01-07 February 2016


EU – Revised Edition of Biometric Privacy Guidelines Now Available*

The Biometrics Institute has completed revisions on its Biometrics Privacy Guidelines, Biometric Update reports. The guide is a document comprising 16 principles that assist users “across many different countries and jurisdictions,” considering that “biometrics and information technologies do connect beyond national boundaries and across different fields as diverse as health records, border controls, retail, consumer based applications in the telecommunications industry, finance and banking and driver’s licenses,” the report states. “It is the public’s assurance that the biometric managers have followed best practice privacy principles when designing, implementing and managing biometric based projects,” said Biometrics Institute CEO Isabelle Moeller on the guide’s update. The resource is only available to Biometrics Institute members. [Biometric Update] [Biometrics Institute Issues Privacy Guidelines] * To Biometric Institute Members only

WW – New App Employs Selfies to Help Users Find Pictures of Themselves

Waldo, a free app hitting iPhones this spring, utilizes a selfie and location data to find other pictures of the user that have been uploaded to the service. It primarily scours public events, like concerts, for pictures of users, alerting them when it finds their photo elsewhere. The technology has already garnered comparisons to Facebook’s Moments app. However, Waldo’s CEO maintains that the app is aimed toward simplifying a user’s social media experience. “We’re going to make it really painless to get those so you’re not constantly nagging and saying, ‘Hey, will you text me that photo from that party the other night?’” [MIT Technology Review]


CA – Ontario Court Expands Scope of Privacy Tort to Include ‘Revenge Porn’

A recent ruling that found a man financially liable for posting a private sex tape of a former girlfriend online is being hailed as a case that is the first of its kind in Canada. Experts are calling the decision a win, which makes sense given we live in an age where there is a rapidly climbing sensitivity to victimization of all kinds, particularly in social media. “Personal and private communications and the private sharing of intimate details of person’s lives remain essential activities of human existence and day to day living. To permit someone who has been confidentially entrusted with such details — and in particular intimate images — to intentionally reveal them to the world via the Internet, without legal recourse, would be to leave a gap in our system of remedies,” said the ruling. “I therefore would hold that such a remedy should be available in appropriate cases.” [Source]

CA – Tax Agency Staffer Gone After Taxpayer Data Leaks to CSIS

No one’s saying much about what happened and who’s been held accountable for several breaches of taxpayer privacy at the Canada Revenue Agency. The privacy breaches came to light last week in the annual report of the watchdog for CSIS, Canada’s spy agency. The report described how intelligence officers, repeatedly and without a warrant, improperly obtained taxpayers’ information. Canada Revenue Agency has confirmed that an employee implicated in a leak of taxpayer information to CSIS is no longer with the tax agency. When CRA was asked what happened on its side, and whether anyone has been fired or disciplined, a spokesman responded, “The employee is no longer with the agency (…) For more information about the incident, please contact CSIS.” A follow-up question about whether the former employee had taken the well-worn path of resigning or retiring before being fired, prompted a politely worded response from Brideau that the agency won’t be able to provide such details. The public may learn more if Canada’s Privacy Commissioner decides to investigate. [Source] [CRA doesn’t even know what taxpayer information it shared improperly with spy agency]


US – How You Handle Data Privacy, Security Is Key to Customer Loyalty

How your organization handles issues related to data privacy and data security will have an enormous impact on the willingness of consumers to do business with you. That is one of the key findings of a new study by New York-based Morrison & Foerster. The firm has just released the results of its latest consumer survey on privacy. The survey, “Morrison & Foerster Insights: Consumer Outlooks on Privacy,” examines the attitudes and concerns that U.S. consumers across the country have regarding multiple privacy-related issues, such as the disclosure of personal information, data breaches, and privacy policies. The study results offer some important lessons for IT and data professionals. “The findings indicate that a significant percentage of the American people continue to be concerned about numerous facets of security.” [Source] [MoFo]


UK – Communication Providers Should Not Have to Decrypt Messages: MPs

New UK surveillance laws should not impose obligations on communication providers to decrypt messages sent over their networks if they have not added the encryption to those messages, a committee of MPs has said. The UK Science and Technology Committee, which has assessed the technical feasibility of the draft Investigatory Powers Bill, said, though, that the new laws should allow intelligence agencies to request that communication providers decrypt data they have encrypted “in tightly prescribed circumstances”. Giving evidence in December to another parliamentary committee that is scrutinising the Bill, Vodafone raised concern about provisions of the draft laws that would force communication network operators to decrypt communications sent over their networks via other communication services, like Skype and WhatsApp, if requested to do so. In its report, the Science and Technology Committee said that there is a lack of clarity in the current draft of the Bill with how some terms are defined as well as over “the extent to which ‘internet connection records’ (ICRs) will have to be collected” by communication providers. [Source]

EU Developments

EU – The “Privacy Shield” Faces an Uphill Battle

This week, European VP Andrus Ansip and Commissioner Vera Jourová announced that the EU Commission had approved a political agreement on what will henceforth be known as the “EU-US Privacy Shield.” Over the coming weeks they will have to draft a fresh EU Commission adequacy decision to replace the previous “Safe Harbor” decision, which the Court of Justice of the European Union found invalid in Schrems. There is already speculation that the validity of this new decision will itself be challenged in the CJEU; as much is clear from discussions in the European Parliament the night before. So Ansip and Jourová will need to draft as robust a decision as they can, if that decision is to withstand review by the CJEU. [IAPP] [How sturdy is the Privacy Shield?] [FTC, DoC answer Privacy Shield questions] [EU DPAs respond to Privacy Shield; BCRs are a go, for now] [EU-US Privacy Shield scrutinized in Article 29 Working Party initial response] [Deal on EU-US Privacy Shield leads EU watchdogs to extend moratorium on data transfers enforcement action] [EU-US Data Transfers Won’t Be Blocked While Privacy Shield Details Are Hammered Out, Says WP29] [Privacy Shield mauled by European tech suppliers but successor to Safe Harbour agreement cheered by US firms] [FTC Commissioner Julie Brill comments on EU-US Privacy Shield] [What businesses need to know about Privacy Shield] [The EU-US Privacy Shield. Not quite there yet!]

UK – Investigatory Powers Bill Loopholes Will Lead to Unbridled Surveillance

The House of Commons Science and Tech Committee has published its report on the draft Investigatory Powers Bill, influenced by comments submitted by 50 individuals, companies, and organizations. The report is the first of three investigations by different Parliamentary committees. While it was intended to concentrate on the technological and business ramifications of the bill, their conclusions reflect the key concern of lawmakers, companies, and human rights groups about the bill’s dangerously vague wording. The Investigatory Powers Bill, as written, is so vague as to permit a vast range of surveillance actions, with profoundly insufficient oversight or insight into what Britain’s intelligence, military and police intend to do with their powers. It is, in effect, a carefully-crafted loophole wide enough to drive all of existing mass surveillance practice through. Or, in the words of Richard Clayton, Director of the Cambridge Cloud Cybercrime Centre at the University of Cambridge, in his submissions to the committee: “the present bill forbids almost nothing … and hides radical new capabilities behind pages of obscuring detail.” The series of successful challenges in the UK and EU against previous surveillance law and practice shows that vague and unbounded language cannot survive a serious challenge in the courts. If the UK government wants its surveillance rules to stand the test of time, it needs to build them on a firm foundation of clarity, necessity, and proportionality. [Source]

EU – Companies Subject to Multiple EU Data Protection Regimes: Watchdog

Companies that are operational in multiple EU countries can be forced to comply with each of the different national data protection laws that apply in the countries in which they operate, according to new guidance. The Working Party’s guidance also explained how EU data protection laws can apply to non-EU based companies, even if they process personal data outside of the EU. In this context the guidance expands on a 2014 case involving internet giant Google in which the CJEU ruled that Google was subject to Spanish data protection laws despite the company not processing any personal data in the country. The CJEU assessed the fact that Google had a Spanish subsidiary based in Madrid that promoted and sold advertising space for its search service when arriving at its decision. [Out-Law]

Health / Medical

US – Obama: ID Theft Victims Should Have Access to Thieves’ Medical Records

The Obama administration says those who’ve had their identities stolen have the right to review and correct their medical records and also have the right to look at the medical records of those who stole their records. To date, it’s been difficult at times for victims of ID theft to correct their records because they haven’t been able to access the thieves’ medical data because of health care privacy laws. The Senate Health, Education, Labor and Pensions Committee has been looking at ways to help victims of medical identity theft, and the Obama administration — recently criticized by Republicans for not doing enough on the issue — outlined the policy in a letter to the committee. [Wall Street Journal] [FierceHealthIT]

ON – Hospital Improperly Refused to Disclose PHI Because They Consist of Mental Illness Records: IPC ON

This IPC decision reviews the Halton Healthcare Services’ handling of a request for disclosure of health information pursuant to the Personal Health Information and Protection Act. The hospital, which must re-exercise its discretion, relied on irrelevant considerations in deciding against disclosure, such as the fact that there was an absence of “specimens” and the records are about mental illness; some mental illnesses seem to run in families and it is possible that the PHI may be relevant to health care decisions by family members. [IPC ON – PHIPA Decision 21 – Halton Healthcare Services]

CA – OIPC BC Determines Public Body Did Not Follow Privacy Policies

The BC Office of the Information and Privacy Commissioner investigated the Ministry of Education for failure to protect personal information in its custody. A hard drive containing student personal information (i.e. names, dates of birth, gender, financial aid data, special needs, health and behaviour issues and personal education numbers) went missing; the Ministry should conduct mandatory training with periodic refresher courses, maintain an accurate inventory of personal information assets and store mobile storage devices in a government-approved facility. [OIPC BC – Investigation Report F16-01 – Ministry of Education] See also: [Privacy breach in B.C. points to need for policies in Yukon: commissioner]

UK – Health Care Breaches on the Rise

Healthcare is responsible for more data breaches than any other UK sector, and the number of cases is rising fast. There were 734 instances in 2014, and year-on-year numbers doubled from April-June 2013 to the same quarter the following year. UK trends could be set to follow those of the United States, where 91% of healthcare organisations have suffered at least one data breach in the past 2 years, and 40% have suffered more than 5 incidents. More importantly, mistakes and negligence are no longer the principal cause: criminal attacks on the healthcare sector have increased by 125% since 2010. Hackers can also steal far more information than is usually lost in error: the recent attack on Excellus is believed to have involved up to 10 million individual records. [Source]

Horror Stories

US – Health Insurer Loses Hard Drives with 950,000 Medical Records

Health insurer Centene Corp. is hunting for six computer hard drives containing the PHI records of about 950,000 individuals, the company said Monday afternoon. The drives were being used in a data project that sought to utilize lab test results to improve members’ health outcomes. The records on the missing drives include individuals’ names, dates of birth, Social Security numbers, member ID numbers and unspecified “health information.” [Source]

Identity Issues

CA – BCCLA Raises Privacy Concerns Over Compass Card Tracking

The BC Civil Liberties Association is warning the public about a possibility of a privacy breach for people using Compass Cards. BCCLA claims it is possible to track travel history by simply obtaining a person’s Compass Card. The BCCLA says they are concerned about abusive partners, stalkers or police abusing the system to track someone’s movement. The BCCLA is recommending people pay cash for the card or use cash to buy single-use Compass tickets if they want to make sure their name is not linked to a travel itinerary. [Source]

Internet / WWW

WW – The Case for Ethical Standards in (Big Data) Analytics

A paper by Carnegie Mellon researchers raised a red flag about the analytics behind Google job search ads, revealing that Google’s analytical modeling serves ads for a career coaching service for higher-paying jobs to men more frequently than it does to women. Other research and publications have also pointedly raised concerns and risks regarding the perils associated with breaches or questionable use of data. [Source] [“Automated Experiments on Ad Privacy Settings”]

Law Enforcement

US – EFF and ACLU Say Milwaukee Police Used Stingray Without a Warrant

The Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) have filed an amicus brief in the US Court of Appeals for the Seventh Circuit, alleging that the Milwaukee, Wisconsin police department used a stingray without first obtaining a warrant. [SCMagazine]

US – Berkeley Students File ECPA Suit Against Google

Four U.C. Berkeley students and an alumnus have filed a lawsuit against Google accusing it of targeting U.C. Berkeley emails for data mining between 2012 and 2014. The suit follows complaints in 2014 that Google was scanning emails in “Apps for Education,” when nine plaintiffs accused the company of collecting their information for advertising without their consent. In this most recent suit, the plaintiffs say Google’s alleged email scanning violated the Electronic Communications Privacy Act. They say a 2014 post by Google acknowledging it had scanned Apps for Education emails is proof. Google said it doesn’t comment on pending litigation. [The Daily Californian] [Class Action lawsuit webpage] [U of Big Brother?]

Online Privacy

WW – Extension Allows Users to Block Ads and Avoid Online Tracking

A new Firefox extension called Decentraleyes is aimed at helping users block ads and avoid being tracked online. The tool is free and available for Firefox users. It allows for the loading of content delivery networks with direct access to them, meaning users aren’t tracked once they’ve visited a site. While many sites “chose to host critical libraries on external services, like Google Hosted Libraries, to improve load times and ensure they don’t go down,” doing so “provides another avenue for companies to track the sites you visit.” Decentraleyes stores commonly used files locally “instead of from remote sources” to circumvent that problem. [The Next Web] See also: [Privacy Badger]

WW – Service Creates Ad-Blocker Workaround

Softpedia reports on a new service aimed at “helping online publishers counteract users that employ ad-blocking browser extensions when accessing their sites.” BlockBypass was developed by BlockIQ and responds to the proliferation and usage of ad-blocking extensions, which, according to one study, went up 41% in 2015 compared to the year prior. The trend led to a loss of $21.8 billion in ad revenue. The BlockBypass technology “would allow publishers to hide the location of the ad server from where the ad is being downloaded,” and will sit between the user and the ad server. [Softpedia]

Privacy (US)

US – Where do US Presidential Candidates Stand on Privacy and Surveillance?

Through the various debates and out on the campaign trail, the U.S. presidential election has begun to feature topics of privacy and cybersecurity. Sophos’ Naked Security blog rounds up each candidate’s stance in neat fashion. Republican Ted Cruz, who topped the recent Iowa caucuses, has publicly “opposed many politicians in his own party who were calling for expanded government surveillance powers.” Donald Trump, meanwhile, has called for “closing that Internet up” and said Americans “would be willing to give up some privacy in order to have more safety.” On the Democratic side, Hillary Clinton has “taken a hard line on NSA leaker Edward Snowden” and Bernie Sanders “voted against the USA PATRIOT Act in 2001 and 2006.” [NakedSecurity] See also: [Five senior U.S. administration officials announced the National Background Investigations Bureau, which will conduct all background checks on federal employees and contractors going forward].

Privacy Enhancing Technologies (PETs)

WW – Google Expanding Safe Browsing in Chrome

Google’s safe browsing technology will now cover online advertisements that try to trick people into entering account access credentials or downloading malware that pretends to be a legitimate software update. If a site is deemed to be deceptive, Chrome will display a red screen and a text warning. [Source]

Smart Cars

EU – German DPA Issues Joint Declaration with Automotive Industry

The data protection authority in Germany issued a joint declaration with the Association of the Automotive Industry on the privacy aspects when using connected and non-connected vehicles. Organisations storing data collected from vehicles should inform individuals of how to exercise access rights and what measures will be taken if the database is lost or stolen; informed consent should be obtained when the vehicles are purchased and users should be able to change or reset settings on any user-entered information (i.e. navigation data and email or messaging contacts). [DPA Germany – Joint Declaration of the Conference of Independent DPAs of the Federal and State Governments and the Association of the Automotive Industry] (in German)


US – Felon’s Lifetime GPS Monitoring Upheld by US Federal Appeals Court

A federal appeals court is upholding lifetime GPS monitoring of a convicted felon, in this instance a Wisconsin pedophile who served time for sexually assaulting a boy and a girl. The court upheld the constitutionality of a Wisconsin law that, beginning in 2008, requires convicted pedophiles to wear GPS ankle devices for the rest of their lives. A federal judge had sided with the offender. Wisconsin appealed to the 7th US Circuit Court of Appeals, which ruled in the state’s favor and derided the lower court’s ruling as “absurd.” Among other things, Belleau said the GPS device violated his privacy because he had served his time and was not on post-prison supervision. The three-judge appeals court did not agree. The court’s reasoning, however, could apply to other criminals who have a propensity to reoffend. The court said that the burden on privacy “must in any event be balanced against the gain to society from requiring that the anklet monitor be worn. It is because of the need for such balancing that persons convicted of crimes, especially very serious crimes such as sexual offenses against minors, and especially very serious crimes that have high rates of recidivism such as sex crimes, have a diminished reasonable constitutionally protected expectation of privacy.” [Ars Technica]

WW – Fitness Trackers Put Users’ Health Data at Risk, Study Suggests

A recent study out of the University of Toronto suggests that wearable devices are full of security holes. The study, conducted by digital research group Open Effect and U of T’s Citizen Lab, found that many of the most popular devices leak information and are vulnerable to manipulation of recorded data. The devices, which can track everything from heart rate to quality of sleep, collect fitness data that wearers use to keep track of their health goals. These trackers aren’t just for the health conscious: lawyers and insurance companies have used data to verify users’ fitness. But while the devices collect an enormous amount of personal health information, key security flaws make it easy to tamper with the data, the study found. Only the Apple Watch received a clean bill of health from researchers because it connected to other tech, such as cellphones, anonymously. [Source]

WW – Berlin Group Issues Recommendations on Intelligent Video Analytics

The International Working Group on Data Protection in Telecommunications (the “Berlin Group”) has issued a working paper on the use of intelligent video analytics technologies by both the private and public sectors. Privacy implications include a chilling effect, interference with fundamental rights, and lack of public awareness of collection practices; recommendations include respect for the principle of lawfulness and fairness through adequate transparency mechanisms (e.g. use a layered notice), and the principle of proportionality (e.g. apply data minimization practices). [Working Paper on Intelligent Video Analytics]

UK – Privacy Watchdog Warns Consumers That Shops Can Track Them

The UK’s privacy watchdog has warned that facial recognition software and handset identifiers broadcast via Wi-Fi are allowing UK retailers to track and target customers through their smartphones. “This technology, which is starting to be rolled out in shops, allows retailers to use the customer journey to build up a picture as to how people typically use the store. It uses the MAC address of a smartphone which can, in many cases, be linked to a specific individual,” says Simon Rice, group manager for technology at the UK ICO. The technology has also been implemented in airports, transport hubs and using city-wide Wi-Fi networks. The ICO warns that smart CCTV systems and facial recognition cameras are capable of identifying individuals, and similar technology is used on the internet to target adverts at users based on their behaviour instead of their faces. [Out-Law]

WW – Retailers Urged to Notify Customers of Mobile Tracking

Retailers have been urged to create a standard symbol, similar to the one used to denote the use of CCTV, to inform customers that their location within shopping areas is being tracked through their mobile device. The recommendation was contained in a new working paper that has been issued by an international working group on data protection in telecommunications on the topic of location tracking from communications of mobile devices. The working group’s paper said retailers should not “seek to collect and monitor outside their premises” and can avoid doing so “through careful placement of receivers, limiting data collection through a sampling method and to specified time periods or times of day.” [Out-Law]

US – At Berkeley, A New Digital Privacy Protest

After hackers breached the computer network of the U.C.L.A. medical center last summer, Janet Napolitano, president of the University of California, and her office moved to shore up security across the university system’s 10 campuses. Under a program initiated by Ms. Napolitano, the former secretary of Homeland Security in the Obama administration, the university system began installing hardware and software in its data centers that would monitor patterns of digital traffic, like what websites are being visited by faculty and students, or telltale signs of cyber intruders. The program, which was begun with little notice or consultation, soon rankled a group of professors at one campus, Berkeley, which has a deep-seated ethos of academic freedom as the cradle of the free speech movement in the 1960s. The faculty group of 11 professors critical of the monitoring program said the university system enacted the program largely in private, with little transparency about what data is being collected. The monitoring could compromise and constrain academic freedom to research topics that some find objectionable, among other repercussions, they said. In a formal meeting with the University of California’s chief information officer in December, the professors asked for the program to be halted. [New York Times]

Telecom / TV

US – Judge Says You Have No Expectation of Privacy When Using Tor

Last week, a federal judge in Washington state issued a baffling opinion suggesting that you don’t have a reasonable expectation of privacy when using Tor, the widely-used anonymity software literally designed to give its users privacy. The judge bizarrely argued that Tor doesn’t give its users complete anonymity because a user has to give their IP address to their ISP to connect to the Tor network. Therefore, he concluded, Michaud’s IP address was “public information, like an unlisted telephone number” that “eventually could have been discovered.” This makes no sense to anyone with a basic understanding of how Tor works. [Source]

Workplace Privacy

CA – Ontario Tribunal Grants Employer Access to Employee Health Information

The Toronto Transit Commission requested that the Human Rights Tribunal of Ontario grant access to an employee’s personal health information. The Order permits the employer to access and disclose the employee’s information in its occupational health file, to meaningfully respond to allegations of discrimination; access and disclosure is granted to the employer’s advisors, individuals giving instructions to counsel, and potential witnesses. [Scott Coutts v. Toronto Transit Commission and Amalgamated Transit Union Local 113 – 2016 HRTO 7 – CanLII – Human Rights Tribunal of Ontario] See also: [European Court of Human Rights Decides that Accessing an Employee’s Work IM Account Did Not Breach His Privacy Rights]


