Full Story]

US – Other Legislative News

+++
