01-08 April 2016


IN – Indian Gov’t Biometric Database at One Billion-Person Mark

India’s biometric database notched up one billion members this week, as the government sought to allay concerns about privacy breaches in the world’s biggest such scheme. India is home to 1.2 billion people. The database was set up 7 years ago to streamline benefit payments to millions of poor people as well as to cut fraud and wastage. Under the scheme, called Aadhaar, almost 93% of India’s adult population have now registered their fingerprints and iris signatures and been given a biometric ID. IT minister Ravi Shankar said the initiative had enabled millions to receive cash benefits directly rather than dealing with middlemen. He said the government had saved 150 billion rupees ($2.27 billion) on its gas subsidy scheme alone – by paying cash directly to biometric card holders instead of providing cylinders at subsidised rates. He also said all adequate safeguards were in place to ensure the personal details of card holders could not be stolen or misused by authorities given access to the database. His comments come after parliament passed legislation giving government agencies access to the database in the interests of national security. It was passed using a loophole to circumvent the opposition in parliament, where the ruling Bharatiya Janata Party (BJP) lacks a majority in the upper house. [Agence France-Presse]

JP – Fingerprints to be Tested as ‘Currency’ in Japan

Starting this summer, the Japanese government will test a system in which foreign tourists will be able to verify their identities and buy things at stores using only their fingerprints. The government hopes to increase the number of foreign tourists by using the system to prevent crime and relieve users from the necessity of carrying cash or credit cards. It aims to realize the system by the 2020 Tokyo Olympic and Paralympic Games. The experiment will have inbound tourists register their fingerprints and other data, such as credit card information, at airports and elsewhere. Tourists would then be able to conduct tax exemption procedures and make purchases after verifying their identities by placing two fingers on special devices installed at stores. The Inns and Hotels Law requires foreign tourists to show their passports when they check into ryokan inns or hotels. The government plans to substitute fingerprint authentication for that requirement. A total of 300 souvenir shops, restaurants, hotels and other establishments will participate in the experiment. They are located in areas that are popular among foreign tourists. The government plans to gradually expand the experiment by next spring, to cover areas including tourist sites in the Tohoku region and urban districts in Nagoya. It hopes to realize the system throughout the country, including Tokyo, by 2020. [Source]


CA – CSE and CSIS Looking to Work Together, Say Top Secret Documents

Canada’s top two intelligence agencies are looking for new ways to work together, while their review bodies remain in silos. The heavily censored documents were sent by CSE chief Greta Bossenmaier and CSIS director Michel Coulombe to Richard Fadden, the national security adviser to the prime minister, in August 2015. Fadden was both a former director of CSIS and the former top bureaucrat at National Defence, which is responsible for CSE. Bossenmaier and Coulombe suggest the two agencies are trying to “leverage (CSE’s) Mandate C authorities,” and set up a working group to “maximize opportunities for operational collaboration.” That could spell trouble for the small group of independent watchdogs reviewing the spy agencies’ activities. Both the Security Intelligence Review Committee and the CSE Commissioner’s office can review their respective agencies but can’t conduct joint investigations or see the big picture. [The Star]

CA – Liberals Postpone Full Access-to-Information Reform to 2018

The Liberal government says a full review of the outdated Access to Information Act will have to wait another two years. A comprehensive examination of the access law will begin in 2018, Treasury Board President Scott Brison said. Meantime, the government plans to introduce legislation as soon as this year with quick fixes to the law, based on promises the Liberals made during the election campaign and consultations already under way. The promised changes include giving the information commissioner the power to order government records to be released and ensuring the access law applies to the offices of the prime minister, his cabinet members and administrative institutions that support Parliament and the courts. A Commons committee recently began a study of the Access to Information Act, which has not been substantially updated since it took effect almost 33 years ago. In addition, the government began a public consultation on transparency on Tuesday. People can go to open.canada.ca to offer their views on what should be in the next federal strategy on open government. Officials will also hold in-person discussions across the country and the resulting plan is to be released this summer. [Source] See also: [Canadian officials requested to meet with Information Commissioner Suzanne Legault in order to find “a mutually satisfactory resolution” to a constitutional challenge to a law that protected Mounties after they destroyed data]


US – FCC Exploring Supercookie Ban in Verizon Case

As part of the FCC’s proposal to require ISPs to gain consent before tracking consumers’ online behavior for ad purposes, it is also considering banning certain tracking technologies. The FCC is seeking comment on “whether the use of persistent tracking technologies may expose … customers to unique privacy harms and as such, whether the Commission should prohibit (Internet service) providers from employing such practices.” More specifically, it would like to know whether the technologies should require some form of customer consent, and whether the technology, or banning it, has benefits for consumers. [Full Story]

EU – Group of 75 Consumer Orgs Comes Out Against Shield

Trans Atlantic Consumer Dialogue, a collection of 75 consumer-rights groups based in the U.S. and Europe, issued a statement today urging the European Commission “not to adopt the Privacy Shield.” The group criticized the potential adequacy agreement for being a “self-declared, self-regulatory system, which will be adhered to by a limited number of companies” and said the U.S., because it lacks a “robust” privacy framework, cannot guarantee an essentially equivalent level of protection for personal information of European citizens. TACD also urged the Commission to hold off on signing the EU-U.S. Umbrella Agreement for the sharing of data between law-enforcement agencies and to “prompt those Member States engaging in mass surveillance of individuals to put an end to such practices.” [Full Story]


CA – CRTC Enters into MOU with FTC on Spam & DnC

On March 24, 2016, the CRTC signed a memorandum of understanding with the US FTC. The MOU is an effort by Canada and the US to work together on anti-spam enforcement measures, and expressly refers to unsolicited telecommunications, unsolicited commercial electronic messages (spam), and other unlawful electronic threats (e.g., malware and botnets). The MOU will allow the Participants to facilitate research and education related to unauthorized communications. Both Commissions also plan to share knowledge and expertise through training programs and staff exchanges, and to inform each other of developments related to the laws, among other activities. [Source]

US – FBI: $2.3 Billion Lost to CEO Email Scams

The U.S. FBI this week warned about a “dramatic” increase in so-called “CEO fraud,” e-mail scams in which the attacker spoofs a message from the boss and tricks someone at the organization into wiring funds to the fraudsters. The FBI estimates these scams have cost organizations more than $2.3 billion in losses over the past three years. In an alert posted to its site, the FBI said that since January 2015, the agency has seen a 270% increase in identified victims and exposed losses from CEO scams. The alert noted that law enforcement globally has received complaints from victims in every U.S. state, and in at least 79 countries. The FBI estimates that organizations victimized by CEO fraud attacks lose on average between $25,000 and $75,000. But some CEO fraud incidents over the past year have cost victim companies millions — if not tens of millions — of dollars. [Krebs]


WW – WhatsApp Just Switched on Encryption for a Billion People

WhatsApp, an online messaging service now owned by tech giant Facebook, has grown into one of the world’s most important applications. More than a billion people trade messages, make phone calls, send photos, and swap videos using the service. And today, the enigmatic founders of WhatsApp revealed that the company has added end-to-end encryption to every form of communication on its service. This means that if any group of people uses the latest version of WhatsApp—whether that group spans two people or ten—the service will encrypt all messages, phone calls, photos, and videos moving among them. And that’s true on any phone that runs the app, from iPhones to Android phones to Windows phones to old school Nokia flip phones. With end-to-end encryption in place, not even WhatsApp’s employees can read the data that’s sent across its network. In other words, WhatsApp has no way of complying with a court order demanding access to the content of any message, phone call, photo, or video traveling through its service. Like Apple, WhatsApp is, in practice, stonewalling the federal government, but it’s doing so on a larger front—one that spans roughly a billion devices. [WIRED] See also: [Public Safety, RCMP saying little about WhatsApp encryption]

EU Developments

EU – Deal with EU, Canada to Share Air Travellers’ Data Raises Privacy Fears

An agreement between the EU and Canada to share airline passenger data that they say is key to fighting terrorism drew tough scrutiny at an EU court hearing last week because of privacy concerns. The dispute over the retention and sharing of passenger name records (PNR) has become a shibboleth in Brussels for the debate over balancing people’s privacy with the need to protect against terrorism. The agreement with Canada foresees the retention and sharing with Canadian authorities of airline passenger data by carriers operating flights between the EU and Canada. The Luxembourg-based Court of Justice of the European Union (ECJ) heard arguments for and against the agreement at a six-hour proceeding. Islamist militant attacks in Paris last year and last month’s attacks in Brussels have stoked calls for law enforcement agencies to have easier access to people’s data. Ireland, France, Britain, Spain and Estonia, who intervened in the case, emphasized that PNR do not allow investigators to paint a detailed picture of someone’s private life. But the European Parliament and privacy advocates cast doubt on that assertion. [Reuters]

EU – Other News

Facts & Stats

WW – 2016 Data Security Incident Response Report

BakerHostetler has yet again compiled a year’s worth of breach response data into a compact report that analyzes trends in data breach response, released this year to coincide with the Global Privacy Summit. “Is Your Organization Compromise Ready?” documents lessons learned from more than 300 security incidents in 2015. Some of the major findings? Nearly a quarter of all breaches happened in the healthcare industry. It takes an average of 69 days from occurrence of a breach to its discovery, and an average of 40 days from discovery to notification. And nearly a quarter of incidents led to regulatory investigations or inquiries. [Read More]


WW – Panama Document Leak Exposes Global Corruption, Secrets of the Rich

The financial secrets of heads of state, athletes, billionaires and drug lords have been exposed in the latest — and biggest ever — leak of records from an offshore tax haven. The leak includes 11.5 million confidential documents shedding light on the assets and murky fiscal dealings of everyone from the prime ministers of Iceland and Pakistan to soccer player Leo Messi, movie star Jackie Chan and associates of Russian President Vladimir Putin. The records, dating as far back as 1977, come from a little-known but highly influential Panama-based law firm called Mossack Fonseca, which has 500 staff working in 40-plus countries. The firm is one of the world’s top creators of shell companies — corporate structures that can be used to hide ownership of assets. German newspaper Süddeutsche Zeitung obtained the files from a source and shared them with global media partners, including CBC News and the Toronto Star, through the Washington-based International Consortium of Investigative Journalists. The release of the leaked documents may prompt governments to seek “concrete sanctions” against jurisdictions and institutions that peddle offshore secrecy. [CBC News]

US – NAIC Seeks Feedback for Insurance Data Security Law

A cybersecurity task force of the National Association of Insurance Commissioners (NAIC) has proposed a new insurance data security model law. The initiative, introduced last month, establishes new standards for data security, breach responses and the roles of the regulator, the organization says. “Because insurance is a data-driven industry, regulators must understand what data is being collected and for what purpose,” the NAIC said. “Today, regulators and companies have a need for data beyond what has been traditionally collected. But what regulators need is greater insight, not just more data.” Early responses to the proposed law have been mixed, with other associations raising concerns about the law’s suggestion that insurance regulations be allowed to vary by state, and that jurisdictional commissioners be allowed to vary their responses. After several high-profile hacks in 2015, the insurance industry and its regulators are still learning about the hackers aggressively hunting customers’ personally identifiable information (PII), financial records and medical histories. [Source] [See Graphic] See also: [state data security breach notification laws] and also: [Cyber insurance underwriters may want to consider less “absolute” questionnaires: ICRMC speaker]

US – Cyber Insurance Rates Drop

The rates for cyber insurance for organizations usually deemed to be high risk, such as retailers and healthcare organizations, fell during the first three months of 2016 because of a drop in high-profile breaches. The average price for US $1 million in insurance fell to US $18,756. Last year, in the wake of high-profile breaches like those at Target and Home Depot, the average premium was as high as US $21,642. [Reuters]


CA – NL Teachers Going to Court to Fight Sunshine List Disclosure

The Newfoundland and Labrador Teachers’ Association (NLTA) plans to go to court to block the release of the names of about 300 people who earn more than $100,000 working in the province’s school system. NLTA president Jim Dinn said that when he became aware of an access to information request seeking the names and salaries of teachers, he “immediately” knew the association had to fight it. Dinn said he believes releasing the list of teachers, principals and other educators earning more than $100,000 would be an undue invasion of privacy. Last year, as part of the Progressive Conservative government’s push for greater government openness and transparency, then-minister Steve Kent committed to creating a so-called “sunshine list” that would include the names, positions and remuneration of all government employees earning more than $100,000. The project was never completed because the Tories were tossed from government by voters in the November election. Since they took power, the new Liberal government has been indecisive on whether to follow through. In the meantime, The Telegram filed a suite of access to information requests in an attempt to create an ad hoc sunshine list. Several public bodies — including Memorial University, the core civil service, Nalcor Energy and the Royal Newfoundland Constabulary — have provided the requested information, and that data will be posted online by The Telegram this week. However, the province’s four regional health authorities and the English School District have declined to provide employees’ names. Those five public bodies said they would first inform their employees about the potential disclosure, and if anybody objected, the matter would be sent to the Office of the Information and Privacy Commissioner, or to the courts, for a ruling. [Source]

CA – NL Salary Disclosures OK Under New Access Law, Watchdog Says

Newfoundland and Labrador’s information and privacy commissioner says the new transparency law that replaced Bill 29 permits the public release of salary details of employees of public bodies. “It is our view that such a disclosure is in compliance with the law,” Ed Ring said in a press release issued Monday afternoon. Ring noted that a number of public bodies have already released that information in response to open-records requests. But he said others “have been uncertain in their interpretation of the law,” and have notified affected employees before releasing the information. Ring noted that a panel led by former premier and judge, Clyde Wells, that reviewed access-to-information laws found that disclosure of salary details is not an unreasonable invasion of privacy, and therefore cannot be withheld by a public body. “It is the interpretation of this office that this means that names of public body employees and their salaries are to be disclosed to an access-to-information applicant upon request,” Ring noted. “This type of disclosure is not unusual in Canada, and for example, has been done for many years under different legislation in Ontario.” [Source]

US – The FBI Says a Piece of Code Broke Its FOIA System

In February, activist Michael Best took a novel approach to filing a mass of Freedom of Information Act requests at once: he wrote a script to automatically ask for the files of just under 7,000 dead FBI officials. The FBI has replied, and it is not happy. The agency decided to not accept any of Best’s related requests, and may have also blocked or otherwise filtered further emails sent to the agency’s FOIA department by him. The episode shows that the way FOIAs are processed is very much an antiquated practice, and that perhaps US government agencies should think of new ways to handle requests. “The FBI email portal is designed to provide a convenient, alternative means to all Freedom of Information Act (FOIA) and Privacy Act (PA) requestors [sic] to make requests for FBI records,” a letter from David M. Hardy with the FBI’s Records Management Division to Best, dated March 30, 2016, reads. “On February 29, 2016, the FBI received an exceedingly high volume of submissions from you via the FBI email portal which had been generated by script [sic] using a list of names. This matter of submission interfered with the FBI’s ability to perform its FOIA and PA statutory responsibilities as an agency. Accordingly, the FBI did not accept these submissions on February 29, 2016, via the FBI FOIA email portal,” it continues. Best’s script was simple enough: It took names of special agents and other FBI officials collated from the agency’s own “Dead List,” a list of people the FBI knows to be deceased, and placed each into a request template. The request was for records held concerning the subjects, which can be released after the person is deceased. (For what it’s worth, Best says he didn’t submit his requests via the “email portal” as the FBI’s letter states, but just sent them to the normal FBI FOIA email address.) “I think the letter’s vagueness is counterproductive,” Best told Motherboard in a Twitter message. “‘The manner of submission’ could mean almost anything. The volume of requests, or using the script? If it’s the former, I’ve never heard of an agency discarding FOIA requests because there were too many, and if it’s the latter I don’t see how the locally run script would have created a problem.” The requests weren’t even “rejected,” at least in the traditional FOIA context. Requests can be rejected if they are determined to be too burdensome on the agency. But that’s not what happened here—the FBI didn’t even accept the requests in the first place. [Source]

CA – Residential School Abuse Stories Must Be Shredded After 15 Years: Court

Survivors of Canada’s notorious residential school system have the right to see their stories archived if they wish, but their accounts must otherwise be destroyed in 15 years, Ontario’s top court ruled in a split decision last week. At issue are documents related to compensation claims made by as many as 30,000 survivors of Indian residential schools — many heart-rending accounts of sexual, physical and psychological abuse. Compensation claimants never surrendered control of their stories, the Appeal Court said. “Residential school survivors are free to disclose their own experiences, despite any claims that others may make with respect to confidentiality and privacy,” the court said. The court rejected the idea the documents were “government records” but said the material fell under the court’s control. [Source]

US – ESPN Argues Athlete’s Medical Records Matter of Public Concern

Cable sports network ESPN has filed court papers arguing that journalists are entitled to provide the public with visual evidence to corroborate reports, even in cases involving the athlete’s medical records. Last summer, Jason Pierre-Paul, a player in the NFL, blew part of his hand off in a fireworks accident. Reporter Adam Schefter tweeted a picture of Pierre-Paul’s medical record as proof. The football player has sued ESPN, arguing his privacy was violated. The media outlet argues Pierre-Paul’s claims “cannot succeed where, as here, the subject-matter of a news report is a matter of public concern.” [Hollywood Reporter]

CA – Judges Reject Media Ban in Two Assisted-Death Cases

Canadian judges have refused to bar the media from assisted-death cases for the first time. Judges in Ontario and British Columbia both rejected requests to ban the media from the hearings, breaking precedent set in Canada’s first application for an assisted death in late February. While the judges in the two cases understand the request for privacy by the two clients, the cases are “uniquely significant,” and blocking the media would harm the “open court principle,” said Chief Justice Christopher Hinkson of the British Columbia Supreme Court. “Conducting these proceedings in camera would effectively prevent the public from having any information about the case, other than what is volunteered by the parties or provided by the court in its reasons for judgment,” Hinkson said. [The Globe and Mail]

Health / Medical

CA – BC Arbitration Board Rules Nurse Must Be Reinstated Despite Multiple Incidents of Patient Data Snooping

The BC Nurses Union brought a grievance on behalf of a member who was terminated by her employer, the Vancouver Coastal Health Authority, for improperly viewing patient medical records. An arbitrator determined that termination was an excessive response and ordered the nurse reinstated, with seniority, but without back pay or benefits; none of the information accessed was disclosed, and the nurse had realized the seriousness of the unauthorized access (she had been out of work a long time and had taken courses to educate herself on the issue). [Vancouver Coastal Health Authority (Olive Devaud Residence) v. British Columbia Nurses Union – 2016 CanLII 11873 (BC LA) – Labour Relations Board]

Horror Stories

PH – Philippines Breach Largest In Government History?

Sensitive information of nearly 55 million Philippine voters has been exposed in possibly the biggest government-related data breach in history. Security researchers believe the entire database of the Philippines’ Commission on Elections has been exposed following a cyberattack compromising the organization’s website by Anonymous Philippines, after which LulzSec Pilipinas, a second hacker group, posted the complete COMELEC database online. The data dump included information such as fingerprints and passport information, although COMELEC officials claim no sensitive information was accessed. Officials also said the national elections being held 9 May will not be affected by the attacks, as the election-related systems will be held on a separate site. During the initial attack, Anonymous Philippines warned COMELEC it should strengthen the security of the voting systems. [The Register]

TU – Nearly 50M national IDs, PII of Turkish citizens leaked online

The national IDs and other personal information of nearly 50 million Turkish citizens — more than half the country’s population — were leaked on a website hosted in Romania. The other personal information included in the data leak included citizens’ full names and parents’ names, addresses and dates of birth. Victims of the data breach also include the current president of Turkey, Recep Tayyip Erdoğan, the previous president, Abdullah Gül, and current Prime Minister Ahmet Davutoğlu. The site features a “lessons to learn” portion that hints at how the data was stolen, and mentions lack of encryption and poor database security. [The Guardian]

CA – Breach at Alberta’s Maintenance Enforcement Program?

An Alberta government employee is under investigation after Edmonton police discovered as many as 60 sensitive files in the province’s maintenance enforcement program may have been accessed inappropriately. The alleged privacy breach was discovered during a larger police investigation, Justice Minister Kathleen Ganley said. The enforcement program collects and enforces court-ordered child and spousal support payments, meaning the files contained financial information and other personal details. “Obviously, we’re deeply concerned because this is the private information of individuals who have come into the program — sometimes very vulnerable individuals,” Ganley said. The employee in question is under investigation by both Edmonton police and Justice Department officials. The employee still has a job with the government, but no longer has access to the client database. “To the best of our knowledge, there is only one individual involved,” she said. [Edmonton Journal]

Identity Issues

CA – Price of Stolen Canadian Identity Plummets On Black Market

The price of a stolen Canadian identity has dropped by half in the space of a few years, says a new report from tech firm Dell. A set of Canadian “fullz” — the basic data needed to steal someone’s identity — now trades for around US$20 on the global market, down from a range of $35 to $45 in 2014, Dell Secureworks said in its latest Underground Hacker Marketplace Report. A set of “fullz” includes a person’s name, date of birth, an identifying government ID like a Social Insurance Number or driver’s licence and some form of financial data, like credit card or bank account numbers. Physical documents are more expensive, with passports going in the thousands of dollars. Fake Canadian passports can run upwards of US$2,600, more than U.S. passports though not as much as those of some European countries. A Canadian SIN card “was observed being sold by cybercriminals out of China for approximately $173,” the report said. The cheaper prices may have to do with a growing supply of stolen identities. The Insurance Bureau of Canada reported last month that there has been an increase in identity theft in Canada in recent years. The Canadian Anti-Fraud Centre said 17,000 Canadians reported being victimized by identity theft in 2015, and losses topped $10.7 million. But the centre warned that, more often than not, identity theft goes unreported. [HuffPost]

US – ONC, NIST Partner on Federated Identity and Health Data Privacy

The National Institute of Standards and Technology is putting up $1 million to find a new approach for patients and providers to access health records in a joint endeavor with the Office of the National Coordinator (ONC) for Health IT. Instead of piling up individual accounts for each provider a patient sees – dentist, specialist, primary care, in the doctor’s office or in the hospital – NIST and ONC are looking for ways to streamline the entire process by enabling a single credential across multiple providers. “For providers, making strides in the efficiency of accessing medical records means time and money saved – and, if done right, better outcomes for security and privacy – what NIST calls a ‘Federated Identity,’” NIST deputy director Michael Garcia wrote announcing the pilot. ONC, for its part, will participate in the review of applications and also provide technical support regarding implementation and operation of the pilot. “The goal is for hospital systems to work with other regional health systems and provider groups on developing and using a federated identity system,” Garcia explained. “The identity solution must be: privacy enhancing and voluntary; secure and resilient; interoperable; cost effective and easy to use.” NIST said it will fund one award between $750,000 and $1 million for eighteen months. Applications can be submitted at Grants.gov until the June 1, 2016 deadline. [Source]

Internet / WWW

WW – Countries that Use Tor Most Are Highly Repressive or Highly Liberal

You might assume that people in the most oppressive regimes wouldn’t use the Tor anonymity network because of severe restrictions on technology or communication. On the other hand, you might think that people in the most liberal settings would have no immediate need for Tor. A new paper shows that Tor usage is in fact highest at both these tips of the political spectrum, peaking in the most oppressed and the most free countries around the world. Eric Jardine, research fellow at the Centre for International Governance Innovation (CIGI), a Canadian think-tank, is the author of the new paper, recently published in peer-reviewed journal New Media & Society. Jardine analysed data from 157 countries, stretching from 2011 to 2013. That information included a rating for a country’s political repression, derived from assessments made by US-based research group Freedom House, and metrics for Tor usage, sourced from the Tor Project’s own figures. Jardine included data for use of both Tor relays, which are nodes of the network users typically route their traffic through, and bridges, which are essentially non-public relays designed to be used in censorship-heavy countries that might block access to normal relays. He also considered a country’s internet penetration rate, intellectual property rights regime, wealth, secondary education levels, and openness to foreign influences. “The results show that, controlling for other relevant factors, political repression does drive usage of the Tor network,” Jardine writes. [Source]

WW – The Art of Privacy

Artist Trevor Paglen has exhibited a sculpture called the Autonomy Cube at museums around the world. The sculpture houses a custom wi-fi router. Museum visitors who connect to it will have their data redirected through the Tor network. The router also serves as a Tor relay. Paglen aims to install Autonomy Cubes in any museum that will pay for their creation. [Wired]

WW – Android Messaging Apps Leaking Data Through ‘Surreptitious Sharing’

German researchers have found a serious flaw in the way many popular Android email and messaging apps – including Skype and even secure systems like Telegram and Signal – share documents, images and videos. Dominik Schürmann and Lars Wolf from Braunschweig University of Technology say the bug, dubbed ‘Surreptitious Sharing’, allows attackers to capture data including passwords, private keys and message histories. They tested 12 popular email and messaging apps and found eight were exploitable. As a result, they said, the flaw is “definitely present in many more apps”. The affected messaging apps are Skype, Threema, Telegram and Signal. The vulnerable email apps are Google’s Gmail and AOSP Mail, K-9 Mail and WEB.DE. Four messaging apps were found to be safe – WhatsApp, Hangouts, Facebook Messenger and Snapchat. The bug lies in the main ‘Intent’ file-sharing API that Android apps use. This allows an attacker to access the receiving app’s private files. Worryingly, even privacy-focused messaging apps were “easily exploitable”, the researchers said. [Source]

Law Enforcement

US – Maryland Appeals Court Upholds Lower Court Stingray Ruling

An appeals court in Maryland recently ruled that police should not have used a stingray cell site simulator device without a warrant. The state had argued that by turning on cell phones, people were consenting to being tracked. The ruling upholds a lower court decision to suppress information gathered with the stingray. It also addresses the obfuscation police used in obtaining a warrant to use the stingray, writing, “A non-disclosure agreement that prevents law enforcement from providing details sufficient to assure the court that a novel method of conducting a search is a reasonable intrusion made in a proper manner and ‘justified by circumstances,’ obstructs the court’s ability to make the necessary constitutional appraisal.” [Wired] See also: [Stingray ruling could challenge hundreds of Baltimore convictions]

CA – Canadian Police Forces Moving Towards Costly Body Cameras

Some Canadian cities and police forces already wrestling with cash-flow shortages are moving toward outfitting officers with body cameras despite privacy concerns and scant consensus on the technology’s cost-effectiveness. Body camera programs aren’t cheap, according to multiple forces across the country, and would require hiring more personnel to deal with the hundreds and thousands of hours of footage. Storage costs alone can run in the millions of dollars. Nonetheless, proponents say the cameras provide better evidence, lead to more convictions, improve officers’ interactions with the public and reduce police use-of-force incidents. Others, however, argue the videos invade the privacy of citizens, and worry that administrative duties related to body cameras will keep officers away from policing. [CTV News]


UK – 93% of Mobile Users Have Their Location Tracked Every Day

A new campaign by privacy-focused advocacy group Krowdthink aims to raise awareness of the privacy implications of owning a mobile phone in the UK. The ‘Opt Me Out Of Location’ campaign aims to highlight the fact that nearly every single mobile phone owner in the UK (93%) has unwittingly signed up for a contract that permits their location to be tracked. More than this, the data collected allows providers to build up highly detailed customer profiles, which Krowdthink warns leaves millions of users just one serious data breach away from having private data exposed to and abused by criminals. Research by Krowdthink says that while most mobile users are suspicious of apps that make use of GPS, few people think about the fact that their location is highly trackable when they connect to wifi hotspots or cell towers. [Source]

Online Privacy

US – Judge Approves Sony Hack Settlement

U.S. District Judge R. Gary Klausner ruled in favor of the estimated 437,000 employees affected by the 2014 Sony hack, approving the settlement that would provide them identity theft protection through 2017. Klausner said the three years of credit monitoring is longer than granted in other class actions, the report states. Sony further agreed to “an optional service that will cover up to $1 million in losses,” with more specific figures relating to the monetary settlement forthcoming. [The Associated Press]

Other Jurisdictions

WW – Nymity and IAPP Announce New Privacy Management Tool

The IAPP and Nymity have announced the Nymity Privacy Management Workbook and supporting materials. Terry McQuay, Nymity’s President stated, “The Privacy Management Workbook is an unlocked Microsoft Excel Spreadsheet that can be used as is, or customized to meet a specific privacy officer’s needs. The Privacy Management Workbook is accompanied with the “Getting Started Manual”, that provides an operationalized approach to privacy management accountability and step by step instructions on how to use the Workbook. For organizations with mature privacy management embedded throughout the organization, there is a second manual called the “Demonstrating Compliance Manual”. This manual outlines an accountability approach to demonstrating compliance with privacy laws that is empowered by the documentation that was collected using the Privacy Management Workbook. [Privacy Management Workbook and the supporting materials]. [Source]

AU – Census Plan “A Massive Invasion of Privacy” Says EFA

Plans to retain people’s names and addresses for this year’s Census have sparked fear that the information could be used by Centrelink, the Tax Office and ASIO and may lead to mass civil disobedience or people lying on their forms, privacy groups believe. The Australian Bureau of Statistics (ABS), which has been around since 1905, conducts a Census every five years. While this has always involved collecting names and addresses, the difference is that this time it wants to hold on to all of this information. The Agency has said it wants to be able to combine Census data with other datasets, such as health and education statistics, to get a “richer and dynamic statistical picture of Australia.” Statisticians argue this could provide insights into many areas, for example, the employment outcomes of different educational programs or designing mental health services, and result in better service planning and delivery. Keeping names and addresses would also make surveys more efficient and reduce the cost and burden on Australian households, said the ABS. But Jon Lawrence from the Electronic Frontiers Australia said retaining such information was unwarranted and intrusive and “an exceptionally bad idea.” “At its very essence, it’s a massive invasion of the privacy of every Australian,” Mr Lawrence said. [Source] See also: [Benefits of the census retaining names and addresses should outweigh privacy fears]

Privacy (US)

US – FTC Releases Agency’s 2015 Annual Highlights Report

FTC Chairwoman Edith Ramirez released the FTC’s 2015 Annual Policy Highlights. The topics covered in the report include the FTC’s noteworthy legal actions in a variety of industries, including health care, technology and other consumer products and services. The report touches upon the FTC’s work to bring actions against technology companies to ensure the protection of consumers’ personal info, including settling a charge with Oracle over the safety provisions in updates to its Java platform. Also touched upon in Ramirez’s report was cross-device tracking, and educating consumers on fraud and deceptive business practices, including IdentityTheft.gov, a website to help people report and recover from identity theft. [FTC Press Release]

US – FTC Fines Organisation $79,659,262 for Payment Fraud Scheme

The FTC was granted an order against Ideal Financial Solutions Inc. for participating in violations of the Federal Trade Commission Act. The company and its subsidiaries are permanently restrained from selling, transferring, or otherwise disclosing a consumer’s personal information to any third party without consent, and from misrepresenting that a consumer has authorized or consented to the purchase of a product or service, or the nature or terms of any refund, cancellation, exchange, or repurchase policy. [FTC v Ideal Financial Solutions Inc. – USDC for the District of Nevada]

US – Other Privacy News

Privacy Enhancing Technologies (PETs)

US – FTC Releases Web Tool for Mobile Health App Developers

The FTC released this week a web-based tool to assist mobile app developers in determining which federal privacy laws apply to their mobile health applications. The tool asks developers a series of ten targeted questions that help a user determine whether HIPAA, FTC, and/or FDA rules and regulations might apply. The interactive developer tool presents users with questions that include topics such as:

  • the type of information the app will create, receive, maintain, and transmit
  • the type of entity creating the app (or on whose behalf the app is created)
  • the purposes of the app
  • the information the app will provide to consumers and/or patients

The answer to each question points the user to the laws and regulations that may likely apply to the app. The tool also directs users to definitions for common regulatory terms, links, tips and guidance regarding compliance, and other federal agency resources. In conjunction with the release of the developer tool, the FTC also released its own guidance aimed at developer compliance with the FTC Act. This guidance follows the release of OCR’s Health App Use Scenarios & HIPAA guidance and discussion portal and FDA Mobile Medical Applications guidance. Together, these agency releases reflect efforts to provide guidance that will help provide clarity to the growing mobile health app ecosystem.

US – DHS Unveils Privacy Guidelines for Mobile Apps

The U.S. Department of Homeland Security has issued a set of privacy rules for mobile applications developed for the agency. The guidelines include a privacy policy requirement as well as a rule that program managers notify a privacy official and the chief information officer prior to an app’s development. App developers must pass their apps through a DHS “Carwash,” a system that scans the app’s code, which are then reviewed by DHS Chief Privacy Officer Karen Neuman. The guidelines also lay out what kinds of personal information can be processed and require that user information in transit must be encrypted and “immediately transferred to a protected internal DHS system that is compliant with existing DHS IT security policy.” [FCW]

US – Market Surges For Outside Privacy Counsel

A significant portion of corporations—76%—employ outside counsel for privacy and data security matters, according to a Bloomberg Law/IAPP survey study on “The Market for Data Privacy Legal Services.” And that demand is growing. The survey report concluded that:

  • A dedicated privacy team and subject matter experience are the most important qualities—along with basic care and feeding of clients—that companies look for in hiring outside counsel.
  • On average corporations spend nearly $170,000 annually on outside counsel handling privacy and data protection matters.
  • Outside privacy attorneys command high hourly rates, an average of $474 for transactional services, $539 for litigation and $623 for specialized privacy and data protection services.

The survey found that privacy pros in companies generally don’t hire outside counsel for operational tasks, such as PIAs and privacy by design application. But at the same time, significant opportunities for lawyers to expand their revenue may be in advising companies on privacy by design/privacy engineering initiatives, the report said. [BNA] See also: [UK and European firms invest in data protection ahead of GDPR]


WW – A Lot Will Plug a Random USB into Their Computer: Study

Using booby-trapped USB flash drives is a classic hacker technique. But how effective is it really? A group of researchers at the University of Illinois decided to find out, dropping 297 USB sticks on the school’s Urbana-Champaign campus last year. As it turns out, it really works. In a new study, the researchers estimate that at least 48% of people will pick up a random USB stick, plug it into their computers, and open files contained on them. Moreover, practically all of the drives (98%) were picked up or moved from their original drop location. Very few people said they were concerned about their security; 68% of people said they took no precautions, according to the study. Some 135 people actually opened some files on the drives, according to the study. The researchers didn’t put any malware on the sticks, but had left an HTML file that contained an image allowing the researchers to detect when a file was opened. The HTML file also contained a survey, which had the goal of informing unwitting students and faculty that they had become part of an experiment, and of trying to figure out why they had picked up the drive and opened files inside. Based on the participants’ survey answers, the researchers concluded that most people did it with “altruistic intentions.” In fact, 68% of people said they did it to find the owners, while 18% admitted it was just out of curiosity. However, considering their actions, it seems some overestimated their good intentions. Despite the fact that some USB drives contained a resume file, almost half the users didn’t open that file, and instead browsed vacation photos first, “overtaken by curiosity,” as the researchers put it. [Source]

US – US, Canada Issue National Alerts on Ransomware

The United States Computer Emergency Readiness Team within the Department of Homeland Security and the Canadian Cyber Incident Response Centre have jointly issued a special alert for both nations on the threat of ransomware and recent variants of the malware. The alert highlights the threat to the healthcare industry in the U.S. and worldwide, as well as threats to other businesses and individuals, outlining important steps to help organizations avoid falling victim to a ransomware attack, and guidelines for responding to incidents in which an organization is fending off ransom demands. The alert takes a hard line on whether organizations should pay to unlock information or computers, noting that there is no guarantee that paying a ransom will result in the release of information. Over the last few weeks, about a half dozen ransomware incidents have been reported among U.S. and Canadian hospitals, and in most cases the organizations have been able to work around the attacks without paying a ransom. In February, Hollywood Presbyterian Medical Center reported that it paid the equivalent of $17,000 to unlock its information after a ransomware attack crippled the facility’s systems for about a week. The federal alert warns that ransomware is being spread via phishing tactics, as well as through “drive-by downloading,” which occurs when a user unknowingly visits an infected web site and malware is downloaded to the computer. [Source] See also: [Ransomware Threat Hits Critical Mass] and [Should Ransomware Attacks Be Considered Breaches?]

US – Federal Agencies and Ransomware: Statistics

29 US federal government agencies have reported a total of 321 ransomware incidents since June 2015, according to the Department of Homeland Security. Not all of the incidents resulted in infections, and no incidents resulted in payment of ransom. Last December, Senators Ron Johnson (R-Wisconsin) and Tom Carper (D-Delaware), chairman and ranking member of the Senate Homeland Security and Government Affairs Committee, requested information about agencies’ efforts to protect systems from ransomware. Carper has posted the responses to his website. [FCW] [The Hill] [NextGov] [Results on Senator Carper’s Website] [CBC: Ransomware Hits Another (Ontario) Hospital] [SC Magazine]

Smart Cars / IoT

US – NTIA Commences Internet of Things Proceedings

On April 5, 2016, the National Telecommunications and Information Administration (NTIA) initiated an inquiry to review the potential benefits and challenges presented by the Internet of Things (IoT). In its Notice and request for public comment (RFC), NTIA is seeking input on the current IoT technological and policy landscape with a goal of developing recommendations—in the form of a Green Paper—as to whether and how the federal government should play a role in fostering the advancement of IoT technologies. Comments are due on or before May 23, 2016; parties across industry sectors are encouraged to comment. The inquiry is part of the Department of Commerce’s Digital Economy Agenda through which the agency seeks to help develop a free and open Internet and innovation in the digital economy while promoting privacy, security, and broad access. [Source]

WW – IoT Privacy a Concern for 62% Globally, More in U.S.

A newly released study of 5,200 “mobile media users” in Brazil, China, France, Germany, India, South Africa, the U.K., and the U.S. has found 62% of respondents “concerned” about privacy and the Internet of Things. That number rises to 70% in the United States. According to the Mobile Ecosystems Forum, privacy outstrips security (54%), and is a far bigger concern than physical safety (27%) or “machines taking over the Earth” (21%). Which connected devices are most concerning? Respondents answered with their home security as most concerning (30%) followed by their car (12%) and television (10%). [MediaPost]

US – OTA Principles for IoT Privacy and Security Programs

15 months after forming an Internet of Things (IoT) working group, on March 2, 2016, the Online Trust Alliance (OTA) released a final version of its IoT Framework along with a companion Resource Guide that provides explanations and additional resources. The voluntary Framework sets forth thirty suggested guidelines that provide criteria for designing privacy, security, and sustainability into connected devices. The creation of the OTA IoT principles represents a potential starting point for achieving privacy- and security-protective innovation for IoT devices. For now, the Framework focuses on wearable technology and connected home devices. In so doing, it avoids addressing some of the more challenging transparency and consent issues presented by devices lacking a direct buyer-seller relationship, such as those that arise in the retail or infrastructure context. The Framework also excludes connected medical devices and the associated potential life-or-death implications of medical technologies. Though purely voluntary and non-binding, the Framework differentiates between what it posits as “required” and “recommended” guidelines, thereby allowing for a broader consensus in a dynamic environment with many unresolved questions. Certain guidelines will likely be familiar to consumers—such as multi-factor verification for resetting credentials, and user notification after a password change. Other guidelines are particularly tailored to the IoT space—such as disclosure of the duration of patch support, and notice when a device initially pairs with a network. Themes of the Framework include guidelines designed to achieve the following:

CA – Allstate to Offer Albertans Usage-Based Auto-Insurance

A new Alberta insurance program could see motorists save money if they’re willing to install a device that monitors their habits behind the wheel. Allstate is the first company in the province to offer usage-based insurance, which uses technology to collect data on how a vehicle is driven and offer discounts for safe drivers. “It’s a little box you plug in under the steering wheel, and it sends out information,” Edmonton north agency manager Amanda Sawatzky said. “We take the measurements of the data over six months because that’s going to tell us over time what your driving habits are.” The company will check the frequency of hard braking, the time of day customers drive — accidents are more common between 11 p.m. and 5 a.m. — total kilometres covered and travelling at more than 125 km/h. The information comes from the vehicle’s diagnostic system and is sent out electronically. Drivers can log in to a website and monitor the results. “Hopefully, as you see a hard braking or speed incident, you’re more aware of it and it leads to safer driving habits,” Sawatzky said. After six months, the equipment will be removed and Allstate will offer participants premium discounts of up to 30%, depending on how well they did. Even if they do badly, their premiums won’t rise. Any discount remains as long as they own the vehicle. “It’s empowering drivers and there’s no downside to it. The safer you drive, the more you can save.” It’s unlikely someone will change how they drive for six months, then revert to bad habits once the monitor is out, she said. People who want to see whether they should sign up will receive a 5% premium cut for a year for using a test app. [Edmonton Journal]


US – New Hampshire Bill Regulates Government and Citizen Use of Drones

Last month lawmakers in the New Hampshire House of Representatives passed a bill regulating government and citizen use of drones. The bill includes strong privacy protections that address some of the most common concerns associated with police using flying robots. The legislation is the latest example of local lawmakers improving upon decades-old Supreme Court precedent amid rapidly changing technology. In a world where drones with cameras are well within many law enforcement budgets it is reasonable to ask when police can fly a drone over your backyard. It’s understandable if you think that you have a reasonable expectation of privacy in your backyard, but the fact is that the Supreme Court ruled in two cases from the 1980s (Florida v. Riley and California v. Ciraolo) that you don’t. In both cases justices on the Court held that observations from the air are analogous to observations from public roads. [Forbes] See Also: [FAA committee writing rules permitting small drones over crowds]

US – NTIA Postpones Drone Privacy Meeting

The National Telecommunications & Information Administration has postponed an April 8 multistakeholder meeting on drone privacy, saying some stakeholders said that work on a revised draft of voluntary drone privacy guidelines would not be ready to circulate to the full group until April 22. The meeting will be rescheduled for early May, according to John Verdi, NTIA’s director of privacy initiatives, in a note to stakeholders. The effort is among a number of sets of best practices NTIA is trying to help industry and civil society representatives agree on to enforce the Obama administration’s privacy bill of rights. Others include best practices on apps and on facial recognition. It has been a year since NTIA sought comment on “privacy, accountability, and transparency issues” surrounding the use of unmanned aircraft systems (UAS), which are being increasingly used in TV news and film production. Those studios told NTIA they do not think there need to be any privacy guidelines for their use in such productions, since they are either used on closed sets or where they are not collecting information from the public. Back in November, major broadcast and print news operations and others in the News Media Coalition (NMC) asked NTIA to make sure it does not limit their First Amendment rights in its ongoing effort to come up with privacy guidelines for the new wave of UAS. [Source]

Telecom / TV

US – Federal Judge Says No Expectation of Privacy in Cell Site Location

In the Seventh Circuit — where there’s currently no Appeals Court precedent on cell site location info (CSLI) — federal judge Pamela Pepper has decided only about half of what other courts have said about this info’s expectation of privacy applies. That would be the half that finds the Third Party Doctrine covers cell phones’ constant connections to cell towers. (via FourthAmendment.com) Three circuits (4th, 5th and 11th) have ruled on whether obtaining CSLI from providers constitutes a search or seizure under the Fourth Amendment. Only the Fourth found that this information deserved greater privacy protections, mainly because of the ubiquitousness of cell phones. The other two held that CSLI is just another business record, even if it is the sort of business record that generates a detailed history of someone’s movements and can be used to track someone in near real-time. The Supreme Court also had something to say about the long-term tracking of people’s movements in its decision about GPS tracking devices. While not exactly the same thing, it was close, and the court here examines this decision as well. The government suggested long-term location tracking might have enough Fourth Amendment implications to justify a warrant requirement, but stopped short of making that call. With these non-precedents in hand, Judge Pepper finds there’s no expectation of privacy in cell location info because — like the government has argued in other cases — everyone should know their phones are acting as ad hoc government tracking devices. [TechDirt] [The ruling is here]

CA – Cases Highlight Legal Debate Over Texting Privacy Rights

The Ontario Court of Appeal is being asked to determine what privacy rights exist in the content of an individual’s text messages when they are obtained by police through the seizure of the phone of the recipient and not that of the sender. It is only the second time that the status of text messages on another person’s phone has been before an appellate court. The B.C. Court of Appeal ruled last year that there are privacy interests for the sender of the communications. At the Ontario Court of Appeal, the issues have been raised in two cases that are being heard together this week. The argument there is no privacy right once a text message has been sent is a very “old school” notion based on control, which does not fit with modern communications, says Laura Berger, acting director of the public safety program at the Canadian Civil Liberties Association. “For an increasing percentage of Canadians, especially younger people, text messages are supplanting voice telephone calls. We need to ensure that privacy protections in place [for phone conversations] are not diluted because of changes in technology,” says Berger. [Law Times]

US Government Programs

US – ODNI Signs Transparency Charter; NSA Sharing Plan Worries Rights Groups

Director of National Intelligence James Clapper signed a charter that formally transitions the Intelligence Community Transparency Working Group into the now permanent IC Transparency Council. Senior officials from across the intelligence community have comprised the working group, which was created two years ago. The council will oversee the Transparency Implementation Plan and ensure that transparency “becomes a comprehensive and sustainable practice” throughout the intelligence community. CSM Passcode reports privacy and civil liberties groups urge the NSA and DNI Clapper to reconsider a proposed data-sharing plan with other law enforcement agencies. Meanwhile, the surprise resignation of David Medine could spell trouble for the Privacy and Civil Liberties Oversight Board. Medine was the only full-time member of the five-member panel. [Full Story]

US Legislation

US – Legislative Roundup

Workplace Privacy

CA – OPC Issues Guidance on How to Prevent Employee Data Snooping

Six years ago a bank employee was caught going through the financial records of another staff member who was in a relationship with her ex-husband. The spying had been going on for four years. In another case hospital employees were caught selling patient data for their own gain. With organizations holding huge amounts of personal data on staff and customers, employee snooping — for curiosity or money — is tempting. The federal privacy commissioner suggested 10 ways employers can prevent staff spying on personal data. “Employee snooping poses a serious privacy risk that if left un-checked can cause significant and lasting financial and reputational damage to both your customers and your organization,” the report warns. “By taking the appropriate steps to address this risk … organizations can go a long way in advancing their reputation as a privacy-conscious business, and more importantly, protect their valued customers’ information, with which they have been entrusted.” [Source] See also: [New OPC Guidance regarding Privacy Impact Assessments: At Two Pages, Why Bother?]

CA – Staff Have Privacy Rights Even if Company Provides Devices, CPOs Told

Talk, not spy technology, should be one of the first tools employers use if they suspect employee misuse of enterprise devices or data, two lawyers have told a privacy law conference. “I would be cautious about using all kinds of fun and highly efficient but intrusive technologies to monitor your workers’ productivity,” Emma Phillips, a partner at the Goldblatt Partners LLP law firm, told chief privacy officers in Toronto on Thursday. If management has a reasonable belief there’s been misconduct, Canadian law potentially allows staff or a device to be monitored, she added, as long as it’s done in a reasonable way — for example, don’t install keystroke loggers before warning an individual what inappropriate behaviour is, or put up surveillance cameras that cover broad areas where employees work. [IT World Canada]

WW – Cybersecurity Remains Biggest Barrier to BYOD Adoption: Study

Crowd Research Partners’ recent 2016 BYOD and Mobile Security Report, surveying more than 800 global cybersecurity professionals, reveals that 39% of respondents consider security one of their greatest concerns surrounding bring-your-own-device adoption. An additional 12% expressed fears that BYOD would diminish employee privacy, the report states. The study “reveals that enterprise security risks and mobile data breaches are on the rise.” While these threats are serious, they also pose as “an opportunity for organizations to implement effective cybersecurity solutions to strengthen their security posture and capitalize on the promise of enterprise mobility.” [Security Brief NZ]
