01-15 June 2015


US – Privacy Concerns Over Facial Recognition Test Program at Border

The Department of Homeland Security is making a new push to find immigration violators. The three-month pilot project at Dulles is part of larger testing of biometric technology. This fall, customs agents will also begin collecting face and iris scans of people entering and returning from Mexico on foot from a San Diego border crossing. “Looking at things like iris or facial recognition helps us compare that person to the document and confirm their identity” to check against watch lists. But privacy rights advocates are concerned these test projects could lead to a slippery slope with law enforcement agencies eventually trying to using biometrics to track law abiding citizens. “This is really just the beginning,” warned Harley Geiger, Senior Counsel at the Center for Democracy and Technology. “The real concern is not so much this particular pilot program, it is that this particular pilot program is a step towards a larger program,” Geiger said. “Not just in ports of entry, but also in public places, mass transit systems throughout the domestic United States.” [CBS News] [CBSN]

CA – Biometric Data Collection Powers In Budget Bill Raise Concerns

The Canadian government wants to collect biometric information from more people entering Canada. It currently collects a digital photograph and 10 fingerprints to verify the identity of foreign nationals from 29 countries and one territory when they apply to temporarily visit, study or work in Canada. Canada’s privacy watchdog, Canadian Bar Association raise privacy concerns in submissions to Parliament. Daniel Therrien, Canada’s privacy watchdog, sent a letter to parliamentarians this week to ask about the extent of the changes following testimony by government officials. [Source] [Visitors to Canada who need visa will face biometric screening] [The Star: Ottawa Bankrolls New Screening for Visitors to Canada, New Money For CSIS] [Globe & Mail: Canada Vastly Expands Data Collection of Travellers, Boosts Spy Agency Budget]

CN – First Facial-Recognition Technology ATM Unveiled

China has the first automated teller machine (ATM) with facial-recognition technology. Anti-counterfeit technology experts says the technology should curb ATM-related crimes. The product has passed authorities’ certification and will soon be available on the market. It’s not yet known who will manufacture the ATMs and how facial data will be collected. Some have concerns about privacy and accuracy. [South China Morning Post]

WW – Start-Up Uses Mouse Patterns to Confirm Identity

An Israeli start-up uses “behavioral biometrics” to keep users safe from fraud online. BioCatch maps and logs the way a user habitually moves a computer mouse and then creates a profile. If a user deviates from the logged pattern, it’s clear the user isn’t who he or she claims to be, the report states. [The Tower]

WW – Could “Brainprints” Replace Passwords?

Researchers have found that the human brain’s response to certain words varies to such a degree that it may be possible to distinguish individual “brainprints,” or a unique identifying code. In a small experiment, researchers hooked an EEG to 45 volunteers to measure brain signal response to various words including FBI and DVD. A second computer-based experiment successfully re-identified individuals with 94% accuracy. Brainprints could provide continuous variation, a distinct advantage for authentication. “Passwords or fingerprints only provide a tool for one-off identification. Continuous verification … could in theory allow someone to interact with many computer systems simultaneously, or even with a variety of intelligent objects, without having to repeatedly enter passwords for each device.” [Fast Company]

US – Facial Recognition is Booming, But is it Legal?

Google Policy Fellow at the Center on Privacy and Technology Ben Sobel writes about facial recognition technology and its near ubiquity, in preparation for the next round in the NTIA’s bid for a facial recognition code of conduct. Used by everyone from law enforcement (including a new use by police in the UK ) to retailers to Facebook and Google, there seems to be little notice of the fact that the technology is illegal in both Illinois and Texas, Sobel writes, and a current case may bring definition to just what form of the technology is allowed. “If the law does apply,” he writes, “Facebook could be on the hook for significant financial penalties.” [Full Story]

Big Data

EU – Purpose Limitation Could Have a Limited Future

The latest Council version of the General Data Protection Regulation provides that personal data may be further processed by the same data controller even if the further purpose is incompatible with the original purpose ‘if the legitimate interest s of that controller or a third party override the interests of the data subject,’” state Profs. Lokke Moerel and Corien Prins. They note that the Article 29 Working Party and several NGOs are concerned such a development would render the limitation principle “meaningless and void,” but Moerel and Prins disagree. In a preview of their more in-depth whitepaper, Moerel and Prins argue the Council version “is the only feasible way to guarantee” personal data protection in an era of big data and the Internet of Things. [Privacy Perspectives] [EU Regulators Misunderstand Big Data]

CA – Canadian Political Parties are Embracing Big Data on the Campaign Trail

In recent years, the NDP and Liberals have been racing to catch up to the Conservatives’ ability to amass and analyze voter data. Gone are the days of volunteers standing on doorsteps with a clipboards and voters’ lists, ticking off likely supporters. The modern Liberal canvasser now carries a smart phone or tablet, loaded with the mini-VAN app. It was developed by U.S.-based NPG VAN and used to great effect by Barack Obama’s presidential campaigns. Each volunteer is trained to give a brief homily on why they support the party — the personal touch never gets old — and to then follow a script designed to elicit pertinent information, including party preference, willingness to take a lawn sign, issues of concern, email address and phone number. Responses, along with other information such as a voter’s preferred language, are punched into mini-VAN, which is linked to the party’s central database, Liberalist, where party headquarters can monitor the canvassers in real time. Information gathered by canvassers is combined with publicly available demographic data from the national census, polling results and other data mined from responses to party petitions, email blasts and online and social media campaigns to produce what Liberals refer to as analytics dashboards — complex digital graphs and charts. Dashboards range from a countrywide overview of Liberal prospects down to a microscopic look at voters in each postal code. Digital sliders on each dashboard allow organizers to input a host of demographic variables — age, religion, language, income, children, educational attainment, employment status and so on. [The Canadian Press]

US – Big Data Recommendations Coming Soon

Does the use of health data not covered by HIPAA need more oversight? That’s one of the questions being considered by the Privacy and Security Workgroup of the Health IT Policy Committee as it prepares its report on the use of big data in the healthcare industry. At a June 8 meeting, there was a great deal of discussion about how much transparency patients should have into things like the data generated by medical devices and proprietary algorithms used for decision-making. Deven McGraw, a partner in the healthcare practice of Manatt, Phelps & Phillips, LLP, and the workgroup’s chair, “admitted the workgroup has more questions than obvious answers and no consensus about areas of potential harm to consumers.” [Healthcare Informatics]


CA – Bill C-51 Passed By Senate, Despite Widespread Public Opposition

Bill C-51 passed the Senate on June 9 in a 44-28 vote despite Liberal members’ opposition, but those opposed have vowed to fight until it is repealed. Early reports on Twitter suggest that the bill passed with applause from Conservative senators, but OpenMedia has already launched its fightback against the legislation, vowing to call on leaders of all political parties to commit to repealing the legislation as part of their election platforms, after a total of 243,370 Canadians spoke out against it in the months leading up to the Senate’s vote. Speaking just hours before the vote, author Margaret Atwood said that if passed, “many people will continue to think the Senators are a bunch of overpaid, entitled, patronage-appointment rubber-stampers, despite the good work they have sometimes done. And the Ottawa Senators will consider changing their name.”…. Also taking action is lawyer and constitutional expert Rocco Galati, who said that he would contest the legislation in court if it passes. An extension of existing post 9/11 anti-terror laws, the legislation will make it easier for federal agencies to share information—that Galati said included foreign governments—as well as let police to preventatively arrest terror suspects or restrict their activities. The bill will also allow the public safety minister to add people to Canada’s no-fly list, ban promotion of terrorism, and permit the Canadian Security Intelligence Service disrupt potential security threats. [The National Observer]

CA – Conservative Groups’ Last Minute Plea to Harper: Stop C-51

The letter is signed by traditionally conservative organizations like the National Firearm Association and Free Dominion, as well more than fifty individuals. It was facilitated by OpenMedia, the group behind the public campaign against the anti-terror legislation. The groups warn Harper’s Bill C-51 will cost the Conservative Party at the polls. [Global News] [Why conservatives, libertarians and gun lobbyists oppose Bill C-51] [Who does anti-terror law threaten?]

CA – Senator Mobina Jaffer Differs With Party Leader and Slams Bill C-51

Jaffer, the first South Asian woman to hold the Canadian Senate post, along with other independent Liberal senators, plans to vote against the legislation citing concerns about rampant information sharing between 17 government agencies, a lack of oversight of that information sharing, the ability of judges to issue warrants for preventative arrest and detention, and an overly broad definition of terrorism that could entangle citizens engaged in civil disobedience, reported CBC News. [Source]

CA – National Security Agencies Too Secretive, Experts Tell Senate Open Caucus

‘In Canada, security is never part of federal elections, so this might be a good and unexpected outcome of our discussion around Bill C-51, however flawed the bill is and will prove to be,’ said University of Ottawa professor Wesley Wark. With regard to Bill C-51, many of the meeting’s witnesses agreed that the legislation will only entrench this culture of secrecy, and will even serve to worsen it in some cases. One provision of the bill would give CSIS the right to go to a Federal Court to seek permission to violate an individual’s Charter rights in order to collect information. This would occur behind closed doors, without the individual’s knowledge or even a special advocate to speak on their behalf. “I have never in my professional life seen a provision like this. It’s unconstitutional on its face,” Cavalluzzo said. “Apart from it being unconstitutional … it’s a secret process.” He went on to note that that 14 of the 17 agencies which will be receiving this information have no review mechanism. “What if they make a mistake? What is the citizen going to do?” [Hill Times] [Canada: The Tories have buried many things in omnibus bills]

CA – Torture Survivor Turned Author Voices Fears Over Bill C-51

“Bill C-51 is vague, reactionary, and open-ended, and it leaves citizens with very little protection. It was passed in the House [of Commons] with very little debate and has pushed its way to the Senate. Democracy is fragile, and when damaged, it is extremely difficult and costly to mend,” said Nemat, who wrote Prisoner of Tehran and After Tehran, detailing her experiences and their aftermath.” [National Observer] [What if C-51 is Just the Edge of a Slippery Slope? ]

CA – OpenMedia Crowd-Sources Anti-Surveillance Privacy Plan

We learned that the CSE spied on law-abiding Canadians using the free Wi-Fi at Pearson airport, and monitored their movements for weeks afterward. We learned that CSE is monitoring an astonishing 15 million file downloads a day, with Canadian Internet addresses among the targets. Even emails Canadians send to the government or their local MP are monitored — up to 400,000 a day according to CBC News. Just last week we discovered CSE targets widely-used mobile web browsers and app stores. Many of these activities are not authorized by a judge, but by secret ministerial directives like the ones MP Peter MacKay signed in 2011. CSE is not the only part of the government engaged in mass surveillance. Late last year, the feds sought contractors to build a new monitoring system that will collect and analyze what Canadians say on Facebook and other social media sites. As a result, the fear of getting caught in the government’s dragnet surveillance is one more and more Canadians may soon face. [Source]

CA – Eyes on the Spies: Canadians Deserve Accountability

The findings from our crowdsourcing process make clear that Canadians dislike excessive secrecy around government spying. There was strong support for a wide range of measures to improve the accountability, oversight and transparency of surveillance activities. Notably, 94.1% of Canadians want an all-party parliamentary committee to conduct a thorough review of Canada’s existing oversight mechanisms, and make recommendations for improvements. And 87.9%want independent bodies to oversee CSE and Canadian Security and Intelligence Service (CSIS), and issue regular reports to the public. [Source]

CA – Millions for Surveillance — Nickels for Privacy

The CSE’s official watchdog has a staff of just eight and an annual budget of only $2 million, yet it’s expected to keep tabs on a rapidly expanding spy agency with over 2,000 employees and an annual budget of over $820 million. CSIS also suffers from a severe oversight deficit. In fact, the government shut down the office of the CSIS inspector general, which was responsible for reviewing day-to-day CSIS activities. All that’s left now to oversee CSIS is the part-time, resource-starved Security Intelligence Review Committee (SIRC). Over the years, SIRC has repeatedly complained it has insufficient powers to hold CSIS accountable — complaints that the government has ignored. It’s no wonder that SIRC is now taking an average of three years to investigate complaints against CSIS. [Source]

CA – ‘You Could Be Branded Terrorists’: RCMP Officer to Demonstrators

“Whenever you’re attacking the Canadian economy you could be branded a terrorist, right?” the officer says a little bit later. “Which is not necessarily what’s going to happen, but it could happen.” It’s unknown whether “they” was in reference to the Conservative government, the Department of Justice or law enforcement brass. And it’s also unclear whether the officer was relaying his personal opinion about the bill or repeating interpretations and analysis from the media. [Source]

CA – Federal Politicians Limit Debate Time on Privacy Breach Notification Bill

Bill S-4 “would require organizations to keep records of data breaches of any kind,” [Privacy Commissioner] Therrien said at the time. “We will be able to review their records to determine whether or not appropriate breach notification has occurred, and it will allow us to determine trends generally on the issues so that better advice can be given to organizations and individuals.” …But Tamir Israel, staff lawyer for the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic, told the committee his organization is “concerned that the standard for notifying the Privacy Commissioner is too high.” Israel contended at the time that it is “very useful to have notification directly to the Privacy Commissioner of a majority of breaches for tracking purposes and to generally improve incentives to adopt rigorous technical safeguards.” [Canadian Underwriter]

CA – Ontario Province Introduces Privacy Legislation for Healthcare Data

The government announced sweeping changes to provincial health privacy laws this week in a bid to deter health professionals from snooping into medical records. Speaking at a press conference in Queen’s Park, Health Minister Dr. Eric Hoskins said proposed changes to the Personal Health Information Protection Act (PHIPA) included mandatory reporting of all health-related privacy breaches to the Information and Privacy Commissioner. Hoskins said he was acting on every single recommendation he had received from privacy commissioner Brian Beamish to strengthen PHIPA. This announcement comes on the heels of a Star investigation that unveiled thousands of health-related privacy breaches have gone unreported to the privacy commissioner because of a legislative loophole allowing hospitals to handle these violations behind closed doors. The Star investigation also outlined how Ontario, which used to be at the forefront of health privacy laws in Canada, was now lagging behind other jurisdictions that have moved toward mandatory reporting of health privacy breaches. Hoskins said the proposed law changes would not only make it compulsory for Ontario hospitals to report every single health privacy breach to the commissioner, but they would also have to report all health professionals disciplined for snooping to their relevant regulatory college. Hoskins also said the government was proposing to remove “a serious barrier to prosecuting breaches of patient privacy” by eliminating the six month deadline to prosecute. Under the proposed changes, the fine for individuals caught snooping would be doubled from $50,000 to $100,000 and organizations from $250,000 to $500,000. [Source] [Privacy breaches often not due to technology failure: PLUS Canada speakers] [Tech firms need to use data ethically around the internet of things]

CA – Ontario Moves to Limit Police Sharing Non-Conviction Information

A proposed new law would prevent the inappropriate release of non-conviction or non-criminal mental health information. Under the act, non-conviction records such as withdrawn or dismissed charges, acquittals and findings of not criminally responsible by reason of mental disorder could only be disclosed through some vulnerable sector checks for people working or volunteering with children and seniors. Police will have to consider factors such as how long ago an incident took place, if the record relates to predatory behaviour around a vulnerable person and whether the records show a pattern of such behaviour before deciding whether to release those records in a vulnerable sector check. The Police Records Check Reform Act was met with widespread support, including the Canadian Mental Health Association, the Ontario Association of Chiefs of Police and the Canadian Civil Liberties Association. [The Star] [National Post] SEE ALSO: [Toronto: John Tory calls for full stop to carding, citing ‘eroded public trust’] [Toronto police Chief Mark Saunders defends lawful carding after mayor objects]

CA – Kent Enacts New ATIPPA Law

In early March, the independent review committee led by former Newfoundland premier Clyde Wells delivered a comprehensive report into the province’s access to information system, along with proposed legislation to completely overhaul it. Public Engagement Minister Steve Kent says the government is — mostly — ready for the new access to information law that was formally enacted on Monday. The new law has been rated as the strongest freedom of information legislation in the country. [Telegram]

CA – Manitoba to Allow Victims to Sue for Intimate Photos Distributed Without Consent

Manitoba has introduced a law that would allow victims who had intimate images distributed without their consent to claim damages and recoup any profits from the crime. Attorney General Gord Mackintosh said the law would be the first in Canada to make it easy for victims to sue for everything from an injunction to punitive damages. The province would also partner with the Canadian Centre for Child Protection to boost funding for its tipline, which helps remove intimate images from the Internet and links victims with support. Social media has made it easier to harass and shame a person with an intimate image, Mackintosh said. [The Winnipeg Free Press]

CA – Law, Privacy and Surveillance in Canada in the Post-Snowden Era

I am delighted to report that this week the University of Ottawa Press published Law, Privacy and Surveillance in Canada in the Post-Snowden Era, an effort by some of Canada’s leading privacy, security, and surveillance scholars to provide a Canadian-centric perspective on the issues. The book is available for purchase and is also available in its entirety as a free download under a Creative Commons licence. [Michael Geist] [Canadians Have Good Reason to Be Wary of the TPP: Geist] See also: Timothy Banks of Dentons Canada, explains the requirements that prevent data from leaving Canada]

CA – OPC’s New Priorities – Commissioner Therrien Provides an Overview

The OPC will address these priorities through exploration of technological solutions, promoting good privacy governance, and enhancing public education. Other strategies to address these priorities will involve addressing challenges relating to privacy in a borderless world and the way in which these priority issues affect vulnerable groups. [OPCC] [Daniel Therrien: Appearance before the Senate Standing Committee on Legal and Constitutional Affairs on Bill C-26, the Tougher Penalties for Child Predators Act]

CA – Penalties that do not Punish: The Canadian Anti Spam Legislation

If Compu-Finder had a valid due diligence defence resulting in a finding that they did not violate CASL, the reputational damage arising from headlines referring to million dollar penalties is hard to undo, if not impossible. Moreover, in light of the CASL legislation that permits penalties to be assessed prior to liability, a company that is exonerated would have no legal recourse to recover damages caused to its business reputation. Imagine if this were the process in regulatory offence procedure whereby the prosecutor announced that a company was charged with violating occupational health and safety law and in the same breath stated that the fine would be $1.1 millions. For a more extreme example, imagine a prosecutor stating to the media before a trial commenced that the sentence for a person charged with fraud should be seven years in the penitentiary. Such conduct would violate the presumption of innocence. Therein lies a key distinction. Administrative monetary penalties are not offences and do not attract Charter protection. [Global Compliance]

CA – Scarborough Hospital Privacy Breaches Lead to 19 Charges

Five people accused of criminal and securities offences over sale of new mothers’ confidential records. In all, the personal health information of nearly 14,000 maternity patients at Rouge Valley Health System may have been stolen and sold, including the more than 8,000 patients from its Scarborough site and a further 6,000 at its Ajax hospital. Ontario’s information and privacy commissioner reported in December that the hospitals had “failed to comply“ with their legal obligations to protect personal health information. [CBC]

CA – Ex-Privacy Commissioner Pans Bell’s Ill-Fated Ad Tracking Program

“We pay for Bell service and they’re gaining at the other end by driving ads to us that we don’t want,” Ann Cavoukian, Ontario’s former information and privacy commissioner, said during a panel Monday at the Canadian Telecom Summit. “That’s not a good model. Customers don’t like this, and I’m a Bell customer.” Bell was tracking every website a consumer viewed, every app opened, every television show watched and every call made. Through the contentious relevant advertising program (RAP), the telco would marry these insights and other long-compiled account details to create a profile of users, which would then be sold to fee-paying third parties so they could better target and match their advertising initiatives. [Source] SEE ALSO: [IT World: Cavoukian: Telus Shows How Big Data and Privacy Can Work Together] [Why privacy must be baked into the Internet of Things] and [RILEY, Thomas B. Riley Obituary]


US – Consumers Don’t Back Privacy-Personalization Trade-Off

A majority of U.S. consumers do not think trading privacy for personalized services is a fair deal, citing a survey by the University of Pennsylvania’s Annenberg School for Communication where 55% of respondents said they disagreed or strongly disagreed it’s acceptable for stores to use shoppers’ information “to create a picture of me that improves the services they provide for me.” The study’s lead author said, “Companies are saying that people give up their data because they understand they are getting something for those data … But what is really going on is a sense of resignation,” adding, “Americans feel that they have no control over what companies do with their information or how they collect it.” [The New York Times] [Americans Resigned to Giving Up Their Privacy, Says Study] [The Online Privacy Lie Is Unraveling]


US – OPM Data Breach: Raising Enforcement, Privacy Protection Questions

The government has an important responsibility to protect PI that it retains—whether that is the PI belonging to government employees retained by OPM, or financial information belonging to private citizens retained by IRS. But what are the consequences when government fails to protect information, as compared to when a corporation fails to protect information? The FTC and other government regulators are taking a hard look at, and in some cases bringing enforcement actions against, companies for inadequate data protection practices. (The issue of how the FTC decides to bring cases is itself an issue, as highlighted in this recent FOIA case filed against the agency). The question arises: what is the appropriate mechanism for ensuring that OPM or any other government agency is accountable for data protection? And who or what entity is in the position to judge whether government agencies’ data protection practices are adequate? [Source]

CA – IPC: Letter to the Treasury Board on the draft Open Data Directive

In this letter to the Deputy Minister Greg Orencsak, Treasury Board/Secretary of Treasury Board and Management Board of Cabinet, the Commissioner Brian Beamish congratulates the government for the release of the draft Open Data directive and offers his recommendations on the best ways to move forward on the Open Government initiative. His recommendations include:

  • Ensuring the protection of personal information is explicitly highlighted when opening new data sets.
  • Requiring de-identified data to be periodically reviewed so that it cannot be linked to individuals.
  • Direction on how to further open up access to the government procurement process and disclosure of contracts.
  • Requiring that descriptions of data sets are accessible and understand. [Text of letter] [Source]


WW – Facebook Supports Encrypted Emails

In a move designed to improve the security of email communications, Facebook has announced it is gradually rolling out a new feature that will allow users to encrypt messages sent from Facebook to a preferred email account. Users will be able to add OpenPGP public keys to their profiles allowing for end-to-end encryption. Public key management is not yet supported on mobile, but, the blog post states, “we are investigating ways to enable this.” Earlier this year Facebook announced that it will help fund the development of GnuPGP, an open source implementation of the OpenPGP standard. The company began encrypting all of its web traffic in 2013, making it harder for crooks and spies to eavesdrop on communications, and last year it added support for the anonymity tool Tor. Also, WhatsApp, the messaging company Facebook acquired last year, incorporated an encryption system from Open Whisper Systems into the Android version of its app last year. [New Facebook Feature Shows Actual Respect for Your Privacy] [Full Story] [Facebook Introduces PGP Encryption for Sensitive Emails]

US – MIIT Reg Provides Insight on User Consent

China’s telecommunications regulator, the Ministry of Industry and Information Technology (MIIT), has promulgated a new regulation aimed at cracking down on spam messages. Scott Livingston writes about the Administrative Provisions on Telecommunications Short Message Services that governs the sending of commercial solicitations by text or in-app messaging. “Although mainly targeting commercial solicitations, the SMS regulation provides additional guidance on the issue of ‘user consent’ that is likely to be of interest to companies involved in data collection activities in the Chinese mainland,” Livingston writes. The regulation “indicates that MIIT is taking a more sophisticated view of how consent is obtained,” he adds. [Full Story]

Electronic Records

US – Study: Privacy vs. Data Sharing: A “False Dichotomy”

Healthcare privacy and data sharing are not mutually exclusive, according to Department of Health and Human Services Office for Civil Rights (OCR) Director Jocelyn Samuels. “I don’t want to set this up as a zero-sum game where in order to get privacy you have to abandon data sharing or in order to do data sharing you have to abandon privacy,” Samuels said, calling the idea that privacy and data sharing are always at odds a “false dichotomy.” Samuels also discussed how the OCR plans to employ audits “as a tool to get out in front of potential privacy and security problems before they occur.” [FierceHealthIT]


WW – UN Report: Encryption is a Human Right

A new report from the United Nations states that encrypted communications are needed to protect freedom of opinion and expression and that encryption is a human right. UN Special Rapporteur David Kaye said encryption creates a “zone of privacy to protect opinion and belief.” He added, “The ability to search the web, develop ideas and communicate securely may be the only way in which many can explore basic aspects of identity, such as one’s gender, religion, ethnicity, national origin or sexuality.” [The Intercept] See also: [Microsoft’s Top Lawyer Says Company Must Weigh Encryption Limits]

US – Gov’t Websites Must Switch to HTTPS Before 2017

The White House Office of Management and Budget (OMB) announced that all federal websites are now mandated to be encrypted under a secure connection. While policy-makers acknowledge that the switch to HTTPS only covers the connection and not the systems themselves, the OMB believes the move “will eliminate inconsistent, subjective decision-making regarding which content or browsing activity is sensitive in nature and create a stronger privacy standard government-wide,” the report states. The change, which has a deadline of December 31, 2016, aims to promote “better privacy standards for the entire browsing public.” [Source]

US – App Claims NSA-Proof Encryption

USMobile has released Android app Scambl3, an encryption tool “developed in collaboration with the NSA” that does not have a “backdoor” for law-enforcement monitoring. While the goal of the app is to afford smartphone users more comprehensive privacy—the company has vowed not to collect data gleaned from the app on its own servers—its security is such that it has garnered “a special U.S. export license” so as to keep it from the hands of countries with known terrorist activity. Jon Hanour, cofounder and president of USMobile, stands by Scrambl3’s abilities. “We believe the NSA cannot break our encryption,” he said. [Yahoo Tech]

US – Facebook Moves to Encrypt the Emails it Sends Users

With anti-surveillance, kill-that-damn-Patriot Act fever rising, both US and UK governments and law enforcement agencies have been gnashing their teeth over strong encryption, given that it scrambles communications for those who don’t have the correct key to decrypt them. For example, Apple and Google both annoyed US law enforcement by updating their mobile devices to have encryption turned on by default – a move that went “too far,” FBI Director James Comey said. With OpenPGP, Facebook aligns itself with all those annoying tech companies opting for strong encryption on their users’ communications. [Naked Security]

US – Recent Thefts Indicate Encryption Is a Must

After payroll processing organization Heartland Payment Systems had unencrypted computers stolen from its Californian headquarters—the second of such recent thefts—critics are calling for more comprehensive data protection that includes the “physical” elements as well as digital. This comes on the heels of a recent lawsuit from consumers allegedly affected in the Home Depot data breach, who claim the corporation had “overarching complacency when it came to data security.” Writes, “If you are responsible for or you work in security for an organization, be sure to review where your data actually is and map that to where you think that it should be.” [Forbes]

WW – Philip Zimmermann: King of Encryption Reveals His Fears for Privacy

Zimmermann and Snowden are 30 years apart in age, but their actions have framed the privacy debate. Zimmermann switched his focus from campaigning against nuclear weapons to pushing back on state snooping in 1991, when he released PGP for free over the internet in an act of political defiance. His protest helped prevent legislation which would have forced software companies to insert “backdoors” in their products, allowing the government to read encrypted messages. The creator of PGP has moved his mobile-encryption firm Silent Circle to Switzerland to be free of US mass surveillance. Here he explains why [Source]

AU – Crypto Party Craze: Australians Learning Encryption

A new kind of party craze has many Australians scrambling for invitations. Crypto parties, where people gather to learn online encryption, are attracting everyone from politicians, to business people, to activists. Two years after US spy agency contractor Edward Snowden leaked documents from the National Security Agency, exposing mass global internet surveillance, there is rapidly growing interest in protecting online activity. There have been crypto parties in Brazil, Germany and the UK, and more than a dozen have already been held in Australia. Apps like Wickr, Confide and WhatsApp have taken encryption out of the geek lab and to the masses. [Source]

EU Developments

EU – New EU-US Data Transfers Agreement Due Soon, Says US Official

EU and US officials should agree a new framework for the transfer of personal data by companies from the EU to the US “very, very soon”, a US official has said. The new agreement would replace the safe harbour framework which currently exists and facilitates the transfer of personal data from the EU to the US by US businesses. [Out-Law] [Reuters] [EU Justice Commissioner Vera Jourová has said European regulators are waiting for the U.S. to move on the use of personal data by its intelligence services before any further progress resumes on the future of the Safe Harbor agreement.]

EU – Fate of Safe Harbor in Limbo as EU Waits for U.S. to Budge

EU Justice Commissioner Vera Jourová has said European regulators are waiting for the U.S. to move on the use of personal data by its intelligence services before any further progress resumes on the future of the Safe Harbor agreement. Of the 13 recommendations sent to the U.S., two remain unfulfilled. “There, we’re still negotiating because we haven’t received satisfactory responses from the American side,” she said. European Data Protection Supervisor Giovanni Buttarelli said, “We are aware about the difficulties but at the same time, it’s time to have an answer from the U.S. side—on the commercial dimension and on the national security exception.” Additionally, U.S. Attorney General Loretta Lynch is meeting with Jourová and other EU officials Tuesday to discuss transatlantic cooperation. [EurActiv] See also: Jan Dhont and Alyssa Cervantes report on the European Court of Justice’s examination of a key question concerning the future of transborder data flows between the U.S. and EU.

EU – New Guidance on Processor BCRs Published by Art 29 WP

The Article 29 Working Party published new guidance on data processor BCRs, the significance of which “cannot be overstated.” That’s because the updated document offers guidance on how processor BCR companies should respond to government requests for access to data, a topic of great contention in Europe since the Snowden revelations. It puts companies in a catch-22, because it suggests companies receiving a government request for data put the request on hold and share with the relevant European DPA—something which may not be possible under foreign legal requirements. [Privacy and Information Law Blog] [Handling Government Data Requests Under Processor BCR]

EU – GDPR Trilogue Agenda Released

Group PPE has released a timetable for finishing up the European Parliament’s data protection reform, including an agenda for the highly anticipated trilogue process that details the proposed six-month schedule. This puts the proposed EU General Data Protection Regulation in the final stretch of what has surely been a marathon-like process. Hogan Lovells Partner Eduardo Ustaran breaks down the remaining hurdles and offers his predictions in this final stretch. Moving forward, “the challenges that lie ahead will be a real test of endurance,” he writes. [Source] [Privacy Perspectives] See also: In the context of French, Spanish, German and Dutch regulators’ investigations into Facebook’s practices, The New York Times reports on the increasingly complex questions surrounding regulation in the EU] [In a blog post for Hogan Lovells’ Chronicle of Data Protection, Partner Eduardo Ustaran examines the much-discussed one-stop-shop proposal]

EU – EU Governments in Disagreement Over Data Breach Liability Rules

EU governments are in disagreement over whether consumers should be able to sue businesses for damage they suffer as a result of a data breach even where those businesses are not responsible for the damage caused. The leaked papers also reveal that there is disagreement about whether data controllers and data processors should share the bill for damages where they are both responsible in part for non-compliant processing of personal data. This would require consumers to sue each of the businesses involved in that processing to recover from them what they each owe for the damage caused. [Out-Law]

EU – German Gov’t Proposes Telecom Data Retention Law

The draft data retention law unveiled on Wednesday would oblige providers to store call and Internet traffic metadata for a maximum of 10 weeks while location data would have to be stored for four weeks, the German government said. The measure is meant to help law enforcement agencies in their fight against terrorism and serious crime. According to the government, it strikes the right balance between freedom and security in the digital world. However, plans to retain metadata for these purposes are controversial in Germany and the draft law was immediately heavily criticized. [PC World] [Revised Data Retention Sought by Merkel Cabinet] [A draft German data retention law has been released, establishing new rules for telecommunications and Internet providers.] See also: The Guardian offers an outline of new surveillance powers proposed in the UK and what they would mean for businesses

EU – DPC Doubtful Proposal Is Constitutional

Data Protection Commissioner Andreas Voßhoff is criticizing the government’s bill on data retention, saying it not only amounts to a disproportionate violation of Germans’ basic civil rights but also those of other Europeans. Voßhoff wrote in a 31-page position paper that the government’s bill is “still not capable of” alleviating “considerable doubts regarding the general constitutionality” of data retention in telecommunications traffic, the report states. The bill would allow retention of all citizens’ telephone and Internet communications for 10 weeks. Voßhoff said the bill interferes with laws protecting the basic right to respect private and family life and protect personal data. [EurActiv]

UK – UK Intelligence Agencies Should Keep Mass Surveillance Powers: Report

UK intelligence agencies should be allowed to retain controversial intrusive powers to gather bulk communications data but ministers should be stripped of their powers to authorise surveillance warrants. That is the conclusion of a major report on British data laws published this week that proposes changes to the oversight of GCHQ and other intelligence agencies. The 373-page report, A Question of Trust, by David Anderson QC, also comes in response to revelations by the US whistleblower Edward Snowden about the scale of government surveillance disclosed two years ago. GCHQ will be happy to have retained its bulk collection powers while privacy campaigners will be dismayed. The privacy lobby will take comfort though in the shift on warrants to judicial control. The security agencies are likely to be relaxed about judicial control, which would bring the UK into line with the US and many other intelligence-gathering countries. As a direct consequence of the Snowden revelations, the report recommends that existing legislation on surveillance, the Regulation of Investigatory Powers Act (Ripa), be scrapped and fresh legislation drafted from scratch. The report by the official reviewer of counter-terrorism laws, was commissioned by David Cameron in July last year. The findings are likely to feed into proposed legislative changes on surveillance announced in the Queen’s speech. [The Guardian]

EU – GCHQ Uses Data Techniques Outlawed In US, Say Campaigners

Privacy International files legal claim and calls for end to harvesting of ‘bulk personal datasets’ by UK following last week’s passing of USA Freedom Act. The passing of the USA Freedom Act last week curtailed so-called “section 215” bulk collection of phone record metadata – information about who called whom, and timings, but not the content of conversations. It was a victory for the libertarian cause and a restriction of state surveillance powers. By contrast, UK privacy campaigners say, parliament’s Intelligence and Security Committee (ISC) has confirmed that GCHQ is still collecting datasets relating to “a wide range of individuals, the majority of whom are unlikely to be of intelligence interest.” [Source] [MPs Tom Watson and David Davis, with civil rights group Liberty, will petition the UK High Court in opposition to the Data Retention and Investigatory Powers Act, a measure that enabled the UK government to have “more surveillance power and Internet control” and allegedly competes with the European Convention on Human Rights] [Tim Berners-Lee Criticizes New Surveillance Plans of the British Government, Urges Britons to Fight the Snooper Charter]

UK – Legal Bid Over Personal Dataset Use

Privacy campaigners have launched a legal challenge against the use of large databases of personal information by Britain’s spy agencies. They are calling for watchdogs to intervene to end a technique which is seen as an “increasingly important investigative tool” for intelligence agencies. Privacy International said it lodged a claim at the Investigatory Powers Tribunal (IPT) objecting to the use of “bulk personal datasets” by MI5, MI6 and listening post GCHQ. They contain information which may be “extremely intrusive and sensitive” about “very large numbers of people, the majority of whom are of no legitimate intelligence interest whatsoever”, legal papers from the campaign group allege. Privacy International is calling on the IPT to declare the use of the datasets unlawful and issue an injunction blocking their future use. The Home Office said all surveillance activity is carried out in accordance with a “strict legal and policy framework”. Details about the use by security services of bulk personal databases emerged in a report by MPs earlier this year. The Intelligence and Security Committee (ISC) said they are “large databases containing personal information about a wide range of people” which vary in size from hundreds to millions of records. They are used to identify “subjects of interest” during the course of investigations, establish links and as a means of verifying information obtained through other sources. The report said GCHQ told the committee it considers bulk personal datasets to be an “increasingly important investigative tool” which is primarily used to “enrich” information already obtained through other techniques. [Source]

EU – What to Look Out for in Britain’s New Surveillance Bill

The government intends wholesale reform, but will it perpetuate a dark history of invasion of privacy or follow the US example, and end invasive surveillance? It is now clear that the government intends to pursue wholesale reform of surveillance law in the UK in the guise of the investigatory powers bill, which the government would like to see passed within a year. In some ways, this is a positive development: after two years of intense scrutiny by courts and committees, Britain’s legal framework for surveillance has been found desperately wanting, and a decision to overhaul surveillance law, rather than simply extend powers by attempting a revival of the snooper’s charter, raises the prospect that the government may be taking heed of some of the criticisms it has received. On the other hand, the investigatory powers bill could well turn out to be the government’s attempt to correct the technical legal failings of the current framework, insulating it from the inevitable criticism of the European court of human rights, while acquiring even more invasive surveillance powers. [Source]

EU – Senate Vote “Essentially Ensures” New Law

The French Senate has supported a new surveillance bill that would give intelligence agencies more freedom to monitor phones and email without a judge’s permission. By a vote of 251 to 68, the Senate took “a major step toward giving its spy agencies vast new powers in the wake of the deadly Charlie Hebdo attack,” the report states, noting the bill, which includes “a clause that would allow intelligence agencies to collect and analyze user metadata,” gives “law enforcement more power to monitor citizens without first going through the customary independent nine-person panel.” The Senate’s vote “essentially ensures the eventual adoption” of the legislation, the report states. [The Christian Science Monitor]

EU – Breach Notice Becomes Law in The Netherlands

Under the new law, the CBP will be have the authority to impose administrative fines ranging from E20,250 for relatively minor violations of the DPA to E810,000 for more serious violations. If the maximum fine is not deemed to be a suitable punishment, the CBP may also impose an administrative fine equal to 10% of the net annual turnover of the company in the preceding year. The law sets out specific circumstance in which the maximum fine may be imposed, but the imposition of the maximum fine requires the CBP to give the offender a warning to rectify the breach, a so called “binding instruction.” [DataProtectionLaw] [Data Guidance]

EU – CNIL to Investigate Data Privacy in Contactless Payments and Digital Health

The data protection authority in France is to review whether the use of contactless payments technology in the country respects consumers’ privacy. “CNIL is likely to be interested in the type of data that is being collected through contactless payments systems and whether the collection of that data is proportionate.” “CNIL will also want to ensure that sensitive payment data is not retained or is securely protected from hackers and that consumers’ right to object to the processing of their data via contactless payment systems is being observed.” “Data security in contactless payments is another issue CNIL will be concerned with and it will have a number of questions for companies about the steps they are taking to keep the sensitive account details of consumers private.” [Source] [France’s Data Protection Authority, the CNIL, has promised a focus on “contactless payments, Binding Corporate Rules and wellness and health devices and services” in the coming year, and it plans to inspect 550 organizations in 2015]

EU – CNIL Shows Regulatory Interest in Connected Cars and Smart Cities

The CNIL reported that it received over 5,000 complaints in 2014 and conducted over 400 investigations, including 146 remote investigations (the CNIL is empowered since March 2014 to conduct remote investigations). It also issued 62 cease and desist letters, ordered eight monetary fines and seven warnings in 2014. In addition, the CNIL revisited the actions it took in 2014, including the publication of “compliance packs” for certain industry sectors, such as the insurance sector (see our blog post of December 2014), the adoption of an accountability standard and the creation of a hub within the CNIL which is dedicated to BCRs. [Source]

EU – CNIL to Google: Delist on All Domains, or Else

The CNIL, France’s Data Protection Authority, has issued a report stating Google has not been universally removing links following the Court of Justice of the EU’s recognition of “the right to delisting” last year. “In this context, the president of the CNIL has put Google on notice to proceed, within a period 15 days, to the requested delisting on the whole data processing and thus on all extensions of the search engine,” the CNIL announced. Meanwhile, former UK GCHQ Director David Omand described Google as one of the few companies willing to work with intelligence agencies . Separately, Dan Shefet, the Danish lawyer who was able to have Google remove “defamatory information about him worldwide,” met with the EU to discuss ways to make the right-to-be-forgotten easier to implement, Reuters reports.[Full Story] SEE ALSO: Italy’s Data Protection Authority, the Garante, has issued a data protection handbook for employers to use as a tool in navigating privacy regulations that are applicable to the employment relationship.] [Italy’s new cookie policies came into effect last week]

Facts & Stats

US – Survey Indicates Change in Security Practices Need

The Informatica Corporation’s recently published survey, “The State of Data Security Intelligence ,” indicates that IT professionals are concerned about “escalating” privacy worries at work and the relative ineptitude of companies regarding data breaches, concluding there is a “need for consensus for data security intelligence.” The study involved more than 1,700 IT professionals, and 55% of those who “have had a breach in the past 12 months believe it could have been avoided if certain processes and intelligent technologies had been in place,” the report states. The findings indicate change is needed, said Larry Ponemon. “Organizations need to seriously consider adopting a data-centric security stance without delay. To do otherwise may soon be construed as negligence.” [Full Story]

US – Data Breach? Blame the CEO

A recent New York Stock Exchange and Veracode survey of 200 corporate directors finds that a majority of board executives place the blame for data breaches on CEOs over security teams, and the reason for doing so might be money. “That the directors are holding entire executive teams accountable ahead of security officers may reflect their acknowledgment that maintaining defenses costs time and money, and that higher-ups tend to hold the purse strings and set the priorities within organizations,” the report states. “Indeed, security officers can easily be hamstrung if they don’t receive the resources they need.” [Fortune]

CA – Cost of an Average Canadian Data Breach is $5.3 Million: Study

CSOs who need a weapon to convince management to up the IT security budget can throw this at them: The average cost to an organization of a data breach in Canada last year was just over CDN$5.3 million — about $2 million higher than the global average. That’s according to research conducted by the Ponemon Institute and sponsored by IBM, which looked at the actual costs of data loss or theft suffered by 21 Canadian companies in 11 industry sectors. The costs were based upon estimates provided by the organizations interviewed over a 10-month period. Ponemon acknowledges that the 21 companies sampled were not statistically representative of all companies here that suffered a breach last year. Note that’s an average cost: The study didn’t include organizations that lost over 100,000 records because they wouldn’t have been representative of most breaches. (The average number of lost records in the group was just over 20,400. The biggest number of lost records among the 21 firms studied was 74,550). Among the report’s highlights:

  • The biggest component of the CDN$250 per record cost of data breach in the studied companies was detection and escalation ($91). Post data breach response (ex-post response) and lost business were $67 and $84, respectively. Customer notification costs represented $8 per compromised record;
  • Certain industries had higher data breach costs. Financial, services, technology and energy had a per capita data breach cost substantially above the average $250. Public sector, education, and consumer organizations had a per capita cost well below that;
  • Malicious or criminal attacks caused the most data breaches. 52% of incidents involved a data theft (exfor criminal misuse. System glitch and employee negligence or human error both represented 24%of all data breaches;
  • Incident response teams and plans, extensive use of encryption, employee training programs, board-level involvement, CISO appointments, business continuity management and insurance protection decreased the per capita cost. However, third party involvement, lost or stolen devices, quick notification and engagement of consultants increased the cost.

The report was one of a series released last week covering Canada, U.S., the U.K., Germany, Australia, France, Brazil, Japan, Italy, India, and the Arabian region. [Source]

UK – Average Data Breach Costs £4.25M

An annual study from the Ponemon Institute and IBM found that the average cost per capita cost in a data breach increased to US$217 in 2015 from $201 in 2014. Plus, the average total cost of a data breach increased to $ 6.5 million from $5.8 million the prior year. The U.S. looked at 62 companies in 16 industry sectors after they experienced the loss or theft of protected personal data and then had to notify victims. The cost per record takes into account indirect costs, such as abnormal turnover or churn of customers, as well as direct costs caused by the breach itself, including technology investment and legal fees. Only $74 was attributed to direct costs. The study also noted, however, that not all records are seen as equal when stolen. Health records have an average cost of $398 each, whereas retail records cost $189 each. [SC Magazine]

UK – UK Firms Suffer More Data Breaches

The number and cost of data breaches suffered by British organisations have increased, a Government-commissioned report found. Nine in 10 large organisations reported being hit by an information security incident, an increase from 81% last year, research by professional services firm PwC found. Nearly three-quarters of smaller firms (74%) were affected by breaches, up from 60% a year earlier. The study also found that the average cost of the most serious incidents has jumped. The average is now between £1.46 million and £3.14 million. It means the higher end of the range has more than doubled from the £1.15 million recorded in the same report a year ago. Costs of breaches include business disruption, lost sales and recovery of assets. Incidents include infection by viruses or malicious software, theft or fraud involving computers, other breaches caused by staff and attacks by an unauthorised outsider. The report said there was a rise of more than a third (38%) in the number of external attacks on large organisations. These involved activities such as “penetration of networks”, denial of service attacks, phishing scams and identity theft. By contrast, frequent, large and unsophisticated attacks appear to be declining among the businesses surveyed. The report said the nature of the most serious incidents is changing to become “more targeted”. It added: “Small businesses should not presume that they will escape targeted attacks.” [BT News]

WW – Full Results of 2015 IAPP Salary Survey Released

With data from more than 1,300 privacy professionals around the world, the 2015 IAPP Salary Survey has information on compensation related to experience, industry, certification, geography and gender, along with historical trends, in the most extensive survey of the privacy profession we’ve ever done. Our executive summary, highlighting the major findings, is open to everyone, but only IAPP members have access to the full report, with more than 50 pages of statistics. [Full Story]


US – Deleted Political Tweets Archive Disabled

A website that collected the deleted tweets of politicians was shuttered by Twitter last month. Access by Politwoops, which was funded by the Sunlight Foundation, to Twitter’s API was suspended because it contravened Twitter’s terms of service. A Twitter spokesman said, “We strongly support Sunlight’s mission of increasing transparency in politics and using civic tech and open data to hold government accountable to constituents, but preserving deleted Tweets violates our developer agreement,” adding, “Honoring the expectation of user privacy for all accounts is a priority for us, whether the user is anonymous or a member of Congress.” [Ars Technica] [Gawker]


US – Virtual Currencies Placed Under New Regulatory Requirements

The New York Department of Financial Services (NYDFS), an agency that regulates Wall Street, issued new rules that will place restrictions on financial firms wanting to use virtual currencies. NYDFS’s Benjamin Lawsky said, “We think regulation is important to the long-term health of the virtual currency industry,” adding, “Building trust and confidence among consumers is crucial for wider adoption. It also helps attract additional investment.” Financial firms using virtual currencies must obtain a “BitLicense” and keep detailed records of bitcoin transactions, the report states. “We simply want to make sure that we put in place guardrails that protect consumers and root out illicit activity—without stifling beneficial innovation,” Lawsky said. [The Hill]

US – Dear Banks: Protect Your Clients by Restricting Tellers

New York Attorney General (AG) Eric Schneiderman believes that the way to increase security at banks is to deny tellers the current “unfettered” access they have to client accounts, as such access can allow tellers to steal “customer data and money” with relative ease. The AG’s office “found that ‘insider wrongdoing’ such as the tellers’ crimes was the No. 3 cause of data breaches in New York, behind hacking and lost or stolen equipment,” the report states. “While teller-fraud cases often get overlooked because of the small dollar amounts involved,” Schneiderman feels that should not be a deterrent. “Bank customers are still at risk,” he said. [The Wall Street Journal]

CA – Canada’s Insurance Regulators Sign MOU to Share Industry Conduct Information

Four members of the Canadian Council of Insurance Regulators (CCIR), an inter-jurisdictional association of insurance regulators, announced on Monday that they have signed a memorandum of understanding (MOU) that “sets out the terms for cooperation and exchange of information across provincial and territorial jurisdictions” to make the process simpler and more effective. The MOU will address issues like risk surveillance, consistent handling of consumer complaints, commercial practices and protection of confidential information “CCIR members represent every province and territory, and it’s in all our interests to work more closely to ensure that we can cooperate and share information on Solvency Supervision and Market Conduct of Regulated Entities,” CCIR chair Patrick Déry said in a statement. “As a result, today we are signing a comprehensive MOU that will formalize information sharing and address issues like risk surveillance, consistent handling of consumer complaints, commercial practices and protection of confidential information.” Déry said in the statement that the remaining CCIR members are expected to join their counterparts in British Columbia, Alberta, Ontario and Quebec and sign on to this new MOU in the “coming months.” The CCIR signatories have agreed to share information needed to coordinate regulation of insurance companies that carry on business in more than one province of territory. The MOU also provides specific protocols for the sharing of confidential information. All provinces and territories conduct investigations into consumer complaints about insurance practices, but the MOU will also allow jurisdictions to share in “broader market and risk analysis.” [Canadian Underwriters]

US – RadioShack Bankruptcy Case Highlights Value of Consumer Data

This case serves as an important reminder that companies must think about these types of issues on a regular basis as they conduct business. Companies must carefully consider the promises they make to consumers, particularly promises that may be overbroad and short sided or, at worst, untrue. Moreover, companies acquiring or investing in other companies should carefully consider the privacy issues surrounding consumer data, particularly if consumer data is a key asset in the deal. [InfoLaw]


CA – Freedom of Information Laws a Poor Match for Secretive Governments

Advocates say lengthy delays, obfuscation and retroactive laws are defeating transparency. B.C. Privacy Commissioner Elizabeth Denham has raised concerns about the timeliness of responses and an increase in cases where no record could be found in response to a request — no email, text or paper trail. The Federal Court of Appeal recently chastised the Department of National Defence for telling someone it would take more than three years to respond to a request. And federal Information Commissioner Suzanne Legault has warned against amendments to the Access to Information Act that would retroactively protect RCMP from prosecution for destroying long-gun registry records. If anything, she argues, the act needs tougher penalties along with greater access. “Access to information held by government is critical to the functioning of a modern democracy,” Legault said in press conference in March. “However, in reality, an act that was intended to shine a light on the decisions and operations of government has become a shield against transparency.” [CBC]

CA – Four Things to Know About Highway of Tears Scandal

It’s a scandal that has the potential to rock Christy Clark’s supremacy in B.C. A former legislative staffer claims the Liberal government routinely circumvents Freedom of Information laws by deleting sensitive documents and emails. When Tim Duncan questioned the practice, he said he was told: “It’s like in the West Wing. You do whatever it takes to win.” Duncan, who used to work for the province’s Transportation Minister, Todd Stone, came forward last week. In a letter to the province’s privacy commissioner, he claims his colleagues deleted emails pertaining to the infamous Highway of Tears. [National Post]


US – Men Win Case Under Genetic Discrimination Law

The first case tried under a law preventing employers and insurers from discriminating against people with genes that increase their risks for costly diseases. The case, however, involved two men who sued their employer after the company asked to take a DNA test in an effort to find a match for feces that someone had nefariously been leaving around their work facility. The men, who were cleared of any wrongdoing when the DNA did not match, were subjected to humiliating jokes, the report states. A judge ruled in favor of the men, ruling the test falls under the Genetic Information Nondiscrimination Act. [The New York Times]

US – Cops Use DNA Analysis to Prove Waiter Spit in Customer’s Drink

A New York man who suspected that a restaurant waiter had spit into his drink got the law involved and investigators were able to determine who spit into the drink using DNA analysis, according to court documents. [Source]

Health / Medical

US – HIPAA Violation Results in 10-Year Sentence

The recent sentencing of two individuals in Alaska to 10 and two years in prison, respectively, illustrates the power of the HITECH provision and that HIPAA crimes have serious consequences in the eyes of the law. While the maximum punishment for HIPAA-related crimes is 10 years and cases thus far in the U.S. haven’t been frequent, 2009’s HITECH law permits big punishments. “The HITECH Act amended the criminal provision to more explicitly permit prosecutors to go after anyone who improperly obtains or discloses health information, even if not part of a covered entity.” [Gov Info Security]

US – Two-Thirds of Doctors Reluctant to Share Health Data with Patients

The polling question was simple. Should patients have access to their entire medical record – including MD notes, any audio recordings, etc…?  For many, the response by over 2,300 physicians came as no real surprise.

  • 49% ? Access to all records should only be given on a case-by-case basis
  • 34% ? Yes, Always
  • 17% ? No, Never

In effect, a full two-thirds (66%) were clearly reluctant to share health data with their patients. A significant 17% were completely opposed to the idea outright. [Forbes]

CA – Ontario MD Watchdog Becoming Less Secretive

Ontario’s medical watchdog has become less secretive about doctors who make mistakes and act improperly. In an effort to increase transparency and accountability, the College of Physicians and Surgeons of Ontario is now letting patients know when it has “orally cautioned” doctors. New measures, adopted by the regulator last week, also include calling on the province to get tougher with physicians who sexually abuse patients, calling for “mandatory revocation” of doctors’ licences in all cases of “physical sexual contact” with patients. In addition, it has plans to ponder whether it should report to police whenever a physician may have committed a crime, and whether gender-based restrictions are appropriate. [Toronto Star]

US – Social Media Policies Needed in Medical Offices

Medical offices need social media policies for their employees. With the advent of a constant social media presence, the ability for a HIPAA slip-up or breach of patient privacy via an employee’s personal account has grown. “Creating a social media policy to clarify the standards for permissible and prohibited content for both personal and professional social media is one way to protect your patients, your productivity and your business reputation,” the article states. Smaller offices are encouraged to mimic other preexisting healthcare privacy policies, “setting examples” of what is appropriate to post, and making it explicitly clear the consequences of a breach of protocol. [Healthcare IT News]

US – Health Sites Lack Proper Safeguards: Research

According to student research, online health resources like WebMD do not have adequate privacy controls for their search engines. The University of Pennsylvania’s Tim Libert discovered that symptoms typed into these engines were being sold to third parties. “There’s been some kind of chilling cases: companies selling lists of people who had been raped or people who had AIDS,” Libert said. “So there’s a market for this stuff.” The report also looks at the marked difference between patient treatment in real time and on websites. “Anything that is happening on the Web today is pretty much completely unregulated,” Libert said, noting that HIPAA, while a “pretty good law,” doesn’t necessarily translate online. [NPR]

Horror Stories

US – FBI Examining IRS Attack

The FBI will investigate the data breach at the Internal Revenue Service and is working “to determine the nature and scope of this matter,” while Dark Reading reports early information about the breach “is offering security food for thought to both public- and private-sector organizations. According to security pundits, the breach offers ample evidence of authentication weaknesses prevalent today and also shows how interconnected unrelated data breaches can really be.” [The Hill] [IRS Authentication Method Criticized] [The New York Times – IRS to Make Sweeping Changes Following Breach] [Government Executive: IRS Commissioner Says Budget Crunch Not to Blame for Breach]

US – Massive Cyber Attack Hits US Federal Workers, Probe Focuses on China

In the latest in a string of intrusions into US agencies’ high-tech systems, the US Office of Personnel Management (OPM) suffered what appeared to be one of the largest breaches of information ever on government workers. The office handles employee records and security clearances. A US law enforcement source said a “foreign entity or government” was believed to be behind the cyber attack. Authorities were looking into a possible Chinese connection, a source close to the matter said. [Source] [Federal Personnel Info Stolen Hackers Grab Data on 4 Million Workers] [The New York Times: Hackers May Have Obtained Names of Chinese With Ties to U.S.] [$21 million tab to taxpayers for clean up after massive Chinese hack of federal database]

US – OPM Breach: Unanswered Questions Scope, Attribution, Impact

The FBI has confirmed that it’s investigating the intrusion, which was revealed June 4 when the OPM posted a breach notification on its website. The office said it discovered the intrusion in April as it was continuing to update its information security defenses. Here are seven key questions related to this rapidly unfolding story. [Data Breach Today]

US – Union: OPM Breach Response “Abysmal Failure”

A union representing federal employees has criticized the Office of Personnel Management’s response to its massive data breach, calling it an “abysmal failure” and claiming it was much worse than disclosed. The American Federation of Government Employees says the breach allowed hackers to obtain data—including Social Security numbers—for every federal employee, every federal retiree and up to one million former federal employees. A Wired report looks at ways in which the breach has far graver repercussions than anyone could have thought. [The Wall Street Journal]

US – Gov’t Breach May Reach Beyond Federal Employees

The massive data breach that affected at least four million government employees may also involve private citizens’ personal data. Information about family, friends and even college roommates is often included on forms for federal background checks that “were, in their entirety, part of the stolen information,” meaning a “potential release of a staggering amount of information, affecting an exponential amount of people,” an official said. Some of the compromised data dates back to 1985. House Homeland Security Committee Chairman Michael McCaul (R-TX) described the breach as “the most significant breach of federal networks in U.S. history,” but two “privacy-minded” Senators are pushing back against calls from lawmakers to immediately pass a stalled cyber bill. [ABC News]

CA – Stolen Maternity Records Part of Larger Investigation

The alleged scheme to sell stolen maternity ward records to investment brokers so they could peddle RESPs to new mothers was much larger than previously believed, according to sworn police documents. After charging a former Rouge Valley Hospital clerk last November, this week the Ontario Securities Commission laid charges against another hospital employee and three financial salespeople. But the 290 page document summarizing the police investigation reveals that police were aware of at least 15 other RESP sales representatives and two other hospital employees involved — though they haven’t been charged. By the numbers

  • $11,420 – minimum amount police say three financial salespeople paid two nurses for the names of new mothers.
  • 14,450 – number of mothers contacted by Rouge Valley Hospital to inform them that their confidential patient information may have been stolen.
  • $1 – how much the nurse and clerk were allegedly paid per name.
  • $2.50 – the price for one name that one RESP salesperson charged when selling them to other sales representatives. [Source] [Nurses, financial execs charged in patient RESP scheme]

UK – Are Organizations Ready for Watershed Moment?

While there’s ample evidence to show that data breach incidents have risen markedly, they didn’t necessarily “garner the kind of media coverage that can help to increase organizations’ awareness and encourage them to take the risks seriously,” a new whitepaper from Experian reports. Data Breach Readiness 2.0 outlines this changing landscape, the future of data breaches and offers a “customer first” approach to data breach response that includes a focus on managing the impact on those affected, “recognizing that this is where all other impacts ultimately flow from.” The whitepaper also encourages regular testing of programs and plans to ensure all possible outcomes are covered. [Data Breach Readiness 2.0]

US – Looted Pharmacies Mean Privacy Concerns

Looted pharmacies in Baltimore, MD, are alerting customers that the labels on stolen prescription drugs are a potential privacy threat. While the stolen drugs’ labels do not disclose SSNs, they do contain information such as names and addresses, permitting thieves to refill the prescription at the original prescription-holder’s expense, amongst other acts of fraud. In the wake of this revelation, brands such as Rite Aid have sought the assistance of risk management firm Kroll in an attempt to protect customer privacy. Thus far, however, “There is no evidence that personal information found on stolen prescriptions has been used for fraud, pharmacy and law enforcement officials said,” the report states. [The Baltimore Sun]

US – Heartland Breached Again

Another breach at Heartland Payment Systems has affected their payroll customers. The company made a breach warranty promise earlier this year because it said it was “so confident in the security of its payment processing technology.” But a break-in at its California offices saw thieves make away with a large number of computers and other materials. State and federal law enforcement are involved in investigating. [Forbes]

AU – Adobe Breached Privacy Act Leaving 38 Million Customers Exposed

Adobe has agreed to allow an independent auditor to ensure it has taken sufficient to harden its systems following a cyber attack that left 38 million of its customers exposed to fraud in 2013. Australian Privacy Commissioner Timothy Pilgrim revealed that he had requested the audit after revealing the findings of inter-governmental report that led him to conclude that the software company breached the Privacy Act. Adobe had not responded to requests for comment on the findings but a spokeswoman for the Office of the Australian Information Commissioner (OAIC) confirmed that the software company had agreed to the measure. The breach, which took place when Adobe left an obsolete server containing personal information exposed to the internet for about three months, gave hackers access to a database containing massive amounts of sensitive information belonging to its Australian customers. It included email addresses, encrypted passwords and plain text password hints, and in about 135,000 cases encrypted card numbers and other payment information. Overall, the breach impacted 1.7 million Australians. [CSO Online]

US – Adobe Finalizes Settlement Details

Adobe will “improve its security measures and pay nearly $1.2 million in legal fees plus $5,000 per named plaintiff” to settle a class-action lawsuit stemming from a 2013 data breach. In that incident, Adobe customers’ payment card data and personal information were comprised. According to court the filing , “expert analysis concluded that although measures could have been taken to minimize or prevent the breach, there was little to no evidence that any of Adobe’s customers suffered identity theft or actual damages as a result of it,” the report states, noting the settlement is now subject to the approval of U.S. District Judge Lucy Koh. [SC Magazine]

WW – Other Horror Stores in the News

The Office of the Australian Information Commissioner has said it is gathering more information about the recent breach at Woolworths, and Sally Beauty issued a statement detailing what happened in its March data breach. ] | [Indian Music Service Breach affects 10 million Gaana.com users] | [Following a breach lawsuit, Cottage Healthcare System’s insurer “argues that it is not liable for the payout because Cottage did not provide adequate security for its documents, a clause the California hospital network agreed to when it signed the insurance policy“] [Laptop Containing Personal Information of Mod Employees Stolen From Motorway Services]

WW – Your Data is Showing:

Courts and consumers are faced with a quandary. Data leaked now could be used a decade or more hence, and both courts and individuals are left calculating probable future risk as well as current exposure. Consumers face limited options for protecting themselves. A telling measure of frustration is a syndrome that has been termed “data breach fatigue.” A third of people notified about a breach don’t take any action at all, according to a 2014 study by the Ponemon Institute. [First Look]

Identity Issues

US – Government’s Plans to Identify You Based on Your Tattoos

Tattoos aren’t just for rebels: 1 in 5 American adults have some ink, according to recent polls. And now the government is trying to beef up technology that can automatically identify people by their tattoos. The National Institute for Standards and Technology, a part of the Commerce Department that has taken the lead on evaluating biometrics, organized a “challenge” in which groups faced off to see who could deliver software and algorithms that identified tattoos most accurately. The event, sponsored by the FBI’s Biometric Center of Excellence, brought together researchers from academia and the private sector to test image recognition technology against five different scenarios.  [The Washington Post]

US – Electronic ID Pilot Begins

The government has begun distributing electronic identity (eID) cards “as a pilot project, a step to better protect citizens’ personal information from online leaks.” Developed by the Ministry of Public Security’s No.3 Research Industry, “the eID will be citizens’ second identity for use in cyberspace. It features a cryptographic algorithm technically impossible to hack and would only generate random strings once cracked,” the report states, noting it “could be loaded to bank cards, SIM cards and identity cards.” The eID “provides a person’s true identity” and could be used for online interactions that “involve financial security, property safety and privacy of Internet applications,” the report states. [Global News] [ReadWrite: Two-Factor Authentication a Workplace Necessity] [New Zealand: Expert perspectives on digital identity and privacy]

Internet / WWW

US – FTC Workshop Explores Privacy in the Sharing Economy

The rise of peer-to-peer networking and the burgeoning “sharing economy” was the topic at a FTC workshop in Washington, DC, where participants discussed whether there is need for new regulation. In a wide-ranging conversation covering rapidly changing business models, potential regulatory obligations and consumers’ increasing dependence on reputational feedback mechanisms, economists, industry representatives and academics hashed out what is clearly a complex but innovative sector of the modern economy. [Full Story]

WW – FPF Whitepaper Examines Privacy in the Sharing Economy

The Future of Privacy Forum (FPF) has released a whitepaper that focuses on the reputational, trust and privacy challenges users and providers face on management and accuracy of shared information. User Reputation: Building Trust and Addressing Privacy Issues in the Sharing Economy considers how reputation-building and trust are frequently essential assets to a successful peer-to-peer exchange and looks at issues surrounding identity, anonymity and the role of social network integration. Services like Uber, Airbnb and Etsy rely on online and mobile platforms and peer-to-peer sharing of reputational information, including reviews and recommendations. “If consumer access to services is dependent on ratings and reviews, consumers need transparency into how these systems work,” said the FPF’s Jules Polonetsky. [Full Story]

US – IAB: How Will FCC Jurisdiction Affect Us?

After a change in policy brought Internet broadband providers under the Federal Communications Commission’s (FCC) jurisdiction, the Interactive Advertising Bureau (IAB) “wants to clarify whether the net neutrality rules will result in new privacy restrictions.” Industry groups including the IAB met with the FCC to discuss the implications of the order on May 28, and while the outcome of the session was not disclosed in the report, the order itself indicates that broadband providers are certainly on the FCC’s radar. Providers “are in a position to obtain vast amounts of personal and proprietary information about their customers,” the order states, noting, “Absent appropriate privacy protections, use or disclosure of that information could be at odds with those customers’ interests.” [MediaPost]

WW – Lack of Privacy in Self-Driving Cars Means Greater Manufacturer Responsibility

The advent of the “self-driving car,” Jack Boeglin argues, “means that the more privacy and freedom motorists are willing to give up, the more that liability should flow to manufacturers, government entities and other third-parties.” The Wall Street Journal reports on Boeglin’s piece, which also suggests developers must acknowledge that the ideas of liability and privacy aren’t mutually exclusive. “Nearly all of the literature on self-driving cars explores either their impact on social values like freedom and privacy or the questions they pose for legal liability,” Boeglin writes. “These lines of inquiry have developed largely in isolation, with little effort to examine how they might intersect and inform each other.” [Yale Journal of Law & Technology]

WW – Audi: Cars Are “Second Living Rooms”—And Private

Comments by Audi Chief Executive Officer Rupert Stadler appear to indicate that German auto companies are using in-car privacy concerns as “an attempt to build rival platforms to challenge Google for market share in Internet-assisted motoring.” “The Internet, cookies and other data collectors are almost common courtesy,” Stadler said. “But a car today is a second living room-and that’s private.” Customers, Stadler said, “want to be in control of their data and not subject to monitoring. And we take this seriously,” he continued. These comments come on the heels of an explosion of industry fusion, evidenced by the year-old “Automobile Alliance” founded by Google and auto companies group-bidding for tech contracts. [Bloomberg Business] [Audi CEO Confronts Google’s Schmidt With Data-Protection Pledge]

WW – New Tech Reduces Time Between Breach Compromise and Discovery

Start-up Terbium Labs offers to help breached companies quickly discover their sensitive data on the so-called “Dark Web.” Founded by researchers from Johns Hopkins University, the company combines two technologies—one that crawls the Internet, the other that collects and stores sensitive data in encrypted form. Terbium Labs CEO Danny Rogers said, “When you can bring that breach detection time down from months to seconds or minutes, then you can really minimize the damage and reduce the risk of the data being out there in the first place.” [MIT Technology Review]

WW – Just How Much Shadow Data Is Out There?

Cloud security firm Elastica released new data, showing that millions of compliance violations and intellectual property leaks exist in cloud applications, unbeknownst to organizations, thanks to employees using “shadow IT” like Dropbox and other cloud services. The company estimates the average potential exposure to be more than $13 million per business. Another security vendor, Venafi, released results of a survey showing that most IT security pros don’t know how to, or don’t take the time to, replace encryption keys and credentials following a breach. Perhaps that’s why, CSO reports, many CIOs and CISOs are increasingly turning to specialized cybersecurity prevention and response firms to help them protect their enterprises. [Dark Reading]

Law Enforcement

UK – Police Request Private Data Access ‘Every Two Minutes’

Police forces in the UK made the equivalent of one request for communications data every two minutes between 2012 and 2015. Big Brother Watch reported that a total of 733,237 requests to access data were made by police between 1 January 2012 and 31 December 2014. That is equivalent to 670 requests a day, 28 requests an hour of one every two minutes. The report was based on Freedom of Information requests granted by every police force but one. Just 54,164 of the requests were denied internally, meaning that 92.6%were accepted. In 2014 alone just under 250,000 applications were made. The requests include any time that police officers ask to see the “who, where and when of any text, email, phone call or web search” the privacy group reported. “Despite persistent claims that the police’s access to Communications Data is diminishing, this report shows that the police are continuing to access vast amounts of data on citizens,” the group said. “It is clear from the reports’ findings that disparity exists amongst police forces on what is considered necessary and proportionate for a request for Communications Data and why a refusal for access is given.” “If law enforcement persists with calls for greater access, internal procedures will need to be clarified, transparency about the process published and independent judicial approval brought in as part of the authorisation process.” [Wired] [REPORT: UK Police Request Personal Data Every Two Minutes ]

US – Surveillance by FBI’s Fleet of Spy Planes Raises Privacy Questions

Surveillance by the FBI’s fleet of spy planes, which are registered to shell companies and fitted with tech capable of sucking up cellphone data from innocent Americans, raises serious privacy questions. … Dirtboxes work like Stingrays, which are in use by “over 46 agencies including law enforcement, the military, and intelligence agencies across 18 states and Washington D.C. for more than a decade.” A Stingray surveillance device lets law enforcement mimic a cell phone tower, track the position of users “who connect to it, and sometimes even intercept calls and Internet traffic, send fake texts, install spyware on a phone, and determine precise locations.” Dirtboxes can “sweep up identifying information about tens of thousands of cell phones in a single flight.” The low-flying aircraft, often equipped with video and sometimes cell-phone surveillance technology, are used without a judge’s approval. The FBI said the flights are employed for specific, ongoing investigations and not for bulk surveillance. In one 30-day period, the FBI flew above at least 30 U.S. cities in 11 states, the report states. “The FBI’s aviation program is not secret,” said spokesman Christopher Allen, but ACLU Senior Policy Analyst Jay Stanley said, “These are not your grandparents’ surveillance aircraft.”  [ComputerWorld] [Associated Press] [FBI Behind Mysterious Surveillance Aircraft Over U.S. Cities] See also: [Tech Pioneer Thinks Wearables Can Offset Privacy Concerns]

US – Hola VPN Used to Perform DDOS Attacks, Violate User Privacy

Researchers say that users should bid freemium service “adios.” The company doesn’t hide the fact that the Hola network is peer-to-peer. Users of the service form a large network, and Hola traffic is routed through this network, using the connections of other Hola users. This is great for Hola; it means that the company doesn’t need to operate points of presence in different countries in order to make traffic appear to originate in these countries. But this is very risky for end users. The example that Adios researchers give is a straightforward one: if you use Hola and someone else uses Hola to distribute child pornography, there’s a chance that they’ll do so using your Internet connection. This in turn could have the police kicking your door down. [Ars Technica]


US – Verizon, NASA Team Up to Create Drone-Safety Technology

Verizon is developing technology with NASA to direct and monitor the growing number of civilian and commercial drones from its network of phone towers. According to documents obtained under the Freedom of Information Act, Verizon signed an agreement with NASA last year “to jointly explore whether cell towers … could support communications and surveillance of unmanned aerial systems at low altitudes,” the report states. The $500,000 project is underway at NASA’s research center. At the moment, there’s little to regulate where drones can fly, but NASA would like to develop technology that would “geo-fence” them. The project aims to uncover whether cell towers could help in that endeavor. [The Guardian]


WW – Hong Kong Accountability Benchmarking Micro-Study Results Released

The Office of the Privacy Commissioner for Personal Data has released, with research firm Nymity, a study on how firms in Hong Kong are applying the principles of accountability in their privacy compliance programs. Privacy Commissioner Allan Chiang reports himself pleased with the findings: “It is gratifying to note that many organisations are taking privacy seriously and the subject is now on the agenda of their top management.” Without proper regulation, however, governments could use information to build what Chiang describes as a “dictatorship of data“ that obliterates the idea of individual control. “People could be arrested not because they have committed a crime but because big data analytics predict they are likely to commit one,” he said. [South China Morning Post]

Online Privacy

WW – Google Unveils Privacy Hub, Increases User Privacy Controls

Google continues to unveil new privacy features for users, including “My Account,” which serves as a hub for users’ privacy settings. The new feature aims to give users quick access to their privacy and security settings, tools to protect personal data and controls on what information is used by Google. Users have been able to control certain privacy settings for months or years, such as whether to save web browser and location history, which is also used in targeted advertising. But managing the controls is confusing and time consuming because the settings are in various places across the web that are not always easy to find. Now users will be able to use My Account, which provides a privacy checkup and security checkup, or lists where people can check off which data they want to be public and private. Google’s new website answers frequently asked questions, such as whether the company sells personal data and what information is given to advertisers. The rollout comes on the heels of newly increased app permissions for Android, which Google announced at its annual developer’s conference last week. The new system mirrors the app permissions on Apple’s iPhones, which do not allow apps to automatically access numerous types of data, such as location or phone contacts. [Reuters] [I really don’t want to give all of my photos to Google, but I’m going to do it anyway]

US – Microsoft Debuts Privacy Dashboard, Revises Privacy Statement

Microsoft announced its new privacy dashboard, a hub for all of Microsoft’s privacy documents and a one-stop shop for users to customize their privacy settings. In addition to the dashboard, the company revised its privacy statement  and service agreement with a more colloquial mindset. The goal of the revisions is to have “straightforward terms and policies that people can easily understand,” said Microsoft Deputy General Counsel Horatio Gutierrez. “The updates to Microsoft’s policies don’t seem to radically change anything that was previously there,” the report states. While the dashboard has launched, Microsoft’s new services agreement is set to go live August 1. [ITWorld]

US – Markey Calls for Internet “Erase Button” for Kids

Sen. Ed Markey (D-MA) wants websites to have an “erase button that parents can use to scrub personal information about their children from the Internet.” Markey is proposing the measure, called the Do Not Track Kids Act, as one of several updates he says are needed to amend the Children’s Online Privacy Protection Act. It would require Internet companies to gain parental consent before collecting personal and location data for anyone under the age of 13. Sens. Mark Kirk (R-IL) and Richard Blumenthal (D-CT) cosponsored the bill, and Reps. Joe Barton (R-TX) and Bobby Rush (D-IL) introduced a companion bill in the House. [The Telegram]

WW – Twitter Now Offers Targeting Based on Downloaded Apps

Companies that make apps and would like to advertise them on Twitter can now target Twitter users based on the categories of apps installed on their mobile devices. Advertisers can now combine location, keyword and language information with data about whether a user has downloaded an app in categories like finance and productivity. According to the report, Twitter started tracking what other apps its users downloaded late last year, though users can opt out in the Twitter app settings. Twitter will also refrain from gathering information on app downloads if users have turned on services such as “Limit Ad Tracking” in iOS. [MediaPost]

WW – Firms Tout Privacy Credentials

Zettabox and “a growing number of European cloud computing providers trying to take on American competitors by playing up their privacy credentials.” Across the EU, cloud companies are “highlighting how they comply with Europe’s tough data protection rules,” the report states, noting the European Commission “is promoting a European cloud computing program as part of its recently released digital single market reforms to boost the region’s fledgling industry that has so far failed to compete” with the U.S. The report suggests the companies face an uphill battle against Internet giants, but notes a current Microsoft case may be a sign that U.S. companies “may yet struggle to comply” with EU data protection regulations. [The New York Times] See also: [Ann Cavoukian: Why privacy must be baked into the Internet of Things]

WW – Privacy Summit Divided Over Facebook Policies

At a recent Facebook summit, the best and brightest of privacy were “divided on nearly every topic at hand—including the definition of privacy itself.” However, discontent regarding Facebook’s advertising policies seems to be a unifying thread. Tech companies are “gobbling up everything they can learn about you and trying to monetize it,” said Apple’s Tim Cook. The solution? “Internet sites should allow their users to be the customers. I would, as I bet many others would, happily pay more than 20 cents per month for a Facebook or a Google that did not track me, upgraded its encryption and treated me as a customer whose preferences and privacy matter.” [The HIll]

WW – Paper Calls for Firefox Privacy Updates

Former Mozilla software engineer Monica Chew and computer scientist Georgios Kontaxis recently published a paper on the need for tracking protection in Firefox browsers, and support for the initiative is burgeoning, reports. “Tracking Protection in Firefox For Privacy and Performance“ indicates that tracking protection, a service that essentially does what its name suggests while speeding up load time, is currently an option for Firefox users but is difficult to activate and not an integral part of the browser’s functionality. The Electronic Frontier Foundation (EFF) agrees with the report’s findings. “We eagerly await the day that advertisers respect users’ requests for privacy and for browsers to implement their protections by default,” said the EFF’s Noah Swartz. [Threat Post]

WW – Apple CEO: Offer Customers the Best of Privacy and Security

During EPIC’s Champions of Freedom event in Washington, DC, Apple CEO Tim Cook spoke on security and guarding customer privacy and “protecting their right to encryption.” Cook said privacy and security aren’t trade-offs and people have a fundamental right to privacy. “The American people demand it; the constitution demands it; morality demands it,” Cook said. He also discussed consumers’ right to encryption. “Some in Washington are hoping to undermine the ability of ordinary citizens to encrypt their data. We think this is incredibly dangerous,” he said. For companies, he said, “We shouldn’t ask our customers to make a trade-off between privacy and security. We need to offer them the best of both.” [TechCrunch] [Apple’s Tim Cook Delivers Blistering Speech On Encryption, Privacy]

WW – Apple Unveils New iOS Based On Data Minimization

During its Worldwide Developers Conference, Apple unveiled its forthcoming operating system as well as a number of new features and products. Front-and-center for Apple’s privacy messaging was data minimization. Throughout the event, Apple Senior VP of Software Engineering Craig Federighi said data related to personalized services will stay on the respective devices and that users will have control. This post looks into the announcements and how data minimization is integrated into Apple’s forthcoming services. [Privacy Tech] [Wired] [Apple’s Latest Selling Point: How Little It Knows About You]

WW – Google Improves Privacy in New Android Services

Google unveiled a slew of new products and services, some of which aim to bolster security and privacy for users. Users will receive more fingerprint-related features as well as more controls over what data is accessed on their devices. Google will also offer more personalized services through Google Now, is taking a leap into virtual reality and has unveiled Project Brillo, which aims to make it easier for developers to build applications for Internet-of-Things technology such as smart homes . “We hope we can connect devices in a seamless and intuitive way,” said Google Senior VP of Products Sundar Pichai. [Bloomberg Business] [Google Centralizes Privacy and Security Controls On New Web Dashboard]

Other Jurisdictions

WW – Leaked Trade Deal Documents Raise Questions

Wikileaks has released 17 documents relating to the Trade in Services Agreement (TISA) currently under negotiation between the U.S., EU and 23 nations. According to the leak, the draft provisions mean countries could be barred from trying to control where their citizens’ personal data is held or whether it’s accessible from outside the country. But EU privacy regulations require companies to store EU citizens’ personal data locally to be sure they comply with the region’s laws. The deal, a sort of companion piece to the Transatlantic Trade and Investment Partnership, could be sped through Congress using what’s called Trade Promotion Authority. [Forbes]

IN – CyberSecurity Task Force Has Rocky Start

Security leaders in India are wary that the formation of the National Association of Software and Services Companies and Data Security Council of India‘s Cyber Security Task Force—a move to make India “a hub for cybersecurity solutions”—is in for a rocky start. While the goal to develop cybersecurity in the country and develop Indian roadmaps for its technological future is admirable, they argue, issues such as adequate financial backing and the input from experts is lacking. “A unique initiative, it focuses on making India secure,” one expert said, adding, “But what next? We must see local cybersecurity solutions being supported with soft funding and support from the government.” [Bank Info Security]

KR – Messaging App Acquires Path

Path, a social network designed for mobile devices, has been acquired by Daum Kakao—the maker of South Korean-based messaging app Kakao Talk. The acquisition adds Path’s 10-million active users to Daum Kakao’s 48 million. Path was once the subject of controversy resulting in an $800,000 fine from the U.S. FTC for collecting and storing data from users’ address books without permission. “Financial details of the acquisition were not revealed,” the report states. [CNet]

WW – Other Privacy News

Privacy (US)

US – President Obama Signs USA Freedom Act

Calling it “sensible reform legislation,” President Obama signed the USA Freedom Act hours after the Senate approved the legislation that would restrict the way the NSA collects information about Americans’ telephone calls. Senators, by a 67-to-32 vote, approved the bill after beating back three attempts by Senate Majority Leader Mitch McConnell, R-Ky., to amend the legislation, which would have diminished surveillance and transparency reforms. One amendment would have doubled to 12 months the time the NSA would have to end its existing metadata collection program. A second amendment would have changed the way independent advocates in secret surveillance courts would be treated. A third amendment would have required the director of national intelligence to certify that the new phone record system functions properly. The legislation replaces provisions in the Patriot Act, enacted after the 2001 terrorist attacks, that expired on June 1, including a section that the Obama and Bush administrations used to justify the bulk collection of metadata on Americans’ telephone conversations, which an appeals court earlier this year declared illegal, though it did not stop the program. Under the USA Freedom Act, the government, with a court order, could compel communications companies to turn over phone records of American citizens suspected of communicating with terrorists. Under the Patriot Act, the government retained the phone records, which the new law prohibits.Sen. Patrick Leahy, D-Vt., one of the bill’s Senate sponsors, characterized passage of the legislation as “an historic moment. … It’s the first major overhaul in government surveillance laws in decades and add significant privacy protections for the American people.” The USA Freedom Act received support from a number of privacy and civil liberties organizations, though the ACLU opposed it, saying it offered “incremental improvements over the dismal status quo” and did not go far enough to protect individuals’ privacy. Instead, the ACLU said the Patriot Act provisions should be left to expire. But Cindy Cohn, executive director of the Electronic Frontier Foundation, praised the Senate for passing the bill. “Technology users everywhere should celebrate, knowing that the NSA will be a little more hampered in its surveillance overreach, and both the NSA and the (secret) FISA court will be more transparent and accountable than it was before the USA Freedom Act,” she said. The USA Freedom Act would also renew several less controversial provisions of the Patriot Act that had expired, including one involving roving wiretaps that the FBI uses, after obtaining a warrant, to track terrorism suspects who often change cellphones, and a program to monitor so-called “lone-wolf” suspects who haven’t been linked to terrorist groups. [Source] SEE ALSO: [America Curbs State Snooping, Britain Gives the Green Light]

US – Swire: USA FREEDOM Act Is Biggest Intel Reform in 40 Years

Less than a week after the U.S. government enacted surveillance reform, Prof. Peter Swire writes, “I applaud the passage of the new law,” noting it’s “the biggest pro-privacy change to U.S. intelligence law since the original enactment of the Foreign Intelligence Surveillance Act in 1978.” Swire, who served as one of five members hand-picked by President Barack Obama to review U.S. intelligence programs in the wake of the Snowden revelations, discusses the close fit between the newly enacted USA FREEDOM Act and a number of the Review Group on Intelligence and Communications Technology recommendations. But reform should not stop here, Swire argues: More of the group’s recommendations should be considered. [Privacy Perspectives]

US – Judge Probes Destruction of Evidence in NSA Leak Prosecution

A federal judge is investigating allegations that the government may have improperly destroyed documents during the high-profile media leak investigation of NSA whistleblower Thomas Drake. U.S. Magistrate Judge Stephanie Gallagher’s inquiry was launched after Drake’s lawyers in April accused the Pentagon inspector general’s office of destroying possible evidence during Drake’s criminal prosecution, which ended almost four years ago. [Source]

US – Sanders Looks to Create Privacy Commission

Sen. Bernie Sanders (I-VT) hopes “to create a panel to investigate the impact of modern technology on privacy as part of an annual defense bill.” Sanders, who is seeking the Democratic presidential nomination in 2016, filed an amendment to the National Defense Authorization Act seeking the creation of a “commission on privacy rights in the Digital Age,” the report states, which would look at how the government and private companies collect and use data on American citizens. “There is a huge amount of information being collected on our individual lives ranging from where we go to the books we buy and the magazines we read. We need to have a discussion about that,” Sanders said. [The Hill]

US – New FTC CPO: Putting Our Money Where Our Mouth Is

Katie Brin might be relatively new as the FTC’s chief privacy officer, but her passion for privacy rights took root years ago. A law student at Berkeley, she was a member of the first-ever class at the Samuelson Law Technology and Policy clinic, then-headed by well-known scholar Deidre Mulligan. It was there she first tackled some of the most complex issues of our time, issues we’ve yet to resolve, like how evolving technology affects our ideas about free speech. In her first public interview, Brin talks about her goals for the office and just how “easy” it is to be CPO of the FTC. [Full Story]

US – Privacy Lawsuits Decline

While a few years ago “Internet privacy lawsuits were getting filed left and right … that stream appears to have dried up,” according to a report in The Recorder. In the Northern District of California, in cases where Apple, Google or Facebook were named as defendants, there were 29 lawsuits filed in 2010, 20 in 2011 and 30 in 2013. But in 2014, only four such suits were filed and in 2015, only one so far. [Ars Technica] SEE ALSO: [Judge Dismisses Breach Suit: Meanwhile, a county judge in Pennsylvania has dismissed a class-action lawsuit against Pittsburgh-based UPMC over a 2014 data breach in which 27,000 employees’ tax information was stolen]

US – FCC’s Wheeler Circulating Proposed TCPA Decision

FCC Chairman Tom Wheeler has announced a proposal to address the 20-plus “pending petitions seeking clarity regarding the scope requirements under the U.S. Telephone Consumer Protection Act (TCPA).” Under Wheeler’s proposal, the FCC would issue rulings including allowing consumers to “revoke their consent to receive automated ‘robocalls’ and texts in any reasonable way at any time” and prohibiting callers “from calling reassigned telephone numbers after one call,” the report states. The proposal also calls for the term “automatic telephone dialing system” to be interpreted under TCPA “to encompass any technology with the capacity to dial random or sequential numbers.” The proposal is scheduled for a vote at the FCC’s June 18 meeting. [Hogan Lovells’ Chronicle of Data Protection]

US – Clearing Browser History Can Be Deemed ‘Obstruction of Justice’

Boston Marathon bomber’s acquaintance could face 20 years in prison for deleting files. Next week, a 24-year-old man who knew Boston Marathon bombers Dzhokhar and Tamerlan Tsarnaev is scheduled to appear in U.S. Federal Court for sentencing on obstruction of justice charges related to the 2013 attacks. Khairullozhon Matanov, a former taxi driver, did not participate in or have any prior knowledge of the bombings, according to U.S. authorities. What could land him 20 more years in prison are the charges that he deleted video files from his computer and cleared his browser history in the days following the attacks. As a result of this alleged behaviour, Matanov was charged with one count of “Destruction, Alteration, and Falsification of Records, Documents, and a Tangible Object in a Federal Investigation” — which carries with it a penalty of up to 20 years in prison. Three more counts stemming from accusations that he lied to investigators about his activities and relationship with the Tsarnaev brothers carry a sentence of up to eight years in prison each. While he maintains his innocence, Matanov pleaded guilty to all charges against him earlier this year in hopes that U.S. District Judge William G. Young will accept his plea agreement for a lesser sentence of 30 months. [lSource]

WW – Airbnb Data at Center of Debate

“Housing activists, San Francisco policy-makers and Airbnb are in the midst of another showdown over short-term rental regulation,” noting data is one of the issues at the center of the debate. “Cities need to understand whether short-term rental inventory is expanding faster than they can produce housing stock,” the report states, noting, “Put another way: you would not A/B test changes to a software platform or interface without data, so why would you ask city policy-makers to A/B test regulatory changes in the dark?” By finding a way to utilize data without compromising privacy, “we can instead be more permissive on the front-end while at the same time introducing increased accountability through transparency,” said Union Square Venture’s Nick Grossman. [TechCrunch]

US – Uber Updates Its Privacy Policy to Restrict God View

After much scrutiny about its privacy practices, Uber Technologies has released a new and updated privacy policy. The policy is clearer about what Uber does with riders’ personal data, including tracking locations, reading text messages between riders and drivers and storing user address books. Hogan Lovells’ Harriet Pearson who led a privacy review of the company, said such data “actually wasn’t an issue. They had already addressed that at the time of our review.” Carnegie Mellon’s Lorrie Faith Cranor said the policy is written to protect Uber from liability: “This is a company that collects and uses a lot of data.” In a blog post, Uber’s Katherine Tassi said the company has doubled the size of the privacy team in the last few months. [Bloomberg Business]

US – PA Judge Squashes Breach Suit

A Pennsylvania judge recently rejected a class-action lawsuit filed by employees of the University of Pittsburgh Medical Center (UPMC) against UPMC for alleged negligence and breach of implied contract following a breach. The employees alleged their Social Security numbers, names, addresses, birthdates and salary information were stolen and used to file fraudulent tax returns and open fraudulent bank accounts. Judge R. Stanton Wettick, Jr., said Pennsylvania law doesn’t recognize a private right of action to recover actual damages as a result of a data breach and creating one would “overwhelm the state courts.” [Privacy Compliance & Data Security]

US – Styles: FERPA, HIPAA Don’t Take Equally Tough Stance

U.S. Department of Education CPO Kathleen Styles is concerned over what she sees as inconsistencies between FERPA and HIPAA. In a letter to Sen. Ron Wyden (D-OR) and Rep. Suzanne Bonamici (D-OR), following questions about an incident involving an Oregon college student’s health records , Styles noted “the possibility that FERPA may offer fewer confidentiality protections than the HIPAA Privacy Rule in the limited instances where institutions choose to share treatment records with their attorneys in conjunction with litigation between the student and the institution.” Her letter “confirms a gap in privacy that could allow school officials to inappropriately access students’ personal health records without their consent,” Wyden and Bonamici noted in statement. [HuffPost]

US – Other News

Privacy Enhancing Technologies (PETs)

EU – Privacy App Maker Files EC Complaint

The maker of a privacy app has lodged a complaint with the European Commission alleging “Google abused Android’s dominance of the European mobile market to unfairly favor its own privacy and security software over Disconnect’s app” by blocking its app from the Google Play app store. Disconnect, a privacy app founded by ex-Google employees, filed the complaint after its mobile app was pulled from the Google Play app store last year, the report states. Google removed the app because it threatened the company’s tracking and advertising business, according to the complaint. A spokesperson for the Commission’s competition office said it would assess the complaint. [ZDNet] See also [New Privacy App Takes a Page From NSA Technology]

WW – Creepy Dude Following Teens Online is Actually a Clever Web Privacy PSA

The retargeting online advertising technique is used to get young people to pay more attention to their privacy settings. In order to get teens to pay more attention to their online privacy settings and behaviors, child advocacy and safety group Innocence in Danger, with French agency Rosaparks, used ad retargeting on 200,000 teens to get this creepy dude to follow them around their favorite sites for a while. After 10 appearances, just enough time to give anyone the heebie-jeebies, the tagline appeared: “It’s not always this easy to see who’s following you around the Internet.” Forget just teens, this guy’s dead-eyed creep stare is enough to make anyone of any age do a thorough privacy setting evaluation. [Source]

WW – MIDDLE Aims to Balance Research, Privacy

Prof. Timothy Brick discusses the balance between researchers being encouraged to share data and participants’ concerns about who will have access to their information with PhysOrg. “Brick is working on a system called Maintained Individual Data, Distributed Likelihood Evaluation (MIDDLE) that changes the way data is collected and reported,” the report states. MIDDLE “will enable researchers to conduct studies and participants to keep control over their data,” the report states, noting Brick believes MIDDLE “will open the door for health or education studies previously made impossible or more difficult by the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA).” [Full Story]


US – NIST Releases Draft of Risk Management Framework

The National Institute of Standards and Technology has released a draft of its Privacy Risk Management Framework and is now inviting the public to comment on it. The draft report, NISTIR 8062, Privacy Risk Management for Federal Information Systems, “provides the basis for establishing a common vocabulary to facilitate better understanding of-and communication about-privacy risks and the effective implementation of privacy principles in federal information systems,” NIST states on its website. In its announcement, NIST notes it is “soliciting public comments on this draft to obtain further input on the proposed privacy risk management framework, and we expect to publish a final report based on this additional feedback.” Comments may be sent to privacyeng@nist.gov and until July 13. [Full Story] See also: [We Stand on the Brink of Global Cyber War, Warns Encryption Guru Bruce Schneier]

WW – How the Tech Behind Bitcoin Could Stop the Next Snowden

An Estonian company called Guardtime says it has a solution to that: using the same ideas that underpin the digital currency Bitcoin, the company says it can ensure no one can alter digital files, not even an organization’s most senior executives or IT managers. The idea is to stop the next Snowden in his tracks by making it impossible to tamper with data, such as the NSA log files, in secret. …Like IBM, Guardtime thinks the Internet of Things could be the killer application for the blockchain. As more and more connected devices gather data and store it in the cloud—and governments and private citizens alike create automated systems that respond to that data—ensuring data hasn’t been tampered with is crucial — especially if you have to trust outside vendors or hosting providers. [Wired] [Wired: Blockchain: The Next Big Thing in File Security?]

WW – Duqu 2.0 Espionage Malware Discovered

Kaspersky Lab says it has discovered a new, advanced persistent threat that appears to have been launched by the gang behind the Stuxnet and Duqu malware families. But while security vendors typically unearth intrusions in their customers’ networks, in this case Kaspersky’s own networks also fell victim to the attack campaign, thanks in part to attackers employing a zero-day Windows exploit. Those are the results of an investigation that Kaspersky Lab says it launched earlier this year, after discovering an internal cyber-intrusion and ultimately unearthing what it has dubbed Duqu 2.0, because the malware and attack platform is based on Duqu, which security researchers believe went dark in 2012. [Source]

IN – Programmer Finds Code Spying on Airtel Users, Gets Legal Notice

Indian Telecom major Airtel has been allegedly caught spying on users by injecting mysterious lines of codes into web browsers used to visit websites over its 3G network. The startling revelation came to light when activist and programmer Thejesh GN received a legal notice for exposing how Airtel inserts Javascript code and iframes into a user’s browsing session. Thejesh traced a mystery Javascript code during one of his own browsing sessions to network managed by Bharti Airtel and posted the findings on his twitter handle @thej and the GitHub repository. Soon after, Thejesh received a cease and desist order requesting him to take down the post by Israel based company Flash Networks. According to reports Airtel was allegedly using the mystery code so that it could track the data consumed by users. For this the telecom company had partnered with Ericsson. Ericsson was reportedly using Flash Network’s mobile solution to track user behavior. [Source]

WW – VPN Software May Be Rife With Privacy, Security Vulnerabilities

Researchers have found that popular virtual private network (VPN) provider Hola—a service that promises privacy and anonymity to its more than 47 million users worldwide—is “dangerously insecure,” reports. The VPN service contains flaws that allow for remote code execution and client tracking. Hola also sells access to its peer-to-peer network with very little oversight. The vulnerabilities are so bad, the researchers recommend that customers stop using the service right away. Since reports surfaced, Hola has altered some of it services, including the flaw that allowed for remote execution of code and client tracking. The researchers, however, contend there are deeper issues fundamental to how Hola is built that should worry users, including how traffic is routed through its peer-to-peer network. [Ars Technica]

WW – GoPro, Yelp Privacy Vulnerabilities Exposed

In two separate cases, privacy vulnerabilities have been found in GoPro cameras and Yelp’s “activity feeds.” A security firm has warned security settings are “too easy” for cybercriminals to circumvent. Pen Test Partners said it could access GoPro’s Hero4 camera—even though it appeared to be turned off—and watch and eavesdrop on users as well as view or delete existing videos. Pen Test Partner’s Ken Munro said a wireless connection to the device can unknowingly be left on, even after the power button has been turned off. GoPro has said it follows “industry-standard protocol called WPA2-PSK (pre-shared key) mode.” In a column for Fusion , Kashmir Hill discusses Yelp’s “activity feeds” and how they share information—including gender, age and hometown—with businesses. [BBC News]

US – Undercover DHS Tests Find Security Failures at US Airports

An internal investigation of the TSA revealed security failures at dozens of the nation’s busiest airports, where undercover investigators were able to smuggle mock explosives or banned weapons through checkpoints in 95% of trials. The series of tests were conducted by Homeland Security Red Teams who pose as passengers, setting out to beat the system. According to officials briefed on the results of a recent Homeland Security Inspector General’s report, TSA agents failed 67 out of 70 tests, with Red Team members repeatedly able to get potential weapons through checkpoints. More recently, the DHS inspector general’s office concluded a series of undercover tests targeting checked baggage screening at airports across the country. That review found “vulnerabilities” throughout the system, attributing them to human error and technological failures, according to a three-paragraph summary of the review released in September. In addition, the review determined that despite spending $540 million for checked baggage screening equipment and another $11 million for training since a previous review in 2009, the TSA failed to make any noticeable improvements in that time. [Source]

WW – Companies Overwhelmed With Security Alerts and False Positives

Companies are becoming overwhelmed with data about security alerts, and it’s hindering their ability to make informed decisions about data protection. That’s the finding of a report released by analytics firm Prelert. The firm surveyed over 200 tech professionals, including IT administrators and managers supporting the security function, along with information security professionals. 62% of respondents to the survey are seeing too many false positives, or are faced with too many alerts to handle. Security analytics is ranking high for customer satisfaction among enterprise security pros, according to the report. When asked what technologies offered the greatest perceived value compared to total cost of ownership, respondents ranked it joint highest with cloud data encryption and threat intelligence services. [Source] [How Do We Catch Cybercrime Kingpins?]

WW – Anti-Virus Software Lab Hacked; Spyware Detected at Nuclear Sites

Kaspersky Lab, an anti-virus software provider, says its own systems were recently compromised by hackers. The company said it believes the attack was designed to spy on its newest technologies and used up to three previously unknown techniques. However, data the hackers accessed was “in no way critical to the operation” of its products, the company said. Separately, Kaspersky Lab has said sophisticated spyware has infected computers at luxury hotels that are serving as venues for nuclear negotiations with Iran. The spyware is believed to be state-sponsored, the report states, but the extent of any possible data breach is not yet known. [BBC News]


WW – New Snowden Docs Reveal Warrantless Spying

A report reveals a program approved by the Department of Justice (DoJ) expanding the National Security Agency’s (NSA’s) ability to access the Internet traffic of American citizens. Based on documents provided by Edward Snowden, two DoJ memos approved the NSA’s ability to hunt for malicious actors by targeting suspicious Internet addresses and behavior. Stanford’s Jonathan Mayer said the program’s “a major policy decision about how to structure cybersecurity in the U.S. and not a conversation that has been had in public.” The government has defended the program as necessary to protect U.S. citizens from bad actors. Meanwhile, Edward Snowden wrote a column lauding the “power of an informed public … We are witnessing the emergence of a post-terror generation…” [ProPublica and The New York Times] See also: Overview of the UK’s proposed surveillance bill, the Investigatory Powers Bill.

WW – Pilots Fear Traffic Control Updates Could Be Privacy Threat

The Federal Aviation Administration’s (FAA) proposed “satellite-based traffic control network” has pilots of private jets concerned that the data could be used to track the location of famous passengers. “There is a huge appetite out there to track where these planes go,” said National Business Aviation Association (NBAA) Vice President of Regulatory and International Affairs Doug Carr. While the FAA acknowledges these concerns and “is considering allowing operators to change the broadcast codes at their discretion between trips,” the NBAA is asking for a stronger approach—such as encrypting the data—”so only the FAA and controllers would continue to have the means for real-time tracking,” the report states. [The Wall Street Journal] See also: [Drug Enforcement wiretaps triple in 9 years, agents avoid federal oversight]

US – FBI Wants Wiretap Access to Websites and Social Media

The FBI is asking lawmakers for a new wiretap law that would give it access to social media and other websites. The FBI’s Michael Steinbach said Congress should use the Communications Assistance for Law Enforcement Act as a model for new rules for Internet-based communications, adding, “We’re not looking at going through a back door or being nefarious; we’re talking about going to the company and asking for their assistance.” Agency Director James Comey first called for a CALEA rewrite to cover encrypted mobile phone data last October. [PC World]

US – N.S.A. Secretly Expands Internet Spying at U.S. Border

The disclosures, based on documents provided by Edward J. Snowden, the former N.S.A. contractor, and shared with The New York Times and ProPublica, come at a time of unprecedented cyberattacks on American financial institutions, businesses and government agencies, but also of greater scrutiny of secret legal justifications for broader government surveillance. While the Senate passed legislation this week limiting some of the N.S.A.’s authority, the measure involved provisions in the U.S.A. Patriot Act and did not apply to the warrantless wiretapping program. Government officials defended the N.S.A.’s monitoring of suspected hackers as necessary to shield Americans from the increasingly aggressive activities of foreign governments. But critics say it raises difficult trade-offs that should be subject to public debate. [New York Times] [Hackers Can Be Fought Without Violating Americans’ Rights] [Fears NSA Will Seek to Undermine Surveillance Reform] [Review: Bulk Data Collection Useful But Needs Oversight]

US – Thousands of Sites Block and Redirect Congress to Patriot Act Protest Page

As of Sunday night, 14,827 websites and counting were blocking IP addresses associated with the US Congress, redirecting visitors away from their sites and toward a page protesting mass surveillance. Rather than saying that Patriot Act-enabled mass surveillance is kaput, we should think of it more as being relegated to the ranks of the undead, ready to be resurrected with a bit of legal tweaking. During Sunday night’s debate, Senators Rand Paul and Ron Wyden scoffed at the idea of terrorist actions ever having been uncovered by the bulk data collection. In a show of bipartisan opposition to bulk data collection, both pointed to overwhelming support from constituents who want their liberties back. [Naked Security] [NY Times: Edward Snowden: The World Says No to Surveillance]

EU – Data Retention: German Government Tries Again

The retention of metadata from electronic communications has been on the political agenda throughout Europe for many years now. After the EU had passed a Directive on data retention, Germany first introduced a national law that forced telecommunication providers to store metadata from electronic communications in 2008. Two years later, the German Federal Constitutional Court (FCC) came to the conclusion that this law violated fundamental rights, and therefore declared it null and void. A decision from the Court of Justice of the European Union (CJEU) followed in 2014, rescinding the EU Directive entirely. While the European Commission, for the time being, has refrained from making another attempt at introducing a Directive, the German government is still hell-bent on bringing a national law on data retention into effect. [EDRI]

US – Franken Wants Answers on Flights

Sen. Al Franken (D-MN) sent a letter to U.S. Attorney General Loretta Lynch and FBI Director James Comey demanding answers on reports the FBI is flying surveillance flights in at least 30 cities.

US – Lawmakers Query Auto Companies on Privacy

Members of the House of Energy and Commerce Committee have written to car developers and the National Highway Transportation and Safety Administration to discover how they are planning to protect drivers from security breaches affecting cutting-edge car amenities. Led by Fred Upton (R-MI) and Frank Pallone (D-NJ), the legislators want “the agency and automakers to provide details on what they are doing to protect against cyber-vulnerabilities now—including how they test vehicles for such vulnerabilities while they are being designed and once they are on the road,” the report states. [The Washington Post]

Telecom / TV

US – Bulk Phone Collection Program Expires; Workarounds in Place

For the first time in the post-9/11 era, phone calls made by Americans will not be automatically collected by the National Security Agency (NSA). After a rare weekend session, the Senate did not renew three specific provisions in the USA PATRIOT Act, including the bulk collection of telephony data. In Sunday night’s session, which was described as “caustic,” Sen. Rand Paul (R-KY) blocked the extension. The Senate is expected to vote on a version of the USA FREEDOM Act, which has already passed the House, and send the compromise bill to President Barack Obama for his signature. As one workaround , the Justice Department can invoke the so-called “grandfather clause” to continue to use such powers for investigations that commenced prior to June 1. [The New York Times]

US – Phone Carriers Yet to Indicate How They’ll Handle New Law

After the historic enactment of surveillance reform, questions about how phone carriers will handle and retain customer phone records remain, and, so far, the phone carriers aren’t hinting at what they’ll do moving forward. There is no mandate within the USA FREEDOM Act specifying data retention obligations for phone companies. Stanford University’s Jennifer Granick said, “The phone companies may already have data retention obligations under the Communications Act, but there’s no additional obligation as a result of USA FREEDOM having passed.” There will be, however, an obligation to provide a “two-hop function,” identifying individuals two steps from a given target. “Now the phone companies will be the place where that analysis of who’s in contact with whom is taking place,” Granick said. [NPR]

US – House Aims to Block FCC Rules Until Courts Have Say

A House appropriations bill released this week states the $315 million granted to the Federal Communications Commission (FCC) may not be utilized to “implement, administer or enforce” its net neutrality rules until the courts resolve three outstanding cases with telecom companies. The rules, which were adopted earlier this year, “reclassify Internet providers as utilities. Supporters of the rules say the agency’s new powers under the law will allow it to stop the providers from giving preference to some content on their networks,” the report states, noting some suggest “standalone legislation that would limit the FCC’s power but still keep some net neutrality reforms.” [The Hill

US – In Defense of the NSA

Even as Sen. Rand Paul (R-KY) sues the U.S. federal government for continuing with the Section 215 program of domestic surveillance, more than one voice has chimed in supporting National Security Agency (NSA) surveillance efforts and opposing the direction of the USA FREEDOM Act. Alberto Gonzales, former attorney general in the George W. Bush administration, argues in USA Today that “more privacy can’t keep us safe“ and that measures put in place after 9/11 were both appropriate and constitutional. Further, he argues, it “remains to be seen” whether the USA FREEDOM Act is “truly a win for America.” Similarly, Walter Pincus, in The Washington Post, defends the recently revealed NSA practice of targeting foreign hackers, saying The New York Times and ProPublica left out important details about instructions for the NSA to avoid pursuing American hackers. [Full Story]

US Government Programs

U.S. Wants to Collect Bulk Call Records for Six More Months

The U.S. Department of Justice has filed to the Foreign Intelligence Surveillance Court for permission to continue the bulk collection of call records for another six months, as the new USA Freedom Act allows for this transition period. The filing, made public this week, was submitted to the court last Tuesday, the same day President Barack Obama approved as law the USA Freedom Act, which puts curbs on the bulk collection of domestic telephone records by the National Security Agency. The new legislation was passed by the Senate following the expiry at midnight of May 31 of the authorization of the bulk collection under section 215 of the Patriot Act. It leaves the phone records database in the hands of the telecommunications operators, while allowing a targeted search of the data by the National Security Agency for investigations. The U.S. Court of Appeals for the Second Circuit had ruled in an appeal filed by the American Civil Liberties Union and others that a district court in New York had erred in ruling that Section 215 authorizes the telephone metadata collection program. The telephone metadata program exceeds the scope of what Congress has authorized and therefore violates Section 215, Judge Gerard Lynch wrote on behalf of the three-judge panel. The appeals court vacated the earlier order of the U.S. District Court for the Southern District of New York and remanded the case to it for further proceedings in line with the new opinion. The DOJ said in its filing that it was evaluating its litigation options in view of the decision by the Second Circuit court, but added that rulings of the appeals court do “not constitute controlling precedent” for the FISC. On Friday, advocacy group FreedomWorks and Ken Cuccinelli, a former Virginia attorney general, asked the FISC to deny the government’s request to reinstitute or continue the metadata collection for another six months, particularly in the light of the decision of the Second Circuit. [Source]

US – Will Intelligence Bill “Hobble” PCLOB?

Civil liberties proponents are raising concerns that “a one-sentence provision tucked into an annual intelligence policy bill making its way through the House could hobble the Privacy and Civil Liberties Oversight Board (PCLOB).” The provision, which is included in the House’s Intelligence Authorization Act, would prohibit the PCLOB’s “access to information that an executive branch agency deems related to covert action.” The Cato Institute’s Patrick Eddington called the measure “way beyond troubling,” adding that limiting the PCLOB “is a mistake, because our problem isn’t too much information about whether or not these NSA and other related programs are out there—our problem is we don’t have nearly enough.” [The Hill]]

US – NIST Report Aims to Help Agencies Implement Privacy

National Institute of Standards and Technology (NIST) Senior Privacy Policy Advisor Naomi Lefkovitz says privacy engineering is “ripe to be embraced and incorporated into federal processes,” and has championed NIST’s Privacy Risk Management for Federal Information Systems, a draft report aimed at helping groups do just that. “Over the past several decades we’ve had a well-developed set of principles for how to address privacy,” Lefkovitz said. “But what we haven’t had are the tools that help bridge the implementation of those principals into protections that can be exhibited in information systems.” She calls the report “a communication and assessment tool for agencies.” [FierceGovernmentIT]

WW – Using Art to Explore “Hyper-Surveillance” and Secrets

Academy Award-winning documentarian Laura Poitras filmed famed dissidents Ai Weiwei and Jacob Appelbaum as they worked to create a piece of privacy-related art. The result? A meditation on “hyper-surveillance” and “secrets,” Poitras writes. While she filmed, Ai and Appelbaum worked to stuff pandas with shredded NSA documents leaked by Edward Snowden to Poitras and journalist Glenn Greenwald. The piece, entitled Panda to Panda, “playfully acknowledges and rejects state power” and is “the synthesis of two terms created by dissident cultures,” Poitras said. The work is rife with symbolic meaning and in-jokes; “panda” is Chinese slang for secret police, while the title itself references peer-to-peer communication. [The New York Times]

US Legislation

US – Senate Lets NSA Spying Expire

Sunday’s expiration is largely the fault of procedural hurdles, rather than genuine opposition in the Hill’s upper chamber. Although Paul’s staunch opposition requires the Senate to go through a series of procedural runarounds, the Freedom Act is likely to make it through the upper chamber next week. …”Congress now has the opportunity to build on this victory by making meaningful and lasting reforms to U.S. surveillance laws,” Sen. Ron Wyden (D-Ore.), a longtime NSA critic, said in a statement Sunday night. “After Republican leaders stalled for months in a failed attempt to rerun their old playbook for extending mass surveillance, they now have no excuse for not allowing a full debate on the USA Freedom Act as soon as possible. In my view this is the best way to bring new transparency and reforms to U.S. surveillance programs and to bring certainty to our intelligence agencies.” [HuffPost] [Senate lets NSA spy program lapse, at least for now] [Parts of Patriot Act Expire, Even As Senate Moves on Bill Limiting Surveillance] [NSA Loses Power to Collect Americans’ Phone Records] [Senate Votes To Turn NSA Spying Back On, But With Reforms] [Senate Shoots Down All Bad Amendments to the NSA Reform Bill] [Feds plot course to resume NSA spying] [Why the new USA Freedom Act is worthless] [NSA surveillance debate gives rise to bipartisan Civil Liberties Coalition]

US – Senate to Vote on USA FREEDOM Act

President Barack Obama signed into law the USA FREEDOM Act. The Senate let three provisions of the Patriot Act expire: Section 215, the section the government uses to collect phone and other business records in bulk, the “Lone Wolf provision,” and the “roving wiretap“ provision. Section 215 now—at least temporarily—reverts to its pre-Patriot Act form, which doesn’t permit any collection of financial or communications records, and requires the Government to provide “specific and articulable facts” supporting a reason to believe that the target is an agent of a foreign power. This is a good thing. And of course, the government still has plenty of tools to investigate national security cases. [EFF] [US News & World Report: Reflecting on USA PATRIOT ACT’s Legacy] [Let the Clock Run Out on the NSA] [Demand Your Senator Join Rand Paul’s Fight Against Mass Surveillance] [Rand Paul Got One (Huge) Thing Right ]

US – CISA Draws Support From Cyber Community

The Cybersecurity Information Sharing Act (CISA) has received the support of security experts who argue that legal protection for companies that disclose data breach details to the government will promote prevention and communication. “If a company gets attacked and releases that information, and everybody else is made aware of that, they can immediately protect themselves,” said the University at Buffalo’s Arun Vishwanath. Sen. Mitch McConnell (R-KY) has said the Senate will take up CISA as an amendment to the defense bill it is debating this week, the report states. [USA Today]

US – Dems: Don’t Include CISA in Defense Act

Following an announcement by Sen. Mitch McConnell (R-KY) that he planned to add the Cybersecurity Information Sharing Act (CISA) onto the National Defense Authorization Act (NDAA) as an amendment, the Senate’s Democratic leadership is urging him not to do that. The letter , which is signed by Sens. Harry Reid (D-NV), Dick Durbin (D-IL), Chuck Schumer (D-NY) and Patty Murray (D-WA), asks McConnell to “back down from his ‘ridiculous’ plan to attach” CISA to the NDAA, the report states, noting the NDAA is considered “must-pass” legislation. Including CISA in the NDAA “in a manner that allows neither debate nor amendment is ridiculous,” they wrote. [NationalJournal]

US – Senate Passes Cal-ECPA

The California Senate moved unanimously to approve the California Electronic Communications Privacy Act, or Cal-ECPA, a bill that prohibits law enforcement from seizing digital documents without a search warrant. Protected data includes cloud data, PINs, emails and smartphone information. The measure has garnered particular support from California-based tech companies such as Apple and Google as well as politicians and those in the privacy community. “Data is personal and can be regarded as private, thus search and seizure of this data should require authorization,” said John Casaretto, security consultant, in support of the Senate’s decision. [Silicon Angle] [Calif. Senate OKs Bill Calling for Warrants to Search Devices ]

US – Connecticut Moves to Strengthen Breach Laws

The Connecticut General Assembly has tightened the state’s data breach laws to include both a 90-day deadline by which breaches must be reported as well as a year of free identity theft protection for victims whose SSNs were unlawfully shared. Connecticut Attorney General George Jepsen has said “his office will continue to scrutinize breaches and to take enforcement action against companies that unreasonably delay notification, even if the breach is reported less than 90 days after it was discovered,” the report states. The updates, set to go into effect October 1, have generated a positive buzz. “We had a good law in place, and this makes it better,” Jepsen said. [Government Technology]

US – Oregon Passes Bill Protecting Sexual Assault Victims

Oregon Gov. Kate Brown has signed into law a bill protecting the confidentiality of victims of sexual assault on college campuses in the state. This bill means that Oregon now has “one of the strongest confidentiality protections for victims of sexual assault and domestic violence in the country.” The law ensures the confidentiality of conversations with victim advocates and allows victims to determine when and if the incident becomes public. Oregon Attorney General Ellen Rosenblum was a vocal supporter of the bill and continues to advocate for a proposed revenge porn bill and a law restricting gun ownership for domestic violence offenders. [KTVZ] See also Oregon state attorney general supporting a bill that aims to prohibit software vendors from advertising to or collecting and retaining data from students.

US – Wyoming Privacy Constitutional Amendment Could Return

Rothfuss said he believes the proposal was voted down last session because some thought it went too far while others thought it didn’t go far enough. The Wyoming Press Association also expressed concerns the amendment could be used to prevent public information, such as criminal records of public officials, from being released. Jim Angell, the executive director of the group, said he continues to worry the amendment could lead to unintended consequences. “While I understand the concerns (behind the need for the amendment), the potential for abuse is too big,” he said. [Trib.com]

US – Other News

Workplace Privacy

CA – Employee Terminated for Single Violation of Privacy Policy

In a recent decision, Steel v. Coast Capital Savings Credit Union, 2015 BCCA 127, the B.C. Court of Appeal upheld the termination of a long service employee who was terminated for a single violation of the employer’s privacy policy. This is the second decision this year in which the Court of Appeal has upheld the termination of a long-term employee for a single act of misconduct (see Roe v. British Columbia Ferry Services Ltd., 2015 BCCA 1). This decision is encouraging for employers who are faced with an employee who has engaged in actions that undermine the trust necessary for a working employment relationship. Such actions could include the violation of an important employment policy, particularly where the employee is in a position of trust. While the Court of Appeal did not address the level of trust required of employees in the banking industry, it also did not overturn the trial judge’s broad application of this principle. Thus, the question regarding extent of this obligation in this industry remains open. [Mondaq]

WW – Using Wearables to Monitor Staff Health

Companies are increasingly expected to embrace wearable devices for their ability to monitor workers wearing them. Market research firm Tractica predicts the market for corporate and industry customers of wearables will grow “with remarkable speed,” the report states. While such customers represent just one%of wearable device sales today, that number is expected to jump to 17% by 2020. “The single largest cost for employers is healthcare,” said Lindsey Irvine, director of strategic initiatives at Salesforce. “Yet 70% is attributed to things we can change, like diet and exercise and stress. What employers are looking for is a way to address that 70% cost curve.” [Forbes]

US – As States Regulate, Companies Must Look Across Borders

Connecticut became the 21st state to enact a social media privacy law. Without one federal privacy law, companies with employees across multiple states are required to stay abreast of which states require what. “There’s model legislation that to some extent has been followed, so most of these laws are similar, but they are not alike,” said attorney Howard Mavity. Most important for companies, Mavity said, is to know under which circumstances they are allowed to access employees’ social media accounts. [The Wall Street Journal]


Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: