10-17 June 2016


US – GAO Criticizes FBI on Facial Recognition Database

The Government Accountability Office has issued an in-depth report critical of the FBI’s use of facial recognition technology. Specifically, the GAO has “concerns regarding both the effectiveness of the technology” and the “protection of privacy and individual civil liberties.” The FBI has collected 411 million photos in various databases. “The FBI has entered into agreements to search and access external databases — including millions of U.S. citizens’ driver’s license and passport photos,” the GAO states, but until the FBI can assure that the data it receives is accurate, “it is unclear whether such agreements are beneficial to the FBI.” Meanwhile, the National Telecommunications and Information Administration released suggested best practices derived from its multi-stakeholder process on facial recognition. Several consumer and privacy advocacy organizations have come out against the guidelines. [ZDNet] [Huge FBI facial recognition database falls short on privacy and accuracy, auditor says]

AU – Australian Cops Want to Use Fingerprint Scanners to ID People In Public

The South Australian state parliament is considering a proposal to give police the power to scan fingerprints in public. If passed, the bill will give police the ability to request fingerprints from anyone they suspect of committing a crime—and anyone they think may be able to assist with an inquiry. Police are currently able to stop anyone on the street and request to see some form of traditional ID, but fingerprints are only allowed to be taken once a person has been charged. If the bill gets passed, suspects will be required to have their prints scanned upon request. Since 2014, the SA Government has trialled 150 scanners sporadically across the state and plans to spend $3.4 million on the technology if approved. The new scanners would be wirelessly linked to the National Automated Fingerprint Identification System, which will allow officers to access criminal records within a minute of scanning a suspect’s prints. Deputy Premier John Rau has released a statement arguing why fingerprint scanners are a good idea. “Legislative reform is necessary to enable police to use the scanners in wider circumstances, where a person does not have to give consent and police can scan for prints without the need to arrest,” he said. However, there’s been considerable backlash from both sides about the ramifications for privacy and civil liberties. Greens leader Mark Parnell likened the changes to something out of George Orwell’s 1984. “This is the realm of science fiction and it should send shivers down everyone’s spine,” he told The ABC. “It enables all manner of biometric testing and it does actually lead to a situation where the state could hold a database of every single person’s fingerprints.” [Source]

WW – Apple’s New Photo System to Include Facial Recognition

An update to Apple’s Photos software will include facial recognition technology. The upgrade will catalog photos within the app by the face of the person within the image. Apple’s new feature comes as Facebook and Google are locked in lawsuits over facial recognition capabilities, specifically possible violations of the Illinois Biometric Information Privacy Act. Apple Senior VP of Software Engineering Craig Federighi said the system processes and stores the data locally on the device rather than on company servers. Though Apple’s features differ from those of Google and Facebook, it is not yet known whether they would violate the Illinois law. [The Verge]


CA – New Spy Watchdog Will Have Power to Examine ‘Any Activity, Any Operation’

Sweeping powers to scrutinize “any issue, any activity, any operation” will be granted to a new committee of parliamentarians to watch over federal spying and other clandestine security and intelligence activities, the government has announced. The long-promised Bill C-22 tabled in the Commons proposes to create an unprecedented “national security and intelligence committee of parliamentarians” to hold to greater account the nation’s two chief spy services and at least 15 other departments and agencies with national security responsibilities. The move fulfils a major Liberal election promise to increase parliamentary scrutiny of national security operations to offset the expansive and controversial counterterrorism powers under the Anti-terrorism Act of 2015, formerly Bill C-51, to investigate, detain, arrest, silence or otherwise thwart individuals suspected as threats to the security of Canada. The all-party committee of nine MPs and two Senators, to be chosen by Prime Minister Justin Trudeau and supported by a small secretariat, would be sworn to permanent secrecy and handed a broad mandate to probe, mainly ex post facto, any and all national security activities to gauge whether they are effective, efficient and legal. Its primary investigative tool would be a statutory power to access many of the nation’s most guarded secrets. “They will be able to ask questions and conduct inquiries and satisfy themselves that two important objectives are being met: to make sure our security and intelligence agencies are being effective in keeping Canadians safe and to make sure they are safeguarding the rights and freedoms of Canadians.” Though the legislation clearly empowers the committee to explore and review the country’s deepest confidences, it also offers government a handful of disclosure escape clauses. Chief among them is the state’s power to deny the committee information “injurious to national security,” a catch-all clause that past governments have used to slam the door on politically sensitive or otherwise damaging inquiries. [National Post]

CA – New Bill Would Allow Border Guards to Collect Data on Those Leaving Canada

Public Safety Minister Ralph Goodale has proposed revisions to the Customs Act that would allow the federal government access to the personal data of Canadian travelers leaving the country. The information collected wouldn’t extend beyond information collected in a passport’s second page — meaning “full name, nationality, date of birth, gender and issuing authority of the passport,” the report states. “Having this data will allow us to better respond to Amber Alerts, for example, on missing children,” Goodale said. “It will help us deal with human trafficking. It will help us deal better with illegal travel by terrorist fighters.” [CBC News]

CA – Privacy Watchdog Seeks More Stringent Laws in Wake of Health Breach

B.C.’s privacy commissioner is calling on the province to step up its privacy laws and impose fines of up to $50,000 for health-care workers found snooping. “It’s a significant issue of public trust when one or more individuals access electronic health records without authorization,” B.C. privacy commissioner Elizabeth Denham said in an interview. B.C.’s privacy laws are outdated when it comes to protecting electronic health records from general snooping, Denham said. [Times Colonist] See also: 2 BC health workers fired in breach that included high-profile people

CA – Sask Cops, MLAs & Ministers to Fall Under FOI Legislation

New legislative amendments brought forward by the Saskatchewan government on Monday could soon mean police in the province will be subject to freedom of information requests. The proposed amendments to Saskatchewan’s FOI and privacy laws received first reading in the Legislature on June 13. One of the proposed changes is to extend the FOI legislation to include police services. Other changes include creating a new offence for snooping, extending privacy requirements to include MLA and cabinet ministers’ offices and increasing penalties for privacy violations. The Saskatchewan Information and Privacy Commissioner, Ronald Kruzeniski, said in a statement he is pleased with the proposed amendments and will work further on FOI regulations once the amendment is passed. [Global News]

CA – Frustration Over Health Disclosure Doesn’t Trump Privacy Protection: Experts

After a case involving a 21-year-old taking her own life following a battle with depression, Nova Scotia is examining whether it needs to review its health privacy laws for disclosing mental health issues to a patient’s family. Currently, Nova Scotia law allows for mental health disclosures when it is determined there is an immediate threat to the health of any person, including the patient. Nova Scotia Privacy Commissioner Catherine Tully is apprehensive about whether officials in public bodies have enough knowledge to determine what can and cannot be disclosed. “It is absolutely a training issue,” said Tully. “I have travelled around the province and talked to hundreds of people responsible for administering our privacy laws and training is a very key issue and one that requires constant work.” [Global News]


WW – Privacy Concerns Around Alternative Credit Reporting

Companies are trying alternative credit reporting using nontraditional data to determine a candidate’s reliability and creditworthiness, but privacy concerns surround the tactics. In addition to privacy concerns, efforts to determine an individual’s chances for receiving a loan, housing, or a job often hurt those in low-income brackets. Though companies are using a wide range of ways to determine a person’s creditworthiness and reliability — as students, prospective employees, or credit applicants — the methods of doing so fall in a legal area that is murky at best. Overseas, companies in parts of Africa and Latin America monitor cellphones and social media to evaluate potential loan recipients, and U.K. startup Tenant Assured has started a service that mines social media accounts and sells the resulting information to landlords and other parties. [The Atlantic]

US – Data Breach Simulation Explores Notification Timing

During a mock data breach at Stanford University’s Hoover Institution, a group of journalists studied the art of post-breach notification, learning that sometimes waiting to sort out technical errors before notifying victims is the wisest route to take. “It takes time to figure out what happened, and sometimes notification can cause more damage because you haven’t had time to remediate it,” said Intel’s chief privacy and security counsel. [Los Angeles Times]


US – Board of Elections Posts DC’s Complete Voter List Online

D.C. makes it shockingly easy to snoop on your fellow voters. A little-known law in the nation’s capital is leading to complaints over the way it lets anyone on the Internet find out D.C. voters’ names, addresses, voting history and political affiliations, with little more than a click or two. It’s not the existence of the file itself that’s shocking, critics say. It’s the fact that the D.C. Board of Elections made it available on the Internet. Typically, every state has this kind of voter information; it’s just held at the statehouse or at the public library where you have to physically retrieve it from the stacks — probably with the help of a staffer — in order to see it. Putting that data on the open Internet changes the game because it allows virtually anyone, from anywhere, to view the data with no questions asked. [The Washington Post] [Washington voter registry publication sparks debate]

UK – 36% of Public Trust Government to Protect Their Data: ICO Survey

An ICO survey, published on 15 June, asked more than 1,200 people for their views on data protection. It found that the public were only slightly more likely to trust government with their information than they were to trust energy providers. Just 36% of respondents to the survey said they trusted government departments with their information. High street banks garnered the highest overall levels of trust, with 53% saying they trusted them with their information. However, trust in government was higher among those in the higher socio-economic group AB1, at 41%, and among millennials, at 43%. The survey also found that almost half of respondents disagreed with the statement that existing policy and regulation were sufficient to protect their data. Just 20% said policies were sufficient, which shows little change since the ICO’s 2014 survey, when 19% said policies were sufficient. [Public Technology]


CA – CRTC Partners With International Agencies to Fight Spam, Unsolicited Calls

The Canadian Radio-television and Telecommunications Commission (CRTC) announced that it has signed a memorandum of understanding with ten enforcement agencies from across the globe, including the Office of the Privacy Commissioner of Canada, to fight unlawful spam and unsolicited telecommunications. The agreement promotes cooperation between the CRTC and its international counterparts in enforcing Canadian and international spam and unsolicited telecommunications laws. The agencies have committed to sharing information and intelligence regarding unsolicited communications, where permitted by the laws of their respective jurisdictions. By working closely with its partners, the CRTC will be able to more effectively ensure that all those who engage in unsolicited communications, whether local or foreign, comply with the Unsolicited Telecommunications Rules and Canada’s Anti-Spam Legislation. [Press Release]

EU Developments

UK – IP Bill Extends GCHQ Snooping Powers to All Law Enforcement

The Investigatory Powers Bill, which was passed by the House of Commons last week, will effectively give the police and other authorities the same powers of surveillance that are currently enjoyed by GCHQ. That is according to Raegan MacDonald, senior policy manager and EU principal at Mozilla. “It’s about legally justifying the previously secret practices of GCHQ and also allowing those powers to go to all levels of law enforcement.” The IP Bill, commonly known as the Snooper’s Charter, requires telecoms companies and ISPs to store records of telephone and internet communications for one year. What is less widely known is that the Home Office is also building a search engine for all this data, known as the “request filter”, which will allow authorities to conduct detailed searches across all of it. These queries will be subject to the “filtering” oversight of the Investigatory Powers Commissioner, and for this reason the request filter is being sold by the Home Office as a privacy-enhancing measure. “The request filter, when used, acts as an additional safeguard for communications data requests made by public authorities, to ensure that the data they acquire is limited only to that which is absolutely necessary,” says the government in a fact sheet. But pointing out that the Bill is short on mechanisms to ensure that oversight is effective, Jim Killock, executive director of Open Rights Group, questioned how this will work in practice. [Source] See also: The U.K. House of Commons passed the controversial Investigatory Powers Bill with a 444-69 vote. The bill now moves to the upper house of Parliament, the House of Lords.

EU – 75% of Cloud Apps Are Not Ready for New EU Data Protection Rules

More than 75% of cloud apps in use in the EU lack key capabilities needed for compliance with the new EU General Data Protection Regulation (GDPR), according to a new study by Netskope. In particular, these apps fall short of the regulation’s minimum requirements in areas such as timely deletion of personal data and data portability. Netskope tracked 22,000 cloud apps in use in the EU, giving each a GDPR-readiness rating between 1 and 100:

  • Just under 28% of cloud apps were deemed unready.
  • Half (48%) were scored as somewhat ready.
  • Only 25% were deemed ready.

The results of the report are especially troubling for businesses as the adoption of mobile and cloud strategies gains momentum. The shift to cloud brings with it increasing complexity and a greater volume of security challenges for enterprises, chief among them the need to comply with the GDPR. Businesses have less than two years, until the regulation applies in May 2018, to bring their cloud apps into line or face fines of up to €20 million (about $22 million) or 4% of their global annual turnover, whichever is higher. [Source]

US – Ransomware Attacks Taking Huge Toll on Healthcare Resources

Healthcare organizations are aware of the omnipresent threat of ransomware to their information systems and of the danger it poses to their HIPAA compliance efforts and reputations, and they are struggling to bear the expense of shoring up their defenses. The rising number of ransomware attacks against providers is prompting security professionals to intensify data security efforts, as well as to consider entirely different approaches to security. Ransomware is turning the tables on how healthcare organizations deal with security. For years, top security professionals have struggled with thefts that took data out of an organization’s control — for example, through the theft of unencrypted laptops holding data, or through employee snooping of records that contain protected health information. The incentive for avoiding these types of breaches was to avoid landing on the HHS Office for Civil Rights’ website of major breaches and possibly facing OCR-imposed financial sanctions and corrective action plans. But ransomware is different. Information remains in a provider’s system but is inaccessible, encrypted and locked away until the provider pays to free it. Until recently, that scenario had largely not been considered as a possibility. Consequently, the report argues, intensified data security alone is not the answer in the ransomware era; organizations must look at different approaches to data protection, including the ability to restore locked data from backups that the attacker cannot reach. [Source]

EU – Google Announces EU-Based Machine Learning Research Group

Google has set up a research group in Switzerland dedicated to machine learning. Machine learning consists of “systems that can learn things and come up with predictions from sets of data, without being specifically programmed to do so.” Machine learning currently powers Google’s translation engine, its Inbox “smart reply” feature and spam recognition in Gmail, and helps Google’s driverless cars examine their surroundings. The research group will work on machine intelligence, speech recognition, natural language processing, and machine perception, such as identifying objects in photos and recognizing handwriting. “We look forward to collaborating with all the excellent computer science research that is coming from the region, and hope to contribute towards the wider academic community through our publications and academic support,” wrote Emmanuel Mogenet, head of Google Research in Europe. [Fortune]


Facts & Stats

WW – Data Breach Costs Up 29% Since 2013: Study

A study from the Ponemon Institute and IBM found the average total cost of a data breach is $4 million, a 29% increase since 2013. Ponemon’s study examined 283 companies, finding the average cost per compromised record was $158 in 2016, up from $154 last year. The study also estimated a 26% probability that an enterprise will suffer one or more data breaches involving at least 10,000 compromised records over the next two years. Ponemon found that the healthcare industry has the highest cost per breached record, and that U.S. data breaches were the most costly per record, coming in at $223, with the average total cost estimated at $7.01 million. In related news, hackers have stolen the information of more than 45 million users of car, sports and tech sites in what could be one of the largest data breaches ever. Compromised data appears to include email and IP addresses, usernames and passwords. [ZDNet]

CA – Data Breach Detection, Escalation Costs Highest in Canada: Report

Detection and escalation costs related to data breaches were the highest in Canada and lowest in India, note the findings of a new global survey. “The average detection and escalation costs for Canada was US$1.60 million. In contrast, the average costs for India was US$0.53 million,” states the 2016 Cost of Data Breach Study: Global Analysis, benchmark research sponsored by IBM and conducted by Ponemon Institute LLC. “Data breach costs associated with detection and escalation are forensic and investigative activities, assessment and audit services, crisis team management and communications to executive management and Board of Directors,” notes the report. Breaches caused by malicious or criminal attacks were the most expensive to resolve globally, at an average of US$170 per record, compared to US$138 per record for system glitches and US$133 per record for human error or negligence. Canada held a distinction in this respect: “Companies in the U.S. and Canada spent the most to resolve a malicious or criminal attack (US$236 and US$230 per record, respectively),” the report states. [Canadian Underwriter]

WW – Study: Most Companies Struggle to Restrict Sharing of Confidential Data

A new study found only 36% of surveyed IT practitioners from large companies are able to control how confidential data is shared with third parties. The study of more than 600 IT professionals also found that companies are rarely able to track where their most sensitive documents go. Only 27% of those surveyed were able to restrict the sharing of confidential data between employees. According to the survey, conducted by the Ponemon Institute on behalf of Fasoo, 58% of companies say their employees use free online file-sharing applications, and almost half say their employees, on occasion, keep confidential documents on their home computers or personal mobile devices. In addition, 68% of those surveyed say they do not even know where their company’s confidential information is located. The study also revealed a deficiency in employee education about protecting data: 56% of respondents said their companies did not educate their employees about protecting confidential information. The study found that careless employees were the primary cause of company data losses 56% of the time; the second most common cause was lost or stolen devices. In March, a SailPoint survey revealed that more than a quarter of employees said they had uploaded sensitive information to cloud apps intending to share it outside the company. According to Gartner, more than 70% of unauthorized access to data is committed by an organization’s own employees. Employees are frequently the cause of security weaknesses in the enterprise, but most of these insider threats carry no malicious intent and are instead the result of weak access controls and a lack of employee awareness. [CIO Dive] CSO: Study: Most companies can’t protect confidential documents


US – Home Depot Suit Claims U.S. Credit-Card Firms Block Security Upgrades

The Home Depot has alleged in a new federal lawsuit that MasterCard and Visa use faulty security measures prone to fraud. The company accused the card networks of putting economic gain and their “dominant market positions” ahead of cybersecurity, arguing that the U.S. chip card rollout lags behind more secure methods used elsewhere in the world. “Regardless of how the cardholder’s identity is confirmed, the chip makes data much more secure, rendering it almost useless to create fraudulent cards or transactions,” said a MasterCard spokesman. Meanwhile, Bob Hedges urged banks to engage in privacy debates in an op-ed for American Banker. “If they don’t, they run the risk that the public policy debate could eventually hurt their historical ‘trusted agent’ position,” he said. [The Seattle Times]


EU – ENISA Creates Free Personal Data Breach Notification Tool

ENISA, in co-operation with the Office of the Federal Commissioner for Data Protection and Freedom of Information of Germany (German DPA), developed a tool for the notification of personal data breaches. In particular, the purpose of the tool is to provide for the online completion and submission of a personal data breach notification by the data controller to the competent authority (DPA/NRA). It covers all types of personal data breaches and all types of business sectors, public or private. Based on the input of the notification, the tool also provides to the competent authority an assessment of the severity of the breach. The assessment is based on the relevant Personal Data Breach Severity Assessment Methodology developed by ENISA in co-operation with the DPAs of Greece and Germany. The tool is free for use by any interested party, in particular national competent authorities who would like to facilitate the notification of personal data breaches by data controllers in their countries. [Source]

Health / Medical

US – Oregon Prescription Database Access Ignites Privacy Debate

The Drug Enforcement Administration hopes to access Oregon’s Prescription Drug Monitor Program database in an effort to curb drug abuse, causing privacy concerns. The agency is fighting a 2014 U.S. 9th Circuit Court of Appeals ruling that decided warrantless seizure of the data was illegal. The DEA countered that as the PDMP is a third-party data host, users shouldn’t have an expectation of privacy, the report states. Not everyone agrees. “The primary purpose of PDMPs is health care, not law enforcement,” said the American Medical Association in an amicus brief. The database wasn’t created to be “a tool or repository for law enforcement to initiate access to gather information,” the AMA added. [The Daily Beast]

CN – China Pledges Tighter Privacy as it Centralises Personal Health Data

Chinese Premier Li Keqiang has announced the Chinese government’s intention to strengthen privacy regulation as it expands its health care data systems. “Enhancing the development of medical big data is a pressing task now,” Li said. “It is also an important project for public welfare, in the context of a growing need for health and medical services.” To that end, “more comprehensive regulation and legislation in personal information and data protection” is necessary, he added. The State Council’s plans call for the creation of a countrywide health database, as well as a guide for medical record portability, the report states. [The Register]

Horror Stories

US – Cyber Insurer Seeks to Void Data Breach Coverage Because of Purported Misstatements in Policy Application

Cyber insurers commonly require insureds to complete detailed applications, often including extensive technical disclosure and risk self-assessments. The complaint recently filed by the insurer in Columbia Casualty Co. v. Cottage Health System illustrates the pitfalls in these requirements. Cottage Health, an operator of a hospital network, suffered a data breach in 2013 resulting in thousands of its patients’ private medical information being publicly disclosed. In addition to other losses, Cottage Health paid $4.125 million to settle a putative class action in 2014 and faces additional proceedings arising from the breach. Columbia’s lawsuit denies all coverage for the breach and seeks to rescind its policy due to the insured’s alleged failure to comply with the cybersecurity practices described in its application. In its complaint Columbia contends, first, that the “Failure to Follow Minimum Required Practices” exclusion in its cyber policy—applying to losses from, among other things, the Insured’s failure “to continuously implement the procedures and risk controls identified in the Insured’s application”—precludes coverage for Cottage Health’s losses. Columbia further contends that it has a right to void its policy altogether due to alleged misstatements in the “Risk Control Self Assessment” that Cottage Health completed as part of its cyber insurance application. Any new cyber policy wording requires expert legal scrutiny before purchase, because these specialty insurance products can contain gaps or hidden traps. For example, Cottage Health might have averted its dispute with Columbia if the policy’s potentially onerous “Failure to Follow Minimum Required Practices” exclusion had been modified or deleted. [Source] See also: [Cyber insurance is changing the way we look at risk ]


Identity Issues

WW – Apple to Use ‘Differential Privacy’ in New Software

Apple is using a special technique to balance user privacy with its data collection efforts. Apple’s Senior VP of Software Engineering Craig Federighi discussed “differential privacy” during his company’s Worldwide Developers Conference in San Francisco. “We believe you should have great features and great privacy,” Federighi said during the conference. “Differential privacy is a research topic in the areas of statistics and data analytics that uses hashing, subsampling and noise injection to enable … crowdsourced learning while keeping the data of individual users completely private. Apple has been doing some super-important work in this area to enable differential privacy to be deployed at scale.” [Wired] See also: [What Apple’s differential privacy means for your data and the future of machine learning] and [A Few Thoughts on Cryptographic Engineering]
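The quoted description of differential privacy is abstract, so the following is an added illustration (written for this digest, not Apple’s code; Apple did not publish its mechanism in the cited talk) of the simplest local-differential-privacy scheme, randomized response. It shows the “noise injection” part only: each device flips its private bit with a calibrated probability before reporting it, and the server recovers an unbiased population estimate from the noisy reports while no single report reveals more than a factor of e^ε about its sender. The user population and the feature being counted are constructed for the example.

```python
# Added example: local differential privacy via randomized response.
# Not Apple's implementation; this is the textbook mechanism (Warner, 1965).
# The population and the "feature X" bit are constructed for illustration.
import math
import random


def keep_probability(epsilon: float) -> float:
    """Probability that a device reports its true bit.

    Choosing p = e^eps / (1 + e^eps) makes the report eps-differentially
    private: no single report shifts the likelihood of the true bit by more
    than a factor of e^eps.
    """
    e = math.exp(epsilon)
    return e / (1.0 + e)


def randomized_response(true_bit: int, epsilon: float, rng: random.Random) -> int:
    """Client-side noise injection: report the truth with probability p,
    otherwise report the flipped bit. The server only ever sees the output."""
    p = keep_probability(epsilon)
    return true_bit if rng.random() < p else 1 - true_bit


def privacy_loss_bound(epsilon: float) -> float:
    """Worst-case likelihood ratio P(report | bit=1) / P(report | bit=0).

    For randomized response this is p / (1 - p), which equals e^eps by
    construction; an analyst seeing one report learns at most that much."""
    p = keep_probability(epsilon)
    return p / (1.0 - p)


def estimate_proportion(reports, epsilon: float) -> float:
    """Server-side unbiased estimate of the true fraction q of 1s.

    E[observed fraction] = q*p + (1-q)*(1-p), so solving for q gives
    q = (observed - (1-p)) / (2p - 1). The noise cancels in aggregate,
    never for an individual user."""
    p = keep_probability(epsilon)
    observed = sum(reports) / len(reports)
    return (observed - (1.0 - p)) / (2.0 * p - 1.0)


def simulate(n_users: int, true_fraction: float, epsilon: float, seed: int = 7):
    """Constructed population: each user holds one private bit (e.g. 'uses
    the hypothetical feature X'). Returns (true fraction, estimate)."""
    rng = random.Random(seed)
    truth = [1 if rng.random() < true_fraction else 0 for _ in range(n_users)]
    reports = [randomized_response(b, epsilon, rng) for b in truth]
    return sum(truth) / n_users, estimate_proportion(reports, epsilon)


if __name__ == "__main__":
    for eps in (0.5, 1.0, 2.0):
        real, est = simulate(20000, 0.3, eps)
        print(f"eps={eps}: keep p={keep_probability(eps):.3f}, "
              f"max likelihood ratio={privacy_loss_bound(eps):.2f}, "
              f"true={real:.3f}, estimate={est:.3f}")
```

Running it shows the trade-off Federighi alludes to: a smaller ε gives each user stronger deniability (the likelihood ratio approaches 1) but makes the server’s estimate noisier, which is why these schemes need large populations and a bounded privacy budget per user rather than unlimited repeated reports.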

IN – Alibaba Launches App With Face Recognition Lock Feature In India

Alibaba has unveiled Privacy Knight in India, a free app-lock that uses a one-second selfie to verify and grant access to users’ protected apps, BiometricUpdate.com reports. According to Alibaba, the program’s facial recognition with blink detection has 99.47% accuracy, the report states. “Face lock is set to change the way people protect their privacy,” said Alibaba’s Mobile Business Group. [Full Story]

Internet / WWW

WW – Microsoft’s Acquisition of LinkedIn Faces Some Privacy Concerns

While Microsoft’s purchase of LinkedIn will benefit both companies, some are raising privacy concerns. BigID CEO Dimitri Sirota said the purchase is meaningful as Microsoft is acquiring “the world’s second largest personal database,” but the use of the data will determine the success of the sale. “Given that the value of the purchase will derive from the usage of personal data it will be natural to ask how this data usage gets governed so it doesn’t compromise either personal privacy or many privacy regulations,” said Sirota. Acquiring large amounts of personal data is an issue many companies now deal with, he said, adding, “Organizations gain tremendous marketing, sales and intelligence value from collecting and aggregating as much customer data as they can, but the tools to govern the privacy risk and compliance of the aggregated ‘identity’ data are only now being developed.” [TechRepublic]

Law Enforcement

CA – Constable Fired for Accessing Data

A Gatineau police officer was fired this week after pleading guilty in April to illegally accessing police records. For the crime of unauthorized use of a computer, whereby the constable checked information on three former friends in police databases, she received no jail time, but had to make a donation of $1,000 to a crime victims’ assistance center. Despite no data being passed to a third party, nor the constable apparently seeing any benefit from the access to the data, the Gatineau Police Service released a statement saying she was fired because it “requires its police officers meet the highest ethical standards and professional standards.” [Ottawa Citizen]

Online Privacy

US – OTA Releases Privacy Assessment of Consumer-Facing Websites

Consumer services websites are improving privacy practices while news sites need vast improvements. That’s according to the release of the 8th annual Online Trust Audit & Honor Roll. Conducted by the Online Trust Alliance, this wide-ranging audit looks at nearly 1,000 consumer-facing websites to assess their consumer protections, privacy practices and data security. [Full Story]

Other Jurisdictions

SG – Singapore PDPC Publishes Data Protection Guidelines

The Personal Data Protection Commission of Singapore has published a number of guidelines for data access, notification and privacy protection, among other related subjects, on its official website. Its newest guideline, Guide to Handling Access Requests, details “information and considerations for organizations in handling requests for access to personal data, including sample access request and acknowledgement forms,” the site states. [Full Story]

IN – TRAI Consultation Paper Talks Cloud Computing

The Telecom Regulatory Authority of India has released a 119-page consultation paper on cloud computing regulation. The paper’s six sections cover interoperability, cloud security, and bringing cloud services to governments, among other topics. Frameworks for cloud services remain a major focus, the report adds. “Regulations should be put in place to protect the interests of both cloud services providers and the consumers,” the paper states. “Legal framework under which the cloud operates becomes very important.” [The Wire]

Privacy (US)

US – FBI Says Utility Pole Surveillance Cam Locations Must Be Kept Secret

The US FBI has successfully convinced a federal judge to block the disclosure of where the bureau has attached surveillance cams on Seattle utility poles. The decision stopping Seattle City Light from divulging the information was expected, as claims of national security tend to trump the public’s right to know. However, this privacy dispute highlights a powerful and clandestine tool the authorities are employing across the country to snoop on the public—sometimes with warrants, sometimes without. Just last month, for example, this powerful surveillance measure—which sometimes allows the authorities to control the camera’s focus point remotely—helped crack a sex trafficking ring in suburban Chicago. Meanwhile, in stopping the release of the Seattle surveillance cam location information—in a public records act case request brought by activist Phil Mocek—US District Judge Richard Jones agreed with the FBI’s contention that releasing the data would harm national security. “If the Protected Information is released, the United States will not be able to obtain its return; the confidentiality of the Protected Information will be destroyed, and the recipients will be free to publish it or post the sensitive information wherever they choose, including on the Internet, where it would harm important federal law enforcement operational interests as well as the personal privacy of innocent third parties,” Jones ruled. [Ars Technica]

US – More States Adopt Education Privacy Protections

As students’ online presence grows due to schools’ growing reliance on digital third-party student databases, lawmakers and privacy advocates have expressed concern for the potential mishandling of students’ information. Some states have turned to stricter privacy laws, with nine states adopting new data regulations in 2016. “The conversation is looking different in every state and district at this point,” said the Data Quality Campaign’s Rachel Anderson. “Some states are really taking the approach of parents can decide if they want to opt-in or out of these additional recommendations.” In 2014, 21 states passed 26 student data laws mostly targeted at states and school districts. Many echoed a 2013 Oklahoma law that requires state approval to release student data and mandates that only aggregated data — no data tied to individual students — can be released. By last year, lawmakers had shifted their focus to third-party companies. They passed 28 student privacy laws, in many cases mirroring a California statute that prohibits service providers from using data to target ads to students, selling student information, and creating student profiles for commercial purposes. This year nine states — Arizona, Connecticut, Hawaii, Kansas, New Hampshire, Tennessee, Utah, Virginia and West Virginia — have added 11 new student data laws, mostly based on the California standard. A similar proposal is awaiting the signature of Colorado’s governor. Between 2014 and 2015, state legislators introduced 98 bills that included opt-in or opt-out provisions, and this year Arizona passed a law requiring schools to obtain parents’ permission before collecting certain data. [PBS Newshour]

US – Health and Human Services IG to Assess Medical Device Security Monitoring

The US Department of Health and Human Services (HHS) Office of Inspector General’s Fiscal Year 2016 Mid-Year Work Plan calls for an assessment of the Food and Drug Administration’s (FDA’s) review of cybersecurity control on wireless and Internet-connected medical devices. The HHS IG also plans to look into state Medicaid agency and contractor breach notification practices and responses. [GovInfoSecurity]

US – NSA Could Use Internet-Connected Medical Devices for Surveillance

NSA Deputy Director Richard Ledgett told an audience at the Defense One Tech Summit in Washington, DC, last week that the agency is examining ways to exploit the Internet of Things (IoT) to conduct covert monitoring. Ledgett said that the NSA is “looking at it sort of theoretically from a research point of view right now,” and noted that conducting surveillance through medical devices could be “a tool in the toolbox.” [ComputerWorld] [The Intercept]

US – Chicago Seeks Input on Privacy Policy for Sensor Network

Chicago officials will soon release their privacy policy for the city’s traffic sensor project, the Array of Things, for citizen input. The first of 500 devices will go live in July, collecting vehicular and environmental data, the report states. The policy aims to protect collateral information that could identify an individual. “We’ve always been focused on making sure there was a privacy policy to inform the public about how the data that the nodes are collecting is going to be managed,” said Department of Innovation and Technology Commissioner and Chicago Chief Innovation Officer Brenna Berman. Open policy screenings begin June 14, the report adds. [Chicago Tribune]

CA – Who is Watching You on B.C. Highways?

At any time thousands of drivers are on B.C. highways trying to get places as soon as they can. And there is a team of people keeping an eye on all of that traffic – in a building nestled between Highway 1 and Lougheed Highway in Coquitlam. Transportation Management Centre staff keep watch on over 600 cameras throughout the province. And when you are on the Lions Gate Bridge, Penny Martin is watching and decides when to flip the counterflow lane. There are sensors and computers but Martin says it is often simply watching the causeway cameras for volume that will guide her decision to flip the lane. And it’s not just for Metro Vancouver. With the flick of a mouse people here can change the speed limits on the Sea to Sky or Coquihalla highways using the new variable speed limit signs. Centre manager Brigid Canil says they use advanced traffic management software to change speed limits, almost instantly, based on weather or traffic conditions. But what if the speed limit changes from 120 kilometres an hour to 80 km/hr and police pull you over? “We would know exactly what times the signs would change and be able to correlate what time the ticket was written to ensure the individual is treated fairly,” said Transportation Minister Todd Stone. Another big issue is privacy. On the Drive BC website you can see a “Replay the Day” video of many locations – but they say they don’t keep piles of surveillance. “We don’t keep the data and that is directly in response to concerns about privacy,” said Stone. [Global News]

WW – Study: Weak Passwords, Phishing Attacks Top Breaches

Verizon’s 2016 Data Breach Investigations Report has found that 63% of recent breaches were due to weak passwords. Phishing scams are also a major culprit, the report states. Nearly one-third of the analyzed phishing emails were opened by recipients. While the sophistication and success rate of these attacks are growing, strategies for keeping oneself safe remain the same. “The surest anti-phishing protection is also one of the rarest assets around: common sense,” the report adds. “No matter who an email comes from, never click on a link in an email — instead cut and paste it into a web browser and read the address. If it smells phishy, it probably is.” [TechCrunch] [Employee Error Accounts for Most Security Breaches]
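The “read the address” advice above can be applied mechanically before a message ever reaches a reader. The following is an added example, not code from the Verizon report or from TechCrunch: it walks the anchors of an HTML e-mail body and flags the classic tells of a phishing link (visible text naming one domain while the href points at another, a bare IP address as the target, a punycode host that may be a lookalike, or a plain-http target). The sample e-mail and every hostname in it are constructed for illustration.

```python
"""Flag links in an HTML e-mail body whose visible text does not match where they point.

Added example, not from the Verizon DBIR. Uses only the standard library so it
can run inside a mail gateway hook or a local triage script.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-cased hostname of a URL (scheme added if missing); '' if none."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


# A domain-looking token inside the visible link text, e.g. "www.example-bank.com".
_DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def suspicious_links(html_body):
    """Return a list of (href, reason) pairs for links a reader should not trust at face value."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        href_host = _host(href)
        reasons = []
        match = _DOMAIN_RE.search(text)
        if match:
            text_host = match.group(1).lower()
            # Allow the href to sit on a subdomain of what the text shows; flag anything else.
            if text_host != href_host and not href_host.endswith("." + text_host):
                reasons.append(f"visible text says {text_host} but link goes to {href_host}")
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", href_host):
            reasons.append("link target is a bare IP address")
        if href_host.startswith("xn--") or ".xn--" in href_host:
            reasons.append("link target uses punycode (possible lookalike domain)")
        if href.lower().startswith("http://"):
            reasons.append("link is plain http, not https")
        findings.extend((href, reason) for reason in reasons)
    return findings


# Constructed sample message; the hosts below are placeholders, not real sites.
SAMPLE_EMAIL = """
<p>Your account needs verification.</p>
<a href="http://198.51.100.7/login">https://www.example-bank.com/login</a>
<a href="https://accounts.example-bank.com/help">Help centre</a>
<a href="https://www.xn--exmple-bank-abc.com/">www.example-bank.com</a>
"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{href}: {reason}")
```

In the sample, the first link earns three findings (text/host mismatch, bare IP, plain http), the second is left alone because a subdomain of the displayed brand is legitimate, and the third is caught both for the mismatch and for its punycode host. The check is deliberately conservative: it reports, it does not block, so the output belongs in a triage queue or a banner, not an automatic drop.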

US – FICO to Offer ‘Enterprise Security Scores’

Fair Isaac Corp. has acquired cybersecurity startup QuadMetrics to create an industrywide “enterprise security score” for businesses. The security score will act as an equivalent to the FICO consumer-credit scores, giving chief information officers and other IT professionals an “easy-to-understand” metric to determine their company’s online risks, while handling other possible issues from third-party software vendors and acting as a guide for cyber breach insurance underwriting. “Just as the FICO Score gave credit markets a single metric for understanding credit risk, this product will give the industry a common view of enterprise security risk,” said FICO’s Vice President of Cybersecurity Solutions Doug Clare. [The Wall Street Journal]

CA – RCMP Can Spy on Your Cellphone, Court Records Reveal

A judge lifted the publication ban on information surrounding a suspected mafia murder, revealing different surveillance methods used by the RCMP. While investigating the 2011 murder of Salvatore Montagna, the RCMP used IMSI catchers, commonly known as “Stingrays,” to mimic cellphone towers in order to obtain information on a suspect’s phone. The RCMP used the collected information to intercept and decode BlackBerry PIN-to-PIN messages as part of the murder cover-up. “Our biggest concern with Stingrays is there’s really no regulation or oversight as to how they’re being used,” said OpenMedia Digital Rights Specialist Laura Tribe. “We right now, as the Canadian public, have no idea where they’re being used, when, what the requirements are for these technologies being used and what’s happening to the data of everyone being caught up in their sweep.” [CBC News] See also: [VPD admits to not owning a Stingray surveillance device, but is it ‘borrowing’ one?] and [Santa Clara County, California, has approved an ordinance that requires government agencies to put policies in place before acquiring or activating new surveillance technologies.]

US Government Programs

US – Federal Government Releases Final Guidance on CISA

The Department of Homeland Security (“DHS”) and Department of Justice released final guidance as required by Title I of the Cybersecurity Act of 2015 (“CISA”), which was enacted into law this past December. The guidance was prepared in consultation with several additional federal agencies, and includes four separate documents.

  1. The first document (“sharing guidance”) provides guidance for non-federal entities (including state governments) that elect to share cybersecurity information with the federal government under CISA.
  2. The second document establishes “privacy and civil liberties guidelines governing the receipt, retention, use, and dissemination” of cyber threat indicators and defensive measures by the federal government.
  3. The third document, which was released in final form on February 16, describes procedures through which information is shared by the federal government to participating non-federal entities.
  4. The fourth document describes procedures for the receipt of cyber threat indicators and defensive measures by the federal government. [Inside Privacy]
