26 March – April 1, 2016


US – NTIA Face-Recognition Privacy Talks Blasted as ‘Orwellian Farce’

The U.S. Commerce Department’s National Telecommunications and Information Administration held a meeting last week in its ongoing multistakeholder effort to establish face-recognition technology data best practices, and the results disappointed privacy advocates. Advocates argue that representatives from the technology industry “hijacked” discussions on privacy, the report states. The result? “This is no longer a multistakeholder process,” said the Center on Privacy& Technology. “It is an industry stakeholder process. These draft guidelines are a direct consequence of that decision.” Lack of privacy in this sphere is particularly egregious as “you cannot delete your face.” [IB Times]

Big Data

EU – Security Risks Can Be Mitigated with Robust Access Control and Encryption

The EU Agency for Network and Information Security (“ENISA”) examined the security challenges of and best practices for Big Data. Big Data-related security risks include access control and authentication, secure data management, source validation and filtering, and application software security; mitigating measures include strong and scalable encryption, mandated purchasing from authentic suppliers, use of security standard-compliant devices, and assigning confidence levels on endpoint sources. [ENISA – Big Data Security]


CA – Feds Consulting on Open Government and Access to Information

Treasury Board President Scott Brison invited Canadians to participate in public consultations to help deliver the Government of Canada’s agenda for more openness and transparency. In the context of open dialogue, this series of consultations will be used to develop Canada’s 2016-18 strategy on open government, to be released this summer. Beginning May 1, the Government will also be seeking input from Canadians on how best to implement its commitments to improve the Access to Information Act. Minister Brison will kick-off the consultations on open government by hosting a Google Hangout with leading experts and leaders on April 6. [Source]

CA – Spy Agency Watchdog Facing Huge Budget Cuts

The Security Intelligence Review Committee, which reviews select activities of CSIS, expects to lose, on average, $2.5 million annually in funding starting next spring. The confusion comes as CSIS increasingly flexes its new powers granted under last year’s Bill C-51 national security legislation. The service had long been limited to collecting and analyzing national security intelligence for government, but is now empowered to actively disrupt suspected threats to security and to exchange and collate information on suspect Canadians with other federal departments and agencies, which was not possible before C-51. [National Post]

US – Federal Agencies Sharing Information Under Bill C-51 Provisions

At least four federal agencies have used controversial information-sharing powers in Canada’s new anti-terrorism law, internal government documents show. Privacy commissioner Daniel Therrien said Bill C-51 set the threshold for sharing Canadians’ personal data far too low. It’s not surprising that agencies have begun using the information-sharing act, said University of Ottawa law professor Craig Forcese. “The risk is that it’s being used in ways that are going to be difficult to predict because of the overbreadth and uncertainty of that act, and it’s going to be used in ways that are difficult to police,” said Forcese, co-author of False Security, a book that squarely criticizes the omnibus bill. “It’s added complexity to a complex problem rather than simplifying life.” [Source] [Canada’s new ‘anti-radicalisation’ office met with caution by Muslim community]

CA – Guidance on How CSIS Should Use Anti-Terror Bill C-51 Largely Secret

The federal government has issued guidance to Canada’s spy agency on using contentious new anti-terrorism laws — but most of the instructions won’t be made public. Many passages of the ministerial direction to the Canadian Security Intelligence Service, issued last July, were withheld from release due to provisions of the Access to Information Act concerning security, internal deliberations and cabinet confidences. The federal decision to keep much of the ministerial direction under wraps did nothing to reassure those with concerns about C-51, the omnibus security bill that received royal assent early last summer. The legislation gave CSIS the power to actively disrupt suspected terrorist plots, even allowing the spy service to take actions that breach the Charter of Rights and Freedoms as long as a judge approves. “One of our greatest concerns with C-51 is that CSIS has been given extraordinary new powers, including the power to break the law and violate the Constitution,” said Josh Paterson, executive director of the British Columbia Civil Liberties Association. [Source] [How is the Liberal government using Bill C-51? Good question ] [We Must Question The Timing Of This Terrorism Case ]

CA – BC OIPC Launches Investigation on Phone-Monitoring Tool

BC Privacy Commissioner Elizabeth Denham has kicked off a closed-door inquiry of a surveillance tool known as Stingray, which impersonates a cellphone tower in order to deceive any phone within range and obtain data, possibly storing everything it receives. Law enforcement officials from all over Canada aren’t saying if they use Stingray, as the police work to keep their mass surveillance systems under wraps. The BC Civil Liberties Association’s Micheal Vonn condemned the use of Stingray by police: “What we’re saying here is, does it help to collect the data of tens of thousands of individuals that aren’t the subjects of police investigation? No, of course it doesn’t help.” [Full Story] See also [Maryland Court Says Police Must Disclose Stingray Purpose Before Use]

CA – BC Privacy Commissioner Offers Parting Advice

As Information and Privacy Commissioner Elizabeth Denham prepares to move on to a national posting in the UK, she’s got in mind what the B.C. Liberals could give her in lieu of their tentative offer of a second six-year term here at home.

  • Lobbying reform: Denham’s biggest ask is to change the legislation so what is registered is actual lobbying and not prospective lobbying, “It would make enforcement of the law so much more practical and easier for my office. It would also, I think, help lobbyists because they have to register anyone they might prospectively lobby. It would be more meaningful for the public to be able to see actual lobbying and not prospective lobbying. “
  • Denham favours a stand-alone law governing both public and private health care providers. She also says B.C. should follow other provinces and legislate fines of up to $50,000 for unauthorized snooping by health care staffers. “They’re supposed to look at health information for their own patients, not look up information on celebrities, not look at their ex-spouse’s health information,” said the privacy watchdog. “It’s a serious problem of trust in the system, and we need higher penalties and enforcement.”

Denham is also calling for tougher penalties for the deliberate destruction of public records. Her landmark report from last fall, Access Denied, highlighted a series of concerns in that regard. It also led to recent charges against a government staffer for misleading the commissioner about the destruction of records. The charges are not about the action of unauthorized destruction of records,” explained Denham. “We need that in the Freedom of Information and Protection of Privacy Act. We need an offence provision, and we need the associated penalties.” [The Vancouver Sun]

CA – Legal Community Masses Forces for Set Piece Battle Over Privilege

Organized bar groups are massing at the Supreme Court of Canada again to repel what they contend are state attacks on the adversarial justice system. “When, and under what circumstances, can a regulator pry into a lawyer’s litigation brief, while the litigation is still under way, in order to examine the lawyer’s litigation strategy, trial preparation and other material collected or prepared for the dominant purpose of actual or apprehended litigation?” “If the court finds that litigation privilege can be abrogated by inference, it would expose lawyers’ briefs to regulatory scrutiny while litigation is still under way, in the absence of clear and explicit statutory language. This would dramatically expand the circumstances in which regulators could access information protected by litigation privilege.” [Lawyers Weekly]

WW – Software Flags ‘Suicidal’ Students, Presenting Privacy Dilemma

Ontario Christian Schools (OCS) is a private K-12 school near Los Angeles with about 100 children per grade. Three years ago, the school began buying Google Chromebook laptops for every student in middle and high school. The students would be allowed to take them home. Although Google software, like that of other companies, comes with virus protection and the ability to filter search results and block certain Web sites, Ontario Christian Schools turned to a third party to provide an additional layer of security: a startup called GoGuardian. GoGuardian helped school leaders create a list of off-limits websites: porn, hacking-related sites and “timewasters” like online games, TV and movie streaming. The software also has another feature: It tracks students’ browsing and searches whenever they are using the computer, at home or at school. That’s how OCS was alerted that a student appeared to be in severe emotional distress. Suicide is the third leading cause of death among youth aged 10 to 24. Said a research fellow at NYU’s Information Law Institute and an expert on student privacy and data. “This is a growing trend where schools are monitoring students more and more for safety reasons,” she says. “I think student safety and saving lives is obviously important, and I don’t want to discount that. But I also think there’s a real possibility that this well-meaning attempt to protect students from themselves will result in overreach.” This type of dilemma is almost certainly going to become more common, as school-owned devices and laptops proliferate. In 2015 alone, according to a report released this month, U.S. K-12 districts bought 10.5 million devices like laptops and tablets, a 17.5 percent increase over the year before. [NPR] See also: [Student Privacy at Risk Absent Better Training for All] [U.S. Department of Education guidance]


WW – New ‘Commerce VPN’ Site Aims to Make Online Shopping Safer

Launched yesterday, Privacy.com is a VPN for netizens’ credit cards, aiming to spare online shoppers from the fear that their information is stolen, used in targeted ads, or otherwise employed improperly. The site “drops in a one-time credit card number with no connection to you personally” come check out, making it appear as if Privacy.com is the buyer. The site also permits a debit account shopping system, like PayPal, as well as pseudonyms. While the system isn’t bullet proof, the report states, “you get a new layer of insulation from the world of online fraud.” [The Verge]

WW – Internet Users Don’t Understand Security or Privacy: Survey

Canadian think-tank CIGI (the Centre for International Governance and Innovation) reckons ordinary citizens are more comfortable with government oversight of the Internet and their privacy than, for example, Apple. In an international survey (24,000 respondents in 24 countries), the group claims

  • more than 70% want the “dark net” shut down (which rests on the assumption that 70% of people actually know what the “dark net” is).
  • 26% of users don’t trust their governments at all over monitoring their communications without their knowledge (something not highlighted in either of the two CIGI-Ipsos media releases).
  • Only 8.47% of respondents said they trust their governments completely (the citizens that most trust their governments were in Tunisia, at 27%, and Pakistan, at 21%).
  • most respondents don’t understand that unbreakable encryption protects things like their online banking and shopping, as well as protecting criminals: 60% of Americans and 63% of the total sample reckon “companies should not develop technologies that protect law enforcement from accessing the content of a user’s online data”.
  • Regarding access to citizens’ data, the survey says 70% over users think agencies should have access to citizens’ content for “valid national security reasons” (emphasis added), versus 30% who disagreed. [The Register]


US – FTC Signs Agreement with CRTC to Fight Unlawful Spam

The FTC signed a memorandum of understanding with the CRTC in regards to enforcing commercial email and telemarketing laws. The MOU is effective March 24, 2016. The agreement requires both the FTC and the CRTC to limit retention of shared materials, safeguard any shared information containing PII (by using encryption, using a courier with tracking capabilities, using password-protected files for electronic information and locked storage for hard copies, and redaction of publicly released materials), and notify each other of any breaches. [FTC – MoU between the US FTC and the CRTC on Mutual Assistance in the Enforcement of Laws on Commercial Email and Telemarketing| [Press Release]

WW – Google Enhances Gmail Security

Google has made some changes to Gmail to protect users from malicious links and state-sponsored attacks. When users click on suspicious links that arrive in email, Gmail will display a full-page warning them that visiting the site could harm their computer. Users will be able to choose to click through to the site. Google will also display a full-page warning when it believes state-sponsored attackers have targeted users. Google’s blog post also notes the company’s participation in submitting a draft IETF specification for SMTP Strict Transport Security, which aims to “ensure TLS encryption works as intended.” [SC Magazine] [Google Blog]

WW – The Dream of Usable Email Encryption Is Still A Work in Progress

In 2014, in the aftermath of the Edward Snowden revelations, Google and Yahoo, the two largest email providers in the world, promised to change that once and for all with a browser plugin that would make sending encrypted emails so seamless anyone could use it. Yet, Google and Yahoo’s projects on secure end-to-end encrypted email have yet to see the light of day. That’s why some are starting to question how much Google and Yahoo really care about making this happen. In recent interviews with Motherboard, both companies publicly renewed their commitment. “Engineers from Google, Yahoo, and the open source community continue to work together on the End-To-End Mail extension project. It remains a work in progress,” a Google spokesperson said. A Yahoo spokesperson said the team of new security chief Bob Lord “is still cranking on it,” and pointed to the fact that the company even mentioned the project in its amicus brief in support of Apple in the case of the San Bernardino shooter. Neither of the companies, however, dared to venture a prediction on when the final product would be released. [Motherboard]

Electronic Records

US – CyberSecurity Information Sharing Is Here to Stay

The adoption of the Cybersecurity Information Sharing Act in the U.S., among other initiatives both in the U.S. and internationally, are “likely to bring about a significant change in the way information sharing and collaboration works.” Paired with emerging technical standards that “promise to enable efficient information sharing at scale,” we will begin to see how “cyber-threat intelligence is poised to transition from a revenue-generating resource to a public good.” [Hogan Lovells]. See also: [New NIST working group born out of IoT complexities] See also: [Canadian Federal privacy commissioner will watch threat information sharing, says OPCC official] and [IIROC to Focus on Dealer Members’ Cyber Threats Preparedness]

AU – Vic CPDP ‘Catastrophic’ Impact of Info Sharing Failures

Failure to share information effectively between agencies can have “catastrophic consequences”, the report of the Royal Commission into Family Violence has found. It’s not news for Victoria’s Commissioner for Privacy and Data Protection, David Eatts, who said. “It’s disappointing that it takes a royal commission to highlight these issues, because they’re issues our office has been pointing out ever since I was appointed.” Privacy law is often blamed for different agencies being unaware of risks raised elsewhere. Stories abound of justice, drug and alcohol and child protection services, for example, failing to speak to one another and pick up clear warning signs that may have prevented serious harm. But, while the legislation is complicated, Watts argues it’s the overly legalistic and risk averse approach to privacy law, rather than the law itself, that’s the primary problem. Watts’ comments align with those made by his New South Wales counterpart Elizabeth Coombs last year, who argued the problem is with misunderstandings of privacy law, rather than the law itself. [The Mandarin]


US – FBI Unlocks iPhone Without Apple’s Help

The FBI has managed to crack the iPhone in the San Bernardino case without intervention from Apple. The Justice Department has dropped its legal case against Apple and “has asked a United States Magistrate Judge in Riverside, California to vacate her order compelling Apple to assist the FBI in unlocking the iPhone.” [CS Monitor] [ZDNet] [ArsTechnica] [Bloomberg] [Wired] [ComputerWorld] See also: [Apple scrambles to restore iPhone security after losing privacy fight]

EU – Silicon Valley Faces Encryption Fight in Europe

There are growing calls in some European countries for access to encrypted communications in the wake of recent terrorist attacks in the region. Though Apple is in a highly publicized debate in the U.S. about encryption in its devices, the company, along with other companies employing the security technology, may find similar fights in Europe. French lawmakers plan to debate new intelligence laws this week, and the U.K. is currently embroiled in the proposed Investigatory Powers Bill, which would give broad new powers to law enforcement. Other countries, however, including Germany and the Netherlands, do not back laws that would mandate access to encrypted devices. In the U.S., Sens. Dianne Feinstein, D-Calif., and Richard Burr, R-N.C., are seeking support for their encryption legislation. Rep. Jackie Speier, D-Calif., has released a new bill that would require personal information before purchasing a so-called “burner phone.” [New York Times]

EU Developments

US – Bulk Surveillance Court Cases Could stymie Privacy Shield

The Article 29 Working Party is reportedly looking into three cases that will be heard by the European Court of Justice in weighing its own opinion as to whether the EU-U.S. Privacy Shield is valid. According to Reuters, four individuals familiar with the group’s deliberations said the regulatory body is looking at an airline passenger data sharing pact with Canada as well as two other cases involving data retention by telecommunications companies. According to the report, the three cases are relevant to the Shield because they involve restrictions on bulk surveillance. A senior U.S. government official said, “We have negotiated the Privacy Shield based on the current state of law in the EU … If the law changes, we’ll have to go back and relook at how we handle these things.” [Reuters]

Facts & Stats

US – ACLU Maps DoJ Use of All Writs Act to Force Techs to Crack Devices

The Justice Department said tech companies have accessed phones for it before. So the ACLU tried to find all the cases.  The ACLU on Wednesday published court documents and an interactive map for what it said were dozens of instances when the U.S. government tried to compel tech companies to unlock customer devices, offering a fairly comprehensive look at where and under what circumstances law enforcement sought what now might be seen as controversial help. The civil liberties group said it had confirmed 63 such cases and suspected there could be up to 13 more based on its review of court documents and public statements by government and tech company officials. The ACLU said it published the map to stoke public discussion about the use of the All Writs Act. It is also pursuing a Freedom of Information Act request to learn more. [Washington Post]


US – Effects of Copyright Takedown Abuse on Online Free Expression” Study

Three of America’s sharpest copyright scholars have released a landmark study of the impact of copyright takedowns on free expression in America: Notice and Takedown in Everyday Practice, by Jennifer Urban (UC Berkeley), Joe Karaganis (Columbia), and Brianna L. Schofiel (UC Berkeley) uses detailed surveys and interviews and a random sample from over 100,000,000 takedown notices to analyze the proportion of fraudulent, malformed or otherwise incorrect acts of censorship undertaken in copyright’s name, using the Digital Millennium Copyright Act’s takedown procedure. The DMCA is nearly 20 years old, and even before it was passed into law, virtually everyone who was paying attention said that creating a system that allows anything online to be censored through copyright infringement accusations, without due process or even penalties for getting it wrong, would get us into trouble. Now the evidence is in, and it couldn’t be more damning. [Source]

WW – Egypt Blocks Facebook Internet Service After Surveillance Request Denied

After Facebook allegedly prohibited the Egyptian government from using the company’s Free Basics Internet as a surveillance tool, the government blocked the service altogether. Free Basics provides Internet use to those in poverty-stricken areas for free, and Facebook launched the Egyptian version in October of last year. By December, the government suspended the site, saying at the time that permit issues were to blame. Yet sources “close to the situation” maintain that Facebook “was blocked because the company would not allow the government to circumvent the service’s security to conduct surveillance,” the report states. [Reuters]


WW – Panama Papers: Mossack Fonseca Leak Reveals Elite’s Tax Havens

A huge leak of confidential documents has revealed how the rich and powerful use tax havens to hide their wealth. Eleven million documents were leaked from one of the world’s most secretive companies, Panamanian law firm Mossack Fonseca. They show how Mossack Fonseca has helped clients launder money, dodge sanctions and evade tax. The company says it has operated beyond reproach for 40 years and has never been charged with criminal wrong-doing. The documents show links to 72 current or former heads of state in the data, including dictators accused of looting their own countries. Gerard Ryle, director of the ICIJ, said the documents covered the day-to-day business at Mossack Fonseca over the past 40 years. “I think the leak will prove to be probably the biggest blow the offshore world has ever taken because of the extent of the documents,” he said. [BBC]


CA – OIPC BC Opposes Many Recommended Amendments to FOI Legislation

The OIPC responded to the recommendations made to the committee reviewing British Columbia’s FIPPA. The OIPC rejects a number of recommendations as unnecessary; the Law Society’s recommendation to exclude from disclosure to the OIPC all records subject to solicitor-client privilege is rejected because such disclosure may be necessary in the course of the OIPC’s functions and is subject to existing statutory confidentiality safeguards. The OIPC recommended that the law be amended to require a public body to automatically waive fees when it fails to meet its legislated timeline for responding to a request. [OIPC BC – OIPC Response to Stakeholder Recommendations to the Special Committee to Review the Freedom of Information and Protection of Privacy Act]

US – Study Offers Best Practices for Transparency Reporting: Institute

A new report from the Open Technology Institute at New America and the Berkman Center for Internet & Society at Harvard University examines best practices for transparency reporting. “The Transparency Reporting Toolkit: Survey & Best Practice Memos.” is a compilation of eight memos highlighting challenges major U.S. Internet and telecommunications companies face when reporting on law enforcement and government requests for user information. Transparency reports came into prominence after the Snowden leaks in 2013, but the study says technology companies, including Google, Twitter and Microsoft, have not utilized best practices when crafting these reports and it is therefore hard to compare metrics. “By conducting this survey, we’ve laid the groundwork for stronger and more comprehensive transparency reporting on government requests for user data and information,” said the Open Technology Institute. [Source] See also: [Reddit removes ‘warrant canary’ from transparency report] [ACLU released an online map tracking instances of the government’s abuse of the All Writs Act.]

CA – Why Was NEB Deleting an Email Sent In the Middle of the Night?

Canada’s pipeline watchdog is under investigation by Parliament’s information commissioner for deleting an email that drew attention to a mistake made by an employee, said the National Energy Board (NEB). An internal NEB email revealed that the employee who made the mistake was the pipeline regulator’s head of security. The NEB staff believe the deleted email contained references to how the regulator’s top security official had given personal information about a co-worker to a private investigator. But the email disappeared from the records of the Calgary-based NEB after a senior bureaucrat instructed staff to delete it. People can go to jail or pay hefty fines in the thousands of dollars for deleting records of the federal government’s day-to-day business and operations, under Canada’s access to information legislation. The NEB denied it broke the law. An NEB spokesman said that the contents of the deleted email had revealed it shared information about its employee with a potential contractor without verifying the firm’s security clearance. The spokesman also told National Observer that NEB staff decided to delete the email to mitigate the risk of “harm” caused to the employee whose name was mentioned in the correspondence. [National Observer] Fifth in an in depth series about the National Energy Board. Part I here, Part II here, Part III here, Part IV here.

WW – Microsoft Transparency Report for Second Half of 2015

Microsoft’s transparency report for the second half of 2015 shows that the company received 11% more legal requests for information than it did in the first half of last year. In all, law enforcement agencies made 39,083 requests for information regarding 64,614 accounts. Microsoft provided subscriber data for two-thirds of the requests. In two percent of the cases, Microsoft surrendered content, such as email, instant messages, and data stored in OneDrive. Microsoft also received 505 emergency requests for information. [ZDNet] [MSFT blog] [MSFT Transparency Hub] [New Microsoft Transparency Report Includes Revenge Porn Removal Stats]


US – Law Enforcement Investigators Seek Out Private DNA Databases

Investigators are broadening their DNA searches beyond government databases and demanding genetic information from companies that do ancestry research for their customers. Two major companies that research family lineage for fees around $200 say that over the last two years, they have received law enforcement demands for individual’s genetic information stored in their DNA databases. Ancestry.com and competitor 23andme report a total of five requests from law agencies for the genetic material of six individuals in their growing databases of hundreds of thousands. Ancestry.com turned over one person’s data for an investigation into the murder and rape of an 18-year-old woman in Idaho Falls, Idaho. 23andme has received four other court orders but persuaded investigators to withdraw the requests. The companies say law enforcement demands for genetic information are rare. [Associated Press]

Health / Medical

US – FTC’s Rich Outlines Health Data Protection Efforts, Calls for More Authority

Jessica Rich, the director of the FTC’s Bureau of Consumer Protection, gave testimony to the House Subcommittee on Information Technology and the Subcommittee on Health, Benefits, and Administrative Rules of the Oversight and Government Reform Committee last week, explaining the Commission’s current efforts to safeguard consumer health data, while reinforcing the Commission’s request for expanded authority to go further. Rich spoke about the FTC’s concerns regarding the large amounts of health information data generated on platforms such as websites, wearable technologies and communication portals. While those technologies are not covered under HIPAA, they do fall under FTC jurisdiction. Rich said the Commission has addressed health data privacy and security issues through enforcement, policy initiatives and education, but believes the organization can be more effective in stopping unfair and misleading practices if Congress passes regulation strengthening the Commission’s existing data security authority. [Full Story]

US – Hospital Settles Largest Per Plaintiff Breach Payout in History

A judge ruled that California-based St. Joseph Health System must pay more than $28 million to settle a 31,074-plaintiff class action suit, the largest per-member settlement in data breach history. This result comes after U.S. District Judge Kenneth Hoyt dismissed a similar suit against the organization in 2015, calling the plaintiff’s concern over “heightened risk of future identity theft” insufficient grounds for legal action. As a result of the 2012 breach, the settlement requires defendants to allot $7.5 million for plaintiffs, $7.4 million for lawyers’ fees, $4.5 million for credit monitoring services, and $3 million for identity theft compensation. [Source]

US – Nurse Hands Over License After Texting Compromising Patient Picture

A New York nurse surrendered her license to practice after snapping pictures of an unconscious patient’s genitals and sending them to peers via text. The surrender was part of a plea deal in which Kristen Johnson pleaded guilty to misdemeanor disseminating of unlawful surveillance photos. Her conviction marked the conclusion of a nine-month, Onondaga County District Attorney’s Office investigation after co-workers complained about her texts. [CBS 6 Albany] Police: Former Upstate nurse took pictures of patients’ intimate parts while unconscious | Central NY nurse loses license over cell phone photo]

US – MedStar Health System Infected with Malware

Washington-Baltimore area healthcare provider MedStar Health has shut down some of its computer systems following a malware infection. The organization says its clinical facilities are still open. MedStar operates 10 hospitals and more than 250 outpatient facilities. The FBI is investigating. [eWeek] [The Hill] [Reuters]

Horror Stories

US – Verizon Customer Data Breach

Verizon has acknowledged that a breach of its Verizon Enterprise Solutions unit compromised customer data. Verizon Enterprise Solutions helps companies respond to data breaches. Last week, a post on an underground cybercrime forum offered 1.5 million Verizon Enterprise Solutions customer records for sale. Verizon says the compromised data are “basic contact information [of] enterprise customers.” [Krebs] [eWeek]

US – University of Central Florida Spends $110,000 After Computer Hack

A computer hack affecting the personal information of 63,000 people at the University of Central Florida resulted in a nearly $110,000 invoice for the month of February. The costs include $64,000 to operate the call center where students and staff could learn if their information was compromised, and another $45,000 to print and mail packets warning people of the hack. UCF says their cybersecurity insurance, which comes from an outside company, covered the costs. While UCF has worked to help the victims, the university still faces lawsuits in the aftermath of the data breach. [WFTV 9]

Identity Issues

CA – Ottawa Man Claims Identity Stolen Using Canada Post Website

Mike Wood says someone stole his identity and changed his mailing address using Canada Post’s website. When he called Canada Post, he was told his mail was being forwarded to another address, after someone paid $117 to make the change online. Wood said the postal service official wouldn’t tell him where his mail was ending up, and that police told him they couldn’t help without that information. Wood said Canada Post told him whoever apparently stole his identity would have had to answer multiple security questions. He’s not sure how that’s possible. He added that a Canada Post representative also told him that tax season is a common time for identity theft, because tax forms include social insurance numbers. Canada Post wouldn’t comment about the case, beyond confirming that they are investigating. [CTV News[

Internet / WWW

US – Hogan Lovells Issues Legal Analysis of the EU-U.S. Privacy Shield

Law firm Hogan Lovells has released a 60-plus-page “Legal Analysis of the EU-U.S. Privacy Shield,” whereby the report’s authors assess the likelihood the Shield will withstand legal challenge by referencing jurisprudence of the Court of Justice of the European Union. Their conclusion? “[T]he Privacy Shield Framework provides an ‘essentially equivalent’ level of protection for personal data transferred from the EU to the U.S.” The assembled lawyers, on both sides of the Atlantic, set up “detailed and complex criteria” for assessing the Shield, and “in every instance, we have concluded that each criterion is met.” [HLDA] See also: [Why the cloud makes the EU-US Privacy Shield meaningless  ]

Law Enforcement

CA – Town of Banff Considers RCMP Traffic Camera Use

Banff RCMP want to use the Town of Banff’s downtown traffic cameras to help them solve crimes and nab crooks. At a council meeting last week, council considered a proposal from Banff RCMP to use the traffic cameras to help them solve crimes, but issues of personal privacy first need to be addressed. Town council unanimously directed administration to return with a report considering the Freedom of Information and Protection of Privacy Act (FOIP) implications of using the traffic cameras to help solve crimes. “Banff has a very low crime rate and we live in a very safe community,” said Councillor Karlos Stavros, who voiced support for the move. “We’re not talking about active surveillance at all. It’s about the ability to provide evidence for cases.” The Town of Banff’s traffic cameras, set up at various intersections in the downtown core, are currently used only to capture traffic data to help monitor traffic flow and overall traffic management. One of the camera types takes a still photo every minute and also has potential to take video. Currently, no personal information such as licence plate numbers or car occupant faces is recorded. Banff RCMP wants to expand the purpose of the traffic camera systems, not for ongoing surveillance, but as an investigative tool. [Source]

Online Privacy

EU – France Fines Google Over ‘Right To Be Forgotten’

The French data protection authority said it has fined Google €100,000 for not scrubbing web search results widely enough in response to a European privacy ruling. The only way for Google to uphold the Europeans’ right to privacy was by delisting inaccurate results popping up under name searches across all its websites, the Commission Nationale de l’Informatique et des Libertes (CNIL) said in a statement. [Reuters] [CNIL – Deliberation No. 2016-054 – Google Inc] [Press Release]

Other Jurisdictions

WW – MSFT Creates Special Chinese Government Version of Windows 10

Microsoft is now ready to roll with a version of Windows 10 designed specifically for the Chinese government, it has emerged. Back in December, Microsoft and China Electronics Technology Group Corp  announced they were setting up a Beijing-based joint partnership called C&M Information Technologies. The new organization will develop a specific build of Windows 10 for Middle Kingdom mandarins. This version will be “a government-approved Windows 10 image, including Chinese capabilities such as government selected antivirus software,” and be made available to “state-owned enterprise customers” including “government and critical infrastructure.” C&M “will provide product activation, patch management, deployment services and product support, as needed, to these government customers.” It will also “collect feedback from these government customers on their specific use requirements to inform the creation of the successive updates of the government Windows 10 image, which may be developed by the joint organization.” Presumably this feedback won’t include all the data Windows 10 routinely sends back to Redmond; this telemetry will likely be curtailed seeing as it’s an enterprise-friendly build. [The Register] See also: [US Navy paid millions to stay on Windows XP]

Privacy (US)

US – FCC Votes To Propose New Privacy Rules for ISPs

FCC Chairman Tom Wheeler moved yet another of his controversial proposals forward last week. The commission voted on party lines, 3-2, to advance a proposed rule imposing strong privacy regulations on ISPs. Wheeler wants to improve how ISPs treat individuals’ privacy when the market makes customer data immensely valuable. That data can give providers and analysts a perfect picture of the details making up a person’s everyday life, and the commission’s majority thinks that’s intrusive. The proposed rule would obligate companies to tell their customers what information they collect, how and if they share it with third parties, and how customers can change those privacy preferences. The proposal also would allow ISPs to use consumer data to sell other communications services or share it with outside marketers in that field. But it would allow customers to opt out of those practices. This is only the beginning. Before officials begin drafting final rules, they’ll need to wait for comments from industry members, think tanks and the general public. It’s a controversial idea. Republicans on the commission, GOP lawmakers in the House, and even members of the broadband industry have all pushed back on the proposed rule. The Republican commissioners were vocal about their dissent. The FTC already regulates privacy. [Source] [FCC OKs Proposed Privacy Rules With a Lot of Pushback] [How The FCC’s Proposed Privacy Rules Would Create A False Sense Of Consumer Privacy] [FCC Sparks Turf Wars As It Raises Washington Profile] [EPIC Urges FCC to Broaden Scope, Substance of Draft Privacy Rules]

US – FTC to Host Fall Seminar Series on Emerging Consumer Technology Issues

The FTC will host a series of seminars this fall to examine three new and evolving technologies that are raising critical consumer protection issues. The FTC Fall Technology Series comprises three half-day events that will explore ransomware, drones, and smart TV. In 2014, the Commission held a series of seminars examining the privacy implications of mobile device tracking, consumer generated health data, and alternative scoring techniques. [Drone bazooka is here]

FTC Fall Technology Series: Ransomware – 9 a.m. to noon, September 7, 2016

FTC Fall Technology Series: Drones – 9 a.m. to noon, October 13, 2016

FTC Fall Technology Series: Smart TV – 9 a.m. to noon, December 7, 2016


US – US Federal Agencies and Ransomware

29 US federal government agencies have reported a total of 321 ransomware incidents since June 2015, according to the Department of Homeland Security (DHS). Not all of the incidents resulted in infections, and no incidents resulted in payment of ransom. Last December, Senators Ron Johnson (R-Wisconsin) and Tom Carper (D-Delaware), chairman and ranking member of the Senate Homeland Security and Government Affairs Committee, requested information about agencies’ efforts to protect systems from ransomware. Carper has posted the responses to his website. [FCW] [The Hill] [NextGov] [Results on Senator Carper’s Website] [ComputerWorld: Ransomware Uses Windows PowerShell] [CarbonBlack] [Petya Ransomware Encrypt Master File Table]

US – FBI Seeking Help with Ransomware Investigation

Reuters obtained a copy of a confidential “Flash” advisory, dated March 25, 2016, in which FBI asked companies and security experts for help in its investigation of ransomware known as MSIL/Samas.A. This particular malware tries to encrypt data on an entire network rather than encrypting data on an individual computer. [Reuters] [With regards to Ransomware The Computer Incident Response Center Luxembourg (CIRCL) have released an excellent guide on “Proactive defenses and incident response“] In the wake of a number of high-profile attacks against hospitals, [legislators are moving to update cybersecurity laws to include protection against ransomware threats] [Ransomware not covered by e-health record laws]

US – Three More US Hospitals Infected with Ransomware

Three more US hospitals have disclosed that their systems were hit with ransomware. Methodist Hospital in Henderson, Kentucky information systems director Jaime Reid said the cause of the “Internal State of Emergency” at the hospital was Locky ransomware. Chino Valley Medical Center and Desert Valley Hospital in California were also struck with ransomware; both were operating normally by Wednesday, March 23. [Krebs] [BBC] [ArsTechnica] [NBCNews] See also: [Is Ransomware Considered A Health Data Breach Under HIPAA?]

US – Medical Dispensing Systems Have Remotely Exploitable Flaws

More than 1,400 remotely exploitable vulnerabilities were found in CareFusion’s Pyxis SupplyStation medical dispensing systems. More than half of the flaws found were given a severity rating of high or critical. The issues affect Pyxis SupplyStation versions 8.0, 8.1.3, 9.0, 9.1, 9.2, and 9.3 on Windows Server 2003/Windows XP. Version 9.3, 9.4, and 10.0 running on Windows Server 2008/Windows Server 2012/Windows 7 are not affected. The US Department of Homeland Security’s (DHS’s) Industrial Control System CERT has issued an advisory. [The Register] [SCMagazine] [ComputerWorld] [ICS-CERT Advisory]

US – Investigation Finds Security Gaps in State Department Visa Database

Security gaps discovered in a State Department system could allow hackers to doctor visa applications, or steal sensitive data. Several months ago, the State Department conducted an internal review learning its Consular Consolidated Database, the government’s “backbone” for vetting travels, was in danger of being compromised. The CCD, one of the largest biometric databases in the world, holds the personal information of nearly anyone who applied for a passport. A cyberattack could compromise sensitive information, including photographs, fingerprints and Social Security numbers, making it valuable for hackers looking to steal identities. Hackers could also alter records approving visa applications for individuals linked to terrorism who would normally be rejected. The State Department says it has addressed these concerns, and any vulnerabilities would be difficult to exploit. [ABC News]

CA – Keystroke Loggers Found at Concordia University

Keystroke logging devices were found on several workstations in the Webster and Vanier libraries at Concordia University in Montreal, Quebec. School officials have notified local authorities. [SC Magazine] [University Notice]

WW – Macro Blocking Now Available in Office 2016

Microsoft has added a feature to Office 2016 that allows enterprise administrators to block macros from executing. The feature can be configured for each application and is controlled through Group Policy. It can be used to disable macros in documents that come from the Internet zone. [The Register] [ComputerWorld] [MSFT Blog]


CA – Civil-Rights Group Appeals on Police Use of Cellphone Surveillance

Pivot Legal Society, a British Columbia-based legal-advocacy organization, filed an appeal with the province’s privacy commissioner after Vancouver police refused to disclose documents related to whether they use an invasive technology known as Stingray. …Wednesday was the deadline for interveners to file submissions on Pivot Legal’s appeal. Groups such as the B.C. Civil Liberties Association and OpenMedia argue that police are “stonewalling” attempts by the public to know the extent of the device’s use, which is putting Canadians’ constitutional rights at risk and preventing law enforcement from being held accountable. [Globe & Mail] [B.C.’s privacy commissioner launches inquiry into phone-monitoring device] [Canadian Cops Won’t Say if They Use ‘Stingray’ Mass Surveillance Devices] [Guilty pleas end risk of revealing RCMP surveillance technology]

CA – OIPC AB Finds Condominium Used Surveillance PI for Contrary Purposes

The Alberta OIPC investigated the Grandin Manor Ltd., a condominium corporation, for alleged violations of the Personal Information Protection Act. Unit owners of the condominium provided deemed consent for the collection and use of their personal information by the surveillance system because a majority of owners voted to implement the system and there is proper signage about the use of the cameras; however, personal information from the system was retrieved and used to send a warning letter to an individual for conduct unrelated to maintenance of building security. [OIPC AB – Order P2016-02 – Grandin Manor Ltd]

WW – Surveillance Silences Minority Opinions: Study

A new study published in Journalism and Mass Communication Quarterly found that those who felt their opinions on mass surveillance were in the minority were less likely to express them. The questionnaire exposed some to subtle reminders of government surveillance and others not. Once the idea of government surveillance is introduced, researcher Elizabeth Stoycheff found, participants — even those who indicated they support government surveillance for national security — were less likely to speak out about nonconformist ideas. [Washington Post]

US Government Programs

US – EPIC Scrutinizes DHS “Insider Threat” Database

In comments to the Department of Homeland Security, EPIC criticized a proposed “Insider Threat” database that would gather vast amounts of personal data on a wide variety of individuals outside the federal agency. The database would include information from the Standard Form 86, which is a 127-page questionnaire for national security positions. The form includes SSN, passport and driver license number, and medical reports among other sensitive data. The DHS database will cover broad categories of individuals, including persons who are not under investigation. The database will contain records not only on current and former DHS employees and contractors, but also on family members, dependents, relatives, and personal associates of individuals who are under investigation. EPIC urged DHS to narrow the scope of individuals included in the database and limit the amount of data collected. EPIC also urged DHS to significantly narrow the Privacy Act exemptions for its database and withdraw unnecessary proposed routine use disclosures. The Privacy Act exemptions DHS has proposed would allow the agency to ignore complying with a number of Privacy Act safeguards, including requirements to maintain accurate records and to limit collection to only that information necessary for the detection and prevention of insider threats. Moreover, DHS’s proposed routine uses would allow the agency to disclose database records to numerous entities for purposes unrelated to addressing “insider threats,” including hiring decisions and DHS public relations. Citing the recent surge in government data breaches, including the breach of 21.5 m records at OPM, EPIC warned that DHS data practices pose a risk to federal employees. EPIC has previously advocated for privacy protections in background checks and consistently warned against inaccurate, insecure, and overbroad government databases. s

US Legislation

US – Senate Passes FOIA Reform Bill

The Senate passed by unanimous consent the Freedom of Information Improvement Act of 2015. The bill, cosponsored by Senators Patrick Leahy (D-VT) and John Cornyn (R-TX), requires federal agencies to operate under a “presumption of openness,” and places time limits on the FOIA’s Exemption 5. Exemption 5 is most commonly invoked to protect the “deliberative process privilege” of inter- and intra-agency memoranda. The FOIA currently places no time limit on the exemption. The bill also seeks to strengthen the Office of Government Information Services (OGIS) and require new reporting on the use of exemptions and audits of agency FOIA processes. In promoting the legislation, Senator Leahy said the bill “will help open the government to the 300 million Americans it serves and ensure that future administrations place an emphasis on openness and transparency.” The House passed a similar bill in January 2016. Differences between the two versions must now be reconciled before President Obama can sign the bill into law. EPIC and a coalition of open government advocates previously urged the President to support the bipartisan legislation, pressing the President to honor his commitment to an “unprecedented level of openness” in his administration by pushing Congress to update the FOIA. The coalition identified six core ways the FOIA should be updated: (1) codify a presumption of disclosure; (2) require agencies seeking to withhold information to show foreseeable harm; (3) require agencies to weigh the public interest when withholding under Exemption 5; (4) exclude from Exemption 5 records older than 25 years; (5) waive fees when agencies miss statutory deadlines; and (6) expand the role of OGIS.




Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: