01-15 November 2015


US – Retailers Test Out Facial Recognition

Retailers are deploying and experimenting with facial recognition technology designed to identify suspected thieves. After several months of experimentation in some of its stores, Wal-Mart decided not to use the technology. “We were looking for a concrete business rationale,” said a Wal-Mart spokesperson, adding, “It didn’t have the ROI.” The technology, made by California-based FaceFirst, scans customers’ faces as they walk into the store and compares the images to find matches with alleged offenders. According to FaceFirst, they do not retain images of every customer, only the suspects or people who resemble a suspect. Though FaceFirst said its software is accurate 98 to 100% of the time, one critic said that some companies have concluded that facial recognition is “not ready for prime time.” [Fortune]

US – Plaintiffs Ask Judge to Let Facebook Suit on Facial Tagging Proceed

Facebook users in Illinois are asking a federal judge to allow a federal lawsuit to proceed that accuses the social media site’s automatic tagging feature of violating an Illinois privacy law by storing users’ faceprints. A 2008 law in the state mandates companies collect written consent from subjects before collecting biometric data and also requires notice be provided, as well as a schedule for data destruction. Facebook has asked U.S. District Court Judge James Donato to dismiss the potential class-action, the report states, but the plaintiffs’ lawyers say the case should proceed in the name of protecting Illinois citizens’ privacy. [MediaPost]


CA – Supreme Court Paves Way to Medical Class Action Suit

The Supreme Court of Canada will not hear an appeal to a case in which hundreds of patients’ medical records were accessed inappropriately by Peterborough Regional Health Centre staffers. The Supreme Court’s decision means the case will proceed to trial, which may “open the way to privacy class-action lawsuits.”

CA – BC Commissioner to Audit City of Vancouver

The British Columbia (BC) Information and Privacy Commissioner Elizabeth Denham is looking into the access-to-information requests and privacy practices of the City of Vancouver to ensure the city is in compliance with the provincial Freedom of Information and Protection of Privacy Act.

CA – Ontario MPP Proposes Smart Meter Security Law

Toronto Danforth MPP Peter Tabuns is concerned Ontario’s smart meters are vulnerable to hacking and privacy breaches. In response, he plans to table a private member’s bill to shore up the security gaps.

CA – NB Commissioner Rules WorkSafeNB “Violated its Own Rules”

WorkSafeNB “violated its own rules” when it shared some of its workers’ data without their consent, says New Brunswick Privacy Commissioner Anne Bertrand. After an injured worker complained that her information had been shared with a polling firm, Bertrand’s office investigated.

CA – TPP Criticized for Restrictions on Data Residency

While the deal aims to make e-commerce easier, some critics say the Trans-Pacific Partnership trade agreement’s verbiage may override some provincial laws that require data be stored on local servers to keep Canadians’ personal information safe.

CA – MB Health Minister to Review Health Record Access Laws

Health Minister Sharon Blady has promised to review health-record access laws after providers refused to give family members access to a missing mental health patient’s records citing Manitoba’s Personal Health Information Act.

CA – Federal Commissioner Comments on Drones with Camera

Federal Privacy Commissioner Daniel Therrien says regulations to restrict the use of camera-equipped drones in certain “sensitive” areas are needed. Transport Canada has said it will issue new guidelines for small drones at some point in 2016.

CA – Ontario Liquor Board to Comply with Order, Purge Records

The Liquor Control Board of Ontario is now complying with a privacy commission ruling that it must destroy the records of beer, wine and spirit club members.

CA – Former BC Commissioner to Review Email Retention/Deletion Policy

Former BC Information and Privacy Commissioner David Loukidelis has been hired to conduct an assessment on how best to implement recommendations for government retention and deletion of emails.


WW – Study: 2016 a “Tipping Point” for Privacy Fears

A Forrester Research study indicates that 2016 will be a “tipping point” for online privacy concerns, “prompting regulators to crack down on companies, and consumers to demand greater protection.” Businesses “also stand to suffer the most when consumers decide to prioritize privacy over convenience, something that is already beginning to shape behavior,” the report continues. Other privacy trends the study highlights are: customers “paying for fewer ads, with more privacy; regulatory wrath against privacy violators, and California as incubator of privacy protections.” Specific trends aside, Forrester urges companies to act. “Don’t wait for federal regulation to get your privacy house in order,” the study says. [NBC News]

US – Companies’ Terms Increasingly Forbid Class Actions

Legal experts with the American Association for Justice and Sen. Al Franken (D-MN) and Rep. Hank Johnson (D-GA) met Monday to discuss a recent investigation that found an uptick in the number of companies preventing consumers from filing class-action lawsuits via arbitration clauses. Such clauses generally say product disputes can only be settled “by privately appointed individuals or arbitrators, rather than through the court system,” the report states. “Forced arbitration is not voluntary, it’s not just and it’s not fair,” Johnson said. The Consumer Financial Protection Bureau last month said it’s considering rules to prevent the practice. [The Hill]

WW – Study: Data Goes to Companies Users Trust

A survey of 8,000 consumers in the U.S., Canada, the U.K., India and France by the Center on Global Brand at Columbia Business School and Aimia found that while “80% of those polled said they would share data for rewards,” the amount of information disclosed often depends on the amount of trust they have for a brand. Among the most trusted companies? Consumers named organizations like Bank of America, Delta, T-Mobile, Walmart and Facebook. Regardless of brand confidence, the study found that “home address, mobile phone, name and date of birth were personal data consumers felt most sensitive about,” the report states. [MediaPost]

WW – Smart Packaging and RFID-Blocking Wallets

A report analyzes the rise in privacy concerns around RFID packaging, particularly with RFID-blocking wallets. Since many credit cards contain RFID chips, consumers are starting to use protective wallets to secure against adversaries skimming their credit card numbers. “The irony illustrates,” the report reads, “the dilemma faced by RFID: the more it becomes mainstream, the more it generates screams.” The efficiency and convenience of smart packaging—including RFID-enabled packaging at the item level—holds a lot of promise, the report states, but the corresponding rise in privacy concerns may slow mainstream adoption. “So will we ever see a marriage of RFID and packaging?” the report queries. “If we do, it will be because of the successful resolution of privacy concerns, giving new meaning to the phrase, ‘a marriage of convenience.’” [Packaging World]


US – Study: Government Agencies Among Most Repeatedly Breached

A Risk Based Security (RBS) study finds that 21 of the 99 organizations suffering breaches multiple times are government-based, with the Internal Revenue Service and the U.S. Office of Veterans Affairs among the Top 10 “Most Breached Organizations of All Time.” A “variety of factors” contribute to the repeat breaches, RBS CISO Jake Kouns said in the report, pinpointing elements like the “juicy” nature of information and “the scale of the agencies’ environments and assets.” Meanwhile, The New York Times reports that the appointment of Beth Cobert as director of the Office of Personnel Management faces an uphill battle in the Senate, while the Department of Homeland Security will begin to employ 1,000 cybersecurity professionals “as part of the government’s ongoing plan to address cyber risks.” [Dark Reading]

US – US Government Agencies Earn Poor Grades on Initial FITARA Report Card

Most US government agencies have not done well in implementing the Federal Information Technology Acquisition Reform Act (FITARA) requirements. According to a report card from the House Oversight and Government Reform Committee, agencies averaged a “D.” The grades are being viewed as “an initial assessment” to identify areas that need attention and improvement. The four categories on which the agencies were graded are data center consolidation; IT portfolio review savings; incremental development; and risk assessment transparency. [NextGov] [NextGov]


US – The Clinton Emails and Changing Privacy Expectations

Lawrence Cappello analyzes how the public release of former Secretary of State Hillary Clinton’s emails “represents a clear historical break from the privacy protections traditionally afforded Cabinet members.” Cappello notes that, traditionally, such high-level correspondence is only released after a 30-year delay, “in the interest of giving government officials space to express controversial ideas” without fear of political retribution. “For the same reasons that individual citizens need privacy so that they can better formulate ideas, assess their surroundings and respond to problems intelligently, so too do government officials need privacy to reflect on the long-range effects of their policies and to engage in frank discussions aimed at finding intelligent solutions,” he writes. [The Atlantic]

Electronic Records

US – PMI’s Privacy and Trust Initiatives Published

The Obama Administration’s Precision Medicine Initiative’s (PMI) Privacy and Trust Initiatives have been released, the White House said in a statement. “The Privacy and Trust Principles are organized into six broad categories: governance that is inclusive, collaborative, and adaptable; transparency to participants and the public; respecting participant preferences; empowering participants through access to information; ensuring appropriate data sharing, access and use, and maintaining data quality and integrity,” the report states. “These principles are intended to establish a foundation for future PMI activities to ensure that privacy has been built into the core of the Initiative and that privacy is maintained as a central priority of PMI throughout all components,” the report continues. [WhiteHouse.gov]


EU – Bill Could Eradicate End-to-End Encryption

The proposed Investigatory Powers Bill, championed by Prime Minister David Cameron, would strip organizations’ ability to provide end-to-end encryption. “We need to find a way to work with industry as technology develops to ensure that, with clear oversight and a robust legal framework, the police and intelligence agencies can access the content of communications of terrorists and criminals in order to resolve police investigations and prevent criminal acts,” a spokesman for the Home Office said. Added Cameron, “as Prime Minister I would just say to people ‘please, let’s not have a situation where we give terrorists, criminals, child abductors, safe spaces to communicate.’” [The Daily Telegraph] See [Lacking Disk Encryption Quality For Mobile Devices]

WW – Tor Claims Government Paid University to Uncover Users’ IP Addresses

According to the head of the Tor Project, the FBI paid researchers at Carnegie Mellon University US $1 million to identify users of the anonymizing network. Neither university officials nor the FBI have responded to the allegations, although a CMU spokesperson asked “to see the substantiation for their claim.” In August 2014, CMU researchers were scheduled to give a talk on cracking Tor at the Black Hat conference, but the briefing was pulled from the schedule. [Ars Technica] [Wired] [The Register] [BBC]

[Tor Statement] [Black Hat Talk Cancellation Notice]

US – Gmail Will Warn Recipients of Unencrypted Messages

Gmail will start notifying users when email in their inbox was sent over an unencrypted connection. The change will be rolled out over the next several months. Google hopes the practice will encourage the use of encryption and strong authentication. [DarkReading] [ZDNet] [NBC News] SEE ALSO: [Let’s Encrypt To Open Beta On December 3rd 2015]

US – Encryption App Signal Comes to Android

The Edward Snowden-used and -blessed, hyper-encrypted talk-and-text mobile app Signal is now available to Android users. The free, newly streamlined program, developed by Open Whisper Systems, is reportedly so secure that it consistently draws the ire of the FBI and a smattering of governments across the world. “Every time someone downloads Signal and makes their first encrypted call, FBI Director Jim Comey cries,” the American Civil Liberties Union Lead Technologist, Chris Soghoian tweeted. “True fact.” [Wired]

EU Developments

EU – Cross-Atlantic Group Pens Letter Asking New Safe Harbor Be Scrapped

While EU and U.S. officials are working on drafting a new data-transfer agreement to replace the now-defunct Safe Harbor, 20 EU and 14 U.S. NGOs have sent a letter to both European Commissioner for Justice, Consumers and Gender Equality Vera Jourová and U.S. Secretary of Commerce Penny Pritzker to ask that they shift their focus to “commit to a comprehensive modernization of privacy and data protection laws on both sides of the Atlantic.” A “Safe Harbor 2.0,” the letter said, “will not provide a viable framework for future transfers of personal information.” Instead of simply writing something similar in nature to the Safe Harbor deemed invalid by Europe’s highest court, the human rights and privacy organizations wrote that it’s the privacy laws themselves that need to be rewritten. Meanwhile, the EU-U.S. Ministerial Meeting on Justice and Home Affairs highlighted their work on transatlantic data protection in its “final statement,” released Friday. [Ars Technica]

EU – Facebook! You’ve Got 48 Hours to Stop Tracking People

Facebook has been ordered to stop tracking people that don’t have accounts with it in the next 48 hours or face daily fines of 250,000 euros. The decision by a Belgian court follows a case brought by the country’s privacy watchdog earlier this year in which it argued that the social media company was tracking everyone that visited pages hosted on its website, regardless of whether they were users of the service. If users “like” or share a Facebook page, they also have a cookie installed in their browser, whether or not they are logged in or have an account with the company. By not explaining what it did with the data or asking for consent, the company was breaking local privacy laws, argued the Belgian Privacy Commission. And the court agreed. [The Register]

EU – Belgian Court Rules Facebook Must Desist With Datr Cookie

Facebook plans to appeal a Belgian court ruling that mandated a cease-and-desist of “datr cookie” use. The cookie allegedly tracks the online habits of non-Facebook users after visiting the site. “We’ve used the ‘datr’ cookie for more than five years to keep Facebook secure for 1.5 billion people around the world,” a spokeswoman said. “We will appeal this decision and are working to minimise any disruption to people’s access to Facebook in Belgium.” Meanwhile, the site announced that its “Messenger” tool will employ facial recognition technology for an “easier, faster way to share photos.” [Reuters]

WW – ICDPPC Releases Special Edition Communique

Following last month’s conference in Amsterdam, the Executive Committee of the International Conference of Data Protection & Privacy Commissioners (ICDPPC) has released a “special edition” of its newsletter. ICDPPC Chair John Edwards, who is also the privacy commissioner of New Zealand, wrote, “The two Closed Session discussions proved to be more topical than we could have anticipated when we conceived them earlier this year, with the rapid commercialisation of genetic technologies and the ECJ decision in Schrems … illustrating how important it is for DPAs and others concerned with privacy to engage in a public conversation about intelligence and security.” [ICDPPC]

UK – UK Draft Investigatory Powers Bill

UK Home Secretary Theresa May presented the Investigatory Powers Bill earlier this week. Both houses of Parliament will examine the draft legislation before developing a final version and voting on it. Among the draft bill’s provisions are a requirement that Internet service providers (ISPs) retain users’ browsing history data for one year, and increased powers for law enforcement to gain access to data. [v3.co.uk] [SC Magazine] [v3.co.uk] [Ars Technica] [ZDNet] [The New York Times]

UK – Snooper’s Charter Debut Garners Jeers

After the Investigatory Powers Bill was unveiled in Parliament, critics are officially and powerfully spooked. The bill would “take the UK closer to becoming a surveillance state,” Amnesty International said. “The bill proposes the authorities be given the right to retrospectively check people’s ‘internet connection records’ without having to obtain a warrant,” records that are “a very valuable target for criminals to go after,” said Andrews & Arnold’s Adrian Kennard. The legislation also aims to totally eradicate end-to-end encryption, which led Wikipedia founder Jimmy Wales to tweet, “I would like to see Apple refuse to sell iPhones in UK if government bans end-to-end encryption. Does Parliament dare be that stupid?” Meanwhile, The Guardian studies how Snowden’s surveillance revelations impacted the U.S. and the UK differently. [Reuters]

EU – Snooper’s Charter Criticism Grows Louder

The draft Investigatory Powers Bill continues to rile up privacy advocates and tech giants alike. “The snoopers’ charter in the UK is just a bit worse than scary, isn’t it,” said United Nations Special Rapporteur on Privacy Joseph Cannataci. “If your oversight mechanism’s a joke, and a rather bad joke at its citizens’ expense, for how long can you laugh it off as a joke?” Tim Cook, CEO of Apple, also expressed his displeasure for the bill, especially its mandate of backdoor encryption. “Any backdoor is a backdoor for everyone,” Cook said. “Everybody wants to crack down on terrorists. Everybody wants to be secure. The question is how. Opening a backdoor can have very dire consequences.” [The Daily Dot]

EU – MEPs Vote to Pardon, Protect Snowden; DPAs Call for Transparency

In a resolution, Members of the European Parliament (MEPs) announced that “too little has been done” to protect citizens from electronic mass surveillance since the Snowden revelations. In a vote of 342 to 274, MEPs called on EU member states to “drop any criminal charges against Edward Snowden” and to grant him protection. Snowden tweeted the vote was “extraordinary.” Meanwhile, more than 30 privacy and civil liberties organizations are challenging U.S. Director of National Intelligence James Clapper to disclose how many Americans are spied on under Section 702 of the Foreign Intelligence Surveillance Act. And international data protection authorities are calling on governments worldwide to boost transparency via a resolution proposed at the 37th International Privacy Conference in Amsterdam. [Europarl]

EU – Other Privacy News

At the ISSE 2015 conference, Assistant European Data Protection Supervisor Wojciech Wiewiorowski argued that even though the ECJ ruled against the legitimacy of the Safe Harbor framework, “the ruling did not say the Safe Harbor processes themselves were invalid, but that they were simply not enough.”

Russian authorities have allegedly told Twitter that it must store Russian users’ data in the country or face the potential of being blocked and fined. Russian Internet regulator Roskomnadzor issued the warning, even though in July it had said Twitter would not have to comply with Russia’s new data localization law.


The proposed UK Investigatory Powers Bill would strip organizations’ ability to provide end-to-end encryption. Meanwhile, Conservative MP Theresa May has promised that the Investigatory Powers Bill will not be a repeat of its 2012 iteration, touting the removal of its “contentious” bits.

The Spanish data protection authority has sent letters to Safe Harbor-certified companies operating in Spain outlining necessary steps that companies must take.

Digital Rights Ireland is accusing Ireland of failing to guarantee the independence of the data protection commissioner.

The UK Information Commissioner’s Office has fined the Crown Prosecution Service GBP 200,000 for not ensuring adequate data security of laptops containing sensitive law enforcement interviews with victims and witnesses.

Facts & Stats

US – Study Ranks Companies on Privacy Score

In an interview with DW, Ranking Digital Rights’ (RDR) Director Rebecca MacKinnon discussed the results of RDR’s Corporate Accountability Index 2015 study, which graded and ranked 16 globally prevalent telecom and tech organizations on their human rights records. Google topped the list, with Axiata and Etisalat rounding out the bottom. “Companies need to do human rights impact assessments,” MacKinnon said. “They need to assess how their business impacts on someone’s freedom of expression and privacy and they need to have a process for monitoring this as well as a process for accountability within the company,” she said, adding that businesses “need to be clear to their users about what they collect and what happens to user information.” [DW.com]

WW – World’s Top Tech Companies Get Failing Grade on Privacy

“According to the most comprehensive assessment to date of their user agreement policies,” the world’s biggest tech companies are not protecting their users’ privacy and freedom of expression. Companies from the U.S., Europe and Asia all received failing grades from a project known as Ranking Digital Rights. None of the companies reviewed offered users appropriate information on privacy and censorship, the New America Foundation think tank survey stated. “There are no ‘winners,’” the group said, adding, “Even companies in the lead are falling short.” Meanwhile, a separate report has found that nine out of 10 of the Internet’s top websites are leaking user data. University of Pennsylvania privacy researcher Tim Libert published the peer-reviewed report, which sought to quantify all the “privacy compromising mechanisms” on the world’s most popular websites. [The Guardian]

WW – Study: Privacy Fears Aren’t Instigating User Action

A Parks Associates study discovered that while 76% of households with broadband “are very concerned about their data security and personal privacy when using connected devices,” only 50% cite interest in their broadband provider’s security options, while 80% don’t even realize that they exist, the firm announced in a statement. “As consumers acquire more connected devices for their homes, the more exposure they feel, either through experience or from hearing about high-profile security breaches in the media,” said Parks Associates’ Patrice Samuels. “As a result, they are seeing high value in security and privacy support either as stand-alone services or through monthly fees.” The reason for the lack of knowledge regarding protective offerings? They “are likely not heavily promoted because they do not generate revenue for the company,” Samuels added. [Full Story]


DAA Issues Video Ad Guidelines; CA AG Releases Location Tracking Tips

The Digital Advertising Alliance (DAA) has released new guidelines for displaying privacy icons in video ads. Ad Marker Implementation Guidelines for Video Ads includes technical specifications for the size and placement of the AdChoices icons in video ads. Unlike the recommendations for display and mobile ads, the DAA has said the icon can be placed in any of the four corners of a video ad. “Given that player formats and the positioning of player controls may vary among video ads, implementing companies may choose alternative corners so as to avoid conflicts in user interaction,” the DAA states in its 12-page release. Meanwhile, California Attorney General Kamala Harris has released consumer tips on mobile location tracking, including an information sheet called Location, Location, Location: Tips on Controlling Mobile Tracking. [MediaPost]

US – Supreme Court Set to Hear Spokeo Case

The U.S. Supreme Court will take up Spokeo, Inc v. Robins, a case that could have far-reaching implications for privacy class-action lawsuits. “If you have automatic damages for statutory violations,” said U.S. Chamber of Commerce attorney Roy T. Englert, “it is a ticket for class-actions to sue for millions and even billions on behalf of people who didn’t suffer any harm.” However, Marc Rotenberg of the Electronic Privacy Information Center said, “This is no time for the court to make it harder to bring lawsuits against companies” that are profiting off the sale of personal data. The Editorial Board for The New York Times said the justices should let the case proceed. Separately, Google has asked a judge to delay a different privacy lawsuit until after the Supreme Court decides on Spokeo. [Los Angeles Times]


US – EPIC FOIAs Government for Umbrella Agreement Text

The Electronic Privacy Information Center (EPIC) has filed a complaint alleging the federal government is not responding to a Freedom of Information Act (FOIA) request EPIC filed in September to obtain the full text of the so-called Umbrella agreement with the EU. The potential deal between the U.S. and EU would pave the way for data sharing among law enforcement, and hinges on the U.S. government passing the Judicial Redress Act. “The stated aim of the negotiators is to ensure the privacy protections and redress rights afforded to U.S. persons under the Privacy Act of 1974 are available to non-U.S. persons,” EPIC stated in its complaint. “However, the text of the Judicial Redress Act does not support this conclusion. The public release of the text of the agreement is therefore critical to determine the reason for the legislation.” [Courthouse News Service]

US – Facebook Transparency Report

During the first half of 2015, governments requested Facebook account data more than 41,000 times, according to the company’s most recent transparency report. During that same period in 2014, the figure was just over 35,000. Nearly half of the requests came from US law enforcement. Facebook provided requested data on 80% of those cases. [CS Monitor] [NBC News] [Facebook Report]

US – Facebook Transparency Report Shows Uptick in Requests

According to Facebook’s latest transparency report, governments around the world are requesting the company ban more posts and disclose more user data than ever before. During the first half of 2015, 92 countries asked Facebook to take down 20,568 posts on Facebook, Messenger, WhatsApp and Instagram, more than double what was requested in 2014. [CS Monitor] [NBC News] [Facebook Report] [Full Story]

Health / Medical

ONC Unveils 2016 Privacy Plans

In the wake of the Office of the National Coordinator for Health IT’s (ONC) release of its 10-year road map, the agency announced a litany of privacy-centered schemes for the upcoming year. “We have a lot of work planned … reminding people of what HIPAA actually provides,” said ONC CPO Lucia Savage, citing specific goals for the organization “to clarify misunderstandings about HIPAA’s privacy regulations.” She added that “breaking down barriers to information sharing is a top ONC priority for the year ahead.” Savage also disclosed that the agency and the Centers for Medicare and Medicaid Services and the National Governors Association are teaming up for two separate privacy projects. [Healthcare Info Security]

US – Sensitive Diagnosis Posted to FB Not Grounds for Lawsuit

A Hamilton County Common Pleas Court judge ruled an employee who screenshotted medical records and shared them on Facebook was not “within the scope of her employment” and therefore cannot be sued. The screenshot of the medical record, which disclosed the patient’s “maternal syphilis,” was then taken and published to Facebook group “Team No Hoes,” but the judge argued the action was merely a breach of hospital protocol. “(The hospital) had a policy. It was violated,” said Judge Jody Luebbers. “It’s tragic … but that’s just how I see it.” The plaintiff is expected to appeal, as the ruling was a “close call … decided on a legal technicality,” the report states. [Cincinnati]

US – Senatorial Letter Asks Tough Healthcare Privacy Questions

A bipartisan coterie of senators penned a letter to the Centers for Medicare and Medicaid Services’ Acting Administrator Andy Slavitt and Health and Human Services’ Office for Civil Rights Director Jocelyn Samuels, expounding on their frustrations regarding the numerous healthcare data breaches of late and outlining questions they have for the future. “We are concerned that data theft will continue to rise and will result in an increase in medical identity theft,” the letter said. This comes on the heels of the FBI’s Donald Good’s disclosure that BYOD policy implementation is considered the top healthcare security headache, while data from a Forrester study indicates that “the healthcare industry continues to shortchange Americans when it comes to protecting their data.” Meanwhile, an employee’s “retaliatory agenda” spurred a 16,000-victim Children’s Medical Clinics PHI breach. [NextGov]

US – Brief: Prescription Case Problematic for Privacy

A Litigation Center of the AMA and State Medical Societies amicus brief on the Lewis v. Superior Court of Los Angeles County case indicates that the ruling could have significant privacy implications. The legal proceedings aim to decide if the California Medical Board “infringed upon patients’ constitutional right to privacy when it obtained prescription data without a showing of good cause,” the report states. The brief argues that “there is good reason why federal and state laws treat prescription information with the same level of protection as any other health information,” adding that “the DoJ has not offered an acceptable justification for ignoring the governing laws.” Meanwhile, Verizon’s first-ever Protected Health Information Data Breach Report reveals that most healthcare data breaches aren’t as “sophisticated” as one would think. [AMA Wire]

WW – Contraceptive Computer Chip May Hit the Market in 2018

Women may have a new option in birth control if a contraceptive computer chip hits the market in 2018 as planned. The chip, which has been backed by Bill Gates and will be submitted for pre-clinical testing in the U.S. next year, is implanted underneath the skin and can be controlled by a wireless remote. It releases a small dose of estrogen every day for up to 16 years. MIT’s Robert Farra said secure encryption prevents a third party from “trying to interpret or intervene between the communications,” and the next challenge is ensuring the device can’t be activated or deactivated without the woman’s knowledge. [BBC News]

US – Humans Are Data Security’s Greatest Threat

In a recent report from the Ponemon Institute, 70% of the healthcare organizations and business associates surveyed identified employee negligence as a top threat to information security. Healthcare organizations face big challenges in plugging the human security gap. The biggest risk is a lack of awareness on the part of users. [IAPP]

Horror Stories

US – OPM in More Trouble After Contracting Gaffe

The beleaguered Office of Personnel Management (OPM) confirmed that a $20 million contract for offering ID theft protection to the victims of its summer hacking scandal was a breach of both the agency’s policies and the Federal Acquisition Regulation. In a letter to acting OPM Director Beth Cobert, the OPM’s Inspector General Patrick McFarland indicated that “investigators turned up ‘significant deficiencies’ in the process of awarding the contract to Winvale Group,” the report states. “Because of the missteps identified by the IG, OPM’s procurement shop selected the wrong contracting vehicle,” the report continues. However, “Winvale responded to a posting on FBO.gov, just like every other contractor that submitted a bid,” said a spokesperson for the company. “Winvale had no control over or insight into the bidding process.” [The National Journal] SEE ALSO: [Cobert Nominated for Official OPM Directorship] and [Security Tech Adviser Comes to OPM]

US – Cox Communications Settles with FCC for $595,000

The Federal Communications Commission’s (FCC) Enforcement Bureau entered into a $595,000 settlement with Cox Communications for failing to adequately protect the personal data of its subscribers when the company’s system was breached in 2014, according to an FCC press release. The settlement is the first privacy and data security enforcement action by the FCC with a cable operator. “Cable companies have a wealth of sensitive information about us, from our credit card numbers to our pay-per-view selections,” said FCC Enforcement Bureau Chief Travis LeBlanc. “This investigation shows the real harm that can be done by a digital identity thief.” The settlement will also require Cox to notify affected customers, provide one year of ID theft service and “adopt a comprehensive compliance plan” with annual system audits. [Full Story]

US – $90,000 Settlement in Connection with Laptop Theft

The state of Connecticut will receive $90,000 from EMC and Hartford Hospital after the 2012 theft of an unencrypted laptop with nearly 9,000 patient records was left unrecovered. “Resolving things by agreement was the best course for all involved,” an EMC spokeswoman said. “The agreement will, however, not be considered as an admission by EMC and the hospital of any alleged violations in connection with the laptop incident,” the report states, adding that while “the laptop was not found, the hospital has held that there hasn’t been any evidence of misuse of the information.” [PCWorld]

US – Comcast Resets Stolen User Passwords, Says Systems Not Breached

Account information for 200,000 Comcast customers was found for sale on the Dark Web. The telecommunications company says that its systems were not breached, and that it will reset the affected passwords. [Washington Post] [ZDNet] Meanwhile, “teenage hacktivist group” Crackas With Attitude (CWA) leaked a list that they say contains the personal details of more than 2,000 government officials, a move that a member of the group “claimed … (was) in support of Palestine.” [Time]

Identity Issues

WW – Real Name Policy Revised by Facebook

Facebook has announced new policies regarding its “authentic names” requirements after mounting criticism from civil rights groups like the American Civil Liberties Union and the Electronic Frontier Foundation. Facebook has pledged to permit users to “provide more information about their circumstances,” Facebook VP of Growth Alex Schultz said in a statement. “It will help us better understand the reasons why people can’t currently confirm their name, informing potential changes we make in the future.” Schultz also announced Facebook’s creation of “a new version of the profile reporting process that requires people to provide additional information about why they are reporting a profile,” which aims to curb trolls “falsely flagging profiles for using a fake name,” a burgeoning form of harassment. [The Guardian]

US – Duplicate SSN Nightmare Not a Rarity

Starting with two women who share a birthday, a similar name, state residency and social security number, the duplicate data phenomenon “is not as uncommon as you might think … In fact, some 40 million SSNs are associated with multiple people, according to a 2010 study by ID Analytics,” the report continues. As such, “you should be reviewing those reports to see if there’s activity associated with your identity that you don’t recognize,” said Tripwire’s Travis Smith. “Either of these women could probably have seen the problem earlier if they had been doing that.” [Computer World]

US – New Firm Promises Highly Targeted Election Ads

Xaxis Politics, the product of a WPP and Haystaq alliance, will employ targeted ads to get the attention of voters before the 2016 U.S. presidential elections. “We haven’t seen anyone else doing (online political targeting) with this level of granularity,” said Xaxis CEO Brian Gleason, who added that the tool permits “laser-like targeting” of voters. The system should be used wisely, analysts caution. If “Internet users perceive the tailored ads as too intrusive or creepy,” the report states, their use “could absolutely backfire,” said Borrell Associates’ Kip Cassino. [Financial Times]

US – Anonymous Unhoods 1,000 KKK Members

Hacktivist group Anonymous made good on its threat to out the identities of Ku Klux Klan (KKK) members and sympathizers, releasing 1,000 names to the internet for netizens to do with as they will. “We hope Operation KKK will, in part, spark a bit of constructive dialogue about race, racism, racial terror and freedom of expression, across group lines,” Anonymous said. “We consider this data dump as a form of resistance against the violence and intimidation tactics leveraged against the public by various members of Ku Klux Klan groups throughout history.” [ZDNet]

US – OPM to Work to Make ID Protection a Basic Benefit

In its freshly published cybersecurity strategy, the Obama Administration encouraged the Office of Personnel Management (OPM) to include identity theft protection as a standard employee perk. The strategy “directs OPM within three months to review options and develop and deliver to (Office of Management and Budget) recommendations for making identity protection services a standard federal employee benefit,” and the OPM is listening. “Based on the response by individuals impacted by the personnel records incident there appears to be significant interest in these services by federal employees,” said an OPM spokesperson. “OPM continues to work with an interagency team to develop and deliver recommendations to OMB for making identity protection services a standard federal employee benefit.” [NextGov]

Internet / WWW

US – Hughes: Guidelines a Positive Step for OMB

The Office of Management and Budget (OMB) opened its revisions to guidelines for IT management, and while the inclusion of privacy training mandates garnered raised eyebrows from those in the IT field, some in the privacy community are impressed. The updates are a “sophisticated reflection on how privacy has evolved and arrived in today’s modern organization,” said IAPP CEO Trevor Hughes. These best practices mean that everyone who interacts with a company’s data “needs to understand enough about data management to not make a stupid decision,” he said. “Everyone who touches data is a risk factor with regard to privacy.” The OMB accepts comments on the revisions until November 20. [Gov Exec]

Law Enforcement

US – Supreme Court Won’t Hear Phone-Tracking Case; Lawmakers Want Answers on Gov’t Stingray Use

The U.S. Supreme Court has declined to hear a case on whether the government needs a warrant to collect cellphone location information. The case involves a man convicted of a string of robberies whose location was tracked via his phone. His lawyers argue that’s a violation of his privacy. Meanwhile, Rep. Jason Chaffetz (R-UT) has introduced a bill in the House of Representatives that would require law enforcement to obtain a warrant before using stingray surveillance, and a group of lawmakers—including Chaffetz—has sent a letter to 24 government agencies asking for their policies on using the technology. [ComputerWorld]

US – ACLU: Baltimore Riots Were Surveilled by Police Planes

According to documents obtained by the ACLU, the FBI flew at least 10 surveillance flights over the riots in Baltimore, MD, earlier this year. Flight logs obtained under Freedom of Information Act filings indicate that more than 36 hours of flights, some of them carrying Baltimore police officers, occurred during the protests over the death of Freddie Gray while in police custody. During a Congressional hearing last week, FBI Director James Comey acknowledged that the surveillance occurred at the request of local authorities but didn’t provide details on the permissions process. [Reuters]

US – New Bill Would Require Law Enforcement to Obtain Warrants Prior to Stingray Use

A new bill in US House of Representatives would require law enforcement to obtain warrants prior to using stingrays. The Cell-Site Simulator Act of 2015, also known as the Stingray Privacy Act, also requires transparency about the technology to be used by those seeking the warrant. The Justice Department has a policy in place requiring warrants for the surveillance technology’s use; this bill aims to extend that requirement to law enforcement at all levels in the country. [Wired]


US – License Plate Reader Data Exposed

The Electronic Frontier Foundation learned that more than 100 automated license plate recognition (ALPR) cameras were exposed online. In some cases, the camera live streams could be accessed. ALPR systems capture images of license plates and alert authorities when they spot a plate on the “hot list.” The data are collected and stored even if they belong to cars that have nothing to do with criminal activity. [EFF]

WW – New Tor Chat Tool

Tor has launched a chat tool that lets people communicate over the Tor network and hide their locations. Tor Messenger uses encryption by default. It cannot log chats. Tor Messenger is currently available to the public in beta. [BBC] [Ars Technica] SEE also: [Tor Messenger Released]


IS – Supreme Court Rules Against RTBF

The Israeli Supreme Court declined to implement a right to be forgotten under Israel’s privacy laws. The decision overturned an order by the Directorate of Courts, an agency overseeing court administration, to legal databases to prevent indexation of court decisions by online search engines, such as Google. The Directorate cited litigants’ right to privacy in cases ranging from family law to personal injury, including quoting the Court of Justice of European Union decision in the Costeja case. The Supreme Court weighed the balance between the right to litigants’ privacy against the public interest in open court records, holding that clear legislative mandate was required to limit access to judicial data. The ruling stressed that under the Directorate’s order, court records would remain accessible by lawyers who paid to subscribe to legal databases, unjustly handicapping members of the public who do not typically subscribe to such services and access court data exclusively through the open web. The Court suggested that the legislature could protect litigants’ privacy by requiring courts to suppress sensitive information in judgments and, in appropriate cases, publish cases under pseudonymous litigant names. The decision, HCJ 5870/14 Hashavim H.P.S. Business Data v. Directorate of Courts, in Hebrew, is available at the “Full Story” link. [Full Story]

Online Privacy

WW – New Privacy Settings Announced by Google

Google announced its addition of both an advanced “about me” page and Privacy Checkup system, which allows users to have greater control of their online privacy. The “about me” page collects the user’s online information and personal details in one space, from which he or she “can directly jump into each section and delete or change the information to control what people see,” the report states, while the “privacy checkup” takes the user on a “step-by-step tour of (his or her) privacy settings one section at a time.” Meanwhile, the 3rd U.S. Circuit Court of Appeals threw out the class-action suit that alleged Google had “violated federal wiretap and computer fraud laws by exploiting loopholes” in Internet browsers. [CNET]

WW – Report: Six in 10 Don’t Download Apps Due to Privacy Concerns

A new Pew Research Center report looks at more than one million apps available in the Google Play Store and evaluates the kinds of permissions the apps require for use, according to a press release. The report found that six in 10 users had decided not to follow through with a download once they realized how much personal data the app would collect, and 43% had uninstalled an app after downloading it for the same reason. In addition, nine in 10 users surveyed said knowledge of the kind of personal data an app collects is “very” or “somewhat” important to them in deciding whether to download. [Pew Research]

WW – Mozilla Releases Tracking Protection

Mozilla announced the release of a new feature in Firefox private browsing called “tracking protection.” The feature allows users to control the data third parties receive from them online. It blocks data-collecting content including ads, analytics trackers and social share buttons across sites. The feature also allows users to control data-collecting content on a per-site basis. [Full Story]

WW – IoT’s Unspoken Issue: MAC Addresses

Media access control (MAC) addresses present a severe privacy vulnerability in Internet of Things (IoT) devices, “anti-surveillance specialist” Adam Harvey argued at a Digital Catapult-hosted speech. “If we do this wrong we’re really screwed,” Harvey said. “The MAC address is such a big thing because so many devices use it. Anything with a networking card has a MAC address … We are about to manufacture and deploy billions of devices and we don’t even know what the problems are yet.” Potential manipulation is a concern. “If I were malicious,” he said, “I could construct a highly targeted phishing attack by saying, ‘I see you’ve been to the Grand Hotel, did you enjoy your stay there?’” [Computing]
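The tracking Harvey describes works because a burned-in MAC address is broadcast in Wi-Fi probe requests and stays the same everywhere the device goes. The script below is an added example, not code from the article or from Harvey: it takes a constructed log of probe sightings at several venues, normalises the address formats, separates burned-in addresses from locally administered (randomised) ones using the second-least-significant bit of the first octet, and joins the sightings into a per-device location history of exactly the kind a phishing message could be built from. Venue names and addresses are made up.

```python
"""Added example: what a stable hardware MAC address leaks across venues.

Constructed data, not from the original article: a handful of Wi-Fi probe
sightings of the kind a venue's access points or a passive sensor could log.
"""
import re
from collections import defaultdict


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff and
    return lower-case colon-separated hex; raise ValueError otherwise."""
    hexdigits = re.sub(r"[:\-.\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means the address was assigned locally
    (e.g. by OS MAC randomisation), not burned in by the vendor."""
    first_octet = int(normalize_mac(mac).split(":")[0], 16)
    return bool(first_octet & 0x02)


def oui(mac: str) -> str:
    """First three octets: the IEEE-assigned vendor prefix of a burned-in address."""
    return normalize_mac(mac)[:8]


# Constructed sightings: (timestamp, venue, MAC seen in probe requests).
SIGHTINGS = [
    ("2015-11-02T19:40", "Grand Hotel lobby", "3C:5A:B4:10:20:30"),
    ("2015-11-02T19:41", "Grand Hotel lobby", "DA:A1:19:44:55:66"),
    ("2015-11-05T08:15", "Airport gate 12",   "3c-5a-b4-10-20-30"),
    ("2015-11-05T08:16", "Airport gate 12",   "DE:AD:BE:EF:00:01"),
    ("2015-11-09T12:30", "Conference hall",   "3c5a.b410.2030"),
]


def track(sightings):
    """Group sightings by device. Burned-in addresses tie every visit to one
    device; locally administered addresses are dropped because they cannot be
    assumed stable from one session to the next, which is the whole point of
    randomising them."""
    history = defaultdict(list)
    for ts, venue, mac in sightings:
        if is_locally_administered(mac):
            continue
        history[normalize_mac(mac)].append((ts, venue))
    return dict(history)


if __name__ == "__main__":
    for device, visits in track(SIGHTINGS).items():
        print(device, "vendor prefix", oui(device))
        for ts, venue in visits:
            print("   ", ts, venue)
```

Run as-is it prints one device (the burned-in 3c:5a:b4 address) with three venues linked across a week, while the two randomised addresses produce nothing; the mitigation for a device maker is exactly that flag: use locally administered, per-session addresses for anything that probes while not associated.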

US – FCC Will Not Regulate Do-Not-Track Requests

The Federal Communications Commission (FCC) rejected a petition requesting it require companies to honor consumers’ do-not-track requests. The Consumer Watchdog petition wanted the FCC to “initiate a rulemaking proceeding requiring ‘edge providers’ (like Google, Facebook, YouTube, Pandora, Netflix and LinkedIn) to honor ‘Do-Not-Track’ requests from consumers.” The consumer advocacy group wanted the agency to use Title I and its Section 706 authority to regulate “information services.” The FCC said that when it reclassified broadband as a common carrier service, it would not “regulat(e) the Internet, per se, or any Internet applications or content.” [Ars Technica]

Other Jurisdictions

EU – New LIBE Committee Report on Data Protection in China

As part of a request by the LIBE Committee, the European Parliament’s Policy Department for Citizens’ Rights and Constitutional Affairs commissioned and released an in-depth analysis called “The data protection regime in China.” Co-authored by Prof. Paul de Hert and Vagelis Papakonstantinou, the analysis states, “One cannot talk about a proper data protection regime in China, at least not as it is perceived in the EU. The international data protection fundamentals that may be derived from all relevant regulatory instruments in force today … are not unequivocally granted under Chinese law.” The report also includes a list of policy recommendations for China. [Full Story]

EU – Microsoft to Open Data Centers Overseas

Microsoft announced it is creating two data centers in Germany, putting data out of the U.S. government’s reach. The facilities are controlled by T-Systems, a Deutsche Telekom subsidiary, which will be the “data trustee.” Microsoft employees won’t be able to access the data, which is significant, the report states, because “even though Deutsche Telekom has sizeable operations in the U.S., as a non-American company it is not legally subject to the same U.S. data-sharing rules.” Microsoft lawyers say the legal arrangements are “bulletproof” because if the company doesn’t even have keys to the building, “the U.S. government can hardly demand that it open the doors.” [Full Story]

EU – German Microsoft User Data to Be Stored in Germany

Microsoft will employ data centers in Magdeburg and Frankfurt, Germany, to hold the data of German customers after European critics conveyed surveillance fears. “These data centres will ensure that customers’ data remains in Germany and that a German company controls access to data in accordance with German law,” said Microsoft CEO Satya Nadella. “Microsoft sees cloud services as an opportunity for significant future growth as sales of its flagship operating system decline,” the report adds. [The Province]

RU – Russia to Force Twitter to Store Data In-Country

Russian authorities have allegedly told Twitter that it must store Russian users’ data in the country or face the potential of being blocked and fined. Russian Internet regulator Roskomnadzor issued the warning, even though in July it had said Twitter would not have to comply with Russia’s new data localization law. Roskomnadzor told Financial Times that the situation for Twitter has now changed. Roskomnadzor head Alexander Zharov said Twitter “changed their user agreement some months ago. And if you read that, people must provide a set of metadata, which in our understanding as a whole counts as personal data and allows to identify an individual.” [Radio Free Europe]

WW – Other Privacy News

The Australian Senate’s move to make e-health records opt-out rather than opt-in is “dangerously naïve,” according to the Australian Privacy Foundation, which further alleges that the Senate “ignored expert advice by changing the e-health records to be opt-out,” the report states.

At the Chemical Watch Enforcement Summit, Dr. Knoell Consult’s Deirdre Lawler disclosed that select EU “data-sharing agreements … are being amended to allow companies in South Korea to use EU data to register chemicals.”

The Trans-Pacific Partnership’s full contents have been revealed, and advocacy groups like the Electronic Frontier Foundation are not impressed.

The Attorney-General’s Department has announced that the Australian government will soon issue an exposure draft of its data breach notification legislation.

In Serbia, the Commissioner for Information of Public Importance and Personal Data Protection has issued a press release that strongly criticizes a new draft Law on Personal Data Protection prepared by the Ministry of Justice, seeking “a greater degree of detail.”

Indonesia could see its first comprehensive data privacy law “as soon as mid-February 2016,” according to the Ministry of Communications and Information.

Privacy (US)

US – 200 Companies Support Student Privacy Pledge

The Future of Privacy Forum (FPF) and Software & Information Industry Association together have announced that 200 companies have now agreed to support the Student Privacy Pledge. The pledge, which also has support from President Barack Obama, the National Parent Teachers Association and the National School Boards Association, is legally binding and can be enforced by the Federal Trade Commission and state attorneys general. “Companies that serve students understand that they must maintain the trust of parents, students and teachers,” said FPF Executive Director Jules Polonetsky. “Although many states are passing new laws to govern student privacy, the pledge plays a key role in setting a national standard for protecting student data and ensures companies are aware of the central restrictions in statutes such as FERPA and COPPA.” [Student Privacy Pledge]

US – FTC Complaint Against LabMD Dismissed

Seven years after the alleged data breach initially occurred, the FTC Chief Administrative Law Judge, Michael Chappell, ruled on Friday to dismiss the FTC’s complaint alleging that cancer-testing laboratory LabMD failed to provide reasonable and appropriate security for sensitive personal data. The case currently represents the first time a company has challenged an FTC complaint brought on the grounds of unreasonable information security and won. The FTC’s enforcement arm is considering whether to appeal. [Full Story]

US – Appeals Court Decision Could Reset Wiretap Act

Google’s recent victory in the 3rd U.S. Circuit Court of Appeals regarding how it used data and its relation to the Wiretap Act was won with a cautionary admonition from the court: “Merely tracking the URLs someone visits can constitute collecting the contents of their communications, and that doing so without a warrant can violate the Wiretap Act.” “This is a pretty big deal for law enforcement,” said Stanford’s Jonathan Mayer. “The punchline is that if the FBI or any law enforcement agency wants to look at your web history, they’ll have to get a warrant for a wiretap order,” he said. [Wired]

US – BBB Takes Companies to Task for Failing Privacy Scores

The Better Business Bureau (BBB) found advertising companies Outbrain and Gravity non-compliant with its privacy and advertising edicts after both organizations failed to attach the AdChoices informational label on advertisements as a form of “enhanced notice.” In response, Outbrain said “it was aware of some problems with its privacy notifications, and had already contacted the publisher of one site that incorrectly implemented the widget,” the report states, promising that it “will continue to take a proactive approach to privacy and disclosure compliance.” Gravity has also “since modified its widget.” [Media Post]

US – Study: MA Student Privacy Lacking

An American Civil Liberties Union of Massachusetts report found that student privacy is lacking, with policies that “allowed schools to inspect school-provided devices without any notice or consent of either the students or parents.” “These kids are going to be adults someday,” said the ACLU of Massachusetts’ Kade Crockford. “If they have learned in schools that they are not to be trusted, that they have no right to privacy … on the Internet or on their iPods or laptops or phones, they may very well believe that this is how things work.” [CSM Passcode]

US – Advocates Call for Data Broker Regulation

Experts at a Senate Judiciary Committee hearing called for regulation of companies that collect and sell massive amounts of consumer data. In opening remarks, Sen. Al Franken (D-MN), who has introduced a bill that would regulate data broker practices, pointed to the myriad data breaches in recent years as evidence that more must be done to protect citizens’ data. The World Privacy Forum’s Pam Dixon testified that it’s “reckless and downright dangerous” not to protect data stored by data-brokers, adding the danger of big data is “what data doesn’t exist can be inferred. It creates an extraordinary network of information flows about ordinary consumers.” [Courthouse News Service]

US – EFF Voices TPP Concerns

The Trans-Pacific Partnership (TPP) continues to garner criticism from privacy groups after the full text of the document was released last week. “We don’t want to see the Internet become balkanized,” said the Electronic Frontier Foundation’s (EFF) Maira Sutton. “But having these discussions decided in a trade agreement is exactly the wrong place to do it. There’s been no security researchers at the table, no public interest groups that have been following this for a long time … trade agreements are not the place to decide digital policy.” [The Hill]

US – Privacy Groups Nonplussed by TPP

The Trans-Pacific Partnership’s (TPP) full contents have been revealed, and advocacy groups like the Electronic Frontier Foundation (EFF) are not impressed. The TPP “upholds corporate rights and interests at the direct expense of all of our digital rights,” the EFF said. Of particular concern is “provisions in the agreement that require real names and addresses associated with Internet domains such as .us, .ca or .au to be registered with the home government,” the report states. “This is dangerous especially for the ability of opposition groups in repressive countries to voice their concerns online without fear of violent retribution,” Fight For the Future (FFTF) said. President Barack Obama fired back, arguing that “if we don’t pass this agreement—if America doesn’t write those rules—then countries like China will.” [Full Story]

US – Washington Announces Privacy Guide for Residents

Washington State Gov. Jay Inslee has announced a new digital privacy protection guide and website to help state residents be aware about cyber privacy, protecting personal data online and the state’s data collection policies and practices, according to a press release. The state’s new website and privacy guide gives residents tips and strategies. Chief Privacy Officer Alex Alben said he hopes both give “citizens a fuller sense of both personal privacy rights and of the state’s commitment to ensuring our state government does everything in its power to safeguard personal data.” [Full Story]

US – Twitter Moves to Dismiss Link Lawsuit

Twitter has moved to dismiss a proposed class-action lawsuit alleging the company “surreptitiously eavesdrops on its users’ communications.” Plaintiffs argue that Twitter’s link-shortening service has “traffic directed through its own system so as to negotiate better advertising rates,” a practice they argue is illegal under the Wiretap Act. Twitter argues in its motion to dismiss that its methods are “routine business conduct” that aim to “prevent spam and malware,” that users have consented to the practice and that the process is outlined in its terms of service and privacy policy. [The Hollywood Reporter]

US – Other Privacy News

Google’s recent victory in the 3rd U.S. Circuit Court of Appeals regarding how it used data and its relation to the Wiretap Act was won with a cautionary admonition from the court: “Merely tracking the URLs someone visits can constitute collecting the contents of their communications, and that doing so without a warrant can violate the Wiretap Act.”

In a bipartisan letter to the Centers for Medicare and Medicaid Services, senators ask tough healthcare privacy questions, expounding on their frustrations regarding the numerous healthcare data breaches of late and outlining questions they have for the future.

Prosecutors say they know who hacked JPMorgan Chase last year. Three men already indicted for separate crimes in July are now charged with the hack, which exposed 83 million customers’ personal data.

An amicus brief on the Lewis v. Superior Court of Los Angeles County case indicates that the ruling could have significant privacy implications. The legal proceedings aim to decide if the California Medical Board “infringed upon patients’ constitutional right to privacy when it obtained prescription data without a showing of good cause.”

The U.S. Supreme Court has declined to hear a case on whether the government needs a warrant to collect cellphone location information. The case involves a man convicted of a string of robberies whose location was tracked via his phone.

The Federal Communications Commission’s (FCC) Enforcement Bureau entered into a $595,000 settlement with Cox Communications for failing to adequately protect the personal data of its subscribers when the company’s system was breached in 2014, according to an FCC press release.

Sen. Al Franken (D-MN) has said he will reintroduce a bill that would ban stalking apps.

Privacy Enhancing Technologies (PETs)

WW – Yik Yak as Anonymous as It Seems?

Arrests tied to racially fueled threats posted on social media app Yik Yak have called the platform’s boasts of anonymity into question. The app is considered to be “by far the most widely adopted, anonymous, location-based applications at schools,” the report states. According to Yik Yak’s policies, however, it “can disclose to police each user’s Internet protocol address and GPS coordinates, along with details about the phone or tablet,” the report continues. While a spokesperson for the company would not disclose specific information about the frequency with which authorities ask for Yik Yak data, she acknowledged “the company works with authorities” and that in an emergency the company does not require the usual legal process before handing over data. [NBC News]

US – ROI Calculator Aims to Break Down Automation Worth

TRUSTe unveiled its return on investment (ROI) calculator for those unsure whether investing in “privacy automation technology” is the right step for their company, the organization announced in a statement. On TRUSTe’s www.privacy-automation.com, “visitors can read up on privacy assessment best practices or guidelines for evaluating privacy automation ROI,” as well as access the ROI calculator. The tool has “default values for each field based on our own research but each field is customizable so that users can tailor the ROI calculations to their own use case.” [Full Story]

WW – New Risk-Assessment Tool Released

Privacy Analytics has released a privacy-risk assessment tool to help organizations evaluate their data-sharing practices, according to a press release. Risk Monitor identifies gaps in existing practices and uses peer-reviewed algorithms and methodologies to look at organizations’ current risk for exposing personal health information or personally identifiable information based on “the context and intended use of each shared data set.” Pamela Neely Buffone, vice president of product management at Privacy Analytics, said organizations are looking to maximize the usefulness of their data assets and need to have “responsible privacy measures” to ensure compliance and “the lowest possible levels of legal, financial and reputational risk.” [Full Story]


US – UMass Awarded Grant To Study “Smart Building” Privacy

The National Science Foundation granted the University of Massachusetts Amherst $486,524 for a research project aimed “to enhance privacy in smart buildings and homes,” the university announced in a statement. “It’s very easy to know whether someone’s home or not by following energy use data, so that might be considered sensitive information,” said the University’s David Irwin, one of the project directors. “On the other hand, energy companies can save you money by knowing that same information. They can charge you less for electricity in off-peak hours, for example. One thing we’ll be studying is how to preserve individual privacy while still allowing utilities to improve their operations.” [Full Story]


WW – Study Aims to Eradicate the Password

Tech companies Galois, Inc., its subsidiary Tozny, GlobeSherpa and IOTAS have united to develop an alternative to the password, a project the National Institute of Standards and Technology so believes in that it awarded Galois $1.8 million for its work. The goal is to build “a behavior-based authentication system dedicated to finding a happy medium between the need to validate users while also guarding their privacy,” the report states. It would permit “new ways for user information to be shared across organizational boundaries in a way that the user is in control over how the data (is) shared, what is shared, with who and when,” said Tozny founder Isaac Potoczny-Jones. [FedScoop]

US – Audit Again Finds IRS Security Lacking

A Government Accountability Office audit found the Internal Revenue Service’s (IRS) security systems to be flawed enough to put taxpayer information in danger, the second recent study to produce negative results. The audit discovered that the agency “doesn’t have sufficient control over its financial reporting system,” with some systems without an update in four years, the report states, adding that the auditors discovered vulnerabilities that the IRS itself hadn’t unearthed. In response, IRS Commissioner John Koskinen acknowledged that “challenges remain,” but said the agency had “established its ability to consistently produce accurate and reliable financial statements.” [NextGov]

US – Study: Not One U.S. State Prepared for Cyber Threats

A study by the Pell Center for International Relations and Public Policy at Salve Regina University found a “troubling lack of preparedness to deal with cybersecurity threats among a vast majority of state governments.” While all 50 states are forging ahead and investing in improvements to broadband communications, none of them “managed to meet all the evaluation criteria that Pell used to measure their cyber readiness,” said Francesca Spidalieri, senior fellow for cyber leadership. The study looked at whether each state had a cybersecurity plan, formal incident response capabilities, data breach notification and threat-information sharing mechanisms, the report states. [DARKReading]

Survey Finds Business Unprepared for Hacks

A new ISACA survey of 600 individuals in the cybersecurity fields found that while 74% were expecting to be hacked, only 67% felt “prepared to respond.” Cyberattacks in the form of advanced persistent threats (APT) “have become the norm,” said ISACA CEO Matt Loeb. “All organizations, regardless of their size, where they’re located or what industry they’re in, have to be prepared to deal with these things … There isn’t anybody that isn’t vulnerable. So when we talk about these things, it’s not a matter of if I’m going to be attacked, it’s a matter of when.” [Associations Now]

US – Conficker Found on Police Body Cameras

There are reports that malware known as Conficker has been found on police body cameras supplied by Martel Electronics. When the cameras were connected to computers, Conficker immediately tried to infect the machines. Once it had infected a machine, it tried to spread to other machines on the same network. Conficker was first detected in late 2008. [Ars Technica] [The Register] [ZDNet]

WW – Covington: Effective Log Management Can Prevent Breaches

In a blog post, Robert Covington discusses “the importance of good log management to prevent data breaches.” Covington cites such regulations as the Gramm-Leach-Bliley Act, Sarbanes-Oxley, HIPAA and the Federal Information Security Management Act as all containing provisions on log requirements. But it’s not an easy thing to do, Covington writes. It requires sifting through a lot of records to find the ones that matter, and, in addition, for logs to matter during a forensic investigation, there have to be proper controls ensuring logs can’t be altered or deleted. Covington offers tips on how to be effective given the inherent headaches. [Computerworld]
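One concrete form of the “can’t be altered or deleted” control Covington describes is a hash-chained log: each record commits to the link of the record before it, and the links are keyed so that only the collector can produce them. The following is an added illustration, not code from the Computerworld post; the sample events and the key are constructed.

```python
"""Tamper-evident log chain: each record commits to the link of the previous
record, so an edit, deletion or reordering of an earlier entry breaks every
later link. Added illustration; not code from the Computerworld post.
Sample events and the key are constructed."""
import copy
import hashlib
import hmac
import json

# Constructed sample log records, not from any real system.
SAMPLE_EVENTS = [
    {"ts": "2015-11-05T14:02:11Z", "user": "alice", "action": "login", "result": "ok"},
    {"ts": "2015-11-05T14:03:40Z", "user": "alice", "action": "read", "obj": "acct/1042"},
    {"ts": "2015-11-05T14:05:02Z", "user": "bob", "action": "login", "result": "fail"},
    {"ts": "2015-11-05T14:05:09Z", "user": "bob", "action": "login", "result": "fail"},
]

GENESIS = "0" * 64  # link value used for the first record


def link_hash(prev_hash: str, event: dict, key: bytes) -> str:
    """HMAC-SHA256 over (previous link || canonical JSON of the event).
    The key is held by the log collector, not the logging host, so a
    compromised host cannot recompute valid links after editing its logs."""
    payload = prev_hash.encode() + b"\n" + json.dumps(event, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def build_chain(events, key: bytes):
    """Turn plain events into chained records: seq, prev link, event, link."""
    chain, prev = [], GENESIS
    for seq, event in enumerate(events):
        link = link_hash(prev, event, key)
        chain.append({"seq": seq, "prev": prev, "event": event, "hash": link})
        prev = link
    return chain


def verify_chain(chain, key: bytes):
    """Return (True, None) for an intact chain, else (False, seq of the first
    record that fails). Catches edited contents, removed and reordered records."""
    prev = GENESIS
    for expected_seq, rec in enumerate(chain):
        if rec["seq"] != expected_seq or rec["prev"] != prev:
            return False, rec["seq"]  # gap or reorder: a record is missing or moved
        if not hmac.compare_digest(rec["hash"], link_hash(prev, rec["event"], key)):
            return False, rec["seq"]  # contents (or link) changed after the fact
        prev = rec["hash"]
    return True, None


def demo():
    """Build a chain, then show that an edit and a deletion are both detected."""
    key = b"constructed-collector-secret"  # placeholder; a real key is random and kept off-host
    chain = build_chain(SAMPLE_EVENTS, key)

    edited = copy.deepcopy(chain)
    edited[2]["event"]["result"] = "ok"  # rewrite a failed login as a success

    deleted = copy.deepcopy(chain)
    del deleted[2]                        # drop that record entirely

    return {
        "intact": verify_chain(chain, key),
        "edited": verify_chain(edited, key),
        "deleted": verify_chain(deleted, key),
    }


if __name__ == "__main__":
    for name, (ok, seq) in demo().items():
        print(f"{name:8s} intact={ok} first_bad_seq={seq}")
```

Detecting the break is only half the control: the collector should also be the only place where records are written, and the chain head should be periodically anchored somewhere the logging hosts cannot reach, so that truncation of the tail is noticed as well.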

WW – NIST Issues Advice on Whitelisting

The US National Institute of Standards and Technology (NIST) published the Guide to Application Whitelisting to help organizations implement the technology. Whitelisting is the number one mitigation on both the NSA’s Top Ten and the Australian Signals Directorate’s Top Four Strategies to Mitigate Targeted Cyber Intrusions. [NextGov] [ComputerWorld] [The Register] SEE ALSO: http://www.asd.gov.au/publications/protect/application_whitelisting.htm
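Whitelisting policies are built from file attributes, and which attribute is used decides what the control catches. The block below, an added example that is not code from NIST’s guide or from either agency, evaluates the same constructed execution attempts under a path-based rule, a hash-based rule, and a policy that requires both; the Windows-style paths, binaries and hashes are constructed stand-ins.

```python
"""Application allowlist decisions by file path versus cryptographic hash.
Added illustration; not code from NIST's guide. Paths, binaries and hashes
are constructed stand-ins for real executables."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    path: str       # where the OS found the executable
    content: bytes  # its bytes (constructed stand-ins for real binaries)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "known-good" binaries an administrator has approved.
KNOWN_GOOD = {
    "editor.exe": b"MZ\x90\x00 constructed editor v1.0",
    "updater.exe": b"MZ\x90\x00 constructed updater v2.3",
}
ALLOWED_HASHES = {sha256_hex(data): name for name, data in KNOWN_GOOD.items()}

# Path rule: directories that standard users cannot write to.
PROTECTED_DIRS = ("C:\\Program Files\\", "C:\\Windows\\System32\\")


def allowed_by_path(c: Candidate) -> bool:
    """Coarse rule: trust anything located under a protected directory."""
    return c.path.startswith(PROTECTED_DIRS)


def allowed_by_hash(c: Candidate) -> bool:
    """Precise rule: trust only bytes whose digest an administrator approved."""
    return sha256_hex(c.content) in ALLOWED_HASHES


def decide(c: Candidate) -> dict:
    """Evaluate both attributes; the combined policy requires both to hold."""
    by_path, by_hash = allowed_by_path(c), allowed_by_hash(c)
    return {"path": by_path, "hash": by_hash, "combined": by_path and by_hash}


# Constructed execution attempts to run through the policy.
CANDIDATES = {
    "approved_in_place": Candidate(
        "C:\\Program Files\\Editor\\editor.exe", KNOWN_GOOD["editor.exe"]),
    "modified_in_place": Candidate(  # same path, bytes changed after approval
        "C:\\Program Files\\Editor\\editor.exe", KNOWN_GOOD["editor.exe"] + b"\x00extra"),
    "approved_copy_in_downloads": Candidate(  # approved bytes, untrusted location
        "C:\\Users\\alice\\Downloads\\updater.exe", KNOWN_GOOD["updater.exe"]),
    "unknown_in_downloads": Candidate(
        "C:\\Users\\alice\\Downloads\\setup.exe", b"MZ\x90\x00 constructed unknown"),
}


def evaluate_all() -> dict:
    """Map each candidate name to its path, hash and combined decisions."""
    return {name: decide(c) for name, c in CANDIDATES.items()}


if __name__ == "__main__":
    for name, r in evaluate_all().items():
        print(f"{name:28s} path={r['path']!s:5} hash={r['hash']!s:5} combined={r['combined']}")
```

The path rule passes the modified binary because it only looks at location, and the hash rule passes the approved bytes wherever they sit; requiring both is the stricter policy, at the cost of re-approving every legitimate update, which is the maintenance burden the guide’s readers have to plan for.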


US – Federal Judge Rules NSA Program Illegal; Transition Will Happen

A federal judge has ruled that the NSA bulk collection of U.S. citizens’ phone records is illegal. The impact of the ruling, however, will be limited because the USA FREEDOM Act, which mandates a change to the NSA program, takes effect on November 29. U.S. District Court Judge Richard Leon sided with legal activist Larry Klayman, stating, “This court simply cannot, and will not, allow the government to trump the Constitution merely because it suits the exigencies of the moment.” Meanwhile, in a memo sent to relevant committees in the U.S. Congress, the NSA stated that it “has successfully developed a technical architecture to support the new program” in time for the November 29 deadline. [The Wall Street Journal] [The Hill] [Wired] [DC Judge Richard Leon’s opinion] [The Register] SEE ALSO: [James R. Clapper, Director of National Intelligence v. Amnesty International USA – Appeal – Supreme Court of the United States]

WW – Inaudible Sounds Being Used to Track Users Across Multiple Devices

High-frequency sounds are being used to track people’s behavior across multiple devices. The sounds, which are inaudible to humans, are embedded in television commercials and online advertisements. Tablets and smartphones detect the sounds. The US Federal Trade Commission (FTC) held a Cross-Device Tracking workshop on Monday, November 16, to address the issue. [Ars Technica] [FTC.gov]

US – Immigrant Ankle Bracelets Unwelcome

After a federal ruling found President Obama’s detention of undocumented immigrants to be illegal, the solution was to release the detainees and keep tabs on them via ankle bracelets, a choice that detractors argue is “not only stigmatizing, but also unnecessary.” While the government maintains that the monitors are “an economical alternative to detention,” those who wear the bracelet see it less of a cheap fix and more of an unwelcome Big Brother. “It’s like they make us free, but not totally free,” said Grace, an immigrant forced to wear the monitor. “It’s the same psychological game as detention. They aren’t freeing us totally. It’s, ‘If you break a rule, if you don’t tell us you’re leaving, we’ll put you in detention again.’” [The New York Times]

US – Biggest Breach of Attorney-Client Privilege in U.S. History?

The Intercept revealed it has received a massive trove of phone recordings from prisons and jails across the U.S. Obtained anonymously from a hacker via SecureDrop, the materials comprise more than 70 million records of phone calls and links to recorded conversations, placed by inmates to at least 37 states between December 2011 and ending in the Spring of 2014. The data was taken from the country’s leading provider of prison phone services, Securus Technologies. Highlighted in the breached material are approximately 14,000 recorded conversations between inmates and their attorneys, “a strong indication that at least some of the recordings are likely … privileged legal communications,” the report states. “This may be the most massive breach of the attorney-client privilege in modern U.S. history,” said ACLU National Prison Project Director David Fathi. [Full Story]

Telecom / TV

US – Vizio Sued Over Smart TV Data Collection, Sharing

A class-action lawsuit has been filed against Vizio “alleging that its use of data from smart TVs violates both federal and California state law.” The suit alleges Vizio doesn’t sufficiently protect the data it collects and shares via users’ smart TVs, in violation of the Video Privacy Protection Act. The suit also claims the company misled users about the way in which the collected data would be used. The suit follows news a hacker was able to gain access to a user’s home network via a Vizio smart TV. Vizio has not yet commented on the suit. [Consumer Reports]

US – TV, IP Address Tracking Product Raises Privacy Concerns

A report from ProPublica raised privacy concerns about television maker Vizio’s consumer-tracking policies, including its ability to track viewing habits and share such data with third parties to gain a larger picture of what those consumers do on their mobile devices. Vizio’s “Smart Interactivity Program” is the default for approximately 10 million users and combines viewing behavior with the user’s IP address. A Vizio spokesperson said that the company’s mining program is part of a “revolutionary shift across all screens that brings measurability, relevancy and personalization to the consumer like never before.” The company also said it shares “aggregate, anonymized data” with third parties to “make better-informed decisions” about content and advertising, the report states. [The Washington Post]

US Legislation

US – Bill Pushes for Auto Cybersecurity Frameworks

Rep. Ted Lieu (D-CA) introduced the Security and Privacy in Your Car Study Act of 2015, a bipartisan bill that would mandate the National Highway Safety Transportation Administration conduct a study to help determine “framework recommendations for vehicle cybersecurity” over the course of a year. “Americans have a right to drive cars that are safe and protected from hackers. Frankly, without adequate protections, a hacker could turn a car into a weapon,” Lieu said. The act “is a first step in bringing industry, advocates and government together to strike a balance between innovation and consumer protection to ensure that car navigation, entertainment and operating systems are safe and the data gleaned from such systems kept private.” [Fed Scoop] See also: [Ford: Car Data is “Your Data”]

US – Insurance Company Releases Data-Collecting Driving App

In 2014, Allstate Insurance developed a usage-based insurance program to collect data on users’ driving behaviors. Allstate says 820,000 customers participate in “Drivewise,” and it has now launched Drivewise Mobile, which collects the same kind of information—braking, speed, etc.—making it the first major insurer to collect such data through a smartphone app. Allstate’s Ginger Purgatorio, vice president of the Drivewise program, says while the company had to deal with privacy concerns on data collection, customers are now accustomed to companies collecting their data if it means a benefit to them. “They’re willing to provide information to get that value,” she said. [CSO Online]

US – Franken Reintroduces Ban on Stalking Apps

Citing a Good Morning America report on “apps that can secretly track your every move,” Sen. Al Franken (D-MN) has said he will reintroduce a bill that would ban stalking apps. “My commonsense bill will help a whole range of people,” he said in a statement, “including survivors of domestic violence.” The Location Privacy Protection Act would require apps to obtain consumer permission before collecting location data and would require consent before location data is shared with a third party. [Broadcasting & Cable]

US – Other Legislative News

A Florida legislator has proposed a new law that would provide recourse for victims of drone accidents, allowing them “to recover costs from the owner and operator of a drone if the device ‘was a substantial contributing factor’ in causing the damage.”

The U.S. House Energy and Commerce Health Subcommittee has advanced a mental health reform bill that would alter HIPAA to allow “caregivers and family members to have more information about a mentally ill person’s care.”

U.S. Rep. Jan Schakowsky (D-IL) has submitted a bill to create federal data security standards in hopes that the recent U.S.-EU Safe Harbor invalidation “will spur Congress to action.”

Florida lawmakers have submitted a new batch of privacy legislation that would create exemptions to public records law, “ranging from topics involving substance abuse to cell-phone tracking.”

Maine’s drone privacy law has been in effect for a month.


