5-12 July 2016

Biometrics

UK – NHS Sending 1M Eye Scans to Google’s DeepMind

Google’s DeepMind division will receive 1 million anonymized eye scans from Moorfields Eye Hospital to help train its artificial intelligence system to identify signs of disease. DeepMind’s machine learning algorithms will examine the scans for symptoms of diseases such as macular degeneration and diabetes-related vision loss. The collaboration, however, has already raised some privacy concerns. In a letter to Moorfields, tech journalist Gareth Corfield cited the Data Protection Act, writing, “To be crystal clear, I have not consented for my personal data to be used by Moorfields NHS Trust for any purpose other than treating me for genuine medical purposes.” The announcement comes after Google’s AI system faced criticism for its collaborations with three small London hospitals. [BBC]

Big Data

WW – IDEAS Conference to Address Digital Privacy Issues in an Era of Big Data

All it takes is 300 “likes” while you’re scrolling through your newsfeed — that’s the point at which Facebook knows you better than your own spouse or your best friend. So if you’re averaging 10 “likes” a day, it will take just a month for the social network behemoth to have you figured out more accurately than the people you consider your soul mates. And if you’re a compulsive clicker of the “thumbs up” icon, Facebook may have insight into your innermost thoughts and feelings in a mere week-and-a-half. [Montreal Gazette]

Canada

CA – PIPEDA Amendments Creating General Obligation to Notify Individuals and Privacy Commissioner of a Breach Not Yet in Force

Canada’s federal privacy law does not currently include a general obligation to provide notification of breaches (the OPC has issued best practice guidelines that strongly encourage such notification); after the amendments to PIPEDA come into effect, organizations will be required to notify the OPC and affected individuals of any breach where it is reasonable to believe that the breach creates a real risk of significant harm to the individual. [Global Guide to Data Breach Notification – Canada – Peter Ruby and Rachel Ouellette, Goodmans LLP and George Pollack, Davies Ward Phillips & Vineberg] (Pages 22 – 32)] See also: the Office of the Privacy Commissioner of Canada has issued a call for proposals seeking applicants to organize and host the next research symposium in the Office’s Pathways to Privacy series. Learn more

CA – Toronto Real Estate Board Increases Efforts to Overturn Tribunal’s Ruling

The Toronto Real Estate Board is stepping up its efforts in court to overturn a decision by the federal Competition Tribunal that allows more detailed home sales data to be released on the Internet. TREB reiterated its concerns that the tribunal’s April 27 order mandating wider access to the industry’s Multiple Listing Service (MLS) database violates privacy law and the rights of buyers and sellers. On May 27, the real estate board filed a notice of appeal to challenge the ruling in the Federal Court of Appeal and last week, it asked the court to stay the tribunal’s decision. After a subsequent hearing last month to work out the details of its ruling, the Competition Tribunal said TREB’s active realtor members would be allowed to publish information online that is not currently being widely disseminated, including sales figures, pending sales and broker commissions. As part of this arrangement, virtual brokers would be permitted to display and analyze this data as freely over the Internet as other realtors currently share such information with their clients in person, by fax or over e-mail. Even as TREB continues to contest the decision in court, its information technology staff are working to upgrade its systems so it’s ready to comply with the order, which is set to come into effect on Aug. 3. [The Globe and Mail]

CA – Do Photographs Taken by a Landlord for Marketing a Rental Unit Offend Privacy Rights?

A recent decision of the Ontario Divisional Court has ruled that landlords of residential tenancies are not permitted to enter into a tenant’s premises to take photographs in order to market the property for sale while it is occupied by another tenant, unless there is a consent of that tenant or a specific provision in the lease permitting the taking and publication of photographs. In Juhasz v. Hymas (2016 ONSC 1650,) the Ontario Divisional Court noted that the lease and legislation did allow the landlord to show the premises to prospective tenants or purchasers but that that the lease did not contain a clause permitting entry by a real estate agent to take photographs for marketing the property for sale. [Source]

E-Government

US – How Presidential Candidates Sell Supporters’ PII to Other Candidates

What do failed presidential candidates do with their supporters’ email addresses once they drop out of the race for the White House? Nearly every GOP candidate in the 2016 presidential election has sold, rented or loaned their supporters’ addresses to other candidates, marketing companies, charities or private firms, CNNMoney found through an analysis of thousands of emails and Federal Election Commission records. The failed candidates have been able to make thousands of dollars through data sharing, with Marco Rubio taking home $504,651 and Rand Paul making $212,495. The practice is not illegal, as the campaign tells donors what will happen with their personal information when they give money to a particular candidate. [CNN Money]

E-Mail

CA – Private Right of Action Under Canada’s Anti-Spam Law (CASL)

As of July 1, 2017, individuals and organizations will be entitled to institute a “private right of action” before the courts against those that contravene certain provisions of Canada’s Anti-Spam Law (“CASL”). In the event of a contravention of the message rules in CASL, a monetary penalty up to a maximum of $1,000,000 per day may be imposed. This private right of action should be taken seriously right now. From this perspective and building on previous publications, this bulletin discusses this new mechanism. [Fasken] See also: [Emerging Limits on the Certification of Privacy Class Actions]

Encryption

WW – Facebook Testing Encryption for Messenger

Facebook has begun testing Secret Conversations, an end-to-end encryption feature for Messenger. Users will be able to create secret conversations that can be read on only one of the recipient’s devices. The cryptographic keys “are generated or derived on-device,” which means that Facebook never has possession of the keys. Secret Conversations will also let users determine how long the message will be visible. Starting July 8, a select number of Facebook Messenger users will test the social media site’s opt-in, end-to-end encrypted “secret conversations” feature. The site’s will make its “secret conversations” widely accessible starting “later this summer or in early fall.” [SC Magazine: Facebook testing ‘Secret Conversations’ end-to-end encryption feature for Messenger | Quartz: Facebook is testing encrypted, self-destructing messages | CNET: Facebook adds encryption to Messenger | Facebook: Messenger Starts Testing End-to-End Encryption with Secret Conversations] [WIRED]

CA – Encryption Keeping Police Out, Government Documents Indicate

Encryption and privacy technologies are making Canadian law enforcement’s ability to use data in an investigatory capacity increasingly difficult. “Canadians are increasingly using mobile phone networks, the internet, and other electronic means to communicate and execute transactions with each other,” wrote public safety officials in the documents addressed to Minister Ralph Goodale. “This has led to a significant gap between the technologies available for criminal exploitation and our means to enforce Canada’s laws and keep Canadians safe.” The documents suggested having a “thoughtful discussion” on the best legal framework for encryption technology that benefits all, the report adds. [The Star]

WW – Google Testing New Encryption That Protects Against Quantum Attacks

Google has begun testing a new form of encryption in its Chrome browser designed to protect systems from quantum attacks. Google is adding a post-quantum key-exchange algorithm to a small number of connections between the desktop version of Chrome and Google’s servers. [Wired: Google Tests New Crypto in Chrome to Fend Off Quantum Attacks | ZDNet: Google is experimenting with post-quantum cryptography]

EU Developments

EU – EU Governments Approve Privacy Shield

The European Union’s 28 member states have approved Privacy Shield, the EU-US data transfer agreement crafted to replace Safe harbor, which the EU high court struck down last autumn. Once the European Commission approves Privacy Shield, the agreement will take effect. European privacy groups are likely to challenge the agreement in court because they believe it does not go far enough to protect EU citizens’ privacy. [The Hill: Week ahead: EU set to finalize new data pact | eWeek: European Member States Approve Privacy Shield Agreement | BBC: Privacy Shield data pact gets European approval | SC Magazine: Privacy Shield gets nod from EU, ripe for judicial challenge]

EU – EU-U.S. Privacy Shield 2.0 Signed, Sealed and Delivered

The European Commission and the U.S. Department of Commerce-approved updated version of the EU-U.S. Privacy Shield was green lighted by a regulatory committee of EU countries July 8 and will be formally adopted and finalized the following week, the authors write as they discuss the outlines of the new data transfer pact. The updated Decision also clarifies that while the general rule will be that the Principles apply to a U.S. business immediately upon filing of the self-certification documents with the U.S. Department of Commerce, there will be an exception for cases where an organization has a pre-existing relationship with third parties. [BNA] [EU-US Privacy Shield agreement goes into effect: Tech companies welcome new data transfer agreement, but activists say it doesn’t do enough to protect privacy | New ‘Privacy Shield’ deal between U.S. and Europe is already catching flak | Say hello to the General Data Protection Regulation |

EU – European Parliament Approves Cybersecurity Law

The European Parliament has approved cybersecurity legislation that “establish[es] a common level of network and information security and enhance[s] cooperation among EU member states, which will help prevent cyberattacks on Europe’s important interconnected infrastructures.” The new rules affect a broad spectrum of business sectors, including finance, energy, transportation, and technology. [Bloomberg Technology | ZDNet: European lawmakers approve new cybersecurity law | Bloomberg: European Union’s First Cybersecurity Law Gets Green Light | European Parliament Press Release: Cybersecurity: MEPs back rules to help vital services resist online threats | European Parliament Press Release: Cyber security: new rules to protect Europe’s infrastructure] See also: The Digital Economy Bill had its first reading in the U.K. Parliament. The bill would allow for sharing of information between public bodies when there is a public benefit, increase online protection for minors, offer universal broadband access and more.

EU – EU Planning $2B Cybersecurity Research Investment

The European Union wants a $2 billion investment into cybersecurity research. The EU is planning on contributing $500 million to it and is asking industry to contribute the remaining $1.5 billion. The European Commission fears the EU economy is susceptible to cyberattacks, saying the incidents “could undermine the digital single market and economic and social life as a whole.” The $2 billion cybersecurity public-private partnership is “intended [to] boost cross-border research into cybersecurity, and to aid development of security products and services for the energy, health, transport and finance industries,” said the European Commission in a report published Tuesday. Developing strong levels of cybersecurity can also be a big advantage for the EU over other countries, the European Commission said, as IT security continues to accelerate in growth worldwide. [PCWorld]

EU – Norwegian DPA Critiques Facebook at Work’s Terms of Use

The Norwegian Data Protection Authority has reviewed Facebook at Work and found its terms of use do not stand up to the national Personal Data Act. The agency said businesses using Facebook at Work to conduct internal communications must create their own terms for Facebook’s part as the provider, as those companies are liable for protecting privacy and maintaining information security. Since Facebook is acting as the provider, and given the social network’s history of mining user data, the DPA said, “Facebook’s entry to the Norwegian workplace therefore requires vigilance in terms of privacy implications.” The agency expects to release a more in-depth analysis this September. [Telecompaper]

EU – Helen Dixon: DPC’s Resources Tied Up by ‘Ambulance Chasers’

Ireland Data Protection Commissioner Helen Dixon says her agency’s resources are being gummed up by “digital ambulance chasing.” At issue are a number of complaints about issues that could be considered “embarrassing or distressing” but not necessarily critical. “On this note,” she said, “I think we are starting to see the rise in digital ambulance chasers in terms of certain legal firms presenting volumes of cases to the office where essentially their goal is to obtain a formal determination of the data protection commissioner that organization x,y,z is in breach of data protection legislation.” Dixon said she wonders if these type of complaints “really represents anyone’s interests well,” noting they tie up the DPC when the “controller has already acknowledged the contravention and attempted to right the wrong.” [The Irish Times]

Finance

EU – Commission Places Stronger Controls on Bitcoin, Pre-Paid Credit Cards

The European Commission is looking to strengthen its efforts to stop financial crimes and terrorism funding by placing tighter controls on bitcoin transactions and pre-paid credit cards. “Today’s proposals will help national authorities to track down people who hide their finances in order to commit crimes such as terrorism,” said European Commission First Vice President Frans Timmermans. “Member States will be able to get and share vital information about who really owns companies or trusts, who is dealing in online currencies, and who is using pre-paid cards.” Virtual currency exchanges must now conduct stricter customer identification checks on customers exchanging fiat for bitcoin and other digital currency. To cut down on the number of anonymous transactions, pre-paid credit card thresholds for identification have been lowered from 250 euros to 150 euros. [Law360]

FOI

US – Private-Account Email Can Be Subject to FOIA: Court

On the same day that the FBI announced that the criminal investigation of Hillary Clinton’s use of a private email server is likely to conclude without any charges, a federal appeals court issued a ruling that could complicate and prolong a slew of ongoing civil lawsuits over access to the messages Clinton and her top aides traded on personal accounts. In a decision Tuesday in a case not involving Clinton directly, the U.S. Court of Appeals for the D.C. Circuit held that messages contained in a personal email account can sometimes be considered government records subject to Freedom of Information Act requests. The case ruled on by the D.C. Circuit focused on a relatively obscure White House unit: the Office of Science and Technology Policy. At least one federal judge handling a FOIA suit focused on Clinton’s emails said last month he was watching to see how the D.C. Circuit ruled in the dispute involving Obama science adviser John Holdren and an account he kept on a server at the non-profit Woods Hole Research Center in Massachusetts. After the free-market-oriented Competitive Enterprise Institute filed suit over a request for work-related emails sent to or from that private account used by Holdren, U.S. District Court Judge Gladys Kessler ruled last year that the government had no duty to search an email account that wasn’t part of OSTP’s official system. But the three D.C. Circuit judges who ruled Tuesday all said Kessler was too rash in throwing out the suit and they agreed the case should be reinstated. While the opinions in the case make no mention of Clinton or her private server, it seems evident that all three appeals judges involved are aware of the obvious analogy. [Source]

Genetics

EU – Sweden May Open National DNA Database to Law Enforcement

The Swedish government may allow law enforcement and possibly private insurance companies to access its massive DNA database. The PKU Registry contains the genetic information of every single Swedish citizen under the age of 43, as the government allowed blood samples to be collected of every newborn since 1975 in order to aid medical research. Privacy advocates are pushing back against opening up the database. The Pirate Party’s Rick Falkvinge believes the decision would be “an outrageous and audacious breach of contract with the parents who were promised the sample would be used only for the good of humanity in terms of medical research.” Falkvinge argues the insinuation of opening the database to police will stop individuals from providing samples in the future. [Ars Technica]

Health / Medical

CA – OIPC AB Provides Guidance for Safeguarding Electronic Health Systems

This OIPC guidance is intended for custodians and their information managers (i.e. EHR service providers) to assess the safeguards in electronic health record system. Practices include a system design that restricts access on a need-to-know basis, a system ability to reduce access, view or disclosure capability based on an individual’s request, tracking of research requests for disclosure of health information, the inclusion of privacy statements or reminders on system screens, availability of backup and restoration procedures (including the audit log information) at an offsite location, and systems/processes to securely dispose of health information where authorized. [OIPC AB – Guidance for Electronic Health Record Systems]

UK – Patients Should Have More Control Over How Their Medical Data Is Used, Says Caldicott

The national data guardian in England recommended that a new consent and opt-out model for data sharing be implemented in the NHS in England in a report presented at the end of her review of health and care data security and consent, which had been commissioned by the UK government. Dame Fiona said that NHS bodies should generally be free to share patients’ medical data for the purposes of delivering care directly to those people. However, patients should be given control over any other proposed uses of their health records, she said. “People should be able to opt out of their personal confidential data being used for purposes beyond their direct care unless there is a mandatory legal requirement or an overriding public interest,” Dame Fiona said. “Relevant information about a patient should continue to be shared between health professionals in support of their care. An individual will still be able to ask their doctor or other healthcare professional not to share a particular piece of information with others involved in providing their care and should be asked for their explicit consent before access to their whole record is given,” she said. Dame Fiona said that the new opt out and consent model could consist of either asking patients a single question about whether they will allow their data to be used for purposes beyond direct care or a “two-part” mechanism that would allow patients to be more specific about the way their data can be used. [Source]

US – Nursing Home Operator Agrees to Pay $640,000 for ePHI Breach

The Department of Health and Human Services, Office for Civil Rights entered into an agreement with the Catholic Health Care Services of the Archdiocese of Philadelphia a business associate, to settle alleged violations of the HIPAA Security Rule. An operator-provided smartphone was stolen that was unencrypted and not password protected and contained social security numbers, diagnosis/treatment information, medical procedures and names of family members/legal guardians; the operator must conduct a risk analysis, implement prescribed policies and procedures (e.g. regarding the encryption of ePHI, password management, security incident response, and mobile device controls), implement training programs, and submit reportable events and implementation and annual reports. [HHS – Resolution Agreement – Catholic Health Care Services of the Archdiocese of Philadelphia Press Release | Resolution Agreement] [Business Associates Beware: First HIPAA Settlement with Business Associate]

UK – Gov’t Takes Surgeon’s Knife to Controversial NHS Care.Data Scheme

A recent review published by National Data Guardian Dame Fiona Caldicott suggests moving forward with the data sharing plans of the U.K.’s now-extinct Care.data health database for the U.K.’s national health care system. In her review, Calidcott recommended “new data security standards for the NHS and social care, a method for testing compliance against the standards, and a new opt out to make clear how people’s health and care information will be used and in what circumstances they can opt out.” Meanwhile, Polly Toynbee criticizes the privacy concern-borne criticism that led to the demise of Care.data in an op-ed for the Guardian, calling it a “loss” for the country. [Ars Technica]

Horror Stories

WW – Analysts Concerned by ‘Insider Threat’ Trend

Insider threats are growing increasingly more dangerous than external hackers, some security analysts predict. “A lot of companies are really worried about employees walking off with their data,” said Gartner’s Avivah Litan. “Insider threats have become a major issue because external criminals are actively recruiting insiders to help perpetrate their crimes, while disgruntled employees are actively making their insider services available.” The influence of the Dark Web has incentivized these threats, he added. “Disgruntled employees, especially those working in data-rich organizations like financial services companies, pharmaceutical firms, and in government are being actively recruited by and selling access to network credentials and corporate data to criminals on the Dark Web.” An Intel report from September 2015 determined that insiders could be blamed for 43% of lost data, and Verizon’s 2016 breach report blamed disgruntled insiders for roughly one in ten security incidents. [Christian Science Monitor] See also: [Former SaskPower employee illicitly accessed more than 4,000 HR files]

UK – Police Departments Commit 10 Data Breaches a Week: Study

A study from civil liberties group Big Brother Watch finds police forces in the U.K. are responsible for 10 data breaches a week. Big Brother Watch’s report, “Safe in Police Hands?“ found police departments committed 2,315 data breaches between June 2011 and December 2015. Incidents include officers illicitly using information for financial gain and passing sensitive information to organized crime syndicates. More than half of the breaches resulted in no formal disciplinary action, with 13% resulting in a resignation or termination. “While there have been improvements in how forces ensure data is handled correctly, this report reveals there is still room for improvement. Forces must look closely at the controls in place to prevent misuse and abuse,” the report said. [Computer Weekly]

US – Wendy’s Payment Card Data Breach Affected More Than 1,000 Locations

Wendy’s fast food restaurant chain now says that malware was found on point-of-sale systems at more than 1,025 of its franchises, considerably more than the 300 initially reported earlier this year. The malware targeted: cardholder name, credit or debit card number, expiration date, cardholder verification value, and service code. The investigation is still active. Fraudulent activity involving some of those accounts was first detected in fall 2015. [BBC: Food chain Wendy’s hit by massive hack | CNET: Wendy’s says payment card info accessed in malware attack | ZDNet: Wendy’s admits credit card hack is far worse than first thought | SecurityWeek: Over 1,000 Wendy’s Restaurants Hit by PoS Malware | USA Today: Wendy’s: Credit card numbers disclosed in cyber attack ]

Identity Issues

WW – ID Theft Cases Increased 57% as Thieves Mine Social Media

A study from fraud prevention service Cifas found the number of identity theft victims in the U.K. rose 57% in 2015. Cifas said there were 148,000 victims of identity theft last year, up from the 94,500 reported cases in 2014. The majority of the cases involved thieves assuming the identity of a real person, using their name, date of birth, address and bank details. Social media networks are becoming a popular place for identity thieves to garner the information necessary to commit the crimes. “The likes of Facebook, Twitter, LinkedIn and other online platforms are much more than just social media sites — they are now a hunting ground for identity thieves,” said Cifas Chief Executive Simon Dukes. “We are urging people to check their privacy settings today and think twice about what they share.” [BBC]

CA – OPC Releases Guidance on De-Identification

The OIPC Ontario outlined key issues to consider when de-identifying personal information in the form of structured data. An acceptable re-identification risk should assess information sensitivity, the level of detail of the information, the number of individuals, potential harms/injuries from a breach, and individual consent for disclosure; public and semi-public release should have a maximum risk measurement applied (non-public releases have an average risk), and agreements with recipients should prohibit re-identification, linking to external data sets, or sharing without permission. [IPC ON – De-identification Guidelines for Structured Data]

Internet / WWW

WW – The Cloud and Filing Cabinets Should Have the Same Privacy Rights

According to a civil complaint filed by Microsoft against the government in federal court, the U.S. government issued more than 5,600 demands to Microsoft over an 18-month period, seeking access to customer information hosted in the cloud. More than 2,500 of those demands came with court-issued secrecy orders that prevented Microsoft from alerting its customers that their information — including personal communications, business records and confidential documents — was being given to the government. Microsoft’s lawsuit challenges this abuse with a simple premise: citizens and businesses that store information on remote data centers are entitled to the same degree of privacy and freedom from unlawful seizure as those who store such information in filing cabinets or personal computers. [Source]

Law Enforcement

US – Minnesota Law Classifies Public and Private Law Enforcement Body-Worn Camera Footage

SB 498, classifying police body-worn camera data, has been signed into law by the Governor and is effective August 1, 2016. Footage is public data if it documents firearm discharge in the course of an officer’s duty, use of force that results in substantial bodily harm, and agencies may redact or withhold access to portion of public data that are clearly offensive to common sensibilities; individuals who are the subject of the footage may request access to a copy of the data, however data on other individuals who do not consent to its release must be redacted. [Senate Bill 498 – A Bill for an Act Relating to Portable Recording System Data – Minnesota Legislature]

UK – Police Suffered 2,315 Data Breaches in Last Five Years but Want More Data

A report from UK privacy watchdog Big Brother Watch (BBW) reveals that UK police suffered 2,315 data breaches between June 2011 and December 2015 as a result of insiders abusing their access to the data. BBW says that, in 869 cases, police officers accessed citizens private data without a work-related purpose, and in 877 incidents, police officers shared data with unauthorized third-parties. Few police officers who caused the breaches were punished. Despite the flagrant abuse, in 1,283 cases, authorities decided to take no disciplinary action against the individual that broke procedures. Only 297 cases resulted in the resignation or dismissal of the guilty employee. Authorities did decide to press charges, and for 70 cases, the investigation concluded with a criminal conviction or a caution warning. For 258 less flagrant cases, officers received a written or verbal warning. [Source]

EU – Swedish DPA Greenlights Security Police Registry of Terrorist Group Supporters

Swedish security police Säpo has received permission from the country’s data protection authority to register individuals who express support for ISIS and other terrorist groups. The authority deemed that public support of an EU or U.N.-recognized terror organization was not “sensitive personal information,” the report states. However, “according to Säpo, the decision from the Data Inspection Board does not mean that information can be registered based on political and religious beliefs, which is not generally allowed in Sweden,” the report adds. The move “will allow us to further streamline our work,” said Säpo Press Secretary Simon Bynert. “We will be able to register relevant tips and will be able to get a better overall picture of the people we follow.” [The Local]

Location

US – Researchers Develop Method for Stronger Location Data Control

A group of UCLA researchers are proposing a way to give users more granular control over their location in light of the growing amount of Internet of Things devices. Joshua Joy, Minh Lee, and Mario Gerla have come up with LocationSafe, a privacy module implemented directly into the GPSD of a user’s device, allowing the user to dictate the manner location data is provided before other applications can use it. “User applications requesting data of users is a binary permission, either I share my data or I don’t. However, sensitive data such as location needs finer control on how accurate and how often the location information is released,” the authors said in their paper. [Motherboard]

Online Privacy

EU – EU Submits Draft Code of Conduct on Privacy for Mobile Health Apps to Article 29 Working Party for Approval

the European Commission submitted a draft code of conduct for privacy for mobile health apps to the Article 29 Data Protection Working Party for its considerations and approval. The EC functioned as a facilitator with industry members who drafted a Code of Conduct. The Code of Conduct, once approved, can be voluntarily signed by app developers with a commitment to following its rules, including data protection principles (such as transparency and privacy by design), requires valid explicit consent for collect/use of data subject data, permits secondary use of data for scientific research or Big Data, and acknowledges that it can be difficult to irreversibly anonymise health data when a retention period expires. [European Commission – Draft Code of Conduct on Privacy for Mobile Health Applications Press Release | Draft Code of Conduct | Hogan Lovells]

EU – Tech Industry Gangs Up On European Commission, Calls for Cookie Law To Be Scrapped

A massive coalition of tech and telco companies have called for the EU’s so-called cookie law to be repealed. Ars reported yesterday that the European Commission was working to overhaul the current ePrivacy Directive, and had held a public consultation soliciting feedback. But a group of 12 trade bodies has now called for it to be scrapped altogether. The coalition includes the European Telecommunications and Network Operators association (ETNO), the European Competitive Telecommunications Association (ECTA), the GSMA representing mobile operators, the Computer and Communications Industry Association (CCIA), IAB, the interactive advertising bureau, and DigitalEurope. “We believe that simplifying and streamlining regulation will benefit consumers by ensuring they are provided with a simple, consistent, and meaningful set of rules designed to protect their personal data,” said the group. “At the same time, it will encourage innovation across the digital value chain and drive new growth and social opportunities. This is critical at a time when digital companies are striving to launch new innovative services and working to build a 5G Europe.” The coalition brings together telco operators, online service providers, hardware manufacturers, and online publishers. [Source]

US – MIT Researchers Develop Anonymity Network That Rivals TOR

Anonymity networks protect people living under repressive regimes from surveillance of their Internet use. But the recent discovery of vulnerabilities in the most popular of these networks — Tor — has prompted computer scientists to try to come up with more secure anonymity schemes. At the Privacy Enhancing Technologies Symposium in July, researchers at MIT’s Computer Science and Artificial Intelligence Laboratory and the École Polytechnique Fédérale de Lausanne will present a new anonymity scheme that provides strong security guarantees but uses bandwidth much more efficiently than its predecessors. In experiments, the researchers’ system required only one-tenth as much time as existing systems to transfer a large file between anonymous users. The system …employs several existing cryptographic techniques but combines them in a novel manner. The heart of the system is a series of servers called a mixnet. Each server permutes the order in which it receives messages before passing them on to the next. If, for instance, messages from senders Alice, Bob, and Carol reach the first server in the order A, B, C, that server would send them to the second server in a different order — say, C, B, A. The second server would permute them before sending them to the third, and so on. [MIT News]

Privacy (US)

US – Obama Administration Unveils National Privacy Research Strategy

The White House has announced the National Privacy Research Strategy, a program which aims to foster more sophisticated privacy research alongside the development of innovative data use. This strategy proposes the following priorities for privacy research:

  • Foster a multidisciplinary approach to privacy research and solutions;
  • Understand and measure privacy desires and impacts;
  • Develop system design methods that incorporate privacy desires, requirements, and controls;
  • Increase transparency of data collection, sharing, use, and retention;
  • Assure that information flows and use are consistent with privacy rules;
  • Develop approaches for remediation and recovery; and
  • Reduce privacy risks of analytical algorithms.

“With this strategy, our goal is to produce knowledge and technology that will enable individuals, commercial entities, and the federal government to benefit from technological advancements and data use while proactively identifying and mitigating privacy risks.” The strategy suggests increased transparency of data use; a more “multidisciplinary approach” to privacy research, and the creation of system design methods that satisfy privacy requirements. The new Federal Privacy R&D Interagency Working Group will help facilitate these efforts. [Press Release]

US – DEA Changes Wiretap Procedure After Questionable Eavesdropping Cases

Following criticism for its dubious surveillance program in the L.A. suburbs, the Drug Enforcement Administration is overhauling its procedures for agents to secure permission for wiretaps. DEA agents must discuss any plans for a wiretap with federal prosecutors, and then receive permission from a senior DEA official before taking their request to a state court. The change comes after an investigation discovered the DEA had a wiretapping program monitoring millions of calls and texts in the Los Angeles area, getting approval from a single state court judge while bypassing Justice Department lawyers. “With federal courts, there’s a significant amount of scrutiny on something before you get a wiretap, and there’s a lot of layers of protection for privacy that don’t exist in state court,” said Louisville defense lawyer Brian Butler, who is challenging the legality of the DEA’s past surveillance efforts. [USA Today]

US – Sports Authority’s Post-Bankruptcy Data Sale Sparks Privacy Concerns

After Dick’s Sporting Goods bid on and won the now-bankrupt Sports Authority’s trove of an estimated 25 million email addresses and 14 million shoppers’ files for $15 million, former Sports Authority consumers are now concerned about the potential ramifications on their privacy. “It’s extremely valuable data for companies to identify customers who are looking for a new home,” said SSP Blue’s Hemu Nigam. “Customer emails are stolen every day [but] they lack awareness that this is a possibility,” Nigam said. “The auction is raising awareness of another way customer data can be sold without even thinking about it.” Representatives from Dick’s Sporting Goods and Sports Authority declined to comment, the report states. [Los Angeles Times]

US – CFPB Proposes Privacy Notice Requirement Amendment

The Consumer Financial Protection Bureau is pitching to amend the privacy notice requirement under the Gramm-Leach-Bliley Act and has opened up a request for public comment. “The bureau is proposing to amend Regulation P, which requires, among other things, that financial institutions provide an annual notice describing their privacy policies and practices to their customers,” the report said. The CFPB alteration installs a December 2015 statutory amendment to the act, “providing an exception to this annual notice requirement for financial institutions that meet certain conditions.” The report also states, “If financial institutions share certain consumer information with particular types of third parties, the annual notices must also provide customers with an opportunity to opt out of the sharing.” [Consumer Finance]

US – Facebook 3rd-Party Data Sharing Case Will Move Forward with One Plaintiff

U.S. District Judge Ronald Whyte has ruled that plaintiff Wendy Marfeo’s suit against Facebook for allegedly sharing her information with a third-party site via “referrer headers” will move forward. Whyte found “that she had suffered harm by Facebook sharing her personal and private information despite the tech company’s many assertions it would not do so,” the report states. The judge did respect Facebook’s motion to dismiss co-plaintiff Katherine Pohl’s allegations that the company had shared her information with a third party, the report adds. “We are pleased that the court ruled in our favor and determined that the case should not proceed as a class action,” said a Facebook representative. [Courthouse News Service]

US – EFF and ACLU-led Coalition Opposes Dangerous “Model” Employee and Student “Privacy” Legislation

EFF, ACLU, and a coalition of nearly two-dozen civil liberties and advocacy organizations and a union representative are urging the Uniform Law Commission (ULC) to vote down dangerous model employee and student privacy legislation. The bill, the Employee and Student Online Privacy Protection Act (ESOPPA), is ostensibly aimed at protecting employee and student privacy. But its broad and vaguely worded exceptions and limitations overshadow any protections the bill attempts to provide. As our joint letter explains, ESOPPA will result in only further invasions of student and employee privacy. ESOPPA does next to nothing to prevent school administrators and employers—including public school employees and state officials—from coercing or requiring students and employees to turn over private, non-publicly available information from social media accounts. Furthermore, ESOPPA applies only to students at the college level and beyond, leaving the privacy of students at the high school level and below completely exposed. That’s why we’re asking the ULC to either address ESOPPA’s deficiencies or reject the bill outright at its upcoming meeting. Other organizations, including the Foundation for Individual Rights in Education (FIRE), have also sent their own letter to the ULC opposing the current draft of ESOPPA. You can read the full text of the letter below or access a PDF of the original letter here. Special thanks to all of our coalition partners, listed in full below. [Source]

US – More Than 95% of Public Comments Pan FCC Privacy Plans

More than 95% of public comments on a proposal by the Federal Communications Commission to regulate the privacy practices of broadband providers have been critical of that idea, according to a report. The figures were provided by “Protect Internet Freedom,” a nonprofit group that established an online platform for users to submit feedback to the FCC. “A total of 259,539 opposition comments were filed against the [rules], an overwhelming majority of the 271,669 total comments filed in the docket as the commenting deadline nears,” the group said in a press release. The public comment period is set to close this week. Democrats on the commission moved to issue the notice of proposed rulemaking, which would restrict how Internet providers are allowed to collect and use customer data. Critics say that tech companies like Google and Facebook represent a more significant threat and would be given an unfair advantage because the rule wouldn’t apply to them. [Washington Examiner]

RFID / IoT

US – Senator Asks FTC to Boost Privacy Efforts in IoT for Children

Sen. Mark Warner, D-Va., wrote a letter to FTC Chairwoman Edith Ramirez on her agency’s efforts to protect the privacy of the “Internet of Playthings.” In his letter, Warner says the FTC must work with Congress to safeguard children’s personal information as “smart toys” rise in popularity. “The ever-declining cost of digital storage and internet connectivity have made it possible to connect an unimaginable range of product and services,” Warner said in his letter. The senator cited researchers hacking into talking dolls and altering their responses and the ease of hacking the cloud to obtain conversations recorded by children’s toys as reasons for the FTC to take action. Warner also questioned Ramirez whether the FTC had enough authority to guard children’s privacy under the Children’s’ Online Privacy Protection Act with IoT on the rise. [Multichannel News]

Security

WW – Infrared Light Could Shut Off Forthcoming iPhones’ Camera

Apple has been granted a patent for an unnamed system that allows those with infrared-capable devices to disable the filming capabilities of proximate iPhones. While the system was initially developed to prevent bootlegging of films or illegal filming of concerts, there is concern that law enforcement agencies could manipulate it. “Given how police have secretly adapted new kinds of technology, from Stingrays that can intercept text messages in transit to license plate scanners, it’s not hard to predict how police could take [it] on as part of their arsenal, regardless of Apple’s recent anti-surveillance track record.” At the time of publication, Tech.Mic was still awaiting a potential response from Apple. [Tech.Mic]

US – Password Sharing Is a Federal Crime, Appeals Court Rules

One of the nation’s most powerful appeals courts ruled that sharing passwords can be a violation of the Computer Fraud and Abuse Act, a catch-all “hacking” law that has been widely used to prosecute behavior that bears no resemblance to hacking. In this particular instance, the conviction of David Nosal, a former employee of Korn/Ferry International research firm, was upheld by the Ninth Circuit Court of Appeals, who said that Nosal’s use of a former coworker’s password to access one of the firm’s databases was an “unauthorized” use of a computer system under the CFAA. The decision is a nightmare scenario for civil liberties groups, who say that such a broad interpretation of the CFAA means that millions of Americans are unwittingly violating federal law by sharing accounts on things like Netflix, HBO, Spotify, and Facebook. Stephen Reinhardt, the dissenting judge in the case, noted that the decision “threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens.” At issue is language in the CFAA that makes it illegal to access a computer system “without authorization.” McKeown said that “without authorization” is “an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission.” The question that legal scholars, groups such as the Electronic Frontier Foundation, and dissenting judge Stephen Reinhardt ask is an important one: Authorization from who? [Motherboard] [Reuters]

WW – D-Link Camera Vulnerability Found in Other Devices

A vulnerability initially detected in D-Link wireless IP surveillance cameras is now known to affect as many as 400,000 devices, because the flawed software component was used in other D-Link devices. D-Link was notified of the issue by researchers; the company performed its own analysis of its devices and determined that 120 different products contain the vulnerable component. The flaw allows attackers to take control of the administrator account on the devices. There is currently no patch available. [ SANS ISC InfoSec Forums: Pentesters (and Attackers) Love Internet Connected Security Cameras! | SC Magazine: D-Link flaw affects 400,000 devices | The Register: 414,949 D-Link cameras, IoT devices can be hijacked over the net]

WW – Home Entertainment, Health Care Tools’ Security Ranks Most Vulnerable

Recent studies have found that while consumers are concerned with the overall costs and privacy implications of Internet of Things devices, security professionals have identified specific technologies as most vulnerable to attack. A survey by Lastline found that home entertainment systems, health care-related tools, and connected cars were among the top-ranking devices that troubled IT analysts the most. “The very nature of hacking dictates that people will find the new and innovative hacking targets, such as hacking into toys, smart TVs and refrigerators which are seemingly harmless, and try and compromise them — simply because they can,” said Lastline’s Brian Laing. “IoT presents one of those unchartered territories.” [MediaPost]

US – HHS Publishes HIPAA, Ransomware Fact Sheet

The Department of Health and Human Services has released a fact sheet on ransomware and HIPAA, noting that adhering to the rule’s requirements can help businesses prevent and recover from a data-hostage situation. Under HIPAA, “some of these required security measures include implementing a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information and implementing security measures to mitigate or remediate those identified risks,” the report states. HIPAA’s data backup requirements are also helpful should a ransomware occur, the fact sheet adds. Meanwhile, Becker’s Health IT and CIO Review reports that June was the worst month so far for hospital breaches in 2016, with more than 11 million patient records compromised. [Fact Sheet: Ransomware and HIPAA]

Surveillance

UK – 15 Secretive Orders ‘Allow Spy Agencies to Collect Communications Data’

A new report published by the Interception of Communications Commissioner’s Office (IOCCO) disclosed that there were a total of 23 “extant” section 94 directions within the scope of its oversight. They were all given by the Home Secretary or Foreign Secretary at various times between 2001 and 2016 on behalf of MI5, GCHQ, the three intelligence agencies collectively – MI5, GCHQ, and MI6 – or the Metropolitan Police’s counter-terrorism command. Fifteen of the directions relate to the acquisition of bulk communications data, while t he remaining eight directions relate to the provision of services in emergencies, for “civil contingency purposes” or to help agencies in safeguarding the security of their personnel and operations. [Source]

EU – Police Scotland to Dump Millions of ANPR Records Over Privacy Fears

A freedom of information request made earlier this year revealed that Police Scotland kept records of every recorded vehicle movement dating back to 2012, even though data protection rules prohibit forces from keeping records that are not linked to criminal activity being kept for longer than two years. Now a trove of official documents on ANPR published by The Ferret shows that senior officers were aware that they could be breaking data protection rules by retaining ANPR records as early as 2013. [The Ferret] [ANPR records retained by Police Scotland ]

Telecom / TV

EU – Vodafone Customers Exposed to Potential Privacy Breach

The Data Protection Commissioner of Ireland will look into an alleged Vodafone breach after users discovered that anyone with knowledge of their phone number can check their balance without passing through security controls. Vodafone maintains that the service is both acclaimed and unproblematic. The company “does not view this as a data protection breach on the basis that the balance given is not identifiable personal data,” Vodafone said in a statement. “The privacy of Vodafone’s customers is afforded the highest priority and the company continuously seeks feedback from our customers on the services we provide as well as regularly reviewing the IVR (interactive voice response) functionality.” [Independent.ie]

US – FCC Rules Government Can Make Robo-Calls

A ruling from the Federal Communications Commission clarified that federal government employees and their contractors are exempt from robo-call regulations. The regulations specifically prevent “persons” from making the calls, defined as “an individual, partnership, association, joint-stock company, trust, or corporation.” The FCC felt that the U.S. government does not fit in those categories, and was therefore free to make these calls until the law changes to specifically prohibit them. “The implications of the decision could be far-reaching,” the report states. “It validates the ability of federal agencies to perform surveys and polls on the effectiveness of their programs. … It also affirms the ability of contractors to make robo-calls to inform people of their Social Security benefits.” [The Washington Post]

US – Federal Judge Rules Automated Calls Can Cause Harm, Cites Spokeo

A West Virginia federal judge ruled the plaintiff accusing Got Warranty Inc., N.C.W.C. Inc. and Palmer Administrative Services Inc., of violating the Telephone Consumer Protection Act can move forward with her lawsuit. U.S. District Judge John Preston Bailey cited the Spokeo decision in the ruling, saying Diana Mey’s suit against the companies proved she suffered both tangible and intangible harm. Mey alleges the companies sent her numerous automated phone calls causing her harm in the form of lost battery life, lost phone minutes, and the “intrusion upon and occupation of the capacity of the consumer’s cellphone,” said Bailey. [Law 360]

US Government Programs

US – OMB Leadership Mandates Breach-Response Contracts

According to a memo issued by Office of Management and Budget Chief Acquisition Officer Anne Rung, all government agencies providing credit monitoring and identity theft protection must contract via the General Services Administration’s Identity Monitoring Data Breach Response and Protection Services blanket purchase agreement. “Taking advantage of the IPS BPAs ensures agencies can meet their needs for expeditious delivery of best-in-class solutions from pre-approved and vetted companies at competitive pricing,” Rung wrote. “For these reasons, the IPS BPAs shall be treated as a preferred source for federal agencies.” This would help avoid violation of federal laws, as the inspector general said the Office of Personnel Management did after “choosing the wrong contract vehicle” in the wake of its 2015 breach, the report states. [Federal Times]

US – NSA Labels Privacy-Centric Internet Users as Extremists

The NSA is not making any friends these days, and their latest statement on privacy-centric journalists is not helping matters much either. To be more precise, an investigation by the agency revealed how they are continuing to target the Tor network. Moreover, The Linux Journal is referred to as an “extremist forum”. Quite a strong sentiment, and possibly completely misguided as well. [The Merkle]

US Legislation

US – Ohio Bill Would Provide Privacy Exemptions for Releasing Police Body Cam Videos

The bill introduced by Rep. Niraj Antani, a Miamisburg Republican, maintains that camera videos are public records but adds exemptions to address privacy concerns. Body camera use has proliferated in recent years as have the legal issues surrounding their public release. Antani said he’s not aware of any Ohio cases where privacy was invaded on body camera video, but that lawmakers should be proactive considering more police departments are using them. [Source]

Workplace Privacy

US – Employees Express Workplace Wearables, BYOD Security Concerns

A Tech Pro Research survey found that while mobile devices are nearly universally used in the workplace, not all employees feel their devices are completely secure, ZDNet reports. The respondents expressed specific concern over wearables’ security. “Only 57% of respondents said their companies require user IDs and passwords, and less than a quarter used data encryption or device management software,” the report states. Bring-your-own-device security was also called into question. While 76% of respondents’ employers allowed the practice, “IT departments are still divided about supporting these devices,” the report adds. [Full Story]

WW – Business Travellers Putting Organisations’ Cyber-Security at Risk

Business travellers are more likely to be targeted for their access to private and corporate data than be mugged, according to a new report. A survey by Kaspersky Lab of 11,850 people from across Europe, Russia, Latin America, Asia Pacific and the US found that the pressure from work to get online is clouding the judgment of business travellers when connecting to the internet. It said that three in five (59%) of people in senior roles say they try to log on as quickly as possible upon arrival abroad because there is an expectation at work that they will stay connected. The research also found that 47% think that employers, if they send staff overseas, must accept any security risks that go with it. Almost half (48%) of senior managers and more than two in five (43%) of mid-level managers use unsecure public access Wi-Fi networks to connect their work devices when abroad. At least two in five (44% and 40%, respectively) use Wi-Fi to transmit work emails with sensitive or confidential attachments. One of the main reasons for business travellers acting the way they do on business is down to a widely held assumption that their work devices are inherently more secure than private communications tools, regardless of their connectivity. Two in five (41%) expect their employers to have set strong security measures. This is most pronounced among business leaders (53%) and mid-level executives (46%). One in five (20%) senior executives admit to using work devices to access websites of a sensitive nature via Wi-Fi – compared to an average 12%. One in four (27%) have done the same for online banking – compared to an average 16%. Kaspersky Lab said that the report showed that cyber-crime is a real hazard while traveling and employees are putting confidential business information at risk. [Source]

+++

 

Advertisements
Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: