Biometrics
EU – French: Fingerprints, Facial Scans, Should be Required at EU Border
French authorities want fingerprint and facial scans of everyone entering or leaving the EU. The proposal from the French delegation came as the European Commission puts more pressure on interior ministers to adopt its so-called “smart borders” package. The Commission plan is to set up a digital dragnet to monitor all non-EU nationals entering and exiting the EU. According to the Commission, the programme is needed to deal with a huge increase in people coming to and from the EU. It predicts that air border crossings could increase by 80% to 720 million in 2030. “This will result in longer queues for travellers if border checking procedures are not modernised in time,” warns the Commish document. But hot on the heels of their own version of the Patriot Act, France (PDF) wants to “broaden the scope of the smart borders package for all travellers, also including European nationals”. The scheme was first proposed two years ago, but has been revived along with other security surveillance schemes such as PNR. Currently border checks for the Schengen area are based on passport visa stamps. There is no pan-European database recording travellers’ entries or exits. This makes it difficult for authorities to detect “overstayers” says the Commission. [The Register]
WW – Facial Recognition Coming to ATMs
China Merchants Bank is employing facial recognition software in nine Shenzhen-based ATMs, phase one of a project that aims to install the system in 12,000 ATMs across the country by the end of the year. While facial recognition is just a part of a three-step verification process, critics are worried that the technology could still permit privacy gaffes to occur. Will the software mean “identical twins can access each other’s accounts easily?” asked one detractor on Weibo. The privacy concerns haven’t stopped other organizations, however, with companies like Alibaba and MasterCard set to unveil their own facial-recognition systems for finance-related ventures, the report states. [South China Morning Post]
CA – Royal Bank Adopts Voice-Recognition Technology to ID Customers
Following a pilot program last summer, Royal Bank (RBC) is rolling out “voice biometrics” technology. The service, which will require customers to opt in, will allow the bank to identify customers by the sound of their voice rather than by answering security questions or entering a password. RBC says it’s the first company to implement such a technology, which uses more than 100 characteristics to identify the customer, such as pitch and accent, the report states. Manulife employed a similar technology earlier this year. “It’s easy to pick up a piece of mail and look at someone’s confidential information, but you can’t steal a voice,” said a Manulife executive. [The Canadian Press]
US – Dismiss Our Biometrics Suit, Facebook Asks
Facebook has asked U.S. District Court Judge James Donato to dismiss a suit alleging its photo-tagging service violates biometric privacy laws. “The social networking service argues that the Illinois Biometric Information Privacy Act doesn’t prevent companies from storing photos of faces or information gleaned from those photos,” the report states. Facebook contends the law “only applies to faceprints that derive from in-person scans as opposed to photos,” the report continues. “Because plaintiffs’ claims rest entirely on information derived from photographs, their complaint should be dismissed with prejudice,” Facebook said in its filing papers. [Media Post]
WW – Facial-Recognition Regulations Considered; Researchers Unveil “Climb”
The Home Office “is considering increasing the regulations for retention of face recognition records.” The Home Office announced it is “undertaking a policy review of the statutory basis for the retention of facial images and consulting key stakeholders,” adding it is “considering the role of the Biometrics Commissioner. The government will of course publish the findings of the review and consult formally as appropriate.” Meanwhile, researchers from Cardiff University, the University of Warwick, Swansea University and the University of Birmingham have created “Climb, the Cloud Infrastructure for Microbial Bioinformatics” that permits other scientists to share genomic information more safely. [Biometric Update] SEE ALSO: [Start-Up Selling Eye-Tracking Technology to Major League Baseball]
Big Data
CA – Group to Study Data Collection
Researchers are getting ready to study “what information is being collected about Canadians and what it’s being used for, saying the public remains largely in the dark on the mass accumulation of personal data.” Queen’s University’s Surveillance Studies Centre will lead the five-year project to study the use of big data, the report states, noting the BC Office of the Information and Privacy Commissioner, the Civil Liberties Association and the University of Victoria are among the project’s partners. “Citizens have questions about how big data is being used by police, by political parties, in healthcare, education, social services and in other areas that touch their lives,” BC Privacy Commissioner Elizabeth Denham noted. “This project will probe big-data surveillance and analyze its scope, effectiveness and implications.” [The Globe and Mail]
EU – Agencies to Study Banks’ Big Data Use
The European Banking Authority, European Securities and Markets Authority and European Insurance and Occupational Pensions Authority will have their eyes on how banks employ big data in the coming year after expressing concern regarding not only the current utilization of information and its privacy impact but also its potential “to discriminate against certain sections of the population in so-called profiling.” The agencies will study the “opportunities and challenges” that come with employing big data. “The topic aims to analyze the adequacy of sectoral regulatory frameworks and identify any regulatory and/or supervisory measures which may need to be taken,” the groups said in a joint statement. [Reuters]
Canada
CA – Ontario Judge to Hear Telecom v. Police Case
An Ontario judge will soon rule on a consumer privacy case “that pits telecom companies against police departments.” In April, Peel Regional Police obtained a production order for customer information from “all cellphones that accessed 36 cell towers owned by Rogers and Telus during a specific time frame,” the report states. While police said they needed the records to find a suspect, Rogers and Telus say the production order violates the Canadian Charter of Rights and Freedoms. Police have since withdrawn the order; however, the judge wants to hear the case because of an uptick in similar cases. [Toronto Star]
CA – Saskatchewan Changes Privacy Rules
After a care aide’s employment record was sent to reporters, Saskatchewan is making changes to its privacy rules. As a result, politicians will have to adhere to a new code of conduct that aims to ensure compliance with the province’s privacy act, and they will need to get written consent to “collect, use or disclose someone’s personal information or personal health information,” the report states. Previously, the Freedom of Information Act “didn’t technically apply” to members of the legislative assembly (MLAs), said Saskatchewan Party MLA Jeremy Harrison. Violators of the code could be charged with contempt, face a fine or be removed from the assembly for the day or the house indefinitely. [The Canadian Press]
CA – Yukon Government Developing New Privacy Rules for Health Records
The Yukon government is looking for input on who should have access to your personal health care records, and how accessible they should be. The government is working on new regulations focussed on managing and protecting health files. The new rules would fall under the Health Information Privacy and Management Act, passed in 2013 but not yet in effect. [CBC News]
CA – Critics Raise Data Privacy Concerns in Trans-Pacific Partnership Deal
Critics say Canadians need to see the full text of the Trans-Pacific Partnership (TPP) trade deal to know the privacy trade-off. “We’re dealing with just summary documents. The devil is in the details,” said University of Ottawa law professor Michael Geist. The deal includes provisions to protect the “free flow of information across borders” and “prevents governments in TPP countries from requiring the use of local servers for data storage,” the report states, which Geist finds particularly concerning. [CBC News] [Geist: How the TPP Puts Canadian Privacy at Risk] [Geist: How the TPP May Put Your Health Care Data at Risk]
CA – Questions Raised Over Preserving Sensitive Truth and Reconciliation Testimony
After years of collecting literally millions of documents and hearing the stories of thousands of aboriginal people who experienced abuse at residential schools, the Truth and Reconciliation Commission is ready to archive this material, much of it brutal and heartbreaking, in the new National Centre for Truth and Reconciliation at the University of Manitoba. Scheduled to open to the public this fall, it will serve as a rich repository and essential historical record of a haunting and tragic chapter of First Nations and Canadian history. Controversy has arisen, however, over whether survivors’ testimony, given privately by those seeking compensation for the abuse they suffered, should be preserved. It came as a shock to many who told their stories – confidentially, they believed – to adjudicators behind closed doors that their words might be preserved for posterity. Some argued against this scenario in an Ontario court last year. Justice Paul Perell ruled that the material from the Independent Assessment Process may be kept for 15 years but, in the meantime, identifying information must be redacted and those who testified must be contacted to ask whether they would agree to have the documents remain in the archive; only with this agreement could individuals’ testimony be preserved beyond 15 years. Any other scenario would be a betrayal of survivors’ trust and detrimental to the cause of reconciliation, Justice Perell argued. Some see the ruling as a reasonable compromise, but the NCTR launched an appeal, to be heard in court at the end of October. The centre wishes to preserve the documents and argues that it is well placed to do so as an aboriginal-run organization mandated by the Truth and Reconciliation Commission. [University Affairs]
CA – Retired Mounties Sue RCMP Over Disclosure of Mental Health Records
A class action lawsuit filed in Vancouver alleges that the RCMP has breached the privacy of a number of Mounties by wrongfully disclosing their mental health records. The suit says that the disclosure of the records in 2012 was done to undermine the work of Dr. Michael Webster, a longtime RCMP psychologist who had treated the officers and who has been outspoken in the past on RCMP issues. Several retired Mounties, members of a group that represents about 2,300 officers across Canada, held a press conference outside the Vancouver Law Courts to explain the lawsuit. They told reporters that currently employed officers are afraid that if they speak out, they might be disciplined by their superiors. “The wrongful disclosure of our members’ mental health records undermines the trust and confidence members must have in our employer, to ensure that mental health supports can be accessed privately.” The suit says that in July 2012, the RCMP removed Webster from its list of approved registered psychologists and a month later initiated a complaint against him with the College of Registered Psychologists. It says the college requested that the RCMP disclose complete copies of the records of a number of Mounties who had been treated by Webster. The records were disclosed without notification to the officers and in violation of their privacy, says the lawsuit. A complaint filed against the RCMP with the Office of the Privacy Commissioner of Canada resulted in the commissioner finding that there had been a serious breach of privacy. [The Province]
CA – Ring Wants Controversial Report Released
Newfoundland and Labrador Information and Privacy Commissioner Ed Ring wants to make public a government sexual-exploitation study. The government says the 2011 report, It’s Nobody’s Mandate and Everyone’s Responsibility: Sexual Exploitation and the Sex Trade in Newfoundland and Labrador, was “based on interviews with sex workers and vulnerable individuals who could be put in danger if it was released publicly.” However, if it intends to keep the report under wraps the government will now have to go to court. Ring wrote in his review, “Public bodies cannot rely on speculation that harm might take place but must establish a reasonable expectation,” adding that identifying information should be blacked out as opposed to repressing the entire report. [The Telegraph]
CA – Denham Calls for Better Breach Protection
BC Information and Privacy Commissioner Elizabeth Denham “is calling for immediate action by provincial health authorities to boost measures that safeguard citizens’ health information in the absence of disclosure laws,” noting all provinces and territories except BC, Saskatchewan and Quebec “have legislated or incoming requirements that order health authorities to reveal the inappropriate release of private information.” Denham said, “It’s not in place here yet. It’s a problem.” Meanwhile, a breach affected University of Calgary employee records, and The Trump Hotel Collection has announced that point-of-sale systems at seven of its hotels in the U.S. and Canada “were infected with malware, potentially affecting an unspecified number of customers.” [Global News]
CA – Are Political Parties Violating CASL?
Via their email campaigns, “Canadian politicians may be violating Canada’s Anti-Spam Legislation (CASL), the very law they helped enact.” Citing a study from Toronto-based itracMarketer, an email marketing and CASL compliance software provider, the report suggests, “Canadian politicians may need a more compliant marketing staff because every political party failed at providing clear consent and permissions on their email collection pages.” The study looked at the country’s four major political parties’ email marketing, the report states, noting examples of CASL violations itracMarketer found include “not having a clear unsubscribe process, failure to explain the type of content they would send to potential subscribers and not providing a physical address on email collection pages.” [MediaPost] SEE ALSO: [Where the Parties Stand on Surveillance, Privacy] [Where Canada’s Three Political Parties Stand on Cybersecurity and Surveillance] [Election selfies are encouraged, but take them outside polling stations: Posting a photo of a completed ballot could land you in jail] [Green Party (Kris Constable) Views on Enhancing Security Against Cyber Attacks]
CA – Other Privacy News
- An Ontario judge will soon rule on a consumer privacy case “that pits telecom companies against police departments.”
- After a care aide’s employment record was sent to reporters, Saskatchewan is making changes to its privacy rules.
- Via their email campaigns, “Canadian politicians may be violating Canada’s Anti-Spam Legislation (CASL), the very law they helped enact,” citing a study from Toronto-based itracMarketer, an email marketing and CASL compliance software provider.
- Canada a Haven for Data Following Ruling on US
- Litigating Cyber Privacy Class Actions in Canada
- Alberta health-care workers suspended for patient privacy breach
- Canadian companies turning to cyber insurance in wake of high-profile hacks
Consumer
WW – Uptick in Privacy Products Indicates Citizen Concerns
Average citizens are increasingly out to protect their own privacy given Canada’s Bill C-51, which allows for an increased amount of information to be collected by government. As a result, product designers are creating anti-surveillance items. That trend was recently on display in London at the Victoria and Albert Museum, which focused on “objects that both encourage sharing information online (such as the selfie stick) and block it (such as the Cryptophone 500, a military-grade mobile with the highest security standards on the market … ),” the report states. The London exhibit is just one example of many new products to hit the market. [The Globe and Mail]
Electronic Records
US – Privacy Concerns Decline as Patients Acclimate to EHR Systems
Patients whose doctors use electronic health record systems are increasingly confident that their health information will remain private and secure, Weill Cornell Medical College researchers found in a new longitudinal study, published Oct. 5 in the American Journal of Managed Care. While electronic health record systems have been around since the early 2000s, they became more prevalent when the federal government began offering providers incentives to adopt the technology in 2009. To measure consumers’ perspectives on electronic health records, the researchers collected data through a random-digit-dial national telephone survey that polled about 1,000 people a year between 2011 and 2013. Some 41% of respondents were worried that electronic health records would lessen the privacy and security of personal health data in 2013, compared to 47.5% in 2011. While the 6 percent decrease is a good start, Dr. Ancker said, the study also shows that more work, through improved security and education, has to be done to sufficiently address patients’ worries. “New things make people anxious,” she said. The data also shows that there is a need to better educate patients about how electronic records work, as well as how they can improve patients’ healthcare. [weill.cornell.edu]
US – Researchers Re-Identify 100% of ‘Anonymised’ Health Data
Researchers from Harvard University have published a paper claiming a 100 per cent success rate in de-anonymising patients from their supposedly anonymised healthcare data in South Korea. The study, which bears the ronseal title of “De-anonymizing South Korean Resident Registration Numbers Shared in Prescription Data”, was published this week in Technology Science. Two de-anonymisation experiments were conducted in the study on prescription data from deceased South Koreans, with encrypted national identifiers – Resident Registration Numbers (RRNs) – included. The researchers found significant vulnerabilities in the anonymisation process which is applied to identifiers contained within prescription data, data which is often sold to multinational health companies. Finding that “weakly encrypted RRNs” are vulnerable to de-anonymisation, the researchers report that both experiments were 100 per cent successful and revealed all 23,163 of the unencrypted RRNs. [The Register] [US – New Coding System Intrudes on Patients’ Privacy, Forces Doctors to Focus on Codes Rather Than Care]
CA – Group Health Centre Debuts Online Patient Portal
Sault Ste. Marie is now one of only a handful of cities in Canada where patients can access essential health information through an online portal, after the Group Health Centre launched its myCARE portal earlier this week. The system allows patients to send messages to their healthcare team, request prescription renewals, manage appointments, review select lab test results, and more through a home computer, eliminating the need to make a visit to the centre for these needs. GHC is now one of two centres in Canada – the other being CHEO in Ottawa – that has this specific technology available for patients. [Sault Ste Marie Star]
Encryption
US – White House Will Not Demand Back Doors for Access to Encrypted Data
The White House has decided not to pursue policy urging technology companies to build backdoors into their encryption systems, despite law enforcement and intelligence agencies’ vocal assertions that the backdoors are necessary. Those agencies will still be able to pursue data with warrants. [CSMonitor] [TechCrunch] [ComputerWorld] [SCMagazine] [Ars Technica] See also: [Wired: A New Way for Tech Firms to Fight Orders to Unlock Devices]
US – Federal Judge Wants to Bring Encryption Debate to Courts
A federal judge in New York is seeking to expand the debate surrounding law enforcement access to encrypted communications technology. Magistrate Judge James Orenstein has suggested he would not issue an order sought by the government compelling Apple to unlock a suspect’s iPhone, the report states. Prior to ruling on the case, Orenstein asked the company to explain whether the government’s request would be “unduly burdensome.” According to the report, the judge may have chosen the wrong case to issue such a question, as the suspect’s phone is an older version that can be accessed by Apple. “He’s clearly a judge who is interested in opening topics to discussion in the judiciary, but he also thinks the larger public should know about the debate,” said former Texas Magistrate Judge Brian Owsley. [The Washington Post] SEE ALSO: [Discordant Encryption Attitudes Bring Policy-Making Woes]
US – Back Doors Are Not Necessary to Circumvent Encryption
Andy Greenberg writes, “Encryption usually doesn’t keep determined cops out of a target’s private data. In fact, it only rarely comes into play at all.” Of the 3,554 wiretaps reported in 2014, just 25, or 0.7%, encountered encryption. And of those 25 cases, investigators were able to circumvent encryption 21 times. [WIRED] See also: [Apple Removes Apps that Install Root Certificates | Apple Support | iMore]
EU Developments
EU – Court of Justice Declares Commission’s US Safe Harbour Decision Invalid
Court of Justice of the European Union, PRESS RELEASE No 117/15, Luxembourg, 6 October 2015
Whilst the Court of Justice alone has jurisdiction to declare an EU act invalid, where a claim is lodged with the national supervisory authorities they may, even where the Commission has adopted a decision finding that a third country affords an adequate level of protection of personal data, examine whether the transfer of a person’s data to the third country complies with the requirements of the EU legislation on the protection of that data and, in the same way as the person concerned, bring the matter before the national courts, in order that the national courts make a reference for a preliminary ruling for the purpose of examination of that decision’s validity.
The Data Protection Directive provides that the transfer of personal data to a third country may, in principle, take place only if that third country ensures an adequate level of protection of the data.
The directive also provides that the Commission may find that a third country ensures an adequate level of protection by reason of its domestic law or its international commitments. Finally, the directive provides that each Member State is to designate one or more public authorities responsible for monitoring the application within its territory of the national provisions adopted on the basis of the directive (‘national supervisory authorities’).
Maximillian Schrems, an Austrian citizen, has been a Facebook user since 2008. As is the case with other subscribers residing in the EU, some or all of the data provided by Mr Schrems to Facebook is transferred from Facebook’s Irish subsidiary to servers located in the United States, where it is processed. Mr Schrems lodged a complaint with the Irish supervisory authority (the Data Protection Commissioner), taking the view that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency (‘the NSA’)), the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country. The Irish authority rejected the complaint, on the ground, in particular, that in a decision of 26 July 2000 the Commission considered that, under the ‘safe harbour’ scheme, the United States ensures an adequate level of protection of the personal data transferred (the Safe Harbour Decision).
The High Court of Ireland, before which the case has been brought, wishes to ascertain whether that Commission decision has the effect of preventing a national supervisory authority from investigating a complaint alleging that the third country does not ensure an adequate level of protection and, where appropriate, from suspending the contested transfer of data.
In today’s judgment, the Court of Justice holds that the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities under the Charter of Fundamental Rights of the European Union and the directive. The Court stresses in this regard the right, guaranteed by the Charter, to the protection of personal data and the task with which the national supervisory authorities are entrusted under the Charter.
The Court states, first of all, that no provision of the directive prevents oversight by the national supervisory authorities of transfers of personal data to third countries which have been the subject of a Commission decision. Thus, even if the Commission has adopted a decision, the national supervisory authorities, when dealing with a claim, must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements laid down by the directive. Nevertheless, the Court points out that it alone has jurisdiction to declare that an EU act, such as a Commission decision, is invalid. Consequently, where a national authority or the person who has brought the matter before the national authority considers that a Commission decision is invalid, that authority or person must be able to bring proceedings before the national courts so that they may refer the case to the Court of Justice if they too have doubts as to the validity of the Commission decision. It is thus ultimately the Court of Justice which has the task of deciding whether or not a Commission decision is valid.
The Court then investigates whether the Safe Harbour Decision is invalid. In this connection, the Court states that the Commission was required to find that the United States in fact ensures, by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed within the EU under the directive read in the light of the Charter. The Court observes that the Commission did not make such a finding, but merely examined the safe harbour scheme.
Without needing to establish whether that scheme ensures a level of protection essentially equivalent to that guaranteed within the EU, the Court observes that the scheme is applicable solely to the United States undertakings which adhere to it, and United States public authorities are not themselves subject to it. Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons, and the Commission decision does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference.
The Court considers that that analysis of the scheme is borne out by two Commission communications, according to which the United States authorities were able to access the personal data transferred from the Member States to the United States and process it in a way incompatible, in particular, with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security. Also, the Commission noted that the persons concerned had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased.
As regards a level of protection essentially equivalent to the fundamental rights and freedoms guaranteed within the EU, the Court finds that, under EU law, legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data is transferred from the EU to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down for determining the limits of the access of the public authorities to the data and of its subsequent use. The Court adds that legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.
Likewise, the Court observes that legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, compromises the essence of the fundamental right to effective judicial protection, the existence of such a possibility being inherent in the existence of the rule of law.
Finally, the Court finds that the Safe Harbour Decision denies the national supervisory authorities their powers where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals. The Court holds that the Commission did not have competence to restrict the national supervisory authorities’ powers in that way.
For all those reasons, the Court declares the Safe Harbour Decision invalid. This judgment has the consequence that the Irish supervisory authority is required to examine Mr Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.
EU – ECJ: Safe Harbor “Invalid”
In a much-anticipated decision, the European Court of Justice (ECJ) was very straightforward in announcing that it has sided with Austrian law student Max Schrems, agreeing with his argument that the U.S. National Security Agency’s PRISM mass surveillance program, unveiled by Edward Snowden, makes the European Commission’s finding of U.S. adequacy for personal data transfer with the Safe Harbor mechanism “invalid.” Immediately, the privacy community began to react—including Schrems himself. [Full Story] See also: [Edward Snowden Says He Would Go To Jail to Come Back to The U.S.]
EU – ‘Safe Harbour’ Data Ruling Leaves U.S. Companies in Legal Limbo
A recent court ruling may boost the European Union’s efforts to reassert authority over how its citizens’ data is being treated and pressure other countries into creating privacy laws that are considered more equitable across borders. U.S.-based internet companies like Facebook, Amazon and Google are now likely scrambling to determine if they need to change their European operations after a judge in the European Union’s highest court ruled that the agreement allowing them to transfer data to the United States violates Europeans’ rights. [CBC News] SEE ALSO: [An Interview with the ECJ’s New President] [Safe Harbor Ruling Symptom of Global Surveillance Discord] [US – Post-Safe Harbor, Senators Push for Judicial Redress Act] and [Regan: Will Schrems Case Ultimately Hurt Europeans’ Privacy?]
EU – European Commission Faces Parliament Ire; Safe Harbor Questions Persist
European Commission leadership suffered the “slings and arrows” of a European Parliament unhappy with the institution’s handling of the now-invalidated Safe Harbor agreement. Parliament’s LIBE Committee also met this week and asked the Commission why Safe Harbor lasted 15 years. Meanwhile, Georgia Institute of Technology Prof. Peter Swire writes for Privacy Perspectives on the legal paths to move forward, and Denis Kelleher suggests that UK Information Commissioner Christopher Graham’s advice not to panic over Safe Harbor is the right advice for now. And in an interview with viEUws, European Data Protection Supervisor Giovanni Buttarelli shares “lessons to be drawn from the ruling, the impact of the decision on EU citizens as well as the efficacy of new instruments aimed at ensuring a high level of data protection.” [Full Story] SEE also: [Swire on Solving the Unsolvable with Safe Harbor] [ICO: Don’t Panic Over Safe Harbor—Yet] [A Look Forward After Safe Harbor’s Invalidation]
EU – LIBE: Why Did Safe Harbor Last 15 Years?
The European Parliament’s Civil Liberties Committee (LIBE) met to debate the European Court of Justice’s recent decision in the Schrems Case invalidating Safe Harbor. The resounding message: What took so long? “It’s important to highlight that something went wrong here,” said German Green MEP Jan Philipp Albrecht, who is rapporteur to the General Data Protection Regulation and vice chairman of the LIBE Committee. Dutch MEP Sophia in ‘t Veld agreed, calling Safe Harbor “bad legislation” that “was dead a long time ago.” MEPs debated what should happen next, and while some called for Safe Harbor 2.0, in ‘t Veld said it’s time to “change strategy.” [IAPP]
EU – German DPA Takes Steps After Safe Harbor Decision
The ULD, the data protection authority for the German state of Schleswig-Holstein, has taken the step that many have predicted and issued a position paper that follows the ECJ’s logic to declare model contract clauses, even consent, to likely be invalid ways of transferring data to the U.S. “The ULD specifically recommends that companies using standard model contracts cancel them with their U.S. partners and do a complete review of data transfers, consulting with the ULD in basically every instance.” Marit Hansen, head of ULD, the data protection authority in Schleswig-Holstein, issued a press release and position paper. [Full Story]
EU – Inquiry Finds More Can Be Done to Explain RTBF
Privacy advocates argue that many Europeans do not understand their specific liberties as they relate to the so-called right to be forgotten (RTBF). As such, they suggest, Google and data protection authorities (DPAs) need to do a better job of informing their consumers of their rights, including the right to reach out to DPAs and ask for a second opinion if a company such as Google rejects their RTBF requests, the report states. Although Google does mention that appeals to DPAs are an option in “rejection emails” for RTBF requests, advocates argue more could be done. “I think both DPAs and companies would have a task in raising awareness and informing users,” said Dutch Liberal MEP Sophie in ‘t Veld. [EUObserver]
UK – MPs’ Communications ‘Not Protected’, Tribunal Rules
MPs have no protection from having their communications read by UK security agencies, a tribunal has said. Green Party politicians Caroline Lucas MP and Baroness Jenny Jones argued a long-standing doctrine protecting MPs’ communications was being breached. But in a landmark decision the Investigatory Powers Tribunal said the so-called “Wilson Doctrine” was no bar to the incidental collection of data. Ms Lucas said the decision was a “body blow” for democracy.
EU – Facebook Goes on Privacy Offensive
Facebook is moving to counter at least five different privacy investigations by EU-based data protection authorities (DPAs). In particular, Facebook says a case brought by the Belgium Privacy Commission could affect the security of its users. The case, which could have a ruling as early as this week, would allow the DPA to fine Facebook as much as $284,000 per day due to its controversial use of cookies on non-Facebook sites, the report states. However, Facebook says the cookies help it weed out bots and other automated online machines. Facebook’s Alex Stamos said, “Often regulators will focus on a very, very particular issue and lose sight of the safety issues that affect all 1.5 billion users.” [Full Story]
UK – Consumer Privacy and Security Fears, Complaints Up
Consumer complaints about the way personal data is handled increased by 30% from 2013 to 2014, according to figures from Pinsent Masons, acquired via several Freedom of Information requests to the Information Commissioners Office (ICO). Complaints about the security of personal information rose from 886 in 2013 to 1,150 in 2014, while complaints about personal data increased 64% over a five-year period. Pinsent Masons said the increase in consumer complaints highlights increasing levels of public unease over how big business and other organisations store personal information. [theregister.co.uk]
EU – Albrecht on GDPR: Very Possibly Done by End of Year
In a meeting of the European Parliament’s Civil Liberties Committee (LIBE), Vice Chairman Jan Philipp Albrecht, Green MEP and rapporteur to the General Data Protection Regulation (GDPR), provided a report on the trilogue negotiations around the GDPR. Chapter five is done, he said, and chapters two, three and four are largely complete. “My impression is that we managed to get agreement on, I would estimate, 70 to 80% of the text,” he said, adding issues like consent conditions, data minimization definitions and the duties for controllers and processors have yet to be finalized. Albrecht said it’s “realistically possible” negotiations will conclude before end of year. [Full Story] See also: [First Direct-Marketing Convictions Set Standard]
EU – ECJ Issues Weltimmo Decision
Denis Kelleher examines the European Court of Justice (ECJ) decision this week in Weltimmo. In the case, the ECJ was “asked to consider what jurisdiction the Hungarian Data Protection Supervisor might have over a website in Slovakia,” Kelleher wrote when the Advocate General’s opinion on the case was issued this summer. “While it is not yet clear what precise impact this judgment will have upon the trilogue negotiations,” the court’s “clear analysis of the jurisdiction and responsibilities of different data protection authorities must be of assistance and hopefully will enable the EU to bring those negotiations to a close.” [IAPP]
EU – EDPS: PNR’s Existence Isn’t Justified
European Data Protection Supervisor (EDPS) Giovanni Buttarelli has published his opinion on the proposed Passenger Name Records (PNR) initiative, arguing there is “a lack of information to justify the necessity” of the move and stating it “raises serious transparency and proportionality issues, and … might lead to a move towards a surveillance society.” PNR could include “home addresses, mobile phone numbers, frequent flyer information, email addresses and credit card details,” the report states. “We encourage the legislators, in assessing the necessity of such a measure, to further explore the effectiveness of new investigative approaches as well as of more selective and less intrusive surveillance measures based on targeted categories of flights, passengers or countries,” Buttarelli said. Meanwhile, more Snowden documents indicate the UK government spied on Internet users since 2007. [Out-Law.com]
EU – DPAs to Announce Cooperative Agreement
During their “Fireside Chat” at Dentons’ offices in London, UK Information Commissioner Christopher Graham and former interim Privacy Commissioner of Canada Chantal Bernier previewed details of a new cooperation agreement amongst global data protection authorities (DPAs) to be announced at the Data Protection and Privacy Commissioners Conference later this month. Sam Pfeifle writes that the Arrangement, as it’s being called, was first discussed at the DPAs’ conference in Mexico in 2011 and creates a common understanding of DPAs’ obligations as they work together “so that separate memorandums of understanding don’t have to be negotiated and signed each time DPAs coordinate on a case.” [Privacy Advisor]
EU – Other News
- Under a new law signed by Romanian President Klaus Iohannis, state authorities will soon be able to access such information as “phone-call metadata, equipment IDs and localization.”
- The French Data Protection Authority, the CNIL’s, summary of actions regarding Google and the so-called right to be forgotten.
- The European Landowners Organisation is asking “ European Union regulators to update the rules in light of the dramatic growth in use of drones carrying cameras by private individuals.”
- In Germany, the Lower House of Parliament voted in favor of data-retention legislation. The proposed law would require “telecoms companies to retain details of Germans’ communications for 10 weeks,” but it has yet to pass the Upper House of Parliament.
Facts & Stats
WW – Survey: Data Leaks a Privacy Malady
FinalCode’s 2015 State of File Collaboration Security study is shining light on a new trend of data leaks, which, according to the survey, more than 80% of information-security professionals have encountered. A data leak is “information that is shared inappropriately, sent to the wrong email address, stored on a computer that was lost or stolen or compromised through a general system security gap,” the report states. Uber, for example, has confirmed a recent data leak impacted 674 U.S. drivers. More than 75% of survey respondents are “very concerned to concerned” about data leaks, the report continues. [GovTech]
WW – Study: Cost of Breaches is on the Rise
The Ponemon Institute’s 2015 Cost of Cyber Crime Study, which examines 252 organizations in five different countries, discovered that while the average cost of data breaches increased 1.95 in the past year, boards are showing less get-up-and-go regarding data security. Larry Ponemon said the numbers are “moving in the wrong direction,” with breach response time also up 30%. And boards don’t seem to care unless stock prices are affected, said Curtis Levinson, a NATO cybersecurity advisor. The study notes that companies “that invest in adequate resources, employ certified or expert staff and appoint a high-level security leader have cyber-crime costs that are lower than companies that have not implemented these practices.” [IT World Canada] [Cost of Data Breaches Keeps Going Up. Do Boards Care?]
US – Study: Keeping Up with Data Protection Rules is Financial Burden
A Vanson Bourne survey for software agency Ipswitch found that 68% of respondents believe staying abreast of data protection requirements is a “financial burden.” “Whilst IT professionals recognise the need to align data protection regulation to keep up with modern data-sharing practices and the globalisation of data, it is clear that compliance comes at a price for most,” said Ipswitch’s David Juitt in a statement. Meanwhile, Sachiko Scheuing tells Computing, “When companies around the world consider setting up a new unit in digital or mobile, I don’t think Europe is the preferred place to invest in.” Indeed, “Data protection continues to be a rapidly evolving area, and one that is increasingly important to business,” the Mayson Hayes & Curran Tech Law Blog reports. [Full Story]
Filtering
US – Big Breaches Plague E*Trade, Dow Jones
Dow Jones and E*Trade recently alerted their customers that personal information had allegedly been breached. Although some “personal information had been compromised,” there isn’t evidence that includes “any sensitive customer account information,” E*Trade explained in an email to its 31,000 affected customers. Meanwhile, Dow Jones CEO William Lewis alerted subscribers of the company’s breach via letter, indicating that between August 2012 and July 2015, hackers were looking for the “contact information for as many current and former subscribers as possible,” a number as high as 2.4 million. Additionally, “payment card … information for fewer than 3,500 individuals could have been accessed,” Lewis said. [BankInfoSecurity]
Finance
US – Lenders Look to Social Media to Gauge Creditworthiness
As financial lenders look to new and more accurate ways to determine an individual’s creditworthiness, some are looking at data inputs on a spectrum, where at one end credit card repayment history—the most accurate determinate—is considered, while at the other end social media posts are assessed. With banks concerned that they’re turning down potential sources of profit, companies such as Fico and TransUnion are tapping alternative data sources. “If you look at how many times a person says ‘wasted’ in their (Facebook) profile, it has some value in predicting whether they’re going to repay their debt,” said Fico Chief Executive Will Lansing. “It’s not much,” he added, “but it’s more than zero.” [Financial Times]
US – Glitch Exposes Bank Customers’ Financial Activities
A security glitch affecting online banking at Halifax and Bank of Scotland “has put tens of thousands of customers at risk of fraud by leaving their financial activities visible to anyone.” The banks, which are part of Lloyds, have not indicated how many accounts were affected, the report states, noting “fraudsters were able to view accounts without using hacking devices as they would only need someone’s name, date of birth and address to see their bank, savings, credit card, loan or mortgage account details.” The issue was discovered last week by MoneySavingExpert.com, the report states, and the banks have since fixed the problem with additional security measures. [The Telegraph]
US – FBI Takes Down Alert on Chip Credit Cards After Bankers Complain
The FBI posted an online advisory about vulnerabilities with new chip-enabled credit cards, but then removed the message less than a day later following concerns from U.S. bankers that back chip cards. The original online post was headlined, “New microchip-enabled credit cards may still be vulnerable to exploitation by fraudsters,” and was replaced by a “page not found” message. The FBI didn’t offer any comment on what happened to the original post, which raised the need for PIN (personal identification number) security to be included with chip-embedded cards. Use of a PIN instead of a customer’s signature to bolster a chip card has become a heated battle between the nation’s major retailers, which back a PIN, and powerful credit card companies and the major banks they support, which back signatures. The American Bankers Association contacted the FBI urging it to revise and clarify its original post, which was in the form of a public service announcement (PSA), to reduce confusion over the use of PINs with chip cards, an ABA official said. [Computerworld]
FOI
CA – New Brunswick Making Open Data ‘Baby Steps’
The New Brunswick government is inching toward an open data portal that will allow citizens to click through public information that has been previously locked inside government servers. The commitment to opening up public data sets came when Premier Brian Gallant announced a digital government initiative earlier this month. [CBC News]
CA – No Harm to Public Safety in Releasing Most of Sex Exploitation Report
Two years after politicians and the police castigated CBC News for putting people in danger by reporting on a government-commissioned report into sexual exploitation in Newfoundland and Labrador, the province’s information watchdog has rejected those concerns, saying most of the document can be released to the public. “I am recommending that the majority of the report be released,” information and privacy commissioner Ed Ring wrote in a recent report. The government now has until Friday to decide whether it will follow the commissioner’s recommendations. Under new access to information laws, the onus is on the government to go to court to block the release of information the commissioner says should be made public. [Source] See also: [Transgender Canadians getting voter cards with birth names]
Health / Medical
AU – myHealth Record Under Governmental Scrutiny
The newly unveiled myHealth Record system has spurred such controversy that Health Minister Sussan Ley was called to a parliamentary joint committee on human rights to quell concerns. Liberal MP Philip Ruddock, the committee’s chairman, argued the system has “significant privacy concerns,” while the Australian Privacy Foundation said, “We suggest that the identity data … will be seen as very useful to the government, especially when cross-matched against the Internet and telecommunications data and other databases.” In response to the concerns, Ley said, “I can assure all Australians that as we develop an electronic health record system … all privacy and security measures will be taken to ensure the protection of a patient’s personal details.” [The Sydney Morning Herald]
UK – HHS Roadmap Paves Way for Privacy
After months of feedback, the Department of Health and Human Services (HHS) has published its 10-year roadmap that illustrates “how healthcare facilities and patients should be able to share medical information” while protecting user privacy. “The roadmap includes a common clinical data set for every patient,” the report states. “In order for us to be able to understand the quality of care delivered for individuals and for populations, we need to have that data available,” said National Health IT Coordinator Karen DeSalvo, who also spoke of the need for “federally recognized, national interoperability standards … that would include privacy and cybersecurity standards.” The roadmap aims to clarify and “align federal and state privacy and security requirements that enable interoperability,” the report states. [ComputerWorld]
US – HealthCare.gov Gets Privacy Overhaul, Honors DNT
The Obama administration announced new changes to the HealthCare.gov website in time for a new round of health insurance sign ups. HealthCare.gov CEO Kevin Counihan said the website will now feature a new “privacy manager” that allows users to opt out of embedded third-party tracking, analytics and social media sites and will also honor do-not-track requests. Electronic Frontier Foundation (EFF) Staff Technologist Cooper Quintin said EFF applauds HealthCare.gov’s support of DNT and its decision to “give their users strong privacy controls,” adding EFF “would be thrilled to see more organizations, both public and private, follow their lead.” Meanwhile, CSM Passcode queries whether consumers should have the right to demand that websites not track them. [Associated Press]
CA – Alberta Privacy Commission: Health Record Breaches an “Epidemic”
In the wake of news that Alberta Health Services is disciplining 48 healthcare workers after a patient’s medical records were inappropriately accessed, a spokesman for Alberta’s Privacy Commission (APC) said such actions are part of a larger problem. Scott Sibbald, a spokesman for the APC, said, “More broadly, this isn’t an isolated incident by any means. We are seeing, and I guess for lack of a better term, an epidemic within electronic medical records systems.” Sibbald noted that, so far this year, there has been one conviction and two charges for unauthorized access. The agency is also investigating as many as a dozen additional cases. [CBC News]
CA – Yukon Government Developing New Privacy Rules for Health Records
The Yukon government is looking for input on who should have access to your personal health care records, and how accessible they should be. The government is working on new regulations focussed on managing and protecting health files. The new rules would fall under the Health Information Privacy and Management Act, passed in 2013 but not yet in effect. The territorial health department has put together a “discussion document,” and is seeking feedback from health professionals and other Yukoners. Living says the goal is to finish consultations by the end of this year, and have regulations in place in early 2016. [CBC News]
US – OCR Announces HIPAA Compliance Portal
In an attempt to provide HIPAA compliance guidance for mobile app developers and answer questions as they occur, the Department of Health and Human Services Office for Civil Rights (OCR) has created an online portal. “Historically, there have been limited opportunities to obtain guidance from OCR on how HIPAA applies to certain situations,” said David Wright Tremaine’s Adam Greene. “I hope that the OCR portal will provide a much needed influx of OCR guidance and clarification regarding how HIPAA applies to mobile health app developers, other cloud-based entities and other business associates.” The information requests will be anonymized, OCR Senior Adviser Linda Sanches said, thus making the portal a tool for learning, not enforcement. “We’re not going to track anyone down,” she added. [GovInfoSecurity]
Horror Stories
US – 15 Million Affected in Breach
Experian has confirmed that approximately 15 million customers, including T-Mobile users “who had applied for Experian credit checks, may have had their private information exposed.” “The unauthorized access was in an isolated incident over a limited period of time. It included access to a server that contained personal information for consumers who applied for T-Mobile USA postpaid services between Sept. 1, 2013 and Sept. 16, 2015,” Experian’s website states. Experian and T-Mobile are working to notify customers. “Information from the hack includes names, addresses and social security, driver’s license and passport numbers,” the report states, noting Connecticut’s Office of the Attorney General plans to investigate the breach. [The Guardian]
US – Millions of Customer Records Breached
Scottrade has confirmed that 4.6 million contact records were breached from 2013 through 2014. “Although Social Security numbers, email addresses and other sensitive data were contained in the system,” the company said, “it appears that contact information was the focus of the incident.” The American Bankers Association has also discovered that “thousands of members’ personal information had been compromised.” Meanwhile, hackers may have accessed the financial information of Trump hotel patrons. The company said, “Although an independent forensic investigation has not conclusively determined that any particular customer’s payment card information was taken … we are providing this notice out of an abundance of caution.” [ZDNet]
US – Senator Wants Details on Experian Breach
Sen. Sherrod Brown (D-OH) of the Senate Banking Committee has written to Experian asking for details regarding its recent T-Mobile data breach. His questions include “how the breach occurred” and “what changes Experian was making to its systems to stop it from happening again,” the report states. “Protection of this information is of the utmost importance, especially because the scope of the information is vast and virtually no consumer can apply for credit without entering your system,” Brown noted. He also requested Experian to arrange “credit freezes” for victims of the breach. Experian representatives said in a statement that they “understand the concerns raised” and will be responding. [Associated Press] [T-Mobile Reviewing Experian Affiliation] [Three lawmakers want answers from Experian on the recent data breach affecting up to 15 million T-Mobile customers].
US – PIRG Calls for FTC Investigation of Experian Breach
Twenty-five “data security and consumer advocacy” agencies, including the Electronic Privacy Information Center and the World Privacy Forum, co-signed a letter penned by the U.S. Public Interest Research Group to the Federal Trade Commission, urging the federal agency to launch an official investigation into the recent Experian data breach. “As you know, Experian is one of the three nationwide consumer reporting agencies, each holding data on over 200 million consumers,” the letter states. “A data security breach that affected Experian’s credit report files would be a terrifying and unmitigated disaster,” it continues. In response, an Experian spokesperson said “Experian understands the concerns raised and we are prepared to respond promptly to requests from regulatory agencies for more details about the incident.” Meanwhile, The New Yorker’s Om Malik argues that the company’s breach is just another iteration of the same grave trend. [The Guardian]
AU – Hackers Target Australian Health Sector, Selling Records for A$1,000
Hackers are targeting the Australian health sector, with fully populated digital health records sold on the black market for up to A$1,000 each. Plans to make the personally controlled electronic health record (PCEHR) an opt-out – rather than the current opt-in regime – could significantly expand the range of targets for health hackers. Carl Leonard, principal security analyst for Websense, said healthcare around the world is now experiencing 340% more attacks than the average industry sector. He said that, in 2014, there was a phenomenal 600% increase in the number of attacks launched against hospitals – and Australia is no exception. He said ransomware attacks were 450% more prevalent in healthcare globally than in other industries. He said: “Healthcare offers a very complete dataset that can be used for identity theft or fraud. It holds very up-to-date contact information so you can send targeted mails, and use the information and repurpose it for identity theft.” Leonard said some fully populated health records are fetching up to A$1,000 on the black market while the prices for credit card details continue to drop in what is considered a saturated market. [Computerweekly.com]
WW – Researchers Spot Potential Breach
“Researchers at Worcester Polytechnic Institute claim they’ve spotted a potential data breach issue involving Amazon Web Services (AWS).” Amazon, however, has responded that “AWS customers using current software and following security best practices are not impacted by this situation.” The researchers say they used an AWS instance to hack into another, but “only in a lab setting,” suggesting “a single cloud instance could be used by attackers to breach other instances running on the same machine, thus compromising individuals and organizations that are otherwise unrelated, except for using the same cloud service,” the report states. [Bank Info Security] See also: [Samsung breach the Result of Chinese Hackers]
US – Secret Service Privacy Breach Raises Concerns
The White House said that “significant concerns” have been raised by reports that scores of Secret Service employees accessed the unsuccessful job application of a congressman who was investigating agency scandals. Spokesman Josh Earnest said, though, that President Obama retains confidence in the agency’s director and that the “appropriate steps” will be taken to hold accountable any individuals who did not follow proper procedures. [The Associated Press]
NZ – Breaches Affect National Health Index, Merchant
A breach of New Zealand’s National Health Index exposed “confidential birth and death details” of 24,000 victims after an email was accidentally sent to the incorrect recipients. “Patients must be able to trust the information they give to doctors will only be accessible to staff involved in their treatment,” said Labour’s Annette King. King said the data is “particularly sensitive. Its release would be hugely distressing to relatives and loved ones,” adding, “any breach of this magnitude is unacceptable, full stop.” Meanwhile, the Australian Federal Police is looking into a breach that compromised shoppers’ home addresses and other personal information. [Computerworld] [NZ – Deaf Aotearoa flooded with complaints about Jehovah’s Witness church]
US – Uber Breach Investigation
Uber is investigating the breach of a database that contains information about the company’s drivers. A report from Reuters says that one suspect is Uber rival Lyft. Uber inadvertently posted the database key on a GitHub page before the breach. When Uber realized what had happened, it sent a subpoena to GitHub demanding information about people who visited that particular page during the period the key was visible. Someone using an IP address associated with Lyft’s Chief Technical Officer accessed the page. However, that IP address is not the same as the one used in the attack on Uber’s database. [SCMagazine] [Reuters] [Uber Focuses Legal Efforts on Identifying Hackers]
Identity Issues
WW – Coalition to Facebook: Rethink Policy
The Nameless Coalition, a new organization comprising groups like Human Rights Watch and the ACLU wrote a letter to Facebook articulating their displeasure with its policies regarding real names. “Users who opt to send Facebook their identification information are told that their information is secure but are given no information about how Facebook treats their data,” the coalition stated. “While we know not everyone likes this approach, our policy against fake names helps make Facebook a safer place by enabling us to detect accounts created for malicious purposes,” Facebook said. The coalition has requested a response to its letter by October 31. [The Verge]
US – FBI Urges Use of Two-Factor Authentication
The FBI is encouraging small- and medium-sized businesses and Internet users in general to use two-factor authentication to safeguard personal information. The FBI issued the recommendation as part of this year’s National Cyber Security Awareness Month. In a related story, a coalition of government agencies, technology companies, and security experts met in Washington, DC, earlier this week to discuss ways to move toward stronger, two-factor authentication. [FBI] [ExecutiveGov] [DailyDot]
WW – Yahoo Aims to Phase Out Passwords With New Service
Yahoo’s next step in password security is to eliminate them altogether. Starting this week, the company announced, users of the Yahoo Mail app on both iOS and Android will have access to a new service called Yahoo Account Key, which uses smartphones to verify identities in lieu of traditional passwords. Here’s how it works: When users who sign up for Account Key try to access Yahoo Mail, they will no longer need to enter their password. Instead, the Account Key service will send a message to the smartphone connected to the account. With a tap on yes or no, users can indicate it is a legitimate attempt to get into the account or deny unauthorized access. If their smartphone is lost or stolen, users can verify identities through an email or a text message sent to alternative accounts and numbers. In addition to Account Key verification, Yahoo executives announced a revamped version of Yahoo Mail that allows users to connect with, manage and search Outlook, Hotmail and AOL email accounts while signed in to their Yahoo account. The new Mail also connects to Twitter, LinkedIn and Facebook to add photos and create “contact cards” with email, telephone and social media information for contacts. [Reuters]
UK – ‘Hidden Faces’ Proposed As a Biometric Privacy Solution
Biometrics researchers are working on a privacy solution for facial data that would see smartphone user images split into two separate encrypted files, which are then also “hidden” in new, unrelated faces and stored separately. Using a technique known as visual cryptography, two facial data templates are created from a single face. These templates are then “hidden” in an unrelated face (for example, a celebrity mugshot), with one kept on the device and the other in the cloud. Addressing the issue whereby hacked mobile devices could reveal facial data stored on them for biometric authentication, the technique could eliminate the risk of reverse engineering from templates or even from secure elements. [planetbiometrics.com] See also: [UK – Identity Cards Can Solve Britain’s Migrant Crisis]
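To show the security property the item relies on (one share on the device, one in the cloud, neither revealing the template alone), here is an added example, not code from the researchers or the page, of a classic (2,2) visual-cryptography split in the Naor-Shamir style over a small constructed binary template; the step of hiding the shares inside an unrelated face is not implemented here.

```python
"""Added example: (2,2) visual cryptography of a small binary template.

Each secret pixel is expanded into a pair of subpixels on each share. Every
pair on a share has exactly one black subpixel, chosen at random, so a single
share (e.g. one stolen from a compromised phone) is a uniformly random bitmap.
Stacking the two shares (OR, like overlaying transparencies) turns black secret
pixels into fully black pairs and white ones into half-black pairs.
"""
import secrets

# Constructed 6x6 "template" standing in for a facial feature map: 1 = black.
TEMPLATE = [
    [0, 1, 1, 1, 1, 0],
    [1, 0, 0, 0, 0, 1],
    [1, 0, 1, 1, 0, 1],
    [1, 0, 0, 0, 0, 1],
    [1, 0, 1, 1, 0, 1],
    [0, 1, 1, 1, 1, 0],
]

# The two subpixel patterns; complementing one yields the other.
PATTERNS = ((1, 0), (0, 1))


def split(template, rng=secrets.randbelow):
    """Return (share_a, share_b); each row is twice as wide as the template.

    rng(2) must return 0 or 1; it is a parameter only so tests can be
    deterministic. The default is cryptographically secure randomness.
    """
    share_a, share_b = [], []
    for row in template:
        row_a, row_b = [], []
        for pixel in row:
            pattern = PATTERNS[rng(2)]
            row_a.extend(pattern)
            if pixel == 0:
                # white: identical pair, so the overlay stays half transparent
                row_b.extend(pattern)
            else:
                # black: complementary pair, so the overlay is fully black
                row_b.extend((1 - pattern[0], 1 - pattern[1]))
        share_a.append(row_a)
        share_b.append(row_b)
    return share_a, share_b


def stack(share_a, share_b):
    """Overlay two shares as transparencies: a subpixel is black if either is."""
    return [[a | b for a, b in zip(ra, rb)] for ra, rb in zip(share_a, share_b)]


def recover(stacked):
    """Collapse each subpixel pair: a fully black pair means a black pixel."""
    return [
        [int(row[i] + row[i + 1] == 2) for i in range(0, len(row), 2)]
        for row in stacked
    ]


def share_reveals_nothing(share):
    """True if every pair has exactly one black subpixel, i.e. the share's
    content is independent of the template (no information leaks from it)."""
    return all(
        row[i] + row[i + 1] == 1 for row in share for i in range(0, len(row), 2)
    )


if __name__ == "__main__":
    a, b = split(TEMPLATE)
    print("share A alone reveals nothing:", share_reveals_nothing(a))
    print("share B alone reveals nothing:", share_reveals_nothing(b))
    print("stacked shares recover template:", recover(stack(a, b)) == TEMPLATE)
```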
US – ACLU: License Chips a “Nightmare”
The growing trend of states enacting voluntary programs that connect one’s license to the Department of Homeland Security via RFID chips is what the American Civil Liberties Union (ACLU) calls a “civil liberties nightmare.” While “the cards are designed to be used instead of passports at U.S. land borders in a bid to speed up the entrance lines from Mexico and Canada,” their growing popularity could indicate that “such cards could become mandatory across the country,” the report continues. The ACLU said the “technology is a dream come true for identity thieves and stalkers,” while University of Washington researchers said there is “no encryption of any kind and they can be read by anyone,” noting “reading and cloning” of the chips “is possible.” [Ars Technica]
JP – ID Sparks Privacy Protests
Japan’s introduction of My Number ID, an identifier that “will unite personal tax information, social security and disaster relief benefits,” has sparked such intense privacy concerns that more than 400 protesters assembled in Tokyo to contest the move. “Chanting ‘Stop My Number now!’ and ‘No dangerous My Number card!’ protesters called for postponement of the 12-digit number,” the report states, noting the system is “expected to reach an estimated 55 million households” in an attempt to help “cut down on tax evasion and benefit fraud.” Sophia University’s Yasuhiko Tajima has called the My Number plan “unconstitutional,” the report states. [RT]
US – ID-Theft Center Advises Security-Freeze Customers to Watch Credit Report Costs
A Maine-based identity theft assistance company says customers who’ve recently put a security freeze on their credit reports should watch the cost of their policies. “We have become aware that some insurance companies are mistakenly using a customer’s frozen credit history as a negative factor when calculating the costs of the customer’s policy,” said Jane Carpenter, founder of Maine Identity Services. “This means that the rate charged for the insurance may be increased.” In one case, a customer’s rates increased by more than $150. Carpenter said those who’ve experienced a data breach and are receiving credit monitoring services should also watch costs. [Full Story]
WW – What’s in a Boarding Pass Barcode? A Lot
The next time you’re thinking of throwing away a used boarding pass with a barcode on it, consider tossing the boarding pass into a document shredder instead. Two-dimensional barcodes and QR codes can hold a great deal of information, and the codes printed on airline boarding passes may allow someone to discover more about you, your future travel plans, and your frequent flyer account. Interested in learning what’s in your boarding pass barcode? Take a picture of the barcode with your phone, and upload it to this site. This blog on the same topic from several years back includes some helpful hints on how to decode the various information fields that get dumped by the barcode reader. Finally, the standards for the boarding pass barcodes are widely available and have been for years. Check out this document from the International Air Transport Association (IATA) for more on how the barcode standards work and have been implemented in various forms. [KrebsonSecurity.com] [Krebs]
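To make concrete what “a lot” means, here is a decoder for the string a barcode reader dumps from a boarding pass, added as an example and not code from Krebs or IATA. Field names and widths follow the IATA Bar Coded Boarding Pass (BCBP) layout as the author understands it: a fixed 60-character mandatory section per leg, then an optional conditional section whose sub-blocks announce their own length in hex. Both sample passes are constructed, not scanned from real documents.

```python
"""Decoder for IATA BCBP ("M" format) boarding pass strings.

Added example, not Krebs' or IATA's code. Field widths follow IATA
Resolution 792 as the author understands them; samples are constructed.
"""
import datetime

HEADER = [("format_code", 1), ("legs", 1), ("passenger_name", 20), ("eticket_indicator", 1)]
LEG = [("pnr", 7), ("from_airport", 3), ("to_airport", 3), ("operating_carrier", 3),
       ("flight_number", 5), ("julian_date", 3), ("compartment", 1), ("seat", 4),
       ("checkin_sequence", 5), ("passenger_status", 1)]
# Conditional block, present once (first leg only), introduced by ">" + version.
UNIQUE = [("passenger_description", 1), ("checkin_source", 1), ("issuance_source", 1),
          ("issue_date", 4), ("document_type", 1), ("issuer", 3), ("baggage_tag", 13)]
# Conditional block repeated per leg.
REPEATED = [("airline_numeric_code", 3), ("document_serial", 10), ("selectee", 1),
            ("intl_doc_verification", 1), ("marketing_carrier", 3), ("ff_airline", 3),
            ("ff_number", 16), ("id_ad", 1), ("free_baggage", 3)]


class Cursor:
    def __init__(self, s):
        self.s, self.pos = s, 0

    def take(self, n):
        if self.pos + n > len(self.s):
            raise ValueError(f"truncated input at offset {self.pos}, need {n} chars")
        chunk = self.s[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def remaining(self):
        return len(self.s) - self.pos


def _fields(cur, layout):
    """Read fixed-width fields; trailing fields may be absent in short blocks."""
    out = {}
    for name, width in layout:
        if cur.remaining() == 0:
            break
        out[name] = cur.take(min(width, cur.remaining())).strip()
    return out


def _conditional(text, first_leg):
    cur, out = Cursor(text), {}
    if first_leg and text.startswith(">"):
        cur.take(1)
        out["version"] = cur.take(1)
        out.update(_fields(Cursor(cur.take(int(cur.take(2), 16))), UNIQUE))
    if cur.remaining() >= 2:
        out.update(_fields(Cursor(cur.take(int(cur.take(2), 16))), REPEATED))
    out["airline_use"] = cur.take(cur.remaining())  # free-form, airline-specific
    return out


def parse_bcbp(text):
    cur = Cursor(text)
    pass_ = {name: cur.take(w).strip() for name, w in HEADER}
    if pass_["format_code"] != "M":
        raise ValueError("not an IATA BCBP 'M' format string")
    legs = []
    for i in range(int(pass_["legs"])):
        leg = {name: cur.take(w).strip() for name, w in LEG}
        var_len = int(cur.take(2), 16)            # size of the conditional section, hex
        leg.update(_conditional(cur.take(var_len), first_leg=(i == 0)))
        legs.append(leg)
    pass_["legs"] = legs
    return pass_


def julian_to_date(day_of_year, year):
    """BCBP dates are day-of-year; the year is not encoded and must be assumed."""
    return datetime.date(year, 1, 1) + datetime.timedelta(days=int(day_of_year) - 1)


def identifying_fields(pass_):
    """What a discarded pass gives away: name, record locator, ticket and
    frequent-flyer numbers, which together unlock the booking and the account."""
    found = {"passenger_name": pass_["passenger_name"]}
    for leg in pass_["legs"]:
        for k in ("pnr", "document_serial", "ff_airline", "ff_number", "baggage_tag"):
            if leg.get(k):
                found[k] = leg[k]
    return found


# Constructed samples; ljust() pads each field to its width so offsets line up.
SAMPLE_MINIMAL = ("M1" + "DESMARAIS/LUC".ljust(20) + "E" + "AB12C3".ljust(7) + "YULFRA"
                  + "AC".ljust(3) + "0834".ljust(5) + "226F001A" + "0025".ljust(5) + "1" + "00")


def _build_full_sample():
    unique = "0WW5287B" + "BA".ljust(3) + "0125123456001"
    repeated = ("125" + "1234567890" + "  " + "BA".ljust(3) + "BA".ljust(3)
                + "12345678".ljust(16) + " " + "20K")
    cond = ">5" + f"{len(unique):02X}" + unique + f"{len(repeated):02X}" + repeated
    leg = ("ABC123".ljust(7) + "LHRJFK" + "BA".ljust(3) + "0117".ljust(5) + "288Y023A"
           + "0042".ljust(5) + "1" + f"{len(cond):02X}")
    return "M1" + "DOE/JANE".ljust(20) + "E" + leg + cond


SAMPLE_FULL = _build_full_sample()

if __name__ == "__main__":
    print(identifying_fields(parse_bcbp(SAMPLE_FULL)))
```

Run it against your own scan and compare the output with `identifying_fields()`: a record locator plus a surname is usually enough to open the booking on the airline’s site, which is the reason for the shredder advice.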
Internet / WWW
WW – TPP Signed: The ‘Biggest Global Threat to the Internet’ Agreed
An agreement that some campaigners have called the “biggest global threat to the internet” has just been signed, potentially bringing huge new restrictions on what people can do with their computers. The Trans-Pacific Partnership is the conclusion of five years of negotiations, and will cover 40% of the world’s economy. Its claimed purpose is to create a unified economic bloc so that companies and businesses can trade more easily, but it also puts many of the central principles of the internet in doubt, according to campaigners. One particularly controversial provision makes it a crime to reveal corporate wrongdoing “through a computer system”. Experts have pointed out that the wording is very vague, could lead to whistleblowers being penalised for sharing important information, and could deter journalists from reporting on it. Other provisions require that online content providers, such as YouTube and Facebook, take down content if they receive just one complaint, as they are already required to in the US. That will be harmful for startups looking to build such businesses, since they will need the resources to respond to every complaint, experts have pointed out. [The Independent]
WW – Study to Examine Challenges to Privacy
Singapore- and UK-based researchers have submitted a proposal to study the potential threats to privacy and security in the cloud. “Big data provides immense benefits ranging from innovative business models to new ways of treating deadly diseases. However, challenges to privacy arise,” said City University London’s Muttukrishnan Rajarajan, while the School of Electrical and Electronic Engineering’s Lu Rongxing noted, “If privacy is not well addressed, people may be reluctant to share their data.” If approved, the initiative will begin in 2016. Meanwhile, Singapore’s Personal Data Protection Commission has published two new surveys on consumer opinions and industry opinions of the Personal Data Protection Act. [Computer Weekly]
Law Enforcement
US – NYPD Has Super-Secret X-Ray Vans
Police Commissioner Bill Bratton won’t let the NYCLU — or anyone else — bully him for details on the NYPD’s super-secret X-ray vans. The top cop was asked about the counter-terror vehicles, called Z Backscatter Vans, in light of the NYCLU’s request to file an amicus brief arguing that the NYPD should have to release records about the X-ray vans. The website ProPublica filed suit against the NYPD three years ago after an investigative journalist’s requests for police reports, training materials and health tests related to the X-rays were denied. [The New York Post]
Offshore
AU – New Data Retention Laws Begin Today
Beginning today, every phone call you make, text message you send and email you write will be tracked by the government under a new metadata retention scheme. This scheme is allegedly being implemented to protect the country against organised crime and terrorism, but it is also being slammed as a major invasion of privacy. An Essential poll from early in the year showed that around 40% of Australians support the introduction of the new metadata laws and 44% did not, while 16% had no idea what it was. [news.com.au] International Business Times reports a survey by telecommunications industry lobby group Communications Alliance has found 84% of ISPs are not yet prepared to collect and store the required metadata. [BBC News]
Online Privacy
WW – Problematic Apps Removed from Apple’s Online Store
After Chinese-born apps were found to be laden with malware last month, Apple reviewed its App Store inventory and ousted those programs it considered “potentially invasive to user privacy.” “We’ve removed a few apps from the App Store that install root certificates which enable the monitoring of customer network data that can in turn be used to compromise SSL/TLS security solutions,” said an Apple spokesperson. “We are working closely with these developers to quickly get their apps back on the App Store, while ensuring customer privacy and security is not at risk.” [CNET]
WW – Apple Pulls Some Ad- and Content-Blocking Apps Over Privacy Concerns
Apple has removed several ad- and content-blocker apps from its App Store after they were found to install root certificates that could potentially be used by third parties to access user information. The root certificates could be used to monitor data, which “could be used to compromise SSL/TLS security solutions.” [InformationWeek] [ArsTechnica] [The Register] [ComputerWorld] [CNET] [eWeek]
US – Senators Criticize W3C Do-Not-Track Approach
Sens. Ed Markey (D-MA), Al Franken (D-MN) and Joe Barton (R-TX) have sent a letter to the World Wide Web Consortium criticizing its approach to its do-not-track (DNT) standards. In the letter, the senators contend that the DNT definition will not protect users’ privacy and that “first-party” sites should not be able to collect data from users who opted out of web tracking. “We believe that both first and third parties should be held to high standards that respect privacy and promote competition online,” they write. Additionally, the different standards for first and third parties “gives certain companies … an exemption from what could serve as an important consumer protection and an unfair advantage over companies that better honor consumer rights and expectations.” [MediaPost]
WW – No-Tracking Search Engine Gets $9M from Investors
Swiss-born search engine Hulbee, which has received $9 million from investors, aims to become a “pro-privacy alternative to mainstream search engines.” Unlike other search engines, “it does not track users,” the report states. “It’s competing with other search players in the pro-privacy space,” promising untracked ads as well. According to Hulbee CEO Andreas Wiebe, “Ads on Hulbee are targeted based on the search query, so there’s no geotargeting or cumulative tracking,” the report states. “Hulbee doesn’t fall back on surveillance, so there’s no geotargeting,” Wiebe said. “For Hulbee, the user is completely invisible … We recognize that most consumers do not want to be tracked.” The system has been available in the U.S. since August. [Tech Crunch]
WW – Zombie Cookie Privacy Concerns Come Back To Life
Verizon plans to give AOL access to zombie cookie-gleaned information. “That means AOL’s ad network will be able to match millions of Internet users to their real-world details gathered by Verizon,” the report states, adding that “AOL will also be able to use data … to track the apps that mobile users open, what sites they visit and for how long.” The move has struck a chord with the privacy-conscious. “It’s an insecure bundle of information following people around on the web,” said Deji Olukotun of Access. Verizon disagrees. The information will go to “a very limited number of other partners and they will only be able to use it for Verizon and AOL purposes,” said Verizon’s Karen Zacharia. [Pro Publica]
WW – Google Disputes Claims Its In-Car Entertainment System Spies on Users
Following a report from Motor Trend magazine claiming Porsche had chosen not to use Android Auto in its newest cars because of privacy concerns, Google has denied the in-car entertainment system spies on users. The report claimed certain pieces of data from the entertainment system are collected and “mailed back to Mountain View, California. Stuff like vehicle speed, throttle position, coolant and oil temperature, engine revs … “ But Google disputed the report, saying, “We take privacy very seriously and do not collect the data the Motor Trend article claims, such as throttle position, oil temp and coolant temp.” [The Guardian]
Other Jurisdictions
WW – Forrester Releases 2015 Data Privacy Heat Map
To help global organizations navigate privacy regulations, which vary from country to country and can conflict with one another, Forrester has published its 2015 Data Privacy Heat Map. The map, initially created in 2010, features in-depth analysis of the laws and cultures of 54 countries. This year’s version includes non-European countries such as Chile, South Africa and Thailand, which have each made strides “toward their own comprehensive data privacy regimes,” the report states. Many countries are making changes to align themselves with the pending European data protection regulation, particularly in light of such provisions as the “right to be forgotten” and breach notification laws. [Forbes]
MX – Uptick in Gov’t Data Requests Sparks Worries
Officials and politicians in Mexico are concerned with the number of government surveillance requests and the lack of supervision in place to keep sensitive data away from those who don’t have the appropriate credentials to access it. The number of requests in 2014 for mobile records was up 25%. Privacy advocates “are particularly concerned because of Mexico’s high rate of corruption—it is not uncommon for criminals and security to work in concert,” the report states. In addition, a new telecommunications law passed in 2014 could make government surveillance easier, and “just 3% of the data requests made in Mexico got a judicial review.” [SC Magazine]
AU – Telstra Gets Extension; Law Changes Explained
Telstra has received an 18-month extension from the Attorney-General’s Department to ensure the organization’s full adherence to the metadata retention law that is now in effect, a process the company has said it has already begun. “We are pleased to say that Telstra is one of the few, if not only, I think, telecommunication providers that has submitted a data retention plan and had it approved by the government,” said Telstra’s Catherine Livingstone. “We are organised to do this and we will implement it over 18 months, and of course, we will work with the government following through on their undertaking to reimburse us for the costs incurred.” Meanwhile, The Sydney Morning Herald breaks down the new data retention changes. [International Business Times]
AU – OAIC Still Protecting Privacy as Staff Dwindles
The government’s decision to significantly defund the Office of the Australian Information Commissioner (OAIC) is troubling as “the privacy functions of the OAIC have arguably never been more important, and it has now been tasked with an even greater responsibility to oversee parts of the mandatory data retention scheme.” Those behind the scenes argue the shortage of funding stems from government displeasure with freedom of information. Regardless, Privacy Commissioner Timothy Pilgrim argues that although “the team (is) somewhat diminished in size” it is “no less committed, is now doing more than ever … to enforce Australians’ privacy and freedom of information rights,” the report states. Meanwhile, the OAIC plans to release telecommunication companies’ audit results. [The Guardian]
RO – President Signs “Big Brother” Law
Under a new law signed by Romanian President Klaus Iohannis, state authorities will soon be able to access such information as “phone-call metadata, equipment IDs and localization.” The controversial law, which Romania’s media has named “Big Brother,” provides a right to access data stored by Internet providers and telecoms. “Now, it just needs to be published in the Official Journal of Romania to come into effect three days later,” the report states. The Romanian Association for Technology and Internet’s Bogdan Manolea said, “Although it is not a data-retention law, the quality of the legal text raises more questions than answers.” [ZDNet]
WW – Other International News
- Australia will not be passing any new data breach legislation this year, according to Attorney-General George Brandis.
- Australia’s controversial data retention law came into effect last week.
- Laws addressing the secret recording of phone calls in Australia.
- The first two organizations have been found guilty of breaching new direct-marketing provisions in Hong Kong’s Personal Data (Privacy) Ordinance.
- Brazil’s Ministry of Justice recently “launched a public consultation concerning the regulation of Internet Law,” particularly with regard to issues of net neutrality, privacy, log access information and other matters.
- India’s Supreme Court has ruled that voluntary Aadhaar cards, issued by the Unique Identification Authority of India, can now be used in welfare schemes and other fund programs.
- South Africa’s new Cybercrimes and Cybersecurity Bill is set to create “20 new cybercrime offences,” expanding on the already-existing Electronic Communications and Transactions Act.
- In Brazil’s Congress, the Lower House “is considering a bill that would double penalties for libel and defamatory speech when they occur online and dissolve protections for communications privacy in criminal investigations.”
Privacy (US)
US – Tech Giants Press Congress to Give EU Citizens Privacy Rights
A group of large U.S.-based technology companies have sent a letter to U.S. House of Representatives leadership urging them to pass the Judicial Redress Act, a bill that would extend certain privacy protections to EU citizens. The letter states that such a bill “is a critical step in rebuilding the trust of citizens worldwide” and that restoring “that trust is essential to continued cross-border data flows…” Meanwhile, the Computer & Communications Industry Association is opposing the Cybersecurity Information Sharing Act (CISA). Similarly, the American Library Association has said CISA would let federal intelligence agencies spy on people using library computers. [The Hill] [US – Google, Facebook, and Microsoft Stick a Bomb Under Hated CISA Cyber-Law] See also: [US – Candidates Need To Get Privacy Right]
US – Cartoon Network Cleared of VPPA Violation
The 11th Circuit Court of Appeals has ruled that Cartoon Network (CN) didn’t breach the Video Privacy Protection Act (VPPA). Plaintiffs had alleged their mobile information was tracked and shared when they used CN’s mobile app in violation of the VPPA. However, the court found that “downloading an app for free and using it to view content at no cost is not enough to make a user of the app a ‘subscriber’ under the VPPA, as there is no ongoing commitment or relationship between the user and the entity which owns and operates the app,” the opinion states. [The Hollywood Reporter]
US – Other News
- The Home Depot has asked a federal court to dismiss a lawsuit filed by financial institutions over a 2014 breach.
- A group of large U.S.-based technology companies sent a letter to House of Representatives leadership urging them to pass the Judicial Redress Act, which would extend certain privacy protections to EU citizens.
- A report in The National Law Review takes a close look at the Judicial Redress Act, approved by the House Judicial Committee last month.
- Sen. Chris Murphy (D-CT) is renewing calls for passing the Judicial Redress Act. The bill, upon which the EU-U.S. Umbrella Agreement is partially predicated, would extend some data privacy rights to European citizens in the U.S.
- The Computer & Communications Industry Association is opposing the Cybersecurity Information Sharing Act (CISA), while the American Library Association has said CISA would let federal intelligence agencies spy on people using library computers.
- A group of House Republicans believes the foray of the Federal Communications Commission “into the privacy regulation space“ via ISP privacy enforcement is “troubling.”
- Facebook has asked U.S. District Court Judge James Donato to dismiss a suit alleging its photo-tagging service violates biometric privacy laws.
- A federal judge in New York is seeking to expand the debate surrounding law enforcement access to encrypted communications technology.
- California Gov. Jerry Brown has signed into law the California Electronic Communications Privacy Act, which makes California “the first (state) to enact a comprehensive law protecting location data, content, metadata and device searches,” the ACLU of California’s Nicole Ozer said.
- The House of Representatives has passed a bill “demanding that the Department of Homeland Security develop a formal cybersecurity strategy.”
- California Gov. Jerry Brown has signed a first-in-the-nation bill mandating that smart televisions provide users with prominent notice during the initial setup that voice recognition technology is being used.
- Reps. Vern Buchanan (R-FL) and Jim McDermott (D-WA) have introduced a bill that would require the most commonly used tax forms to include truncated Social Security numbers.
- UC Berkeley’s Chris Hoofnagle examines the Federal Trade Commission’s TRENDnet case in his blog.
- The National Law Review reports the Securities and Exchange Commission has “proposed that persons involved in administrative proceedings be required to submit all documents and other items electronically,” noting that under the proposal, “parties would be required to omit ‘sensitive health information’ that is identifiable by individual.”
- An HIT feature looks at the issues surrounding HIPAA and consent.
- The question of body cameras for campus law enforcement in the context of the Family Educational Rights and Privacy Act is examined.
Privacy Enhancing Technologies (PETs)
US – HP and 3M to Integrate Privacy Screens into Laptops
HP and 3M say they will integrate privacy screens into some laptops by next year. The feature will allow users to turn a screen black with a push of a button. “Currently, ensuring privacy in cramped quarters is usually handled by installing a clumsy plastic sheet that narrows the field of view to only the person directly in front of the computer.” “If you’re on the side, you see black. But when you have to peel off that screen when it’s time to show off your PowerPoint, they often get dinged up and lost,” the report states. [PCWorld]
WW – Silent Circle Focusing on Businesses, Not Consumers
Silent Circle Co-Founder and encryption guru Phil Zimmermann says that “People want their privacy for free,” and because of that, the company, which makes the privacy-protective Blackphone, is now focusing its sales efforts on businesses handling sensitive data instead of the consumer market. The company is looking to sell the Blackphone to large enterprises to help protect sensitive personal information, trade secrets and other communications because organizations “are operating in an environment where they’re under attack from hackers.” Meanwhile, the White House has said it will not ask Congress to pass a law requiring companies to decrypt communications data. FBI Director James Comey said, “The administration has decided not to seek a legislative remedy now, but it makes sense to continue the conversations with industry.” [Motherboard]
WW – Apple Acquires Privacy-Sensitive AI Start-Up
Apple has acquired artificial intelligence (AI) start-up Perceptio, a company known for building AI systems on smartphones without having to share large quantities of user data. According to the report, Perceptio aims to run AI image-classification systems on mobile devices without the assistance of external data, fitting in with Apple’s goal of limiting customer data usage. Apple’s Colin Johnson said, “Apple buys smaller technology companies from time to time, and we generally do not discuss our purpose or plans.” Last week Apple said it had acquired a UK-based start-up specializing in technology that allows “Siri-like personal assistants” to carry on longer conversations with users. [Bloomberg Business]
RFID / IoT
US – Pilot Program Aims to Use Smart Beacons to Track Riders Who Opt-In
A pilot program has been launched by a private contractor to track riders of Massachusetts public transit. The program’s aims are to “improve the rider experience” and help advertisers with the Massachusetts Bay Transportation Authority system “increase engagement and interaction with commuters,” by using a “secure, closed network of Gimbal Bluetooth Smart beacons” that the contractor—called Intersection—says won’t collect personally identifiable information. Riders would only be tracked if they opt in to an app that would allow for the tracking of the beacon’s signal. [NetworkWorld]
US – Insurance Companies Pair With Smart Products to Monitor Homes
Insurance companies are partnering with companies that offer smart products for homes to “get their foot in the door.” American Family Insurance, Liberty Mutual and Bloomington-based State Farm have recently paired with such companies as Google and Nest to offer policyholders discounts on their home insurance in exchange for using the devices. But not everyone thinks that’s a great idea. “These are double-edged products,” said Bob Hunter, insurance director for the Consumer Federation of America. “If properly controlled for privacy and only installed with the policyholder’s permission and total transparency, they can make a home safer … but without strict protections, these could be a threat to a family’s privacy and intimacy.” [Chicago Tribune]
US – Committee Proposal Would Create Civil Penalty for Car Hacks
The House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade has proposed a requirement that vehicle manufacturers state their privacy policies, along with civil penalties of up to $100,000 for the hacking of vehicles. The lawmakers suggest the National Highway Traffic Safety Administration establish an Automotive Cybersecurity Advisory Council to develop cybersecurity best practices for U.S. car manufacturers. The “staff draft” released ahead of a hearing on the topic next week recommends manufacturers be required to have “reasonable measures” in place to protect driver information against hacks or face penalties of “not more than $5,000 per day.” [IDG News Service]
US – New Fridge Can Track Your Beer Supply
Internet-of-Things (IoT) technology continues its rapid growth, moving into the beer-tracking game. Bud Light, along with the National Football League, has introduced a new connected fridge that tracks and discloses real-time data on a consumer’s beer supply and temperature. The technology could eventually provide location to allow for home delivery. The fridge is currently only available in California. Meanwhile, California Gov. Jerry Brown has signed a first-in-the-nation bill mandating that smart televisions provide users with prominent notice during the initial setup that voice recognition technology is being used. AB1116 also prevents manufacturers and other third parties from using or selling recorded conversations for advertising. Privacy advocates are still concerned that collected data could be used to profile users, the report states. [MediaPost]
Security
US – FTC Launching Data Security Initiative
Several Federal Trade Commission (FTC) officials shared their views and concerns on recent developments in privacy at the IAPP Global Privacy Summit, and Bureau of Consumer Protection Director Jessica Rich said the agency is set to launch “Start with Security” to provide businesses with resources, education and guidance on data security. Jedidiah Bracy highlights the details on the program Rich and FTC Chairwoman Edith Ramirez shared at the event, the four trends Commissioner Julie Brill said the FTC is looking at and reactions from the FTC on the Obama administration’s proposed Consumer Privacy Bill of Rights. [Full Story] See also: [Is Your Company Ready for FTC Oversight of Data Security?]
US – New Cybersecurity Guidance Released by NYSE
The New York Stock Exchange (NYSE) published a new 355-page cybersecurity guidance with “46 chapters written by more than 35 contributors across security, business and government,” an offering that is touted by the NYSE as the “definitive cybersecurity guide for directors and officers” of public companies. It “covers such topics as board obligations and action plans, how CEOs can ask better questions, how to protect trade secrets, as well as consumer protection and incident response,” the report states. “No issue today has created more concern within corporate C-suites and boardrooms than cybersecurity risk,” said NYSE President Tom Farley in the publication’s introduction. “No company, region or industry is immune, which makes the responsibility to oversee, manage and mitigate cyber risk a top-down priority in every organization.” [Market Watch] See also: [FTC Security Workshop Next Stop: Austin]
US – New Protective Service Announced as Breach Reports Persist
Visa and FireEye have once again become allies on the breach protection front with the announcement of the protective service Visa Threat Intelligence. “The subscription-based service includes a web portal where Visa clients can share and view cyber intelligence, forensic threat analysis from recent data breaches and information on malicious software,” the report states, noting, “According to Visa, the ultimate goal with the program is to identify a breach, or a potential breach, before data can be used or compromised.” Meanwhile, SC Magazine reports on a breach involving America’s Thrift Stores, and a new report from Accenture suggests breaches in “the next five years will cost U.S. health systems $305 billion in cumulative lifetime revenue.” [ZDNet]
US – Group Urges FCC to Mandate Better Router Security
In a letter to the FCC, a group of more than 260 global Internet thought-leaders, including former FCC Chief Technologist Dave Farber and Internet co-inventor Vinton Cerf, unveiled an alternative plan to improve the security of WiFi routers. The proposal is in response to newly proposed FCC rules as disclosed in ET Docket No. 15-170. Farber said, “Today there are hundreds of millions of WiFi routers in homes and offices around the globe with severe software flaws that can be easily exploited by criminals. While we agree with the FCC that the rules governing these devices must be updated, we believe the proposed rules laid out by the agency lack critical accountability for the device manufacturers.” [Business Wire] See also: [FCC’s Privacy Regulation “Troubling,” House Republicans Argue]
US – Post-Ashley Madison Breach, Companies Turn to Cyberinsurance
The Canadian Press reports that several high-profile data breaches, most notably the Ashley Madison hack, are prompting companies to turn to cyberinsurance. Deloitte Director of Technology Research Duncan Stewart said, “The number of attacks are rising, the severity is rising, and when they come, they’re more difficult to deal with.” Stewart also said such insurance is now part of the cost of doing business, the report states. He also asked, “You wouldn’t own a factory and not have fire insurance, so why would you think about not having cyberinsurance?” [Full Story]
US – Lack of Data Puts Cyberinsurance Companies in a Bind
Breached businesses are frequently reticent about their experiences, and that has prevented the cyberinsurance industry from having the necessary data to both “accurately predict the risk of a breach” and determine rates. Besides employing computers to forecast risk—a process that is “totally at its infancy,” said George Washington University’s Costis Toregas—another option is a Department of Homeland Security-backed “third-party repository“ of such information, the report states. “The unlocking of the potential market into the hundreds of billions of dollars will happen when they either develop a comprehensive kind of statistical base of losses or some strong models that can tell them with some level of confidence,” Toregas added. [Nextgov] [NYT Features Special Section on Security, Privacy]
US – Breach Insurance Policies Costing a Pretty Penny
As breaches multiply, so have the rates of insurers’ “cyber premiums.” “On top of rate hikes, insurers are raising deductibles and in some cases limiting the amount of coverage to $100 million, leaving many potentially exposed to big losses from hacks that can cost more than twice that,” the report states. “Average rates for retailers surged 32% in the first half of this year, after staying flat in 2014,” the report continues. And size doesn’t matter: “Even the biggest insurers will not write policies for more than $100 million for risky customers,” the report states, noting, “That leaves companies like Target, which says its big 2013 data breach has cost $264 million, paying out of pocket.” [Reuters] [Cyber Insurance Rates To Skyrocket]
Smart Cards
HK – Cards Recalled After Security Flaw Discovered
After a security vulnerability was found in credit cards “that allows holders’ names to be read by unauthorised sources when they make contactless payments,” the Hong Kong Monetary Authority (HKMA) called for seven banks to “recall or replace” said cards. “Some of the cards issued by the seven banks do not fulfil the HKMA requirements set up in 2012 regarding contactless payment,” an authority spokesperson said. “Namely, the bank must ensure that the data stored in the card and transferrable via contactless payment must include only information essential for transaction, and not include the user’s full name.” The breach was reported to the Office of the Privacy Commissioner for Personal Data as it “may involve a leak of nonessential personal data,” the spokesperson added. [SCMP]
Surveillance
CA – ‘Orwellian’ Surveillance System Monitors All [Cell] Phones on Prison Grounds
Correctional Services Canada is using advanced surveillance technology to record the phone calls and texts of not just inmates, but anyone within earshot. The technology, which is similar to “stingrays” used by police in the United States, intercepts calls and texts coming from inside the prison, its parking lot, grounds and possibly even the surrounding area. In a memo, Warkworth’s warden Scott Thompson wrote that, after a number of deaths and overdoses, he had asked Correctional Services Canada to install the technology to help catch contraband. “Unfortunately, I knew that by trying to intercept what the inmates were doing, I would also be provided with information about cellular devices being used in noninmate areas.” [Toronto Star]
CA – Ontario IPC Releases Surveillance Guidance
The Information and Privacy Commissioner of Ontario (IPC) published Guidelines for the Use of Video Surveillance in an attempt to regulate the use of surveillance and protect user privacy, the agency said in a statement. “Video footage captured by cameras is regularly used to assist in the investigation of wrongdoing,” the IPC report states. “However, the use of these surveillance technologies can put individuals’ privacy at risk. Therefore, it is important to carefully consider both whether it is appropriate to install video surveillance and how it is used.” The guidelines cover everything from “appropriate retention periods” to “notices of collection” while aiming to blend old guidance with new. “By following these guidelines, institutions can use video surveillance technologies, while protecting individuals’ privacy in accordance with their obligations under Ontario’s privacy legislation,” the report notes. [Full Story]
WW – New CCTV Cameras Surveil and Protect Privacy
Canon is experimenting with new CCTV technology that provides certain privacy protection but still records individuals in specific restricted areas. In recent demos by the company, new surveillance cameras can be programmed to watch restricted areas while blocking out individuals outside that area. Any images outside the restricted area are processed into a “pale green ghost.” Traditionally, cameras are aimed at a restricted area, but often capture peripheral images of people walking by. Canon’s new camera would avoid that, thereby helping it comply with some local privacy laws around the world. [PC World]
US – DHS Detains, Forces Mayor to Hand Over Passwords
Returning from a conference overseas, Stockton, CA, Mayor Anthony R. Silva was detained by representatives of the Department of Homeland Security who not only confiscated his electronics but also made his ability to leave their custody dependent on disclosure of the devices’ passwords. “Unfortunately, they were not willing or able to produce a search warrant or any court documents suggesting they had a legal right to take my property,” Silva said. Additionally, the mayor was informed that he had no right to have a lawyer present, the report states. “I think the American people should be extremely concerned about their personal rights and privacy,” Silva said. Anonymous sources allege his detainment was in connection to an ongoing probe, the report states. [Ars Technica]
WW – UL Working on Wearable Security, Privacy Standard
UL, formerly known as Underwriters Labs, will soon certify the safety and security of wearables and other Internet-of-Things (IoT) devices. The company, which is better known for certifying appliances for electrical safety, is currently developing draft security and privacy requirements for IoT devices and expects to launch the program in early 2016. “When we think of how wearables are used, there are a lot of different implications for security,” said UL Principal Engineer for Medical Software and System Interoperability Anura Fernando, adding UL aims to “begin to raise the bar for how security should be addressed … and establish a minimal baseline for what should be addressed much like we did with electricity 120 years ago.” [Computerworld]
Telecom / TV
US – Wireless Industry Issues New Privacy Commitments
The Wireless Association, based in Washington, DC, has issued a set of voluntary antitheft commitments for device manufacturers with the intent to protect user data while limiting the theft of smartphones. Nearly 20 wireless providers have now agreed to implement an antitheft tool, either preloaded or downloadable, to remotely wipe user data in cases of smartphone theft. The agreement also states that phones made after July 2016 will provide users with tools to disable the antitheft technology and use one of their choice. According to the report, smartphone thefts are down 2%0, likely from password protection. [ABC News]
US Government Programs
US – Audit Finds Some IRS Systems Dangerously Decrepit
According to a recent Treasury Inspector General for Tax Administration (IG) audit, some Internal Revenue Service (IRS) systems are vulnerable to data theft due to out-of-date technology. “We believe that running workstations with outdated operating systems poses significant security risks to the IRS network and data, particularly in the environment where a chain is only as strong as its weakest link,” the IG said. However, the IRS said it has made changes “to dramatically increase the velocity of upgrades while minimizing risks and costs.” The IRS also cited budget restrictions as a hindrance to technological advancement. The Obama administration has asked for a $242 million cybersecurity allotment for the IRS in its proposed 2016 budget. [The Hill]
US – Defense Department Contractors Must Report Breaches
A new rule requires many US Department of Defense (DoD) contractors to report “cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system.” The rule applies to the more than 100,000 contractors in the DoD’s Defense Industrial Base information sharing network. [The Hill] [NBC News] [Federal Register]
US Legislation
US – California Amends Definition of Personal Identifiable Information and Breach Notification Content Requirements
On October 6, 2015, California Governor Jerry Brown signed into law several changes to California’s Data Breach Notification Statute. The law, as amended, adds new categories of information to the definition of Personal Information, such as licence plate numbers; new content requirements for data breach notifications (together with a new form that, when used properly, will be deemed compliant with the new requirements); and a new definition of “encryption.” The amendment becomes effective as of January 1, 2016. [Mondaq News]
US – California Governor Signs CalECPA Into Law
California Gov. Jerry Brown signed into law the California Electronic Communications Privacy Act (CalECPA), making California “the first (state) to enact a comprehensive law protecting location data, content, metadata and device searches,” Nicole Ozer, technology and civil liberties policy director at the ACLU of California told WIRED. Privacy advocates are applauding its passage, and the Electronic Frontier Foundation calls it a “significant milestone in the campaign to update computer privacy laws, which have been stuck in the 1980s,” adding it hopes the move “will lend momentum to the federal Electronic Communications Privacy Act.” [IAPP]
US – New California Law Requires Warrant to Use Stingray
California Governor Jerry Brown has signed into law a bill that requires law enforcement to obtain a warrant prior to using cell-site simulators, often referred to as stingrays. The California Electronic Communications Privacy Act has been described as having a broad scope; it does not apply to specific technologies but instead aims to protect citizens’ digital privacy. [Ars Technica]
US – House Passes Bill Calling for DHS Strategy
The House of Representatives has passed a bill “demanding that the Department of Homeland Security (DHS) develop a formal cybersecurity strategy.” The bill outlines DHS’s responsibilities for a strategy to facilitate a hub that would allow for data-sharing on federal and civilian cyber-threats. It would also require DHS to provide technical assistance and damage mitigation for organizations that suffer hacks and breaches. Meanwhile, a congressman whose data was reportedly stolen in the Office of Personnel Management hacks says his data is now being used in identity-theft attempts. [Press TV]
US – Other Legislative News
- A California bill “that would have seen an option for (RFID) tags in driver’s licenses” has been vetoed by Gov. Jerry Brown, highlighting potential privacy and security concerns. Brown has signed a data breach notification law that includes new standards for data encryption and defining personal information “following large scale data breaches at some of the country’s most prominent health systems, which include UCLA Health.” And Privacy This Week looks at the six privacy-related bills Brown signed earlier this month.
- Pennsylvania lawmakers have introduced two bipartisan student privacy bills that would allow schools to “still use education technology products that amass, sell or share student data—but only after notifying parents and allowing them to opt out.”
- Vermont lawmakers are considering new personal privacy laws ahead of the next legislative session to “ensure high-tech gadgetry doesn’t cut into Vermont’s long-held tradition of privacy protection.”
- The U.S. Senate is expected to bring the Cybersecurity Information Sharing Act to the floor following this week’s recess, “but if discussion among industry, agencies and Congress is any indication, consensus over what that legislation will look like won’t come easily.”
- Delaware has passed the Delaware Online Privacy and Protection Act, which requires online operators “to conspicuously post a privacy policy identifying the personally identifiable information it collects on users and how it responds to do-not-track signals.”
- Florida Sen. Jeff Clemens has sponsored a bill in that state to protect social media passwords.
- The National Law Review examines the “patchwork of state laws” in the U.S. that address access to employees’ social media accounts, while Maine’s Employee Social Media Privacy law is set to go into effect on October 14.
- California Gov. Jerry Brown has “vetoed a trio of bills that would have prohibited civilians from flying aerial drones over wildfires, schools, prisons and jails, despite alarm over close calls with firefighting aircraft.”
- There are new drone regulations in Nevada. [Don’t Like That Drone Overhead? Grab An Anti-Drone Freeze Ray]
- A new North Carolina law takes effect in December that “adds 35 offenses to a growing list of charges that mandate those accused give a DNA sample to law enforcement.”
- The Oregon House Interim Committee on Judiciary has received a report from the Work Group on Unmanned Aircraft Systems.
- A bill proposed by Sen. Mike Folmer (R-Lebanon County) will place a “two-year moratorium on the use of drones by state and local government agencies to fly over private property and municipalities.”
+++