Privacy News Highlights: 22-29 February 2016


CA – Mastercard to Bring ‘Selfie Pay’ to Canada This Summer

MasterCard will officially be rolling out its biometric payment service, MasterCard Identity Check – a smartphone app which allows users to verify purchases by taking a selfie instead of entering a password – to 14 countries, including Canada, this summer, the company announced this week according. The service, which MasterCard has tested in app form with nearly 1,000 consumers in the U.S. and Netherlands, requires users to provide a photo of their face when signing up, after which the service measures prominent facial “landmarks” and converts them into an algorithm that can be compared to future pictures. To avoid fooling the app with an existing picture, users must blink while snapping the photo to prove their humanity. Biometrics carry their own set of risks: many of us have posted our faces on multiple websites or had them picked up by surveillance cameras – and it’s difficult, for the average person to change their face. Other smartphone companies such as Apple and Samsung have incorporated biometrics technology including facial recognition and fingerprint scanning software into their devices, and hackers have proven themselves capable of bypassing them. Details regarding the Canadian version of Identity Check, which has already been colloquially dubbed “selfie pay,” are not yet available. [ITBusiness] [video explaining the technology]


CA – CSE Unlawful Sharing of Metadata Went on for Years

It’s impossible to know how many Canadians had their personal data shared by the country’s electronic spy agency in a metadata glitch, according to its watchdog. Jean-Pierre Plouffe, commissioner of the Communications Security Establishment (CSE), told a Senate committee Monday that data were erased from the agency’s system, making it difficult to find out the number of people impacted. A month ago, Plouffe tabled his annual report in the House of Commons, revealing for the first time that CSE illegally and unintentionally shared metadata with Canada’s Five Eyes intelligence allies: the United States, United Kingdom, Australia and New Zealand. That data may include Canadians’ personal information, including phone numbers or email addresses, but not the content of emails or recordings of phone calls.

“It’s not accidental,” Plouffe said in an interview about the CSE breaking the law. “It’s because of a lack of due diligence.” Metadata is information associated with communication that is used to identify, describe or route information. CSE is supposed to monitor only foreign communications for intelligence that may be of interest to Canada. [CBC] [Canadian electronic spy agency’s unlawful metadata sharing went on for years before being fixed] [Outrage over CSE metadata collection and blunders ‘Difficult to determine’ scope of privacy breach in Five Eyes data sharing ]

CA – CSIS Using New Powers to Disrupt Terrorists Since Bill C-51 Became Law

Powers to disrupt include blocking financial transactions, shutting down websites. The disruption powers allow CSIS to interfere with, telephone calls, travel plans and bank or financial transactions. The agency can also disrupt radical websites and Twitter accounts of groups or people inside and outside of Canada. This provision in the act has garnered criticism from the outset, because there is no clear definition of what “disrupt” means in the legislation, causing some to be concerned the power would be abused by police and intelligence services. [Source] [Canada: CSE can assist in ‘threat reduction’ without a warrant, documents show]

CA – PEI’s OIPC Finds Privacy Breaches by 5 Gov’t Agencies

P.E.I.’s Information and Privacy commissioner has ruled five different provincial government departments and agencies violated the privacy of someone who filed multiple applications under the Freedom of Information and Protection of Privacy Act by circulating his name, mailing address, telephone number, email address and signature with copies of his requests for information. After submitting applications for information from the various government agencies, the applicant filed a complaint with the commissioner, saying his personal information and details about his access requests were shared among them, and as a result, his requests were subjected to an “unequal, prejudicial and arbitrary process.” The privacy commissioner determined a meeting had taken place, but said there was insufficient evidence that “any public body improperly collected the complainant’s personal information” during the meeting. However, the commissioner concluded all five public bodies did violate the privacy of the applicant by circulating his name, mailing address, telephone number, email address and signature with copies of his requests for information. The commissioner said she believed the violation was inadvertent. The commissioner noted all public bodies have since been told to sever personal information from information request forms. The applicant also charged one of the agencies involved, the P.E.I. Liquor Control Commission, violated his privacy by compiling personal information from internet searches, including his photo, employment history and educational background. The commissioner agreed the information was collected, but determined that did not constitute a breach because it was publicly available, and it was gathered in order to respond to the applicant’s privacy complaint. [Source]

Other Ontario News


US – Cognitive Dissonance in How Americans Value Privacy: Survey

How much do Americans really value their online privacy? According to study findings, a considerable majority of 63% of respondents experienced some sort of online security issues. But despite the frequency of these issues, just over half of them (56%) actually made permanent behavior changes to guard against their reoccurrence. 24% of respondents admitted to using unsecured public Wi-Fi, meaning that their data is effectively ripe for the picking, “quite often or all the time.” And despite the fact that 67% said they wanted extra layers of privacy, a very small percentage actually utilize available tools to this end. In fact, only 16% use privacy-enhancing browser plug-ins, just 13% use two-factor authentication, only 11% use a VPN, and just 4 percent use anonymity software. [Source]


CA – Legal Trends 2016: Anti-Spam

In each of the three instances in which the CRTC entered into an undertaking in 2015, the undertaking included a monetary payment (ranging from C$48,000 to C$200,000) and an agreement by the company to update and implement a compliance program that would (1) cover elements such as corporate compliance policies and procedures, training and education, monitoring, auditing, and reporting mechanisms, and (2) apply consistent disciplinary procedures. In one enforcement action, the CRTC took issue with the fact that a company was allegedly sending CEMs to email addresses without proof of consent for each recipient. [Mondaq]


US – Apple Faces U.S. Demand to Unlock 9 More iPhones

The Justice Department is demanding Apple’s help in unlocking at least nine iPhones nationwide in addition to the phone used by one of the San Bernardino, Calif., attackers. The disclosure appears to buttress the company’s concerns that the dispute could pose a threat to encryption safeguards that goes well beyond the single California case. Apple is fighting the government’s demands in at least seven of the other nine cases. “Apple has not agreed to perform any services on the devices.”. Starting in December, Apple has in a number of cases objected to the Justice Department’s efforts to force its cooperation through a 1789 statute known as the All Writs Act, which says courts can require actions to comply with their orders. [The New York Times] [Apple, the FBI, and the All Writs Act] [The Lowdown on the Apple-FBI Showdown] [Apple calls for commission to discuss FBI’s iPhone unlocking demands]

Facts & Stats

WW – Gov’t Accounted for 43% of 2015 Breaches Worldwide

Digital security firm Gemalto this week released its latest Breach Level Index database report which revealed that 707 million records worldwide were compromised in 1,673 data breaches across the globe during 2015. That breaks down to a staggering 1,938,383 records lost every day, or 22 per second. Unsurprisingly, 1,222 of last year’s incidents occurred in the U.S., and Gemalto estimated 419.7 million records were compromised. Government agencies were hit the hardest in 2015 and comprised 43 percent of all recorded breaches, skyrocketing up a full 476% from the previous year. Unsurprisingly, incidents in the healthcare sector resulted in 134 million compromised records, a 217% jump from 2014. Quieting fears that attackers are mainly after financial information, the report shows that only 22% of incidents were designed to steal financial data. On the other hand, a full 53% were aimed at identity theft. “If security executives needed further evidence that identity theft is a still a serious problem,” said researchers. “This is it.” The report contained a wealth of information and tips aimed at security professionals, but records protection is obviously a concern for records managers as well, so it’s worth a quick read. [Source] [Gemalto’s Breach Live Index Report]


CA – PEI Province Must Turn Over Documents on E-Gaming Loan

The P.E.I. government has been ordered to release a document that outlines details of a $950,000 government loan that funded the province’s controversial e-gaming scheme. P.E.I. Privacy Commissioner Karen Rose delivered this ruling as a result of a FOI request by TC Media requesting details of this e-gaming loan. The province refused to disclose a one-page document that provides a breakdown of where and how the money from the e-gaming loan was to be spent. In her decision, Rose states the financial e-gaming document is not information that belongs to the Mi’kmaq Confederacy and is thus a public document. She also determined the information within this record was not supplied in confidence nor was there sufficient evidence provided that disclosing the information would significantly harm the confederacy’s competitive or negotiating position. However, she rejected TC Media’s assertion the information falls within the public interest, citing an interpretation that this argument can only be used if it is matter of “compelling public interest,” applying mainly to matters of health or safety and not to political issues. [Source]

CA – OIPC NS Find Jobs Forecast and Actual Jobs Report Can be Released

The Office of the Information and Privacy Commissioner in Nova Scotia reviewed a decision by the Nova Scotia Business, Inc. to refuse to disclose records pursuant to the Freedom of Information and Protection of Privacy Act. The public body successfully claimed that jobs information supplied by third parties applying for financing and rebates was provided in confidence (the proprietary information was submitted on the basis of it being held in the strictest of confidence), but did not establish that there was a reasonable expectation of harm if released (no evidence was provided that it would significantly harm the third party’s planned growth or rebate performance targets). [OIPC NS – Review Report 16-01 – Nova Scotia Business Inc.]


CA – OPC Voices Support for Genetic Discrimination Bill, But Wants Changes

Daniel Therrien testified at the Senate human rights committee on Bill S-201, which aims to prevent discrimination against a person based on their genetic testing. He offered broad support to Senator James Cowan’s bill that would prevent unsanctioned access to a person’s genetic test results, but worried that changes it would make to federal privacy laws could cause unintended consequences in future court cases.

“It’s crucial individuals remain in control to their data,” he told the committee. Therrien spoke in favour a clause which would prohibit the collection or use of “the results of a genetic test of the individual without the individual’s written consent.” He said it creates a “good and balanced way to represent the wishes of those who wish to share their genetic test results and those who do not.” But Therrien recommended removing clauses that would add a definition for “personal information” into the Privacy Act by adding the wording “information derived from genetic testing of the individual.” [iPolitics]

Health / Medical

US – OCR Releases mHealth Guidance for App Developers

Following the launch of its mHealth Developer Portal last October, the HHS Office for Civil Rights (OCR) has released guidance clarifying how HIPAA applies to mobile health apps. Ensuring that developers understand their legal obligations is critical to protecting consumer privacy and security, especially now that there are more than 165,000 health apps available in the iTunes and Android app stores. A more clear understanding of how the rules apply can also help bring down barriers to innovation. The guidance, titled “Health App Use Scenarios& HIPAA,” builds on the mHealth Developer Portal, which serves as a platform for users to share difficult use cases and best practices. On the portal, developers can also submit questions to OCR that will inform future guidance releases. OCR announced the guidance with a statement that the agency hopes it will help developers determine “how federal regulations might apply to the products they are building” and reduce uncertainty. The guidance offers developers background information on HIPAA and then details various scenarios, identifying when an app developer is—and is not—acting as a business associate. [Source]

CA – Edmonton Health Worker Fined For Illegally Accessing Patient Information

An Edmonton health worker who admitted to illegally accessing the medical records of seven people has been fined $1,000. Denise Tourneur pleaded guilty Feb. 5 to the violations under the province’s Health Information Act. The Court heard the breaches occurred on 44 separate occasions between September 2011 and September 2013. The guilty plea is the fourth conviction under the Health Information Act since the legislation came into force in 2006. However, the amount of the fine is considerably lower than past penalties. [The Winnipeg Sun]

CA – OIPC AB Orders Public Body to Implement Safeguards to Protect Personal Health Information from Unauthorized Access and Disclosure

The OIPC AB reviewed the results of an investigation conducted by the Alberta Health Services (“public body”) into a potential breach of personal health information by a nurse (“Affiliate”). The policy that a public body had in place regarding the monitoring and auditing of IT resources establish the public body’s intent to protect unauthorized use or access; this policy remained in place when a nurse inappropriately accessed, used, and siclosed the personal health information of a patient; the public body must implement mechanisms to ensure that individual’s are in compliance with policies at all times and that patient health information is safeguarded. [OIPC AB – Order H2016-02 – Alberta Health Services]

Identity Issues

US – Secret Police? Virginia Considers Bill to Withhold All Officers’ Names.

It started with a reporter’s attempt to learn whether problem police officers were moving from department to department. It resulted in legislation that is again bringing national scrutiny to the Virginia General Assembly: a bill that could keep all Virginia police officers’ names secret. The Virginia Senate has already approved Senate Bill 552, which would classify the names of all police officers and fire marshals as “personnel records,” exempting them from mandatory disclosure under the state’s freedom of information law. In a climate where the actions of police nationwide are being watched as never before, supporters say the bill is needed to keep officers safe from people who may harass or harm them. But the effort has drawn the attention of civil rights groups and others who say police should be moving toward more transparency — not less — to ensure that troubled officers are found and removed. If it is made law, experts say the restriction would be unprecedented nationwide. [The Washington Post]

Law Enforcement

US – Fed Judge Limits 1st Amendment Right When Videorecording Cops

Court: No First Amendment right to videorecord police unless you are challenging the police at the time. In recent years, lower federal courts have generally held that the First Amendment protects a right to videorecord (and photograph) in public places, especially when one is recording public servants such as the police. Because recording events that you observe in public places is important to be able to speak effectively about what you observe, courts held, the First Amendment protects such recording. Some restrictions on such recording may be constitutional, but simply prohibiting the recording because the person is recording the police can’t be constitutional. This is the view of all the precedential federal appellate decisions that have considered the issue. [Watch: What you need to know about filming the police]. But Friday’s federal trial court decision in Fields v. City of Philadelphia takes a different, narrower approach: There is no constitutional right to videorecord police, the court says, when the act of recording is unaccompanied by “challenge or criticism” of the police conduct. Therefore, the court held, simply “photograph[ing] approximately twenty police officers standing outside a home hosting a party” and “carr[ying] a camera” to a public protest to videotape “interaction between police and civilians during civil disobedience or protests” wasn’t protected by the First Amendment. [Source]

Privacy (US)

US – Former Employee Deletes Data, Gets Prison Sentence

A US district judge in North Carolina has sentenced Nikhil Nilesh Shah to 30 months in prison for sabotaging his former employer’s servers. Shah was an IT manager at SmartOnline. He left that company in March 2012, and in June of that same year, he sent malicious code to his previous employer’s servers, deleting much of the company’s intellectual property. [The Register] [SCMagazine] []

US – Asus Settles FTC Charges Over Unsecure Home Routers

Asus has agreed to the terms of a settlement with the US FTC regarding vulnerabilities in its home routers and cloud services. The FTC noted that Asus frequently “did not address security flaws in a timely manner and did not notify customers about the risks posed by the vulnerable routers.” The settlement calls for Asus to establish and maintain a comprehensive security program and to undergo audits every two years for the next 20 years. [FTC] [eWeek] [SCMagazine] [The Register] [ComputerWorld]


WW – Obama’s National Action Plan on Cybersecurity Addresses IoT

The White House’s national action plan on cybersecurity addresses concerns about the security of the Internet of Things (IoT). According to the plan, the US Department of Homeland Security (DHS) is working with Underwriters Laboratories to develop a cybersecurity assurance program that could evaluate IoT devices before they go to market. [NextGov]

CA – OPC Releases Research Paper on Internet of Things

The OPC released a research paper titled ‘The Internet of Things (IoT): An introduction to privacy issues with a focus on the retail and home environments’, which examines the key privacy challenges posed by the IoT, such as customer profiling, accountability, transparency, and information security. The Paper assesses whether the definitions of both consent and personal information, as included in the current privacy regulation, are suitable for a ‘fast-developing online environment’ as the IoT. The Paper also considers various technologies used by the retail industry to monitor consumer behaviours, such as wearables and smartphone apps, and to connect the devices among them, namely cellular, Wi-Fi, Bluetooth, Near Field, communication and Radio-Frequency Identification. The Paper does not offer specific guidance to them or propose any new regulatory measures.” [Source]

WW – Microsoft, Cisco, Intel and others Form Open Iot Standards Group

Microsoft is leading a band of tech titans to found a new Internet of Things standards group. The Open Connectivity Foundation (OCF) will seek to define interoperability standards for the billions of internet-connected devices expected to arrive in the next few years. Up until now the OIC was in competition with the Allsee Alliance, another IoT standards group formed in 2013, with members such as Microsoft, Electrolux, and Qualcomm — all of whom are now part of the OCF. There’s also the two-year-old Industrial Internet Association formed by Intel, IBM, ATT, Cisco, and GE. [ZDNet]

WW – IoT: SimpliSafe Alarms Transmit Codes in Plaintext

SimpliSafe wireless home alarm systems are vulnerable to replay attacks.

The system’s keypad uses the same, unencrypted personal identification number each time it sends a message to the base station. Attackers could sniff the code, then replay it to trick the system into thinking that a home is secured when there is actually a break-in occurring. The microcontroller chips used in the system are write-once, which means they cannot be updated with firmware. SimpliSafe is used in more than 200,000 homes. [Ars Technica] [The Register]


WW – Eliminating Browser Plugins Improves Security, Decreases Functionality

In an effort to improve security, browser makers have begun disabling plugins. Oracle said last month that it would end support for its Java plugin. The plugin will be “deprecated” in the next release version of Java Development Kit, which is scheduled for release next year. [eWeek]

US – California AG Says Not Adopting Critical Security Controls Indicates “Failure to Provide Reasonable Security”

A report from the California Attorney General’s Office includes recommendations for organizations to protect their systems from breaches. The “report clearly articulates basic steps that businesses and organizations must take to comply with the law, reduce data breaches, and better protect the public and our national security.” The report recommends organizations adopt the Center for Internet Security’s Critical Security Controls as the start of a comprehensive information security program. The Attorney General’s Office stated “not doing so would be indicative of an organization’s failure to provide reasonable security.” [Source] [SANS Critical Controls]

US – California Data Breach Report Identifies Exploited Flaws and Defines Legal Minimum Standard of Due Care for Cyber Security

The California Data Breach Report “provides an analysis of the data breaches reported to the California attorney general from 2012-2015.” In nearly all cases, the breaches exploited vulnerabilities for which fixes had been available for more than a year. California state law states, “A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature if the information.” The report goes on to say that organizations that do not implement the Center for Internet Security’s (CIS) 20 Critical Security Controls would be found to demonstrate “a lack or reasonable security.” [NextGov] [NatLawReview]

WW – PwC Report: Cybercrime Second Most Reported Economic Crime

According to PwC’s Global Economic Crime Survey 2016, nearly one-third of organizations surveyed said they had experienced cybercrime. The report explains the surprisingly low percentage by noting, “the insidious nature of this threat is such that of the 56% who say they are not victims, many have likely been compromised without knowing it.” The report also found that just 37 percent of organizations have established a cyber incident response plan. “Many boards are not sufficiently proactive regarding cyber threats.” The report draws its statistics from responses from more than 6,000 organizations in 115 countries. [ZDNet] [Newsmarket]

US – IRS reports 400% increase in phishing& malware in the past 12 months

The US tax-filing season has only been under way for a month, but already the IRS is warning that it’s seen a 400% surge in phishing and malware compared with the previous tax year. Phishing messages are asking taxpayers about a wide range of sensitive information, including data related to refunds, filing status, confirmation of personal information, transcript orders and PIN verifications. The messages are rigged to look official, as if they came from the IRS itself or from others in the tax industry, such as tax software companies. The phishing attempts are being seen in every part of the country, the IRS says. [Source]


Texas – City Dumps License Plate Readers for Being “Big-Brotherish”

At the beginning of the year, the City of Kyle, Texas, approved a controversial agreement to install automated license plate recognition (ALPR) technology in its police vehicles. The devices would come at no cost to the city’s budget; instead, police would also be outfitted with credit card readers and use ALPR to catch drivers with outstanding court fees, also known as capias warrants. With each card swipe, an added 25% surcharge would go to Vigilant Solutions, the company providing the system. As an added bonus the company would also get to keep all the data on innocent drivers collected by the license plate readers—indefinitely. But before the license plate readers could even be installed, the Kyle city council voted 6-1 to rescind the order. The reason: public and media outcry over how the system would turn police into debt collectors and data miners. In late January, EFF published a report about Vigilant’s latest business scheme: licensing ALPR systems to law enforcement agencies for free, in exchange for their participation in what Vigilant calls its “Warrant Redemption Program.” In addition to the City of Kyle, the City of Orange and Guadalupe County in Texas had also signed similar deals. [EFF]

US Legislation

US – Obama Signs Bill Extending Privacy Protections to Allies

President Barack Obama signed legislation that would extend some U.S. privacy protections to citizens of allied countries and let foreigners sue the U.S. government if their personal data is unlawfully disclosed. The bill extending certain privacy protections was aimed at shoring up trust among European allies following leaks by former NSA contractor Edward Snowden. Obama said the new law makes sure data is protected under U.S. privacy laws, “not only American citizens, but also foreign citizens.” Even as the U.S. government works to protect American’s security, Obama said “we’re mindful of the privacy that we cherish so much.” Supporters say extending privacy protections helps ensure that other nations will continue sharing law enforcement data with the United States. [The Winnipeg Free Press]

US – Congress Looks to Boost Email Privacy; Increase Social Media Surveillance

While civil liberties advocates are encouraged by the House push to protect Americans’ emails, they are keeping a close eye on separate efforts by lawmakers to increase surveillance of social media. Earlier this month, the Senate Homeland Security and Governmental Affairs Committee approved the bipartisan Combat Terrorist Use of Social Media Act, which requires President Obama to develop a comprehensive strategy to counter terrorists’ use of social media. The Obama administration has been promising such a strategy since late 2011. [Source]

US – DC Introduces Bill Prohibiting Tracking of School Issued Devices

Bill 21-0578, Protecting Students Digital Privacy Act of 2016, was introduced and referred to the Committee on Education. Device location tracking technology cannot be used to track a device given to students unless the student has reported the device missing or stolen, a judicial warrant has been obtained or it is necessary to respond to an imminent threat to life or safety; students cannot be required to or coerced into providing usernames and passwords or providing any school personnel with access to personal social media accounts. [B21-0578 – Protecting Students Digital Privacy Act of 2016]




Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: