9-18 April 2016


WW – Fingerprint Identification Technology Expanding Beyond Smartphones

Biometric fingerprint technology has surged in popularity among smartphone users, and now companies are looking to bring the technology to new places. Credit card use, rail commuting and entrances to buildings could be the next wave of opportunities to implement fingerprint identification. Specifically, Sweden’s Fingerprint Cards, already leading the market for fingerprint identification sensors in smartphones, believes biometric smart cards could be its most rapidly expanding market by 2018. Security advocates praise fingerprint identification as a superior alternative to pin codes, and the market for the technology continues to grow, with many companies jumping into the business. [Reuters]

WW – Russian Photographer’s Project Shows Ease of Finding People Online

A Russian photographer’s project looks to show how an individual’s private life is becoming less and less private. Egor Tsvetkov created an experiment titled “Your face is big data,” where he took pictures of nearly 100 people sitting across from him on the subway, then used the facial-recognition app FindFace to discover them on VK, a Russian social media site. Tsvetkov located about 60 to 70% of the people he photographed who were between 18 and 35 years old. [PCWorld]

US – Shutterfly Settles Facial Recognition Lawsuit

An undisclosed settlement has been reached between Shutterfly and an Illinois man who brought a lawsuit against the photo-sharing website, claiming the company violated his privacy. Brian Norberg alleged Shutterfly used facial recognition software to identify his face, which ended up in the company’s database after a friend tagged him in a photo in February 2015. Norberg’s suit said Shutterfly analyzed the details of his face and offered other photos he should be tagged in, which the suit asserts violates Norberg’s rights under the Illinois Biometric Information Privacy Act. “Helping a user re-identify his own friends within his own digital photo album does not violate any law,” Shutterfly countered. Had the lawsuit gone to trial, it could have had repercussions for companies using facial recognition software. [Chicago Tribune]


CA – Nova Scotia to Craft New Cyberbullying Law

The province’s Justice Department says it is working on new cyberbullying legislation to replace the Cyber-safety Act, which was struck down in December by the Nova Scotia Supreme Court. Since then the province has had no law on the books specifically dealing with cyberbullying. Over the next several months the province said it will seek legal expertise to craft a new act that balances the right to freedom of speech with a way to protect the victims of cyberbullying. The earliest new cyberbullying legislation could be introduced is the fall. [Source]


WW – Men and Women Differ in Their Approach to Online Privacy and Security

What do internet users want in terms of security and privacy? What do they do to protect their own privacy and security when they use the internet? Hide My Ass! (HMA) commissioned a nationwide survey to find out. The main results revealed a striking disconnect between what people want and what they do, while a deeper look uncovered some intriguing differences between men and women. HMA is a VPN (virtual private network) service provider. VPNs hide an internet user’s identity, location and internet activity by encrypting their data and routing their internet connection through multiple IP addresses and remote servers. HMA summarized the results of their survey with an attractive infographic and a more detailed report. While most people want more internet security and privacy, they do very little to make use of the tools and techniques that are available to give them what they want. The survey found that 70% of consumers say they restrict their level of social media use in order to avoid exposing personal information. However, only 25% enable strict privacy restrictions on the social media platforms they use. Likewise, 67% say they want additional layers of security, while only 9% use email encryption programs, 11% use a VPN and 13% use two-factor authentication. [Forbes]

WW – RAND Corporation Examines Consumers’ Reactions to Data Breaches

When a data breach occurs within an organization, how do affected consumers respond? It’s the question the RAND Corporation sought to answer in “a nationally representative survey of the consumer experience” following a data breach. Of their findings, RAND reports 26% of respondents, roughly 64 million adults in the U.S., received a breach notification in the 12-month period before the survey, with 44% of those individuals saying they were already aware of the attack from sources other than the affected company. Free credit monitoring was a popular choice among respondents, with 62% of individuals accepting the service. Many were pleased with a company’s reaction to the incidents, with 77% reporting high satisfaction with the organization’s post-breach response, and only 11% discontinuing a relationship with the organization following the breach. [Full Story] [Consumer Attitudes Toward Data Breach Notifications and Loss of Personal Information]

WW – Firm Releases 2016 Data Breach Litigation Report

Data breach litigation “remains one of the top concerns of general counsel, CEOs and boards alike,” Bryan Cave, a law firm, points out in its latest report on data breach litigation, adding, “there remains a great deal of misinformation reported by the media, the legal press and law firms.” The 2016 Data Breach Litigation Report found a 25% decline in the number of cases filed compared with its 2015 report. Additionally, when “multiple filings against single defendants” were removed, there were only 21 unique defendants during that 15-month period, and only 5% of reported data breaches ended up facing class-action litigation. According to the report, such a decline in class actions may derive from an overall decline in reported breaches. [Report]


US – Government Agencies Dead Last in Cybersecurity: Report

The cybersecurity protections at U.S. government agencies — from federal to local levels — ranked dead last compared to 17 other private industries, according to a report from security risk startup SecurityScorecard. SecurityScorecard analyzed the security capabilities of major industries across 10 categories, including weaknesses to malware and rates of password exposure. The security startup examined 35 major government data breaches between April 2015 and April 2016, saying agencies had the worst scores on network security, software patching defects and malware. Among the 600 government entities SecurityScorecard examined, NASA was the worst performer, particularly in its susceptibility to email spoofing and malware attacks. Other low-ranking industries included education and telecommunications, while the information services, food and construction industries received high marks. [Reuters] [Newsweek]


US – House Judiciary Committee Unanimously Approves Email Privacy Act

In a 28-0 vote, the Email Privacy Act has been approved by the House Judiciary Committee. The new bill, created to update the 1986 Electronic Communications Privacy Act, requires law enforcement to obtain a warrant before requesting email providers to hand over a suspect’s electronic communications stored for more than 180 days. The bill is expected to pass through the House, but might face opposition in the Senate, as civil enforcement agencies — including the Securities and Exchange Commission and the FTC — are concerned the bill could hamper civil investigations. [Morning Consult]

Electronic Records

US – 96% of Health Care Organizations Susceptible to Data Threats: Report

The results of the Healthcare Edition of the 2016 Vormetric Data Threat Report revealed 96% of health care organizations feel susceptible to data threats, the organization said in a press release. Findings included 63% of respondents saying they have experienced a data breach, with nearly 20% experiencing one in the last year. Meeting compliance requirements was the top IT security spending priority, coming in at 61%, with data breach prevention “well behind at 40%.” Complexity clocked in at 54% as the toughest barrier to overcome for better adoption of data security, with lack of staff coming in second. [Full Story]

EU Developments

EU – WP29 Refuse to Endorse Privacy Shield Scheme

The Article 29 Working Party (WP29) met in Brussels to discuss the European Commission’s Privacy Shield scheme, the proposed replacement for Safe Harbor. As anticipated, WP29 decided that in their view Privacy Shield does not offer adequate protection. Whilst the decision is not binding on the Commission, it will be hard to ignore if Privacy Shield is to be successful, especially since enforcement is still in the hands of the data regulators who sat around the table at WP29 and not in the hands of the Commission. WP29’s position is not a surprise, especially given the rumours coming out of Germany. Some German data protection authorities have had a long-held objection to Safe Harbor and they have been the most aggressive in enforcement since Safe Harbor died (for more on this see our alert here). Amongst WP29’s criticisms are:

  • A lack of clarity over the ombudsman role; and
  • Exceptions allowing the US to still collect European bulk data.

Most companies will have to plan for a world without Safe Harbor or Privacy Shield, at least in the short term. They will have to explore alternative solutions including EU model terms and Binding Corporate Rules (BCRs). BCRs are likely to gain momentum, and sources close to WP29 tell us that we can expect statements soon from regulators removing some of the existing objections to BCRs. In addition, BCRs will gain in use once their statutory status is confirmed by the forthcoming General Data Protection Regulation (GDPR) – there is more on this in our GDPR FAQs here. [The WP29 issues draft adequacy decision] [IAPP GDPR Resources] [Data watchdogs do not endorse the EU-US Privacy Shield as drafted] [WP29 Privacy Shield opinion sparks anxieties for US businesses] The Hill also reported on businesses’ Privacy Shield related fears, and the potential challenges of trying to alter the agreement. [WP29 on Privacy Shield: More work needed]

EU – European Commission Seeks Views on ePrivacy Directive

The European Commission seeks stakeholders’ views on the current text of the ePrivacy Directive as well as possible changes to the existing legal framework to make sure it is up to date with the new challenges of the digital age; the consultation is open until July 5, 2016. [Learn more]

EU – Passenger Name Record Bill Passes

The European Parliament approved the EU Passenger Name Record bill after five years of discussion. The bill will permit federal law enforcement officials to share airline-passenger information, like name and payment data, across national borders for up to five years in an attempt to curb terrorist activity. “It is one all EU governments and indeed the U.S. government have requested as a very important tool to tackling terrorism,” said U.K. MEP Timothy Kirkhope. Critics in the Green Party disagree. “This EU PNR system is a false solution, based on the flawed political obsession with mass surveillance,” said Green MEP and Home Affairs spokesman Jan Philipp Albrecht in a statement. [EUobserver]

UK – CJEU Hears Case on British Data Retention Laws

The EU’s highest court will hear a legal challenge this week concerning the validity of UK data retention laws. In July last year the High Court in London ruled that DRIPA was incompatible with human rights legislation but that decision was appealed by the UK government to the Court of Appeal. The Court of Appeal has asked the CJEU to rule on whether its previous judgment on the Data Retention Directive sets out “mandatory requirements of EU law applicable to a member state’s domestic regime governing access to data retained in accordance with national legislation, in order to comply with Articles 7 and 8 of the EU Charter”. [Source]

EU – Belgian DPA Advises Data Controllers to Have Detailed Cloud Contracts

The Belgian data protection authority issued guidelines for data controllers contracting with cloud service providers regarding compliance with the Data Protection Act. Provisions should include requirements that the provider only process the data upon the controller’s instructions and obtain controller approval for all subcontractors, and a list of the physical locations where the processing takes place for the duration of the contract. [DPA Belgium – Opinion No 10/2016 – Use of Cloud Computing for Data Controllers]

Facts & Stats

CA – Reporting of Government Privacy Breaches Varies Widely

Federal government departments breached the privacy of more than 45,000 Canadians last year, but only a small fraction of those breaches were ever reported to Canada’s Privacy Commissioner. Moreover, the proportion of breaches reported to the Privacy Commissioner’s office varied widely from one department to another. For example, while the Justice Department reported 80% of the breaches it discovered, the agency with the largest number of breaches – the Canada Revenue Agency – revealed less than 1% of its 3,868 breaches to Privacy Commissioner Therrien’s office. While departments are not required to notify Therrien of every breach that occurs, last year he was notified of only 5.3% of the 5,853 privacy breaches discovered by departments. See Chart: Privacy breaches reported to privacy commissioner. [Source] [Document: Order/Address of the House of Commons] [Feds made 5,670 privacy breaches last year; CRA worst offender] [Appearance before the Standing Committee on Access to Information, Privacy and Ethics on the Transfer of Information to the United States Internal Revenue Service (IRS)] [Ottawa open for comments on proposed breach notification regulations]

CA – Half a Billion Identities Were Stolen or Exposed Online in 2015

Some 500 million identities were stolen or exposed online in 2015, according to a report by digital security firm Symantec. The report also revealed that the amount of malware online increased by 36%, with 430 million new pieces of malicious code being created in 2015. Ransomware attacks are also on the increase, with 35% more attacks than the previous year. The UK ranked as the most targeted nation for spear-phishing campaigns, which attempt to steal data by targeting employees within a specific organisation. This type of attack increased by 55% in 2015. We’re also beset by fake technical support scams and social media fakes, with the UK being the second most targeted nation globally in both categories. Symantec drew particular attention to the increased number of zero-day vulnerabilities in 2015. It identified 54 zero-day vulnerabilities in 2015, the majority of which existed in widely used pieces of software. Four of the five most exploited zero-day vulnerabilities were found in Adobe’s much-maligned Flash Player. On average, each data breach exposed more than 1.3 million identities, but Symantec identified nine ‘megabreaches’ – the leaking of over 10 million records in a single attack – in 2015. [Source] [BBC] See also: [The seven types of e-commerce fraud explained]

CA – Hamilton Using Google Maps to Enforce Bylaws

Since 2002, Hamilton city officials have been quietly collecting aerial photographs that allow enforcement staff to investigate breaches of bylaws, especially the requirement that homeowners acquire a building permit before building a deck or some other construction project. Images from past years can be compared to get an idea when a deck, pool or addition was built. If the structure wasn’t there one year, and appeared the next, it means it was built sometime in between. But Jorge Caetano, the manager of plan examination in the city’s building division, says the information is never used to go on fishing expeditions for violators. It’s only consulted after the city receives a complaint. “We use it as a tool. We don’t use it in place of going there in person to investigate, to see the property,” he said. “At this point, we don’t base enforcement on aerial photographs. We would have to go out there physically and inspect the property. We still have to carry out the proper investigation.” He said information from past aerial photographs could be consulted to verify whether a structure has been there for many years and was, say, built by a former owner. A spokesperson from the IPC Ontario said the use of aerial maps would not appear to violate privacy rules: “As defined in Ontario privacy legislation, personal information means recorded information about an identifiable individual. Several IPC decisions have found that information about properties and businesses does not qualify as personal information as it does not reveal something of a personal nature about identifiable individuals.” [Source]


CA – CRA Should Notify People When Their Bank Records are Shared: Therrien

The CRA should automatically notify individuals when it shares their banking information with the U.S. IRS under a controversial information sharing agreement, says Canada’s Privacy Commissioner. Testifying before Parliament’s Access to Information, Privacy and Ethics committee, Daniel Therrien said there is no reason for the CRA not to advise people when their information is transferred. “Can it be realized? It is certainly an effort but we know that the government wants to facilitate access to data by citizens so it seems to me that would be a move that would fit in that objective.” Therrien said there are likely electronic ways to notify people when the CRA shares their banking information with the U.S. Therrien said he is also concerned that Canada’s banks and the CRA may be over-reporting the number of people considered “U.S. persons” under the information sharing agreement. While the CRA originally estimated that the deal it signed would result in it sending 30,000 to 90,000 banking records to the IRS, it ended up sending 155,000 records. [Source]

US – Insurance Coverage for ‘Malicious Insider’ Breach Depends on Policy Wording

With most data now stored electronically, businesses are facing new challenges in relation to data retention and keeping it secure and safe. Bespoke cyber insurance policies and, increasingly, data protection coverage as part of a general commercial liability policy will generally cover both first and third party liabilities in the event that anything happens to that data – but how will these policies respond in the face of deliberate or criminal behaviour by an employee who decides to release data to harm either colleagues or the business? As insurance contracts are supposed to cover fortuities and not deliberate actions, insurers may be able to reject claims arising out of malicious acts by employees. In the absence of specific wording, insurers may be able to reject claims arising out of deliberate data breaches by disaffected employees. It is important, therefore, for both insurers and the insured to ensure that policy wordings reflect the regulatory framework surrounding data breaches, as well as the specific types of claim that are likely to arise as a result.

CA – Privacy Law Gives Insurers a Boost in the Battle Against Fraud

With amendments to federal privacy laws last year, group benefits providers are facing a host of new consent and disclosure-related obligations that can offer helpful tools or signal potential headaches. Bill S-4, the Digital Privacy Act, came into force in June 2015. It amended PIPEDA to include new provisions around obtaining consent, disclosing information without consent and mandatory breach notification. For group benefits providers, the most positive development is likely the new provision that will help them fight fraud by allowing for increased disclosure of information without consent in certain cases. Before the amendment, insurers had to obtain the consent of anyone they had a contract with before disclosing their personal information even if that person was suspected of involvement in fraudulent activity. Many of the amendments also create consistency with privacy legislation in Alberta and British Columbia. Industry efforts will include helping insurers to consider ways to share claims data in order to identify fraud trends that the association says can be hard to pinpoint when each provider is working independently. [Benefits Canada] See also: [Out-Law: Insurance Coverage for ‘Malicious Insider’ Breach Depends on Policy Wording]


US – Microsoft Sues Justice Department over ECPA Gag Orders

Microsoft is suing the Justice Department for its frequent use of gag orders that prevent the company from telling users when the government has obtained a warrant to search their emails. Microsoft claims the gag order statute in the Electronic Communications Privacy Act is unconstitutional and violates both the First and Fourth Amendments. In its suit, Microsoft argues that the government has “exploited the transition to cloud computing as a means of expanding its power to conduct secret investigations.” Brad Smith, the company’s top legal advisor, said, “People should not lose their rights just because they are storing their information in the cloud.” The House Judiciary, earlier this week, unanimously passed a bill that would reform parts of the ECPA. [The New York Times] [Microsoft Corporation Delivers a Reality Check to the U.S. Government – Microsoft Corporation Challenges the Government] [Microsoft Sues Justice Department to Protest Electronic Gag Order Statute]

US – Making Records Accessible on the Internet is a “Publication” – Federal Court

A federal appeals court upheld a ruling against insurance firm Travelers Indemnity Company of America, saying, under the terms of a commercial general liability policy, the company should have defended a client in a lawsuit resulting from an electronic data breach. Travelers was found by a three-judge panel in the 4th U.S. Circuit Court of Appeals in Virginia to have failed to prove its two CGL policies with its client, Portal Healthcare Solutions, excluded the defense of a 2013 class-action lawsuit filed when Portal publicly posted the records of Glens Falls Hospital patients. The trial court summarily rejected the argument that because Portal Healthcare had not intended to release the information, there was no “publication,” stating that “the issue cannot be whether Portal intentionally exposed the records to public viewing since the definition of ‘publication’ does not hinge on the would-be publisher’s intent.” Importantly, the court also rejected the argument that because no one had read the records, there was no “publication.” On appeal, the Fourth Circuit “commended” the trial court for its “sound legal analysis,” but did not add more, including on the scope of the term “publication.” The ruling goes against decisions in Connecticut and New York where CGL policies were determined not to cover damages from cyberattacks. “I think it’s a shocker to CGL insurers to see a decision like this,” said a research analyst. “CGL insurers don’t really think that they should be on the hook for this type of claim. They see this as a cyber and privacy claim, not a general liability claim.” [SC Magazine] [Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, No. 14-1944 (4th Cir. Apr. 11, 2016)] [Source] [Court Opinion] [Appeal] [Federal Court Rules CGL Insurance Covers Data Breach] [4th Circuit affirms Travelers v. Portal Healthcare breach decision]

CA – BC Judge Calls for Restrictions on Court Database Searches

Thomas Crabtree, Chief Judge of the BC Provincial Court, wants restrictions placed upon searches for individuals who were ultimately not convicted of a crime. Crabtree declared a consultation regarding Court Services Online, an online database providing access to criminal records in the Provincial Court. Crabtree believes individuals who weren’t convicted of a crime should not be stigmatized, and cases ending in acquittals, dismissals and withdrawals will only be available in the database in the 30 days after the information is entered. Media outlets are displeased, believing court records should be fully open. “On balance, the need to protect individuals who have not been convicted from misuse of court record information outweighs the desirability of broad online public access to information about such cases and the individuals affected,” Crabtree wrote in a statement. [The Globe and Mail]

US – NSA Appoints First Transparency Officer

The National Security Agency has appointed current Civil Liberties and Privacy Director Rebecca Richards as its first ever transparency officer. An NSA announcement states her dual role “complements ongoing initiatives to ensure that NSA has the best civil liberties and privacy practices.” The new role will serve under the Office of the Director of National Intelligence’s Intelligence Transparency Council, which aims to make “information publicly available in a way that enhances understanding of intelligence activities, while continuing to protect information when disclosure would harm national security.” [The Washington Times]

Health / Medical

CA – GPEN Launches 2016 “Internet of Things” Global Privacy Sweep

The Global Privacy Enforcement Network will focus their 2016 Global Privacy Sweep around the Internet of Things. The group, made up of data protection authorities from around the world, including the IPC, will specifically look into the accountability practices of IoT companies during this year’s Sweep. Regulators participating in the event — taking place April 11 through 15 — will examine the privacy practices of various devices, ranging from wearables to smart TVs. The OPC says it will investigate health devices. The IPC is surveying two dozen class 2 medical devices available for sale in Ontario. DPAs will have the flexibility to focus on actual products taken right off the shelf, by investigating statements on company websites, or by directly connecting with a manufacturer. [Office of the Privacy Commissioner of Canada] [Privacy watchdog to study impact of personal Internet devices]

UK – 15,000 Expectant Parents’ Info Compromised

The personal information of more than 15,000 expectant parents was compromised after hackers breached the National Childbirth Trust. The NCT alerted users of the breach, which exposed information including email addresses, usernames and encrypted passwords. No sensitive personal or financial information was accessed in the incident. The cyberattack has been reported to both the police and the U.K.’s data protection authority. A spokesman for the NCT said the organization reached out to affected individuals, advising them to change their usernames and passwords. NCT also posted information on their Facebook page about the hack, while also sending a message on social media telling users their website may face further disruptions. [The Telegraph]

Horror Stories

US – FDIC Breach of 44,000 Customers Caused by Storage Device

A former employee of the Federal Deposit Insurance Corp. (FDIC) departed the agency with a storage device that contained data and information involving 44,000 FDIC customers. While FDIC Chairman Martin J. Gruenberg said in a March 18 memo that the data was downloaded to the storage device “inadvertently and without malicious intent,” the device included customer names, addresses and Social Security numbers, according to a media report. The former employee signed an affidavit indicating the breached information was not used, the representative noted. [Source]

Identity Issues

CA – BC Law Firm’s Request for ID is Contrary to PIPA

The BC OIPC mediated a complaint from an individual who was asked to produce identification during a free initial consultation with a law firm. PIPA prohibits businesses from collecting more information than is required: the law firm had requested ID from a potential client to comply with money laundering legislation, but confirmed that the law society did not require this collection when providing free services. [Potential Client Questions Law Firm Demand for Identification (P16-06-MS)]

CA – CAI PQ Reminds Landlords They May Only Collect Limited Contact and Credit Related Information from Prospective Tenants

The Commission d’accès à l’information du Québec issued reminders to landlords regarding privacy issues in light of July 1st, the traditional “moving day” in Quebec. A landlord may request a prospective tenant’s name and current full address, may ask to see ID, collect the name of a previous landlord, and perform a credit check (with tenant consent); the landlord may not collect data from a health card, driver’s license or passport, and should not request a SIN, employment or salary information, car details (e.g. brand, colour, or license plate number), or details of the tenant’s financial institution. [CAI PQ – Leases and Personal Privacy Principles and Guidelines To Be Respected]

Internet / WWW

WW – New Guidelines Help Cloud Providers Handle Data Breaches

Technology law specialist Bryan Tan discusses new guidelines in Singapore designed to help cloud providers and their business clients handle data breaches while following the country’s data protection regime. According to the new guidelines released by the Infocomm Development Authority of Singapore, the cloud outage incident response rules “are not meant to resolve issues due to cybersecurity, malicious act or breach of personal data protection laws.” The cloud outage incident response, or COIR, guidelines explain how the standards work with Singapore’s Personal Data Protection Act when a data breach occurs, discussing security arrangements to protect personal data and ensuring security measures are compliant with the PDPA. COIR advises cloud providers on assessing and planning for outages, encourages response plans for any incidents, and classifies the severity of incidents in a four-tier system. [Full Story]

WW – Box to Let Overseas Customers Store Files Locally in Privacy Bid

Box is trying to lure international customers, offering overseas clients concerned about privacy the option to store information locally in cloud datacenters belonging to Amazon.com Inc. or IBM Corp. Starting in May, Box Zones will give customers the choice of locating their files in Germany, Ireland, Japan, and Singapore. The company plans to add more regions in the future, said CEO Aaron Levie, and is looking at further choices in Europe and Asia as well as adding Australia and Latin America. Customers, particularly in some parts of Europe and South America, face laws that require certain types of data to be stored in their country or have strong preferences for that. Storage closer to the customer can also speed up computing. Box runs data centers in the U.S. but didn’t want to incur the costs of building out internationally to attract these customers, and it’s cheaper to pay Amazon and IBM to use their facilities, Levie said. [Source]

Law Enforcement

CA – Report: Canadian Police Have Had BlackBerry Encryption Key Since 2010

The Royal Canadian Mounted Police (RCMP) have had a key to access encrypted BlackBerry messages since 2010, a joint report from Vice News and Motherboard found. According to the report, the RCMP first obtained the key in 2010 as part of an investigation into a series of violent crimes committed between 2010 and 2012. The investigation, dubbed Project CLEMENZA, resulted in the takedown of two Italian-based organized crime cells in June 2014. Over the course of the investigation, the RCMP said it read more than one million private messages sent by members of the cell using a PIN-to-PIN interception technique. The RCMP said the investigation was the first time the encryption-breaking technique was used on such a large scale in a major investigation in North America. Court documents obtained by Vice Canada show the RCMP has a server in Ottawa – called the “BlackBerry interception and processing system” – that decrypts messages by simulating a mobile device that receives messages as though it were the intended recipient. The documents cite the RCMP’s use of the “correct global key” in decrypting the messages, though the documents do not specify how police obtained the key. [WirelessWeek] [Canadian Law Enforcement Can Intercept, Decrypt Blackberry Messages]

EU – Danish DPA Finds License Plate Information Retained Longer Than Necessary

The Data Protection Authority in Denmark investigated the processing of personal data by a parking lot company pursuant to the Act on Processing of Personal Data. The company retained license plate information on individuals for 15 months (for those exiting within the free parking period) and for 5 years (for individuals who made correct payments, and for those who did not pay). The DPA found that information on individuals not required to pay, and on individuals who provided correct payment, should be deleted without delay, and that information on individuals who have not paid should be retained only until a payment is made or a claim has been settled. [DPA Denmark – File No. 2015-631-0122 – Registration of License Plates in Parking]

CA – Chatham PD Registry of “Vulnerable” People 10% of Population

The Chatham-Kent Police Service is creating a registry of people considered to be vulnerable, through a voluntary online registry service. Data available to police would be submitted by a legal guardian or caregiver, to be used by police should they need to interact with or search for the registered person. Chief Gary Conn said the Vulnerable Persons Registry will be implemented with the service through a new online program they purchased called COP Logic. “In two to three weeks it will be soft-launched, so probably at the end of April or beginning of May,” said Conn, who also called the registry “another investigative tool in our tool kit.” Conn added, “The advantages of the system are pretty self-evident.” He said the information in the vulnerable persons registry could be used, for example, if someone goes missing. If that person’s profile shows they have an attraction to certain places, it could mean finding them more quickly. People who may benefit from being listed in the registry would include those who wander, have an inability to communicate, have fascinations or attractions to places of possible danger such as water or construction sites, or who have social responses such as aggression or fear of the police. When police receive a call involving a registered person or flagged address, the responding officers are notified and given the information contained in the registry to help them respond more effectively to the situation. Acknowledging that the definition of “vulnerable” is a broad one, Conn said up to about 10,000 people in Chatham-Kent – nearly one-tenth of the entire population – might meet the definition. The information contained in the registry will be treated as confidential by officers, subject to the Personal Health Information Protection Act, and will be used when responding to incidents or investigations involving the registered person. [Source]

Online Privacy

WW – Study: Shortened URLs Not As Private As You Think

In a paper released April 14, researchers at Cornell Tech outlined how Google, Bit.ly, and Microsoft’s shortened URLs can be “brute-forced” by hackers to access and manipulate so-called “private” sites. “With a decent number of machines you can scan the entire space,” said Cornell Tech’s Vitaly Shmatikov. “You just randomly generate the URLs and see what’s behind them.” Once the process is complete, “online resources that were intended to be shared with a few trusted friends or collaborators are effectively public and can be accessed by anyone,” the researchers said in their report. “This leads to serious security and privacy vulnerabilities.” [Wired]
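The defensive lesson of the study is that a short link is a capability: whoever can guess it can open the resource, and a six-character token from a 62-symbol alphabet is only a few tens of bits. The following Python is an added example, not code from the paper or from any of the shortening services named above. It computes how small a short-link key space is, generates tokens long enough not to be enumerable, and runs a simple detection heuristic over a constructed access-log sample (the log lines, the alphabet size and the thresholds are assumptions): a client whose lookups are mostly misses is behaving like a scanner, since legitimate users follow links that exist.

```python
import math
import re
import secrets
from collections import defaultdict

ALPHABET_SIZE = 62  # letters and digits; a common shortener alphabet (assumption)


def token_entropy_bits(length, alphabet_size=ALPHABET_SIZE):
    """Bits of guessing entropy in a random token of the given length."""
    return length * math.log2(alphabet_size)


def days_to_enumerate(length, guesses_per_second, alphabet_size=ALPHABET_SIZE):
    """Wall-clock days needed to try every token at a given request rate."""
    return alphabet_size ** length / guesses_per_second / 86400


def new_share_token(n_bytes=16):
    """A 128-bit URL-safe capability token, well beyond enumeration reach."""
    return secrets.token_urlsafe(n_bytes)


# Constructed access-log sample in an abbreviated combined log format (not real data).
SAMPLE_LOG = """\
10.0.0.5 - - [14/Apr/2016:10:00:01] "GET /aB3xK9 HTTP/1.1" 404 0
10.0.0.5 - - [14/Apr/2016:10:00:01] "GET /aB3xL0 HTTP/1.1" 404 0
10.0.0.5 - - [14/Apr/2016:10:00:02] "GET /aB3xL1 HTTP/1.1" 302 0
10.0.0.5 - - [14/Apr/2016:10:00:02] "GET /aB3xL2 HTTP/1.1" 404 0
10.0.0.5 - - [14/Apr/2016:10:00:03] "GET /aB3xL3 HTTP/1.1" 404 0
192.0.2.7 - - [14/Apr/2016:10:00:05] "GET /xYz123 HTTP/1.1" 302 0
192.0.2.7 - - [14/Apr/2016:10:00:09] "GET /xYz123 HTTP/1.1" 302 0
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET /(\w+) HTTP/[\d.]+" (\d{3})')


def find_enumerators(log_text, min_requests=5, min_miss_ratio=0.6):
    """Return {client_ip: miss_ratio} for clients whose short-link lookups
    are mostly not-found responses. Enumeration produces a high miss ratio;
    normal link-following does not."""
    hits = defaultdict(int)
    misses = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not short-link lookups
        ip, _token, status = m.groups()
        if status == "404":
            misses[ip] += 1
        else:
            hits[ip] += 1
    flagged = {}
    for ip in set(hits) | set(misses):
        total = hits[ip] + misses[ip]
        ratio = misses[ip] / total
        if total >= min_requests and ratio >= min_miss_ratio:
            flagged[ip] = round(ratio, 2)
    return flagged


if __name__ == "__main__":
    print("6-char token entropy (bits):", round(token_entropy_bits(6), 1))
    print("days to enumerate at 1M req/s:", round(days_to_enumerate(6, 1_000_000), 2))
    print("replacement token:", new_share_token())
    print("suspected scanners:", find_enumerators(SAMPLE_LOG))
```

The miss-ratio rule is deliberately crude; in production it would be combined with rate limiting per client and with the obvious fix the researchers imply: do not put secret resources behind tokens short enough to scan.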

WW – Google Unveils Privacy-Protective Beacon

Seeking an answer to Apple’s iBeacon, Google released new information on its open-source beacon format Eddystone. Eddystone has four different frame types, one for identifying other beacons, a second to send URLs to other devices, and a third that sends diagnostic data on a user’s phone. The fourth option, the Ephemeral Identifiers mode, offers a secure connection between the beacon and user. The EID is the only format to keep device information private and can be used to act as a Bluetooth tracker to locate various objects, like car keys. No identifiable or traceable information is available outside the connection as EIDs are equipped with a constantly changing identifier that alters the beacon ID — anywhere from a couple of seconds to hours at a time — making it difficult for third parties to capture any usable information. [Ars Technica]
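The privacy property described above comes from the beacon broadcasting an identifier that only a party holding the beacon's key can link across rotations. The Python below is an added illustration written for this digest, not Google's Eddystone code, and it does not implement the real EID derivation (which is AES-based with its own rotation scheme); it uses a simplified HMAC-over-time-window construction (an assumption) to show the shape of the design: the beacon's identifier changes every window, a trusted resolver that registered the beacon can still recognise it, and an observer without the key sees unrelated values.

```python
import hashlib
import hmac

ID_LEN = 8  # bytes broadcast per rotation; the derivation here is a simplification, not Eddystone's


class Beacon:
    """Beacon side: derives a fresh identifier from its secret key and the current time window."""

    def __init__(self, identity_key, rotation_seconds):
        self.identity_key = identity_key
        self.rotation_seconds = rotation_seconds

    def window(self, now):
        """Which rotation period the timestamp falls into."""
        return int(now) // self.rotation_seconds

    def id_for_window(self, window):
        counter = window.to_bytes(8, "big")
        return hmac.new(self.identity_key, counter, hashlib.sha256).digest()[:ID_LEN]

    def ephemeral_id(self, now):
        return self.id_for_window(self.window(now))


class Resolver:
    """Trusted service that registered the beacons and holds their keys;
    it is the only party that can map an ephemeral ID back to a beacon."""

    def __init__(self):
        self.beacons = {}  # friendly name -> Beacon

    def register(self, name, beacon):
        self.beacons[name] = beacon

    def resolve(self, observed_id, now, skew_windows=1):
        """Return the registered name for an observed ID, allowing a little clock skew."""
        for name, b in self.beacons.items():
            base = b.window(now)
            for w in range(base - skew_windows, base + skew_windows + 1):
                if w < 0:
                    continue
                if hmac.compare_digest(b.id_for_window(w), observed_id):
                    return name
        return None


# Constructed key for the demo; a real deployment would provision a random per-beacon key.
DEMO_KEY = bytes(range(32))


def demo():
    """Show rotation and resolution; returns (ids_seen, resolved_name)."""
    keys = Beacon(DEMO_KEY, rotation_seconds=60)
    resolver = Resolver()
    resolver.register("car-keys", keys)
    ids_seen = [keys.ephemeral_id(t).hex() for t in (0, 30, 60, 120)]
    return ids_seen, resolver.resolve(keys.ephemeral_id(100), now=100)


if __name__ == "__main__":
    seen, who = demo()
    print("identifiers over time:", seen)
    print("resolver recognises:", who)
```

Without the key a passive listener only learns that some beacon emitted an 8-byte value, and two values from different windows cannot be tied to the same device.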

WW – How Should Crowdfunding Platforms Deal With Privacy?

Crowdfunding has seen explosive growth, both domestically and globally, in the past few years. As the industry continues to mature, U.S.-based crowdfunding platforms are beginning to find that privacy considerations deeply impact their business. Aside from the usual considerations facing traditional financial service companies, crowdfunding platforms must be conscientious in the type of borrower or sponsor data they choose to display to investors on their website. Depending on the particular measures employed to protect the individual’s identity, the website may end up publishing very sensitive information in violation of strong public policies in favor of identity protection. [Privacy Advisor]

US – NAI Members’ Privacy Practices Up to Snuff: Study

The Network Advertising Initiative published its 2015 Annual Compliance Report, compiled by NAI Counsel and Director of Compliance Anthony Matyjaszewski. The report studied its “members’ adherence to the NAI Code of Conduct,” and found NAI members “met their obligations under the provisions of the code and demonstrated their commitment to consumer privacy and industry best practices.” The NAI’s Noga Rosenthal said, “NAI is set apart in the industry by its high standards for Internet-Based Advertising and related business models, and our robust monitoring program that ensures compliance with these standards. The 2015 Compliance Report shows that member companies continue to take their obligations under the code seriously.” [Network Advertising Initiative]

WW – As Friend Network Grows, Facebook Sharing Decreases

Facebook is trying to combat a growing lack of “personal sharing” that occurs as social media users’ friend groups increase and a sense of online intimacy diminishes. The trend of sharing news articles instead of personal status updates has led to what insiders dub a “context collapse,” with “original sharing” of personal anecdotes down 21% since mid-2015, the report states. Instead, users are employing outlets like Instagram and Snapchat to share, where their audience is comparatively small. Facebook’s newer “On This Day” feature is an attempt to combat the trend, the report adds. Meanwhile, a forthcoming Chrome extension, “Data Selfie,” will let users see their data profile as Facebook and other advertisers do, Motherboard reports. [Bloomberg Technology]

Privacy (US)

US – FTC Accepting Research Proposals for 2016 Events

The FTC is accepting proposals via public comment from privacy researchers for its upcoming PrivacyCon and Fall Technology Series events. The FTC’s 2016 focus is on research papers that “quantify consumers’ privacy and security interests, discuss attack trends and responses, and describe research on transparency and control,” the report states. “It is extremely valuable for us to hear from privacy and security researchers about their work,” the report continues. “This helps us stay up-to-date with technology and identify potential areas for investigation and enforcement.” The FTC will accept PrivacyCon submissions until Oct. 3. [Source]

US – Uber to Pay Up To $25M in Driver Background Checks Lawsuit

Uber has settled a civil lawsuit with the district attorneys of L.A. and San Francisco over claims the company deceived customers on its safety practices and driver background checks. In papers filed in a U.S. District Court, Uber will pay $5 million to each of the district attorneys and faces an additional $15 million fine if the terms of the settlement aren’t met within two years. Additionally, the safety-related language Uber uses around the ride fees must be reworded. The lawsuit claimed Uber overstated safety measures used to screen drivers, only requiring a driver pass a background check carried out by a third-party service. [The New York Times]

US – Lawsuit: Seattle Compost Ordinance Is Rotten

A Seattle ordinance that bars people from throwing their coffee grounds, pizza scraps and other potential compost into their trash cans is being challenged by critics who say the liberal city is turning garbage collectors into trash investigators. A group of homeowners has sued the city over the tactic, claiming it violates privacy protections provided by the state Constitution. The rule that went into effect early last year requires trash collectors to tag garbage cans that contain more than 10% compostable material with educational information. The tactic is projected to divert as much as 38,000 tons of extra food waste from a landfill every year. Several other cities have passed similar food waste laws, including Vancouver, B.C., San Francisco and Portland, Oregon. Lawyers for the homeowners cited a case that was argued in front of the Washington Supreme Court in which Port Townsend police searched a man’s garbage for evidence that he was selling drugs after the trash was placed on a curb. The court ruled police needed a warrant to search the rubbish, even if it was in plain view near the sidewalk. Homeowners also presented an affidavit from someone claiming they were tagged for compost violations twice when their trash had been secured in black plastic bags, suggesting collectors opened the bags to search for compost. [Source]

US – Uber has Given US Agencies Data on More than 12 Million Users

Uber has released its first ever transparency report. More than 12 million riders and drivers were affected by regulators’ data demands between July and December 2015. The fact that regulators are doing the demanding is what makes the number so big. Uber’s the first company, it claims, to include regulatory requests. Uber says the reason it’s including regulatory requests is that its business is “different.” Besides regulatory data, Uber provided data on 469 users to state and federal law agencies. The agencies requested information on trips, trip requests, pickup and dropoff areas, fares, vehicles, and drivers. It got 415 requests from law enforcement agencies, the bulk of which came from state governments. It produced data in nearly 85% of these cases. Uber used the transparency report release to push back against regulatory agencies that it thinks could compromise users’ privacy by going after more data than necessary. From the Medium post: “In many cases they send blanket requests without explaining why the information is needed, or how it will be used. And while this kind of trip data doesn’t include personal information, it can reveal patterns of behavior – and is more than regulators need to do their jobs. It’s why Uber frequently tries to narrow the scope of these demands, though our efforts are typically rebuffed.” This isn’t the first time Uber has wrangled with the California Public Utilities Commission (CPUC) over rider and driver data. In January, the CPUC fined Uber $7.6 million for failing to meet data reporting requirements in 2014. The CPUC was after data about accessible cars, the number of rides requested and accepted per ZIP code, and driver safety information. [Source]


UK – Brits Suffer More than 2,000 Ransomware Attacks Each Day

DON’T PANIC but the amount of cyber crime bashing the UK is increasing, at least according to Symantec and one of its regular round robin threat missives. The Symantec 2016 Internet Security Threat Report warned that threats are rising in several areas. The firm logged an international increase of 35% in crypto-ransomware attacks, the UK taking the third largest chunk with up to 2,215 attacks a day. Some of the best advice from the security community is to use strong passwords, a suggestion Symantec makes in its summaries and guidance information. The security firm said that the enemy is now more organised than ever before, and that most groups have the same kind of resources, skills and support as nation-state hacker groups. [The Inquirer]

Smart Cars / IoT

US – NTIA Begins Internet of Things Consultation

The National Telecommunications and Information Administration (“NTIA”) has initiated an inquiry regarding the Internet of Things (IoT) to review the current technological and policy landscape; NTIA is seeking input from interested stakeholders on the potential benefits and challenges of these technologies and what role, if any, government should play – comments are due before May 23, 2016. [Source]


CA – RCMP Being Investigated Over Controversial Spy Tech

An OPC spokesperson confirmed that it has opened an investigation into the RCMP’s use of IMSI catchers, or “StingRays.” These devices are essentially fake cell phone towers that force phones in the vicinity to connect and reveal identifying information. The use of such devices has been the topic of much heated discussion and public debate in the US. The Florida Supreme Court ruled that the warrantless use of StingRays by police is unconstitutional in 2014. StingRays are controversial because they target devices within a certain area, and thus risk violating the privacy of innocents. A leaked email from Correctional Services Canada last year indicated that an unnamed, StingRay-like device was installed in an Ontario prison to monitor inmate communications, but also caught innocent people outside the facility in the dragnet. “These are fundamentally tools of mass surveillance,” said David Christopher of OpenMedia, the organization that filed the privacy complaint that spurred OPC’s investigation. Canadian police have been extraordinarily unforthcoming when it comes to the use of IMSI catchers, or StingRays. Last month, seven men accused in a Quebec court case relating to a mafia slaying pleaded guilty, but not before the RCMP was forced to reveal in open court that they had used a so-called “mobile device identifier”—the RCMP’s term for IMSI catchers—in the course of their investigation. The end of the case meant that the RCMP will reveal no more information about its use of IMSI catchers in court. In BC, Vancouver police are embroiled in a public battle to keep the details of their use of IMSI catchers secret. [Source] See also: [Feds back RCMP secrecy on possible use of ‘stingrays’ for surveillance] [Privacy watchdog to investigate RCMP over alleged ‘stingray’ cellphone surveillance]

US – Bill Permits Government Use of Automatic License Plate Reader Systems

HB 93, An Act to Amend Article 1 of Chapter 1 of Title 40 of the Official Code of Georgia, has passed the House and is tabled in the Senate. Law enforcement agencies are permitted to store (immediately upon collection) and exchange license plate data; the data cannot be accessed except for a law enforcement purpose, must be destroyed no later than 1 year after collection, and policies and procedures for use and operation of an automated license plate recognition system must be maintained. [HB 93 – An Act to Amend the Georgia Code to Prohibit Law Enforcement from Retaining License Plate Data Obtained from License Plate Recognition Systems]

Telecom / TV

US – California Says No to Phone Decryption Bill

A California bill that aimed to punish companies for making smartphones that can’t be cracked has failed. The bill, introduced in January by Assembly Member Jim Cooper, would have required any smartphone sold in California to have the ability to be decrypted. It was “rejected without a vote,” the report states. “The bill, both before and after it was amended, posed a serious threat to smartphone security,” said Rainey Reitman of the Electronic Frontier Foundation. “It would have forced companies to dedicate resources to finding ways to defeat their own encryption or insert backdoors to facilitate decryption.” [ZDNet]

WW – Google Changes App Developer Rules

Aiming to improve privacy and mitigate risk, Google has released a new set of user data policy rules for its Chrome Web Store. Developers will be required to publish a privacy policy and use encryption for sensitive or personal information, the report states. And if sensitive data is being collected for a reason that isn’t directly related to an app feature, a prominent disclosure is required, separate from the privacy policy. The change comes following the passage of the GDPR, which requires “clear and affirmative consent” when processing personal data, the report states. Google says developers have until July 14 to make the necessary changes to comply. [ZDNet]

US Government Programs

US – Privacy Orgs Encourage FCC to Ignore Comment Extension Requests

The Center for Digital Democracy, the Electronic Privacy Information Center, and eight additional organizations have asked the FCC to disregard the Association of National Advertisers’ request to extend the evaluation time of the FCC’s new behavioral advertising regulations. The ANA’s request for a 60-day deliberation extension is “unwarranted,” as “the public has long had notice of many of the questions the FCC would attempt to address in this proceeding,” the groups said in a letter to the FCC. “This issue is extremely important and timely. In order to protect consumers without undue delay, the FCC should decide it as quickly as possible.” [MediaPost] [Association of National Advertisers seeks extension for comments on FCC’s broadband rule]

US Legislation

US – Draft Crypto Bill Criticized as “Ludicrous, Dangerous, Technically Illiterate”

US senators have introduced legislation that would require technology companies to comply with requests from law enforcement to unlock encrypted devices. A “discussion draft” of the bill was leaked last week. It has been criticized for weakening security and hindering competitiveness. The bill requires compliance with court orders for information, and if the information is “unintelligible,” the bill requires that the information be made “intelligible.” [Wired] [SC Magazine] [CNET] [InformationWeek]

US – House Bill Would Require Verification of Identification to Purchase Pre-Paid Mobile Devices

H.R. 4886, Closing the Pre-Paid Mobile Device Security Gap Act of 2016, was introduced in the House of Representatives and referred to the Committee on Energy and Commerce. Authorized resellers of mobile devices and SIM cards would be required to collect identifying information at the time of purchase and share the information with the device’s wireless carrier; failure to comply with these provisions can result in civil penalties of $50 for each separate offense. [H.R. 4886 – To require purchasers of pre-paid mobile devices or SIM cards to provide Identification]

Workplace Privacy

CA – Secret Video Surveillance Allowed In Ontario Dismissal Case

In a preliminary award, an Ontario arbitrator allowed covert video surveillance footage to be used as evidence in a wrongful dismissal grievance. The complainant, Mr. Donnelly, was one of three elementary school custodians dismissed for allegedly smoking marijuana adjacent to school grounds during working hours. The wrongful dismissal case between Ottawa-Carleton District School Board and Ontario Secondary School Teachers’ Federation, District 25 (Donnelly Grievance) was mediated by Arbitrator Knopf. The three dismissed custodians were reported by a fellow employee who alleged marijuana use and trafficking while at work. Following the report, the Board’s Director of Human Resources sought approval to hire a private security company to conduct covert video surveillance. The surveillance team was strictly instructed to record only illegal drug use within the vicinity of the school. After such footage was obtained, the complainant was reprimanded and his employment terminated by the Board. In Donnelly’s defence, the union highlighted the failure of the surveillance footage to adhere to the Board’s policies and procedures. The union maintained that the security company had failed to deliver the video evidence in a secure manner and without proper documentation of the approval process. They argued the video evidence should be inadmissible, as policy permitted video surveillance only to enhance safety, protect property or identify intruders, and not to collect dismissal evidence. Furthermore, they contended such covert video surveillance should only be used as a last resort, which this was not. Privacy rights were taken into account when assessing the admissibility of the video footage; however, Arbitrator Knopf accepted the evidence in light of management’s right to provide a safe workplace.
She decided this was a last resort situation, and the former employee had a low expectation of privacy since he allegedly performed illegal drug use and trafficking in a public space, while at work, and wearing a work uniform. She said that the Board had a reasonable basis to carry out the surveillance, amid credible allegations of illegal behaviour on school grounds. [Source] See also: [Ireland CCTV images of illegal dumpers raise privacy concerns: Data Protection Commissioner contacts Dublin City Council over litter poster]

CA – Tribunal Denies Request by Employer to Submit Surreptitiously Obtained Evidence from Employee’s Social Networking Account

A Quebec labour tribunal considered an appeal of an earlier decision, including a request to consider evidence from an employee’s social networking site. The employer obtained the social networking profile content through the deceptive actions of an unknown third party, and it is not the first occasion on which the employer has done so; the employer has not demonstrated sufficient grounds to justify such an invasion of privacy (i.e. a serious purpose that would appropriately allow the employer to discover dishonest content of the employee’s Facebook page, without the employee’s knowledge). [Maison St-Patrice Inc. v. Julie Cusson – 2016 QCTAT 482 – Administrative Labour Tribunal]

CA – Best Practices: OPC Guidance on Handling Employee “Snooping”

The OPC guides entities on addressing inappropriate employee access to personal information. Organizations must set clear expectations with their employees (through clear communication concerning snooping, its harm and consequences), monitor for unauthorised access to records (audit access logs), and be prepared to respond appropriately when snooping is discovered (conduct of investigation, mitigate harm to affected individuals, and include disciplinary action). [OPC Canada – Ten Tips for Addressing Employee Snooping]
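The middle OPC tip, auditing access logs for unauthorised access, is the one that needs tooling rather than policy. The Python below is an added example written for this digest, not code from the OPC or from any records system; the audit events, the assignment table and the thresholds are constructed assumptions. It applies two checks a records administrator would actually run: every access to a file the employee is not assigned to is surfaced for review, and an employee who touches more than a handful of unassigned files in one day is escalated, since that pattern is what browsing out of curiosity looks like in a log.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    timestamp: str   # ISO-8601 text, e.g. "2016-04-12T09:01:00" (constructed)
    employee: str
    record_id: str
    action: str


# Constructed assignment table: which client files each employee is entitled to open.
ASSIGNMENTS = {
    "alice": {"C-1001", "C-1002"},
    "bob": {"C-2001"},
}

# Constructed audit-log sample (not real data).
SAMPLE_AUDIT_LOG = [
    AccessEvent("2016-04-12T09:01:00", "alice", "C-1001", "view"),
    AccessEvent("2016-04-12T09:05:00", "alice", "C-1002", "view"),
    AccessEvent("2016-04-12T12:30:00", "alice", "C-9999", "view"),   # not assigned to alice
    AccessEvent("2016-04-12T13:00:00", "bob", "C-2001", "view"),
    AccessEvent("2016-04-12T13:01:00", "bob", "C-3001", "view"),     # three unassigned files
    AccessEvent("2016-04-12T13:02:00", "bob", "C-3002", "view"),     # opened in a row
    AccessEvent("2016-04-12T13:03:00", "bob", "C-3003", "view"),
]


def find_snooping(events, assignments, max_unassigned_per_day=2):
    """Group unassigned record accesses by (employee, day) and grade them.

    Returns a list of findings, each a dict with the employee, the day,
    the sorted unassigned record IDs, and a severity: "review" for a
    small number of accesses, "high" once the daily threshold is exceeded.
    """
    unassigned_per_day = defaultdict(set)
    for e in events:
        allowed = assignments.get(e.employee, set())
        if e.record_id not in allowed:
            day = e.timestamp[:10]
            unassigned_per_day[(e.employee, day)].add(e.record_id)

    findings = []
    for (employee, day), records in sorted(unassigned_per_day.items()):
        severity = "high" if len(records) > max_unassigned_per_day else "review"
        findings.append({
            "employee": employee,
            "day": day,
            "records": sorted(records),
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in find_snooping(SAMPLE_AUDIT_LOG, ASSIGNMENTS):
        print(f"{f['severity']:6} {f['employee']} {f['day']} {', '.join(f['records'])}")
```

The output of this check is a lead for the third OPC step, not a verdict: a "review" finding may have a legitimate explanation (a colleague covering a file), and the investigation the OPC describes is what establishes that.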

AU – New Legislation Allows Companies to Surveil Suspicious Employees

New Australian legislation allows employers to watch their employees outside of the workplace if there’s suspicion of unlawful activity tied to their job. The law covers 160,000 Canberra workers, UnionsACT Chief Alex White said. “If someone has done the wrong thing, if they are breaking the law or engaging in criminal activity, the appropriate agency to investigate that is the police, it’s not the employer or insurance company,” said White. Justice Minister Shane Rattenbury said strict safeguards are enacted to ensure workers have a right to privacy. “There are important safeguards there with the requirement for a magistrate to permit any sort of surveillance that is undertaken,” said Rattenbury. “We also worked very closely with the Human Rights Commission to make sure that these rights, these new powers, were compliant.” [Full Story]

