Biometrics
WW – IBIA Approves New Facial Recognition Best Practices
The International Biometrics + Identity Association voiced its approval of a new set of facial recognition best practices. The guidelines were created by the Department of Commerce’s National Telecommunications and Information Administration, and have been hailed by the IBIA as a flexible guideline for numerous applications of the technology, including authentication and social media. “The clear benefits of facial recognition technology come with a responsibility to users and consumers,” said IBIA Managing Director Tovah LaDier. “These privacy best practices will help to assure the public that facial recognition is being used responsibly and accountably. They also demonstrate the strong commitment of the industry to protecting the public’s privacy, even as new technologies and applications emerge.” [Planet Biometrics] [NTIA group agrees on face recognition code of conduct]
Canada
CA – The OPCC has Released Its Annual Report for 2015-2016. [Source]
CA – PI Contained in Public Court or Tribunal Decisions is Publicly Available Information: OPC
The Office of the Privacy Commissioner investigated a complaint about an online legal database pursuant to PIPEDA. The OPC dismissed a complaint alleging an online legal database unlawfully published an individual’s PI by publishing a court decision about her; the PI appeared in a public judicial document for which there was no publication ban, and the company’s subscription-based research tools and services do not undermine the balance between privacy and the open courts principle. [OPC Canada – PIPEDA Report of Findings #2015-013 – Online legal database doesn’t need consent to use publicly available court decisions, in support of the open court principle]
CA – Decision Provides Rare Insight on the Applicability of RTBF in Québec
On April 14th, 2016, the Commission d’accès à l’information (the “CAI”) issued a decision discussing the relevance of the “right to be forgotten” with regards to the “right to rectification” found in the Act Respecting the Protection of Personal Information in the Private Sector, CQLR, c. P-39.1. The CAI interestingly noted that a person’s right to rectification with respect to inaccurate, incomplete or equivocal information is distinct from the “right to be forgotten.” This right, which is recognized in the European Union, allows individuals to stop search engines from providing links to information about them that is deemed “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes of the processing at issue.” As a result of this decision, it is now clear that the right to be forgotten is irrelevant to the examination of the right to rectification, as the two rights are different, both conceptually and practically. [Source]
CA – Therrien to Trudeau: Government Privacy Law Outdated
In a letter to Prime Minister Justin Trudeau, Privacy Commissioner Daniel Therrien warns that without renewal, protections under Canada’s Privacy Act “are proving to be increasingly out of touch with Canadians and their engagement with the digital world.” The act, which governs federal government data handling, was passed in 1983 and no substantial changes have been made to it since, reports The Star, even while advances in technology have dramatically changed the way government does business. A representative for the prime minister says the issue is a priority and they “are committed to working with the commissioner on an active and ongoing basis,” noting the minister of justice is reviewing the recommendations. [Source]
CA – BCCLA Says Warrantless Spying on Canadians Must End
In the latest step in a court case launched in 2013, the British Columbia Civil Liberties Association is asking the federal court to allow access to government documents that would shed light on the surveillance activities of the Communications Security Establishment. Specifically, the BCCLA objects to the warrantless collection of information on Canadian citizens, and points to recent data mishandling by the CSE as part of its participation in the Five Eyes program with Australia, New Zealand, the U.K. and the U.S. “The CSE is engaged in what is surely one of the largest warrantless activities directed at Canadians,” the BCCLA Litigation Director Grace Pastine told On the Coast guest host Michelle Eliot. [CBC News]
CA – Federal Court Finds Individual’s Request for Review of OPC Report Misdirected
The Federal Court heard E.W.'s request for review of the findings of the Privacy Commissioner of Canada in response to her privacy complaint against the Department of Human Resources and Skills Development Canada. The OPC (after an investigation of the individual’s complaint of alleged improper collection of personal information without her consent) could not reach a finding, since 12 years had passed since the alleged collection and the file retention period for the information had elapsed; the individual was provided an opportunity to make submissions, all relevant evidence was investigated by the OPC, and the individual’s grievance lies with the institution that collected the data, not the OPC. [E.W. v. Privacy Commissioner of Canada – Federal Court – 2015 FC 1420]
CA – Proposed Manitoba Bill to Protect Kids Draws Privacy Criticism
Proposed legislation that would make it easier for Manitoba agencies and police to share information about at-risk children is raising privacy concerns. The Progressive Conservative government introduced Bill 8, the Protecting Children (Information Sharing) Act, earlier this week. The bill authorizes organizations and others who provide services to at-risk and vulnerable children to collect, use and disclose personal information or personal health information about them. The act would apply not only to children in the care of CFS or those involved in the criminal justice system, but also to those who require disability services, mental-health services, addiction services, victim services and to schoolchildren with special needs who require an individual education plan. Information could be disclosed about parents or guardians of the children. Michelle Falk, executive director of the Manitoba Association for Rights and Liberties, said it appears the bill would give “ordinary bureaucrats” the power to make judgment calls that could have long-term implications for children in care and their families. “It gives unfettered authority to any government department, agency or the police department to share any information to any other department,” she said Thursday. [Winnipeg Free Press]
CA – Other Canadian News
- The Saskatchewan government plans to extend privacy laws to members of the legislature, cabinet ministers and police services, among other changes.
- Public Safety Minister Ralph Goodale has proposed revisions to the Customs Act that would allow the federal government access to the personal data of Canadian travelers leaving the country.
- Proposed amendments to Saskatchewan’s Freedom of Information and privacy laws would require the province’s police force to adhere to FOI requests.
- Nova Scotia is examining whether it needs to review its health privacy laws for disclosing mental health issues to a patient’s family.
- BC Privacy Commissioner Elizabeth Denham is urging the province to improve its health privacy laws and increase fines for those who snoop on private medical records.
- Doctors are concerned that a newly passed amendment to the Personal Health Information Protection Act compromises the privacy of the doctor-patient relationship.
Consumer
CA – New Online Tool Allows Users to Ask Companies About Their Data
A new version of a Canadian website allows individuals to contact companies to see what information they have collected. Access My Info Canada originally was created to message telecommunications companies, but the new version launched by developer Andrew Hilts now gives users the chance to reach out to companies making fitness trackers and dating apps. “This can help people answer questions if they’ve ever wondered if their cellphone provider is logging their location, or if their online dating app is ever sharing their sexual preferences,” said Hilts. Access My Info has been created to help consumers understand their rights under Canadian privacy laws, while also giving them information on what data could be compromised if a company were to suffer a data breach. [CBC News]
US – For Consumers, Injury Is Hard to Prove in Data-Breach Cases
The Wall Street Journal reports on consumer lawsuits following data breaches, and whether companies should be forced to compensate customers for attacks exposing sensitive information. Judges dismiss the majority of lawsuits spawning from major data breaches, including those in attacks against Target and Home Depot because customers have not been able to prove the breaches have caused any tangible harm. Companies argue having personal data exposed doesn’t equate to harm requiring compensation, and when stolen credit card information results in fraudulent purchases, customers often cannot prove the fraud was a result of the breach. Federal judges in Illinois and California, however, have let lawsuits proceed, possibly opening a door for corporate liability. [Wall Street Journal]
US – Privacy by the Numbers: A Deep Dive into the Structure of Privacy Policies
As researchers from the Common Sense District Privacy Evaluation Initiative analyze the correlation between the content and stylistic infrastructure of privacy policies, they have flagged “potential indicators” that they say will help them to analyze them more efficiently, the group’s Bill Fitzgerald writes. While Fitzgerald said he and his researchers “do not think we will find any direct correlation between policy structures and whether terms are good or bad,” technical elements of the policies, such as reading level, length of terms and structure, create patterns that matter. “It’s difficult to say what constitutes a ‘normal’ policy without a baseline, and the work we will be launching this summer will help create a clearer picture — supported by openly available data — of what a typical policy looks like,” he wrote. [The Journal]
US – Supreme Court Decision May Support Microsoft’s Position in Ireland Server Data Case
In a decision released earlier this week, the US Supreme Court wrote, “absent clearly expressed congressional intent to the contrary, federal laws will be construed to have only domestic application.” The ruling was made in a RICO (Racketeer Influenced and Corrupt Organizations) Act case. While unrelated to the Microsoft case in which the company is refusing to surrender data held on a server in Ireland to US officials, the decision could provide support for Microsoft’s position that the Electronic Communications Privacy Act (ECPA) does not say that Congress intended it to “reach private emails stored on provider’s computers in foreign countries.” [Computerworld: Microsoft invokes Supreme Court opinion in Ireland email case]
WW – Board Members Increasingly Targeted by Spearphishing Schemes
A growing trend is corporate boards of directors falling victim to spearphishing attacks. Board members are hit by these schemes when they receive malicious emails requesting tax information or bank transfers and forward them to another employee who handles the response. Members have lost financial statements, cybersecurity documents and intellectual property, mainly through a lack of education on identifying spearphishing emails. “Most board members use personal email accounts to handle board communications so they don’t get mixed with the emails from the companies where they work,” said Experian Information Solutions Vice President, Data Breach Resolution Michael Bruemmer. “These are less secure, and we have seen examples of these accounts having been compromised.” [CSO Online]
Encryption
US – Apple Makes Encrypted Operating System Public
In a surprising move, Apple has exposed the inner workings of its encryption-based operating system for the first time. The tech giant did not reveal whether the disclosure of its kernel was by design, but many in the security industry believe Apple made the code public in order to help locate possible security weaknesses in the software. To date, Apple has not run any bug bounty programs. The move comes after Apple’s well-publicized battle with the FBI in the San Bernardino case. By choosing to expose its software rather than starting a bug bounty program, Apple is taking a big risk, the report states. “This is a gamble,” said forensic scientist Jonathan Zdziarski. “But I can see the possible reason that Apple may have decided to make this wager.” [MIT Technology Review]
EU Developments
EU – German Court Ruling: WhatsApp Must Translate English TOS and Privacy Policy to German
German courts have ruled WhatsApp has violated the country’s Telemedia Act by forcing users to agree to the app’s terms of service in English. When the judgement is finalized, WhatsApp will be required to translate its terms of service and privacy policy into German, or face a $283,000 fine. Klaus Muller, CEO of the Federation of German Consumer Organizations, said companies make it difficult for consumers to comprehend terms of service, and WhatsApp has made it even harder for German users with the conditions written in a foreign language. The courts ruled WhatsApp’s violation stems from not allowing users to contact a German country representative if they have any questions or concerns. WhatsApp has not announced whether it will appeal the ruling. [Neurogadget]
Facts & Stats
CA – Average Cost of a Data Breach Up 12.5% Among Canadian Firms: Report
Canadian CISOs who want more hard data to convince the C-suite and boards to devote more resources to cybersecurity have a new report to show. If a study of 24 Canadian organizations is accurate, the total cost over a recent 12-month period of a breach of over 1,000 records went up 12.5 per cent compared to 2014, to just over $6 million. Another way of looking at it is that the average cost per record stolen or lost went up 10.6% to $278 compared to the same period the year before. These numbers come from a study released last week by the Ponemon Institute that was funded by IBM. The costs were based upon estimates provided by participating victim organizations. The report is part of an annual global study of breaches in 13 countries (United States, United Kingdom, Germany, Australia, France, Brazil, Japan, Italy, India, the United Arab Emirates, Saudi Arabia, Canada and, for the first time, South Africa), which last year covered 383 organizations. The average cost of a breach across all those firms was US$4 million. [IT World Canada]
Filtering
UK – Mandatory Web Monitoring in Schools Opens a Slippery Can of Worms
Without Parliamentary or public discussion, children’s internet use will be monitored by third parties from September. This is despite widespread associated concerns – including choking off free speech, religious freedom, and staff feeling vulnerable – presented to the Joint Select Committee for Human Rights by experts in education and security legislation. The brief paragraph 75 in the Department for Education (DfE) “New measures to keep children safe online at school and at home” statutory guidance, Safeguarding in Schools, will impose a change from a duty ‘to consider’ web monitoring to one that ‘should ensure’ it for educational establishments, excluding 16-19 academies and free schools. The supporting advice to which the Government response points suggests actively monitoring all screen activity during a lesson from a central console using appropriate technology as a solution, even in circumstances that suggest low risk, and that logfile information should be able to identify an individual user and be reviewed regularly. Pro-active monitoring is suggested where alerts are managed by a third-party provider. The Department for Education’s summary response and advice, however, offers little practical support to school leaders on how to concretely take these things into account while still meeting human rights legislation. Without explicit clarity on the practice of monitoring personal electronic devices not owned by the school, we risk a slippery descent into schools made complicit in a privacy invasion of family life. [Schoolweek]
FOI
CA – Audit Finds Vancouver Failing to Meet FOI Deadlines, Deleting Emails
City hall has received a stern talking to from the province’s information and privacy commissioner following an audit of Vancouver’s compliance with freedom-of-information (FOI) laws. “It is clear to me there is a need for change to the approach city staff use in processing access requests,” commissioner Elizabeth Denham said in a June 23 media release. “We observed shortcomings in almost every step of the freedom of information process—from receipt of the request, to searching for records, to the timeliness of response to the applicant and the content of the response itself.” The audit, conducted by the Office of the Information and Privacy Commissioner of B.C., mostly focuses on FOI response times and delays that appear to target requests filed by members of the media. But the report’s most troubling findings concern the alleged deletion of records and evasion of FOI laws. The OIPC, however, found that an examination of these concerns fell outside the scope of its investigation. [Straight]
CA – NFLD Public Bodies Should Not Allow Staff Use of Personal Email Accounts for Work
The Office of the Information and Privacy Commissioner in Newfoundland and Labrador (“OIPC”) has issued guidelines relating to the use of personal email accounts for public business. Use of personal email accounts does not relieve the duty to thoroughly search for records responsive to FOI requests and produce them; however, officers and employees may be reluctant to produce records from these accounts or provide access for FOI purposes, and personal accounts are less likely to meet requirements to protect personal information under a public body’s custody or control (terms of service may allow for third-party access, and security features may not be adequate). [OIPC NFLD – Use of Personal Email Accounts for Public Business]
US – Dropbox’s New Transparency Report Includes State-By-State Breakdown
Releasing its biannual transparency report, Dropbox has included a state-by-state breakdown of government requests in their July-December 2015 study. Dropbox received 574 requests for user data from around the globe, including 348 search warrants and 206 subpoenas, providing information on the vast majority of inquiries. California had more requests than any state in the U.S. with 70, followed by Texas with 49, Florida with 48, and Virginia with 32. “Although we continue to see an increase in requests from U.S. law enforcement, the numbers remain small compared to our user base of over half a billion users,” Dropbox said in a blog post. The company also detailed the joint efforts with tech companies to oppose government legislation forcing organizations to undermine their security protocols. [Dropbox Blog Post]
Genetics
CA – Supreme Court Rules Police Can Swab Suspected Rapist Without Warrant
In a ruling that adds to police powers in investigating rape, the Supreme Court of Canada says police have the right to take a penile swab (without a warrant) from suspected attackers, forcibly if necessary, as long as they do so in a private cell and have reasonable grounds to believe they will find relevant evidence. Just two Supreme Court judges, both of them women, said a penile swab should be deemed an illegal search. In a strong dissent in the case, Justice Andromache Karakatsanis accused the majority of straying from precedents that found a “close relationship between bodily privacy and human dignity.” Justice Rosalie Abella said she would have disallowed the penile swab and barred the evidence from being used. [G&M]
Health / Medical
CA – Trillium Health Partners Hit With Privacy Class Action
A class-action lawsuit has been filed against Trillium Health Partners, alleging a doctor’s assistant used patient credentials to access medical records. Former patient Katie Mallinson filed the suit against Dr. Tony Vettese and his assistant Lisa Lyons, claiming Lyons accessed Trillium’s database to review the confidential records of an unknown number of patients for many years. The records contain sensitive medical information, including medication history, treatments received and diseases suffered. The suit seeks $2 million in general damages, while stating Trillium’s privacy policies and procedures are “inadequate, underfunded and unenforced.” Trillium was not aware of Lyons’ improper access until Mallinson first became suspicious of illicit activity. [Press Release] See also: [397 medical records snooped at Hamilton General Hospital]
US – Workers May Soon Have to Share Health Data — Or Pay A Penalty
New Equal Employment Opportunity Commission regulations may force employees to share medical data in order to qualify for benefits, or face penalties. If employees choose not to share medical data with their employers, they face increases in health premiums and the possibility of the EEOC suing their organization. Privacy advocates are concerned employees will have to pay more for their privacy as well as face potential discrimination if an employee chooses to opt out of the program. Wellness programs also have access to medical records and insurance claims data, meaning employers can learn about genetic test results and access information on employee family history. “Our argument is participation in a wellness program is simply no longer voluntary if employees can be penalized in this way,” said American Society of Human Genetics Science Policy Director Derek Scholes. [BuzzFeed]
WW – Google Unveils Symptom-Search Functionality
Google has announced it will list related conditions when users search the site using health symptoms as keywords. “We create the list of symptoms by looking for health conditions mentioned in web results, and then checking [sic] them against high-quality medical information we’ve collected from doctors for our Knowledge Graph,” the report states. The move is an effort to simplify accessing and understanding online health information. The feature will go live in “the next few days” in the U.S. and will expand internationally in the future. [Google Blog]
US – OCR Releases Video Guidance on Provision of Medical Records
The summer movie season is now officially in full swing, with the release of three informational videos regarding HIPAA and the right of individuals to access their medical records, published by the Office of Civil Rights of the Department of Health and Human Services. The video trilogy, and accompanying infographic, are the eagerly-awaited sequel to OCR’s guidance “Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.525,” issued earlier this year. That guidance is essential reading for companies operating in the medical records space, as it sets forth OCR’s views on such topics as how records must be provided upon request, methods for calculating reasonable fees for copies, and provision of medical records to third parties at a patient’s direction. [Source]
Horror Stories
US – Three Hacked Hospital Databases Up For Sale on Deep Web
Breaches of three separate health databases by one hacker have resulted in more than 650,000 medical records for sale on the deep web. The hacker was able to tap into a vulnerability in each database’s Remote Desktop Protocol. One database from Georgia containing more than 400,000 records is priced at 607 bitcoin, the report states. “Although it remains unclear as to which hospital was attacked, this story goes to show how lackluster IT security keeps plaguing the health care industry,” the report adds. Meanwhile, a TrapX Security study has found that hackers are increasingly targeting medical devices used within hospital systems, ZDNet reports. These tools “often contain backdoors, botnet connections and remote access tunnels for cyberattackers to manipulate devices,” the report adds. [The Merkle]
WW – Hacker Plans to Release 100,000 Escort Site User Records
Moroccan hacker ElSurveillance has breached and defaced an additional 37 escort sites, which are mostly from the U.K., and pledged to leak 100,000 users’ data online in the coming week. This is not the first instance of ElSurveillance’s breach activity, with the hacker claiming 79 defacement incidents of similar sites in January, the report states. The hacks are religiously motivated. “[O]ur bodies are gifted from Allah to us to look after and not to destroy,” the hacker said. “Unlike [ElSurveillance’s] fellow ISIS-affiliated colleagues who spread fear, threats and warnings of violence, he’s spreading a message of peace and a religious-rooted message,” the report adds. [Softpedia]
CA – Personal Info in 100,000 IT Requests Compromised in SFU Privacy Breach
More than 100,000 Simon Fraser University information technology service requests from 2013-2016 were inadvertently stored in an unprotected server for four months. The data compromised included 20,294 email addresses, contact information and other personal data, the report states. The school’s IT team discovered the breach May 16 and brought the information offline the next day, notifying the affected students in early June, the report adds. “We have no evidence that any third party accessed the database during the time it was unprotected, nor do we have any evidence that there was any misuse of the information contained in the database,” said SFU Communications Director Kurt Heinrich. He added that the school was reviewing and modifying additional breach protections. [Burnabynow]
Identity Issues
WW – Dashcam Smartphone App to Employ License-Plate Detection
A new smartphone app takes all of the features of a dashcam and adds license-plate detection to warn users of potentially dangerous drivers. The Nexar app uses a smartphone’s camera to detect and record automotive activity and collisions. It also plans to add “real-time warnings” to help drivers avoid cars with bad track records. Nexar uses machine vision and artificial intelligence algorithms to locate license plates and record drivers who speed and perform illegal maneuvers. Privacy concerns will likely arise, but the recording process is likely legal. “Courts generally say that people generally have little or no expectation of privacy in the movements of their cars on public roads,” said University of Chicago law professor Lior Strahilevitz, “as long as cars aren’t being tracked everywhere they go for a lengthy period of time.” [PC Magazine]
Location
US – Ad Network Settles with FTC, Will Pay $950,000 for Location Tracking
The FTC announced it has settled with the Singapore-based mobile advertising company InMobi under charges that it “deceptively tracked” the locations of hundreds of millions of consumers — including children — without notification or consent. As part of the settlement, InMobi will pay $950,000 in civil penalties and implement a comprehensive privacy program. The FTC alleges that the company — whose ad software reaches nearly 1 billion consumers worldwide — also violated COPPA by collecting location information from apps directed at children. “This settlement ensures that InMobi will honor consumers’ privacy choices in the future, and will be held accountable for keeping their privacy promises,” said FTC Bureau of Consumer Protection Director Jessica Rich. [FTC] [Ars Technica: Firm pays $950,000 penalty for using Wi-Fi signals to secretly track phone users] [Computerworld: Mobile advertiser tracked users’ locations without their consent, FTC alleges] [FTC: Mobile Advertising Network InMobi Settles FTC Charges It Tracked Hundreds of Millions of Consumers’ Locations Without Permission]
Online Privacy
US – Senate Rejects Measure That Would Allow FBI to Search Browsing Histories Without a Warrant
US legislators have rejected an amendment to a criminal justice funding bill that would have allowed the FBI to conduct warrantless searches of people’s browsing histories. While the measure garnered a majority of the votes, it failed to obtain the necessary 60 votes to advance. The issue may come up for consideration as soon as next week, however, because Senate majority leader Mitch McConnell submitted a motion to reconsider it. [CNET: Senate nixes plan for warrantless FBI searches of internet browsing histories] [ZDNet: Senate rejects FBI bid for warrantless access to internet browsing histories] [Washington Post: After Orlando, Senate rejects plan to allow FBI Web searches without court order]
WW – New Firefox Feature Allows Users to Create Individual ‘Personalities’
A new feature from Mozilla will allow users to separate their web history within their browser. Firefox Containers divides the browser into individual “personalities.” Each persona can be used for different internet activities, such as banking, work, shopping and for personal use. The browsing histories and cookies are kept within a “fully segregated cookie jar” by keeping each persona’s caches separate, according to a Mozilla blog post. “We all portray different characteristics of ourselves in different situations,” said Mozilla Security Engineer Tanvi Vyas. “But when I use the web, I can’t do that very well. There is no easy way to segregate my identities such that my browsing behavior while shopping for toddler clothes doesn’t cross over to my browsing behavior while working.” [The Christian Science Monitor]
US – Cloud-Based EHR Company Settles FTC Complaint It Failed to Advise that Reviews of Doctors Containing Patient Information Would Be Made Public
This FTC agreement settles allegations that Practice Fusion, Inc. failed to disclose that consumer reviews containing sensitive personal information would be publicly disclosed, in violation of the FTC Act. The company is prohibited from misrepresenting the extent to which it makes certain information (e.g. health information) publicly available (including by posting on the Internet); prior to such disclosure, the company must provide notice and obtain express consent from consumers, and must not maintain any healthcare provider review information (except for review and retrieval by its healthcare provider customers, or as permitted by law, regulation or legal process). [FTC – In the Matter of Practice Fusion, Inc. – Complaint and Agreement Containing Consent Order | Press Release | Complaint]
Other Jurisdictions
IS – Judge Approves $400 Million Class Action Against Facebook for Violating Privacy
Israel’s Central District Court has approved a $400 million privacy class-action suit against Facebook, ruling that the company’s terms-of-use requirement for all lawsuits to be heard in California was invalid. The suit alleged that the company both breached privacy protocols by targeting advertisements based off of users’ private posts, and failed to register its database in Israel’s national database registry as mandated by the country’s law, the report states. “Perhaps the time has come to examine the issue from a different angle, from the customer’s standpoint, especially when he’s the customer of huge international corporations that deal with customers all over the world,” said Judge Esther Stemmer. The court gave Facebook 90 days to respond to the suit. [Haaretz]
Privacy (US)
US – Tech Companies Oppose Government Hacking Rule Change
A group of 50 organizations including Google and the American Civil Liberties Union has called upon Congress to block “dangerously broad” changes that, effective Dec. 1, increase judges’ warrant jurisdiction. The changes to Rule 41 of the Federal Rules of Criminal Procedure “invite law enforcement to seek warrants authorizing them to hack thousands of computers at once — which it is hard to imagine would not be in direct violation of the Fourth Amendment,” the letter states. Meanwhile, in an additional report from Morning Consult, Sen. John McCain, R-Ariz., expressed his support for FBI Director James Comey’s surveillance perspectives over those of privacy advocates. “I have great sympathy for them but I respect more the view of Director Comey,” he said. [Morning Consult]
US – NTIA Publishes Revised Drone Best Practices Guidance
The National Telecommunications and Information Administration has released an updated drone best practices guidance. The guide is the culmination of a two-month public comment period and a subsequent May 18 meeting on drone privacy and transparency issues. Meanwhile, the Federal Aviation Administration has published a 600-page drone regulation document that does not include specific privacy protocols, The Intercept reports. The Electronic Privacy Information Center responded to the announcement with a statement on its website, recalling its 2015 suit against the FAA for failing to regulate drone privacy. [NTIA]
US – Obama Administration Approves FAA Rules for Small Drones
The Obama administration has approved the commercial use of small drones. The Federal Aviation Administration created a new class of rules for drones weighing less than 55 pounds that fly no higher than 400 feet and no faster than 100 miles per hour. Drone operators now have the ability to fly the unmanned aircraft without special permission, but must be at least 16 years old. Drones will not be allowed to fly at night unless equipped with special lighting, and must stay at least 5 miles from an airport. Transportation Secretary Anthony Foxx said, “As this new technology continues to grow and develop, we want to make sure we strike the right balance between innovation and safety.” [Reuters] [Op-ed: FAA’s rules for small drones are flawed]
US – AG Enforcement, Algorithmic Discrimination Top PLSC Line-Up
The Privacy Law Scholars Conference held its ninth annual gathering in Washington at the beginning of this month, bringing together academics and practitioners to present papers that are still in development. The workshop environment is a closed circuit — no tweeting or blogging about what happens there is allowed, and papers may or may not ever be published. However, papers and ideas inevitably rise to the top, and the IAPP recognizes two of those with its annual IAPP Papers Award, voted on by attendees. [IAPP]
Privacy Enhancing Technologies (PETs)
WW – Silent Circle Launches Virtual Security Assistant Privacy Meter
Silent Circle has announced its Silent OS 3.0 for Android mobile phones will include a program that will regularly scan a device, alerting the user if any apps, services or settings contain privacy-compromising elements. The program, dubbed “Privacy Meter,” is automatically embedded into the operating system, the report states. “Think of it as an assistant that is always next to you helping you maintain the most awareness of your Privacy Profile,” said Silent Circle’s David Puron. “Whether you have available software updates, your browsing certificates have been altered, or an app is sharing your location, the Privacy Meter will show you what is happening then guide you through the appropriate configurations, if desired.” [ZDNet]
RFID / IoT
US – Chicago Needs More Detail in Array of Things Privacy Policy, Experts Say
The city of Chicago is preparing to install a network of sensors that will track people on city streets — walking, biking, driving — and privacy experts say it needs to better spell out how it will use that information. The nine-page privacy policy includes just a few paragraphs on how the data will be collected, used and shared. The city plans to install 500 Array of Things devices across the city by the end of 2018. They will house sensors including a low-grade camera and microphone that can capture images and sound from passersby, bringing a new scale of data collection to busy intersections. Officials say the project will help improve city life by analyzing patterns in environmental and human behavior. City officials are seeking public input on the policy before installing the first 42 devices, slated to go up around the city starting in late July. The second of two public forums on the policy is from 5:30 to 7 p.m. Wednesday at the Harold Washington Library downtown. [Chicago Tribune]
Smart Cards
US – California County Approves Ordinance Restricting Government Use of New Technologies
The Board of Supervisors of Santa Clara County approved Ordinance No. NS-300.897, relating to surveillance technology and community safety. Law enforcement must seek approval of the County Board before purchasing any new surveillance technologies (e.g. drones, automated license plate readers, GPS, cell-site simulators, RFIDs, facial recognition, biometric identification); annual surveillance reports must be submitted to the Board detailing usage, complaints, internal audits, and how successful different technologies have been. [Ordinance No. NS-300.897 – Surveillance Technology and Community Safety – Board of Supervisors of Santa Clara County]
US Government Programs
US – DHS Wants to Snoop on Travelers’ Facebook, Twitter, and Instagram Accounts
The Department of Homeland Security has opened to public comment its proposal to add an optional field for social media handles to travel documents. The documents in question are the Electronic System for Travel Authorization and Form I-94W, which foreign travelers complete when entering and leaving the U.S., the report states. “Please enter information associated with your online presence — Provider/Platform — Social media identifier,” the forms would read if the proposal is accepted. “As phrased that could include your Twitter handle, the URL for your Facebook page, your OkCupid or Grindr handle …” the report adds. “Where does it end?” DHS will accept comments until Aug. 22. [Fusion]
US Legislation
US – McConnell Pushes Measure to Expand Surveillance Tools
Senate Majority Leader Mitch McConnell, R-Ky., has proposed an amendment to the bill funding the Department of Justice and Department of Commerce that would both increase federal law enforcement surveillance powers and “permanently extend” elements of the PATRIOT Act. “Both measures have been criticized by privacy and civil liberties advocates, who have fought the proposals on multiple fronts in recent months,” the report states. The bill is considered similar to the legislative revisions Senate Republicans aim to make to the Electronic Communications Privacy Act, the report adds. A procedural vote on McConnell’s amendment is predicted for Wednesday. [The Hill]
US – Other Privacy News
- Pending data breach legislation in New York would see medical information included in its definition of personal information.
- New Hampshire governor Maggie Hassan has signed into law a bill allowing the use of license-plate scanners and another to bring the state in line with the REAL ID program.
- An appellate court has upheld the Federal Communications Commission’s net neutrality rules.
- A group of bipartisan House representatives have submitted an amendment to the defense appropriations bill that would prohibit federal law enforcement from forcing a company to override or weaken device encryption to assist with an investigation.
- The House rejected a legislative measure that would have both banned warrantless government collection of electronic communications and barred mandated encryption backdoors.
- Senate Republicans will redouble efforts to expand the FBI’s warrantless surveillance practices in the wake of the Orlando Pulse nightclub shooting.
- Speaker of the House Paul Ryan’s national security plan looks to bring more “balance” between data privacy and national security.
- The U.S. Senate voted down an amendment that would have increased FBI surveillance powers; however, Reuters reports, Senate Majority Leader Mitch McConnell, R-Ky., changed his vote to no at the last minute to leave open the possibility to bring up the measure for consideration again.
- The U.S. House voted to expand the investigatory powers of inspectors general, giving them subpoena authority over agency officials and contractors in certain circumstances, reports Government Executive.
- Rep. Hank Johnson, D-Ga., has introduced two bills to protect consumer privacy. One is aimed at improving mobile privacy and the other sets rules for data brokers.
- A U.S. District Court in Milwaukee has dismissed a suit against Time Warner Cable that alleged the company retained client data illegally, the Milwaukee Journal Sentinel reports. U.S. District Judge Pamela Pepper dismissed the case for lack of “actual harm,” citing the Supreme Court’s recent ruling in favor of Spokeo as precedent.
Workplace Privacy
WW – BYOD Can Pose Privacy Risks to Employees: Study
Companies that use mobile device management (MDM) software to oversee employee devices used for business have the ability to collect far more information than employees may be comfortable with, according to a report released today. “The intent of these MDM solutions is not to spy on employees, but to monitor for things like malware and general security,” said Salim Hafid, product manager at Bitglass, which produced the report. But if the company wants to, these tools provide the ability to do a lot more, he said. That includes seeing where the phone is located, what apps are on the phone, and even what websites the user was accessing. “We were able to see virtually all the activity on the device,” he said. “We could see that some of our employees search for health information on the web.” [CSO Online]
WW – Russian Technology Allows Employers to Monitor Phone Calls
A Moscow security firm has created technology allowing companies to listen in on mobile calls made on their property. InfoWatch, a former subsidiary of Kaspersky Lab, says it has created the product for companies trying to curb information leaks; it scans employee phone calls for key terms that may prompt an investigation. While the product is legal in Russia, installing it in western countries would be very difficult. “This technology may become a hot ticket for any company seeking to protect its commercial secrets,” said Gartner analyst Petr Gorodetskiy. “But it can’t be rolled out in markets where it may trigger court claims.” Others question whether the product is truly functional. “The part that puzzles me is how successful speech recognition, transcription and automated analysis of texts can be,” said Polytechnic University of Milan professor Stefano Zanero. “I would be surprised if any major company decided to buy into this.” [Bloomberg]
+++