Monthly Archives: October 2015

01-15 October 2015

Biometrics

EU – French: Fingerprints, Facial Scans, Should be Required at EU Border

French authorities want fingerprint and facial scans of everyone entering or leaving the EU. The proposal from the French delegation came as the European Commission puts more pressure on interior ministers to adopt its so-called “smart borders” package. The Commission plan is to set up a digital dragnet to monitor all non-EU nationals entering and exiting the EU. According to the Commission, the programme is needed to deal with a huge increase in people coming to and from the EU. It predicts that air border crossings could increase by 80% to 720 million in 2030. “This will result in longer queues for travellers if border checking procedures are not modernised in time,” warns the Commish document. But hot on the heels of their own version of the Patriot Act, France (PDF) wants to “broaden the scope of the smart borders package for all travellers, also including European nationals”. The scheme was first proposed two years ago, but has been revived along with other security surveillance schemes such as PNR. Currently border checks for the Schengen area are based on passport visa stamps. There is no pan-European database recording travellers’ entries or exits. This makes it difficult for authorities to detect “overstayers” says the Commission. [The Register]

WW – Facial Recognition Coming to ATMs

China Merchant Banks are employing facial recognition software in nine Shenzhen-based ATMs, phase one of a project that aims to install the system in 12,000 ATMs across the country by the end of the year. While facial recognition is just a part of a three-step verification process, critics are worried that the technology could still permit privacy gaffes to occur. Will the software mean “identical twins can access each other’s accounts easily?” asked one detractor on Weibo. The privacy concerns haven’t stopped other organizations, however, with companies like Alibaba and MasterCard set to unveil their own facial-recognition systems for finance-related ventures, the report states. [South China Morning Post]

CA – Royal Bank Adopts Voice-Recognition Technology to ID Customers

Following a pilot program last summer, Royal Bank (RBC) is rolling out “voice biometrics” technology. The service, which will require customers to opt in, will allow the bank to identify customers by the sound of their voice rather than by answering security questions or entering a password. RBC says it’s the first company to implement such a technology, which uses more than 100 characteristics to identify the customer, such as pitch and accent, the report states. Manulife employed a similar technology earlier this year. “It’s easy to pick up a piece of mail and look at someone’s confidential information, but you can’t steal a voice,” said a Manulife executive. [The Canadian Press]

US – Dismiss Our Biometrics Suit, Facebook Asks

Facebook has asked U.S. District Court Judge James Donato to dismiss a suit alleging its photo-tagging service violates biometric privacy laws. “The social networking service argues that the Illinois Biometric Information Privacy Act doesn’t prevent companies from storing photos of faces or information gleaned from those photos,” the report states. Facebook contends the law “only applies to faceprints that derive from in-person scans as opposed to photos,” the report continues. “Because plaintiffs’ claims rest entirely on information derived from photographs, their complaint should be dismissed with prejudice,” Facebook said in its filing papers. [Media Post]

WW – Facial-Recognition Regulations Considered; Researchers Unveil “Climb”

The Home Office “is considering increasing the regulations for retention of face recognition records.” The Home Office announced it is “undertaking a policy review of the statutory basis for the retention of facial images and consulting key stakeholders,” adding it is “considering the role of the Biometrics Commissioner. The government will of course publish the findings of the review and consult formally as appropriate.” Meanwhile, researchers from Cardiff University, the University of Warwick, Swansea University and the University of Birmingham have created “Climb, the Cloud Infrastructure for Microbial Bioinformatics,” which permits other scientists to share genomic information more safely. [Biometric Update] SEE also: [Start-Up Selling Eye-Tracking Technology to Major League Baseball]

Big Data

CA – Group to Study Data Collection

Researchers are getting ready to study “what information is being collected about Canadians and what it’s being used for, saying the public remains largely in the dark on the mass accumulation of personal data.” Queen’s University’s Surveillance Studies Centre will lead the five-year project to study the use of big data, the report states, noting the BC Office of the Information and Privacy Commissioner, the Civil Liberties Association and the University of Victoria are among the project’s partners. “Citizens have questions about how big data is being used by police, by political parties, in healthcare, education, social services and in other areas that touch their lives,” BC Privacy Commissioner Elizabeth Denham noted. “This project will probe big-data surveillance and analyze its scope, effectiveness and implications.” [The Globe and Mail]

EU – Agencies to Study Banks’ Big Data Use

The European Banking Authority, European Securities and Markets Authority and European Insurance and Occupational Pensions Authority will have their eyes on how banks employ big data in the coming year after expressing concern regarding not only the current utilization of information and its privacy impact but also its potential “to discriminate against certain sections of the population in so-called profiling.” The agencies will study the “opportunities and challenges” that come with employing big data. “The topic aims to analyze the adequacy of sectoral regulatory frameworks and identify any regulatory and/or supervisory measures which may need to be taken,” the groups said in a joint statement. [Reuters]

Canada

CA – Ontario Judge to Hear Telecom v. Police Case

An Ontario judge will soon rule on a consumer privacy case “that pits telecom companies against police departments.” In April, Peel Regional police obtained a production order for customer information from “all cellphones that accessed 36 cell towers owned by Rogers and Telus during a specific time frame,” the report states. While police said they needed the records to find a suspect, Rogers and Telus say the production order violates the Canadian Charter of Rights and Freedoms. Police since have withdrawn the order, however the judge wants to hear the case because of an uptick in similar cases. [Toronto Star]

CA – Saskatchewan Changes Privacy Rules

After a care aide’s employment record was sent to reporters, Saskatchewan is making changes to its privacy rules. As a result, politicians will have to adhere to a new code of conduct that aims to ensure compliance with the province’s privacy act, and they will need to get written consent to “collect, use or disclose someone’s personal information or personal health information,” the report states. Previously, the Freedom of Information Act “didn’t technically apply” to members of the legislative assembly (MLAs), said Saskatchewan Party MLA Jeremy Harrison. Violators of the code could be charged with contempt, face a fine or be removed from the assembly for the day or the house indefinitely. [The Canadian Press]

CA – Yukon Government Developing New Privacy Rules for Health Records

The Yukon government is looking for input on who should have access to your personal health care records, and how accessible they should be. The government is working on new regulations focussed on managing and protecting health files. The new rules would fall under the Health Information Privacy and Management Act, passed in 2013 but not yet in effect. [CBC News]

CA – Critics Raise Data Privacy Concerns in Trans-Pacific Partnership Deal

Critics say Canadians need to see the full text of the Trans-Pacific Partnership (TPP) trade deal to know the privacy trade-off. “We’re dealing with just summary documents. The devil is in the details,” said University of Ottawa law professor Michael Geist. The deal includes provisions to protect the “free flow of information across borders” and “prevents governments in TPP countries from requiring the use of local servers for data storage,” the report states, which Geist finds particularly concerning. [CBC News] [Geist: How the TPP Puts Canadian Privacy at Risk] [Geist: How the TPP May Put Your Health Care Data at Risk]

CA – Questions Raised Over Preserving Sensitive Truth and Reconciliation Testimony

After years of collecting literally millions of documents and hearing the stories of thousands of aboriginal people who experienced abuse at residential schools, the Truth and Reconciliation Commission is ready to archive this material, much of it brutal and heartbreaking, in the new National Centre for Truth and Reconciliation at the University of Manitoba. Scheduled to open to the public this fall, it will serve as a rich repository and essential historical record of a haunting and tragic chapter of First Nations and Canadian history. Controversy has arisen, however, over whether survivors’ testimony, given privately by those seeking compensation for the abuse they suffered, should be preserved. It came as a shock to many who told their stories – confidentially, they believed – to adjudicators behind closed doors that their words might be preserved for posterity. Some argued against this scenario in an Ontario court last year. Justice Paul Perell ruled that the material from the Independent Assessment Process may be kept for 15 years but, in the meantime, identifying information must be redacted and those who testified be contacted to ask whether they would agree to have the documents remain in the archive; only with this agreement could individuals’ testimony be preserved beyond 15 years. Any other scenario would be a betrayal of survivors’ trust and detrimental to the cause of reconciliation, Justice Perell argued. Some see the ruling as a reasonable compromise but the NTRC launched an appeal, to be heard in court at the end of October. The centre wishes to preserve the documents and argues that it is well-placed to do so as an aboriginal-run organization mandated by the Truth and Reconciliation Commission. [University Affairs]

CA – Retired Mounties Sue RCMP Over Disclosure of Mental Health Records

A class action lawsuit filed in Vancouver alleges that the RCMP has breached the privacy of a number of Mounties by wrongfully disclosing their mental health records. The suit says that the disclosure of the records in 2012 was done to undermine the work of Dr. Michael Webster, a longtime RCMP psychologist who had treated the officers and who has been outspoken in the past on RCMP issues. Several retired Mounties, members of a group that represents about 2,300 officers across Canada, held a press conference outside the Vancouver Law Courts to explain the lawsuit. They told reporters that currently employed officers are afraid that if they speak out, they might be disciplined by their superiors. “The wrongful disclosure of our members’ mental health records undermines the trust and confidence members must have in our employer, to ensure that mental health supports can be accessed privately.” The suit says that in July 2012, the RCMP removed Webster from its list of approved registered psychologists and a month later initiated a complaint against him with the College of Registered Psychologists. It says the college requested the RCMP disclose complete copies of the records of a number of Mounties who had been treated by Webster. The records were disclosed without notification to the officers and in violation of their privacy, says the lawsuit. A complaint filed against the RCMP with the Office of the Privacy Commissioner of Canada resulted in the commissioner finding that there had been a serious breach of privacy. [The Province]

CA – Ring Wants Controversial Report Released

Newfoundland and Labrador Information and Privacy Commissioner Ed Ring wants to make public a government sexual-exploitation study. The government says the 2011 report, It’s Nobody’s Mandate and Everyone’s Responsibility: Sexual Exploitation and the Sex Trade in Newfoundland and Labrador, was “based on interviews with sex workers and vulnerable individuals who could be put in danger if it was released publicly.” However, if it intends to keep the report under wraps the government will now have to go to court. Ring wrote in his review, “Public bodies cannot rely on speculation that harm might take place but must establish a reasonable expectation,” adding that identifying information should be blacked out as opposed to repressing the entire report. [The Telegraph]

CA – Denham Calls for Better Breach Protection

BC Information and Privacy Commissioner Elizabeth Denham “is calling for immediate action by provincial health authorities to boost measures that safeguard citizens’ health information in the absence of disclosure laws,” noting all provinces and territories except BC, Saskatchewan and Quebec “have legislated or incoming requirements that order health authorities to reveal the inappropriate release of private information.” Denham said, “It’s not in place here yet. It’s a problem.” Meanwhile, a breach affected University of Calgary employee records, and The Trump Hotel Collection has announced that point-of-sale systems at seven of its hotels in the U.S. and Canada “were infected with malware, potentially affecting an unspecified number of customers.” [Global News]

CA – Are Political Parties Violating CASL?

Via their email campaigns, “Canadian politicians may be violating Canada’s Anti-Spam Legislation (CASL), the very law they helped enact.” Citing a study from Toronto-based itracMarketer, an email marketing and CASL compliance software provider, the report suggests, “Canadian politicians may need a more compliant marketing staff because every political party failed at providing clear consent and permissions on their email collection pages.” The study looked at the country’s four major political parties’ email marketing, the report states, noting examples of CASL violations itracMarketer found include “not having a clear unsubscribe process, failure to explain the type of content they would send to potential subscribers and not providing a physical address on email collection pages.” [MediaPost] SEE ALSO: [Where the Parties Stand on Surveillance, Privacy] [Where Canada’s Three Political Parties Stand on Cybersecurity and Surveillance] [Election selfies are encouraged, but take them outside polling stations: Posting a photo of a completed ballot could land you in jail] [Green Party (Kris Constable) Views on Enhancing Security Against Cyber Attacks]

CA – Other Privacy News

Consumer

WW – Uptick in Privacy Products Indicates Citizen Concerns

Average citizens are increasingly out to protect their own privacy given Canada’s Bill C-51, which allows for an increased amount of information to be collected by government. As a result, product designers are creating anti-surveillance items. That trend was recently on display in London at the Victoria and Albert Museum, which focused on “objects that both encourage sharing information online (such as the selfie stick) and block it (such as the Cryptophone 500, a military-grade mobile with the highest security standards on the market … ),” the report states. The London exhibit is just one example of many new products to hit the market. [The Globe and Mail]

Electronic Records

US – Privacy Concerns Decline as Patients Acclimate to EHR Systems

Patients whose doctors use electronic health record systems are increasingly confident that their health information will remain private and secure, Weill Cornell Medical College researchers found in a new longitudinal study, published Oct. 5 in the American Journal of Managed Care. While electronic health record systems have been around since the early 2000s, they became more prevalent when the federal government began offering providers incentives to adopt the technology in 2009. To measure consumers’ perspectives on electronic health records, the researchers collected data through a random-digit-dial national telephone survey that polled about 1,000 people a year between 2011 and 2013. Some 41% of respondents were worried that electronic health records would lessen the privacy and security of personal health data in 2013, compared to 47.5% in 2011. While the 6 percent decrease is a good start, Dr. Ancker said, the study also demonstrates that more work has to be done, through improved security and education, to sufficiently address patients’ worries. “New things make people anxious,” she said. The data also shows that there is a need to better educate patients about how electronic records work, as well as how they can improve the patients’ healthcare. [weill.cornell.edu]

US – Researchers Re-Identify 100% of ‘Anonymised’ Health Data

Researchers from Harvard University have published a paper claiming a 100 per cent success rate in de-anonymising patients from their supposedly anonymised healthcare data in South Korea. The study, whose title says exactly what it does, “De-anonymizing South Korean Resident Registration Numbers Shared in Prescription Data”, was published this week in Technology Science. Two de-anonymisation experiments were conducted in the study on prescription data from deceased South Koreans, with encrypted national identifiers – Resident Registration Numbers (RRNs) – included. The researchers found significant vulnerabilities in the anonymisation process which is applied to identifiers contained within prescription data, data which is often sold to multinational health companies. Finding that “weakly encrypted RRNs” may be vulnerable to de-anonymisation, both experiments were 100 per cent successful, and revealed all 23,163 of the RRNs in unencrypted form. [The Register] [US – New Coding System Intrudes on Patients’ Privacy, Forces Doctors to Focus on Codes Rather Than Care]

CA – Group Health Centre Debuts Online Patient Portal

Sault Ste. Marie is now one of only a handful of cities in Canada where patients can access essential health information through an online portal, after the Group Health Centre launched its myCARE portal earlier this week. The system allows patients to send messages to their healthcare team, request prescription renewals, manage appointments, review select lab test results, and more through a home computer, eliminating the need to make a visit to the centre for these needs. GHC is now one of two centres in Canada – the other being CHEO in Ottawa – that has this specific technology available for patients. [Sault Ste Marie Star]

Encryption

US – White House Will Not Demand Back Doors for Access to Encrypted Data

The White House has decided not to pursue policy urging technology companies to build backdoors into their encryption systems despite law enforcement and intelligence agencies’ vocal assertions that the backdoors are necessary. They will still be able to pursue data with warrants. [CSMonitor] [TechCrunch] [ComputerWorld] [SCMagazine] [Ars Technica] See also: [Wired: A New Way for Tech Firms to Fight Orders to Unlock Devices]

US – Federal Judge Wants to Bring Encryption Debate to Courts

A federal judge in New York is seeking to expand the debate surrounding law enforcement access to encrypted communications technology. Magistrate Judge James Orenstein has suggested he would not issue an order sought by the government compelling Apple to unlock a suspect’s iPhone, the report states. Prior to ruling on the case, Orenstein asked the company to explain whether the government’s request would be “unduly burdensome.” According to the report, the judge may have chosen the wrong case to issue such a question, as the suspect’s phone is an older version that can be accessed by Apple. “He’s clearly a judge who is interested in opening topics to discussion in the judiciary, but he also thinks the larger public should know about the debate,” said former Texas Magistrate Judge Brian Owsley. [The Washington Post] SEE ALSO: [Discordant Encryption Attitudes Bring Policy-Making Woes]

US – Back Doors Are Not Necessary to Circumvent Encryption

Andy Greenberg writes, “Encryption usually doesn’t keep determined cops out of a target’s private data. In fact, it only rarely comes into play at all.” Of the 3,554 wiretaps reported in 2014, just 25, or 0.7%, encountered encryption. And of those 25 cases, investigators were able to circumvent encryption 21 times. [WIRED] See also: [Apple Removes Apps that Install Root Certificates | Apple Support | iMore]

EU Developments

EU – Court of Justice Declares Commission’s US Safe Harbour Decision Invalid

Court of Justice of the European Union, PRESS RELEASE No 117/15, Luxembourg, 6 October 2015

Whilst the Court of Justice alone has jurisdiction to declare an EU act invalid, where a claim is lodged with the national supervisory authorities they may, even where the Commission has adopted a decision finding that a third country affords an adequate level of protection of personal data, examine whether the transfer of a person’s data to the third country complies with the requirements of the EU legislation on the protection of that data and, in the same way as the person concerned, bring the matter before the national courts, in order that the national courts make a reference for a preliminary ruling for the purpose of examination of that decision’s validity.

The Data Protection Directive provides that the transfer of personal data to a third country may, in principle, take place only if that third country ensures an adequate level of protection of the data.

The directive also provides that the Commission may find that a third country ensures an adequate level of protection by reason of its domestic law or its international commitments. Finally, the directive provides that each Member State is to designate one or more public authorities responsible for monitoring the application within its territory of the national provisions adopted on the basis of the directive (‘national supervisory authorities’).

Maximillian Schrems, an Austrian citizen, has been a Facebook user since 2008. As is the case with other subscribers residing in the EU, some or all of the data provided by Mr Schrems to Facebook is transferred from Facebook’s Irish subsidiary to servers located in the United States, where it is processed. Mr Schrems lodged a complaint with the Irish supervisory authority (the Data Protection Commissioner), taking the view that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency (‘the NSA’)), the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country. The Irish authority rejected the complaint, on the ground, in particular, that in a decision of 26 July 2000 the Commission considered that, under the ‘safe harbour’ scheme, the United States ensures an adequate level of protection of the personal data transferred (the Safe Harbour Decision).

The High Court of Ireland, before which the case has been brought, wishes to ascertain whether that Commission decision has the effect of preventing a national supervisory authority from investigating a complaint alleging that the third country does not ensure an adequate level of protection and, where appropriate, from suspending the contested transfer of data.

In today’s judgment, the Court of Justice holds that the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities under the Charter of Fundamental Rights of the European Union and the directive. The Court stresses in this regard the right, guaranteed by the Charter, to the protection of personal data and the task with which the national supervisory authorities are entrusted under the Charter.

The Court states, first of all, that no provision of the directive prevents oversight by the national supervisory authorities of transfers of personal data to third countries which have been the subject of a Commission decision. Thus, even if the Commission has adopted a decision, the national supervisory authorities, when dealing with a claim, must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements laid down by the directive. Nevertheless, the Court points out that it alone has jurisdiction to declare that an EU act, such as a Commission decision, is invalid. Consequently, where a national authority or the person who has brought the matter before the national authority considers that a Commission decision is invalid, that authority or person must be able to bring proceedings before the national courts so that they may refer the case to the Court of Justice if they too have doubts as to the validity of the Commission decision. It is thus ultimately the Court of Justice which has the task of deciding whether or not a Commission decision is valid.

The Court then investigates whether the Safe Harbour Decision is invalid. In this connection, the Court states that the Commission was required to find that the United States in fact ensures, by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed within the EU under the directive read in the light of the Charter. The Court observes that the Commission did not make such a finding, but merely examined the safe harbour scheme.

Without needing to establish whether that scheme ensures a level of protection essentially equivalent to that guaranteed within the EU, the Court observes that the scheme is applicable solely to the United States undertakings which adhere to it, and United States public authorities are not themselves subject to it. Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons, and the Commission decision does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference.

The Court considers that that analysis of the scheme is borne out by two Commission communications, according to which the United States authorities were able to access the personal data transferred from the Member States to the United States and process it in a way incompatible, in particular, with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security. Also, the Commission noted that the persons concerned had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased.

As regards a level of protection essentially equivalent to the fundamental rights and freedoms guaranteed within the EU, the Court finds that, under EU law, legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data is transferred from the EU to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down for determining the limits of the access of the public authorities to the data and of its subsequent use. The Court adds that legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.

Likewise, the Court observes that legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, compromises the essence of the fundamental right to effective judicial protection, the existence of such a possibility being inherent in the existence of the rule of law.

Finally, the Court finds that the Safe Harbour Decision denies the national supervisory authorities their powers where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals. The Court holds that the Commission did not have competence to restrict the national supervisory authorities’ powers in that way.

For all those reasons, the Court declares the Safe Harbour Decision invalid. This judgment has the consequence that the Irish supervisory authority is required to examine Mr Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.

EU – ECJ: Safe Harbor “Invalid”

In a much-anticipated decision, the European Court of Justice (ECJ) was very straightforward in announcing that it has sided with Austrian law student Max Schrems, agreeing with his argument that the U.S. National Security Agency’s PRISM mass surveillance program, unveiled by Edward Snowden, makes the European Commission’s finding of U.S. adequacy for personal data transfer with the Safe Harbor mechanism “invalid.” Immediately, the privacy community began to react—including Schrems himself. [Full Story] See also: [Edward Snowden Says He Would Go To Jail to Come Back to The U.S.]

EU – ‘Safe Harbour’ Data Ruling Leaves U.S. Companies in Legal Limbo

A recent court ruling may boost the European Union’s efforts to reassert authority over how its citizens’ data is being treated and pressure other countries into creating privacy laws that are considered more equitable across borders. U.S.-based internet companies like Facebook, Amazon and Google are now likely scrambling to determine if they need to change their European operations after a judge in the European Union’s highest court ruled that the agreement allowing them to transfer data to the United States violates Europeans’ rights. [CBC News] SEE ALSO: [An Interview with the ECJ’s New President] [Safe Harbor Ruling Symptom of Global Surveillance Discord] [US – Post-Safe Harbor, Senators Push for Judicial Redress Act] and [Regan: Will Schrems Case Ultimately Hurt Europeans’ Privacy?]

EU – European Commission Faces Parliament Ire; Safe Harbor Questions Persist

European Commission leadership suffered the “slings and arrows” of a European Parliament unhappy with the institution’s handling of the now-invalidated Safe Harbor agreement. Parliament’s LIBE Committee also met this week and asked the Commission why Safe Harbor lasted 15 years. Meanwhile, Georgia Institute of Technology Prof. Peter Swire writes for Privacy Perspectives on the legal paths to move forward, and Denis Kelleher suggests that UK Information Commissioner Christopher Graham’s advice not to panic over Safe Harbor is the right advice for now. And in an interview with viEUws, European Data Protection Supervisor Giovanni Buttarelli shares “lessons to be drawn from the ruling, the impact of the decision on EU citizens as well as the efficacy of new instruments aimed at ensuring a high level of data protection.” [Full Story] SEE also: [Swire on Solving the Unsolvable with Safe Harbor] [ICO: Don’t Panic Over Safe Harbor—Yet] [A Look Forward After Safe Harbor’s Invalidation]

EU – LIBE: Why Did Safe Harbor Last 15 Years?

The European Parliament’s Civil Liberties Committee (LIBE) met to debate the European Court of Justice’s recent decision in the Schrems case invalidating Safe Harbor. The resounding message: What took so long? “It’s important to highlight that something went wrong here,” said German Green MEP Jan Philipp Albrecht, who is rapporteur to the General Data Protection Regulation and vice chairman of the LIBE Committee. Dutch MEP Sophie in ‘t Veld agreed, calling Safe Harbor “bad legislation” that “was dead a long time ago.” MEPs debated what should happen next, and while some called for Safe Harbor 2.0, in ‘t Veld said it’s time to “change strategy.” [IAPP]

EU – German DPA Takes Steps After Safe Harbor Decision

The ULD, the data protection authority for the German state of Schleswig-Holstein, has taken the step that many predicted and issued a position paper that follows the ECJ’s logic to declare model contract clauses, and even consent, likely to be invalid bases for transferring data to the U.S. “The ULD specifically recommends that companies using standard model contracts cancel them with their U.S. partners and do a complete review of data transfers, consulting with the ULD in basically every instance.” Marit Hansen, head of the ULD, issued the press release and position paper. [Full Story]

EU – Inquiry Finds More Can Be Done to Explain RTBF

Privacy advocates argue that many Europeans do not understand their specific liberties as they relate to the so-called right to be forgotten (RTBF). As such, they suggest, Google and data protection authorities (DPAs) need to do a better job of informing their consumers of their rights, including the right to reach out to DPAs and ask for a second opinion if a company such as Google rejects their RTBF requests, the report states. Although Google does mention that appeals to DPAs are an option in “rejection emails” for RTBF requests, advocates argue more could be done. “I think both DPAs and companies would have a task in raising awareness and informing users,” said Dutch Liberal MEP Sophie in ‘t Veld. [EUObserver]

UK – MPs’ Communications ‘Not Protected’, Tribunal Rules

MPs have no protection from having their communications read by UK security agencies, a tribunal has said. Green Party politicians Caroline Lucas MP and Baroness Jenny Jones argued a long-standing doctrine protecting MPs’ communications was being breached. But in a landmark decision the Investigatory Powers Tribunal said the so-called “Wilson Doctrine” was no bar to the incidental collection of data. Ms Lucas said the decision was a “body blow” for democracy.

EU – Facebook Goes on Privacy Offensive

Facebook is moving to counter at least five different privacy investigations by EU-based data protection authorities (DPAs). In particular, Facebook says a case brought by the Belgium Privacy Commission could affect the security of its users. The case, which could have a ruling as early as this week, would allow the DPA to fine Facebook as much as $284,000 per day due to its controversial use of cookies on non-Facebook sites, the report states. However, Facebook says the cookies help it weed out bots and other automated online machines. Facebook’s Alex Stamos said, “Often regulators will focus on a very, very particular issue and lose sight of the safety issues that affect all 1.5 billion users.” [Full Story]

UK – Consumer Privacy and Security Fears, Complaints Up

Consumer complaints about the way personal data is handled increased by 30% from 2013 to 2014, according to figures from Pinsent Masons, acquired via several Freedom of Information requests to the Information Commissioner’s Office (ICO). Complaints about the security of personal information rose from 886 in 2013 to 1,150 in 2014, while complaints about personal data increased 64% over a five-year period. Pinsent Masons said the increase in consumer complaints highlights increasing levels of public unease over how big business and other organisations store personal information. [theregister.co.uk]

EU – Albrecht on GDPR: Very Possibly Done by End of Year

In a meeting of the European Parliament’s Civil Liberties Committee (LIBE), Vice Chairman Jan Philipp Albrecht, Green MEP and rapporteur to the General Data Protection Regulation (GDPR), provided a report on the trilogue negotiations around the GDPR. Chapter five is done, he said, and chapters two, three and four are largely complete. “My impression is that we managed to get agreement on, I would estimate, 70 to 80% of the text,” he said, adding issues like consent conditions, data minimization definitions and the duties for controllers and processors have yet to be finalized. Albrecht said it’s “realistically possible” negotiations will conclude before end of year. [Full Story] See also: [First Direct-Marketing Convictions Set Standard]

EU – ECJ Issues Weltimmo Decision

Denis Kelleher examines the European Court of Justice (ECJ) decision this week in Weltimmo. In the case, the ECJ was “asked to consider what jurisdiction the Hungarian Data Protection Supervisor might have over a website in Slovakia,” Kelleher wrote when the Advocate General’s opinion on the case was issued this summer. “While it is not yet clear what precise impact this judgment will have upon the trilogue negotiations,” the court’s “clear analysis of the jurisdiction and responsibilities of different data protection authorities must be of assistance and hopefully will enable the EU to bring those negotiations to a close.” [IAPP]

EU – EDPS: PNR’s Existence Isn’t Justified

European Data Protection Supervisor (EDPS) Giovanni Buttarelli has published his opinion on the proposed Passenger Name Records (PNR) initiative, arguing there is “a lack of information to justify the necessity” of the move and stating it “raises serious transparency and proportionality issues, and … might lead to a move towards a surveillance society.” PNR could include “home addresses, mobile phone numbers, frequent flyer information, email addresses and credit card details,” the report states. “We encourage the legislators, in assessing the necessity of such a measure, to further explore the effectiveness of new investigative approaches as well as of more selective and less intrusive surveillance measures based on targeted categories of flights, passengers or countries,” Buttarelli said. Meanwhile, more Snowden documents indicate the UK government spied on Internet users since 2007. [Out-Law.com]

EU – DPAs to Announce Cooperative Agreement

During their “Fireside Chat” at Dentons’ offices in London, UK Information Commissioner Christopher Graham and former interim Privacy Commissioner of Canada Chantal Bernier previewed details of a new cooperation agreement amongst global data protection authorities (DPAs) to be announced at the Data Protection and Privacy Commissioners Conference later this month. Sam Pfeifle writes that the Arrangement, as it’s being called, was first discussed at the DPAs’ conference in Mexico in 2011 and creates a common understanding of DPAs’ obligations as they work together “so that separate memorandums of understanding don’t have to be negotiated and signed each time DPAs coordinate on a case.” [Privacy Advisor]

Facts & Stats

WW – Survey: Data Leaks a Privacy Malady

FinalCode’s 2015 State of File Collaboration Security study is shining light on a new trend of data leaks, which, according to the survey, more than 80% of information-security professionals have encountered. A data leak is “information that is shared inappropriately, sent to the wrong email address, stored on a computer that was lost or stolen or compromised through a general system security gap,” the report states. Uber, for example, has confirmed a recent data leak impacted 674 U.S. drivers. More than 75% of survey respondents are “very concerned to concerned” about data leaks, the report continues. [GovTech]

WW – Study: Cost of Breaches is on the Rise

The Ponemon Institute’s 2015 Cost of Cyber Crime Study, which examines 252 organizations in five different countries, found that while the average cost of data breaches increased by 1.9% in the past year, boards are showing less get-up-and-go regarding data security. Larry Ponemon said the numbers are “moving in the wrong direction,” with breach response time also up 30%. And boards don’t seem to care unless stock prices are affected, said Curtis Levinson, a NATO cybersecurity advisor. The study notes that companies “that invest in adequate resources, employ certified or expert staff and appoint a high-level security leader have cyber-crime costs that are lower than companies that have not implemented these practices.” [IT World Canada] [Cost of Data Breaches Keeps Going Up. Do Boards Care?]

US – Study: Keeping Up with Data Protection Rules is Financial Burden

A Vanson Bourne survey for software company Ipswitch found that 68% of respondents believe staying abreast of data protection requirements is a “financial burden.” “Whilst IT professionals recognise the need to align data protection regulation to keep up with modern data-sharing practices and the globalisation of data, it is clear that compliance comes at a price for most,” said Ipswitch’s David Juitt in a statement. Meanwhile, Sachiko Scheuing tells Computing, “When companies around the world consider setting up a new unit in digital or mobile, I don’t think Europe is the preferred place to invest in.” Indeed, “Data protection continues to be a rapidly evolving area, and one that is increasingly important to business,” the Mason Hayes & Curran Tech Law Blog reports. [Full Story]

Filtering

US – Big Breaches Plague E*Trade, Dow Jones

Dow Jones and E*Trade recently alerted their customers that personal information had allegedly been breached. Although some “personal information had been compromised,” there isn’t evidence that this includes “any sensitive customer account information,” E*Trade explained in an email to its 31,000 affected customers. Meanwhile, Dow Jones CEO William Lewis alerted subscribers of the company’s breach via letter, indicating that between August 2012 and July 2015, hackers were looking for the “contact information for as many current and former subscribers as possible,” a number as high as 2.4 million. Additionally, “payment card … information for fewer than 3,500 individuals could have been accessed,” Lewis said. [BankInfoSecurity]

Finance

US – Lenders Look to Social Media to Gauge Creditworthiness

As financial lenders look to new and more accurate ways to determine an individual’s creditworthiness, some are looking at data inputs on a spectrum, where at one end credit card repayment history—the most accurate determinant—is considered, while at the other end social media posts are assessed. With banks concerned that they’re turning down potential sources of profit, companies such as Fico and TransUnion are tapping alternative data sources. “If you look at how many times a person says ‘wasted’ in their (Facebook) profile, it has some value in predicting whether they’re going to repay their debt,” said Fico Chief Executive Will Lansing. “It’s not much,” he added, “but it’s more than zero.” [Financial Times]

UK – Glitch Exposes Bank Customers’ Financial Activities

A security glitch affecting online banking at Halifax and Bank of Scotland “has put tens of thousands of customers at risk of fraud by leaving their financial activities visible to anyone.” The banks, which are part of Lloyds, have not indicated how many accounts were affected, the report states, noting “fraudsters were able to view accounts without using hacking devices as they would only need someone’s name, date of birth and address to see their bank, savings, credit card, loan or mortgage account details.” The issue was discovered last week by MoneySavingExpert.com, the report states, and the banks have since fixed the problem with additional security measures. [The Telegraph]

US – FBI Takes Down Alert on Chip Credit Cards After Bankers Complain

The FBI posted an online advisory about vulnerabilities in new chip-enabled credit cards, but then removed the message less than a day later following concerns from U.S. bankers that back chip cards. The original online post was headlined, “New microchip-enabled credit cards may still be vulnerable to exploitation by fraudsters,” and was replaced by a “page not found” message. The FBI didn’t offer any comment on what happened to the original post, which argued for the use of a PIN (personal identification number) with chip-embedded cards. Use of a PIN instead of a customer’s signature to bolster a chip card has become a heated battle between the nation’s major retailers, which back a PIN, and the powerful credit card companies and major banks they support, which back signatures. The American Bankers Association contacted the FBI urging it to revise and clarify its original post, which was in the form of a public service announcement (PSA), to reduce confusion over the use of PINs with chip cards, an ABA official said. [Computerworld]

FOI

CA – New Brunswick Making Open Data ‘Baby Steps’

The New Brunswick government is inching toward an open data portal that will allow citizens to click through public information that has been previously locked inside government servers. The commitment to opening up public data sets came when Premier Brian Gallant announced a digital government initiative earlier this month. [CBC News]

CA – No Harm to Public Safety in Releasing Most of Sex Exploitation Report

Two years after politicians and the police castigated CBC News for putting people in danger by reporting on a government-commissioned report into sexual exploitation in Newfoundland and Labrador, the province’s information watchdog has rejected those concerns, saying most of the document can be released to the public. “I am recommending that the majority of the report be released,” information and privacy commissioner Ed Ring wrote in a recent report. The government now has until Friday to decide whether it will follow the commissioner’s recommendations. Under new access to information laws, the onus is on the government to go to court to block the release of information the commissioner says should be made public. [Source] See also: [Transgender Canadians getting voter cards with birth names]

Health / Medical

AU – myHealth Record Under Governmental Scrutiny

The newly unveiled myHealth Record system has spurred such controversy that Health Minister Sussan Ley was called to a parliamentary joint committee on human rights to quell concerns. Liberal MP Philip Ruddock, the committee’s chairman, argued the system has “significant privacy concerns,” while the Australian Privacy Foundation said, “We suggest that the identity data … will be seen as very useful to the government, especially when cross-matched against the Internet and telecommunications data and other databases.” In response to the concerns, Ley said, “I can assure all Australians that as we develop an electronic health record system … all privacy and security measures will be taken to ensure the protection of a patient’s personal details.” [The Sydney Morning Herald]

US – HHS Roadmap Paves Way for Privacy

After months of feedback, the Department of Health and Human Services (HHS) has published its 10-year roadmap that illustrates “how healthcare facilities and patients should be able to share medical information” while protecting user privacy. “The roadmap includes a common clinical data set for every patient,” the report states. “In order for us to be able to understand the quality of care delivered for individuals and for populations, we need to have that data available,” said National Health IT Coordinator Karen DeSalvo, who also spoke of the need for “federally recognized, national interoperability standards … that would include privacy and cybersecurity standards.” The roadmap aims to clarify and “align federal and state privacy and security requirements that enable interoperability,” the report states. [ComputerWorld]

US – HealthCare.gov Gets Privacy Overhaul, Honors DNT

The Obama administration announced new changes to the HealthCare.gov website in time for a new round of health insurance sign-ups. HealthCare.gov CEO Kevin Counihan said the website will now feature a new “privacy manager” that allows users to opt out of embedded third-party tracking, analytics and social media sites and will also honor do-not-track requests. Electronic Frontier Foundation (EFF) Staff Technologist Cooper Quintin said EFF applauds HealthCare.gov’s support of DNT and its decision to “give their users strong privacy controls,” adding EFF “would be thrilled to see more organizations, both public and private, follow their lead.” Meanwhile, CSM Passcode queries whether consumers should have the right to demand that websites not track them. [Associated Press]

CA – Alberta Privacy Commission: Health Record Breaches an “Epidemic”

In the wake of news that Alberta Health Services is disciplining 48 healthcare workers after a patient’s medical records were inappropriately accessed, a spokesman for Alberta’s Privacy Commission (APC) said such actions are part of a larger problem. Scott Sibbald, a spokesman for the APC, said, “More broadly, this isn’t an isolated incident by any means. We are seeing, and I guess for lack of a better term, an epidemic within electronic medical records systems.” Sibbald noted that, so far this year, there has been one conviction and two charges for unauthorized access. The agency is also investigating as many as a dozen additional cases. [CBC News]

CA – Yukon Government Developing New Privacy Rules for Health Records

The Yukon government is looking for input on who should have access to your personal health care records, and how accessible they should be. The government is working on new regulations focussed on managing and protecting health files. The new rules would fall under the Health Information Privacy and Management Act, passed in 2013 but not yet in effect. The territorial health department has put together a “discussion document,” and is seeking feedback from health professionals and other Yukoners. Living says the goal is to finish consultations by the end of this year, and have regulations in place in early 2016. [CBC News]

US – OCR Announces HIPAA Compliance Portal

In an attempt to provide HIPAA compliance guidance for mobile app developers and answer questions as they occur, the Department of Health and Human Services Office for Civil Rights (OCR) has created an online portal. “Historically, there have been limited opportunities to obtain guidance from OCR on how HIPAA applies to certain situations,” said David Wright Tremaine’s Adam Greene. “I hope that the OCR portal will provide a much needed influx of OCR guidance and clarification regarding how HIPAA applies to mobile health app developers, other cloud-based entities and other business associates.” The information requests will be anonymized, OCR Senior Adviser Linda Sanches said, thus making the portal a tool for learning, not enforcement. “We’re not going to track anyone down,” she added. [GovInfoSecurity]

Horror Stories

US – 15 Million Affected in Breach

Experian has confirmed that approximately 15 million customers, including T-Mobile users “who had applied for Experian credit checks, may have had their private information exposed.” “The unauthorized access was in an isolated incident over a limited period of time. It included access to a server that contained personal information for consumers who applied for T-Mobile USA postpaid services between Sept. 1, 2013 and Sept. 16, 2015,” Experian’s website states. Experian and T-Mobile are working to notify customers. “Information from the hack includes names, addresses and social security, driver’s license and passport numbers,” the report states, noting Connecticut’s Office of the Attorney General plans to investigate the breach. [The Guardian]

US – Millions of Customer Records Breached

Scottrade has confirmed that 4.6 million contact records were breached from 2013 through 2014. “Although Social Security numbers, email addresses and other sensitive data were contained in the system,” the company said, “it appears that contact information was the focus of the incident.” The American Bankers Association has also discovered that “thousands of members’ personal information had been compromised.” Meanwhile, hackers may have accessed the financial information of Trump hotel patrons. The company said, “Although an independent forensic investigation has not conclusively determined that any particular customer’s payment card information was taken … we are providing this notice out of an abundance of caution.” [ZDNet]

US – Senator Wants Details on Experian Breach

Sen. Sherrod Brown (D-OH) of the Senate Banking Committee has written to Experian asking for details regarding its recent T-Mobile data breach. His questions include “how the breach occurred” and “what changes Experian was making to its systems to stop it from happening again,” the report states. “Protection of this information is of the utmost importance, especially because the scope of the information is vast and virtually no consumer can apply for credit without entering your system,” Brown noted. He also asked Experian to arrange “credit freezes” for victims of the breach. Experian representatives said in a statement that they “understand the concerns raised” and will be responding. [Associated Press] [T-Mobile Reviewing Experian Affiliation] [Three lawmakers want answers from Experian on the recent data breach affecting up to 15 million T-Mobile customers].

US – PIRG Calls for FTC Investigation of Experian Breach

Twenty-five “data security and consumer advocacy” agencies, including the Electronic Privacy Information Center and the World Privacy Forum, co-signed a letter penned by the U.S. Public Interest Research Group to the Federal Trade Commission, urging the federal agency to launch an official investigation into the recent Experian data breach. “As you know, Experian is one of the three nationwide consumer reporting agencies, each holding data on over 200 million consumers,” the letter states. “A data security breach that affected Experian’s credit report files would be a terrifying and unmitigated disaster,” it continues. In response, an Experian spokesperson said “Experian understands the concerns raised and we are prepared to respond promptly to requests from regulatory agencies for more details about the incident.” Meanwhile, The New Yorker’s Om Malik argues that the company’s breach is just another iteration of the same grave trend. [The Guardian]

AU – Hackers Target Australian Health Sector, Selling Records for A$1,000

Hackers are targeting the Australian health sector, with fully populated digital health records sold on the black market for up to A$1,000 each. Plans to make the personally controlled electronic health record (PCEHR) opt-out – rather than the current opt-in regime – could significantly expand the range of targets for health hackers. Carl Leonard, principal security analyst for Websense, said healthcare around the world is now experiencing 340% more attacks than the average industry sector. He said that, in 2014, there was a phenomenal 600% increase in the number of attacks launched against hospitals – and Australia is no exception. He said ransomware attacks were 450% more prevalent in healthcare globally than in other industries. He said: “Healthcare offers a very complete dataset that can be used for identity theft or fraud. It holds very up-to-date contact information so you can send targeted mails, and use the information and repurpose it for identity theft.” By contrast, Leonard said, prices for credit card details continue to drop in what is considered a saturated market. [Computerweekly.com]

WW – Researchers Spot Potential Breach

“Researchers at Worcester Polytechnic Institute claim they’ve spotted a potential data breach issue involving Amazon Web Services (AWS).” Amazon, however, has responded that “AWS customers using current software and following security best practices are not impacted by this situation.” The researchers say they used an AWS instance to hack into another, but “only in a lab setting,” suggesting “a single cloud instance could be used by attackers to breach other instances running on the same machine, thus compromising individuals and organizations that are otherwise unrelated, except for using the same cloud service,” the report states. [Bank Info Security] See also: [Samsung breach the Result of Chinese Hackers]

US – Secret Service Privacy Breach Raises Concerns

The White House said that “significant concerns” have been raised by reports that scores of Secret Service employees accessed the unsuccessful job application of a congressman who was investigating agency scandals. Spokesman Josh Earnest said, though, that President Obama retains confidence in the agency’s director and that the “appropriate steps” will be taken to hold accountable any individuals who did not follow proper procedures. [The Associated Press]

NZ – Breaches Affect National Health Index, Merchant

A breach of New Zealand’s National Health Index exposed “confidential birth and death details” of 24,000 victims after an email was accidentally sent to the incorrect recipients. “Patients must be able to trust the information they give to doctors will only be accessible to staff involved in their treatment,” said Labour’s Annette King. King said the data is “particularly sensitive. Its release would be hugely distressing to relatives and loved ones,” adding, “any breach of this magnitude is unacceptable, full stop.” Meanwhile, the Australian Federal Police is looking into a breach that compromised shoppers’ home addresses and other personal information. [Computerworld] [NZ – Deaf Aotearoa flooded with complaints about Jehovah’s Witness church]

US – Uber Breach Investigation

Uber is investigating the breach of a database that contains information about the company’s drivers. A report from Reuters says that one suspect is Uber rival Lyft. Uber had inadvertently posted the database key on a GitHub page before the breach. When Uber realized what had happened, it sent a subpoena to GitHub demanding information about people who visited that particular page during the period the key was visible. Someone using an IP address associated with Lyft’s Chief Technology Officer accessed the page. However, that IP address is not the same as the one used in the attack on Uber’s database. [SCMagazine] [Reuters] [Uber Focuses Legal Efforts on Identifying Hackers]
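
The Uber incident is the textbook case of a credential landing in a public repository. The following is an added example, not code from Uber, Lyft, GitHub or the cited reports: a small pre-push secret scanner that runs over a diff, flags access-key-shaped tokens, database URLs with embedded passwords and high-entropy values assigned to secret-like names, and skips removed lines so that deleting a secret does not re-flag it. The regex patterns, the entropy threshold and the sample diff (including every key-like value in it) are constructed for illustration.

```python
"""Added example (not Uber's, Lyft's or GitHub's code): scan text such as a
commit diff for credentials before it is pushed, the kind of check that
would catch a database key pasted into a public GitHub page.
Patterns, threshold and the sample diff below are constructed."""
import math
import re
from collections import Counter

# Constructed patterns: an AWS-style access key id (AKIA + 16 chars), a
# database URL with an embedded password, and a "<secret-ish name> = value"
# assignment whose value is long enough to be a real key.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "database_url_with_password": re.compile(
        r"\b[a-z]+://[^\s:/@]+:([^\s@]+)@[^\s]+", re.IGNORECASE),
    "assigned_secret": re.compile(
        r"(?i)(?:secret|password|passwd|api[_-]?key|token)\s*[=:]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})"),
}

def shannon_entropy(s):
    """Bits of entropy per character: random keys score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_text(text, min_entropy=3.5):
    """Return (line_no, rule, matched_secret) for every suspected credential.
    Lines removed by a diff ('-' prefix, but not the '---' file header) are
    skipped so that deleting a secret does not re-flag it."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.startswith("-") and not line.startswith("---"):
            continue
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                secret = m.group(1) if m.groups() else m.group(0)
                # Entropy gate on the generic rule lets placeholders through
                if rule == "assigned_secret" and shannon_entropy(secret) < min_entropy:
                    continue
                findings.append((line_no, rule, secret))
    return findings

# Constructed sample diff; every key-like value is made up.
SAMPLE_DIFF = """\
diff --git a/config/db.py b/config/db.py
--- a/config/db.py
+++ b/config/db.py
 import os
-DATABASE_URL = os.environ["DATABASE_URL"]
+DATABASE_URL = "postgres://app_user:Q7vX2mP9kLz4RwT8@db.internal:5432/drivers"
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLE0123456AB"
+signing_secret = "b7Fq2ZkP9sWx4LmN8vRt"
+example_password = "changeme_changeme"
"""

if __name__ == "__main__":
    for line_no, rule, secret in scan_text(SAMPLE_DIFF):
        print(f"line {line_no}: {rule}: {secret}")
```

Run against the constructed diff it reports the database password, the AWS key id and the signing secret, and stays quiet on the low-entropy placeholder. The point of the entropy gate is to keep the generic rule from drowning the signal in placeholders; the point of scanning before push rather than after is that, as the Uber story shows, a subpoena for visitor logs is not a remediation.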

Identity Issues

WW – Coalition to Facebook: Rethink Policy

The Nameless Coalition, a new organization comprising groups like Human Rights Watch and the ACLU, wrote a letter to Facebook articulating their displeasure with its policies regarding real names. “Users who opt to send Facebook their identification information are told that their information is secure but are given no information about how Facebook treats their data,” the coalition stated. “While we know not everyone likes this approach, our policy against fake names helps make Facebook a safer place by enabling us to detect accounts created for malicious purposes,” Facebook said. The coalition has requested a response to its letter by October 31. [The Verge]

US – FBI Urges Use of Two-Factor Authentication

The FBI is encouraging small- and medium-sized businesses and Internet users in general to use two-factor authentication to safeguard personal information. The FBI issued the advice as part of this year’s National Cyber Security Awareness Month. In a related story, a coalition of government agencies, technology companies, and security experts met in Washington, DC, earlier this week to discuss ways to move toward stronger, two-factor authentication. [FBI] [ExecutiveGov] [DailyDot]

WW – Yahoo Aims to Phase Out Passwords With New Service

Yahoo’s next step in password security is to eliminate them altogether. Starting this week, the company announced, users of the Yahoo Mail app on both iOS and Android will have access to a new service called Yahoo Account Key, which uses smartphones to verify identities in lieu of traditional passwords. Here’s how it works: When users who sign up for Account Key try to access Yahoo Mail, they will no longer need to enter their password. Instead, the Account Key service will send a message to the smartphone connected to the account. With a tap on yes or no, users can indicate it is a legitimate attempt to get into the account or deny unauthorized access. If their smartphone is lost or stolen, users can verify identities through an email or a text message sent to alternative accounts and numbers. In addition to Account Key verification, Yahoo executives announced a revamped version of Yahoo Mail that allows users to connect with, manage and search Outlook, Hotmail and AOL email accounts while signed in to their Yahoo account. The new Mail also connects to Twitter, LinkedIn and Facebook to add photos and create “contact cards” with email, telephone and social media information for contacts. [Reuters]

UK – ‘Hidden Faces’ Proposed As a Biometric Privacy Solution

Biometrics researchers are working on a privacy solution for facial data that would split a smartphone user’s facial image into two separate encrypted files, which are then also “hidden” in new, unrelated faces and stored separately. Using a technique known as visual cryptography, two facial data templates are created from a single face. These templates are then “hidden” in an unrelated face – for example a celebrity mugshot – with one kept on the device and the other in the cloud. Addressing the risk that a hacked mobile device could reveal the facial data stored on it for biometric authentication, the technique could eliminate the risk of reverse engineering from templates or even from secure elements. [planetbiometrics.com] See also: [UK – Identity Cards Can Solve Britain’s Migrant Crisis]
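
The security argument in that scheme is secret sharing: each half on its own carries no information about the face, and only the device and cloud halves together reconstruct it. The following is an added example, not the researchers’ code, that shows the idea with the XOR form of 2-of-2 visual cryptography on a toy bit-packed template and hides each share in the low bits of a separate “cover” image, standing in for the unrelated-face step. The template, the two cover images and the LSB hiding method are constructed for illustration; the real work uses pixel-pattern shares and real face images.

```python
"""Added example, not the researchers' code: 2-of-2 XOR secret sharing of a
biometric template (the XOR variant of visual cryptography). Each share is
uniformly random on its own, so a breach of either the device or the cloud
copy yields nothing; only XOR of both shares restores the template. The
template, cover images and LSB hiding step are constructed toys."""
import secrets

def split_shares(template):
    """Share A = fresh random bytes; share B = template XOR A. Either share
    alone is indistinguishable from random (the one-time-pad argument)."""
    share_a = secrets.token_bytes(len(template))
    share_b = bytes(t ^ a for t, a in zip(template, share_a))
    return share_a, share_b

def reconstruct(share_a, share_b):
    if len(share_a) != len(share_b):
        raise ValueError("share length mismatch")
    return bytes(a ^ b for a, b in zip(share_a, share_b))

def embed_lsb(cover, share):
    """Hide one share bit in the least significant bit of each 8-bit cover
    pixel. Plain LSB steganography, standing in for the 'hidden in an
    unrelated face' step; it conceals the share's presence, not its content,
    which is already random."""
    bits = [(byte >> (7 - i)) & 1 for byte in share for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover image too small for share")
    stego = bytearray(cover)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit
    return bytes(stego)

def extract_lsb(stego, share_len):
    out = bytearray()
    for byte_idx in range(share_len):
        value = 0
        for i in range(8):
            value = (value << 1) | (stego[byte_idx * 8 + i] & 1)
        out.append(value)
    return bytes(out)

def protect_and_recover(template, cover_device, cover_cloud):
    """End to end: split, hide each share in its own cover, keep the two
    stego images apart, recover only when both are presented."""
    share_a, share_b = split_shares(template)
    stego_device = embed_lsb(cover_device, share_a)
    stego_cloud = embed_lsb(cover_cloud, share_b)
    got_a = extract_lsb(stego_device, len(template))
    got_b = extract_lsb(stego_cloud, len(template))
    return reconstruct(got_a, got_b)

# Constructed 4x4 1-bit "template" packed into 2 bytes, and two 128-pixel
# 8-bit greyscale cover images (one for the device, one for the cloud).
TEMPLATE = bytes([0b10110010, 0b01001101])
COVER_DEVICE = bytes(range(128))
COVER_CLOUD = bytes(255 - p for p in range(128))

if __name__ == "__main__":
    a, b = split_shares(TEMPLATE)
    print("device share:", a.hex(), "cloud share:", b.hex())
    print("recovered ok:", protect_and_recover(TEMPLATE, COVER_DEVICE, COVER_CLOUD) == TEMPLATE)
```

The caveat a practitioner should keep in mind is that the security of the split rests entirely on the randomness of share A and on the two halves never being co-located: a backup that syncs the device share to the same cloud account as the cloud share silently collapses the scheme back to storing the template in clear.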

US – ACLU: License Chips a “Nightmare”

The growing trend of states enacting voluntary programs that connect one’s license to the Department of Homeland Security via RFID chips is what the American Civil Liberties Union (ACLU) calls a “civil liberties nightmare.” While “the cards are designed to be used instead of passports at U.S. land borders in a bid to speed up the entrance lines from Mexico and Canada,” their growing popularity could indicate that “such cards could become mandatory across the country,” the report continues. The ACLU said the “technology is a dream come true for identity thieves and stalkers,” while University of Washington researchers said there is “no encryption of any kind and they can be read by anyone,” noting “reading and cloning” of the chips “is possible.” [Ars Technica]

JP – ID Sparks Privacy Protests

Japan’s introduction of My Number ID, an identifier that “will unite personal tax information, social security and disaster relief benefits,” has sparked such intense privacy concerns that more than 400 protesters assembled in Tokyo to contest the move. “Chanting ‘Stop My Number now!’ and ‘No dangerous My Number card!’ protesters called for postponement of the 12-digit number,” the report states, noting the system is “expected to reach an estimated 55 million households” in an attempt to help “cut down on tax evasion and benefit fraud.” Sophia University’s Yasuhiko Tajima has called the My Number plan “unconstitutional,” the report states. [RT]

US – ID-Theft Center Advises Security-Freeze Customers to Watch Credit Report Costs

A Maine-based identity theft assistance company says customers who’ve recently put a security freeze on their credit reports should watch the cost of their policies. “We have become aware that some insurance companies are mistakenly using a customer’s frozen credit history as a negative factor when calculating the costs of the customer’s policy,” said Jane Carpenter, founder of Maine Identity Services. “This means that the rate charged for the insurance may be increased.” In one case, a customer’s rates increased by more than $150. Carpenter said those who’ve experienced a data breach and are receiving credit monitoring services should also watch costs. [Full Story]

WW – What’s in a Boarding Pass Barcode? A Lot

The next time you’re thinking of throwing away a used boarding pass with a barcode on it, consider tossing it into a document shredder instead. Two-dimensional barcodes and QR codes can hold a great deal of information, and the codes printed on airline boarding passes may allow someone to discover more about you, your future travel plans and your frequent flyer account. The payload is plain text laid out according to a published standard, not encrypted, so any barcode-reader app will dump it. Interested in learning what’s in your boarding pass barcode? Take a picture of the barcode with your phone and upload it to this site. This blog post on the same topic from several years back includes some helpful hints on how to decode the various information fields that get dumped by the barcode reader. Finally, the standards for boarding pass barcodes are widely available and have been for years; see this document from the International Air Transport Association (IATA) for more on how the barcode standards work and have been implemented in various forms. [KrebsonSecurity.com] [Krebs]
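To make the “a lot” concrete, here is an added parser, written for this page rather than taken from Krebs or IATA, for the BCBP “M” format text that comes out of the barcode reader: a 60-character mandatory block followed by a hex-sized variable field that, in version 5 passes, carries the ticket, bag-tag and frequent-flyer fields. The field widths follow the IATA BCBP implementation guide; the sample pass, its passenger, PNR and account numbers are all constructed for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// field is one fixed-width item of the IATA BCBP "M" format.
type field struct {
	name  string
	width int
}

var (
	// Mandatory block: 60 characters, always present for the first leg.
	mandatory = []field{
		{"format_code", 1}, {"legs", 1}, {"passenger_name", 20}, {"eticket_indicator", 1},
		{"pnr", 7}, {"from_airport", 3}, {"to_airport", 3}, {"carrier", 3}, {"flight_number", 5},
		{"flight_date_julian", 3}, {"compartment", 1}, {"seat", 4}, {"checkin_sequence", 5},
		{"passenger_status", 1}, {"variable_size_hex", 2},
	}
	// Conditional block (the variable-size field starts with '>'): a part that
	// occurs once per pass and a part that is repeated for every leg.
	unique = []field{
		{"passenger_description", 1}, {"checkin_source", 1}, {"issuance_source", 1},
		{"issue_date", 4}, {"document_type", 1}, {"issuer", 3}, {"bag_tag", 13},
	}
	repeated = []field{
		{"airline_numeric_code", 3}, {"ticket_serial", 10}, {"selectee", 1},
		{"intl_doc_verification", 1}, {"marketing_carrier", 3}, {"ff_airline", 3},
		{"ff_number", 16}, {"id_ad_indicator", 1}, {"free_baggage", 3}, {"fast_track", 1},
	}
)

// sub is s[a:b] clamped to len(s): a truncated barcode yields "" rather than a panic.
func sub(s string, a, b int) string {
	if a > len(s) {
		a = len(s)
	}
	if b > len(s) {
		b = len(s)
	}
	return s[a:b]
}

// take copies fixed-width fields from data at pos into out and returns the new pos.
func take(data string, pos int, layout []field, out map[string]string) int {
	for _, f := range layout {
		out[f.name] = strings.TrimSpace(sub(data, pos, pos+f.width))
		pos += f.width
	}
	return pos
}

func hexSize(s string) (int, error) {
	n, err := strconv.ParseUint(s, 16, 8)
	return int(n), err
}

// ParseBCBP decodes the first leg of an M-format boarding-pass string.
func ParseBCBP(data string) (map[string]string, error) {
	if !strings.HasPrefix(data, "M") {
		return nil, fmt.Errorf("not an M-format boarding pass")
	}
	out := map[string]string{}
	pos := take(data, 0, mandatory, out)
	varLen, err := hexSize(out["variable_size_hex"])
	if err != nil {
		return nil, fmt.Errorf("bad variable-size field: %w", err)
	}
	v := sub(data, pos, pos+varLen)
	out["security"] = sub(data, pos+varLen, len(data)) // optional '^' signature block
	if !strings.HasPrefix(v, ">") {
		return out, nil // no conditional block
	}
	// Inner sizes also come from the barcode: a bad value decodes as 0 and sub()
	// clamps, so corrupt input degrades to empty fields rather than a panic.
	out["bcbp_version"] = sub(v, 1, 2)
	uLen, _ := hexSize(sub(v, 2, 4))
	take(sub(v, 0, 4+uLen), 4, unique, out)
	p := 4 + uLen // honour the declared size, not our layout's width
	rLen, _ := hexSize(sub(v, p, p+2))
	take(sub(v, 0, p+2+rLen), p+2, repeated, out)
	out["airline_use"] = sub(v, p+2+rLen, len(v)) // free-form airline data
	return out, nil
}

// Sensitive picks out what is worth shredding: name plus PNR is what most
// airline "manage booking" pages ask for; the rest identify accounts and bags.
func Sensitive(f map[string]string) map[string]string {
	out := map[string]string{}
	for _, k := range []string{"passenger_name", "pnr", "ff_number", "ticket_serial", "bag_tag"} {
		if v := f[k]; v != "" {
			out[k] = v
		}
	}
	return out
}

// SampleBCBP is a constructed, fictitious version-5 pass (day 288 is 15 Oct in
// 2015); the hex size fields are computed so the conditional block is well-formed.
func SampleBCBP() string {
	uniq := "0WW5287BUA 0016123456001" // 24 chars, ending in the bag-tag number
	rep := "016" + "1234567890" + "0" + "1" + "UA " + "UA " +
		fmt.Sprintf("%-16s", "MP123456789") + "N" + "2PC" + "N" // 42 chars
	v := fmt.Sprintf(">5%02X%s%02X%s%s", len(uniq), uniq, len(rep), rep, "UA9X")
	return fmt.Sprintf("M1%-20sE%-7sSFOJFK%-3s%-5s288Y012A%-5s3%02X",
		"DOE/JANE", "ABC123", "UA", "0123", "0045", len(v)) + v
}

func main() {
	f, err := ParseBCBP(SampleBCBP())
	if err != nil {
		panic(err)
	}
	fmt.Println(f["carrier"], f["flight_number"], f["from_airport"], f["to_airport"], Sensitive(f))
}
```

Feed it the string your barcode app returns and the map shows why the pass deserves the shredder: the name and record locator are enough to open the booking on many airline sites, and the frequent-flyer and ticket serial numbers tie the document to accounts that outlive the flight.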

Internet / WWW

WW – TPP Signed: The ‘Biggest Global Threat to the Internet’ Agreed

An agreement that some campaigners have called the “biggest global threat to the internet” has just been signed, potentially bringing huge new restrictions on what people can do with their computers. The Trans-Pacific Partnership is the conclusion of five years of negotiations and will cover 40% of the world’s economy. Its claimed purpose is to create a unified economic bloc so that companies and businesses can trade more easily, but it also puts many of the central principles of the internet in doubt, according to campaigners. One particularly controversial provision makes it a crime to reveal corporate wrongdoing “through a computer system”. Experts have pointed out that the wording is very vague, could lead to whistleblowers being penalised for sharing important information, and could deter journalists from reporting on them. Other provisions require that online content providers such as YouTube and Facebook take down content if they receive just one complaint, as they must in the US. That will be harmful for startups looking to build such businesses, since they will need the resources to respond to every complaint, experts have pointed out. [The Independent]

WW – Study to Examine Challenges to Privacy

Singapore- and UK-based researchers have submitted a proposal to study the potential threats to privacy and security in the cloud. “Big data provides immense benefits ranging from innovative business models to new ways of treating deadly diseases. However, challenges to privacy arise,” said City University London’s Muttukrishnan Rajarajan, while the School of Electrical and Electronic Engineering’s Lu Rongxing noted, “If privacy is not well addressed, people may be reluctant to share their data.” If approved, the initiative will begin in 2016. Meanwhile, Singapore’s Personal Data Protection Commission has published two new surveys on consumer opinions and industry opinions of the Personal Data Protection Act. [Computer Weekly]

Law Enforcement

US – NYPD Has Super-Secret X-Ray Vans

Police Commissioner Bill Bratton won’t let the NYCLU — or anyone else — bully him for details on the NYPD’s super-secret X-ray vans. The top cop was asked about the counter-terror vehicles, called Z Backscatter Vans, in light of the NYCLU’s request to file an amicus brief arguing that the NYPD should have to release records about the X-ray vans. The website ProPublica filed suit against the NYPD three years ago after an investigative journalist’s requests for police reports, training materials and health tests related to the X-rays were denied. [The New York Post]

Offshore

AU – New Data Retention Laws Begin Today

Beginning today, every phone call you make, text message you send and email you write will be tracked by the government under a new metadata retention scheme. This scheme is allegedly being implemented to protect the country against organised crime and terrorism, but it is also being slammed as a major invasion of privacy. An Essential poll from early in the year showed that around 40% of Australians support the introduction of the new metadata laws and 44% did not, while 16% had no idea what it was. [news.com.au] International Business Times reports a survey by telecommunications industry lobby group Communications Alliance has found 84% of ISPs are not yet prepared to collect and store the required metadata. [BBC News]

Online Privacy

WW – Problematic Apps Removed from Apple’s Online Store

After apps of Chinese origin were found to be laden with malware last month, Apple reviewed its App Store inventory and removed those programs it considered “potentially invasive to user privacy.” “We’ve removed a few apps from the App Store that install root certificates which enable the monitoring of customer network data that can in turn be used to compromise SSL/TLS security solutions,” said an Apple spokesperson. “We are working closely with these developers to quickly get their apps back on the App Store, while ensuring customer privacy and security is not at risk.” The mechanism is worth spelling out: once a root certificate is in the device’s trust store, whoever holds its private key can issue a certificate for any hostname that the device will accept, so HTTPS traffic can be decrypted and re-encrypted in transit. That is how such apps filter ads inside encrypted sessions, and also why the same root would serve an attacker who obtained the key. [CNET]

WW – Apple Pulls Some Ad- and Content-Blocking Apps Over Privacy Concerns

Apple has removed several ad- and content-blocker apps from its App Store after they were found to install root certificates that could be used by third parties to access user information. The root certificates could be used to monitor data, which “could be used to compromise SSL/TLS security solutions.” A practical check on any device is to review the installed certificate profiles and remove every root the user did not knowingly add; an app that needs one to block ads is, by construction, able to read everything else too. [InformationWeek] [ArsTechnica] [The Register] [ComputerWorld] [CNET] [eWeek]

US – Senators Criticize W3C Do-Not-Track Approach

Sens. Ed Markey (D-MA), Al Franken (D-MN) and Joe Barton (R-TX) have sent a letter to the World Wide Web Consortium criticizing its approach to its do-not-track (DNT) standards. In the letter, the senators contend that the DNT definition will not protect users’ privacy and that “first-party” sites should not be able to collect data from users who opted out of web tracking. “We believe that both first and third parties should be held to high standards that respect privacy and promote competition online,” they write. Additionally, the different standards for first and third parties “gives certain companies … an exemption from what could serve as an important consumer protection and an unfair advantage over companies that better honor consumer rights and expectations.” [MediaPost]

WW – No-Tracking Search Engine Gets $9M from Investors

Swiss-born search engine Hulbee, which has received $9 million from investors, aims to become a “pro-privacy alternative to mainstream search engines.” Unlike other search engines, “it does not track users,” the report states. “It’s competing with other search players in the pro-privacy space,” promising untracked ads as well. According to Hulbee CEO Andreas Wiebe, “Ads on Hulbee are targeted based on the search query, so there’s no geotargeting or cumulative tracking,” the report states. “Hulbee doesn’t fall back on surveillance, so there’s no geotargeting,” Wiebe said. “For Hulbee, the user is completely invisible … We recognize that most consumers do not want to be tracked.” The system has been available in the U.S. since August. [Tech Crunch]

WW – Zombie Cookie Privacy Concerns Come Back To Life

Verizon plans to give AOL access to information gathered through its “zombie cookie,” a tracking identifier the carrier inserts into subscribers’ unencrypted web traffic on its own network, which is why clearing browser cookies does not remove it and why it is absent from HTTPS connections. “That means AOL’s ad network will be able to match millions of Internet users to their real-world details gathered by Verizon,” the report states, adding that “AOL will also be able to use data … to track the apps that mobile users open, what sites they visit and for how long.” The move has alarmed privacy advocates. “It’s an insecure bundle of information following people around on the web,” said Deji Olukotun of Access. Verizon disagrees. The information will go to “a very limited number of other partners and they will only be able to use it for Verizon and AOL purposes,” said Verizon’s Karen Zacharia. [Pro Publica]

WW – Google Disputes Claims Its In-Car Entertainment System Spies on Users

Following a report from Motor Trend magazine claiming Porsche had chosen not to use Android Auto in its newest cars because of privacy concerns, Google has denied that the in-car entertainment system spies on users. The report claimed certain pieces of data from the entertainment system are collected and “mailed back to Mountain View, California. Stuff like vehicle speed, throttle position, coolant and oil temperature, engine revs … “ But Google disputed the report, saying, “We take privacy very seriously and do not collect the data the Motor Trend article claims, such as throttle position, oil temp and coolant temp.” [The Guardian]

Other Jurisdictions

WW – Forrester Releases 2015 Data Privacy Heat Map

To help global organizations navigate privacy regulations, which vary from country to country and can conflict with one another, Forrester has published its 2015 Data Privacy Heat Map. The map, initially created in 2010, features in-depth analysis of the laws and cultures of 54 countries. This year’s version includes non-European countries such as Chile, South Africa and Thailand, who’ve each made strides “toward their own comprehensive data privacy regimes,” the report states. Many countries are making changes to align themselves with the pending European data protection regulation, particularly in light of such provisions as the “right to be forgotten” and breach notification laws. [Forbes]

MX – Uptick in Gov’t Data Requests Sparks Worries

Officials and politicians in Mexico are concerned with the number of government surveillance requests and the lack of supervision in place to keep sensitive data away from those who don’t have the appropriate credentials to access it. The number of requests in 2014 for mobile records was up 25%. Privacy advocates “are particularly concerned because of Mexico’s high rate of corruption—it is not uncommon for criminals and security forces to work in concert,” the report states. In addition, a new telecommunications law passed in 2014 could make government surveillance easier, and “just 3% of the data requests made in Mexico got a judicial review.” [SC Magazine]

AU – Telstra Gets Extension; Law Changes Explained

Telstra has received an 18-month extension from the Attorney-General’s Department to ensure the organization’s full adherence to the metadata retention law that is now in effect, a process the company says it has already begun. “We are pleased to say that Telstra is one of the few, if not only, I think, telecommunication providers that has submitted a data retention plan and had it approved by the government,” said Telstra’s Catherine Livingstone. “We are organised to do this and we will implement it over 18 months, and of course, we will work with the government following through on their undertaking to reimburse us for the costs incurred.” Meanwhile, The Sydney Morning Herald breaks down the new data retention changes. [International Business Times]

AU – OAIC Still Protecting Privacy as Staff Dwindles

The government’s decision to significantly defund the Office of the Australian Information Commissioner (OAIC) is troubling as “the privacy functions of the OAIC have arguably never been more important, and it has now been tasked with an even greater responsibility to oversee parts of the mandatory data retention scheme.” Those behind the scenes argue the shortage of funding stems from government displeasure with freedom of information. Regardless, Privacy Commissioner Timothy Pilgrim argues that although “the team (is) somewhat diminished in size” it is “no less committed, is now doing more than ever … to enforce Australians’ privacy and freedom of information rights,” the report states. Meanwhile, the OAIC plans to release telecommunication companies’ audit results. [The Guardian]

RO – President Signs “Big Brother” Law

Under a new law signed by Romanian President Klaus Iohannis, state authorities will soon be able to access such information as “phone-call metadata, equipment IDs and localization.” The controversial law, which Romania’s media has named “Big Brother,” provides a right to access data stored by Internet providers and telecoms. “Now, it just needs to be published in the Official Journal of Romania to come into effect three days later,” the report states. The Romanian Association for Technology and Internet’s Bogdan Manolea said, “Although it is not a data-retention law, the quality of the legal text raises more questions than answers.” [ZDNet]

Privacy (US)

US – Tech Giants Press Congress to Give EU Citizens Privacy Rights

A group of large U.S.-based technology companies have sent a letter to U.S. House of Representatives leadership urging them to pass the Judicial Redress Act, a bill that would extend certain privacy protections to EU citizens. The letter states that such a bill “is a critical step in rebuilding the trust of citizens worldwide” and that restoring “that trust is essential to continued cross-border data flows…” Meanwhile, the Computer & Communications Industry Association is opposing the Cybersecurity Information Sharing Act (CISA). Similarly, the American Library Association has said CISA would let federal intelligence agencies spy on people using library computers. [The Hill] [US – Google, Facebook, and Microsoft Stick a Bomb Under Hated CISA Cyber-Law] See also: [US – Candidates Need To Get Privacy Right]

US – Cartoon Network Cleared of VPPA Violation

The 11th Circuit Court of Appeals has ruled that Cartoon Network (CN) didn’t breach the Video Privacy Protection Act (VPPA). Plaintiffs had alleged their mobile information was tracked and shared when they used CN’s mobile app in violation of the VPPA. However, the court found that “downloading an app for free and using it to view content at no cost is not enough to make a user of the app a ‘subscriber’ under the VPPA, as there is no ongoing commitment or relationship between the user and the entity which owns and operates the app,” the opinion states. [The Hollywood Reporter]

Privacy Enhancing Technologies (PETs)

US – HP and 3M to Integrate Privacy Screens into Laptops

HP and 3M say they will integrate privacy screens into some laptops by next year. The feature will let users, with the push of a button, make the display appear black to anyone looking at it from the side. “Currently, ensuring privacy in cramped quarters is usually handled by installing a clumsy plastic sheet that narrows the field of view to only the person directly in front of the computer.” “If you’re on the side, you see black. But when you have to peel off that screen when it’s time to show off your PowerPoint, they often get dinged up and lost,” the report states. [PCWorld]

WW – Silent Circle Focusing on Businesses, Not Consumers

Silent Circle Co-Founder and encryption guru Phil Zimmerman says that “People want their privacy for free,” and because of that, the company, which makes the privacy-protective Blackphone, is now focusing its sales efforts on businesses handling sensitive data instead of the consumer market. Instead, the company is looking to sell the Blackphone to large enterprises to help protect sensitive personal information, trade secrets and other communications because organizations “are operating in an environment where they’re under attack from hackers.” Meanwhile, the White House has said it will not ask Congress to pass a law requiring companies to decrypt communications data. FBI Director James Comey said, “The administration has decided not to seek a legislative remedy now, but it makes sense to continue the conversations with industry.” [Motherboard]

WW – Apple Acquires Privacy-Sensitive AI Start-Up

Apple has acquired artificial intelligence (AI) start-up Perceptio, a company known for building AI systems on smartphones without having to share large quantities of user data. According to the report, Perceptio aims to run AI image-classification systems on mobile devices without the assistance of external data, fitting in with Apple’s goal of limiting customer data usage. Apple’s Colin Johnson said, “Apple buys smaller technology companies from time to time, and we generally do not discuss our purpose or plans.” Last week Apple said it had acquired a UK-based start-up specializing in technology that allows “Siri-like personal assistants” to carry on longer conversations with users. [Bloomberg Business]

RFID / IoT

US – Pilot Program Aims to Use Smart Beacons to Track Riders Who Opt-In

A pilot program has been launched by a private contractor to track riders of Massachusetts public transit. The program’s aims are to “improve the rider experience” and help advertisers with the Massachusetts Bay Transportation Authority system “increase engagement and interaction with commuters,” by using a “secure, closed network of Gimbal Bluetooth Smart beacons” that the contractor—called Intersection—says won’t collect personally identifiable information. Riders would only be tracked if they opt in to an app that would allow for the tracking of the beacon’s signal. [NetworkWorld]

US – Insurance Companies Pair With Smart Products to Monitor Homes

Insurance companies are partnering with companies that offer smart products for homes to “get their foot in the door.” American Family Insurance, Liberty Mutual and Bloomington-based State Farm have recently paired with such companies as Google and Nest to offer policyholders discounts on their home insurance in exchange for using the devices. But not everyone thinks that’s a great idea. “These are double-edged products,” said Bob Hunter, insurance director for the Consumer Federation of America. “If properly controlled for privacy and only installed with the policyholder’s permission and total transparency, they can make a home safer … but without strict protections, these could be a threat to a family’s privacy and intimacy.” [Chicago Tribune]

US – Committee Proposal Would Create Civil Penalty for Car Hacks

The House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade has proposed a requirement that vehicle manufacturers state their privacy policies and have proposed civil penalties of up to $100,000 for the hacking of vehicles. The lawmakers suggest the National Highway Traffic Safety Administration establish an Automotive Cybersecurity Advisory Council to develop cybersecurity best practices for U.S. car manufacturers. The “staff draft” released ahead of a hearing on the topic next week recommends manufacturers be required to have “reasonable measures” in place to protect driver information against hacks or face penalties of “not more than $5,000 per day.” [IDG News Service]

US – New Fridge Can Track Your Beer Supply

Internet-of-Things (IoT) technology continues its rapid growth, moving into the beer-tracking game. Bud Light, along with the National Football League, has introduced a new connected fridge that tracks and discloses real-time data on a consumer’s beer supply and temperature. The technology could eventually provide location to allow for home delivery. The fridge is currently only available in California. Meanwhile, California Gov. Jerry Brown has signed a first-in-the-nation bill mandating that smart televisions provide users with prominent notice during the initial setup that voice recognition technology is being used. AB1116 also prevents manufacturers and other third parties from using or selling recorded conversations for advertising. Privacy advocates are still concerned that collected data could be used to profile users, the report states. [MediaPost]

Security

US – FTC Launching Data Security Initiative

Several Federal Trade Commission (FTC) officials shared their views and concerns on recent developments in privacy at the IAPP Global Privacy Summit, and Bureau of Consumer Protection Director Jessica Rich said the agency is set to launch “Start with Security” to provide businesses with resources, education and guidance on data security. Jedidiah Bracy highlights the details on the program Rich and FTC Chairwoman Edith Ramirez shared at the event, the four trends Commissioner Julie Brill said the FTC is looking at and reactions from the FTC on the Obama administration’s proposed Consumer Privacy Bill of Rights. [Full Story] See also: [Is Your Company Ready for FTC Oversight of Data Security?]

US – New Cybersecurity Guidance Released by NYSE

The New York Stock Exchange (NYSE) published a new 355-page cybersecurity guidance with “46 chapters written by more than 35 contributors across security, business and government,” an offering that is touted by the NYSE as the “definitive cybersecurity guide for directors and officers” of public companies. It “covers such topics as board obligations and action plans, how CEOs can ask better questions, how to protect trade secrets, as well as consumer protection and incident response,” the report states. “No issue today has created more concern within corporate C-suites and boardrooms than cybersecurity risk,” said NYSE President Tom Farley in the publication’s introduction. “No company, region or industry is immune, which makes the responsibility to oversee, manage and mitigate cyber risk a top-down priority in every organization.” [Market Watch] See also: [FTC Security Workshop Next Stop: Austin]

US – New Protective Service Announced as Breach Reports Persist

Visa and FireEye have once again become allies on the breach protection front with the announcement of a protective service, Visa Threat Intelligence. “The subscription-based service includes a web portal where Visa clients can share and view cyber intelligence, forensic threat analysis from recent data breaches and information on malicious software,” the report states, noting, “According to Visa, the ultimate goal with the program is to identify a breach, or a potential breach, before data can be used or compromised.” Meanwhile, SC Magazine reports on a breach involving America’s Thrift Stores, and a new report from Accenture suggests breaches in “the next five years will cost U.S. health systems $305 billion in cumulative lifetime revenue.” [ZDNet]

US – Group Urges FCC to Mandate Better Router Security

In a letter to the FCC, a group of more than 260 global Internet thought-leaders, including former FCC Chief Technologist Dave Farber and Internet co-inventor Vinton Cerf, unveiled an alternative plan to improve the security of WiFi routers. The proposal is in response to newly proposed FCC rules as disclosed in ET Docket No. 15-170. Farber said, “Today there are hundreds of millions of WiFi routers in homes and offices around the globe with severe software flaws that can be easily exploited by criminals. While we agree with the FCC that the rules governing these devices must be updated, we believe the proposed rules laid out by the agency lack critical accountability for the device manufacturers.” [Business Wire] See also: [FCC’s Privacy Regulation “Troubling,” House Republicans Argue]

US – Post-Ashley Madison Breach, Companies Turn to Cyberinsurance

The Canadian Press reports that several high-profile data breaches, most notably the Ashley Madison hack, are prompting companies to turn to cyberinsurance. Deloitte Director of Technology Research Duncan Stewart said, “The number of attacks are rising, the severity is rising, and when they come, they’re more difficult to deal with.” Stewart also said such insurance is now part of the cost of doing business, the report states. He also asked, “You wouldn’t own a factory and not have fire insurance, so why would you think about not having cyberinsurance?” [Full Story]

US – Lack of Data Puts Cyberinsurance Companies in a Bind

Breached businesses are frequently reticent about their experiences, and that has prevented the cyberinsurance industry from having the necessary data to both “accurately predict the risk of a breach” and determine rates. Besides employing computers to forecast risk—a process that is “totally at its infancy,” said George Washington University’s Costis Toregas—another option is a Department of Homeland Security-backed “third-party repository“ of such information, the report states. “The unlocking of the potential market into the hundreds of billions of dollars will happen when they either develop a comprehensive kind of statistical base of losses or some strong models that can tell them with some level of confidence,” Toregas added. [Nextgov] [NYT Features Special Section on Security, Privacy]

US – Breach Insurance Policies Costing a Pretty Penny

As breaches multiply, so have the rates of insurers’ “cyber premiums.” “On top of rate hikes, insurers are raising deductibles and in some cases limiting the amount of coverage to $100 million, leaving many potentially exposed to big losses from hacks that can cost more than twice that,” the report states. “Average rates for retailers surged 32% in the first half of this year, after staying flat in 2014,” the report continues. And size doesn’t matter: “Even the biggest insurers will not write policies for more than $100 million for risky customers,” the report states, noting, “That leaves companies like Target, which says its big 2013 data breach has cost $264 million, paying out of pocket.” [Reuters] [Cyber Insurance Rates To Skyrocket]

Smart Cards

HK – Cards Recalled After Security Flaw Discovered

After a security vulnerability was found in credit cards “that allows holders’ names to be read by unauthorised sources when they make contactless payments,” the Hong Kong Monetary Authority (HKMA) called for seven banks to “recall or replace” said cards. “Some of the cards issued by the seven banks do not fulfil the HKMA requirements set up in 2012 regarding contactless payment,” an authority spokesperson said. “Namely, the bank must ensure that the data stored in the card and transferrable via contactless payment must include only information essential for transaction, and not include the user’s full name.” The breach was reported to the Office of the Privacy Commissioner for Personal Data as it “may involve a leak of nonessential personal data,” the spokesperson added. [SCMP]
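An added example of the check the HKMA is describing (example code, not the HKMA’s or any bank’s): an EMV card answers READ RECORD with BER-TLV data, and the cardholder name lives in tag 5F20 (9F0B for the extended form), while the PAN (5A), expiry (5F24) and Track 2 equivalent data (57) are what the terminal actually needs to authorise a payment. The parser below decodes a captured record and flags the non-essential tags. Both sample records are constructed, with a fictitious cardholder and the standard 4111… test PAN; obtaining the record from a real card over ISO 14443 (SELECT, GET PROCESSING OPTIONS, READ RECORD) is outside this snippet.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

// TLV is one BER-TLV element of an EMV record (EMV Book 3, Annex B).
type TLV struct {
	Tag      string // upper-case hex, e.g. "5F20"
	Value    []byte
	Children []TLV // populated for constructed tags such as template 70
}

// ParseTLV decodes a BER-TLV byte string, recursing into constructed elements.
func ParseTLV(b []byte) ([]TLV, error) {
	var out []TLV
	for i := 0; i < len(b); {
		if b[i] == 0x00 || b[i] == 0xFF { // inter-element padding
			i++
			continue
		}
		start := i
		constructed := b[i]&0x20 != 0
		if b[i]&0x1F == 0x1F { // multi-byte tag: continues while bit 8 is set
			i++
			for i < len(b) && b[i]&0x80 != 0 {
				i++
			}
		}
		i++
		if i >= len(b) {
			return nil, fmt.Errorf("truncated tag at offset %d", start)
		}
		tag := strings.ToUpper(hex.EncodeToString(b[start:i]))
		n := int(b[i]) // length: short form < 0x80, else 0x8N followed by N bytes
		i++
		if n&0x80 != 0 {
			nb := n & 0x7F
			if nb == 0 || nb > 3 || i+nb > len(b) {
				return nil, fmt.Errorf("bad length encoding for tag %s", tag)
			}
			n = 0
			for j := 0; j < nb; j++ {
				n = n<<8 | int(b[i+j])
			}
			i += nb
		}
		if i+n > len(b) {
			return nil, fmt.Errorf("value of tag %s overruns the record", tag)
		}
		el := TLV{Tag: tag, Value: b[i : i+n]}
		if constructed {
			kids, err := ParseTLV(el.Value)
			if err != nil {
				return nil, err
			}
			el.Children = kids
		}
		out = append(out, el)
		i += n
	}
	return out, nil
}

// Find returns the first element with the given tag, searching nested templates.
func Find(els []TLV, tag string) (TLV, bool) {
	for _, e := range els {
		if e.Tag == tag {
			return e, true
		}
		if c, ok := Find(e.Children, tag); ok {
			return c, true
		}
	}
	return TLV{}, false
}

// nonEssential are tags a contactless reader can pull that the terminal does
// not need to authorise the payment; the HKMA rule quoted above targets the name.
var nonEssential = []struct{ tag, name string }{
	{"5F20", "Cardholder Name"},
	{"9F0B", "Cardholder Name Extended"},
}

// Audit lists non-essential personal data found in a captured READ RECORD response.
func Audit(record []byte) ([]string, error) {
	els, err := ParseTLV(record)
	if err != nil {
		return nil, err
	}
	var findings []string
	for _, t := range nonEssential {
		if e, ok := Find(els, t.tag); ok {
			findings = append(findings, fmt.Sprintf("%s %s = %q", t.tag, t.name, e.Value))
		}
	}
	return findings, nil
}

// Constructed sample records (fictitious cardholder, well-known test PAN): a
// template 70 holding Track 2 equivalent data (57), PAN (5A), expiry (5F24)
// and, in the first record only, the cardholder name (5F20).
var (
	LeakyRecord     = mustHex("702E" + "57114111111111111111D2512101000000000F" + "5A084111111111111111" + "5F2403251231" + "5F2008444F452F4A414E45")
	CompliantRecord = mustHex("7023" + "57114111111111111111D2512101000000000F" + "5A084111111111111111" + "5F2403251231")
)

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	fmt.Println(Audit(LeakyRecord))
	fmt.Println(Audit(CompliantRecord))
}
```

Note what the “compliant” record still exposes: PAN, expiry and Track 2 data are readable by anyone who taps the card, because the contactless interface has to hand them to a terminal. The HKMA requirement narrows the leak to what the transaction needs; it does not make the card unreadable.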

Surveillance

CA – ‘Orwellian’ Surveillance System Monitors All [Cell] Phones on Prison Grounds

Correctional Service Canada is using advanced surveillance technology to record the phone calls and texts of not just inmates, but anyone within range. The technology, which is similar to the “stingrays” used by police in the United States, intercepts calls and texts coming from inside the prison, its parking lot, grounds and possibly even the surrounding area. In a memo, Warkworth’s warden Scott Thompson wrote that after a number of deaths and overdoses, he asked Correctional Service Canada to install the technology to help catch contraband. “Unfortunately, I knew that by trying to intercept what the inmates were doing, I would also be provided with information about cellular devices being used in noninmate areas.” [Toronto Star]

CA – Ontario IPC Releases Surveillance Guidance

The Information and Privacy Commissioner of Ontario (IPC) published Guidelines for the Use of Video Surveillance in an attempt to regulate the use of surveillance and protect user privacy, the agency said in a statement. “Video footage captured by cameras is regularly used to assist in the investigation of wrongdoing,” the IPC report states. “However, the use of these surveillance technologies can put individuals’ privacy at risk. Therefore, it is important to carefully consider both whether it is appropriate to install video surveillance and how it is used.” The guidelines cover everything from “appropriate retention periods” to “notices of collection” while aiming to blend old guidance with new. “By following these guidelines, institutions can use video surveillance technologies, while protecting individuals’ privacy in accordance with their obligations under Ontario’s privacy legislation,” the report notes. [Full Story]

WW – New CCTV Cameras Surveil and Protect Privacy

Canon is experimenting with new CCTV technology that provides certain privacy protection but still records individuals in specific restricted areas. In recent demos by the company, new surveillance cameras can be programmed to watch restricted areas while blocking out individuals outside that area. Any images outside the restricted area are processed into a “pale green ghost.” Traditionally, cameras are aimed at a restricted area, but often capture peripheral images of people walking by. Canon’s new camera would avoid that, thereby helping it comply with some local privacy laws around the world. [PC World]

US – DHS Detains, Forces Mayor to Hand Over Passwords

Returning from a conference overseas, Stockton, CA, Mayor Anthony R. Silva was detained by representatives of the Department of Homeland Security who not only confiscated his electronics but also made his ability to leave their custody dependent on disclosure of the devices’ passwords. “Unfortunately, they were not willing or able to produce a search warrant or any court documents suggesting they had a legal right to take my property,” Silva said. Additionally, the mayor was informed that he had no right to have a lawyer present, the report states. “I think the American people should be extremely concerned about their personal rights and privacy,” Silva said. Anonymous sources allege his detainment was in connection to an ongoing probe, the report states. [Ars Technica]

WW – UL Working on Wearable Security, Privacy Standard

UL, formerly known as Underwriters Labs, will soon certify the safety and security of wearables and other Internet-of-Things (IoT) devices. The company, which is better known for certifying appliances for electrical safety, is currently developing draft security and privacy requirements for IoT devices and expects to launch the program in early 2016. “When we think of how wearables are used, there are a lot of different implications for security,” said UL Principal Engineer for Medical Software and System Interoperability Anura Fernando, adding UL aims to “begin to raise the bar for how security should be addressed … and establish a minimal baseline for what should be addressed much like we did with electricity 120 years ago.” [Computerworld]

Telecom / TV

US – Wireless Industry Issues New Privacy Commitments

The Wireless Association, based in Washington, DC, has issued a set of voluntary antitheft commitments for device manufacturers with the intent to protect user data while limiting the theft of smartphones. Nearly 20 wireless providers have now agreed to implement an antitheft tool, either preloaded or downloadable, to remotely wipe user data in cases of smartphone theft. The agreement also states that phones made after July 2016 will provide users with tools to disable the antitheft technology and use one of their choice. According to the report, smartphone thefts are down, likely because of password protection. [ABC News]

US Government Programs

US – Audit Finds Some IRS Systems Dangerously Decrepit

According to a recent Treasury Inspector General for Tax Administration (IG) audit, some Internal Revenue Service (IRS) systems are vulnerable to data theft due to out-of-date technology. “We believe that running workstations with outdated operating systems poses significant security risks to the IRS network and data, particularly in the environment where a chain is only as strong as its weakest link,” the IG said. However, the IRS said it has made changes “to dramatically increase the velocity of upgrades while minimizing risks and costs.” The IRS also cited budget restrictions as a hindrance to technological advancement. The Obama administration has asked for a $242 million cybersecurity allotment for the IRS in its proposed 2016 budget. [The Hill]

US – Defense Department Contractors Must Report Breaches

A new rule requires many US Department of Defense (DoD) contractors to report “cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system.” The rule applies to the more than 100,000 contractors in the DoD’s Defense Industrial Base information sharing network. [The Hill] [NBC News] [Federal Register]

US Legislation

US – California Amends Definition of Personal Identifiable Information and Breach Notification Content Requirements

On October 6, 2015, California Governor Jerry Brown signed into law several changes to California’s Data Breach Notification Statute. The law, as amended, adds additional categories of information into the definition of Personal Information, such as licence plate numbers, new content requirements for data breach notifications (together with a new form that when used properly will be deemed compliant with the new requirements), and a new definition of “encryption.” The amendment becomes effective as of January 1, 2016. [Mondaq News]

US – California Governor Signs CalECPA Into Law

California Gov. Jerry Brown signed into law the California Electronic Communications Privacy Act (CalECPA), making California “the first (state) to enact a comprehensive law protecting location data, content, metadata and device searches,” Nicole Ozer, technology and civil liberties policy director at the ACLU of California told WIRED. Privacy advocates are applauding its passage, and the Electronic Frontier Foundation calls it a “significant milestone in the campaign to update computer privacy laws, which have been stuck in the 1980s,” adding it hopes the move “will lend momentum to the federal Electronic Communications Privacy Act.” [IAPP]

US – New California Law Requires Warrant to Use Stingray

California Governor Jerry Brown has signed into law a bill that requires law enforcement to obtain a warrant prior to using cell-site simulators, often referred to as stingrays. The California Electronic Communications Privacy Act has been described as having a broad scope; it does not apply to specific technologies but instead aims to protect citizens’ digital privacy. [Ars Technica]

US – House Passes Bill Calling for DHS Strategy

The House of Representatives has passed a bill “demanding that the Department of Homeland Security (DHS) develop a formal cybersecurity strategy.” The bill outlines DHS’s responsibilities for a strategy to facilitate a hub that would allow for data-sharing on federal and civilian cyber-threats. It would also require DHS to provide technical assistance and damage mitigation for organizations that suffer hacks and breaches. Meanwhile, a congressman whose data was reportedly stolen in the Office of Personnel Management hacks says his data is now being used in identity-theft attempts. [Press TV]

US – Other Legislative News

+++

16-30 September 2015

Biometrics

US – OPM Confirms 5.6 Million Fingerprints Stolen in Hack

The government now says the number of compromised fingerprints illegally accessed in the second hack of the Office of Personnel Management (OPM) is five times higher than originally thought. The government originally reported that 1.1 million fingerprints were stolen, but now the number has gone up to 5.6 million, the Department of Defense and OPM have said. The investigation of the breach by both agencies “identified archived records containing additional fingerprint data not previously analyzed,” the OPM stated. The agency downplayed the threat of the compromised biometric data, but said, “If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach.” [Reuters] [Why OPM Hackers Wanted Fingerprints]

Big Data

US – UCLA Project Tackles Data

The next scholastic foray for Christine Borgman, the distinguished professor and presidential chair in information studies at UCLA, involves interdisciplinary data use and how the subject of the data impacts how it is handled, “with the aim of simplifying the complexities of data practices and challenging prevailing assumptions about the value of sharing data.” The “If data sharing is the answer, what is the question?” project aims “to provoke a much fuller and more comprehensive conversation about the diversity of data and practices, the infrastructure required to support them and the roles and responsibilities of varied stakeholders,” said Borgman, who has also written a book on the subject. [UCLA’s Newsroom]

WW – Is Data-Driven Sales Tech Crossing the Creepy Line?

Data-driven sales tools use predictive analytics and automation to help generate more effective sales. Burgeoning technological tools are helping companies determine those most likely to make a purchase, for example. A number of start-ups interested in automating sales departments have accumulated around $400 million in venture capital in the last two years, the report states, but some of the tools “seem creepy,” allowing salespeople, in one example, to see when a potential client reads an email and for how long the client lingers, so the salesperson can follow up during a time of potential peak interest. Meanwhile, the Center for Digital Democracy and the U.S. Public Interest Research Group are asking the FTC to protect consumers from unfair lead-generation practices. [The Wall Street Journal]

WW – Data Should Be Accessible, But Not Too Accessible

Citing an education study in which researchers were able to examine the tax returns of students to gauge their future success, scientists and privacy advocates discuss what the balance of data access and privacy ought to be. “There is … concern that the rush to use these data could pose new threats to citizens’ privacy,” the report states. “The types of protections that we’re used to thinking about have been based on the twin pillars of anonymity and informed consent, and neither of those hold in this new world,” said New York University’s Julia Lane, adding, “Difficulty in access is a feature, not a bug … It should be hard to get access to data, but it’s very important that such access be made possible.” [Nature]

WW – Behavioral-Based Premiums Make Privacy Community Nervous

Swiss health insurance company Dacadoo’s controversial consideration of upping premiums for the lazy has the privacy community examining the move’s potential impact. “There’s no solidarity if someone who does a lot of sports and takes care of their health has to pay the same high premiums as someone who smokes, drinks and drives and does not play sports,” said Dacadoo’s Peter Ohnemus. His words point toward a U.S. trend, the report states, noting, “The proliferation of Internet-of-Things devices is already creating a market for data that could give companies more insight into the behavior of their customers—or, in the case of insurance firms, on whom to place bets.” [Ad-Age]

WW – Industry 4.0 Emphasizes IoT, Data Security

A Boston Consulting Group primer looks at the nine pillars of Industry 4.0, or “the next phase in manufacturing, known as the post-information revolution.” The pillars span everything from cybersecurity and the Internet of Things to the cloud and big data, “all of which IT professionals must understand in order to effectively compete in the next 10-20 years,” the report states. The future of technology must include a discussion on ethical implications as well, Lisa Morgan writes for Information Week, noting, “while organizations usually have stated privacy policies, more could be done to ensure the ethical use of data.” Meanwhile, UNESCO also considered Internet ethics during its recent consultation, West Indies News Network reports. [Business to Community]

WW – Privacy and the Rise of Artificial Intelligence

Here are the latest developments from IBM’s artificial intelligence system, better known as Watson. “I have seen the future, and it is a world of unparalleled convenience, untold marketing opportunities and zero privacy,” writes James Niccolai. The catalyst for his report is a recent event held by IBM to share what will become available to developers for constructing smarter, “cognitive” applications. With the dramatic rise in data collection, artificial intelligence will play a significant role in weeding through and making sense of the “mountains of information” to “make decisions we can no longer arrive at through traditional programming,” Niccolai writes, adding, “This isn’t big data; it’s gargantuan data.” [IDG News Service]

Canada

Lawmakers in Ontario tabled Bill 119, which would amend the Personal Health Information Act. The amendments aim to require breach reporting, loosen rules around prosecution and double fines for “snooping” by healthcare workers.

In a recent ruling, BC’s Court of Appeal has limited police access to text messages.

Consumer

WW – Apple: User Experience Shouldn’t Be At Privacy’s Expense

Apple CEO Tim Cook published an open letter decrying corporations that offer their services for free while, in turn, utilizing user information for advertising profit, a move some believe to be a shot at its competitors. “A few years ago, users of Internet services began to realize that when an online service is free, you’re not the customer. You’re the product,” wrote Cook. “But at Apple, we believe a great customer experience shouldn’t come at the expense of your privacy.” The letter was released with information on Apple’s privacy policy “to explain how we handle your personal information, what we do and don’t collect and why,” Cook added. [Fortune]

US – Survey Shows Consumer Security Concerns

A Parks Associates study, Privacy and Big Data: Safeguarding Consumers, indicates that Internet-of-Things security concerns are rampant among Americans, with 40% specifically concerned about the vulnerability of their smartphones. “Big data offers tremendous opportunities to enhance every aspect of business operations, but it carries a whole new level of liability and responsibility,” Parks Associates’ Brad Russell said in a media release. “Service providers, manufacturers and app developers can all build personalized value-added services based on the data generated by these devices, but first consumers need to have the confidence to use these devices. Security is the price of big data benefits.” [EINews]

WW – In-Store Tracking Continues to Grow

Retailers’ use of mobile phone-tracking continues to grow in popularity. Gleaning data in this fashion has been “cheap and easy to install, gave us continuous live data streams and had the least security and data protection issues,” said Bernard Marr, who used such tracking “to help a client understand some basics about shopper behavior in retail stores,” the report states. Indeed, “in the U.S., there is very little comprehensive regulation of privacy and data collection by nongovernmental entities,” one attorney notes, while another, Paul Lanois, points out, “If enough data can be tied to an identifier over the course of time, then it would be possible of course to identify the user of the device.” [Forbes]

US – Ads That Smile Back and Big Data in the Air

Coffee company Bahio utilized a Microsoft Kinect camera in its ads to collect 42,000 facial responses. Eventually, after scanning multiple faces, “the images and taglines changed to reflect viewers’ reactions,” the report states. While critics argue that “ads like these further erode individual privacy and consumers’ ability to choose who gets their data,” David Cox of M&C Saatchi, one of the companies that developed the ad technology, disagrees. “Each interaction is given a number; that’s it,” he said. “We’re trying not to be creepy.” Meanwhile, SmartDataCollective reports that for airlines, “trillions of calculations are being number-crunched to transform this goldmine of data opportunity into real, tangible high revenue opportunities for the airlines and their frequent flyer programs.” [Quartz]

WW – “Siri, Are You Keeping My Secrets?”

Apple’s iOS release and the digital assistant therein is giving privacy advocates pause. Users no longer need to press a button to ask “Siri” a question; instead, the phone constantly listens to conversations, waiting for an opportunity to assist with things like directions—or even to tell a joke. “When you enter the realm of always-on devices, there are real privacy implications that need to be addressed,” said Marc Rotenberg of the Electronic Privacy Information Center. Even if the user consents, he added, those nearby may not agree “to the routine recording of everything they might say.” [The Washington Post]

E-Mail

WW – Google Unveils Opt-Out, Auto-Spam Features

Google has unveiled two new features for Gmail. The “block sender” function allows users to block people from sending emails by automatically sending blocked emails to the spam folder. The unsubscribe feature allows users to stop receiving promotional emails without dealing with the typical “why are you leaving?” process involved in unsubscribing, essentially overriding the opt-out mechanism provided by the company sending the email. While typically that company would be responsible for the consent function, this feature changes that. The unsubscribe feature is available on Gmail’s updated Android app, the report states, but iOS users don’t have access yet. [Wired]

Encryption

US – Working Group Considers Ways to Access Encrypted Data

An Obama administration working group has come up with four possible approaches that tech companies could implement that would allow law enforcement to access encrypted data. Each of the methods could be implemented, but each also has shortcomings. [Washington Post] [Washington Post] [SCMagazine]

US – White House Had Explored Smartphone Encryption Workarounds

Behind-the-scenes attempts by an Obama administration working group to get tech companies to provide law enforcement with access to encrypted communications technology have come to light. Although the group said the four approaches it identified were “technically feasible,” each had drawbacks, too. According to senior officials, the potential solutions were not intended as “administration proposals” for fear of blowback, the report states. The National Security Council’s Mark Stroh said the administration “continues to welcome public discussion of this issue as we consider policy options.” While the group did not offer technical solutions, it did include guiding principles—two of which included no bulk surveillance and no “golden keys” for government access. [The Washington Post] See also: [The White House has indicated it will not seek legislation to mandate backdoors to encrypted communication services]

US – NSA Director Agrees that Encryption Key Copies Increase Likelihood of Breaches

During a Senate Intelligence Committee hearing on Thursday, September 24, NSA director Admiral Michael Rogers acknowledged that if the government holds encryption keys, there is a significantly higher risk of data breaches. Rogers was responding to a question from Senator Ron Wyden (D-Oregon). [VentureBeat]

WW – Let’s Encrypt Issues its First SSL/TLS Certificate

Let’s Encrypt, the free open source certificate authority (CA), signed its first certificate earlier this week. The project is currently in beta status. [ZDNet] [The Register] [ComputerWorld]

WW – Encryption Now a Part of Internet.org

Internet.org, Facebook’s free web services platform for developing countries, now boasts encryption—a 180-degree turn from May announcements that the program would operate without it. “Internet.org is pledging not to store any data on how people actually use the services,” the report states. “In its new data retention policy, the service promises to only store domain name information and the amount of data used, along with device information that would be visible even if the traffic were encrypted.” While “more detailed information will still be visible to Internet.org,” the report adds, “the platform says it won’t collect that data.” [The Verge]

EU Developments

EU – Safe Harbor Invalid, Says Top EU Court’s Advocate General

There has been a major development in the closely watched Schrems v Data Protection Commissioner case now in front of the European Court of Justice (ECJ): The ECJ’s Advocate General, charged with providing reasoned and impartial opinions to the court for its consideration, has delivered an opinion saying not only that the Irish Data Protection Commissioner has the right to investigate Facebook’s data transfers regardless of the Safe Harbor agreement, but also that the Safe Harbor agreement itself is “invalid,” due to the law-enforcement access to EU citizen data revealed by Edward Snowden. Denis Kelleher writes for Privacy Tracker about why this makes the Schrems case very interesting, indeed. [IAPP.org] See also: [BCRs Looking Good After Safe Harbor Opinion? Here’s Some Help]

EU – Schrems Reacts to Advocate General’s Opinion

It’s been a long road for Austrian student Max Schrems’ group Europe v. Facebook, but today, Schrems is celebrating. European Court of Justice (ECJ) Advocate General Yves Bot has issued his opinion in a case originally filed by Schrems alleging the U.S. National Security Agency collected Europeans’ data via Facebook in violation of EU law, and it looks like Schrems’ work may not have been in vain. Bot agrees with Schrems, it seems, and his opinion could mean big trouble for data transfers from the EU to the U.S under Safe Harbor—especially without changes to the role mass surveillance systems play in data access. [IAPP.org] See also: [EU What’s Next for Safe Harbor?]

EU – 50 EU Parliamentarians Send U.S. Letter on “Digital Protectionism”

Fifty members of the European Parliament have released an open letter directed at the U.S. refuting claims, including by President Barack Obama, that the EU is engaging in “digital protectionism.” The letter states, “While we admire the dynamism and success of Silicon Valley, we trust in Europe’s ability to foster talent, creativity and entrepreneurship. The acronym ‘GAFA’ is not one we ever use, and we do not see legislation as a way to manage the growth of companies.” GAFA stands for Google, Apple, Facebook and Amazon, and has been used as a term to describe American imperialism, according to a Quartz report from 2014. Meanwhile, MEP Viviane Reding opines on the EU-U.S. Umbrella Agreement. [ZDNet]

EU – Privacy Commission: Don’t Be Intimidated by Facebook

An attorney for the Belgian Privacy Commission told a judge not to be intimidated by Facebook in a case in which the commission is trying to require the company to change its privacy policy for Belgian citizens. “Don’t be intimidated by Facebook,” said a commission official. “They will argue our demands cannot be implemented in Belgium alone,” he said, adding, “Our demands can be perfectly implemented just in this country.” An attorney for Facebook queried, “How could Facebook be subject to Belgian law if the management of data gathering is being done by Facebook Ireland and its 900 employees in that country?” [Bloomberg Business]

EU – CNIL Rejects Google’s RTBF Appeal

The French data protection authority, the CNIL, has rejected an appeal by Google on the so-called right to be forgotten. The CNIL has ordered Google to apply the decision to honor European takedown requests across all its websites, not just EU-based ones. The CNIL wrote, “Contrary to what Google has stated, this decision does not show any willingness on the part of the CNIL to apply French law extraterritorially … It simply requests full observance of European legislation by non-European players offering their services in Europe.” Google, which could now face fines up to $340,000, said it disagrees with the CNIL, adding, “We’ve worked hard to implement the right-to-be-forgotten ruling thoughtfully and comprehensively in Europe, and we’ll continue to do so.” [The New York Times]

EU – Media Orgs Object to CNIL’s May RTBF Order

The Reporters Committee for Freedom of the Press, alongside 29 other U.S. media organizations, sent a letter to French privacy regulators (CNIL) objecting to its May order that Google expand its Right To Be Forgotten delisting to all global iterations of the site. This, said the letter, is an “unacceptable interference with what people in other nations can post and read on the Internet.” The letter, according to the report, comes as CNIL considers whether to appoint a special rapporteur to respond to Google’s refusal to abide by its order. “We want to see the Internet as free and open as possible,” said Reporters Committee Executive Director Bruce Brown. “The order interferes with that.” [Columbia Journalism Review]

Research from Queen Mary University of London’s School of Law and lawyers at Pinsent Masons indicates the General Data Protection Regulation (GDPR) “will require big improvements to organisations’ computer security.”

The GDPR’s implications for protecting employee data is analyzed.

Amendments to Germany’s telecommunications law to meet the need for expanded WiFi access has privacy advocates and others concerned.

Facts & Stats

WW – Security Spending to Top $75 Billion

A new report from Gartner forecasts that security spending across the globe will reach approximately $75.4 billion in 2015, in large part driven by government initiatives, legislation and massive data breaches. “Interest in security technologies is increasingly driven by elements of digital business, particularly the cloud, mobile computing and now also the Internet of Things, as well as by the sophisticated and high-impact nature of advanced targeted attacks,” said Gartner Research Analyst Elizabeth Kim. She also said organizations are investing in endpoint detection, remediation and cloud security tools and threat intelligence. [ZDNet]

US – Getting Data Protection Wrong a Costly Mistake

The cost of post-breach clean-up is growing in severity, and it can act as a powerful motivator for companies to get data protection right. “U.S. businesses didn’t need another reason to get very serious, very quickly, about cybersecurity, but now they have one,” said STEALTHbits’ Jeff Hill. “Add the cost of litigation in an increasingly hostile legal environment to the list of unsettling data breach consequences that already includes reputation loss, customer exodus, embarrassment and federal government fines.” The report comes on the heels of a Kaspersky Lab survey that found small businesses need a budget of at least $38,000 to be able to handle breaches. [InfoWorld]

Filtering

TH – Thai Single Gateway Plan Criticized

Thailand’s government is facing public outcry over its plan to establish a single Internet gateway for the country. Opponents of the plan say it will slow down Internet service and could cause enormous problems if it were to fail. They also noted that it would likely discourage foreign companies from doing business in Thailand. [ZDNet]

Finance

US – New Data Breach Guidance from PCI SSC

The Payment Card Industry Security Standards Council (PCI SSC) has published guidance for organizations to handle data breaches effectively and with minimal financial consequence. “Prevention, detection and response are always going to be the three legs of data protection,” said Stephen W. Orfei, PCI SSC general manager. “Better detection will certainly improve response time and the ability to mitigate attacks, but managing the impact and damage of compromise comes down to preparation, having a plan in place and the right investments in technology, training and partnerships to support it.” The guidance may prove timely for organizations looking to avoid expensive breach claims, which a NetDiligence study found averaged $4.8 million in 2015 for large companies. [Out-Law.com]

WW – Survey: Cybersecurity Experts Happy to Make Mobile Payments Despite Risks

According to a recent survey of 900 cybersecurity experts, 87% expect an increase in mobile payment data breaches over the next 12 months, but 42% have used the payment method in 2015. The 2015 Mobile Payment Security Study by ISACA indicates cybersecurity professionals, while aware of the risks, are willing to balance the benefits of mobile payments, the report states. “ISACA members, who are some of the most cyber-aware professionals in the world, are using mobile payments while simultaneously identifying and contemplating their potential security risks,” said ISACA’s John Pironti in a media release, adding risks shouldn’t slow down mobile payment adoption as long as they are properly managed. [Full Story]

US – SEC Fines Investment Firm $75,000

Missouri-based investment firm R.T. Jones Capital Equities Management has agreed to settle with the SEC and pay $75,000 over charges that it did not have a cybersecurity policy in place prior to a data breach that compromised the personal information of 100,000 individuals. During a four-year period, the firm stored the sensitive data on a third-party server, which was eventually breached in 2013. The SEC alleged the company never had any cybersecurity policies or procedures in place and did not conduct risk assessments or implement any security protections like firewalls or encryption. McDermott Will & Emery’s Eugene Goldman said, “This is the start of a series of similar actions that will be brought this year and next.” [InvestmentNews]

US – EMV Implementation is Chip-and-Signature, Not Chip-and-PIN

As of October 1, 2015, US retailers were supposed to have adopted technology that allows them to accept chip-and-PIN payment cards. The technology, also known as EMV (for EuroPay, MasterCard, Visa), aims to provide stronger security for payment card transactions. However, what has been implemented in the US is chip-and-signature instead of chip-and-PIN. Not requiring cardholders to enter a PIN to verify purchases diminishes the security of those transactions. http://www.wired.com/2015/09/big-security-fix-credit-cards-wont-stop-fraud/ [SC Magazine] [CNET]

FOI

US – UC Berkeley First to Release Transparency Report

The University of California-Berkeley is now the first U.S. university to have published a set of transparency reports on government data requests. The reports outline requests on student, faculty and staff data. Berkeley has stressed the importance of digital privacy on campus for some time. It has 37,000 students and up to 100,000 devices potentially connected to its network at any time. The school sometimes handles law enforcement data requests, and its new report explains how, with processes that include a request form to be reviewed by the school’s privacy office before being approved or denied. [Slate]

Genetics

US – Genetic Database Privacy Questions Remain

A National Institutes of Health (NIH) Advisory Group’s recommendations on the Precision Medicine Initiative (PMI) genetic data database indicate a “thoughtfulness and thoroughness” regarding the project’s privacy sensitivity, but “significant questions” remain, the American Civil Liberties Union’s Jay Stanley writes. “It does not look as though this will be an airtight, privacy-protective system where subjects’ data will be technologically guaranteed private,” Stanley writes, noting “the cybersecurity questions are considerable. A fair amount of trust will have to be placed by participants in those who run this program.” He also recommends PMI “be studied and analyzed closely by privacy advocates.” [Free Future]

Health / Medical

US – Hackers Are Focused on Health; Employee Error Concerns Persist

A Raytheon/Websense Security Labs study has found that health services combat 340% more cyber-attacks than other types of organizations. “It’s clear that with the amount of personally identifiable and proprietary information available and inherent as part of the healthcare industry, it will remain an attractive target to attackers and a potential weak point for untrained employees,” said the survey’s authors. However, a new survey by Scrypt has found that the primary “concern in terms of HIPAA breach potential within healthcare organizations is around staff or human error.” Executive Insight offers tips on getting healthcare security right, with one PR professional noting, “If patient data is breached, the hospital’s reputation is immediately jeopardized.” Meanwhile, a CNN report indicates that some organizations’ wellness programs may not protect employees’ privacy. [FierceHealthIT]

US – Fitbit Now HIPAA-Compliant

Fitbit devices are now HIPAA-compliant. “We have gone through a third-party audit and we are now HIPAA-compliant as an organization,” said Fitbit Wellness Vice President and General Manager Amy Donough, adding that enables the company to “be able to sign business associate agreements and work with covered entities … We’ll be able to more deeply integrate and partner with some of these organizations to be able to have more effective and more engaging wellness programs.” Donough noted that while personal health information isn’t “the information we share or create today … it will become important as we continue to grow.” [MobiHealthNews]

Horror Stories

US – T-Mobile Customer Data Compromised in Experian Breach

A breach of an Experian database affects 15 million US T-Mobile customers. Experian processes credit checks for T-Mobile customers. The compromised data include names and Social Security numbers (SSNs) but not financial account information. The breach affects data collected between September 1, 2013 and September 16, 2015. [The Hill] [The Register] [Wired]

UK – Millions of Nuisance Calls Result in Record Fine

The Information Commissioner’s Office has fined Home Energy & Lifestyle Management (Helms) 200,000 GBP, a record amount, for making six million nuisance calls. “This is a clear breach of the rules. The data controller—the company—has to take responsibility for this,” said Information Commissioner Christopher Graham, who indicated “companies should make their directors personally liable for breaches,” the report states. However, Helms maintains that the third party in its employ that made the calls was at fault. Helms “always accepted they were responsible,” an attorney for Helms said, adding, “But there is a distinction between a deliberate act and a negligent act.” Helms plans to appeal the decision. [The Telegraph]

WW – Hotels, Healthcare Orgs Report Breaches

The Trump Hotel Collection has announced point-of-sale systems at seven of its hotels in the U.S. and Canada “were infected with malware, potentially affecting an unspecified number of customers.” Information including account numbers, security codes and cardholder names “of individuals who used a payment card at the hotel between May 19, 2014, and June 2, 2015, may have been affected,” Trump Hotels has said. Meanwhile, Palo Alto VA Health Care System reportedly “unlawfully gave patient data to a private IT company despite employees not having cleared background checks,” and “16,000 people are being notified of a major risk to their private health information following an email attack” on Oakland Family Services, a Michigan-based nonprofit. [BankInfoSecurity]

US – Kardashian’s Site Security Flaw Left 600,000 Vulnerable

A curious developer discovered an unprotected API on one of the Kardashian sisters’ new websites, which not only left upwards of 600,000 users’ personal information vulnerable, but also gave the interloper the ability to manipulate data. The 19-year-old developer, Alaxic Smith, promptly reported the issue to the site’s creator, Whalerock, which patched the hole. “Our logs indicate that (Smith) was able to access only a limited set of names and email addresses,” Whalerock said in a statement. “No one else had access and that no passwords nor payment data of any kind was exposed. Our highest priority is the security of our customers’ data.” However, “the company is still in the process of validating what data was breached, and what, if any, data was actually saved or archived by Smith himself,” the report continues. [Tech Crunch]

Internet / WWW

WW – UN Report Proposes Stricter Internet Regulation

A newly released report from the United Nations’ Broadband Commission for Digital Development is titled “Cyber Violence Against Women and Girls: A World-Wide Wake-Up Call.” The report declares online violence against women and girls, or “cyber VAWG,” a “problem of pandemic proportion.” Dewey agrees with this assessment but disagrees with the report’s recommendations that countries around the world enact regulations that would hold Internet companies like social media sites and chat rooms responsible for the content created on them and only “license” those sites that agree to heavily moderate the content they host. [The Washington Post]

US – US and China Announce Cyber Espionage Agreement

At a press conference last week, US President Obama and Chinese President Xi Jinping announced that they had reached a “common understanding” regarding cyber espionage. The leaders agreed that both countries will not “conduct or knowingly support cyber-enabled theft of intellectual property.” There is skepticism that the agreement will result in change. [SC Magazine] [Wired] [DarkReading]

WW – Cybersecurity Pact With China Lauded

The agreement between Chinese and American heads of state to view online issues with increased gravity was a wise move. “They made some significant progress in doing this,” said James Lewis of the Center for Strategic and International Studies. The two administrations also pledged to create a group to track their cooperation in responding to cybercrime as well as a hotline “to resolve disputes over sharing information related to those crimes,” the report states. [The Daily Dot] SEE ALSO: [China Focus Could Spawn Future Issues]

US – CISA Stance Clarified

After Salesforce received criticism for signing a letter that some interpreted to be a support of the controversial CISA cybersecurity information-sharing bill, Salesforce’s CEO clarified the company’s stance via Twitter.

Location

WW – Roomba 980 Can Now Map Your House

The company behind Roomba, iRobot, has a new offering: the Roomba 980, which comes equipped with a camera and software that allows the device to gradually map its location. “Being able to localize in the environment is a foundational capability,” said iRobot’s Chris Jones. “You can imagine the day when a robot in the home can perceive and understand salient objects in the environment—that’s a couch, that’s my oven—that type of thing.” The company is wise to privacy questions around the new offering. “A representative explains that the maps are not transmitted from Roomba, and they are deleted after the robot finishes cleaning a room,” the report states. [MIT Technology Review]

WW – Getting the “Drops” on Reshipping

With so many retailers now refusing to ship to Russia or Eastern Europe because of the epidemic of organized cybercrime, how do these cyber-thieves use the credit card numbers they’ve stolen? The answer is “reshipping,” a practice documented in the report “Drops for Stuff,” newly released and written by eight security researchers. How does it work? “Operators” recruit “drops” to receive goods and then reship them to “stuffers,” who then sell them on the black market. This allows cybercriminals to turn a $10 purchase of a stolen card into $700 in black market cash. [KrebsonSecurity]

The Electronic Privacy Information Center has filed a Freedom of Information Act lawsuit against the U.S. Coast Guard and the Department of Homeland Security over a program that tracks and records boaters’ locations.

Online Privacy

WW – App Pays $11 Per Month To Track Users

Data collection start-up Symphony Advanced Media has released a video-tracking app that will pay users $11 per month to let it track all of their video viewing habits. VideoPulse uses a passive-listening program that hears what a user is watching in order to track it. The goal is to accurately gauge video analytics—an oft-debated issue in media circles, the report states. “There has been a significant void in understanding how consumers are using nontraditional media platforms, but innovation has finally arrived in the media measurement space,” said Symphony Advanced Media CEO Charles Buchwalter. The app currently has approximately 15,000 users and is being tested by several companies, including NBC, Viacom, Warner Bros. and A&E Networks. [Mashable]

US – EFF Announces Adzerk Will Honor DNT

Advertising company Adzerk, whose clients include Reddit, Stackexchange and Bittorrent, pledged to both respect user do-not-track requests and not have their ads “blocked by the major ad-blocking software.” “Blocking interfaces in browsers and operating systems are not only necessary for user freedom, security and privacy, but they are actually beginning to produce genuine improvements in the practices of the advertising industry,” said the Electronic Frontier Foundation’s Peter Eckersley and Alan Toner in a statement. “Apple should be congratulated for helping to make this happen, and those who are fearful about the future of the advertising-funded web should join us, Adzerk and other companies in helping to ensure that there are fewer reasons for users to need to block ads in the first place.” [BoingBoing]

WW – “Like” Button Data To Determine Ads

Facebook has announced it will use data gleaned from its “Like” buttons to tailor specific ads to users. “After the change, the types of sites you visit could be used to tune ads shown to you inside Facebook’s social networking service, its photo-sharing service Instagram and mobile apps that use Facebook’s ad network,” the report states. Facebook has also announced an opt-out for the ads, but the Electronic Frontier Foundation’s Rainey Reitman said, “Promising not to use information is not the same as promising to actually delete the data. The ‘Like’ data is especially problematic. Most people probably don’t even realize that whenever they load a page with a ‘Like’ button on it, Facebook gets a little information on them.” [Technology Review]

WW – Apple Updates Privacy Policy

Everyone, regardless of what devices they use, “should take a look at the latest edition of Apple’s privacy policy.” The policy, which includes details about data collection, “is a shining example of how easy to understand, transparent and clear such a document should be. It sets a bar other tech firms should follow,” the report states. [Computerworld] SEE ALSO: [Do Simpler Privacy Policies Invite More Outrage?] and [Should Privacy Policies List Marketing Partners?]

WW – Microsoft Responds to Windows 10 Concerns

Microsoft has responded to privacy concerns about Windows 10. In a blog post, Microsoft’s Terry Myerson details the ways Windows 10 gathers and uses data, the report states. Myerson notes “Windows 10 collects information so the product will work better for you,” adding that users “are in control with the ability to determine what information is collected.” [The Verge] See also: [Microsoft’s Smith: Privacy and Security Balance Necessary] See also: [Microsoft Executive Vice President and General Counsel Brad Smith talks about the ongoing litigation with the U.S. Department of Justice over emails stored in Ireland and the importance of security equilibrium]

WW – IBM Releases Cloud Security Enforcer

IBM has released new cloud security technology that aims to help protect organizations from risks associated with the rise of “bring-your-own cloud apps.” Research conducted by IBM indicates “one-third of employees at Fortune 1000 companies are sharing and uploading corporate data on third-party cloud apps,” the report states. At the same time, they’re using weak passwords or signing in using personal email addresses. Given such risks, IBM’s Cloud Security Enforcer allows companies to see all the third-party cloud apps employees are using, “provides a secure way to access them and enables companies to control which corporate data can and cannot be shared with the apps.” [eWeek]

Other Jurisdictions

IN – Tech Leaders Urged to Ask Modi to Rethink Privacy

As Indian Prime Minister Narendra Modi travels to meet with the leaders of American tech powerhouses such as Apple CEO Tim Cook, many are calling for them to encourage Modi’s ideas for “Digital India” toward a greater respect of citizens’ privacy rights. Modi aims to use the trip “to showcase what a big market India is,” said Arvind Gupta of Modi’s Bharatiya Janata Party. However, Modi’s “Digital India project does not rest on a legal framework that respects privacy and sensitive information,” said Stanford’s Thomas Blom Hansen. “While India presents significant business opportunities, CEOs should tell Modi that they will oppose any steps that erode free expression or privacy rights,” said Human Rights Watch’s Brad Adams. [The Washington Post] After much criticism, India’s government has pulled its draft encryption legislation.

RU – Russian Court Fines Google Over Alleged Privacy Violation

A Moscow city court has fined Google nearly 800,000 euros (50,000 rubles) for allegedly violating the privacy of a Russian citizen through its targeted advertising. The Russian citizen sued the company for illegally reading his emails, but Google says its advertising is operated by an automated system. “Humans are not reading your emails,” Google told AFP, adding, “Our automated system scans emails in order to prevent spam reaching your inbox and to detect bad things like malware.” The decision could open the doors for more similar actions against the company. [AFP]

Qatar has reinforced its cybercrime law with the government’s approval of “an amendment that criminalizes photographing those who are injured or killed in accidents and posting them on social media.”

Australian MPs Terri Butler and Tim Watts have released a draft bill that would make revenge porn a federal crime.

The governments of Australia and South Korea have “signed a blueprint of defence and security cooperation between the two nations.”

Privacy (US)

US – Brill Calls for Advertisers to Be Upfront With Consumers

At the Better Business Bureau’s National Advertising Division Annual Conference, Federal Trade Commissioner Julie Brill used her keynote address to discuss the need for organizations to respect user privacy as they employ new advertising techniques such as tracking and data-sharing. “Advertising has become one of the most technologically advanced and data-driven industries in our economy,” Brill said. “However, it is not enough that companies communicate with and provide choices to consumers regarding retail mobile location tracking. They must also be truthful about these choices.” She also pushed for greater opt-out abilities for data-sharing online. “After all these years, consumers still don’t understand what’s happening with their personal information,” she said, “and they continue to struggle to control targeted advertising and data collection.” [FTC.gov]

US – “Unfair Methods of Competition” Statement Prompts Concerns

In a blog post, the Phoenix Center’s Lawrence J. Spiwak echoes Federal Trade Commissioner Maureen Ohlhausen’s sentiments on the FTC’s recently released Statement of Enforcement Principles Regarding ‘Unfair Methods of Competition’ Under Section 5 of the FTC Act, contending, “The FTC’s conduct in this case was certainly not an example of good government.” The next steps? “While the FTC deserves kudos for at least attempting to move the ball forward … my recommendation is that before we go too far down the road … prudence would dictate that we go back to the drawing board,” Spiwak writes, adding, “the American public deserve a well-reasoned and cohesive approach to Section 5’s unfair methods of competition standard.” [The Hill]

US – Comcast Settles With California for $33 million for Privacy Violations

Comcast has agreed to a $33 million settlement with the California Department of Justice and the California Public Utilities Commission for posting personal details online of customers who had paid for unlisted voice-over-Internet-protocol phone service. Comcast will pay $25 million to the two departments, $8 million in restitution to the 75,000 affected customers and has agreed to a permanent injunction mandating it strengthen rules on vendors that process personal information and provide additional monetary relief to customers “who have identified personal safety concerns” stemming from the disclosure of their data. “This settlement provides meaningful relief to victims (and) brings greater transparency to Comcast’s privacy practices,” said California Attorney General Kamala Harris. [Reuters]

US – Candidate Websites Fail Privacy Test

An Online Trust Alliance (OTA) survey of the 23 presidential candidates’ websites found that only six candidates protect basic user privacy. While cybersecurity ratings were high across the board, the omissions were dubbed “alarming” by the group, which found that some candidates’ sites didn’t have privacy policies posted. “One of them will be our next president,” said the OTA’s Craig Spiezle. Not all findings were doom and gloom, however. “Six candidates were lauded because they pledged in their privacy policies not to share personal information without users’ permission or a court order: Republicans Jeb Bush, Chris Christie, Rick Santorum and Scott Walker, and Democrats Lincoln Chafee and Martin O’Malley,” the report states. [The Wall Street Journal]

US – IAPP-EY Annual Privacy Governance Report 2015

Privacy, still nascent a decade ago, now employs thousands of professionals across the gamut of organizational structures and around the world. Yet there is still relatively little data about how the work of privacy is done. To that end, IAPP and EY surveyed a broad spectrum of organizations to document privacy governance—literally, how privacy is done. Today, we share the findings—the most comprehensive look at the structure and “how” of privacy governance we’ve ever released. At more than 150 pages, it is a document full of deep data and interesting trends, including looks at differing approaches taken by industry, by size of company, by maturity of program and by region of the world. Dive in. [IAPP.org]

US – Schneier: Tech Needs Increased Regulation

As new technologies employ facial recognition and surveillance flourishes, more regulatory strides must be made, Bruce Schneier writes. “Despite protests from industry, we need to regulate this budding industry,” he notes. “We need limitations on how our images can be collected without our knowledge or consent, and on how they can be used.” Meanwhile, payment-processing company Worldpay has announced a prototype for a chip-and-pin terminal that “takes a photo of a shop customer’s face the first time they use it and then references the image to verify their identity on subsequent transactions,” a move that has inspired privacy concerns. [Forbes]

US – OIG: OCR Has Room for Improvement

After conducting two different reports, the Office of the Inspector General (OIG) has found the Office for Civil Rights (OCR) has “room for improvement” in both HIPAA compliance and post-breach procedures. “OCR had not announced when it will begin its permanent audit program,” the OIG said in its first study. “Without fully implementing such a program, OCR cannot proactively identify covered entities that are noncompliant with the privacy standards.” The second study found that over one third of OCR employees failed to ensure that covered entities “had reported prior large breaches” and called for the agency to “develop an efficient method in its case-tracking system.” Meanwhile, the OCR has announced that Phase 2 of HIPAA audits will begin in early 2016. [HealthIT Security]

US – IAPP Privacy Innovation Award Winners Announced

The winners of the 2015 IAPP Privacy Vanguard Award and the 13th Annual HP-IAPP Privacy Innovation Awards were honored for their work in the privacy field. Hogan Lovells Partner and Director of the Privacy and Information Management Practice and Co-Chair of the Future of Privacy Forum Christopher Wolf was recognized with this year’s IAPP Privacy Vanguard Award and hailed as a trailblazer in the privacy profession and a “Dean of the Industry.” Three organizations were honored with the HP-IAPP Privacy Innovation Awards in the large, small and innovative privacy technology categories: Intuit, TeleSign and AirWatch by VMware. The Privacy Advisor has all the details. [Full Story]

US – LinkedIn Settlement Approved

U.S. District Court Judge Edward Davila has given LinkedIn’s proposed $1.25 million settlement of a 2012 class-action suit final approval. The “plaintiffs’ claim does not assert that class members were necessarily harmed by the data breach, but that they overpaid for their premium LinkedIn subscription because they did not receive promised data security,” Davila noted in his opinion. “The deal requires LinkedIn to pay approximately $15 each to almost 50,000 users who purchased premium memberships to the service,” the report states, adding the company “must use security techniques including ‘salting’ and ‘hashing’ for at least five years.” [Media Post]
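
The settlement’s requirement that LinkedIn use “salting” and “hashing” is worth seeing in code. The block below is an added illustration, not LinkedIn’s code or anything from the settlement: it places an unsalted single-pass hash beside a salted, iterated one (PBKDF2-HMAC-SHA256 from Python’s standard library) and shows the difference a defender cares about. The user names and passwords are constructed sample values, and the iteration count is an assumed illustrative setting, not a figure from the page.

```python
import hashlib
import hmac
import os
from typing import Dict

# Constructed sample accounts for the illustration. Two users deliberately
# share a password so the weakness of the unsalted scheme is visible.
SAMPLE_USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "battery staple"}

# Assumed illustrative work factor; real deployments tune this to their hardware.
ITERATIONS = 200_000


def unsalted_hash(password: str) -> str:
    """The weak scheme: one plain SHA-1 of the password, no salt.

    Equal passwords give equal digests, so a leaked table reveals which
    accounts share a password, and one precomputed table of digests for
    common passwords cracks every account at once.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = ITERATIONS) -> Dict[str, str]:
    """The hardened scheme: a fresh 16-byte random salt per account, fed with
    the password through PBKDF2-HMAC-SHA256 for many iterations.

    The salt is stored beside the digest (it is not a secret); its job is to
    make every account's digest unique and force attackers to start over
    for each one.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": str(iterations), "hash": digest.hex()}


def verify(record: Dict[str, str], candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        int(record["iterations"]),
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def build_unsalted_store(users: Dict[str, str]) -> Dict[str, str]:
    return {name: unsalted_hash(pw) for name, pw in users.items()}


def build_salted_store(users: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    return {name: make_record(pw) for name, pw in users.items()}


def duplicate_digest_count(digests) -> int:
    """How many stored digests are shared by more than one account.

    A quick audit check: a salted store should always return 0 here.
    """
    digests = list(digests)
    return sum(1 for d in digests if digests.count(d) > 1)


if __name__ == "__main__":
    weak = build_unsalted_store(SAMPLE_USERS)
    strong = build_salted_store(SAMPLE_USERS)
    print("duplicate digests, unsalted:", duplicate_digest_count(weak.values()))
    print("duplicate digests, salted:  ", duplicate_digest_count(r["hash"] for r in strong.values()))
    print("alice logs in:", verify(strong["alice"], "correct horse"))
    print("wrong password:", verify(strong["alice"], "wrong"))
```

Running it shows two duplicate digests in the unsalted store (alice and bob) and none in the salted one, while `verify` still accepts the right password and rejects a wrong one. The same audit check, run over a real credential table, is a quick way to confirm that salting is actually in place.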

US – Proposed Seattle Budget Includes Funding for CPO

In his 2016 budget proposal, Seattle Mayor Ed Murray has included a request for funding for a chief privacy officer position. The new CPO would “address potential privacy concerns and safeguard personal data,” the report states. Seattle hired a chief technology officer in 2014 to oversee a privacy overhaul. The city also appointed a Privacy Advisory Committee and, based on guidance from that committee, created a citywide privacy policy. Murray is also seeking funding for police body cameras, the report states. “We will work carefully to get this right and adequately address privacy concerns,” Murray said of the plan for body-worn cameras. [Geekwire]

US – Senators Want Update From Car Manufacturers

Sens. Edward Markey (D-MA) and Richard Blumenthal (D-CT) have sent letters to 18 automakers asking for an update on their efforts to protect consumers from the privacy risks presented by smart cars. The two launched an investigation into the matter in 2013, asking manufacturers to answer questions on consumer privacy and security, and Markey published a subsequent report outlining hacking and data collection risks. Now, the senators want an update on “company-specific information” that includes 2015 and 2016 vehicles, with any changes that may have been made to vehicles, policies or practices since Markey’s initial inquiry. The senators request the companies respond no later than October 16. [Multichannel News]

US – Parents Unfamiliar with Current Laws: Survey

A Future of Privacy Forum (FPF) survey found that while a majority of parents are concerned about the theft of their children’s academic data, more than half claim to have no knowledge of existing privacy legislation. The FPF reports that 87% of parents “worry about student data being hacked or stolen” but “54% say they know nothing about existing federal laws regulating the use of student data,” which may account for the 57% who are in favor of new privacy legislation. “This survey makes it clear that we must do a better job of explaining to parents how their children benefit from improving the effectiveness of education products based on things learned in the classroom,” said FPF Executive Director Jules Polonetsky. “And parents want a commitment that their student data will never be exploited. I think that’s a commitment they deserve.” [Full Story]

US – Court Dismisses AOL Suit

The U.S. District Court for the Northern District of California has dismissed a class-action that alleged AOL violated the Telephone Consumer Protection Act (TCPA) “when users of its Instant Messenger service sent text messages to incorrect recipients.” The decision is one of the first to evaluate claims under the FCC omnibus TCPA order “offering guidance on numerous issues, including the types of equipment subject to TCPA restrictions and the statute’s application to social app petitioners for text messages sent using their services,” the report states. The court found “the omnibus TCPA order reinforced prior FCC decisions that supported AOL’s arguments for dismissal,” the report states. [Inside Counsel]

Inching a step closer toward a major law enforcement agreement with the European Union, the U.S. House Judiciary Committee approved a bill that would give European citizens a right to sue in U.S. courts if their personal data is misused.

The recent IRS breach affecting more than 300,000 individuals has inspired the Senate Finance Committee to develop bipartisan taxpayer identity-fraud legislation, which will be debated.

A federal judge has granted class-action status to lawsuits by financial institutions that were victims of Target’s 2013 breach.

Privacy Enhancing Technologies (PETs)

WW – Security-Minded Blackphone 2 Ready for Preorder

Amidst news this week about privacy-focused smartphones heading to market, Sikur GranitePhone is now available for preorder. The phone aims to connect users while guarding their privacy, which Sikur CEO Frederico d’Avila said popular smartphones do not do adequately, the report states. “They do not always care about security,” d’Avila said, adding, “That’s why we came to that place, to help the customer to have that right solution for their privacy. They’re not looking to security as we do, because we’re living for that.” The recent smartphone announcements come as some analysts question mobile data tracking’s impact on user privacy. [CNET]

WW – Two New Privacy-Focused Phones on the Market

Those who place a premium on private mobile calling and surfing have two new options this fall. First up is the second release from Silent Circle, the Blackphone 2. The Android-powered device features the Silent OS, an “Enterprise space” for companies to cordon off company data from personal data and peer-to-peer encrypted voice and video, among other features. It’s now available to order for $799. Blackberry has announced it will release an Android-powered phone it’s calling the Priv, which “combines the best of BlackBerry security and productivity with the expansive mobile application ecosystem available on the Android platform.” No word on price yet. [9to5Google]

WW – Secure Messaging App Use Booms

Telegram Founder Pavel Durov announced at TechCrunch Disrupt SF that the encrypted messaging service has gone from a billion messages exchanged per day to 12 billion in eight months. This, he argues, indicates privacy’s growing importance in the eyes of consumers—and companies. “Privacy is not something that is relevant only to business users, but businesses are most affected because they could be blackmailed,” he said. The app’s growing appeal has even attracted terrorist groups, the report states. When asked if that is reason for concern, Durov said, “That’s a very good question, but I think that privacy, ultimately, and our right for privacy is more important than our fear of bad things happening, like terrorism.” Meanwhile, G Data has announced “Secure Chat,” a free “tap-proof” messaging app for Android. [TechCrunch]

WW – Security Tool Strengthens Online Anonymity

Dissent is a cryptographically backed network that, when used in conjunction with the Tor network, can markedly improve online anonymity. Dissent uses a DC-net, first proposed by a cryptographer in 1988. Though its performance is much slower than Tor, it is a more effective alternative for achieving online anonymity. “One of the most important things to understand about Dissent,” said project lead Bryan Ford, “is that it’s not going to be a drop-in replacement for Tor, at least not in its current form.” One possible use for Dissent, the report states, “would be to create a privacy-preserving WiFi networking layer.” [Motherboard]
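
To make the DC-net idea behind Dissent concrete, here is an added simulation of one dining-cryptographers round; it is illustrative code written for this page, not Dissent’s implementation, which adds scheduling, accountability and other machinery on top of the basic primitive. Every pair of participants shares a random pad; each participant broadcasts the XOR of all its pads, and the one sending a message XORs that in as well. Because every pad appears in exactly two outputs, the XOR of all outputs cancels the pads and leaves only the message, while no single output (or any subset short of the whole group) points to who sent it. The example also shows the protocol’s basic failure mode: two senders in the same round collide, and the group recovers only the XOR of both messages, which is why real systems schedule slots. The sample messages are constructed, and pads are drawn from `os.urandom` in place of a real pairwise key exchange.

```python
import os
from typing import Dict, List, Optional, Tuple

Pair = Tuple[int, int]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pairwise_pads(n: int, msg_len: int) -> Dict[Pair, bytes]:
    """One random pad per unordered pair (i, j), i < j.

    A deployment would derive these from a key exchange between the two
    parties; here they are simply drawn from os.urandom (assumption).
    """
    return {(i, j): os.urandom(msg_len) for i in range(n) for j in range(i + 1, n)}


def participant_output(i: int, n: int, pads: Dict[Pair, bytes], msg_len: int,
                       message: Optional[bytes] = None) -> bytes:
    """What participant i broadcasts: XOR of all pads it shares, plus its
    message if it is the sender this round. To any observer the output is
    a uniformly random string either way, so sender and non-sender outputs
    are indistinguishable."""
    out = bytes(msg_len)
    for j in range(n):
        if j != i:
            out = xor_bytes(out, pads[(min(i, j), max(i, j))])
    if message is not None:
        if len(message) != msg_len:
            raise ValueError("message must be exactly msg_len bytes")
        out = xor_bytes(out, message)
    return out


def combine(outputs: List[bytes]) -> bytes:
    """XOR of every participant's output. Each pad occurs twice and cancels;
    what remains is the XOR of all messages sent this round."""
    result = bytes(len(outputs[0]))
    for o in outputs:
        result = xor_bytes(result, o)
    return result


def run_round(n: int, msg_len: int, messages: Dict[int, bytes]) -> bytes:
    """Simulate one round with `messages` mapping sender index -> message.
    Returns what every participant (and any eavesdropper) can recover."""
    pads = pairwise_pads(n, msg_len)
    outputs = [participant_output(i, n, pads, msg_len, messages.get(i)) for i in range(n)]
    return combine(outputs)


def pad_sum_cancels(n: int, msg_len: int) -> bool:
    """Sanity check of the core property: with nobody sending, the round
    yields all zeros, i.e. the pads cancel exactly."""
    return run_round(n, msg_len, {}) == bytes(msg_len)


if __name__ == "__main__":
    # Constructed sample messages; fixed length of 8 bytes per slot.
    print("one sender:  ", run_round(5, 8, {2: b"dissent!"}))
    print("no sender:   ", run_round(5, 8, {}))
    print("collision:   ", run_round(4, 8, {0: b"aaaaaaaa", 3: b"bbbbbbbb"}))
```

The collision output is `xor_bytes(b"aaaaaaaa", b"bbbbbbbb")`, which is unreadable garbage to everyone, including the two senders; that, together with the O(n²) pads per round, is the cost the article refers to when it says Dissent is much slower than Tor.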

US – CUJO: Privacy’s Newest Attack Dog

Thanks to the new device CUJO, users can see when their data is being tampered with. Named after the canine antagonist in the Stephen King novel, the tool functions as a guard dog of sorts, keeping tabs on “how much data, the type of data, and where it’s going,” the report states. “If it detects an anomaly, it will alert you on the physical product as well as through an app notification,” with the position of the device’s LED “eyes” an indicator if something’s amiss. [Fast Co Design]

RFID / IoT

US – Hoofnagle Examines FTC’s TRENDnet Case

“The FTC’s matter against TRENDnet is especially important for the emerging Internet of Things,” UC Berkeley’s Chris Hoofnagle writes. After TRENDnet-produced SecurView cameras were hacked and live feeds were shared publicly, the FTC “sought to have TRENDnet answer the question of whether it can be trusted by consumers,” Hoofnagle writes, adding, “when one reads the TRENDnet 2014 report, more questions are raised than answered.” TRENDnet’s report indicates “several weaknesses of the FTC’s assessment approach to oversight. The TRENDnet report—and reports filed by other companies—are full of confusing jargon,” Hoofnagle writes. And with TRENDnet’s report “just one of over 100 such reports that the FTC is receiving nowadays under its supervision of data privacy and security cases,” Hoofnagle writes, the agency “cannot effectively supervise all the companies under consent decree.” [Full Story] SEE ALSO: [IoT Needs Privacy and Security? Hogwash]

US – DARPA Seeking Research Proposals for Analysis of Involuntary Analog Emissions

The Pentagon’s Defense Advanced Research Projects Agency (DARPA) is looking for technology capable of monitoring Internet connected devices like refrigerators and thermostats, often referred to as the Internet of Things (IoT). Specifically, DARPA is seeking “algorithms, tools, and devices for mapping analog emissions of digital devices.” [NextGov] [FBO]

Security

US – Survey: Confidence in Security Investments Is Low

More than 80% of respondents to EMA Research’s 2015 State of File Collaboration Security survey “admitted that there have been data leakage incidents in their organizations,” with only 16% espousing high levels of confidence in their cloud system security. “Data dissemination and file collaboration are natural parts of most business and operational workflows, so security must be an integral part of the workflow to protect information,” said EMA’s David Monahan. “Unfortunately, protecting sensitive and regulated data within shared files remains a significant exposure within many organizations,” he said, adding, the “lack of capability to control unstructured data … will not only yield more data privacy breaches but will impact the adoption of advanced enterprise and cloud content management systems.” [Infosecurity Magazine]

EU – Ansip Announces Awareness Campaign

European Commission (EC) Vice-President for the Digital Single Market Andrus Ansip announced via blog post that the EC will begin a cybersecurity awareness campaign that aims to increase online security knowledge. The program includes “over 150 promotional events and activities to take place in 27 countries, with the goal of educating people about protection from digital criminals,” the report states. “People will hesitate to use e-services if they are not confident that they are reliable, safe and secure,” Ansip said. “They may actually choose not to use them at all,” and thus “we have to stay one step ahead.” [Billboard]

US – Audit Finds MIDAS Severely Vulnerable

The Department of Health and Human Services (HHS) has discovered that MIDAS, “the central electronic storehouse for information collected under President Barack Obama’s healthcare law,” has 135 system vulnerabilities, “of which nearly two dozen were classified as potentially severe or catastrophic.” “It sounds like a gold mine for ID thieves,” said the Electronic Frontier Foundation’s Jeremy Gillula. “I’m kind of surprised that this information was never compromised.” Medicare’s Andy Slavitt said “the privacy and security of consumers’ personally identifiable information are a top priority” and the problems were immediately addressed. “But,” the report states, “the episode raises questions about the government’s ability to protect a vast new database at a time when cyber-attacks are becoming bolder.” [ABC News]

US – Pentagon Issues Guidance on Breach Notices

Following the major hacks at the Office of Personnel Management, the Pentagon has issued guidance to the Department of Defense (DoD) “on considerations for making public announcements regarding breaches of private information.” In a letter, Michael Rhodes, senior official for privacy at the DoD, said the department “must continue its efforts to promote a culture to continuously ‘think privacy’ and act swiftly to develop and implement effective breach mitigation plans, when necessary.” Rhodes added that no two breaches are alike, so case-by-case analysis as well as “the use of best judgment is required for effective breach management.” [FEDweek]

US – President: “Basic International Framework” Needed

U.S. President Barack Obama has called for a “basic international framework” on cybersecurity. As Chinese President Xi Jinping’s Washington, DC, trip nears, Obama said the U.S. aims to illustrate that “economic cyber attacks” are “something that will put significant strains on a bilateral relationship if not resolved and that we are prepared to take some countervailing actions.” This comes on the heels of a revelation that China’s government “distributed a document to some American tech companies” asking they “pledge their commitment to contentious policies that could require them” to hand over user data, The New York Times reports. And Tech Times reports the Chinese government is allegedly constructing a Facebook-esque catalogue of U.S. officials. [Reuters]

US – Docs Illustrate the Days After the Target Breach

Newly released documents illustrate Target’s actions immediately following its 2013 breach. Days after the breach exposed 40 million customer debit and credit card accounts, the company hired Verizon security experts to look for system vulnerabilities. The results of that investigation, which haven’t been publicly revealed until now, confirm “what pundits have long suspected,” the report states. “Once inside, there was nothing to stop attackers from gaining direct and complete access to every single cash register in every Target store.” The report also found that while Target has a password policy, it wasn’t being followed. [KrebsonSecurity]

Surveillance

UK – MI5 Director: “Snoopers’ Charter” Necessary

MI5 Director-General Andrew Parker has said the UK intelligence agency’s ability to spy on communications data is no different than “the work spies have been doing for a hundred years.” Parker said the so-called “snoopers’ charter” is crucial to protect citizens as the number of threats against the UK is as high as he’s seen in his 32-year career. “We need to be able to do what we have always done through our history,” he said. “To find and stop the people who threaten the UK, we need to be able to monitor the communications of terrorists and spies and others who threaten the country.” Meanwhile, a new legal challenge to surveillance programs was filed by Human Rights Watch. [Financial Times]

WW – How TV Shows Portray Mass Surveillance

Pop culture blogger Alyssa Rosenberg discusses how television programming portrays mass surveillance and predictive policing. “The rise of increasingly sophisticated surveillance technology has been a rich inspiration for popular culture in recent years,” she writes, noting “network television now has three shows on the subject.” She notes the bevy of surveillance-related shows on national television demonstrates “the mood of our times,” adding, “No matter what qualms these series might express about the civil liberties issues involved in mass surveillance or about the ethics of arresting or harming people before they’ve actually broken the law, they’ve already ceded ground on these issues in encouraging us to believe in a heightened risk of crime.” [The Washington Post]

US – Boston Subway to Track Riders With Beacons

The Massachusetts Bay Transportation Authority (MBTA), which operates the Boston public transportation system, announced it has started a yearlong pilot project that will track riders who download a special app via a Bluetooth beacon system run by a company called Intersection. In the news release, the MBTA said the project will track riders but will not collect personally identifying information and all data will be handled on a “secure, closed network.” The hope is to find ways to improve communication with transport users, map how riders use the various stations and explore “how brands can increase engagement and interaction with commuters based on proximity.” [BostInno]

US – Whose Job Is OPM Data Security?

In response to questions from Sen. Ron Wyden (D-OR), the National Counterintelligence and Security Center (NCSC) said information security at the Office of Personnel Management is not NCSC’s job. According to the nation’s top counterintelligence agency, “Executive branch oversight of agency information security policies and practices rests with the Office of Management and Budget and the Department of Homeland Security.” Wyden was unimpressed, calling the response “unworthy of individuals who are being trusted to defend America.” The back-and-forth lends credence to those lawmakers who believe legislation is needed to clarify cybersecurity roles in the federal government, the report states. [The Hill]

Telecom / TV

US – New Hampshire Library Restores Tor Node

A library in Lebanon, New Hampshire, that suspended its operation of a Tor relay due to concerns raised by a Department of Homeland Security investigator has restored the node. The library’s IT director said that there was no pressure to take down the relay, but that they volunteered to take it down until the board met and voted on Tuesday, September 15. The Kilton Library is a pilot participant in the Library Freedom Project. The publicity generated by the story has prompted a dozen more libraries across the US to ask for information on hosting Tor nodes. [ArsTechnica] [The Register]

US – California County Announces Cell-Site Simulator Use Policy

The Sacramento County Sheriff’s Department says it will obtain “judicial authorization” before using cell-site simulator technology often referred to as a Stingray. The SCSD’s policy also automatically seals the applications for judicial authorization and calls for collected data to be purged after each use of the technology. Earlier this month, the US Department of Justice (DoJ) unveiled its policy regarding the technology, which requires law enforcement officials within its agencies to obtain a warrant prior to its use. The DoJ’s policy does not affect other federal, state, or local law enforcement agencies. [Ars Technica] [SACSheriff]

US Legislation

US – House Committee Approves Judicial Redress Act

Inching a step closer toward a major law enforcement agreement with the European Union, the U.S. House Judiciary Committee approved a bill that would give European citizens a right to sue in U.S. courts if their personal data is misused. A major component of the EU-U.S. Umbrella Agreement, the Judicial Redress Act, is a necessary law for assuaging European concerns about the use of their data by U.S. companies. Committee Chairman Bob Goodlatte (R-VA) said, “The Judicial Redress Act can go a long way toward restoring our allies’ faith in U.S. data privacy protections and helping facilitate agreements.” In a separate column for The Hill, Rep. Jim Sensenbrenner (R-WI), an author of the bill, wrote that the legislation “is essential to U.S. law enforcement.” [The Hill]

US – Tech Firms Support Judicial Redress Act

U.S. technology companies “are lining up” to support the Judicial Redress Act. The House bill “would allow non-U.S. citizens to seek records U.S. agencies have collected and pursue legal action when such records are disclosed,” the report states, noting it would apply to citizens of “select allied nations, primarily in the European Union.” Support by technology companies shows “the sector’s latest effort to rebuild trust abroad in the wake of Edward Snowden’s disclosures, which revealed many companies were turning over customers’ communications to the U.S. government,” the report states. A group of tech firms wrote that the loss of trust “translated into significant negative commercial consequences for U.S. firms, with global consumers choosing technology solutions from other providers.” [Tech Crunch]

US – Software Alliance Backs CISA, Other Reforms

An industry group that represents a number of high-profile technology companies has sent a letter to Congressional leaders expressing its support for the Cybersecurity Information Sharing Act (CISA). The Software Alliance, which represents a number of companies including Adobe, Apple, IBM, Microsoft and Symantec, stated that CISA “will promote cybersecurity and protect sensitive information by enabling private actors in possession of information about vulnerability and intrusions to more easily share that information voluntarily with others under threat.” In addition to CISA, the group urges Congress to pass ECPA reform, the LEADs Act, the Judicial Redress Act and modernize the Mutual Legal Assistance Treaty. [The Daily Dot]

The California legislature has passed a DNA collection bill that would allow DNA to be collected from all felon arrestees, but only allow it to be “uploaded to the state’s database after a judicial finding of probable cause,” reports California Newswire. It now awaits Gov. Brown’s signature.

Florida will see 27 new laws going into effect on October 1, including one that deals with police using devices to track suspects.

Oregon Gov. Kate Brown signed the state’s new invasion of privacy law.

A bill introduced in Oregon’s legislature aims to protect the privacy of students when in a legal dispute with a college.

University of Wyoming students are working to pass a law that would change how student emails are labeled under the Public Records Act.

Delaware recently enacted a “package of statutes governing the collection, storage and use of the personal information of Delaware residents by websites, Internet and cloud service providers and Internet and mobile applications.”

Maine has a new employee social media privacy law, which goes into effect on October 15.

In Wyoming, proposed legislation “would bar school district employees from requiring students to provide them access to social media accounts, smartphones or other personal digital information.”

Workplace Privacy

WW – Study: Employee Privacy Concerns Slow Device Rollout

A Bitglass study indicates that employees’ privacy concerns are slowing down companies’ efforts to roll out bring-your-own-device (BYOD) initiatives. “From an employee standpoint, the biggest challenges are privacy concerns over what does the IT department have visibility into and what do they have control over on my device … Am I giving up my privacy in exchange for having access to corporate email and apps on my device?” said Bitglass VP of Products and Marketing Rich Campagna. “As a result, BYOD adoption has been a lot lower than a lot of people expected over the last few years.” [FierceMobileIT]

+++