16-30 June 2015


US – Privacy Groups Walk Out of NTIA Facial Recognition Talks

Nearly two years into talks on developing a voluntary code of conduct for the commercial use of facial-recognition technology, several privacy advocacy groups have walked out in protest. “At a base minimum, people should be able to walk down a public street without fear that companies they’ve never heard of are tracking their every movement—and identifying them by name—using facial-recognition technology,” the groups wrote in a joint statement. “Unfortunately, we have been unable to obtain agreement even with that basic, specific premise.” The National Telecommunications and Information Administration’s Juliana Gruenwald said the agency was disappointed in the departure, but added it “will continue to facilitate meetings on this topic for those stakeholders who want to participate.” [The New York Times] [Source]

US – Company Must Pay $2.2 Million in Forced DNA Testing Case

A jury has ruled that Georgia-based Atlas Logistics must pay two employees a combined $2.2 million for forcing them to submit to a cheek swab to determine if their DNA was a match to feces being left throughout the warehouse facility. Atlas Logistics claimed the “genetic information” involved wasn’t covered by the Genetic Information Nondiscrimination Act, arguing the act excludes analysis of DNA, RNA, chromosomes and other matter if they don’t reveal an individual’s propensity for disease. But U.S. District Judge Amy Totenberg “refused to toss the case,” the report states, ruling the “plain meaning of the statute’s text” was satisfactory for the case to go forward. [Ars Technica]

US – Class-Action Filed Against Shutterfly

A Chicago man has filed a class-action lawsuit in an Illinois federal court claiming photo-service Shutterfly is violating a law that restricts how companies collect biometric data. Brian Norberg says he has never used Shutterfly, but someone else uploaded his photo to the site and tagged it with his name, leading to him being added to a database without his consent. The suit seeks $1,000 to $5,000 “for every Illinois resident” whose face was added to the Shutterfly database without permission. [Fortune]

US – Will Advanced Facial Recognition Quell Privacy Fears?

Fortune examines Facebook’s new service called Moments, suggesting it expands the use of the social network’s “powerful ‘faceprint’ technology.” The facial-recognition technology has 83% accuracy at identifying users. And it doesn’t need to see your face to identify you, which the company argues will assuage privacy concerns. Facebook’s Yann LeCun “imagines such a tool would be useful for the privacy-conscious—alerting someone whenever a photo of themselves, however obscured, pops up on the Internet,” the report states. Not everyone agrees. The Christian Science Monitor suggests that “once a face is converted to data points and made machine-readable, it ceases being a public-facing part of ourselves that we voluntarily expose to others. It becomes a resource that others control.” [New Scientist] [Think it’s cool Facebook can auto-tag you in pics? So does the government] [Technology is growing accustomed to our face]

UK – Police to Scan Concert Crowds with Facial Recognition

Police in a UK county are going to use facial recognition technology to surveil an upcoming concert. The Leicestershire Police, responding to a Freedom of Information request filed by reporters at The Register, said that surveillance cameras positioned at the Download Festival will scan faces of attendees and compare them to a local mugshot database. It’s a policing strategy that’s on the rise in the UK, but it has also been subject to some intense scrutiny. English and Welsh police have faced criticisms over their uploading of the mugshots of innocent people to a national database, and more recently Police Scotland has had to deal with some PR issues having been compelled to disclose its own such practices. But such systems are undeniably useful to police; earlier this year the head of Scotland Yard went so far as to call on British citizens to install their own CCTV security in their homes so that police could use facial recognition technology in the event of a burglary or other such incident. [Source] See also: [Churches are using facial recognition software to spy on members]

WW – Auto Company Considering Brain-Monitoring Tech

Jaguar hopes to utilize “brain-monitoring technology” to improve car safety. “These research projects are investigating how we could exploit this for the benefit of our customers and other road users,” said Jaguar’s Wolfgang Epple. The company views this step as a conduit between self-driving cars and the current state of affairs. “The car may have to hand off control to a driver at some point, and it’s critical to know if the driver is ready,” the report states, noting the company is also interested in “monitoring its drivers’ health” and is “testing a ‘medical-grade sensor’ that can be embedded in a seat and monitor heart rate and breathing through vibrations.” [The Verge]


CA – PIPEDA Changes Finally Pass

Parliament has finally amended the Personal Information Protection and Electronic Documents Act (“PIPEDA” or the “Act”). The Digital Privacy Act (the “DPA”), which amends PIPEDA, received royal assent on June 18, 2015. Significant changes to PIPEDA include:

  1. Breach Reporting

Under the DPA, organizations will be required to notify the Office of the Privacy Commissioner of Canada (the “OPC”) and affected individuals of a breach of security safeguards. Furthermore, organizations will be required to keep a record of all data breaches (whether or not they meet the harm threshold), and must report all breaches to the OPC upon request. Knowingly failing to report or record a breach will be an offence punishable by fines of up to C$100,000. The provisions of the DPA relating to privacy breaches have not yet come into force, but will become mandatory once the associated regulations have been enacted.

  2. Amendment to the definition of “personal information” and new provisions respecting “business contact information”

Previously “personal information” excluded certain information about an employee of an organization. Now “personal information” includes any information about an identifiable individual. However, a new definition of business contact information has been added to PIPEDA, and such information is excluded from the application of Part 1 of the Act.

  3. Changes to Consent

The DPA amends PIPEDA to explicitly state that consent is only valid if it is reasonable to expect that the individual would understand the nature, purposes and consequences of the collection, use or disclosure of his/her personal information. In addition, new exceptions to PIPEDA consent requirements have been introduced, which apply to:

  • PI in witness statements related to insurance claims.
  • PI produced by an individual in the course of his/her employment, business or profession.
  • Disclosure for the purposes of communicating with the next of kin or authorized representative of an injured, ill or deceased individual.

  4. Changes affecting employee privacy

The DPA introduces exceptions to the consent requirements in PIPEDA where collection, use or disclosure of personal information is necessary to establish, manage or terminate an employment relationship. However, notice must still be provided to the individual. PIPEDA has also been amended to clarify that it applies to job applicants. However, it is important to remember that PIPEDA only applies to employees and applicants of federally-regulated employers.

  5. Business Transactions

The DPA introduces exceptions to the consent requirements in PIPEDA in the context of business transactions (broadly defined), provided that certain conditions are met.

  6. Compliance Agreements

The DPA amends PIPEDA to explicitly allow the OPC to enter into compliance agreements with organizations. Such agreements may contain any terms that the OPC considers necessary to ensure compliance with Part 1 of the Act. [Source]

CA – The Digital Privacy Act: What You Need To Know Now

Parliament has passed the Digital Privacy Act, or Bill S-4. “The act received Royal Assent on June 18, with some amendments to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) going into force immediately,” Timothy Banks writes, adding, “These are the first major amendments to PIPEDA since it was enacted 15 years ago.” And while the mandate requiring breach reporting to the Office of the Privacy Commissioner is not yet in effect, Banks notes, “there are still a number of amendments that are important for organizations to consider now” and provides a “cheat-sheet” of key amendments. [Privacy Tracker]

CA – Canada’s Mandatory Breach Notification and More

The Digital Privacy Act, or Bill S-4, makes a number of important amendments to the Personal Information Protection and Electronic Documents Act, most of which are now in force. In this web conference, hear from Fasken Martineau DuMoulin Partner Alex Cameron, who has written on the changes to the law, and from Peggy Byrne, managing counsel and privacy for CIBC Legal Department, about the key changes and their potential impacts for all organizations handling personal information about Canadians. Topics to be covered during the July 23 web conference include mandatory breach notification, mandatory record-keeping, new consent and disclosure requirements and penalties, enforcement and reputational considerations. [Full Story] [Toronto Star’s View: Lift veil of secrecy on detainee deaths in Border Services custody]

CA – Spies Wanted Mere Tweaks, Government Launched Privacy Overhaul

The Conservative government alarmed privacy advocates by overhauling the law to give Canada’s spy agency easier access to federal data, even though the spies themselves said greater information-sharing could be done under existing laws, newly released documents show. In a presentation to federal deputy ministers last year, the Canadian Security Intelligence Service said “significant improvements” to the sharing of national-security information were possible within the “existing legislative framework.” Earlier this year the government introduced an omnibus security bill that included the Security of Canada Information Sharing Act, intended to remove legal barriers that prevented or delayed the exchange of relevant files. The legislation, which recently received royal assent, permits the sharing of information about activity that undermines the security of Canada, something law professors Craig Forcese and Kent Roach called “a new and astonishingly broad concept.” Privacy commissioner Daniel Therrien denounced the scope as “clearly excessive,” saying it could make available all federally held information about someone of interest to as many as 17 government departments and agencies with responsibilities for national security. The government still hasn’t made a case for dismantling barriers to information-sharing, said Carmen Cheung, senior counsel at the B.C. Civil Liberties Association. [Source] [Canada: How the budget bill quietly reshapes privacy law: Geist] [CA – Human Rights Tribunal finds Ottawa retaliated against First Nations Child Rights Worker]

CA – Snowden Leaks Hurt Canada, Spy Agency CSE Says

Canada’s electronic spy agency says leaks by former U.S. intelligence contractor Edward Snowden have “diminished the advantage” it enjoyed over terrorists and other targets, both in the short term and — of more concern — well into the future. In newly released briefing notes, the Communications Security Establishment says Snowden’s disclosures about CSE’s intelligence capabilities and those of its allies “have a cumulative detrimental effect” on its operations. The CSE spokesman declined to provide specific examples of damage to back the assertion that the leaks are undermining Canada’s attempts to fight terrorism, but said the continuing publication of sensitive material was “rendering techniques and methods less effective.” [Source] [CA – The False Choice Between Security And Privacy] See also: [Schneier: China and Russia Almost Definitely Have the Snowden Docs]

CA – Ontario: Controversial Court Security Act Proclaimed Into Law

A new provincial law intended to increase security at courthouses and other facilities gives police overly broad powers and may even be unconstitutional, according to some Ontario lawyers. The government, however, is continuing to stand by the new law, insisting it doesn’t in fact provide police with any new powers at all. The act’s most troubling feature, according to lawyers, is the fact it gives police the power to search the vehicles of people entering court premises without a warrant. Other lawyers express similar concerns. “They’ll get shot down by the Supreme Court on this,” says criminal defence lawyer Roots Gadhia. But Anthony Moustacalis, president of the Criminal Lawyers’ Association, says the act’s predecessor, the Public Works Protection Act, included a power to search the vehicle of a person entering any public work or building without a warrant. In a sense, then, the new act simply narrows that power, he suggests. [Law Times] [CA – Sensitive info used for ‘troubling’ targeted ads, watchdog warns]

SK – Non-Responses Concern Privacy Commissioner

After one year on the job, Saskatchewan’s privacy commissioner, Ron Kruzeniski, has proposed 35 amendments to significantly update more than two decades of provincial privacy and access to information legislation. The amendments are contained in the Office of the Saskatchewan Information and Privacy Commissioner’s (OIPC) annual report (It’s Time to Update) released this week. Kruzeniski also highlighted several concerns from the past year – including that public bodies did not respond to 25% of reports sent out with recommendations. In terms of the proposed amendments to the Freedom of Information and Protection of Privacy Act (FOIP) and the Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), Kruzeniski identified three that stood out from the rest – mandatory reporting of privacy breaches, the duty to protect private information collected and including municipal police in the legislation. Kruzeniski noted that Saskatchewan is one of only two provinces (the other is P.E.I.) that don’t include municipal police forces in privacy and access to information legislation. The RCMP is included in federal privacy legislation. Other proposed amendments in the report include reducing a government institution’s allowed response time to 20 days from 30 days and including consultants, advisers and information technology specialists in privacy legislation to protect personal information they collect. [Source]

CA – Class-Action Lawsuit Against Facebook Stopped by B.C. Court

BC’s top court has stopped a class-action lawsuit filed by a Vancouver woman against Facebook Inc. over a now-defunct advertising product. Deborah Douez alleged the product known as Sponsored Stories used the names and images of Facebook members without their consent, breaching Section 4 of B.C.’s Privacy Act. But her case pitted the law, requiring lawsuits filed under the Privacy Act to be heard in B.C. Supreme Court, against a clause in Facebook’s Terms of Use, requiring legal complaints against the company to be filed in Santa Clara County, Calif. A lower court judge sided with Douez in May 2014, ruling the Privacy Act overrode Facebook’s Terms of Use and certified the class-action lawsuit. However in a unanimous decision posted online, the B.C. Court of Appeal agreed with Facebook, ruling the judge made a mistake in interpreting the law and staying the class-action proceedings. [Source]

CA – Facebook Evidence Access Delaying Nova Scotia Court Cases

Facebook is all about instantly sharing your experiences, but one lawyer says the company isn’t as quick to share evidence for court cases. Legal aid lawyer Megan Longley says many of her cases involve comments or messages made on social media, but recovering that information from Facebook can be difficult. “The only way to access that would be through Facebook headquarters in California, which involves a court order at the national level in Canada that then gets sent to the States for disclosure orders,” says Longley, the managing lawyer of Nova Scotia Legal Aid’s youth justice office. That can take months, even up to a year, she says. [Source] [Winnipeg police accidentally broadcast lewd conversation from helicopter] [Camera with photos of 12 dead forgotten by B.C. coroner at bus stop: documents] [Beware Of Mortgage or Title Fraud] [How to Fraud-proof Your Home] [CRA Phone Scam Uses Fear of Tax Man to Swindle ‘Not So Smart’ Canadians]

CA – Canada’s Privacy Commissioner Not Satisfied with How Targeted Ads Work

Online Behavioural Advertising (OBA) involves tracking consumers’ online activities, across sites and over time, in order to deliver advertisements targeted to the consumers’ apparent interests. In 2011, the Office of the Privacy Commissioner of Canada (OPC) issued guidelines to help the various organizations involved in OBA ensure that their practices are fair, transparent, and in accordance with PIPEDA. In a new report, the commissioner highlights the key principle:

  • Any collection or use of an individual’s web browsing activity must be done with that person’s knowledge and consent. Therefore, if an individual is not able to decline the tracking and targeting using an opt-out mechanism because there is no viable possibility for them to exert control over the technology used, or if doing so renders a service unusable, then organizations should not be employing that type of technology for online behavioural advertising purposes.

And the issue:

  • Previous observations of major websites and the ads they contain suggested that, while ads are often tailored based on past web activities, there may be little notice of OBA practices and no easy ability to opt out.

“Using simple testing methods, we were able to see that OBA is being used on just over half of the websites used for the research,” Canada’s privacy watchdog concluded in its report. “We observed multiple examples where ads were targeted based on prior online activities that were related to sensitive topics without opt-in consent. We found that the procedures for opting out of OBA were often unsatisfactory.” [Source] [Genetic testing company’s use of child’s image outrages mother Christine Hoos]

CA – Advertisers React to OPC Online Behavioural Advertising Study

More than one in 10 behavior-based ads related to personal topics like divorce, bankruptcy, and pregnancy failed to comply with federal privacy guidelines, a new study shows. According to guidelines from the Office of the Privacy Commissioner of Canada (OPC), targeted digital ads involving sensitive personal information should require consumers to opt in if they want to receive such advertising. Yet 34 of the 300 targeted ads tracked in an OPC study required users to opt out, even though they dealt with that type of information. Overwhelmingly, however, the study shows Canadian advertisers are jumping onboard a new program to give consumers more information and control regarding behavior-based ads. Although almost all of the targeted ads studied by the OPC featured Ad Choices icons, the OPC report concludes that “using the Ad Choices icon (is) often difficult.” Sometimes the icons were hard to see, placed very far away from ads, led to a foreign Ad Choices site or required several steps to opt out of behavior-based ads. In April, Bell Canada responded to criticism from OPC by announcing plans to replace its behavior-based ad program – which automatically tracked customers’ mobile browsing habits – with an opt-in version instead. Also in April, research by the Canadian Marketing Association found that 33% of Canadians are comfortable with OBA if the advertiser is transparent about it and gives them a chance to opt out. That rises to 41% for consumers aged 18 to 24 and hits 42% for all ages if the consumer understands how the Ad Choices icon works. [Source]

CA – Canadian Government Websites Under Cyber Attack: Clement

The federal government says its websites were under a cyber attack this week, which affected email and Internet access. Treasury Board of Canada president Tony Clement tweeted that the websites were affected by a denial of service attack, designed to make a computer or network incapable of providing normal services to its users. He didn’t say who was responsible for taking sites, including justice.gc.ca, csis.gc.ca, Canada.ca and news.gc.ca, offline shortly after 12 p.m. Nor did he say how long the outage would last. Service for those four sites was restored later Wednesday afternoon. But sporadic outages continued. [Source]

CA – Ontario to Regulate Controversial Police Stops, Known as Carding

Ontario will regulate but not ban police street checks, a controversial tactic known in Toronto as carding and a practice critics say amounts to racial profiling. It’s not acceptable for police to stop and question a member of a racialized community for no reason then to record that person’s information in a database, Community Safety Minister Yasir Naqvi said. But when asked why he wouldn’t eliminate police street checks altogether, Naqvi said it’s important both for police to be able to engage with the communities and that they’re able to investigate any suspicious activity. [Source]

CA – Elections Canada Warns Voters About New ID Requirements for 2015 Election

Elections Canada is urging all voters who may be missing appropriate identification to get their paperwork done in the few months remaining before the country goes to the polls. The list of acceptable forms of identification voters can use when they cast their ballots this Oct. 19, however, is quite long. The controversial Fair Elections Act the Conservative government introduced last year did away with the practice of vouching, which allowed someone with required identification to vouch for someone who did not at a polling station on the day of the vote. The legislation also removed the ability to use a voter identification card as a way to prove where one lives. [Source]

CA – Watchdog Alleges Conservatives Pressed for Speedy Gun Registry Deletion

Bureaucrats felt pressured to speed the destruction of the long-gun registry from the senior ranks of the Conservative government, the public service, and the national police force, Canada’s information watchdog alleges in new court documents. The allegations, the result of a lengthy investigation by Information Commissioner Suzanne Legault, are expected to form part of the basis for a court challenge alleging the deletion of the data violated Canadians’ charter rights. The sworn affidavit suggests public servants were ordered to speed up the deletion of the long-gun data, including backups, after Legault’s office told the Conservative government that copies must be kept for an outstanding access to information request and investigation. [Source]

CA – Changes to Ontario’s Health Privacy Laws Deserve Wide Support: Editorial

Time to chalk up a significant victory for the privacy of patients in Ontario. Health Minister Eric Hoskins has done the right thing by bringing in sweeping legal changes that will allow authorities to prosecute snoopers more easily and require hospitals to declare breaches of patient privacy. These reforms, announced this week, come after months of reporting by the Star’s Olivia Carville that showed gaping holes in the rules intended to keep patients’ health information confidential. Most strikingly, Ontario’s Personal Health Information Protection Act (PHIPA) has resulted in exactly zero successful prosecutions after more than a decade in force — even though the provincial privacy commissioner receives reports of hundreds of health-related privacy violations every year. Now the government plans to overhaul the law to get rid of some of the biggest obstacles to enforcement. It will do away with the six-month deadline to lay charges under the act, making it easier for investigators to gather sufficient evidence for a successful prosecution. And the maximum fine for those violating patients’ privacy will be doubled from $50,000 to $100,000. In addition, Ontario’s hospitals will be required to report all breaches of patient privacy to regulatory colleges and the privacy commissioner. Until now, hospitals were allowed to handle violations internally, making it impossible to track the size of the problem across the province or fix breakdowns in the system. [Source]

CA – Privacy Watchdog Raises Awareness of Court Decisions Indexed Online

Canada’s privacy watchdog says it was the power of persuasion that helped get results for more than two dozen Canadians who had details of their legal troubles posted on a Romanian website. Daniel Therrien, the federal Privacy Commissioner, wrote in his annual report to Parliament last week that the Office of the Privacy Commissioner (OPC) received 27 complaints in 2014 about the website, which republishes court decisions from several jurisdictions with a large focus on Canada. Mr. Therrien said an absolute ban on indexing court rulings “would get into territory similar to conversations in Europe about the ‘right to be forgotten,’ which puts into play the need to ensure as much privacy as possible.” He said the OPC is studying the “right to be forgotten” in the Canadian context and plans to release a discussion paper on the topic within the year. [Source]

CA – Ontario Allows Real Estate Documents to Be Signed Electronically

Ontario is making the process of buying or selling a home easier by allowing real estate documents to be signed electronically. Effective July 1, 2015, changes to the Electronic Commerce Act will make electronic signatures legally equivalent to signatures on paper documents for real estate transactions. Under current rules, when a home or property is sold, dozens of hard copy documents such as offers and agreements of sale, must be signed by hand. Allowing these transactions to be signed electronically will also make it easier to send documents electronically and save time for anyone buying or selling property, especially when the two parties are separated by distance. [Source]


US – Privacy Tops Consumer Concerns About Tech Innovation

According to Edelman’s Earned Brand survey, privacy tops the list of reasons consumers across the globe—and specifically in Germany, the U.S. and Australia—have misgivings about innovation. Concerns regarding the environment and personal security are next on the list, the report states. “Marketers are missing out on a simple truth: Acceptance of innovation cannot be bought; it must be earned,” said Edelman President and CEO Richard Edelman. “As marketers, we need to evolve our playbook if we want to succeed. We have to address consumers’ fears before we have the permission to sell. Marketing, at the moment, is making it worse.” [Full Story]

US – Report Suggests Young People May Abandon Social Media If Privacy Breaches Continue

With all of the revelations of data snooping and privacy violations at the hands of government agencies and clandestine hacker groups, a new report suggests young people are having buyer’s remorse regarding the amount of social media accounts they’ve poured their life details into. In a report released this week (oddly) by USA Network, survey data shows that 55% of young people would eschew social media entirely “if they could start fresh.” Additionally, if major breaches of their privacy were to continue, 75% of young people said they were at least “somewhat likely” to deactivate their personal social media accounts, with 23% saying they were “highly likely” to do so. Young Americans’ sense of privacy online has been so violated that most of them believe that it’s safer to store their personal data in a box than in the cloud. Indeed, the survey said that physical filing systems were actually listed as the “most trusted” personal data storage method for young people. [Source]

US – Survey: Product Execs Out of Touch with Consumer Expectations

Many consumer product (CP) industry executives may be out of touch with consumers’ opinions on the importance of data security and privacy. That’s according to an online survey by Deloitte of 2,001 U.S. consumers and 70 CP industry executives, in which 80% of respondents said they’re more likely to purchase from CP companies they believe protect their personal information, and 72% said they avoid purchasing from companies that they believe take insufficient measures to protect it. “Many consumer product companies do not seem positioned to gain consumer trust based on their current data privacy and security strategies, policies and systems,” the report states. [CFO Journal]

US – 84% of Americans Want Immediate Breach Notification

A new poll released by the Zix Corporation reveals that 84% of Americans want to be notified immediately after their personal information is breached. The poll surveyed 500 individuals between the ages of 18 to 75 to assess their views and knowledge of data breaches and whether they would change their shopping habits as a result. Ninety-two percent of those surveyed said companies should be required to notify their entire customer base no matter the size of the breach. “As the survey confirms, acknowledgement and opening a clear and honest line of communication can go a long way in rebuilding consumer trust,” said ZixCorp CEO Rick Spurr. [Full Story]

US – Privacy and Young Adults: A Complicated Relationship

A USA Network survey that found 55% of young adults would “eschew social media entirely if they could ‘start fresh’” illustrates what some see as the inconsistency between what young adults say they feel about social media privacy and how they act online. While the survey indicates young adults trust filing cabinets more than the cloud and 75% of respondents were “‘somewhat likely’ to deactivate their personal social media accounts” if breaches continue, the report also cites a Pew Research study that found young adults were “more willing than older Americans to let companies use their personal data for commercial purposes, in exchange for the social-networking functions they value.” [Tech Crunch]


UK – Verify Programme Contains “Severe Privacy and Security Problems”

The UK government has been forced to deny allegations that its identity assurance service, Gov.uk Verify, is littered with security problems and could be used to spy on citizens. According to a research paper titled Toward Mending Two Nation-Scale Brokered Identification Systems, the service has “severe privacy and security problems” and a major flaw within its architecture that could be used to undertake mass surveillance. The main problem lies with the hub that acts as a go-between for government departments, identity providers and citizens. Verify was created by the Government Digital Service as a way for the public to prove who they are when needing to access government services online. The uptake of the service has been slow. The authors of the report claimed that Verify suffers “from serious privacy and security shortcomings, fail[s] to comply with privacy-preserving guidelines they are meant to follow, and may actually degrade user privacy.” “Notably, the hub can link interactions of the same user across different service providers and has visibility over private identifiable information of citizens. In case of malicious compromise it is also able to undetectably impersonate users,” the report said. But the government has hit back at the allegations and denied that Verify could be used in mass surveillance. “Gov.uk Verify does not allow for mass surveillance. It does not have any other connection with or ability to monitor people or their data,” it said in a blog post. The researchers said the service could be improved, recommending that “a formal framework for brokered authentication be devised” and that such a framework would “integrate all the security, privacy and auditability properties at stake, while considering an adversarial model in which any party, including the hub, may be compromised and/or collude with other parties.” [Source]
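The two hub properties the report names, cross-service linkability and undetectable impersonation, can be illustrated with a small simulation. The code below is an added example and is not Gov.uk Verify’s protocol or the paper’s own code: it models a toy identity provider (IdP), a relaying hub and a service provider (SP), and shows the two standard mitigations a practitioner would reach for, pairwise (per-service) pseudonyms so the hub cannot link a person across services by identifier, and an end-to-end MAC under a key the hub never holds so a forged assertion is rejected. All names, keys and users are constructed for the example.

```python
import hashlib
import hmac
import json
from collections import defaultdict

# Constructed model (not Gov.uk Verify's real protocol): an identity provider
# asserts a user's identity, a hub relays the assertion, a service provider
# checks it. Keys and identifiers below are invented for the example.


def _mac(key: bytes, data: str) -> str:
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()


class IdentityProvider:
    def __init__(self, name: str, pseudonym_secret: bytes, sp_keys: dict):
        self.name = name
        self.pseudonym_secret = pseudonym_secret  # never shared with the hub
        self.sp_keys = sp_keys                    # one key per SP, shared IdP<->SP only

    def assert_identity(self, user_id: str, service: str, pairwise: bool) -> dict:
        # Pairwise mode derives a distinct opaque subject per service, so the same
        # person looks different at each SP; otherwise the raw id is passed through.
        subject = _mac(self.pseudonym_secret, f"{user_id}|{service}") if pairwise else user_id
        body = {"idp": self.name, "subject": subject, "service": service}
        body["sig"] = _mac(self.sp_keys[service], json.dumps(body, sort_keys=True))
        return body


class Hub:
    def __init__(self):
        self.log = []  # everything relayed is visible to the hub

    def relay(self, assertion: dict) -> dict:
        self.log.append(assertion)
        return assertion

    def linkable_subjects(self) -> dict:
        # Subjects the hub has seen at more than one service: the linkability risk.
        seen = defaultdict(set)
        for a in self.log:
            seen[a["subject"]].add(a["service"])
        return {s: svcs for s, svcs in seen.items() if len(svcs) > 1}

    def forge(self, template: dict, subject: str) -> dict:
        # Models a compromised hub re-issuing a relayed assertion for another
        # subject; it has no IdP<->SP key, so it can only guess one.
        forged = dict(template, subject=subject)
        del forged["sig"]
        forged["sig"] = _mac(b"hub-guess-no-sp-key", json.dumps(forged, sort_keys=True))
        return forged


def sp_accepts(assertion: dict, sp_key: bytes) -> bool:
    # End-to-end check: the SP recomputes the MAC under its own IdP-shared key.
    body = {k: v for k, v in assertion.items() if k != "sig"}
    expected = _mac(sp_key, json.dumps(body, sort_keys=True))
    return hmac.compare_digest(expected, assertion["sig"])


def run_scenario(pairwise: bool) -> dict:
    sp_keys = {"tax": b"constructed-key-tax", "benefits": b"constructed-key-benefits"}
    idp = IdentityProvider("idp-A", b"constructed-pseudonym-secret", sp_keys)
    hub = Hub()
    events = [("alice", "tax"), ("alice", "benefits"), ("bob", "tax"), ("alice", "tax")]
    genuine_ok = all(
        sp_accepts(hub.relay(idp.assert_identity(u, s, pairwise)), sp_keys[s]) for u, s in events
    )
    forged = hub.forge(hub.log[0], "mallory")
    return {
        "genuine_accepted": genuine_ok,
        "forgery_accepted": sp_accepts(forged, sp_keys["tax"]),
        "linkable_by_hub": hub.linkable_subjects(),
        # the pseudonym must still be stable per service so the SP can keep an account
        "stable_per_service": hub.log[0]["subject"] == hub.log[3]["subject"],
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("pairwise" if mode else "raw ids", run_scenario(mode))
```

With raw identifiers the hub's log links `alice` across `tax` and `benefits`; with pairwise pseudonyms the log links nothing, while each service still sees a stable subject. The forged assertion fails at the SP in both modes because the hub never holds the IdP-to-SP key. The model deliberately leaves one thing unsolved, and it is the point the report makes about the hub's position: even with pairwise pseudonyms the hub still observes which services each assertion goes to and when, so traffic-level correlation remains unless the design also blinds the hub to the service identity.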

US – Farmers Want EPA Suit Revived

After a federal district court dismissed a case filed against the Environmental Protection Agency (EPA), upholding the validity of the EPA’s public release of personal information about farmers and their families, the American Farm Bureau Federation (AFBF) and the National Pork Producers Council filed a brief with the U.S. Court of Appeals for the Eighth Circuit calling the release unlawful. The groups have asked the Court of Appeals to reverse the district court’s decision. The case involves the EPA’s 2013 release of a database, including home addresses, GPS coordinates and email addresses, covering tens of thousands of farmers and their families. [The National Law Review]


CA – Report Suggests Law Goes Beyond What CSIS Wanted

Information found in a “heavily censored” copy of a 2014 presentation and memo to the Canadian Security Intelligence Service (CSIS) indicates CSIS believed “significant improvements” to information-sharing could be made within the “existing legislative framework.” However, legislation that “recently received Royal Assent permits the sharing of information about activity that undermines the security of Canada,” the report states, noting Privacy Commissioner Daniel Therrien is among those who have raised concerns. Therrien “denounced the scope as ‘clearly excessive,’ saying it could make available all federally held information about someone of interest to as many as 17 government departments and agencies with responsibilities for national security,” the report states. [The Canadian Press]

CA – PEI Gets New Privacy Commissioner—Kind Of

Prince Edward Island (PEI) is getting a new privacy commissioner. Karen Rose has been chosen by the legislative management to be appointed PEI information and privacy commissioner, the report states. She was actually the province’s first privacy commissioner in 2002, but she left the post in 2005 citing personal reasons. Rose will replace Maria MacDonald, whose five-year term has expired. “The commissioner will accept appeals … from applicants or third parties who are not satisfied with the response they receive from a public body as a result of an access to information request made under the Freedom of Information and Protection of Privacy Act,” the government site for the commissioner states. [The Guardian]

CA – Supreme Court Rules in Favor of Facebook

A Supreme Court judge has upheld a BC Court of Appeal ruling in favor of Facebook in a 2014 case alleging it used member information “to endorse certain products without their consent.” While the initial suit claimed that Facebook’s actions violated Section 4 of BC’s Privacy Act, the BC Court of Appeal ruled unanimously that the judge’s 2014 interpretation of the law was erroneous. “Section 4 is a rule of subject matter competence that, like all BC law, applies only in BC. California courts determine for themselves, using California law, whether they have territorial competence over any given proceeding,” said Chief Justice Robert James Bauman. “We are pleased with the court’s ruling that our terms are fair and apply to all users,” Facebook said. [Digital Journal]

CA – Saskatchewan Commissioner’s Annual Report Includes Concern About “Non-Responses”

A report released Monday indicates that 25% of public bodies have not responded to Saskatchewan Privacy Commissioner Ron Kruzeniski’s 35 proposed amendments to provincial privacy laws, which include “mandatory reporting of privacy breaches, the duty to protect private information collected and including municipal police in the legislation.” “Kruzeniski said the non-responses could involve a misunderstanding or confusion over changes in his office’s procedures,” the report states, noting the office “is prepared to allow another year to clarify its expectations,” but if the non-response rate doesn’t decrease, the commissioner “would be concerned that a ‘blatant disregard’ of the legislation was occurring.” Meanwhile, CBC News discusses other areas of Kruzeniski’s report, including why he feels provincial privacy law is “outdated.” [The Star Phoenix]

CA – Alberta’s PIPA Review to Begin

The Alberta government has initiated its review of the province’s Personal Information Protection Act (PIPA). The review will be conducted by the Standing Committee on Families and Communities, the report states, noting the law is slated for automatic review beginning on July 1 and then every six years. PIPA “will go to a legislative committee this fall, they’ll make recommendations that come back to the ministry,” Service Alberta Minister Deron Bilous said. “It’s a way to keep the (law) current and relevant and to ensure that we’re protecting Albertans’ privacy.” Alberta’s Freedom of Information and Protection of Privacy Act has been under review since 2012, the report states. [Edmonton Journal]

Electronic Records

US – Fitbit Tracking Data Comes Up in Another Court Case

When you wear a Fitbit or any other fitness tracker or smartwatch, you not only monitor your physical activity, you also collect data about yourself, data that can apparently be used against you in investigations. In Lancaster, Pennsylvania, police responded to a 911 call from a woman who claimed she was raped by a home invader. The woman told police she woke up around midnight with the stranger on top of her and that she lost her tracker while struggling with her assailant. However, authorities found her Fitbit, which recorded her as active, awake and walking around all night. Combined with the evidence that was missing (tracks outside in the snow from the boots she said the attacker was wearing, or any sign of them inside), the investigation led to her facing misdemeanor charges. [Source]

WW – Insurer Monitoring Your Heart Rate? Allstate’s Patent Makes It Possible

Northbrook-based Allstate, which last month floated the idea of one day selling the information it collects from policyholders’ connected cars, was issued a patent earlier this month for a driving-behavior database that it said might be useful for health insurers, lenders, credit-rating agencies, marketers and potential employers. Allstate’s patent also said the invention has the potential to evaluate drivers’ physiological data, including heart rate, blood pressure and electrocardiogram signals, which could be recorded from steering wheel sensors. Allstate’s patent acknowledged that use of the data might be subject to terms of agreement with the operator of the vehicle. [Source]

WW – Here’s What You Get With BBM’s $1 Privacy Subscription

BlackBerry has updated the BBM messaging app and started rolling out the feature to users on Android, BlackBerry 10 and iOS. The most notable change is the new Privacy and Control subscription, which replaces the previous Timed and Retracted Messages subscription. Privacy and Control, as the name implies, is designed to give users more control over the messages they share through BBM. It promises to add security for the parties in a conversation, who, BlackBerry says, no longer have to worry whether their messages have been captured by screenshot or shared with the wrong people. In the new Private Chat feature, messages are sent with no names and no profile pictures, and the chat ends automatically after a short period, so that no one outside the conversation can tell who said what. Private Chat is bundled into the new Privacy and Control subscription: for $0.99 a month, users get Private Chat, Timed messages and pictures, Retract messages and pictures, and Edit Message. The last is also new and lets users retract a message, change its content and send it again. [Source] See also: [BlackBerry/Cisco partnership to push healthcare towards digital age]


WW – More Sites Go All-HTTPS

Reddit has announced that starting June 29, it will refuse plaintext HTTP traffic. Last September, reddit allowed HTTPS connections for users who turned the feature on or used something like HTTPS Everywhere, the report states. Reddit is the latest to make the switch; it joins such sites as Wikipedia, which made the announcement less than a week ago, and Netflix. In addition, the White House Office of Management and Budget issued the “HTTPS-Only Standard directive,” which requires all publicly accessible federal websites and web services to use only HTTPS. “We genuinely value the privacy of the people who trust reddit as a platform for open communication,” reddit’s Heather Wilson said. [Ars Technica]
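Going “all-HTTPS” in practice means two observable things: every plaintext request is answered with a permanent redirect to the same resource over https, and the https response carries a Strict-Transport-Security header so returning browsers stop sending plaintext at all. The checker below is an added example, not code from reddit, Wikipedia or the OMB directive; the responses it inspects are constructed, and the one-year `max-age` floor is an assumption taken from common HSTS preload guidance rather than a figure from the article.

```python
"""Offline audit of the properties an HTTPS-only origin should show.

Added example. Responses are constructed, not captured from any real site.
The one-year HSTS max-age floor is an assumption (common preload guidance),
not a requirement quoted from the article.
"""
from urllib.parse import urlsplit, urlunsplit

MIN_HSTS_MAX_AGE = 31_536_000  # one year in seconds (assumed floor)


def https_equivalent(url):
    """Return the same URL with the scheme switched to https."""
    p = urlsplit(url)
    return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))


def _header(headers, name):
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value-or-None}."""
    directives = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, sep, val = token.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def audit_https_only(http_url, responses):
    """Check one plaintext URL against a table of observed responses.

    responses maps request URL -> (status, headers). Returns a list of
    findings; an empty list means the origin behaves as HTTPS-only.
    """
    findings = []
    status, headers = responses[http_url]
    if _header(headers, "Strict-Transport-Security") is not None:
        # RFC 6797 section 8.1: browsers ignore HSTS received over plaintext.
        findings.append("HSTS header on the plaintext response is ignored by clients")
    if status not in (301, 308):
        findings.append(f"plaintext request answered with {status} instead of a permanent redirect")
        return findings
    target = _header(headers, "Location") or ""
    if target != https_equivalent(http_url):
        findings.append(f"redirect goes to {target!r}, not the https equivalent")
        return findings
    t_status, t_headers = responses.get(target, (None, {}))
    if t_status != 200:
        findings.append(f"https target answered {t_status}")
    hsts = _header(t_headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("https response lacks Strict-Transport-Security")
        return findings
    directives = parse_hsts(hsts)
    try:
        max_age = int(directives.get("max-age", ""))
    except (TypeError, ValueError):
        findings.append("HSTS max-age missing or malformed")
        return findings
    if max_age < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {max_age} is below {MIN_HSTS_MAX_AGE}")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains (subdomains stay reachable over http)")
    return findings


# Constructed responses for two hypothetical origins.
GOOD = {
    "http://example.test/r/all": (301, {"Location": "https://example.test/r/all"}),
    "https://example.test/r/all": (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
}
BAD = {
    # Still serves content over http, and sends HSTS only where it does no good.
    "http://legacy.test/": (200, {"Strict-Transport-Security": "max-age=300"}),
    "https://legacy.test/": (200, {}),
}

if __name__ == "__main__":
    print(audit_https_only("http://example.test/r/all", GOOD) or ["HTTPS-only"])
    print(audit_https_only("http://legacy.test/", BAD))
```

The second constructed origin illustrates the common half-measure: HTTPS is available, but plaintext still returns a 200 and the only HSTS header is on the http response, where clients discard it.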

US – Free Digital Certificate Project

The Let’s Encrypt project aims to increase the use of encryption on websites by offering free digital certificates. It is run by a corporation backed by organizations including Mozilla, Akamai, Cisco and the Electronic Frontier Foundation (EFF). Let’s Encrypt expects to issue its first certificates in July. [ComputerWorld] [Encryption Would Not Have Protected Secret Federal Data Says DHS]

EU Developments

EU – Belgium Takes Facebook to Court Over Privacy Breaches and User Tracking

The Belgian privacy commission is taking Facebook to court for its alleged “trampling” over Belgian and European privacy law. The lawsuit will be heard in a Brussels court after a report and an opinion published by the Belgian privacy watchdog detailed Facebook’s alleged breaches of European privacy law, including the tracking of non-users and logged-out users for advertising purposes. Facebook treats its users’ private lives without respect and that needs tackling, according to Willem Debeuckelaere, president of the Belgian privacy commission, who said at the time of the report that it was “make or break time”. The privacy commission has no power to fine Facebook, but threatened legal action backed by the Belgian prosecution service should the US-owned social network fail to address the report’s concerns. That threat has now been carried out. The European commission recently warned that EU citizens should close their Facebook accounts if they want to keep their information private from US security services, after finding that current Safe Harbour legislation does not protect citizens’ data. Facebook was also recently ordered by a Vienna court to respond to a class action data privacy lawsuit filed against it in Austria by privacy activist and lawyer Max Schrems, which seeks damages of €500 (£397) per plaintiff for alleged data protection violations. [Source] [EU – Isabelle Falque-Pierrotin: Privacy Needs to Be the Default, Not an Option] [The digital revolution is coming for us, but is it friend or foe? ]

EU – Thank Latvia: Council Gets Past Objections for GDPR Approach

After three and a half years of intense negotiations, EU ministers finally agreed to a general approach on their version of the proposed General Data Protection Regulation at a meeting of the Justice and Home Affairs Council in Luxembourg. John Bowman, former DAPIX negotiator for the UK, outlines the objections the Council had to overcome and what are likely to be the main sticking points as the privacy legislation everyone’s following now moves to the trilogue stage. [Privacy Perspectives]

WW – “Revenge Porn” Searches Axed

Google’s move to delist “revenge porn” from its search results is, the report argues, a healthy step forward for the right to be forgotten. “Google has shown that the world won’t be knocked off its axis if the company goes beyond protecting financially relevant information … and takes aggressive steps to remove links to socially relevant information that can harm autonomy, reputation and emotional well-being,” the report continues. Governments and corporations share a duty to “invest in data protection rights,” the report states, noting those rights “will evolve through information-specific categories” and that the goal is less to be totally forgotten than to be made “obscure” online. [The Guardian]

EU – Dixon: “We Will Be the Lead” Regulator of U.S. Tech Firms

Irish Data Protection Commissioner Helen Dixon has commented on the role her office will play in regulating U.S. technology companies. “Ireland will be the leading regulator when dealing with U.S. tech companies,” she said. “We want to work actively with other regulators. But we will be the lead.” Dixon’s strong comments come the same day Ireland’s Office of the Data Protection Commissioner (DPC) released its annual report detailing its activities in 2014. The DPC is expected to audit Adobe, Yahoo and Apple this year, the report states. “We are responsible for millions of users,” Dixon said. “The companies accept pushback from us. They want to be compliant.” [The New York Times]

EU – EU Data Privacy Reform Moves Toward End Game

Ministers from the EU agreed to begin negotiations with the European Parliament over a comprehensive update to the union’s data privacy rules. The new regulations would give Europeans more rights in controlling what happens with their personal data, and give firms handling that data more responsibility for protecting it. After agreeing on a compromise common position on the draft, member states gave the Latvian Presidency of the Council of the EU the mandate to commence so-called trilogue negotiations. As it is a regulation rather than a directive, member states would have less flexibility in how they apply the new law nationally, meaning a higher level of harmonization across countries. The regulation would force companies processing personal data to prove that the data subjects have given their explicit consent. Multinationals would need to appoint independent data protection officers to ensure compliance. The potential fines for data protection violations could be as high as 2 percent of annual worldwide turnover. Depending on the company in question, this would be much higher than the fines that are currently levied. One of the most controversial aspects of the new regulation is that of liability for breaches. Under the current system, if a bank using a cloud provider to handle its customers’ data were to suffer a breach, the customer would only be able to sue the bank. Under the GDPR, the customer would be able to sue both the bank and the cloud provider. Another contentious issue that will surface during the trilogue discussions is the right of citizens to have their data erased. The UK is concerned that this may clash with the right to free expression. [Source]

EU – First Trilogue Meeting Begins

The three major institutions charged with creating the next generation of EU data protection law started discussions in the first of a series of trilogue meetings to finalize the proposed General Data Protection Regulation (GDPR). Several EU countries are concerned about the GDPR, including Cyprus, Italy, Belgium and Poland. Austria said it will not support a law that lowers data protection from existing standards. Leaders from the European Commission and European Parliament as well as negotiators from member states shared their thoughts during a press conference this morning, and the Alliance of Liberals and Democrats in the European Parliament shared its conditions for the EU data protection reform. [The Register]

EU – Numbers Indicate Google Tops EC Lobbying Efforts

According to figures published by Transparency International, Google and its lobbyists have had more meetings with European Commission officials than any other single company. Google lobbyists have had 32 meetings between December and June, the report states, topped only by BusinessEurope, which has 67 member companies spanning industries and including Microsoft, Facebook, IBM, Oracle and Samsung Electronics. The data shows more than three-quarters of lobbyists in that timespan were corporate; 18% were NGOs, and 2% were local authorities. The analysis “shows more clearly which companies have the greatest opportunity to influence decision-making,” the report states. [CIO Online]

EU – WP29’s Falque-Pierrotin on Key Digital Privacy, Security Issues

Isabelle Falque-Pierrotin of the Article 29 Working Party and the CNIL talks about delisting, the CNIL’s case against Google and making privacy the default. Asked what the most important digital privacy and security issue is, Falque-Pierrotin first lists “making security issues represented as really important and as a priority for all of the stakeholders. I’m not sure that’s the case right now.” And, she continues, it is important to “convince people that data protection is not against innovation and growth; on the contrary, data protection contributes to confidence. It is a key factor in the digital environment.” [Wired]

EU – New French Law Draws U.S. Comparisons

The French government’s plan to augment its anti-terror surveillance is being compared to the USA PATRIOT Act. “France’s ruling socialist government rushed through the bill earlier this year, shortly after the Islamist militant attacks in Paris in which 17 people were killed over three days,” the report states. While the law won’t be finalized until it is proven constitutional, it passed “by a simple show of hands from deputies in France’s National Assembly,” forgoing “the need for judicial warrants to use an array of spying devices including cameras, phone taps and hidden microphones,” the report continues. Earlier this week, however, the French government called revelations of eavesdropping by the U.S. government on the private conversations of senior French leaders “unacceptable.” [DW]

EU – A Look at France’s Digital Ambition Report

The French National Digital Council has released a report containing 70 proposals for the future of the digital economy in France and Europe. “The report follows a nationwide consultation of the major stakeholders, which has also sparked a debate on various issues relating to the digital economy such as how to regulate digital platforms and how to boost the competitiveness of French start-up companies.” Olivier Proust analyzes the report’s key proposals. He notes the French government also plans to “introduce a ‘Digital Bill’ before the French National Assembly in the fall aimed at regulating the use of the Internet as well as stimulating innovation and fostering growth in the digital economy.” [Full Story]

EU – WP29 Weighs In on the GDPR Trilogue Process

As the EU continues to buzz about the beginning of the trilogue negotiations and the final stage of the arduous process of bringing the General Data Protection Regulation (GDPR) to fruition, the Article 29 Working Party (WP29) has now weighed in with its thoughts on the final stages of what is likely to be historic legislation. Jedidiah Bracy and Sam Pfeifle write about those thoughts, which take the form of three letters to deeply involved members of the Commission, Council and Parliament. The letters include a hard line on government access to citizen data, a nuanced approach to a “one-stop shop” and an endorsement of a broad definition of personally identifying information. Further, the WP29 provides a 24-page document that outlines its specific problems with current versions of the GDPR text. [Privacy Tracker]

Facts & Stats

US – Theft Accounts for More Than Half of “Wall of Shame” Breaches

Roughly 52% of breaches posted on the Department of Health and Human Services’ Office for Civil Rights’ “wall of shame” were the result of theft. Unencrypted devices appeared to be the most consistent source of recent trouble. “Although we’ve seen some large hacking attacks, they are aimed at higher-profile organizations than the more typical provider organization,” The Marblehead Group’s Kate Borten said. “Attackers know that these organizations have a very high volume of valuable data. But I continue to believe that unencrypted PHI on devices and media that are lost or stolen is the most common breach scenario affecting organizations of any size.” [Gov Info Security]

US – Results of 2015 Online Trust Audit Mixed

The 2015 Online Trust Audit and Honor Roll found 54% of government websites to have “inadequate domain, brand and consumer protection.” All is not completely doom and gloom, however. The audit found 42% of government sites, such as the White House, FTC and FDIC, worthy of the honor roll, having “the highest average privacy score across evaluated industries.” The audit states that its primary goal “is to help drive the adoption of best practices and provide prescriptive tools and resources to aid companies.” [Washington Business Journal]

US – OPM Says Hack Could Cost $19 Million

In the first of three consecutive hearings on Capitol Hill this week, OPM Director Katherine Archuleta testified in front of the Senate Appropriations Committee. Archuleta said the breach affecting 4.2 million individuals—which is only part of the total number of those whose records have been compromised—will cost at least $19 million. “I am as upset as (those affected) are about what happened and what these perpetrators have done with our data,” Archuleta said. Financial Services and General Government Subcommittee Chairman John Boozman (R-AR) said, “The problem is something much greater than a lack of resources.” Relatedly, The Wall Street Journal reports that semantics may have initially obscured the true scope of the OPM breach. [CSM Passcode] [It gets worse: Two Federal OPM hacks affected up to 18 million]


EU – ECHR Finds Website Liable for Anonymous User Comments

In what some are calling a surprise decision, the European Court of Human Rights has found that Estonian news website Delfi can be held responsible for anonymous comments on its site. Access Senior Policy Counsel Peter Micek said the ruling has “dramatically shifted the Internet away from the free expression and privacy protections that created the Internet as we know it.” Media Legal Defence Initiative has summarized the reasoning behind the court’s decision. Digital Rights Ireland Chairman TJ McIntyre said the decision “doesn’t directly require any change in national or EU law,” but indirectly, “it may be influential in further development of the law in a way which undermines freedom of expression.” [Ars Technica]


WW – Feature Aims to Make Bitcoin Transactions Private

Though Bitcoin is often thought of as a private way of transacting, privacy issues remain, according to Blockstream Cofounder Greg Maxwell, who said an onlooker can uncover the identities of bitcoin users and reconstruct an individual’s financial history. “You can leak this information to everyone, and they just have to attach your name to one address,” Maxwell said. As a result, Blockstream has created its Confidential Transactions feature in its Sidechain Elements project. The feature aims to hide the content of a given transaction as well as the destination and amount. [Bitcoin News Service]
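Confidential Transactions hides amounts with Pedersen commitments: each amount is replaced by a commitment that reveals nothing about the value, yet the commitments add up homomorphically, so anyone can check that a transaction's inputs equal its outputs plus the explicit fee. The toy below is an added example, not Blockstream's Elements code; it works in a small multiplicative group modulo a prime for readability where the real scheme uses secp256k1, and it deliberately omits range proofs so that the last case shows why CT needs them. The modulus, generators and amounts are constructed.

```python
"""Toy Pedersen commitments, the building block behind Confidential
Transactions: hide each amount, yet let anyone verify inputs == outputs + fee.

Added example, not Elements' implementation. Uses integers mod a prime for
readability (the real scheme uses secp256k1) and has no range proofs, so
the final function shows the "negative amount" hole range proofs close.
Parameters are constructed and far too small for real use.
"""
import hashlib
import secrets

P = 2**127 - 1          # toy prime modulus (constructed)
ORDER = P - 1           # exponents live mod the group order
G = 2                   # generator for amounts
# Second generator for blinding factors: hash-derived so no one knows log_G(H).
H = int.from_bytes(hashlib.sha256(b"pedersen-h").digest(), "big") % P


def commit(value, blinding):
    """Pedersen commitment C = G^value * H^blinding (mod P)."""
    return (pow(G, value, P) * pow(H, blinding, P)) % P


def build_confidential_tx(in_amounts, out_amounts, fee, balance_check=True):
    """Commit to every amount. The spender knows the inputs' blinding factors
    (chosen when those outputs were created); the last output's blinding is
    solved for so the factors cancel in verification. The fee stays explicit,
    as in CT."""
    if balance_check and sum(in_amounts) != sum(out_amounts) + fee:
        raise ValueError("amounts do not balance")
    in_blind = [secrets.randbelow(ORDER) for _ in in_amounts]
    out_blind = [secrets.randbelow(ORDER) for _ in out_amounts[:-1]]
    out_blind.append((sum(in_blind) - sum(out_blind)) % ORDER)
    inputs = [commit(v, r) for v, r in zip(in_amounts, in_blind)]
    outputs = [commit(v, r) for v, r in zip(out_amounts, out_blind)]
    return inputs, outputs, fee


def verify_balance(inputs, outputs, fee):
    """Check prod(inputs) == G^fee * prod(outputs) without seeing any amount.
    The H terms cancel because the blinding factors were chosen to balance."""
    lhs = 1
    for c in inputs:
        lhs = lhs * c % P
    rhs = pow(G, fee, P)
    for c in outputs:
        rhs = rhs * c % P
    return lhs == rhs


def tamper(outputs, index, delta):
    """Inflate one hidden output by delta without knowing its blinding factor."""
    new = list(outputs)
    new[index] = new[index] * pow(G, delta, P) % P
    return new


def negative_output_attack(in_amount, inflated):
    """Without range proofs, a hidden output of -(inflated - in_amount) lets the
    balance check pass while another output exceeds the input."""
    negative = (ORDER - (inflated - in_amount)) % ORDER   # -(delta) mod order
    return build_confidential_tx([in_amount], [inflated, negative], 0, balance_check=False)


if __name__ == "__main__":
    ins, outs, fee = build_confidential_tx([50, 30], [70, 8], 2)
    print(verify_balance(ins, outs, fee))                  # True: 50+30 == 70+8+2
    print(verify_balance(ins, tamper(outs, 0, 1), fee))    # False: one output inflated
    print(verify_balance(*negative_output_attack(80, 100)))  # True: the hole range proofs close
```

The commitments themselves carry no information about the amounts (the same value with a different blinding factor yields an unrelated commitment), which is the privacy gain; the last case shows that the balance check alone cannot stop an output wrapping around the group order, so a real deployment must also prove every hidden amount lies in a bounded range.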

US – Banks to Roll Out Real-Time Payments

Bank-owned digital payments network clearXchange announced this week that it will roll out over the next year a real-time payments platform available to all U.S. consumers who have a bank account.  All of clearXchange’s member institutions, which includes five of the six largest U.S. banks as well as several regional banking institutions, are expected to offer real-time payments to their customers, clearXchange says in a statement. The network, formed in 2011, enables banks to provide person-to-person, business-to-consumer and government-to-consumer payments. The network is equally owned by Bank of America, Capital One, JPMorgan Chase and Wells Fargo. None of the banks that own the network responded to Information Security Media Group’s request for comment. [Source]

WW – Bitcoin Big Bang Takes Anonymity Out of Transactions

A look at the Bitcoin Big Bang project and Elliptic’s work supporting anti-money-laundering efforts in the bitcoin space. The company has created an interactive data visualization of historic and real-time transactions, which are public by default. Elliptic’s goal, according to CEO James Smith, is to expose criminal activity and bring bitcoin into the mainstream. “If digital currency is to take its legitimate place in the enterprise, it inevitably must step out of the shadows of the Dark Web,” he said. The company’s ability to track financial transactions should be an “eye opener” to those who think it’s all conducted anonymously, the report states. Smith said, “increased privacy does not necessarily have to equate to more freedom for criminals.” [Inside Bitcoin]


US – EFF Releases New “Who’s-Got-Your-Back” Privacy Report

The Electronic Frontier Foundation (EFF) has released its fifth data privacy report grading how well companies protect user data and how transparent they are about requests from governments. The EFF said that over the course of the last four years, companies are trending toward more transparency, but its latest report evaluates criteria more tightly. Adobe, Apple, CREDOmobile, Dropbox, Sonic.net, Wikimedia, WordPress.com and Yahoo all received the maximum five-star rating based on following “industry-accepted best practices”; informing users of “government data demands”; disclosing data-retention policies and “government content removal requests,” and having “pro-user public policy” and opposing “backdoors” to encrypted communications. [TechCrunch]

US – Amazon Releases Transparency Report

The fact that Amazon’s cloud computing services are used by 17 government agencies is spurring rumors that government interference is to blame for Amazon’s relative tardiness in releasing a transparency report. The company, however, has dismissed the allegations. “Where we need to act publicly to protect customers, we do. Amazon never participated in the NSA’s PRISM program,” Stephen Schmidt, Amazon Web Services CISO, wrote in blog post. “We have repeatedly challenged government subpoenas for customer information that we believed were overbroad, winning decisions that have helped to set the legal standards for protecting customer speech and privacy interests.” [PC Mag]

CA – Oldest Active Federal Access-to-Information Requests Stretch Back 6 Years

According to data collected as part of a Liberal question in the House of Commons, Justice Canada is the federal department with the longest running, active access-to-information request — an unfulfilled inquiry that dates back more than six years. Under the Access to Information Act passed by Parliament, departments are supposed to respond to requests for government records within 30 days, although in practice long delays have become routine. [Source]


US – Mystery Pooper: Firm to pay $2.2M Over Forced DNA Testing for Workers

A federal jury has concluded that an Atlanta grocery warehousing firm must pay two employees a combined $2.2 million for forcing them to submit to a buccal cheek swab to determine if their DNA was a match to feces being left throughout the facility. Employees Jack Lowe and Dennis Reynolds declined a combined $200,000 settlement offer from Atlas Logistics Group Retail Services. Instead, they forged ahead with the first damages trial resulting from 2008 civil rights legislation that generally bars employers from using individuals’ “genetic information” when making hiring, firing, job placement, or promotion decisions.  The two plaintiffs were singled out because their work schedules coincided with the timing and location of what the court termed the “defecation episodes.” The warehouse firm hired Speckin Forensic Laboratories to perform the buccal swab samples of the plaintiffs to compare them against the fecal matter left on site. Speckin recommended Short Tandem Repeat (STR) analysis. The tests cleared Lowe and Reynolds. [Source]

Health / Medical

US – Pharmacy Merger Creates Privacy Questions

CVS’s acquisition of Target’s pharmacy is rife with “some extremely likely data security and privacy problems and HIPAA horrors.” “Screaming in one track is Target’s collection of highly sensitive personal prescription and medical history, one of the largest in the world, while barreling in on the other track we have Target’s employees, who have little incentive to carefully follow data transfer protocols now that the data is about to be taken over by another company,” the report states. Chief among the concerns is how the data will be transferred and how, with double the number of handlers, its security will be guaranteed. Separately, California’s health insurance exchange is embarking on a data-collection project for all Affordable Care Act members. [Computerworld] See also: [CA – The Privacy of Transitioning Individuals’ Health Records Could Be at Risk]

US – FDA Using Online Forum to Track Drug Failures

The Food and Drug Administration (FDA) is partnering with PatientsLikeMe.com to track negative effects from prescription drugs. PatientsLikeMe is a forum for individuals to compare treatment experiences and seek advice. “With 350,000 users logging 28 million data points on more than 2,500 conditions, the site bills itself as the largest digital patient community in the world … The company has already collected data on 110,000 adverse events from 1,000 medicines that the FDA will now be able to access,” the report states. PatientsLikeMe has partnered with other organizations in the past, including the National Institutes of Health and the Centers for Disease Control and Prevention. [International Business Times]

US – Behind-the-Scenes Government System Keeps Data ‘Indefinitely’ on Those Seeking Health Coverage

A government data warehouse stores personal information forever on millions of people who seek coverage under President Barack Obama’s health care law, including those who open an account on HealthCare.gov but don’t sign up for coverage. “A basic privacy principle is that you don’t retain data any longer than you have to,” said Lee Tien, a senior staff attorney with the Electronic Frontier Foundation. “The more data you keep, the more harm an attacker or unauthorized person can do.” The health care system, known as MIDAS, is described on a federal website as the “perpetual central repository” for information that the Affordable Care Act authorizes federal agencies to collect. “Data in MIDAS is maintained indefinitely at this time,” says another document, a government privacy assessment dated Jan. 15. [Source]

Horror Stories

US – OPM Breach Could Affect 32 Million; IG Says Plans Destined To Fail

Officials from the Office of Personnel Management (OPM) and other federal agencies as well as two vendors appeared before a House Oversight committee Wednesday to answer questions about the massive breaches of government employee data. A day after a more sober Senate Appropriations hearing, things once again heated up as House representatives grilled OPM leadership about their security precautions and choice of vendor to handle notification and credit monitoring, even at points calling for the resignation of OPM leadership. This Privacy Tech post covers the latest, including the possibility of 32 million records at risk and comments by the Office of the Inspector General about its assessment of the OPM’s handling of the crisis. [Full Story]

US – OPM Hack Quadruples; Diplomats to Query Chinese Officials

The total number of individuals affected by the hacks of the Office of Personnel Management (OPM) has officially quadrupled to 18 million, up from initial reports of 4.2 million. Additionally, the National Archives and Records Administration (NARA) has detected similar cyber-intrusion activities in its network, but the adversaries do not appear to have as deep access into NARA’s network as they did into the OPM systems. This post for Privacy Tech continues to follow the latest fallout from what is surely one of the most damaging data breaches in U.S. history. [Full Story]

US – OPM: Attackers Had Access to OPM Database for a Year

The attackers who breached the security of a database at the US Office of Personnel Management (OPM) had access to the data for at least a year. The database holds information gathered for national security clearances. [WashPost] [ComputerWorld]

US – OPM: Fraud Protection Service Security Concerns

People whose personal information was compromised have complained that they have been required to provide sensitive personal information to the company that will provide fraud protection services to verify their identities. And there appears to be some question about whether or not this information is being or will be shared. [NextGov]

US – OPM: Breach Affected Two Different Systems

Two different systems were breached at OPM: the Electronic Official Personnel Folder system and the central database for EPIC, the software suite that OPM’s Federal Investigative Service uses to gather information for employee background investigations. [Ars Technica] [A Department of Homeland Security Official said that encryption would not have helped protect the data exposed in the OPM breach because the intruders managed to obtain valid user credentials] and [House Committee Chairman Jason Chaffetz (R-Utah) called on the president to fire OPM officials, saying “If we want a different result, we’re going to have to have different people.”]

US – Legacy Systems Are Not the Only Reason for OPM Breach

Office of Personnel Management (OPM) officials pointed to legacy systems as a central reason for the attacks on the OPM’s network. While it is true that the older systems do not support adequate encryption and other methods of data protection, other factors, including a lack of adequate talent, poor network design, and focusing on security reactively rather than proactively, contributed to the breaches as well. [ZDNet]

US – “Flash Audit” Continues OPM’s Bad Week

The story of the hack into the Office of Personnel Management (OPM) continues to be written this week, with news of a “flash audit” by the Office of the Inspector General that revealed “serious concerns” about a major IT systems overhaul at the OPM that is already underway but “has not yet addressed several critical project-management requirements.” Jedidiah Bracy examines the continuing problems at OPM and the ways in which the scope of the breach continues to expand. [Privacy Tech] [US – Millions More Affected by OPM Breach]

US – WEDI Releases Data Breach How-To

The Workgroup for Electronic Data Interchange (WEDI) has released Perspectives on Cybersecurity in Healthcare, a report discussing how healthcare organizations can best “mitigate, discover and respond” to data breach threats. “The risk of cyberattacks is no longer limited to the IT desk—it is a key business issue that must be addressed by executive leadership teams in order to build that culture of prevention,” said WEDI CEO and President Devin Jopp. Statistics amassed by WEDI indicate the matter is urgent. “In the first four months of 2015 alone, more than 99 million healthcare records have already been exposed through 93 separate attacks,” the WEDI document states. [FierceHealthIT]

US – Companies Facing Consequences for Privacy Faux Pas

A judge has refused to dismiss a suit against Sony Pictures Entertainment by former employees and victims of last year’s massive breach that alleges the corporation did not exercise privacy due diligence. In other courtroom news, LinkedIn recently agreed to settle for $13 million and update privacy protocols after allegedly manipulating preexisting profiles to woo new users, and a Home Depot stockholder is suing to inspect company records “to determine whether Home Depot management breached its fiduciary duties by failing to adequately secure payment information on its data systems.” [Bloomberg Business]

WW – LastPass Servers Hacked; Data Strongly Encrypted

Password-protection cloud service LastPass announced its servers have been compromised by hackers. Compromised data included hashed passwords, cryptographic salts, password reminders and email addresses. In a blog post, LastPass CEO Joe Siegrist said his company’s encryption protections will be difficult for the hackers to breach. He wrote, “We are confident that our encryption measures are sufficient to protect the vast majority of users,” adding, “LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.” [Ars Technica] [Hulk Hogan is fighting for the privacy of the world’s sex tapes] [US – Nude photos of Australian women shared on US website] [The Houston Astros were an easy hacking target: Someone reportedly reused an old password] [UK – Three exposed Brit’s privates with sloppy survey code]
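The two-stage scheme Siegrist describes (client-side rounds, then a random per-user salt and 100,000 rounds of server-side PBKDF2-SHA256), as an added Python example that is not LastPass code. The client-side round count, the use of the lower-cased e-mail address as the client-side salt, and all record field names are assumptions; only the 100,000 server-side rounds come from the post.

```python
"""Two-stage PBKDF2-SHA256 password hardening (added example, not LastPass code).

Stage 1 runs on the client and stretches the master password before anything
leaves the device; stage 2 runs on the server and re-hashes what it receives
with a fresh random salt. A stolen database therefore holds only salt, round
count and the final hash, and every offline guess must repeat both stages.
"""
import hashlib
import hmac
import os
import time

# 100,000 server-side rounds are quoted in the post; the client-side count
# and the salt length are assumptions for illustration.
CLIENT_ROUNDS = 5_000
SERVER_ROUNDS = 100_000
SALT_BYTES = 16


def client_auth_hash(master_password: str, email: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """Stage 1 (client): derive the authentication hash from the master password.

    The lower-cased e-mail address serves as the client-side salt (assumption),
    so the same password yields a different auth hash for every account.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        rounds,
    )


def server_create_record(auth_hash: bytes, rounds: int = SERVER_ROUNDS) -> dict:
    """Stage 2 (server): re-hash the received auth hash with a random salt.

    The auth hash itself is never stored; only salt, rounds and the result are.
    """
    salt = os.urandom(SALT_BYTES)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, rounds)
    return {"salt": salt, "rounds": rounds, "hash": stored}


def server_verify(record: dict, auth_hash: bytes) -> bool:
    """Recompute the server-side derivation and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, record["salt"], record["rounds"])
    return hmac.compare_digest(candidate, record["hash"])


def register(master_password: str, email: str) -> dict:
    """Full enrolment: client stage, then server stage."""
    return server_create_record(client_auth_hash(master_password, email))


def login(record: dict, master_password: str, email: str) -> bool:
    """Full login check: client stage, then server stage."""
    return server_verify(record, client_auth_hash(master_password, email))


def seconds_per_offline_guess(record: dict, email: str) -> float:
    """Cost of testing ONE candidate password against a stolen record.

    Whoever holds the salt and hash must redo both PBKDF2 stages per guess, and
    because the salt is random per record the work cannot be shared across
    users. This is the property Siegrist's statement relies on.
    """
    start = time.perf_counter()
    login(record, "not-the-real-password", email)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed sample account; not real credentials.
    email = "user@example.com"
    rec = register("correct horse battery staple", email)
    print("login with right password:", login(rec, "correct horse battery staple", email))
    print("login with wrong password:", login(rec, "Tr0ub4dor&3", email))
    print(f"seconds per offline guess: {seconds_per_offline_guess(rec, email):.3f}")
```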

WW – WhatsApp Comes Up Short Protecting User Data, Privacy Watchdog Says

WhatsApp lags behind its consumer tech peers when it comes to protecting user data from government requests, according to a prominent privacy advocacy group. In its annual Who Has Your Back? report, the Electronic Frontier Foundation awarded WhatsApp just one out of four stars when evaluating it across various categories concerning data protection. According to the EFF, WhatsApp doesn’t publish a transparency report detailing requests it’s received from the government, doesn’t promise to provide users advance notice of government data requests and doesn’t disclose its data retention policies. The messaging app does oppose creating purposeful security weaknesses known as backdoors that let government officials stealthily gather user data. Opposition to backdoor policies has become common among the consumer tech giants. [Source] [Ten low-tech ways to protect your privacy online] [Non-creepy social networks make it to your smartphone]

Identity Issues

US – Schumer Wants Credit-Reporting Firms to do More

Sen. Charles Schumer (D-NY) has written to major credit-reporting firms requesting a “system that will notify consumers when someone is trying to get a loan or other type of credit in their name” with an option to immediately freeze their credit. “Too many people have faced the reality of learning that someone else has opened new lines of credit in their names only once their score has already been run into the ground,” Schumer wrote. The Consumer Data Industry Association has said there is an established window for threat notification and “the industry has measures in place that provide consumer protections,” the report states. [The Wall Street Journal]

CA – CancerLinQ, Privacy Analytics Working Together on Patient Data

Privacy Analytics has announced it is teaming with CancerLinQ in an effort to de-identify cancer patient data on a large scale for research purposes, stressing that adhering to privacy regulation will be paramount. “Privacy Analytics is providing CancerLinQ with software and training that will allow CancerLinQ to responsibly de-identify patient data through a proven, risk-based methodology,” the firm’s announcement states. This will allow CancerLinQ to provide oncologists with reports “that can be customized for each specific use case and objective while protecting patient privacy.” Healthcare providers will now have access to “critical patient data from electronic health records that they would not have historically been able to access and analyze through traditional methods,” said Privacy Analytics CEO Khaled El Emam. [Full Story]

US – Online Banking Provider to Use Emoji Passwords

An online banking service provider plans to use emojis as passwords. On Monday, UK-based Intelligent Environments announced it will move toward the “world’s first emoji-only passcode,” giving users a choice of 44 different emoji representations to combine into passwords. The company argues the system will be more secure than number-only PINs and passwords because it has “480 times more permutations using emojis over traditional four-digit passcodes.” IE Managing Director of Engagement David Weber said, “Our research shows 64 percent of millennials regularly communicate only using emojis.” However, Carnegie Mellon Prof. Lorrie Cranor called the move a “gimmick,” adding, “I’m not sure that it will make a difference as far as security goes.” [NPR]

Internet / WWW

WW – U.N. Sends Peacekeeping Forces to Internet of Things War

The United Nations is joining the melee for a single “internet of things” (IoT) standard. The UN-run International Telecommunications Union (ITU) has created a new “study group” that will develop international standards for the technology to enable low-power communications between machines and sensor networks. Study Group 20 will be officially called “IoT and its applications, including smart cities and communities,” and will focus first on “standards that leverage IoT technologies to address urban-development challenges.” It hopes to come up with a full end-to-end architecture for IoT, and so allow for full interoperability of both applications and datasets. Even with the weight of the United Nations behind it, the ITU faces an uphill battle. At the moment, IoT is almost defined by the fact that there are a wide range of competing standards. [Source]

WW – Potential ICANN Policy Change Creates Privacy Concerns

The Electronic Frontier Foundation (EFF) is reporting that a policy being considered by ICANN, the global domain name authority, could make it easier for third parties to discover the contact information of website owners. The impetus for the potential policy change came from U.S. entertainment companies that want “tools to discover the identities of website owners whom they want to accuse of copyright and trademark infringement, preferably without a court order,” the EFF states. According to Threat Post, smaller websites appear to be the most affected. “The limited value of this change is manifestly outweighed by the risks to website owners who will suffer a higher risk of harassment, intimidation and identity theft,” the EFF notes. [Source]

Law Enforcement

US – City May Veto Police Data-Sharing Plan

The privacy concerns of Charlotte, NC, police may keep the Charlotte City Council from voting in favor of sharing data as part of a White House initiative to create greater transparency and accountability for law enforcement. If the motion is approved, the data would be shared with University of Chicago researchers who have promised to anonymize relevant data and store information securely. Some are still unsure, however. “I think we need to put it in abeyance until they totally understand what the point of it is and the purpose of it is,” said Charlotte Councilwoman Claire Green Fallon. [USA Today]

Online Privacy

EU – France Orders Google to Scrub Search Globally in Right to Be Forgotten Requests

We do not care if a URL’s got a .fr, a .uk or a .com glued to the end, the French data protection agency told Google – if a European makes a legitimate request to be forgotten in search results, make it so on all your search engines in all countries. CNIL said in its news release that it’s received hundreds of complaints following Google’s refusals to carry out delisting. According to its latest transparency report, last updated on Friday 12 June, Google had received a total of 269,314 removal requests, had evaluated 977,948 URLs, and had removed 41.3% of those URLs. CNIL sized up the complaints it’s received from those whom Google had declined to forget and says that it requested that Google delist several results – not just based on the extension on the URL, it said, but on all results from the whole search engine. [Source]

WW – Facebook’s ‘Moments’ App Lets You Privately Sync Camera Roll Photos With Your Friends

“With a phone at everyone’s fingertips, the moments in our lives are captured by a new kind of photographer: our friends. It’s hard to get the photos your friends have taken of you, and everyone always insists on taking that same group shot with multiple phones to ensure they get a copy. Even if you do end up getting some of your friends’ photos, it’s difficult to keep them all organized in one place on your phone,” said Facebook product manager Will Ruben. The Moments app groups the photos based on the date and the specific friends that are in each photo. Facebook uses facial recognition to determine which of your friends are in each of the photos. Once your photos are grouped, the Moments app asks you if you want to sync the group of photos with the friends it identified. If the app failed to include one of your friends, you can manually edit the individuals you want to sync the photos with. The photos that you share using Moments are private and do not post to the News Feed during the syncing process. However, the Moments app lets you save the synced photos to your camera roll, send them to Facebook Messenger friends, post them to your Facebook or Instagram feeds, or send them to your contacts via SMS or WhatsApp. If your friends do not have the Moments app yet, they will get a preview of the synced photos you have sent in Facebook Messenger. And if you accidentally synced photos with someone, there is an option to “unsync” individual photos or delete the group of photos. [Source]

WW – Major Mac Flaw Spills Passwords on Apple Devices

Apple claims that its “Keychain” software lets people securely store their passwords on their Macs. As it turns out, hackers can pull the keys off the chain. A crucial flaw found in Macs allows a malicious app to snatch the passwords from your Keychain — or even directly from other apps. That exposes the passwords to your iCloud account, notes, photos, email, banking, social media — everything. Indiana University computer science professor XiaoFeng Wang and his team of researchers found several ways a bad app could “cross over” into other apps. The researchers found that malicious software could slip into the Apple Keychain, delete old passwords, and wait for you to retype them in. When you do, it grabs them. They also found an issue with the way Apple categorizes Mac programs with a unique ID, called a BID. Hackers could assign an email app’s BID to a piece of malware, then get scooped up into a “trusted” group of programs. The Indiana University team analyzed the top 1,612 Mac apps, and found that 89% of them were susceptible to these kinds of attacks. [Source]

WW – Apple Wants To Know If You Use Protection

New features on Apple’s pre-installed “Health” app will allow users to track their sexual activity, namely whether or not they used protection and the time of day they had sex. The new Health app, which already tracks other health information like fitness and nutrition data, will be available on iOS 9, which is set to come out later this year, and will also include the ability to track other reproductive health metrics like menstruation and ovulation cycles. You can choose to store your data solely on your device without backing it up to the cloud. But Apple also lets you choose to share your data with your doctor or anonymously with researchers. Apple is also set to release “HealthKit,” which will pool data entered into various health and fitness apps. “It just might be the beginning of a health revolution,” Apple’s Website reads. Or it could be a great way to put personal information at risk and provide hackers nuanced and specific information. [Source]

US – Advocacy Group Petitions FCC on DNT

Consumer Watchdog has announced it is petitioning the Federal Communications Commission (FCC) in an attempt to legally enforce do-not-track compliance with “edge provider” sites like Google and Facebook. “Ensuring that ISPs respect their customers’ privacy is important, but privacy rules covering companies like Google and Facebook are also necessary if people are going to trust the Internet,” said Consumer Watchdog Privacy Project Director John Simpson. “The FCC clearly has the authority it needs and must do everything it can to build that trust if it is to succeed in promoting timely broadband deployment.” [Full Story] [Emma Watson’s next movie will tackle online privacy]

CA – OPC Releases Updated Report on Online Behavioural Advertising

The Technology Analysis Branch of the Office of the Privacy Commissioner has released its Online Behavioural Advertising (OBA) Follow Up Research Project. The report highlights the OPC’s 2011 guidelines for OBA, noting, “If these conditions and restrictions are not met, and an organization wishes to continue to use OBA, then explicit consent is required.” The report also notes in its overview that while the guidelines were shared widely and “an industry-led self-regulatory program was subsequently launched, advertising practices may not be consistent.” “While the advertising industry has made progress in giving consumers more choice about the ads that target them based on their search and browsing behaviour online, some of those ads are still getting a little too personal.” [Source] [Globe & Mail]

WW – Apple Moves to Prevent Accessing Apps for Ads

Apple will no longer share app data, “which is akin to web-browsing history,” with developers for tailoring ads to its users. Apps and social networks “have sometimes drawn on data about other apps that are already installed” on phones to determine what ads to show users, the report states, noting, for example, if a user “has downloaded a lot of games, including ones that cost money, they may be shown an ad for a paid game that they don’t already have.” The move to discontinue the “increasingly popular practice” is a part of Apple’s effort “to appear more privacy-friendly,” the report states. This may affect Twitter’s recent announcement that it would allow ad targeting based on downloaded apps. [The Information]

WW – Will Privacy Regulation Impact Facebook’s Revenue?

Research from eMarketer indicates the EU’s “mounting probes of Facebook’s privacy policies” could adversely affect the social network’s ability to release new features and increase advertising revenue. “Government privacy watchdogs from France, Spain and Italy have in recent weeks joined a group of regulators investigating the social networking company’s privacy controls,” the report states, “doubling the number of European countries analyzing the way Facebook handles the personal information and connections gleaned from more than 300 million users in Europe.” Given those actions, “It’s difficult to imagine Facebook increasing its revenue from Western Europe significantly,” eMarketer noted in its research. [The Wall Street Journal]

US – Business Opposed to TCPA Update

Business groups believe updates to the Telephone Consumer Protection Act (TCPA) have “overstepped.” The new rules “create new restrictions on important, time-sensitive, non-telemarketing communications, which go way beyond the intent of Congress when it passed the TCPA,” note the U.S. Chamber of Commerce’s Lisa Rickard and William Kovacs. [Katy on the Hill]

Study Finds Most Consumers Concerned About What Marketers Know

A University of Pennsylvania study indicates 84% of consumers want “more control over what marketers can learn about them.” “Americans don’t think the trade-off of their data for personalized services is a fair deal,” said IAPP VP of Research and Education Omer Tene. [Ad Exchanger]

WW – The Dark Side of Proxy Servers

One researcher tested nearly 450 open web proxies and found that 79 percent forced users to load pages in http://, or unencrypted mode, which means that the proxy owners could view the traffic in plain text. In addition, 16% of the proxy servers were found to be injecting ads into the content. [Krebs] [Blog haschek] [The Dark Web as You Know It Is a Myth]

US – The Fight Against Revenge Porn Hits the Mainstream

The last week has been a good one for those who have been fighting against the online phenomenon known as revenge porn, or nonconsensual pornography. On Friday, Google announced it will honor takedown requests of sexually explicit images from victims who did not consent to their posting. That was immediately followed up by news that Rep. Jackie Speier (D-CA) plans to announce the first-ever federal legislation against revenge porn. Plus, the issue is reaching popular culture: On Sunday, Last Week Tonight with John Oliver dedicated the majority of its episode to cyber-harassment and revenge porn. This post looks into the developments and what they mean for tech companies, and includes provided comments from University of Miami School of Law Prof. Mary Anne Franks. [Privacy Perspectives] [Low-tech ways you can protect your privacy online] [How to Defeat ‘Revenge Porn’: First, Recognize It’s About Privacy, Not Revenge]  [John Oliver exposes what the Internet does to women]

Other Jurisdictions

RU – Parliament Gives RTBF Bill Initial Approval

The lower house of the Russian Parliament, the State Duma, on Tuesday gave initial approval to legislation requiring search engines to remove outdated or irrelevant personal data upon request from users. The bill, which resembles the EU’s right-to-be-forgotten concept, has some—including the country’s largest search engine, Yandex—concerned it could drive censorship and diminish information valuable to the public interest. Unlike the EU’s version, the Russian bill would require sites to delete data even if the information is in the public’s interest. Yandex said, “The limitations introduced by this bill reflect an imbalance between private and public interests,” adding, “This bill impedes people’s access to important and reliable information or makes it impossible to obtain such information.” [Reuters] [AU – How will Australia’s anti-piracy law affect you?]

CO – Colombia DPA Issues Accountability Guidelines

Colombia’s Superintendence of Industry and Commerce (SIC) has launched the Colombian Accountability Guidelines—the first of their kind in Latin America. The result of a multi-stakeholder process, the aim of the document is to help companies implement Colombia’s Data Protection Regulation of 2012. While the guidelines aren’t binding, companies that implement their provisions are, under the law, to be looked upon more favorably in the case of a SIC investigation or enforcement action than those who don’t. José Alejandro Bermúdez Durana, deputy superintendent for data protection for SIC, says he hopes other Latin American countries will adopt Colombia’s proactive approach to incentivizing companies to create strong data protection regimes. [The Privacy Advisor]

AU – Skoolbag App Gaining Popularity in New Zealand amid Privacy Concerns

An app that alerts parents to school emergencies, and tells them the date of the college disco, is gaining in popularity, despite warnings from privacy watchdogs about the safety of the data it collects. Skoolbag is the brainchild of Australian parent Andrew Tsousis, who wanted a better way of communicating with his child’s school. It is now used by 34 schools in New Zealand and 2,000 worldwide, and provides information on cancellations, school notices, school contact information, timetables, absences and parent contact details. However, the Australian privacy commission recently warned of the dangers of the inappropriate disclosure of the mountains of data being collected by Skoolbag and apps like it. [Source] See also: [Chinese Hackers Circumvent Popular Web Privacy Tools] China’s telecommunications regulator, the Ministry of Industry and Information Technology, has promulgated a new regulation aimed at cracking down on spam messages, Scott Livingston writes.

Privacy (US)

US – Supreme Court Deems Hotel Registry Rule Unconstitutional

In a 5-4 decision, the Supreme Court struck down a Los Angeles city ordinance requiring hotel operators to show a list of registered guests to the police on demand. The court held that the guest registry law violated the Fourth Amendment’s protection against unreasonable searches because it did not give hotel managers the chance to seek a ruling from a judge or magistrate before complying with police requests. Justice Sonia Sotomayor wrote for the majority that the law opened up hotel and motel owners and their guests to potentially limitless harassment because an owner who refused to give registry access to an authority “can be arrested on the spot.” [Politico]

US – EPIC Files Complaint with FTC Over Uber’s Privacy Policy

The Electronic Privacy Information Center (EPIC) has filed a complaint with the FTC regarding Uber’s new privacy policy, which permits the company to use cell phones to track users even if they’re not currently employing Uber’s services. “The complaint asks the FTC to investigate Uber’s business practices, stop the company from collecting user location data ‘when it is unnecessary for the provision of the service,’ halt Uber’s collection of user contact list information and investigate other companies that engage in similar practices, among other things.” A statement released on EPIC’s website cites “Uber’s history of misusing customer data as one of many reasons the commission must act.” [USA Today]

US – Federal CIO Backs OPM Director; Senators Press for Details

After a tough day of questioning from a House oversight panel on Wednesday, Office of Personnel Management (OPM) leadership and other government officials testified in front of the Senate Committee on Homeland Security and Government Affairs to further clarify the extent of the biggest theft of government records in U.S. history. In this post, Jedidiah Bracy reports on the hearing and includes a brief timeline of the various hacks to the OPM, KeyPoint and USIS based on testimony from witnesses. [Privacy Tech]

US – Will USA FREEDOM Act Help Restore Cross-Border Trust?

The enactment of the USA FREEDOM Act made headlines in the U.S. and beyond. However, as the Hogan Lovells Privacy Team explains in this post, “the impact that the surveillance reform legislation may have on cross-border data transfers could turn out to be newsworthy as well.” The post summarizes some of the important elements of the legislation—including how the act reforms the Foreign Intelligence Surveillance Court operations by requiring it to make important decisions, orders and opinions public—and explores the USA FREEDOM Act’s potential to influence more than government surveillance practices. [Privacy Tracker]

US – Google, Viacom Argue Lack of Standing

Google and Viacom are urging courts to reject attempts to revive a previously dismissed suit that claims Nick.com violated privacy laws and used information gleaned from the site to track users under the age of 13. The suit alleges the companies violated the Video Privacy Protection Act and utilized cookies inappropriately, while Google and Viacom see no harm done. Viacom has said, “Nick.com users lack ‘standing’ to sue, because they weren’t injured by the alleged tracking,” the report states. Viacom pointed out the users “argued that Viacom used anonymous data about their Internet activity to facilitate the delivery of the very advertising that makes Viacom’s websites available for free to them and the rest of the public.” [MediaPost] [CVS’s Target deal: Prescription for a privacy disaster]

WW – Experian Releases Breach Legislation Whitepaper

Experian Data Breach Resolution has released a whitepaper on the current state of legislation that shapes how companies must prepare for and respond to data breaches. “Currently, companies face a segmented system of state- and sector-specific data breach laws. At the same time, policy-makers in the European Union, Australia and Brazil are considering new approaches to data breach notification that could impact businesses that engage in global commerce,” Experian notes in its announcement of the new research. “Organizations must ensure they understand and are meeting both the legal requirements and expectations of regulators to protect consumers in the event of a data breach,” said Experian’s Michael Bruemmer. [Full Story] [US – Why Data Privacy Is a Real Campaign Issue in 2016]

US – Globetrotters Changing Data-Collection Methods

The Harlem Globetrotters basketball team will change its method of collecting information from newsletter subscribers, according to a Better Business Bureau (BBB) unit. The basketball exhibition team’s website invites visitors to subscribe to an email newsletter by entering their names, email addresses and ZIP codes. In a section for kids’ games, subscribers were required to check a box stating, “You are 13 or older.” But the BBB’s Children’s Advertising Review Unit said that procedure didn’t comply with children’s privacy guidelines, which require operators of sites directed at children to conduct age-screen in a “neutral” way, the report states. [MediaPost]

US – Committee Hears from Advocates, Industry on Drone Regs

Amazon is among those that don’t want drone regulations handled on a state-by-state basis. “Uniform federal rules must apply,” Amazon VP of Global Public Policy Paul Misener told a congressional committee. Privacy advocates, meanwhile, argue drones pose serious potential security concerns, especially since law enforcement use of drones has yet to be regulated. “Here is a nightmare scenario for civil liberties: a network of law enforcement UAS (unmanned aircraft systems) with sensors capable of identifying and tracking individuals monitors populated outdoor areas on a constant, pervasive basis for generalized public safety purposes,” said the Center for Democracy & Technology’s Harley Geiger. “This may seem an unlikely future to some. However, few existing laws would stand in the way.” [BuzzFeed]

WW – Nymity Releases Legal Compliance Tool

Nymity has unveiled a legal compliance requirements solution for privacy officers and lawyers. Nymity LawTables allows users to analyze and visualize compliance requirements across multiple jurisdictions; identify and compare common legal requirements; understand which rules of law require evidence, and reduce privacy risk. The solution allows privacy officers to map accountability to compliance, build tables to demonstrate compliance and map BCRs to laws, among other features. “For years, privacy officers have been asking for a simple way to compare legal requirements,” said Nymity’s Terry McQuay, adding, “After extensive research by our team of privacy and data protection experts, we have met this objective.” [Full Story]

WW – Controversy Over Uber’s Plan to Track Users’ Locations When App Isn’t Running

Changes to Uber’s privacy policy, set to go into effect July 15, would allow the ridesharing app to track its users’ location data even when the app isn’t running. But the company is now facing legal troubles over the proposed changes. The U.S.-based Electronic Privacy Information Center (EPIC) submitted a complaint to the U.S. FTC citing concerns over the new data tracking policy, first outlined by Uber in May. The updated privacy policy would allow the app to collect location data about customers when the user’s GPS is turned off, or the app isn’t being used. Uber’s new policy would also allow the app to access the user’s contacts, in order to send special offers to the user’s friends and family. “This collection of users’ information far exceeds what customers expect from the transportation service,” read the complaint submitted by EPIC. “Users would not expect the company to collect location information when customers are not actively using the app.” However, Uber has also made it clear that users will be able to opt out of location tracking features. EPIC argues that forcing users to opt out “places an unreasonable burden on consumers.” [Source]

US – Top Court Throws Out Ordinance Giving Police Access to Hotel Records

The U.S. Supreme Court ruled that a Los Angeles ordinance that lets police view hotel guest registries without a warrant violates the privacy rights of business owners, taking away what the city called a vital tool to fight prostitution and other crimes. In a 5-4 decision, the justices upheld an appeals court ruling that struck down the ordinance, saying it infringed upon hotel operators’ rights under the U.S. Constitution’s Fourth Amendment protections against unlawful searches and seizures. More than 100 other jurisdictions across the United States have similar laws that could be affected by the court’s ruling, the city’s lawyers said in court papers. [Source]

Privacy Enhancing Technologies (PETs)

New Offerings Emphasize Privacy

New social media offerings, Bill Ottman’s Minds.com and Facebook companion app Moments, are completely different in functionality and purpose but are united by the same thing: They plan to stay out of their users’ lives. Minds.com functions similarly to Facebook but places explicit emphasis on privacy by encrypting user messages and information in a way that its competitor does not. “The funny thing about Facebook’s privacy situation is they say, ‘Oh, we have all these privacy settings,’ but they don’t have the option for, ‘Hey, Facebook, I don’t want you seeing my data,’” Ottman said. [International Business Times]

Remote Identification / IoT

WW — W3C’s Auto Division Creating Task Force

The Automotive Working Group, one of W3C’s divisions tasked with creating web standards for the automotive industry to use in smart cars, has announced the creation of a special task force to deal with security and privacy issues. “Many industry reports have confirmed that a significant majority of consumers want safe and secure access to the web from their connected car,” an official announcement states. “We hear this need resonating loudly in the automotive industry.” The task force’s activity will mainly address security-related concerns, but user privacy is also a focus. The group will consider how technologies handle user data, privacy rights and opt-in sharing agreements, the report states. [Softpedia]

US – Car Data “Pre-Standards” to Be Released

Auto Alliance will publish a list of “pre-standards” for the automotive industry regarding its current and future use of in-car data. With an initial release planned for January 1, the standards look to create “a fundamental set of expectations for the collection, use and sharing of vehicle data” and ensure “sensitive personal information” such as location and biometrics “is subject to opt-in selection when data is to be used for marketing or shared with third parties for their own use,” the report states. The standards also aim to make sure “there are restrictions on disclosure of geolocation information to the government.” [eWeek]


WW – Survey Finds Decision-Making Disconnect

The Ponemon Institute and Fidelis Cybersecurity’s Defining the Gap: The Cybersecurity Governance Survey indicates a “disturbing rift in cybersecurity knowledge between those who make decisions and manage the budgets and those who have to implement and manage the security measures.” “Cybersecurity is a critical issue for boards, but many members lack the necessary knowledge to properly address the challenges and are even unaware when breaches occur,” Fidelis noted in its announcement of the survey. “Further widening the gap, IT security professionals lack confidence in the board’s understanding of the cyber risks their organizations face, leading to a breakdown of trust and communication between the two groups.” Meanwhile, Infor COO Pam Murphy writes for Diginomica about her perspectives on cloud security. [CSO Online]

WW – Wearable Fitness Trackers Tested for Data Leakage and Poor Security

Independent IT security testing authority AV-Test.org has put nine fitness trackers under the microscope to explore how well they protect users’ data. The researchers examined nine fitness wristbands – Acer Liquid Leap, Fitbit Charge, Garmin Vivosmart, Huawei TalkBand B1, Jawbone Up24, LG Lifeband Touch FB84, Polar Loop, Sony Smartband Talk SWR30, Withings Pulse Ox – and found big differences in their security models. The investigation raised a variety of issues, including that many of the trackers make it too easy for an unauthorised smartphone to connect to the wristband. Additionally, some of the products failed to properly authenticate that the smartphone app communicating with them was legitimate, opening the door for abuse. [Source]

WW – Collaboration Key to Defense

Representatives from the government, military and academia met at the U.S. Army War College to discuss how best to tackle a large-scale technological attack, deciding that partnerships across the sectors are the best form of defense. “We have to avoid any notion of ‘my turf versus your turf’ because the problem is only going to be solved by collaboration,” said Penn State University Prof. Thomas Arminio. George Mason University Center for Infrastructure Protection & Homeland Security Director Mark Troutman agreed. “You do not want this to be a military approach,” he said. “We are Americans. We secure ourselves at the end of the day with an active and engaged citizenry.” [Government Technology]

US – NSA, GCHQ Targeted Anti-Virus Firms

The latest leak of Snowden-acquired documents reveals that the U.S. National Security Agency and UK Government Communications Headquarters (GCHQ) reverse-engineered software products and monitored the web and email communications of anti-virus software manufacturers, Kaspersky Lab in particular. “Spy agencies seem to be engaged in a digital game of cat and mouse with anti-virus companies,” the report states. “The U.S. and UK have aggressively probed for weaknesses in software deployed by the companies, which have themselves exposed sophisticated state-sponsored malware.” All of the documents supporting these conclusions are here. In related news, GCHQ was found to have illegally monitored two international human rights groups in a case triggered by earlier Snowden revelations. [The Intercept]

US – NSA and GCHQ Sought to Reverse Engineer Security Software

Intelligence agencies in the US and UK made efforts to reverse engineer antivirus and security software, as it hindered their secret investigations. The report is based on documents leaked from the NSA. It appears that the agency and GCHQ focused their efforts on companies including Kaspersky Lab, F-Secure, Avast, Eset, BitDefender, and CheckPoint. [FirstLook] [Wired] [ComputerWorld] [DarkReading]

WW – Software Applications Have on Average 24 Vulnerabilities Inherited from Buggy Components

Many commercial software companies and enterprise in-house developers are churning out applications that are insecure by design due to the rapid and often uncontrolled use of open-source components. Even worse, because of poor inventory practices these software makers could not tell which of their applications are affected by a known component flaw even if they wanted to. Last year, large software and financial services companies downloaded 240,757 components on average from one of the largest public repositories of open-source Java components. Over 15,000 of those components, or 7.5 percent, had known vulnerabilities, according to Sonatype, the company that manages the repository. [Source]
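The point about inventory is the practical one: a vendor that records which component versions each application ships can answer “which of our products are affected by this advisory?” in seconds. The following is an added illustration of that lookup, not Sonatype’s tooling or any real repository data; the applications, Maven-style coordinates, advisory identifiers and version ranges are all constructed for the example.

```python
"""Match an application component inventory against known-vulnerable component versions.
Added illustration, not Sonatype's tooling; every application, coordinate, advisory ID and
version range below is constructed for the example."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed inventory: application -> Maven-style "group:artifact:version" coordinates.
INVENTORY: Dict[str, List[str]] = {
    "payments-api": [
        "org.example.web:http-core:4.2.1",
        "org.example.xml:xml-binding:1.9.13",
        "org.example.log:log-core:2.3",
    ],
    "reporting-batch": [
        "org.example.web:http-core:4.5.3",
        "org.example.log:log-core:2.3",
    ],
    "customer-portal": [
        "org.example.xml:xml-binding:2.0.0",
        "org.example.web:http-core:4.2.1",
    ],
}

# Constructed advisories: (id, group:artifact, first affected version inclusive, first fixed version exclusive).
ADVISORIES: List[Tuple[str, str, str, str]] = [
    ("ADV-0001", "org.example.web:http-core", "4.0", "4.3"),
    ("ADV-0002", "org.example.log:log-core", "2.0", "2.4"),
    ("ADV-0003", "org.example.xml:xml-binding", "1.9.0", "1.9.14"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '4.2.1' into (4, 2, 1). Non-numeric segments count as 0 (a simplification
    sufficient for the constructed data; real tooling needs the ecosystem's own ordering)."""
    parts = []
    for seg in v.split("."):
        digits = "".join(ch for ch in seg if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def _pad(a: Tuple[int, ...], b: Tuple[int, ...]) -> Tuple[Tuple[int, ...], Tuple[int, ...]]:
    """Zero-pad so that '2.3' and '2.3.0' compare equal instead of by tuple length."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_in_range(version: str, lo: str, hi: str) -> bool:
    """True when lo <= version < hi under numeric dotted comparison."""
    v1, l = _pad(parse_version(version), parse_version(lo))
    v2, h = _pad(parse_version(version), parse_version(hi))
    return l <= v1 and v2 < h


@dataclass(frozen=True)
class Finding:
    application: str
    component: str
    advisory: str


def find_affected(inventory=INVENTORY, advisories=ADVISORIES) -> List[Finding]:
    """Every (application, component, advisory) triple where the shipped version is in an affected range."""
    findings = []
    for app, components in inventory.items():
        for coord in components:
            ga, _, version = coord.rpartition(":")
            for adv_id, adv_ga, lo, hi in advisories:
                if ga == adv_ga and version_in_range(version, lo, hi):
                    findings.append(Finding(app, coord, adv_id))
    return findings


def applications_affected_by(advisory_id: str, inventory=INVENTORY, advisories=ADVISORIES) -> List[str]:
    """The question the article says vendors without an inventory cannot answer."""
    return sorted({f.application for f in find_affected(inventory, advisories) if f.advisory == advisory_id})


def vulnerable_component_share(inventory=INVENTORY, advisories=ADVISORIES) -> float:
    """Fraction of distinct component versions in use that carry a known advisory
    (the same kind of figure as the 7.5 percent quoted above)."""
    distinct = {c for comps in inventory.values() for c in comps}
    hit = {f.component for f in find_affected(inventory, advisories)}
    return len(hit) / len(distinct) if distinct else 0.0


if __name__ == "__main__":
    for f in find_affected():
        print(f"{f.application}: {f.component} affected by {f.advisory}")
    print(f"{vulnerable_component_share():.1%} of distinct components have a known vulnerability")
```

Run as a script it lists five affected application/component pairs; the `version_in_range` helper deliberately treats the upper bound as exclusive, so a component already on the first fixed release is not flagged.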

WW – Irony Alert: Password-Storing Company Is Hacked

No one’s safe from hackers — not even LastPass, a company that stores people’s passwords. LastPass lets people store passwords online so they can access them all with a single master password. You’re storing all your eggs in one basket. That could be a problem. This week, LastPass announced that hackers broke into its computer system and got access to user email addresses, password reminders and the salted hashes derived from people’s master passwords (not the passwords themselves, and not the encrypted password vaults). Those hashes are only as safe from offline guessing as the master password behind them, which is why a weak or reused master password is the real exposure here. [Source]


WW – Samsung Addresses Bugging Vulnerability

Researchers at the Black Hat conference in London demonstrated a potentially damaging security vulnerability in Samsung phones, which could have affected up to 600 million devices around the globe. Today, Samsung reached out to Privacy Tech to note it is currently addressing concerns and will roll out security updates in the coming days. This post looks into the updates, how exploiting the vulnerability would have required a rare confluence of events, and the growing importance of hacker culture in helping companies fix security bugs. [Privacy Tech] [WW – Samsung and LG smartwatches leave sensitive data open to hackers]

WW – Samsung Bug Could Affect 600 Million Phones

A newly discovered vulnerability could allow adversaries to monitor Samsung smartphone cameras and microphones, read text messages and install malicious apps, potentially affecting 600 million phones around the world. Researchers demonstrated how it works at the annual Black Hat conference in London, UK. The bug resides in an update mechanism for a customized version of SwiftKey that ships on the Samsung Galaxy S6, S5 and other models, the report states. As of now, there is not much users can do to prevent attacks other than avoiding unsecured WiFi networks. SwiftKey officials said, “We take reports of this manner very seriously and are currently investigating further.” [Ars Technica]

WW – Researchers: LG, Samsung Watches Vulnerable to Hackers

Researchers at the University of New Haven have announced they were able to “easily” extract personal data, from contacts to health information, from LG and Samsung smart watches. “It was not very difficult to get the data, but expertise and research was required,” said Ibrahim Baggili, of New Haven’s Cyber Forensics Research and Education Group. By “poking around” the watches’ internal storage and the smartphones they were linked to, the researchers were able to readily uncover the data, according to V3, because the data was not properly encrypted. Both LG and Samsung say they are currently investigating the findings, which will be presented at a digital forensics conference in August. [Full Story]

WW – Google Eavesdropping Tool Installed on Computers Without Permission

Privacy campaigners and open source developers are up in arms over the secret installation of Google software capable of listening in on conversations held in front of a computer. First spotted by open source developers, the Chromium browser – the open source basis for Google’s Chrome – began remotely installing audio-snooping code that was capable of listening to users. It was designed to support Chrome’s new “OK, Google” hotword detection – which makes the computer respond when you talk to it – but it was installed, and, some users have claimed, activated on computers without their permission. [Source] [The Guardian]

WW – Listening Tool Now Optional for Chromium Users

Amidst user consternation regarding Google Chromium’s listening software, Google has made the feature optional. While the service in question “uses the computer’s microphone to listen out for the ‘OK, Google’ hotword to trigger voice searches,” users were not given the ability to opt out, the report states. Some expressed concern “Google was downloading a ‘black box’ onto their machines that was not open source and therefore could not be verified to be doing what it said it was meant to do,” the report continues. “As of the newly landed r335874, Chromium builds, by default, will not download this module at all,” Google said in response, adding that if a user so chooses, the service can be obtained via the company’s web store. [Business Insider] [Take Control of Your Google Privacy]

US – In First Opportunity, FISA Court Declines Amicus Panel

Many privacy advocates lauded the portion of the new USA FREEDOM Act that created a new amicus panel of privacy advocates to be consulted by the Foreign Intelligence Surveillance Court when making decisions. However, the FISA Court declined to empanel anyone in making its first post-FREEDOM Act decision, and is allowing the National Security Agency’s bulk collection of call data to continue for six months until a new program of retention by telecom companies can get off the ground. Judge Dennis Saylor ruled that the decision was “sufficiently clear” that the privacy panel was unnecessary. Amie Stepanovich of Access countered, however, “It is the job of the amicus to raise issues that may not be readily apparent on first blush.” [National Journal]

US – Sun Microsystems CEO Talks Surveillance

Scott McNealy is known for his role as cofounder and long-serving CEO at Sun Microsystems, though some remember him for his statement on privacy back in 1999, when he called consumer privacy issues a “red herring,” saying, “You have zero privacy anyway. Get over it.” These days, McNealy is worried about government surveillance. “It doesn’t really bother me that Google and AT&T have information about me, because I can always switch to another provider,” McNealy said. But it’s a different story with government. “It scares me to death when the NSA or IRS know things about my personal life and how I vote,” he said. [IDG News Service]

Telecom / TV

US – Phone Scamming Up 30% Last Year: Report

Retail and finance call centre phone scamming in the US is up 30%, according to research. The 2014 findings are based on some 86 million scam calls a month picked up by Pindrop Security in which attackers aimed to obtain personal information on potential victims. The phone security company says one in 2,200 calls is fraudulent, up from one in 2,900 in 2013, topping US$9 million a year. The outfit’s annual report says that credit card processors have received the highest number of fraud calls and notes that regional legislation had no effect on the incidence of the crime. Technical support scams are unsurprisingly the most common type of phone fraud, chalking up eight million calls a month, followed by small credit loans and automotive insurance. The report says brokerages, which hold the highest account values, are fleeced an average of $15 million annually, while credit card issuers follow with $11 million and banks trail at $7.6 million. [Source]

WW – IEEE and IETF Announce Successful Trials on WiFi Privacy Risks

IEEE has announced that the IEEE 802 LAN/MAN Standards Committee and the Internet Engineering Task Force (IETF) have successfully carried out three experimental trials addressing privacy risks associated with tracking globally unique media access control (MAC) addresses in WiFi networks. The IEEE study group was formed in 2014 and aims to develop a recommended practice based on the privacy issues related to IEEE 802 technologies. “From the onset, IEEE 802 and the IETF have shared a commitment to mitigate privacy risks for nontechnical users living in a world that increasingly offers constant connectivity,” said Juan Carlos Zuniga, chair of the privacy committee. [Full Story]
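The tracking risk the trials address comes from the globally unique, burned-in MAC address a device broadcasts on every network it joins; the mitigation under study is to use a randomized, locally administered address instead. The following is an added illustration of the address bits involved and of why a fixed address is linkable across locations; it is not IEEE or IETF code, and the sample addresses and sightings are constructed.

```python
"""Globally unique vs locally administered (randomized) MAC addresses.
Added illustration, not IEEE 802 or IETF code; the sample addresses and the
"sightings" list are constructed for the example."""
import secrets
from typing import Dict, List, Set, Tuple


def parse_mac(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' and return the six raw octets."""
    octets = mac.replace("-", ":").split(":")
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes(int(o, 16) for o in octets)


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def is_locally_administered(mac: str) -> bool:
    """Bit 1 (value 0x02) of the first octet is the U/L bit: set means locally administered,
    clear means a globally unique address from a vendor-assigned block."""
    return bool(parse_mac(mac)[0] & 0x02)


def is_multicast(mac: str) -> bool:
    """Bit 0 (value 0x01) of the first octet is the I/G bit; a station's own address must have it clear."""
    return bool(parse_mac(mac)[0] & 0x01)


def oui(mac: str) -> str:
    """First three octets. For a globally unique address this identifies the vendor, and the
    whole 48 bits stay constant across networks, which is what makes the device trackable."""
    return format_mac(parse_mac(mac)[:3])


def random_unicast_mac() -> str:
    """A fresh locally administered unicast address: 46 random bits, U/L set, I/G clear.
    A device that uses a new one per network gives a passive observer nothing to link."""
    raw = bytearray(secrets.token_bytes(6))
    raw[0] = (raw[0] | 0x02) & 0xFE
    return format_mac(bytes(raw))


# Constructed sightings a passive observer could collect from probe requests: (location, mac).
# One device keeps its burned-in address everywhere; another uses a random address per location.
SAMPLE_OBSERVATIONS: List[Tuple[str, str]] = [
    ("cafe", "00:1a:2b:3c:4d:5e"),
    ("cafe", "1a:2b:3c:4d:5e:6f"),
    ("airport", "00:1a:2b:3c:4d:5e"),
    ("airport", "c6:91:00:12:34:56"),
]


def link_observations(observations: List[Tuple[str, str]]) -> List[str]:
    """Return the addresses seen at more than one location, i.e. the devices an observer
    could follow across networks purely from their MAC address."""
    seen: Dict[str, Set[str]] = {}
    for location, mac in observations:
        seen.setdefault(mac.lower(), set()).add(location)
    return sorted(m for m, locs in seen.items() if len(locs) > 1)


if __name__ == "__main__":
    for mac in ("00:1a:2b:3c:4d:5e", "1a:2b:3c:4d:5e:6f", random_unicast_mac()):
        kind = "locally administered" if is_locally_administered(mac) else "globally unique"
        print(f"{mac}  {kind}  OUI={oui(mac)}")
    print("linkable across locations:", link_observations(SAMPLE_OBSERVATIONS))
```

Only the device with the fixed, globally unique address shows up as linkable; the randomized device appears as two unrelated stations. Randomizing the address is not a complete fix on its own, since other identifiers in probe requests or higher layers can still link a device, which is part of what the IEEE 802 privacy work looks at.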

US – Sens. Want Paypal To Reconsider Robocall Policy

Paypal’s new user agreement is drawing heat from four Democratic senators who are calling on the company to reconsider a policy that would force users to receive robocalls and text messages. After July 1, consumers will be unable to opt out of the new terms if they still want to use PayPal services. “Consumers should not have to agree to submit themselves to intrusive robocalls in order to use a company’s service,” wrote Sens. Ed Markey (D-MA), Al Franken (D-MN), Ron Wyden (D-OR) and Robert Menendez (D-NJ) in a letter to PayPal’s president and CEO. [The Hill]

US Government Programs

US – FTC Proposes Gramm-Leach-Bliley Amendment

The FTC has proposed an amendment to its rules under the Gramm-Leach-Bliley Act to allow auto dealers that finance car purchases or provide car leases to provide online updates to consumers about their privacy policies as opposed to sending yearly updates by mail, according to an FTC press release. Under the proposed revision, auto dealers could provide consumers with the privacy policy solely online as long as they also notify consumers that it is available there on a yearly basis. Dealers would still be required to provide consumers with a written copy of the notice upon request, however. The proposed changes will be published in the Federal Register shortly. [Full Story]

WW – Wikileaks, Court Documents Shed More Light on U.S. Spying

The French government has called extensive eavesdropping by the U.S. Government, revealed by Wikileaks, on the private conversations of senior French leaders “unacceptable.” French President Francois Hollande called an emergency meeting of the Defense Council on Wednesday to discuss revelations published by French news website Mediapart and newspaper Liberation about U.S. National Security Agency surveillance. Meanwhile, newly unsealed court documents indicate the Obama administration fought a legal battle against Google “to secretly obtain” the email records of a security researcher associated with Wikileaks. [The New York Times]

US Legislation

The USA FREEDOM Act, FISA and the New Surveillance Landscape

President Barack Obama recently signed the USA FREEDOM Act into law. Hailed as the biggest intelligence reform in 40 years, the FREEDOM Act is considered the first major pro-privacy change to U.S. intelligence law since the original enactment of the Foreign Intelligence Surveillance Act in 1978 (FISA), writes Westin Research Center Fellow Arielle Brown. The USA FREEDOM Act ends the National Security Agency’s bulk collection of U.S. call metadata, among other things. Brown offers an analysis of the new act as well as a redlined version of FISA showing how the USA FREEDOM Act modifies existing law. [Full Story]

EU – Movement on Umbrella Agreement a Life Preserver for Safe Harbor?

A bipartisan bill introduced this week to provide the same data rights to Europeans that Americans have under the Privacy Act of 1974 has received acclaim on both sides of the political aisle. “The judicial redress issue is the last major sticking point in four-year negotiations over the creation of an ‘umbrella agreement’ for the protection of personal data transferred between law enforcement agencies in the U.S. and EU,” the report states. It would also address a major point of contention in the Safe Harbor negotiations. “Without this legislation, the umbrella agreement won’t be accepted,” said German MEP Jan Philipp Albrecht. “It’s parity we’re looking for,” said UK MEP Claude Moraes. “For this step to happen, and to have equivalence, is a very significant move.” Rep. Jim Sensenbrenner (R-WI) was equally pleased and “optimistic that it will be brought to a vote.” [Politico]

US – Other Legislative News

