01-15 August 2015

Biometrics

AU – Agencies to Take Fingerprints from Kids

Children who fight with extremist groups could be prevented from returning to Australia under plans to expand powers to gather biometric data. The Senate has passed legislation to beef up the country’s biometrics system, permitting the collection of data from children as young as 10 without parental consent. Fingerprints, and potentially iris scans and facial images, will be used to match people entering and leaving Australia to a database of known criminals and suspected terrorists. [SBS News]

WW – Facial-Recognition Tech Getting Attention from Apple, Police

A patent filed by Apple in 2014 and published this week, entitled “Systems and methods for sending digital images,” “describes various methods for streamlining the sharing of photos by linking faces to contact data, also utilizing facial recognition tech,” the report states. That makes it similar to Facebook’s Moments app, which “uses facial-recognition tech to help distribute photos to the people in them.” Meanwhile, The New York Times reports on facial-recognition software used by the U.S. military that “is being eagerly adopted by dozens of police departments around the country to pursue drug dealers, prostitutes and other conventional criminal suspects.” [TechCrunch]

WW – HTC Caught Storing Fingerprints as World Readable Cleartext

Four FireEye researchers have found ways to steal fingerprints from Android phones with biometric sensors such as the Samsung Galaxy S5 and the HTC One Max. The team found a forehead-slapping flaw in the HTC One Max in which fingerprints are stored as an image file (dbgraw.bmp) in an open “world readable” folder. “Any unprivileged processes or apps can steal user’s fingerprints by reading this file,” the team says, adding that the images can be made into clear prints by adding some padding. It is one of four vulnerability scenarios in which biometric data that should stay confined to the phone’s TrustZone (the ARM trusted execution environment Android uses for fingerprint handling) can be pilfered. [The Register]
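The HTC flaw is a plain file-permission mistake: a sensitive file sitting in a directory where the “other” read bit is set, so any unprivileged UID (on Android, any other app) can open it. The following added example, which is editorial illustration and not FireEye’s or HTC’s code, builds a constructed directory tree containing a fake dbgraw.bmp with the misconfigured mode (0644) next to a correctly restricted file (0600), audits the tree for anything world-readable, and repairs what it finds. The directory layout, file names and contents are assumptions for the demo; the check itself is generic POSIX and runs on any tree you point it at.

```python
import os
import stat
import tempfile
from typing import List


def is_world_readable(path: str) -> bool:
    """True if the 'other' class has read permission on the file."""
    mode = os.stat(path).st_mode
    return bool(mode & stat.S_IROTH)


def audit_world_readable(root: str) -> List[str]:
    """Walk root and return every regular file that any local user could read."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            # skip symlinks so we report the real file, not the link's target twice
            if os.path.isfile(full) and not os.path.islink(full) and is_world_readable(full):
                findings.append(full)
    return sorted(findings)


def harden(path: str) -> None:
    """Restrict the file to its owner only (rw-------)."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def build_demo_tree() -> str:
    """Constructed sample layout (assumption, not a real device image):
    an 'open' data directory holding a raw sensor image with the bad mode
    and a second file with the correct mode."""
    root = tempfile.mkdtemp(prefix="biometric-demo-")
    data_dir = os.path.join(root, "data")
    os.makedirs(data_dir)

    raw = os.path.join(data_dir, "dbgraw.bmp")
    with open(raw, "wb") as fh:
        fh.write(b"BM" + b"\x00" * 64)  # fake bitmap header; contains no fingerprint
    os.chmod(raw, 0o644)  # the misconfiguration: readable by every UID

    private = os.path.join(data_dir, "template.bin")
    with open(private, "wb") as fh:
        fh.write(b"\x00" * 32)
    os.chmod(private, 0o600)  # the correct setting: owner only
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    print("world-readable before:", audit_world_readable(demo_root))
    for found in audit_world_readable(demo_root):
        harden(found)
    print("world-readable after: ", audit_world_readable(demo_root))
```

The audit only looks at the mode bits, so it will not catch a file that is owner-only but owned by a shared UID, nor a directory that is itself unreadable; the second case is exactly why the HTC folder mattered, since the parent directory was open too.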

CA – Biometrically-Authenticated Wearable Payments With Mastercard, TD

The wearables market is beginning to pick up steam, and Toronto’s Nymi is already working on the next generation of wearables technology with a pilot project to complete credit card payments using a wearable whose credentials are biometrically authenticated by a heartbeat. Nymi has been developing its biometric authentication wearable technology, which uses a heartbeat as a unique biometric identifier and maintains the authentication as long as the wearable is being worn. As soon as it is taken off, or the user’s heart stops beating, the authentication ends, making it a unique approach to security. This summer, Nymi has been working with TD Bank Group and MasterCard to pilot using the Nymi Band to make contactless payments with a TD Bank Mastercard whose credentials are stored on the wearable. Using Nymi’s proprietary HeartID technology and a Nymi Band prototype enabled with near field communications, 100 TD employees in Toronto, Ottawa and Regina are testing payments at the contactless Tap & Go payment terminals already installed at many Canadian retailers. [Source]

Big Data

US – Draft Report Outlines Big Data Challenges

The Office of the National Coordinator’s Health IT Policy Committee Privacy and Security Workgroup (PSWG) completed a draft report outlining the healthcare privacy and security challenges of using big data and recommending steps to address them. “The complex legal landscape around health privacy creates obstacles for individuals trying to access their personal information and hurdles for researchers,” the study states. In addition to governmental transparency regarding its handling of big data, the group also suggests “that current laws around the use of such information should be evaluated and modified to ‘incentivize’ privacy, but that voluntary codes of conduct also could improve security efforts,” the report states. [FierceHealthIT] [The Sound Of Silence: New Video Tech Looks Beyond The Internet Of Things] [Connected medical devices: The Internet of things-that-could-kill-you]

Canada

CA – Sask. Privacy Commissioner, SHRA At Odds Over Privacy Breach

Saskatchewan’s privacy commissioner and the Saskatoon Health Region Authority (SHRA) are at odds over whether disciplinary action taken against a snooping employee should be disclosed. The employee in question had viewed her own along with other individuals’ health records without a need-to-know. According to Ronald Kruzeniski, Saskatchewan’s information and privacy commissioner (IPC), the health records clerk viewed the personal health information to satisfy curiosity and alleviate boredom. The privacy breach came to light in early 2015 through a regular audit. The employee was found to have viewed the personal health information of six people, including her own. [Global News]

CA – BC: Sex-Abuse Case Review a Breach of Privacy: Mom

B.C.’s privacy commissioner has been asked to investigate concerns about an external review of the Ministry of Children and Family Development by retired deputy minister Bob Plecas. Elizabeth Denham’s office confirmed that it has received a complaint about the review, but offered no further comment. Plecas was hired last month to review the ministry’s handling of a high-profile sex-abuse case. In that case, B.C. Supreme Court Justice Paul Walker found that social workers ignored or misled the courts and allowed a sexually abusive father unsupervised access to his four children. The government has appealed Walker’s decision. [The Times Colonist]

CA – Federal Govt’s New Healthy Living App Rewards Canadians With Points

The federal government is unveiling a new app in the fall that will reward Canadians for making healthier lifestyle decisions. The “Carrot Rewards” app aims to push Canadians to eat better, exercise more and live healthier lives, by rewarding them with various types of points. “Canada is the first country in the world to create a national app, a national mobile platform for rewarding its citizens for healthier lives,” said Andreas Souvaliotis, Founder and CEO of Social Change Rewards, which is marketing the app for the government. [Global News] [Canadians are victims of China-based VPN network and new malware kit, say vendors]

WW – IPC: Balancing Transparency, Privacy and the Internet

While providing services to the public, municipalities are often required to collect, use and disclose personal information from and about their community members. Some information received and processed by municipalities is legally required to be made publicly available for the purposes of allowing public participation in decision-making and for maintaining transparency and accountability with respect to the activities of these institutions. Municipalities should balance the need to protect the privacy of their community members, in compliance with provincial privacy legislation, against the need to meet their other legislated obligations. The new guide Transparency, Privacy and the Internet: Municipal Balancing Acts describes a number of policy, procedural and technical options available to municipalities to mitigate the privacy risks associated with publishing personal information on the Internet. [Office of the Information and Privacy Commissioner, Ontario]

Consumer

WW – Google, Facebook Privacy Polices Rank Highest

Time and the Center for Plain Language reviewed the privacy policies of seven of the most ubiquitous tech companies and ranked them based on the clarity of language, finding Google and Facebook’s to be the most straightforward. “A privacy policy that consumers are unlikely to read or understand provides no protection whatsoever,” the report states. “The results of our study are quite consistent, especially at the top and bottom of the rankings: Google and Facebook do a good job of communicating their privacy policies in a way that allows consumers to understand and make decisions—at least motivated consumers. According to the analysis, Lyft and Twitter do a poor job of communicating those policies. The remaining companies—LinkedIn, Uber and Apple—do better in some areas than others.” [Full Story]

US – Consumers Want to Sell Their Own Data, But What’s It Worth?

Digital Catapult, a working group bringing together academics and industry, recently commissioned a study showing that consumers want ways to collect and manage their personal data and want to make money from sharing that data. However, while that may be the case, The Conversation reports that determining a value for a person’s data is no easy task. The Digital Catapult study showed 62% of respondents would be willing to receive 30 GBP per month for sharing their data; however, that was the maximum amount allowed in the study. “No doubt they’d not turn down 100GBP or 1,000 GBP either.” Compounding that is the question of “who holds the reins: government, business or the third sector?” [Full Story] see also: [How to protect your wireless network from Wi-Fi Sense] [Cellphone Projects in Developing World Need Better Privacy, Security Measures] [How your phone’s battery life can be used to invade your privacy] [New Windows 10 scam will encrypt your files for ransom] [Windows 10 sends identifiable data to Microsoft despite privacy settings] [Microsoft on Windows 10 and Privacy] [Microsoft responds to Windows 10 privacy policy concerns]

E-Government

UK –Fears Over “Lax” Council Data Security

Sensitive personal information has been lost or misused by councils on thousands of occasions, according to a study by privacy campaign group Big Brother Watch. The study found that local authorities recorded 4,236 data breaches over a three-year period from April 2011. Emma Carr, Big Brother Watch director, said: “Despite local councils being trusted with increasing amounts of our personal data this report highlights that they are simply not able to say it is safe with them.” The report, based on responses to Freedom of Information requests sent to local authorities throughout the UK, shows that, amongst other things, “some 197 mobile phones, computers, tablets and USBs were lost or stolen” and “data was lost or stolen on 401 occasions, with 628 instances of incorrect or inappropriate information being shared on emails, letters and faxes”. [Digital By Default News]

US – Data in Clinton’s ‘Secret’ Emails Came from Five Intelligence Agencies

The classified emails stored on former Secretary of State Hillary Clinton’s private server contained information from five U.S. intelligence agencies and included material related to the 2012 fatal attacks in Benghazi, Libya, the McClatchy news service has learned. Of the five classified emails, the one known to be connected to Benghazi was among 296 emails made public in May by the State Department. Intelligence community officials have determined it was improperly released. Revelations about the emails have put Clinton in the crosshairs of a broadening inquiry into whether she or her aides mishandled classified information when she used a private server set up at her New York home to conduct official State Department business. While campaigning for the 2016 Democratic presidential nomination, Clinton has repeatedly denied she ever sent or received classified information. [thestar.com]

US – Study: Gov’t Weaknesses “Deep, Pervasive”

A George Mason University Mercatus Center study of the government’s 30-day “cybersecurity sprint” indicates that while improvements were made, major weaknesses in cybersecurity persist, with 10 agencies declaring noncompliance. “Federal agencies lag far behind the cybersecurity goals that policy-makers have crafted and amended over the past decade. In only one category, security training, do a majority of agencies report full compliance,” the study states, noting the “government’s cybersecurity weaknesses are not merely superficial issues that can be quickly resolved in a few short weeks; they are deep, pervasive and systemic problems resulting from decades of poor information security practices.” [InsiderOnline]

NZ – Justice Minister Tackles ‘Privacy Paralysis’

Justice Minister Amy Adams says privacy laws significantly hamper the ability to detect and deal with domestic violence because government officials and those working with children and families are often over-cautious when it comes to sharing information. Ms Adams will today release a discussion document with proposals to tackle domestic violence which is understood to contain more provisions for sharing information between the courts, police and the agencies and community organisations which deal with families. [The New Zealand Herald]

US – Government’s Privacy Push Garners Results

After the conclusion of the White House Office of Management and Budget-initiated 30-day “cybersecurity sprint” across federal government agencies, reported use of more sophisticated passwords rose 30 percentage points, from 42% to 72%. While the jump was positive, White House Chief Information Officer Tony Scott said he believes “we still have more work to do,” adding that a team of experts would review the government’s “policies, procedures and practices” relating to cybersecurity. Scott said an assessment will be issued in the months ahead, the report states. [Reuters]

E-Mail

US – Yahoo Class-Action Appeal Denied

U.S. District Court Judge Lucy Koh’s ruling to elevate an email privacy suit against Yahoo to a class-action still stands, according to the Ninth Circuit Court of Appeals, which rejected Yahoo’s request to overturn Koh’s decision. Plaintiffs said, “Yahoo violated the federal wiretap law and a California privacy law by allegedly intercepting messages without the consent of both the sender and recipient,” but Yahoo argued “consumers aren’t entitled to class-action treatment because the key issue in the privacy dispute—whether people consented to Yahoo’s email scans—will require individualized assessments,” the report states. Koh had determined “that the consumers raised the kinds of ‘common’ questions that don’t require separate determinations for every affected web user,” the report continues. [Media Post]

WW – Email Marketing Laws and the Results of Compliance

Kissmetrics looks at anti-spam laws, highlighting particular statutes, outlining what marketers need to know and describing what compliance can mean for their businesses. “Email marketing is one of the most effective marketing tactics online,” the report states, noting, “however, there are a number of best practice techniques that you need to comply with to ensure that you don’t irritate your customers or run afoul of regulators.” The report offers the major points of the laws in Europe, specifically the UK, and the U.S., stating that “if you protect customer privacy and allow customers to opt out of marketing emails, you will build goodwill … ensure that your marketing will go to customers who are receptive and open to your messages” and “protect you financially.” [Full Story] [Want to be totally secure on the Internet? Good luck]

Electronic Records

CA – Lifelabs to Make Patients’ Test Results Available Online

Ontario’s biggest medical lab company says early access will help patients be better informed when talking with their doctors. For the first time, some patients using Ontario laboratory testing centres will be able to access their results online. Canadian laboratory testing company LifeLabs has announced the launch of an online portal, called My Results, which will allow patients to access their medical test results 24 to 48 hours after testing. The new portal will only offer results from LifeLabs centres. The Ontario Association of Medical Laboratories estimates there are 325 licensed laboratories and specimen collection centres across the province, 240 of which are owned by LifeLabs. Despite the privacy concerns that come with a move online, LifeLabs believes its system is secure. [The Star]

Encryption

WW – Full-Disk Encryption Debate Continues

Manhattan District Attorney Cyrus Vance Jr., Paris Chief Prosecutor François Molins, City of London Police Commissioner Adrian Leppard and High Court of Spain Chief Prosecutor Javier Zaragoza wrote an op-ed making the argument that the full-disk encryption offered in Apple and Google operating systems blocks justice. “Now, on behalf of crime victims the world over,” they write, “we are asking whether this encryption is truly worth the cost.” Later that day, Jenna McLaughlin wrote a counterpoint in The Intercept, stating they posed a “flawed argument” that “misstated the extent of the obstacles to law enforcement” while failing “to acknowledge the value to normal people of protecting their private data from thieves, hackers and government dragnets.” [The New York Times] SEE ALSO: [Post-Snowden, Cryptography Companies Find Success]

WW – ICANN User Information Accessed

The Internet Corporation for Assigned Names and Numbers (ICANN) reported a breach of “user names, email addresses, encrypted passwords and other data, such as bios, interests and newsletter subscriptions.” “Encrypted passwords appear to have been obtained as a result of unauthorized access to an external service provider,” ICANN said, but it has not named the provider. The investigation is ongoing, the report states, noting ICANN site users are being required to update their passwords. This is the third data compromise incident for the organization within the past year. [IT World]

US – Tokenization in the Cloud; Ex-DHS Official: Encryption Is Key

A recent report from Cipher Cloud reveals that 68% of the 50 banks it surveyed use tokenization, most notably to protect personally identifiable information, IBM’s Security Intelligence reports. The use of tokenization, too, is spreading into the retail industry, the report states. In a CSO Q&A, Dropbox’s Patrick Heim discusses the privacy and security concerns for businesses moving to the cloud. Meanwhile, Richard Marshall, former director of global cybersecurity management for the U.S. Department of Homeland Security, has said businesses need to do a better job at encrypting their services. “There was no thought (at the Office of Personnel Management) to encrypt that data because it was deemed too difficult and too complex to do. Well that’s not accurate,” he said. [CipherCloud]
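Tokenization differs from the encryption Marshall is calling for in one structural way: a token is not derived from the card number at all, so there is no key that turns it back into a PAN. The mapping lives only in a vault, and a system that holds tokens but not the vault holds nothing usable. The added example below is editorial illustration, not CipherCloud’s or any bank’s implementation, of a minimal vault-based scheme: it keeps the first six and last four digits so downstream reports still work, draws the middle digits from a CSPRNG, and deliberately makes every token fail the Luhn check so a token can never be mistaken for, or accidentally processed as, a real card number. The class and function names, and the sample card number 4111 1111 1111 1111 (a standard test PAN), are assumptions for the demo; a production vault would persist the mapping in an encrypted store with its own access control.

```python
import secrets
from typing import Dict, Optional

DIGITS = "0123456789"


def luhn_valid(number: str) -> bool:
    """Standard Luhn mod-10 check used by real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip spaces and reject anything that is not a plausible PAN."""
    cleaned = pan.replace(" ", "").replace("-", "")
    if not cleaned.isdigit() or not 12 <= len(cleaned) <= 19:
        raise ValueError("not a plausible card number")
    return cleaned


class TokenVault:
    """Bidirectional PAN <-> token map. Only this object can detokenize."""

    def __init__(self) -> None:
        self._pan_to_token: Dict[str, str] = {}
        self._token_to_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = normalize_pan(pan)
        # Same PAN always maps to the same token so joins across systems still work.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            middle = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 10))
            token = pan[:6] + middle + pan[-4:]
            # Reject: identical to the PAN, already issued, or Luhn-valid
            # (a Luhn-valid token could be mistaken for a real card number).
            if token != pan and token not in self._token_to_pan and not luhn_valid(token):
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Return the PAN for a token, or None if the vault never issued it."""
        return self._token_to_pan.get(token)


if __name__ == "__main__":
    vault = TokenVault()
    sample_pan = "4111 1111 1111 1111"  # constructed test PAN, not a real card
    tok = vault.tokenize(sample_pan)
    print("token:", tok, "luhn_valid:", luhn_valid(tok))
    print("detokenized:", vault.detokenize(tok))
```

Because the token carries no information about the PAN beyond the digits it visibly preserves, the security of the scheme reduces entirely to who can reach the vault; that is the part that still needs encryption at rest and tight access control, which is where the two techniques meet rather than compete.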

EU Developments

UK – High Court Strikes Down Data Retention Law

Not long after privacy advocacy groups found six EU member states have data retention laws that “appear to be in contravention to the Charter of Fundamental Rights,” the UK High Court this week declared the UK’s Data Retention and Investigatory Powers Act 2014 (DRIPA) “incompatible with human rights” and “unlawful.” The section of the law requiring retention of data should be “disapplied,” the court ruled, but suspended that ruling until March 31 to give the government time to rewrite the law. Further, the secretary of state has permission to appeal the ruling to the Court of Appeal. [Lexology]

EU – Safe Harbor Agreement Could Be Reached “After Summer”

The Safe Harbor talks between the EU and U.S. are in their final stages, and an agreement could be finalized “after the summer.” The negotiations, which began in January of 2014, aim to ensure U.S. Safe Harbor companies will not be able to “circumvent the EU’s tough data protection regime by passing data on to another company not certified under the data-sharing deal and therefore not adhering to the same privacy standards,” the report states. Under the new Safe Harbor plan, “U.S. registered companies will face stricter rules when transferring data to third parties,” the report continues, noting the negotiations took time “because the EU has wanted to ensure the U.S. guarantees are watertight.” [Reuters]

EU – Potential Last-Minute Resistance to Safe Harbor

Safe Harbor negotiations may face opposition from the Europe of Nations and Freedom (ENF) group of EU Parliamentarians, Sputnik reports. “I do not think that the U.S. will only collect basic data,” said Austrian parliamentarian and ENF member Georg Mayer. “We know from the past how hungry the American services are for every data. So no trust in that, also under the experience we made in the negotiations for TTIP. I think—I have to talk to the rest of the ENF group—we will not vote in favor for that agreement.” The EU and the U.S. are reportedly working out the “final details” of the agreement. [Full Story]

EU – Europe News Briefs

The General Data Protection Regulation may not only mandate breach notification but also increase fines “from tens of thousands to a one-million-euro punishment or 5% of global annual turnover, whichever is greater.”

Lokke Moerel analyzes the three iterations of the General Data Protection Regulation to assess whether the Binding Corporate Rules for Processors function remains in the legislation.

Facts & Stats

WW – Estimated Privacy Advisory Market Worth $3 Billion and Counting

The privacy advisory market is worth over $3 billion and is poised to continue its “meteoric rise,” according to estimates by PwC’s Jay Cline, who attributes the uptick to a mixture of the growth of global government privacy regulation, the greater use of big data for corporate competitive edge, technological advances and criminal data breaches. “Today’s privacy advisory market looks like the information-security market did 10 years ago … And where is that market heading today? Last month, Gartner projected that spending on information-security vendors will hit $101 billion by 2018,” Cline said. “If the $3 billion estimate is in the ballpark, and it’s true there’s no one dominant market leader, an upcoming wave of corporate spending is totally up for grabs.” [ComputerWorld]

US – 2015 Health Data Hacks: Stunning Stats

The health data breach statistics for 2015 are stunning. So far this year, just the top five breaches have impacted a total of 99.3 million individuals. And all five involved hacker attacks, which were relatively rare until this year. As of Aug. 4, the official federal tally of major health data breaches since September 2009 listed 1,282 breaches affecting a total of 143.3 million individuals. That means the five recent hacker attacks represent almost 70% of all victims on the six-year tally. And just one of those attacks, the hacking of health insurer Anthem that affected nearly 79 million, accounts for 55% of the total impacted. Top 5 Health Data Breaches in 2015, So Far: Anthem, Premera, UCLA Health, Medical Informatics Engineering (MIE), CareFirst. In addition to the five biggest hacker breaches, the “wall of shame” breach tally from the Department of Health and Human Services’ Office for Civil Rights, which tracks breaches affecting 500 or more individuals, lists another 33 hacking incidents this year, affecting nearly 2.4 million individuals combined. So, the grand total of victims affected by hacking breaches reported this year is 101.7 million. And it’s only August. [Health Information Security]

WW – Report: Companies Face Consequences for Lack of Privacy

A new Forrester report shows there are consequences for companies that don’t meet their customers’ privacy expectations. Forrester’s research shows that one in three adult Americans has cancelled a transaction due to privacy concerns. “In most cases,” the report states, “a person’s willingness to buy from, work for and invest in a company is driven by their perceptions of the company.” With increasing cyberattacks aimed at acquiring consumer data, “The problem is that the internal security many organisations have in place isn’t enough to secure customers … Understanding where all those assets are and managing them holistically is critical.” [Information Age]

WW – Breach Victims Paying Less and Less

The financial impact breaches have on individual victims is shrinking, thanks to strides in data protection and the nature of what thieves are looking for. “Only a tiny number of people exposed by leaks end up paying any costs, and for the rare victims who do, the average cost has actually been falling steadily,” the report continues. “For the bad guys, your five-year growth plan is not data breaches and stealing credit cards,” said The Nilson Report’s David Robertson. “It involves stealing all the info you can and opening legitimate accounts in people’s names.” And while “the bad guys are getting good … the good guys are getting even better,” he added. [The New York Times]

Filtering

US – Appeals Court: Netflix Didn’t Violate VPPA

The Ninth Circuit Court of Appeals has upheld an earlier decision by U.S. District Court Judge Edward Davila to dismiss a potential class-action lawsuit that alleged Netflix violated the Video Privacy Protection Act (VPPA). The appeals court decided Netflix did not violate the VPPA “by displaying information about subscribers’ movie-watching history to their friends, families and guests,” the report states. Meanwhile, ZDNet reports on the Seventh Circuit Court of Appeals’ recent decision overturning “a district court that had tossed a class-action lawsuit against Neiman Marcus over a 2014 data breach.” [US Appeals Court Sides With Netflix In Privacy Battle Over Home Page] [MediaPost] [Toronto woman’s webcam hacked while watching Netflix]

Finance

US – New Payment Cards Coming this Fall

This fall marks the official switch from swiping cards at the register to utilizing cards with chips for greater security. Small businesses that either don’t know about the change or are overwhelmed at the prospect of getting new readers to facilitate the chips are nervous, the report states. Square is offering 250,000 card-readers for free, the report states, noting the move is important because retailers “could be on the hook for damages from a breach if they don’t upgrade their equipment.” [The Washington Post]

US – CFOs Increasingly Investing in Security

For the first time, Bank of America Merrill Lynch’s 2015 CFO Outlook Pulse Survey asked chief financial officers (CFOs) about data security and fraud issues. The survey found that 82% of U.S. companies have a formal data security plan, and 69% reported an increase in investment in data security, the report states. In addition, 10% of the companies said they’ve had a data breach, and 48% said the impact of the breach was minimal. Companies are increasingly investing in anti-virus and spyware-detection programs and installing actively managed firewalls, and 83% are using anti-malware software, the report states. [SC Magazine]

WW – Is Yodlee Selling Data the Right Way?

For Yodlee, which provides personal financial tools, roughly 10% of the company’s 2014 revenue came from selling anonymized data to investment firms. Yodlee says it “adheres to strict privacy standards to ensure that the transaction data in our data products is anonymized and does not contain personally identifiable or attributable information,” adding the data is used “to develop more sophisticated analytic solutions.” Peter Swire, whom Yodlee hired to review its privacy practices, said it is “doing the technical and administrative things that regulators have recommended” to protect the anonymity of the data, and is “not in the business of playing spy” to figure out transaction histories of individuals or their names. [The Wall Street Journal]

Health / Medical

WW – Need to Brush Up on Your BA Agreements?

A report discusses third-party partnerships between healthcare organizations (HIPAA covered entities) and business associates (BAs) and the importance of ensuring HIPAA compliance. “All parties should have a thorough understanding of their relationship and how they are expected to maintain patient data security,” the report states. Under HIPAA rules, BAs are directly responsible for keeping protected health information (PHI) secure; it is not just the covered entity that bears the burden. This should be spelled out in the covered entity’s agreement with the BA. “Not only does the business associate agreement dictate how and when PHI could be disclosed, it also outlines the potential consequences should sensitive information be exposed,” the report states. [HealthITSecurity]

US – Judge Orders NHL to Turn Over Injury and Concussion Data

The National Hockey League has been ordered by a judge to turn over reams of data about player injuries and concussions to lawyers representing former NHL players who are suing the league. The roughly 80 former players who are suing the NHL, including Bernie Nicholls, Gary Leeman and Butch Goring, allege NHL and team executives knew or ought to have known about the links between head trauma and long-term cognitive problems but failed to do enough to protect players, all the while profiting from the violence of hockey. The NHL has argued interested players could have read medical research and news reports on their own and put “two and two together” about the dangers of repeated head hits and concussions. In an order released late last week, U.S. District Court Judge Susan Nelson agreed to some but not all of the requests for discovery filed by the former players’ lawyers. “The Court finds that the (NHL’s) blanket application of the physician-patient privilege – protecting all medical data from disclosure – is inapplicable here,” the judge wrote in her ruling. “The clubs are ordered to produce any internal reports, studies, analyses and databases in their possession (whether initiated by the U.S. clubs, NHL, or retained researchers) for the purpose of studying concussions in de-identified form. The U.S. clubs shall produce any responsive correspondence and/or emails between themselves, themselves and the NHL, or with any research or other professional about the study of concussions.” [tsn.ca]

WW – WADA Urges Athletes to Report Privacy Breaches From Leaked IAAF Doping Inquiry

The World Anti-Doping Agency invited athletes to come forward if they feel their privacy was breached by leaked results of suspicious blood tests. WADA said its independent commission will “urgently” investigate the allegations of widespread doping in athletics aired by German broadcaster ARD. The inquiry, led by IOC member and former WADA head Dick Pound, began after ARD alleged systematic doping in Russian athletics last December. A follow-up program broadcast last Sunday alleged that IAAF files showed 800 suspicious results in blood samples from 5,000 athletes in the years from 2001-12. ARD and British newspaper The Sunday Times suggested the IAAF did not act on the evidence. [The Associated Press]

UK – Boots, Tesco and Superdrug to Get Access to NHS Medical Records

High street pharmacies such as Boots, Tesco and Superdrug will be given access to NHS medical records, under a national scheme which privacy campaigners fear could expose patients to “hard sell” tactics. Health officials have drawn up plans to send sensitive data from GP surgeries to pharmacies across the country, starting this autumn, without considering the views of patients. NHS England says the scheme will ease pressures on family doctors, and improve the care given to patients in the High Street. But campaigners fear major commercial chains will be able to exploit the valuable data, and use it to push the sales of their products. Officials have now ordered the national rollout of the scheme, on the basis of an evaluation of pilots in 140 pharmacies which they say showed “significant benefits”. But the official report shows that the research garnered responses from just 15 patients – a sample so small that their views were discarded from the research. [The Daily Telegraph]

Horror Stories

US – Hackers Breach Sabre, American Airlines; More OPM Fallout

A group of China-backed hackers believed to have accessed the databases of the Office of Personnel Management (OPM) and Anthem is allegedly behind similar breaches at American Airlines and Sabre, which processes reservations for airlines and hotels. Meanwhile, in a memo to OPM Director Beth Cobert, Inspector General (IG) Patrick McFarland said the OPM’s Office of the Chief Information Officer (CIO) has “hindered and interfered with” IG oversight and “has created an environment of mistrust by providing my office with incorrect and/or misleading information.” Additionally, in a letter to Cobert, Rep. Jason Chaffetz (R-UT), who repeatedly called for the resignation of the previous OPM Director Katherine Archuleta, is calling for current OPM CIO Donna Seymour—appointed by Archuleta—to resign. [Bloomberg Business] [Stolen Consumer Data Is a Smaller Problem Than It Seems]

US – Fitness Firm Says Ex-Employee Stole Data

Exercise chain Planet Fitness has been granted a restraining order against a former payroll manager after successfully arguing the ex-employee is in possession of sensitive data that he threatened to release publicly. The ex-employee was mistakenly emailed the data because he shared the name of one of the company’s lawyers. After being asked to delete the email and its contents, and saying he did so, the ex-employee later revealed he had downloaded the attachment along with other data, such as the PII of 900 Planet Fitness employees, including the executive team. The restraining order says the ex-employee cannot “use, copy, destroy, disseminate, transmit, secret, print, publish, tamper with or alter Planet Fitness’ confidential information.” However, the judge did not grant a request to seize all of the ex-employee’s electronic media. Meanwhile, an unnamed man employed by an unnamed federal agency is highlighted in an SFGate feature after complaining that he can’t turn off the GPS function on his employer-issued smartphone. [Seacoastonline.com] [Privacy breach no more: Eastern Health finds missing USB in file folder] [Michael’s Breach: What We’ve Learned]

US – Faulty Record Disposal by Business Associate Exposes Physician Practice

FileFax Inc., a Chicago-area record storage and disposal company, is being sued by the Illinois attorney general’s office for improper disposal and exposure of thousands of patient medical records, which belonged to Suburban Lung Associates, a pulmonology group. Suburban Lung Associates had hired FileFax to dispose of the medical documents. Instead of properly disposing of the medical documents, FileFax dumped the records into an unlocked, public garbage dumpster. The documents that were placed in the dumpster contained records for about 1,500 patients and included information such as Social Security numbers, names and phone numbers, among other information. According to Elizabeth G. Litten, an attorney at Fox Rothschild LLP, many companies outsource the storage as well as disposal of records to a third party. [Mondaq News] [Breached Retailer: ‘I Wish I Had Known How Sophisticated …‘]

US – AG Investigating MIE Breach

The Indiana Office of the Attorney General (AG) is investigating the recent 3.9 million-victim data breach at Medical Informatics Engineering (MIE), which exposed Social Security numbers and medical information and could spell big trouble for the organization. “MIE is going to be in the limelight throughout the process,” the report states, noting AGs have the power to broaden the scope of investigations beyond HIPAA violations to include state laws. Meanwhile, James Young, one of the victims in the breach, is suing MIE, claiming it didn’t “take adequate and reasonable measures to ensure its data systems were protected” and did not “take available steps to prevent and stop the breach from ever happening.” [FiercEMR]

US – White House Details Contractor Data Breach Guidelines

The Office of Management and Budget (OMB) has released detailed guidance for data breach contract clauses for federal agencies. The newly proposed “Improving Cybersecurity Protections in Federal Acquisition” aims to make sure federal data is protected, whether it sits in a federally owned system or in a corporate vendor’s system. The guidance is open to comment until September 10. Once finalized, agencies’ senior privacy officers along with their chief information officers, chief acquisition officers, chief information security officers and other officials “shall immediately begin working together to apply the guidance,” the proposal states. [Next Gov] See also: [Is the FTC Guide a Sure-Fire Way To Stay Out of Trouble?] [Careers can end with the click of a mouse]

WW – ICANN Resets Passwords After Website Breach

The overseer of the Internet’s addressing system said that someone obtained information related to user accounts for its public website, although no financial information was divulged. ICANN, short for the Internet Corporation for Assigned Names and Numbers, said user names, email addresses, encrypted passwords and other data, such as bios, interests and newsletter subscriptions, were contained in the accounts. Despite the breach, the accounts as well as internal ICANN systems do not appear to have been accessed, the organization said in a post on its website. Although an investigation continues, ICANN said the “encrypted passwords appear to have been obtained as a result of unauthorized access to an external service provider.” It did not name that provider. [ComputerWorld]

US – Investigation Reveals HHS Incidents; IRS Breach Announced

A review of the Department of Health & Human Services (HHS) by the House Energy & Commerce Committee has revealed evidence of five breaches within three years. “What we found is alarming and unacceptable,” said Reps. Fred Upton (R-MI) and Tim Murphy (R-PA). “At a time when sensitive information is held by so many in the public and private sectors, Americans should not have to worry that the U.S. government is left so vulnerable to attack,” they continued. This announcement follows the IRS’s disclosure that a flash drive containing the personal information of some 12,000 Texas school district employees was “misplaced” by an IRS worker completing an audit of the district. [The Hill]

US – Shutterfly Wants Suit Dismissed

Shutterfly is asking a federal judge to dismiss a lawsuit accusing the company of “violating a state privacy law by compiling a database of ‘faceprints’.” The request responds to a lawsuit filed in June by Brian Norberg, who claims Shutterfly and its subsidiary ThisLife violated an Illinois biometrics privacy law by including his faceprint even though his photo was uploaded by someone else. But Shutterfly wrote in its dismissal motion, filed Friday with U.S. District Court Judge Charles Norgle in Illinois, “Helping a user re-identify his own friends within his own digital photo album does not violate any law.” [MediaPost]

US – Florida: DCF Employee, Husband Stole Identities to Get Public Assistance

As an employee of Florida’s Department of Children & Families, Clara Builes was in charge of approving applications for public-assistance benefits for the poor. But Miami-Dade prosecutors say that for nearly four years, she used her position to help steal the identities of several unsuspecting people, getting fraudulent benefit cards used to buy nearly $20,000 in food and groceries. Builes and her husband, Gonzalez Builes, 53, surrendered Wednesday to face an array of white-collar charges, including official misconduct, grand theft and public assistance fraud. [The Miami Herald]

Identity Issues

US – OCR Reaches First-Ever Transgender Privacy Settlement

The Department of Health and Human Services’ Office for Civil Rights (OCR) has reached a voluntary settlement with a New York City medical center establishing a new standard of care for transgender patient privacy. The OCR reached the agreement with The Brooklyn Hospital Center (TBHC) after a patient alleged the Affordable Care Act was violated when TBHC assigned “a transgender female who presented as a female at the hospital … to a double-occupancy patient room with a male occupant,” the report states. Under the new agreement, TBHC will adopt and train employees on new transgender policies. Apgar & Associates Attorney Chris Apgar said, “The next settlement may not be a voluntary settlement and may include the levying of civil penalties.” [AIS Health]

WW – Hacker Demonstrates Ease of “Killing” Virtually Anyone

At the DEF CON event in Las Vegas, Chris Rock, CEO of Kustodian, demonstrated the ease with which he was able to have living people legally declared dead. Using online databases to pose as a doctor or funeral director, Rock was able to “game the system,” reports CSM’s Passcode, and have death certificates issued for living people. Similarly, Rock showed how he could create a “totally new virtual baby,” exploiting similar vulnerabilities in the birth registration process for many countries. Rock initially focused on the Australian system and “was shocked to find (death registration) was an online system without any protection at all.” With no verification process for doctors or funeral directors, “you can kill someone in about 10 minutes,” Rock said. [Full Story] [Just how easy is it to digitally fake a death? ]

Internet / WWW

WW – Interpol is Training Police to Fight Crime on the Darknet

Interpol has just completed its first training course designed to help police officers to use and understand the Darknet. The five-day course was held in Singapore, and attended by officers from around the world. According to Interpol, the next course will be held in Brussels. The students did not, it seems, explore the Darknet itself. Interpol said in a statement that its Cyber Research Lab “created its own private Darknet network, private cryptocurrency and simulated marketplace, recreating the virtual ‘underground’ environment used by criminals to avoid detection.” Police forces have had some successes in the past two years, taking down the Silk Road drug-dealing site in 2013 and more than 400 services in Operation Onymous in November 2014. However, new services soon emerge to replace them. [ZD Net]

WW – Beacon Project: Privacy-Conscious Data Sharing?

The Global Alliance for Genomics and Health’s (GA4GH) Beacon Project utilizes beacons to allow organizations to share genomic data with greater ease. “A beacon is a web server that answers the question, ‘Have you observed this allele or mutation?’” explains GA4GH’s Marc Fiume, and does not ask for the specifics of how or where. “Within this climate of data protectionism, the Beacon Project is a clever way to ask organizations to share even a little bit of information,” the report states, noting institutions can create “online search functions that let anyone in the world take a peek at their databases—but only to find a particular kind of information that was carefully chosen not to overly expose privacy or security risks.” [Bio-IT World]

WW – Coalition Issues Stronger DNT Standard

Digital rights group Electronic Frontier Foundation and a coalition of privacy-enhancing companies that includes Disconnect, Adblock, Mixpanel, Medium and DuckDuckGo, have issued a stronger Do-Not-Track (DNT) standard. EFF Chief Computer Scientist Peter Eckersley said, “We are greatly pleased that so many important web services are committed to this powerful new implementation of Do Not Track, giving their users a clear opt-out from stealthy online tracking and the exploitation of their reading history.” Disconnect Chief Executive Casey Oppenheim said, “The failure of the ad industry and privacy groups to reach a compromise on DNT has led to a viral surge in ad blocking, massive losses for Internet companies dependent on ad revenue and increasingly malicious methods of tracking users and surfacing advertisements online.” [The Guardian] [Privacy pressure group EFF announces stronger Do Not Track standard]

WW – Ad-Blocking Technology Expected to Cost Industry Billions

“If I don’t know what data is being collected on me, I’d rather block it.” That’s Guillermo Beltrà’s policy on pop-up advertisements. Beltrà is one of an increasing number of Internet users who are taking sophisticated measures to sidestep online revenue-generating efforts by using ad-blocking software. That’s according to a new report by Adobe and PageFair, which said such ad-blocking will lead to almost $22 billion of lost advertising revenue this year, which is up 41% compared to the last 12 months. That kind of trend is causing grave concerns for firms relying on online advertising for revenue, the report states. [New York Times] [Online ad-blocking is on the rise. That’s bad news for everyone.]

Law Enforcement

UK – Breach May Have Affected 2.4 Million

The UK Information Commissioner’s Office is “making inquiries” after retailer Carphone Warehouse said the personal details of up to 2.4 million customers may have been accessed in a cyber-attack discovered last week. The encrypted credit card details of up to 90,000 individuals may have been accessed, the company said. The other data accessed could include names, addresses, dates of birth and bank details. Those affected are being contacted. Dixons Carphone, which owns Carphone Warehouse, said additional security measures have been brought in and the affected websites have been taken down. [BBC News]

WW – Google to Restructure Into Alphabet Conglomerate

Google Cofounders Larry Page and Sergey Brin announced a massive restructuring of Google under the umbrella holding company now called Alphabet. Page writes, “Alphabet is mostly a collection of companies,” adding, “The largest of which, of course, is Google.” Under the new structure, Page will assume the role of CEO and Brin will be president of Alphabet, while Sundar Pichai—known for his work on Chrome and Android—will become the new CEO of Google. Each business under Alphabet will have a CEO “with Sergey and me in service to them as needed,” Page writes. X labs as well as Capital and Ventures, for example, will be broken out from Google under Alphabet. [Full Story]

Location

US – Appeals Court Says Warrant Required for Cell Location Data

The Fourth US Circuit Court of Appeals has ruled that law enforcement must obtain a warrant prior to requesting cell phone location data from service providers. According to the decision, that information is protected under the Fourth Amendment. [SC Magazine] [The Register]

WW – “Marauder’s Map” App Revealed Facebook Users’ Locations

Harvard student Aran Khanna built a Chrome extension called “Marauder’s Map” that uses location data contained in interactions through Facebook’s Messenger app to determine users’ whereabouts within a meter. Khanna explained how he found an acquaintance’s dorm room by “looking at the cluster of messages sent late at night.” He then realized he could also locate users he was not friends with but were part of a certain group chat. Facebook asked Khanna to take down the app, which he did, though he uploaded the code to Github—while also directing readers to a page on protecting their privacy. Facebook promptly launched an update to Messenger and has revoked Khanna’s internship at the company. [Wired] [How Facebook could affect your chances of getting a loan]

WW – Software Engineer Obtains Thousands of Facebook Users’ Data

After a software engineer was able to access data on thousands of users by simply guessing their mobile telephone numbers, Facebook has been urged to tighten its privacy settings. Reza Moaiandin, the software engineer who alerted Facebook of the flaw through its “bug bounty” program, obtained the names, profile pictures and locations of users who had linked their mobile numbers to their Facebook accounts but hadn’t made it public, the report states. Moaiandin said the vulnerability leaves the system open to abuse and urged the site to add a second layer of encryption, which he says would have prevented him from finding the users’ information. [The Guardian] [Facebook urged to tighten privacy settings after harvest of user data]

Online Privacy

WW – EFF Launches Ad-Block Extension

After a period of beta testing, the Electronic Frontier Foundation (EFF), just days after announcing an alternative do-not-track (DNT) coalition and standard, has officially launched a Privacy Badger 1.0 browser extension that aims to stop advertisers and other third parties from secretly tracking users. “If an advertiser seems to be tracking you across multiple websites without your permission, Privacy Badger automatically blocks that advertiser from loading any more content in your browser,” the EFF states. Alan Chapell said, “There’s no mechanism for anyone in the digital media ecosystem to trust any DNT signal they receive. As a result, the entire framework is open to question.” [Consumer Affairs]

WW – Google, Facebook Privacy Policies Rank Highest

Time and the Center for Plain Language reviewed the privacy policies of seven of the most ubiquitous tech companies and ranked them based on the clarity of language, finding Google and Facebook’s to be the most straightforward. “A privacy policy that consumers are unlikely to read or understand provides no protection whatsoever,” the report states. “The results of our study are quite consistent, especially at the top and bottom of the rankings: Google and Facebook do a good job of communicating their privacy policies in a way that allows consumers to understand and make decisions—at least motivated consumers. According to the analysis, Lyft and Twitter do a poor job of communicating those policies. The remaining companies—LinkedIn, Uber and Apple—do better in some areas than others.” [Full Story]

WW – Twitter Makes All Public Tweets Available to Advertisers

Twitter has announced that every public tweet posted since the beginning of the social network, more than nine years ago, will now be available to brands and advertisers. The more than 500 billion tweets will be searchable through a new API. “The dream of mining this data for real-time, in-depth, unbiased insights on a global scale is getting ever closer,” said Brandwatch’s Giles Palmer. Additionally, Twitter released its new Transparency Report, announcing it will expand its scope to include two new sections on trademark notices and email privacy practices. Message Systems also announced a new reporting tool developed with Twitter called the Email Privacy Report, which “details email encryption as it is transferred between domains and ISPs,” a report states. [Wired]

WW – Device Battery Life May Allow For Online Tracking

A new report from four French and Belgian security researchers reveals that a device’s battery status could allow websites to track users across the Internet without the users’ knowledge. A feature in the HTML5 specification allows websites to see users’ battery life in order to provide them with a lower-energy mode when their battery is getting low. The specification, introduced by the World Wide Web Consortium (W3C), allows sites to collect the data without consent because “the information disclosed has minimal impact on privacy or fingerprinting and therefore is exposed without permission grants,” W3C stated. The researchers disagree, however, pointing out that websites receive specific data on battery life, rendering such data as a sort of unique ID for a device. [The Guardian]

WW – Twitter’s Tweet-Sharing Is Troubling

Twitter’s declaration that companies will now have the ability to access over 500 billion public tweets is a problematic one, Rochester Institute of Technology’s Evan Selinger and Samford University’s Woodrow Hartzog write in an op-ed for CSM’s Passcode. “If you care about privacy, you’ll be troubled by the deepening commodification of our online conversations,” they write. Selinger and Hartzog point out that when we’re communicating with friends via social networks it is “easy to forget we’re really speaking directly to companies that need to monetize our data to grow. If these companies don’t give us good options for responding to diminished obscurity, they aren’t taking our privacy seriously.” [Full Story]

WW – The Shaky State of the Cookie Opt-Out

A new report examines the state of opt-outs on mobile devices and the challenges the industry faces. With a growing debate around consumer choice and ad blocking, “it’s clear that existing opt-out mechanisms aren’t exactly cutting it,” particularly with regard to cross-device tracking, the report states. Stanford University’s Jonathan Mayer wrote earlier this summer in a blog post that if the industry offers “an opt-out, they can only do so with a likelihood, but no guarantee, that the opt-out will transfer to other devices.” Experian Marketing Services’ Brienna Pinnow said, “How can the consumer understand this ecosystem if we ourselves are struggling with the best way to do it?” [Full Story]

Other Jurisdictions

WW – New Accountability Paper to Be Released at Nymity Workshops

Nymity heralds the publication of “Getting to Accountability: Maximizing Your Privacy Management Program,” a paper that works in conjunction with the corporation’s “Getting to Accountability” global workshop series, Nymity said in a statement. “The Nymity accountability paper is unique as it takes a resource-based approach to building a privacy management program,” said the company’s President, Terry McQuay. “It helps privacy offices overcome the challenges of communicating and evaluating a definitive privacy management program, leveraging and motivating individuals throughout the organization, and justifying the business case to obtain the necessary resources.” The paper will be released at the workshops. [Full Story]

WW – Other Jurisdiction News

China has issued a draft Network Security Law.

India’s Department of Biotechnology has released a modified draft of the Human DNA Profiling Bill, but according to one legal researcher privacy concerns remain unaddressed.

At a consultation meeting in Islamabad, a Pakistani cyber-crime bill received criticism over concerns that it is overly broad and could criminalize dissent.

India’s constitutional bench of the Supreme Court will decide if privacy is a fundamental human right, a move catalyzed by pushback on the government-mandated Aadhaar system, which utilizes biometric information for its citizen ID cards.

The Australian Labor Party is urging a rethink on the proposed Telecommunications Act.

23 individuals and 10 companies are being indicted by a Korean Supreme Prosecutors’ Office task force for violating the Personal Information Protection Act.

Chinese search engine Baidu has won its appeal in the Intermediate People’s Court of Nanjing City, which said its “use of cookies to personalize advertisements directed at consumers on partner third-party websites does not infringe consumer rights of privacy.”

Colombia’s Supreme Court has ruled that parents who monitor their under-18-year-old children’s online activity do not violate the minors’ privacy.

Russia’s data protection authority has been holding meetings with business associations to clarify the country’s localization law that goes into effect September 1.

Privacy (US)

US – Neiman Marcus Continues Battle against Class-Action

A Seventh Circuit panel that allowed a data breach suit against Neiman Marcus to proceed misapplied the Supreme Court’s precedents on standing and, if the decision is allowed to stand, it “will impose wasteful litigation burdens on retailers and the federal courts.” That’s the argument Neiman Marcus made in a petition asking the full Seventh Circuit to rehear the case. Last month, the panel ruled Neiman Marcus customers whose credit card information was potentially exposed in a 2013 breach could proceed with their proposed class-action, finding the customers alleged sufficient injuries associated with subsequent identity-theft protection and fraudulent charges. Editor’s Note: A recent post for Privacy Tracker analyzed the Neiman Marcus case. [Full Story] [US – Donald Trump offered access to the Republican National Committee’s voter file]

US – Protester Arrests Draw Attention to SCOTUS Decisions

After Black Lives Matter protesters Johnetta Elzie and DeRay Mckesson were arrested on Monday along with 57 other protesters in St. Louis, MO, their social media posts pronounced disquiet about procedural cheek-swabbing. This draws attention to a 2012 Supreme Court decision that protects the move’s legality. Alonzo King first challenged the idea of DNA swabbing upon arrest after his genetic information was matched to an unsolved rape, which he was later convicted of, a move that he argued infringed his Fourth-Amendment rights. In the resulting case, Maryland v. King, the Supreme Court narrowly disagreed. Similarly, the protesters’ reliance on cell-phone video and social media posts draws attention to 2014’s Riley v. California, which found that police cannot search cell phones during arrest without a warrant. Without that decision, the report argues, “you don’t have to be Fox Mulder to see the potential for government abuse.” [Full Story]

US – NTIA Drone Talks Begin

The National Telecommunications and Information Administration (NTIA) held its first meeting with stakeholders to discuss best practices for drone usage. The NTIA’s John Verdi explained the goal is to “inform” the technology’s development, the report states. “We are not regulators,” said the NTIA’s Angela Simpson. “We are not developing rules or bringing enforcement actions,” noting that unifying stakeholder perceptions of “common-sense best practices” would permit a “major boon” for drones. While groups like the Motion Picture Association of America expressed support for the NTIA gathering, they argued that “existing laws and regulations and the good conduct of their members will do most of the heavy lifting on privacy protections for the new technology.” Further meetings are scheduled for the fall. Editor’s Note: Joseph Jerome recently wrote a piece for Privacy Perspectives on why privacy pros should be involved with drone discussions. [Full Story] [NZ: First TV drone complaint: No breach] [Vancouver woman says drone appeared to be trying to get images of her suntanning topless on balcony]

US – Jeep Owners File Complaint

A potentially massive lawsuit may follow Jeep’s hacking scandal, Wired reports. Three Jeep Cherokee owners have filed a complaint against Fiat Chrysler Automobiles and Harman International—the maker of the Connect dashboard computer in millions of Chrysler vehicles, the report states. A security flaw in the Connect dashboard was the entry point for the security researchers who last month demonstrated they could wirelessly hack into a 2014 Jeep over the Internet, interfering with its steering, brakes and transmission. The plaintiffs are inviting anyone with a Connect system to join the complaint, which accuses the companies of fraud, negligence, unjust enrichment and breach of warranty. [Full Story] [Chrysler Knew of Vulnerability for More than a Year | Bloomberg | Wired] SEE ALSO: [VW Hid Security Flaw For Two Years] [Tesla Patches Model S Software Vulnerabilities | Wired | CNET | BBC]

US – NHTSA Investigating Car Cybersecurity

The National Highway Traffic Safety Administration (NHTSA) is expanding its investigation into automobile cyber security concerns. Initially the agency was focusing on Chrysler, which last week issued a recall to fix a software issue in 1.4 million cars. Now NHTSA wants to find out what other car manufacturers may have used similar parts. [The Hill] [slate.com: The Fourth Amendment and Driverless Cars – Should cops need a warrant to access data from your self-driving vehicle?]

IN – Supreme Court to Rule on Right to Privacy

India’s constitutional bench of the Supreme Court will decide if privacy is a fundamental human right, a move catalyzed by pushback on the government-mandated Aadhaar system, which utilizes biometric information for its citizen ID cards. “The government had told the court last month that privacy was not a fundamental right and there were several restrictions related to the subject,” the report states. “Some rights activists however have argued that the collection of biometric data (for the Aadhaar system) including iris scans and finger printing is a violation of privacy. They added that as private agencies were contracted to collect the personal data, there are serious concerns about the safety of the sensitive personal data in private hands.” [Full Story] [India: Supreme Court slams Govt: No right to liberty if no privacy]

US – FTC Closes Morgan Stanley Investigation

The FTC will not pursue disciplinary action against Morgan Stanley after concluding an investigation of the corporation’s 2015 breach. In a letter to Morgan Stanley’s legal team, FTC Associate Director of the Division of Privacy and Identity Protection Maneesha Mithal explained the move, which the report argues “suggests that if an entity has appropriate policies in place, but there’s a failure due to ‘human error,’ then the FTC will not necessarily pursue a case,” adding that “in this case, the access controls for one narrow set of reports was configured improperly, and Morgan Stanley corrected the problem as soon as they became aware of it.” [Full Story]

US – FTC Seeks Public Comment on New Potential Consent Method

The FTC has issued a request for public comment on a proposed verifiable parental consent method under the Children’s Online Privacy Protection Act (COPPA) Rule. Riyo submitted a proposal for a consent method that involves “validating a parent’s face against an online presentation of verified photo identification.” The method is based on a fraud-prevention tool currently in use, Riyo said, adding the method differs from those in the COPPA Rule because it uses computer vision technology, algorithms, image forensics and multi-factor authentication. The FTC is seeking public comment through September 3 on whether the method is covered under COPPA already and whether the benefits of the program outweigh risks to consumer data. [Full Story]

US – Judge Won’t Dismiss Sony Suit

A California court has upheld a class-action suit against Sony in which nine of the corporation’s 15,000 victims of the 2014 breach claim Sony showed “negligence, breach of implied contract … and violation of the California Confidentiality of Medical Information Act.” While “Sony argued that the plaintiffs endured no current or threatened injury that is impending,” U.S. District Court Judge R. Gary Klausner disagreed. “The information included financial, medical and other personally identifiable information, was used to threaten the individual victims and their families and was posted on the Internet,” Klausner stated, adding, these “alone are sufficient to establish a credible threat of real and immediate harm, or certainly impending injury.” [Full Story]

US – FTC Charges Data Brokers in $7 Million Financial Scam

The FTC has charged data brokers with illegally selling the sensitive financial information of payday loan applicants “to a scam operation” that effectively bilked more than $7 million from approximately 500,000 applicants. According to the FTC press release, scammers debited individuals’ bank accounts and charged their credit cards without consent. “Scammers used consumer information they bought from this operation to make millions in unauthorized charges,” said FTC Bureau of Consumer Protection Director Jessica Rich. “Companies that collect people’s sensitive information and give it to scammers can expect to hear from the FTC.” The defendants are Sequoia One, Gen X Marketing Group, Jason A. Kotzker, Theresa D. Bartholomew, John E. Bartholomew and Paul T. McDonnell. [Full Story]

US – NYC Hospitals Ban Filming of ER Reality TV Without Prior Written Consent

New York City hospitals will no longer allow the filming of reality TV in their wards without prior written consent. According to the New York Post, the Greater New York Hospital Association said in a statement that the ban “effectively puts an end to ‘reality TV’ in New York’s emergency rooms.” The ban was sparked by an April 2011 accident that claimed the life of an 83-year-old man struck by a garbage truck in Manhattan. ABC “NY Med” filmed the efforts to save the victim and the exchanges between the doctors and his relatives. Although the family’s faces were obscured, the family said they recognized themselves when the show aired in August 2012. Manhattan City Councilman Dan Garodnick says “reality TV has no place in our emergency rooms.” [680 News]

US – Target Joins the Beacon Bandwagon with Trial in 50 Stores

Target, the nation’s second-largest discount chain, is testing beacon technology in 50 of its stores. The retailer joins a growing number of retailers that hope to attract customers with timely deals, sent to their smartphones and smartwatches, on products near where they happen to be standing. At the same time, beacons worry privacy experts, who say the location-linked data they generate is collected and stored by retailers or third parties and adds to the pool of personal data exposed if those systems are breached. The primary focus of Target’s announcement Wednesday was on ways that customers can improve their in-store experience by connecting to the egg-sized beacons spread around the store. The beacons broadcast a Bluetooth Low Energy signal; it is the updated Target app on the customer’s phone that detects the signal and reports the customer’s position. The app is available now for iPhones and is coming soon to Android devices. [Computerworld]

US – Commissioners: Simmer Down, FCC

The FCC’s Michael O’Rielly and the FTC’s Maureen Ohlhausen take umbrage with the FCC’s Open Internet Rules initiatives, which they argue will create onerous privacy restrictions for Internet providers. “The FCC should refrain from imposing its Byzantine privacy regime on broadband and Internet providers,” they write in an op-ed for The Wall Street Journal. “If it doesn’t, Congress may need to reemphasize the roles it has set for agencies regarding privacy and data security issues.” They also discuss the change in FTC and FCC jurisdiction. “Privacy enforcement over Internet service providers … previously resided with the FTC,” The Hill reports. “But when the FCC took the controversial step of reclassifying Internet access, it also snatched up that role.” [Full Story] [US — Rand Paul and Chris Christie tangle over surveillance during Republican debate]

US – Commissioner Wright to Leave FTC

The FTC announced that Commissioner Joshua Wright will resign his post, serving his last day on August 24. He has served since his appointment by President Barack Obama in January 2013. “The agency has benefited greatly from his perspective as a lawyer and economist,” said FTC Chairwoman Edith Ramirez. “We are going to miss him.” Wright writes in his resignation statement that he will return to George Mason University School of Law as a professor of law. Notably a dissenter on recent FTC reports and settlements, including the IoT report in January and Nomi Technologies settlement in April, Wright said of his colleagues, “While we agreed upon the right course of action for the Commission more often than not, when we did disagree, our discussions were always productive and respectful of the diverse perspectives within the agency.” [Full Story]

US – Court Upholds FCRA Dismissal

The Seventh Circuit has upheld the dismissal of a suit alleging Advocate Health and Hospitals violated the Fair Credit Reporting Act (FCRA). The proposed class-action alleged Advocate Health and Hospitals failed to protect health data that was stolen from its offices, the report states, noting the Seventh Circuit indicated the hospital is not a “consumer reporting agency.” The Seventh Circuit said Advocate Health and Hospitals does not “get paid for assembling information on patients; instead, it sends information to insurers and government agencies in order to get paid. This excludes Advocate from being considered a consumer reporting agency under the FCRA,” the report states. [Full Story]

US – Strippers’ Info Kept Away from Praying Man

A group of Washington strippers and club managers do not have to disclose their personal information requested by a man who wants to pray for them, a federal judge ruled. Tacoma resident David Van Vleet filed a Public Records Act request with the Pierce County auditor as a private citizen, seeking the personal information of dancers at DreamGirls at Fox’s, a strip club in Parkland, Washington. Van Vleet told local reporters that he requested the information because he wanted to pray for them. “I’m a Christian,” Van Vleet said. “We have a right to pray for people.” [Courthouse News Service]

US – Other Privacy News

U.S. District Court Judge Lucy Koh’s ruling to elevate an email privacy suit against Yahoo to a class-action still stands, according to the Ninth Circuit Court of Appeals, which rejected Yahoo’s request to overturn Koh’s decision.

The Ninth Circuit Court of Appeals upheld the dismissal of a class-action suit alleging Netflix violated the Video Privacy Protection Act.

The Seventh Circuit Court of Appeals overturned a district court ruling that had tossed a class-action lawsuit against Neiman Marcus over its 2014 data breach.

In two separate cases, judges have ruled that owning a cell phone does not equate to an agreement allowing law enforcement to access and use location data.

The Shutterfly biometric case is challenging the Illinois Biometric Information Privacy Act.

Court cases involving the collection of biometric information may mean Illinois’ biometric privacy law will serve as a guide for other states looking to implement similar legislation.

Privacy Enhancing Technologies (PETs)

WW – Mozilla to Offer Anti-Tracking Tool; Privacy-Based Browsers Grow

Mozilla is testing enhancements to private browsing in Firefox that would prevent third parties from tracking users across sites. While many browsers offer a do-not-track option, many companies don’t honor it, the report states. Mozilla’s experimental tool would instead block outside parties from tracking users via cookies and browser fingerprinting. Search engines aimed at protecting user privacy are seeing a surge in business: DuckDuckGo reports its daily search query numbers have grown 600 percent since the Snowden revelations. Meanwhile, Microsoft is refuting allegations that it’s collecting specific consumer data through its Windows 10 operating system. [Full Story] [WW – As browser wars get personal, Firefox gives privacy a try]

WW – NII Releases Privacy Visor

The National Institute of Informatics has released the newest iteration of its privacy visor, and it’s set to go on sale next year. The device aims to conceal the privacy-conscious from photo-recognition technology by employing “light-reflective material and a mask, which uses angles and patterns to disrupt facial-recognition technology through both absorbing and bouncing back light sources,” the report states. “Photos taken without people’s knowledge can violate privacy,” the team of researchers behind the product said. “For example, photos may be posted online together with metadata including the time and location. But by wearing this device, you can stop your privacy being infringed in these ways.” [Full Story] [‘Privacy Visor’: Japan designs eyewear to prevent facial recognition]

Winning Study Has Lessons for Product Design

It’s relatively intuitive that the more tech knowledge individuals have, the more likely they are to identify privacy risk as they use tech products. The award-winning paper, “My Data Just Goes Everywhere,” confirms this. However, that ability to identify privacy risk helps very little, researchers found, in spurring people to actively avoid that risk. Jedidiah Bracy looks into why this is, what does trigger risk-avoidance and what that suggests for product design and privacy policy, in this post for Privacy Tech. Meanwhile, ITBusiness Edge encourages technologists to ask “are we abetting the data collectors in something that might be bad for society’s—and our own—best interest?” [Full Story]

Apps for Keeping Conversations Private

Companies are addressing consumer concerns with “dark social” apps that allow users to send messages without a “traceable footprint,” CNBC reports. Privacy is “getting more and more to the forefront of people’s consciousness,” said Open Garden Chief Marketing Officer Christophe Daligault. “There’s chatter about the snoopers. Geotargeting and governments are trying to provide a number of ways for people to not be able to communicate privately, and there’s a growing concern of a cat-and-mouse game.” Enter apps like OM, Open Garden’s messenger that allows “completely off-the-grid conversations.” These apps have proven successful: 93% of respondents to a 2014 RadiumOne poll indicated they had used a “dark social” tool, at “more than three times the rate they used Facebook for the same purposes,” the report states. Editor’s Note: Privacy communications start-ups Confide, Personal, and Disconnect.Me will discuss their technology at the Privacy.Security.Risk. conference’s “New Innovations in Privacy and Security” panel in Las Vegas Sept. 30-Oct. 1. [Full Story]

RFID / IoT

US – New IoT Guidelines Open for Comments

The Online Trust Alliance (OTA) has published a series of guidelines for corporations like Microsoft and Target involved in the production and sale of Internet-of-Things devices, calling for tighter privacy policies, greater use of encryption and an attitude of long-term privacy sustainability. Without a framework of best practices, it “could lead to hackers remotely opening garage doors and turning on baby monitors that are no longer patched, to infiltrating fitness wearables to spy on health vitals, or creating mayhem by sabotaging connected appliances,” said the OTA in a statement. The group is accepting comments on its guidelines until September 14. [Full Story] See also: [Wearable tech will transform sport – but will it also ruin athletes’ personal lives?] [A DEFCON-Black Hat Roundup for the Privacy Pro] [Brookings: Building Economies with Privacy in Mind]

US – Online Trust Alliance Develops IoT Security Guidelines

The Online Trust Alliance (OTA), whose members include Microsoft, Symantec, and Verisign, says that the manufacturers of smart home devices and other Internet-connected products that make up the Internet of Things (IoT) are not paying attention to the need to build in security. It has issued suggested guidelines for manufacturers, developers, and retailers, and is inviting public comment. [The Register] [ZDNet] [CNET] [NYT: Why ‘Smart’ Objects May Be a Dumb Idea]

UK – Apple’s Airdrop Abused By ‘Cyber-Flashing’ London Train Perv

Perverts have latched onto Apple’s AirDrop as a means of pushing unsavoury content at unsuspecting commuters. Lorraine Crighton-Smith, 34, received two unsolicited pictures of an unknown man’s penis on her iPhone via AirDrop as she was travelling to work on a train in south London. Officers are investigating the case, which they reckon is the first of its type they have come across. AirDrop is Apple’s peer-to-peer file transfer feature for Macs and iOS devices; it uses Bluetooth to discover nearby devices and a direct Wi-Fi link between them to move the data. Apple brought it to iOS with iOS 7 in 2013, and it is supported from the iPhone 5 onwards. Receiving is restricted to “Contacts Only” by default, so strangers cannot reach a phone unless its owner has switched the setting to “Everyone” (to take a file from someone not in their contacts, say) and left it there. A phone in that state shows a preview of any incoming image to whoever is in range before the recipient has accepted anything, which is what makes this abuse possible. [The Register]

Security

US – White House Calls for Increased Cybersecurity Budgets

The Obama administration has proposed a $14 billion budget increase for the IRS, Department of Health and Human Services and other agencies’ 2016 cybersecurity allotments, a figure that represents a 72-percent increase in security funding, National Journal reports. Budget documents indicated that with the greater resources, “the IRS would take especially aggressive steps to fight identity theft and stolen identity refund fraud,” including “systems improvements and new information-sharing with states and industry to help detect and prevent identity theft before tax refunds are paid.” [Full Story]

US – Hackers Compromised Emails from “All” Top Security, Trade Officials

According to a secret document, Chinese hackers compromised “the private emails of ‘all top national security and trade officials’” since 2010. The unnamed source indicated the attacks were ongoing. The revelation has opened the doors for criticism of the U.S. government’s attitudes regarding cybersecurity. “The U.S. government has proven itself incompetent” in protecting its data, said Fight for the Future’s Evan Greer, adding, “Information-sharing bills like CISA would make us even more vulnerable by dramatically expanding the amount of private data the U.S. government keeps in its databases and the number of government and law enforcement agencies who would house that data.” [NBC News]

US – FTC Recommends 10 Steps to Help Ensure Data Security

While there is no generally applicable federal law in the U.S. requiring all businesses to take particular steps to secure their sensitive data, the FTC has investigated and penalized numerous companies for failing to implement “reasonable” data security standards. In an effort to help guide U.S. businesses on the question of what constitutes “reasonable” security measures, the FTC launched a “Start with Security” initiative on June 30th to provide information to businesses about data security and the protection of consumer information. The initiative comprises three elements: a publication containing lessons from more than 50 data security cases brought by the FTC; a series of educational conferences across the country aimed at small- and medium-sized businesses in various industries; and a website that consolidates the Commission’s data security information for businesses. The publication’s ten lessons are:

1) Start with Security.

2) Control Access to Data Sensibly.

3) Require Secure Passwords and Authentication.

4) Store Sensitive Personal Information Securely and Protect It During Transmission.

5) Segment Your Network and Monitor Network Activity.

6) Secure Remote Access to Your Network.

7) Don’t Forget About Security for New Products.

8) Make Sure Your Service Providers Implement Reasonable Security Measures.

9) Update Security Practices.

10) Secure Paper, Physical Media, and Devices. [Source]
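Lessons 3 and 4 above (authentication, and protecting stored sensitive data) are where the FTC’s cases most often turn on a concrete engineering choice: how credentials are stored. The following Python is an added example, not material from the FTC publication or from any company in its cases. It puts the practice the guidance warns against (a fast, unsalted hash of the password) beside a salted, iterated PBKDF2 derivation with constant-time verification and a parameter-upgrade check. The iteration count, salt size and the `pbkdf2_sha256$…` record format are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for illustration (not taken from the FTC material):
# PBKDF2-HMAC-SHA256, 200,000 iterations, a 16-byte random salt per password.
ALGORITHM = "pbkdf2_sha256"
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def weak_hash(password: str) -> str:
    """What storing passwords 'securely' does NOT look like: an unsalted, fast
    hash. Two users with the same password get the same digest, and a stolen
    table can be cracked offline at hardware speed."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted, deliberately slow hash and encode it as one record:
    algorithm$iterations$base64(salt)$base64(derived key). Storing the
    parameters with the hash lets them be raised later without a reset."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return "$".join((
        ALGORITHM,
        str(PBKDF2_ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    ))


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the parameters from the record and compare in constant
    time; a malformed record simply fails closed."""
    try:
        algorithm, iterations, salt_b64, derived_b64 = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(derived_b64)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iterations)
        )
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True if the record predates the current parameters; re-hash it on the
    user's next successful login instead of leaving old records in place."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return True
    return int(parts[1]) < PBKDF2_ITERATIONS
```

The record carries its own parameters, so raising the iteration count later is a matter of changing the constant and calling `needs_rehash` after each successful login; nothing about the stored value has to be decrypted or reversed, which is the property that distinguishes it from the `weak_hash` table.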

WW – Lenovo Installs Unremovable Unwanted Software

Lenovo has been using code in the firmware of some devices to make unwanted software persist even after users reinstall the operating system. Lenovo did this through Microsoft’s Windows Platform Binary Table (WPBT), a mechanism by which firmware hands Windows an executable to run at boot, so the software comes back with every fresh install. [v3.co.uk] [ZDNet] See also: [Intel Architecture Flaw Lets Attackers Install Rootkits]
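WPBT is an ACPI table: the firmware leaves a Windows PE executable in physical memory and publishes its address and size through a table whose signature is “WPBT”; on boot the Windows Session Manager copies that binary out and runs it as a native process before any user-mode software, which is why reinstalling the operating system does not remove it. The first check a practitioner wants is whether a machine’s firmware exposes such a table at all, and what it points at. The Python below is an added example, not code from Lenovo, Microsoft or the cited reports. It parses the table’s fixed fields from a constructed sample (the address, size, OEM strings and argument string are made up), verifies the ACPI checksum, and on a Linux host will also read the real table from /sys/firmware/acpi/tables/WPBT if one is present. The body layout used (36-byte ACPI header, then handoff size, handoff address, layout, type, argument length and UTF-16 arguments) follows the WPBT specification as I understand it and is stated as an assumption.

```python
import struct
from pathlib import Path
from typing import Optional

# ACPI System Description Table header (36 bytes): signature, length, revision,
# checksum, OEM ID, OEM table ID, OEM revision, creator ID, creator revision.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
# WPBT body after the header (assumed layout, see lead-in): handoff memory size
# (u32), handoff memory location (u64 physical address), content layout (u8),
# content type (u8), input-arguments length (u16); UTF-16 arguments follow.
WPBT_BODY = struct.Struct("<IQBBH")
WPBT_PATH = Path("/sys/firmware/acpi/tables/WPBT")   # Linux sysfs export


def acpi_checksum_ok(table: bytes) -> bool:
    """Every valid ACPI table sums to zero modulo 256, checksum byte included."""
    return sum(table) % 256 == 0


def parse_wpbt(table: bytes) -> dict:
    """Decode the fixed fields of a WPBT table; raise ValueError if malformed."""
    if len(table) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("table too short")
    sig, length, rev, _chk, oem_id, oem_table_id, _, _, _ = ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError("not a WPBT table: %r" % sig)
    if length != len(table):
        raise ValueError("length field %d != %d bytes read" % (length, len(table)))
    size, addr, layout, ctype, arg_len = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    args_off = ACPI_HEADER.size + WPBT_BODY.size
    raw_args = table[args_off:args_off + arg_len]
    if len(raw_args) != arg_len:
        raise ValueError("arguments truncated")
    return {
        "revision": rev,
        "oem_id": oem_id.decode("ascii", "replace").strip("\x00 "),
        "oem_table_id": oem_table_id.decode("ascii", "replace").strip("\x00 "),
        "checksum_ok": acpi_checksum_ok(table),
        "handoff_size": size,          # bytes of the embedded image
        "handoff_address": addr,       # physical address the firmware loaded it at
        "layout": layout,              # 1 = a single PE image in the handoff region
        "type": ctype,                 # 1 = native user-mode application
        "arguments": raw_args.decode("utf-16-le").rstrip("\x00"),
    }


def is_valid_wpbt(table: bytes) -> bool:
    """Well-formed and checksum-correct; False for anything else."""
    try:
        return parse_wpbt(table)["checksum_ok"]
    except ValueError:
        return False


def build_wpbt(handoff_address: int, handoff_size: int, arguments: str,
               oem_id: bytes = b"SAMPLE", oem_table_id: bytes = b"CONSTRUC") -> bytes:
    """Assemble a syntactically valid table. Used here only to make the
    constructed sample; a real table comes from the firmware, not from code."""
    args = (arguments + "\x00").encode("utf-16-le") if arguments else b""
    body = WPBT_BODY.pack(handoff_size, handoff_address, 1, 1, len(args)) + args
    length = ACPI_HEADER.size + len(body)
    header = ACPI_HEADER.pack(b"WPBT", length, 1, 0, oem_id.ljust(6),
                              oem_table_id.ljust(8), 1, b"TEST", 1)
    table = bytearray(header + body)
    table[9] = (-sum(table)) & 0xFF      # checksum byte lives at offset 9
    return bytes(table)


def read_system_wpbt() -> Optional[dict]:
    """Parsed table from this Linux host's firmware, or None if none is exposed."""
    if not WPBT_PATH.exists():
        return None
    return parse_wpbt(WPBT_PATH.read_bytes())


# Constructed sample: a 128 KiB image the firmware placed at physical 0x7E000000
# with a made-up argument string. None of these values come from a real device.
SAMPLE_WPBT = build_wpbt(0x7E000000, 0x20000, "/silent")

if __name__ == "__main__":
    print(parse_wpbt(SAMPLE_WPBT))
    print(read_system_wpbt() or "no WPBT table exposed by this firmware")
```

A table being present is not by itself proof of the behaviour described above, but it is the artefact to look for: the address and size tell you where to dump the embedded image from physical memory for analysis, and a checksum failure on a live table is itself worth investigating.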

WW – Security Flaws in ZigBee Wireless Standard

Several flaws have been found in the ZigBee wireless security standard; they could be exploited to compromise vulnerable devices and take control of other devices on the same network. ZigBee is used in many IoT devices and in smart home networks. [ZDNet] [The Register]

WW – (Some) Android (Users) to Get Monthly Updates

Google and companies that manufacture Android devices are distributing a fix for the critical Stagefright vulnerability. Android users have usually not received security updates in a timely manner; Google, Samsung, and LG now say they will issue monthly security updates for Android devices. [ComputerWorld] [The Register] [Ars Technica] [WW – Where did the principle of secrecy in correspondence go? ]

WW – Hacking Printers to Send Data as Sound Waves

A team of security researchers has demonstrated the ability to hijack standard components inside computers, printers and millions of other devices in order to send information out of an office as sound or radio emissions rather than as network traffic. The attack program takes control of the physical pins on general-purpose input/output (GPIO) circuits and toggles them at a frequency of the researchers’ choosing, which can be audible or not; the toggling turns the pin’s wiring into a crude transmitter, and the resulting signal can be picked up with an AM radio antenna a short distance away. [The Whig]
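The mechanism is a covert channel: each bit selects a toggle rate for a pin, the pin radiates (or a driven component hums) at that rate for a fixed symbol period, and a receiver that counts cycles per period recovers the bits. The Python below is an added simulation, not the researchers’ code and not a description of their exact modulation. It encodes bytes as the timestamps at which a GPIO pin would flip, using two assumed tone frequencies (binary frequency-shift keying), then decodes the same bytes from the flip list alone, tolerating some missed flips. The frequencies, symbol period, loss model and sample payload are all made up for the example.

```python
from typing import List

# Assumed channel parameters (illustration only): a 0 bit is sent as 1 kHz
# toggling, a 1 bit as 2 kHz, each bit lasting 10 ms. Times are integer
# microseconds so the simulation is exact.
F_ZERO_HZ = 1000
F_ONE_HZ = 2000
SYMBOL_US = 10_000


def bytes_to_bits(data: bytes) -> List[int]:
    """MSB-first bit list."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits: List[int]) -> bytes:
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(str(b) for b in bits[i:i + 8]), 2))
    return bytes(out)


def modulate(data: bytes) -> List[int]:
    """Transmitter side: the times (microseconds) at which the GPIO pin flips.
    Each full cycle of the chosen tone is two flips (high, then low)."""
    edges: List[int] = []
    t = 0
    for bit in bytes_to_bits(data):
        freq = F_ONE_HZ if bit else F_ZERO_HZ
        half_period_us = 1_000_000 // (2 * freq)
        flips = 2 * (SYMBOL_US * freq // 1_000_000)
        edges.extend(t + k * half_period_us for k in range(flips))
        t += SYMBOL_US
    return edges


def drop_edges(edges: List[int], every_nth: int) -> List[int]:
    """Crude channel loss: the receiver misses every n-th flip."""
    return [e for i, e in enumerate(edges) if (i + 1) % every_nth != 0]


def demodulate(edges: List[int], n_bits: int) -> bytes:
    """Receiver side: count flips in each symbol window and decide which tone
    was nearer. With 20 flips for a 0 and 40 for a 1, the threshold is 30."""
    threshold = SYMBOL_US * (F_ZERO_HZ + F_ONE_HZ) // 1_000_000
    counts = [0] * n_bits
    for e in edges:
        window = e // SYMBOL_US
        if 0 <= window < n_bits:
            counts[window] += 1
    return bits_to_bytes([1 if c > threshold else 0 for c in counts])


def roundtrip(data: bytes, lose_every_nth: int = 0) -> bytes:
    """Send, optionally lose some flips, and receive."""
    edges = modulate(data)
    if lose_every_nth:
        edges = drop_edges(edges, lose_every_nth)
    return demodulate(edges, 8 * len(data))


# Constructed sample payload; at 10 ms per bit this channel moves 100 bit/s.
SAMPLE = b"exfil"
```

The defensive point the simulation makes is that nothing in the payload ever touches a network interface: the information is entirely in the timing of pin transitions, so egress filtering and network monitoring cannot see it, and the controls that apply are firmware integrity on the devices and emission or acoustic monitoring of the space.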

Smart Cards

US – Stingrays in Congressional Crosshairs

Privacy-minded members of Congress aim to curb federal use of Stingrays, which function similarly to cell-phone towers, allowing phones within a certain space to connect and unknowingly share information with agencies like the FBI, USA Today reports. “I don’t see how you can use a Stingray without it raising very substantial privacy issues,” said Sen. Ron Wyden (D-OR). “I want police to be able to track dangerous individuals and their locations, but it ought to be done with court oversight under the Fourth Amendment.” This summer, the House passed an amendment to the Justice Department’s funding bill to “bar funding for the use of Stingrays without a warrant,” the report states, noting the Justice Department has said it is “reviewing its policies” regarding the use of Stingrays. [Full Story]

US – App Will Help RNC Manage Updated Voter Database

A new app to be unveiled by the Republican National Committee’s (RNC) chief technology officer includes a toolkit for helping campaigns manage their field operations, Bloomberg reports. The product is called Republic VX and allows campaigns to look at the efficacy of specific volunteers, for example, or even detect when volunteers are lying by claiming they’d knocked on more doors than they had, the report states. It will use the RNC’s voter file, automating updates to it by the end of each election season to keep the database fresh. It’s an indication of the RNC’s new seriousness about using and improving data systems for campaigning, the report states. [Full Story]

Surveillance

CN – China to Establish Police Presence at Major Internet Companies

The Chinese government plans to put “network security offices” staffed by police at large Internet companies in that country. The goal is to “catch criminal behavior online at the earliest possible point.” There is some suspicion that the plan is also part of the country’s efforts to censor what people in that country can view on the Internet. [CNET] [ComputerWorld] [Wired] [What does the panopticon mean in the age of digital surveillance?] [It’s incredibly difficult to stop the Internet from knowing you’re pregnant]

US – EINSTEIN’s Effectiveness Called Into Question

As the Department of Homeland Security (DHS) pushes the Carper-Johnson Federal Cybersecurity Enhancement Act of 2015, a bill that would hasten the adoption of network-monitoring program EINSTEIN, critics question EINSTEIN’s effectiveness in light of the Office of Personnel Management breaches, Federal Times reports. “It’s not necessarily the best out there, but if that’s the fastest way to get government agencies to catch up to the rest of the world on protecting themselves, the bill could be a good thing,” said the SANS Institute’s John Pescatore. “But if that happens at the expense of the deployment of best-in-breed detection and prevention systems, then that’s a bad thing.” He added that deploying EINSTEIN would “at least get each agency to square one … but unfortunately, the attacks have moved on to square three and four.” [Full Story]

WW – ECHELON: The Surveillance Program that Predated Snowden

There is a long history of government data collection—even before digital surveillance was possible. Over the last 50 years, Project ECHELON enabled the U.S. and UK to track enemies and allies within and outside national borders. It’s a program that’s evolved from keywords intercepted in faxes to today’s “all-encompassing data harvesting,” the report states. Privacy advocate Duncan Campbell first made reference to ECHELON in 1988, and in 2000, 60 Minutes published a report on the scope of the program. In 2005, some speculatively pointed to ECHELON as a potential tool the Bush Administration was using, but it wasn’t until the Snowden revelations that it became clear the program exists. [TechCrunch]

CA – Hidden Camera Discovered at Ontario Federation of Labour Headquarters

The discovery of a hidden video camera at the Ontario Federation of Labour headquarters has shaken employees and triggered bitter finger pointing and strong denials among current and former top union brass. In early July, a staff member discovered a concealed working camera in an exit sign near the reception area of the building at 15 Gervais Dr. in Toronto. Ontario Federation of Labour president Sid Ryan confirmed a grievance has been filed by a staff member with respect to the camera. He says he was told cameras were installed in the building “for security reasons” but says he had no idea there was a hidden camera in the reception area until it was discovered by a staff member this summer. [Waterloo Region Record]

WW – Airline Begins Weighing Passengers for ‘Safety’

In a recent statement, Uzbekistan Airways, the country’s flag carrier announced it will weigh passengers and their carry-on luggage prior to flights to determine how much weight they’ll be adding to the plane. “According to the rules of International Air Transport Association, airlines are obliged to carry out the regular procedures of preflight control passengers weighing with hand baggage to observe requirements for ensuring flight safety,” says the airline’s statement. An IATA spokesperson, however, tells CNN the organization isn’t aware of any such regulation. “We are not aware of an IATA rule concerning the weighing of passengers and their hand luggage prior to flight,” says Chris Goater, manager of IATA corporate communications, via email. [CNN]

Telecom / TV

US – AT&T Helped U.S. Spy on Internet on a Vast Scale

The National Security Agency’s ability to spy on vast quantities of Internet traffic passing through the United States has relied on its extraordinary, decades-long partnership with a single company: the telecom giant AT&T. While it has been long known that American telecommunications companies worked closely with the spy agency, newly disclosed N.S.A. documents show that the relationship with AT&T has been considered unique and especially productive. One document described it as “highly collaborative,” while another lauded the company’s “extreme willingness to help.” AT&T’s cooperation has involved a broad range of classified activities, according to the documents, which date from 2003 to 2013. AT&T has given the N.S.A. access, through several methods covered under different legal rules, to billions of emails as they have flowed across its domestic networks. It provided technical assistance in carrying out a secret court order permitting the wiretapping of all Internet communications at the United Nations headquarters, a customer of AT&T. The N.S.A.’s top-secret budget in 2013 for the AT&T partnership was more than twice that of the next-largest such program, according to the documents. The company installed surveillance equipment in at least 17 of its Internet hubs on American soil, far more than its similarly sized competitor, Verizon. And its engineers were the first to try out new surveillance technologies invented by the eavesdropping agency. One document reminds N.S.A. officials to be polite when visiting AT&T facilities, noting, “This is a partnership, not a contractual relationship.” The documents, provided by the former agency contractor Edward J. Snowden, were jointly reviewed by The New York Times and ProPublica. The N.S.A., AT&T and Verizon declined to discuss the findings from the files. “We don’t comment on matters of national security,” an AT&T spokesman said. [New York Times]

AU – Pilgrim Prods Telcos on Data Retention Privacy

Acting information commissioner Timothy Pilgrim has reminded telcos of their privacy obligations when it comes to retaining customer information in order to comply with the government’s data retention regime. Under the data retention scheme, telcos will need to retain for at least 24 months a range of customer information, ranging from billing information to call and email records. [computerworld.com.au]

US – Cybersecurity Bill Could ‘Sweep Away’ Internet Users’ Privacy, Agency Warns

The Department of Homeland Security (DHS) said a controversial new surveillance bill could sweep away “important privacy protections”, a move that bodes ill for the measure’s return to the floor of the Senate this week. The latest in a series of failed attempts to reform cybersecurity, the Cybersecurity Information Sharing Act (CISA) grants broad latitude to tech companies, data brokers and anyone with a web-based data collection to mine user information and then share it with “appropriate Federal entities”, which themselves then have permission to share it throughout the government. [The Guardian]

US – Judges: Users Shouldn’t Be Forced to Give Up Phones for Privacy

Two judges in two separate cases that dealt with the use of smartphones have ruled that owning a cell phone does not equate with a wholesale agreement for law enforcement access and use of location data. “We cannot accept the proposition that cell-phone users volunteer to convey their location information simply by choosing to activate and use their cell phones and to carry the devices on their person,” said Fourth Circuit Judge Andre Davis. And in a California case, U.S. District Court Judge Lucy Koh said “making it this easy to track Americans is a violation of the constitutional right to be protected against unreasonable searches,” adding that “it is untenable to force individuals to disconnect from society just so they can avoid having their movements subsequently tracked by the government.” [Fusion]

WW – BYOD’s Potential Headaches

Forbes and IT News Africa report on the challenge organizations face in protecting bring-your-own-device (BYOD) tools from attack while not impairing user privacy. “Simply locking down mobile devices, however, is not a realistic response. Instead, organizations should give users freedom to use devices as they like, while assuming that they may in fact become compromised,” said Lookout CTO Kevin Mahaffey. “This requires appropriate security controls that can detect compromise and react in real-time to isolate the device from sensitive data until it recovers.” Meanwhile, Canada’s Office of the Privacy Commissioner, as well as the Offices of the Information and Privacy Commissioner in Alberta and BC, are cautioning businesses regarding potential BYOD security risks and have issued a joint publication for organizations.

US – Groups Want FCC to Stop Requiring Telecoms to Store Data

A coalition of tech and privacy groups is asking the FCC not to make telecommunications companies store customer data. Current policy requires companies to keep caller names, addresses and telephone numbers as well as “telephone number called, date, time and length of the call” for 18 months for billing purposes. Privacy groups say that opens Americans up to inappropriate surveillance and data breaches. In a letter to the FCC, the 26 groups—led by the Electronic Privacy Information Center—called the policy “outdated and ineffective,” adding, “It is not necessary or proportionate for a democratic society.” [The Hill]

US Government Programs

US – FTC to Consumers: Give Us Your Complaints

In a FTC post, FTC Division of Consumer and Business Education’s Lisa Weintraub Schifferle writes about a new easier way for consumers to report their privacy complaints to the agency. “Did a company share your personal information without your knowledge or consent? The FTC wants to know,” she writes, adding, “Just go to the FTC’s Complaint Assistant and click the banner that says: ‘Concerned about how a company is handling your personal information? Click here to report privacy concerns.’” Schifferle’s post includes a list of what types of consumer privacy complaints the FTC might address—such as companies knowing more about consumers than they expect. [Full Story] [US: Conservative video-maker James O’Keefe: Homeland Security targeted me, asked intrusive questions]

US – Proposed Cyber Security Requirements for US Government Contractors

The US Office of Management and Budget (OMB) has issued proposed cyber security rules for federal government contractors. The new rules would establish baseline security requirements and oblige contractors to disclose breaches to authorities. The draft rules would also allow the Department of Homeland Security (DHS) to establish monitoring programs on contractors’ systems if they are not abiding by the rules. OMB is accepting public comment on the draft document through September 10, 2015. [NextGov] [The Hill] [CIO]

US – Poll: Voters Support Gov’t Monitoring of Social Media

A recent poll indicates a majority of voters support the government monitoring social media to assist in the fight against terrorists. The report notes that many tech companies are opposing Bill S 1705, which would require them to “report potential terrorist activity on their sites to law enforcement,” but states that 61% of voters responding to the poll “said they were in favor of the government monitoring social media sites to defend against potential terrorist attacks, while 27% opposed it.” The poll which was conducted from July 31 through August 3, focused on “a national sample of 2,069 registered voters,” the report states. [Morning Consult]

US Legislation

US – Mental Health Bills Continue to Raise Privacy Questions

Proposed legislation including the Senate’s Mental Health Reform Act and the House’s Helping Families in Mental Health Crisis Act that aim to “improve federal oversight and give patients more access to services” have incited debate over mental health treatment and patient privacy, according to U.S. News and World Report. “The bills will be a tremendous violation of freedom that we wouldn’t be okay with if it were any other group of people,” said the Western Mass Recovery Learning Community’s Sera Davidow. Meanwhile, a judge ruled against therapists who argued it was a violation of patient privacy to disclose that their clients were viewing child porn. [Full Story]

US – Congresswoman Details Forthcoming Revenge Porn Bill

Upcoming federal “revenge porn” legislation will be proposed by Rep. Jackie Speier (D-CA) in September. Speier co-authored the bill with a yet unnamed Republican, while a mirror bill is expected in the Senate. “This is not just about jilted lovers trying to get revenge,” Speier said. “This is about protecting an individual’s right to privacy … It is something that we value in the First Amendment, and it’s something that I think cries out for a federal solution.” The bill is expected to meet resistance from free-speech advocates concerned that it will stifle online expression. Meanwhile, convicted revenge porn website operator Kevin Bollaert—who is serving an 18-year sentence—claims he ran his site in defense of free speech. [National Journal ]

US – CISA Stalls for Now

A Senate effort to pass the controversial Cybersecurity Information Sharing Act (CISA) stalled this week, potentially leaving the fate of the bill uncertain. There is a chance the Senate could revisit the legislation when it comes back from summer recess in September, but the upper chamber will have a slew of other big issues, including a nuclear deal with Iran and a measure to fund the federal government, the report states. Senate Majority Leader Mitch McConnell (R-KY) was going to allow debate on the 21 amendments placed on CISA, but time ran short on such an effort. Sens. Ron Wyden (D-OR), Al Franken (D-MN) and Patrick Leahy (D-VT) have all called for more privacy protections within the bill. [The Wall Street Journal]

US – Governor Signs Four Privacy Laws

Delaware Gov. Jack Markell has signed four new privacy laws aimed to “protect the personal information of school-aged children, prevent the distribution of victim’s personal information and stop the practice of employers demanding access to their employees’ personal social media accounts,” Government Technology reports. “While the Internet has revolutionized the way we live and work, and made possible countless advances in our society, we must also recognize that it has made our citizens’ personal information more vulnerable than ever,” Markell said. “Some restrictions on how personal information is shared are reasonable, and I commend the legislators, Attorney General Denn and everyone involved in working on these bills for finding a balance between online commerce and personal privacy.” [Full Story] [US: Delaware Governor Signs Internet Privacy, Safety Package into Law]

US – Other Privacy Legislation

California and Nevada are expanding the definition of personal information and requiring stronger security for companies that share personal information.

North Carolina’s Senate passed SB 446, which aims to develop guidelines for operating drones.

Wisconsin Rep. Amy Loudenbeck (R-Clinton) has introduced AB 303 to prohibit Workforce Development from requiring job seekers to provide a Social Security number to search for jobs on the Job Center of Wisconsin’s website.

Despite its governor’s unwillingness to sign the legislation, among others, Maine has a new drone privacy bill.

Wyoming lawmakers are moving to change the state’s constitution to add privacy and open-government protections.

Sens. Orrin Hatch (R-UT) and Tom Carper (D-DE) have introduced the Federal Computer Security Act of 2015, which would require inspectors general and the Government Accountability Office to report on security practices and software.

Delaware has passed a suite of four laws aimed at protecting citizens’ and children’s privacy, including legislation to prevent ed-tech providers from selling students’ personal information and limitations on advertising on sites and apps targeted at children, reports Delaware 105.9.

A Senate effort to pass the controversial Cybersecurity Information Sharing Act stalled last week, leaving the fate of the bill uncertain.

The Department of Homeland Security has warned that the proposed Cybersecurity Information Sharing Act will “sweep away important privacy protections.”

Rep. Jackie Speier (D-CA) will introduce a bill to battle so-called revenge porn on September 9.

A mental health reform bill introduced by Sens. Chris Murphy (D-CT) and Bill Cassidy (R-LA) could mean updates for HIPAA.

Upcoming federal “revenge porn” legislation will be proposed by Rep. Jackie Speier (D-CA) in September.

Proposed legislation including the Senate’s Mental Health Reform Act and the House’s Helping Families in Mental Health Crisis Act have incited debate over mental health treatment and patient privacy.

A District Court judge has ruled unconstitutional a Burlington, North Carolina, ordinance requiring hotels to furnish police with names on their guest registries.

Workplace Privacy

WW – Anti-Doping Agency Asking Athletes for Info on Breach

The World Anti-Doping Agency (WADA) invited athletes to come forward if they feel their privacy was breached by leaked results of suspicious blood tests. WADA said its independent commission will “urgently” investigate allegations of widespread doping in athletics aired by German broadcaster ARD, The Associated Press reports. ARD alleged files indicated 800 suspicious results in blood samples from 5,000 athletes from 2001 to 2012. “WADA is committed to protecting the confidentiality of athletes,” said WADA President Craig Reedie in a statement, adding WADA “deplores” the way the data was obtained and leaked to the media. He urged any athlete concerned that their rights “are being eroded” to come to the commission. [Full Story]

US – Appeals Court to Hear Employee Data-Theft Case

A Massachusetts Appeals Court will hear a case that illustrates the question of employer liability when an employee takes company data for personal reasons, Privacy and Security Matters reports. In Adams v. Congress Auto Insurance Agency, Inc., a customer argued the insurance company did not adequately protect his data after one of its employees passed his phone number to her boyfriend to dissuade the customer from pursuing police action against him. Superior Court found the employee’s “alleged theft of personal information from a secure database” and her boyfriend’s “subsequent misuse of that data were both criminal acts that severed the chain of causation between Congress’ alleged negligence and the harm” to the customer. [Full Story]

+++
