Biometrics
CA – Researchers Considering Iris Biometrics to Help Homeless Get Healthcare
A Canadian research project is looking at the use of iris recognition to help homeless people get around the problem of accessing healthcare without proper identification. The iris recognition project will begin later this month with researchers asking those at select temporary shelters whether they’d be comfortable having their iris image captured to be used as a form of ID. An algorithm developed by engineering students at Western University will turn those images into a number that will become the test subjects’ unique ID numbers. Ontario NDP member of provincial parliament Peggy Sattler said, “This (project) is not intended to stigmatize homeless people. It will shed light on how this could work and it can help homeless people have access to health care.” In fact, the technology could also be expanded for all Ontarians, Sattler said. “There are 100,000 more OHIP (Ontario Health Insurance Program) numbers than there are Ontarians.” “Eventually, you could get an iris scan at your doctor’s office and it would go into some kind of database, and every time you access health care, you don’t need a card.” Details about the storage and protection of the biometric data have yet to be worked out. [London Free Press]
Big Data
WW – Twitter, Dove Using Data to Raise Body-Shaming Awareness
Dove unveiled the newest development in its #SpeakBeautiful campaign last week, a tool developed with Twitter that tracks a user’s body-centric buzzwords on the site. The tool issues a link to a user’s own “custom microsite” after they retweet Dove’s official content. The microsite then shows users their own Twitter data, comparing how their “negative tweets stack up to other women.” [AdWeek]
Canada
CA – OPC Outlines Recommendations for Modernizing the Privacy Act
The Privacy Commissioner of Canada welcomes a Parliamentary committee review of the Privacy Act and has unveiled his priorities for modernizing the law governing how the federal government handles personal information, which has remained largely unchanged since it was proclaimed in 1983. The OPC recommended changes under three broad themes: Responding to technological change, legislative modernization and the need for transparency. The Privacy Act should be amended to
- Require that all information sharing be governed by very explicit written agreements;
- Create an explicit requirement for institutions to safeguard personal information, as well as a legal requirement to report breaches to the OPC;
- Broaden the grounds to seek a Federal Court review to include all contraventions of the Privacy Act, not just denials of access to personal information;
- Require government departments to consult the OPC on bills that impact privacy before they are tabled in Parliament;
- Allow the OPC to report in a more timely and proactive manner on the privacy practices of federal institutions, beyond annual and special reports to Parliament; and
- Extend the application of the Privacy Act to all government institutions, including Ministers’ Offices and the Prime Minister’s Office.
Commissioner Therrien also urged Parliament to consider regulating the collection, use and disclosure of personal information by political parties, but noted the Privacy Act is probably not the best instrument to do this. [Commissioner Therrien’s full statement]
CA – Alberta Privacy Commissioner Aims to Bring Non-Profits Under Provincial Privacy Legislation
The AB OIPC has recommended to the standing committee on Alberta’s economic future that nonprofits should comply with privacy legislation. The Calgary Sun reports that more than 20,000 nonprofits have been exempted from complying with privacy legislation. Privacy Commissioner Jill Clayton wants to eliminate this exemption as her office was only able to address 9% of the privacy complaints it received regarding nonprofits last year. [Calgary Sun]
CA – Nova Scotians Not Keen on Tech Saving Them Money on Car Insurance
Several insurance companies in Nova Scotia are offering a program that allows people to save up to 25% on their car insurance, but few people are opting to take part, according to OTC insurance and the Insurance Bureau of Canada. In order to apply for the discount, people have to volunteer to install what’s known as a telematics device in their car. The small device is installed under a car’s steering wheel and records an individual’s driving habits for six months. The device records things like driving distances, the time of day the car is driven, and sudden acceleration or braking. At the end of the six months the device is turned over to the insurance company and it uses the data to determine if the user should get a discount on their insurance. “We’ve been advertising quite heavily on the radio and seems like people are very leery about having this device in their vehicle for the insurance companies to look at.” David Fraser, a privacy lawyer, has mixed feelings about telematics. “Once this information is generated, it exists and it can be used for other purposes. It can be subpoenaed in connection with a lawsuit, the police could get a search warrant and it just adds to the amount of digital debris that we leave behind in the run of the day.” He also questions how accurate the information will be and how it will be interpreted. [CBC News]
CA – BC Law gives Coroners Wide Power to Protect Privacy of the Dead
The BC Coroners Service has refused to release the medical records of a murder victim asserting the deceased still has privacy rights. There aren’t any Freedom of Information and Protection of Privacy Act provisions that compel “public bodies … to disclose certain types of information,” said Michelle Mitchell, communications officer for the Office of the Information and Privacy Commissioner for British Columbia. “Therefore, it is not within the commissioner’s powers to require a public body to include specific kinds of information in a report,” she added. [Vancouver Sun]
CA – Trudeau Agrees to Hand Over Even More Data About Travelers to the US
Justin Trudeau’s pilgrimage to Washington has produced one clear result. Canada’s new Liberal government says it will push through a long-delayed plan to share with Washington biographic and other information on Canadian citizens travelling overland to the U.S. The Americans, in turn, will reciprocate. [Source] [US Travel cheers expansion of Border Preclearance Program in Canada] The announcement came as a sidenote to the climate change strategy announced by the two leaders, with fanfare, in DC last week. “The government of Canada has assured the U.S. it will complete the last phase of a coordinated entry and exit information system so the record of land and air entries into one country establishes an exit record from the other,” the statement from the two leaders reads. Obama framed the deal around stemming the flow of foreign fighters between the two countries — even though evidence for that supposed trend appears to be non-existent — but the effects of the deal could impact the privacy rights of all cross-border shoppers, tourists, and anyone else who crosses the world’s largest land border. The entry/exit deal dates back to the 2011 ‘Beyond the Border’ plan to boost security and reduce trade restrictions between the two countries. The 2011 plan commits the two countries to “establish coordinated entry and exit systems at the common land border” and “exchange biographical information on the entry of travelers, including citizens, permanent residents, and third country nationals” whenever they cross from one country into the other. But that part of the plan never came into force, at least not as envisioned. Canada began sharing information with its American counterparts on all third-country nationals — border-crossers who were neither American nor Canadian — but never began doing so for its own citizens, even though it committed to start in June 2014. [Source] [Op-Ed: Canada to share information with U.S. on land border crossers] [Canada, U.S. to share more passenger information] [Trudeau quietly agrees to share info on Canadians with U.S.]
CA – CSIS Head Says New Powers to Disrupt Plots Used Almost 2 Dozen Times
The head of Canada’s spy agency told a Senate committee that his agency has used its extraordinary powers to disrupt extremist plots close to two dozen times since the fall of 2015. Michel Coulombe, director of CSIS, made the admission to the national security and defence committee, revealing for the first time how frequently this power was used. Canada’s spy agency was granted the power to disrupt suspected plots rather than just relay information about those plots to the federal government and the RCMP when Bill C-51 became law this past summer. [CBC] [CSIS hasn’t crossed line with controversial new powers under Bill C-51, director tells Senate committee]
CA – Toronto Fire/Paramedic Services to Post Emergency Call Data Online
City councillors are getting ready to make vital information about fires and medical emergencies available to the public. A council committee approved two motions this week to have the fire and paramedic services make data from their LiveCAD system — which tracks calls for help in real time — open for the public to see and download. Both were instructed to work with the city’s legal department to make the information available without compromising the privacy of Torontonians. One solution proposed to the committee, for example, was releasing the nearest major intersection to each incident rather than the specific address. [Source]
CA – Regina Police Posting Photos of Potential Witnesses, Suspects and Victims
Can you identify this individual? That question is written under photos of various people, usually appearing in security camera footage, posted on the Regina Police Service’s website. Most of the pictures are of men and women entering stores, walking down aisles or buying something at a cash register. A form underneath the photos allows someone to leave a confidential tip. In some photos, police have put more information about why they are seeking someone, usually because they are a suspect in a crime. But in others, no information about why police want to talk to the individual is provided. The practice began shortly after police started posting photos of individuals wanted on outstanding warrants to its website in February. When explaining the “Can You Identify” page, a separate section of the website, police stress the individuals appearing there are not necessarily suspects in a crime. Once the individual has made contact with police, their photo is taken off of the website. Walter said police have had success with the initiative, and some of the individuals have turned out to be suspects. Before beginning the practice, the RPS consulted its legal counsel through the City of Regina. The approval was given on the basis that a person in a public space does not have the expectation of privacy, and their image is not considered personal information. What police are doing is legal, but it still doesn’t sit well with the Canadian Civil Liberties Association. “It’s not clear what they were suspected of doing, or why the police are seeking them. And once the police locate them, it may turn out that these individuals are innocent. However, other members of the community could assume that someone being sought by the police is guilty of some kind of wrongdoing, and this stigma is particularly troubling given how long images can stay on the Internet,” said Berger. [Leader-Post]
CA – Federal Government Launches Consultations on Breach Notification
On March 9, 2016 the Department of Innovation, Science and Economic Development Canada released a discussion paper on the new data breach regulations being proposed to PIPEDA pursuant to the Digital Privacy Act (Bill S-4). The Ministry is accepting public submissions until May 31, 2016 on the proposed Data Breach Notification and Reporting Regulations. The discussion paper not only solicits comments, it identifies issues that may arise in respect of certain regulatory approaches. Following this consultation process, the Canadian Government will publish draft regulations for public comment and further consultation. It is unlikely that we would see breach reporting come into force in Canada before the last quarter of the year. [Source] [Industry Canada] [Discussion document] [Source]
Consumer
WW – How Canadians Feel About Data and Privacy (Survey)
Concern about data privacy and security is down among consumers across the globe, but companies still have a long way to go to earn their trust, according to a new study from SAS. The analytics company conducted an online survey of more than 4,300 adults in 15 countries, including Canada. Globally, 63% of respondents said recent events like hacks and data breaches of government agencies and financial websites have heightened their concerns around sharing personal information, down from 69% in SAS’s 2014 survey. In Canada, 64% of consumers report concern about what businesses do with their personal data; 24% of respondents feel they have no control at all over what businesses do with their information, and only 13% believe they have total control. [Mobility, Vulnerability and the State of Data Privacy] [Marketing Magazine]
US – Time, Mansueto Ventures Sued for Alleged Data-Selling Practices
The ability to sell subscriber information to third parties is at the center of two separate lawsuits. Plaintiffs maintain that both Time Inc., the company behind magazines People and Sports Illustrated, and Mansueto Ventures’ data usage violated their respective states’ privacy legislation. “Unfortunately for its subscribers, Time supplements its sales and advertising revenue by secretly selling their statutorily protected information — including their full names, titles of magazines subscribed to and home addresses (collectively ‘Personal Reading Information’) — to data miners and other unrelated third party companies,” one suit reads. [NY Post]
US – Don’t Post About Me on Social Media, Say Children
Recently, university researchers asked children and parents to describe the rules they thought families should follow related to technology. In most cases, parents and children agreed — don’t text and drive; don’t be online when someone wants to talk to you. But there was one surprising rule that the children wanted that their parents mentioned far less often: Don’t post anything about me on social media without asking me. [New York Times]
E-Government
CA – Canada: Federal Government Lagging on Online Services, Documents Warn
The federal government is lagging behind both private sector offerings and Canadians’ expectations in online services, internal documents warn. A full 77% of federal services still cannot be completed over the Internet. Services like passport applications, requesting access to government information, or obtaining proof of citizenship all require in-person treks to Service Canada locations or mailed application forms. A minority of services, like filing taxes or updating pension information, can be done online through government websites. In addition to raised expectations, the documents note that it takes a long time for the sprawling federal bureaucracy to implement changes in how it delivers services. [Source]
US – California Judge Reverses Court Order on Student Information Release
A federal judge tweaked her initial court order for the release of sensitive student data to a statewide parent group of special education advocates March 1, as a result of a “large number of objections” from parents who mailed in opt-out forms to the U.S. District Court in Sacramento. [The ruling] In her March 1 order, U.S. District Court Judge Kimberly Mueller noted the large number of objections to the potential release of student data received by the court following the posting of the “Notice of Disclosure of Student Records” on Feb. 1. In response, the court ordered that the CDE maintain custody of the most sensitive of its databases—the California Longitudinal Pupil Achievement Data System (CALPADS)—while running searches for information requested by the plaintiffs. The court also reiterated that no student’s personally identifiable information may be released to the plaintiffs unless and until they demonstrate to the satisfaction of the court that the method to be used to store the sensitive student data is secure, the CDE noted. The parties are still litigating the extent of the disclosure of student data. [Morgan Hill Times] See also: [Special ed court case causes stir] [Teachers union supports opt-out option]
E-Mail
CA – Claim that Minister Doesn’t Use Email Adds Questions About B.C. Libs Compliance With FOI Laws
The B.C. finance minister has joined a growing list of senior provincial government officials who either claim they do not use email or who have been caught routinely deleting their emails. The practice has gained prominence following freedom-of-information requests by the media and a damning report by the OIPC BC, which rebuked the Liberal government for failing to adequately create and maintain records. It also singled out specific staff for routinely “triple deleting” emails as a means of permanently destroying records. BC Premier Christy Clark responded with a public statement. “The practice of ‘triple-deleting’ will be prohibited, ministers and political staff will continue to retain sent emails and a new policy and specific training will be developed,” she said in a December 16 media release. Clark also said the government would “study and consider the establishment of duty to document”. According to a statement from his press secretary, “(Finance) Minister de Jong has the longstanding practice of requiring information such as briefing notes, decision notes, memos and other correspondence to be delivered to him through his office on paper, rather than to an email account.” “His choice not to receive information or hold conversations by email is a matter of personal preference as a way to manage and prioritize the volume of information his portfolio already entails,” the statement continues. De Jong’s aversion to the world’s most common form of interoffice communication puts him in good company among Liberal government senior staffers. On December 16, the Straight reported that the premier herself had essentially stopped using email. [Vancouver free press] [Finance Minister Mike de Jong doesn’t do email, says premier — and that’s OK with her] See also: [FOI response suggests B.C. Premier Christy Clark has basically stopped sending emails] and [NDP cites evidence of emails deleted from top government accounts, including premier’s]
CA – Former BC Staffer Charged in E-Mail Deletion Probe
A former B.C. government employee who allegedly deleted e-mails involving the Highway of Tears has been charged with two counts of willfully making false statements to mislead, or attempt to mislead, the province’s information and privacy commissioner. The B.C. Criminal Justice Branch announced the charges Friday – approximately 4 1/2 months after Commissioner Elizabeth Denham released a scathing report that said Premier Christy Clark’s government routinely thwarted freedom-of-information requests through tactics such as triple-deleting e-mails. The charges were laid under FIPPA. The accused, Mr. Gretes, faces a maximum fine of $5,000 a count. [The Globe and Mail]
Electronic Records
AU – Updated eHealth Record System Still Sparks Criticism
The Australian government’s revised eHealth program, now dubbed “My Health Record,” still faces the criticism of privacy advocates. While this newer iteration of the Personally Controlled Electronic Health Record permits an opt-out function, critics like the Australian Privacy Foundation argue that the program lacked specific instructions for doing so. “There are many people who should be very careful about letting the government put lots of identifying information into a central database,” the APF said in a statement. [Computerworld] [Opt-out e-Health a ‘Fundamental Breach of Trust’: Victorian Regulator]
Encryption
UK – ICO Issues Guidance on Use of Encryption
The U.K.’s Information Commissioner’s Office has released a new set of encryption guidelines, urging companies to embrace the practice before it’s too late. Although encryption practices are relatively simple, companies “often have no idea whether their data is encrypted or not,” the report states. The ICO said in a blog post that while choosing to forgo encryption isn’t illegal, “the ICO takes the view that regulatory action may follow in cases where a lack of encryption has led to a loss of data,” a stance that has already produced a large number of fines and cost many companies their reputation. [ZDNet] See also: [U.K.’s Investigatory Powers Bill would mean even small startups would be required to create backdoors to their systems] and [France Clears Bill That Could Force Apple to Unlock Terror Data] [A bill under consideration in France would impose powerful new penalties for companies that do not provide access to encrypted communications in terrorism-related investigations]
UK – Snooper’s Charter Would Require Even Startups to Build in Backdoors
Should the U.K.’s Investigatory Powers Bill pass through Parliament, even small startups would be required to “bake insecurities into their systems in order to be able to hack users on demand.” And, while Apple has been able to make public the fact that the FBI wants backdoor access in the U.S., the U.K. bill would require companies to keep quiet about law enforcement requests. “They built in systems that would force companies who have more than 10,000 users — which for a startup 10 years ago used to be a hard thing, now you can quite quickly collect 10,000 users no problem — so it’s a very low threshold,” said Privacy International’s Eric King. [TechCrunch]
US – EFF on Why FBI Can’t Force Apple to Sign Code
Code is speech: critical court rulings from the early history of the Electronic Frontier Foundation held that code was a form of expressive speech, protected by the First Amendment. The EFF has just submitted an amicus brief in support of Apple in its fight against the FBI, representing 46 “technologists, researchers and cryptographers,” laying out the case that the First Amendment means that Apple can’t be forced to utter speech to the government’s command, and they especially can’t be forced to sign and endorse that speech. In a “deep dive” post, EFF’s Andrew Crocker and Jamie Williams take you through the argument, step by step. [Source]
US – Encrypted WhatsApp Messages Frustrate New Court-Ordered Wiretap
The US Department of Justice has opened another legal front in the ongoing war over easy-to-use strong encryption. Prosecutors have gone head-to-head with WhatsApp, the messaging app owned by Facebook. Citing anonymous sources, The New York Times reported that “as recently as this past week,” federal officials have been “discussing how to proceed in a continuing criminal investigation in which a federal judge had approved a wiretap, but investigators were stymied by WhatsApp’s encryption.” The case, which apparently does not involve terrorism, remains under seal. [The New York Times]
WW – Google Adds Worldwide HTTPS Info to Transparency Report
Google has launched a transparency report specifically to track the progress of the Internet’s encryption efforts. The aim is to support the general push to have encryption available everywhere. Even within the Google universe HTTPS is far short of 100% of traffic. Excluding YouTube traffic, but with Gmail, Drive, Search and increasingly Blogger and advertising traffic over HTTPS, only 75% of what’s served from Google domains is currently encrypted. Google will be updating that reporting each week, the company says. The second plank of the strategy is looking at Certificate Transparency: a public search interface letting users check that a certificate is valid and is being used correctly. [The Register]
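The search interface described above sits on top of a Merkle tree: a Certificate Transparency log (RFC 6962) commits to every certificate it has accepted in a single root hash, and a client holding a certificate’s log entry plus the log’s published root can check, offline, that the entry is really in the log. The block below is an added example, not code from Google’s report or from any CT log implementation; the leaf contents are constructed stand-ins for real log entries (a real entry is a MerkleTreeLeaf structure wrapping the certificate, and the root hash comes from the log’s signed tree head). Hashing follows RFC 6962 section 2.1 (0x00 prefix for leaves, 0x01 for interior nodes) and the verification loop follows the procedure in RFC 9162 section 2.1.3.2.

```python
import hashlib
from typing import List

LEAF_PREFIX = b"\x00"  # RFC 6962: domain separation between leaves and nodes
NODE_PREFIX = b"\x01"


def leaf_hash(data: bytes) -> bytes:
    """RFC 6962 leaf hash: SHA-256(0x00 || entry)."""
    return hashlib.sha256(LEAF_PREFIX + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    """RFC 6962 interior node hash: SHA-256(0x01 || left || right)."""
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def _split_point(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_tree_hash(leaves: List[bytes]) -> bytes:
    """MTH(D[n]) as defined in RFC 6962 section 2.1 (the log's root hash)."""
    n = len(leaves)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hash(leaves[0])
    k = _split_point(n)
    return node_hash(merkle_tree_hash(leaves[:k]), merkle_tree_hash(leaves[k:]))


def inclusion_proof(index: int, leaves: List[bytes]) -> List[bytes]:
    """PATH(m, D[n]) from RFC 6962 section 2.1.1: the sibling hashes a log
    hands out so a client can recompute the root from one leaf."""
    n = len(leaves)
    if not 0 <= index < n:
        raise IndexError("leaf index outside tree")
    if n == 1:
        return []
    k = _split_point(n)
    if index < k:
        return inclusion_proof(index, leaves[:k]) + [merkle_tree_hash(leaves[k:])]
    return inclusion_proof(index - k, leaves[k:]) + [merkle_tree_hash(leaves[:k])]


def verify_inclusion(entry: bytes, index: int, tree_size: int,
                     proof: List[bytes], root: bytes) -> bool:
    """Client-side inclusion check (RFC 9162 section 2.1.3.2). Returns True
    only if the proof rebuilds exactly `root` for a tree of `tree_size`."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash(entry)
    for p in proof:
        if sn == 0:
            return False  # more proof nodes than the tree height allows
        if fn & 1 or fn == sn:
            r = node_hash(p, r)  # sibling is on the left
            if not fn & 1:
                # right-hand edge of an incomplete subtree: skip missing levels
                while not (fn & 1 or fn == 0):
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)  # sibling is on the right
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


if __name__ == "__main__":
    # Constructed log entries; a real log's leaves wrap DER certificates.
    log = [b"cert-entry-%d" % i for i in range(7)]
    root = merkle_tree_hash(log)
    idx = 5
    proof = inclusion_proof(idx, log)
    print("root:", root.hex())
    print("proof length for leaf %d:" % idx, len(proof))
    print("entry included:", verify_inclusion(log[idx], idx, len(log), proof, root))
    print("forged entry included:", verify_inclusion(b"forged", idx, len(log), proof, root))
```

A proof is only meaningful against a root the client obtained independently of the prover (in CT, from a signed tree head checked against the log’s key), and a verifier that accepts a proof for one tree size should not reuse it against another, which is why the size is an explicit input here.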
EU Developments
EU – MEPs Vote Against Putting Passenger Name Record on Plenary Agenda
Members of the European Parliament voted 7 March against placing the Passenger Name Record on the plenary session agenda, citing privacy objections. “It is true that the Council has never been particularly helpful on the legislative package related to data protection,” said French Socialist Delegation President Pervenche Berès. “But the fact that PNR has still not been adopted in March 2016, after it was promised for December last year, does not give a very good impression of the EU.” MEPs rejected placing PNR on the agenda for “fear a vote on PNR may allow member states to abandon the personal data protection package they have promised as a counterweight to the new surveillance powers.” [EurActiv] See also: [some analysts are predicting the EU-U.S. Privacy Shield will not stand up to judicial scrutiny in Europe]
EU – EDPS Releases Case Law Overview
The European data protection supervisor has released a working document covering relevant privacy and data protection case law in the EU between Dec. 1, 2014 and Dec. 31, 2015. The case law pertains to the Court of Justice of the EU, European Court of Human Rights, and national courts of member states “on the right to the protection of personal data, the right to protection of private life, access to documents, and the right to freedom of expression,” the EDPS working document states. The overview also includes pending cases and is “intended to provide factual summaries of case law.” [Source]
Facts & Stats
US – Verizon Issues Data Breach Digest Report
Verizon has released a Data Breach Digest Report, a set of 18 case studies that comprise common scenarios that the majority of breaches fall into. The incidents include a water utility at which intruders managed to manipulate water treatment processes and flow; a developer who outsourced his work to China; and pirates (the seafaring variety) who used information stolen from a shipping company’s computers to target specific containers on vessels they boarded. [eWeek] [DarkReading] [Ars Technica] [CSO Online]
US – Businesses Reluctant to Report Attacks: Report
According to the report “Cyber Security: Underpinning the Digital Economy,” from the Institute of Directors and Barclays bank, many organizations do not report cyberattacks to law enforcement. Just 28% of cyberattacks are reported. The report also found that while most business leaders believe cybersecurity is important, just half have established plans to protect themselves from attacks. [ZDNet]
CA – 53% Have Been ID Theft or Fraud Victims: Equifax Survey
More than half of Canadians (53%) say they have been a victim of financial fraud according to an Equifax Canada survey. Additionally, new data suggests that millennials (Generation Y) are increasingly the ideal target for fraudsters and organized crime syndicates. Throughout Fraud Prevention Month in March, Equifax Canada will work with the Canadian Anti-Fraud Centre (CAFC) to educate consumers, especially millennials, about the impact of fraud and how to protect themselves. The CAFC estimates that mass marketing fraud losses to businesses and citizens have grown to more than $10 billion annually, and it’s believed that almost 80% of all fraud is committed by organized crime groups. [Source]
Finance
US – FTC Wants Details on Credit Card Audit Practices
The FTC has issued orders to nine companies to share their Payment Card Industry Data Security Standard (PCI DSS) auditing practices, the agency said in a statement. The FTC aims to measure “the state of PCI DSS assessments,” the statement says. The agency further hopes to gauge “the ways assessors and companies they assess interact” and to glean “information on additional services provided by the companies, including forensic audits.” [FTC]
FOI
CA – OIPC BC Orders Disclosure of 3rd Party Pricing Info Withheld by Public Body
The BC OIPC reviewed a decision by the Capital Regional District to withhold records requested pursuant to FIPPA. Disclosure of the information would not significantly harm the competitive position of the third party; the information does not directly state hourly rates, is not sufficiently detailed to reveal the hourly rates of individual personnel, and is dated information from 2009 and of limited use to competitors. [Order F16-05 – Capital Regional District]
CA – OIPC BC Orders Elections Body to Disclose Administrative Records
This OIPC order reviewed Elections BC’s refusal to disclose records requested under BC FIPPA. The administrative records are subject to FOI legislation and must be disclosed (e.g. job descriptions and a delegation matrix indicating who the Chief Electoral Officer has chosen to assist with his various functions); operational records do not fall under the legislation and may be withheld (e.g. an event plan that relates to the CEO’s planning of electoral processes, and memorandums of understanding related to the exercise of the CEO’s powers in relation to the prosecution of electoral offences). [Order F16-07 – Elections BC]
CA – OIPC SK Partially Upholds the Decision to Withhold Certain Records
The Saskatchewan OIPC reviewed the Saskatchewan Arts Board’s decision to withhold records requested pursuant to The Freedom of Information and Protection of Privacy Act. The Board withheld records containing third party information which qualifies as advice, proposals, recommendations, analyses or policy options (such as the analysis of and recommendations for issues faced by the Board, and reports prepared for the Board which included advice and recommendations) that would be part of the Board’s responsibility and were prepared for the purpose of taking action or making a decision. [Review Report 154-2015 – Saskatchewan Arts Board]
Average Breach Falls Below Cyber Insurance Policy Deductible, Study Shows
An Advisen study, commissioned by ID Experts, found that the cost of the average data breach is less than most cyber insurance policies’ deductibles. “Most data breaches are small — consisting of fewer than 500 records lost,” the report states. “But most cyber insurance policies are set up to protect against large data breaches, with 90% of respondents having a deductible that is greater than $10,000.” As a result, more than 70% of those surveyed employ internal resources to clean up these smaller incidents. “There’s a lot of misconceptions around cybersecurity insurance — what it does, what it could do. It’s not for everyday occurrences.” [DarkReading]
CA – Commercial Liability Policies Likely Do Not Protect Companies from Data Breach Costs
A law firm examines why Commercial General Liability (CGL) policies may not protect companies in the event of a breach. The standard CGL policy usually requires “compensatory damages” to have been incurred, but the tort of breach of privacy does not require proof of damages; breach notification often requires legal assistance, which is not covered. U.S. case law suggests that CGL coverage for privacy-invasive “publication” does not apply to publication by third parties (e.g. hackers). [Breach: How New Types of Privacy Claims are Changing the Litigation Landscape – Daniel Reid, Associate, Harper Grey, Insurance Brokers Association of BC]
Genetics
UK – Police Hold DNA Profiles of 7,800 Terrorism Suspects
A police counter-terrorism database contains the DNA profiles and fingerprints of more than 7,800 identified individuals, an official government watchdog has revealed. The figure revealed by the biometrics commissioner, Alastair MacGregor QC, in his annual report last week, is far higher than any previous indications of the number of suspected terrorists in Britain. The commissioner reveals that the number of individuals whose DNA profiles and fingerprints are being logged on the little-known database as a result of counter-terrorism investigations is growing rapidly, having risen from 6,500 identified individuals in October 2013. The watchdog also reports that errors and delays in an official drive to delete the biometric records of those who have never been convicted of an offence – which account for 55% or 4,350 of those on the counter-terrorism database – have led to the destruction of a significant number of biometric records of terrorism suspects that should have been kept on national security grounds. In his second annual report, MacGregor says 1.7m DNA profiles and 1.6m sets of fingerprints have been deleted from the police national DNA database since the home secretary, Theresa May, introduced legislation in 2012 requiring the removal of details of those who have never been convicted of a criminal offence. He says that the deletions, which leave the national DNA database holding the biometric details of 12.5% of all men and 3% of all women in Britain, have not had any “demonstrably adverse impact” on its effectiveness; indeed, if anything, its overall “match” rate with DNA evidence found at crime scenes has gone up. But the commissioner raises serious concerns about the standalone national counter-terrorism police database. It has been quietly built up under powers in the Terrorism Act 2000 by collating DNA profiles and fingerprints gathered from searches, arrests and crime scenes during counter-terrorism investigations.
MacGregor says he decided to publish the number of individuals on the counter-terrorism database after it was suggested to him in 2014 that to do so would be contrary to the interests of national security. He says he was “not wholly persuaded” by the argument and this year he sought and obtained agreement to disclose the number. [The Guardian]
Health / Medical
CA – Ont. Court: Doctors in Assisted Death Case Cannot Be Named by Press
An Ontario judge agreed to ban media from reporting the names of the doctors of a Toronto man seeking assisted death, arguing that anonymity is needed to ensure health workers keep helping out in such cases. The ruling by Justice Thomas McEwen of the Ontario Superior Court also prohibits identifying the cancer patient and his family, citing the “intensely private and personal matter of his death.” A lawyer representing the National Post and other news media had objected to the scope of the ban requested by the 80-year-old man, saying it was important to make public the physicians’ names, partly to help identify any doctors who might “rubber-stamp” assisted-death requests. But the physicians and other health workers had asked to remain anonymous and were justified in doing so, said Justice McEwen. “Their wish and concerns are entirely reasonable, in my opinion, given the publicity and controversy surrounding physician-assisted death,” said his 10-page decision. “This is a public interest of great importance … There may be a serious risk (with naming names) of impairing access to physicians willing to assist.” The judge also ruled that the patient’s lawyer could redact the identifying information from the court file before making it available to the media or their lawyers. [Source]
US – Study: Health Apps Pose Major Privacy Concerns
An Illinois Institute of Technology Chicago-Kent College of Law study of Android mobile apps for diabetes management found privacy practices wanting. “Many health apps transmit sensitive medical information, such as disease status and medication compliance, to third parties, including aggregators and advertising networks,” the report states. More than 80% of the apps had no privacy policies. An undefined legal landscape encourages these behaviors, the researchers argue. “Patients might mistakenly believe that health information entered into an app is private (particularly if the app has a privacy policy), but that generally is not the case,” they said. [CBS News]
EU – Estonian Citizens to Have World’s Most Hack-Proof Health-Care Records
Estonia is moving its citizens’ health records to a database, built on blockchain technology, whose history cannot be altered without detection. While financial institutions rave about the potential of blockchain, the technology that powers bitcoin, to revolutionize the financial world, it can also help keep private data secure. A blockchain is essentially a digital ledger in which every entry carries a cryptographic hash of the entry before it, so every change made to the ledger is recorded indelibly. This lets it serve as an audit layer for health data. Whenever someone’s health records are accessed, that “event” is recorded on the blockchain, alongside a record of what information was changed or added. The records themselves are not thereby made unreadable or unchangeable; what the ledger provides is tamper evidence: nobody can change the history without leaving traces, provided the ledger’s latest hash is anchored somewhere the operator cannot quietly rewrite. Eventually, there will be a dashboard for the public to see their own health records and any changes made to them. [Estonia using Blockchain to secure health records] [Estonian citizens will soon have the world’s most hack-proof health-care records] [Guardtime secures over a million Estonian healthcare records on the blockchain]
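The property the item describes, a log of record-access events in which no entry can be edited or dropped without detection, comes down to hash linking. The following is an added example written for this page, not Estonia’s or Guardtime’s code (their KSI system also anchors and timestamps the chain externally, which this toy does not): each event carries the hash of the previous event, and a verifier walks the chain to find the first broken link. Actor names, patient references and the record deltas are constructed for the demo.

```python
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from typing import List, Optional

GENESIS = "0" * 64  # prev_hash of the very first event


@dataclass(frozen=True)
class Event:
    seq: int
    actor: str          # who touched the record (clinician id, system id)
    patient_ref: str    # pseudonymous patient reference, never clinical content
    action: str         # e.g. "read" or "update"
    change_hash: str    # SHA-256 of the record delta; the delta itself stays off-ledger
    prev_hash: str      # hash of the preceding event: this is the "chain"
    event_hash: str     # hash over all the fields above


def _digest(body: dict) -> str:
    # Canonical JSON so the same fields always hash to the same value
    blob = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def _body(ev: Event) -> dict:
    body = asdict(ev)
    body.pop("event_hash")
    return body


class AuditChain:
    """Append-only, hash-linked log of record access events."""

    def __init__(self) -> None:
        self.events: List[Event] = []

    def append(self, actor: str, patient_ref: str, action: str, delta: bytes) -> Event:
        prev = self.events[-1].event_hash if self.events else GENESIS
        body = {
            "seq": len(self.events),
            "actor": actor,
            "patient_ref": patient_ref,
            "action": action,
            "change_hash": hashlib.sha256(delta).hexdigest(),
            "prev_hash": prev,
        }
        ev = Event(**body, event_hash=_digest(body))
        self.events.append(ev)
        return ev

    def verify(self) -> Optional[int]:
        """None if every link holds; otherwise the seq of the first bad event."""
        prev = GENESIS
        for i, ev in enumerate(self.events):
            if ev.seq != i or ev.prev_hash != prev or _digest(_body(ev)) != ev.event_hash:
                return i
            prev = ev.event_hash
        return None


def tamper_demo() -> tuple:
    """Builds a short chain (constructed data), then shows two ways an edit is caught."""
    chain = AuditChain()
    chain.append("dr-ahmed", "P-0001", "read", b"")
    chain.append("nurse-lee", "P-0001", "update", b"bp=140/90")
    chain.append("dr-ahmed", "P-0001", "read", b"")
    intact = chain.verify()  # None: every link holds

    # 1. Rewrite who performed event 1: its own hash no longer matches.
    chain.events[1] = replace(chain.events[1], actor="dr-ahmed")
    edited = chain.verify()  # 1

    # 2. Recompute the edited event's hash as well: now event 2's prev_hash breaks.
    chain.events[1] = replace(chain.events[1], event_hash=_digest(_body(chain.events[1])))
    rehashed = chain.verify()  # 2
    return intact, edited, rehashed
```

The second case in `tamper_demo` is the important one: an insider who can rewrite one entry can also recompute its hash, and is only caught because the next entry still points at the old hash. An insider who can rewrite the whole tail of the chain is caught only if the head hash was published or timestamped outside the system, which is the job of the anchoring that production systems add.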
US – Senator Asks Privacy Regulators to Stop Abuse of Nursing Home Residents on Social Media
After a December 2015 ProPublica report documented more than 35 incidents involving employees at assisted living homes sharing photos of residents on social media, U.S. Sen. Tom Carper, D-Del., wrote the Department of Health and Human Services’ Office for Civil Rights asking what it’s doing to curb these instances. Of the photos, which often depict naked, ill residents, Carper said in a statement, “This type of abuse is unacceptable and falls short of our moral obligation to the ‘least of these’ in our society.” The OCR’s Deven McGraw said the office would reply to Carper’s inquiries. [ProPublica] See also: [Newfoundland health worker fired for privacy breach involving 25 patients]
Identity Issues
EU – EMA Published Guidance on De-Identification of Clinical Reports
The European Medicines Agency (EMA) has published guidance on the anonymization of clinical reports under its policy on publication of clinical data for medicinal products for human use (EMA/240810/2013). Under EMA Policy 0070, manufacturers are required to submit anonymized versions of clinical reports to the agency, as well as a risk analysis report documenting why the risk of re-identification is considered sufficiently small. The specific characteristics of the clinical data should be taken into consideration when selecting the most appropriate anonymization technique (e.g. masking, randomization or generalization); a data controller must continuously follow developments in re-identification techniques and, if necessary, reassess the risk of re-identification. These documents will then be made publicly available under two different data sharing mechanisms. Many manufacturers are now trying to figure out how to meet these requirements for their new submissions. [Source] [Webinar by Privacy Analytics – March 31, 2016] [European Medicines Agency – External Guidance on the Implementation of the European Medicines Agency Policy on the Publication of Clinical Data for Medicinal Products for Human Use]
Internet / WWW
UK – New Guide to Help Build Child Safety into Platforms
The U.K. Department for Culture Media & Sport has released a new guide designed to help organizations ingrain online child safety into Web and mobile businesses. The guide, Child Safety Online: A Practical Guide for Providers of Social Media and Interactive Services, uses the six principles of the ICT Coalition for Children Online safety framework, a European industry initiative to make online platforms safer for younger users. The principles include content; parental controls; dealing with abuse/misuse; child abuse or illegal contact; privacy and controls; and education and awareness. [Source]
Law Enforcement
CA – Vancouver Police Investigates Leak About Visiting Photographers
The Vancouver Police Department claims it is still investigating how a local website obtained an internal police bulletin and photographs of three men who were wanted for questioning after they were seen taking photographs at Pacific Centre Mall last January. “As this matter remains under investigation by the Vancouver Police, we are relying on section 15 of the Freedom of Information and Protection of Privacy Act to withhold records related to this issue.” Section 15 of the act consists of a number of provisions that allow government organizations to refuse to release information if doing so would be “harmful to law enforcement”. The Straight filed the requests in question after the local website published photographs that the website later said it had obtained from an internal police bulletin it had received from a member of the VPD. The original post published on January 14 included photographs of the three men wanted for questioning and quoted the VPD internal bulletin describing them as “men who look Middle Eastern”. The following morning, VPD chief Adam Palmer said the force was never planning to go public with a warning about the men. He explained the VPD only responded with information intended for the public after an internal report was leaked to media. The VPD subsequently released a statement that cleared all three men of any wrongdoing. [Source]
US – Use of Stingrays Violates Fourth Amendment: Court
The Maryland Court of Special Appeals upheld a historic decision by a state trial court that the warrantless use of cell-site simulators, or Stingrays, violates the Fourth Amendment. The trial court had suppressed evidence obtained by the warrantless use of a Stingray, the first time any court in the nation had done so. Last April, a Baltimore police detective testified that the department has used Stingrays 4,300 times since 2007, usually without notifying judges or defendants. Stingrays mimic cellphone towers, tricking nearby phones into connecting and revealing their users’ locations. Because every phone in range connects, a Stingray sweeps up data on dozens or potentially hundreds of people, not just the target. The ruling has the potential to set a strong precedent about warrantless location tracking. [Slashdot]
CA – Surveillance Device Used In Prison Sets Off Police Probe
Federal prison authorities are under criminal investigation for possible illegal surveillance. The probe centres on Correctional Service Canada’s use of a dragnet surveillance device inside a penitentiary. Fallout from the 2015 surveillance incident, involving a device that CSC officials called a “cellular grabber,” has led to a lawsuit from jail guards and a criminal inquiry by the Ontario Provincial Police. [Source]
CA – RCMP Fight to Keep Lid on High-Tech Investigation Tool
Police in Canada are fighting to keep secret the specifics of advanced technology they’ve used to spy on mobile phones in a criminal investigation into organized crime. Court documents filed in the Quebec Court of Appeal show government lawyers have acknowledged that the RCMP used an extraordinary communications-interception technique involving “mobile device identifier” equipment. But the Crown will be fighting to keep details of the operation under wraps during a court hearing scheduled for March 30 in Montreal. Chris Parsons, a researcher with the Citizen Lab at the University of Toronto’s Munk School, said this case “wouldn’t be the first time [these devices] have been used – but it would be the first time [authorities] have been caught out in court.” The public is bound to want to know more, Mr. Parsons said. “These are fundamentally devices of mass surveillance,” he said. [Source]
AU – Fears Policing Databases Will Be Exempt from Privacy Laws
National policing databases for firearms, domestic violence and child offenders will no longer be overseen by Australia’s privacy watchdog and could be exempt entirely from privacy laws if they are handed over to the Australian Crime Commission under proposed laws. The information commissioner, Timothy Pilgrim, has warned in a Senate inquiry submission that if a proposed bill to merge CrimTrac’s functions into the Australian Crime Commission is passed, the data held by CrimTrac will no longer be subject to Australia’s privacy laws. The federal government has put forward bills that would see the secretive Australian Crime Commission, which has the power to conduct coercive interviews, essentially take over the functions of CrimTrac and other agencies. CrimTrac is the national policing organisation that holds major databases on firearms, domestic violence, child offenders and missing persons. It also assists in the collection of biometric data for the immigration department. As a result it holds large quantities of personal information on millions of Australians. The agency will continue to be overseen by the commonwealth ombudsman and the Australian Commission for Law Enforcement and Integrity. But Pilgrim said the “scope of that oversight differs” from the specific privacy-related oversight of the Office of the Australian Information Commissioner. [The Guardian]
Location
UK – Unmasking Banksy: Did ‘Predictive Policing’ Tool Catch An Artist?
A geographic profiling tool, developed to find serial criminals and terrorists, may have helped unmask the identity of Banksy. Researchers say they have identified the elusive artist, creator of million-dollar works of political graffiti, as Robin Gunningham, supporting a theory published by the Daily Mail in 2008. Scientists at Queen Mary University of London used a statistical tool to map 140 locations of Banksy’s works around Bristol and London and compare them to the homes of possible candidates, they wrote in the Journal of Spatial Science. That led them to Mr. Gunningham. This mathematical method of analysis, known as criminal geographic profiling, is often used by law enforcement to identify serial criminals. The idea behind the technique is that people tend to commit crimes close to where they live. The technique has also been used to trace breeding sites for malaria outbreaks and to locate the roosts of wild bats, and the researchers suggested that what helped find one graffiti artist could also help locate terrorists. “More broadly, these results support previous suggestions that analysis of minor terrorism-related acts (e.g., graffiti) could be used to help locate terrorist bases before more serious incidents occur,” they wrote in their abstract. Not everyone accepts that geographical profiling can accurately pinpoint perpetrators, though it is used by several US police departments. Data-fuelled analytics, also called “predictive policing,” has drawn considerable criticism, with critics arguing that the method is discriminatory and often targets minorities. “What data are they using? How are they weighing variables? What values and biases are coded into them?” writes the Guardian. “Even the companies that develop them can’t answer all those questions, and what they do know can’t be divulged because of trade secrets.” “Police departments are opening the way for corporations to have disproportionate influence over what policing means in society. Technologies are not just neutral tools, and they are not divorced from politics; they are designed with certain values and goals in mind.” [Source] See also: [The Crime You Have Not Yet Committed]
Online Privacy
WW – Researchers Translate Privacy Policies into Layman’s Terms
A team of Stanford University, Carnegie Mellon University and Fordham University researchers has, over a two-year span, simplified more than 20,000 privacy policies from nearly 200 websites into a more approachable and user-friendly form for their Usable Privacy Project. “Our objective is to produce succinct yet informative summaries that can be included in browser plug-ins or interactively conveyed to users by privacy assistants that inform users about salient privacy practices,” said the project’s principal investigator at Carnegie Mellon. [SC Magazine]
WW – Google Agrees to Delist Links More Broadly For RTBF Compliance
Google will begin delisting links more broadly in order to better align with data protection authorities’ interpretation of the EU’s right-to-be-forgotten mandate. Previously, the company said it wasn’t responsible for delisting links from Google.com and other non-EU search domains. Now, it will use geolocation data to “restrict access to delisted URLs on all Google search domains accessible from the country of the person making the delisting request,” the report states. Google Global Privacy Counsel Peter Fleischer said that, since the European Court’s ruling, the company has worked hard to find the right implementation balance. “Despite occasional disagreements, we’ve maintained a collaborative dialogue with data protection authorities throughout. We’re committed to continuing to work in this way,” he said. According to Fleischer, Google will apply its new policy retrospectively to all search results it has already delisted following RTBF requests. Google’s Transparency Report shows that the company so far has evaluated more than 1.4 million URLs for removal in response to nearly 399,000 RTBF requests. It has delisted about 43% of the links while leaving the remaining 57% in place. [eWEEK]
CA – Controversial Calgary-based App Peeple Launches
Curious about your kid’s soccer coach? Wondering what others think of that guy who asked you out? There’s an app for that. Sort of. The Calgary-conceived app Peeple, announced to a firestorm of controversy late last year, is finally launching Monday after retooling a number of features. Peeple will let users rate each other in three areas: personal, professional, and romantic. In a change from the original concept, reviews are only posted with the consent of the person being reviewed; that is, the service is opt-in and a user can hide their negative reviews. But a planned future paid subscription that co-founder Julia Cordray called the “truth license”, not available for Monday’s launch, will let users see all reviews, even hidden ones. [Calgary Herald] See also: [Fortney: Peeple app creator stands firm, in a bathroom] and [‘You can’t possibly be that naive’: Dr. Phil delivers a folksy smackdown on Peeple app co-founder]
UK – ‘HAT’ trick: Service Allows Users to See and Trade Their Data
The Hub of all Things is a new service designed by U.K. researchers that aims to be the one-stop shop for Internet users wanting to control who accesses their data and for how long. It’s a virtual personal data “store,” which allows users to see the data corporations hold about them and then trade it, thus reaping the benefit of its value. Designers have launched an Indiegogo campaign to “mobilize a social movement to put the power of the Internet back into individual hands,” the report states. IoT data has “enormous value,” said HATDEX CEO Paul Tasker. “We believe that if all of us have our own HATs, we will have more power in the future to influence how our data is collected, stored and used; hugely benefitting ourselves and society whilst providing new opportunities to firms wanting to sell to us.” [ZDNet]
Other Jurisdictions
AU – NSW Privacy Commissioner Overwhelmed As Digital Generation Overshares
At a New South Wales parliamentary oversight committee hearing last week, NSW Privacy Commissioner Elizabeth Coombs argued that expanding her role from part time to full time and increasing her office’s resources are necessary to expand the agency’s influence. “So much sharing of data was increasing the demand for her work,” the report states. It’s now “apparent that the digital generation cares about its privacy,” and as such Coombs “has welcomed the call for a significant expansion of her powers.” [The Sydney Morning Herald]
AU – NSW Parliamentary Committee Backs New Privacy Laws for Individuals
The New South Wales Parliament’s Standing Committee on Law and Justice has announced its support for new legislation that would provide legal redress for individuals after a privacy breach. The laws would “fill gaps” left by the Commonwealth Privacy Act, which covers information handling by government agencies and larger organisations but not by small businesses or individuals, the report states. “The NSW committee has called on the state government to take a lead in the implementation of individualised privacy rules, in the face of ‘a lack of political will federally’ to put in place uniform national legislation,” the report continued. [iTnews]
AU – NSW Pawnbrokers Association Criticizes MAC Address Requirement
New state laws require pawnbrokers to collect and store the MAC addresses of any Wi-Fi-enabled devices that come through their stores. While police argue it will help track stolen devices, the NSW Pawnbrokers Association believes the requirements have “workability” and privacy problems, the report states; a MAC address is also set in software and can be changed, which limits its value as a theft identifier. Customers are “averse to giving us that information if they don’t have to because they don’t want us to have access in that privacy sense,” said the association’s spokesman. “Some people don’t care — the computer is just a toy or a novelty item, but for others it’s a serious business tool … and they just don’t want people having unfettered access to that information.” [iTnews]
Privacy (US)
US – Apple Tells Judge that US Gov’t is Well-Meaning but Wrong in Privacy Fight
Apple filed its final court brief in the San Bernardino iPhone case. Apple softened its rhetoric against the Justice Department, which has been heated on both sides of the debate in the last few weeks. The 26-page brief is the last court filing by either side until they meet in court March 22. “The government’s motivations are understandable,” Apple wrote in its latest filing, “but its methods for achieving its objectives are contrary to the rule of law, the democratic process, and the rights of the American people.” According to the report, the Department of Justice said Apple was attempting to usurp power from the federal government, adding, “The Constitution and the laws of the United States do not vest that power in a single corporation.” [the Guardian]
US – Verizon Wireless to Pay $1.35 Million Fine to Settle U.S. Privacy Probe
Verizon will pay a $1.35 million fine and has agreed to a three-year consent decree after the FCC found that its wireless unit violated the privacy of its users. Under the settlement, Verizon Wireless must obtain consumer consent before sharing “supercookie” data on its more than 100 million users. The largest U.S. mobile carrier inserted unique tracking codes into its users’ web traffic for advertising purposes. Supercookies are unique identifiers inserted into web traffic by the carrier rather than set by the browser, so users cannot delete them; they identify customers so that Verizon and others can deliver targeted ads. The FCC said Verizon Wireless failed to disclose the practice from late 2012 until 2014, violating a 2010 FCC rule on Internet transparency. The FCC also said the supercookies overrode the privacy settings consumers had chosen in their web browsers, which led some advocates to call it a “zombie cookie.” Under the agreement, consumers must opt in before their information is shared outside Verizon Wireless, and have the right to opt out of sharing information with Verizon itself. Until March 2015, Verizon Wireless customers could not opt out of the supercookies, but after several U.S. senators raised concerns about the practice, the company agreed to allow an opt-out. [Source]
WW – PWC Releases 2015 Enforcement Guide
PricewaterhouseCoopers has released its Privacy and Security Enforcement Tracker 2015. The second-annual guide aims to reflect on the past year’s most significant regulatory movements in the U.K. and across the globe. “If 2014 sounded an alarm to encourage the controllers and users of networks, computer and communications systems and [personnel] to review and improve their practices for privacy and security, then 2015 was the year when the final alarm was sounded,” the guide states. “The message of 2015 is clear: Entities that fail to take voluntary action to remedy bad practices will be forced to change.” [Source]
US – Erin Andrews Awarded $55M for Privacy Invasion
Sports reporter Erin Andrews was awarded $55 million in an invasion of privacy lawsuit. In 2008, a stalker surreptitiously recorded the well-known reporter while she was getting dressed in her hotel room, aided by information about her stay supplied by the hotel. Though she had asked for $75 million in the lawsuit, the jury was clearly sending a message, recognizing a very real and lasting privacy harm. [Privacy Perspectives]
US – Drone Regulation Faces Committee Approval
The Senate Committee on Commerce, Science, and Transportation looks set to approve legislation that would place drone regulation under the Federal Aviation Administration’s control. “Its key provisions would facilitate specific drone tests with set deadlines for progress reports and ensure that the FAA is involved at every step,” the report states. The bipartisan bill pleases drone industry representatives. “These policies will accelerate the safe use of commercial [unmanned aircraft systems] as well as expand collaborative research and operational efforts,” said the Association of Unmanned Vehicle Systems International’s Brian Wynne. “We urge the Senate to pass this bill quickly, as delaying this measure risks stunting a still-nascent industry and restricting many of the beneficial ways that businesses could use UAS technology.” [Morning Consult] See also: the smattering of state drone laws may conflict with the drone policies of the Federal Aviation Administration
Security
US – Weak Online Banking Password Policies
An investigation of 17 major US banks found that six of them have a significant weakness in their password policy: they ignore case, so a password typed in the wrong case still logs the user in. In total, this weakness may affect more than 350 million customers nationally. Ignoring case shrinks the space an attacker has to search (each letter position offers 26 possibilities rather than 52), and it implies that the bank either case-folds the password before hashing it or stores it in a form that allows case-insensitive comparison. The researchers attempted to contact the banks to notify them of the issue and to ask why they chose a weak policy. It turned out to be almost impossible to report a security issue: when contacted via telephone hotline, most representatives were trained only for everyday business activities. For example:
- one bank was adamant that it has a case-sensitive password policy, but testing showed otherwise
- one bank was not even aware of the existence of a security or IT department
- one bank simply said that this is its policy, without any further statement or explanation [Source]
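Two things a practitioner would want from this item are a way to test a login for the weakness from the outside, as the researchers did, and a sense of how much the weakness costs. The following added example (written for this page, not the researchers’ tooling; the username, password and credential store are constructed) shows a case-folding verifier beside the correct one, a black-box probe that submits the case-swapped password, and the factor by which case folding shrinks the brute-force space.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Tuple

Store = Dict[str, Tuple[bytes, bytes]]  # username -> (salt, pbkdf2 digest)
DEMO_PASSWORD = "Tr0ub4dor&3"           # constructed for the demo


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def make_store(fold_case: bool) -> Store:
    """Constructed credential store; fold_case=True models the weak policy."""
    salt = os.urandom(16)
    stored = DEMO_PASSWORD.lower() if fold_case else DEMO_PASSWORD
    return {"alice": (salt, _pbkdf2(stored, salt))}


def verify_weak(store: Store, username: str, password: str) -> bool:
    """Case-insensitive check: folds the password before hashing, so
    'PASSWORD' and 'password' are the same credential."""
    salt, digest = store[username]
    return hmac.compare_digest(_pbkdf2(password.lower(), salt), digest)


def verify_strong(store: Store, username: str, password: str) -> bool:
    """Correct check: the password is hashed exactly as typed."""
    salt, digest = store[username]
    return hmac.compare_digest(_pbkdf2(password, salt), digest)


def probe_case_sensitivity(login: Callable[[str], bool], password: str) -> bool:
    """Black-box test against a login function for a known-good account:
    returns True if the case-swapped password is accepted (policy ignores case)."""
    swapped = password.swapcase()
    if swapped == password:
        raise ValueError("password contains no letters; case handling cannot be probed")
    return login(swapped)


def keyspace_shrink(length: int, symbols: int = 62, folded_symbols: int = 36) -> float:
    """Factor by which case folding shrinks the brute-force space for a
    mixed-case alphanumeric password of the given length (62 symbols -> 36)."""
    return (symbols / folded_symbols) ** length
```

For an 8-character alphanumeric password the factor is about 77, roughly six bits of strength thrown away before the attacker even starts, and the damage is larger for every password the user chose with deliberate capitalisation. The probe needs only one account the tester controls; the researchers’ finding that one bank insisted its policy was case-sensitive when testing showed otherwise is exactly the case where this check beats asking.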
CA – KPMG Report Identified Five Key Cybersecurity Trends
Increased risks of ransomware and extortion-driven attacks, as well as the rise of the Internet of Things (IoT), are challenging Canadian organizations in new ways, according to a recent report from audit, tax and advisory services firm KPMG LLP, which identified five key cybersecurity trends impacting Canadian businesses in its Cyber Watch Report, released last week. These security risks are putting heightened pressure on organizations to protect, detect and respond to new adversaries and threat tactics, while preserving their trust and reputation with customers. [Daily News]
US – University of California Breach Monitoring System Creates Controversy
After a 2015 cyberattack, University of California President and former Secretary of Homeland Security Janet Napolitano secretly ordered a network monitoring security system installed on all UC campuses, a move that, when recently exposed, started a statewide debate. The system “monitors Internet traffic [and] it also stores it for at least 30 days. The idea is to allow security personnel to go back through the traffic to look for breaches.” Both the monitoring system and the secrecy surrounding it have sparked ire among students and faculty. “The very substance of higher learning really would not be possible unless the faculty and students have some guarantee of confidentiality,” said the American Association of State Colleges and Universities. [NPR]
WW – Windows 10 Will Add APT Protection
At the RSA conference in San Francisco, Microsoft revealed that it would be adding protection against advanced persistent threats (APTs) to Windows 10. The service, Windows Defender Advanced Threat Protection, detects anomalous system activity. It is currently in private beta on about 500,000 systems. [NextGov] [ArsTechnica]
Surveillance
US – FBI Quietly Changes Privacy Rules for Accessing NSA Data
The FBI has quietly revised its privacy rules for searching NSA-collected data involving Americans’ international communications, US officials have confirmed. The classified revisions were accepted by the secret US court that governs surveillance during its annual recertification of the agencies’ broad surveillance powers. The new rules affect a set of powers colloquially known as Section 702, the portion of the law that authorizes the NSA’s sweeping “Prism” program to collect internet data. Section 702 falls under the Foreign Intelligence Surveillance Act (FISA) and is set to expire at the end of 2017. A government civil liberties watchdog, the Privacy and Civil Liberties Oversight Board (PCLOB), alluded to the change in its recent overview of ongoing surveillance practices. The watchdog confirmed in a 2014 report that the FBI is allowed direct access to the NSA’s massive collections of international emails, texts and phone calls, which often include Americans on one end of the conversation. The board also expressed concern that the FBI’s “minimization” rules, for removing or limiting sensitive data that could identify Americans, did not reflect the bureau’s easy access to the NSA’s collected international communications. FBI officials can search through the data, using Americans’ identifying information, for what PCLOB called “routine” queries unrelated to national security. The oversight board recommended more safeguards around “the FBI’s use and dissemination of Section 702 data in connection with non-foreign intelligence criminal matters”. As of 2014, the FBI was not even required to make note of when it searched the metadata, which includes the “to” or “from” lines of an email. Nor does it record how many of its data searches involve Americans’ identifying details, a practice that apparently continued through 2015, based on documents released last February. The PCLOB called such searches “substantial”, since the FBI keeps NSA-collected data with the information it acquires through more traditional means, such as individualized warrants. But the PCLOB’s new compliance report, released last month, found that the administration has submitted “revised FBI minimization procedures” that address at least some of the board’s concerns about the “many” FBI agents who use NSA-gathered data. “Changes have been implemented based on PCLOB recommendations, but we cannot comment further due to classification,” said Christopher Allen, a spokesman for the FBI. [The Guardian]
US – Court Approves $9 Million Class Action Settlement to Resolve Allegations of Unauthorized Installation of Tracking Software on Mobile Devices
The U.S. District Court for the Northern District of California approved a class action settlement resolving allegations that multiple smartphone and tablet makers installed software on their devices that intercepted users’ communications. The defendants are the mobile device manufacturers HTC, Huawei, LG Electronics, Motorola, Pantech and Samsung. Net proceeds of the settlement will be distributed equally to class members (after payment of service awards, attorneys’ fees, costs and expenses, taxes, and the costs of notice and administration of the settlement); a website must be established to give class members notice of the material terms of the settlement, the procedures to receive benefits or exclude themselves, and how to comment on the settlement. [In Re Carrier IQ Inc. Consumer Privacy Litigation – US District Court Northern District of California – Case No. C-12-md-2330-EMC]
Telecom / TV
US – FCC Proposes New Privacy Rules for ISPs
Federal Communications Commission Chairman Tom Wheeler announced the agency’s highly anticipated proposal for new privacy rules for Internet service providers Thursday. Though the agency did not release the actual proposal, Wheeler described the main points of it — which centered around choice, security and transparency — and offered a three-page fact sheet. Not everyone supports this big move by the agency, however. [Source] See also: [How the FCC’s Privacy Proposal Could Affect More Than ISPs] [U.S. FCC Internet privacy proposal could harm broadband providers – Moody’s] [Wheeler: ‘Customers ought to have a say’]
US Government Programs
US – DHS Cyber Threat Sharing Program Review Shows Privacy Risks
A Department of Homeland Security review has revealed that an information-sharing program required under the Cybersecurity Information Sharing Act, passed in December, has privacy protection issues. According to the DHS report, the safeguards put in place to strip personally identifiable information from shared threat indicators may not be working. There is “residual privacy risk that these processes may not always identify and remove unrelated [personal information], thereby disseminating more [information] than is directly related to the cybersecurity threat,” DHS wrote. Under CISA, any PII shared through the program must be directly related to a cybersecurity threat, the report states. [Source]
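The residual risk DHS describes has a concrete shape: a scrubbing step that strips the fields it knows carry personal data will miss the same data when it reappears inside free text, while the address that is the indicator itself must survive because it is “directly related to the threat”. The following added example is written for this page and is not DHS code or any real sharing format; the indicator record, its field names and all addresses in it are constructed. It contrasts field-based scrubbing with content-based scrubbing and exposes what each would leak.

```python
import re
from copy import deepcopy
from typing import Dict, List, Set

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Fields whose value is the threat itself: an attacker's sender address stays in.
INDICATOR_FIELDS = {"pattern"}
# Fields the sharing process already knows hold PII unrelated to the threat.
KNOWN_PII_FIELDS = {"recipient", "reporter_email"}

# Constructed sample indicator; hypothetical field names and addresses.
SAMPLE: Dict[str, str] = {
    "type": "phishing-sender",
    "pattern": "billing@invoice-update.example",
    "recipient": "j.doe@hospital.example",
    "reporter_email": "soc@hospital.example",
    "description": "Staff member j.doe@hospital.example received an invoice lure "
                   "from billing@invoice-update.example",
}


def _indicator_values(ind: Dict[str, str]) -> Set[str]:
    """Addresses that are part of the indicator and must not be redacted."""
    keep: Set[str] = set()
    for field in INDICATOR_FIELDS:
        keep.update(EMAIL_RE.findall(str(ind.get(field, ""))))
    return keep


def scrub_known_fields(ind: Dict[str, str]) -> Dict[str, str]:
    """Field-based scrubbing: drops the fields known to hold unrelated PII."""
    out = deepcopy(ind)
    for field in KNOWN_PII_FIELDS:
        out.pop(field, None)
    return out


def residual_pii(ind: Dict[str, str]) -> List[str]:
    """Addresses still present outside the indicator fields, i.e. what would
    be disseminated beyond what is directly related to the threat."""
    keep = _indicator_values(ind)
    found: List[str] = []
    for key, value in ind.items():
        if key in INDICATOR_FIELDS or not isinstance(value, str):
            continue
        found.extend(addr for addr in EMAIL_RE.findall(value) if addr not in keep)
    return found


def scrub_free_text(ind: Dict[str, str]) -> Dict[str, str]:
    """Content-based scrubbing: redacts addresses wherever they appear,
    except those that are the indicator itself."""
    keep = _indicator_values(ind)
    out = scrub_known_fields(ind)
    for key, value in out.items():
        if key in INDICATOR_FIELDS or not isinstance(value, str):
            continue
        out[key] = EMAIL_RE.sub(
            lambda m: m.group(0) if m.group(0) in keep else "[redacted]", value)
    return out
```

Running `residual_pii` on the output of `scrub_known_fields` is the check the DHS report implies is missing: the victim’s address is gone from the `recipient` field but still sits in `description`. The content-based pass closes that gap for email addresses; the same pattern extends to other identifier classes (phone numbers, names, internal hostnames) by adding regexes and keep-lists, and whatever is not matched by any of them is the residual risk that remains.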
US Legislation
US – Colorado May Ease Student Health Privacy Rules in Response to Shootings
A bipartisan Colorado bill aims to grant private therapists and counselors more legal latitude to communicate with school officials when a patient’s behavior could result in “a dangerous environment in a school,” a move that has some mental health workers concerned about its privacy impact. While the bill emphasizes the confidentiality of disclosure practices, some argue it might not be enough. “The main concern is that confidentiality is the backbone of successful therapy and treatment,” argued Mental Health America of Colorado’s Moe Keller, also a former legislator. “You have to be able to trust the person you’re talking to.” The bill passed in the state’s House of Representatives and is poised for a Senate vote. [The Wall Street Journal]
Workplace Privacy
EU – Netherlands: Companies Should Not Track Workers Through Wearables
Dutch companies may not use wearables to monitor the health of their employees, even if the employees give their permission. Doing so is in breach of the Data Protection Act. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) determined this after investigating two companies that used wearables to gain insight into the amount of physical activity of their workers. One of the two employers also had insight into the sleep patterns of the employees. The employees of the companies were free to decide whether or not to participate in the experiment. According to the AP, however, within an employment relationship there can be no question of freely given consent, because the employee is financially dependent on the company. [Source] [Original – in Dutch] [Google translation]
US – Approved Bill Deals with Internet Privacy At Work
A bill preventing employers from accessing their employees’ social media accounts passed the legislature on the final day of the 60-day regular session. Del. Stephen Skinner (D-Jefferson) sponsored the Internet Privacy Protection Act (HB 4364) to establish guidelines when it comes to employees’ online privacy. The legislation would prevent employers from obtaining social media passwords from their employees and also help employers, according to Skinner. There are currently no federal laws in place regarding social media privacy at work, Skinner said. [Source]
+++