01-15 May 2015


US – NSA Converts Spoken Words into Searchable Text

Experts in speech recognition say that in the last decade or so, the pace of technological improvement has been explosive. As information storage became cheaper and more efficient, technology companies were able to store massive amounts of voice data on their servers, allowing them to continually update and improve the models. Enormous processors, tuned as “deep neural networks” that detect patterns like human brains do, produce much cleaner transcripts. And the Snowden documents show that the same kinds of leaps forward seen in commercial speech-to-text products have also been happening in secret at the NSA, fueled by the agency’s singular access to astronomical processing power and its own vast data archives. [Intercept] [FirstLook: Speech Recognition is NSA’s Best-Kept Open Secret]

US – Professor Invents Long-Range Iris Scanner

A Carnegie Mellon engineering professor says he has invented a long-range iris scanner to help police identify potential suspects before approaching them in cars. Prof. Marios Savvides says it is first-of-its-kind technology. “Fingerprints, they require you to touch something,” he said, adding, “Iris, we capture it at a distance, so we’re making the whole user experience much less intrusive, much more comfortable.” The technology works at distances between six and 12 meters and could replace government IDs at places such as airports, the report states. Savvides said people are already being tracked every day, and that “if someone really wanted to know what you were doing every moment of the day, they don’t need facial recognition or iris recognition to do that.” [The Atlantic]

WW – Your Poop Is the Latest Privacy Threat

Microbe populations on the skin and in the mouth tend to fluctuate over time, so their genetic signatures don’t stay the same. That’s partially because the skin and mouth are exposed, so they constantly pick up new microbes from other people or from the environment. It’s also because relatively few species live in these areas, so there’s not a lot of diversity to contribute to a really unique signature. But the same isn’t true of intestinal bacteria, researchers found. They were able to match the genetic signature of gut bacteria in stool samples to their owners 86 percent of the time, even including some people who had taken antibiotics in the interim. Over 500 species of bacteria live in the large intestine, and some of them are strains which are actually unique to each person. They’re pretty isolated from the outside environment, too, which means their genetic signature is more unique and less prone to change. [Source]

Big Data

US – FTC, CFPB to Keep Pressure on Big Data Firms

Officials from the FTC and the Consumer Financial Protection Bureau (CFPB) vowed to keep pressure on organizations handling personal data. The FTC’s Jessica Rich said, “One of the big messages that we want to send to businesses … is that there are indeed laws currently on the books that apply” to big data, while the CFPB’s Peggy Twohig said the agency has conducted “significant research” on consumer reporting. The FTC plans to release a report on discriminatory uses of data. [Law360]

UK – ‘Big Data’ Processing Justified on ‘Legitimate Interests’ Grounds: ICO

Businesses do not always need consumers’ consent to process their personal data contained in ‘big data’ sets, the Information Commissioner’s Office (ICO) has said. …businesses can rely on the so-called ‘legitimate interests’ ground to process personal data too. Businesses can rely on this provision providing their interests in processing personal data do not unduly prejudice the rights and freedoms of individuals. In the big data guidance it issued last July, the ICO said businesses must process personal data fairly and in a transparent manner when undertaking big data initiatives. The guidance explained the extent to which businesses can rely on consent previously given by consumers to the processing of their personal data when they identify a new use for the data. [Source] [Chief Data Officer: Insight Into A Crucial Role for The Exabyte Age]

WW – The Philosophy of Privacy: Why Surveillance Reduces Us to Objects

Using the internet can be seen as a trade-off: privacy for freedom. But the insidious and widespread invasion of that privacy by a security state is something different altogether. Partly for this reason, writers like Jeremy Rifkin have been saying that information privacy is a worn-out idea. On this view, the “internet of things” exposes the value of privacy for what it is: an idiosyncrasy of the industrial age. So no wonder, the thought goes, we are willing to trade it away – not only for security, but for the increased freedom that comes with convenience. This argument rings true because in some ways it is true: we do, as a matter of fact, have more freedom because of the internet and its box of wonders. But like a lot of arguments that support the status quo, one catches a whiff of desperate rationalisation about it as well. In point of fact, there is a clear sense in which the increased transparency of our lives is not enhancing freedom but doing exactly the opposite – in ways that are often invisible. [Source]


CA – Commons Passes Controversial Anti-Terror Bill

The conservative government’s controversial antiterror legislation is one step closer to becoming law. Bill C-51 passed the House of Commons this week by a vote of 183 to 96 and now heads to the Senate for final passage. The government is expected to give royal assent within weeks, the report states. Bill C-51 has been criticized by privacy experts, including Canada’s privacy commissioner, for its broad information-sharing provisions, and is said to threaten civil liberties. [The Huffington Post Canada] The bill’s many critics believe it overreaches in two key regards. One is CSIS’s expanded mandate to take “reasonable and proportional” measures to actively disrupt suspected threats to national security at their inchoate “pre-criminal” stage – before the RCMP would typically mount a criminal investigation. The other is the broader sharing of Canadians’ personal information across government and privacy concerns. The bill also underreaches in crucial regards, say opponents. There is no expanded independent, civilian oversight of the newly empowered state security apparatus, which is increasingly intertwined. There is no provision for existing federal watchdogs to share operational information or conduct joint investigations. And attempts to impose three-year sunset clauses on some of the more contentious provisions were rejected by the Conservative majority. [Ottawa Citizen] [Ottawa Citizen: House of Commons Set to Hold Final Vote on Anti-Terror Bill] Canada Poised to Pass Anti-Terror Legislation Despite Widespread Outrage [The Guardian] [Sorry Liberals, ‘Oversight’ Won’t Fix Menace of a Terror Bill] Bill C-51: They Appear to Know Not What They Have Done: C-51 introduces a new crime of “advocacy” of terrorism offences (“in general”). We think this is a horrible, unnecessary and unconstitutional speech crime. But having insisted on an “advocacy” crime, you’d expect the government to be concerned about how the same word “advocacy” is used elsewhere in the same bill.
But by simply dropping the word “lawful”, the new info-sharing Act seems to preclude application of the new information sharing powers in relation to any sort of advocacy, protest or dissent, no matter how criminal or indeed, how violent. And so government officials will now need to spend a lot of time wondering if, e.g., violent conduct really is “protest” or “advocacy” or “dissent”, and whether they can still use the Act in relation to such conduct. Officials will also need to sit around and ask “shall we read the carve-out in the info sharing Act (now reaching both lawful and unlawful “advocacy” or whatever character) as excluding information sharing related to the new ‘advocacy’ crime?” Officials will make it work: basically, they’ll just ignore the incoherence and jam the round peg into the square hole of nonsensical legislative language. And so, to do their jobs, they’ll just have to ignore the law, because (as Shakespeare would say) the law is a total ass. And the Privacy Commissioner, reviewing this work-around, would act very properly in tearing a strip off of these officials. [Source: Craig Forcese] The Senate Liberals’ leader, James Cowan, told The Huffington Post Canada he hasn’t spoken to Liberal Party Leader Justin Trudeau, who supported the bill in the Commons, but he expects most of the Liberal team in the upper chamber to oppose the bill. …Trudeau kicked all his senators out of the Liberal caucus last year and barred them from organizing for the federal party. Despite the surprise banishment, the 29 senators decided to keep calling themselves Liberals anyway. Cowan said he has always believed the Senate should be more independent, and he hopes Conservative senators might eventually follow suit. [HuffPost] [Globe & Mail: Liberal Senators To Vote Against Anti-Terror Bill Trudeau Supported]

CA – Bill S-4 – Proposed Amendments to PIPEDA

The Office of the Privacy Commissioner (OPC) supported the bill in its June 4, 2014, Submission to the Senate Standing Committee on Transport and Communication, stating that on the whole, the proposed amendments will strengthen the privacy rights of Canadians with respect to their interactions with private sector companies, improve accountability and provide incentives for organizations to comply with the law. In its Feb. 12, 2015, Submission to the Standing Committee on Industry, Science and Technology, the OPC endorsed its June 2014 submission, but provided additional comments in light of the seminal decision of the Supreme Court of Canada in R. v. Spencer. The OPC noted that carrying out a reasonable expectation of privacy analysis under PIPEDA is highly complex and contextual, leaving organizations in a state of uncertainty as to when they may or may not disclose personal information without a warrant. Therefore, the OPC urged the Committee to clarify when the common law policing powers to obtain information without a warrant can be used. [Mondaq]

CA – B.C. Premier Defends Bill 20 Amendments

Andrew Weaver, the B.C. Green Party MLA, said he didn’t support the change. “In fact, I don’t, to be perfectly honest, think that it is anybody’s business apart from the voter and the chief electoral officer to know who or who has not voted. That’s a matter of privacy.” B.C.’s Information and Privacy Commissioner agrees. In a letter released last month, Elizabeth Denham wrote that the amendment extends beyond the objective of increasing voter turnout and expressed the concern that “the proposed amendments would allow for other uses and expand the already broad ability of political parties to collect information about voter participation.” [Source]

CA – Quebec School Officials No Longer Allowed to Strip Search Students

Following the high-profile case of a 15-year-old girl searched at a Quebec City school, a report recommends that only police officers conduct such examinations. Fabienne Bouchard, a former prosecutor and retired lawyer hired to conduct the probe, wrote that a school that has serious grounds to believe a student is involved in drug trafficking should call police instead of carrying out the search itself. “The recommendations are clear and the investigation was necessary to clarify the practice and to clarify the law around the practice,” Education Minister François Blais said. He added that schools and police will need to co-operate in the coming weeks to find a solution on how they should deal with drug trafficking. [Star]

CA – CASL Reduces Spam Received By Americans, But Not Canadians: Report

The unusual findings may be due to the cross-border nature of the spam industry in North America. According to Cloudmark, most spam email originating in Canada (78%) is bound for the U.S., and most of the spam Canadians received (53%) comes from the U.S. Since CASL, spam outbound from Canada has dropped dramatically. However, while email received in Canada overall has dropped by 29%, much of that was due to a sharp decline in legitimate email. The average percentage of email received by Canadians that is spam actually increased from 16.5 to 16.6%. According to Cloudmark, the stricter requirements for consent for marketing emails under CASL are behind the drop in legitimate email volume. [Source]

CA – CRA Can Now Share Tax Filings With 16 Government Agencies

Until now, the CRA has only had permission to share this information with three other agencies (CSIS, RCMP and FINTRAC) and only under very specific conditions. That list has grown to 16 in total and now includes Canada Border Services, the Canadian Armed Forces and Citizenship and Immigration among others. The more people that have access to taxpayer information under Bill C-51, the higher the risk of leaks, hacks and other foul play, according to Avner Levin, the director of Ryerson University’s Privacy Institute. The change in legislation is “unprecedented,” he says. “It’s snooping and meddling of the worst kind.” [MoneySense]

CA – Canada Joins Global Sweep of Kids’ Online Privacy

Investigators will be looking at whether apps and sites gather personal information on kids, and if they do, whether that information is limited to what’s necessary (to create an account, for example). They will also examine whether the apps and sites prompt users to involve a parent or guardian in any registration process; and whether they take measures to make privacy policies understandable to kids. That means not just using simple language, but also using graphics or even animated characters to guide them through the information and to encourage parental involvement. The sweep, which began Monday and runs through

CA – Sask. Privacy Commissioner Investigates Government Information Leak

Executive council, Saskatoon Health Region, Oliver Lodge and the Ministry of Health are all under investigation after a care aide’s personnel documents were released to the media. Bowden said the province’s release of the information to the media was an attempt to silence him. He also wants to know why details of the allegations against him were released from SHR to the provincial government and then the media before him. He said he received word of his suspension on April 16 but did not get a comprehensive list detailing the accusations against him until April 24, four days after Young sent the email to media. Bowden filed a complaint with the Office of the Information and Privacy Commissioner (OIPC) because he said his privacy was violated when the details of his personnel file were emailed to reporters. The OIPC will make the final decision. The commissioner will investigate the executive council, Saskatoon Health Region, Oliver Lodge and the Ministry of Health. [Source] [Star Phoenix: Sask Privacy Commissioner Probes Premier’s Office]

CA – Manitoba Court Rules Family of Man Who Died During ER Wait Can Sue

Vilko Zbogar, one of the family’s lawyers, said the ruling has important implications for the evolution of charter law, as well as the family’s pursuit of justice. “This is absolutely a landmark ruling on charter interpretation and on privacy rights,” he said. …The Appeal Court also restored the family’s right to sue the Winnipeg Regional Health Authority for disclosing private health information about Sinclair after his death. [The Record]

CA – Impaired Driving Trial Hears Arguments on Whether Police Violated Privacy Rights

Defence lawyer Pierre Joyal argued that a hospital emergency room is a space where citizens have a certain expectation of privacy, and that police had no reason or right to be standing so close to Snider’s medical team when they overheard privileged information. Even if they did overhear it, he said, it should never have been used to start gathering evidence against his client. “The expression is ‘what happens in Vegas stays in Vegas.’ Well, what happens in the emergency room stays in the emergency room,” Joyal noted in his relatively brief address to the court. “Nothing justified (police officers) being there.” [Montreal Gazette]

CA – Canada’s Friendly Drone Laws

Addressing privacy concerns may be as simple as ensuring that existing laws encompass drones. This is the approach taken by Hong Kong in its recent guidelines. Similarly, Canada’s Privacy Commissioner has opined that Canada’s existing privacy laws apply to drones. While “lateral surveillance”—private citizens surveilling other private citizens—is often not covered by privacy statutes, torts such as intrusion upon seclusion may fill that gap. [Mondaq]

CA – Premier Cites an Official’s ‘Lapse In Judgment’ in Release of Information

Wall said Monday the senior staff member has been removed from the file and has had an exemplary record otherwise. “What I had asked for is that general information be provided to the media on background,” he said. “The first email in my view met that test … a second email went to one reporter … that had specific information.” [Winnipeg Free Press]

CA – Other Privacy News


US – Millennials Most Trusting of Generational Groups

Despite high-visibility data breaches, 44% of millennials in the U.S. believe “their personal information is kept private ‘all’ or ‘most of the time’ by the businesses or companies they do business with”—the highest of all major U.S. generational groups. The most skeptical generation is Americans aged 70 and older, with 29% believing their personal information is kept private all or most of the time and just over a third believing it’s kept private a little or none of the time. Generation X and baby boomers fall somewhere in between the two groups, “suggesting that expectations of personal privacy are age-related,” the report states. [Gallup]

US – DAA Sets Opt-Out Compliance Deadline for September

The Digital Advertising Alliance (DAA) announced that starting in September, “ad companies will have to allow people to opt out of receiving ads that are targeted based on data collected across mobile apps.” The self-regulatory group’s mobile privacy code, unveiled in 2013, requires ad networks and other companies to notify consumers about cross-app advertising and allow them to opt out via AppChoices, which the DAA released earlier this year. While the rules were announced nearly two years ago, a compliance deadline had not been set until now, the report states. “We give companies a reasonable amount of time to make sure that everything’s in order,” said the DAA’s Lou Mastria. [MediaPost]


US – DARPA Aims to Automate Privacy-Protecting Sharing

The Defense Advanced Research Projects Agency (DARPA) plans to consider public proposals on ways for organizations to expedite data sharing while protecting personally identifiable information (PII). Known as Brandeis, the initiative aims to “break the tension” between data protection and finding value in sharing data. DARPA Program Manager John Launchbury said, “Rather than having to balance these public goods, Brandeis aims to build a third option: Enabling safe and predictable sharing of data while reliably preserving privacy.” Purdue University Computer Science Prof. Gene Spafford said, “The objective really is to find a way to transform or mask the data so it’s still useable but eliminate those windows of potential exposure.” [BankInfoSecurity]

AU – Privacy Report Card Warns of Public’s Big Data Concerns

The Australian privacy commissioner says the shift to a simpler, consolidated service delivery model featuring one-stop shops is “an opportunity to place privacy respectful practices at the heart of customer services and build trust with the community”. Coombs wants to see greater protection for data that is sent interstate by government agencies, the right to anonymity and pseudonymity “where lawful and practicable” and mandatory reporting of serious breaches, “particularly if this is introduced into Commonwealth legislation”. [Source]

US – New App Lets Users Send Video of Police to ACLU

The ACLU of California has released a new mobile app for smartphones that lets users automatically send videos of police directly to the advocacy organization. ACLU of Southern California Executive Director Hector Villagra said, “We want to multiply the number of cameras that can be trained on police officers at any time,” adding, “They need to know that anything they do could be seen by the entire world.” However, some are raising privacy concerns about the app. “Everyone wants to keep an eye on the police,” said Loyola Law Prof. Laurie Levenson. “But in these incidents, the police are interacting with an individual involved in the worst conduct of their lives … The ACLU needs to consider their privacy rights.” [Los Angeles Times]


CA – CASL Reduced Legitimate Email as Much as “Spam”: Cloudmark Study

Average monthly email volumes received by Cloudmark customers in Canada declined by 29%, but the percentage of received email that Cloudmark assessed as “spam” actually increased, albeit by an insignificant amount (from 16.5% to 16.6%). In other words, the proportionate impact of the legislation for Canadian recipients has been as high or higher on “legitimate” traffic as it has been on true “spam”. [Source]

CA – Privacy Commish: Guidance for Privacy Law and CASL Compliance

The Guide is a reminder that commercial messages are regulated by both CASL (which regulates the sending of commercial electronic messages) and Canadian privacy laws (which regulate the collection, use and disclosure of email addresses in the course of commercial activities). The Guide explains some of the basic Canadian privacy law requirements for commercial electronic marketing activities. Following is a summary. Accountability: An organization is accountable for how the organization and its service providers collect, use and disclose personal information (including email addresses) in the course of commercial activities. [Source]

Electronic Records

US – Activist Wants Google Settlement Tossed

An activist has filed papers in the Ninth Circuit Court of Appeals opposing a judge’s approval of Google’s recent $8.5 million settlement in a privacy lawsuit. Theodore Frank is founder of the Center for Class Action Fairness and previously asked a judge to reject the deal, arguing it would not benefit Google’s users. [MediaPost]

US – Plaintiffs Want Blue Cross Suit Back in State Court

Blue Cross of California customers who allege the health insurer’s data security practices put millions at risk by exposing their Social Security numbers have urged a federal judge to send their putative class-action back to state court, arguing federal courts lack jurisdiction since the plaintiffs are not seeking monetary damages.


WW – Vint Cerf: Encryption Backdoors Are a Bad Idea

Recent calls by the FBI and other government officials for technology vendors to build encryption workarounds into their products are a bad idea, said Vint Cerf, who also said more users should encrypt their data and that the encryption backdoors the FBI and other law enforcement agencies are using will weaken online security. During a speech in Washington, DC, Cerf said because of the Internet’s myriad security challenges, more users and Internet service providers need to adopt measures like encryption, two-factor authentication and HTTP over SSL. He added that calls by law enforcement for technology vendors to build encryption workarounds into their products are a bad idea, the report states. “If you have a back door, somebody will find it,” he said, “and that somebody may be a bad guy.” [IDG News Service] [PC World]

US – Encryption Backdoor Legislation Looks Unlikely, For Now

The House Oversight and Government Reform Subcommittee on Information Technology held a hearing on encryption and law enforcement access to mobile devices. Though FBI Executive Assistant Director Amy Hess and Suffolk County (MA) District Attorney Daniel Conley testified on the need for law enforcement access to combat terrorism and criminal activity, there appeared to be little support from lawmakers. Rep. Ted Lieu (D-CA) said, “It is clear to me that creating a pathway for decryption only for good guys is technologically stupid, you just can’t do that.” Some remained optimistic, however, that a solution is possible. Rep. Will Hurd (R-TX) said, “I believe we can find a way to protect the privacy of law-abiding citizens and ensure that law enforcement have the tools they need to catch the bad guys.” Open Technology Institute’s Kevin Bankston said forcing U.S. businesses to install backdoors will drive away foreign customers and open the door for major breaches of personal information. [BankInfoSecurity]

EU Developments

EU – Digital Single Market Plans Unveiled

The EU has unveiled plans for a strategic Digital Single Market to help boost the region’s economy, better compete with U.S. technology firms and help “home-grown” start-ups. The 16 initiatives include reorganization of telecoms, cybersecurity and privacy. GE CEO Jeffrey Immelt said the single market “is a big deal” that “will add tremendously to competitiveness in the long term,” but critics caution Brussels may be putting “government officials in charge of how hugely popular online services are designed and implemented.” EU Digital Commissioner Gunther Oettinger said, “If you look at the platforms they have in the U.S., national data rules play an increasingly reduced role,” while Re/code offers several leaked documents and reports on what to expect from this latest initiative. [The Wall Street Journal] [Companies Urged To Prepare Themselves As Latest EU Data Law Proposals Threaten Digital Marketing Industry]

EU – Right to Redress for EU Citizens Pushes Data-Sharing Deal Forward

The EU and the U.S. are close to completing negotiations on a deal protecting personal data shared for law enforcement purposes such as terrorism investigations. The negotiations hit a point of contention because of a lack of legal redress for EU citizens in U.S. courts in cases where data may have been misused, while U.S. citizens have that right in the EU. But the Judicial Redress Act, introduced in the U.S. in March and aiming to give citizens of U.S. allies the right to sue over data privacy in the U.S., has pushed things in the right direction, the report states. [Reuters]

EU – Lawmakers in France Move to Vastly Expand Surveillance

The provisions, as currently outlined, would allow the intelligence services to tap cellphones, read emails and force Internet companies to comply with requests to allow the government to sift through virtually all of their subscribers’ communications. Among the types of surveillance that the intelligence services would be able to carry out is bulk collection and analysis of metadata similar to that done by the United States’ National Security Agency. The intelligence services could also request the right to put hidden microphones in a room or on objects such as cars or in computers, or to place antennas to capture telephone conversations or mechanisms that capture text messages. Both French citizens and foreigners could be tapped. [New York Times] [France Set to Join the Spy Game]

EU – France Passes New Surveillance Law in Wake of Charlie Hebdo Attack

One of the most contentious elements of the bill is that it allows intelligence services to vacuum up metadata, which would then be subject to analysis for potentially suspicious behaviour. The metadata would be anonymous, but intelligence agents could follow up with a request to an independent panel for deeper surveillance that could yield the identity of users. Another controversial element is the so-called “black boxes” – or complex algorithms – that internet providers will be forced to install to flag up a succession of suspect behavioural patterns online, such as keywords used, sites visited and contacts made. Surveillance agencies will also be able to bug suspects’ homes with microphones and cameras and add keyloggers to their computers to track every keystroke. [The Guardian] [Familiar Swing to Security Over Privacy After Attacks in France] [France doubles down on their war on cash and passes next phase in war on privacy] Five Dangers of France’s New Snooping Laws: Basically the bill will allow the implementation of intrusive measures such as placing cameras and recording devices in private dwellings and installing “keylogger” devices that record every key stroke on a targeted computer in real time, but without any of the independent checks and due diligence that an independent judge would normally provide. [Source]

EU – Germany is Accused of Spying on Friends

Within the past two weeks, the tide has turned. Ms. Merkel is back in the spotlight over spying. This time it is Germany’s foreign intelligence service, known here as the B.N.D., that is being accused of monitoring European companies and perhaps individuals. Further, the reports said the spying was done at the behest of the National Security Agency, the United States intelligence organization. …The accusation was angrily rebutted by Gerhard Schindler, head of the B.N.D. He dismissed as “absolutely absurd” any suggestion that his agency was “a compliant tool” of the Americans. …The current flare-up started on April 23 when Der Spiegel reported that since at least 2008, a division of the B.N.D. had helped the NSA to spy on European and German interests, including the French-German enterprise European Aeronautic Defense and Space, now known as the Airbus Group. [New York Times] Pressure Mounts on Merkel to Explain German Role in N.S.A. Espionage: Ms. Merkel and other members of her conservative bloc have argued that the intelligence agreement is vital to protecting Germany’s 80 million or so citizens against Islamic terrorism and other threats. They have continued to defend the trans-Atlantic cooperation since the latest controversy erupted. But even conservatives have begun to express their weariness over what they characterize as repeated American attempts to use intelligence cooperation to spy on European institutions or firms in a way they say jeopardizes joint projects.

EU – Ireland Beefs Up Data Privacy Office

The agency, like counterparts in other EU states, regulates how companies deal with privacy issues—for instance, whether companies inappropriately send email advertising, collect too much information from customers or keep accurate records. The rules are generally tighter than in the U.S. Ireland’s data protection office was created in 1988, when only a handful of large, data-based firms had big operations in Europe. As companies flocked to Ireland, the agency’s resources didn’t keep up. Until this year, its only office has been above a convenience store in Portarlington, a town of less than 8,000 people more than an hour’s drive west of Dublin. [Wall Street Journal] [How Ireland’s Data Protection Czar Views Global Tech Firms]

EU – GDPR is the Biggest Threat to Business Continuity for a Decade

This time next spring, or earlier, there’s likely to be a mad panic within sales and marketing departments as companies struggle to beat the deadline for making significant changes to data protection and security or risk facing punitive fines equivalent to up to 5% of global turnover or €100m. Ahead of the GDPR, sales and marketing professionals should follow these top ten steps to ensure that their future marketing efforts within the EU will be compliant. [Source]

EU – Facebook Escapes DPA’s Fines for Now

Facebook has temporarily escaped daily fines over its revamped policy for users’ photos and data. The Dutch Data Protection Authority (DPA) said it lifted the threat of combined penalties totaling as much as 750,000 euros, the report states, “after Facebook agreed to provide information needed to weigh the next steps in the investigation announced in December.” The DPA stepped in last year after Facebook alerted users of changes to its policy in which it claimed the right to use their information and images for commercial purposes. The DPA sought a suspension of Facebook’s new policy pending an investigation or said it would face fines, and Facebook opted to go to court over the dispute. [Bloomberg]

EU – French Lower House Approves Expanded Surveillance Powers

The lower house of the French Parliament has overwhelmingly approved surveillance measures “that could give the authorities their most intrusive domestic spying abilities ever, with almost no judicial oversight.” The bill now moves to the upper chamber, where it is also expected to pass. Prime Minister Manuel Valls said, “The last intelligence law was done in 1991, when there were neither cell phones nor Internet.” The bill allows intelligence authorities access to cell phones and email; mandates service providers let government review virtually all subscriber data, and lets intelligence services carry out bulk collection and analysis of metadata. Paris Bar Association’s Pierre-Olivier Sur said it is “a sort of PATRIOT Act concerning the activities of each and every one.” [The New York Times] The New York Times offers an analysis of France’s move to vastly expand government surveillance powers in the name of public safety.

UK – Deputy PM Clegg Calls for Digital Bill of Rights

Deputy Prime Minister Nick Clegg has called for a new Digital Bill of Rights, initially called for after the Snowden revelations, to be introduced within six months of the new Parliament to “stop information about us being abused online, and to protect our right to freedom of speech.” Monty Munford writes that the 2015 Digital Rights Survey found that while the majority cited privacy concerns about their data, few took appropriate actions to protect it. It will take someone disproportionately famous who could make a Digital Bill of Rights a reality, Munford writes, citing none other than David Beckham. [The Telegraph] [GovInfoSecurity: The Privacy Impacts of the Elections]

UK – Theresa May to Revive Her ‘Snooper’s Charter’

Election results were barely in when the home secretary indicated the Tories will increase state surveillance powers, to the alarm of privacy campaigners. Speaking as early results indicated the Conservatives would form a government with a Commons majority, Theresa May said increased surveillance powers were “one very key example” of Tory policy that was blocked by the coalition arrangement with the Liberal Democrats in the previous government. May’s remarks alarmed privacy campaigners who fear a Conservative government will revive the controversial draft communications bill, which was beaten last year after the Lib Dems withdrew their support. That law, labelled a snooper’s charter, would have required internet and mobile phone companies to keep records of customers’ browsing activity, social media use, emails, voice calls, online gaming and text messages for a year. May said in a BBC interview: “David Cameron has already said, and I’ve said, that a Conservative government would be giving the security agencies and law enforcement agencies the powers that they need to ensure they’re keeping up to date as people communicate with communications data.” [Guardian] [NY Times: David Cameron Seeks New Powers to Combat Extremism in Britain]

EU – ‘Right To Be Forgotten’: One Year On

Over the last 12 months, Google has processed 253,617 data removal requests, and agreed to just over 40 per cent of those. The legislation has received heavy criticism from a number of parties, including the House of Lords EU Committee, which described it as “unworkable and wrong”, and Wikipedia founder Jimmy Wales, who described it as “deeply immoral”. However, the UK’s data protection watchdog, the Information Commissioner’s Office (ICO), has defended the legislation, claiming that it has “raised awareness of people’s data protection rights” and that removal of links from search results “can have a real benefit”. [Telegraph]

EU – Other Privacy News

  • Maryland Law Prof. Frank Pasquale reacts to leaked documents from the office of EU Digital Commissioner Günther Oettinger in which the regulator called for “a central EU-wide body with the power to monitor platforms’ use of data, and to resolve disputes between the operators and the businesses they serve.” In this column for The Guardian, Pasquale writes, “This is far-sighted, important planning.”

Facts & Stats

US – Survey Suggests 70 Million Had PI Breached in 2014

A new survey projects that more than 70 million adults in the U.S. had their personal information compromised in 2014. The survey, which polled more than 3,000 American adults, found that while some incidents may have resulted from stolen credit cards, many stemmed from data breaches—and not only online. The survey found that 79% of those notified of a data breach were told by a brick-and-mortar store or a financial institution, the report states. Only 18% said the problem originated at an online retailer. “The study arguably highlights the need for stronger consumer protections,” the report states. [Consumer Reports]

WW – The Projected Cost of Those Breaches? $2.1 Trillion

A new study from Juniper Research reveals that data breaches will cost organizations more than $2 trillion during the next four years. The Future of Cybercrime & Security: Financial & Corporate Threats & Mitigation equates that to approximately 2.2% of global GDP or an average of $6 million per organization hit by a breach. “Typically the most expensive forms of cybercrime are data breaches,” the study states, adding, “those attacks which result in the criminals seizing business or personal records.” In separate research, the Ponemon Institute reveals that information technology assets are insured 39% less than physical assets. The report states that “companies are reluctant to purchase cyber-insurance coverage” even though they foresee greater cyber risk. [IT Pro]

WW – IT Pros See Data Privacy as Top Concern

A new study conducted and released by Dimensional Research reveals that data privacy is now a top concern for IT professionals. According to The State of Data Privacy in 2015, 93% of businesses face data privacy challenges and 77% of businesses exceeding 5,000 employees are investing more into privacy in 2015. What’s more, 84% of the IT professionals surveyed said their focus on data privacy is escalating this year. A top concern for IT professionals is a lack of awareness among employees about existing privacy policies, followed by an insufficient budget to train employees. [BusinessSolutions]

US – The Rise of the Chief Data Officer is Upon Us

The rise of chief data officers (CDOs) is a reflection of “the central role that data now plays in every facet of society,” the report states. A 2015 study from IBM’s Center for Applied Insights that surveyed 250 chief information officers from large organizations found that 61% wanted their employers to recruit CDOs in the next year. “The emergence of chief data officers at major agencies and departments is a promising sign that the federal government continues to execute on President Obama’s open data vision and his 2013 executive order,” said Nick Sinai, former deputy U.S. chief technology officer. [TechRepublic]


WW – Facebook Study Examines “Filter Bubble”

A study conducted by Facebook data scientists and published in Science contends the so-called “filter bubble”—the possibility that users create their own insular, online echo chambers—is not occurring on the social networking site. The peer-reviewed study looked at 10.1 million politically partisan American users and revealed that while their friend networks and the stories they read are, in fact, skewed toward their ideology, the effect is more limited than expected, the report states. Eli Pariser, who coined the term “filter bubble,” said the study “shows that the effects that I wrote about exist and are significant, but they’re smaller than I would have guessed.” The study has its critics, however, including Prof. Zeynep Tufekci. [The New York Times]

EU – RTBF Less of a Censorship Issue than Originally Thought?

Internet censorship concerns over the European Court of Justice’s decision in favor of the Right To Be Forgotten (RTBF) appear to be unfounded, new Reputation VIP data shows. While individuals are responding to the ability to strike personal information from search engines in large numbers—according to Google reports, requests have been averaging 500 per day—findings illustrate that “invasion of privacy” serves as the catalyst for 58.7% of requests, followed by “damage to reputation” at 11.2%. Collectively, social media sites lead the charge for reported URLs at 20%. “Much of the criticism of the RTBF has centered on fears of criminals erasing bad behavior, leading to cries of censorship. But this data suggests those fears mischaracterize the mainstay of RTBF requests.” [TechCrunch]


US – Facts About FATCA, America’s Global Disclosure Law

FATCA requires foreign banks to reveal Americans with accounts over $50,000. Non-compliant institutions could be frozen out of U.S. markets, so everyone is complying. …More than 80 nations—including virtually all that matter—have agreed to the law. So far, over 77,000 foreign financial institutions (FFIs) have signed on too. Countries must throw their agreement behind the law or face dire repercussions. Even tax havens have joined up. The IRS has a searchable list of financial institutions. Countries on board are at FATCA – Archive. [Forbes] An American Tax Nightmare: There is no recourse and no appeal process. Those impacted are left with the choice of uprooting their families (including foreign spouses and children), careers and businesses to re-establish a life in the United States; or to make the painful decision to renounce their citizenship. Without significant and timely changes, that will only be the tip of the iceberg as foreign financial institutions continue their search for unprofitable American accounts. Remember, the vast majority of those renouncing citizenship are not wealthy tax evaders trading their passport for income tax savings; they are middle-class Americans, living overseas, fully compliant with their U.S. tax and reporting obligations. [NYTimes]


CA – Shredding at Legislature Prompts Privacy Commissioner to Weigh In

The commissioner’s office issued a news release, in part to answer questions raised by the public and media about shredding in the wake of the Tories’ defeat in the recent election. Following the NDP’s historic win, photos have been posted on social media of giant bags of shredded paper sitting outside legislature offices. That has led to concerns — or conspiracy theories — the PC government, which has been in power for 44 years, might be frantically discarding evidence of secrets, scandals or other valuable information that has been kept from the public eye. [Edmonton Journal]

US – School Districts, Nonprofit Team Up for Ed-Tech Rating System

More than 20 school districts have teamed up with Common Sense Media to establish a rating system for the privacy policies of educational-technology products. The “Common Sense Privacy Ratings Initiative” will be announced at a conference in June and operationalized later this year. It will likely use a color-coded key so schools can easily understand companies’ compliance with privacy standards. “There’s a lot of pressure on districts, from parents and legislators,” to ensure ed-tech tools comply with applicable laws, explained Omar Khan, the nonprofit’s chief product and technology officer, noting the privacy rating system is still being developed. [Education Week] [Edtech Privacy by Design: The Teacher as Privacy Entrepreneur]


US – Microbiome DNA Raising Privacy Concerns

According to new scientific research, the microbiomes—what some call the “gut print”—in the human body can be used to uniquely identify individuals. The research suggests the possibility of identifying previously anonymous participants and revealing data including health, diet or ethnicity. The National Institutes of Health currently contains a publicly available trove of human DNA, the report also states, and Harvard’s Curtis Huttenhower notes, “Right now, it’s a little bit of a Wild West as far as microbiome data management goes … As the field develops, we need to make sure there’s realization that our microbiomes are highly unique.” Separately, Al Jazeera America asks whether DNA will be the next frontier in privacy. [Nature]

WW – Is DNA the Next Frontier In Privacy?

Obama has called for 1 million genomes to be sequenced, but government is mum on how it will protect genetic data. At a hearing about the Precision Medicine Initiative in front of the Senate Health, Education, Labor and Pensions Committee on May 5, Democratic Sen. Patty Murray of Washington state warned of the risks to privacy. “In the last few months we’ve seen serious security breaches impacting families’ personal health information, and that’s unacceptable,” she said. “We need to be aware that data is being created that cybercriminals will want to exploit, and that means we will need to develop a strategy to protect privacy that meets today’s challenges.” Collins responded that the White House, the NIH and the Office of the National Coordinator for Health Information Technology were all “deeply serious” about protecting the data of its volunteers. [Source]

Health / Medical

US – Bill Would Lift Patient Authorization Requirements

Some privacy experts are concerned with a draft bill that would weaken HIPAA privacy protections. The 21st Century Cures bill proposes the Department of Health and Human Services “revise or clarify” the HIPAA privacy rule’s provisions on the use and disclosure of protected health information (PHI) for research purposes. The bill would not require patient authorization for the release of PHI for research if covered entities or business associates are involved. David Holtzman, CIPP/G, said the provisions in the draft bill “roll back essential protections of the control that patients have over how their information is used and disclosed.” [Gov Info Security]

US – AHA: Privacy Rules Potential Deterrent to Telehealth Adoption

A report by the American Hospital Association (AHA) says health privacy regulations are one of the potential deterrents to telehealth adoption. “As telehealth utilization expands, however, myriad significant federal and state legal and regulatory issues will determine whether and how hospitals, health systems and other providers can offer specific telehealth services,” the AHA said. While telehealth technologies can create new electronic health information, they can also create operational challenges for hospitals aiming to stay compliant with state and federal rules. The AHA recommends hospitals update and adapt their data privacy and security practices to respond to the new risks telehealth technologies present. [HealthIT Security] See also: [ONC Guide to Privacy and Security of Electronic Health Information]

US – The Risks Increase for All Entities

Risks to healthcare IT security are growing. Every 60 seconds, 232 computers are infected with malware and 12 websites are successfully hacked, the report states. Plus, medical records are worth $60 on the black market, where credit card data is worth $20. “That makes us significant targets,” said Intermountain Healthcare CISO Karl West. Meanwhile, ID Experts President and Cofounder Rick Kam writes for Government Health IT why size doesn’t matter in health data breaches. For example, while large organizations used to be the primary targets, mid-sized organizations with presumably smaller cybersecurity budgets are now becoming targets. [Healthcare IT]

US – While Not ‘Back to the Drawing Board,’ Stage 3 MU Needs Revision

The Meaningful Use Stage 3 proposal, while mostly “beneficial,” isn’t without fault, finds the Office of the National Coordinator (ONC) Health Information Technology (HIT) Privacy & Security Workgroup. In its critiques, the group cites five necessary improvements, most specifically in the areas of “user guidance” on safe use and “patient access,” requesting the development of education materials for consumers as well as more sophisticated methods of identity protection, even “a need to certify patient-facing health applications.” The ONC was careful to recognize the extent of its requirements, and as such is offering assistance with revisions as the proposal moves forward, Healthitsecurity.com reports. [Source]

Horror Stories

US – Ponemon Study: Criminal Breaches Now Outnumber Accidents

According to the Ponemon Institute’s Fifth Annual Benchmark Study on Patient Privacy and Data Security, data breaches caused by criminals outnumbered accidental ones for the first time, CSO reports. “Over the five years, the percentage of incidents that occur due to criminal attacks versus negligence has increased by 125%,” said Larry Ponemon, CIPP/US, chairman and founder of the Ponemon Institute. In the last two years, “91% of healthcare organizations reported at least one breach; 39% reported two to five data breaches, and 40% had more than five data breaches,” the report states. And, Ponemon said, that could be undercounting. [Source]

US – Men Arrested for Harvesting Data

Two men alleged to have developed an app enabling criminals to harvest personal data from users of photo-sharing site Photobucket have been arrested. The app allowed users to access password-protected accounts containing private photos. It’s unknown how many users were affected. If found guilty, Brandon Bourret and Athanasios Andrianakis face a maximum of five years in prison and a $250,000 fine for computer fraud and an extra prison sentence of up to 10 years and another $250,000 if they are found guilty of two counts of access device fraud, the report states. The men were arrested in the U.S. [BBC News]

US – Judge Dismisses eBay Class-Action; Hospital Hacked

A federal judge has dismissed a class-action lawsuit filed against eBay following a 2014 data breach exposing encrypted passwords and personal information for 145 users. The suit alleged the breach resulted in economic damages for eBay users, including potential identity theft, but experts say plaintiffs would have had to prove actual or threatened injury to have been successful. Meanwhile, Massachusetts-based Partners HealthCare System is being criticized for allowing employees to send sensitive patient data via email after hackers gained access, and the official federal tally of major health data breaches shows the healthcare sector continues to be a growing target for hackers. [GovInfoSecurity]

WW – Who Should Pay for Breaches?

A recent study from Experian Data Breach Resolution and the Ponemon Institute examines payment card breaches from the perspective of “who should be responsible for securing payment systems and how effective their organization is in preparing for and responding to a payment card breach.” In detailing the results, the report states respondents indicate breach prevention is a growing priority. “Companies in the payments industry face a huge challenge keeping up with securing new technologies to protect customer data and with cybercriminals,” said Experian’s Michael Bruemmer. Meanwhile, PYMNTS reports on how a revised data breach notification law could exempt “minor cybersecurity breaches,” while breaches have spurred lobbying for the proposed Cybersecurity Information Sharing Act. [Help Net Security]

US – Sally Beauty Breached Again

Beauty products seller Sally Beauty has confirmed it’s suffered its second data breach in just over two years; a new independent report by Forrester Research discusses the ways firms are “exposing themselves to unnecessary risks” by using outdated approaches to verify employee access to data, and in ZDNet, Steve Wilson says it’s time to “turn up the heat on enterprise IT” to stop breaches from happening.

US – Mobile Spy Software Maker mSpy Hacked, Customer Data Leaked

A Tor-based site hosts several hundred gigabytes worth of data taken from mobile devices running mSpy’s products, including some four million events logged by the software. The message left by the unknown hackers who’ve claimed responsibility for this intrusion suggests that the data dump includes information on more than 400,000 users, including Apple IDs and passwords, tracking data, and payment details on some 145,000 successful transactions. [Krebs]

Identity Issues

AU – Pilgrim: Metadata Is PI

After 22 months, journalist Ben Grubb should now be able to access his own metadata from Internet provider Telstra. That’s because Privacy Commissioner Timothy Pilgrim “has ruled that metadata is personal, finding that Telstra must hand over information it holds about a journalist, two years after he exercised his legal right to see his personal metadata.” However, the story may not be over. The Australian reports telcos are unhappy with the decision. “Australia’s telcos have reacted with dismay,” the report states, adding, “Telstra quickly announced an appeal, and Communications Alliance Chief John Stanton issued a statement saying the industry could not afford to apply such a policy.” [ABC]

Internet / WWW

WW – Global Privacy Sweep Focusing on Children

The Global Privacy Enforcement Network plans to focus its 2015 international privacy sweep on the proliferation of websites and mobile applications targeted at children. The sweep involves 29 data protection authorities in 20 countries. “Children are more connected than ever before, and these platforms must bear that in mind when seeking potentially sensitive data such as name, location or e-mail address,” said Canadian Privacy Commissioner Daniel Therrien. “This is about protecting children. I can’t think of anything more important than that.” The sweep will assess whether the apps and websites examined collect personal information from children and the controls in place to limit that collection. [Source] [Majority of App Developers Contacted by OPC Commit to Improve Privacy Communications In Wake Of GPEN Sweep]

WW – Facebook Project and Microsoft App Draw Criticisms

Facebook’s Internet.org initiative, aimed at bringing free basic Internet services to users in developing countries, is being described by critics as a “privacy nightmare” because users will be tracked on partner sites, the traffic will be unencrypted and data will be shared with third parties. Meanwhile, Web Security reports on privacy concerns related to Microsoft’s new app that guesses people’s ages and genders via an uploaded photograph. The app, which has had 210,000 images uploaded, now has users concerned about possible privacy breaches and Microsoft’s ability to use images across its services per its terms. Microsoft engineers have said the company neither stores nor uses the photos. [ITProPortal]

US – Online Trust Alliance to Lead IoT Initiative

The Online Trust Alliance (OTA) announced it is leading an initiative to develop a security, privacy and sustainability trust framework for Internet of Things (IoT) devices. The framework aims to provide clarity and confidence to consumers and will initially focus on connected home and wearable/fitness technologies, according to a press release. OTA hopes to use the framework as the basis for a potential certification program for IoT devices and their manufacturers. OTA’s Craig Spiezle said because of the rapid development of IoT products on the market “we must ensure that security and privacy best practices are integrated to maximize consumer protection.” A working group meeting is scheduled for June 16. [Source]

WW – As Sensors Shrink, Wearables Moving Toward “Disappearables”

While wearables may be the hot thing now, the subject of Article 29 Working Party, Federal Trade Commission and U.S. Congressional scrutiny, a new report says they will soon give way to “disappearables,” devices that are so small that they’ll be integrated in the ear, under the skin or woven into clothing. “In five years … everything we see now will absolutely be classified as toys,” says Nikolaj Hviid, who makes smart earbuds called the Dash, which are shaped as hearing aids and allow for music playing, phone calls and monitoring of health indicators. This shift is being driven by chips that use Bluetooth technology and are far smaller and less power hungry than previous versions. [Reuters]

Law Enforcement

US – New State Law Requires Warrants Before Stingray Deployment

Washington Gov. Jay Inslee has signed a bill into law that will require law enforcement to get a judge-approved warrant before deploying a stingray, or cell-site simulator. To obtain a warrant, police will have to disclose the device’s use to a judge and discard cell-phone data from those not associated with the specific investigation, the report states. The Center for Democracy & Technology’s Harley Geiger said the move exemplifies the increasing trend of state governments taking action in lieu of federal legislation. “Stingray technology is just one of many examples of domestic mass surveillance that has the public troubled,” Geiger said. [SC Magazine] SEE ALSO: California County Calls Off Stingray Purchase: Officials in Santa Clara County (California) have said no to the acquisition of cell-site simulator technology known as Stingray. The purchase was initially approved earlier this year, but a lengthy negotiation found the county was unable to reach an agreement with Harris Corporation, the device manufacturer. [Ars Technica]

US – Debt Collectors Linked to ALPR Lobby

In addition to the backing of police departments, automated license plate readers (ALPRs) also allegedly have the support of some in the financial industry. Journalist Lee Fang filed a records request in Rhode Island and found two letters of opposition to a proposed state law limiting how ALPR data is used and shared. One letter was written on behalf of the Rhode Island State Police; the other came from American Financial Services Association Senior Vice President Danielle Fagre Arlow, who wrote of “ALPR’s valuable role in our industry—the ability to identify and recover vehicles associated with owners who have defaulted on their loans and are not responding to good-faith efforts to contact them.” [The Intercept]

US – Justice Dept. Will Spend $20 Million on Police Body Cameras Nationwide

Federal officials plan to award nearly $20 million in funding to dozens of departments, about a third of them small law enforcement agencies. In addition, another $1 million will be set aside so that the Bureau of Justice Statistics can figure out how to study the actual impact of these cameras. [WashPost] The DOJ document which outlines eligibility for the grants states that law enforcement agencies will have to develop or build on a policy which includes the “Implementation of appropriate privacy policies that at a minimum addresses BWC program issues involving legal liabilities of release of information, civil rights, domestic violence, juveniles, and victims’ groups.” However, the document includes few specific details about what policies will have to include in order to be deemed to have addressed these issues. [CATO: We Should Be Wary of Federal Body Camera Funds] [USA Today: States, Civil Liberty Advocates Collide Over Police Body Camera Policy] See also: [Toronto Police Will Be Allowed to Turn Body Cameras Off, Won’t Record Carding]


US – FTC Details Privacy “Trade-Offs” in Retail Tracking

In a new blog post, U.S. FTC Chief Technologist Ashkan Soltani shares a deep-dive into the emerging retail tracking landscape. “In light of the Commission’s proposed settlement with Nomi and the ongoing public debate,” Soltani writes, “I thought it would be worthwhile to describe how different retail tracking technologies work, and in my opinion, the specific trade-offs of each approach.” In addition to an overview of the landscape, Soltani provides an in-depth look at the various identifiers used, as well as how notice and choice are being offered. “Given the variety of approaches,” he adds, “there are a number of things that industry could do to alleviate the privacy concerns and address some of the gaps in consumer awareness.” [Blog]

Online Privacy

WW – IBM and Facebook Pair Up to Bolster Data-Fueled Advertising

IBM and Facebook have announced a partnership to use their “complementary strengths” to bolster data-fueled marketing efforts. “Our clients have urged us to bring Facebook into the equation because it is so important,” said Deepak Advani, general manager of IBM Commerce. “Facebook is where consumers spend a lot of their time.” The idea is that Facebook will benefit from IBM’s data analytics strengths while providing, in return, insights on human behavior and preferences. “We both want to connect people with brands. Our objectives are very much aligned. And we share quite a few major clients,” said Blake Chandlee, Facebook’s vice president of partnerships. [The New York Times]

US – Researchers: Parents’ Social Posts Can Reveal Sensitive Personal Data

A new study reveals that one of the biggest threats to children’s online privacy could be parents. Researchers from New York University (NYU) Polytechnic School of Engineering and NYU Shanghai will release a paper demonstrating that parents’ online behavior can compromise their children’s privacy, particularly through posting photos of their children on social media. By analyzing such publicly available photos with public records, including voter registrations, the researchers found personal information about children, including their names, birthdays and home addresses. “By demonstrating just how much information can be gained about a child through adults’ online activities, we hope to spur parents to take precautions to minimize their children’s exposure online,” said Kevin Liu, one of the researchers. [Source]

WW – Google to Give Mobile Users “More Control”

Google is planning to give its mobile users more control over what information applications can access. An announcement that Google’s Android operating system is set to give users more detailed choices over what apps can access is expected this month. The change would bring it closer in line with Apple’s operating system, iOS, the report states, noting Google is seeking to attract users to its mobile services as they increasingly go online via wireless devices. A Google spokesperson declined to comment, according to the report. [BloombergBusiness]

Other Jurisdictions

CN – Draft National Security Law Aims for “Cyber Sovereignty”

Draft legislation proposed by the standing committee of the National People’s Congress would include a “cyberspace ‘sovereignty’ clause.” “The state establishes national Internet and information-security safeguard systems,” the draft states, “and protects national Internet space sovereignty, security and development interests.” Additionally, China must “achieve security and control in Internet and information core technology, key infrastructure and important data and information systems.” Earlier reports on the nationwide security legislation included powers for handling “harmful moral standards.” The draft also calls for strengthening the country’s banking infrastructure and for improvement to financial systems “to withstand international risks and shocks,” the report states. [Reuters]

AU – Framework Aims to Embed Privacy Culture in Australian Organisations

Australian Information Commissioner Timothy Pilgrim is encouraging organisations to embed sound privacy practice into their operations with the release of a new privacy management framework. In an assessment of the online privacy policies of 20 organisations operating in Australia, including Twitter, Microsoft, Instagram, and Westpac, the OAIC revealed that 55 percent of the organisations’ policies did not meet one or more of the basic content requirements under APP 1, which requires organisations and agencies to have a privacy policy that is clearly expressed and up to date. While all the policies assessed adequately described the kinds of personal information they collect and how it is collected, some did not outline how personal information could be accessed and corrected, said the OAIC. [ZDNet] See also: NSW Privacy Commissioner Elizabeth Coombs is calling for amendments to the state’s Privacy and Personal Information Protection Act, including mandatory breach notification.

AU – Australians Willing to Sacrifice Privacy for Security

Around 600 people were surveyed following last year’s synchronised anti-terrorism police raids. A similar number were surveyed following Sydney’s Lindt Cafe siege. Security measures ranked more than 50 per cent ‘acceptable’ in the surveys included internet monitoring, mandatory DNA record-keeping, facial recognition technology, biometric scanning at airports, national ID cards, access to all travel information, bomb detection for vehicles in parking areas and x-ray scanning at major events and transport terminals. “It seems Australians are fairly ready to trade off quite strong incursions into their personal privacy if they believe these will be effective in making their world safer,” said researcher Dr Simon Fifer. “As Australians, we like to think of ourselves as naturally a bit rebellious towards authority but our research is really not supporting that stereotype.” [Source]

Privacy (US)

US – Federal Court Rules NSA Bulk Surveillance Illegal

The Court of Appeals for the Second Circuit ruled today that the bulk collection of phone metadata by the National Security Agency is illegal. Instead of looking at the constitutionality of the program, the court ruled it went beyond the scope of what Congress intended when it passed the USA PATRIOT Act. The 97-page ruling concluded that a provision of the law allowing the Federal Bureau of Investigation to collect business records relevant to combating terrorism cannot legitimately lead to bulk surveillance of domestic phone records, the report states. “We do so comfortably in the full understanding that if Congress chooses to authorize such a far-reaching and unprecedented program, it has every opportunity to do so and to do so unambiguously,” the judges wrote. [The New York Times] [New York Times: Why the N.S.A. Isn’t Howling Over Restrictions]

US – Warrantless Laptop Seizure at Borders Disallowed, Rules Judge

“The Court finds, under the totality of the unique circumstances of this case, that the imaging and search of the entire contents of Kim’s laptop, aided by specialized forensic software, for a period of unlimited duration and an examination of unlimited scope, for the purpose of gathering evidence in a pre-existing investigation, was supported by so little suspicion of ongoing or imminent criminal activity, and was so invasive of Kim’s privacy and so disconnected from not only the considerations underlying the breadth of the government’s authority to search at the border, but also the border itself, that it was unreasonable. Therefore, the motion to suppress the evidence … will be granted.” – Amy Berman Jackson, federal judge, U.S. District Court for Washington, DC [NakedSecurity]

US – New Attorney General Expected to Pursue Microsoft Overseas

Newly appointed U.S. Attorney General Loretta Lynch will continue to back the Justice Department’s (DoJ) warrant compelling Microsoft to hand over customer data stored on servers in Ireland. Despite the change in leadership at the DoJ, a spokesperson said the agency’s position has “not changed.” Federal prosecutors have sought the customer data since December 2013, but Microsoft has refused to hand it over, arguing the warrant does not have jurisdiction over data stored in foreign data centers. The outcome of the case will have huge implications for U.S. technology companies. Oral arguments for the case are expected later this summer, but a date has not yet been set, the report states. [ZDNet]

US – Verizon-AOL Deal Raises Privacy Concerns

News that Verizon will purchase AOL for $4.4 billion has some privacy advocates concerned the move could give the company more personal information of customers for tailored advertising. In a note to investors, a telecom-industry analyst said, “We can envision a scenario in which Verizon leverages AOL’s ad-tech platform to target consumers and measure their engagement across traditional and digital video and measure and deliver interaction across its multiple devices, platforms and properties.” Public Knowledge Senior Vice President Harold Feld said “it raises extremely substantial and urgent privacy concerns.” Stanford University’s Johnathan Mayer said, “With this acquisition, Verizon appears to be tearing down the wall between telecommunications and personalized advertising.” [National Journal]

US – Facebook Privacy Team Restructure Has Washington Focus

Revisions in Facebook’s privacy team highlight its newfound interest in Washington, DC, as the corporation brings on former FCC Director Kevin Martin, while transferring current Facebook Chief Privacy Officer Erin Egan to serve as vice president of public policy in its Washington, DC, headquarters. “Facebook has become a major player in Washington in the past few years. The company spent more than $9 million on lobbying last year, ranking only behind Google when compared to other Internet companies, according to the Center for Responsive Politics.” [The Hill]

US – CPOs Increasingly Hired, Especially in Higher Education

Historically, the CPO was more likely to be found in the private sector rather than in higher education. But in the last few years, colleges and universities have begun hiring a growing number of CPOs because of data security and protection on campus. University of California, Berkeley CPO Lisa Ho says the “CPO role is expanding beyond the realm of preventing data breaches to represent a fundamental institutional value and priority.” She said as universities continue to face pressing privacy issues, CPOs will be called on to help balance an institution’s “multiple priorities, obligations and values.” [EDUCAUSE]

US – Apple, AT&T Object to RadioShack Sale of PII

Apple and AT&T have both formally objected to the potential sale of customer data as part of the RadioShack bankruptcy case. “In order to protect its customers’ personal information, Apple oversees the collection and use of customer information collected by its retail partners, including RadioShack,” Apple said in papers filed to a Delaware bankruptcy court, adding, “The reseller agreement between Apple and RadioShack protects information collected by RadioShack regarding purchasers of Apple products and prohibits the proposed sale of such information.” AT&T also filed an objection, noting a debtor “seemingly intends” to include consumer data acquired by selling AT&T devices, the report states. Meanwhile, a federal court ruled that Birch Communications does not have to hand over customer data to a copyright litigant. [Law360]

US – DoJ Issues Guidance and Best Practices for Cyber Incident Response

The Department of Justice (“DoJ”) guidance provides the following recommendations on measures to take in advance of any cyber intrusion or attack, with an eye toward minimizing the harm that could result from such an attack and the steps that an organization should take in responding to a cyber security incident. [Inside Privacy] …the guidance [also] sets out what companies should not do in the event of a cyberattack. A key warning here is that businesses should not “hack-back” or attempt to penetrate or damage an attacker’s systems. This warning is well taken—penetrating another system, even one believed to be involved in maliciously compromising a network, may expose individuals or businesses to criminal liability under the Federal Computer Fraud and Abuse Act, or to civil damages and penalties. [Breaking Down the DOJ Cybersecurity Unit’s Guidance on Responding to Cyberattacks]

US – The Rise of the Chief Data Officer is Upon Us

The rise of chief data officers (CDOs) reflects “the central role that data now plays in every facet of society,” states a 2015 study from IBM’s Center for Applied Insights; the study surveyed 250 chief information officers from large organizations and found that 61% wanted their employers to recruit CDOs in the next year. “The emergence of chief data officers at major agencies and departments is a promising sign that the federal government continues to execute on President Obama’s open data vision and his 2013 executive order,” said Nick Sinai, former deputy U.S. chief technology officer. [TechRepublic]

US – NY Assemblyman Wants DMV to Ask Permission Before Selling Data

In a routine transaction at New York’s Department of Motor Vehicles, drivers’ personal information is sold after they get their licenses or register their vehicles. The state sells the information to insurance companies, courts and employers who need to verify driving records—and also so drivers can be notified of recalls—and says strict rules govern how much data is provided and who may obtain it. But Assemblyman Kevin Cahill (R-Kingston) disagrees with the practice and is sponsoring a bill that would let drivers decide whether the data is sold. “You have to register your car, but you shouldn’t have to give away your information,” he said. [CBS2]

US – VCs: Data Privacy Affects Valuation, Ability to Raise Capital

Conventional wisdom says privacy isn’t in Silicon Valley’s DNA. Rather, it’s come up with a use for the data first, ask questions about whether you can actually use it later. But that’s changing. Venture capitalists (VCs) are now making data privacy a core part of doing due diligence; corporate boards are now asking privacy questions more frequently of young start-up ventures, and privacy-enhancing technology is a booming area for VC investment. Sam Pfeifle talks with investors and start-up founders about the new era of data privacy in start-up culture, where a good privacy program can affect everything from the initial capital raise to the exit strategy. [Privacy Advisor]

US – Commissioners Call FCC’s Privacy Approach “Prehistoric”

Two commissioners from the Federal Communications Commission (FCC) have said the agency’s approach to consumer broadband privacy is “prehistoric.” Federal Communications Commissioners Michael O’Rielly and Ajit Pai expressed their concerns about the potential rulemaking for how Internet service providers process consumer data in light of the recent net neutrality order. In discussing last month’s FCC workshop on broadband privacy, Pai said, “One of the takeaways I had … is nobody knows where we go from here … That is almost the very definition of regulatory uncertainty.” O’Rielly said, “I believe we are heading in a bad direction on privacy, and it will be bad for consumers going forward.” [Law360] See also: Group Aims to Relax FCC Authority: The 21st Century Privacy Coalition, led by former Congresswoman Mary Bono and former FTC Chairman Jon Leibowitz, is lobbying Congress to pass the Data Security and Breach Notification Act. [National Journal]

US – Former Investigator: Tiversa Falsified Findings in LabMD Case

A former Tiversa employee says the firm faked LabMD breach findings in order to provoke Federal Trade Commission (FTC) action against the cancer testing center. LabMD, which eventually closed its operations, faced a complaint by the FTC in 2013 over its data security practices. The complaint was based on breach information provided by Tiversa; however, some—including a congressman—alleged that information was suspect. Now, a former Tiversa investigator, Richard Wallace, indicated the company “routinely” and “deliberately” falsified security problems in an effort to pull in customers, the report states, and then threatened to report “breaches” to regulators if companies didn’t buy Tiversa’s services. [SC Magazine]

US – Bombshell Testimony in FTC’s LabMD Case Breach Allegations

Wallace also testified that Tiversa had a “common practice” in attempting to drum up business of making it appear that other prospective clients’ data files were compromised on peer-to-peer networks and “spread” among IP addresses of known identity thieves. Those IP addresses, however, were actually for computers in criminal investigations that were already closed by law enforcement, and added to Tiversa’s “data store” of records, Wallace testified. [GovInfoSecurity] [FTC] [GovInfoSecurity: FTC’s LabMD Case: The Next Steps Commission Won’t Call Rebuttal Witness] [SC Magazine: Former Tiversa Investigator Says Firm Faked LabMD Breach Findings] [CNN: Whistleblower Accuses Cybersecurity Company of Extorting Clients] [Law360: FTC Responds to LabMD Motion to Dismiss]

US – Google’s $8.5 Million Privacy Settlement Faces Appeal

Theodore Frank, founder of the Washington-based Center for Class Action Fairness questioned the choice of nonprofits slated to receive funds, arguing that some of them had relationships with Google as well as the lawyers representing the consumers. He pointed out that two of the plaintiffs’ lawyers were alumni of three schools slated to receive funds (Stanford, Harvard and Chicago-Kent College of Law) and that Google already donates money to Harvard, Stanford, AARP and Chicago-Kent. U.S. District Court Judge Edward Davila reportedly indicated that he was troubled by some of those points, saying at a hearing that the deal “doesn’t pass the smell test.” [MediaPost]

US – E-Verify in the States

E-Verify mandates vary considerably across states. Currently, Alabama, Arizona, Mississippi and South Carolina have across-the-board mandates for all employers. The state governments of Georgia, Utah, and North Carolina force all businesses with at least 10, 15, and 25 employees, respectively, to use E-Verify. Florida, Indiana, Missouri, Nebraska, Oklahoma, Pennsylvania and Texas mandate E-Verify for public employees and state contractors, while Idaho and Virginia mandate E-Verify for public employees. The remaining states either have no state-wide mandates or, in the case of California, limit how E-Verify can be used by employers. [CATO]

US – Watchdog Attacks Airbnb ‘Unwarranted Intrusion Into Users’ Privacy’

Santa Monica-based Consumer Watchdog released a letter it sent to ShareBetter SF, a coalition of San Francisco groups that is hoping to qualify a city ballot initiative to impose stricter regulations and penalties on online short term rental platforms. Airbnb has raised similar concerns. “As written, your initiative is an unwarranted intrusion into users’ privacy and inappropriately requires the home sharing platform to do the enforcement work that should rightfully be done by the city,” the letter states, calling the initiative “antithetical to San Francisco’s core values.” … “It’s just a crazy blunt approach that is uncalled for,” Simpson said. [Source]

US – 147 Drone-related Bills in State Legislatures

More than a dozen states regulate when and whether a warrant is required before police use a drone to gather evidence, according to the ACLU. This year, 44 states are considering another 147 drone-related bills. Drone enthusiasts say the regulations are misguided and that their actions are misinterpreted by a nervous public unfamiliar with the technology and its promise. States already protect citizens against Peeping Toms regardless of the technology involved, said Brendan Schulman, an attorney who specializes in drones at Kramer Levin Naftalis and Frankel in New York. [Bloomberg] The Data Quality Campaign offers an update on U.S. federal and state student privacy bills, including the updated Student Digital Privacy and Parental Rights Act of 2015 and new bills in North Dakota and Virginia.

US – U.S. Senate Panel Raises Privacy Concerns in White House Hacking Incident

“Just like any entity that handles personally-identifiable information, the White House has a responsibility to notify Americans if the recent, or any future breach, results in a compromise,” the committee chairman, John Thune, said in a statement on Sunday accompanying the letter. “If such information has been lost, the White House still has a responsibility to victims even if it believes the hack was perpetrated by foreign spies and not cyber thieves,” Thune added. [Reuters]

US – Social Media Giants Not Privacy Monsters: Deloitte Report

“Social media gets a bad rap in the media around most things, and privacy settings and policy changes in particular. But in reality they performed quite well in terms of informing consumers about exactly what they are doing, what they are collecting, and how consumers can best protect themselves,” said Deloitte’s cyber risk expert Marta Ganko. The researchers were also surprised that social media out-performed 10 other industries, including government, health and fitness, and technology, when it came to having robust online privacy policies and limited use of data-raking cookies. Social media had the shortest average duration for a third-party cookie stored on a user’s device, while the telecommunication and retail industries, ranked eighth and 11th, both had a third-party cookie which could be stored on a device for more than 135 years. Cookies usually last about two years. [Report]

US – FTC Names Katherine Race Brin CPO

The FTC has appointed Katherine Race Brin as its new chief privacy officer (CPO) to succeed Peter Miller. “Katie has served as acting CPO since December 2014,” said FTC Chairwoman Edith Ramirez, adding, “it’s an important role, and I look forward to continuing to work with her to ensure that the FTC complies with our privacy obligations.” Brin has served as senior advisor to the director of the FTC’s Bureau of Consumer Protection and as staff attorney in the Division of Privacy and Identity Protection. [Full Story]

US – Felten Named Deputy U.S. CTO

The White House’s Office of Science and Technology Policy has announced Ed Felten as its deputy U.S. chief technology officer. Felten currently teaches at Princeton University and was the first chief technologist at the FTC. “There is no one more valuable to bridging tech and policy than Ed,” said Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology. [Source]

US – Other Privacy News

Privacy Enhancing Technologies (PETs)

WW – Mobile App Unveils Unencrypted Data

Researchers are now offering a new free online tool that shows users when transmitted data is not encrypted. Datapp, created by researchers from the University of New Haven’s Cyber Forensics Research and Education Group (UNHcFREG), which so far is only compatible with Windows 7 or 8, acts as a consumer-friendly web traffic “sniffer,” normally something that requires some technical expertise. “Think of it as Wireshark (a network traffic-analysis tool) with an access point for dummies,” said UNHcFREG Director Ibrahim Baggili. He also said UNHcFREG created the tool without outside funding but is accepting donations in order to add more features. [IDG News Service]
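The core of a tool like the one described above is a classifier that looks at each captured payload and decides whether it is carrying TLS, readable plaintext, or something opaque, then calls out credential-looking fields that travelled in the clear. The following is an added illustration in Python, not the UNHcFREG Datapp code; it works on raw TCP payload bytes (the capture step itself is out of scope), and the three sample payloads at the bottom are constructed for the example.

```python
"""Toy plaintext-vs-TLS classifier for captured TCP payloads.

Added example, not Datapp's own code. Input is the first bytes of a flow's
application payload; the sample payloads are constructed for the example.
"""
import re
import string

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ",
                b"HEAD ", b"OPTIONS ", b"PATCH ")
# TLS record content types: change_cipher_spec, alert, handshake, application_data
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}
# Form fields whose presence in cleartext a user would want to know about.
SENSITIVE_FIELDS = re.compile(rb"(?i)\b(password|passwd|pwd|token|session|auth)=([^&\s]*)")
PRINTABLE = set(string.printable.encode())


def looks_like_tls(payload: bytes) -> bool:
    """A TLS record starts with a content type byte and a 0x03 0x0X version
    (SSL 3.0 through TLS 1.3 all keep major version 3 on the wire)."""
    return (len(payload) >= 5
            and payload[0] in TLS_CONTENT_TYPES
            and payload[1] == 0x03
            and payload[2] in (0x00, 0x01, 0x02, 0x03, 0x04))


def printable_ratio(payload: bytes) -> float:
    """Fraction of bytes that are printable ASCII; high values mean text."""
    if not payload:
        return 0.0
    return sum(b in PRINTABLE for b in payload) / len(payload)


def classify_payload(payload: bytes) -> dict:
    """Return a verdict for one payload. For plaintext HTTP, also list the
    names (never the values) of credential-looking fields sent in the clear."""
    if looks_like_tls(payload):
        return {"verdict": "tls", "protocol": "tls", "exposed_fields": []}
    if payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/"):
        fields = sorted({m.group(1).decode().lower()
                         for m in SENSITIVE_FIELDS.finditer(payload)})
        return {"verdict": "plaintext", "protocol": "http", "exposed_fields": fields}
    if printable_ratio(payload) > 0.9:
        return {"verdict": "plaintext", "protocol": "unknown-text", "exposed_fields": []}
    return {"verdict": "opaque", "protocol": "unknown-binary", "exposed_fields": []}


# Constructed sample payloads (not real captures).
HTTP_LOGIN = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
              b"user=alice&password=hunter2&remember=1")
TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01, 0x00, 0x00, 0xC4, 0x03, 0x03]) + b"\x00" * 10
BINARY_BLOB = bytes(range(0, 256, 5))


def demo_report() -> list:
    """Classify the three constructed samples; returns (label, verdict, exposed) tuples."""
    samples = [("login-form", HTTP_LOGIN), ("tls-client-hello", TLS_HELLO), ("blob", BINARY_BLOB)]
    return [(label, classify_payload(p)["verdict"], classify_payload(p)["exposed_fields"])
            for label, p in samples]


if __name__ == "__main__":
    for label, verdict, exposed in demo_report():
        print(f"{label:18} {verdict:10} exposed={exposed}")
```

Only field names are reported, so the tool itself does not become a second place where the captured secret is written down. A TLS ClientHello is labelled `tls` rather than `encrypted` on purpose: the handshake is readable, but the application data that follows is not.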

US – FTC’s Sannappa on API Design’s Critical Role in Privacy

In a blog post for Tech@FTC, Nithan Sannappa of the FTC’s Division of Privacy and Identity Protection discusses privacy and security in mobile computing—specifically, the “principle of least privilege” and “sandboxing.” Sandboxing, Sannappa writes, “is an implementation of the principle of least privilege,” which recommends “every program and every user of the system should operate using the least set of privileges necessary to complete the job.” While most mobile operating systems feature sandboxing, the approach varies based on application programming interface (API) design. “Decisions about how to design APIs … play a critical role” in user privacy and security, Sannappa writes. [Source]
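The point about API design can be made concrete with two ways of exposing the same “share a contact” feature. The following is an added example in Python, not code from the FTC post; the address book, app identifier and class names are constructed. Design 1 gives an app a standing read-everything permission; design 2 has the platform draw a picker and hand the app a single-use token for just the one record the user chose, which is least privilege expressed in the shape of the API rather than in a policy document.

```python
"""Two API designs for 'share one contact', compared by how much data the
calling app can reach. Added example, not the FTC's code; all data is constructed."""
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Contact:
    name: str
    phone: str


# Constructed sample address book held by the platform, not the app.
ADDRESS_BOOK = [
    Contact("Alice Example", "+1-555-0100"),
    Contact("Bob Example", "+1-555-0101"),
    Contact("Carol Example", "+1-555-0102"),
]


class PermissionDenied(Exception):
    pass


class CoarseContactsApi:
    """Design 1: one READ_CONTACTS-style grant unlocks the whole address book,
    so an app that needs a single contact can read, and keep, all of them."""

    def __init__(self, address_book):
        self._book = list(address_book)
        self._granted = set()

    def grant(self, app_id: str) -> None:
        self._granted.add(app_id)

    def read_all(self, app_id: str) -> list:
        if app_id not in self._granted:
            raise PermissionDenied(app_id)
        return list(self._book)


class PickerContactsApi:
    """Design 2: the platform shows the user a picker (simulated here) and gives
    the app an unforgeable, single-use token for the chosen record only. The app
    holds no standing permission and never sees the rest of the book."""

    def __init__(self, address_book):
        self._book = list(address_book)
        self._tokens = {}

    def user_picks(self, index: int) -> str:
        """Platform-side: the user chose entry `index`; mint a one-time token."""
        token = secrets.token_hex(16)
        self._tokens[token] = self._book[index]
        return token

    def redeem(self, token: str) -> Contact:
        """App-side: exchange the token for exactly one contact, once."""
        try:
            return self._tokens.pop(token)
        except KeyError:
            raise PermissionDenied("invalid or already-used token") from None


def share_one_contact_coarse(api: CoarseContactsApi, app_id: str, wanted_name: str):
    """App code under design 1: wants one contact, receives every contact.
    Returns (chosen contact, number of records the app could have retained)."""
    everything = api.read_all(app_id)
    chosen = next(c for c in everything if c.name == wanted_name)
    return chosen, len(everything)


def share_one_contact_picker(api: PickerContactsApi, picked_index: int):
    """App code under design 2: the app only ever sees the picked record."""
    token = api.user_picks(picked_index)
    chosen = api.redeem(token)
    return chosen, 1


def exposure_comparison() -> dict:
    """Run the same user action through both designs and count exposed records."""
    coarse = CoarseContactsApi(ADDRESS_BOOK)
    coarse.grant("com.example.messenger")  # constructed app id
    c1, seen1 = share_one_contact_coarse(coarse, "com.example.messenger", "Bob Example")
    picker = PickerContactsApi(ADDRESS_BOOK)
    c2, seen2 = share_one_contact_picker(picker, 1)
    return {"coarse_records_exposed": seen1,
            "picker_records_exposed": seen2,
            "same_contact": c1 == c2}


if __name__ == "__main__":
    print(exposure_comparison())
```

The user-visible outcome is identical in both designs, which is why the difference is easy to miss in a privacy review: it shows up only in what the API made reachable, not in what the app displayed.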

WW – Wave of Privacy-Enhancing Start-Ups Fail To Deliver

Violet Blue examines a wave of start-ups, their move to raise money from investors interested in privacy-enhancing technology (PET) and, to date, their failure to deliver those promises. The list includes Anonabox, which promised to put TOR in a router, raising $82,643 before being ejected from Kickstarter; iGuardian (now SHIELD), raising $174,382 without delivering as of yet; Webcloak, and LogMeOnce. “Despite debunkings,” Blue writes, “these ‘magic box’ charlatans keep coming; people keep funding them, and crowdfunding sites don’t seem well-equipped to stop them.” To pile on, a slew of “green” security reporters “are easily duped” into believing such PETs claims. Blue concludes by providing a cheat sheet for nontechnical individuals who come across others making bold PET claims. [ZDNet]

US – Wickr Announces Privacy Initiative

Online private-messaging service Wickr has announced it is splitting in two. Mark Fields will take over as chief executive of the for-profit wing, allowing Wickr Cofounder Nico Sell to lead its new nonprofit initiative. The Wickr Foundation aims to promote privacy and share online communication best practices with teenagers, dissidents, journalists and human rights activists. Fields said he plans to bring Wickr’s core technology to more businesses, the report states.

US – Judge Says Airport Laptop Search “Unreasonable”

A US federal judge in the District of Columbia has ruled that a laptop search conducted at Los Angeles International Airport violated the laptop owner’s constitutional privacy protections. The ruling allows the defendant, a South Korean businessman, to suppress evidence collected from his computer. He has been accused of selling aircraft parts to Iran. [Ars Technica] [ZDNet]

US – AVG Acquires Privax

AVG Technologies has acquired Privax, which currently has 250,000 paying subscribers who use its encrypted VPN service. AVG CEO Gary Kovacs said, “With this acquisition, we will immediately be able to provide new and innovative privacy and security services to hundreds of millions of users worldwide.” [Full Story]

US – SEC Publishes Cybersecurity Guidance

The Securities and Exchange Commission (SEC) Division of Investment Management has published a guidance update setting forth cybersecurity concerns and advice for the investment companies and advisers it regulates. The SEC specifically suggests conducting a periodic assessment of the nature, sensitivity and location of information collected and the security controls and processes in place, and recommends creating and implementing a comprehensive strategy to prevent, detect and respond to cybersecurity threats, the report states, noting the strategy could include data encryption, an incident-response plan and data backup and retrieval. The SEC recommends implementing the cybersecurity strategy “through written policies and procedures and training programs,” the report states. [JD Supra]

Remote Identification

WW – Vehicle “Fitness Tracker” Start-Up Raises $5 Million

Automile, a Swedish start-up that offers a device and platform that connects users’ cars to the cloud, has closed a $5 million Series A round. “The device itself features GPS for location tracking and GSM for data connectivity, which is included as part of the service’s subscription fee,” the report states. It’s kind of like a fitness tracker for your car, the report states, allowing users to track mileage and fuel consumption or spot potential mechanical issues. The company plans to offer an application programming interface so third-party developers can develop new applications “in the areas of fleet management, logistics, insurance or in entirely new markets,” the report states. [TechCrunch]


US – DHS Certifies First SAFETY Act Cyber Product

The U.S. Department of Homeland Security (DHS) has certified the first-ever cybersecurity products under the SAFETY Act. The post-9/11 program offers certain liability protection to organizations that use approved cybersecurity products to defend their data. In its move, the DHS certified FireEye’s Multi-Vector Virtual Execution engine and Dynamic Threat Intelligence platform, meaning companies who use these products will be protected from lawsuits and other claims that they failed to prevent cyberterrorism. FireEye CEO David DeWalt said, “FireEye is proud to earn this first-ever SAFETY Act certification in the cybersecurity space, bringing a new level of liability protection for our customers.” [The Hill]

Smart Cards

US – Orgs Sign On to IBM’s Threat Exchange Network

IBM has announced that more than 1,000 organizations across 16 industries are participating in its X-Force Exchange threat intelligence network. The network was launched a month ago and provides open access to historical and real-time data feeds of threat intelligence in an effort to thwart cybercrime. [Full Story]

WW – EMV Cards Making Way into U.S. Market, Concerns Remain

In the wake of massive data breaches affecting major retailers, the move to credit cards with chips using so-called EMV technology is underway, but, unlike Europe, many EMV-enabled cards in the U.S. are chip-and-signature cards instead of the more secure chip-and-PIN cards. A representative from Visa said the majority of card issuers in the U.S. are opting for the more familiar signature verification step for now “to keep the consumer experience as consistent as possible.” However, the use of signature over PIN is frustrating a number of retailers and other merchants. The National Retail Federation’s Mallory Duncan said, “It means that merchants will be spending billions of dollars and see they get very little benefit from this investment.” Significantly, a new Ponemon study reveals that a majority in the payment ecosystem don’t believe the switch to chip-and-PIN will improve consumer data security. [The Washington Post]


US – N.S.A. Collection of Bulk Call Data Is Ruled Illegal

In a 97-page ruling, a three-judge panel for the United States Court of Appeals for the Second Circuit held that a provision of the U.S.A. Patriot Act, known as Section 215, cannot be legitimately interpreted to allow the bulk collection of domestic calling records. The provision of the act used to justify the bulk data program is to expire June 1, and the ruling is certain to increase tension that has been building in Congress. [New York Times] [WashPost: NSA Program on Phone Records Is Illegal, Court Rules] [US – N.S.A. Ruling Divides Republican Candidates] [Jim Harper – The Implications of Court’s NSA Ruling Assessing Order Declaring NSA Bulk Collection Program Illegal] [Wired: Court Rules NSA Bulk Data Collection Was Never Authorized by Congress]

…perhaps the most important message the unanimous decision sends is a simple one: Congress could not have intended to approve a program whose true scope almost no one outside the National Security Agency fully comprehended — that is, until Edward Snowden leaked its details to the world. …In fighting this lawsuit, brought by the ACLU immediately after the Snowden leaks, the government argued that Congress was apparently fine with this alarmingly broad interpretation. The problem, as Judge Gerard Lynch of the Second Circuit Court of Appeals rightly pointed out in his 97-page opinion, is that “it is a far stretch to say that Congress was aware” of what the intelligence court was doing. To the contrary, Judge Lynch wrote, “knowledge of the program was intentionally kept to a minimum, both within Congress and among the public,” and there was “no opportunity for broad discussion” about whether the court’s interpretation was correct. Allowing the government to define “relevant” so loosely, he said, “would be an unprecedented contraction of the privacy expectations of all Americans.” [New York Times: The Illegal Phone-Data Sweeps]

Court Ruling on N.S.A.’s Data Collection Jolts Both Defenders and Reformers: …the Senate’s most ardent civil libertarians say that legislation has now been supplanted by the court’s ruling. Mr. Paul said Friday that he would press to ban the collection of phone records altogether. And Senator Ron Wyden, Democrat of Oregon, said he would filibuster efforts by Mr. McConnell to extend the government’s current collection authority beyond its May 31 expiration. …“I will filibuster any effort to have a short-term extension of the Patriot Act if there are not major reforms, specifically getting rid of the federal human relations database, also known as bulk phone records collection,” Mr. Wyden said Friday. “I believe I can also find other members to join me in it.” [NYTimes]

Is the NSA’s Big Data Program Authorized? Key Quotes from a Major Court Ruling: “We conclude that to allow the government to collect phone records only because they may become relevant to a possible authorized investigation in the future fails even the permissive ‘relevance’ test. Just as ‘the grand jury’s subpoena power is not unlimited,’ § 215’s power cannot be interpreted in a way that defies any meaningful limit. Put another way, we agree with appellants that the government’s argument is ‘irreconcilable with the statute’s plain text.’ Such a monumental shift in our approach to combating terrorism requires a clearer signal from Congress than a recycling of oft‐used language long held in similar contexts to mean something far narrower.” [Source]

US – Skynet: NSA’s Surveillance Program Analyses Phone Records

Another top secret presentation from June 2012 explains that Skynet works by analysing the target’s travel patterns – including which locations they have visited in a given timeframe and how often they have returned to the location. The program also analyses the target’s behaviour, based on how they use their mobile phone, and attributes such as swapping SIM cards and handsets repeatedly, as well as constantly turning the phone off, are flagged up in the system. Skynet also analyses data collected by the NSA into people around the target who might be travelling with them or have similar travel plans, as well as whether they have contacts in common. [Source] [It’s Time to End Orwellian Surveillance of Every American] [“Skynet” is real, and it could flag you as a terrorist: If you visit airports or swap SIM cards often, you might be flagged by “Skynet”]

US – FAA Teams With Private Companies on Drone Tests

The Federal Aviation Administration (FAA) and three private companies announced plans to test an undisclosed number of commercial drones. Teaming up with CNN, PrecisionHawk and BNSF Railroad, the FAA will test drones while they gather news, survey crops and inspect railroads. “There will be a host of beneficial uses of drones that will benefit the public tremendously,” said the Center for Democracy & Technology’s Harley Geiger. “But with the pace of the technology’s improvement, it’s important to establish privacy rules now.” In February, the FAA said privacy was “beyond the scope” of its role as safety regulator. [BuzzFeed] [Drone, Data X: FAA Aims to Finalize Rules in Less Than 16 Months]

US – Researchers Find Android Apps Sharing Tracking Data

A security team has found that thousands of free Android apps are sharing user data by connecting with advertising and tracking sites without users’ knowledge. As detailed in a report from MIT Technology Review, Luigi Vigneri and his team created an automatic method to scan apps and used more than 2,000 free Android apps in their research. In some cases, a single app connected to 2,000 unique URLs, the report states. The team reportedly has a potential solution on the way called NoSuchApp that will monitor which URLs Android apps could be sharing tracking data with, the report states. [SlashGear]

US – Drone Use Prompts Thorny Legal Questions on Airspace Ownership

Murky questions exist around commercial airspace and jurisdiction as unmanned aerial vehicle (UAV) use continues to rise. State and local police say complaints by citizens are soaring. International Association of Chiefs of Police President Richard Beary said, “We’ve never been responsible for airspace before. We understand the ground game; now all of a sudden you want state and local police to regulate airspace?” Plus, UAVs are flooding airspace below 500 feet, prompting privacy concerns. One Massachusetts town is declaring that property owners control the airspace 500 feet above their properties, citing a 1946 Supreme Court decision. The case—where does “navigable airspace” begin and property ownership end—now poses a dilemma for regulators and the UAV industry. [The Wall Street Journal]

CN – Chinese Drone Maker Becoming Global Industry Leader

Accel Partners has invested $75 million in Chinese drone developer DJI, helping make it “one of the leaders in the burgeoning civilian market for drones.” The investment comes amidst struggles to regulate unmanned aerial vehicles, particularly for safety and privacy reasons. Accel Partner Sameer Gandhi said, “The size of our investment really shows how big we think the opportunity can become … For one of the first times, you’re seeing an international company, a Chinese company, being the innovator and frankly leapfrogging all activity in other parts of the world and truly being the company everyone is chasing from an innovation point of view.” According to Forbes, DJI is on track to exceed $1 billion in sales this year alone. [New York Times]

Telecom / TV

US – Court Reverses Landmark Cell-Phone Privacy Decision

A U.S. Circuit Court has reversed a landmark privacy decision. Last year, the court ruled against the government in a case involving Quartavious Davis, whose cell phone was tracked by police as he went on a crime spree. But in a decision published Tuesday, a panel of 11th Circuit Court judges overturned the ruling in U.S. v. Davis. The new ruling says that because Davis’s phone location data wasn’t his property but that of the phone carrier, he had no expectation of privacy and the police who were tracking him didn’t need a warrant. “It’s a huge setback as compared to the decision it vacated,” said one law professor. [Wired]

US – Appeals Court Overturns Privacy Win in Phone-Tracking Case

Two judges disagreed with the majority on the constitutional question, including Judge Beverly B. Martin who wrote a dissenting opinion arguing that the Fourth Amendment required the government to get a warrant before accessing the cell site location data. “The judiciary must not allow the ubiquity of technology—which threatens to cause greater and greater intrusions into our private lives—to erode our constitutional protections,” she wrote. [Source]

US – Court’s Reversal Leaves Phones Open to Warrantless Tracking

The 11th Circuit’s reversal in Davis leaves the question of warrantless phone tracking in limbo. Several state courts have ruled that the practice is unconstitutional, including Massachusetts, New Jersey and Florida, while some higher courts now seem to allow it. “It’s a hodgepodge,” says Electronic Frontier Foundation civil liberties lawyer Hanni Fakhoury. “What does all this mean for someone who lives in Florida? One court has said yes and one has said no. That’s problematic.” [Wired]

US – DOJ Reviewing Use of Stingrays, Aiming for More Transparency

The Department of Justice (DOJ) has begun a review of the secretive use of Stingrays, or cell-phone surveillance technology that mimics cell-phone towers. Stingrays trick mobile phones into believing they are communicating with legitimate cell-phone towers while harvesting data from the phones including identity, location and phone content, the report states. The FBI for years used the technology without warrants. But senior government officials have said they want to be more open about the surveillance, though the DOJ hasn’t revealed what that will look like yet in terms of how little or how much it shares. [PCWorld] [ComputerWorld] [SC Magazine] [Ars Technica]

US – Trade Groups: FCC Reclassification Unfair for Broadband Providers

A coalition of industry trade groups argues in court papers that the FCC’s move to reclassify broadband as a utility will place “immense burdens and costs” on Internet service providers. “The order represents a sharp about-face in which a federal agency … has arrogated to itself breathtaking authority over the most transformative technology in living memory,” stated the coalition, which includes the USTelecom Association, CTIA-The Wireless Association, the Wireless Internet Service Providers Association, the American Cable Association, the National Cable & Telecommunications Association, AT&T and CenturyLink. “It has done so by subjecting broadband Internet access service to a regime that was originally designed, not for the era of social networking and streaming video but for 19th century railroads.” [MediaPost]

US Government Programs

US – Federal Court Rules NSA Bulk Surveillance Illegal

The Court of Appeals for the Second Circuit ruled today that the bulk collection of phone metadata by the NSA is illegal. Instead of looking at the constitutionality of the program, the court ruled it went beyond the scope of what Congress intended when it passed the USA PATRIOT Act. The 97-page ruling concluded that a provision of the law allowing the Federal Bureau of Investigation to collect business records relevant to combating terrorism cannot legitimately lead to bulk surveillance of domestic phone records, the report states. “We do so comfortably in the full understanding that if Congress chooses to authorize such a far-reaching and unprecedented program, it has every opportunity to do so and to do so unambiguously,” the judges wrote. [The New York Times]

Appeals Court Rules NSA Data Collection Not Authorized by Patriot Act: A US Federal Appeals Court has found the NSA’s wholesale collection of cellphone communication metadata to be illegal. The court did not address the constitutionality of the practice, but instead said that the scope of the operation exceeds what Congress authorized in section 215 of the Patriot Act, which was passed in the wake of the September 11, 2001 attacks. The original case was brought by the American Civil Liberties Union (ACLU) and was dismissed by a lower court in 2013. [Wired] [Ars Technica] [Ars Technica]

NSA Bulk Surveillance Program Likely Heading to SCOTUS

The recent Second Circuit Court of Appeals ruling that the NSA bulk phone records collection program is illegal “raised constitutional questions likely to be answered by the Supreme Court.” The ACLU’s Patrick Toomey said, “Given the amount of metadata that Americans create everyday … I think it’s very likely that the status of the third-party doctrine ends up before the Supreme Court again sometime soon, whether through one of these cases or another.” National Whistleblowers Center Executive Director Stephen Kohn said Thursday’s NSA decision justified the actions of Edward Snowden and highlighted “the importance of whistleblowing.” Meanwhile, a column in TIME describes the ruling as “a victory for privacy.” [The Hill]

US – Cybercriminals Targeting Healthcare Data

According to a new study on the Privacy and Security of Healthcare Data, criminal attacks have now surpassed insider negligence as the main cause of data loss and theft in the healthcare industry, which is not well prepared. With “some exceptions, … healthcare providers either lack the resources, staff, or technical innovations to meet the changing cyber-threat environment.” Half of the healthcare organizations surveyed said they had “little or no confidence” that they would be able to detect every data loss or theft. And nearly two-thirds of healthcare providers and affiliated businesses offer no protection services for patients whose data are stolen. [Dark Reading] [NBC News]

US – What You Need to Know About Educational Software

Research released in January shows that educational applications are the second most popular category in the Apple App Store, comprising just over 10% of all app downloads. This indicates a tremendous interest in learning applications across a wide, technically savvy—and growing—demographic. But a lack of regulations and guidelines means privacy isn’t always a priority. “The topic will likely take its place as a top-level priority this year as parents, educators and administrators take greater notice of the potential issues coming down the road,” Goodman writes. [The Privacy Advisor]

US Legislation

US – House Passes USA Freedom Act to Curb NSA Spying

Civil liberties groups like the Electronic Frontier Foundation and others are divided in their support of the bill. Many say it’s better than nothing, but hope that the Senate will add wording to strengthen protections before passage. EFF had supported the legislation until last week when a federal appeals court ruled that the bulk collection of phone data is illegal. In that decision, the Second Circuit Court of Appeals found that the collection of Americans’ phone metadata was never authorized by Section 215 of the Patriot Act, as the intelligence community had insisted. EFF has now said that the ruling should embolden the Senate to roll back the bill to a previous 2013 version that provides stronger reforms. [Wired]

US – McCaul: USA PATRIOT Act Will Get Privacy Protections

House Homeland Security Chairman Mike McCaul (R-TX) says the USA PATRIOT Act, set to expire June 1, will be renewed by Congress with more privacy protections. The act would “stop metadata collection by the National Security Agency … and put it back in the hands of telephone carriers,” the report states. “I think that’s where you’re going to see Congress headed towards, and the courts have certainly gone in that direction,” said McCaul. Meanwhile, following the court ruling last week declaring the practice illegal, Senate Intelligence Committee Chairman Richard Burr (R-NC) has defended the federal government’s bulk phone-records collection, saying it’s “very effective at keeping America safe.” [Newsmax]

US – Legislators Introduce Bill to Protect Student Privacy

After a 2013 Fordham University study revealed that nearly 95% of schools were employing cloud services to manage students’ data, legislators are attempting to ensure its protection. The Hatch-Markey Bill aims to force educational institutions not only to alert students and their families that their data is being handled by third parties, but also to prohibit schools from selling that data, since, per the Fordham study, only 7% of universities take these steps themselves. “Data analysis holds promise for increasing student achievement, but it also holds peril from a privacy perspective. A child’s educational record should not be sold as a product on the open market,” said Sen. Ed Markey (D-MA). [The Hill]

US – Senators Introduce Drone Bill

Two senators have introduced a bill that aims to establish temporary rules to regulate and manage the nascent commercial drone industry, Forbes reports. Sen. Cory Booker (D-NJ) and Sen. John Hoeven (R-ND) introduced the Commercial UAS Modernization Act, which would set guidelines for unmanned aircraft systems. Commercial use of such aircraft is currently banned by the Federal Aviation Administration, though businesses may apply for exemptions to operate UAS on a case-by-case basis. Booker said he introduced the bill to prevent the U.S. from falling behind other countries because of a lack of rules. [Source]

US – Illinois Data Breach Bill Opposed by Ad Industry

New state data breach legislation in Illinois is being opposed by the ad industry. In a letter to state lawmakers, the Association of National Advertisers, together with other groups—including the Direct Marketing Association, Interactive Advertising Bureau, American Advertising Federation, American Association of Advertising Agencies, Acxiom and Epsilon—said that Illinois Senate Bill 1833 would create “unnecessary compliance burdens” for businesses. The proposed legislation would require businesses to notify customers if a breach exposed financial and geolocation data. The bill has already passed the state senate and will be taken up by a house committee on Wednesday. Illinois Attorney General Lisa Madigan backs the proposed legislation. [MediaPost]

US – Washington Limits Stingray Surveillance in Unanimous ‘Pro-Privacy’ Law

Governor Jay Inslee, a Democrat, signed HB 1440 this week, enacting a law that, effective immediately, requires police officers to obtain search warrants before deploying “cell site simulators,” devices that mimic the behavior of mobile phone towers. [RT.com]

US – Georgia Passes Student Data Privacy, Accessibility and Transparency Act

Pundits are calling the state’s new student data privacy law the most comprehensive in the nation. The state is required by the act to develop a data security plan that will keep student data as safe as possible. Technology vendors working with schools will be required to develop security procedures and prohibited from selling personal information about students to advertisers or anyone else. [GovTech]

US – Other Privacy Legislation

  • The White House has given its support to a bill proposed by Reps. Luke Messer (R-IN) and Jared Polis (D-CO). The Student Digital Privacy and Parental Rights Act “would bar school technology vendors from selling student information to third parties or from creating student profiles for noneducational purposes.”
  • Oman’s draft information protection law seeks to “make it mandatory for government and private institutions to take necessary steps to protect data they collect about citizens and individuals for official and other purposes.”

Workplace Privacy

US – Woman Fired for Turning Off 24-hour Tracking App

A California woman has filed a lawsuit claiming she was fired for turning off a tracking app installed on her employer-issued iPhone. Myrna Arias said she was fired shortly after she told her boss she was turning off the Xora app that she and her coworkers were required to use. Arias said her boss “admitted that employees would be monitored while off duty and bragged that he knew how fast she was driving at specific moments ever since she installed the app on her phone.” Arias said it was an invasion of her privacy during off hours, likening it “to a prisoner’s ankle bracelet,” the suit states. Arias now seeks $500,000 for invasion of privacy, retaliation and unfair business practices, among other claims. [Ars Technica]
