Privacy News Highlights: 19-25 April 2016


CA – Manitoba Ombudsman Lays Charges for “Snooping”

The Manitoba Ombudsman has laid charges for snooping under new provisions in the Personal Health Information Act. Individuals using, accessing or attempting to access personal health information without cause are now committing a fineable offence under the Personal Health Information Act. [Manitoba Ombudsman lays “snooping” charge under The Personal Health Information Act]

CA – Ransomware: OIPC SK Provides Guidance on Preventive Measures

The OIPC in Saskatchewan released guidance to public and private sector organisations on how to manage ransomware. Organizations should install anti-virus software, educate employees about phishing attacks, maintain offline backups of data and have an infection response plan in place; if attacked remove the infection, and attempt to restore the files or system from backup. [Office of the Saskatchewan Information and Privacy Commissioner – Ran$omware…What You Need to Know]

CA – Assisted Dying Bill C-14 Could Violate Charter, Feds Acknowledge

In a written explanation of the reasoning behind the proposed new law on medical assistance in dying, the Justice Department acknowledges that the bill could violate the charter of rights on a number of fronts.

They include:

  • Excluding those who are suffering intolerably but whose natural death is not reasonably foreseeable could violate the right to life, liberty and security of the person.
  • Treating people differently on the basis of their different medical conditions could violate equality rights.
  • Not allowing advance directives could force those with competence-eroding conditions like dementia to take their lives prematurely or risk permanently losing access to medically assisted death once they no longer have capacity to consent, thereby violating equality rights and the right to life, liberty and security of the person.
  • Restricting access to adults at least 18 years of age could violate the right not to be discriminated against based on age.
  • Requiring two independent people to witness a written request for medical assistance in dying could violate privacy rights. [Source]

CA – OPC to Investigate RCMP Over Alleged Stingray Cellphone Surveillance

While the outcome of the Privacy Commissioner’s investigation may hinge on whether the RCMP obtained proper judicial authorization prior to the use of Stingrays in particular cases, the validity of the legislation providing for such authorization could be open to an attack under the Canadian Charter of Rights and Freedoms and might also contravene telecommunications legislation. Whatever the legal outcome, the disclosure of the use of Stingrays has already sparked a public debate that could act as a catalyst for new legislation specifically regulating the use of Stingray devices. [Source]

CA – Brison Pledges to Improve Reporting of Privacy Breaches

Treasury Board will work with Canada’s Privacy Commissioner to improve the reporting of privacy breaches by federal government departments, said Treasury Board President Scott Brison following a committee meeting. “It’s an area that we will work with the commissioner and the commissioner’s office and with departments and agencies to understand fully what we can do to improve results and we’re seized with it.” Brison’s comments come after documents tabled in Parliament last week revealed that federal government departments and agencies breached the privacy of thousands of Canadians last year but only a fraction of those incidents were ever reported to Canada’s Privacy Commissioner Daniel Therrien. While departments don’t have to inform the privacy commissioner’s office of every incident, the documents also revealed that there was a wide range in the proportion of the breaches reported to the Privacy Commissioner’s office. [Source]

CA – RCMP Memo Details Public Safety Risks Via Surveillance Devices

A 2011 internal Royal Canadian Mounted Police memo warns of the ways in which IMSI catchers can negatively affect public safety. The memo mentions how the devices, which mimic cellphone towers to obtain data, can block important phone calls, including people dialing 911. RCMP has been using IMSI to surveil for potential crimes, but the internal memo indicates warnings of a risk to innocent third parties. Details within the memo also hint at expanded use of the devices by the RCMP. “When considering whether the use of the [IMSI catcher] should be authorized … officers should weigh the need to prevent imminent bodily harm, preserve life and investigate serious crimes … against the importance of having a reliable 911 system that Canadians can count on in all circumstances,” the memo reads. [The Globe and Mail]


US – Poll: American Voters Overwhelmingly Want Privacy, Encryption

Voters overwhelmingly support encryption and other measures to protect their digital privacy, according to a new poll from ACT | The App Association trade group. In the survey, 93% of respondents said it’s important that the photos, health data or financial information they store on their phones and apps, or share online, stay secure and private. Nearly the same number (92 percent) said they need “powerful, consumer-focused encryption technology” to make sure their information is secure. Meanwhile, the survey also found that 54% of respondents trust tech companies like Apple, Google and Facebook more than federal agencies, like the FBI, to protect personal information on their electronic devices. Only 21% said the reverse. [FedScoop]

US – Study: Trust in Social Media Companies Ranks Very Low

An Environics Communications study found only 26% of those surveyed ranked social media with a five or higher on a seven-point scale of trustworthiness. “These are relatively new industries, they haven’t had a lot of time to accumulate baggage … but there’s something about what’s going on that is not creating trust,” said Environics CEO Bruce MacLellan. Companies’ use of personally identifiable information and other elements of a user’s social media content for targeted advertising may be the source of anxiety. “The whole privacy issue is a huge part of this,” MacLellan said. “People are wary about what’s going on with that content, and how it’s being used.” [The Globe and Mail]


US – Email Privacy Act Expected to Pass in House Vote

House Majority Leader Kevin McCarthy, R-Calif., docketed a vote for the Email Privacy Act in the upcoming week. If passed, the legislation would mandate law enforcement officials get a warrant before accessing users’ electronic communications stored by tech companies, the report states. It came through committee in early April with only minor revisions. While the bill is believed to pass the House with ease due to its more than 300 co-sponsors, its Senate journey might not be so clear-cut, the report adds. Senate Judiciary Committee Chairman Chuck Grassley, R-Iowa, “has previously expressed sympathy for some agencies’ concerns.” [The Hill]

US – Study: Phishing Email Attacks on the Rise

Verizon’s ninth annual Data Breach Report found that phishing emails were the primary catalyst for data loss, with the amount of emails opened growing from 23-30% in the last year. Embracing two-factor authentication is one potential for companies looking to avoid falling prey to phishing attacks, said Verizon’s Bryan Sartin. “It would mitigate an entire swathe of these breaches.” [CSO Online]


US – Tech Groups Write Open Letter Criticizing Encryption Bill

Four major tech groups, representing companies including Facebook, Netflix and Google, have written an open letter to a pair of senators regarding their bill requiring all encryption have the ability to be cracked when needed. The bill, by Senators Richard Burr, R-N.C, and Dianne Feinstein, D-Calif., was recently leaked and widely criticized. “We write to express our deep concerns about well-intentioned but ultimately unworkable policies around encryption that would weaken the very defenses we need to protect us from people who want to cause economic and physical harm,” the letter’s opening reads. The letter arrives at the same time a new survey from ACT reveals that 93% of respondents said it’s important their data is secured, with 92% needing strong encryption on their devices. [TechCrunch]

EU Developments

EU – EDPS Finds Commission Proposal to Exchange Non-EU Citizens’ Criminal Data Disproportionate

The European Data Protection Supervisor provides an opinion on the European Commission’s proposal to extend the European Criminal Records Information System to third country nationals. Member States would be obliged to store the fingerprints of all convicted non-EU citizens to ensure proper identification of individuals; however, not all Member States store fingerprint data or are connected to the national automated fingerprint identification system, and it is not necessary or proportionate to require storage of fingerprint data regardless of States’ sanction thresholds or the nature of the offence. [EDPS – Opinion 3/2016 – Exchange of Information on Third Country Nationals as Regards the European Criminal Records Information System]

EU – German Constitutional Court Finds Police Investigative Powers Too Broad

The German Federal Constitutional Court hears a complaint alleging that certain provisions introduced into the Federal Criminal Police Office Act are unconstitutional. Criteria for collection of personal data do not have requirements that a specific and foreseeable incident is present or an individual’s behavior substantiates a specific probability for terrorist offences, surveillance of private homes is not fully proportionality and constitutes a serious interference with individual privacy (it should focus exclusively on target persons communications), and the body charged with viewing the collected data (members of the police force) are not sufficiently independent. [Germany Federal Constitutional Court Declared BKA Act Partly Unconstitutional]

EU – US Hesitant to Renegotiate Privacy Shield Following EU Regulators’ Opinion

After European privacy regulators articulated concerns with Privacy Shield, the U.S. is reluctant to reopen negotiations. European data protection authorities weren’t pleased with the amount of U.S. surveillance permitted in the new Shield agreement, and while their approval is not needed to finish the deal, they will be enforcing it and aiming to ensure it doesn’t meet the same fate as Safe Harbor. With massive amounts of business on the line, delays to Privacy Shield implementation might be too costly to consider, the report states. “Given the pressure that currently exists with U.S. organizations and even in Europe, with organizations there trying to conduct business, my bet is that we’re going to see the Commission go forward with Privacy Shield,” said a lawyer from Foley & Lardner LLP. [The Hill] [The U.K. Information Commissioner Christopher Graham voiced his disappointment that the U.S. has articulated it isn’t interested in reopening negotiations for the Privacy Shield] U.S. businesses expressed their anxieties after the Article 29 Working Party released its opinion of the E.U-U.S. Privacy Shield agreement.


CA – Identity Management: FINTRAC Clarifies Which Client ID May Be Requested and/or Recorded for Identity Verification

FINTRAC has issued guidelines to securities dealers on client identification. Acceptable ID must have a unique identifier number, have been issued by a provincial, territorial or federal government, be valid (unexpired), and an original (not a copy); examples include an individual’s birth certificate, driver’s licence, Canadian or foreign passport, record of landing, permanent resident card, or certificate of Indian status or a provincial or territorial identification card (issued by prescribed entities). [Financial Transactions and Reports Analysis Centre of Canada – Guideline 6E: Record Keeping and Client Identification for Securities Dealers]


CA – Doctors, Pharma Company Funding and Privacy

Your doctor could be getting money from pharmaceutical companies and doesn’t have to tell you. It’s not uncommon for health practitioners to have relationships with industry — companies may be in touch about new drugs, sponsor educational conferences or compensate doctors financially for consultation, for work on advisory boards or in clinical trials. If your doctor’s in the United States, you can search their name in a public database and find each payment itemized by date, company and amount, thanks to the Sunshine Act, part of the Affordable Care Act. The legislation requires any pharmaceutical company giving payments or “transfers of value” of any kind or amount to American doctors to disclose them in detail. Canada has no such law. Canadian pharmaceutical companies are legally required to itemize all of their payments to doctors in Detroit, Fargo, Spokane and Seattle — but none of their payments to doctors in Windsor, Winnipeg, Calgary or Vancouver. Disclosures for presentations, not patients Nav Persaud, a researcher and physician with St. Michael’s Department of Family and Community Medicine in Toronto, wants that to change. “There are requirements to disclose that funding when, for example, you’re giving a talk to your colleagues. What there’s not clear guidance on is whether those gifts or payments need to be disclosed to patients.” Provincial governments could do it easily, Persaud argues: Ontario, for example, could pass a law requiring all the companies manufacturing drugs covered under the Ontario Drug Benefit to disclose and itemize all of their payments to Ontario health practitioners. [Global News]

US – FBI Officials Keep Tactics Secret, Even from Fellow Agents

According to documents recently disclosed under a Freedom of Information Act lawsuit, FBI officials have long aimed to keep their surveillance tactics secret even from fellow law enforcement officials. Officials “once warned agents not to share details even with federal prosecutors for fear they might eventually go on to work as defense attorneys.” Privacy advocates are concerned that secrecy makes court scrutiny of such practices difficult. Meanwhile, it’s been reported that the Drug Enforcement Administration has been taking tips from National Security Agency data. [USA TODAY]

CA – Ontario’s Police Watchdog Lags Behind Others in Transparency

When a BC man died after being Tasered during an arrest last year, the province’s civilian police watchdog launched an investigation that ultimately cleared the five Chilliwack RCMP officers involved in the death. The officers “acted appropriately” when they used the Taser, wrote Chief Civilian Director Richard Rosenthal in his recent report. Their force was not excessive and no officer should be charged in relation to the death. Then Rosenthal backed that decision up — in a detailed, 12-page public report posted on the watchdog’s website, a document that is “virtually identical” to the report sent to B.C.’s Ministry of Justice, according to the watchdog’s spokesperson, Marten Youssef. That report includes: a timeline of 911 and dispatch calls and a description of their content; a breakdown of the evidence provided by two witness officers and five civilian witnesses; a summary of an analysis of the conducted-energy weapon and of the autopsy report; an explanation of the legal issues, including whether the officers used excessive force that resulted in his death; and the director’s analysis of the evidence.

In cases where B.C.’s Independent Investigations Office clears an officer, the agency releases a decision that is as detailed as possible, because in cases with no charges, “there better be an explanation, and a comprehensive one,” Youssef said. He acknowledges that few people will actually read them from start to end, “but it needs to be there.” “It’s a question of transparency,” he said. Ontario — once a leader in civilian oversight after establishing Canada’s first provincial police watchdog, the Special Investigations Unit, in 1990 — is now lagging behind other provinces when it comes to the transparency measures of its independent police oversight agencies. [Source]

Health / Medical

NO – Norwegian Appeals Board Upholds DPA’s Denial of Approval for Health Data Research Project

The Privacy Appeals Board reviewed the Norwegian Data Protection Authority’s decision to reject an application from the University of Oslo’s to process health data for a research project. The research project’s proposed collating of data from various sources, including a national patient register, would have permitted the indirect identification of individuals, which did not sufficiently meet pseudonymisation requirements; the DPA was correct in finding that relevant legislation requires that such pseudonymisation be irreversible. [Privacy Appeals Board, Norway – PVN-2015-12 – University of Oslo Health Research Project]

WW – Health Data: Challenges in Providing Notice to Users of Wearable Devices

Current and future challenges of obtaining meaningful consent, before collecting or processing health-related data generated by individuals’ wearable devices. Organizations collecting mHealth data via wearable devices face challenges in obtaining meaningful consent from users (owing to small screen sizes and the need to provide a privacy statement including proposed uses of the data); prior consent is still required (with limited exceptions, including for preventive medicine, for medical diagnosis) and the new GDPR will impose even more stringent requirements. [mHealth – Wearables, technical innovation and Data Protection – CMS Law]

UK – Privacy Concerns Limit Social Media-Based Health Campaigns: Study

A “qualitative evaluation” of HIV Prevention England’s awareness program, “It Starts With Me,” found that online privacy concerns inhibit the wider reach of social media-mired intervention campaigns. “Nearly all of our participants held concerns about privacy relating to their social media use and their engagement with sexual health interventions,” the researchers said. They added that their study did not contain privacy-specific questions, but that respondents expressed their privacy concerns organically. [NAM Aidsmap] [Witzel TC et al. It Starts With Me: Privacy concerns and stigma in the evaluation of a Facebook health promotion intervention. Sexual Health, 2016]

Horror Stories

WW – Private Data of 1.1 Million ‘Elite’ Daters for Sale

Sexual preference. Relationship status. Income. Address. These are just some details applicants for the controversial dating site are asked to supply before their physical appeal is judged by the existing user base, who vote on who is allowed in to the “elite” club based on looks alone. All of this, of course, is supposed to remain confidential. But much of that supposedly-private information is now public, thanks to the leak of a database containing sensitive data of 1.1 million users. The leak, according to one researcher, also included 15 million private messages between users. Another said the data is now being sold by traders lurking in the murky corners of the web. Other leaked data included weight, height, job, education, body type, eye colour and hair hue, as well as email address and mobile phone number. Location data, in the form of latitude and longitude, were also leaked, along with smoking and drinking habits, interests and favourite TV shows, movies and books. Anyone using the site expecting privacy should now consider themselves exposed, right down to their appearance, whereabouts and interests. “We’re looking at in excess of 100 individual data attributes per person. Everything you’d expect from a site of this nature is in there.” [Source]

US – NY Hospital to Pay $2.2 Million Over Unauthorized Filming of 2 Patients

NewYork-Presbyterian Hospital has agreed to pay a $2.2 million penalty to federal regulators for allowing television crews to film two patients without their consent — one who was dying, the other in significant distress. Regulators said that the hospital allowed filming to continue even after a medical professional asked that it stop. At the same time, regulators clarified the rules regarding the filming of patients, prohibiting health providers from inviting crews into treatment areas without permission from all patients who are present. That could end popular television shows that capture emergencies and traumas in progress, getting permission from patients only afterward. “It is not sufficient for a health care provider to request or require media personnel to mask the identities of patients (using techniques such as blurring, pixelation or voice alteration software) for whom an authorization was not obtained,” the Office for Civil Rights with the federal Department of Health and Human Services said in an online post. “I think this will have a chilling effect on hospitals going forward. Any hospital legal counsel worth his salt or any P.R. director would be committing malpractice in order to allow it to occur. It’s now embodied in a federal directive.” [Source]

US – North Carolina Clinic Settles HIPAA Breach for $750,000

The Raleigh Orthopaedic Clinic must pay $750,000 in a settlement after the Department of Health and Human Services’ Office for Civil Rights discovered it had shared the health data of 17,300 individuals in 2013 without “executing a business associate agreement,” a violation of HIPAA. “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” said OCR Director Jocelyn Samuels. “It is critical for entities to know to whom they are handing personal health information and to obtain assurances that the information will be protected.” [Healthcare IT News]

CA – Class Action Lawsuit Filed for Privacy Breach in Lanark, Leeds and Grenville

A Class Action lawsuit has been filed following a massive privacy breach at Family and Children’s Services of Lanark, Leeds and Grenville earlier this week that saw the names of 285 families involved with children’s services leaked on Facebook. The class action filed in the Ontario Superior Court of Justice on behalf of a person identified only as M.M. names the agency, its executive director, Children and Youth Services Minister Tracy MacCharles and John Doe – the person responsible for sharing the information – as defendants. The lawsuit calls for $25-million in general damages, $25-million in special damages and $25-million in punitive, aggravated and exemplary damages on behalf of M.M. the families whose names were shared in a document on the Smiths Falls Swapshop and Families United Facebook pages earlier this week. “This is a very serious breach of privacy, made possible by the Family and Children’s Services of Lanark, Leeds and Grenville,” said Sean Brown of Flaherty McCarthy LLP in Toronto. “That institution made the decision to use an on-line portal system that was easily accessed by an individual without any obvious hacking skills. The most sensitive and confidential information held by that body, specifically the names of those under its investigation, have now been published on the Internet. The damage has been done. That bell can not be unrung.” [CFRA]

Identity Issues

WW – FPF Reports on the Full Spectrum of Practical Data De-Identification

One of the most hotly debated issues in privacy and data security is the notion of identifiability of personal data and its technological corollary, de-identification. De-identification is the process of removing personally identifiable information from data collected, stored and used by organizations. Once viewed as a silver bullet allowing organizations to reap the benefits of data while minimizing privacy and data security risks, de-identification has come under intense scrutiny with academic research papers and popular media reports highlighting its shortcomings. At the same time, organizations around the world necessarily continue to rely on a wide range of technical, administrative and legal measures to reduce the identifiability of personal data to enable critical uses and valuable research while providing protection to individuals’ identity and privacy. This paper proposes parameters for calibrating legal rules to data depending on multiple gradations of identifiability, while also assessing other factors such as an organization’s safeguards and controls, as well as the data’s sensitivity, accessibility and permanence. It builds on emerging scholarship that suggests that rather than treat data as a black or white dichotomy, policymakers should view data in various shades of gray; and provides guidance on where to place important legal and technical boundaries between categories of identifiability. It urges the development of policy that creates incentives for organizations to avoid explicit identification and deploy elaborate safeguards and controls, while at the same time maintaining the utility of data sets. [Source] [Infographic] [Privacy Advisor]

US – Judge: Ashley Madison Breach Victims Must Use Real Names

Victims of the Ashley Madison data breach wishing to be named plaintiffs in the upcoming litigation will need to use their real names. U.S. District Judge John Ross made the decision, saying fake names should only be used in civil litigations in certain cases. “The disclosure of Plaintiffs’ identities could expose their sensitive personal and financial information — information stolen from Avid when its computer systems were hacked — to public scrutiny and exacerbate the privacy violations underlying their lawsuit,” Ross said. “At the same time, there is a compelling public interest in open court proceedings, particularly in the context of a class action, where a plaintiff seeks to represent a class of consumers who have a personal stake in the case and a heightened interest in knowing who purports to represent their interests in the litigation.” Victims have until June 3 to join the class. [Ars Technica]

WW – More than 1 Million Facebook Users Access via TOR Network

It seems that every few weeks or so, a new study about how the dark web is mostly vile and mostly harbors criminals crops up. The majority of people, in fact, would be pretty OK about it were the dark web to be padlocked, according to a recent survey. The battle over anonymizing technologies – encryption and the Tor network that the dark web runs on – is a polemic issue: it often boils down to a simplistic battle between the advocates of innocent individuals’ privacy rights (and of security that isn’t weakened via backdoors) vs. the shielding of criminals. On one side of the argument, Tor is used by whistleblowers, human rights activists, journalists and others to protect their identities. On the other side: it’s also used by people shielding their activities around cybercrime, drugs, illegitimate porn and violent extremism. As it turns out, a large number of people who want to use Facebook secretly without revealing their identities fall into the “legitimate use” side of the battle. Facebook said on Friday that over a million people accessed Facebook through the Tor network this month. That’s up from the 525,000 people who were coming in over Tor over a 30-day period last June, and it follows two years of work to enable people to find the social network on Tor. [Source]

Internet / WWW

WW – Google Beefs Up Chrome Web Store User Data Policy

Google has made changes to the Chrome Web Store User Data Policy to protect users from data theft. Third-party developers must encrypt personal data that they transmit. The revised policy also requires developers to create and publish a privacy policy explaining which data they collect and how it is used. [Register] [Google]

Law Enforcement

CA – Surrey’s License Plate-Scanning & 300 Traffic Cameras Remain Limited

Although the RCMP have now been given 24-hour access to Surrey’s 300 traffic cameras in the fight against gang violence, there is a line Mounties are not attempting to cross. They aren’t proposing to use the 330 city intersection cameras to rapidly scan licence plates and check drivers against policing databases, as now happens with the Automated Licence Plate Recognition (ALPR) system on use on about 40 police cars in B.C. In theory, a stationary system of cameras integrated with ALPR could act as a surveillance network, tracking the movements of known gangsters or quickly identifying suspect vehicles fleeing the scene of a shooting – if that was allowed here as it is in the U.K. “That’s not what exists here in British Columbia or anywhere else in Canada,” RCMP Dep. Commissioner Craig Callens said, giving a short answer of “no” when asked if such a London-style system is being pursued. “I have not been involved in any discussions to this point,” he told Black Press. “And I think to do so would require some considerable consultation with the provincial privacy commissioner.” A University of the Fraser Valley study in 2015 suggested much more could be done with the licence-scanning system to tackle more serious crime. “ALPR is not being used in Surrey to its full potential,” according to the report by UFV criminologists. In other jurisdictions, they noted, the second most common use is for crime intelligence – using ALPR equipped vehicles to patrol high-crime areas to run plates, collect data and identify and track potential suspects. [Source]


US – Support Increases for Legislation to Halt Government Location Tracking

The House Judiciary Committee may consider halting the government’s ability to track citizens’ locations via their cellphones without a warrant sooner rather than later. During its meeting on the Email Privacy Act last week, Chairman Bob Goodlatte, R-Va., said he wants to hold a meeting on how the committee is dedicated to safeguarding geolocation data when the next Congress commences. Goodlatte’s stance is drawing praise from both sides of the aisle and has been compared to legislation from Rep. Zoe Lofgren, D-Calif., requiring the government to seek a warrant in order to intercept or request geolocation data from any citizen. Goodlatte has the support of privacy advocates including Sen. Ron Wyden, D-Ore., who believe location tracking to be a prominent issue to be addressed in the widespread surveillance debate. [Morning Consult]

Privacy (US)

UK – Supreme Court Believes IT Progress Make Privacy Laws ‘Unenforceable’

Lord Neuberger, president of the UK Supreme Court, expressed skepticism about the overall effectiveness of privacy laws, claiming such orders are “unenforceable.” Delivering his opinions in front of lawyers in Edinburgh, Neuberger believes gains in technology have made it impossible to properly enforce privacy laws, and developments in IT have greatly increased the tensions between personal privacy and freedom of expression. “The existence of the Internet inevitably affects what can be practically achieved in terms of enforcement of privacy, and the law should never seek to acknowledge or enforce rights which are in practice unenforceable,” Neuberger said. [Daily Mail]

US – Legislators Lack Unbiased Scientific and Technical Advice

Budget cuts more than twenty years ago eliminated the US Office of Technology Assessment (OTA), which provided legislators with unbiased scientific and technological information. Former congressman Rush Holt, a trained research physicist, tried to bring OTA back, but did not succeed. He noted, “Most members of Congress don’t know enough about science and technology to know what questions to ask, and so they don’t know what answers they’re missing.” [Wired]


US – DHS Red Teams Conduct Penetration Tests on Government Agencies

The US Department of Homeland Security’s (DHS) National Cybersecurity and Communications Integration Center (NCCIC) has conducted penetration tests on three unnamed US government civilian agencies. The red teams were able to “own those agencies from top to bottom and side-to-side.” NCCIC now plans to help those agencies fix their network weaknesses. The agencies will also have help developing internal cybersecurity talent so they can continue to conduct similar assessments more frequently. [Source]

US – More Bad News for NASA Cybersecurity

Two more reports have found serious cybersecurity problems at NASA. The agency’s inspector general found that NASA needs to improve continuous monitoring management, configuration management, and risk management. And a private security company, Security Scorecard, ranked NASA last among 600 federal, state, and local government agencies surveyed in its report. Security Scorecard found that NASA had issues with secure sockets layer (SSL) certificates, unsecure open ports, and misconfigured email sender policy frameworks. [Source] [NASA IG Report]

WW – 93 Million Mexican Voter Records Exposed on Cloud

A 132 GB database, containing the personal information on 93.4 million Mexican voters has finally been taken out of the cloud and offline. The database sat exposed to the public for at least eight days after its discovery by a researcher, but originally went public in September 2015. The security researcher discovered the MongoDB instance on April 14, but had difficulty tracking down the person or company responsible for placing the voter data on Amazon’s AWS. He first reached out to the U.S. State Department, as well as the Mexican Embassy, but had little success. The database contains all of the information that Mexican citizens need for their government-issued photo IDs that enable them to vote. Along with their municipality, and district information, the database records include the voter’s name, address, voter ID number, date of birth, the names of their parents, occupation, and more.

Eventually, after a speaking engagement at Harvard University’s Center for Government and International Studies, the researcher was able to reach someone the Mexican Instituto Nacional Electoral (INE). The database was pulled offline earlier this morning. Given that the database has been online since September 2015, it isn’t clear how many people have accessed the records. Additionally, the actual owner of the account hosting the data remains unknown. Mexico has strict laws regarding the usage and access of voter information, and the last time such records were in the hands of a company in the U.S., it became an international incident. “Under Mexican law this data is strictly confidential, carrying a penalty of up to 12 years in prison for transfer or extraction for personal gain. The Mexican Elections Commissioner has confirmed that the database is authentic. The data is now secured but the real question is who else had access to this sensitive information, and who put it on a US-based Amazon cloud server?” he said in a brief statement. [Source] [Hacker discovers information on nearly all Mexican registered voters]

EU – Security Frameworks – EDPS Details Components of Information Security Risk Management Process

The European Data Protection Supervisor has released a guidance document on Information Security Risk Management practices in support of requirements found in Article 22 of Regulation 45/2001. Key steps include establishing a company’s context (collecting relevant information, defining scope, assigning roles), identification and assessment of risks, deciding on responses, management sign-off of residual risks, and ongoing monitoring of risks as well as the process itself. [European Data Protection Supervisor – Guidance – Security Measures for Personal Data Processing – Article 22 of Regulation 45/2001]


US – Federal Appeals Court Says Warrant Not Needed for Stingray Use

The 6th US Circuit Court of Appeals has agreed with the federal government that a warrant is not necessary when using cell-site location technology like Stingrays. The majority of federal appeals court rulings share this position; the only federal appeals court that sided against has agreed to rehear the case, so the opinion has been set aside. The issue is unlikely to head to the Supreme Court anytime soon unless more federal appeals courts disagree with the government. [Ars Technica]

UK – Surveillance Bill Would Require Government Vetting of New Communications Technology

Draft surveillance legislation in the UK would require technology and telecommunications companies to run new products, services, and features by the government prior to their release, to ensure that they provide capability for the government to intercept communications or access stored data. [ZDNet] Privacy International has flagged a provision in the U.K.’s draft Investigatory Powers Bill that would mandate tech firms like Google and Apple to inform spies when their technologies were to be upgraded.

UK – Documents Reveal British Intelligence Agencies Collecting Bulk Personal Data Since 1990s

A collection of more than 100 documents reveals how British intelligence agencies, including MI5, MI6 and GCHQ, have been collecting bulk personal data in secret since the late 1990s. The documents show how the agencies have been stockpiling the data, which includes travel records, financial data and communications information, for longer than previously divulged. The internal memos also reveal how the agencies gathered information on individuals who are “unlikely to be of intelligence or security interest.” Other revelations include continuous issues intelligence agencies face regarding data handling errors, resulting in the disciplining of two MI5 and three MI6 agents between 2014 and 2016 for mishandling bulk personal data, while a GCHQ staff member was fired for unauthorized searches. [Guardian]

CA – Saskatchewan OIPC Issues Best Practices on Public Surveillance

The OIPC SK has provided guidance on video surveillance of public areas, aimed at public bodies who may be subject to:

Images of individuals are personal information under privacy legislation; public bodies deploying CCTV cameras (or similar) should consider the following – confirming that the collection is necessary and lawful (i.e., proper authority under the law), minimizing impact on personal privacy (avoid washrooms, post notices that the area is under surveillance), conducting a PIA, and ongoing audit and review of the program. [Video Surveillance Guidelines for Public Bodies – OIPC SK]

Telecom / TV

US – 60 Minutes Segment Demonstrates Ease of Tracking Smartphones

US television investigative news magazine 60 Minutes ran a segment showing just how vulnerable smartphones are to tracking and eavesdropping. US Senator Ted Lieu (D-California) participated in the demonstration. Using just the 10-digit number associated with the smartphone, Security Research Labs’ Karsten Nohl was able to record calls made to and from the device and track its precise location. Nohl exploited a weakness in the Signaling System No. 7 (SS7) routing protocol to access the phone Lieu was using. [Ars Technica] [ComputerWorld] [The Register] [The Hill]

US – FCC to Examine Mobile Network Security

Following a 60 Minutes television news magazine segment that demonstrated a vulnerability that could be exploited to eavesdrop on phone calls, the head of the US Federal Communications Commission’s (FCC) Public Safety Bureau has directed his staff to look into the Signal System 7 (SS7) vulnerability. [SC Magazine] [The Hill]

AU – 60 Minutes Australia Covered SS7 Vulnerability Last Year

The SS7 vulnerability was demonstrated last year on a segment for Australia’s 60 Minutes program, which also noted that a relatively inexpensive and readily obtainable device known as an IMSI catcher, or cell-site simulator, could be used to conduct man-in-the-middle attacks against cellphones. [YouTube] [NDTV]

CA – BC Appeals Court Affirms Its Position on Text Message Privacy

On April 11th, the BC Court of Appeal held that a defendant convicted of internet luring and sexual touching of a minor had a reasonable expectation of privacy in direct messages he sent to the complainant and others via a social media platform. The trial judge had found no such expectation – a finding that rested in part on the nature of the messages. The trial judge held that the messages contained no personal information that the defendant had not posted in his public profile and were not sent to an intimate, trustworthy contact. The Court of Appeal viewed the messages differently – as “flirtatious” – and held that the trial judge rested too heavily on the “risk analysis” that characterizes American Fourth Amendment law. It reasoned: While recognizing that electronic surveillance is a particularly serious invasion of privacy, the reasoning is of assistance in this case. Millions, if not billions, of emails and “messages” are sent and received each day all over the world. Email has become the primary method of communication. When an email is sent, one knows it can be forwarded with ease, printed and circulated, or given to the authorities by the recipient. But it does not follow, in my view, that the sender is deprived of all reasonable expectation of privacy. To find that is the case would permit the authorities to seize emails, without prior judicial authorization, from recipients to investigate crime or simply satisfy their curiosity. The analogy between seizing emails and surreptitious recordings [as considered by the Supreme Court of Canada in R v Duarte] is valid to this extent. In the end, the Court found a breach of section 8 but held the evidence was after conducting its section 24(2) analysis. The Court’s reasonable expectation of privacy finding follows its earlier similar finding in R v Peluco. For the context see this Law Times article. [BCCA affirms its position on text message privacy]

US Government Programs

US – U.S. Administration Refuses Information About Spying On Americans

A group of lawmakers from both parties are unhappy that they are being asked to reauthorize two key surveillance programs without the Obama executive branch answering how much data is being gathered on innocent Americans. The two programs authorized by Section 702 of the Foreign Intelligence Surveillance Act, are PRISM and Upstream. PRISM is a clandestine surveillance program under which the US NSA collects internet communications from at least nine major US internet companies. Since 2001 the US government has increased its scope for such surveillance, and so this program was launched in 2007. The major companies include Facebook, Yahoo, and Skype. Upstream collection involves four different surveillance programs: In a Foreign Intelligence Surveillance Court (FISC) order from October 3, 2011, it’s said that the Upstream collection accounts for approximately 9% of the total number of 250 million internet communications which NSA collects under the authority of section 702 FAA every year. During the first half of 2011, NSA acquired some 13.25 million internet communications through Upstream collection. “The program is unable to exclude domestic communications due to technical difficulties. The government refuses to tell politicians how much data is collected from Americans. Fourteen members of the House Judiciary Committee sent a letter to James Clapper, the Director of National Intelligence, asking for at least a rough estimate of the number. The letter said: “In order that we may properly evaluate these programs, we write to ask that you provide us with a public estimate of the number of communications or transactions involving United States persons subject to Section 702 surveillance on an annual basis.” Senator Rony Wyden has been asking for the number since 2011. The Privacy and Civil Liberties Oversight Board also asked in 2014. More than 30 privacy groups have also asked for the number. [Source] [Clapper: ‘We’ll do our best’ to figure out surveillance numbers]

US Legislation

US – Legislative News Roundup

Workplace Privacy

CA – Employee Privacy: Ontario Arbitration Board Rules that Employer’s Search of Employee’s Personal USB Key Did Not Infringe Charter Rights

An arbitration board heard a termination complaint filed by a union for federal employees against an Ontario government ministry. A supervisor was permitted by a management rights clause in the collective agreement to search the lost USB key (which was reported to contain employer documents) for evidence of employee misconduct. Any Charter-infringing conduct was minor; some degree of intrusion into personal documents was inevitable because the key was used for both personal and work purposes. [Association of Management, Administrative and Professional Crown Employees of Ontario (Bhattacharya) v. The Crown in Right of Ontario (Ministry of Government and Consumer Services) – 2016 CanLII 17002 – The Grievance Settlement Board, Ontario]

CA – ONSC Affirms Damages Award for “Friend’s” Leak of Work Schedule

On April 8th, the Ontario Superior Court of Justice affirmed a $1,500 damages award for a privacy breach that entailed the disclosure of information that the defendant received because she was the plaintiff’s social media friend. The plaintiff and defendant were pilots who worked for the same airline. The plaintiff shared his work schedule with the defendant though an application that allowed him to share his information with “friends” for the purpose of mitigating the demands of travel. The airline also maintained a website that made similar information available to employees. The defendant obtained the schedule information through one or both of these sites and shared it with the plaintiff’s estranged wife. Among the issues raised in this scenario: Is a work schedule, in this context, personal information? Does one have an expectation of privacy in information shared in this context? Does the intrusion upon seclusion tort proscribe a disclosure of personal information? The appeal judgement is rather bottom line. In finding the plaintiff had a protectable privacy interest, the Court drew significance from the airline’s employee privacy policy. [Source]



Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: