16-30 September 2015


US – OPM Confirms 5.6 Million Fingerprints Stolen in Hack

The government now says the number of compromised fingerprints illegally accessed in the second hack of the Office of Personnel Management (OPM) is five times higher than originally thought. The government originally reported that 1.1 million fingerprints were stolen, but now the number has gone up to 5.6 million, the Department of Defense and OPM have said. The investigation of the breach by both agencies “identified archived records containing additional fingerprint data not previously analyzed,” the OPM stated. The agency downplayed the threat of the compromised biometric data, but said, “If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach.” [Reuters] [Why OPM Hackers Wanted Fingerprints]

Big Data

US – UCLA Project Tackles Data

The next scholastic foray for Christine Borgman, the distinguished professor and presidential chair in information studies at UCLA, involves interdisciplinary data use and how the subject of the data impacts how it is handled, “with the aim of simplifying the complexities of data practices and challenging prevailing assumptions about the value of sharing data.” The “If data sharing is the answer, what is the question?” project aims “to provoke a much fuller and more comprehensive conversation about the diversity of data and practices, the infrastructure required to support them and the roles and responsibilities of varied stakeholders,” said Borgman, who has also written a book on the subject. [UCLA’s Newsroom]

WW – Is Data-Driven Sales Tech Crossing the Creepy Line?

The rise of data-driven tools uses predictive analysis and automation to help generate more effective sales. Burgeoning technological tools are helping companies determine those most likely to make a purchase, for example. A number of start-ups interested in automating sales departments have accumulated around $400 million in venture capital in the last two years, the report states, but some of the tools “seem creepy,” allowing salespeople, in one example, to see when a potential client reads an email and for how long the client lingers, so the salesperson can follow up during a time of potential peak interest. Meanwhile, the Center for Digital Democracy and the U.S. Public Interest Research Group are asking the FTC to protect consumers from unfair lead-generation practices. [The Wall Street Journal]

WW – Data Should Be Accessible, But Not Too Accessible

Citing an education study in which researchers were able to examine the tax returns of students to gauge their future success, scientists and privacy advocates discuss what the balance of data access and privacy ought to be. “There is … concern that the rush to use these data could pose new threats to citizens’ privacy,” the report states. “The types of protections that we’re used to thinking about have been based on the twin pillars of anonymity and informed consent, and neither of those hold in this new world,” said New York University’s Julia Lane, adding, “Difficulty in access is a feature, not a bug … It should be hard to get access to data, but it’s very important that such access be made possible.” [Nature]

WW – Behavioral-Based Premiums Make Privacy Community Nervous

Swiss health insurance company Dacadoo’s controversial consideration of upping premiums for the lazy has the privacy community examining the move’s potential impact. “There’s no solidarity if someone who does a lot of sports and takes care of their health has to pay the same high premiums as someone who smokes, drinks and drives and does not play sports,” said Dacadoo’s Peter Ohnemus. His words point toward a U.S. trend, the report states, noting, “The proliferation of Internet-of-Things devices is already creating a market for data that could give companies more insight into the behavior of their customers—or, in the case of insurance firms, on whom to place bets.” [Ad-Age]

WW – Industry 4.0 Emphasizes IoT, Data Security

A Boston Consulting Group primer looks at the nine pillars of Industry 4.0, or “the next phase in manufacturing, known as the post-information revolution.” The pillars span everything from cybersecurity and the Internet of Things to the cloud and big data, “all of which IT professionals must understand in order to effectively compete in the next 10-20 years,” the report states. The future of technology must include a discussion on ethical implications as well, Lisa Morgan writes for Information Week, noting, “while organizations usually have stated privacy policies, more could be done to ensure the ethical use of data.” Meanwhile, UNESCO also considered Internet ethics during its recent consultation, West Indies News Network reports. [Business to Community]

WW – Privacy and the Rise of Artificial Intelligence

Here are the latest developments from IBM’s artificial intelligence system, better known as Watson. “I have seen the future, and it is a world of unparalleled convenience, untold marketing opportunities and zero privacy,” writes James Niccolai. The catalyst for his report is a recent event held by IBM to share what will become available to developers for constructing smarter, “cognitive” applications. With the dramatic rise in data collection, artificial intelligence will play a significant role in weeding through and making sense of the “mountains of information” to “make decisions we can no longer arrive at through traditional programming,” Niccolai writes, adding, “This isn’t big data; it’s gargantuan data.” [IDG News Service]


Lawmakers in Ontario tabled Bill 119, which would amend the Personal Health Information Act. The amendments aim to require breach reporting, loosen rules around prosecution and double fines for “snooping” by healthcare workers.

In a recent ruling, BC’s Court of Appeal has limited police access to text messages.


WW – Apple: User Experience Shouldn’t Be At Privacy’s Expense

Apple CEO Tim Cook published an open letter decrying corporations that offer their services for free while, in turn, utilizing user information for advertising profit, a move some believe to be a shot at its competitors. “A few years ago, users of Internet services began to realize that when an online service is free, you’re not the customer. You’re the product,” wrote Cook. “But at Apple, we believe a great customer experience shouldn’t come at the expense of your privacy.” The letter was released with information on Apple’s privacy policy “to explain how we handle your personal information, what we do and don’t collect and why,” Cook added. [Fortune]

US – Survey Shows Consumer Security Concerns

A Parks Associates study, Privacy and Big Data: Safeguarding Consumers, indicates that Internet-of-Things security concerns are rampant among Americans, with 40% specifically concerned about the vulnerability of their smartphones. “Big data offers tremendous opportunities to enhance every aspect of business operations, but it carries a whole new level of liability and responsibility,” Parks Associates’ Brad Russell said in a media release. “Service providers, manufacturers and app developers can all build personalized value-added services based on the data generated by these devices, but first consumers need to have the confidence to use these devices. Security is the price of big data benefits.” [EINews]

WW – In-Store Tracking Continues to Grow

Retailers’ use of mobile phone-tracking continues to grow in popularity. Gleaning data in this fashion has been “cheap and easy to install, gave us continuous live data streams and had the least security and data protection issues,” said Bernard Marr, who used such tracking “to help a client understand some basics about shopper behavior in retail stores,” the report states. Indeed, “in the U.S., there is very little comprehensive regulation of privacy and data collection by nongovernmental entities,” one attorney notes, while another, Paul Lanois, points out, “If enough data can be tied to an identifier over the course of time, then it would be possible of course to identify the user of the device.” [Forbes]

US – Ads That Smile Back and Big Data in the Air

Coffee company Bahio utilized a Microsoft Kinect camera in its ads to collect 42,000 facial responses. Eventually, after scanning multiple faces, “the images and taglines changed to reflect viewers’ reactions,” the report states. While critics argue that “ads like these further erode individual privacy and consumers’ ability to choose who gets their data,” David Cox of M&C Saatchi, one of the companies that developed the ad technology, disagrees. “Each interaction is given a number; that’s it,” he said. “We’re trying not to be creepy.” Meanwhile, SmartDataCollective reports that for airlines, “trillions of calculations are being number-crunched to transform this goldmine of data opportunity into real, tangible high revenue opportunities for the airlines and their frequent flyer programs.” [Quartz]

WW – “Siri, Are You Keeping My Secrets?”

Apple’s iOS release and the digital assistant therein is giving privacy advocates pause. Users no longer need to press a button to ask “Siri” a question; instead, the phone constantly listens to conversations, waiting for an opportunity to assist with things like directions—or even to tell a joke. “When you enter the realm of always-on devices, there are real privacy implications that need to be addressed,” said Marc Rotenberg of the Electronic Privacy Information Center. Even if the user consents, he added, those nearby may not agree “to the routine recording of everything they might say.” [The Washington Post]


WW – Google Unveils Opt-Out, Auto-Spam Features

Google has unveiled two new features for Gmail. The “block sender” function allows users to block people from sending emails by automatically sending blocked emails to the spam folder. The unsubscribe feature allows users to stop receiving promotional emails without dealing with the typical “why are you leaving?” process involved in unsubscribing, essentially overriding the opt-out mechanism provided by the company sending the email. While typically that company would be responsible for the consent function, this feature changes that. The unsubscribe feature is available on Gmail’s updated Android app, the report states, but iOS users don’t have access yet. [Wired]


US – Working Group Considers Ways to Access Encrypted Data

An Obama administration working group has come up with four possible approaches that tech companies could implement that would allow law enforcement to access encrypted data. Each of the methods could be implemented, but each also has shortcomings. [Washington Post] [Washington Post] [SCMagazine]

US – White House Had Explored Smartphone Encryption Workarounds

A report details behind-the-scenes attempts by an Obama administration working group to get tech companies to provide law enforcement with access to encrypted communications technology. Although the group said the four approaches it identified were “technically feasible,” each had drawbacks, too. According to senior officials, the potential solutions were not intended as “administration proposals” for fear of blowback, the report states. The National Security Council’s Mark Stroh said the administration “continues to welcome public discussion of this issue as we consider policy options.” While the group did not offer technical solutions, it did include guiding principles—two of which included no bulk surveillance and no “golden keys” for government access. [The Washington Post] See also: [The White House has indicated it will not seek legislation to mandate backdoors to encrypted communication services]

US – NSA Director Agrees that Encryption Key Copies Increase Likelihood of Breaches

During a Senate Intelligence Committee hearing on Thursday, September 24, NSA director Admiral Michael Rogers acknowledged that if the government holds encryption keys, there is a significantly higher risk of data breaches. Rogers was responding to a question from Senator Ron Wyden (D-Oregon). [VentureBeat]

WW – Let’s Encrypt Issues its First SSL/TLS Certificate

Let’s Encrypt, the free open source certificate authority (CA), signed its first certificate earlier this week. The project is currently in beta status. [ZDNet] [The Register] [ComputerWorld]

WW – Encryption Now a Part of Internet.org

Internet.org, Facebook’s free web services platform for developing countries, now boasts encryption—a 180-degree turn from May announcements that the program would operate without it. “Internet.org is pledging not to store any data on how people actually use the services,” the report states. “In its new data retention policy, the service promises to only store domain name information and the amount of data used, along with device information that would be visible even if the traffic were encrypted.” While “more detailed information will still be visible to Internet.org,” the report adds, “the platform says it won’t collect that data.” [The Verge]

EU Developments

EU – Safe Harbor Invalid, Says Top EU Court’s Advocate General

There has been a major development in the closely watched Schrems v Data Protection Commissioner case now in front of the European Court of Justice (ECJ): The ECJ’s Advocate General, charged with providing reasoned and impartial opinions to the court for its consideration, has delivered an opinion saying not only that the Irish Data Protection Commissioner has the right to investigate Facebook’s data transfers regardless of the Safe Harbor agreement, but also that the Safe Harbor agreement itself is “invalid,” due to the law-enforcement access to EU citizen data revealed by Edward Snowden. Denis Kelleher writes for Privacy Tracker about why this makes the Schrems case very interesting, indeed. [IAPP.org] See also: [BCRs Looking Good After Safe Harbor Opinion? Here’s Some Help]

EU – Schrems Reacts to Advocate General’s Opinion

It’s been a long road for Austrian student Max Schrems’ group Europe v. Facebook, but today, Schrems is celebrating. European Court of Justice (ECJ) Advocate General Yves Bot has issued his opinion in a case originally filed by Schrems alleging the U.S. National Security Agency collected Europeans’ data via Facebook in violation of EU law, and it looks like Schrems’ work may not have been in vain. Bot agrees with Schrems, it seems, and his opinion could mean big trouble for data transfers from the EU to the U.S. under Safe Harbor—especially without changes to the role mass surveillance systems play in data access. [IAPP.org] See also: [EU What’s Next for Safe Harbor?]

EU – 50 EU Parliamentarians Send U.S. Letter on “Digital Protectionism”

Fifty members of the European Parliament have released an open letter directed at the U.S. refuting claims, including by President Barack Obama, that the EU is engaging in “digital protectionism.” The letter states, “While we admire the dynamism and success of Silicon Valley, we trust in Europe’s ability to foster talent, creativity and entrepreneurship. The acronym ‘GAFA’ is not one we ever use, and we do not see legislation as a way to manage the growth of companies.” GAFA stands for Google, Apple, Facebook and Amazon, and has been used as a term to describe American imperialism, according to a Quartz report from 2014. Meanwhile, MEP Viviane Reding opines on the EU-U.S. Umbrella Agreement. [ZDNet]

EU – Privacy Commission: Don’t Be Intimidated by Facebook

An attorney for the Belgian Privacy Commission told a judge not to be intimidated by Facebook in a case in which the commission is trying to require the company to change its privacy policy for Belgian citizens. “Don’t be intimidated by Facebook,” said a commission official. “They will argue our demands cannot be implemented in Belgium alone,” he said, adding, “Our demands can be perfectly implemented just in this country.” An attorney for Facebook queried, “How could Facebook be subject to Belgian law if the management of data gathering is being done by Facebook Ireland and its 900 employees in that country?” [Bloomberg Business]

EU – CNIL Rejects Google’s RTBF Appeal

The French data protection authority, the CNIL, has rejected an appeal by Google on the so-called right to be forgotten. The CNIL has ordered Google to apply the decision to honor European takedown requests across all its websites, not just EU-based ones. The CNIL wrote, “Contrary to what Google has stated, this decision does not show any willingness on the part of the CNIL to apply French law extraterritorially … It simply requests full observance of European legislation by non-European players offering their services in Europe.” Google, which could now face fines up to $340,000, said it disagrees with the CNIL, adding, “We’ve worked hard to implement the right-to-be-forgotten ruling thoughtfully and comprehensively in Europe, and we’ll continue to do so.” [The New York Times]

EU – Media Orgs Object to CNIL’s May RTBF Order

The Reporters Committee for Freedom of the Press, alongside 29 other U.S. media organizations, sent a letter to French privacy regulators (CNIL) objecting to its May order that Google expand its Right To Be Forgotten delisting to all global iterations of the site. This, said the letter, is an “unacceptable interference with what people in other nations can post and read on the Internet.” The letter, according to the report, comes as CNIL considers whether to appoint a special rapporteur to respond to Google’s refusal to abide by its order. “We want to see the Internet as free and open as possible,” said Reporters Committee Executive Director Bruce Brown. “The order interferes with that.” [Columbia Journalism Review]

Research from Queen Mary University of London’s School of Law and lawyers at Pinsent Masons indicates the General Data Protection Regulation (GDPR) “will require big improvements to organisations’ computer security.”

The GDPR’s implications for protecting employee data is analyzed.

Amendments to Germany’s telecommunications law to meet the need for expanded WiFi access has privacy advocates and others concerned.

Facts & Stats

WW – Security Spending to Top $75 Billion

A new report from Gartner forecasts that security spending across the globe will reach approximately $75.4 billion in 2015, in large part driven by government initiatives, legislation and massive data breaches. “Interest in security technologies is increasingly driven by elements of digital business, particularly the cloud, mobile computing and now also the Internet of Things, as well as by the sophisticated and high-impact nature of advanced targeted attacks,” said Gartner Research Analyst Elizabeth Kim. She also said organizations are investing in endpoint detection, remediation and cloud security tools and threat intelligence. [ZDNet]

US – Getting Data Protection Wrong a Costly Mistake

The cost of post-breach clean-up is growing in severity, and it can act as a powerful motivator for companies to get data protection right. “U.S. businesses didn’t need another reason to get very serious, very quickly, about cybersecurity, but now they have one,” said STEALTHbits’ Jeff Hill. “Add the cost of litigation in an increasingly hostile legal environment to the list of unsettling data breach consequences that already includes reputation loss, customer exodus, embarrassment and federal government fines.” The report comes on the heels of a Kaspersky Lab survey that found small businesses need a budget of at least $38,000 to be able to handle breaches. [InfoWorld]


TH – Thai Single Gateway Plan Criticized

Thailand’s government is facing public outcry over its plan to establish a single Internet gateway for the country. Opponents of the plan say it will slow down Internet service and could cause enormous problems if it were to fail. They also noted that it would likely discourage foreign companies from doing business in Thailand. [ZDNet]


US – New Data Breach Guidance from PCI SSC

The Payment Card Industry Security Standards Council (PCI SSC) has published guidance for organizations to handle data breaches effectively and with minimal financial consequence. “Prevention, detection and response are always going to be the three legs of data protection,” said Stephen W. Orfei, PCI SSC general manager. “Better detection will certainly improve response time and the ability to mitigate attacks, but managing the impact and damage of compromise comes down to preparation, having a plan in place and the right investments in technology, training and partnerships to support it.” The guidance may prove timely for organizations looking to avoid expensive breach claims, which a NetDiligence study found averaged $4.8 million in 2015 for large companies. [Out-Law.com]

WW – Survey: Cybersecurity Experts Happy to Make Mobile Payments Despite Risks

According to a recent survey of 900 cybersecurity experts, 87% expect an increase in mobile payment data breaches over the next 12 months, but 42% have used the payment method in 2015. The 2015 Mobile Payment Security Study by ISACA indicates cybersecurity professionals, while aware of the risks, are willing to balance the benefits of mobile payments, the report states. “ISACA members, who are some of the most cyber-aware professionals in the world, are using mobile payments while simultaneously identifying and contemplating their potential security risks,” said ISACA’s John Pironti in a media release, adding risks shouldn’t slow down mobile payment adoption as long as they are properly managed. [Full Story]

US – SEC Fines Investment Firm $75,000

Missouri-based investment firm R.T. Jones Capital Equities Management has agreed to settle with the SEC and pay $75,000 over charges that it did not have a cybersecurity policy in place prior to a data breach that compromised the personal information of 100,000 individuals. During a four-year period, the firm stored the sensitive data on a third-party server, which was eventually breached in 2013. The SEC alleged the company never had any cybersecurity policies or procedures in place and did not conduct risk assessments or implement any security protections like firewalls or encryption. McDermott Will & Emery’s Eugene Goldman said, “This is the start of a series of similar actions that will be brought this year and next.” [InvestmentNews]

US – EMV Implementation is Chip-and-Signature, Not Chip-and-PIN

As of October 1, 2015, US retailers were supposed to have adopted technology that allows them to accept chip-and-PIN payment cards. The technology, also known as EMV (for EuroPay, MasterCard, Visa), aims to provide stronger security for payment card transactions. However, what has been implemented in the US is chip-and-signature instead of chip-and-PIN. Not requiring cardholders to enter a PIN to verify purchases diminishes the security of those transactions. [Wired: http://www.wired.com/2015/09/big-security-fix-credit-cards-wont-stop-fraud/] [SC Magazine] [CNET]


US – UC Berkeley First to Release Transparency Report

The University of California-Berkeley is now the first U.S. university to have published a set of transparency reports on government data requests. The reports outline requests on student, faculty and staff data. Berkeley has stressed the importance of digital privacy on campus for some time. It has 37,000 students and up to 100,000 devices potentially connected to its network at any time. The school sometimes handles law enforcement data requests, and its new report explains how, with processes that include a request form to be reviewed by the school’s privacy office before being approved or denied. [Slate]


US – Genetic Database Privacy Questions Remain

A National Institutes of Health (NIH) Advisory Group’s recommendations on the Precision Medicine Initiative (PMI) genetic data database indicate a “thoughtfulness and thoroughness” regarding the project’s privacy sensitivity, but “significant questions” remain, the American Civil Liberties Union’s Jay Stanley writes. “It does not look as though this will be an airtight, privacy-protective system where subjects’ data will be technologically guaranteed private,” Stanley writes, noting “the cybersecurity questions are considerable. A fair amount of trust will have to be placed by participants in those who run this program.” He also recommends PMI “be studied and analyzed closely by privacy advocates.” [Free Future]

Health / Medical

US – Hackers Are Focused on Health; Employee Error Concerns Persist

A Raytheon/Websense Security Labs study has found that health services combat 340% more cyber-attacks than other types of organizations. “It’s clear that with the amount of personally identifiable and proprietary information available and inherent as part of the healthcare industry, it will remain an attractive target to attackers and a potential weak point for untrained employees,” said the survey’s authors. However, a new survey by Scrypt has found that the primary “concern in terms of HIPAA breach potential within healthcare organizations is around staff or human error.” Executive Insight offers tips on getting healthcare security right, with one PR professional noting, “If patient data is breached, the hospital’s reputation is immediately jeopardized.” Meanwhile, a CNN report indicates that some organizations’ wellness programs may not protect employees’ privacy. [FierceHealthIT]

US – Fitbit Now HIPAA-Compliant

Fitbit devices are now HIPAA-compliant. “We have gone through a third-party audit and we are now HIPAA-compliant as an organization,” said Fitbit Wellness Vice President and General Manager Amy McDonough, adding that enables the company to “be able to sign business associate agreements and work with covered entities … We’ll be able to more deeply integrate and partner with some of these organizations to be able to have more effective and more engaging wellness programs.” McDonough noted that while personal health information isn’t “the information we share or create today … it will become important as we continue to grow.” [MobiHealthNews]

Horror Stories

US – T-Mobile Customer Data Compromised in Experian Breach

A breach of an Experian database affects 15 million US T-Mobile customers. Experian processes credit checks for T-Mobile customers. The compromised data include names and Social Security numbers (SSNs) but not financial account information. The breach affects data collected between September 1, 2013 and September 16, 2015. [The Hill] [The Register] [Wired]

UK – Millions of Nuisance Calls Result in Record Fine

The Information Commissioner’s Office has fined Home Energy & Lifestyle Management (Helms) 200,000 GBP, a record amount, for making six million nuisance calls. “This is a clear breach of the rules. The data controller—the company—has to take responsibility for this,” said Information Commissioner Christopher Graham, who indicated “companies should make their directors personally liable for breaches,” the report states. However, Helms maintains that the third party in its employ that made the calls was at fault. Helms “always accepted they were responsible,” an attorney for Helms said, adding, “But there is a distinction between a deliberate act and a negligent act.” Helms plans to appeal the decision. [The Telegraph]

WW – Hotels, Healthcare Orgs Report Breaches

The Trump Hotel Collection has announced point-of-sale systems at seven of its hotels in the U.S. and Canada “were infected with malware, potentially affecting an unspecified number of customers.” Information including account numbers, security codes and cardholder names “of individuals who used a payment card at the hotel between May 19, 2014, and June 2, 2015, may have been affected,” Trump Hotels has said. Meanwhile, Palo Alto VA Health Care System reportedly “unlawfully gave patient data to a private IT company despite employees not having cleared background checks,” and “16,000 people are being notified of a major risk to their private health information following an email attack” on Oakland Family Services, a Michigan-based nonprofit. [BankInfoSecurity]

US – Kardashian’s Site Security Flaw Left 600,000 Vulnerable

A curious developer discovered an unprotected API on one of the Kardashian sisters’ new websites, which not only left upwards of 600,000 users’ personal information vulnerable, but also gave the interloper the ability to manipulate data. The 19-year-old developer, Alaxic Smith, promptly reported the issue to the site’s creator, Whalerock, which patched the hole. “Our logs indicate that (Smith) was able to access only a limited set of names and email addresses,” Whalerock said in a statement. “No one else had access and that no passwords nor payment data of any kind was exposed. Our highest priority is the security of our customers’ data.” However, “the company is still in the process of validating what data was breached, and what, if any, data was actually saved or archived by Smith himself,” the report continues. [TechCrunch]

Internet / WWW

WW – UN Report Proposes Stricter Internet Regulation

A newly released report from the United Nations’ Broadband Commission for Digital Development is titled “Cyber Violence Against Women and Girls: A World-Wide Wake-Up Call.” The report declares online violence against women and girls, or “cyber VAWG,” a “problem of pandemic proportion.” The Washington Post’s Dewey agrees with this assessment but disagrees with the report’s recommendations that countries around the world enact regulations that would hold Internet companies like social media sites and chat rooms responsible for the content created on them and only “license” those sites that agree to heavily moderate the content they host. [The Washington Post]

US – US and China Announce Cyber Espionage Agreement

At a press conference last week, US President Obama and Chinese President Xi Jinping announced that they had reached a “common understanding” regarding cyber espionage. The leaders agreed that both countries will not “conduct or knowingly support cyber-enabled theft of intellectual property.” There is skepticism that the agreement will result in change. [SC Magazine] [Wired] [DarkReading]

WW – Cybersecurity Pact With China Lauded

The agreement between Chinese and American heads of state to view online issues with increased gravity was a wise move. “They made some significant progress in doing this,” said James Lewis of the Center for Strategic and International Studies. The two administrations also pledged to create a group to track their cooperation in responding to cybercrime as well as a hotline “to resolve disputes over sharing information related to those crimes,” the report states. [The Daily Dot] See also: [China Focus Could Spawn Future Issues]

US – CISA Stance Clarified

After Salesforce received criticism for signing a letter that some interpreted as support for the controversial CISA cybersecurity information-sharing bill, Salesforce’s CEO clarified the company’s stance via Twitter.


WW – Roomba 980 Can Now Map Your House

The company behind Roomba, iRobot, has a new offering: the Roomba 980, which comes equipped with a camera and software that allows the device to gradually map its location. “Being able to localize in the environment is a foundational capability,” said iRobot’s Chris Jones. “You can imagine the day when a robot in the home can perceive and understand salient objects in the environment—that’s a couch, that’s my oven—that type of thing.” The company is wise to privacy questions around the new offering. “A representative explains that the maps are not transmitted from Roomba, and they are deleted after the robot finishes cleaning a room,” the report states. [MIT Technology Review]

WW – Getting the “Drops” on Reshipping

With so many retailers now refusing to ship to Russia or Eastern Europe because of endemic organized cybercrime, how do these cyber-thieves use the credit card numbers they’ve stolen? The answer is “reshipping,” a practice documented in the report “Drops for Stuff,” newly released and written by eight security researchers. How does it work? “Operators” recruit “drops” to receive goods and then reship them to “stuffers,” who then sell them on the black market. This allows cybercriminals to turn a $10 purchase of a stolen card into $700 in black market cash. [KrebsonSecurity]

The Electronic Privacy Information Center has filed a Freedom of Information Act lawsuit against the U.S. Coast Guard and the Department of Homeland Security over a program that tracks and records boaters’ locations.

Online Privacy

WW – App Pays $11 Per Month To Track Users

Data collection start-up Symphony Advanced Media has released a video-tracking app that will pay users $11 per month to let it track all of their video viewing habits. VideoPulse uses a passive-listening program that hears what a user is watching in order to track it. The goal is to accurately gauge video analytics—an oft-debated issue in media circles, the report states. “There has been a significant void in understanding how consumers are using nontraditional media platforms, but innovation has finally arrived in the media measurement space,” said Symphony Advanced Media CEO Charles Buchwalter. The app currently has approximately 15,000 users and is being tested by several companies, including NBC, Viacom, Warner Bros. and A&E Networks. [Mashable]

US – EFF Announces Adzerk Will Honor DNT

Advertising company Adzerk, whose clients include Reddit, Stackexchange and Bittorrent, pledged to both respect user do-not-track requests and not have their ads “blocked by the major ad-blocking software.” “Blocking interfaces in browsers and operating systems are not only necessary for user freedom, security and privacy, but they are actually beginning to produce genuine improvements in the practices of the advertising industry,” said the Electronic Frontier Foundation’s Peter Eckersley and Alan Toner in a statement. “Apple should be congratulated for helping to make this happen, and those who are fearful about the future of the advertising-funded web should join us, Adzerk and other companies in helping to ensure that there are fewer reasons for users to need to block ads in the first place.” [BoingBoing]

WW – “Like” Button Data To Determine Ads

Facebook has announced it will use data gleaned from its “Like” buttons to tailor specific ads to users. “After the change, the types of sites you visit could be used to tune ads shown to you inside Facebook’s social networking service, its photo-sharing service Instagram and mobile apps that use Facebook’s ad network,” the report states. Facebook has also announced an opt-out for the ads, but the Electronic Frontier Foundation’s Rainey Reitman said, “Promising not to use information is not the same as promising to actually delete the data. The ‘Like’ data is especially problematic. Most people probably don’t even realize that whenever they load a page with a ‘Like’ button on it, Facebook gets a little information on them.” [Technology Review]

WW – Apple Updates Privacy Policy

Everyone, regardless of what devices they use, “should take a look at the latest edition of Apple’s privacy policy.” The policy, which includes details about data collection, “is a shining example of how easy to understand, transparent and clear such a document should be. It sets a bar other tech firms should follow,” the report states. [Computerworld] SEE ALSO: [Do Simpler Privacy Policies Invite More Outrage? ] and [Should Privacy Policies List Marketing Partners?]

WW – Microsoft Responds to Windows 10 Concerns

Microsoft has responded to privacy concerns about Windows 10. In a blog post, Microsoft’s Terry Myerson details the ways Windows 10 gathers and uses data, the report states. Myerson notes “Windows 10 collects information so the product will work better for you,” adding that users “are in control with the ability to determine what information is collected.” [The Verge] See also: [Microsoft’s Smith: Privacy and Security Balance Necessary] See also: [Microsoft Executive Vice President and General Counsel Brad Smith talks about the ongoing litigation with the U.S. Department of Justice over emails stored in Ireland and the importance of security equilibrium]

WW – IBM Releases Cloud Security Enforcer

IBM has released new cloud security technology that aims to help protect organizations from risks associated with the rise of “bring-your-own cloud apps.” Research conducted by IBM indicates “one-third of employees at Fortune 1000 companies are sharing and uploading corporate data on third-party cloud apps,” the report states. At the same time, they’re using weak passwords or signing in using personal email addresses. Given such risks, IBM’s Cloud Security Enforcer allows companies to see all the third-party cloud apps employees are using, “provides a secure way to access them and enables companies to control which corporate data can and cannot be shared with the apps.” [eWeek]

Other Jurisdictions

IN – Tech Leaders Urged to Ask Modi to Rethink Privacy

As Indian Prime Minister Narendra Modi travels to meet with the leaders of American tech powerhouses such as Apple CEO Tim Cook, many are calling for them to steer Modi’s “Digital India” ideas toward greater respect for citizens’ privacy rights. Modi aims to use the trip “to showcase what a big market India is,” said Arvind Gupta of Modi’s Bharatiya Janata Party. However, Modi’s “Digital India project does not rest on a legal framework that respects privacy and sensitive information,” said Stanford’s Thomas Blom Hansen. “While India presents significant business opportunities, CEOs should tell Modi that they will oppose any steps that erode free expression or privacy rights,” said Human Rights Watch’s Brad Adams. [The Washington Post] After much criticism, India’s government has withdrawn its draft encryption legislation.

RU – Russian Court Fines Google Over Alleged Privacy Violation

A Moscow city court has fined Google 50,000 rubles (roughly 700 euros) for allegedly violating the privacy of a Russian citizen through its targeted advertising. The citizen sued the company for illegally reading his emails, but Google says its advertising is driven by an automated system. “Humans are not reading your emails,” Google told AFP, adding, “Our automated system scans emails in order to prevent spam reaching your inbox and to detect bad things like malware.” The decision could open the door to similar actions against the company. [AFP]

Qatar has reinforced its cybercrime law with the government’s approval of “an amendment that criminalizes photographing those who are injured or killed in accidents and posting them on social media.”

Australian MPs Terri Butler and Tim Watts have released a draft bill that would make revenge porn a federal crime.

The governments of Australia and South Korea have “signed a blueprint of defence and security cooperation between the two nations.”

Privacy (US)

US – Brill Calls for Advertisers to Be Upfront With Consumers

At the Better Business Bureau’s National Advertising Division Annual Conference, Federal Trade Commissioner Julie Brill used her keynote address to discuss the need for organizations to respect user privacy as they employ new advertising techniques such as tracking and data-sharing. “Advertising has become one of the most technologically advanced and data-driven industries in our economy,” Brill said. “However, it is not enough that companies communicate with and provide choices to consumers regarding retail mobile location tracking. They must also be truthful about these choices.” She also pushed for greater opt-out abilities for data-sharing online. “After all these years, consumers still don’t understand what’s happening with their personal information,” she said, “and they continue to struggle to control targeted advertising and data collection.” [FTC.gov]

US – “Unfair Methods of Competition” Statement Prompts Concerns

In a blog post, the Phoenix Center’s Lawrence J. Spiwak echoes Federal Trade Commissioner Maureen Ohlhausen’s sentiments on the FTC’s recently released Statement of Enforcement Principles Regarding ‘Unfair Methods of Competition’ Under Section 5 of the FTC Act, contending, “The FTC’s conduct in this case was certainly not an example of good government.” The next steps? “While the FTC deserves kudos for at least attempting to move the ball forward … my recommendation is that before we go too far down the road … prudence would dictate that we go back to the drawing board,” Spiwak writes, adding, “the American public deserve a well-reasoned and cohesive approach to Section 5’s unfair methods of competition standard.” [The Hill]

US – Comcast Settles With California for $33 million for Privacy Violations

Comcast has agreed to a $33 million settlement with the California Department of Justice and the California Public Utilities Commission for posting personal details online of customers who had paid for unlisted voice-over-Internet-protocol phone service. Comcast will pay $25 million to the two departments, $8 million in restitution to the 75,000 affected customers and has agreed to a permanent injunction mandating it strengthen rules on vendors that process personal information and provide additional monetary relief to customers “who have identified personal safety concerns” stemming from the disclosure of their data. “This settlement provides meaningful relief to victims (and) brings greater transparency to Comcast’s privacy practices,” said California Attorney General Kamala Harris. [Reuters]

US – Candidate Websites Fail Privacy Test

An Online Trust Alliance (OTA) survey of the 23 presidential candidates’ websites found that only six candidates protect basic user privacy. While cybersecurity ratings were high across the board, the omissions were dubbed “alarming” by the group, which found that some candidates’ sites didn’t have privacy policies posted. “One of them will be our next president,” said the OTA’s Craig Spiezle. Not all findings were doom and gloom, however. “Six candidates were lauded because they pledged in their privacy policies not to share personal information without users’ permission or a court order: Republicans Jeb Bush, Chris Christie, Rick Santorum and Scott Walker, and Democrats Lincoln Chafee and Martin O’Malley,” the report states. [The Wall Street Journal]

US – IAPP-EY Annual Privacy Governance Report 2015

Privacy, still a nascent profession a decade ago, now employs thousands of professionals across the gamut of organizational structures and around the world. Yet there is still relatively little data about how the work of privacy is done. To that end, IAPP and EY surveyed a broad spectrum of organizations to document privacy governance—literally, how privacy is done. Today, we share the findings—the most comprehensive look at the structure and “how” of privacy governance we’ve ever released. At more than 150 pages, it is a document full of deep data and interesting trends, including looks at differing approaches taken by industry, by size of company, by maturity of program and by region of the world. Dive in. [IAPP.org]

US – Schneier: Tech Needs Increased Regulation

As new technologies employ facial recognition and surveillance flourishes, more regulatory strides must be made, Bruce Schneier writes. “Despite protests from industry, we need to regulate this budding industry,” he notes. “We need limitations on how our images can be collected without our knowledge or consent, and on how they can be used.” Meanwhile, payment-processing company Worldpay has announced a prototype for a chip-and-pin terminal that “takes a photo of a shop customer’s face the first time they use it and then references the image to verify their identity on subsequent transactions,” a move that has inspired privacy concerns. [Forbes]

US – OIG: OCR Has Room for Improvement

After conducting two separate reviews, the Office of the Inspector General (OIG) has found the Office for Civil Rights (OCR) has “room for improvement” in both HIPAA compliance oversight and post-breach procedures. “OCR had not announced when it will begin its permanent audit program,” the OIG said in its first study. “Without fully implementing such a program, OCR cannot proactively identify covered entities that are noncompliant with the privacy standards.” The second study found that in over one third of the cases reviewed, OCR staff failed to check whether covered entities “had reported prior large breaches” and called for the agency to “develop an efficient method in its case-tracking system.” Meanwhile, the OCR has announced that Phase 2 of HIPAA audits will begin in early 2016. [HealthIT Security]

US – IAPP Privacy Innovation Award Winners Announced

The winners of the 2015 IAPP Privacy Vanguard Award and the 13th Annual HP-IAPP Privacy Innovation Awards were honored for their work in the privacy field. Hogan Lovells Partner and Director of the Privacy and Information Management Practice and Co-Chair of the Future of Privacy Forum Christopher Wolf was recognized with this year’s IAPP Privacy Vanguard Award and hailed as a trailblazer in the privacy profession and a “Dean of the Industry.” Three organizations were honored with the HP-IAPP Privacy Innovation Awards in the large, small and innovative privacy technology categories: Intuit, TeleSign and AirWatch by VMware. The Privacy Advisor has all the details. [Full Story]

US – LinkedIn Settlement Approved

U.S. District Court Judge Edward Davila has given LinkedIn’s proposed $1.25 million settlement of a 2012 class-action suit final approval. The “plaintiffs’ claim does not assert that class members were necessarily harmed by the data breach, but that they overpaid for their premium LinkedIn subscription because they did not receive promised data security,” Davila noted in his opinion. “The deal requires LinkedIn to pay approximately $15 each to almost 50,000 users who purchased premium memberships to the service,” the report states, adding the company “must use security techniques including ‘salting’ and ‘hashing’ for at least five years.” [Media Post]
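The settlement’s requirement to use “salting” and “hashing” is worth spelling out, because the 2012 LinkedIn leak is widely reported to have consisted of unsalted SHA-1 digests. The following Python is an added example, not code from the page or from LinkedIn: it contrasts that weak scheme with per-user random salts and an iterated key-derivation function, and shows why the unsalted version lets one pass over a wordlist crack every user who chose the same password. The iteration count, the record format and the sample usernames and passwords are all assumptions constructed for the example.

```python
"""Added example (not from the page or LinkedIn): unsalted SHA-1 versus
salted PBKDF2-HMAC-SHA256 for stored passwords."""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Assumption: iteration count chosen to be in the range of current guidance;
# tune to your hardware so a single verification costs tens of milliseconds.
PBKDF2_ITERATIONS = 600_000


def weak_hash(password: str) -> str:
    """Unsalted SHA-1, the scheme to avoid. Equal passwords give equal
    digests for every user, so one precomputed table attacks the whole dump."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_password_record(password: str, salt: bytes | None = None) -> str:
    """Per-user random salt plus a deliberately slow KDF, stored as one string:
    algorithm$iterations$salt_hex$digest_hex (hypothetical format)."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so timing does not leak how many bytes matched."""
    algo, iterations, salt_hex, digest_hex = record.split("$", 3)
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def dictionary_attack(leaked: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Attacker's view of an unsalted dump: hash the wordlist once, then look
    up every user's digest. Salting forces this work per user instead."""
    table = {weak_hash(word): word for word in wordlist}
    return {user: table[digest] for user, digest in leaked.items() if digest in table}


if __name__ == "__main__":
    # Constructed sample data, not real users or real credentials.
    leaked = {
        "alice": weak_hash("password"),
        "bob": weak_hash("password"),
        "carol": weak_hash("Zq9!Lm#v"),
    }
    print("cracked from unsalted dump:", dictionary_attack(leaked, ["123456", "password"]))
    record = make_password_record("correct horse battery")
    print("salted record:", record)
    print("verify ok:", verify_password("correct horse battery", record))
```

Note that two users with the same password get different records because each gets a fresh salt, and the iteration count makes each guess expensive; neither property holds for the unsalted digest, which is why a leaked table of unsalted hashes is effectively a leaked table of passwords.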

US – Proposed Seattle Budget Includes Funding for CPO

In his 2016 budget proposal, Seattle Mayor Ed Murray has included a request for funding for a chief privacy officer position. The new CPO would “address potential privacy concerns and safeguard personal data,” the report states. Seattle hired a chief technology officer in 2014 to oversee a privacy overhaul. The city also appointed a Privacy Advisory Committee and, based on guidance from that committee, created a citywide privacy policy. Murray is also seeking funding for police body cameras, the report states. “We will work carefully to get this right and adequately address privacy concerns” Murray said of the plan for body-worn cameras. [Geekwire]

US – Senators Want Update From Car Manufacturers

Sens. Edward Markey (D-MA) and Richard Blumenthal (D-CT) have sent letters to 18 automakers asking for an update on their efforts to protect consumers from the privacy risks presented by smart cars. The two launched an investigation into the matter in 2013, asking manufacturers to answer questions on consumer privacy and security, and Markey published a subsequent report outlining hacking and data collection risks. Now, the senators want an update on “company-specific information” that includes 2015 and 2016 vehicles, with any changes that may have been made to vehicles, policies or practices since Markey’s initial inquiry. The senators request the companies respond no later than October 16. [Multichannel News]

US – Parents Unfamiliar with Current Laws: Survey

A Future of Privacy Forum (FPF) survey found that while a majority of parents are concerned about the theft of their children’s academic data, more than half say they have no knowledge of existing privacy legislation. The FPF reports that 87% of parents “worry about student data being hacked or stolen” but “54% say they know nothing about existing federal laws regulating the use of student data,” which may account for the 57% who favor new privacy legislation. “This survey makes it clear that we must do a better job of explaining to parents how their children benefit from improving the effectiveness of education products based on things learned in the classroom,” said FPF Executive Director Jules Polonetsky. “And parents want a commitment that their student data will never be exploited. I think that’s a commitment they deserve.” [Full Story]

US – Court Dismisses AOL Suit

The U.S. District Court for the Northern District of California has dismissed a class action that alleged AOL violated the Telephone Consumer Protection Act (TCPA) “when users of its Instant Messenger service sent text messages to incorrect recipients.” The decision is one of the first to evaluate claims under the FCC’s omnibus TCPA order “offering guidance on numerous issues, including the types of equipment subject to TCPA restrictions and the statute’s application to social app petitioners for text messages sent using their services,” the report states. The court found “the omnibus TCPA order reinforced prior FCC decisions that supported AOL’s arguments for dismissal,” the report states. [Inside Counsel]

The recent IRS breach affecting more than 300,000 individuals has inspired the Senate Finance Committee to develop bipartisan taxpayer identity-fraud legislation, which will be debated.

A federal judge has granted class-action status to lawsuits by financial institutions that were victims of Target’s 2013 breach.

Privacy Enhancing Technologies (PETs)

WW – Sikur GranitePhone Ready for Preorder

Amidst news this week about privacy-focused smartphones heading to market, Sikur GranitePhone is now available for preorder. The phone aims to connect users while guarding their privacy, which Sikur CEO Frederico d’Avila said popular smartphones do not do adequately, the report states. “They do not always care about security,” d’Avila said, adding, “That’s why we came to that place, to help the customer to have that right solution for their privacy. They’re not looking to security as we do, because we’re living for that.” The recent smartphone announcements come as some analysts question mobile data tracking’s impact on user privacy. [CNET]

WW – Two New Privacy-Focused Phones on the Market

Those who place a premium on private mobile calling and surfing have two new options this fall. First up is the second release from Silent Circle, the Blackphone 2. The Android-powered device features the Silent OS, an “Enterprise space” for companies to cordon off company data from personal data and peer-to-peer encrypted voice and video, among other features. It’s now available to order for $799. Blackberry has announced it will release an Android-powered phone it’s calling the Priv, which “combines the best of BlackBerry security and productivity with the expansive mobile application ecosystem available on the Android platform.” No word on price yet. [9to5Google]

WW – Secure Messaging App Use Booms

Telegram Founder Pavel Durov announced at TechCrunch Disrupt SF that the encrypted messaging service has gone from a billion messages exchanged per day to 12 billion in eight months. This, he argues, indicates privacy’s growing importance in the eyes of consumers—and companies. “Privacy is not something that is relevant only to business users, but businesses are most affected because they could be blackmailed,” he said. The app’s growing appeal has even attracted terrorist groups, the report states. When asked if that is reason for concern, Durov said, “That’s a very good question, but I think that privacy, ultimately, and our right for privacy is more important than our fear of bad things happening, like terrorism.” Meanwhile, G Data has announced “Secure Chat,” a free “tap-proof” messaging app for Android. [TechCrunch]

WW – Security Tool Strengthens Online Anonymity

Dissent is a cryptographically backed anonymity network that, used in conjunction with Tor, can markedly improve online anonymity. Dissent is built on a DC-net (dining-cryptographers network), first proposed by David Chaum in 1988. Though much slower than Tor, it resists the traffic-analysis attacks that Tor does not. “One of the most important things to understand about Dissent,” said project lead Bryan Ford, “is that it’s not going to be a drop-in replacement for Tor, at least not in its current form.” One possible use for Dissent, the report states, “would be to create a privacy-preserving WiFi networking layer.” [Motherboard]
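To make the DC-net idea concrete, here is one round in Python. This is an added example, not code from the page or from the Dissent project: every pair of participants shares a random pad, each participant publishes the XOR of all its pads (XORed with its message if it is transmitting), and the pads cancel when all outputs are combined, revealing the message but not who sent it. The pads are generated locally with `secrets.token_bytes` as a stand-in for the pairwise key exchange a real system would use; participant counts, slot length and messages are constructed for the example. It also shows the classic failure mode: two participants transmitting in the same slot garble each other, which is why practical designs add a scheduling step.

```python
"""Added example (not from the page or Dissent): one round of a
dining-cryptographers network (DC-net) with XOR pads."""
from __future__ import annotations

import secrets
from itertools import combinations


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def share_pads(n: int, slot_len: int) -> dict[tuple[int, int], bytes]:
    """One fresh random pad per pair (i, j), i < j. Assumption: generated
    here with a CSPRNG; a deployment derives them from a pairwise key
    exchange. Pads must never be reused across rounds."""
    return {pair: secrets.token_bytes(slot_len) for pair in combinations(range(n), 2)}


def participant_output(
    i: int, n: int, pads: dict[tuple[int, int], bytes], message: bytes | None, slot_len: int
) -> bytes:
    """What participant i publishes: the XOR of every pad it shares, plus its
    message if it is the sender. To any observer each output is uniformly
    random, so the sender's output is indistinguishable from the others."""
    out = bytes(slot_len)
    for j in range(n):
        if j != i:
            out = xor_bytes(out, pads[(min(i, j), max(i, j))])
    if message is not None:
        if len(message) > slot_len:
            raise ValueError("message longer than slot")
        out = xor_bytes(out, message.ljust(slot_len, b"\x00"))
    return out


def dcnet_round(n: int, messages: dict[int, bytes], slot_len: int) -> tuple[list[bytes], bytes]:
    """Run one round. Returns (published outputs, combined result). Every pad
    appears in exactly two outputs and cancels; only messages survive."""
    pads = share_pads(n, slot_len)
    outputs = [participant_output(i, n, pads, messages.get(i), slot_len) for i in range(n)]
    combined = bytes(slot_len)
    for out in outputs:
        combined = xor_bytes(combined, out)
    return outputs, combined


if __name__ == "__main__":
    # Constructed scenario: five participants, only participant 2 transmits.
    outputs, result = dcnet_round(5, {2: b"hello"}, 8)
    print("published outputs:", [o.hex() for o in outputs])
    print("combined result:", result)
    # Collision: two senders in one slot yield the XOR of both messages.
    _, garbled = dcnet_round(4, {1: b"aaaa", 3: b"bbbb"}, 4)
    print("collision result:", garbled)
```

The anonymity comes from the pads: an observer who sees all published outputs learns the message but cannot attribute it, and even a coalition of dishonest participants learns nothing about an honest sender as long as that sender shares at least one pad with another honest participant. The cost is the obvious one, every participant must publish a full slot every round whether or not it has anything to say, which is why the page notes Dissent is far slower than Tor.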

US – CUJO: Privacy’s Newest Attack Dog

Thanks to the new device CUJO, users can see when their data is being tampered with. Named after the canine antagonist in the Stephen King novel, the tool functions as a guard dog of sorts, keeping tabs on “how much data, the type of data, and where it’s going,” the report states. “If it detects an anomaly, it will alert you on the physical product as well as through an app notification,” with the position of the device’s LED “eyes” indicating whether something’s amiss. [Fast Co Design]


US – Hoofnagle Examines FTC’s TRENDnet Case

“The FTC’s matter against TRENDnet is especially important for the emerging Internet of Things,” UC Berkeley’s Chris Hoofnagle writes. After TRENDnet-produced SecurView cameras were hacked and live feeds were shared publicly, the FTC “sought to have TRENDnet answer the question of whether it can be trusted by consumers,” Hoofnagle writes, adding, “when one reads the TRENDnet 2014 report, more questions are raised than answered.” TRENDnet’s report indicates “several weaknesses of the FTC’s assessment approach to oversight. The TRENDnet report—and reports filed by other companies—are full of confusing jargon,” Hoofnagle writes. And with TRENDnet’s report “just one of over 100 such reports that the FTC is receiving nowadays under its supervision of data privacy and security cases,” Hoofnagle writes, the agency “cannot effectively supervise all the companies under consent decree.” [Full Story] SEE ALSO: [IoT Needs Privacy and Security? Hogwash]

US – DARPA Seeking Research Proposals for Analysis of Involuntary Analog Emissions

The Pentagon’s Defense Advanced Research Projects Agency (DARPA) is looking for technology capable of monitoring Internet connected devices like refrigerators and thermostats, often referred to as the Internet of Things (IoT). Specifically, DARPA is seeking “algorithms, tools, and devices for mapping analog emissions of digital devices.” [NextGov] [FBO]


US – Survey: Confidence in Security Investments Is Low

More than 80% of respondents to EMA Research’s 2015 State of File Collaboration Security survey “admitted that there have been data leakage incidents in their organizations,” with only 16% espousing high levels of confidence in their cloud system security. “Data dissemination and file collaboration are natural parts of most business and operational workflows, so security must be an integral part of the workflow to protect information,” said EMA’s David Monahan. “Unfortunately, protecting sensitive and regulated data within shared files remains a significant exposure within many organizations,” he said, adding, the “lack of capability to control unstructured data … will not only yield more data privacy breaches but will impact the adoption of advanced enterprise and cloud content management systems.” [Infosecurity Magazine]

EU – Ansip Announces Awareness Campaign

European Commission (EC) Vice-President for the Digital Single Market Andrus Ansip announced via blog post that the EC will begin a cybersecurity awareness campaign that aims to increase online security knowledge. The program includes “over 150 promotional events and activities to take place in 27 countries, with the goal of educating people about protection from digital criminals,” the report states. “People will hesitate to use e-services if they are not confident that they are reliable, safe and secure,” Ansip said. “They may actually choose not to use them at all,” and thus “we have to stay one step ahead.” [Billboard]

US – Audit Finds MIDAS Severely Vulnerable

The Department of Health and Human Services (HHS) has discovered that MIDAS, “the central electronic storehouse for information collected under President Barack Obama’s healthcare law,” has 135 system vulnerabilities, “of which nearly two dozen were classified as potentially severe or catastrophic.” “It sounds like a gold mine for ID thieves,” said the Electronic Frontier Foundation’s Jeremy Gillula. “I’m kind of surprised that this information was never compromised.” Medicare’s Andy Slavitt said “the privacy and security of consumers’ personally identifiable information are a top priority” and the problems were immediately addressed. “But,” the report states, “the episode raises questions about the government’s ability to protect a vast new database at a time when cyber-attacks are becoming bolder.” [ABC News]

US – Pentagon Issues Guidance on Breach Notices

Following the major hacks at the Office of Personnel Management, the Pentagon has issued guidance to the Department of Defense (DoD) “on considerations for making public announcements regarding breaches of private information.” In a letter, Michael Rhodes, senior official for privacy at the DoD, said the department “must continue its efforts to promote a culture to continuously ‘think privacy’ and act swiftly to develop and implement effective breach mitigation plans, when necessary.” Rhodes added that no two breaches are alike, so case-by-case analysis as well as “the use of best judgment is required for effective breach management.” [FEDweek]

US – President: “Basic International Framework” Needed

U.S. President Barack Obama has called for a “basic international framework” on cybersecurity. As Chinese President Xi Jinping’s Washington, DC, trip nears, Obama said the U.S. aims to illustrate that “economic cyber attacks” are “something that will put significant strains on a bilateral relationship if not resolved and that we are prepared to take some countervailing actions.” This comes on the heels of a revelation that China’s government “distributed a document to some American tech companies” asking they “pledge their commitment to contentious policies that could require them” to hand over user data, The New York Times reports. And Tech Times reports the Chinese government is allegedly constructing a Facebook-esque catalogue of U.S. officials. [Reuters]

US – Docs Illustrate the Days After the Target Breach

Newly surfaced documents detail Target’s actions immediately following its 2013 breach. Days after the breach exposed 40 million customer debit and credit card accounts, the company hired Verizon security experts to look for system vulnerabilities. The results of that investigation, which hadn’t been publicly revealed until now, confirm “what pundits have long suspected,” the report states. “Once inside, there was nothing to stop attackers from gaining direct and complete access to every single cash register in every Target store.” The report also found that while Target had a password policy, it wasn’t being followed. [KrebsonSecurity]


UK – MI5 Director: “Snoopers’ Charter” Necessary

MI5 Director-General Andrew Parker has said the UK intelligence agency’s ability to examine communications data is no different from “the work spies have been doing for a hundred years.” Parker said the so-called “snoopers’ charter” is crucial to protect citizens, as the number of threats against the UK is as high as he’s seen in his 32-year career. “We need to be able to do what we have always done through our history,” he said. “To find and stop the people who threaten the UK, we need to be able to monitor the communications of terrorists and spies and others who threaten the country.” Meanwhile, a new legal challenge to surveillance programs was filed by Human Rights Watch. [Financial Times]

WW – How TV Shows Portray Mass Surveillance

Pop culture blogger Alyssa Rosenberg discusses how television programming portrays mass surveillance and predictive policing. “The rise of increasingly sophisticated surveillance technology has been a rich inspiration for popular culture in recent years,” she writes, noting “network television now has three shows on the subject.” She notes the bevy of surveillance-related shows on national television demonstrates “the mood of our times,” adding, “No matter what qualms these series might express about the civil liberties issues involved in mass surveillance or about the ethics of arresting or harming people before they’ve actually broken the law, they’ve already ceded ground on these issues in encouraging us to believe in a heightened risk of crime.” [The Washington Post]

US – Boston Subway to Track Riders With Beacons

The Massachusetts Bay Transportation Authority (MBTA), which operates the Boston public transportation system, announced it has started a yearlong pilot project that will track riders who download a special app via a Bluetooth beacon system run by a company called Intersection. In the news release, the MBTA said the project will track riders but will not collect personally identifying information and all data will be handled on a “secure, closed network.” The hope is to find ways to improve communication with transport users, map how riders use the various stations and explore “how brands can increase engagement and interaction with commuters based on proximity.” [BostInno]

US – Whose Job Is OPM Data Security?

In response to questions from Sen. Ron Wyden (D-OR), the National Counterintelligence and Security Center (NCSC) said information security at the Office of Personnel Management is not NCSC’s job. According to the nation’s top counterintelligence agency, “Executive branch oversight of agency information security policies and practices rests with the Office of Management and Budget and the Department of Homeland Security.” Wyden was unimpressed, calling the response “unworthy of individuals who are being trusted to defend America.” The back-and-forth lends credence to those lawmakers who believe legislation is needed to clarify cybersecurity roles in the federal government, the report states. [The Hill]

Telecom / TV

US – New Hampshire Library Restores Tor Node

A library in Lebanon, New Hampshire that suspended its operation of a Tor relay due to concerns raised by a Department of Homeland Security investigator has restored the node. The library’s IT director said that there was no pressure to take down the relay, but that they volunteered to take it down until the board met and voted on Tuesday, September 15. The Kilton Library is a pilot participant in the Library Freedom Project. The publicity generated by the story has prompted a dozen more libraries across the US to ask for information on hosting Tor nodes. [ArsTechnica] [The Register]

US – California County Announces Cell-Site Simulator Use Policy

The Sacramento County Sheriff’s Department says it will obtain “judicial authorization” before using cell-site simulator technology often referred to as a Stingray. The SCSD’s policy also automatically seals the applications for judicial authorization and calls for collected data to be purged after each use of the technology. Earlier this month, the US Department of Justice (DoJ) unveiled its policy regarding the technology, which requires law enforcement officials within its agencies to obtain a warrant prior to its use. The DoJ’s policy does not affect other federal, state, or local law enforcement agencies. [Ars Technica] [SACSheriff]

US Legislation

US – House Committee Approves Judicial Redress Act

Inching a step closer toward a major law enforcement agreement with the European Union, the U.S. House Judiciary Committee approved a bill that would give European citizens a right to sue in U.S. courts if their personal data is misused. A major component of the EU-U.S. Umbrella Agreement, the Judicial Redress Act, is a necessary law for assuaging European concerns about the use of their data by U.S. companies. Committee Chairman Bob Goodlatte (R-VA) said, “The Judicial Redress Act can go a long way toward restoring our allies’ faith in U.S. data privacy protections and helping facilitate agreements.” In a separate column for The Hill, Rep. Jim Sensenbrenner (R-WI), an author of the bill, wrote that the legislation “is essential to U.S. law enforcement.” [The Hill]

US – Tech Firms Support Judicial Redress Act

U.S. technology companies “are lining up” to support the Judicial Redress Act. The House bill “would allow non-U.S. citizens to seek records U.S. agencies have collected and pursue legal action when such records are disclosed,” the report states, noting it would apply to citizens of “select allied nations, primarily in the European Union.” Support by technology companies shows “the sector’s latest effort to rebuild trust abroad in the wake of Edward Snowden’s disclosures, which revealed many companies were turning over customers’ communications to the U.S. government,” the report states. A group of tech firms wrote that the loss of trust “translated into significant negative commercial consequences for U.S. firms, with global consumers choosing technology solutions from other providers.” [Tech Crunch]

US – Software Alliance Backs CISA, Other Reforms

An industry group that represents a number of high-profile technology companies has sent a letter to Congressional leaders expressing its support for the Cybersecurity Information Sharing Act (CISA). The Software Alliance, which represents a number of companies including Adobe, Apple, IBM, Microsoft and Symantec, stated that CISA “will promote cybersecurity and protect sensitive information by enabling private actors in possession of information about vulnerability and intrusions to more easily share that information voluntarily with others under threat.” In addition to CISA, the group urges Congress to pass ECPA reform, the LEADs Act, the Judicial Redress Act and modernize the Mutual Legal Assistance Treaty. [The Daily Dot]

The California legislature has passed a DNA collection bill that would allow DNA to be collected from all felon arrestees, but only allow it to be “uploaded to the state’s database after a judicial finding of probable cause,” reports California Newswire. It now awaits Gov. Brown’s signature.

Florida will see 27 new laws going into effect on October 1, including one that deals with police using devices to track suspects.

Oregon Gov. Kate Brown signed the state’s new invasion of privacy law.

A bill introduced in Oregon’s legislature aims to protect the privacy of students when in a legal dispute with a college.

University of Wyoming students are working to pass a law that would change how student emails are labeled under the Public Records Act.

Delaware recently enacted a “package of statutes governing the collection, storage and use of the personal information of Delaware residents by websites, Internet and cloud service providers and Internet and mobile applications.”

Maine has a new employee social media privacy law, which goes into effect on October 15.

In Wyoming, proposed legislation “would bar school district employees from requiring students to provide them access to social media accounts, smartphones or other personal digital information.”

Workplace Privacy

WW – Study: Employee Privacy Concerns Slow Device Rollout

A Bitglass study indicates that employees’ privacy concerns are slowing down companies’ efforts to roll out bring-your-own-device (BYOD) initiatives. “From an employee standpoint, the biggest challenges are privacy concerns over what does the IT department have visibility into and what do they have control over on my device … Am I giving up my privacy in exchange for having access to corporate email and apps on my device?” said Bitglass VP of Products and Marketing Rich Campagna. “As a result, BYOD adoption has been a lot lower than a lot of people expected over the last few years.” [FierceMobileIT]
