13-20 July 2016

Canada

CA – OICC Recommends Reform to Access to Information Act

The Information Commissioner of Canada provided an opinion on the Access to Information Act. Priority recommendations to bring the Access to Information Act up to date include extending coverage to ministers’ offices and institutions supporting Parliament and the courts, establishing a comprehensive legal duty to document (with appropriate sanctions for non-compliance), addressing delays, repealing the exclusion for Cabinet confidences and replacing it with a mandatory exemption, narrowing the exemption for advice and recommendations, and ensuring mandatory periodic review. [Office of the Information Commissioner of Canada – The Act is Ripe for Amendments | Consultation]

CA – Federal Warrant Reports Understate True Police Activity

“Clear gaps” in how the federal government reports invasive surveillance practices may hide the true scope of police activities, according to documents prepared for Canada’s privacy watchdog. Although the number of authorized wiretaps has “plummeted” since 2002, a January briefing for Privacy Commissioner Daniel Therrien suggests those numbers may mask police surveillance practices. “It would be erroneous to infer from the drop in overall warrants issued that surveillance is affecting fewer individuals,” reads the document, obtained under access to information law. “While federal authorities issued just over a hundred surveillance warrants last year (2014), they issued 792 notifications of surveillance to individuals previously targeted. From this, one can conclude more and more individuals are being named as targets in a warrant application. “With a single warrant from the Federal Court (police) may list dozens of individuals for surveillance targeting.” [Chronicle Herald]

CA – Ontario Privacy Watchdog Drops Case Against Toronto Police Over Attempted Suicide Info

Ontario’s privacy commissioner is no longer taking legal action against Toronto police over the sharing of attempted suicide-related information with U.S. border services. The Information and Privacy Commissioner’s office says it has withdrawn its case because the force has developed new procedures to better protect people’s privacy. The privacy commissioner’s office, which investigated the issue, said since launching its legal action, Toronto police worked with the RCMP to create a new mechanism allowing all police services to suppress suicide-related entries from being accessed by U.S. users of the Canadian Police Information Centre database. [GlobalNews]

CA – OIPC AB: Access to PI Puts Individuals at Risk of ID Theft and Fraud

The Alberta OIPC reviewed a breach notification for ABS-CBN Canada Remittance Inc., pursuant to the Personal Information Protection Act. The incident resulted from a deliberate attempt to obtain unauthorized access to personal information, and the information was successfully used to process fraudulent transactions; the personal information involved was sensitive information, including name, address, identification document and number, place of issue and expiry date (if SIN was listed, only last 4 digits recorded), and information about whether an individual or family member is a politically exposed foreign person. [OIPC AB – P2016-ND-31 – ABS-CBN Canada Remittance Inc.]

EU Developments

UK – ICO Issues Guidance on ‘Internal Breach Reporting Procedure’

Although it remains unclear whether the General Data Protection Regulation (GDPR) will directly apply in the UK in light of the country’s vote to leave the EU, the UK watchdog has published a new piece of general guidance to help companies understand what their duties are under the new legislation. In its overview of the GDPR, the ICO explained, among other things, what organisations should do to prepare for the new data breach notification rules. Those rules require them to tell data protection authorities and the public about personal data breaches they experience in certain circumstances. Organisations should put in place an “internal breach reporting procedure” so that they can comply with their obligations to notify personal data breaches under the new EU data protection laws, the UK ICO has said. “You should make sure that your staff understands what constitutes a data breach, and that this is more than a loss of personal data,” the ICO said. “You should ensure that you have an internal breach reporting procedure in place. This will facilitate decision-making about whether you need to notify the relevant supervisory authority or the public.” [Out-Law] See also: the U.K. Information Commissioner has issued guidance on the General Data Protection Regulation and on what the country’s imminent exit from the EU means for its implementation.

EU – UK’s ICO Pushes Alternative to Consent-Based Cookie Rules

In response to a European Commission consultation on potential reforms to the EU’s Privacy and Electronic Communications (e-Privacy) Directive, the ICO said the rules should be updated and should “seek to achieve a proportionate balance between the legitimate interests of information society services and the privacy rights of individuals”. “There is a case for an exemption or an alternative basis for processing other than consent, particularly in cases where the privacy impact on the individual is minimal,” the ICO said. In its consultation response the ICO also said that all forms of direct marketing via electronic communications should be subject to an opt-in consent requirement. Currently, some types of direct marketing activity can be carried out on an opt-out basis. Some social media communications should also be considered subject to the e-Privacy rules on direct marketing. The ICO criticised rules that place restrictions on the processing of location and traffic data by internet service providers and mobile network operators. It urged that the provisions be deleted, as conditions on such data processing are “covered by the GDPR”. The GDPR, or General Data Protection Regulation, is the EU’s new broad data protection framework and will come into effect in May 2018. The ICO said: “Revised e-Privacy rules should avoid dictating business models, especially where there is minimal privacy impact for the individual.” The watchdog also said that the penalties regime for infringement of e-Privacy rules should not necessarily mirror the one set out in data protection law, since breaches do not always concern personal data. At the moment, the maximum fine of £500,000 that can be issued for an infringement under the UK’s Privacy and Electronic Communications Regulations is the same as that which can be issued under the Data Protection Act. [The ICO’s consultation response] [Out-Law News]

EU – Study: More than 75% of Cloud Apps Not in Line with GDPR Regulation

A Netskope survey of 22,000 cloud apps has found that more than 75 percent are out of compliance with the General Data Protection Regulation that will go into effect in less than two years. “This is the first time that data processors [cloud providers] actually have a direct compliance risk and obligation under the regulation,” said Intralinks Global Data Privacy Officer. “Now, it’s actually both data processors and data controllers. They would be liable and they have their own obligations under the GDPR.” As such, “Every organization should be keeping a frequently updated and well-documented data security risk assessment within easy reach,” said ESET’s Stephen Cobb. “You should be doing that regardless of GDPR, but GDPR is one more reason you should be doing it.” [SearchSecurity]

Filtering

CA – Google Faces Landmark Legal Fight, Advocacy Groups Rally in Support

The Supreme Court of Canada will soon have to assess whether Canadian courts have the authority to block search results outside of Canada’s borders, and under which circumstances a litigant can seek an injunction against a “non-party” that had nothing to do with the original lawsuit — in this case, Google. A Wikimedia Foundation spokesperson confirmed that the foundation submitted its brief to the Supreme Court last month, and it expects the court to hear the case in early December. The Wikimedia Foundation isn’t the only body to file a motion in support of Google — according to the SCC’s official proceedings page, the following entities have recently filed motions to intervene: Software Freedom Law Centre, Center for Technology and Society, Dow Jones & Company, Reporters Committee for Freedom of the Press, American Society of News Editors, Association of Alternative Newsmedia, The Center for Investigative Reporting, First Amendment Coalition, First Look Media Works, Human Rights Watch, and others. [Venturebeat]

US – Judge Reignites Debate Over Researching Jurors Online

Mining prospective jurors’ Facebook, Twitter and other social media accounts is common practice for many attorneys looking to spot biases that might cost their clients a fair trial. The American Bar Association has said the searches are ethical, and a ruling by the Missouri Supreme Court bolstered arguments that attorneys have a duty to do online research of prospective jurors. Still, some judges have deemed the online searches invasive and banned them. Now a federal judge’s ruling in a copyright battle between Silicon Valley heavyweights Oracle and Google has reignited debate about the practice while also offering a potential middle ground. U.S. District Judge William Alsup, raising concerns about prospective jurors’ privacy, said attorneys could research the jury panel, but would have to inform it in advance of the scope of the online sleuthing and give the potential jurors a chance to change their online privacy settings. Otherwise, they had to agree to forgo the searches. The ruling prompted a fresh wave of discussion in legal circles about how aggressively attorneys should be allowed to investigate jurors’ online personas and how beneficial the searches are. [Source]

Finance

UK – Bitcoin Benefits System Criticized On Privacy, Security Grounds

Much to the consternation of privacy advocates, the Department for Work and Pensions has begun a test of the GovCoin Systems’ bitcoin and blockchain program to provide welfare recipients with their benefits. While some maintain that blockchain payments increase security, others, like the Open Data Institute, aren’t so sure. “Experimenting with putting highly personal data in immutable data stores is fraught with danger,” said ODI Technical and Deputy Director. “To avoid undermining trust in government’s use of data, DWP should be much more open and transparent about the policy objective of these trials.” Both GovCoin and the DWP said they were aware of the security concerns and were continuing to develop safeguards. [Financial Times]

FOI

CA – OIPC SK Issues Guide to Exemptions for FOIP and LA FOIP

The OIPC SK has published guidance on exemptions pursuant to Saskatchewan’s: The Freedom of Information and Protection of Privacy Act; and The Local Authority Freedom of Information and Protection of Privacy Act. Exemptions in both statutes can be distinguished by the wording of the provision; use of the phrase “shall refuse” indicates a mandatory exemption, but some exemptions specify the conditions under which a public body may still release information. Many discretionary exemptions require the application of a multi-part test that must be met in order for the exemption to apply, and/or a clear cause and effect relationship between the disclosure of a record and the harm that is alleged to reasonably result. [OIPC SK – IPC Guide to Exemptions for FOIP and LA FOIP]

US – Database of Excuses the Govt Uses to Withhold Public Info Being Built

We’ve entered something of a golden era of government transparency—or at least, a golden era of journalists and interested citizens filing information requests with government agencies. Freedom of Information Act requests have increased greatly as the internet and services such as Muckrock, a tool that fills out sample language for information requests and then tracks them, have made filing easier. But there’s one major problem: Federal agencies use lots of different tactics to avoid actually releasing all sorts of documents, and few journalists actually know how to fight back against the system. It’s not entirely their fault: Enforcement of different FOI “exemptions” varies by agency and often depends on which specific FOIA officer handles the request. At the state level, where a patchwork of “sunshine” laws governs what records are public, things are even more of a mess. By creating a central repository for FOI exemptions, Muckrock is in a better place to challenge them and to effect change. If most states, for example, allow FOI requesters to obtain police body camera footage but a couple exempt that data, Muckrock and others can push for greater transparency in those states that don’t allow it by floating model FOI legislation with friendly lawmakers. Crowdsourcing data on which FOI exemptions are most common will also help Muckrock identify problem areas—if certain states are inappropriately claiming that certain records are part of “internal deliberations” (a common FOI exemption in many states) when they shouldn’t be, there may be grounds for a lawsuit or a public shaming campaign that could help change things. [Motherboard]

CA – Edmonton Council Votes to Review Privacy Rules

City council voted to review its privacy rules this week, with some councillors musing that more information should become public once sensitive matters have been decided. Edmonton has no automatic process for declassifying information. Coun. Michael Oshry wasn’t sure if the audio of the discussions should ever be public, even after 10 or 15 years. Coun. Mike Nickel put the privacy issue on the agenda, suggesting all private discussions should eventually become public and asking administration to come back with a list of policy options. He filed a two-page inquiry that Mayor Don Iveson ruled had to be entered as a motion. Council voted unanimously to accept it. Nickel also wants a policy to make council memos public, especially when they are a follow-up to a question asked at a public meeting. He also wants Edmonton to review its freedom of information process and add a review so redacted information can be released when it’s no longer sensitive. [Edmonton Journal]

CA – Canadian Researchers Who Commit Scientific Fraud Are Protected by Privacy Laws

78 Canadian scientists have fabricated data, plagiarized, misused grants, or engaged in dodgy scientific practices in projects backed by public funds, a Star analysis has found. But the publicly funded agency responsible for policing scientific fraud is keeping secret the details surrounding these researchers. The scientists’ names, where they worked and what they did wrong are not made public because that information is protected under federal privacy laws. “If you were going to be a fraudulent scientist or plagiarist, or you want to steal grant money, Canada is an excellent place to live,” said Amir Attaran, a professor in the faculties of law and medicine at the University of Ottawa. Making public the names of research wrong-doers and their transgressions, he said, would “keep scientists honest.” And because the agency doesn’t follow up with police, it’s not known if any of the researchers faced criminal charges. [The Star]

WW – Google Says Government Requests for User Data at All-Time High

Government requests worldwide for user data related to search engine traffic on Google increased 29% from 2014 to 2015, according to the search site’s most recent Transparency Report, which was published today. Google reports on the government requests every six months. In the second half of 2015, it said it received more than 40,000 requests for data related to more than 81,000 user accounts. That compares to the first half of the year, when Google received about 35,000 requests related to about 69,000 accounts. In the second half of 2014, Google received 31,140 requests from U.S. entities for user information related to more than 50,000 accounts. By far, the U.S. leads the world in government requests for data, followed by Germany with 11,562 requests. Google agreed to hand over “some” user data for 64% of the requests worldwide, but it handed over data for U.S. government requests 79% of the time. [ComputerWorld] Google’s latest transparency report shows record government data requests | How Google became a champion for government transparency.

Health / Medical

US – HHS: HIPAA Struggling to Keep Up with Health Apps, Wearables

A U.S. Department of Health and Human Services study found HIPAA is struggling to keep up with the growing number of wearable fitness trackers, mobile health apps and online patient communities. “Health privacy and security law experts have a reasonably clear idea of where HIPAA protections end, but the layperson likely does not,” said the HHS’ Office of the National Coordinator for Health Information Technology report. “Moreover, even entrepreneurs, particularly those outside the health care industry … may not have a clear understanding of where HIPAA oversight begins and ends.” The HHS report, which was originally due in 2010, does not offer any suggestions for filling the gaps in the legislation. “At the end of the day, it’s a very complicated environment that we find ourselves in,” said the ONC for Health Information Technology Chief Privacy Officer. “We believe we’re fulfilling our duties. If Congress has concerns about that, I’m sure that we will hear about them.” [ProPublica] [Morning Consult: US – Lawmakers Call for Privacy Safeguards in Health Apps, Wearables] [Health Data Management: US – Privacy, Security Concerns Continue to Cloud Mhealth’s Future]

US – NIST and ONC Host White Paper Challenge on Blockchain in Health Care

The Office of the National Coordinator for Health Information Technology and the National Institute of Standards and Technology have created a challenge asking for white papers on the potential benefits of blockchain technology in health care. The “Blockchain and Its Emerging Role in Healthcare and Health-related Research” asks for submissions addressing the “privacy, security and scalability of health records.” Submissions are accepted through Aug. 20, and winners will present their papers at an ONC and NIST workshop. [HealthITSecurity]

WW – Active Market for Healthcare Records Looms as Newest Cyber Threat

Offers to sell patient records with protected health information on the “Dark Web” market represent a new level of threat for healthcare organizations trying to protect health information, offering further monetary inducement to hackers trying to access records. The addition of a new potential for profiting from hacking could increase the “demand” side of the equation for records, increasing the likelihood of attacks and the need for healthcare organizations to stiffen defenses. In late June, a hacker known as “The Dark Overlord” reported the theft of nearly 10 million patient medical records from providers and a major insurer and put them on the Dark Web market where hackers buy and sell data taken from a variety of sources. The extent of the data theft has not been verified by outside sources. But what this hacker started—the creation of a new market for patient records—will only expand, cybersecurity professionals believe. OWL Cybersecurity said the information that is available is unencrypted plain text that includes usernames and passwords. It said the Dark Overlord reported the total includes 48,000 records from a provider in Farmington, Mo.; 210,000 records from a healthcare organization in the Midwest; 397,000 records from a provider in the Atlanta region; 34,000 records from a provider in New York State; and 9.3 million records from an unidentified insurer. Those figures have not been independently verified. [Info Management]

US – HHS Releases Healthcare Ransomware, HIPAA Guidance

According to new HIPAA guidance, ransomware attacks must be reported to the Department of Health and Human Services (HHS). The guidance “describes ransomware attack prevention and recovery from a healthcare sector perspective, including how HIPAA breach notification processes should be managed in response to a ransomware attack.” HHS has created a fact sheet to help covered entities keep ePHI secure and follow HIPAA regulations. Conducting a risk analysis, regular user training, and maintaining an overall contingency plan are just a few of the recommendations from the Department of Health and Human Services (HHS) in its recent healthcare ransomware and HIPAA guidance. The new guidance is meant to help covered entities and business associates reinforce their adherence to HIPAA regulations, and also better prevent, detect, contain, and respond to threats. Electronic data being compromised through cybersecurity threats, including ransomware, is one of the biggest current threats to the industry, Office for Civil Rights Director Jocelyn Samuels explained in a blog post. [HealthIT Security]

Horror Stories

CA – Doctor Fired for Unauthorized Access to Patient Files

Vitalité Health Authority has fired a doctor who accessed more than 100 sensitive medical records of young women. A New Brunswick College of Physicians and Surgeons notice said Dr. Fernando Rojas violated the ethics of the Canadian Medical Association and the College of Physicians and Surgeons. Vitalité CEO Gilles Lanteigne said processes are being implemented to prevent a similar breach from happening in the future. He said, “We put in place the systems where as we would receive red lights way sooner in the process, so that’s one thing we’ve learned,” adding, “The other thing is that the magnitude of the impact of the breach has on a person, you know, it really brought this to light how important that is.” [CBC] See also: [P.E.I. care home employee fired after photo of deceased resident shared on Snapchat]

CA – Phoenix Pay System Also Breached Federal Workers’ Privacy

A dysfunctional compensation system that’s withholding paycheques from federal workers has also been breaching their privacy. Newly released documents show senior officials were warned as early as Jan. 18 that the new Phoenix system has a flaw that allows widespread access to employees’ personnel records, including social insurance numbers. Despite the warning, the faulty software was broadly implemented this spring — without alerting the unions or any employees that their private details were no longer secure. The disclosure of a massive privacy breach appears in documents obtained by CBC News under the Access to Information Act, deepening a crisis that has already touched some 80,000 public servants and triggered a wave of hiring to patch the problems. The briefing material prepared by Public Services and Procurement Canada indicates that up to 70,000 public servants had access to the personal details of all 300,000 employees covered by the system. A spokeswoman for Canada’s privacy commissioner confirmed the department “has reported this matter to our office and we have followed up with them.” Valerie Lawton said she could provide no further details. [CBC]

Identity Issues

CA – OPCC Issues Guidance on Customer Identification and Authentication

The Office of the Privacy Commissioner of Canada has published updated guidance on identification and authentication of individuals. Organizations should only identify or authenticate customers when necessary (i.e. to fulfill the transaction), individuals should provide appropriate consent for the provision of personal information, and authentication levels (e.g. single-factor, multi-layer, or multi-factor) should be commensurate with the identified risks; reliable audit records should be maintained (including date, time, and failed authentication attempts), with the level of detail reflecting the associated risks. [OPC Canada – Guidelines for Identification and Authentication]
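The guidance above asks for two things an engineer can implement directly: an authentication level matched to risk, and an audit record for every attempt, failed ones included, with detail scaled to risk. The example below is added here and is not code from the OPC guidelines; the risk tiers, the per-tier field lists, the minimum-factor mapping, the review threshold and the sample events are all assumptions constructed for illustration.

```python
"""Risk-scaled authentication audit trail (added example, not OPC code).

Every identification or authentication attempt becomes one structured record;
failed attempts are kept alongside successes so that repeated failures against
an account can be reviewed later.
"""
import json
from datetime import datetime, timedelta, timezone

# Assumed risk tiers: the higher the tier, the more context each record carries.
RISK_DETAIL = {
    "low": ("timestamp", "user", "outcome", "method"),
    "medium": ("timestamp", "user", "outcome", "method", "factors", "source_ip"),
    "high": ("timestamp", "user", "outcome", "method", "factors", "source_ip", "user_agent"),
}

# Assumed minimum number of authentication factors per risk tier.
MIN_FACTORS = {"low": 1, "medium": 1, "high": 2}


def auth_level_adequate(risk_tier, factors_used):
    """True when the number of factors used meets the assumed minimum for the tier."""
    return factors_used >= MIN_FACTORS[risk_tier]


class AuthAuditLog:
    """Keeps one record per attempt; only the fields for the tier are serialised."""

    def __init__(self, risk_tier="medium"):
        if risk_tier not in RISK_DETAIL:
            raise ValueError(f"unknown risk tier {risk_tier!r}")
        self.risk_tier = risk_tier
        self.records = []  # list of (datetime, record dict)

    def record(self, user, outcome, method, factors=1, source_ip=None, user_agent=None, when=None):
        """Store the attempt and return it as a JSON line suitable for a log sink."""
        if outcome not in ("success", "failure"):
            raise ValueError("outcome must be 'success' or 'failure'")
        when = when or datetime.now(timezone.utc)
        full = {
            "timestamp": when.isoformat(),
            "user": user,
            "outcome": outcome,
            "method": method,
            "factors": factors,
            "source_ip": source_ip,
            "user_agent": user_agent,
        }
        entry = {key: full[key] for key in RISK_DETAIL[self.risk_tier]}
        self.records.append((when, entry))
        return json.dumps(entry, sort_keys=True)

    def failed_attempts(self, user, window, now):
        """Count failed attempts for `user` in the `window` ending at `now`."""
        start = now - window
        return sum(1 for when, e in self.records
                   if e["user"] == user and e["outcome"] == "failure" and start <= when <= now)

    def accounts_over_threshold(self, window, threshold, now):
        """Users whose failures in the window reach `threshold` (assumed review trigger)."""
        users = {e["user"] for _, e in self.records}
        return sorted(u for u in users if self.failed_attempts(u, window, now) >= threshold)


def demo():
    """Constructed sample: three failures for alice in five minutes, one for bob."""
    log = AuthAuditLog("high")
    t0 = datetime(2016, 7, 13, 9, 0, tzinfo=timezone.utc)
    ua = "ExampleUA/1.0"  # constructed user agent string
    log.record("alice", "failure", "password", 1, "203.0.113.5", ua, t0)
    log.record("alice", "failure", "password", 1, "203.0.113.5", ua, t0 + timedelta(minutes=1))
    log.record("alice", "failure", "password", 1, "203.0.113.5", ua, t0 + timedelta(minutes=2))
    log.record("bob", "failure", "password", 1, "198.51.100.9", ua, t0 + timedelta(minutes=3))
    log.record("bob", "success", "password+otp", 2, "198.51.100.9", ua, t0 + timedelta(minutes=4))
    return log.accounts_over_threshold(timedelta(minutes=10), 3, t0 + timedelta(minutes=5))


if __name__ == "__main__":
    print(demo())  # ['alice']
```

The per-tier field lists are the knob that makes "level of detail reflecting associated risks" concrete: a low-risk flow records only who, when and the outcome, while a high-risk flow also keeps the source address and client so that a run of failures can be investigated.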

Law Enforcement

US – Boston Police Body Camera Pilot Program Raises Privacy Questions

A group of 100 Boston Police officers will soon volunteer to take part in a six-month pilot program that would explore the use of body cameras by the department, the mayor’s office announced last week. The program incorporates recommendations from several privacy and police accountability groups that they believe balance privacy with improving department transparency. The ACLU, along with the Boston NAACP and the Boston Police Camera Action Team, praised the Boston Police Department for incorporating recommendations it felt balanced civilian protection with improving transparency in police interactions with the public. Those include a requirement that officers activate the cameras when engaged in most “potentially adversarial” encounters with the public; privacy protections for those in homes or other sensitive situations with an expectation of privacy; an explicit ban on using the cameras to record civilians based only on their “political or religious beliefs or upon the exercise of the civilians’ First Amendment rights;” and a ban on any kind of biometric capabilities in the camera — including face recognition technology. [Source]

US – Taser Plans to Livestream Police Body Cam Footage to the Cloud by 2017

Could police officers someday identify criminals just by looking at them? That’s the vision being touted by Taser International, which holds a monopoly on “conducted electrical weapons” for law enforcement and is aiming to build one for police body cameras. Facial recognition has been part of Taser’s plan. It’s been mentioned in Taser press releases as far back as 2009. In 2010, a Taser spokesman told GQ that Axon would turn “every cop [into] RoboCop.” “You’ve already got the ability to use cameras to tap into databases to find the license plates of stolen vehicles and overdue parking tickets,” said Stan Ross, CEO of Digital Ally, one of a growing number of companies fighting for market share in the fast-growing body camera industry. The business case for facial recognition is obvious. Cops and police chiefs who are aware of facial recognition “are really excited to try it.” Robert Vanman of WatchGuard—another body camera competitor—had similar thoughts. “In regards to facial recognition, WatchGuard will certainly be deploying that technology in the future,” he said. “We are the clear technology leader in hardware, and we plan to keep it that way.” But Vanman brought the discussion down to earth. “Facial recognition will require enough pixel resolution to be effective (to get good recognition results the image needs to contain about 50 pixels between the eyes),” he wrote. “To run facial recognition algorithms in real time will require substantial processing power and an on-camera database (which will require frequent updating). Those elements work against the battery life needs.” So there are practical challenges—video resolution that isn’t yet crisp enough; and battery life that isn’t yet long enough. Not to mention that some police departments can’t even get decent enough internet speeds to download their body cam footage to in-house servers, let alone livestream them to the cloud. [Motherboard]

Online Privacy

US – Nobody Reads Terms of Service, Privacy Policies: Study

A new study found that nearly three-quarters of the 543 university students surveyed skipped over the terms of service of a social media site they thought was real. The researchers had included clauses, which the users agreed to, stating that they had until 2050 to give up their firstborn and that their data would be shared directly with the U.S. National Security Agency. The paper, titled “The biggest lie on the Internet: Ignoring the privacy policies and terms of service policies of social networking services,” was written by York University communication technology professor Jonathan Obar and University of Connecticut communications assistant professor Anne Oeldorf-Hirsch. The few who did read the terms of service and the privacy policy spent, on average, 51 seconds and 73 seconds on each respectively. [Ars Technica] [PC World]

Privacy (US)

US – Court: U.S. Agents Can’t Access Data Held On Overseas Computers

Microsoft Corp. won a major legal battle with the U.S. Justice Department Thursday when a federal appeals court ruled that the government can’t force the company to turn over emails or other personal data stored on computers overseas. The case, closely watched by Silicon Valley, comes amid tensions between Europe and the U.S. over government access to data that resides on the computers of social-media and other internet companies. The ruling is another setback for the Justice Department’s efforts to force technology companies to comply with government orders for data, following the collapse earlier this year of two cases involving Apple Inc.’s refusal to help open locked iPhones. The ramifications of Thursday’s ruling by the Second U.S. Circuit Court of Appeals in Manhattan could be sweeping. If the appeals court’s legal rationale stands, it could influence companies’ and their customers’ decisions about how and where to store data. It also alters the course of talks between the U.S. and other governments, in terrorism and criminal cases, about access to evidence stored in servers on foreign soil. In a statement, Microsoft President and Chief Legal Officer Brad Smith called the decision “a major victory for the protection of people’s privacy rights under their own laws, rather than the reach of foreign governments.” [Wall Street Journal]

US – US Plans Would Allow Foreign Gov’ts to Serve Warrants on US Tech Firms

In the wake of last week’s U.S. court decision in the Microsoft warrant case, the Justice Department plans to secure a series of international agreements with certain countries that would allow them to serve warrants on U.S. internet companies. Justice Department senior official Brad Wiegmann said the deals would allow governments — for example, the U.K. — to serve warrants directly on U.S. companies. Such an arrangement between the U.S. and U.K., however, would require legislative approval from both nations. “These agreements will not be for everyone,” Wiegmann explained. “There will be countries that don’t meet the standards.” The Center for Democracy & Technology’s Greg Nojeim expressed concern about the plan, noting it would be “swapping out the U.S. law for foreign law,” arguing the U.K. has less robust warrant requirements. A British diplomat disputed Nojeim’s assessment, stating the U.K. would apply strict judicial scrutiny of such warrants. [The Wall Street Journal]

US – Appeals Court Rules Mugshots Do Not Need Public Release

The 6th U.S. Circuit Court of Appeals ruled mugshots do not need to be released to the public, but instead can be reviewed on a case-by-case basis. The hearing was held en banc, with a 9-7 vote in favor of the notion that arrested individuals have a privacy interest in not having their mugshots publicized, overturning a decision the same court made in 1996. Judge Deborah Cook said booking photos fall under the Freedom of Information Act exemption criteria 7(c), which covers potentially “embarrassing” personal information. “Booking photos — snapped ‘in the vulnerable and embarrassing moments immediately after [an individual is] accused, taken into custody, and deprived of most liberties’ — fit squarely within this realm of embarrassing and humiliating information,” Cook wrote. The Detroit Free Press may ask the Supreme Court for further review. [Courthouse News Service]

US – Precedent Set for Stingray-Gleaned Evidence

In a first-of-its-kind ruling, U.S. District Judge William Pauley has decided that the U.S. Drug Enforcement Administration’s use of stingrays when collecting evidence against defendant Raymond Lambis was a violation of his rights. Agency officials had used the device to determine the location of Lambis’ cellphone for a drug-trafficking case, evidence that Judge Pauley suppressed. “Absent a search warrant, the government may not turn a citizen’s cellphone into a tracking device,” Pauley said in his decision. The third party doctrine does not apply; cell phone users do not voluntarily submit their location data to their provider, and there is no third party (with the cell-site simulator, the government cuts out the provider and obtains the information directly). The ACLU hailed the move as one that “strongly reinforces the strength of our constitutional privacy rights in the digital age.” While the prosecutors can pursue an appeal, they have not yet moved to do so, the report states. [Reuters: Precedent Set for Stingray-Gleaned Evidence] [United States of America v. Raymond Lambis – 2016 U.S. Dist. LEXIS 90085 – United States District Court For The Southern District Of New York]

Security

WW – Ponemon Study: Companies Lack Resources to Spot Cyberattacks

According to a report from the Ponemon Institute, nearly 80% of businesses say they do not have sufficient infrastructure or personnel to monitor for and defend their networks against cyberattacks. Only 17% say they have established formal, company-wide intelligence gathering processes. [ZDNet]

UK – UK ICO Issues Basic Security Guidance on Baby Monitors

Two years after it was revealed that a creepy Russian website was allowing users to watch more than 73,000 live streams from unsecured baby monitors, the UK’s data watchdog has warned that manufacturers still aren’t doing enough to keep their devices safe from hackers. The privacy breaches have prompted the ICO to issue guidance to help users guard against opportunistic hackers, and against people using the murky likes of the Shodan search engine to browse the Internet of Things. The ICO lists six basic steps parents can take to help prevent casual hackers:

  • Research the most secure products
  • Secure your router with a strong password
  • Secure the device by changing its default password
  • Check manufacturer’s websites for security updates to out-of-the-box software
  • Read the manual to see if there are extra measures listed
  • Use two-step authentication, if you can

The ICO declined to name any of the sites where streams are available, but a spokesperson said that “you can connect to these devices directly, so there’s no intermediary website as such.” [Ars Technica]

Surveillance

US – FAA Drone Bill Drops Key Privacy Provisions

A Federal Aviation Administration reauthorization bill that was passed by the Senate this week has excluded key privacy provisions, including a requirement that commercial and government users of drones must disclose if they collect personally identifiable information of a person. The provisions would put checks on the collection of personal data by drone operators, including the government. The bill passed this week would prohibit drones from interfering with emergency response activities, such as wildfire suppression and law enforcement, and provides for civil penalties of not more than US$20,000 for those found in violation. Drones are also to be used for firefighting and restoration of utilities. The bill, which is a compromise short-term extension to ensure continued funding at current levels to the FAA, was passed by the Senate and goes to President Barack Obama to be signed into law, two days before the current authorization is to expire. It was earlier passed by the House of Representatives. But Senator Edward J. Markey, a Democrat from Massachusetts and a member of the Commerce, Science, and Transportation Committee, said that the new bill, called the FAA Extension, Safety, and Security Act of 2016, was “a missed opportunity.” It does not include drone privacy provisions that he authored and were included in the Senate version of the FAA reauthorization bill that passed in April this year, the senator said in a statement. [PC World]

US Legislation

US – Legislative Roundup

+++
