16-31 July 2015


IN – In Effort to Expand Biometric ID Scheme, India Says Privacy Not Fundamental Right

During the course of defending the legality of the Aadhaar biometric scheme before India’s Supreme Court this week, the chief lawyer for India’s central government argued that privacy is not a fundamental right bestowed by the country’s constitution. India’s government also asked the court to reconsider all Supreme Court judgments over the past two decades that defined privacy as a constitutional right. India’s central government made the argument in order to defend extending the use of the Aadhaar biometric system for security and crime-related surveillance. The government is currently piloting the use of the biometric scheme for airport security. Ironically, the Modi government, which came to power last year, was highly critical of the previous government’s administration of the biometric ID system during a contentious election campaign, when it characterized Aadhaar as a “failure” and a “waste of money” that needed to be eliminated. However, after the new government came to power, it decided not only to maintain, but expand the system, with a view to expanding social services, along with enhancing attendance monitoring over government employees. [Biometric Update]

US – GAO Tells Congress to Revisit Facial-Recognition Tech

The Government Accountability Office (GAO) has released a new report on facial-recognition technology, specifically on its commercial uses, privacy issues and the applicable federal law. Although the report does not put forth any recommendations, it proposes that Congress look into “strengthening the consumer privacy framework” to keep up with emerging technology such as facial recognition. Sen. Al Franken (D-MN) announced the new report and issued a press release on it, writing that “what we really need are federal standards that address facial-recognition privacy by enhancing our consumer privacy framework.” [TechCrunch] [All forms of biometric authentication are not created equal]

WW – Facebook’s Facial-Recognition Tool Draws Privacy Ire

When you are identified in a picture on Facebook, biometric software remembers your face so it can be “tagged” in other photographs. Facebook Inc. says this enhances the user experience. But privacy advocates say the company’s technology — which was shut off in Europe and Canada after concerns were raised — should only be used with explicit permission. The U.S. government is participating in a working group to develop rules for companies using facial recognition — even if those are voluntary. “Face recognition data can be collected without a person’s knowledge,” said Jennifer Lynch, an attorney for the Electronic Frontier Foundation, a San Francisco-based privacy rights group. “It’s very rare for a fingerprint to be collected without your knowledge.” Privacy groups such as Lynch’s last month cited the business community’s opposition to requiring prior consent as the reason they walked out on the government meetings. The Department of Commerce’s National Telecommunications and Information Administration, which sponsored the talks, plans to continue the process without most of the privacy advocates. [Bloomberg News]

WW – Researchers’ Breakthrough Means Faces on CCTV, Infrared-Footage Identifiable

Until now, the problem with infrared and CCTV surveillance video has been that it is hard to recognize the people in it. That’s because “the link between the way people look in infrared and visible light is highly nonlinear,” so matching faces in such footage to how they look in ordinary light has been an unresolved challenge, the report states. But Saquib Sarfraz and Rainer Stiefelhagen at the Karlsruhe Institute of Technology in Germany may have solved the problem by teaching a neural network to do the matching. One reason this has become possible is the growth of vast databases of facial images, the report states. [MIT Technology Review] [Deep Neural Nets Can Now Recognize Your Face in Thermal Images]

US – NetChoice Praises NTIA Facial-Recognition Talks

NetChoice, which represents online commerce companies and advocates, has announced it is pleased with the results of the latest National Telecommunications and Information Administration (NTIA) facial-recognition discussion. The NTIA discussion aimed to “vet two proposed privacy best practices for facial recognition,” the report states. “Today was extremely productive as a diverse group of stakeholders made clear steps toward establishing facial-recognition technology policies and regulations that foster transparency, control and closure,” said NetChoice’s Carl Szabo. “I think we all agree that companies using facial-recognition technologies should provide people with meaningful control when their facial image data is shared with others,” he added. [Multichannel News]

WW – Keystroke-Monitoring Identified as Anonymity Threat

Monitoring the timing of a user’s keystrokes, “a sort of digital fingerprint that can betray its owner’s identity,” has been identified by security researchers as a threat to Tor users: the rhythm with which someone types is consistent enough to be matched across sites, regardless of the IP address they connect from. “The risk to anonymity and privacy is that you can profile me and log what I am doing on one page and then compare that to the profile you have built on another page,” said security researcher Runa Sandvik. “Suddenly, the IP address I am using to connect to these two sites matters much less.” Researchers Per Thorsheim and Paul Moore developed a Chrome plugin to ward off these attacks. “For oppressive regimes, this is most certainly of high interest,” Thorsheim said. [Ars Technica]
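The following is an added example, not code from the Ars Technica story or from Thorsheim and Moore’s plugin. It shows how a tracking script could build a keystroke-dynamics profile from key-down/key-up timestamps (hold time per key, gap time per digraph), how such profiles from two sites compare for the same typist versus a different one, and how a defence that delivers keystrokes with randomised timing breaks the match. All timings are simulated from assumed typist parameters; the profile and distance functions are simplified for illustration.

```python
import random
import statistics
from typing import Dict, List, Tuple

# One keystroke as a page sees it: (key, press time, release time), in ms.
Event = Tuple[str, float, float]


def type_text(text: str, dwell: float, flight: float,
              rng: random.Random, noise: float = 8.0) -> List[Event]:
    """Simulate a typist with a characteristic hold time (dwell) and gap
    between keys (flight), plus small natural variation.
    Constructed data for the demo, not captured keystrokes."""
    events: List[Event] = []
    t = 0.0
    for ch in text:
        press = t
        release = press + max(1.0, rng.gauss(dwell, noise))
        events.append((ch, press, release))
        t = release + max(1.0, rng.gauss(flight, noise))
    return events


def profile(events: List[Event]) -> Dict[str, float]:
    """Keystroke-dynamics profile: mean dwell per key ('d:x') and mean
    flight per digraph ('f:xy'). These are the features a tracking script
    can compute from keydown/keyup timestamps on any page you type into."""
    samples: Dict[str, List[float]] = {}
    for i, (key, press, release) in enumerate(events):
        samples.setdefault("d:" + key, []).append(release - press)
        if i + 1 < len(events):
            next_key, next_press, _ = events[i + 1]
            samples.setdefault("f:" + key + next_key, []).append(next_press - release)
    return {k: statistics.fmean(v) for k, v in samples.items()}


def distance(a: Dict[str, float], b: Dict[str, float]) -> float:
    """Mean absolute difference in ms over the features both profiles share;
    a small value means 'probably the same typist'."""
    shared = a.keys() & b.keys()
    if not shared:
        return float("inf")
    return statistics.fmean(abs(a[k] - b[k]) for k in shared)


def jitter(events: List[Event], rng: random.Random,
           max_gap: float = 150.0) -> List[Event]:
    """Defence in the spirit of a keystroke-privacy extension (assumed
    design, not the plugin's actual code): hold each keystroke back and
    deliver it with random hold and gap times, so the page only ever sees
    synthetic timing. Key order and content are unchanged."""
    out: List[Event] = []
    t = 0.0
    for key, _press, _release in events:
        press = t + rng.uniform(0.0, max_gap)
        release = press + rng.uniform(20.0, 120.0)
        out.append((key, press, release))
        t = release
    return out


def demo() -> Dict[str, float]:
    """Compare profiles from two sessions of the same typist, a different
    typist, and the same typist behind the jitter defence."""
    rng = random.Random(7)           # fixed seed: deterministic demo
    text = "the quick brown fox jumps over the lazy dog " * 5
    alice_site1 = profile(type_text(text, 90, 120, rng))
    alice_site2 = profile(type_text(text, 90, 120, rng))
    bob = profile(type_text(text, 60, 200, rng))
    alice_jittered = profile(jitter(type_text(text, 90, 120, rng), rng))
    return {
        "same_user": distance(alice_site1, alice_site2),
        "different_user": distance(alice_site1, bob),
        "same_user_jittered": distance(alice_site1, alice_jittered),
    }


if __name__ == "__main__":
    for name, ms in demo().items():
        print(f"{name:>20}: {ms:6.1f} ms")
```

Run it and the same-typist distance is a few milliseconds while the different-typist distance is tens of milliseconds; that gap is what makes cross-site linking possible even through Tor. Once the defence rewrites the timings, the same typist looks as far from her own earlier profile as a stranger does, which is the property a keystroke-privacy tool needs to provide.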

WW – Phones Help Detect Depression Symptoms

A Northwestern University Feinberg School of Medicine study has found that tracking consumers’ smartphone usage could indicate with 86% accuracy whether or not they were depressed. Northwestern Center for Behavioral Intervention Technologies Director David C. Mohr, dubbing phones part of the “fabric of people’s lives,” found the study important as it indicated that critical mental health information may be gleaned “without asking (patients) any questions.” He continued, “We now have an objective measure of behavior related to depression. And we’re detecting it passively. Phones can provide data unobtrusively and with no effort on the part of the user.” [Full Story]


CA – Foreign Visitors to Canada to Face Electronic Screening

Millions of travellers will soon face another layer of red tape when they try to visit Canada. Starting Saturday, Ottawa will start accepting applications for electronic travel authorization (eTA) from people who wish to travel to Canada by air. Prospective travellers have until March 15 to submit their biographic, passport and other personal information through Citizenship and Immigration Canada’s website for pre-screening or face being denied entry when the border enforcement kicks in. The new measure — part of the harmonization with the United States’ travel security system — will apply to most air passengers, including all applicants for study and work permits, as well as those who come from countries that currently do not require a visa to come to Canada. Critics view the initiative as another attempt to block refugees from arriving on Canadian soil and raise concerns over the use of the data in storage. [Source] See also: [Mondaq News: Canada: Data Protection Agreements]

CA – Ottawa Says Little About CSIS Document Breach Claimed by Anonymous

The federal government is saying little about an apparent breach involving classified information. Digital hacking collective Anonymous made good late Monday on a threat to release what it says is the first of many secret documents. An apparent Treasury Board memo about funding of the Canadian Security Intelligence Service’s overseas communications capabilities was posted online. The Canadian Press could not confirm the document’s authenticity and Jeremy Laurin, a spokesman for Public Safety Minister Steven Blaney, had no immediate comment. In an accompanying video statement, Anonymous denounced the recent shooting of an Anonymous supporter in British Columbia during a confrontation with the RCMP. [The Star] [RCMP national website goes offline, Anonymous claims responsibility]

CA – Manitoba WRHA Putting Personal Health Info at Risk

The Winnipeg Regional Health Authority’s cybersecurity “weaknesses” threaten to allow personal health information to fall into the wrong hands, according to Manitoba’s auditor general. Auditor General Norm Ricard’s report found sensitive patient information can be accessed by personal flash drives, laptops, smartphones and tablets, so-called “end-user devices” that aren’t properly protected. Ricard noted that more than 3,900 personal devices are now connected to WRHA email, which could potentially include personal health information. Flash drives are also a concern. Manitoba’s auditor general made the following 12 recommendations to the Winnipeg Regional Health Authority to enhance cybersecurity:

  1. Identify and assess all risks associated with end-user devices in the WRHA environment
  2. Share assessment results with WRHA CEO and document residual risks
  3. Implement controls to reduce risks associated with end-user devices
  4. Develop a strategic plan for information and communication technology services to the WRHA, including plans for remote access through personal devices
  5. Create an information classification scheme based on the sensitivity of information
  6. Develop guidance for Personal Health Information Act (PHIA) trustees on how to audit their security safeguards
  7. Monitor trustees’ compliance with PHIA’s audit of security safeguards requirements
  8. Develop a risk-based audit program
  9. Update information security training to target higher risk positions and outline incident procedures
  10. Require associated physicians, medical staff, contractors, students, researchers and employees periodically attend PHIA awareness training
  11. Require same individuals to attend security awareness training upon hiring
  12. Implement additional information security awareness techniques to reinforce training

The WRHA said it is committed to making all of the changes and some are already underway. [The Winnipeg Sun]

CA – Medical Marijuana Class Action Certified by Federal Court

The Federal Court of Canada has certified a class-action lawsuit involving 40,000 people in the medical marijuana access program. The case was launched in 2013 after Health Canada sent letters to people with the program’s name on the envelope. Before that, mail sent to individuals in the program didn’t mention marijuana. Recipients were upset, saying their privacy had been violated. Some said they worried they’d lose their jobs or become victims of a home invasion. In March this year, the Office of the Privacy Commissioner of Canada ruled that Health Canada had violated federal privacy laws. That ruling didn’t allow for any compensation. In a press release, the Halifax law firm that launched the case says the certification shows the Federal Court has decided the class-action lawsuit is necessary to allow people access to justice. The plaintiffs are seeking damages for breach of contract, breach of confidence, invasion of privacy and charter violations. The federal government now has 30 days to appeal the Federal Court’s certification. [Source] See also: [Canadian Appeals Monitor: Overview of Ontario Court of Appeal’s Decision in Hopkins v. Kay] SEE ALSO: [RCMP overrides rights of bereaved families: Editorial]

CA – TPP Likely to Force Canada to Repeal Local Data Protection Laws

U.S. negotiators are pushing hard to eliminate national laws in TPP countries that require sensitive personal data to be stored on secure local servers, or within national borders. This goal collides with B.C.’s Freedom of Information and Protection of Privacy Act and similar rules in Nova Scotia, which are listed as “foreign trade barriers” in a 2015 United States Trade Representative (USTR) report. According to that report, the B.C. privacy laws “prevent public bodies such as primary and secondary schools, universities, hospitals, government-owned utilities, and public agencies from using U.S. services when personal information could be accessed from or stored in the United States.” Irrespective of your views on whether such local storage requirements are reasonable or not, what’s significant here is that TPP, ostensibly a trade agreement, may force Canada to repeal local privacy laws. That fact underlines why the secret nature of the negotiations is profoundly anti-democratic: matters are being decided behind closed doors that should rightly be debated openly. [Techdirt] [Pacific trade deal could raise health costs, lower privacy protection: Geist]

CA – File Breach at Electronic Spy Agency Prompts Mandatory Privacy Training

Canada’s electronic spy agency introduced mandatory privacy awareness training for all employees in March following an internal breach involving personal information. When Greta Bossenmaier became chief of the Communications Security Establishment in February, the ultra-secret eavesdropping outfit was under intense public scrutiny over alleged spying on citizens. But less than two months into the job, Bossenmaier was informing the spy agency’s staff of a privacy violation inside its own walls. [The Canadian Press]

CA – Ontario Hit With Hundreds of Privacy-Breach Complaints

Ontario has been hit with more than 200 privacy complaints about the mishandling of personal information by the provincial government or its agencies over the past 18 months, according to Information and Privacy Commissioner Brian Beamish. Most of them can be chalked up to human error or computer glitches, but the common thread in the complaints is that detailed personal information ended up in the wrong hands. As recently as last week, a misdialed fax machine was blamed for a privacy breach affecting hundreds of Ontario Disability Support Program recipients in Hamilton. In 2014 the Information and Privacy Commissioner’s office received 61 reports of breaches from provincial ministries and government agencies, and 73 from individuals, plus nine others that the office initiated on its own, Beamish said. This year so far there have been 29 from ministries and agencies, 35 from individuals and four self-initiated. [The Toronto Star]

CA – Complaint filed with Ontario Press Council

The Ontario Press Council has received a complaint against Bullet News Niagara. The complaint is for a story the online media outlet published last week about an anonymous poster, whose identity became known to his employer and ultimately led to the employee losing his job. [Source]

CA – Other Canadian Privacy News Roundup


US – Study: Consumers Want To Know If Companies Are Collecting Data

An Annenberg School for Communication study indicates consumer support for the trade of their data for discounts is largely “overstated.” The survey found 91% disagree and 77% strongly disagree that “If companies give me a discount, it is a fair exchange for them to collect information about me without my knowing,” the report continues. “By misrepresenting the American people and championing the trade-off argument, marketers give policy-makers false justifications for allowing the collection and use of all kinds of consumer data often in ways that the public find objectionable,” the report stated. “Data collection in itself isn’t inherently evil, but companies have to be more forthright about what they are doing because customers are watching,” Digital Clarity Group’s Tim Walters said. [TechCrunch] See also: [Big Data Knows You Like Losers] and [Men who harass women online are quite literally losers, new study finds]

US – Tool Diagnoses Severity of Leaked PI

The New York Times published an online tool to gauge not only which elements of your personal information have been leaked but also how many times it was accessed by hackers depending on your online registrations, purchases or enrollments with companies such as Target, Anthem or Neiman Marcus. “How can you protect yourself in the future? It’s pretty simple: You can’t,” the report states. “But you can take a few steps to make things harder for criminals,” like two-factor authentication, frequent password updates and encryption. The report also includes links to each breached corporation’s public statement regarding the hacks. [Full Story]

US – Sparapani Outlines “Consumer Data Compact”

ACLU and Facebook veteran Tim Sparapani outlines a “Consumer Data Compact” for the Digital Age. The “fundamental question” of the time, he writes, could be, “Are businesses returning at least as much, if not more, value to their customers from using their data than the businesses obtain from that data? Answering this question can allow both businesses and regulators to evaluate the privacy impact of products and services.” He continues, “When businesses are able to answer this question in the affirmative, they have aligned their interests with those of consumers. The FTC and state regulators should work to align its policy and enforcement work to incentivize companies to make just such an analysis.” [Forbes] See also: [Slate: Turning the Tables: A Privacy Policy from the Users] See also: [Why Netflix and HBO don’t care if they lose $500M a year to password sharing]

US – Digital Trust Foundation Grants $1.6M to Address Cyber Abuse

The Digital Trust Foundation (DTF) announced that it will award $1.6 million in grants for research, education and support for “understanding, preventing and responding to digital abuse.” DTF Board Member Larry Magid said, “Cyberbullying, cyberstalking, and other forms of digital abuse are far too common.” Three of the grants will go toward research on digital abuse related to cyberstalking and digital domestic violence; two will go toward abuse in schools; one will go toward creating an online platform for victims, while three more will focus on the legal system. [Full Story]


HK – Personal Data Checks Fail to Register in Public Lists

Just one in 10 commonly used government public registers has safeguards against the misuse of private data, the Office of the Privacy Commissioner for Personal Data has found. The 10 registers it examined covered bankruptcies, births, business, companies, land, marriages, notice of intended marriages, licensed persons, vehicles and voters. Personal data available include identity card numbers, residential addresses and signatures on the companies, land and vehicle registration records. Privacy Commissioner Allan Chiang Yam-wang said cyber bullying, financial loss and personal safety risks may ensue from people with malicious intent getting access to the information. “The ideal scenario would be that the legislation responsible for setting up the public registers is clearly defined,” Chiang said. The register of electors is the only public list in the survey that has legislative safeguards written in to guard against data misuse. Of 82 public register-related laws, only 32 state the purposes of the publication of the data. Just five of these 32 contain explicit measures against misuse of the data. Chiang said the Personal Data (Privacy) Ordinance cannot be fully applied to public registers as those are bound by their own legislation. [Pogo Was Right]

US – Clearer, More Stringent Cybersecurity Rules for Government Contractors

The White House wants government contractors to have strong, clear, and consistent rules for protecting sensitive data. Recent breaches underscore problems in the current contractor arrangements, including inconsistent data security standards in federal contracts as well as in various guidelines established by different agencies. A proposal for new rules will soon be available for public comment. [The Hill] [Amazon] See also [The blue pages conspiracy blues: Why Ottawa doesn’t want you to call]

US – White House to Release Vendor Data Policy

The White House will release a new policy that aims to create consistency amongst vendors and their storage of government data. “The increase in threats facing federal information systems demand that certain issues regarding security of information on these systems is clearly, effectively and consistently addressed in federal contracts,” an Office of Management and Budget notice states. Meanwhile, the Pentagon has chosen Leidos to handle the modernization of its electronic healthcare records. “We wanted to make sure we took adequate steps to protect the information that will be on this system, as well as the privacy of health care information,” said Undersecretary of Defense for Acquisition, Technology and Logistics Frank Kendall. [Nextgov]


US – Email Privacy Act Could Bypass Debate

With 291 cosponsors, the Email Privacy Act, which would modernize the 1986 Electronic Communications Privacy Act (ECPA), is in a position to bypass debate and move straight to approval. “When ECPA was written, the Internet as we understand it did not exist,” said Rep. Kevin Yoder (R-KS), author of the Email Privacy Act. “Only 340,000 Americans even subscribed to cell-phone service. Mark Zuckerberg was only two years old. But as our society and technology has evolved, our digital privacy laws remain stuck in 1986. With our bill now receiving the support of a veto-proof majority of the House of Representatives, the time has arrived to fix that.” [Multichannel]


US – Dept. of Commerce to Revisit Wassenaar Export Rules

A US Department of Commerce spokesperson said that the government plans to revise export controls on hacking tools after members of the information security community spoke out against the government’s first iteration of the rules, required by the Wassenaar Arrangement. The rules are aimed at restricting the export of cyber tools that could be used for malicious purposes. Security experts have said that the rules would have a chilling effect on research. [The Register]

PK – Pakistan Bans BlackBerry Enterprise Server

Pakistan’s Ministry of the Interior has issued a notice to the Pakistan Telecommunication Authority (PTA) to order telecommunications companies that serve the country to stop access to BlackBerry Enterprise Services as of December 1, 2015. The directive was issued “for security reasons,” according to a PTA spokesperson. [The Register] [v3.co.uk] [ArsTechnica]

EU Developments

EU – EDPS Provides Detailed Recommendations for Final GDPR Text

As the trilogue process continues toward a final draft of the EU’s proposed General Data Protection Regulation, the European Data Protection Supervisor has not stood idly by. Today, the EDPS released a detailed draft of its own, creating a new “fourth text” for the trilogue process to consider. Further, it has released its own mobile app that allows one and all to both read its recommendations and compare all of the texts against one another. [Privacy Tracker]

EU – Data Privacy Chief Criticizes Air Passenger Bill

EU data privacy chief Giovanni Buttarelli has said a forthcoming law gathering detailed information on air passengers is too invasive and is unlikely to stop terrorism. Buttarelli said it makes more sense to target specific categories of flights, passengers, and countries. “I’m still waiting for the relevant evidence to demonstrate, even in terms on the amount of money, and years to implement this system, how much it is essential,” he said. His comments come after MEPs in the civil liberties committee on 15 July agreed a legislative proposal that will allow the collection of detailed information – such as credit card details and addresses – of all people flying in and out of the EU. Buttarelli is due to give a formal opinion on it in September. [euobserver.com]

UK – High Court: Parts of Data Retention Law Illegal

The UK High Court has struck down a key provision in the nation’s surveillance legislation. The Data Retention and Investigatory Powers Act (DRIPA) was considered “emergency” legislation after the EU’s highest court struck down the EU data retention directive. DRIPA required communications providers to retain customer data in case intelligence services needed to investigate crimes. The UK High Court agreed with MPs David Davis and Tom Watson that the law did not include enough privacy or data-protection safeguards. Sections 1 and 2 of DRIPA were found unlawful on the basis that:

  • they fail to provide clear and precise rules to ensure data is only accessed for the purpose of preventing and detecting serious offences, or for conducting criminal prosecutions relating to such offences.
  • access to data is not authorised by a court or independent body, whose decision could limit access to and use of the data to what is strictly necessary. The ruling observes that: “The need for that approval to be by a judge or official wholly independent of the force or body making the application should not, provided the person responsible is properly trained or experienced, be particularly cumbersome.”

The government has nine months to rewrite the law, and the Home Office said it will appeal the ruling. [Politico EU] [UK High Court smacks down ‘emergency’ UK spy bill as UNLAWFUL: Government has until March 2016 to write new legislation]

EU – Google Changes User Consent Policy to Comply With Cookie Reg

Google has announced a change to its user consent policy, which will affect website publishers using Google products and services including Google AdSense, DoubleClick for Publishers and DoubleClick Ad Exchange. Google says that under the new policy, publishers will have to obtain EU end-users’ consent before storing or accessing data on their devices. The change is in direct response to the EU’s cookie consent rules (the ePrivacy Directive), the report states, and follows Google’s CookieChoices website, launched earlier this month. The site was launched to help digital publishers obtain tools and access other resources in their endeavor to gain user consent. [TechCrunch]

EU – Google Appeals CNIL’s RTBF Order

Google is appealing the CNIL’s formal notice that the company honor right-to-be-forgotten requests globally. In a blog post, Google Global Privacy Counsel Peter Fleischer writes, “We’ve worked hard to implement the right-to-be-forgotten ruling thoughtfully and comprehensively in Europe, and we’ll continue to do so … But as a matter of principle, we respectfully disagree with the idea that a national data protection authority can assert global authority to control the content that people can access around the world.” Fleischer also suggests a global implementation would have a “chilling effect” on the Internet. Meanwhile, in the U.S., the Association of National Advertisers is urging the FTC to dismiss a Consumer Watchdog complaint that claims not honoring takedown requests is an unfair and deceptive trade practice. [Full Story]

EU – AEPD Names New Director

The Council of Ministers on Friday announced that Mar España Martí has been named the new director of the Spanish Data Protection Agency (the AEPD). She replaces José Luis Rodríguez Álvarez, who served in the role for four years. The new director, according to a press release in Spanish, is a lawyer and civil servant with extensive experience working on the protection of human rights. Her work with the presidency has included a focus on electronic administration and information security, promoting quality of data and transparency efforts in the Spanish government. She will serve a term of four years as the head of the AEPD. Rodríguez reports that he will return to his work at Universidad Complutense de Madrid and will remain active with data protection issues. [Full Story]

EU – Nymity Announces New EU Headquarters, New Roles

Nymity has announced it will open a new European headquarters in London, UK, and Lauren Reid will assume the role of director of EU privacy solutions. Reid has worked for two years at Nymity’s corporate headquarters in Toronto, Canada. “I am excited for the opportunity to be on the ground in Europe during what promises to be an eventful fall, with the EU regulation just around the corner and evolving expectations for the privacy office,” Reid said. Nymity President Terry McQuay said the London expansion gives the company an opportunity “to further our commitment to EU data protection and accountability.” Nymity has also announced it is welcoming Jorge Molet in the newly created post of Privacy Research Lawyer, Latin America. [Full Story]

EU – Ireland: Right to Access Birth Cert For Up to 50,000 Adopted

As many as 50,000 adopted people will have the right to their birth certificate for the first time under new legislation being drawn up by the Government. The Adoption (Information and Tracing) Bill, due to be discussed at this week’s Cabinet meeting, is expected to operate retrospectively and will apply to all future adoptions. At present many adoptees are unable to access birth certs listing their original parents’ names due to legal obstacles, including a constitutional right to privacy on the part of birth parents. To help resolve this, adopted people would be required to sign a statutory declaration obliging them to respect the wishes of birth parents in cases where they do not wish to be contacted. This mechanism is regarded by those involved in drafting the legislation as a way of striking a balance between the right to privacy of birth parents and the identity rights of adopted people. [Irish Times]

EU – European News Roundup

Facts & Stats

WW – Average Black Market Identity Cost? Twenty Bucks

The going rate for a stolen identity is about $20. That’s according to Quartz, which analyzed listings for a full set of someone’s personal information—known as “fullz”—on the black market, using data collected by dark web search engine Grams. More than 600 listings came up, some identities including credit card information, some not. The listings ranged in price from less than $1 to about $450, the report states—the median price being $21.35. The most expensive identity, from a vendor called “OsamaBinFraudin,” came for $454.05, because, the vendor said, the identity came with a high credit score. Another identity, selling for $248.22, came with an American Express card with a $10,000 limit. [Full Story] See also: [Why Russian Cybercrime Markets Are Thriving]


WW – Apple Proposes Ads Based On Your Credit Balance

Apple has once again aimed squarely at the FinTech market and followed up its recent patent application for P2P banking with another: e-commerce advertising based on your available bank balance. With its latest filing with the USPTO, Apple describes a “Method and system for targeted advertising of goods and services to users of mobile terminals, based for example on the users’ profile. Goods and services are marketed to particular target groups of users sharing a common profile which may be selected to increase the likelihood of the users responding to the advertisements and purchasing the advertised goods and services. The common profile of users may be based on the amount of pre-paid credit available to each user. An advantage of such targeted advertising is that only advertisements for goods and services which particular users can afford, are delivered to these users.” [Forbes]


EU – Privacy Trumps Journalistic Freedom, European Court Rules

The European Court of Human Rights (ECHR) has ruled that journalists can be prevented from publishing publicly available information in cases where a person’s right to privacy is violated. In the case of Satakunnan Markkinapörssi and Satamedia v. the Republic of Finland, the ECHR decided that the Finnish magazine could be prevented from publishing publicly available tax data in order to protect the privacy rights of individuals. Finland’s data protection ombudsman advised the companies to stop publishing such data, but the companies felt it violated their freedom of expression. Pinsent Masons’ Ian Birdsey said, “The case highlights the difficulties that the courts often face when seeking to balance competing rights,” adding, “It will be interesting to see how the courts will assess the ‘public interest value’ on a case-by-case basis.” [Out-Law.com]

US – US Census Bureau Data Dump

Cyber activists have taken information from servers used by the US Census Bureau and made the data available online. The compromised data do not include citizens’ census records, but instead they include information about Census Bureau employees, including email addresses, password hashes, and the IP addresses from which they last logged in. Much of the information was already accessible online. [The Register] [NextGov]


WW – Genetics Company, Pharma-Research Looking to Extend Lifespan

Personal genetics company AncestryDNA has announced a partnership with Google-owned biotech firm Calico. AncestryDNA, the genetic branch of Ancestry.com, has a “massive database of genetic information on its paying customers” to help Calico search for genes that affect lifespan and potentially develop drugs to lengthen it. The partnership is just the latest in a growing trend. For example, genetics company 23andMe recently partnered with Pfizer. “The logic behind these partnerships is clear,” the report states, as the genetics companies collect and store DNA swabs participants have consented to, which is valuable for research, while “typically, it takes a lot of cajoling to get people … to part ways with their biological bits.” [Wired] See also: [Kuwait DNA tests violate right to privacy: HRW] and [indiatimes.com: Is the Upcoming DNA Profiling Bill The End of Physical Privacy?]

Health / Medical

US – Healthcare Org Calls for Improved Privacy Laws

It’s time for Congress to sophisticate both “our antiquated medical privacy laws and … our technological capabilities,” Health IT Now Coalition Executive Director Joel White writes, citing a whitepaper from the organization. “We call on Congress to systematically review the costs and benefits of privacy laws in light of recent scientific and technical advances,” White writes. “There are less burdensome models for protecting privacy—we use them every day.” He also considers HIPAA, arguing, “Enforced by a punitive regime of fines and jail terms, HIPAA elevates even the most mundane health records to the level of national security secrets.” [The Hill] See also: [Software turns smartphones into tools for medical research]

US – Halamka and McGraw: HIPAA Helps Patients

Beth Israel Deaconess CIO John Halamka and Office for Civil Rights Deputy Director for Health Information Privacy Deven McGraw write that HIPAA is neither as antique nor as cumbersome a regulation as recent critiques make it out to be. “Although intersecting federal and state laws on this topic can often be confusing and are a significant source of frustration, providers should still seek to avoid over-interpreting,” Halamka and McGraw write. “Low tolerance for risk with respect to compliance with privacy laws can … actually impose significant risks on patients … there no longer needs to be a tradeoff between privacy and safety.” [FierceHealthIT]

US – Advocates Say Legislation is Problematic

Patient Privacy Rights’ Deborah Peel believes recent legislative moves such as the 21st Century Cures bill lack innovation and put the patient second. “The problems of interoperability of data, the 21st Century Cures bill and the calls to create a national patient identifier are all proposals to solve today’s problems with yesterday’s technology—pressure to open up commercial use of health information. This doesn’t have anything to do with research and cures,” Peel said. “The promise of electronic health information was supposed to be to help with treatment, not to create massive, hidden business models where people are using your data for purposes we don’t even know about,” she added. [FierceHealthIT]

US – The Many Misinterpretations of HIPAA

There are many ways that “people use, misuse or abuse HIPAA.” For example, in 2012, a woman called a Pennsylvania hospital to alert staff of her mother’s medical history, only to have the staff refuse to take the information, citing HIPAA. As a result, her mother was nearly given a medication to which she was allergic. In such scenarios, said Carol Levine of the United Hospital Fund’s Families and Health Care Project, HIPAA has become “an all-purpose excuse for things people don’t want to talk about.” Rep. Doris Matsui (D-CA) has introduced legislation that would clarify the law, noting “it’s just misunderstanding what is and isn’t allowed under HIPAA.” [The New York Times]

US – Court Upholds Waiver of Privacy Rights in Malpractice Suits

A Florida appeals court upheld the constitutionality of a controversial change in Florida’s medical-malpractice law, “ruling in part that some privacy rights are waived when people pursue malpractice lawsuits.” The decision stems from a 2013 law that requires patients to sign forms authorizing “ex-parte communications” before filing malpractice claims. Emma Gayle Weaver filed a challenge to the law, arguing it violates the right to privacy in medical-malpractice cases. But the three-judge panel wrote in its decision that any privacy rights pertaining to medical information “are waived once that information is placed at issue by filing a medical malpractice claim.” [Orlando Sentinel]

US – Court Examining Pocket-Dial Privacy Implications

The U.S. Court of Appeals for the Sixth Circuit has found no expectation of privacy for Cincinnati/Northern Kentucky International Airport Board Chairman James Huff, who inadvertently dialed a coworker, Carol Spaw, who recorded Huff’s conversation with his wife and another board member about personnel matters, noting he “failed to take ‘simple and well-known measures’” to protect against pocket-dials. However, the court “revived Bertha Huff’s claims, finding she had a privacy expectation even if she was aware that her husband’s phone could accidentally make phone calls,” the report states, sending the case back to district court to determine if Spaw’s actions “met the standard for an ‘intentional use of a device’ to intercept Bertha Huff’s statements.” [The National Law Journal] See also: [US – Privacy and the Data Toothpaste Problem]

US – Uncertainty Surrounds 21st Century Cures Bill

Wiley Rein’s Kirk Nahra discusses the 21st Century Cures Bill, recently passed by the House of Representatives. Two of the bill’s provisions, Nahra says, raise a lot of questions about whether they’re good ideas and address problems that need to be dealt with on HIPAA’s privacy rule. One provision, for example, allows for disclosures of health information for research purposes to pharmaceutical companies and medical device manufacturers and “seems to allow these companies to pay an unlimited amount of money to obtain that data,” Nahra notes, adding, “Usually you can’t pay for protected health information, so that’s … creating some significant potential privacy concerns.” [Healthcare Info Security]

US – Appeals Court: Neiman Marcus Suit Can Proceed

In a reversal of a previous ruling, the U.S. Court of Appeals in Chicago found that victims of the 2013 Neiman Marcus LLC data breach will be able to sue the corporation. Unlike U.S. District Judge James B. Zagel’s initial ruling, the court found victims could indeed show “concrete injuries” and therefore had grounds for a suit, holding that “unreimbursed payments weren’t the only possible harm” and “citing the cost of credit monitoring and the hackers’ ability to use the fraudulent data for years,” the report states. “Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities,” the court said. [Bloomberg Business]

UK – NHS Official Demands Details of Millions of Confidential Appointments

A top health official has demanded confidential details of millions of GP appointments. Sparking yet another NHS privacy row, she has ordered the firm in charge of bookings at most English surgeries to hand over the sensitive data urgently. The information includes the date, time and duration of appointments as well as the reason for the consultation. Most of the postcode of the patient is also asked for, as well as their date of birth. The information is intended to gauge demand for the Government’s planned seven-day NHS. But privacy campaigners say it is incredible that neither patients nor their GPs have been consulted about the move. They warned there was enough information within the files for patients to be identified. [The Daily Mail]

Horror Stories

US – OPM, Anthem Hackers May Have Breached United Airlines

The same hacking group that stole sensitive records from the Office of Personnel Management (OPM) and Anthem also breached United Airlines. Manifests were compromised, which include passenger names, travel times, arrivals and departures. Security professionals believe such data can be cross-referenced with other data stolen from Anthem and the OPM to create detailed maps of U.S. citizens and increase the possibility of advanced and precise targets for blackmail and espionage. United Airlines is also one of the biggest airline contractors with the U.S. government, “making it a rich depository of data on the travel of American officials,” the report states. [Bloomberg Business]

US – Planned Parenthood Says Hackers Trying to Steal PI

Planned Parenthood announced Monday that anti-abortion hackers are attempting to breach the organization to access and potentially expose sensitive data on its employees. Planned Parenthood Executive Vice President Dawn Laguens said the attempts are a “gross invasion of privacy” that could put its staffers at risk. “Planned Parenthood has notified the Department of Justice and separately the FBI that extremists who oppose Planned Parenthood’s mission and services have launched an attack on our information systems,” she said. An adversary called “E” has taken some credit for the attack. Hackers have also threatened to release more information, including internal emails, though it hasn’t been confirmed if such data has been accessed. [The Hill] [Planned Parenthood confirms attack from anti-abortion hackers]

US – Class-Action Filed Over Data Theft

Experian is the target of a class-action lawsuit alleging it “failed to detect for nearly 10 months that a customer of its data broker subsidiary was a scammer who ran a criminal service that resold consumer data to identity thieves.” Hieu Minh Ngo, who used the guise of a private investigator to gain access to Experian-owned Court Venture’s 200 million profiles, was recently sentenced to 13 years in prison. Ngo scammed victims out of “$65 million in fraudulent individual income tax returns,” the report continues, noting plaintiffs are suing for complimentary credit monitoring as well as a fund “for reimbursement of the time and out-of-pocket expenses they incurred to remediate the identity theft and fraud caused by customers of Ngo’s ID theft service.” [KrebsOnSecurity]

US – Health System Faces Potential Class-Action

Children’s National Health System is facing a potential class-action lawsuit following the hack of up to 18,000 patients’ personal data last year. Patient Fardoes Khan filed the suit after being informed her data was compromised. [Washington Business Journal]

US – Insurer and State Program Announce Breaches

In New York, insurance payer Healthfirst is notifying members of a data breach affecting approximately 5,300 individuals, and, in Georgia, approximately 3,000 clients of Community Care Services Program are being notified that the state’s Division of Aging Services program inadvertently emailed their personal data to a contracted provider not authorized to view the information.

US – More Stores Shut Down Photo Centers

CVS recently disabled its online photo center following news of a potential breach through PNI Digital Media, following a similar action by Walmart in Canada, and now other stores in the U.S. and UK—including Rite Aid, Sam’s Club and Tesco’s—have moved to do the same after PNI, which either manages or hosts the sites, examined the possible extent of the breach. “We take the protection of information very seriously,” said Kirk Saville of Staples, which purchased PNI last year. “PNI is investigating a potential credit card data issue, and outside security experts are assisting in the investigation,” he continued. “The retailers’ main websites and other services were not affected by the potential breach,” the report states. [Reuters] [Hacking fears close photo websites]

WW – Anonymous Behind Census Bureau Hack

“Online activist collective” Anonymous took credit for the United States Census Bureau’s hack and subsequent data leak, citing displeasure with the “secretive” drafting of the Trans-Pacific Partnership (TPP) and Transatlantic Trade and Investment Partnership (TTIP) agreements as its impetus. The Census Bureau deemed the information released by Anonymous as “non-confidential,” the report continues. “Security and data stewardship are integral to the Census Bureau mission,” the organization said in a statement. “We will remain vigilant in continuing to take every necessary precaution to protect all information.” [The International Business Times] [CA – Public service labour board taken offline after breach discovered last week]

US – Class-Action Filed Following UCLA Breach Admission

Following UCLA Health’s admission last week that it had been hit by a massive data breach in May, a former patient has filed a class-action lawsuit in U.S. District Court claiming the health system broke its contractual obligations to protect patients’ data. Allen filed the suit on behalf of “several millions of individuals,” the report states, claiming personal data entrusted to the hospital was “left in an unencrypted state and stolen by cyber thieves.” Meanwhile, in an op-ed on The Hill’s Congress Blog, attorney Karla Grossenbacher makes the case for a single, federal standard on data breach notification. [ConsumerAffairs]

US – Senate Votes to Fund OPM Victims, Not OPM

The Senate Appropriations Committee voted to provide the 22 million-plus victims of the OPM hack with 10 years of credit monitoring and a $5 million fund for damage reparation, but did not vote in favor of providing the organization itself with additional funds. The affected’s “vulnerability will go on for a number of years,” said Sen. Barbara A. Mikulski (D-MD), who introduced the amendments based on the proposed RECOVER Act. “They deserve our protection.” But some feel more work needs to be done. Sen. John Boozman (R-AR), himself a victim of the hack, has called for additional hearings, adding, “this is something that our country has to get straight.” [Roll Call]

US – OIG Finds Lack of Cybersecurity Tech and Training Among Reasons for Breach

In a newly released study, the Office of the Inspector General (OIG) identifies the U.S. Postal Service’s “undertrained employees, lack of accountability for risk acceptance decisions, ineffective collaboration among cybersecurity teams and continued operation of unsupported systems” as contributing factors to its data breach in 2014, which affected 2.9 million people. “Although USPS was in compliance with fundamental legal and industry requirements, it did not have a security operations center providing round-the-clock incident analysis and response,” the report continues, adding that the agency is moving to update its cybersecurity technology. Meanwhile, a new ruling mandates that the Inspector General must gain permission to obtain sensitive information from the organization it audits, a move that “significantly impaired” the role, said Inspector General Michael E. Horowitz. [FierceGovernmentIT]

US – Ashley Madison Site Followed Standard Practice. That’s Bad

In the wake of the hack of the controversial Ashley Madison website, known for promoting extramarital affairs, the report argues that the site followed standard web security practices yet failed to implement simple privacy and security design features, making such a breach “inevitable.” For one, the site’s password-reset feature answered differently for registered and unregistered e-mail addresses, allowing anyone to learn who used the site, and the site kept real names and addresses on file. Johns Hopkins cryptographer Matthew Green makes the point that customer data is often a liability and not an asset. Ashley Madison’s site also charged users $19 to delete their data, “a practice that now looks like extortion in the service of privacy.” A column in The Washington Post states that the breach should be a “warning to all of us—cheaters or not.” [The Verge] [Online Cheating Site AshleyMadison Hacked] [Privacy sacred, even for the unscrupulous]
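The account-enumeration weakness described above, as an added illustration in Python (this is not the article’s or the site’s code; the user store, e-mail addresses and response texts are constructed): the leaky reset handler replies differently depending on whether an address is registered, while the hardened handler returns one uniform reply and keeps the outgoing mail as the only side effect.

```python
"""Password reset: membership-leaking vs. uniform responses (added example).

Constructed data: the registered addresses below are placeholders, not real
accounts. Nothing here contacts a network; "sending" a mail appends to a list.
"""
import secrets
from dataclasses import dataclass, field

# Constructed user store for the demonstration.
REGISTERED = {"alice@example.org", "bob@example.org"}


@dataclass
class ResetService:
    registered: set
    outbox: list = field(default_factory=list)   # simulated e-mails sent
    tokens: dict = field(default_factory=dict)   # email -> outstanding token

    def _issue_token(self, email: str) -> None:
        """Create a single-use reset token and 'mail' it to the address."""
        token = secrets.token_urlsafe(32)
        self.tokens[email] = token
        self.outbox.append((email, token))

    def reset_leaky(self, email: str) -> dict:
        """The pattern the article criticises: the reply depends on whether
        the address has an account, so the endpoint doubles as a lookup
        service for who uses the site."""
        if email not in self.registered:
            return {"status": 404,
                    "message": "No account found for that e-mail address."}
        self._issue_token(email)
        return {"status": 200, "message": "Reset link sent."}

    def reset_uniform(self, email: str) -> dict:
        """Hardened form: the response is identical for registered and
        unregistered addresses. Only the account holder, by reading their
        mail, learns whether anything happened."""
        if email in self.registered:
            self._issue_token(email)
        return {"status": 200,
                "message": ("If an account exists for that address, "
                            "a reset link has been sent.")}


def response_reveals_membership(handler, known: str, unknown: str) -> bool:
    """Defender's check: call a reset handler with a registered and an
    unregistered address and report whether the visible responses differ.
    (A full review would also compare response timing and headers.)"""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    svc = ResetService(set(REGISTERED))
    for name, handler in (("leaky", svc.reset_leaky),
                          ("uniform", svc.reset_uniform)):
        leaks = response_reveals_membership(
            handler, "alice@example.org", "nobody@example.org")
        print(f"{name}: reveals membership = {leaks}")
```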

WW – Health System, Adultery Site, Photo Center Breached

UCLA Health System’s computer network sustained a data breach in which as many as 4.5 million unencrypted personal health records were accessed. Patient Privacy Rights’ Deborah Peel said, “These breaches will keep happening because the healthcare industry has built so many systems with thousands of weak links.” In a separate breach, hackers claim to have in their possession the personal information of 37 million users of AshleyMadison—a website that connects people who want to have extramarital affairs. The hackers, reports journalist Brian Krebs, have said they will release personal data until the site, along with other Avid Life Media sites, are taken down. In yet another data breach, CVS shut down its online photo center after an intrusion may have accessed customer credit card information. [Los Angeles Times] [Sask. Cancer Agency employees snooped on 48 patients] [SK: Snooping cases worry privacy commissioner] See also: [CA – NB Horizon notifying patients after laptop stolen in Fredericton: Stolen laptop contained Medicare information and was not password protected] See also: [Misdialed fax number led to privacy breach, Liberals say: A wrong fax number resulted in privacy breach in Hamilton affecting some 500 recipients of disability payments]

US – BCBS Post-Breach Response May Set New Precedent

Blue Cross Blue Shield’s move to provide complimentary identity monitoring to the 106 million victims of its recent breach “for as long as they’re enrolled in the plans’ insurance coverage” may set a new breach-response precedent. As corporations usually extend monitoring for one or two years post-breach, the decision is seen as landmark. “Something like this may eventually become standard business operations,” said Medical Identity Fraud Alliance Senior VP Ann Patterson. However, it’s problematic as “it requires the data breach victim to affirmatively ‘opt in’—they aren’t automatically included, and it only lasts as long as you are insured by Blue Cross,” said Cohen & Malad’s Lynn Toops. [BankInfoSecurity] [UK – Morrisons data leak ‘a warning to companies’ about importance of fraud prevention policies says expert]

Identity Issues

EU – DPA: Facebook Can’t Change Pseudonyms to Real Names

In Germany, Facebook has been prevented from disallowing users to create accounts under false names. The Hamburg data protection authority has said the social network cannot change individuals’ chosen usernames or ask them to provide official identification, the report states. The ruling follows a woman’s use of a pseudonym for her Facebook account “to avoid unsolicited contact in relation to her business” that the social networking site changed to her actual name. Facebook has expressed disappointment with the ruling. “The use of authentic names on Facebook protects people’s privacy and safety by ensuring people know who they’re sharing and connecting with,” the company said. [BBC News]

US – De-Identify Data for Research’s Sake

The de-identification of healthcare data permits research innovation without sacrificing patient privacy, the report states, noting, “both the healthcare and pharmaceutical industries are beginning to adopt this approach.” Eli Lilly Office of Medical Transparency Director Ben Rotz notes, “As we have a set of rules that are followed, as we start to see standards in place for how the data are collected, then we’re going to start to see more and more technologies emerge that allow for a standard way to anonymize the data,” adding, “As more and more of that tends to happen, people can concentrate on the why and the what of what they’re doing instead of the how do they make it happen from a technology perspective.” [HealthITSecurity]

CA – Transgender Activist Wins Court Battle Over IDs

The Newfoundland and Labrador government will change the Vital Statistics Act to allow transgender people to change their birth certificate and government identification to match their gender identity. The change comes after transgender activist Kyra Rees in St. John’s took the provincial government to court in a battle to get her birth certificate to reflect the gender she identifies with. With legislative changes, Rees and other transgender people can go out in public without fear of ‘outing’ themselves because of the gender marker on their identification cards. Similar changes have been made in Ontario, Alberta, British Columbia and Manitoba. Changes will be made to the act during the next session of the House of Assembly. Rees is urging the province to convene a fall sitting in the House of Assembly so that there is no delay in passing the legislation. [CBC News]

US – Use Synthetic Data to Protect Census Data

Since the first U.S. Census was carried out in 1790, the Census Bureau has expanded its mission and now collects information about occupation, education, income and other personal data. The datasets are useful, but confidentiality becomes harder to preserve. A research team led by a Duke University Prof. Jerry Reiter and Cornell University Prof. John Abowd has developed an approach to solving this problem by using synthetic data or “simulated data generated from statistical models,” the report states. “A query that can be asked of the confidential data can also be asked of the synthetic data,” Abowd said. [Nextgov]

WW – Finding the De-Identification Middle Ground

De-identification plays a major role in protecting privacy while allowing for data to flow and constitutes a big part of a privacy pro’s toolbox. There have been robust debates about its feasibility and whether it’s even possible to truly de-identify data, but, earlier this month, the Future of Privacy Forum (FPF) and Ernst & Young held a workshop to work through these issues in an attempt “to drill down into some challenges that privacy pros face in (their) day-to-day practice.” FPF Policy Counsel Joseph Jerome recaps the event and includes insight from industry, practitioners, academics and regulators about striving toward a workable and practical de-identification solution. [Privacy Tech]

Internet / WWW

WW – UN Gives U.S. Failing Grade on Privacy

The U.S. scores very low on protecting its citizens’ privacy, according to a new United Nations Human Rights Committee Review. The committee’s midterm report cards for several countries, including Bolivia, Hong Kong, Norway, Portugal and the U.S., look at how well the countries have adhered to and implemented UN recommendations on the International Covenant of Civil and Political Rights. In several aspects of protecting privacy, the U.S. was graded “not satisfactory.” Specifically, the U.S. government has not established an adequate oversight system to ensure privacy rights are being upheld, the report states. [The Intercept]

Law Enforcement

CA – RCMP Tracked Toronto Activists With Fake Facebook Profile

Officers with the national police force used a Facebook profile to pose as a broke student so as to communicate with protest groups in Toronto, according to documents obtained under the Access to Information Act. The social media account, which went by the name of Bebop Arooney and had a profile picture of three penguins frolicking on a beach, tracked the Facebook pages of more than two dozen organizations in Toronto, ranging from Black Lives Matter Toronto and Idle No More to the Ukrainian Canadian Congress. Six Jewish and Palestinian groups were also monitored. WWF wrestler Mick Foley also attracted the Mounties’ attention. A second RCMP social media account — @angrycitizen123 — followed Foley on Twitter. The RCMP confirmed it created both profiles but said they were not used for surveillance purposes. “The (Facebook) account mentioned was opened in 2005 for operational reasons, and since that time, the RCMP’s social media practices have changed and evolved and now we use an official media account for such purposes,” a spokesperson said. “The Facebook account is historical and no longer relevant.” The Facebook profile was deleted Thursday. The Twitter account is still online. “If there is no criminal investigation ongoing, then monitoring these groups is potentially problematic,” said Cara Zwibel, director of the Canadian Civil Liberties Association’s Fundamental Freedoms Program. “Even though we think of social media as stuff that is out there in the public, the privacy commissioner’s office made it clear that it doesn’t cease to be personal information just because it is in that kind of forum.” The Facebook profile also appears to have contravened Facebook’s own terms of use. A spokesperson for the social media giant said bogus accounts, even those created by law enforcement agencies, are subject to removal. [Toronto Star]


US – MAPPS Publishes Best Practices

Following the FTC request that companies “protect the privacy of individual citizens’ ‘sensitive’ data as outlined in its Protecting Consumer Privacy in an Era of Rapid Change report,” national private-sector geospatial firms association MAPPS has published its “Best Practices Guideline” for handling users’ geospatial data, Directions Magazine reports. Announced during MAPPS’ yearly conference, the guidance provides assistance to companies when determining whether they “should obtain individual consent for collection of geospatial data and when it is not needed to protect privacy,” the report states. “This document helps engage in lawful, ethical and professional practice that is respectful of individual citizens,” said MAPPS Executive Director John Palatiello. [Full Story]

WW – Google Rolls Out User-Friendly Location History Tool

Google is rolling out a new “your timeline” feature for Google Maps in coming weeks “that is certain to thrill some folks—and horrify others.” The feature allows users to view their entire location history on Google Maps based on data pulled from devices upon sign-in to Gmail. Google says it’s a useful way to remember where you’ve been at any given point in time and that it’s only viewable to the user. [PCWorld]

Online Privacy

WW – New Operating System Brings Cheers and Privacy Concerns

With the rollout Wednesday of Microsoft’s new operating system, Windows 10, many praised its new features while others expressed concerns about user privacy. For those using Windows 7 or 8, the upgrade is free, but some are pointing out that comes with a privacy trade-off, as has been demonstrated in Microsoft’s new privacy policy and services agreement, the report states. Microsoft Deputy General Counsel Horacio Gutiérrez said the company’s new dashboard creates a “straightforward resource for understanding Microsoft’s commitments to protecting individual privacy with these services.” [Information Age] [Windows 10 may be free, but it comes at a huge price to your privacy] [Microsoft’s Windows 10: Some issues to consider before you upgrade]

WW – Microsoft to Honor Revenge Porn Takedown Requests

Calling it a “first step,” Microsoft announced it will honor takedown requests for so-called “revenge porn” in its Bing search engine and content access removal from Xbox Live and OneDrive upon a victim’s requests. “Much needs to be done to address the problem,” Jacqueline Beauchere wrote in a Microsoft blog post. “As a first step, we want to help put victims back in control of their images and their privacy.” The company has also set up a new reporting site for victims to inform Microsoft of particular photos or videos in question. Beauchere added, “It’s important to remember … that removing links in search results … doesn’t actually remove the content from the Internet—victims still need stronger protection across the web and around the world.” [Full Story]

WW – W3C: Fingerprinting, Supercookies Undermine Trust in the Web

In a new post, the World Wide Web Consortium (W3C) Technical Architecture Group (TAG) says digital fingerprinting, supercookies and other forms of pervasive tracking of users’ web behavior undermine trust in the Internet. “Tracking users’ activity without their consent or knowledge is … a blatant violation of the human right to privacy,” the post states. One of the group’s major concerns is that users have no means by which to prevent these “unsanctioned tracking” tools. Ad-tech companies have argued such tools are not privacy-invasive because they anonymize user data, but the TAG writes, “Unsanctioned tracking can be harmful even if non-identifying data is shared.” In a separate post in The Guardian, Felix Salmon opines that advertising technology is “killing the online experience” through privacy invasions and the excessive use of bandwidth. [MediaPost] See also: [US: The myth of online privacy]

WW – Most Android Phones at Risk From Simple Text Hack, Researcher Says

A security research company claims to have found a vulnerability baked into Android that could endanger nearly all devices running the popular mobile software. The flaw, says researcher Zimperium, exists in the media playback tool built into Android, called Stagefright. Malicious hackers could take advantage of it by sending to an Android device a simple text message that, once received by the smartphone, would give them complete control over the handset and allow them to steal anything on it, such as credit card numbers or personal information. So far, Zimperium told National Public Radio, the flaw has not been exploited, but in a blog post on its own website, it said that 95 percent of Android devices worldwide are vulnerable. [CNET] See also: [Thousands of Apps Secretly Run Ads That Users Can’t See]

WW – Adobe Aiming to Compete on Cross-Device ID Data

Adobe is working at its own cross-device ID that would aim to rival such platforms as Facebook and Google. The company has begun “actively recruiting co-op members” and has slated a beta release for November. Adobe’s privacy product manager told a group of consumers and partners on a recent conference call, “We are asking permission to use some of your anonymous data to build both a declared graph as well as a stitched graph to help fill in for situations where a consumer might not have signed in on a particular device.” But potential participants have cited concerns with how the co-op could conflict with current opt-out systems. [Ad Exchanger]

US – Senators Want FCC to Limit Info-Sharing

A group of senators wants the FCC to ensure that broadband providers do not share data about users’ web behavior without the users’ consent. “ISPs should gain affirmative express consent from consumers before using or sharing information beyond what a consumer would reasonably expect an ISP to use and share in order to deliver service and manage its networks,” wrote the group, which includes Sens. Ed Markey (D-MA), Richard Blumenthal (D-CT), Al Franken (D-MN), Patrick Leahy (D-VT), Ron Wyden (D-OR), Bernie Sanders (I-VT), Jeff Merkley (D-OR), Cory Booker (D-NJ) and Elizabeth Warren (D-MA). “This includes sharing information with affiliates, as well as for advertising or marketing purposes,” the senators added. [MediaPost]

US – White House Responds to Snowden, ECPA Petitions

The White House responded in separate statements to two petitions—the first calling for the pardon of Edward Snowden and the second calling for Electronic Communications Privacy Act (ECPA) reform. Regarding Snowden, the White House responded that his “dangerous decision to steal and disclose classified information had severe consequences for the security of our country,” adding, “He should come home to the United States and be judged by a jury of his peers.” However, the White House agreed with petitioners that “ECPA is outdated, and it should be reformed,” adding that while it won’t “endorse a single ECPA-reform bill at this time,” it is “encouraged by the strong bipartisan support for updating this legislation.” [Full Story] [After two years, White House says ‘no’ to petition asking for pardon of Edward Snowden]

US – The EFF Turns 25

The Electronic Frontier Foundation (EFF) celebrated its 25th birthday last week and the privacy community reflected on its colorful and impactful history. The report highlights some of the EFF’s landmark legal victories, such as the 1999 case in which the court agreed with the EFF that computer code was protected under free speech. Those within the industry expressed support and gratitude for the organization. “When the EFF is behind you, businesses have a fighting chance to protect their assets,” said Blancco Technology Group’s Paul Henry. “Many of the things that they have suggested are now considered best practices globally,” added Nok Nok CEO Phillip Dunkelberger. [CSO Online]

Other Jurisdictions

IN – Government: Citizens Have No Right to Privacy

The Modi government told India’s Supreme Court that citizens cannot invoke the concept of the fundamental right to privacy in attempts to scrap the Aadhaar national identity card program. Attorney General Mukul Rohatgi told Justice J. Chelameswar that the “constitution does not confer (the) right to privacy of citizens,” referring to a 1950s Supreme Court judgment in which eight justices ruled that citizens do not have such a right. Rohatgi added, “The law on right to privacy is vague in the country, and a larger bench should be constituted to pass an authoritative verdict on the issue. To be frank, question of violation of right to privacy does not arise when it does not exist.” [India Today]

AU – Immigration Department Sought Private Medical Records ‘for Political Reasons’

The personal medical records of asylum seekers have been handed over by International Health and Medical Services (IHMS) to Australia’s immigration department for “political purposes” and potentially in breach of privacy laws, according to leaked internal briefing notes from within IHMS. The revelations are contained in the meeting notes of a clinical directors’ meeting at IHMS on confidentiality in September 2013, obtained by Guardian Australia. In response IHMS and the immigration department strongly denied they had inappropriately provided or sought access to asylum seekers’ medical records. [The Guardian]

CN – Aliyun Publishes Data Protection Pact

At the first-annual Data Technology Day in Beijing, Aliyun, e-commerce company Alibaba’s cloud computing company, released its Data Protection Pact. “We aim to make cloud computing the engine of the data technology economy, and big data a driving force of economic development,” said Aliyun President Simon Hu. “Aliyun will continuously be committed to building a cloud-computing ecosystem to efficiently and securely serve global clients.” The document details Aliyun user rights, including the ability to “freely and safely access, share, exchange, transfer or delete their data at any time,” as well as the opportunity “to select whatever services they choose to securely process their data.” [MarketWatch]

WW – Asia-Pacific News Roundup

Privacy (US)

US – Appeals Court Overturns Neiman Marcus Dismissal

On Monday, July 20, the US Court of Appeals reinstated a liability case against Neiman Marcus for potential damage to consumers from the data breach that exposed data for 350,000 Neiman Marcus customers. The company acknowledged that at least 9,200 of those accounts were later used for fraud. This appears to be the first time an appeals court has recognized the actual damage associated with consumers having to research and repair credit card accounts after data breaches. [WSJ]

US – FTC Announces New Workshop on Lead Generation

The FTC announced it will host a new workshop on the increased use of lead generation across industries, including those in consumer lending and education. The FTC explained that lead generators “identify or cultivate consumer interest in a product or service, and sell the consumer ‘lead’ information to third parties.” In so doing, consumer leads often “contain sensitive personal and financial information” that travels through several businesses before reaching its final destination. The October 30 workshop will bring together representatives from industry, consumer advocacy and government to explore how lead generation works, what types may be unlawful, best practices and how consumers can avoid bad actors. [Full Story]

US – LifeLock Violated 2010 Settlement: FTC

The FTC has filed documents in U.S. District Court alleging identity-theft protection service LifeLock violated its 2010 settlement with the agency. The FTC alleges LifeLock made deceptive claims about its services, failed to implement a comprehensive information-security program to protect sensitive consumer data, falsely advertised that it protected customer data at a high level and did not meet the 2010 order’s bookkeeping requirements, an FTC press release states. “It is essential that companies live up to their obligations under orders obtained by the FTC,” said Consumer Protection Bureau Director Jessica Rich. “If a company continues with practices that violate orders and harm consumers, we will act.” The FTC voted 4-1 on the order, with Commissioner Maureen Ohlhausen in opposition. [Full Story] [FTC Charges LifeLock with Deception]

US – Senators Receive Millions of Faxes Protesting CISA

Opponents of legislation in the US Senate may have stalled a vote on the bill that aims to improve cyber threat information sharing between private companies and the government. Legislators were hoping to vote on The Cybersecurity Information Sharing Act (CISA) prior to the summer recess, which begins on August 10. A privacy advocacy group, Fight for the Future, sent more than six million faxes to Senate members protesting the proposed legislation. [ComputerWorld] [SCMagazine]

US – Trade Group, Privacy Advocates Launch Public-Facing Campaigns

Beginning next week and until August 28, trade group ACT-IAC is collecting recommendations from academia and the public and private sectors on ways to strengthen federal security. In September, the group will submit the recommendations to the Office of Management and Budget and will release a public report outlining its findings. Meanwhile, Fight for the Future, the operator behind the viral campaign “Operation: #FaxBigBrother,” announced that concerned Internet users have generated more than 6.1 million faxes in opposition to the Cybersecurity Information Sharing Act. The faxes were sent as part of a week of action organized by privacy advocacy and civil liberties groups. [NextGov]

US – Privacy Groups Turn to Fax Machines in Cyber Bill Fight

A broad coalition of civil liberties advocates and digital privacy groups have teamed up to create a one-week website — stopcyberspying.com — which lets anyone write up and send a fax to senators. Photos are optional. The move is part of the ongoing battle over a stalled cybersecurity bill that may hit the floor sometime later this week. The bill, known as the Cybersecurity Information Sharing Act (CISA), would boost the public-private exchange of data on hackers. Industry groups and many in Congress believe the enhanced sharing of this type of information is necessary to help the country better understand and counter the growing cyber threat. But privacy advocates believe the measure would simply create another outlet for the government to collect sensitive data on Americans. The website calls CISA “a surveillance bill in disguise” and “the Darth Vader bill.” [Source]

US – RNC Offers Voter File to Presidential Candidates

The Republican National Committee (RNC) has offered to share its voter file with Donald Trump’s presidential campaign. The RNC has the names, voting history and consumer data of roughly 250 million Americans, the report states. The Trump campaign’s attorneys are reviewing the data-sharing agreement, which has been offered to all 17 of the Republican presidential candidates, 11 of whom signed off on it. The RNC said every indication points to Trump entering into the agreement. The RNC offer runs in contrast to the decision by political operation Freedom Partners, which denied Trump access to its voter data. [Yahoo Politics]

US – Trump Shares Graham’s Cell Number

At a Tuesday speaking engagement, Republican presidential hopeful Donald Trump took aim at political rival Sen. Lindsey Graham (R-SC) by releasing Graham’s personal cell-phone number, which led to an “influx of calls.” With Trump, Graham said, “nothing surprises me anymore. It’s just too bad, really,” adding, “I think the beginning of the end has come. The beginning of the end has arrived because he’s crossed a line with the American people that will not be tolerated.” When asked if he would confront Trump on his actions, Graham added, “What good would that do, calling (him)? I’m more worried about the Iran nuclear deal than I am Donald Trump.” [Politico]

US – Lawsuit Filed Over City’s Garbage-Snooping Law

Seattle’s recent law requiring garbage collectors to look through trash to determine that no more than 10 percent of it is recyclables or food has sparked a privacy lawsuit. “In short, this program calls for massive and persistent snooping on the people of Seattle,” said the Pacific Legal Foundation’s Brian Hodges. “This is not just objectionable as a matter of policy; it is a flagrant assault on people’s constitutional rights.” Currently, violators of the law can expect to be fined anywhere from $1 to $50. “The law makes garbage collectors the judges and the juries,” Hodges told The Seattle Times. [KiroTV] [Does Seattle’s Trash Monitoring Violate Privacy Rights?]

UK – Supreme Court to Hear Google Appeal of Vidal-Hall

The England and Wales Court of Appeal delivered a decision in April that IAPP VP of Research and Education Omer Tene called “the European Judicial Privacy Decision of a Decade,” invalidating a section of the UK Data Protection Act and establishing affirmatively that “moral damage” is recoverable under privacy law. On Tuesday, however, the UK Supreme Court agreed to hear Google’s appeal of Google v. Vidal-Hall, and the impact of the decision will be wide-ranging. [The Privacy Advisor]

US – CISA Critics Speak Out

Sen. Ron Wyden (D-OR) argues that a classified 2003 National Justice Department memo has grave relevance to the ongoing debate on the Cybersecurity Information Sharing Act (CISA), which could potentially be voted on before the August recess. “I remain very concerned that a secret Justice Department opinion that is of clear relevance to this debate continues to be withheld from the public,” Wyden wrote. The senator isn’t the only one concerned about CISA, with groups like the ACLU and the EFF joining together to create stopcyberspying.com, a one-week only site that allows critics to send faxes to senators. “Congress is stuck in 1984,” the site states. “We’re going to communicate with it in a way it’ll understand: With faxes.” Meanwhile, the Senate Homeland Security and Governmental Affairs Committee is moving to enact additional anti-hacking legislation. [National Journal]

US – Gerstell Appointed as NSA’s General Counsel

Glenn Gerstell, a Washington, DC, attorney and “significant Obama fundraiser,” has been appointed as the NSA’s general counsel. While the move hasn’t yet been officially heralded, it’s already sparked debate. “His résumé shows no deep experience working with intelligence and national security issues that the NSA’s counsel contends with on a regular basis,” the report states. “That said, sources familiar with his appointment … noted that his experience running a large law firm would prepare him for overseeing the team of more than 100 lawyers in NSA’s general counsel’s office, who provide advice and guidance on everything from surveillance operations to contracts and procurement.” [The Daily Beast]

US – Appeals Court Rules Facebook Can’t Refuse Warrants

A New York state appeals court has ruled Facebook does not have the right to refuse search warrants for its users. “We continue to believe that overly broad search warrants—granting the government the ability to keep hundreds of people’s account information indefinitely—are unconstitutional and raise important concerns about the privacy of people’s online information,” said Facebook’s Jay Nancarrow. The court, however, “disagreed with Facebook’s claim that the federal Stored Communications Act gave it the standing to contest the warrants, saying the company had misinterpreted the law,” the report continued. [The New York Times]

US – Gunshot Detection System Prompts Privacy Concerns

While many believe ShotSpotter, SST’s new gunshot-detection program, is a breakthrough security offering, some are concerned with the privacy implications. Within 30 seconds of a gunshot, the program’s microphones are able to distinguish the shot, analyze it and report it to law enforcement. Cities and college campuses are installing it in droves. However, “many have questioned whether ShotSpotter could constitute a Fourth Amendment violation – warrantless search and seizure of public sounds,” the report states. “How can we be sure that the technology is in fact confined to listening for gunshots?” the ACLU’s Jay Stanley asked, adding, “How can we ensure that it won’t expand over time to more and more uses?” [The Guardian] [ShotSpotter: gunshot detection system raises privacy concerns on campuses]

US – Master’s in Cybersecurity Can Be Conduit to Lucrative Career

For students interested in pursuing a Master’s degree in cybersecurity, not only are more and more universities offering courses to that end, but the career path post-graduation is also proving to be increasingly lucrative and expansive. Schools like Carnegie Mellon University, Fordham University and the University of Southern California are among 10 schools profiled in the report, which notes that cybersecurity professionals had the eighth highest entry on the “100 best jobs for 2015” list. Additionally, “the profession is growing at a rate of 36.5% through 2022,” the report states. [CSO]

US – School District Discusses Body-Camera Policy

Iowa’s Burlington Community School District is considering student and teacher privacy implications as its school board works to define its new body-camera policy. “We hope to have a tool in place that will allow us to accurately address any issues or concerns that arise in our district,” said Director of Human Resources Jeremy Tabor. The board’s privacy considerations have run from “limiting the use of the cameras to student disciplinary situations” to “giving people the option to say ‘no’ to being recorded,” the report states. “We don’t want to rush this,” said Tabor. “We want to make sure we’re taking the proper amount of time to vet this and make sure we have a good, effective policy in place.” [Government Technology]

US – Legislators Want to Increase DHS’s Cyber Authority

US legislators have introduced a bill that would give the Department of Homeland Security (DHS) a greater role in overseeing the cyber security of federal agencies. The FISMA Reform Act would give DHS the authority to conduct risk assessments on federal networks and use defensive measures without the permission of an agency. [SCMagazine] [NextGov] [SCMagazine]

US – Legislation Aims to Establish Automobile Cyber Security Standards

US Senators plan to introduce legislation that would require cars sold in the country to meet certain cyber security standards. It calls for the National Highway Traffic Safety Administration and the Federal Trade Commission to establish those standards, which will include isolating critical systems from other parts of the vehicle’s network. The bill also includes provisions for customer data protection and privacy. [Wired] Earlier this year, members of the US House Energy and Commerce Committee wrote to 17 car manufacturers and the National Highway Traffic Safety Administration to ask for information about how they plan to address cyber security concerns. [EnergyCommerce]

Privacy Enhancing Technologies (PETs)

WW – Google, Silent Circle Pair Up on Next Version of Blackphone

Google and Silent Circle, the maker of the privacy-centric Blackphone, have formed a partnership. Through this partnership, the next version of the Blackphone will come equipped with Google’s Android for Work software, which allows users to compartmentalize personal and professional use and also “collects huge amounts of user data to sell advertising,” the report states, asking, “So why would Silent Circle, which is intensely concerned with privacy, team up with the largest data collection company in the world?” The answer, according to Silent Circle, “comes down to marketing … Most users of Blackphone and Silent Circle’s other encrypted-communication products are in Europe. The Google deal will raise the company’s profile in the U.S.,” the report states. [The Wall Street Journal]

WW – Researchers Say They’ve Created Faster Onion Router

A group of researchers claim they have created a better, faster alternative to the Tor network. In a newly published paper, researchers from the Swiss Federal Institute of Technology and the University College of London describe an anonymizing network called HORNET (High-speed Onion Routing at the NETwork layer), saying it could be part of the next generation of Tor. The researchers state HORNET moves anonymized data at 93 gigabits per second and can be scaled to handle large quantities of users. Though the researchers said the system couldn’t fully protect against targeted attacks, widespread use could stymie mass surveillance, they claim. [Ars Technica]

WW – Snowden Describes Privacy-Focused Internet, Calls for SPUD Protocol

Former U.S. National Security Agency contractor Edward Snowden remotely spoke at an Internet Engineering Task Force (IETF) meeting, urging attendees to design an Internet for users, not spies. “Who is the Internet for?” he asked. “Who does it serve; who is the IETF’s ultimate customer?” He said the growing use of credit cards on the web is pinpointing users’ identities. “We need to divorce identity from persona in a lasting way,” he said. “If it’s creating more metadata, this is in general a bad thing.” Snowden urged the engineers to implement the SPUD protocol, reducing the number of intermediaries through which data passes by a combination of transport protocols. [Snowden Describes How to Build an Internet Focused on Privacy]

US – Start-Up Aims to Put Users in Control

Given what they called a lack of regulations to protect consumers against potential harms as a result of increasingly pervasive and surreptitious online tracking, college buddies Chandler Givens and Ryan Flach decided to do something about it themselves. Seeing the kinds of concerns consumers have around companies doing things that, if not unlawful, felt wrong to them, Givens saw an opportunity in their combined skillset; Givens is a privacy lawyer and Flach a software engineer. Now they’ve launched TrackOFF, software designed to put power back in consumers’ hands by letting them combat digital tracking from their own computers. [The Privacy Advisor]

WW – Baidu Launches Privacy Protection App ‘DU Privacy Vault’

New Android Security Solution Protects Apps, Photos, Videos and More… Baidu, a large Chinese language Internet search provider and developer of PC, Web and mobile products, has launched DU Privacy Vault, Baidu’s first mobile app focused exclusively on protecting people’s privacy. Free to download, DU Privacy Vault enables users to easily and safely secure all the apps, photos and videos on their phone. In the name of preserving privacy, DU Privacy Vault showcases the following features:

  • App Lock: Lock all of your apps with a single gesture-based password. Secure your smartphone and completely protect your privacy.
  • Lock Cover: Disguise your lock screen as something else. A fake ‘App Crash’ screen cover and a ‘Fingerprint Scan’ screen cover are now included. More screen covers will be available for download soon.
  • Photo/Video Safe Vault: Hide and encrypt your photos and videos with DU Privacy Vault. Never again worry about other people peeking in on your gallery.
  • Prevent Uninstall: After you turn on the Prevent Uninstall feature, other people won’t be able to delete DU Privacy Vault from your phone without your authorization.
  • Lock Delay: Within the time limit you set, you won’t need to unlock your apps again when you reopen them.

DU Privacy Vault runs on Android 5.0 and up, and is available as a free download on Google Play. [Source]

EU – CyberGhost Talks Privacy

As CyberGhost, a Romania-based VPN start-up, invests in an EU pro-privacy boot camp for interested start-ups, it also has lots to say about privacy and data collection. “What we are doing here (with the boot camp) is to prove you can grow a company, sustainable, on the long term, with success and profitability, without using all this data. It’s just not necessary. It’s just a myth that you need data to run all businesses,” said CyberGhost Cofounder and CEO Rob Knapp. “We have a security industry that protects data because we store data. So why do we start storing data? The best data security is not to store it. It’s very simple.” [TechCrunch] [VPN Maker CyberGhost Aims To Grow A Privacy Hub In Eastern Europe]

EU – Hornet Gives Wings to Onion Privacy Technology

European researchers may have stumbled upon a new anonymised internet browser that is like Tor on rocket fuel. Hornet, or high-speed onion routing at the network layer to give it its full name, can move internet traffic at some 93Gbps and still offer the same level of protection as the sluggish Tor network, according to Ars Technica. The new method appears in a paper penned by a group of researchers from the Swiss Institute of Technology in Zurich and the University College London. [Source]


WW – Power of IOT Means Great Responsibility

Experts say that while incredibly promising, the Internet of Things brings with its advent much to consider. “Just imagine smart meters, which are great for reducing energy use and shrinking bills,” said KPMG’s Mark Thompson. “You could have the energy regulator, Ofgem, involved as well as Ofcom, because the data’s going over a broadband connection. Then, because there’s data involved, the Information Commissioner’s Office is bound to have an interest.” When data crosses borders, “you could have a perfect storm of countries not always having the same security and privacy standards,” he adds. To address the privacy issues, Privitar’s John Taysom recommends “disassociation”—through which “companies and governments get the data without a risk to privacy,” the report states. [The Guardian]

US – Connected Car Remotely Hacked; Legislation Introduced

Two years ago, Wired reported how security experts hacked a Ford Escape and a Toyota Prius by directly connecting computers into the cars’ online diagnostics port. Now, those same hackers have successfully demonstrated they can remotely hack a Jeep Cherokee miles away from the vehicle. Charlie Miller and Chris Valasek plan to discuss their findings at next month’s Black Hat conference in Las Vegas, NV. Remotely, Miller and Valasek were able to stop the vehicle, turn the ignition on and off and control the radio as well as all of the vehicle’s dashboard features. [Hackers hijack Jeep, taking control of speed, brakes: Two hackers remotely took control of a Jeep Cherokee and changed its speed and other features] Meanwhile, Sens. Ed Markey (D-MA) and Richard Blumenthal (D-CT) introduced legislation today aimed at setting new security standards for connected vehicles. [Full Story] See also: [Yahoo Finance: Ford CEO on Balancing Consumer Privacy Expectation]

US – Lawmakers Look Into Data Security

A House Judiciary Committee hearing examined the deluge of new Internet-of-Things devices that are proliferating in the marketplace and whether government needs to step in with new legislation. “The time of the ‘Dick Tracy’ watch is here,” said Rep. Ted Poe (R-TX). As automobiles, transportation systems and other devices increase the amount of data they collect, Rep. Jerrold Nadler (D-NY) cautioned that “unless cities integrate strong security … (they are) vulnerable to attack.” Poe also added that it’s Congress that “needs to set the expectation of privacy” for users. Consumer Electronics Association President Gary Shapiro cautioned against stifling data collection, noting, “There’s so much happening from an innovation point of view.” [Nextgov]

US – NHTSA Head Says Driverless Cars Must Have Privacy Protections

National Highway Traffic Safety Administration Administrator Mark Rosekind said this week that the agency encourages development and deployment of connected and driverless cars, but the industry must work to build in privacy and cybersecurity protections for widespread adoption. Rosekind said the industry must not only focus on traffic safety but information security as well. “We will have to help people who can’t tell LIDAR from a coffee maker,” Rosekind said. “Whether for profit or for malicious intent we know these systems will become targets for bad actors,” adding, “We must reassure vehicle owners that their data is secure, the vehicles are secure.” On Tuesday, a new privacy bill for connected cars was introduced. [USA Today]


US – Survey: Execs Consider Cyber-Threats a Top Concern

A new survey reveals that three-quarters of executives from U.S. businesses, law enforcement and other organizations, as well as security practitioners, have said they are more concerned about cyber threats this year than they were last year. Conducted by PwC, the survey questioned more than 500 individuals. “Heightened awareness and concern are well-warranted,” the report states, noting, “A record 70% of survey respondents said they detected a security incident in the past 12 months. Many incidents go undetected, however, so the real tally is probably much higher.” PwC’s David Burg said 2015 is a “watershed year for cybercrime.” [Fierce Government IT]

WW – How Security Experts and Non-Experts View Online Safety

Researchers from Google have posted results that surveyed security experts and non-experts to determine how each group prioritizes online safety measures and explore why any differences between the two exist. Password management was a key priority for both groups, but their approach differed. Security experts said they rely on password managers, while non-experts relied on strong passwords and frequent password changes. “Our findings suggested this was due to lack of education about the benefits of password managers and/or a perceived lack of trust in these programs,” the researchers wrote in a Google blog post. Another key difference involved non-experts’ reliance on antivirus software. Security experts rely instead on software updates and noted that antivirus software “might give users a false sense of security since it’s not a bulletproof solution.” [Full Story] [37 million Americans don’t use the Web. Here’s why you should care]

US – New OPM Report: Hack Not Sophisticated; CSID Responds to Criticism

A new report on the Office of Personnel Management (OPM) hacks from the Institute for Critical Infrastructure Technology points to poor governance and old technology and not sophisticated cyber-intrusions as the reason for the breaches. “The failure of (the Department of Homeland Security) or OPM systems to detect the breach does not indicate a level of sophistication on behalf of the adversary,” the report states. Meanwhile, CSID President and Cofounder Joe Ross defended the company’s work in helping the OPM notify and respond to the initial hack of 4.2 million individuals. “We took a beating early on for doing what in our mind (was) the right thing to do,” he said. A column for The Washington Post states that there are currently not enough cybersecurity experts in government agencies. [Fierce Government IT]

US – Government Asks Bidders on Hack Contract

The government plans to award a sweeping five-year contract in August to a private company to monitor the hacked security clearance data of 21.5 million people for identity theft — and ensure that the records are protected from further intrusions. The winning bidder will be asked to monitor financial and health information of the breach victims — contractors and federal employees and their families — for fraudulent activity; set up call centers to answer questions; train government employees how to prevent other hacks and restore stolen identities. And the contractor must be on constant alert for further risks to the hacked background investigation files, among the most sensitive data in the government, according to a 55-page solicitation the General Services Administration issued last week. GSA has asked potential bidders if they have the capacity to host such a large trove of data: “In light of these requirements, does your company have the ability to host and protect in excess of 21.5 million records?” [The Washington Post]

WW – Windows 10 Wi-Fi Sense Feature Shares Wi-Fi Passwords With Contacts

One of the new features of Microsoft’s newest operating system is that Windows 10 will automatically share an encrypted version of your Wi-Fi network password with contacts in Outlook and Skype unless users specifically opt out. The password will not be disclosed, but the sharing mechanism will allow those contacts to use your Wi-Fi network if they are in the area. The Express settings for installation enable this feature by default. Some say that the feature is not as scary as people would like to think it is. [Krebs] [v3.co.uk] [ZDNet]

WW – Hackers Could Use Cell Phones as Spycams

Stagefright, a “multimedia playback engine” unique to Google Android phones, has a vulnerability so profound “that attackers could send a text message with a malicious video file and infect the mobile device without a recipient actually clicking to open the file,” effectively rendering it a “spycam,” the report states. Google has released a patch for the flaw, but “the fix won’t help millions of users with older versions of the system that Google no longer supports,” the report continues. Meanwhile, Israeli researchers discovered how to hack into an air-gapped computer “using the GSM network, electromagnetic waves and a basic low-end mobile phone,” Wired reports. [The Christian Science Monitor]

US – CDOs a Growing Necessity

The need for a chief data officer (CDO) is growing as more organizations express concern about the increasing amount of data they must manage, according to TM Forum Transformation Research Center Managing Director Rob Rich. While “many service providers have successfully consolidated and modernized systems and simplified programs … there is lots more work to do to tap big data’s potential and to protect the organization’s (not to mention customer’s) data,” Rich writes. “Clearly, the more fragmented a company’s data, the more difficult it is to manage and protect, and the more likely it is that sensitive data could be compromised.” A CDO’s role may include data strategy, education and data governance, the report states. [FierceCIO]

US – OPM Changes Privacy Policy; Hunt for New Contractor Underway

The Office of Personnel Management (OPM) announced it has changed its privacy regulations in order to allow investigators to probe its databases for security vulnerabilities. The OPM is also in the middle of finding a contractor for notifying and providing identity-theft protection services for the 21.5 million victims of the second hack of the agency. Jedidiah Bracy reports on the latest efforts by the OPM and the White House to shore up information security and appropriately respond to the second hack, as well as the latest moves by lawmakers to assess the relevance of providing such credit-monitoring services. [Privacy Tech]

WW – Stagefright Vulnerabilities Affect Nearly All Android Devices

Nearly all Android smartphones contain remote code execution vulnerabilities that could be exploited simply by sending the device a maliciously crafted text message. The vulnerabilities lie in Stagefright, an Android component that is used in playing, recording, and processing multimedia files. Google has developed a fix for the issue, but because the wireless carriers and device manufacturers must also take action, it is unknown if and when the devices will be patched. [SANS.edu] [ArsTechnica] [DarkReading] [Forbes] [ComputerWorld] [CNET]

Smart Cards

WW – Sony Moves into the Drone Camera Business

Sony is partnering with autonomous driving start-up ZMP for the creation of a new camera drone company called Aerosense. The new company will use Sony’s imaging, sensing and networking technology for aerial surveillance capabilities for businesses, while ZMP will implement its robotics know-how to help them fly. According to the report, Sony will not sell the drones, but will lease them for “measuring, surveying, observing and inspecting.” Meanwhile, Google is joining forces with Amazon, Verizon and the Harris Corp to help create an air-traffic control system for drones in order to prevent mid-air accidents. David Vos, who is in charge of Google’s Project Wing, said, “We think the airspace side of this picture is really not a place where any one entity or any one organization can think of taking charge … The idea really is anyone should be free to build a solution.” [The Guardian]

WW – Automakers Consortium to Buy Nokia’s HERE Mapping Software

Several car makers, including Audi, BMW, Daimler, and Volkswagen, have made a successful bid to purchase Nokia’s HERE mapping software, which will become an open platform. Daimler CEO Dieter Zetsche said his company is interested in building security into the system. [BetaNews] [Forbes] [The Hill] [CNET] Earlier this week, hackers proved they could remotely hack into and turn a connected car off while it drove. [Full Story]

US – NSA to Lose Access to Section 215 Data

According to an announcement from the Office of the Director of National Intelligence, the NSA will start to purge data collected under its Section 215 surveillance program that expires later this year. NSA analysts will no longer be permitted to search the database after November 29, 2015. Technicians will be able to access the database for three additional months for the purpose of comparing what they had collected before to what is permitted under the new system. [NextGov] [NYTimes]

EU – Governments Step Up Domestic Surveillance

There has been a rise in domestic government surveillance in EU member states. Last month, in response to the Charlie Hebdo terrorist attacks, France passed what many are calling an intrusive surveillance law, and just this week the European Parliament backed down in its fight against new passenger name record regulations. In addition, the EU is spending hundreds of millions to develop security technology that is raising concerns among privacy advocates and civil liberties organizations, the report states. “Funding these programs is not per se problematic,” said the Council of Europe’s Nils Muiznieks. “It is how the new technologies will be used that poses a series of human rights concerns.” The European Commission’s Natasha Bertaud said the EU has the highest privacy standards in the world, but added, “There can be no security without freedom and no freedom without security.” [Reuters]

WW – White-Hat Hacker Discovers OnStar Vulnerability

A white-hat hacker has discovered a vulnerability in the mobile app for GM’s OnStar vehicle communications system that can permit hackers to “locate, unlock and remote-start” participating cars. In response, General Motors is developing a patch for the bug that is “days away” from release and working to quell fears. “We believe the chances of replicating this demonstration in the real world are unlikely,” said GM’s Terrence Rhadigan. “In addition, the action involves one user at a time, and would impact only that specific user’s account.” This comes on the heels of Fiat Chrysler’s recent voluntary recall of 1.4 million vehicles after the Jeep Cherokee was found susceptible to hacking. [Reuters] [Ars Technica]

US – Fiat Chrysler Recall

Chrysler has issued a safety recall for 1.4 million vehicles following the publication of a story in which hackers were able to take control of a Jeep. Users have several choices for fixing the vulnerabilities. They can go to a Chrysler dealer and have the software updated; they can download the patch onto a USB drive and plug it into their vehicle; or they can choose to receive a USB drive in the mail from Chrysler that already has the fix on it. Some have criticized the USB from Chrysler option because it asks users to trust a USB drive they receive in the mail. [v3.co.uk] [Wired] [ZDNet] [ArsTechnica]

US – Report Studies Impact of Drones on Data Security

A study by Tractica indicates that, as widespread interest in drone use grows, so will the need for more sophisticated data analysis and protection. “There are many other IT considerations,” Tractica’s Bob Lockhart said in the report. “Just like other mobile devices, drones are targets for theft of data and intellectual property, and drone inputs could affect certifications such as ISO9001 or ISO27001 for information security.” Data storage policies should also be in place. “Drones could produce huge amounts of data for organizations that are not used to large data volumes, so organizations should have a data science program ready in advance, he said, and know where the data will be stored and processed,” the report states. [IT Canada] [IT departments must prepare for the impact of commercial drone deployment]

US – Drone Shooter Cites Privacy Concerns

The case of a Kentucky man who shot down an $1,800 drone hovering over his house, and his subsequent arrest for “first degree criminal mischief and wanton endangerment,” has sparked a privacy law debate. “You know, when you’re in your own property … you have the expectation of privacy,” said William Meredith. “We don’t know if he was looking at the girls. We don’t know if he was looking for something to steal. To me, it was the same as trespassing.” While critics of the shooting contend “the law frowns on self-help when a person can just call the police instead,” Prof. Michael Froomkin argues “it’s reasonable to assume robotic intrusions are not harmless and that people may have a right to ‘employ violent self-help.’” [Fortune]

US – Constitutional Court Upholds Law

France’s Constitutional Council upheld a controversial surveillance law that permits intelligence agencies to gather metadata, with the only required approval coming from “an independent body created to oversee surveillance activities.” Dissenters argue the legislation “undermines privacy and civil liberties because it allows a wide range of surveillance activities without prior approval by a judge” and that its “terminology … is so vague as to permit any kind of surveillance,” the report continues. However, the court did move to “strike down a provision … that would allow emergency surveillance without the approval of the prime minister or another minister in the government.” [The Wall Street Journal]

WW – Surveillance News Roundup: [Nursery camera hacked at southwestern Ontario home: Internet cameras, cars and computer files becoming easier for hackers to break into] and [UK: George Clooney’s home security plans rile Oxfordshire neighbours: Installation of 18-camera CCTV system at the actor’s £10m property would violate privacy and be a visual intrusion, says parish council] [Baby monitors, cars and your sex life: Nothing is safe from hackers] [Will the internet listen to your private conversations?] [US – New MileHi app: Tinder of the skies?]

US – Pittsburgh Seeking to Implement Surveillance Camera Privacy Policy

A long-shelved City of Pittsburgh privacy ordinance is finally seeing daylight this summer, with the launch of police training in video surveillance rules and an effort to identify security cameras held by neighborhood groups. The big caveat: The U.S. Coast Guard has warned the city not to reveal camera locations, effectively barring civilian involvement in surveillance decisions. It’s unclear, though, whether the restrictions placed on the city really come from Washington, or rather from a local interpretation of a federal directive. Privacy advocates, meanwhile, argue that excluding civilians from surveillance decisions makes it impossible to ensure that civil liberties are respected. [Source]

Telecom / TV

US – NIST Draft Guidance on Mobile Devices for Healthcare Organizations

The US National Institute of Standards and Technology (NIST) has released draft guidance for health care providers regarding the use of mobile devices to access and transfer sensitive data. NIST is accepting public comments on the document through September 25, 2015. [ComputerWorld] The guide covers topics ranging from how best to administer privacy throughout an organization to which risks are the most significant. It also stresses that “implementing security must be balanced with making sure healthcare workers can easily use the technology to perform their duties,” the report states. [CSO Online]

US – Brady’s Smartphone Privacy “On Solid Ground” for Now

Tom Brady’s reported destruction of his personal smartphone before meeting with the NFL’s “Deflategate investigator” Ted Wells was “on solid ground legally.” “The NFL has no power to issue their own subpoena,” said defense lawyer Peter Elikann. “They’re not a court. They’re not law enforcement.” He added, “Smartphones are something that we’ve never had in history before. Your entire life is on a smartphone: your financial records, your personal photographs, your private romantic communications.” The report suggests that if the NFL can get a judge to require texts to be produced by Brady’s smartphone provider, “Brady will find he enjoys significantly lower privacy protections than if the government had accused him of a crime and Fourth Amendment search-and-seizure protections applied.” [NECN] See also: [Pakistan to shut down BlackBerry services by December over ‘security’]

US Government Programs

US – ODNI: NSA’s Technical Personnel to Have Metadata Access for Additional Three Months

On June 29, the Foreign Intelligence Surveillance Court approved the government’s application to resume the Section 215 bulk telephony metadata program pursuant to the USA FREEDOM Act’s 180-day transition provision. The Office of the Director of National Intelligence says that while the NSA has decided that analytic access to historical metadata collected under Section 215 will cease on November 29, the NSA will allow technical personnel to maintain access to the data for an additional three months in order to “verify the records produced under the new targeted production authorized by the USA FREEDOM Act,” the report states. [IC on the Record]

US Legislation

US – Sens. Introduce Second EdTech Bill

Sens. Steve Daines (R-MT) and Richard Blumenthal (D-CT) have introduced the Safe Kids Act, aimed at restricting the sale and use of student data by education-technology companies. The second student privacy bill to be introduced in the Senate this year, the Safe Kids Act would require companies to meet set data security standards and would empower federal regulators to punish those who violate the bill’s provisions. “The perils of privacy invasion and data abuse must be stopped at the classroom door with laws that match advancing technology,” Blumenthal said. The House currently has a similar, White House-backed bill, and Sens. Orrin Hatch (R-UT) and Ed Markey (D-MA) introduced a similar student privacy bill in May. [The Hill]

US – Blumenthal Hopes Lawmakers Will Join Forces on Student Privacy

Sen. Richard Blumenthal (D-CT), who introduced the Safe Kids Act with Sen. Steve Daines (R-MT), hopes to work with other legislators to work out the differences between their bill and one proposed by Sens. Orrin Hatch (R-UT) and Ed Markey (D-MA). The Safe Kids Act would prohibit “education companies … from selling or using student data for targeted ads and require them to meet certain data security standards when handling student information,” the report states, while the Hatch-Markey bill aims to update FERPA. “I think we’ll probably work out the differences,” Blumenthal said. If senators can agree on one bill, the report states, it has “chances of moving sometime after the August recess.” [The Hill]

US – CISA Unlikely to Have its Day Before Congressional Recess

A Congressional vote on the Cybersecurity Information Sharing Act (CISA) before its August recess is “unlikely.” “I’m sad to say I don’t think that’s going to happen,” said Senate Majority Whip John Cornyn (R-TX), adding, “I think we’re just running out of time.” National Journal reports that “extra time could help” as CISA “has numerous political hurdles to clear that may not be easily negotiated during the first week of August.” Critics have picked apart CISA’s issues, even going so far as to say that passing it into law would be a mistake. Meanwhile, a Vormetric poll has found that 92 percent of Americans are in favor of “retaliation in the wake of cyberattacks that compromise sensitive government data.” [The Hill]

US – Another Student Privacy Act Introduced

Yet another student data protection bill was introduced Wednesday, this one dubbed the Student Privacy Protection Act and championed by Reps. Todd Rokita (R-IN) and Marcia Fudge (D-OH). “The measure would update the Family Educational Rights and Privacy Act (FERPA), which many agree has outdated digital privacy protections,” the report states. “It is time our laws reflect today’s technological reality,” Fudge said. The Student Privacy Protection Act could serve as a companion bill to an effort from Sens. Orrin Hatch (R-UT) and Ed Markey (D-MA), since both revise FERPA to achieve similar goals, the report states. [The Hill] See also: [Students under surveillance: Universities are increasingly using personal data to predict performance. But at what cost to privacy?]

US – Senators Introduce FISMA Reform Bill

Sen. Susan Collins (R-ME) and Sen. Mark Warner (D-VA) introduced the FISMA Reform Act, a bill that would formalize the Department of Homeland Security’s (DHS) role in protecting government networks and websites. While the DHS “has the mandate to protect the .gov domain, it has only limited authority to do so,” Collins said. “There is no minimum standard,” added Warner. “This voluntary system has resulted in an inconsistent patchwork of security across the whole federal government.” However, Connecticut state officials are taking aim at federal security bills out of concern they could preempt state laws. “It is just inconceivable to me that the federal government could do as thorough a job on the ground as we can in Connecticut,” said Connecticut Attorney General George Jepsen. [The Hill]

US – Post-Breach Bill Stalls

A bill that aims to serve as a legislative guideline for organizations post-breach has lost traction in Congress, with opponents claiming it would preempt state laws and suggesting there is “no bipartisan path forward.” Bill sponsor Rep. Marsha Blackburn (R-TN) “stressed that the measure was narrowly tailored by design to avoid complications in the Senate,” but detractors, including the bill’s initial Democratic sponsor, Rep. Peter Welch (D-VT), claim that the “biggest problem is the definition of personal information in the bill” as well as its “preemption of 47 state laws, some of which are stronger than the federal bill,” the report states. [Roll Call]

US – Privacy News Roundup

  • Pennsylvania Sen. Dominic Pileggi (R-Delaware County) wants to expand the state’s DNA-collection law, Pennsylvania Independent reports, noting Pileggi is “arguing police could stop repeat offenders if the authorities didn’t have to wait for a conviction before swabbing a suspect, as current law requires.”
  • A “sharply divided” Federal Communications Commission has issued its Telephone Consumer Protection Act (TCPA) Declaratory Ruling and Order with “a range of new statutory and policy pronouncements that have broad implications for businesses of all types that call or text consumers for informational or telemarketing purposes.”
  • The House of Representatives passed the 21st Century Cures bill, which “contains a controversial provision calling for significant changes to the HIPAA Privacy Rule,” by a vote of 344 to 77.
  • Beth Israel Deaconess CIO John Halamka and Office for Civil Rights Deputy Director for Health Information Privacy Deven McGraw write that HIPAA is neither as antique nor as cumbersome a regulation as recent critiques make it out to be.
  • The FTC’s case against Nomi Technologies is based on presumption, George Mason University School of Law’s James Cooper writes.
  • Nine House Democrats have unveiled the Recover Act, a bill that would provide “lifetime identity-theft monitoring” for victims of the Office of Personnel Management breaches, as a companion to a bill from Sen. Ben Cardin (D-MD).
  • Massachusetts-based St. Elizabeth’s Medical Center has entered into a $218,400 settlement with the Department of Health and Human Services for failing to comply with HIPAA.
  • Filmmaker Laura Poitras is suing the U.S. government after receiving no response to her Freedom of Information Act requests for documents pertaining to the government’s targeting of Poitras at airports.
  • Seattle’s law requiring garbage collectors to look through trash to determine that no more than 10 percent is recyclables or food has sparked a privacy lawsuit.

Workplace Privacy

WW – New Service Aims to Ease BYOD Use

Good Technology aims to ease bring-your-own-device (BYOD) reimbursement procedures with its Enterprise Split Billing program. The Good Enterprise Suite with Data Service portion of the application permits employees to safely utilize office tools from their devices in a way that doesn’t incur personal data charges, the report states. “Companies can streamline their mobility rollouts and mitigate potential legal and HR complications, while employees don’t have to worry about personal data usage or incursions on privacy,” said Good Technology CEO Christy Wyatt. [FierceMobileIT] [Good enables BYOD firms to distinguish between personal, corporate data use]

US – Survey Finds Organizations Lack BYOD Policies

A tyntec survey indicates that corporations are not implementing bring-your-own-device (BYOD) policies. “Staffers are using their own devices to call, text and otherwise stay in touch with colleagues and customers … many voice concerns about the privacy of their personal messages on these devices,” the report states. “BYOD is the new norm,” said tyntec’s CTO and co-founder, Thorsten Trapp. “And the sooner enterprises embrace sound BYOD policies and user-friendly features, the sooner they can increase productivity and eliminate concerns from employees and IT.” [CIO Insight]
