01-07 March 2016

Canada

CA – OIPC SK Finds Health Authority Allowed Technologists to Work Under Each Other’s Log-Ins

The Saskatchewan Information and Privacy Commissioner investigated a breach at the Saskatoon Regional Health Authority. It took 3-5 minutes for technologists to log-in and out of the system between patients which was too time-consuming; a number of solutions are being explored including providing each user with their own workstations (this would be very expensive and there is limited physical space), going paperless (there is still heavy reliance on paper requisitions and communications that require scanning), and having an assistant do all the scanning (this could compromise patient safety). [OIPC SK – Investigation Report 176-2015 – Saskatoon Regional Health Authority] See also: [Regina Leader: Saskatchewan Patient Access to Online Health Records Requires Big Focus on Security]

CA – OPC NS Outlines Privacy Rights for Government Info Sharing Initiatives

The Nova Scotia Information and Privacy Commissioner has released guidance on privacy rights in information sharing initiatives. Government entities should be open and transparent about how information sharing initiatives will be implemented, share the least amount of information needed to satisfy the goals of the initiative, and be accountable by implementing initiatives that establish and follow policies and procedures, risk assessment tools, formal agreements and contracts, and privacy breach reporting protocols. [OIPC NS – Protecting and Promoting Canadians Privacy and Access Rights in Information Sharing Initiatives] See also: Privacy Commissioner of Canada Daniel Therrien addressed the Senate and detailed his privacy goals in a keynote posted on the OPC’s site.

Consumer

WW – Billboards Can Track Your Location; Privacy Advocates Hate It

The next time you see a billboard on the side of the road, it may also be scanning you. A geolocation-tracking feature on billboards owned by Clear Channel Outdoor gives the company new ways to target advertising and measure its effectiveness. The service has caught the eye of privacy advocates, who worry that the so-called Radar tracker will be able to collect massive amounts of information from smartphones in cars driving past. Radar will collect mobile data from three Clear Channel partners, including AT&T. Clear Channel Outdoor receives aggregated and anonymous data from its partners, not personal information, said the VP of corporate communications at the company. The company launched the service in 11 markets earlier this week. [Source] See also: [Hey, Siri and Alexa: Let’s talk privacy practices]

Electronic Records

US – Healthcare Organizations Commit to Improve EHR Information Sharing

Several of the nation’s largest players in the private sector have committed to an initiative to improve the ability of providers and patients to share and use information in electronic health records. The effort has gained support from some of the nation’s largest developers of electronic health records systems, representing 90% of the health records used by U.S. hospitals, said the secretary of the Department of Health and Human Services . And the five largest private provider systems in the country are among a group of 16 hospital and health systems that have also indicated support for the initiative. Several large industry professional organizations—including the American Medical Association, the American Health Information Management Association, HIMSS and the College of Healthcare Information Management Executives—were quick to add support for the movement. The vendors and providers have agreed to implement three core commitments: Consumer access: To help consumers easily and securely access their electronic health information, direct it to any desired location, learn how their information can be shared and used, and be assured that this information will be effectively and safely used to benefit their health and that of their community. No information blocking: To help providers share individuals’ health information for care with other providers and their patients whenever permitted by law, and not block electronic health information (defined as knowingly and unreasonably interfering with information sharing). Standards: Implement federally recognized, national interoperability standards, policies, guidance, and practices for electronic health information and adopt best practices including those related to privacy and security. [Information Management]

Encryption

US – Why N.Y. judge’s All Writs Act Decision Is Huge Win for Apple

U.S. Magistrate Judge James Orenstein of Brooklyn does not have the power to bind other courts. The 50-page opinion he issued this week, denying the Justice Department’s application for an order under the All Writs Act to compel Apple to help the government unlock the phone of a convicted drug dealer, will not end the California federal-court showdown between Apple and the Justice Department over an iPhone belonging to San Bernardino shooter Syed Farook. Judge Orenstein’s decision isn’t even the last word in the Brooklyn case – the Justice Department said that it will ask for the order to be overturned by a district court judge. But Orenstein’s opinion is a milestone in the ongoing debate over privacy and national security. He is the first federal judge to analyze the reach of the All Writs Act in the age of the smartphone, yet he roots his discussion not in technological terms but in fundamental U.S. constitutional principles. Orenstein’s conclusions do not rely on the specific facts of the case before him or on the particulars of the operating system at issue. They are based on his reading of constitutional and Congressional history, providing broad context for his assertion of government overreaching. Judges considering contested All Writs Act requests in other courts may differ with Orenstein but they ought not ignore him. [Source] [Apple and FBI testify in hearing on locked iPhone: What we learned] [Apple’s Tim Cook defends privacy at shareholder meeting]

EU Developments

EU – EU-US Officials Release Privacy Shield Details

The European Commission and U.S. Department of Commerce have released details about the highly anticipated EU-U.S. Privacy Shield arrangement this week. The 132-page Privacy Shield Package includes a set of “Privacy Shield Principles,” two annexes, and letters from the International Trade Administration, U.S. Federal Trade Commission, U.S. Department of Transportation, the U.S. Director of National Intelligence, U.S. Department of State, and the U.S. Department of Justice. The proposed data transfer agreement is being met with criticism from privacy advocates, leaving US companies in limbo regarding the handling of EU citizens’ data. Privacy Shield was created as a replacement for the Safe Harbor Agreement, which the European Court of Justice nullified last October. Privacy Shield now faces scrutiny of EU regulators. [Ars Technica] [The Hill] [ComputerWorld] [Fortune] [The Privacy Advisor]

EU – WP29 Issues Statement on Privacy Shield

The group of EU data protection authorities — the Article 29 Working Party — issued a statement this week in response to the newly published details of the proposed EU-U.S. Privacy Shield arrangement. The group says it “welcomes the publication of the draft ‘adequacy decision’ of the European Commission” and the corresponding texts comprising the arrangement. It also said it will “analyze the safeguards” both in terms of the commercial and national security aspects and will finalize a draft opinion at its next plenary meeting on April 12 and 13. Meanwhile, reaction to the 132-page package is underway, including from Schleswig-Holstein DPA Marit Hansen. [Source]

UK – Techs, Privacy Wonks & Politicos Blast Investigatory Powers Bill

A tweaked version of the Investigatory Powers Bill—which seeks to augment surveillance of Brits’ online activity—landed with a thud in parliament this week, as privacy groups, the tech world, and politicians lined up to attack home secretary Theresa May’s proposed law. Time and time again, the word “disappointment” was bandied around by companies, organisations, and individuals that will be directly affected by the planned legislation. Many critics expressed anger about May’s dismissive response to the key recommendations laid out in three separate parliamentary reports about the Snoopers’ Charter, as it is colloquially known. [Ars Technica] [Everything you need to know about the redrafted IP Bill] [According to opinion polls voters don’t mind mass surveillance] [UK: Surveillance law: Revised bill to add privacy safeguards] [The UK government has been hacking for years—and now it’s legal]

EU – Facebook Hit With German Antitrust Investigation Over User Terms

Germany’s Federal Cartel Office will begin an investigation on Facebook’s data collection and advertising agreements. The unclear terms create “an abusive imposition of unfair conditions on users,” the Bundeskartellamt argued in a statement. “There is considerable doubt as to the admissibility of this procedure, in particular under applicable national data protection law,” the statement continued. “If there is a connection between such an infringement and market dominance, this could also constitute an abusive practice under competition law.” Facebook disagrees. “We are confident that we comply with the law and we look forward to working with the Federal Cartel Office to answer their questions.” [Fortune]

EU – German Privacy Watchdog Plans to Fine US Companies

Hamburg (Germany) Data Protection Authority (DPA) plans to fine three US companies for mishandling EU citizens’ data. The companies were following the Safe Harbor agreement that an EU court nullified last fall. Because there is not a firm new agreement in place, companies that are transferring data are breaking the law. Two other companies are reportedly under investigation. [Fortune] See also: Germany’s new data protection enforcement law went live on Feb. 24, and it could pose “an additional risk” for companies. See also: French data protection authority, CNIL, published its Single Authorization Decision No. 46, which aims to simplify the “administration burden” of legal compliance upon data processing.

Facts & Stats

WW – National Security Trumps Digital Privacy: 24 Country Survey

According to a new survey commissioned by the Centre for International Governance Innovation (CIGI) and conducted by global research company Ipsos, most global citizens favour enabling law enforcement to access private online conversations if they have valid national security reasons to do so, or if they are investigating an individual suspected of committing a crime. The survey also found that a majority of respondents do not want companies to develop technologies that would undermine law enforcement’s ability to access much needed data.

  • Seven in ten (70%) global citizens agree that law enforcement agencies should have a right to access the content of their citizens’ online communications for valid national security reasons, including 69% of Americans and 65% of Canadians who agree.
  • When someone is suspected of a crime, 85% of global citizens agree that governments should be able to find out who their suspects communicated with online, including 80% of Americans who agree.
  • More contentious is the idea of whether companies should be allowed to develop technologies that prevent law enforcement from accessing the content of an individual’s online conversations. On this issue, 63% agree that companies should not develop this technology, including 60% of Americans, and 57% of Canadians whom are most likely to agree with this statement.

Read the news release here. [Centre for International Governance Innovation (CIGI)]

Finance

CA – CRA Automates Most of Your Return, Helping Tax Software

Electronic tax filing is getting easier this year with Auto-fill, a CRA service that enters information for taxpayers using most kinds of certified tax software. The CRA has always had copies of most of the forms about each taxpayer, receiving them from banks and employers before you do. Last year it began a pilot program with the service it calls Auto-fill that allowed chartered accountants and other certified tax professionals to have this data entered onto a personal tax form automatically. This year that program rolls out to everyone. As long as you are filing on a software program that offers the option and have a “MyAccount” file with the CRA, the Auto-fill function will work. Groups such as Open Media and the Canadian Civil Liberties Association say Auto-fill is too new to assess the privacy implications. The CRA insists the Auto-fill function is secure, as information is only available if a taxpayer logs into MyAccount, which requires a robust password. Ann Cavoukian, a former privacy commissioner, said it is right to worry about privacy and security whenever a new feature like this is rolled out. [Source]

WW – Google’s New Payments App Means Never Having to Pull Out Your Wallet

Pay with your voice. Google has released to the public a new app called Hands Free, which lets people pay for items in stores by simply telling the cashier, “I’ll pay with Google.” The app, available for Android and Apple phones, is only being piloted in a few locations in the San Francisco area, including some McDonald’s and Papa John’s restaurants.Hands Free, which is separate from Google’s Android Pay mobile payments app, works by tracking your location using Wi-Fi and other sensors in your smartphone to detect whether you’re near a participating store. After you say “I’ll pay with Google,” the cashier confirms your identity by using your initials and the photo you’ve loaded onto the Hands Free app. At some stores, Google is also experimenting with an in-store camera to verify your identity automatically based on your Hands Free profile picture. Google said images and data from these cameras are deleted immediately and can’t be accessed by the stores. [Source]

FOI

CA – OIPC BC Upholds City’s Decision to Withhold Records

The Office of the BC Information and Privacy Commissioner reviewed a decision by the City of Nanaimo to deny access to records requested pursuant to the Freedom of Information and Protection of Privacy Act. The City was ordered to continue to withhold records which could reveal a motion made at an in camera Committee, emails exchanged between the City and regional district containing explicit markers of confidentiality, and assessment and evaluation records of how a City employee performed his job duties. [OIPC BC – Order F16-03 – City of Nanaimo]

Genetics

US – Obama Says People Who Give Genetic Samples for Research Should Own the Data

During last week’s summit on the Precision Medicine Initiative at the White House, President Barack Obama acknowledged the thorny issues surrounding genetic data ownership, a move some view as unprecedented. “It requires, first of all, us understanding who owns the data,” Obama said. “And I would like to think that if somebody does a test on me or my genes, that that’s mine. But that’s not always how we define these issues, right? So there’s some legal issues involved,” he added. “I had not heard this before from the president or anyone high-up at the White House, said Genetic Alliance’s Sharon Terry. [Slate] See also: [Manitoba DNA sweeps pose wrenching ethical questions: Carol Goar]

Health / Medical

US – Health IT Firms Ally with White House on Initiatives

The Obama administration announced that it has received commitments from various health IT developers to assist the president’s health care modernization initiatives. Among the proposed plans are allowing patients to access their records and test results with greater ease; streamlining data sharing between entities, while ensuring adherence to privacy legislation: and making the “data language” between groups universal, the report states. “We are working to unlock healthcare data and information so that providers are better informed and patients and families can access their healthcare information, making them empowered, active participants in their own care,” said Health and Human Services Secretary Sylvia Burwell. [The Hill]

EU – German Hospitals Hit with Ransomware

Computer systems at two hospitals in Germany were infected with ransomware. The cleanup process is expected to take several weeks. At Lukas Hospital in Neuss, the attack affected an x-ray system, an email server, and other network components. At Klinikum Arnsberg in North Rhine-Westphalia, the attack was detected after it infected one server. There are reports that a third hospital was targeted as well. [ZDNet] [The Register] [SCMagazine] [DW.com] See also: [The “HawkEye” attack: how cybercrooks target small businesses for big money]

UK – NHS Suffers 105 Security Breaches Over Personal Data in Year

Security breaches over personal data held by the NHS nearly doubled to more than 100 during the last financial year. Figures obtained under the Freedom of Information Act show that there were 105 such breaches in hospitals and other bodies in the National Health Service in the financial year 2014-15. This was an increase of 81% on the previous year, with 58 security breaches over personal data. The UK Information Commissioner’s Office said that action was taken to prevent repetitions, including six “enforcement notices” against NHS bodies in 2014-15. [ExaroNews]

Horror Stories

US – IRS Breach Now Estimated to Affect 724,000 People

The number of people affected by the US Internal Revenue Service (IRS) data breach keeps growing. The agency now estimates that the personal information of as many as 724,000 people has been stolen since January 2014. When the breach was first disclosed, the IRS estimated that it affected roughly 100,000 people; that figure was revised to 334,000 on August 2015. [NextGov] [NBCNews] [The Hill] [ComputerWorld] [The Register] [Krebs on Security]

WW – Companies Underestimating Breaches’ ‘Human Element’: Study

The breach catalyzed by a Snapchat employee who fell for a phishing scam is symptomatic of many companies’ data security problems. “Even if your technical security is up to snuff, your people may let you down.” A 2015 CompTIA survey found that more than half of security breaches that year were caused by human error, with 30% of respondents considering the “human element” to be a significant cybersecurity concern. The survey “suggests that companies may not be doing enough to prepare their workers for a world where a new scam might be in their inbox everyday.” [Washington Post] See also: [Hackers Can Steal Passwords, But Not User Behavior: In almost every publicized breach, security analysts ignored the crucial alerts due to the copious amounts of false alarms triggered on a daily basis]

Identity Issues

CA – Manitoba’s Multi-use PID Cards: Convenience Trumps Privacy

On January 11, 2016, Manitoba announced its approval of an all-in-one personal identification card (PIC). The PIC will offer Manitobans a combined driver’s licence, photo ID, Personal Health Identification Number (PHIN) and travel document as early as fall 2017. While the consolidation of identification into one location is a blessing for consumers, it raises privacy concerns and creates some challenges for business. BC introduced a similar combined card in February 2013. But unlike BC, where the province was criticized for not consulting the public, Manitoba Health Minister Sharon Blady emphasized that the move towards PICs came after a five-week public consultation process where overwhelmingly positive responses were reported. 80% of Manitobans surveyed said they agreed with the idea of creating an all-in-one PIC. However, a closer look at Manitoba’s full consultation report reveals interesting data on why PICs were supported. For example, when asked what the most important benefits of the proposed PICs were, 73% of respondents indicated convenience while only 18% cited enhanced protection. Similarly, in an online survey of 1,515 Manitobans, 71% rated convenience as the top benefit while only 16% indicated protection of identity theft/fraud. Public sentiment towards the convenience of PICs illustrates how privacy concerns, which trumped proposals for a national identity card in 2002, could be overlooked in today’s digital age. As a recent survey by the Pew Research Centre demonstrates, people are consistently willing to share personal information in exchange for something of perceived value. For example, 52% of respondents in the Pew survey said they would allow their doctor’s office to upload their personal health information onto a website described as “secure” if it made scheduling appointments easier and facilitated easy access to medical records. [CyberLex Blog (McCarthy Tétrault)]

CA – Inadvertent Sharing of Canadians’ Metadata by Intelligence Agency Shows Weaknesses of De-Identification

Two lawyers examine the sharing of intelligence data between the Five Eyes allies. The agency’s de-identification techniques failed when mixed with its allies’ re-identification capabilities; the risk of re-identification increases significantly where a data set includes data such as location-based data, IP addresses or cookies, or where the attack vector includes significant amounts of secondary data that can be linked to the de-identified dataset. [Why We Need to Reevaluate How We Share Intelligence Data With Allies – Tamir Israel and Christopher Parsons, Just Security]

Internet / WWW

WW – New Project Monitors Social Media for Signs of Mental Illness

Canadian and French researchers are working on algorithm to screen online posts for warning signs. $464,100 has been granted to the University of Ottawa for a three-year-long project called “social web mining and sentiment analysis for mental illness detection.”   “Social media is everywhere,” reads a news release issued by the university. “Internet users are posting, blogging and tweeting about almost everything, including their moods, activities and social interactions.”    The release goes on to explain how scientists from the universities of Ottawa, Alberta and Montpellier in France, will explore the use of social media data in screening for individuals at risk of mental health issues. [CBC]

Law Enforcement

CA – Saskatchewan Police Don’t Have or Want Stingray Tech

Municipal police agencies in Saskatchewan say they’re currently not using — and have no plans to use — “stingray” technology employed by other law enforcement agencies for tracking cellular devices. The technology has come under criticism south of the border from the ACLU; about 60 police agencies across 23 states and the DC in the U.S. have been reported to use the devices. According to a 2015 report from the ACLU, “stingrays,” also known as cell site simulators, are considered “invasive cellphone surveillance devices that mimic cellphone towers and send out signals to trick cellphones in the area into transmitting their locations and identifying information.” Brenda McPhail, director of the Canadian Civil Liberties Association’s privacy, technology and surveillance project, said stingray technology is on the rights advocacy group’s radar. She said requests for information on the devices within the Vancouver Police Department by Vancouver-based advocacy organization Pivot Legal Society, and of the RCMP and the Ontario Provincial Police by the Toronto Star in 2015, have gone largely unanswered. However, McPhail said chances are slim the device is nowhere to be found in Canada. [Saskatoon StarPhoenix] See also: [StingRays breach cell phone privacy]

US – Maryland Bill Permits Govt Use of Automatic License Plate Reader Systems

The State of Maryland has introduced a Bill related to the use of Automated License Plate Readers by law enforcement. Law enforcement agencies are not permitted to use captured data from an automated license plate reader unless the agency has a legitimate law enforcement purposes; the Department of State Police must adopt procedures including an audit process to ensure that information obtained through the use of an automatic license plate reader system is used only for legitimate law enforcement purposes, and safeguards to ensure that staff with access to the automatic license plate reader database are adequately screened and trained. [Maryland Public Safety Code 3-509 – License Plate Readers]

CA – MPPAC: RCMP Commissioner Should Resign Over Breach

The Mounted Police Professional Association of Canada (MPPAC) is calling for the resignation of the RCMP Commissioner Bob Paulson, following an investigation from the Office of the Privacy Commissioner of Canada which found that the release of RCMP members medical information was a “well-founded serious privacy breach.” Commissioner Paulson admitted that he authorized the investigation. Just this week Commissioner Paulson admitted to authorizing the release of sensitive health information of RCMP officers to the College of Psychologists without their permission. Canada’s Privacy Commissioner concluded that by sharing private medical information without the consent of the officers, the RCMP breached the Privacy Act. If the Commissioner does not resign, MPPAC is calling on the Government of Canada to take appropriate action. [Canada NewsWire]

Online Privacy

WW – Protect Your Privacy Online—and See Better Prices Doing It

The prices you see while shopping on the Web are aren’t always the same as the deals displayed to your spouse, neighbors or co-workers. But now, at least one technology company is helping customers see the unadulterated costs of their online purchases. eBlocker is a device that attaches to customers’ Wi-Fi routers to mask their identity from online tracking software. eBlocker protects every device in your home by combining the power of an advertising blocker, an IP address rerouter and by protecting you from being identified by third-party trackers. In other words, when you get online, you get a clean slate as if you’ve never used that device before. You can still use first-party cookies, like those that remember your passwords, but once you leave that website, you’re anonymous again. It’s like a combination of encryption, Adblock Plus and Tor, a so-called onion router often associated with the “dark Web.” But eBlocker avoids the hassle of installing all these on each device. It’s all part of an elaborate industry aimed at stopping a largely opaque phenomenon of online tracking: dynamic pricing. [CNBC]

Other Jurisdictions

AU – NSW May Introduce Tort/Law of Invasions of Privacy

Secret mobile phone recordings and revenge porn-style social media posts could be subject to tough new laws in NSW allowing people to sue for damages for invasion of privacy. The State Parliament’s law and justice committee recommended that NSW should “lead the way” in Australia in creating a new legal action for serious invasions of privacy. The laws could be replicated across the country. Under the plan, a person could sue for damages if their privacy had been invaded intentionally or recklessly. Governments and corporations would be held to a higher standard, and could also be pursued for damages over “big data”-style privacy breaches committed negligently. But experts have raised questions about whether the laws go too far, and might catch a wide range of “common human errors” such as government or corporate employees sending an email containing private information to the wrong recipient. The recommendations, endorsed unanimously by committee members drawn from the ranks of the Coalition, Labor and the Greens, follow renewed debate about the adequacy of existing laws protecting against invasions of privacy. [Sydney Morning Herald]

Privacy (US)

US – Apple Wins Ruling in New York iPhone Hacking Order

U.S. Magistrate Judge James Orenstein denied a government request that Apple help it gather data from an iPhone in a drug case, a ruling that bolsters Apple’s pro-privacy posture and potentially paves the way for similar judgments in other pending cases, including the iPhone of one of the San Bernardino shooters. Orenstein ruled the government was expanding its authority too broadly by using the All Writs Act to compel Apple to extract the locked phone’s data. Apple’s top lawyer, Bruce Sewell will testify in front of Congress today, along with FBI Director James Comey, on encryption and government access for law enforcement purposes. Meanwhile, Sen. Mark Warner, D-Va., and Rep. Michael McCaul, R-Texas, have officially introduced legislation that would create a National Commission on Security and Technology Challenges to help find solutions to the encryption and data security issue. [New York Times] See also: [Privacy groups wary of compromise encryption bill]

US – NY Court Rejects FBI Argument for Breaking iPhone Lockscreen in 2nd Case

Apple just won a victory in an iPhone warrant case although it may not help the company in its San Bernardino trial. The victory comes from a New York district court that’s been facing something legally similar to the higher-profile warrant case playing out in San Bernardino. In a 50-page ruling, Magistrate Judge Orenstein found that the All Writs Act did not justify the government’s request, and denied the government’s request to legally compel Apple’s help. [The Verge] See also: [Huge data cache retrieved from electronic devices belonging to men accused of Tim Bosma murder: OPP]

US – Legislators Speak Out in Support of Apple

Representative Darrell Issa (R-California) has published a column on Wired.com in which he writes, “The FBI cannot mandate that Apple create a backdoor to override the iPhone’s encryption features without creating a dangerous precedent that could cast a long shadow over the future of how we use our phones, laptops, and the internet for years to come.” [Wired] In a letter to FBI Director James Comey, US Congressman Ted Lieu (D-California) writes, “As a computer science major, I have seen far-reaching unintended consequences when government applies outmoded concepts to out fast changing technological world.” [FCW] As the debate surrounding the FBI’s case against Apple continues, two U.S. lawmakers have proposed a new multi-stakeholder commission to investigate data security issues.

US – Digital Equilibrium Project on Privacy and Security in the Connected World

The Digital Equilibrium Project, a collection of privacy and infosecurity veterans from government and industry have launched a white paper to define the issue and announce plans for a summit this summer to tackle what they describe as the “growing tension between privacy and security.” This paper is meant to foster a new, collaborative discussion on the most pressing questions that could determine the future safety and social value of the internet and the digital technologies that depend on it. It urges governments, corporations and privacy advocates to put aside the polarizing arguments that have cast security and privacy as opposing forces, posing 4 fundamental questions that must be addressed to ensure the digital world can evolve in ways that ensure individual privacy while enabling the productivity and commercial gains that can improve quality of life around the globe. Ann Cavoukian is among the authors. [Read Now]

US – California DMV Sued for Alleged Illegal Data Retention

Six plaintiffs maintain that California’s Department of Motor Vehicles breached the Information Practices Act and due process by unlawfully collecting and sharing private criminal records. The court papers, filed last week, argue that the agency has a trove of “upwards of one million” Californians’ data, a move that “violates privacy protections for certain records by retaining them after the statutory period has expired,” the report states. “California employers are aware that the DMV’s loose record retention and reporting practices allow them access to criminal history records they would otherwise be unable to obtain,” the suit states. “They take full advantage of this criminal record reporting loophole.” [Courthouse News]

Privacy Enhancing Technologies (PETs)

US – DHS Awards Yale University $1.7M for Data Privacy Research

Yale University’s “PriFi Networking” project now has $1.7 million from the Department of Homeland Security, a grant from the agency that aims to assist the university’s anti-tracking and surveillance technology development. The gift was thanks to the DHS Science and Technology Cyber Security Division’s Data Privacy program that invests in the creation of cost-effective and approachable pro-privacy tools. “Keeping the homeland secure depends on both guarding and granting access to secure systems, facilities, and other resources,” said DHS Undersecretary for Science and Technology Dr. Reginald Brothers. “Protecting Personally Identifiable Information is vital to the DHS mission and S&T has a long-standing interest in privacy-enhancing technologies.” [Newswise]

Security

US – IBM to Acquire Resilient Systems, Bringing Bruce Schneier on Board

Cybersecurity firm Resilient Systems and its Chief Technology Officer Bruce Schneier will become a part of the IBM family. “The acquisition will give IBM Security the industry’s first integrated end-to-end platform combining analytics, forensics, vulnerability management and incident response,” the report states. “The deal should be good for both companies, and will certainly benefit their respective customers.” [PCWorld]

US – CFPB Dives Into Data Security Enforcement

On March 2, 2016, the Consumer Financial Protection Bureau (CFPB) announced its first data security enforcement action in the form of a Consent Order with online payment platform Dwolla, Inc.  The five-year Consent Order is based on CFPB allegations that Dwolla engaged in deceptive acts and practices by misrepresenting to consumers that it had “reasonable and appropriate data security practices.”  Dwolla neither admitted nor denied that it engaged in data security misrepresentations.  The CFPB fined Dwolla $100,000, enjoined it from making further misrepresentations, and is requiring that it develop a written, comprehensive data security program, designate a person responsible for the program, provide employee training, conduct risk assessments, and undergo independent third party audits annually, among other things.  The CFPB also places primary responsibility for compliance with the Consent Order on Dwolla’s board of directors. [HLDA]

WW – Securing Data for Remote Access Users

Business requirements, distributed operations, and cloud deployments are forcing organizations to rethink remote access requirements, including how to secure the data and applications they access. According to a study conducted by software company Intuit, by 2020 more than 40% of the U.S. workforce will be contractors and contingent workers; that’s more than 60 million people. Why so? Because of the almost ubiquitous needs for organizations to share data in such a way that it speeds the flow of business transactions. The result is that most users are outside the enterprises, accessing data and applications as credentialed guests. And hence, the ‘outside-in’ network is the new normal. [Source]

Surveillance

US – California Courts Demand Total Access to Email and Social Media Accounts

The California Electronic Communications Privacy Act. Which took effect on Jan 1, 2016, has privacy advocates concerned that its “Fourth waiver” element railroads the privacy of individuals under probation or parole. This component of the act permits law enforcement to check the laptops or other devices of individuals on parole without a warrant. “Folks on parole, probation, even supervised release, they have a reduced expectation of privacy while they’re under supervision,” said the ACLU of California. “But that’s not the same as no right to privacy online or offline.” [The Intercept]

Telecom / TV

US – Cable/Telecom Operators Offer Up Privacy Framework to FCC

The National Cable & Telecommunications Association and American Cable Association have joined with other trade and tech groups to offer up what is being billed as a consensus privacy framework outlining guiding privacy principles. In essence, the framework is an articulation of NCTA’s argument that rather than come up with new rules and regs, the FCC should, as the new proposal says, “[pursue] reasonable enforcement actions against telecommunications service providers that have clearly violated these principles.” That is the FTC model. The FTC has enforcement authority but very limited authority to promulgate new regulations. The proposal, which was offered up in a letter to FCC chairman Tom Wheeler comes as the FCC prepares a proposal on how to oversee broadband sub privacy–a new authority under its Title II reclassification–as it currently does traditional video CPNI (customer network proprietary information). A vote on that proposal could come as early as this month’s public meeting. NCTA and ACA, joined by USTelecom, CTIA and the Competitive Carriers Association, said the FCC should focus on four things: “(1) transparency; (2) respect for context and consumer choice; (3) data security; and (4) data breach notification.” [Source] See also: [The 5 Things Every Privacy Lawyer Needs to Know about the FTC]

US – Publishing Group Calls on FCC to Regulate Broadband Data Use

As the Federal Communications Commission begins to draft privacy regulations for broadband providers, online publishing group Digital Content Next advised the FCC to ensure broadband companies both inform and empower their customers about the companies’ use of personal data. “In light of their access to sensitive information about consumers, we urge the FCC to require broadband providers to provide consumers with transparency and meaningful choice with regard to the collection and use of personal information,” DCN wrote in its letter to the FCC. “Consumers should have the ability to exercise choice via a mechanism that is easy to use, persistent and universal.” [MediaPost]

US – Swire Study: Encryption, Mobile Devices Curb ISP Knowledge

In a new report, Alston & Bird’s Peter Swire says that the employment of encryption and mobile devices has shrunk Internet service providers’ knowledge regarding their customers’ online habits. His study aims to counter advocacy groups’ “widely-held but mistaken view about Internet service providers and privacy,” he said, one that sees ISPs as entities collecting treasure troves of user data without consent. While staying away from definitive policy suggestions, Swire says overall, “public policy should be consistent and based on an up-to-date and accurate understanding of the facts of this ecosystem.” [MediaPost]

US Government Programs

US – TSA Defends Full-Body Scanners at Airport Checkpoints

Three years, more than 1,000 comments and multiple challenges by advocacy groups later, the TSA issued a rule finalizing its policy for using full-body scanners at airports. While TSA insists the machines are the best way to protect the nation’s travelers from terror attacks, critics challenge the use of devices over privacy and health concerns. The legal battle went all the way to an appeals court, which said TSA could keep the machines if it took legal steps to justify their use. In a 157-page report that summarizes arguments for and against the machines, and their hefty price tag — $2.1 billion from 2008 through 2017 — the agency said the devices provide “the most effective and least intrusive” way to search travelers for weapons hidden under their clothes. And with that, the agency finalized its regulation governing the machines. The rule won’t change anything for travelers. Even as the question wound its way through courts, TSA deployed the machines and now uses 793 full-body scanners at 157 airports. [Source]

US Legislation

US – Legislative Roundup

+++

 

 

Advertisements
Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: