16-31 January 2016



US – Facial Recognition Systems Coming to All American Airports

After a favorable test run at the Washington Dulles International Airport in 2015, the Department of Homeland Security announced that it would be implementing facial recognition technology in all American airports of entry for foreign visitors and U.S. citizens. The “incremental” implementation will begin at the John F. Kennedy International Airport in New York City by the end of the month. While the DHS’s privacy impact assessment says the system won’t store the photos if “they do not result in an enforcement or administrative action,” privacy advocates such as the ACLU argue that this could be the first small step toward increased surveillance. [Fedscoop]

Big Data

WW – Big Data Report Roundup

The past two years have brought continuous policy discussion around the benefits and challenges that accompany the growing use of big data analytics. The White House and the FTC released reports on big data and data brokers in early 2014. Since then, policymakers and wonks of all stripes have weighed in on the subject, frequently highlighting one of the most contentious topics raised by these studies: how to ensure that the increase in automated decision-making does not result in unfair, unethical, or discriminatory effects for consumers. Early in these conversations, a coalition led by the Leadership Conference for Civil Rights released a set of civil rights principles for the era of big data that established broad guidelines for avoiding a discriminatory impact from the use of big data. Washington white papers naturally followed: the Future of Privacy Forum partnered with the Anti-Defamation League to produce a report on using big data to fight discrimination and empower groups; Upturn wrote a report on the intersection of big data and civil rights; the President’s Council of Economic Advisors wrote about differential pricing; and the White House has promised a report on the implications of big data technologies for civil rights. Several groups have convened on the topic, including an FTC workshop, which resulted in a report on the use of big data for inclusion and exclusion.

WW – Poll Finds Dismal European Big Data Attitudes

A new study conducted for Vodafone’s Institute for Society and Communications found that of 8,000 respondents, “just under a third” felt there were significant advantages to big data, while “barely more than a quarter” trusted companies to respect their privacy and their data. The findings were described as an “indictment of current European data protection practices.” [Fortune] See also: [No new ‘competition rulebook’ necessary for big data age, says EU commissioner] and [The Imperative for Ethical Standards in Analytics]


CA – Privacy Commissioners Issue Joint Resolution on Information Sharing

Canada’s Information and Privacy Commissioners have issued a joint resolution to all levels of government relating to information sharing initiatives. All levels of government are urged to be open and transparent about the implementation of information sharing initiatives, including what information will be collected, shared and disclosed; processes should be in place for individuals to request and correct their personal information, for staff to receive regular and ongoing training on relevant policies and procedures, and for privacy impact assessments to be used before these initiatives are implemented. [OPC Canada – Protecting and Promoting Canadians’ Privacy and Access Rights in Information Sharing Initiatives] [Press Release] [Resolution] [priv.gc.ca] [Parliament Should be Wary of Warrantless Access – Privacy Commission – Toronto Star]

CA – Canada’s Spy Agencies Broke Surveillance Laws, Watchdogs Reveal

A new report reveals that the Communications Security Establishment (CSE) has unlawfully shared data with foreign allies, while a report on CSIS made public the same day said CSIS has been neglecting to tell the judges who authorize its surveillance operations that it is retaining elements of communications intercepts it was ordered to destroy. The reports from the watchdogs for CSE and CSIS centred on “metadata,” or the intercepted telecommunications trails reflected in phone logs and Internet protocol (IP) exchanges. Collecting and sharing such material can vastly expand intelligence-gathering operations. The legal issues this raises have been quietly debated over the past 15 years within Canada’s intelligence bureaucracy, but not in open courts or Parliament. [Globe&Mail] See also: [Watchdogs report lapses in CSIS, CSE intelligence practices] [CSIS Repeatedly Accessed CRA Taxpayer Info Without a Warrant] and [Think the Liberals will rein in the spy services? Don’t bet money on it] [Yahoo News: CSE Shut Down Data-Sharing, Post-Breach] [Canada’s Electronic Spy Agency Broke Privacy Law by Sharing Info: Watchdog]

CA – BC Privacy Breach a Failure of ‘Executive Leadership’

B.C. Information and Privacy Commissioner Elizabeth Denham said the Ministry of Education underestimated the potential fallout from misplacing a hard drive containing information about some 3.4 million school students. This week, Denham issued a report on the data breach finding that several B.C. education department workers contravened a series of security policy directives and protocols by transferring information from the ministry server onto mobile hard drives, one of which was then lost. Yukon Information and Privacy Commissioner McLeod-McKay, reacting to the B.C. report, said it’s clear that having good policies and procedures in place isn’t enough; there must also be good training and auditing of whether the policies are effective. [Source] [Yukon Privacy Commissioner in the Dark About Territory’s Response to Data Breach]

CA – Police Inspection of Laptop Infringed Charter: Ontario Court

Tyler Mayo filed a motion to suppress evidence, alleging a violation of his Charter of Rights and Freedoms during a search and seizure. The search of a suspicious laptop (potentially containing child pornography) infringed the Charter when the police opened one of the computer files with a suspicious name, viewed its contents and attempted to open a second file; the police should instead have allowed the computer technician to return to the directory where the suspicious file names could be in plain view. The infringement was modest: the police conducted only a limited search of the computer, which had been relinquished to a computer store, and a warrant for a further search was obtained. [R v Mayo – 2016 INSC 125 – CanLII]

CA – Police Search of Computer Overly Broad: Alberta Court

The Court of Queen’s Bench of Alberta considered whether search warrants complied with section 487 of the Criminal Code and section 8 of the Canadian Charter of Rights and Freedoms. Police failed to apply a date filter to the contents of the computer and storage devices being searched; exporting a decade of personal information (e.g. emails sent and received, photos, videos, complete internet browsing history and Skype exchanges) accumulated on and deleted from the devices was not justified, since a mirror image of the website that the search warrant pertained to had already been secured and a number of videos on the website had already been accessed. [HMQ v Mark Marek – 2016 ABQB 18 – Court of Queen’s Bench of Alberta]

CA – Another New Privacy Tort for Ontario

Last week saw a striking decision issued by the Ontario Superior Court of Justice. 2012 saw the tort of “intrusion upon seclusion” recognized; in 2016, we now have the tort of “public disclosure of private facts”. Unlike the 2012 decision, this one came with a large damage award. Conduct characterized as “revenge porn” clearly fits within the elements of this tort. Mr. Justice Stinson, having found that not one but two torts had been committed, could have stopped there. However, in concluding as he did, he recognized a new cause of action in Ontario: “public disclosure of private facts”. Mr. Justice Stinson modified the test articulated by Prosser, reflecting modern communication technology, to say “…if the matter publicized or the act of publication…” [Source] See also: [Experts praise court decision against man for posting explicit video of ex-girlfriend]

CA – Privacy Commissioner Launches Online Privacy Tool for Families

To mark international data privacy day, the Office of the Privacy Commissioner of Canada has launched “House Rules”—a new interactive tool for families aimed at helping parents manage the online risks facing their children. Parents are invited to use the tool to assess how their children interact online through games, mobile applications and social networking sites as a means of starting a dialogue on safe and responsible surfing. The tool offers simple tips parents and children can customize into their very own “House Rules” that can be printed off and posted in a common area as a reminder of how to protect privacy online. The Office of the Privacy Commissioner of Canada is also unveiling a new tip sheet for individuals to help all Canadians become more familiar with the basics of privacy protection. [Source]


US – Americans Express “Loss of Control” Over Their Data: Study

A study on American privacy perspectives found that 91% of Americans feel as though they’ve “lost control” over their data, with 86% taking steps to protect their information online and 47% still unsure about the breadth of the data being collected about them, the Pew Research Center reports. “Americans express a consistent lack of confidence about the security of everyday communication channels and the organizations that control them — particularly when it comes to the use of online tools, and they exhibited a deep lack of faith in organizations of all kinds, public or private, in protecting the personal information they collect.” Attitudes about surveillance, however, are split, with 52% expressing high levels of concern about the practice, while 46% identified as “not very concerned.” [PEW Research]

US – More Americans Worried About Privacy than Income Loss: Report

A new report from the TRUSTe/National Cyber Security Alliance Consumer Privacy Index indicates more Americans are worried about their data privacy than losing their main source of income. The study indicates concerns over online privacy beat worries about income loss by 11%. The study also found that 56% of Americans say they “trust businesses with their personal information online,” the report states. “If you ask, ‘what does privacy mean for you?’ you’ll find that privacy is an individual thing, and it is different for every person.” [CBS News]

WW – Password List Illustrates User Annoyance and Tech Dead End

SplashData’s annual list of most common passwords found that, once again, “123456” is America’s most beloved digital key. However, this comical collection highlights both user frustration with password use and the technological sector’s current quest to replace it with something more sophisticated. Fingerprint authentication is one future avenue, but critics argue that the commonality of our fingerprints makes them easy to lift and nefariously employ. [The Washington Post]

WW – Study: Bitcoin Users Trust the Currency’s Promise of Privacy Too Much

A new bitcoin study conducted by Rutgers University found that bitcoin users overestimate its provision of anonymity. Bitcoin “transactions are recorded in a public ledger and are traceable with some effort.” “The users in the study trust the security and privacy mechanisms of Bitcoin more than they actually should.” The currency’s increased privacy, however, could give it an edge over physical money in the future. “What I personally like [about bitcoin use] is the anonymity,” said a study author. “You can’t track at all what I’m buying from the supermarket if I don’t use a loyalty card with my purchases when I pay in cash.” [Rutgers]


CA – Supreme Court Gears to Battle Ottawa Over IT Rules

The country’s highest court is ready to launch a legal battle with the federal government over new IT rules, which the Supreme Court of Canada fears would threaten its independence. The Supreme Court is not alone in these concerns: the Federal Court, Federal Court of Appeal, Court Martial Appeal Court and Tax Court are all prepared to launch a constitutional challenge against having the government’s super-IT department involved in their digital affairs. The federal Liberals are now left to decide how to handle an issue created by a decision of the previous Conservative government that came into effect during the federal election. That decision forced the courts to go through Shared Services Canada for all IT purchases, such as servers, routers and software, rather than letting them make the procurements on their own. The courts had that power until Sept. 1, when the new rules kicked in and made them a “mandatory client” of Shared Services Canada, which oversees purchases and digital services for 43 of the heaviest IT users in the federal government. The move approved by the Conservative cabinet in May 2015 was supposed to save money, since Shared Services Canada buys in bulk, and improve digital security, because it buys from safe suppliers. [Toronto Star]


US – Yahoo Enters Into Settlement Agreement for Alleged Email Scanning and Extraction Practices

Yahoo has accepted a settlement agreement over alleged e-mail scanning and extraction practices that violated the Stored Communications Act and California’s Invasion of Privacy Act. Yahoo must make technical changes so that all incoming and outgoing emails sent to and from users in the US are analyzed for advertising purposes only after the user can access the email in their inbox or sent folder; modifications to its website include a paragraph stating that all communications content is analyzed and stored, and that keywords, package tracking and product ID numbers are shared with third parties. [In Re Yahoo Mail Litigation – US District Court Northern District of California San Jose Division – Case No. 5-13-cv-04980-LHK] [Related News Article]

Electronic Records

US – Research Firms Team For Privacy Initiative

ESOMAR, an association for market research firms, announced on Data Privacy Day a new initiative by its members aimed at boosting “transparency and choice for online audience measurement research.” Headed up by comScore, GfK, Kantar, and Nielsen, the effort, dubbed Research Choices, will help consumers understand online data collection practices and facilitate access to different choice mechanisms across the Internet. Research firms interested in joining the effort must subscribe to the ESOMAR code of conduct, or equivalent ethical code. [IAPP Privacy Advisor]

US – Improper Employee Log-in Use Led to Californian Health Insurance Breach

21,000 Blue Shield of California members were affected by a breach caused by “the misuse of Blue Shield customer service representatives’ log-in information.” While the company’s data systems were left unsullied, everything from Social Security numbers to addresses “could” have been exposed between September and December 2015, the company told those affected. The company promised complimentary credit monitoring to victims. [FierceHealthPayer]


US – California Bill Prohibits the Sale of Encrypted Smartphones

Assembly Bill 1681, which would amend existing state law and the Business and Professions Code to prohibit the sale of encrypted smartphones, has been introduced. The bill requires that a smartphone manufactured on or after January 1, 2017, and sold or leased in California, must be capable of being decrypted and unlocked by its manufacturer or operating system provider; a $2,500 penalty would be imposed for each smartphone sold or leased in non-compliance with the decryption requirement. [Assembly Bill 1681 – An Act to add Section 22762 to the Business and Professions Code, Relating to Smartphones – California Assembly] See also: [BlackBerry says its encryption has not been “cracked” by police]

EU Developments

EU – Safe Harbor Deadline Passed: Agreement Reached

The deadline for the US and European Union negotiators to reach a new Safe Harbor data protection agreement satisfactory to both entities was January 31, 2016. The old arrangement was invalidated last fall after the EU Court of Justice found that it did not adequately protect the privacy of EU citizens. [The Hill] [ComputerWorld] [Ars Technica] The European Commission announced an agreement with the U.S. Department of Commerce to replace the invalidated Safe Harbor agreement on transatlantic data flows with a new EU-U.S. “Privacy Shield.” [Hogan Lovells: EU-U.S. Privacy Shield to Replace Safe Harbor]

WW – Law Firm Contends U.S., EU Privacy Protections Are Equal

According to Geoffrey Robertson QC, the October ECJ judgment that invalidated the “safe harbour” agreement was based on trusting news reports of revelations by Edward Snowden rather than a thorough investigation of US law. He added that the US had become more “privacy friendly” than Europe. He made the comments in an independent opinion commissioned by Facebook, which has been affected by the ECJ ruling. The social network is lobbying against the decision alongside other big technology groups. The barrister, who has represented WikiLeaks and media companies in free-speech cases, said: “It is intellectually dishonest at present to say we have any kind of protection in Europe against national security surveillance.” [FT.com]

The Sidley Austin report represents one of the most comprehensive rebuttals to suggestions that the European Court of Justice’s ruling in October on privacy opened an irreparable rupture for U.S. and EU commerce. The decision tossed out the widely used business data-transfer agreement on the grounds that Europeans’ privacy might not be adequately protected against U.S. national security surveillance. The Sidley Austin authors, based in the U.S. and EU, said that while the ECJ did invalidate the agreement, it did so because a test had not been done to establish equivalent privacy protections in the U.S., leaving the door open to a new agreement that is based on such a finding of equal privacy. [Source] [Take-up of cloud storage in Europe affected by privacy issues]

EU – Study Hints at How E-Privacy Directive Might be Reformed

The Commission wants to update the EU’s Privacy and Electronic Communications (e-Privacy) Directive and the recommendations made to it last summer suggest that wide-ranging changes are likely, including to rules on the use of cookies, direct digital marketing and on the processing of location data.

Telecoms bodies have called for the repeal of the e-Privacy regime, but the study suggests it will be expanded and will have an impact on many more businesses that communicate via digital channels than is currently the case. The Commission, which first outlined its intention to reform the e-Privacy Directive in 2014, has promised to consider the findings of the study. Proposals for reforms are scheduled to be introduced this year, with a consultation on the reforms likely to be opened in March, according to recent reports. [Out-Law]

EU – Independence of Data Protection Commissioner Questioned

The Irish High Court is being asked to make a referral to the EU’s highest court for a ruling on whether Ireland’s Data Protection Commissioner is truly independent under EU law. Legal papers served on the State and the Attorney General claim the State has acted in breach of EU law by failing to ensure the regulator exercises its role independently. The action is being taken by the privacy advocacy group Digital Rights Ireland (DRI), which took a successful case to the Court of Justice of the European Union in 2014 overturning the entire regime under which the telephone and internet data of over 500 million European citizens were retained for up to two years. The papers note that the office of the commissioner, Helen Dixon, is integrated with the Department of Justice and that the commissioner and all her office’s employees are civil servants. They also allege the commissioner has failed to act independently in policing databases of citizens created in recent years by both Irish Water and the Department of Education. The commissioner’s office is considered one of the most important regulatory roles in Europe because of the high number of multinational, data-rich firms based in Ireland, including Facebook, Apple and LinkedIn. It has come under repeated criticism from some EU sources for being “soft” on regulation, partly because of the number of jobs such firms support here. That allegation has been denied by the current commissioner and by her immediate predecessor Billy Hawkes. [Source]

Facts & Stats

US – Breach Costs Often Come Long After Incident Detection: Survey

According to a new study, the costs of data breaches go “far beyond the initial incident response and customer notification costs.” The SANS Institute survey found that “about one third of organizations are able to remediate breaches within a week of detection, and the greatest financial impact from breaches extended months and even years beyond the event for the majority of organizations.” The survey looked at how nearly 60 organizations coped with breaches and found more than 40% said the greatest impact from the breach was felt one to 12 months after the incident. Some of that was because of unforeseen required actions necessary for forensics or data recovery. [Dark Reading]

US – OTA Releases 2016 Data Protection & Breach Readiness Guide

91% of breaches are avoidable, according to the OTA. The best defense is implementing a broad set of operational and technical best practices that help protect your company and your customers’ personal data. The second step is to be prepared with a data lifecycle plan that allows a company to respond with immediacy. Ultimately, industry needs to understand that effectively handling a breach is a shared responsibility of every functional group within the organization. A key to success is moving from a compliance perspective to one of stewardship. This perspective recognizes the long-term impact to a brand, the importance of consumer trust, and the implications and considerations with vendors and business partners. The OTA Guide includes a risk assessment guide for service providers, checklists for cyber insurance, security best practices, incident reporting forms, remediation service checklists and more. [OTA Alliance] [Cyber Attackers Focusing on Targets With Most Valuable Data] [https://otalliance.org/Breach]


WW – Insurers Will Look for Evidence of Appropriate Cyber Defenses for Cyber Insurance Policies in 2016

Insurers who provide cyber insurance are not convinced enterprises are doing enough to protect their digital assets. A recent study from CSO outlines some major changes coming to cyber security insurance in 2016: Cyber insurance will move toward a “must have” and “evidence based” model with new minimum level requirements in place for policies. This is expected to disrupt the cyber security industry and place new challenges on IT workers. However, it is good news for customers because it drives improvements to companies’ ability to handle threats and protect customer information. (RSA)

WW – Survey: Half of IT Pros Don’t Know Where Their Payment Data is Stored

A recent study indicates a “critical need” for organizations to improve their payment data security practices. A study by Gemalto of more than 3,700 IT professionals found 54% said their companies had experienced a data breach involving payment data “an average of four times in the past two years,” and 55% said they don’t know where their payment data is stored. Meanwhile, researchers say they’ve found four vulnerabilities in Lenovo ShareIT, which they say could mean data leaks. [InformationAge]

CA – Disclosure of PI for Purposes of Debt Collection: How Far Can You Go?

The applicable federal private sector legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), allows the disclosure of personal information about an individual without their consent for the purpose of collecting a debt owed by the individual. However, based on the position reportedly taken by the Privacy Commissioner in this case, publicly posting private financial information of identifiable individuals does not fit within the ambit of the exception and the exception does not give a blanket permission to indiscriminately disclose a debtor’s personal information. [Lexology]


CA – Info Commissioners Call on Governments to Create a Duty to Document

Canada’s Information Commissioners have called on their respective governments to create a legislated duty requiring public entities to document matters related to their deliberations, actions and decisions.

In a joint resolution, information commissioners expressed concerns about the trend towards “no records” responses to access to information requests. This lack of records weakens Canadians’ right of access and the accountability framework that is the basis of Canada’s access to information laws. Without adequate records, public entities also compromise their ability to make evidence-based decisions, fulfill legal obligations, and preserve the historical record. Canada’s information commissioners have urged governments to create a positive duty for public servants and officials to create full and accurate records of their business activities. This duty must be accompanied by effective oversight and enforcement that ensures Canadians’ right of access to public records remains meaningful and effective. [Source]

CA – BC OIPC Rejects Third Party’s Assertion that Contract Information is Supplied and Subject to Exemption from Disclosure

This OIPC order reviews the decision of the Ministry of International Trade and Ministry Responsible for Asia Pacific Strategy and Multiculturalism not to withhold records requested under B.C.’s Freedom of Information and Protection of Privacy Act. The information does not meet the second part of the three-part test because it was negotiated rather than supplied to a government ministry; the disputed information contains the sort of detail about contractual arrangements that would have been susceptible to change through negotiation, and it is clear that an agreement was reached between the parties to amend certain obligations of an existing contract. [OIPC BC – Order FEW-71 – Ministry of International Trade and Ministry Responsible for Asia Pacific Strategy and Multiculturalism]

CA – The Northwest Territories’ Health-Specific Privacy Legislation In Effect

The Northwest Territories have enacted the Health Information Act, SNWT 2014, c 2 (HIA), which took effect on October 1, 2015. The HIA sets out rules for the collection, use and disclosure of personal health information; the Act is designed to protect health information and facilitate the provision of health services. Much like the health privacy statutes of other provinces, the HIA recognizes the sensitive nature of personal health information, which is frequently shared in the provision of health care and the management of our publicly funded health care system. Other Canadian provinces and territories have similar legislation, including Alberta, Saskatchewan, Manitoba, Ontario, Newfoundland and Labrador, New Brunswick, Nova Scotia, British Columbia and Quebec. Similar laws have also been passed in Prince Edward Island (Bill 42 – Health Information Act) and Yukon (Bill 61 – Health Information Privacy and Management Act), but have yet to be brought into force. [Lexology]

Health / Medical

US – Academy of Family Physicians Clarifies HIPAA Disclosure Amendments

The American Academy of Family Physicians clarifies the amendments to the HIPAA Privacy Rule. Covered entities can disclose the minimum necessary identifying information about individuals who have been involuntarily committed to a mental health institution, lack the mental capacity to manage their own affairs, or have been determined to be a danger to themselves or others; the Rule is not applicable to most health care professionals and diagnostic or clinical information may not be disclosed. [Modified HIPAA Rule Allows Limited Reporting of Patient Information – American Academy of Family Physicians]

US – Health Care Entities Unite for Privacy’s Sake

In an effort to curb cyberattacks, privacy gaffes and HIPAA breaches, the Electronic Healthcare Network Accreditation Commission and the National Health Information Sharing and Analysis Center have become allies, with plans to initiate blended teams to analyze threats, present research, and plan education events. “We are our own worst enemy, and if we don’t come together and share information, the bad guys are sharing information, and shame on us,” said the NH-ISAC president. “The collaboration is significant, because there’s growing need for healthcare organizations to share threat level data,” the report adds. “This information has been ineffectively shared in the past because of competitive pressures and the disjointed nature of the industry.” [HealthData Management]

US – HIPAA Modified in Light of President Obama’s Executive Order

The U.S. Department of Health and Human Services’ Office of Civil Rights updated HIPAA in accordance with President Obama’s executive order regarding firearms. Entities under the HIPAA umbrella will be able to provide the National Instant Criminal Background Check System with the identities of individuals with a “mental health prohibitor” that would prevent them from “transporting, possessing or receiving a firearm,” starting Feb. 5 of this year. The revision “does not apply to most health care providers, allows only limited demographic and certain other information needed for the purposes of reporting to the background check system, and specifically prohibits the disclosure of diagnostic or clinical information from medical records or other sources.” [National Law Review]

US – FDA Issues Medical Device Cybersecurity Draft Guidance

The US Food and Drug Administration (FDA) has issued draft guidance, “Postmarket Management of Cybersecurity in Medical Devices,” for device manufacturers. In October 2014, the FDA issued guidance for medical device manufacturers regarding building cybersecurity into their product from the beginning of the development process. [News-Medical] [GovInfoSecurity] [January 2016 Draft Guidance] [October 2014 Guidance]

Horror Stories

US – LinkedIn’s Individual Payment in Data Loss Settlement Sets It Apart

Class counsel has dubbed the $13 million, $16-per-victim LinkedIn class-action settlement “particularly impressive” in comparison to the outcome of other cyber privacy suits due to the individual-by-individual payoff. More than 550,000 LinkedIn netizens reported that they were victims of the company’s misuse of contact information after it sent invitational emails to user connections. In addition to user payment, the settlement requires LinkedIn to improve and clarify its disclosure policy with regard to its “Add Connections” feature, among others. The arrangement is still awaiting final approval by California’s U.S. District Court Judge Lucy Koh. [Media Post]

Identity Issues

US – FTC: Tax Fraud Behind 47% Spike in ID Theft

In kicking off “Tax Identity Theft Awareness Week,” FTC released new stats showing that the agency received more than 490,000 identity theft complaints last year, a 47% increase over 2014. In a conference call with the news media, FTC Chairwoman Edith Ramirez called tax refund fraud “the largest and fastest growing ID theft category” that the commission tracks. [Source]

US – FTC Announces Significant Enhancements to IdentityTheft.gov

For the first time, identity theft victims can now go online and get a free, personalized identity theft recovery plan as a result of significant enhancements to the FTC’s IdentityTheft.gov website. The new one-stop website is integrated with the FTC’s consumer complaint system, allowing consumers who are victims of identity theft to rapidly file a complaint with the FTC and then get a personalized guide to recovery that helps streamline many of the steps involved. [FTC Press Release]

Intellectual Property

WW – Netflix Cracking Down On Proxy Users

Netflix says it’s going to crack down on customers using VPN software to access content that isn’t available or licensed in their country of origin. “Some members use proxies or ‘unblockers’ to access titles available outside their territory,” the company said in a statement. “In coming weeks, those members using proxies and unblockers will only be able to access the service in the country where they currently are.” The move is aimed at appeasing content producers’ licensing agreements with Netflix. [TechCrunch]

Internet / WWW

WW – Winners of FPF Best Privacy Papers Announced

The Future of Privacy Forum announced its choices for the best privacy research papers of 2015 at the Sixth Annual Privacy Papers for Policymakers. The winners were Florian Schaub, Rebecca Balebako, Adam L. Durity, and Lorrie Faith Cranor, for “A Design Space for Effective Privacy Notices”; Ira S. Rubinstein and Woodrow Hartzog’s “Anonymization and Risk”; Arvind Narayanan, Joanna Huey, and Edward W. Felten’s “A Precautionary Approach to Big Data Privacy”; Ryan Calo’s “Privacy and Markets: A Love Story,” and Neil Richards and Woodrow Hartzog’s “Taking Trust Seriously in Privacy Law.” Honorable mention went to Peter Swire for “Going Dark: Encryption, Technology, and the Balance Between Public Safety and Privacy” and Joel R. Reidenberg’s “The Transparent Citizen.” A summary of each of the winning papers can be found here. [FPF]

Law Enforcement

US – CDT Sides with ACLU on Unconstitutionality of Sex Offender Regulations

A Center for Democracy & Technology amicus brief for the Sixth Circuit’s Doe v. Snyder case supports the ACLU of Michigan’s assertion that the online registration regulations for former sex offenders are indeed a constitutional breach, the organization said in a statement. “The district court wrongly concluded that the identifiers requirement does not infringe registrants’ constitutionally protected right to engage in unidentified expression, because the law does not unmask their anonymity to the public. But the right to speak without identifying oneself or one’s content to the government is critical — particularly for engaging in expression that may be controversial or highly personal,” the statement reads, adding that the regulation does not set out any plans for protecting the collected data. “We urge the Sixth Circuit to hold Michigan’s ‘Internet identifiers’ requirement to that standard and declare it unconstitutional on its face,” the report continues. [CDT.org]


US – ALPR “Unprecedented Threat to Privacy”

Throughout the United States—outside private houses, apartment complexes, shopping centers, and businesses with large employee parking lots—a private corporation, Vigilant Solutions, is taking photos of cars and trucks with its vast network of unobtrusive. A private company has captured 2.2 billion photos of license plates in cities throughout America. It stores them in a database, tagged with the location where they were taken. And it is selling that data. [The Atlantic]

WW – Industry Group Issues Safeguards to Mitigate Privacy Risks Associated with Location Tracking

The International Working Group on Data Protection in Telecommunications issued a working paper on location tracking in mobile devices. Privacy risks of location tracking of mobile devices include covert collection of device-specific identifiers and the combination of tracking data with other online/offline information. Recommendations include conducting a PIA, notifying individuals, limiting the bounds of data collection, anonymising data without delay, appropriate retention of individual-level data, consent for combination with other information and for sharing of individually identifiable data with third parties, and implementing a simple and effective means to control collection. [Working Paper on Location Tracking from Communications of Mobile Devices]

Online Privacy

WW – Skype Now Hides Your Internet Address

Ne’er-do-wells have long abused a feature in Skype to glean the Internet address of other users. Indeed, many shady online services that can be hired to launch attacks aimed at knocking users offline bundle so-called “Skype resolvers” that let customers find a target’s last known location online. At long last, Microsoft says its latest version of Skype will hide user Internet addresses by default. [Krebs]

Privacy (US)

EU – Schrems Responds to US Lobby Groups on Safe Harbor

In a brief but clearly argued letter to European data protection authorities, Max Schrems writes that “attempts by lobby groups and the US government to ‘reinterpret’ or ‘overturn’ the clear judgement of the Union’s highest court are fundamentally flawed.” Schrems brought the successful case to the European Court of Justice that struck down the Safe Harbor arrangement. The Schrems letter, released on International Data Protection Day, also states that a new transfer agreement must provide “protection against government surveillance and “essentially equivalent” protection against the commercial use of data by certified companies.” Max Schrems received the 2013 EPIC Champion of Freedom Award.

US – Law Firm Argues US, EU Privacy Laws ‘Essentially Equivalent’

A recent report from a US law firm concludes that the US offers essentially equivalent privacy protection to Europe. The report also finds that “This body of laws ensures that government access to data for law-enforcement and intelligence purposes is limited to what is necessary and proportionate.” However, all travel records of Europeans are routinely transferred to the US Department of Homeland Security without any legal protection, and under Section 702 of the Patriot Act, the US government routinely obtains vast amounts of personal data on non-US persons, including communications logs and website activity. Executive Order 12333 provides even broader surveillance authorities. [Sidley Austin LLP: “Essentially Equivalent” (Jan. 2016)]

US – FTC Issues Privacy Update Report

The FTC announced the publication of its Privacy & Data Security Update 2015. The report aims to highlight the agency’s commitment to ensuring consumers are able to reap “the benefits of innovation in the marketplace, confident that their personal information — online and offline — is being handled responsibly,” citing a host of its 2015 initiatives, from the PrivacyCon event to its IdentityTheft.gov site, as evidence of meeting that goal. “Each of our projects in the privacy and data security arena has been informed by a central message: Even in the face of rapidly changing business models and technologies, companies still need to follow fundamental privacy principles.” [FTC]

US – Wyoming Legislature to Consider ‘Right to Privacy’

The Wyoming State Legislature will debate whether Wisconsin voters will vote on the addition of privacy as a citizen’s right in the state’s constitution. This will be the second attempt by privacy advocates to get the legislature to consider such an addition, after it was thrown out last year for imprecise language and confusing implications. This measure specifies that it “wouldn’t deprive people of the right to inspect public records or observe government operations” and has the support of the chief information officer for the State of Wyoming. According to the National Conference of State Legislatures, 10 other state constitutions already recognize citizens’ right to privacy. They are: Alaska, Arizona, California, Florida, Hawaii, Illinois, Louisiana, Montana, South Carolina and Washington. [ABC News]

US – ACLU Leads Privacy Charge In 16 States

Frustrated with the lack of federal leadership on privacy issues, the ACLU has orchestrated a rollout of state-level legislation that would work to make privacy regulations more sophisticated across 16 states. The ACLU has found allies in exasperated legislators as well. Regarding privacy issues, “our federal gov­ernment didn’t take the lead and should have taken the lead,” said Rep. Peter Lucido, R-Mich., adding, “But now it left us all to go ahead and fend for ourselves at the state level.” The bills cover everything from law enforcement surveillance to student and employee privacy rights. “This movement is about seiz­ing control over our lives,” said the ACLU’s Anthony Romero. “Everyone should be empowered to de­cide who has access to their personal information.” [The National Journal]

US – New York Bill Requires Mobile Devices to Have an Enabled Solution to Render the Device Permanently Inoperable

Senate Bill S.51, the Smartphone and Tablet Security Act, was introduced in the New York State Senate and referred to the Consumer Protection Committee. Owners of devices sold after January 1, 2016 must be able to disable voice communications, connections to the internet, and access and use of mobile software applications when the device is no longer in their possession; these features can be disabled by consumers after purchase (but not by retail sellers). [S.51 – The Smartphone and Tablet Security Act – New York Senate]

US – EPIC Gives 2016 Freedom Award to Viviane Reding

EPIC has presented the 2016 International Champion of Freedom Award to former EU Justice Minister Viviane Reding. Ms. Reding led the effort in the European Commission for adoption of the new European privacy law, the General Data Protection Regulation. The EPIC award was presented January 27, 2016, at the annual Computers, Privacy & Data Protection conference in Brussels. [EPIC]

US – How Facebook Tracks and Profits from Voters in a $10bn US Election

The Cruz campaign is using Facebook to target voters on issues ranging from broad ones like immigration controls to niche causes such as abolishing state laws against the sale of fireworks. Facebook told investors it was “excited about the targeting”, and does not let candidates track individual users. But it does now allow presidential campaigns to upload their massive email lists and voter files – which contain political habits, real names, home addresses and phone numbers – to the company’s advertising network. The company will then match real-life voters with their Facebook accounts, which follow individuals as they move across congressional districts and are filled with insightful data. The data is encrypted and not maintained by Facebook after ads run, the company said. Acxiom, a massive data broker based in Little Rock, Arkansas, helps campaigns upload the voter info. A campaign operative said the Texas senator has been using Facebook ads to raise money, among other things, and a Guardian analysis shows Cruz-affiliated donors are spending $10,000 per day on Facebook “placement” as the first vote nears. [The Guardian]

Privacy Enhancing Technologies (PETs)

UK – Government Rolls Out Massive Blockchain Report

In a major 88-page tome on Blockchain and distributed ledgers, the UK Government’s Chief Scientist sets out how this technology could transform the delivery of public services and boost productivity. The UK report states that Blockchain technology could provide government with new tools to reduce fraud, error and the cost of paper-intensive processes, and that it also has the potential to provide new ways of assuring ownership and provenance for goods and intellectual property. The report also includes a lengthy look at Estonia, which is already moving quickly to adopt distributed ledgers — the Estonian case study shows how quickly a small country with an effective digitally-aware leadership can progress, and the report considers the features of advancing digital nations. [Source] See also: [Privacy on the Blockchain: Exploring the Blockchain technology and its privacy potential]


WW – Study: Cybersecurity Fears Top Terrorism, Climate Worries

The World Economic Forum’s annual Global Risks Report named cybersecurity among its gravest industry threats, ranking higher than terrorism and climate change. This is the third time in a row that the issue has made the study. “As the Internet of Things leads to more connections between people and machines, cyber dependency — considered by survey respondents as the third most important global trend — will increase, raising the odds of a cyberattack with potential cascading effects across the cyber ecosystem.” [SC Magazine]

CA – Regulator Issues Vendor Risk Assessment and Cyberincident Checklist

The Investment Industry Regulatory Organization of Canada (“IIROC”) has issued a guide for vendor risk management for small and mid-sized Dealer Members. Assessing vendor risk requires a detailed response from vendors regarding their consideration of issues such as vendor controls, security architecture, information system configuration, access controls, security monitoring, physical security, contingency planning, and their business associates. [Vendor Risk Management – Investment Industry Regulatory Organization of Canada] A companion checklist covers incident handling: organizations should undertake activities before an incident (e.g. create a prioritized list of information assets critical to the functioning of the organization), during an incident (e.g. convene a teleconference to discuss what is required to restore operations), and after an incident (e.g. discuss any changes in process or technology needed to mitigate future incidents). [Cybersecurity Best Practices Guide – Investment Industry Regulatory Organization of Canada]

WW – Software Bugs Rampant in Home Wi-Fi Routers

Software bugs have proliferated in basic home Wi-Fi routers, and getting security patches out to users has proven difficult. In one example, a bug that was fixed by Allegro Software Development nearly 10 years ago was still found to exist in more than 10 million devices. It turns out that a router manufacturer had been including the pre-2002 version of Allegro’s software on new routers. “The router flaw highlights an enduring problem in computer security: Fixing bugs once they have been released into the world is sometimes difficult and often overlooked,” the report states. [Wall Street Journal]

Smart Cars

US – Auto Industry, DoT Agree on Cybersecurity Best Practices

The U.S. Department of Transportation and 17 automakers have reached an agreement designed to improve safety and increase the sharing of cyber-threat information. With regard to cybersecurity, the automakers — including General Motors, Ford, and Toyota — also agreed to suggest best practices, share lessons learned, and work with the info-sharing and analysis center created by the auto industry last year. The group released a list of “proactive safety principles” that aim to help the industry improve cybersecurity. The list includes plans to create an automotive industry Information Sharing and Analysis Center (ISAC). Automobile supply companies will be urged to join as well. The car makers also want to work with bug hunters. [ComputerWorld] [Wired] [Proactive Safety Principles 2016] Last year, security specialists successfully hacked into and took control over a connected car, prompting a first-of-its-kind recall by Fiat-Chrysler. [Bloomberg]

CA – OIPC AB Issues PIA Guidelines for Auto Insurers Offering Usage-Based Insurance Programs

The Alberta Office of the Information and Privacy Commissioner issued privacy impact assessment guidelines for insurers implementing usage-based insurance programs. When submitting a PIA for review, details should be provided about the organization’s management structure, policy management, training, incident response, and access and correction requests; an analysis of program-specific privacy topics should be completed (such as information flow, notifications, consent, contracts, agreements and use of PI outside Canada) and include a description of access controls, mitigation plans and monitoring procedures. [OIPC AB – Privacy Impact Assessment Guidelines for Insurers]

EU – European Commission Issues Recommendations for Data Protection and Privacy in Intelligent Transport Systems

The European Commission Cooperative Intelligent Transport Systems (“C-ITS”) Platform Working Group issued its final report relating to privacy and data protection in the context of C-ITS. Messages sent between vehicles and the IT infrastructure raise potential concerns because of the potential indirect identification of users; a list of clearly identified applications where consent is necessary should be accessible to drivers, and all situations where secondary use or re-purposing of data may take place should be identified. [European Commission – C-ITS Platform Final Report]

EU – Security and Privacy Challenges in Developing an EU Legal Framework for Automated Vehicles

The European Parliamentary Research Service issued a report on data protection and cyber security in automated vehicles. Connected cars can generate, store and transmit users’ personal data (route to work, time of driving, appointments, etc.) that have significant potential for other uses; the connection between the in-vehicle system and the vehicle manufacturer’s central server has to be secure to prevent unauthorised disclosure and manipulation. [European Parliamentary Research Service – Automated Vehicles in the EU]


US – NSA Civil Liberties and Privacy Office Issues Results of Assessment of its Metadata Collection

The Civil Liberties and Privacy Office at the NSA issued a report on a privacy impact assessment examining implementation of changes effected by the USA FREEDOM Act. Collection of call detail records satisfies the transparency principle through release of detailed implementation information and mandatory reporting requirements (i.e. number of targets, unique identifiers used and search terms); the principle of data minimization is satisfied because only telephone metadata can be collected, records that do contain foreign intelligence information must be promptly destroyed, and data can only be retained for a maximum of 5 years. [NSA Civil Liberties and Privacy Office – Transparency Report – the USA FREEDOM Act Business Records FISA Implementation]

US – California Police Department Uses Stingrays from Planes

According to documents obtained by the ACLU, the police department in Anaheim, California, has used surveillance technology that has been referred to as “stingray on steroids.” Known as Dirtboxes, the powerful cell-site simulators are mounted on airplanes to collect data on thousands of phones at once — listening to conversations, reading emails and text messages — beginning in 2009. A California state law that came into effect on January 1, 2016 requires law enforcement agents to obtain a warrant before using a cell-site simulator. [Ars Technica] [Wired] [Document Cloud] [BuzzFeed] SEE ALSO: [Hailstorm surveillance tool in privacy advocates’ crosshairs]

US – Commonwealth Court Rules Pro-Police In Phone Rummaging Case

Massachusetts Supreme Judicial Court ruled in favor of police officers who obtained a warrant to search a suspect’s iPhone and checked both his texts and photographs. The defendant argued that police only had probable cause to inspect his texts. “Communications can come in many forms including photographic,” the majority opinion countered. “So long as such evidence may reasonably be found in the file containing the defendant’s photographs, that file may be searched.” Critics are calling for new regulations to protect mobile privacy. “We need very clear standards for police officers who are issuing warrant applications,” said the ACLU Massachusetts. [Ars Technica]

US – Report Says the Threat of “Going Dark” is Overstated

A report from Harvard’s Berkman Center for Internet & Society, titled, “Don’t Panic: Making Progress on the ‘Going Dark’ Debate,” says that US law enforcement’s concerns about encryption allowing terrorists to “go dark” overstate the problem. The report said that while encryption may hinder some surveillance activity, the increasing spread of Internet connected devices can “likely fill some of these gaps and … ensure that the government will obtain new opportunities to” conduct surveillance. [The Hill] [ComputerWorld] [ZDNet] [CNET] [New York Times] and also: [Hillary Clinton Hints At Apple, Facebook Compromise Over Encryption]

US – NYC Dept of Consumer Affairs Investigating Baby Monitor Security

The New York City Department of Consumer Affairs is investigating baby monitors that are vulnerable to attacks. The agency has sent subpoenas to four as-yet unnamed companies asking for information about the way they address the security of their products. It has also posted an alert for consumers that includes advice on how to protect their monitors. [NBC News] [Wired] [NYC.gov] [NYC launches investigation into hackability of baby monitors]

Telecom / TV

CA – Cell Phone Evidence Should Not Be Excluded: Ontario Court

The Ontario Superior Court of Justice considered an application by an arrestee to exclude from evidence at trial his cell phone and cell phone number, pursuant to the Canadian Charter of Rights and Freedoms. The defendant has only a low privacy interest in the cell phone and the number (e.g. it is less personal than health records, and the call log was acquired only after obtaining judicial authorization); the defendant himself made reference to his cell phone after he had been given the opportunity to consult with his counsel, and the cell phone number could have been extracted from the cell phone itself (which was already in police possession). [Her Majesty the Queen v. Andre Palmer – 2016 ONSC 153 – Ontario Superior Court of Justice]

CA – Ontario Court: Production Order for Cell Tower Information is Unreasonable Search and Seizure

The Ontario Superior Court of Justice issued a decision on the application by Rogers Communications and Telus Communications to revoke a production order pursuant to section 487.012(5) of the Criminal Code. The required disclosure of personal information was beyond what was reasonably necessary to gather evidence, such as bank and credit card information, information of any subscriber near to the scene, and the location of the other party to the call (who could be far removed from the crime scene); production orders should include an explanation of why the requested information is relevant, details to conduct a narrower search and request a report based on the data (not the data itself). [Her Majesty the Queen v Rogers Communications Partnership and Telus Communications Company – Ontario Superior Court of Justice – Court File No CRIMJ P 299-14] See also: [Dragnet No More? Recent guidance on production orders] and also: [D. Fraser: Tower dump case raises troubling questions about law enforcement and privacy] and [Canadian Judge Offers Guidelines to Make Cellphone Surveillance Less Intrusive]

US – NY Bill Requires Smartphones to be Decrypted or Unlocked by Manufacturers or System Providers

Assembly Bill A8093, relating to the Manufacturing and Sale of Smartphones That are Capable of Being Decrypted and Unlocked by the Manufacturer, was introduced in the General Assembly. The bill, if passed, would require that any smartphone that is manufactured on or after January 1st, 2016, and sold or leased in New York, be capable of being decrypted and unlocked by its manufacturer or its operating system provider; the seller or lessor of any smartphone that is not capable of being decrypted and unlocked would be subject to a civil penalty of $2500 for each smartphone sold or leased (a civil suit may be brought by the attorney general or the district attorney). [AB A8093 – An Act to Amend the General Business Law in Relation to the Manufacturing and Sale of Smartphones That are Capable of Being Decrypted and Unlocked by the Manufacturer]

US Government Programs

US – New US Government Agency Will Handle Background Checks

The White House has announced that a new agency will assume the job of conducting background checks on contractors and government employees. The Office of Personnel Management’s (OPM) Federal Investigative Services (FIS) will become part of the National Background Investigations Bureau (NBIB). “The Department of Defense will assume the responsibility for the design, development, security, and operation of the background investigations IT systems for the NBIB.” [FCW] [Whitehouse.gov] [NextGov] [The Hill] [v3.co.uk]

WW – FIDO Issues Privacy White Paper

The FIDO Alliance has issued a new Privacy White Paper to mark Data Privacy Day explaining how FIDO’s protocols and specifications help to protect user privacy; as the consortium put it in a synopsis, “there is no privacy with security.” FIDO points to recent research on data breaches indicating that 95% of web app hacks rely on stealing customer credentials from mobile devices—and of course those credentials are virtually all passwords. FIDO’s goal is to replace archaic password-based security systems with more advanced frameworks incorporating measures like risk-based authentication and two-factor authentication. Security systems that adhere to FIDO protocols don’t involve third parties, keep biometric data on the user’s device, require user consent for the release of data, and incorporate many other principles designed to ensure that user data is protected behind advanced authentication apparatuses. [MobileIDWorld]

US Legislation

US – Senate Marks Data Privacy Day With Passage of Critical Bill for Safe Harbor

The US Senate celebrated Data Privacy Day by passing a critical piece of legislation that will extend US privacy rights to Europeans. The Judicial Redress Act passed the Senate’s Judiciary Committee this week, putting it in front of the full Senate and making it a virtual certainty to become law. The Act will extend the same privacy rights that US citizens enjoy to European citizens, and will provide European citizens with the right to proper judicial redress over how their data is handled by American corporations and the US government. Europeans will be able to access records about themselves collected by the US government, and amend those records. If the records are disclosed unlawfully, they will be able to sue. [Source]

US – Sweeping Vermont Privacy Bill Passes State Senate

The legislation would restrict the use of drones by state and local law enforcement, generally prohibit police from obtaining electronic data (including emails, web browsing history, call and text message content, location information and files stored on third-party servers such as the “cloud”) from service providers without a warrant or judicially issued subpoena, and would also provide some restrictions on sharing of data gathered by automatic license plate readers in Vermont. The bill does not place limits on the use of ALPRs for “legitimate law enforcement purposes,” but it does require data to be destroyed after 18 months unless the law enforcement agency obtains a warrant, or if the plate data is relevant to the defense of a pending or reasonably anticipated charge or complaint. Under the proposed law, state and local law enforcement could share data with other agencies for a “legitimate law enforcement purpose,” but the receiving agency must adhere to the data retention limits under the state law. [Source] The bill passed with no recorded opposition. See also: [Missouri state Rep. Ken Wilson has proposed a bill to exempt police body camera footage from Freedom of Information Act requests when there is a reasonable expectation of privacy] and [Washington, DC, Council member David Grosso has introduced a bill to protect student privacy]

Workplace Privacy

CA – Court Finds Employee Incident Did Not Meet Threshold to Warrant Drug or Alcohol Testing

The International Brotherhood of Electrical Workers, on behalf of George Degg, filed a grievance against Jacobs Industrial for violations of the Grievor’s privacy. The privacy interest of the employee should prevail over the company’s desire to positively rule out the possibility of drugs or alcohol as a factor in a vehicle accident, given that minimal damage was caused (less than $5,000 in repairs) and the weak link between the employee’s situation and the incident (the employee had no record of safety violations, sign of impairment, injury from the accident or evidence of a potential for greater damage). [Jacobs Industrial v International Brotherhood of Electrical Workers – 2016 CanLII 198 – ON LA]

US – Study: Employee Data Not Encrypted to Level of Customer Data

A new Sophos global study of organizational security techniques found that employee data protection falls far below the organization’s treatment of customer data in mid-sized organizations, with nearly one-third of companies not routinely encrypting employee financial information and nearly 50% not doing the same for health care records. The results aren’t necessarily all bad. “Two years ago, the number of them not encrypting was in the 75% range. The fact that we’re going toward the 50-50 range is actually an awareness on their part that they don’t want to be [the organizations] in the press.” [DarkReading]

US – Census Bureau Decides Against BYOD

The US Census Bureau has decided not to allow employees to use their own Internet-connected devices while gathering information for the 2020 census. Instead, the bureau will procure devices that will run its Compass application, which runs on multiple operating systems. [FCW]
