Monthly Archives: June 2016

18-24 June 2016

June 28, 2016 – 9:04 am

Biometrics

WW – IBIA Approves New Facial Recognition Best Practices

The International Biometrics + Identity Association voiced its approval of a new set of facial recognition best practices. The guidelines were created by the Department of Commerce’s National Telecommunications and Information Administration, and have been hailed by the IBIA as a flexible guideline for numerous applications of the technology, including authentication and social media. “The clear benefits of facial recognition technology come with a responsibility to users and consumers,” said IBIA Managing Director Tovah LaDier. “These privacy best practices will help to assure the public that facial recognition is being used responsibly and accountably. They also demonstrate the strong commitment of the industry to protecting the public’s privacy, even as new technologies and applications emerge.” [Planet Biometrics] [NTIA group agrees on face recognition code of conduct]

Canada

CA – The OPCC has Released Its Annual Report for 2015-2016. [Source]

CA – PI Contained in Public Court or Tribunal Decisions is Publicly Available Information: OPC

The Office of the Privacy Commissioner investigated a complaint about an online legal database pursuant to PIPEDA. The OPC dismissed a complaint alleging an online legal database unlawfully published an individual’s PI by publishing a court decision about her; the PI appeared in a public judicial document for which there was no publication ban, and the company’s subscription-based research tools and services do not undermine the balance between privacy and the open courts principle. [OPC Canada – PIPEDA Report of Findings #2015-013 – Online legal database doesn’t need consent to use publicly available court decisions, in support of the open court principle]

CA – Decision Provides Rare Insight on the Applicability of RTBF in Québec

On April 14th, 2016, the Commission d’accès à l’information (the “CAI”) issued a decision discussing the relevance of the “right to be forgotten” with regards to the “right to rectification” found in the Act Respecting the Protection of Personal Information in the Private Sector, CQLR, c. P-39.1. The CAI interestingly noted that a person’s right to rectification with respect to inaccurate, incomplete or equivocal information is distinct from the “right to be forgotten.” This right, which is recognized in the European Union, allows individuals to stop search engines from providing links to information about them that is deemed “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes of the processing at issue.”  As a result of this decision, it is now clear that the right to be forgotten is irrelevant to the examination of the right to rectification, as the two rights are different, both conceptually and practically. [Source]

CA – Therrien to Trudeau: Government Privacy Law Outdated

In a letter to Prime Minister Justin Trudeau, Privacy Commissioner Daniel Therrien warns that without renewal, protections under Canada’s Privacy Act “are proving to be increasingly out of touch with Canadians and their engagement with the digital world.” The act, which governs federal government data handling, was passed in 1983 and no substantial changes have been made to it since, reports The Star, even while advances in technology have dramatically changed the way government does business. A representative for the prime minister says the issue is a priority and they “are committed to working with the commissioner on an active and ongoing basis,” noting the minister of justice is reviewing the recommendations. [Source]

CA – BCCLA Says Warrantless Spying on Canadians Must End

In the latest step in a court case launched in 2013, the British Columbia Civil Liberties Association is asking the federal court to allow access to government documents that would shed light on the surveillance activities of the Communications Security Establishment. Specifically, the BCCLA objects to the warrantless collection of information on Canadian citizens, and points to recent data mishandling by the CSE as part of its participation in the Five Eyes program with Australia, New Zealand, the U.K. and the U.S. “The CSE is engaged in what is surely one of the largest warrantless activities directed at Canadians,” the BCCLA Litigation Director Grace Pastine told On the Coast guest host Michelle Eliot. [CBC News]

CA – Federal Court Finds Individual’s Request for Review of OPC Report Misdirected

The Federal Court hears E.W’s request for review of the findings of the Privacy Commissioner of Canada in response to her privacy complaint against the Department of Human Resources and Skills Development Canada. The OPC (after an investigation of the individual’s complaint of alleged improper collection of personal information without her consent) could not reach a finding, since 12 years had passed since the alleged collection, and the file retention period for the information had elapsed; the individual was provided opportunity to make submissions, all relevant evidence was investigated by the OPC, and the individual’s grievance lies with the institution that collected the data, not the OPC. [E.W. v. Privacy Commissioner of Canada – Federal Court – 2015 FC 1420]

CA – Proposed Manitoba Bill to Protect Kids Draws Privacy Criticism

Proposed legislation that would make it easier for Manitoba agencies and police to share information about at-risk children is raising privacy concerns. The Progressive Conservative government introduced Bill 8, the Protecting Children (Information Sharing) Act, earlier this week. The bill authorizes organizations and others who provide services to at-risk and vulnerable children to collect, use and disclose personal information or personal health information about them. The act would apply not only to children in the care of CFS or those involved in the criminal justice system, but also to those who require disability services, mental-health services, addiction services, victim services and to schoolchildren with special needs who require an individual education plan. Information could be disclosed about parents or guardians of the children.  Michelle Falk, executive director of the Manitoba Association for Rights and Liberties, said it appears the bill would give “ordinary bureaucrats” the power to make judgment calls that could have long-term implications for children in care and their families. “It gives unfettered authority to any government department, agency or the police department to share any information to any other department,” she said Thursday. [Winnipeg Free Press]

CA – Other Canadian News

Consumer

CA – New Online Tool Allows Users to Ask Companies About Their Data

A new version of a Canadian website allows individuals to contact companies to see what information they have collected. Access My Info Canada originally was created to message telecommunications companies, but the new version launched by developer Andrew Hilts now gives users the chance to reach out to companies making fitness trackers and dating apps. “This can help people answer questions if they’ve ever wondered if their cellphone provider is logging their location, or if their online dating app is ever sharing their sexual preferences,” said Hilts. Access My Info has been created to help consumers understand their rights under Canadian privacy laws, while also giving them information on what data could be compromised if a company were to suffer a data breach. [CBC News]

US – For Consumers, Injury Is Hard to Prove in Data-Breach Cases

The Wall Street Journal reports on consumer lawsuits following data breaches, and whether companies should be forced to compensate customers for attacks exposing sensitive information. Judges dismiss the majority of lawsuits spawning from major data breaches, including those in attacks against Target and Home Depot because customers have not been able to prove the breaches have caused any tangible harm. Companies argue having personal data exposed doesn’t equate to harm requiring compensation, and when stolen credit card information results in fraudulent purchases, customers often cannot prove the fraud was a result of the breach. Federal judges in Illinois and California, however, have let lawsuits proceed, possibly opening a door for corporate liability. [Wall Street Journal]

US – Privacy by the Numbers: A Deep Dive into the Structure of Privacy Policies

As researchers from the Common Sense District Privacy Evaluation Initiative analyze the correlation between the content and stylistic infrastructure of privacy policies, they have flagged “potential indicators” that they say will help them to analyze them more efficiently, the group’s Bill Fitzgerald writes. While Fitzgerald said he and his researchers “do not think we will find any direct correlation between policy structures and whether terms are good or bad,” technical elements of the policies, such as reading level, length of terms and structure, create patterns that matter. “It’s difficult to say what constitutes a ‘normal’ policy without a baseline, and the work we will be launching this summer will help create a clearer picture — supported by openly available data — of what a typical policy looks like,” he wrote. [The Journal]

E-Mail

US – Supreme Court Decision May Support Microsoft’s Position in Ireland Server Data Case

In a decision released earlier this week, the US Supreme Court wrote, “absent clearly expressed congressional intent to the contrary, federal laws will be construed to have only domestic application.” The ruling was made in a RICO (Racketeer Influences and Corrupt Organizations) Act case. While unrelated to the Microsoft case in which the company is refusing to surrender data held on a server in Ireland to US officials, the decision could provide support for Microsoft’s position that the Electronic Communications Privacy Act (ECPA) does not say that congress intended it to “reach private emails stored on provider’s computers in foreign countries.” [Computerworld: Microsoft invokes Supreme Court opinion in Ireland email case]

WW – Board Members Increasingly Targeted by Spearphishing Schemes

A growing trend is corporate boards of directors falling victim to spearphishing attacks. Board members can be hit by these schemes by receiving malicious emails that ask for tax information and bank transfer requests and sending it to another employee who handles the response. Members have lost financial statements, cybersecurity documents and intellectual property, mainly through a lack of education on identifying spearphishing emails. “Most board members use personal email accounts to handle board communications so they don’t get mixed with the emails from the companies where they work,” said Experian Information Solutions Vice President, Data Breach Resolution Michael Bruemmer. “These are less secure, and we have seen examples of these accounts having been compromised.” [CSO Online]

Encryption

US – Apple Makes Encrypted Operating System Public

In a surprising move, Apple has exposed the inner workings of its encryption-based operating system for the first time. The tech giant did not reveal whether the disclosure of its kernel was by design, but many in the security industry believe Apple made the code public in order to help locate possible security weaknesses in the software. To date, Apple has not run any bug bounty programs. The move comes after Apple’s well-publicized battle with the FBI in the San Bernardino case. By choosing to expose its software rather than starting a bug bounty program, Apple is taking a big risk, the report states. “This is a gamble,” said forensic scientist Jonathan Zdziarski. “But I can see the possible reason that Apple may have decided to make this wager.” [MIT Technology Review]

EU Developments

EU – German Court Ruling: WhatsApp Must Translate English TOS and Privacy Policy to German

German courts have ruled WhatsApp has violated the country’s Telemedia Act by forcing users to agree to the app’s terms of service in English. When the judgement is finalized, WhatsApp will be required to translate its terms of service and privacy policy into German, or face a $283,000 fine. Klaus Muller, CEO of the Federation of German Consumer Organizations, said companies make it difficult for consumers to comprehend terms of services, and WhatsApp has made it even harder for German users with the conditions written in a foreign language. The courts ruled WhatsApp’s violation stems from not allowing users to contact a German country representative if they have any questions or concerns . WhatsApp has not announced whether it will appeal the ruling. [Neurogadget]

Facts & Stats

CA – Average Cost of a Data Breach Up 12.5% Among Canadian Firms: Report

Canadian CISOs who want more hard data to convince the C-suite and boards to devote more resources to cybersecurity have a new report to show. If a study of 24 Canadian organizations is accurate, the total cost over a recent 12 month period of a breach of over 1,000 records went up 12.5 per cent compared to 2014 to just over $6 million. Another way of looking at it is the average cost per record stolen or lost went up 10.6% to $278 compared to the same period the year before. These numbers come from a study released last week by the Ponemon Institute that was funded by IBM. The costs were based upon estimates provided by participating victim organizations. The report is part of an annual global study of breaches in 13 countries (United States, United Kingdom, Germany, Australia, France, Brazil, Japan, Italy, India, the United Arab Emirates, Saudi Arabia, Canada and, for the first time, South Africa), which last year covered 383 organizations. The average cost of a breach across all those firms was US$4 million. [IT World Canada]

Filtering

UK – Mandatory Web Monitoring in Schools Opens a Slippery Can of Worms

Without Parliamentary or public discussion, children’s internet use will be monitored by third parties from September. This is despite widespread associated concerns – including choking off free speech, religious freedom, and staff feeling vulnerable – presented to the Joint Select Committee for Human Rights by experts in education and security legislation. The brief paragraph 75 in The Department for Education (DfE) “New measures to keep children safe online at school and at home“ statutory guidance Safeguarding in Schools, will impose a change from a duty ‘to consider’ web monitoring to one that ‘should ensure’ it for educational establishments, excluding 16-19 academies and free schools. The supporting advice to which the Government response points, suggests actively monitoring all screen activity during a lesson from a central console using appropriate technology as a solution, even in circumstances that suggest low risk. And that logfile information should be able to identify an individual user, and be reviewed regularly. Pro-active monitoring is suggested where alerts are managed by a third-party provider. The Department for Education’s summary response and advice however offers little practical support to school leaders how to concretely take these things into account, while still meeting human rights legislation. Without explicit clarity on the practice of monitoring personal electronic devices not owned by the school, we risk a slippery descent into schools made complicit in a privacy invasion of family life. [Schoolweek]

FOI

CA – Audit Finds Vancouver Failing to Meet FOI Deadlines, Deleting Emails

City hall has received a stern talking to from the province’s information and privacy commissioner following an audit of Vancouver’s compliance with freedom-of-information (FOI) laws. “It is clear to me there is a need for change to the approach city staff use in processing access requests,” commissioner Elizabeth Denham said in a June 23 media release. “We observed shortcomings in almost every step of the freedom of information process—from receipt of the request, to searching for records, to the timeliness of response to the applicant and the content of the response itself.” The audit, conducted by the Office of the Information and Privacy Commissioner of B.C., mostly focuses on FOI response times and delays that appear to target requests filed by members of the media. But the report’s most troubling findings concern the alleged deletion of records and evasion of FOI laws. The OIPC, however, found that an examination of these concerns fell outside the scope of its investigation. [Straight]

CA – NFLD Public Bodies Should Not Allow Staff Use of Personal Email Accounts for Work

The Office of the Information and Privacy Commissioner in Newfoundland and Labrador (“OIPC”) issues guidelines relating to the use of personal email accounts for public business. Use of personal email accounts does not relieve the duty to thoroughly search for records responsive FOI requests and produce them, however, officers and employees may be reluctant to produce records from these accounts or provide access for FOI purposes; personal accounts are less likely to meet requirements to protect personal information under a public body’s custody or control (terms of service may allow for third-party access, and security features may not be adequate). [OIPC NFLD – Use of Personal Email Accounts for Public Business]

US – Dropbox’s New Transparency Report Includes State-By-State Breakdown

Releasing its biannual transparency report, Dropbox has included a state-by-state breakdown of government requests in their July-December 2015 study. Dropbox received 574 requests for user data from around the globe, including 348 search warrants and 206 subpoenas, providing information on the vast majority of inquiries. California had more requests than any state in the U.S. with 70, followed by Texas with 49, Florida with 48, and Virginia with 32. “Although we continue to see an increase in requests from U.S. law enforcement, the numbers remain small compared to our user base of over half a billion users,” Dropbox said in a blog post. The company also detailed the joint efforts with tech companies to oppose government legislation forcing organizations to undermine their security protocols. [Dropbox Blog Post]

Genetics

CA – Supreme Court Rules Police Can Swab Suspected Rapist Without Warrant

In a ruling that adds to police powers in investigating rape, the Supreme Court of Canada says police have the right to take a penile swab (without a warrant) from suspected attackers, forcibly if necessary, as long as they do so in a private cell and have reasonable grounds to believe they will find relevant evidence. Just two Supreme Court judges, both of them women, said a penile swab should be deemed an illegal search. In a strong dissent in the case, Justice Andromache Karakatsanis accused the majority of straying from precedents that found a “close relationship between bodily privacy and human dignity.” Justice Rosalie Abella said she would have disallowed the penile swab and barred the evidence from being used. [G&M]

Health / Medical

CA – Trillium Health Partners Hit With Privacy Class Action

A class-action lawsuit has been filed against Trillium Health Partners, alleging a doctor’s assistant used patient credentials to access medical records. Former patient Katie Mallinson filed the suit against Dr. Tony Vettese and his assistant Lisa Lyons, claiming Lyons accessed Trillium’s database to review the confidential records of an unknown number of patients for many years. The records contain sensitive medical information, including medication history, treatments received and diseases suffered. The suit seeks $2 million in general damages, while stating Trillium’s privacy policies and procedures are “inadequate, underfunded and unenforced.” Trillium was not aware of Lyons’ improper access until Mallinson first became suspicious of illicit activity. [Press Release] See also: [397 medical records snooped at Hamilton General Hospital]

US – Workers May Soon Have to Share Health Data — Or Pay A Penalty

New Equal Employment Opportunity Commission regulations may force employees to share medical data in order to qualify for benefits, or face penalties. If employees choose not to share medical data with their employers, they face increases in health premiums and the possibility of the EEOC suing their organization. Privacy advocates are concerned employees will have to pay more for their privacy as well as face potential discrimination if an employee chooses to opt out of the program. Wellness programs also have access to medical records and insurance claims data, meaning employers can learn about genetic test results and access information on employee family history. “Our argument is participation in a wellness program is simply no longer voluntary if employees can be penalized in this way,” said American Society of Human Genetics Science Policy Director Derek Scholes. [BuzzFeed]

WW – Google Unveils Symptom-Search Functionality

Google has announced it will list related conditions when users search the site using health symptoms as keywords. “We create the list of symptoms by looking for health conditions mentioned in web results, and then checking [sic] them against high-quality medical information we’ve collected from doctors for our Knowledge Graph,” the report states. The move is an effort to simplify accessing and understanding online health information. The feature will go live in “the next few days” in the U.S. and will expand internationally in the future. [Google Blog]

US – OCR Releases Video Guidance on Provision of Medical Records

The summer movie season is now officially in full swing, with the release of three informational videos regarding HIPAA and the right of individuals to access their medical records, published by the Office of Civil Rights of the Department of Health and Human Services. The video trilogy, and accompanying infographic, are the eagerly-awaited sequel to OCR’s guidance “Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.525,” issued earlier this year. That guidance is essential reading for companies operating in the medical records space, as it sets forth OCR’s views on such topics as how records must be provided upon request, methods for calculating reasonable fees for copies, and provision of medical records to third parties at a patient’s direction. [Source]

Horror Stories

US – Three Hacked Hospital Databases Up For Sale on Deep Web

Breaches of three separate health databases by one hacker has resulted in more than 650,000 medical records for sale on the deep web. The hacker was able to tap into a vulnerability in each database’s Remote Desktop Protocol. One database from Georgia containing more than 400,000 records is priced at 607 bitcoin, the report states. “Although it remains unclear as to which hospital was attacked, this story goes to show how lackluster IT security keeps plaguing the health care industry,” the report adds. Meanwhile, a TrapX Security study has found that hackers are increasingly targeting medical devices used within hospital systems, ZDNet reports. These tools “often contain backdoors, botnet connections and remote access tunnels for cyberattackers to manipulate devices,” the report adds. [The Merkle]

WW – Hacker Plans to Release 100,000 Escort Site User Records

Moroccan hacker ElSurveillance has breached and defaced an additional 37 escort sites, which are mostly from the U.K., and pledged to leak 100,000 users’ data online in the coming week. This is not the first instance of ElSurveillance’s breach activity, with the hacker claiming 79 defacement incidents of similar sites in January, the report states. The hacks are religiously motivated. “[O]ur bodies are gifted from Allah to us to look after and not to destroy,” the hacker said. “Unlike [ElSurveillance’s] fellow ISIS-affiliated colleagues who spread fear, threats and warnings of violence, he’s spreading a message of peace and a religious-rooted message,” the report adds. [Softpedia]

CA – Personal Info in 100,000 IT Requests Compromised in SFU Privacy Breach

More than 100,000 Simon Fraser University information technology service requests from 2013-2016 were inadvertently stored in an unprotected server for four months. The data compromised included 20,294 email addresses, contact information and other personal data, the report states. The school’s IT team discovered the breach May 16 and brought the information offline the next day, notifying the affected students in early June, the report adds. “We have no evidence that any third party accessed the database during the time it was unprotected, nor do we have any evidence that there was any misuse of the information contained in the database,” said SFU Communications Director Kurt Heinrich. He added that the school was reviewing and modifying additional breach protections. [Burnabynow]

Identity Issues

WW – Dashcam Smartphone App to Employ License-Plate Detection

A new smartphone app takes all of the features of a dashcam and adds license-plate detection to warn users of potentially dangerous drivers. The Nexar app uses a smartphone’s camera to detect and record automotive activity and collisions. It also plans to add “real-time warnings” to help drivers avoid cars with bad track records. Nexar uses machine vision and artificial intelligence algorithms to locate license plates and record drivers who speed and perform illegal maneuvers. Privacy concerns will likely arise, but the recording process is likely legal. “Courts generally say that people generally have little or no expectation of privacy in the movements of their cars on public roads,” said University of Chicago law professor Lior Strahilevitz, “as long as cars aren’t being tracked everywhere they go for a lengthy period of time.” [PC Magazine]

Location

US – Ad Network Settles with FTC, Will Pay $950,000 for Location Tracking

The FTC announced it has settled with the Singapore-based mobile advertising company InMobi under charges that it “deceptively tracked” the locations of hundreds of millions of consumers — including children — without notification or consent. As part of the settlement, InMobi will pay $950,000 in civil penalties and implement a comprehensive privacy program. The FTC alleges that the company — whose ad software reaches nearly 1 billion consumers worldwide — also violated COPPA by collecting location information from apps directed at children. “This settlement ensures that InMobi will honor consumers’ privacy choices in the future, and will be held accountable for keeping their privacy promises,” said FTC Bureau of Consumer Protection Director Jessica Rich. [FTC] – Ars Technica: Firm pays $950,000 penalty for using Wi-Fi signals to secretly track phone users | – Computerworld: Mobile advertiser tracked users’ locations without their consent, FTC alleges | – FTC: Mobile Advertising Network InMobi Settles FTC Charges It Tracked Hundreds of Millions of Consumers’ Locations Without Permission]

Online Privacy

US – Senate Rejects Measure That Would Allow FBI to Search Browsing Histories Without a Warrant

US legislators have rejected an amendment to a criminal justice funding bill that would have allowed the FBI to conduct warrantless searchers of people’s browsing histories. While the measure garnered a majority of the votes, it failed to obtain the necessary 60 votes to advance. The issue may come up for consideration as soon as next week, however, because Senate majority leader Mitch McConnell submitted a motion to reconsider it. Sources: – CNET: Senate nixes plan for warrantless FBI searches of internet browsing histories | – ZDNet: Senate rejects FBI bid for warrantless access to internet browsing histories | – Washington Post: After Orlando, Senate rejects plan to allow FBI Web searches without court order]

WW – New Firefox Feature Allows Users to Create Individual ‘Personalities’

A new feature from Mozilla will allow users to separate their web history within their browser. Firefox Containers divides the browser into individual “personalities.” Each persona can be used for different internet activities, such as banking, work, shopping and for personal use. The browsing histories and cookies are kept within a “fully segregated cookie jar” by keeping each persona’s caches separate, according to a Mozilla blog post. “We all portray different characteristics of ourselves in different situations,” said Mozilla Security Engineer Tanvi Vyas. “But when I use the web, I can’t do that very well. There is no easy way to segregate my identities such that my browsing behavior while shopping for toddler clothes doesn’t cross over to my browsing behavior while working.” [The Christian Science Monitor]

US – Cloud-Based EHR Company Settles FTC Complaint It Failed to Advise that Reviews of Doctors Containing Patient Information Would Be Made Public

This FTC agreement settles allegations that Practice Fusion, Inc. failed to disclose that consumer reviews containing sensitive personal information would be publicly disclosed in violation of the FTC Act. The company is prohibited from misrepresenting the extent to which it makes certain information (e.g. health information) publicly available (including by posting on the Internet); prior to such disclosure, the company must provide notice and obtain express consent from consumers, and must not maintain any healthcare provider review information (except for review and retrieval by its healthcare provider customers, or as permitted by law, regulation or legal process). FTC – In the Matter of Practice Fusion, Inc. – Complaint and Agreement Containing Consent Order | Press Release | Complaint]

Other Jurisdictions

IS – Judge Approves $400 Million Class Action Against Facebook for Violating Privacy

Israel’s Central District Court has approved a $400 million privacy class-action suit against Facebook, ruling that the company’s terms-of-use requirement for all lawsuits to be heard in California was invalid. The suit alleged that the company both breached privacy protocols by targeting advertisements based off of users’ private posts, and failed to register its database in Israel’s national database registry as mandated by the country’s law, the report states. “Perhaps the time has come to examine the issue from a different angle, from the customer’s standpoint, especially when he’s the customer of huge international corporations that deal with customers all over the world,” said Judge Esther Stemmer. The court gave Facebook 90 days to respond to the suit. [Haaretz]

Privacy (US)

US – Tech Companies Oppose Government Hacking Rule Change

A group of 50 organizations including Google and the American Civil Liberties Union has called upon Congress to block “dangerously broad” changes that, effective Dec. 1, increase judges’ warrant jurisdiction. The changes to Rule 41 of the Federal Criminal Procedure “invite law enforcement to seek warrants authorizing them to hack thousands of computers at once — which it is hard to imagine would not be in direct violation of the Fourth Amendment,” the later states. Meanwhile, in an additional report from Morning Consult, Sen. John McCain, R-Ariz., expressed his support for FBI Director James Comey’s surveillance perspectives over those of privacy advocates. “I have great sympathy for them but I respect more the view of Director Comey,” he said. [Morning Consult]

US – NTIA Publishes Revised Best Drone Practices Guidance

The National Telecommunications and Information Administration has released an updated best drone practices guidance. The guide is the culmination of a two-month public comment session and subsequent May 18 meeting on drone privacy and transparency issues. Meanwhile, the Federal Aviation Administration has published a 600-page drone regulation document that does not include specific privacy protocols, The Intercept reports. The Electronic Privacy Information Center responded to the announcement with a statement on its website, recalling its 2015 suit of the FAA for failing to regulate drone privacy. [NTIA]

US – Obama Administration Approves FAA Rules for Small Drones

The Obama administration has approved the commercial use of small drones. The Federal Aviation Administration created a new class of rules for drones weighing less than 55 pounds, fly up to 400 feet, and below 100 miles per hour. Drone operators now have the ability to fly the unmanned aircraft without special permission, but must be at least 16 years old. Drones will not be allowed to fly at night, unless they have special lighting and stay at least 5 miles from an airport. Transportation Secretary Anthony Foxx said, “As this new technology continues to grow and develop, we want to make sure we strike the right balance between innovation and safety.” [Reuters] [Op-ed: FAA’s rules for small drones are flawed]

US – AG Enforcement, Algorithmic Discrimination Top PLSC Line-Up

The Privacy Law Scholars Conference held its ninth annual gathering in Washington at the beginning of this month, bringing together academics and practitioners to present papers that are still in development. The workshop environment is a closed circuit — no tweeting or blogging about what happens there is allowed, and papers may or may not ever be published. However, papers and ideas inevitably rise to the top, and the IAPP recognizes two of those with its annual IAPP Papers Award, voted on by attendees. [IAPP]

Privacy Enhancing Technologies (PETs)

WW – Silent Circle Launches Virtual Security Assistant Privacy Meter

Silent Circle has announced its Silent OS 3.0 for Android mobile phones will include a program that will regularly scan a device, alerting the user if any apps, services or settings contain privacy-compromising elements. The program, dubbed “Privacy Meter,” is automatically embedded into the operating system, the report states. “Think of it as an assistant that is always next to you helping you maintain the most awareness of your Privacy Profile,” said Silent Circle’s David Puron. “Whether you have available software updates, your browsing certificates have been altered, or an app is sharing your location, the Privacy Meter will show you what is happening then guide you through the appropriate configurations, if desired.” [ZDNet]

RFID / IoT

US – Chicago Needs More Detail in Array of Things Privacy Policy, Experts Say

The city of Chicago is preparing to install a network of sensors that will track people on city streets — walking, biking, driving — and privacy experts say it needs to better spell out how it will use that information. The nine-page privacy policy includes just a few paragraphs on how the data will be collected, used and shared. The city plans to install 500 Array of Things devices across the city by the end of 2018. They will house sensors including a low-grade camera and microphone that can capture images and sound from passersby, bringing a new scale of data collection to busy intersections. Officials say the project will help improve city life by analyzing patterns in environmental and human behavior. City officials are seeking public input on the policy before installing the first 42 devices, slated to go up around the city starting in late July. The second of two public forums on the policy is from 5:30 to 7 p.m. Wednesday at the Harold Washington Library downtown. [Chicago Tribune]

Smart Cards

US – California County Approves Ordinance Restricting Government Use of New Technologies

The Board of Supervisors of Santa Clara County approved Ordinance No. NS-300.897, relating to surveillance technology and community safety. Law enforcement must seek approval of the County Board before purchasing any new surveillance technologies (e.g. drones, automated license plate readers, GPS, cell-site simulators, RFIDs, facial recognition, biometric identification); annual surveillance reports must be submitted to the Board detailing usage, complaints, internal audits, and how successful different technologies have been. [Ordinance No. NS-300.897 – Surveillance Technology and Community Safety – Board of Supervisors of Santa Clara County]

US Government Programs

US – DHS Wants to Snoop on Travelers’ Facebook, Twitter, and Instagram Accounts

The Department of Homeland Security has opened its proposal to include an optional field to disclose social media handles in travel documents to public comment. The documents in question are the Electronic System for Travel Authorization and Form I-94W, a document foreign travelers complete when leaving and entering the U.S., the report states. “Please enter information associated with your online presence — Provider/Platform — Social media identifier,” the forms would read if the proposal is accepted. “As phrased that could include your Twitter handle, the URL for your Facebook page, your OkCupid or Grindr handle …” the report adds. “Where does it end?” DHS will accept comments here until Aug. 22. [Fusion]

US Legislation

US – McConnell Pushes Measure to Expand Surveillance Tools

Senate Majority Leader Mitch McConnell, R-Ky., has proposed an amendment to the bill funding the Department of Justice and Department of Commerce that would both increase federal law enforcement surveillance powers and “permanently extend” elements of the PATRIOT Act. “Both measures have been criticized by privacy and civil liberties advocates, who have fought the proposals on multiple fronts in recent months,” the report states. The bill is considered similar to the legislative revisions Senate Republicans aim to make to the Electronic Communications Privacy Act, the report adds. A procedural vote on McConnell’s amendment is predicted for Wednesday. [The Hill]

US – Other Privacy News

Workplace Privacy

WW – BYOD Can Pose Privacy Risks to Employees: Study

Companies that use remote device management software to oversee employee devices used for business have the ability to collect a lot more information than employees may be comfortable with, according to a report released today. “The intent of these MDM solutions is not to spy on employees, but to monitor for things like malware and general security,” said Salim Hafid, product manager at Bitglass, which produced the report. But if the company wants to, these tools provide the ability to do a lot more, he said. That includes seeing where the phone is located, what apps are on the phone, and even what websites the user was accessing. “We were able to see virtually all the activity on the device,” he said. “We could see that some of our employees search for health information on the web.” [CSO Online]

WW – Russian Technology Allows Employers to Monitor Phone Calls

A Moscow security firm has created technology allowing companies to listen in on mobile calls made on their property. InfoWatch, a former subsidiary of Kaspersky Lab, says it has created the product for companies trying to curb information leaks by scanning employee phone calls for key terms that may prompt an investigation. While InfoWatch is legal in Russia, installing it in western countries would be very difficult. “This technology may become a hot ticket for any company seeking to protect its commercial secrets,” said Gartner analyst Petr Gorodetskiy. “But it can’t be rolled out in markets where it may trigger court claims.” Others question whether the product is truly functional. “The part that puzzles me is how successful speech recognition, transcription and automated analysis of texts can be,” said Polytechnic University of Milan professor Stefano Zanero “I would be surprised if any major company decided to buy into this.” [Bloomberg]

+++

 

By privacynewshighlights | Posted in Uncategorized | Comments (0)

10-17 June 2016

June 20, 2016 – 8:58 am

Biometrics

US – GAO Criticizes FBI on Facial Recognition Database

The Government Accountability Office has issued an in-depth report critical of the FBI’s use of facial recognition technology. Specifically, the GAO has “concerns regarding both the effectiveness of the technology” and the “protection of privacy and individual civil liberties.” The FBI has collected 411 million photos in various databases. “The FBI has entered into agreements to search and access external databases — including millions of U.S. citizens’ driver’s license and passport photos,” the GAO states, but until the FBI can assure the data they receive is accurate, “it is unclear whether such agreements are beneficial to the FBI.” Meanwhile, the National Telecommunications and Information Administration released suggested best practices derived from its multi-stakeholder process on facial recognition. Several consumer and privacy advocacy organizations have come out against the guidelines. [ZDNet] [Huge FBI facial recognition database falls short on privacy and accuracy, auditor says ]

AU – Australian Cops Want to Use Fingerprint Scanners to ID People In Public

The South Australian state parliament is considering a proposal to give police the power to scan fingerprints in public. If passed, the bill will give police the ability to request fingerprints from anyone they suspect of committing a crime—and anyone they think may be able to assist with an inquiry. Police are currently able to stop anyone on the street and request to see some form of traditional ID, but fingerprints are only allowed to be taken once a person has been charged. If the bill gets passed, suspects will be required to have their prints scanned upon request. Since 2014, the SA Government has trialled 150 scanners sporadically across the state and plans to spend $3.4 million on the technology if approved. The new scanners would be wirelessly linked to the National Automated Fingerprint Identification System, which will allow officers to access criminal records within a minute of scanning a suspect’s prints. Deputy Premier John Rau has released a statement arguing why fingerprint scanners are a good idea. “Legislative reform is necessary to enable police to use the scanners in wider circumstances, where a person does not have to give consent and police can scan for prints without the need to arrest,” he said. However, there’s been considerable backlash from both sides about the ramifications for privacy and civil liberties. Greens leader Mark Parnell likened the changes to something out of George Orwell’s 1984. “This is the realm of science fiction and it should send shivers down everyone’s spine,” he told The ABC. “It enables all manner of biometric testing and it does actually lead to a situation where the state could hold a database of every single person’s fingerprints.” [Source]

WW – Apple’s New Photo System to Include Facial Recognition

An update to Apple’s Photos software will include facial recognition technology. The upgrade will catalog photos within the app by the face of the person within the image. Apple’s new feature comes as Facebook and Google are locked in lawsuits over facial recognition capabilities, specifically possible violations of the Illinois Biometric Information Privacy Act. Apple Senior VP of Software Engineering Craig Federighi said the system uses local data rather than storing it on company servers. Though Apple’s features differ from that of Google and Facebook, it is not yet known if they would violate the Illinois law. [The Verge]

Canada

CA – New Spy Watchdog Will Have Power to Examine ‘Any Activity, Any Operation’

Sweeping powers to scrutinize “any issue, any activity, any operation” will be granted to a new committee of parliamentarians to watch over federal spying and other clandestine security and intelligence activities, the government has announced. The long-promised Bill C-22 tabled in the Commons proposes to create an unprecedented “national security and intelligence committee of parliamentarians” to hold to greater account the nation’s two chief spy services and at least 15 other departments and agencies with national security responsibilities. The move fulfils a major Liberal election promise to increase parliamentary scrutiny of national security operations to offset the expansive and controversial counterterrorism powers under the Anti-terrorism Act of 2015, formerly Bill C-51, to investigate, detain, arrest, silence or otherwise thwart individuals suspected as threats to the security of Canada. The all-party committee of nine MPs and two Senators, to be chosen by Prime Minister Justin Trudeau and supported by a small secretariat, would be sworn to permanent secrecy and handed a broad mandate to probe, mainly ex post facto, any and all national security activities to gauge whether they are effective, efficient and legal. Its primary investigative tool would be a statutory power to access many of the nation’s most guarded secrets. “They will be able to ask questions and conduct inquiries and satisfy themselves that two important objectives are being met: to make sure our security and intelligence agencies are being effective in keeping Canadians safe and to make sure they are safeguarding the rights and freedoms of Canadians.” Though the legislation clearly empowers the committee to explore and review the country’s deepest confidences, it also offers government a handful of disclosure escape clauses. Chief among them is the state’s power to deny the committee information “injurious to national security,” a catch-all clause that past governments have used to slam the door on politically sensitive or otherwise damaging inquiries. [National Post]

CA – New Bill Would Allow Border Guards to Collect Data on Those Leaving Canada

Public Safety Minister Ralph Goodale has proposed revisions to the Customs Act that would allow the federal government access to the personal data of Canadian travelers leaving the country. The information collected wouldn’t extend beyond information collected in a passport’s second page — meaning “full name, nationality, date of birth, gender and issuing authority of the passport,” the report states. “Having this data will allow us to better respond to Amber Alerts, for example, on missing children,” Goodale said. “It will help us deal with human trafficking. It will help us deal better with illegal travel by terrorist fighters.” [CBC News]

CA – Privacy Watchdog Seeks More Stringent Laws in Wake of Health Breach

B.C.’s privacy commissioner is calling on the province to step up its privacy laws and impose fines of up to $50,000 for health-care workers found snooping. “It’s a significant issue of public trust when one or more individuals access electronic health records without authorization,” B.C. privacy commissioner Elizabeth Denham said in an interview. B.C.’s privacy laws are outdated when it comes to protecting electronic health records from general snooping, Denham said. [Times Colonist] See also: 2 BC health workers fired in breach that included high-profile people

CA – Sask Cops, MLAs & Ministers to Fall Under FOI Legislation

New legislative amendments brought forward by the Saskatchewan government on Monday could soon mean police in the province will be subject to freedom of information requests. The proposed amendments to Saskatchewan’s FOI and privacy laws received first reading in the Legislature on June 13. One of the proposed changes is to extend the FOI legislation to include police services. Other changes include creating a new offence for snooping, extending privacy requirements to include MLA and cabinet ministers’ offices and increasing penalties for privacy violations. The Saskatchewan Information and Privacy Commissioner, Ronald Kruzeniski, said in a statement he is pleased with the proposed amendments and will work further on FOI regulations once the amendment is passed. [Global News]

CA – Frustration Over Health Disclosure Doesn’t Trump Privacy Protection: Experts

After a case involving a 21-year-old taking her own life following a battle with depression, Nova Scotia is examining whether it needs to review its health privacy laws for disclosing mental health issues to a patient’s family. Currently, Nova Scotia law allows for mental health disclosures when it’s determined there is an immediate threat to the health of any person, including the patient. Nova Scotia Privacy Commissioner Catherine Tully is apprehensive about whether officials and government body officials have enough knowledge to determine what can and cannot be disclosed. “It is absolutely a training issue,” said Tully. “I have travelled around the province and talked to hundreds of people responsible for administering our privacy laws and training is a very key issue and one that requires constant work.” [Global News]

Consumer

WW – Privacy Concerns Around Alternative Credit Reporting

Companies are trying alternative credit reporting using nontraditional data to determine a candidate’s reliability and creditworthiness, but privacy concerns surround the tactics. In addition to privacy concerns, efforts to determine an individual’s chances for receiving a loan, house, or a job often hurt those in low-income brackets. Though companies are using a wide range of ways to determine a person’s creditworthiness and reliability — as students, prospective employees, or credit applicants — the methods of doing so fall in a legal area that’s murky at best. Overseas, companies in parts of Africa and Latin America monitor cellphones and social media to evaluate potential loan recipients. While U.K. startup Tenant Assured has started a service mining social media accounts, selling information to landlords and other parties. [The Atlantic]

US – Data Breach Simulation Explores Notification Timing

During a mock data breach at Stanford University’s Hoover Institution, a group of journalists studied the art of post-breach notification, learning that sometimes waiting to sort out technical errors before notifying victims is the wisest route to take. “It takes time to figure out what happened, and sometimes notification can cause more damage because you haven’t had time to remediate it,” said Intel Chief Privacy and Security Counsel. [Los Angeles Times]

E-Government

US – Board of Elections Posts DC’s Compete Voter List Online

D.C. makes it shockingly easy to snoop on your fellow voters. A little-known law in the nation’s capital is leading to complaints over the way it lets anyone on the Internet find out D.C. voters’ names, addresses, voting history and political affiliations, with little more than a click or two. It’s not the existence of the file itself that’s shocking, critics say. It’s the fact that the D.C. Board of Elections made it available on the Internet. Typically, every state has this kind of voter information; it’s just held at the statehouse or at the public library where you have to physically retrieve it from the stacks — probably with the help of a staffer — in order to see it. Putting that data on the open Internet changes the game because it allows virtually anyone, from anywhere, to view the data with no questions asked. [The Washington Post] [Washington voter registry publication sparks debate]

UK – 36% of Public Trust Government to Protect Their Data: ICO SUrvey

An ICO survey, published on 15 June, asked more than 1,200 people for their views on data protection. It found that the public were only slightly more likely to trust government with their information as they were to trust energy providers. Just 36% of respondents to the survey said they trusted government departments with their information. High street banks garnered the highest overall levels of trust, with 53% saying they trusted them with their information. However, trust in government increased for those in the higher socio-economic group AB1, at 41%, and millennials, at 43%. The survey also found that almost half of respondents disagreed with the statement that existing policy and regulation were sufficient to protect their data. Just 20% said policies were sufficient, which shows little change since the ICO’s 2014 survey, when 19% said policies were sufficient. [Public Technology]

E-Mail

CA – CRTC Partners With International Agencies to Fight Spam, Unsolicited Calls

The Canadian Radio-television and Telecommunications Commission (CRTC) announced that it has signed a memorandum of understanding with ten enforcement agencies from across the globe, including the Office of the Privacy Commissioner of Canada, to fight unlawful spam and unsolicited telecommunications. The agreement promotes cooperation between the CRTC and its international counterparts in enforcing Canadian and international spam and unsolicited telecommunications laws. The agencies have committed to sharing information and intelligence, where permitted by the laws of its jurisdiction, regarding unsolicited communications. By working closely with its partners, the CRTC will be able to more effectively ensure that all those who engage in unsolicited communications, whether local or foreign, comply with the Unsolicited Telecommunications Rules and Canada’s Anti-Spam legislation. [Press Release]

EU Developments

UK – IP Bill Extends GCHQ Snooping Powers to All Law Enforcement

The Investigatory Powers Bill, which was passed by the House of Commons last week, will effectively give the police and other authorities the same powers of surveillance that are currently enjoyed by GCHQ. That’s according to Raegan MacDonald, senior policy manager EU principal at Mozilla. “It’s about legally justifying the previously secret practices of GCHQ and also allowing those powers to go to all levels of law enforcement.” The IP Bill, commonly known as the Snooper’s Charter, requires telecoms companies and ISPs to store records of telephone and internet communications for one year. What is less widely known is that the Home Office is also building a search engine for all this data known as “request filter”, which will allow authorities to conduct detailed searches across all of this data. These queries will be subject to the “filtering” oversight of the Investigatory Powers Commissioner, and for this reason request filter is being sold by the Home Office as a privacy enhancing measure. “The request filter, when used, acts as an additional safeguard for communications data requests made by public authorities, to ensure that the data they acquire is limited only to that which is absolutely necessary,” says the government in a fact sheet. But pointing out that the Bill is short on mechanisms to ensure that oversight is effective, Jim Killock, executive director of Open Rights Group, questioned how this will work in practice. [Source] See also: The U.K. House of Commons passed the controversial Investigatory Powers Bill with a 444-69 vote. The bill now moves to the upper house of Parliament, the House of Lords.

EU – 75% of Cloud Apps Are Not Ready for New EU Data Protection Rules

More than 75% of cloud apps in the EU lack key capabilities to ensure compliance under the new EU General Data Protection Regulation (GDPR), according to a new study by Netskope. In particular, these businesses failed to meet the minimum requirements of new regulations in areas like deleting personal data in a timely manner and violating data portability requirements. Netskope tracked 22,000 cloud apps in use in the EU by giving them a rating between 1 and 100 in terms of GDPR readiness.

  • Just under 28% of cloud apps were deemed unready.
  • Half (48%) were scored as somewhat ready.
  • Only 25% were deemed ready.

The results of the report are especially troubling for businesses, as the adoption of mobile and cloud strategies gains momentum. The shift to cloud brings with it increasing complexity and a greater volume of security challenges for enterprises. Chief among them is the need to comply with new GDPR laws. These businesses have less than two years to ensure their cloud apps are up to regulation or face fines of either $22 million, or 4% of their global turnover (whichever is higher). [Source]

US – Ransomware Attacks Taking Huge Toll on Healthcare Resources

Healthcare organizations are aware of the omnipresent threat of ransomware on their information systems, and the danger it poses to their HIPAA compliance efforts and reputations, and are struggling to bear the expense of shoring up their defenses. The rising number of ransomware attacks against providers is prompting security professionals to intensify data security efforts, as well as consider entirely different approaches to security. Ransomware is turning the tables on how healthcare organizations now deal with security. For years, top security professionals have struggled with thefts that took data out of an organization’s control—for example, through the theft of data on stolen unencrypted laptops or through employee snooping of records that contain protected health information. The incentive for avoiding these types of breaches was to avoid landing on the HHS Office for Civil Rights’ web site of major breaches, and possibly face OCR-imposed financial sanctions and corrective action plans. But ransomware is different. Information remains in a provider’s system but is inaccessible, locked away until a provider makes a financial payment to free it. That scenario in large part has not been considered as a possibility until recently. Consequently, intensified data security is not the answer in the ransomware era, he believes; organizations must look at different approaches to data protection. [Source]

EU – Google Announces EU-Based Machine Learning Research Group

Google has struck a research group in Switzerland dedicated to machine learning. Machine learning consists of “systems that can learn things and come up with predictions from sets of data, without being specifically programmed to do so.” Machine learning currently powers Google’s translation engine, its Inbox “smart reply” feature, spam recognition in Gmail, and assists Google’s driverless cars examine their surroundings. The research group will work on machine intelligence, speech recognition, natural language processing, and machine perception, such as identifying images in photos and recognizing handwriting. “We look forward to collaborating with all the excellent computer science research that is coming from the region, and hope to contribute towards the wider academic community through our publications and academic support,” wrote Emmanuel Mogenet, head of Google Research in Europe. [Fortune]

EU – Other EU News

Facts & Stats

WW – Data Breach Costs Up 29% Since 2013: Study

A study from the Ponemon Institute and IBM found the average cost of a data breach is $4 million, a 29% increase from 2013. Ponemon’s study examined 283 companies, finding the average cost per compromised record was $158 in 2016, up from $154 last year. The study also revealed a 26% probability of an enterprise suffering one or more data breach where 10,000 records will be compromised over the next two years. Ponemon found that the healthcare industry has the highest costs per breached record, and that U.S. data breaches were the most costly per record, coming in at $223, with the average total cost estimated at $7.01 million. In related news, hackers have stolen the information of more than 45 million users of car, sports and tech sites in what could be one of the largest data breaches ever. Compromised data appears to include email and IP addresses, usernames and passwords. [ZDNet]

CA –Data Breaches Detection, Escalation Costs Highest in Canada: Report

Detection and escalation costs related to data breaches were the highest in Canada and lowest in India, note findings of a new global survey. The average detection and escalation costs for Canada was US$1.60. In contrast, the average costs were US$0.53,” states 2016 Cost of Data Breach Study: Global Analysis, benchmark research sponsored by IBM and conducted by Ponemon Institute LLC. “Data breach costs associated with detection and escalation are forensic and investigative activities, assessment and audit services, crisis team management and communications to executive management and Board of Directors,” notes the report. …The average cost per record to resolve being US$170 compared to US$138 per record for system glitches and US$133 per record for human error or negligence. Canada held a distinction in this respect. “Companies in the U.S. and Canada spent the most to resolve a malicious or criminal attack (US$236 and US$230 per record, respectively),” the report states. [Canadian Underwriter]

WW – Study: Most Companies Struggle to Restrict Sharing of Confidential Data

A new study found only 36% of surveyed IT practitioners from large companies are able to control how confidential data is shared with third parties. The study of more than 600 IT professionals also found that companies are rarely able to track where their most sensitive documents go. Only 27% of the those surveyed were able to restrict the sharing of confidential data between employees. According to the survey, conducted by the Ponemon Institute on behalf of Fasoo, 58% of companies say their employees use free online file sharing applications, and almost half say their employees, on occasion, keep confidential documents on their home computers or personal mobile devices. In addition, 68% of those surveyed say they don’t even know where their company’s confidential information is located. The study also revealed a deficiency in employee education about protecting data. Of the respondents, 56% said their companies did not educate their employees about protecting confidential information. The study found that careless employees were the primary cause of company data losses 56% of the time. The second most common cause was lost or stolen devices. In March, a SailPoint survey revealed that more than a quarter of employees said they uploaded sensitive information to cloud apps intending to share the information outside the company. According to Gartner, more than 70% of unauthorized access to data is committed by an organization’s own employees. Employees are frequently the cause of many security weaknesses in the enterprise. Most of these insider threats actually carry no malicious intent, but instead are the result of weak access controls and a lack of employee awareness. [CIO Dive] CSO: Study: Most companies can’t protect confidential documents

Finance

US – Home Depot Suit Claims U.S. Credit-Card Firms Block Security Upgrades

The Home Depot has alleged that MasterCard and Visa use faulty security measures prone to fraud in a new federal lawsuit. The company accused the financial institutions of putting cybersecurity behind economic gain and “dominant market positions,” calling its reliance on chip cards behind other, more secure, global methods. “Regardless of how the cardholder’s identity is confirmed, the chip makes data much more secure, rendering it almost useless to create fraudulent cards or transactions,” said a MasterCard spokesman. Meanwhile, Bob Hedges urged banks to engage in privacy debates in an op-ed for American Banker. “If they don’t, they run the risk that the public policy debate could eventually hurt their historical ‘trusted agent’ position,” he said. [The Seattle Times]

FOI

EU – ENISA Creates Free Personal Data Breach Notification Tool

ENISA, in co-operation with the Office of the Federal Commissioner for Data Protection and Freedom of Information of Germany (German DPA), developed a tool for the notification of personal data breaches. In particular, the purpose of the tool is to provide for the online completion and submission of a personal data breach notification by the data controller to the competent authority (DPA/NRA). It covers all types of personal data breaches and all types of business sectors, public or private. Based on the input of the notification, the tool also provides to the competent authority an assessment of the severity of the breach. The assessment is based on the relevant Personal Data Breach Severity Assessment Methodology developed by ENISA in co-operation with the DPAs of Greece and Germany. The tool is free for use by any interested party, in particular national competent authorities who would like to facilitate the notification of personal data breaches by data controllers in their countries. [Source]

Health / Medical

US – Oregon Prescription Database Access Ignites Privacy Debate

The Drug Enforcement Administration hopes to access Oregon’s Prescription Drug Monitor Program database in an effort to curb drug abuse, causing privacy concerns. The agency is fighting a 2014 U.S. 9th Circuit Court of Appeals ruling that decided warrantless seizure of the data was illegal. The DEA countered that as the PDMP is a third-party data host, users shouldn’t have an expectation of privacy, the report states. Not everyone agrees. “The primary purpose of PDMPs is health care, not law enforcement,” said the American Medical Association in an amicus brief. The database wasn’t created to be “a tool or repository for law enforcement to initiate access to gather information,” the AMA added. [The Daily Beast]

CN – China Pledges Tighter Privacy as it Centralises Personal Health Data

Chinese Premier Li Keqiang has announced the Chinese government’s intention to increase privacy regulations as it increases developments for health care data systems. “Enhancing the development of medical big data is a pressing task now,” Keqiang said. “It is also an important project for public welfare, in the context of a growing need for health and medical services.” To that end, “more comprehensive regulation and legislation in personal information and data protection” is necessary, he added. The State Council’s plans would call for the creation a countrywide health database, as well as a guide for medical record portability, the report states. [The Register]

Horror Stories

US – Cyber Insurer Seeks to Void Data Breach Coverage Because of Purported Misstatements in Policy Application

Cyber insurers commonly require insureds to complete detailed applications, often including extensive technical disclosure and risk self-assessments. The complaint recently filed by the insurer in Columbia Casualty Co. v. Cottage Health System illustrates the pitfalls in these requirements. Cottage Health, an operator of a hospital network, suffered a data breach in 2013 resulting in thousands of its patients’ private medical information being publicly disclosed. In addition to other losses, Cottage Health paid $4.125 million to settle a putative class action in 2014 and faces additional proceedings arising from the breach. Columbia’s lawsuit denies all coverage for the breach and seeks to rescind its policy due to the insured’s alleged failure to comply with the cybersecurity practices described in its application. In its complaint Columbia contends, first, that the “Failure to Follow Minimum Required Practices” exclusion in its cyber policy—applying to losses from, among other things, the Insured’s failure “to continuously implement the procedures and risk controls identified in the Insured’s application”—precludes coverage for Cottage Health’s losses. Columbia further contends that it has a right to void its policy altogether due to alleged misstatements in the “Risk Control Self Assessment” that Cottage Health completed as part of its cyber insurance application. Any new cyber policy wording requires expert legal scrutiny before purchase, because these specialty insurance products can contain gaps or hidden traps. For example, Cottage Health might have averted its dispute with Columbia if the policy’s potentially onerous “Failure to Follow Minimum Required Practices” exclusion had been modified or deleted. [Source] See also: [Cyber insurance is changing the way we look at risk ]

WW – Other Horror Stories

Identity Issues

WW – Apple to Use ‘Differential Privacy’ in New Software

Apple is using a special technique to balance user privacy with its data collection efforts. Apple’s Senior VP of Software Engineering Craig Federighi discussed “differential privacy” during his company’s Worldwide Developers Conference in San Francisco. “We believe you should have great features and great privacy,” Federighi said during the conference. “Differential privacy is a research topic in the areas of statistics and data analytics that uses hashing, subsampling and noise injection to enable … crowdsourced learning while keeping the data of individual users completely private. Apple has been doing some super-important work in this area to enable differential privacy to be deployed at scale.” [Wired] See also: [What Apple’s differential privacy means for your data and the future of machine learning] and [A Few Thoughts on Cryptographic Engineering]

IN – Alibaba Launches App With Face Recognition Lock Feature In India

Alibaba has unveiled Privacy Knight in India, a free app-lock that uses a one-second selfie to verify and grant access to users’ protected apps, BiometricUpdate.com reports. According to Alibaba, the program’s facial recognition with blink detection has 99.47% accuracy, the report states. “Face lock is set to change the way people protect their privacy,” said Alibaba’s Mobile Business Group. [Full Story]

Internet / WWW

WW – Microsoft’s Acquisition of Linkedin Faces Some Privacy Concerns

While Microsoft’s purchase of LinkedIn will benefit both companies, some are raising privacy concerns. BigID CEO Dimitri Sirota said the purchase is meaningful as Microsoft is acquiring “the world’s second largest personal database,” but the use of the data will determine the success of the sale. “Given that the value of the purchase will derive from the usage of personal data it will be natural to ask how this data usage gets governed so it doesn’t compromise either personal privacy or many privacy regulations,” said Sirota. Acquiring large amounts of personal data is an issue many companies now deal with, he said, adding, “Organizations gain tremendous marketing, sales and intelligence value from collecting and aggregating as much customer data as they can, but the tools to govern the privacy risk and compliance of the aggregated ‘identity’ data are only now being developed.” [TechRepublic]

Law Enforcement

CA – Constable Fired for Accessing Data

A Gatineau police officer was fired this week after pleading guilty in April to illegally accessing police records. For the crime of unauthorized use of a computer, whereby the constable checked information on three former friends in police databases, she received no jail time, but had to make a donation of $1,000 to a crime victims’ assistance center. Despite no data being passed to a third party, nor the constable apparently seeing any benefit from the access to the data, the Gatineau Police Service released a statement saying she was fired because it “requires its police officers meet the highest ethical standards and professional standards.” [Ottawa Citizen]

Online Privacy

US – OTA Releases Privacy Assessment of Consumer-Facing Websites

Consumer services websites are improving privacy practices while news sites need vast improvements. That’s according to the release of the 8th annual Online Trust Audit & Honor Roll. Conducted by the Online Trust Alliance, this wide-ranging audit looks at nearly 1,000 consumer-facing websites to assess their consumer protections, privacy practices and data security. [Full Story]

Other Jurisdictions

SG – Singapore PDPC Publishes Data Protection Guidelines

The Personal Data Protection Commission of Singapore has published a number of guidelines for data access, notification and privacy protection, among other related subjects, on its official website. Its newest guideline, Guide to Handling Access Requests, details “information and considerations for organizations in handling requests for access to personal data, including sample access request and acknowledgement forms,” the site states. [Full Story]

IN – TRAI Consultation Paper Talks Cloud Computing

The Telecom Regulatory Authority of India has released a 119-page consultation paper on cloud computing regulation. The paper’s six sections cover interoperability, cloud security, and bringing cloud services to governments, among other topics. Frameworks for cloud services remain a major focus, the report adds. “Regulations should be put in place to protect the interests of both cloud services providers and the consumers,” the paper states. “Legal framework under which the cloud operates becomes very important.” [The Wire]

Privacy (US)

US – FBI Says Utility Pole Surveillance Cam Locations Must Be Kept Secret

The US FBI has successfully convinced a federal judge to block the disclosure of where the bureau has attached surveillance cams on Seattle utility poles. The decision stopping Seattle City Light from divulging the information was expected, as claims of national security tend to trump the public’s right to know. However, this privacy dispute highlights a powerful and clandestine tool the authorities are employing across the country to snoop on the public—sometimes with warrants, sometimes without. Just last month, for example, this powerful surveillance measure—which sometimes allows the authorities to control the camera’s focus point remotely—helped crack a sex trafficking ring in suburban Chicago. Meanwhile, in stopping the release of the Seattle surveillance cam location information—in a public records act case request brought by activist Phil Mocek—US District Judge Richard Jones agreed with the FBI’s contention that releasing the data would harm national security. “If the Protected Information is released, the United States will not be able to obtain its return; the confidentiality of the Protected Information will be destroyed, and the recipients will be free to publish it or post the sensitive information wherever they choose, including on the Internet, where it would harm important federal law enforcement operational interests as well as the personal privacy of innocent third parties,” Jones ruled. [Ars Technica]

US – More States Adopt Education Privacy Protections

As students’ online presence grows due to schools’ growing reliance on digital third-party student databases, lawmakers and privacy advocates have expressed concern for the potential mishandling of students’ information. Some states have turned to stricter privacy laws, with nine states adopting new data regulations in 2016. “The conversation is looking different in every state and district at this point,” said the Data Quality Campaign’s Rachel Anderson. “Some states are really taking the approach of parents can decide if they want to opt-in or out of these additional recommendations.” In 2014, 21 states passed 26 student data laws mostly targeted at states and school districts. Many echoed a 2013 Oklahoma law that requires state approval to release student data and mandates that only aggregated data — no data tied to individual students — can be released. By last year, lawmakers had shifted their focus to third-party companies. They passed 28 student privacy laws, in many cases mirroring a California statute that prohibits service providers from using data to target ads to students, selling student information, and creating student profiles for commercial purposes. This year nine states — Arizona, Connecticut, Hawaii, Kansas, New Hampshire,Tennessee, Utah, Virginia and West Virginia — have added 11 new student data laws, mostly based on the California standard. A similar proposal is awaiting the signature of Colorado’s governor. Between 2014 and 2015, state legislators introduced 98 bills that included opt-in or opt-out provisions, and this year Arizona passed a law requiring schools to obtain parents’ permission before collecting certain data. [PBS Newshour]

RFID / IoT

US – Health and Human Services IG to Assess Medical Device Security Monitoring

The US Department of Health and Human Services (HHS) Office of Inspector General’s Fiscal Year 2016 Mid-Year Work Plan calls for an assessment of the Food and Drug Administration’s (FDA’s) review of cybersecurity control on wireless and Internet-connected medical devices. The HHS IG also plans to look into state Medicaid agency and contractor breach notification practices and responses. [GovInfoSecurity]

US – NSA Could Use Internet-Connected Medical Devices for Surveillance

NSA Deputy Director Richard Ledgett told an audience at the Defense One Tech Summit in Washington, DC, last week that the agency is examining ways to exploit the Internet of Things (IoT) to conduct covert monitoring. Ledgett said that the NSA is “looking at it sort of theoretically from a research point of view right now,” and noted that conducting surveillance through medical devices could be “a tool in the toolbox.” [ComputerWorld] [The Intercept]

US – Chicago Seeks Input on Privacy Policy for Sensor Network

Chicago officials will soon release their privacy policy for the city’s traffic sensor project, the Array of Things, for citizen input. The first of 500 devices will go live in July, collecting vehicular and environmental data, the report states. The policy aims to protect collateral information that could identify an individual. “We’ve always been focused on making sure there was a privacy policy to inform the public about how the data that the nodes are collecting is going to be managed,” said Department of Innovation and Technology Commissioner and Chicago Chief Innovation Officer Brenna Berman. Open policy screenings begin June 14, the report adds. [Chicago Tribune]

CA – Who is Watching You on B.C. Highways?

At any time thousands of drivers are on B.C. highways trying to get places as soon as they can. And there is a team of people keeping an eye on all of that that traffic – in a building nestled between Highway 1 and Lougheed Highway in Coquitlam. Transportation Management Centre staff keep watch on over 600 cameras throughout the province. And when you are on the Lions Gate Bridge, Penny Martin is watching and decides when to flip the counterflow lane. There are sensors and computers but Martin says it is often simply watching the causeway cameras for volume that will guide her decision to flip the lane. And it’s not just for Metro Vancouver. With the flick of a mouse people here can change the speed limits on the Sea to Sky or Coquihalla highways using the new variable speed limit signs. Centre manager Brigid Canil says they use advanced traffic management software to change speed limits, almost instantly, based on weather or traffic conditions. But what if the speed limit changes from 120 kilometres an hour to 80 km/hr and police pull you over? “We would know exactly what times the signs would change and be able to correlate what time the ticket was written to ensure the individual is treated fairly,” said Transportation Minister Todd Stone. Another big issue is privacy. On the Drive BC website you can see a “Replay the Day” video of many locations – but they say they don’t keep piles of surveillance. “We don’t keep the data and that is directly in response to concerns about privacy,” said Stone. [Global News]

Security

WW – Study: Weak Passwords, Phishing Attacks Top Breaches

Verizon’s 2016 Data Breach Investigations Report has found that 63% of recent breaches were due to weak passwords. Phishing scams are also a major culprit, the report states. Nearly one-third of the analyzed phishing emails were opened by recipients. While the sophistication and success rate of these attacks is growing, strategies for keeping oneself safe remains the same. “The surest anti-phishing protection is also one of the rarest assets around: common sense,” the report adds. “No matter who an email comes from, never click on a link in an email — instead cut and paste it into a web browser and read the address. If it smells phishy, it probably is.” [TechCrunch] [Employee Error Accounts for Most Security Breaches]

US – FICO to Offer ‘Enterprise Security Scores’

Fair Isaac Corp. has acquired cybersecurity startup QuadMetrics to create an industrywide “enterprise security score” for businesses. The security score will act as an equivalent to the FICO consumer-credit scores, giving chief information officers and other IT professionals an “easy-to-understand” metric to determine their company’s online risks, while handling other possible issues from third-party software vendors and acting as a guide for cyber breach insurance underwriting. “Just as the FICO Score gave credit markets a single metric for understanding credit risk, this product will give the industry a common view of enterprise security risk,” said FICO’s Vice President of Cybersecurity Solutions Doug Clare. [The Wall Street Journal]

Surveillance

CA – RCMP Can Spy on Your Cellphone, Court Records Reveal

A judge lifted the publication ban on information surrounding a suspected mafia murder, revealing different surveillance methods used by the RCMP. While investigating the 2011 murder of Salvatore Montagna, the RCMP used IMSI catchers, commonly known as “Stingrays,” to mimic cellphone towers in order to obtain information on a suspect’s phone. The RCMP used the collected information to intercept and decode BlackBerry PIN-to-PIN messages as part of the murder cover-up. “Our biggest concern with Stingrays is there’s really no regulation or oversight as to how they’re being used,” said OpenMedia Digital Rights Specialist Laura Tribe. “We right now, as the Canadian public, have no idea where they’re being used, when, what the requirements are for these technologies being used and what’s happening to the data of everyone being caught up in their sweep.” [CBC News] See also: [VPD admits to not owning a Stingray surveillance device, but is it ‘borrowing’ one?] and [Santa Clara County, California, has approved an ordinance that requires government agencies to put policies in place before acquiring or activating new surveillance technologies.]

US Government Programs

US – Federal Government Releases Final Guidance on CISA

The Department of Homeland Security (“DHS”) and Department of Justice released final guidance as required by Title I of the Cybersecurity Act of 2015 (“CISA”), which was enacted into law this past December. The guidance was prepared in consultation with several additional federal agencies, and includes four separate documents.

  1. The first document (“sharing guidance”) provides guidance for non-federal entities (including state governments) that elect to share cybersecurity information with the federal government under CISA.
  2. The second document establishes “privacy and civil liberties guidelines governing the receipt, retention, use, and dissemination” of cyber threat indicators and defensive measures by the federal government.
  3. The third document, which was released in final form on February 16, describes procedures through which information is shared by the federal government to participating non-federal entities.
  4. The fourth document describes procedures for the receipt of cyber threat indicators and defensive measures by the federal government. [Inside Privacy]

 

+++

 

 

By privacynewshighlights | Posted in Uncategorized | Comments (0)

03-09 June 2016

June 10, 2016 – 10:27 am

Biometrics

CA – Federal Photo-Matching Scheme Quietly Singles Out Passport Fraudsters

Federal officials used photo-matching technology to identify 15 high-risk people – all wanted on immigration warrants – who used false identities to apply for travel documents. The Liberal government might make the facial-recognition scheme permanent to help find and arrest people ineligible to remain in Canada due to involvement with terrorism, organized crime or human rights violations. The photo-matching idea emerged from concerns that people wanted by the Canada Border Services Agency might use fake names to obtain genuine Canadian travel documents from the Immigration Department’s passport program, say internal memos released under the Access to Information Act. The privacy commissioner’s office has not been consulted on the project. However, both the border agency and the passport program have shared information about other facial-recognition initiatives with the commissioner. Passport officials have used the image-matching technology for years to see if someone has applied for multiple travel documents in different names. The border agency has quietly been working with other agencies since at least 2011 to gauge the ability of devices to extract usable facial images from video footage. [Source]

Canada

CA – Court Rules that Health Records Do Not Require Vetting Prior to Disclosure to Childrens Aid Society

The Court considers a request for a protection application for the production of records from non-parties. The records, containing mental health information of a parent, do not require vetting by counsel for the society or the parent (this approach could give either party an unfair advantage in litigation), or the Court (the mental health records are relevant to whether the parent’s children are in need of protection, and the production order will be structured to preserve the parent’s privacy interests). [Catholic Children’s Aid Society of Hamilton v. L.K. – 2016 CanLII 15148 (ONSC) – Superior Court of Justice of Ontario]

CA – BC Appeals Court Finds Senders of Texts and Emails Have a Reasonable Expectation of Privacy in the Content of the Message

a review of impact of the BC Court of Appeal’s decision in R. v. Craig. Senders have a reasonable expectation that their text messages will be confidential; senders do not abandon their right to privacy in the content of the message, to the extent that they should be able to count on the recipient’s duty of confidentiality. While there is inherent risk in any human interaction, the risk that a message might be improperly shared (i.e. breach of confidentiality) is not enough to vitiate a reasonable expectation of privacy. ‘[Privacy, technology, and instant messaging – The British Columbia Court of Appeal sends a (instant) message – Dara Jospé, Michael Shortt, and Antoine Guilmain – Fasken Martineau, Montréal]

CA – Other Canada News

E-Government

US – Survey: A Year After the OPM Hack, Victims Don’t Feel Safer

A Federal News Radio survey on the Office of Personnel Management breach has found that roughly 55% of government employees and contractors don’t feel their personal information is safer a year after the hack. George Mason University’s Jim Jones said one reason for these responses is that many acknowledge that the risks move faster than security efforts. “The threat is so flexible and responsive in the sense that when we do something, we close one hole they simply move on to another one,” he said. Meanwhile, NPR also examines the changes in security practices at the OPM in a subsequent report. [Federal News Radio]

E-Mail

CA – OIPC ON Cautions Against Using Personal Email and Instant Messaging When Doing Public Business

Ontario’s Information and Privacy Commissioner, Brian Beamish, is calling on the leaders of all public institutions to educate staff and enact policies to strictly control the use of personal email and messaging tools, such as BlackBerry Messenger, to conduct business. All public servants should be aware that records relating to government business are subject to provincial access legislation, even if they are created, sent or received through instant messaging tools or personal email accounts. The use of these tools and accounts can create a number of challenges for institutions in meeting their obligations under Ontario’s access and privacy laws. To avoid these issues, Beamish is asking all Ontario institutions to either strictly control the use of personal email or instant messaging when doing business, and implement clear policies to help public servants meet their legal obligations. If it is necessary to use these tools, institutions must plan for compliance by conducting thorough risk assessments and implementing appropriate administrative and technical measures to ensure that records are saved. A new guide to assist Ontario’s public institutions, Instant Messaging and Personal Email Accounts: Meeting Your Access and Privacy Obligations, is now available. [Office of the Information and Privacy Commissioner of Ontario]

Electronic Records

CA – Alberta OIPC Issues Guidance for EHR Systems

The OIPC of Alberta has published Guidance for Electronic Health Record Systems. This guide was developed to assess the safeguards in electronic health record (EHR) systems. Custodians and their EHR service providers may use this document to support a Privacy Impact Assessment on an EHR system, or to examine whether changes to a system comply with Health Information Act requirements. Two versions of the document are available on our website. A PDF version and an editable Word document:

EU Developments

US – US and EU Officially Ink Umbrella Agreement

Officials from the EU and U.S. officially signed the so-called Umbrella Agreement, which sets privacy protections on European citizens’ personal data when transferred to the U.S. for law enforcement purposes. It will give EU citizens judicial redress in U.S. courts — something the EU already provides for U.S. citizens. U.S. Attorney General Loretta Lynch, Dutch Minister Ard van der Steur, and EU Justice Commissioner Věra Jourová signed the deal Thursday. Privacy advocates, however, have expressed concern about the deal. Access Now’s Estelle Massé said the new rules are “toothless” and that it “should absolutely be brought back to the drawing board.” [Ars Technica]

EU – British Lawmakers Pass New Digital Surveillance Law

The House of Commons passed the controversial Investigatory Powers Bill, which would provide security agencies with stronger monitoring abilities. The bill was approved 444-69. Interior Minister Theresa May said the new law will help “keep us safe in an uncertain world.” While May noted the scrutiny of the Investigatory Powers Bill was “unprecedented,” a new privacy clause has been added requiring agencies to contemplate less intrusive ways to surveil, while also offering special protections for lawmakers, journalists and lawyers. “It provides far greater transparency, overhauled safeguards and adds protections for privacy and introduces a new and world-leading oversight regime,” May said. The bill now moves to the upper house of Parliament, the House of Lords. [Reuters]

EU – European Commission Creates Code of Conduct for Mobile Health Apps

The European Commission has formally submitted a code of conduct to the Article 29 Working Party to increase privacy capabilities on mobile health apps. The code has been handed in for comments, and once approved, app developers can voluntarily commit to them. The European Commission code is based on EU data protection legislation, and aims to raise awareness for all parties, including small and medium enterprises as well as individual developers who may not have legal teams on hand, and “increase compliance at the EU level for app developers.” The code covers numerous issues, including user consent, purpose limitation, privacy by design and default, and data security. The European Commission also covered advertising within mHealth apps, disclosing data to third parties, children’s privacy, and data transfers. [Telecompaper] [Press Release] [Public Consultation]

EU – EDPS Announces New Accountability Initiative

European Data Protection Supervisor Giovanni Buttarelli announced a new accountability initiative to help EU bodies transition to the General Data Protection Regulation. The EDPS started working on a project to enhance accountability in data processing in 2015, when the agency examined itself as an institution. “We developed a specific tool to ensure and demonstrate our accountability as an organisation, to plan and to keep track of related actions. This document consists of a set of questions for the supervisors, the director, the staff responsible for managing processing operations and our data protection officer,” Buttarelli wrote in a blog post. “This year, we aim to visit — and have already started — small, medium, and large EU bodies to explain the new obligations,” he continued, adding, “As part of our efforts … we will recommend our accountability document during these visits and suggest that they tailor it to suit their specific needs.” [EDPS Blog Post]

Finance

WW – Facebook is Using Your Phone to Listen to Everything You Say: Professor

Facebook admits to using people’s microphones to listen to what they say, but they claim this is somehow a good thing. Kelli Burns, mass communication professor at the University of South Florida claims to have tested devices running the Facebook mobile app, and found that all of them are listening to everything you say, providing customized ads based on what you are saying. “I’m really interested in going on an African safari. I think it’d be wonderful to ride in one of those jeeps,” she said out loud with her phone in hand. According to the NBC report, less than a minute later, the first story in her Facebook feed was about a safari. And a car ad soon appeared on her page – go figure. Of course, this is not scientific evidence at this point, but Burns is not one to shun. Before becoming an academic, she spent seven years in corporate marketing and is a well-known figure in social media circles. Facebook didn’t deny the claims. Instead, it admitted that it picks up sounds from users, but said that it only does this to recommend they post things on Facebook. It’s not the first time Facebook has come under fire for something like this. Last years it was also accused of the same thing, and they said at the time that users had to turn their microphone on in order for this to work. But now, the microphone is on by default, so this does seem to confirm that Facebook is listening to you. [zmescience.com]

FOI

CA – Ontario Health Ministry Ordered to Disclose Names on OHIP Billings

Ontario’s privacy watchdog has ordered the province to publish the names of the 100 doctors whose billings to the Ontario Health Insurance Plan are highest. An adjudicator, ruling on an access-to-information request from the Toronto Star, said the billings are “not personal information” and, even if they were, it would be in the public interest to reveal them. The Ontario Medical Association, which represents the province’s 28,000 physicians, opposed release of the data, saying it could be misconstrued. (Billings are not salaries but gross payments from which doctors must pay office overhead, benefits and pension.) The OMA has not yet decided if it will appeal the ruling. If it does not, the data will be made public on July 8. [Source] [IPC Decision] [54-page order] [Ontario Doctors’ Billings: Transparency is the Best Medicine] [End the secrecy over doctors’ billings: Editorial]

CA – OIPC NFLD Expects Redaction to be Used Sparingly

The Office of the Newfoundland and Labrador Information and Privacy Commissioner provided its expectations for Public Body Coordinators on handling non-responsive information in an access request, pursuant to the Access to Information and Protection of Privacy Act. Redact non-responsive information only where necessary and appropriate; best practices include, releasing the information if it is just as easy as claiming non-responsive (this will save time-consuming consultations and time weighing discretionary exceptions), avoid breaking the flow of information (do not claim non-responsive within sentences or paragraphs), and explain what non-responsive means in the final response to the Applicant, and that information has been redacted on this basis. [Newfoundland and Labrador OIPC – Practice Bulletin – Redacting Non-Responsive Information in a Responsive Document]

US – Snowden Questioned NSA’s ‘Interpretation of Legal Authorities’ Before Leak

Former government contractor Edward Snowden attempted to contact the NSA about its surveillance programs before exposing a trove of documents to the public. In response to a “long-running” Freedom-of-Information-Act lawsuit, the Office of the Director of National Intelligence released more than 800 pages of communications to Vice News revealing Snowden tried to ask questions about the “interpretation of legal authorities” related to the programs. The documents also reveal Snowden’s face-to-face interaction with an official, details about Snowden’s work with the agency, and efforts by the NSA, the White House and U.S. Senator Dianne Feinstein, D-Calif., to discredit Snowden. [Full Story]

Genetics

US – Biden Unveils Launch of Major, Open-Access Database to Advance Cancer Research

Vice President Joe Biden will unveil a 12,000-patient, open-access cancer research database called the Genomic Data Commons today. The database will include “raw genomic and clinical data” as well as information regarding patients’ treatment types and their bodies’ response to it, the report states. “This is good news in the fight against cancer,” Biden said. “Increasing the pool of researchers who can access data and decreasing the time it takes for them to review and find new patterns in that data is critical to speeding up development of lifesaving treatments for patients.” The GDC will have privacy protections in place, with representatives from cancer centers drafting a model consent form, the report adds. [Washington Post] See also: [Canada: Genetic Discrimination And Canadian Law] and [How new DNA testing is cracking open long-stalled cold cases]

Health / Medical

US – OCR: Sharing Electronic Patient Data Crucial, Requires Cooperation

A slew of breakthroughs will put the pressure on health care leaders to start becoming more transparent with data. Deputy Director of Health Information Privacy in the Department of Health and Human Services’ Office for Civil Rights Deven McGraw highlighted this during the Office of the National Coordinator for Health Information Technology’s annual meeting in Washington, where she said cooperation will be key for successfully sharing patient data. “I can enforce people to comply with the law, but the culture change that makes a difference is not because the government is going to force it down people’s throat,” said McGraw. “It’s going to happen because people want it and demand it.” McGraw said providers should release electronic patient data at their request. “Whatever the patient wants to do with that information, it’s her right to have it and to have it in the form or format that she wants it,” McGraw said. [Healthcare IT News]

Horror Stories

WW – 32M Twitter Passwords Held at Ransom

A hacker with purported ties to the LinkedIn, Myspace, and Tumblr breaches is now claiming to have a database of 32 million Twitter login credentials at ransom. “The explanation for this is that tens of millions of people have become infected by malware, and the malware sent every saved username and password from browsers like Chrome and Firefox back to the hackers from all websites including Twitter,” said a statement from breach-notification company LeakedSource, which analyzed the database and was able to verify accounts. The company added that the passwords taken were most likely in plain text with no hashing. “The lesson here? It’s not just companies that can be hacked, users need to be careful too,” the statement said. [ZDNet]

EU – Dutch DPA Receives More Than 1,500 Breach Notifications in First 4 Months

Review of the first 4 months of new breach notification requirements in the Netherlands shows that, in approximately two-thirds of breaches, the DPA had reason to more closely examine the circumstances of the breach or it opened formal investigations; subsequent action was taken against about 70 organisations. DPA’s classification of breaches found that 3 of the four categories related to inadvertent disclosures by the organisation (e.g. loss of unencrypted devices, insecure disposal, or insecure transfers); the remaining category related to malicious access to databases and ransomware. [130 days, 1,500 notifications: Does Dutch breach rule foreshadow GDPR? – Lokke Moerel and Alex van der Wolk, Morrison & Foerster LLP]

Identity Issues

WW – Search Queries Could Leave Medical Clues: Study

A Microsoft study published June 7 has found that by analyzing large sets of anonymized search engine queries, scientists may be able to detect those internet searchers with pancreatic cancer before an official diagnosis. “We asked ourselves, ‘If we heard the whispers of people online, would it provide strong evidence or a clue that something’s going on?’” researcher Dr. Eric Horvitz said. He acknowledged that using data in this way was uncharted territory for the health care industry. Regardless, “We’re hoping that this stimulates quite a bit of interesting conversation,” he said. [The New York Times]

WW – Inventor of the Web Creates Identity on Bitcoin Blockchain

Sir Timothy Berners-Lee, an english computer scientist and the inventor of the World Wide Web has created his first Bitcoin blockchain ID on June 9, through the popular blockstack-based platform Onename. Built on the decentralized, privacy-centric, and Bitcoin blockchain-secured database Blockstack, Onename is an open source platform which enables users to register their social media accounts and IDs through the Bitcoin blockchain network. The concept of embedding an account on the Bitcoin blockchain is fairly simple. Each Bitcoin transaction has a feature which allows users to store data apart from the core transaction information, creating space for anyone to embed small pieces of data in accordance with transaction data in a full transaction. Through the Blockstack nodes, Onename then verifies and authenticates various social media accounts, linking it to their network and enabling users to identify others through the account. “With the Blockstack software, a network of computers collectively maintain a global registry of identities, public keys and names. When you run a Blockstack node, you join this network, which is more secure by design than traditional identity, naming, and digital registry systems,” explains the Blockstack team. [Source]

Law Enforcement

CA – BC Police Act Violates Charter (sec.8), Suspended Vic Chief Says

Suspended Victoria Police Chief Frank Elsner is asking the courts to declare that sections of B.C.’s Police Act violate the Charter of Rights and Freedoms’ search and seizure provisions and are therefore not enforceable. Under the act, independent investigators with the Office of the Police Complaint Commissioner are not required to obtain warrants to search police premises, equipment and records when looking into allegations of misconduct at municipal departments. Those provisions violate Section 8 of the charter, because they relate to matters to which there is a high expectation of privacy, Elsner says. Section 8 protects against unreasonable search and seizure. [The Victoria Times Colonist]

Online Privacy

US – Android Users Seek Class-Action in Privacy Battle Over App Purchases

Android users are requesting to go forward with a class-action lawsuit against Google’s app store for allegedly disclosing personal information to developers. The lawsuit, started by Illinois resident Alice Svenson in 2013, is on behalf of numerous Android users who made purchases on the Google app store. “Casting aside the express promises made in their own terms of use, for years, defendants have routinely and systematically disclosed to third-parties, their buyers’ personal contact and billing information — including, names and email addresses — which they now admit was not necessary to complete the transactions or otherwise authorized for disclosure,” the users’ lawyers wrote in the motion. Svenson’s initial lawsuit was thrown out, but after revising her complaint by saying the disclosure lessened the value of her personal data, it was allowed to proceed. Last year, U.S. District Court Magistrate Paul Grewal in San Jose dismissed a separate lawsuit that also alleged Google violated app purchasers’ privacy by sending their names to developers. [MediaPost]

EU – Researchers Re-identify 40% of RTBF Subjects

One of the world’s most widespread efforts to protect people’s privacy online —RTBF— may not be as effective as many policymakers think, according to research by computer scientists based, in part, at New York University. The academic team said that in roughly a third of the cases examined, the researchers were able to discover the names of people who had asked for links to be removed. Those results, based on the researchers’ use of basic coding, came despite the individuals’ expressed efforts to remove their names from searches. The research paper raises questions about how successful Europe’s “right to be forgotten” can be if the identities can still be found with just a few clicks of a mouse. The paper says such breaches undermine “the spirit” of the right to be forgotten. The research also will add increased pressure on some European authorities, particularly the French privacy regulator, who would like Google and other online search engines like Microsoft’s Bing to extend the reach of the right to be forgotten across all of the companies’ global domains, including Google.com in the United States. “This poses a threat to whether the ‘right to be forgotten’ can be maintained in the long-term,” said Keith Ross, dean of engineering and computer science at NYU Shanghai, who led the project and who said he had contacted Google with his research. “If a hacker can easily find 30 or 40% of people’s names from delisted articles, what is the point?” he said. [New York Times]

Privacy (US)

US – Federal Appeals Court Says No Warrant Needed for Stingray Use

The Fourth US Circuit Court of Appeals has overturned a lower court verdict that ruled law enforcement must obtain warrants before using cell-site simulators to determine a suspect’s location. According to the ruling, obtaining the information does not violate a suspect’s Fourth Amendment rights because the information is already being shared with the suspect’s wireless carrier” “Whenever [an individual] expects his phone to work, he is permitting – indeed, requesting – the service provider to establish a connection between his phone and a nearby cell tower.” [ZDNet]

US – Yahoo Publishes National Security Letters

Yahoo has published three National Security letters it has received from the federal government. National Security Letters allow federal law enforcement officers to demand customer records and transaction information from communication companies without the need for a warrant. The letters also carried a gag order that until recently never expired – anyone or organization receiving an NSL was not permitted to disclose its contents or even its existence. The USA Freedom Act, which became law last year, changed those requirements. The FBI must now review gag orders once the investigation is closed or three years after it was opened, to determine if lifting the order will or will not be detrimental to the investigation. Yahoo’s disclosure is the first since the USA Freedom Act passed. [Wired] [eWeek] [Redacted letters] [Yahoo’s position]

US – NTIA Issues Best Practices for Operators of Commercial and Private Drones

The National Telecommunications and Information Administration released its best practices for use of drones by operators for private and commercial uses. Public comments were sought in 2015. Operators should making a reasonable effort to provide prior notice to individuals of the general timeframe and area in which they intend to operate a drone to collect data; provide a publicly available privacy policy that includes the purposes of collection, the types of data the drone will collect, the operator’s data retention and de-identification practices, the types of entities with which data will be shared, how to submit privacy/security complaints or concerns, and a description of response practices to law enforcement requests. [National Telecommunications and Information Administration – Voluntary Best Practices for UAS Privacy, Transparency, and Accountability]

US – Snowden Questioned NSA’s ‘Interpretation of Legal Authorities’ Before Leak

Former government contractor Edward Snowden attempted to contact the NSA about its surveillance programs before exposing a trove of documents to the public. In response to a “long-running” Freedom-of-Information-Act lawsuit, the Office of the Director of National Intelligence released more than 800 pages of communications revealing Snowden tried to ask questions about the “interpretation of legal authorities” related to the programs. The documents also reveal Snowden’s face-to-face interaction with an official, details about Snowden’s work with the agency, and efforts by the NSA, the White House and U.S. Senator Dianne Feinstein, D-Calif., to discredit Snowden. [Vice News] [Snowden and the NSA Gets Curiouser and Curiouser]

US – Court Certifies Class Action Alleging Social Networking Site Unlawfully Scanned Users’ Private Messages

A US Court has considered a motion for class certification of a complaint alleging Facebook violates users’ privacy by scanning their private messages. The Court accepted the Plaintiffs’ argument that injunctive relief is appropriate for the class as a whole because Facebook has utilized a uniform system architecture and source code to intercept and catalog its users’ private message content; the Court rejects the social networking site’s argument that individual proof will show that many class members impliedly consented to the challenged practices. [Matthew Campbell et al. v. Facebook, Inc. – 2016 U.S. Dist. LEXIS 66267 – United States District Court For The Northern District Of California]

US – Electronic Health Records Company Settles FTC Charges It Deceived Consumers About Privacy of Doctor Reviews

The FTC announced electronic health records company Practice Fusion has settled with the agency over claims it mislead customers by asking for reviews of its doctors without telling customers the reviews would be made public, resulting in the disclosure of sensitive medical data. “Practice Fusion’s actions led consumers to share incredibly sensitive health information without realizing it would be made public,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “Companies that collect personal health information must be clear about how they will use it — especially before posting such information publicly on the internet.” In its settlement with the FTC, Practice Fusion is prohibited from making deceptive statements about the privacy and confidentiality of consumer information it collects, while requiring consumer opt-in before disclosing any information in the future. [Full Story]

Security

US – Three Bills Approved To Boost Security for California’s IT systems

California lawmakers passed three bills designed to strengthen the security of the state’s information technology systems. One of the bills would mandate a statewide response plan for cybersecurity threats on critical infrastructure by July 1, 2017. “Ensuring that these preparations are made for cybersecurity will make our state networks more resilient, improve response coordination, reduce recovery time and costs and ultimately limit the damage that is done,” said bill author Jacqui Irwin, D-Thousand Oaks. Another bill requiring state agencies to create detailed data breach response plans was unanimously approved by the California Senate, along with legislation making it illegal to knowingly put ransomware on a computer’s system, network or data. [Techwire]

CA – New Conference Board Centre to Focus on Cyber Security Policy

A new Conference Board of Canada research Centre is working to tackle cyber security issues that affect all Canadian citizens, starting with the critical issue of personal data privacy in the digital world. The first research from the Centre aims to get decision-makers and Canadians up-to-speed on privacy regulations and capable of making smart decisions. The report, Private Matters: Regulating Privacy in Canada, the European Union and the United States, highlights key trends that firms should address in order to maintain proactive privacy compliance. They include:

  • Consent—The broad concepts of informed and implied consent are no longer sufficient. Regulators are increasingly demanding that consent be active, explicit, and easily understood.
  • Breach notification—Enhanced regulations require organizations to report privacy breaches in a timely, comprehensive way. Failure to do so can result in steep fines and costs to a firm’s reputation.
  • Territoriality—Privacy will have to balance the rights of national citizens against the borderless nature of e-commerce. The new EU-U.S. Privacy Shield will have an impact on this debate. If EU demands prevail, EU citizens’ right to privacy will travel with their data.
  • Individual rights after consent—As regulators and industry get closer to figuring out how to get consent right, they will need begin enumerating the rights of individuals who have consented to data collection. They will also need to determine the appropriate remedies when those rights are violated.
  • Answering public demands—As the pace and pervasiveness of technology continue to accelerate, regulators will have to strike a balance between protecting the public and insisting the public more meaningfully contributes to its own protection.

The Conference Board of Canada’s new Cyber Security Centre examines the evolving nature of cyber security at the strategic and policy level, in order to meet the needs of senior executives and board members across all sectors and industries. [Conference Board of Canada News Release]

Surveillance

CA – BlackBerry Hands Over User Data to Help Police ‘Kick Ass,’ Insider Says

A specialized unit inside mobile firm BlackBerry has for years enthusiastically helped intercept user data — including BBM messages — to help in hundreds of police investigations in dozens of countries, a CBC News investigation reveals. CBC News has gained a rare glimpse inside the struggling smartphone maker’s Public Safety Operations team, which at one point numbered 15 people, and has long kept its handling of warrants and police requests for taps on user information confidential. A number of insiders, none of whom were authorized to speak, say that behind the scenes the company has been actively assisting police in a wide range of high profile investigations. But unlike many other technology companies, which regularly publish transparency reports, it is not clear how many requests BlackBerry receives each year, nor the number of requests it has fulfilled. [Source] See also: [More Canadian telcos should detail police data requests: Privacy commissioner]

US – Google Wants Privacy Lawsuit Dismissed, Cites Spokeo Case

Citing the Supreme Court’s decision in the Spokeo case, Google is asking a U.S. district judge to dismiss claims it disregards privacy laws. Google filed court papers in response to allegations it violates federal and state privacy laws by scanning emails in order to serve ads. A lawsuit from San Francisco resident Dan Matera claims Google illegally “intercepts” email messages, which forced him to interact with Gmail users, even though he did not have a Gmail account. Thanks to the result of the Spokeo case, Google wants Matera’s case thrown out, saying he cannot show a concrete injury, the report states. “Plaintiff does not allege, for example, that the alleged violations led to the disclosure of his confidential information to third parties, or that he suffered any other purported harm from the alleged ‘interceptions’ of his emails,” Google wrote in the papers. [MediaPost]

UK – Spies Circumvented Surveillance Laws With No ‘Meaningful’ Oversight

Privacy International has released previously confidential government documents that shed light on how British spy agencies circumvented legal restraints on their surveillance powers, with little interference from the commissioner charged with overseeing them. The documents detail correspondence carried out in 2004 between lawyers for two UK spy agencies — the Government Communications Headquarters (GCHQ) and MI5 — and Sir Swinton Thomas, the Interception of Communications Commissioner at the time. Thomas was responsible for overseeing the two agencies, but Privacy International, a London-based watchdog organization, says his correspondence with the GCHQ and MI5 “exposes the lack of meaningful restraint of the agencies’ over-reaching and intrusive powers.” The release of the document comes ahead of a Parliamentary debate on the controversial Investigatory Powers (IP) Bill. Introduced last year, the bill aims to provide a legal framework for bulk data collection, while increasing transparency and strengthening oversight for British spy agencies. But privacy advocates, internet service providers, and major technology companies have expressed alarm over the law — referred to by critics as the “snooper’s charter” — arguing that it gives police and intelligence agencies broad surveillance powers under vaguely defined terms. Privacy International says that the correspondence released today demonstrates the flimsiness of existing oversight mechanisms. [The Verge] [UK: Official correspondence reveals lack of scrutiny of MI5’s data collection]

+++

 

By privacynewshighlights | Posted in Uncategorized | Comments (0)

27 May – 02 June 2016

June 3, 2016 – 11:56 am

Biometrics

WW – Car’s Computer Can ‘Fingerprint’ You in 5 Min Based on How You Drive

The way you drive is surprisingly unique. And in an era when automobiles have become data-harvesting, multi-ton mobile computers, the data collected by your car—or one you rent or borrow—can probably identify you based on that driving style after as little as a few minutes behind the wheel. In a study they plan to present at the PETs Symposium in Germany this July, a group of researchers from the University of Washington and the University of California at San Diego found that they could “fingerprint” drivers based only on data they collected from internal computer network of the vehicle their test subjects were driving, what’s known as a car’s CAN bus. In fact, they found that the data collected from a car’s brake pedal alone could let them correctly distinguish the correct driver out of 15 individuals about nine times out of ten, after just 15 minutes of driving. With 90 minutes driving data or monitoring more car components, they could pick out the correct driver fully 100 percent of the time. “With very limited amounts of driving data we can enable very powerful and accurate inferences about the driver’s identity.” And the researchers argue that ability to pinpoint could have unexpected privacy implications: Everything from letting insurance companies punish drivers who loan their cars to their teenage kids, to confirming the identity of a driver who violated traffic laws or caused a collision. [Wired] [Is driving style the next biometric?]

US – Tattoo Recognition Research Threatens Free Speech and Privacy: EFF

An EFF Investigation Finds NIST/FBI Experimented with Religious Tattoos, Exploited Prisoners, and Handed Private Data to Third Parties Without Thorough Oversight …Now, with NIST and the FBI on the precipice of a new, larger experiment that will use upwards of 100,000 tattoo images, officials must suspend any further research into tattoo recognition technology until they address the First Amendment, ethical, and privacy concerns EFF has identified. [Source] See also: [Six Things You Need to Know Before Collecting Biometric Information]

Canada

CA – Company Scraps ‘Bad Tenant List’ After OPC Upholds Complaint

A property management company that maintained a “bad tenant” list for a landlord association has agreed to scrap it after the office of federal Privacy Commissioner Daniel Therrien concluded the personal information it contained was improperly collected. Therrien’s office investigated after receiving a complaint in February 2014 from a single parent with a disabled child. The unidentified woman had applied to the company for new rental accommodation that was fully accessible to her child, but was turned down. She was told by the company that her inclusion on the bad tenant list — for allegedly having skipped payments and for owing money for damages — was one of the reasons it was denying her housing services. The management company, which wasn’t named, told privacy commissioner investigators that members of the unidentified landlords association added the names of “bad tenants” to the list. The personal information on the list included the tenant’s name, the alleged incident for which the individual’s name was added to the list and the rental accommodation where the problem occurred. The company said the information was used to help landlords “avoid credit default” by potential tenants and determine “valid renters.” The complainant said she never consented to her personal information being collected for that purpose and wasn’t allowed to see the information about her or find out which landlord had added her name to the list. The property management company pointed to a clause in its rental agreement authorizing the landlord to obtain credit reports “or other information as may be deemed necessary.” But in a recently posted decision, the privacy commissioner’s office says it did not see how those words “would lead individuals to understand they were consenting to their personal information being collected, used and disclosed for the purposes of a ‘bad tenant’ list.” [Source]

CA – Office of the Privacy Commissioner Announces First Investigation Under Address Harvesting Provisions

The OPC announced its report of findings against Compu-Finder, a Quebec-based company that offers face-to-face professional training courses. The OPC alleges Compu-Finder used address harvesting programs to search and collect e-mails on the internet. This marks the first investigation by the OPC involving its address harvesting provisions under the Personal Information and Electronic Documents Act (PIPEDA). The OPC concluded that Compu-Finder did use e-mail addresses of individuals to send e-mails promoting its business activities, without the consent of the individuals concerned. Compu-Finder was unable to demonstrate it had the appropriate consent for the collection and use for many of the e-mail addresses. Further, the OPC found Compu-Finder lacked basic privacy knowledge of its obligations and failed in demonstrating accountability and openness of its privacy practices. This investigation also debuts the OPC’s compliance agreement power since the tool was added by the Digital Privacy Act on June 18, 2015. The compliance agreement between the Privacy Commissioner of Canada and Compu-Finder lists over ten remedial measures imposed on Compu-Finder. Some of the following measures that Compu-Finder has agreed to implement, include:

  • collect and use only e-mail addresses with proper consent;
  • destroy all e-mail addresses in its possessions which were collected without obtaining consent;
  • refrain from collecting any electronic addresses of individuals through the use of a harvesting computer program;
  • develop and implement a privacy program; and
  • obtain a third-party audit of its privacy program.

Compu-Finder is also under investigation by the CRTC, who issued a Notice of Violation against Compu-Finder pursuant to Canada’s Anti-Spam Legislation (CASL) on March 5, 2016. The OPC acknowledged the CRTC shared investigative information with the OPC pursuant to CASL and a Memorandum of Understanding between the two agencies. The CRTC’s proceedings against Compu-Finder are still on going. You can read the full report of findings and compliance agreement online here. [Source]

CA – Spy Agency Accidentally Shared Canadians’ Data With Allies for Years

A federal spy agency inadvertently shared logs of Canadians’ phone calls and Internet exchanges with intelligence allies such as the United States for years, a newly disclosed report says. The revelation that the CSE compromised Canadians’ privacy while sharing clandestinely captured data appears in a confidential watchdog’s report obtained from court filings related to a lawsuit against the Canadian government. The report said software that was supposed to remove identifying information on Canadians from material CSE captured during international surveillance operations had failed. This meant that Canada’s intelligence allies received data that Canadian laws say they should not see. The confidential report was written by Jean-Pierre Plouffe, a retired Quebec judge who heads the Office of the CSE Commissioner, the spy agency’s watchdog agency. In it, he suggests the unlawful seepage of Canadians’ phone and Internet records to foreign intelligence agencies could date back to the mid-2000s, and that the overall amount of compromised material is unclear. Given this, Mr. Plouffe is urging Parliament to pass laws spelling out how it wants the spy agency to function. “As CSE’s collection posture has strengthened, … the volume of metadata collected has increased considerably,” Mr. Plouffe writes in his 2015 report. He urged federal politicians to give clearer direction on surveillance. [The Globe and Mail]

CA – TREB Seeks ‘Opt-In’ Consent for MLS Data to Protect Consumer Privacy

Canada’s largest real estate board is urging the federal Competition Tribunal to protect consumer privacy by requiring homeowners to consent to sharing their housing information over the Internet. In filings posted on the tribunal’s website ahead of a hearing on Thursday in Ottawa, the Toronto Real Estate Board argues that electronic access to the board’s Multiple Listings Service should be made available to online real estate brokerages only after both buyers and sellers have checked an “opt-in” box on their sale and purchase agreement. TREB also asked the tribunal to make electronic home-sales data available for only six months after a house has sold, and said the data should not contain details of house sales that occurred before the tribunal issues its final order. It also argued that online brokers should not be able to use its MLS information for “data analytics” – such as building home-price heat maps or neighbourhood-level price trends – without the explicit consent of both buyers and sellers. The hearing comes a month after a three-member panel of the Competition Tribunal ruled that TREB was stifling competition in the Greater Toronto Area’s real estate industry by restricting how member realtors who run online brokerages access and share electronic data about homes that have sold. [The Globe and Mail]

Consumer

CA – Majority of Canadians Feel Their PI is Vulnerable to Security Breach

A report released earlier this month has indicated that the majority of Canadians believe the personal data the government holds on them, is vulnerable to a security breach. The study, conducted by Ipsos on behalf of Accenture Cyber, indicated that Canadians feel distrustful of their data in the hands of municipal, provincial and federal governments. A total of 54% of Canadians believe that personal information held by the federal government is vulnerable to a security breach. 20% of those surveyed feel they are “very vulnerable” and 33% feel they are “somewhat vulnerable,” according to the results of the survey. Albertans feel most distrustful of their governments, as 62% of those in the province report feeling vulnerable, followed by those from British Columbia (58%), Ontario (55%), and Atlantic Canada (53%). Quebec, Saskatchewan and Manitoba tied for last place with 49 % feeling their data could be compromised. On average, the results also say that women feel more vulnerable than men, and older Canadians are more skeptical of the safety of their data than younger ones. [Source]

E-Government

US – Uber Says New York Can’t Be Trusted With Its Data

Uber has gone to court to ensure confidentiality over records it provided for New York’s investigation of how the ride-sharing service secures data. New York began collecting the information two years ago after media reports surfaced about real-time tracking of rides — known internally as “God View” — that included personal information about riders. Uber provided the information at issue in response to an attorney general’s probe, so the company “thus enjoys categorical exemption from disclosure,” the petition states. Attorney General Eric Schneiderman’s office would only discourage similar cooperation from companies if it released the confidential information, the petition continues. [Source]

Electronic Records

US – Certified EHR Technology Now Widely Used at U.S. Hospitals

Nearly all of the country’s hospitals have adopted certified electronic health records, according to new survey data released May 31 by the Office of the National Coordinator for Health Information Technology. Results of the survey show the industry has a long way to go in sharing and then using from other healthcare organizations in treating patients—only a minority say they use patient information from outside their organization in treating patients. Based on the American Hospital Association IT Supplement to the AHA annual survey, the adoption rate of certified EHRs has increased from almost 72% in 2011 to 96% in 2015. Last year, 84% of hospitals adopted at least a basic EHR system, representing a nine-fold increase since 2008. ONC defines basic EHR adoption as a minimum use of core functionality determined to be essential to an EHR system, including clinician notes. The set of EHR functions must be implemented in at least one clinical unit to be considered basic EHR adoption. While small, rural, and critical access hospitals continue to have significantly lower basic EHR adoption rates compared with all hospitals, ONC notes that the new data show that adoption rates for these hospitals has increased significantly. Since 2014, small and rural hospitals increased their adoption of basic EHRs by at least 14 percentage points and CAHs increased their adoption of basic EHRs by 18 percentage points. Currently, about eight out of 10 small, rural, and CAHs have adopted a basic EHR. [Source]

Encryption

US – Proposed Senate Bill Requiring Backdoors in Encryption Appears Dead

A proposed anti-encryption bill has stalled out in the US Senate. The draft legislation would have required that encryption be breakable so investigators could access communications. The bill lacked White House support, and the intelligence community were reportedly “ambivalent” because the law could have impeded their own encryption efforts. [Reuters] [The Register] [CNET] [ComputerWorld] [ZDNet]

EU Developments

EU – Privacy Shield Doesn’t Hold Up: EDPS

European Data Protection Supervisor Giovanni Buttarelli has published his opinion on the EU-U.S. Privacy Shield, which he says is “not robust enough to withstand future legal scrutiny.” While he expressed appreciation for the legislative effort behind the agreement, “significant improvements are needed should the European Commission wish to adopt an adequacy decision,” he wrote. Buttarelli isn’t the only recent Privacy Shield critic. “We keep thinking we’re going to reach a date and from that date onwards we won’t have any more issues. That won’t happen,” said Intel Global Privacy Officer David Hoffman. “The idea that we’re going to solve the international data transfer issue with Privacy Shield, to me, is an incorrect assumption.” [v3] [BBC: EU Data Protection Supervisor Rejects Privacy Shield Agreement]

Facts & Stats

US – Most 2016 Healthcare Data Breaches from Unauthorized Access

Last year is often referred to as the “Year of the Hack” for healthcare, with the majority of healthcare data breaches being caused by third-party cyber attacks. The top three incidents alone combined to potentially affect nearly 100 million individuals, and were all involved hacking. So far, 2016 is not immune from healthcare data breaches, but the leading cause of incidents is unauthorized access, according to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) data breach reporting database. There have been 114 incidents reported to OCR between Jan. 1, 2016 and June 1, 2016. Of those, 47 were classified as being caused by unauthorized access or disclosure. The rest of the classification breakdown is as follows:

  • 34 – hacking/IT incident
  • 26 – theft
  • 5 – loss
  • 2 – improper disposal

However, the largest healthcare data breach so far this year was due to a hacking incident. [Source] Top 10 Healthcare Data Breaches of 2015

UK – Sloppy Human Error Still Prime Cause of Data Breaches: ICO

FOI data from ICO reveals usual failings: loss of paperwork, data sent to wrong recipients, insecure disposal of hardware and paperwork, loss or theft of unencrypted devices, and failure to redact data …Of the sectors compared over the three years, 66% reported an increase in data breach incidents, with the courts and justice sector recording a rise of 500% over the period. Healthcare organisations continue to top the list for total number of reported incidents at 184. Human error continues to be mainly to blame. For January – April 2016, human error accounted for almost two-thirds (62%) of the incidents reported to the ICO, outstripping other causes such as insecure webpages and hacking, which stands at just 9% combined. Despite this, market attention and resource continues to focus on external threats, notably cyber-attacks and hackers. [Source] See also: [Human error causes more data loss than malicious attacksHuman Error to Blame as UK Data Breaches Soar | Courts and justice sector see 500 per cent rise in data breaches]

Filtering

CA – BC Supreme Court Orders Search Engine to Deny Access to Defamatory Statements

An individual seeks an injunction against a website that allegedly posted defamatory comments. An individual who filed a defamation lawsuit against two individuals and a website was granted a permanent injunction against those U.S. Defendants (who are prohibited from publishing such statements) in light of the possibility that they may resist enforcement of a monetary judgment of a Canadian court; a permanent injunction was also granted against a search engine, through which links can be obtained to the defamatory statements. [Nazerali v. Mitchell – 2016 BCSC 810 – In The Supreme Court of British Columbia]

CA – Officials Examining ‘Right-To-Be-Forgotten’ Potential in Canadian Law

As Google and the CNIL continue their battle over Europe’s “right-to-be-forgotten” law in France, Canadian officials are mulling whether the law has a place in their own legal system. A case involving Google and Datalink Technologies Gateways, Inc., has drawn parallels to the case in France, as the search engine is challenging an order in front of the Canadian Supreme Court to remove listings of Datalink, which is being accused of trademark violations across its worldwide search. To address their course on the RTBF, the Office of the Privacy Commissioner of Canada has received 23 formal submissions on the subject. “The law is broadly struggling to address these issues, and so we thought it was a legitimate question to ask,” said Patricia Kosseim, director general of the Legal Services, Policy, Research and Technology Analysis branch of the OPC. [The Globe and Mail]

FOI

CA – OPC Urges Committee to Rethink Information Commissioner’s Legal Jurisdiction

Privacy Commissioner of Canada Daniel Therrien suggested limiting the “proposed authority” for Information Commissioner Suzanne Legault in a brief to the Commons committee considering the Access to Information Act. Therrien argued that the current balance of power “illustrates the healthy tension between opposing interpretations” of what the law defines personal information to be. Said balance should be taken into consideration before revising job descriptions, he added. Instead, he suggested “the matter should only be discussed two years from now, when the government does a full-scale review of the access law,” the report states. [CTV News]

Health / Medical

CA – Saskatchewan Adopts Anti-Snooping Law for Health Records

The government is toughening up its laws around the protection of personal health information in Saskatchewan. The changes are in response to a member of the public finding thousands of medical records in a Regina dumpster in 2012, something the privacy commissioner at the time called the “worst breach of patient information” his office had ever seen. Despite that, there were no prosecutions. That incident sparked the government to create a working group made up of doctors, nurses, government officials and a patient representative to come up with stronger rules. The amendments to the Health Information Protection Act (HIPA) are effective June 1. They include a reverse onus clause for trustees of medical records to show they took reasonable steps to prevent their abandonment. [Source]

AU – Australian HealthCare Providers Must Protect Against Insider Risk

Recommendations for Australian healthcare providers to protect health information. Providers should adopt an approach that manages the risk of an external attack and aims to prevent internal data breaches from negligent or malicious staff; ensure employees have a high level of cybersecurity awareness (training and policies), encrypt all portable devices and allow for remote wiping, and revoke employee access to the network immediately after notice of termination is given. [Cybersecurity and the Risk of Inside Jobs – Marie Feltham, Special Counsel and Leonard Lozina, Lawyer – DibbsBarker]

CA – Ontario Health Ministry Ordered to Disclose Names on OHIP Billings

The province’s privacy commission has ordered the health ministry to release the names of doctors along with their OHIP billings, in the interests of transparency and accountability. The decision comes two years after the Toronto Star began requesting physician-identified billings from the health ministry, and brings the province more in line with other jurisdictions that are opting to disclose public funds paid to doctors. In granting an appeal the IPC said physician-identified billings are not “personal information” and are, therefore, not exempt from disclosure under the province’s Freedom of Information and Protection of Privacy Act. Even if they were deemed personal, a compelling public interest in their disclosure would outweigh the purpose of the act’s privacy exemption, the IPC wrote in a 54-page order released Wednesday and received by the Star Thursday. The IPC has ordered the health ministry to release the information to the Star by July 8. [Source]

Horror Stories

WW – Recently Confirmed Myspace Hack Could Be the Largest Yet

A report from LeakedSource.com says that there are over 360 million accounts involved. Each record contains an email address, a password, and in some cases, a second password. As some accounts have multiple passwords, that means there are over 427 million total passwords available for sale. Despite the fact that this data breach dates back several years, the size of the data set in question makes it notable. Security researchers at Sophos say that this could be the largest data breach of all time, easily topping the whopping 117 million LinkedIn emails and passwords that recently surfaced online from a 2012 hack. That estimation seems to hold up – while there are a number of other large-scale data breaches, even some of the biggest were not of this size. The U.S. voter database breach included 191 million records, Anthem’s was 80 million, eBay was 145 million, Target was 70 million, Experian 200 million, Heartland 130 million, and so on. [Source]

WW – LinkedIn Sends Out Breach Notification Emails

Users of LinkedIn likely received breach notification emails from the social network earlier this week. The emails come four years after a 2012 hack of the service in which millions of passwords and usernames were accessed. The incident was widely reported in 2012, but came back into the spotlight last week with news that 117 million email and password combinations — significantly more than the 6.5 million originally reported in 2012 — were for sale on the Dark Web. “While we do all we can, we always suggest that our members visit our safety center to learn about enabling two-step verification, and implementing strong passwords in order to keep their accounts as safe as possible,” the email stated. [Fortune] See also: [Unencrypted Laptops Expose Over 400,000 Patients’ Medical Data]

WW – Hackers Stole 65 Million Passwords from Tumblr, New Analysis Reveals

On May 12, Tumblr revealed that it had just found out about a 2013 data breach affecting “a set” of users’ email addresses and passwords, but the company refused to reveal how many users were affected. As it turns out, that number is 65 million, according to an independent analysis of the data. Troy Hunt, a security researcher who maintains the data breach awareness portal Have I Been Pwned, recently obtained a copy of the stolen data set. Hunt said the data contained 65,469,298 unique emails and passwords. The passwords, however, were not in plaintext, but were “hashed,” a process that turns the actual password into a different string of digits. The company also added a series of random bytes at the end of the passwords before hashing them, or “salted” them, as Tumblr said when it disclosed the breach. The company, however, didn’t say exactly what algorithm it used to hash the passwords. Since Tumblr’s announcement, the hacked data appears to have been circulating within the internet underground. A hacker known as Peace, who also claims to have the data and was selling it on the darknet marketplace The Real Deal, said Tumblr used SHA1 to hash the passwords. Given that it also used salt, they are very hard for hackers to crack. [Source]

Identity Issues

US – Doctors Fire Back at Bad Yelp Reviews – and Reveal PHI Online

Burned by negative reviews, some health providers are casting their patients’ privacy aside and sharing intimate details online as they try to rebut criticism. In the course of these arguments — which have spilled out publicly on ratings sites like Yelp – doctors, dentists, chiropractors and massage therapists, among others, have divulged details of patients’ diagnoses, treatments and idiosyncrasies. [Source]

Internet / WWW

US – Tech in U.S. Schools Collects Student Data for Marketing Purposes: Report

The National Education Policy Center has issued its 18th annual report about commercialization of student information. Current regulatory frameworks do not effectively protect against application service providers using student’s personal information for marketing purposes; legislators should eliminate loopholes that provide companies with opportunities to collect and exploit children’s data, and pass enforceable legislation that holds schools, districts, and companies with access to student data accountable for violations of student privacy. [NEPC: Learning to be Watched: Surveillance Culture at School]

Law Enforcement

US – ACLU joins Microsoft’s Challenge to DoJ Gag Orders

The American Civil Liberties Union has filed a motion to join Microsoft’s challenge to the Justice Department’s use of gag orders that prevent companies from telling users when the government is demanding access to their data. “A basic promise of our Constitution is that the government must notify you at some point when it searches or seizes your private information,” said ACLU Senior Staff Attorney Alex Abdo. “Notice serves as a crucial check on executive power, and it has been a regular and constitutionally required feature of searches and seizures since the nation’s founding.” A Microsoft spokesman said the company “appreciates the support from the ACLU and many others in the business, legal and policy communities who are concerned about secrecy becoming the norm rather than the exception.” [USA Today]

Location

US – Appeals Court Delivers Blow to Cellphone-Privacy Advocates

Courts across the country are grappling with a key question for the information age: When law enforcement asks a company for cellphone records to track location data in an investigation, is that a search under the Fourth Amendment? By a 12-3 vote, appellate court judges in Richmond, Virginia, on Monday ruled that it is not — and therefore does not require a warrant. The 4th Circuit Court of Appeals upheld what is known as the third-party doctrine: a legal theory suggesting that consumers who knowingly and willingly surrender information to third parties therefore have “no reasonable expectation of privacy” in that information — regardless of how much information there is, or how revealing it is. Research clearly shows that cell-site location data collected over time can reveal a tremendous amount of personal information — like where you live, where you work, when you travel, who you meet with, and who you sleep with. And it’s impossible to make a call without giving up your location to the cellphone company. [The Intercept]

WW – Collaborative Project Maps Areas Where Governments Spy on People

The Digital Freedom Alliance has launched a collaborative open source project to map places in the world where governments use malware to conduct surveillance on journalists, activists, lawyers, and NGOs. The project gathers information from a variety of sources and maps the locations, noting the dates, targets, and type of malware used. [Wired]

Online Privacy

WW – Facebook to Begin Sending Targeted Ads to Nonusers

In an attempt to grow its online ad network, Facebook will display ads to consumers who do not have accounts with the social media network. Facebook plans to reach nonmembers through cookies, “like” buttons, and plug-ins on third-party sites. While Facebook says its new method will better serve relevant ads to nonusers, European regulators have cited privacy concerns in their criticism of the practices. Facebook feels they are in a great position to target nonmembers through the large amounts of data it holds on current users. “Because we have a core audience of over a billion people [on Facebook] who we do understand, we have a greater opportunity than other companies using the same type of mechanism,” said VP of Facebook’s Ad and Business Platform Andrew Bosworth to the Journal. [The Verge] See also: [You Should Go Check Facebook’s New Privacy Settings]

WW – Googling Yourself Now Leads to Personal Privacy Controls

Soon, all you’ll need to do is Google yourself if you’re wondering how deeply Google has been digging into your digital life. In coming weeks, a shortcut to personal account information will appear at the top of Google’s search results whenever logged-in users enter their own names in the query box. The feature is part of an update to the “My Account” hub that Google introduced a year ago to make it easier for people to manage the privacy and security controls on the internet company’s services. While Google isn’t making any additional information available, it is making it easier to find. The link to personal accounts will appear at the top right of the listings for searches done on personal computers and at the top of requests entered on smartphones. Google is making the change because it learned that many users doing a “vanity search” under their name wanted a quicker way to find out what the company knew about them, as well as to see how they are depicted on various sites across the internet, said Guemmy Kim, a Google product manager. A new feature on Google’s mobile app will also quickly take users to their account information with a spoken request. All that will be required are the words: “OK Google, show me my Google account.” This option initially will only be available in English. [Source]

WW – IETF Publishes RFC for DNS Encryption

The Internet Engineering Task Force has released an RFC (request for comments) proposing that DNS requests be encrypted with Transport Layer Security (TLS). DNS requests and responses are often collected by law enforcement because they are classified as metadata. [The Register] [RFC]

Privacy (US)

US – Report: Employee Cybersecurity Knowledge Low, Despite Training Programs

A study from Experian and the Ponemon Institute reveals security training programs aren’t efficient enough at altering workers’ unsafe online behavior. “Managing Insider Risk through Training & Culture” is a survey of companies providing data protection courses to their employees. The study revealed 60% of respondents said their employees were either not knowledgeable or had no knowledge of cybersecurity, despite having training available. Only 35% said senior executives placed a high priority on employee data threat education, and 43% said their corporate training consisted of one course covering all departments. Low numbers were also reported on courses containing information on phishing and social engineering. “Phishing and social engineering attacks have been shown to result in data breaches. Training programs should show the consequences of these attacks and how to avoid falling prey to them.” [SC Magazine]

US – Obama Releases Final Privacy Framework for Precision Medicine Initiative

The White House announced the release of the final Data Security Policy Principles and Framework for its Precision Medicine Initiative. The framework is based on the administration’s cybersecurity framework and creates data security expectations and a risk-management approach for organizations taking part in the initiative. All federal PMI agencies will also integrate the framework across all PMI activities. President Barack Obama said, “We’re going to make sure that protecting patient privacy is built into our efforts from day one.” [White House]

US – Other Privacy News

Security

US – New System Monitors Govt Employees for Potential “Insider Threats”

The Defense Department is creating a system designed to expose potential “insider threats” by monitoring national security personnel. The Pentagon is hiring a team of “cross-functional experts” who are trained in cybersecurity, privacy, law enforcement, intelligence, and psychology to help discover potential traitors. The DOD Component Insider Threat Records System will also examine employees’ social media posts, and their digital work habits, while also incorporating keystroke tracking, screen captures and email. Civil liberties advocates are voicing their opposition to the system, saying the constant surveillance will stop whistleblowers from coming forward. “When you read the insider threat material, what they view as a threat is somebody reporting information about government activity to the press, which is, in a democratic society, not only important but necessary,” said FBI veteran Michael German. [Nextgov]

US – DOD is Creating an Insider Threat Database

The US Defense Department (DOD) is creating a system that contains information about national security personnel and other people with security clearances to help identify potential insider threats. The DOD Component Insider Threat Records System was created in response to the Pfc. Chelsea Manning data leaks that occurred in 2010. [NextGov]

WW – CIOs Say Organized Cybercrime is Top Threat to Business Operations

According to the Harvey Nash/KPMG 2016 CIO Survey, one-third of the respondents said they had dealt with a significant IT emergency or a cyberattack over the past two years. CIOs say organized cybercrime is the biggest cyber-threat to their organizations. The report found that 46% of CDOs (chief digital officers) report to their organization’s CEO, while just 21% report to the CIO. And 65% of respondents said they believe that a shortage of technical talent will hinder their ability to keep pace with the changing digital landscape. The survey comprises data gathered from 3,352 CIOs and technology leaders in 82 countries. [Press Release] [v3.co.uk] [v3.co.uk]

US – Medical Devices Could Be Used as Point of Entry into Healthcare Networks

The US Department of Veterans Affairs (VA) deputy director of health information security told Nextgov that attackers are more likely to break into Internet-connected medical devices to gain access to a hospital network than to disrupt a patient’s treatment. Medical records are a valuable commodity on the data black market. Medical devices are not as readily patched as computers and phones. Lynette Sherrill also said that her agency removes devices that are found to be infected with malware, even if it means cancelling appointments. [NextGov]

WW – ICSA Launches IoT Certification Testing Program

ICSA Labs has launched its IoT (Internet of Things) Certification Testing program. The devices that pass muster will receive the ICSA seal of approval. The ICSA program will test both consumer products and enterprise products over six components: alerts and logging; cryptography; authentication; communications; physical security, and platform security. Earlier this year, Underwriters Laboratories launched its Cybersecurity Assurance Program (UL CAP). [DarkReading] [ComputerWorld]

WW – Microsoft Ends Common Password Use and Password Lockout

Microsoft has announced plans to dynamically prohibit common passwords, like the word “password,” while congruently using the smart password lockout system. The lockout program would keep hackers from continually attempting to access users’ accounts while not freezing out legitimate users at the same time, the report states. The changes respond to the recent hacker dump of LinkedIn data, the report adds. Reddit also took action in light of the breach, announcing it would reset user passwords, SC Magazine reports. Meanwhile, a hacker is selling more than 65 million Tumblr passwords on the Dark Web, while 427 million MySpace passwords were found for sale online for $2800. [SC Magazine]

WW – Unbox Your Laptop, and Say Hello to Security Risks

Powering up a new laptop can be exhilarating. It can also be full of security risks. Software update tools that are preinstalled on Acer, Asus, Dell, HP and Lenovo laptops all contained at least one critical security vulnerability that hackers could easily exploit, said Duo Labs, the research arm of Duo Security, in the results of an investigation published Tuesday. In total, Duo Labs uncovered 12 different OEM software vulnerabilities across all the computer makers. OEM (original equipment manufacturer) software includes programs like product registration and 30-day free trials that come installed on a laptop right out of the box. They’re often referred to as bloatware since they’re largely unnecessary and weren’t installed at the user’s request. Not only is bloatware superfluous, it’s often a weak link in the security chain, according to Duo Labs. “The level of sophistication required to exploit most of the vulnerabilities we found is somewhere between that possessed by a coffee stain on the Duo lunch room floor and your average potted plant — meaning, trivial,” wrote Darren Kemp, a security researcher with Duo Labs, in a blog post Tuesday. [Source]

Surveillance

WW – Governments Turn to Commercial Spyware to Intimidate Dissidents

A growing number of U.S. companies are teaching foreign law enforcement agencies to code unique surveillance devices, often to track dissidents. The tools can override encryption measures, the report states. “There’s no substantial regulation,” said Bill Marczak of the University of Toronto’s Munk School of Global Affairs. “Any government who wants spyware can buy it outright or hire someone to develop it for you. And when we see the poorest countries deploying spyware, it’s clear money is no longer a barrier.” [New York Times]

CA – Interim RCMP Policy Sets Body Cam Guidelines

A new RCMP policy will require Mounties wearing small video cameras to hit record when they believe force will be used against a suspect. The interim policy is being considered with two purposes in mind: To gather evidence for prosecution against criminal behavior, and to answer any questions surrounding the aftermath of an incident. “Police are making use of a relatively new technology to hold both police officers, and members of the public we interact with, accountable for any actions taken,” the RCMP says. Other privacy concerns addressed in the interim policy include telling an individual when officers are wearing cameras, teaching RCMP members of best video policies and practices, and making sure recordings are uploaded securely. [The Canadian Press] See also: [As More Police Wear Body-Cams, States Set New Rules Limiting Access to Footage] [Minnesota’s police body camera law is bringing privacy concerns.]

WW – Sports World Embraces Data Analytics

The Seattle Mariners’ use of sleep tracking tool Readiband last year is a window into the professional athletics’ community’s adoption of data-collecting tools. This use of data analytics is changing how coaches and players interact, Chicago Cubs Baseball Operations Assistant John Baker argues. “Welcome to the next frontier in baseball’s analytic revolution,” the report states. “Many of this revolution’s tenets will be familiar to anyone who works for a living — the ever-growing digitization and quantification of things never-before measured and tracked, for instance, or the ever-expanding workplace, the blurring distinction between the professional and the personal, and the cult of self-improvement for self-improvement’s sake.” [Vice Sports]

AU – ACT Govt Launches Review Into Civil Surveillance

The ACT government has announced a review of the use and conduct of civil surveillance in the territory that could lead to Australia’s first law to allow victims to sue over privacy intrusions. According to the statement, the review’s terms of reference be looking at a range of issues including:

  • Surveillance in civil litigation claims
  • Surveillance businesses
  • Surveillance technology and practices, such as geo-tagging
  • Expansion of the existing Listening Devices Act 1992 to capture video surveillance and electronic monitoring
  • Possible need for a tort of breach of privacy
  • Current regulation of civil surveillance and the Information Privacy Act 2014.

An independent reviewer will be engaged by the Justice and Community Safety Directorate in order to undertake the review. [Source]

Telecom / TV

WW – Charging Mobile Devices Could Put Data at Risk

Smartphones can be compromised when charged using a standard USB connection connected to a computer, Kaspersky Lab experts have discovered in a proof-of-concept experiment. The researchers are now evaluating what the impact of such an incident might be. To learn more, read the blog post available at Securelist.com. [Kaspersky Corporate News]

US Legislation

US – Legislative Roundup

+++

 

By privacynewshighlights | Posted in Uncategorized | Comments (0)