14-20 December 2015


CA – OPC Warns of ‘Sea Change’ in Privacy Rights in Canada

Federal Privacy Commissioner Daniel Therrien issued his 2014-2015 Annual Report on the Privacy Act, titled “Protecting Personal Information and Public Trust”. In his annual report, Therrien looked at three pieces of legislation and concluded that “taken together, these initiatives have resulted in what can only be described as a sea change for privacy rights in Canada.” The first, C-44, allows Canadian spies to operate abroad and gives them more ability to obtain information without disclosing its origins; the second, C-13, creates new legal authority for police and public servants to obtain Canadians’ personal data without a warrant; and the third, C-51, is the anti-terrorism legislation that opens the door to wide new intelligence gathering and sharing. The Liberals have said they will change aspects of C-51, but have said little about the other two pieces of legislation. [Vice] [Privacy czar sees middle ground in fight over access to Internet customer info] See also: [No to surveillance: Unions push Liberals to repeal Bill C-51] [Federal government needs to do more to guard against breaches and privacy violations] [Record high number of federal data breaches, says Canada’s privacy commissioner] [Federal departments reported 256 data breaches in 2014-15] [Privacy watchdog urges Liberals to open ‘exhaustive debate’ on Bill C-51] [Privacy czar urges ‘open debate’ as Trudeau government rethinks terror law]

CA – Supreme Court to Weigh in on the Solicitor-Client Privilege Dispute Between Courts, Privacy Commissioners

As outlined in the April 2015 Blakes Bulletin: Privilege Rules: Solicitor-Client Privilege Held Sacrosanct by Alberta Court of Appeal, the Supreme Court of Canada (SCC) has granted leave to appeal (on October 29, 2015) the Alberta Court of Appeal’s decision in University of Calgary v. JR, where the Alberta Court of Appeal held that Alberta’s Office of the Information and Privacy Commissioner (OIPC) does not have the statutory authority under the Freedom of Information and Protection of Privacy Act (FOIPPA) to order a public body to produce records over which it has asserted solicitor-client privilege. [Blake, Cassels & Graydon LLP, mondaq.com] See also: [Making Private Information Public: The Continued Expansion of Privacy Class Action Liability] [Canadian Businesses Increasingly Face Privacy Breach Class Actions Absent Traditional Forms of Damages]

CA – Nova Scotia Cyberbullying Law Declared Unconstitutional

The Supreme Court of Nova Scotia has declared the province’s cyberbullying law to be unconstitutional, from start to finish. It was passed unanimously by the Nova Scotia legislature in the immediate aftermath of the death of Rehtaeh Parsons. The government of the day – which was heading for an election – was not willing to throw the police and the prosecution service under the bus for no charges being laid, so instead created the appearance of doing something by creating and passing a very poorly executed law. In the process, they trampled on the Charter rights of all Nova Scotians and created a distraction from the important discussion about sexual assault and consent. [Privacy Lawyer] See also: [The “New York Times Magazine” has a good story about swatting, centering around a Canadian teenager who did it over a hundred times]


WW – People are Info-Egoists When It Comes to their Privacy: Study

People are much more concerned about sharing their own private information with third-party app developers than they are about revealing their friends’ data, according to Penn State researchers. However, as social media makes data increasingly interconnected, preserving one’s own privacy while ignoring the privacy rights of others may make everybody’s data more vulnerable. “The problem is becoming known as interdependent privacy. The privacy of individual consumers does not only depend on their own decisions, but is also affected by the actions of others.” [Phys.org] See also: [ComputerWeekly: UK BCS Launches Consultation on Personal Data Exploitation]


CA – B.C. Government Must Strengthen Records Management, Says Report

A report into records mismanagement by the B.C. government has made several sweeping recommendations in advance of legislation that will come into effect next year. In October, B.C. privacy commissioner Elizabeth Denham published a report finding that the provincial government inappropriately deleted emails. The government then appointed former B.C. privacy commissioner David Loukidelis to produce a follow-up report providing detailed recommendations on how it should manage records and handle freedom of information requests. The report was tabled on December 16th. Loukidelis called for reforms within the Ministry’s Information Access Operations (IAO), which is a central body within the B.C. government that processes freedom of information requests to its ministries. This body took over the processing of requests when the government shifted to a centralized model in 2009. In particular, the IAO should be on the lookout for situations where the government cannot meet the standard expected of it, the report suggested. [IT World Canada] [Times Colonist: Make Openness the First Default: Premier Clark said the government accepts all the recommendations]

US – Retailers Improve Unsubscribe Practices, Allowing Consumers to Opt Out

The Online Trust Alliance (OTA), the non-profit with the mission to enhance online trust, revealed today results of its second annual OTA Email Unsubscribe Audit, analyzing which leading e-commerce sites are enabling consumers to easily opt out of email. OTA reported that 75% of the top 200 online retailers (according to the Internet Retailer Top 500 list) have moved beyond basic compliance, demonstrating a commitment to user empowerment and control of their inboxes. These companies have been named to the 2015 Unsubscribe Honor Roll, recognizing excellence in marketing practices. Companies achieved this distinction by scoring 80% or higher on a weighted blend of 12 best practice criteria related to the unsubscribe process and results. Merchants also improved significantly in their honoring of unsubscribe requests. In 2014, 10% of those audited failed to honor unsubscribe requests, while in 2015 the failure rate was less than 2%. Download The Report


EU – Paris Terrorists Used No Encryption at All

In the wake of the Paris attacks, intelligence officials and sympathizers upset by the Edward Snowden leaks and the spread of encrypted communications have tried to blame Snowden for the terrorists’ ability to keep their plans secret from law enforcement. Yet news emerging from Paris – as well as evidence from a Belgian ISIS raid in January – suggests that the ISIS terror networks involved were communicating in the clear, and that the data on their smartphones was not encrypted. [The Intercept] [TechDirt] [ArsTechnica] See also: [Paris attacks blamed on strong cryptography and Edward Snowden] and also: [FBI head: Social media becoming weapon for terrorists (and new word on the San Bernardino shooters)] and [Apple CEO defends privacy, encryption amidst terrorist concerns] [Rolling Stone Magazine: Edward Snowden: Clinton’s Call for a ‘Manhattan-Like Project’ Is Terrifying]

EU Developments

EU – EU Officials Reach Agreement on Text of New Privacy Law

After nearly four years of haggling and lobbying, negotiators agreed on a final text of the EU-wide bill, which will replace a patchwork of 28 different sets of national privacy laws, and boost the bloc’s paltry privacy penalties to potentially billions of euros, EU officials said. Under the agreed text, fines would rise to a maximum of 4% of a company’s world-wide revenue. The text, which must be definitively approved by the European Parliament and EU governments before going into effect in two years’ time, is expected to tighten rules for getting online consent and create new responsibilities for cloud-services companies. It is also expected to tightly restrict how analytics and advertising companies can re-use data harvested from individuals, for example after they purchased a product or signed up for a service. The agreement on the law kicks off a new phase of fighting between regulators and companies over how to best tackle the vast amount of personal information that individuals generate when they do anything from visiting a website to walking past a Wi-Fi hot spot. [Wall Street Journal] [Council of the European Union – Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) – Final Text | Press Release] [EU Data Protection Deal Confirmed: Overview, Next Steps] See also: [The Transatlantic Data War: Europe Fights Back Against the NSA ]

EU – Article 29 Working Party Calls for EU Police Directive to Prohibit Mass Data Transfers to Third Countries

The Article 29 Data Protection Working Party (the “Working Party”) issued its opinion on the EU Police Directive. Massive, repeated and structured transfers of personal data to third-country authorities should be prohibited; exceptions should be justified and limited to what is strictly necessary. There should be a general obligation to notify a data breach to the DPA, and notification to data subjects should be differentiated by their category (e.g. victims, witnesses, etc.). [Opinion 03/2015 on the draft directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data – Working Paper 233]

UK – Committee Seeks Input on Draft Investigatory Powers Bill

The Joint Committee on the Draft Investigatory Powers Bill was appointed by the two Houses of Parliament in the UK to explore key issues raised by the proposed legislation. The committee sought input from “interested individuals and organisations.” Written evidence will be accepted through December 21, 2015. [BCS] [UK Parliament] [Police could hack any device, even toys, under UK surveillance draft bill] [Written Evidence Regarding Investigatory Powers Bill – Andrews & Arnold Ltd and FireBrick Ltd: Investigatory Powers Bill Overstates Usefulness of Internet Connection Records]

Facts & Stats

US – More Than 11 Million Victims of Healthcare Breaches in 2015

The U.S. Department of Health and Human Services found that 55 healthcare organizations were the victims of breaches and hacks in 2015, with a total of 11,802,842 affected individuals. “The sheer amount of victims shows that the healthcare industry needs to step up its security game,” the report states. “If the healthcare industry doesn’t want to become the first one to have the dubious distinction of having a fatal victim, and doesn’t want to keep losing private data, it better start taking security seriously. The numbers don’t lie,” it continues. [Motherboard] See also: [University Pays $750,000 Penalty for Security Breach and Failure to Conduct Risk Assessment of e-PHI: HHS – Resolution Agreement – University of Washington] [Modern Healthcare]


EU – Germany: Web Giants Pledge to Delete Hate Speech in 24 Hours

Facebook, Google and Twitter have agreed to delete hate speech deemed illegal in Germany within 24 hours. The move follows pressure from German authorities concerned about the increasing volume of racist abuse being posted on social networking sites. [AP] [German Supreme Court rules in favor of blocking websites]

CN – China Seeks Internet Regulation; Activists Warn of Threat to Speech

Chinese President Xi Jinping called for governments to cooperate in regulating Internet use, stepping up efforts to promote controls that activists complain stifle free expression. Xi’s government operates extensive Internet monitoring and censorship and has tightened controls since he came to power in 2013. [USNews] See also: [The Star: China Prepares to Rank Its Citizens — One By One]

Health / Medical

EU – Digital Health Plans Will Give Patients Online Access and Control Over Medical Records

NHS patients in Wales will be able to access their medical records online, supplement that information and share it with others under plans announced by the Welsh government. The Welsh government said people in Wales will “routinely use digital apps, wearable devices and other online resources to be well-informed and active participants in their care” under its plans. They will also be able to book appointments and order repeat prescriptions via online systems as well as “use the internet, email and video conferencing to connect with clinicians and care professionals in a way that suits them”. The Welsh government said that technology would also be used to ensure patients receive digital prompts, such as reminders about forthcoming appointments or to take medication or exercise. [Source] See also: [The price of wearable craze: Personal health data hacks: Your personal health information is about 10 times more valuable than a stolen credit card number on the black market]

US – Non-Healthcare Companies Have Exposed PHI in Breaches: Study

According to a study from Verizon, nearly 20% of breaches involving healthcare information are not detected for at least one year. This is due in part to the fact that some organizations outside the healthcare sector are unaware that they have healthcare data stored in their systems. 20% of health record breaches involved privilege abuse. [Dark Reading] [The Register]

WW – Healthcare Pros Lack Confidence in Sharing Anonymized Data: Study

A Privacy Analytics and Electronic Health Information Laboratory survey of 271 healthcare professionals found that many organizations that share health data for “secondary purposes” are unsure that the data they are sharing is adequately anonymized, yet 56% are still planning to increase their 2016 sharing, Health Data Management reports. “The question is what is acceptable risk and how do you manage it,” said Privacy Analytics CEO Khaled El Emam. “We’ve seen some very large and complex data sets. And, to de-identify that, you really need some sophisticated techniques. There are good practices for de-identification and there are poor practices for de-identification,” he continued. [Health Data Management] See also: [New Guidance, Processes for De-Identifying Healthcare Data]

Horror Stories

WW – MacKeeper Exposes Personal Data of 13 Million Users

The company that makes MacKeeper has acknowledged a breach that exposed usernames, passwords, and other data for 13 million customers. Someone found the data while “searching for database servers that require no authentication and are open to external connections.” That person notified MacKeeper maker Kromtech; the company quickly blocked public access to the databases. [Krebs] [CNET]

Identity Issues

WW – Community Support FYI: Improving the Names Process on Facebook

Facebook will begin to test new tools that address two key goals. First, they want to reduce the number of people who are asked to verify their name on Facebook when they are already using the name people know them by. Second, they want to make it easier for people to confirm their name if necessary. These tools have been built based on many conversations with community leaders and safety organizations around the world. [Source]

Law Enforcement

CA – The Cellphone Spyware the Police Don’t Want to Acknowledge

The RCMP and the OPP have both declined to tell the Star if they use International Mobile Subscriber Identity (IMSI) catchers – also known as “stingrays” – because they say giving out that information could interfere with their investigations. Stingrays electronically mimic cellphone towers, and trick cellphones within their range into connecting to them. Once a phone makes the connection, the stingray can grab data from it – including phone numbers, texts, phone calls and websites visited – in real time. Ontario Privacy Commissioner Brian Beamish said the technology, which has a range of several kilometres, casts a wide net that doesn’t distinguish between suspects in criminal cases and ordinary citizens. “It’s potentially so intrusive in terms of the amount of information it can gather, not only about a target but about other people as well, people that aren’t under suspicion,” Beamish said. [Source]

Privacy (US)

US – Congress Passes the Cybersecurity Act of 2015

The Cybersecurity Act of 2015 (the “Act”) was passed by Congress this week as part of the 2016 omnibus spending package. The Act is very similar to the Cybersecurity Information Sharing Act (“CISA,” S. 754), which passed the Senate on October 27 and was the subject of a previous analysis, although there are some important differences which we highlight below. If enacted into law by the President as part of the spending package, the Act would, among other things, establish a voluntary framework for the sharing of cybersecurity threat information between and among the federal government, state governments, and private entities. [Overview at Inside Privacy]


US – NIST Outlines Methods for Protecting Data from Cyber Attacks

The threat of ransomware is one of three example scenarios highlighted in a recent white paper released by the National Institute of Standards and Technology (NIST), titled Data Integrity: Reducing the Impact of an Attack. The paper launches a joint project led by the National Cybersecurity Center of Excellence (NCCoE), with participation by the Financial Services Information Sharing and Analysis Center (FS-ISAC) and several private sector organizations. [HLDA]

US – False Sense of Confidence Over Data Security: Report

Overall, the report finds that many retailers have a false sense of confidence when it comes to protecting their organization’s – and consumers’ – sensitive data. A majority of retailers indicated they believe they are doing a good job with IT security efforts, but the study shows “gaping holes in their security programs such as sharing login credentials among multiple employees and not knowing if sensitive data is being leaked.” [Source]


EU – Few Time Limits on Deployments of CCTV Systems: Study

Video surveillance, first introduced in France, Italy and the UK by the private sector, is heavily used by law enforcement for security purposes; there are few limits on how long such systems may be deployed – 5 years in France (renewable for 4-month periods if there is a risk of terrorism), and no time limit in Italy or the UK. [The Use of Surveillance Technologies for the Prevention Investigation and Prosecution of Serious Crime – Céline C. Cocq and Francesca Galli, European University Institute]

UK – UK Spy Agency Admits Hacking Phones and Computers Without Warrants

GCHQ admitted for the first time in court that it engages in computer hacking. Previously it had refused to confirm or deny whether it had such capabilities. In 2013, 20% of GCHQ intelligence reports were based on information from hacking, the tribunal heard. That proportion is likely to have increased since then, as the use of encryption has made it more difficult to listen in on communications. Ben Jaffey, counsel for Privacy International, told the IPT, “GCHQ undertakes ‘persistent’ CNE operations where an implant ‘resides’ in a targeted computer for an extended period to transmit information or ‘non-persistent operations’ where an implant expires at the end of a user’s internet session.” [Source]

US – Make Sure Santa Registers Your Drone, FAA Warns

The Federal Aviation Administration (FAA) announced that new drones must be properly registered with a registration number visibly marked before they take to the skies. “Registration provides us with an opportunity to educate unmanned aircraft users about how to operate safely,” said FAA Deputy Administrator Michael Whitaker. “It will also create accountability, so when a drone is located that has been flying improperly we’ll be able to locate the owner,” he said. “There’s nothing that would require an enforcement action if we just get someone to do what they’re supposed to do.” [Washington Post] See also: [I Read the FAA’s 211 Page Drone Registration Regulation So You Don’t Have to] and [Privacy Nightmare: Own a Drone? FAA Wants Your Credit Card Number] and [FAA Finally Admits Names and Home Addresses In Drone Registry Will Be Publicly Available]

Telecom / TV

CA – CRTC Executes First Inspection Warrant for Suspected Violations of the Unsolicited Telecommunications Rules

The CRTC has executed its first warrant in relation to a telemarketing investigation, which allows it to enter and inspect a property in Ontario; the company is alleged to be making unauthorized calls to Canadians for the purpose of selling anti-virus software to numbers registered on the National Do Not Call List. [Canadian Radio-television and Telecommunications Commission – CRTC Executes First Inspection Warrant as Part of Telemarketing Investigation]

US Government Programs

WW – ISIS Releases PII of Government Officials; DHS Screening Scrutinized

Supporters of the Islamic State (ISIS) have allegedly released the personal information of several U.S. and French officials, CSM Passcode reports. Though not yet verified by the U.S. government, Twitter accounts tied to ISIS released the home addresses of some ex-State Department and CIA officials, as well as names and emails tied to officials from the French Ministry of Defense. Meanwhile, the State Department said, “obviously things went wrong” in the visa background checks of suspected San Bernardino shooter, Tashfeen Malik. At issue is a secret policy of the Department of Homeland Security that prevents officials from checking applicants’ social media postings as part of the screening process. According to the report, Obama administration officials had implemented the program out of fear of a civil liberties backlash. [CS Monitor]

US Legislation

US – CISA Buried in Omnibus Bill

A version of the Cybersecurity Information Sharing Act (CISA) with most privacy protections eliminated has been incorporated into the omnibus bill, which is likely to pass as the bill comprises a large portion of funding for the federal government. As currently amended, CISA no longer requires companies to anonymize data they turn over to the government, and it broadens the scope of purposes for which the government may use the data. [WIRED] [The Register] [TechDirt] See also: [Congress Adds ‘CISA’ To ‘Omnibus’ Budget Bill, Up To President Obama To Veto] [Ryan Urged to Leave Cyber Threat Sharing Bill Out of Omnibus] [OmniCISA Pits DHS Against the FCC and FTC on User Privacy] [Government privacy watchdog set to lose power to examine covert action]

US – “Do Not Track” Bill Lets Consumers Just Say No to Online Tracking

Sens. Richard Blumenthal (CT) and Ed Markey (MA) introduced the Do Not Track Online Act of 2015 [PDF], which would direct the FTC to create new regulations “regarding the collection and use of personal information obtained by tracking the online activity of an individual.” If the bill passes, the FTC would have a year to establish standards for implementing a simple and easy-to-use Do Not Track mechanism for consumers to indicate that their personal information should not be collected while surfing the web. The FTC would also create a rule prohibiting providers from collecting the personal information of individuals who have used the Do Not Track mechanism. [Source]
