21-28 July 2016


CA – The RCMP is Trying to Sneak Facial and Tattoo Recognition into Canada?

In November of 2015, the Royal Canadian Mounted Police had a problem. At the time, the US FBI had been using its massively controversial database of biometric information—photos of people’s faces, tattoos, iris scans, and more—at “full operational capacity” for about a year. The RCMP, on the other hand, was stuck with a national fingerprint database that didn’t allow officers to scan and search people’s faces or other body parts. Canada’s federal police force was falling behind its southern counterpart. The RCMP had “no authority” to support new capabilities for its nationwide Automated Fingerprint Identification System, or AFIS, according to an internal presentation from November 24 of 2015 obtained through an access to information request. Still, the police felt a pressing need to improve “interoperability with international partner systems”—in other words, to make sure their system meshed with what police in other countries were doing—but lacked an opportunity to do so. Undeterred, the RCMP went ahead and began working to procure a new AFIS system that could analyze and capture faces, fingerprints, palm prints, tattoos, scars, and irises—all without clear authorization or approval by the country’s federal privacy watchdog, or even a plan to implement it.  So, yeah, the RCMP is trying to bring biometric identification to Canada without anybody noticing. “There are no immediate plans to use facial recognition features,” RCMP spokesperson Annie Delisle wrote. “The priority for the RCMP is to replace AFIS. Once the new AFIS is operational, the RCMP may consider the use of facial recognition features.” According to Delisle of the RCMP, “There is currently no RCMP policy with regards to the use and retention of facial recognition images. In the event a new service requirement is identified in the future, consultation with the Office of the Privacy Commissioner of Canada would first be initiated.” The OPC has not received any privacy impact assessments from the RCMP relating to the use of facial recognition technology, an OPC spokesperson said. “[Motherboard]

WW – Snapchat Turns Facial Recognition Technology on its Head

While facial recognition technology is often criticized for invading people’s privacy, smartphone messaging company Snapchat is looking at how it can use the same technology to enhance the privacy of its users. Snapchat has filed a patent for a technology that automatically modifies a photo and restricts its distribution according to the privacy settings of the photo’s subjects. Facial recognition is very different to the object recognition used in Snapchat lenses. Object recognition simply uses algorithms to understand the general nature of objects within a photo so users can add real-time special effects and sounds to them. With a new facial recognition feature, Snapchat users would be able to dictate how and where images of them are displayed. Here’s how it would work:

  1. You take a photo.
  2. Snapchat scans it to work out if any of the faces belong to its users.
  3. If any do, it checks their privacy settings.
  4. Their face or body would be altered according to their privacy setting.
  5. The modified image would then be shared according to the subjects’ privacy settings.

For facial recognition to work, Snapchat would need to store images of all users that sign up to the feature – as a reference image to compare photos against. [Source]

Big Data

AU – OAIC Asks for Public Comment on Big Data Draft Guide

The Office of the Australian Information Commissioner is looking for public comment on a draft guide on big data. The OAIC Draft Guide aims to assist big data activities across public and private sectors, while ensuring personal information is protected under the Australian Privacy Principles. In order to have a balance between big data use and privacy protection, the Draft Guide advises APP entities to “introduce a holistic approach of ‘privacy by design’ to embed privacy protection in their cultures, practices, processes, systems and initiatives; conduct privacy impact assessments as part of their risk management and planning processes; and consider whether de-identified information can be used before undertaking any big data activities involving personal information.” The Draft Guide also mentions big data privacy issues, including notice and consent, retention minimizations, and use limitations. [Image & Data Manager]

WW – Victoria Commissioner Tapped for UN Big Data Study

Joe Cannataci, U.N. special rapporteur for privacy, has asked Victoria, Australia, Privacy Commissioner David Watts to lead a study looking at big data and open data and how they affect the right to privacy globally. According to the report, the study “will seek to bed down a globally recognized definition of big data, plus a list of its benefits, risks, and the kinds of management frameworks that could be endorsed as best practice on the international stage.” Watts will remain in his capacity in Victoria during the study. A report will be delivered to the U.N. General Assembly in October 2017. [iTnews]


CA – OPC/OIC Releases Annual Reports on the Privacy Act

The Office of the Privacy Commissioner of Canada has published its annual reports on the privacy and the access to information acts. Both the short reports are short (22 pages0 and provide overviews of the OPC mandate, governance structure and activities, with statistical breakdowns and charts. [2015-16 Annual Report to Parliament on the Privacy Act | PDF] [2015-16 Annual Report to Parliament on the Access to Information Act | PDF]

CA – OPC Announces Funding for 2017 Privacy Research Symposium

The Office of the Privacy Commissioner of Canada (OPC) has issued a call for proposals seeking applicants to organize and host the next research symposium in the Office’s Pathways to Privacy series. The OPC is inviting academic institutions and not-for-profit organizations, including industry associations and trade associations, eligible under its Contributions Program to submit proposals to organize and host an event to be held between January 15 and March 31, 2017. The proposed event should put a strong emphasis on innovation, in terms of both format and themes. The content should prominently feature previously funded projects under the Contributions Program and address one or more of the OPC’s privacy priorities: Economics of Personal Information, Government Surveillance, Reputation and Privacy, and Body as Information. The goal of the Pathways to Privacy series is to expand the reach and application of existing privacy research and knowledge translation projects, so that more people can benefit from this work. It also promotes and encourages a dialogue between the people who do privacy research and those who can apply it in the private or public sectors. There is a maximum of $50,000 available for this initiative. Eligible organizations must submit proposals in accordance with the established parameters, as outlined in the Applicant’s Guide, by August 15, 2016.

CA – Annual Report On CSE Activities Begins in Parliament

The Annual Report of the Communications Security Establishment Commissioner began in Parliament. The Honourable Jean-Pierre Plouffe’s report reviews the CSE’s activities to determine if the organization complied with Canadian law and protected the privacy of Canadian citizens. “Transparency continues to be a cornerstone of my approach, to inspire better informed public discussion and maintain confidence in the work of CSE. As such, I am committed to providing as much explanation as possible with respect to my investigations,” Plouffe said. “I have continued to encourage CSE to make as much information public as possible.” [Yahoo]

CA – New Privacy Commissioner of Newfoundland and Labrador Named

The provincial government of Newfoundland and Labrador named Donovan Molloy as its new information and privacy commissioner. A St. John’s lawyer and former assistant deputy justice minister, Molloy replaces former commissioner Ed Ring, who retired in June. “I am confident that his leadership abilities, senior executive experience and extensive legal background will serve the office well,” said Speaker Tom Osborne. The provincial government announced the new appointment Thursday and said Molloy officially takes over the position July 22. [CBC News]

CA – Overview of Proposed National Security Laws

A few weeks ago, the government of Canada introduced three bills in Parliament dealing with national security issues. One bill proposes a new National Security and Intelligence Committee for greater oversight of the intelligence community and the other proposals aim to continue strengthening Canada-U.S. cooperation at the border. Timothy Banks writes for Privacy Tracker about these bills, including the authority of the proposed committee and whether the new legislation will set the stage for expanded biometric screening of individuals heading from Canada into the U.S. [Privacy Tracker]

CA – Toronto Real Estate Board Gets Extension On Sales-Data Deadline

Canada’s Federal Court of Appeal has granted the country’s largest real estate board temporary relief from an impending deadline to make home-sales data more widely available online. In a decision published on the court’s website, Appeal Justice Mary Gleason ruled that the Toronto Real Estate Board would not be required to meet an Aug. 3 deadline issued by Canada’s Competition Tribunal to make data such as a home’s selling price available to the public over the Internet. In April, the Tribunal ruled that the real estate board’s restrictions on how its members share electronic home-sales data from the Multiple Listings Service was stifling competition and innovation in the Greater Toronto Area’s resale housing market. Under TREB’s existing rules, realtors were free to share details about the housing market with their individual clients, but were not allowed to publish such data in bulk on publicly accessible websites. [Source]

CA – Sask Updating FOIP & LAFOIP: Bills 30 and 31 Amendments

At a June 28 news conference presenting his 2015-16 annual report, Saskatchewan privacy commissioner Ronald Kruzeniski said he was pleased the government was updating the acts. “The first reason is because of the time since they were last amended, which is way too long for any legislation to not be looked at,” said Kruzeniski. “Secondly, we made proposals, and a good number, but not all, have shown up in the proposed amendments.” Maybe it’s a remnant of Saskatchewan’s old “party line” tradition where neighbours used to listen in on each other’s calls on shared phone lines, but as a province, our privacy and access to information track record is not good. IPC Kruzeniski flagged several amendments as highlights in Bill 30 and 31, including a duty to assist. “A public body has an obligation when an access request comes in to deal with it openly, accurately and completely,” he said. “Other provinces have this duty, and I’m pleased to see it’s there. My hope is that by public bodies communicating with those who request information that the issue gets solved so fewer people have to launch appeals with our office.” The amendments also introduce a duty for public bodies to report any breaches that occur so the affected party can take protective action, and broaden the definition of “employee” to include consultants and contractors who work for public bodies on service contracts. Considering how much outsourcing there is these days, that’s a no-brainer. [Source]


US – State Supreme Court to Consider the Privacy of Government Metadata

Noah Feldman examines the role metadata plays when determining the privacy rights of the government and the public based on a lawsuit currently in front of the New Jersey Supreme Court. The case was brought by Open Government Advocacy Project Chairman John Paff, who has demanded the email logs — their metadata, not content — of government officials under New Jersey’s Open Public Records Act. According to Feldman, the “lawsuit in effect asks: if metadata isn’t that private, why not give the public access to the government’s records of who contacted whom, and when?” In defense of the government, lawyers have essentially echoed concerns of privacy advocates, stating that metadata reveals a lot about an individual and “would compromise confidentiality.” Privacy advocates have long called for more metadata protections for citizens. Feldman notes that the public shouldn’t get the metadata of government officials because of how much is revealed, but adds, “the police have something like the same privacy interests in their communications metadata that you and I should have in ours.” [Bloomberg View]

US – OMB Now Requires Privacy Head, Training, PIAs for All Agencies

The Office of Management and Budget will release on July 28 in the Federal Register an update to Circular A-130, a document that regulates how the federal government manages its information, the White House said in a press release. “Today’s update to Circular A-130 gathers in one resource a wide range of policy updates for federal agencies regarding cybersecurity, information governance, privacy, records management, open data, and acquisitions,” the release states. Most interesting for privacy professionals, the new regulations now require every federal agency to appoint a senior agency official for privacy, provide privacy training, conduct PIAs, maintain an inventory of PII, and actively limit the collection, use, storage, and processing of PII. [WhiteHouse.gov]


CA – CRTC Enforcement Advisory: Remember, You Must Have Records To Prove Consent

The CRTC has issued an enforcement advisory to both businesses and individuals that send commercial electronic messages (CEMs) to keep records of consent. The CRTC reminded senders of CEMs that section 13 of Canada’s anti-spam legislation (CASL) places the onus on the sender to prove they have consent to send every single CEM. The advisory made a point to note the CRTC has observed businesses and individuals unable to demonstrate they have obtained consent before sending CEMs. Failure to meet record keeping requirements has been alleged in recent CRTC enforcement decisions against organizations. However, today’s enforcement advisory may suggest the CRTC is finding record keeping to be a widespread concern, warranting this advisory. Record keeping is one of the most contested provisions under CASL as the financial, organizational and technical burden weighs on senders to meet the high record-keeping standards set by the CRTC. Having the record keeping requirements on the CRTC’s radar adds further urgency to ensure a sender’s compliance program is sufficient. The CRTC emphasized in its advisory that good record-keeping practices can assist senders establish a due diligence defense in the case of a violation under CASL. Violations of CASL may result penalties of up to CAD $1,000,000 for individuals, and up to CAD $10,000,000 for organizations. [Source] [CRTC’s guidelines to help develop a corporate compliance program.]

US – Court Orders Yahoo to Explain Email Access in Drug Trafficking Case

Magistrate Judge Maria-Elena James has requested Yahoo explain how it accessed emails that were thought to be deleted for use in a case against a U.K. drug trafficker. The plaintiff “claims Yahoo circumvented British law and included four ‘snapshots’ of content from the email account,” as he never actually sent an email through the service, the report states. While “Yahoo claims the ‘snapshots’ were files created by the company as part of its email autosave feature, which keeps versions of email drafts on its email server for ‘periodic intervals,’” the attorney maintains that Yahoo broke British surveillance law. Yahoo must respond to the court order by Aug. 31. [Threatpost]

WW – Yahoo Still Retains a Copy of Your Emails After They Are Deleted From Your Inbox

Yahoo’s ‘auto-save’ feature saves a copy of emails even after they have been deleted from Trash and Draft. A judge is now demanding that Yahoo explicitly define how it is able to retrieve deleted emails. The email provider is ordered present a witness and provide documents on how the email retention system works, as well as a copy of the software’s source code and instruction manuals used by Yahoo staff on how to retrieve the emails. Yahoo has argued that it is able to recover the emails via its “auto-save” feature, which creates snapshots of an email account preserving its contents at a certain date, and that it provided law enforcement with four snapshots from the Yahoo account used by Knagg and his accomplice. [IBTimes]

Electronic Records

UK – Government Consults on Data Security Standards and Data Sharing in the Health Sector

On 6th July, the UK Government published two independent reviews concerning data security and data sharing in the health and care system in England. At the same time the UK Government launched a public consultation on proposals resulting from these reviews. The public consultation will be of interest to organisations that regularly interact with the public health sector in the UK and in particular to those organisations that rely on access to health data from the NHS for research purposes. The two independent reviews are the:

  • Care Quality Commission review of data security in the NHS; and
  • Dame Fiona Caldicott’s (who is the National Data Guardian for Health and Care) review of data security, consent and opt-outs (the ‘Caldicott Report’).

The Care Quality Commission is the independent regulator of health and social care in England and is responsible for ensuring health and social care services are safe and effective through its monitoring and inspection activities. In its report examining data handling within the health sector, the CQC’s findings indicated that the main areas of concern are leadership, behaviours and systems. Accordingly, the CQC recommendations focus on senior leadership, staff training and support, patient-designed IT systems, audits and external validations as well as ensuring that the proposed new data security standards come within the CQC’s monitoring remit. The Caldicott Report acknowledges that the public still finds the data sharing model within the health sector confusing and that the case for data sharing still needs to be made to the public. At the heart of the proposals for data sharing are the principles of transparency and control. In other words, giving individuals clearer information on how their personal data can be used and a greater degree of control through a new consent/opt-out model. [Source]

EU Developments

EU – Article 29 Working Party Releases ePrivacy Directive Opinion

The Article 29 Data Protection Working Party has released its opinion on the evaluation of the ePrivacy Directive. “The Article 29 Working Party (WP29) supports the European Commission’s recognition of the need to have specific rules for electronic communications in the EU,” the opinion read. The Article 29 opinion also discussed how the ePrivacy Directive must not undermine the General Data Protection Regulation. “The revised ePrivacy instrument should keep the substance of existing provisions but make them more effective and workable in practice, by extending the scope of the rules on geolocation and traffic data to all parties, while simultaneously introducing more precisely defined conditions that take the intrusiveness of the processing of communication data to the private life of users thoroughly into account,” the group states. [EU Opinion]

EU – EDPS Publishes ePrivacy Directive Opinion

European Data Protection Supervisor Giovanni Buttarelli has expressed favor for strong encryption and against the use of backdoors within the revised ePrivacy law in his published opinion on the ePrivacy Directive on July 25. “Decryption, reverse engineering or monitoring of communications protected by encryption should be prohibited,” Buttarelli wrote. “In addition, the use of end-to-end encryption should also be encouraged and when necessary, mandated, in accordance with the principle of data protection by design.” He also maintained that the law’s encryption protections should include over-the-top service providers in addition to “publicly available electronic communication services,” the report states. [Ars Technica]

EU – Article 29 Working Party Issues Statement on Privacy Shield

The official group of the EU’s data protection authorities, the Article 29 Working Party, issued a statement on the EU-U.S. Privacy Shield. Though they commend the European Commission and U.S. Department of Commerce, the group still has concerns, particularly with regard to a lack of clarity on automatic decisions in the commercial sector and access by government authorities to EU citizens’ data. “The first joint annual review will therefore be a key moment for the robustness and efficiency of the Privacy Shield mechanisms to be further assessed,” the document states. Significantly, WP29 said the results of the first joint review “regarding access by U.S. public authorities to data transferred under the Privacy Shield may also impact transfer tools such as Binding Corporate Rules and Standard Contractual Clauses.” The group said in the intervening year it will commit to “proactively and independently assist data subjects” and work to provide guidelines to data controllers as to their obligations under Shield. [Europa] [A29WP promise one-year moratorium on Privacy Shield litigation]

EU – CNIL Formally Orders Microsoft to Limit Windows 10 Data Collection

The French data protection authority, the CNIL, has formally ordered Microsoft to alter the data collection practices in its Windows 10 operating system within the next three months, according to an official CNIL press release. Between April and June 2016, the CNIL “carried out seven online observations” and queried the company on “certain points of its privacy policy to check that Windows 10 complied with the French Data Protection Act,” the release states. The formal notice applies to France only, the CNIL points out, noting that other European data protection authorities are still conducting their own investigations. The CNIL also points out that “formal notices are not sanctions and no further action will be taken if the company complies with the Act” within the three months allotted. Microsoft VP and Deputy General Counsel David Heiner said it will work with the CNIL to fully understand the regulator’s concerns and “to work toward solutions that it will find acceptable.” [CNIL.fr]

Facts & Stats

WW – 75% of US Firms Have Failed to Detect Breach: Ponemon Study

Nearly two-thirds (60%) of US firms believe some of their data is now in the hands of a competitor because of a breach, according to a new study from Ponemon Institute. These “knowledge assets” could include profiles of high-value customers, product design, development and pricing, pre-release financial reports, strategic plans, and confidential information about existing relationships or anticipated transactions, according to the report. In fact, three-quarters (74%) of the 600 respondents to the study, carried out on behalf of law firm Kilpatrick Townsend, claimed that their firm had failed to detect a breach involving such assets. [Infosecurity Magazine]


WW – Microsoft Approved 63% of Revenge-Porn Takedown Requests

Within six months of instituting a revenge-porn removal policy, Microsoft received 537 content removal requests from around the world, approving 63% of them, Microsoft reports in a blog post. The rest were denied, mainly because the content was not deemed revenge porn. The company added that it wanted to make the process continually easier for victims to report abuse. Meanwhile, Microsoft has announced it will adopt the EU-U.S. Privacy Shield, Out-Law.com reports, while company President and Chief Legal Officer Brad Smith discusses Microsoft’s recent win in the Irish data-storing appeals case in an interview with The Washington Post. [Full Story]


WW – Audit: Every Piece of Sensitive Data Could Have 1,000 Unnecessary Copies

An Identity Finder audit conducted at a multinational manufacturer, university, and health care tech company claims that unmanaged sensitive data will “will create up to 1,000 unnecessary copies.” It also found that for every accessor of unmanaged sensitive data, “up to 100 additional users will have access to it,” the audit states. Identity Finder CEO Dr. Jo Webber urged companies to identify their sensitive data and “start taking control by automatically classifying it according to [their] rules and policies.” This “should be able to remove extra, unneeded copies; stop additional spread at the time of creation; and apply appropriate controls and protection over needed copies,” she said. [Network World] [Betanews] See also: Study reveals security gap in big data projects

Health / Medical

WW – Concerns Raised and Addressed About Health Research Apps

Privacy concerns have been raised regarding apps created using Apple’s relatively new ResearchKit, which connects health researchers with patients willing to provide data for studies, often collected via the iPhone’s various sensors. GlaxoSmithKline, for example, has released a new arthritis study that gets 300 patients to do wrist exercises and record their experiences. The article raises concerns about re-identification of anonymous data, and the company doing much of the anonymizing is clear that perfect de-identification is virtually impossible. There is also some concern from a bioethicist about how informed the consent is, given a nine-page pdf in 12-point font explains data use, though a GSK spokeswoman’s response added as an update seems to address that concern. Finally, there is a question as to whether the for-profit ethical review board is appropriate for the app’s creation, though another update makes clear that GSK also conducted two separate internal reviews. [Gizmodo]

WW – Apple’s Health Experiment Is Riddled With Privacy Problems

Pharmaceutical giant GlaxoSmithKline (GSK) has partnered with Apple on a new clinical study on rheumatoid arthritis. The study relies on an iPhone app to collect data about arthritic symptoms from users as they go about their daily lives. That sounds great at first glance, but how well will it protect your privacy? The app was built by the London-based GSK using Apple’s ResearchKit, an open source software framework to transform your iPhone into a handy diagnostic tool for clinical studies. Launched last year, ResearchKit is designed to make it easier for medical researchers to access data about millions of potential subjects. As Lifehacker’s Alan Henry wrote at the time, “The platform aims to give anyone with an iOS device the opportunity to participate in medical research, join programs that can help them track their symptoms, or share information with their doctors.” So far there are just a handful of ResearchKit apps tied to clinical studies, but the GSK partnership is the first time Apple has joined forces with a major drug company. The Patient Rheumatoid Arthritis Data from the Real World (PARADE) study will use its app to track the mobility of over 300 participants suffering from rheumatoid arthritis, including information on their level of joint pain, fatigue, and changing moods. No drugs are being tested. Rather, the app guides users through a simple wrist exercise, with the iPhone’s built-in sensors recording data from that motion. That data may help Glaxo design better clinical trials in the future. [Source]

US – ProPublica Publishes Hundreds of OCR Closing Letters

Investigative news outlet ProPublica is releasing hundreds of closing letters issued to providers by the U.S. Department of Health and Human Services’ Office for Civil Rights. When the OCR fines a company for violating HIPAA, it issues a press release with details, but, the report points out, the agency sends thousands of letters per year to providers to resolve complaints about possible HIPAA violations. The letters tend to remind providers of legal requirements and provide advice on how to ameliorate any issues they have uncovered. Though the OCR could make such letters public, it chooses not to. “As part of its examination into the impact of privacy violations on patients,” the report states, “ProPublica has posted about 300 of these ‘closure letters’ in our HIPAA Helper tool.” The goal is to allow users to “review the details of these cases and track repeat offenders.” ProPublica said it obtained the letters through Freedom of Information Act requests. [ProPublica]

Horror Stories

US – Medical Center Settles With OCR For $2.75M After 2013 Breach

The University of Mississippi Medical Center has agreed to pay the Department of Health and Human Services’ Office for Civil Rights $2.75 million after a laptop theft in 2013 put data of 10,000 patients at risk, the Hattiesburg American reports. While the information was allegedly not accessed or disclosed, an OCR investigation found the medical center had known about lax security standards since 2005, the report states. “We have learned from this experience and are working hard to ensure that our information security program meets or exceeds the highest standard,” said Vice Chancellor for Health Affairs Dr. LouAnn Woodward in statement. The UMMC will further commit to an OCR-sanctioned three-year HIPAA corrective program, as per the settlement. [Full Story]

WU – Five Million Danish ID Numbers Sent to Chinese Firm

The Danish Data Protection Agency (Datatilsynet) said that the CPR numbers of 5,282,616 people were mistakenly delivered to the Chinese Visa Application Centre, a Copenhagen-based Chinese company. The CPR numbers and health information of 5.3 million residents was sent to a Chinese company. If you lived in Denmark between 2010 and 2012, it’s almost certain that your personal identification number (CPR number) and health information ended up in the hands of a Chinese company. SSI acknowledged that “we are talking about sensitive personal data of a very extensive character and it cannot be ruled out that it could have had concrete consequences for the affected individuals if the information had actually reached unauthorized individuals”. [The Local Denmark]

Identity Issues

UK – Govt Tests Whether ‘Online Activity History’ Can Serve to Verify Identity

The UK government has tested whether internet users’ “online activity history”, including data from social networks, can be used to verify their identity when they use online public services. Under the Verify system, individuals using government online services choose a certified ID assurance provider with which to verify their identity. This involves answering security questions and entering a unique code sent to an individuals’ mobile number, email address or issued in a call to their fixed-line telephone number. [Out-Law]

WW – Spotify Sharing Data on 70M Users for New Marketing Initiative

The Christian Science Monitor reports on Spotify’s plan to incorporate user data in a new personalized marketing initiative. The streaming music service will use the data collected on its 70 million free subscribers to generate targeted, automated advertising. The data will integrate users’ age, gender, location, music preferences and behavioral habits, allowing advertisers to send ads to specific demographics. The new process will allow advertisers to buy ads in real time, a major step in digital advertising, the report states. However, Spotify’s new method will be examined by concerned privacy advocates. “If, as advertisers claim, consumers are truly interested in receiving targeted ads, then they can affirmatively choose to do so, but the default is set the other way around because advertisers know that many people will not want to agree to that,” said Consumer Federation of America Director of Consumer Protection and Privacy Susan Grant. [Full Story]

SG – PDPC Releases Guidelines for Personal Data Removal Techniques

Singapore’s Personal Data Protection Commission delivered new guidelines to businesses for disposing personal information. The guidelines state papers that reveal personal information must be shredded in at least two different directions, and cannot be placed in unsecured dumpsters. The commission also said data stored on electronic devices such as hard disks, USB drives or DVDs need to be deleted using specialized software to avoid data leaks. The guidelines come as the commission and the Monetary Authority of Singapore conduct an investigation on United Overseas Bank for allegedly leaving intact client documents in a trash bag at Boat Quay. [The Straits Times]

Internet / WWW

US – Privacy Advocates Ask FTC to Investigate ‘Pokemon Go’ Creator

The Electronic Privacy Information Center is requesting the Federal Trade Commission investigate Niantic, Inc., the creator of “Pokemon Go.” The privacy advocacy group wrote a letter to the FTC alleging the app captures and stores information of its users, including children, in violation of federal privacy laws. “We want the FTC to establish concrete limits on the amount of information “Pokemon Go” is collecting and how long they are keeping it,” EPIC Consumer Protection Counsel Claire Gartland said. “Niantic should only be allowed to collect data that is necessary for the operation of the app. Data collection should not be a free-for-all of sensitive consumer data.” In related news, a man is suing Niantic in a Florida Court, claiming “Pokemon Go’s” terms of service and privacy policy are deceptive, unfair and violate state contract laws. [EdScoop]

Law Enforcement

AU – Queensland Police Begin Rolling Out Body-Worn Cameras

The Queensland Police Service has started its statewide rollout of 2,200 Axon body-worn cameras. Police Minister Bill Byrne said the cameras will be available to specialty teams, including tactical crime units, rapid action and patrol groups, the Railway Squad, Dog Squad, and the Road Policing Command. Police Commissioner Ian Stewart believes the cameras will assist in gathering evidence, while saying the technology has helped save 10 minutes per officer per shift in the initial trials. “Through use of the evidence management system, officers were able to add metadata to their recordings in the field, reducing the amount of time officers had to spend manually managing their data at the end of a shift,” said Stewart. [ZDNet]

WW – Company Wants Police Body Cams Live Streamed With Facial Recognition

Taser International is planning on live streaming police body camera footage to the cloud starting in 2017 as well as eventually integrating facial recognition technology. The combination would allow law enforcement to possibly identify criminals by looking at them. Facial recognition and body camera technology has caught the attention of other companies outside of Taser. “You’ve already got the ability to use cameras to tap into databases to find the license plates of stolen vehicles and overdue parking tickets,” said Digital Ally CEO Stan Ross, adding police and law enforcement are also excited to use facial recognition technology. “Why wouldn’t we be pushing to bring that technology to the next level?” Ross said. Georgetown Law’s Clare Garvie expressed concern about such capabilities, saying citizens would not be able to receive notice or give consent. “And there’s no police interaction even in place. No probable cause for a search,” she added. [Motherboard]

US – Wisconsin Supreme Court Upholds Use of Criminal Risk-Assessment Software

The use of risk-based software is being used to identify potential criminals and its involvement in a Wisconsin legal case. The software, covered in a ProPublica investigation earlier this year, assigns an individual points based on the likelihood they will commit a crime. Eric Loomis objected to the use of this data when he was arrested and sentenced for his alleged involvement in a drive-by shooting. Northpointe’s software known as COMPAS was used, and Loomis decided to appeal his conviction saying the software violated his rights to due process. The Wisconsin Supreme Court disagreed with Loomis, saying the software will continue to be used, but added, “some studies of COMPAS risk assessment scores have raised questions about whether they disproportionately classify minority offenders as having a higher risk of recidivism.” [Fusion.net]

Online Privacy

WW – Majority Still Unaware of Adchoices Program for Online Advertising

The AdChoices program is an attempt to persuade the public to get comfortable with “targeted” ads based on their Web browsing behaviour. But almost three years since its launch, more than 60 per cent of people don’t recognize that little symbol. The Digital Advertising Alliance of Canada (DAAC) has conducted a survey to gauge the awareness of the self-regulatory program. Of the 1,000 Canadians surveyed, 38 per cent recognized the blue icon that, when clicked, gives people information about how ads are targeted to them, and gives them options to opt out of targeting. (The recognition was higher among millennials – identified as those aged 18 to 34 for this survey – at 46 per cent.) [Source]

US – Anti-Domestic Violence Group, Twitter Release Harassment Protection Guide

The National Network to End Domestic Violence has released “Safety & Privacy on Twitter: A Guide for Survivors of Harassment and Abuse,” a guideline published “with the support of Twitter,” the group announced in a press release. “This new guide walks through a number of safety tips to help users control their privacy and explains several features to ensure that users are making informed decisions on how they use Twitter,” the report states. The release pushes back against the notion that those suffering from harassment shouldn’t go online. “This is not an acceptable solution,” it states. “Survivors should be able to use social media and online spaces while also maintaining control over their personal information and feeling safe.” [NNEDV]

Privacy (US)

US – FTC’s Ramirez Calls for Comprehensive Data Security Laws

FTC Chairwoman Edith Ramirez is pushing for comprehensive data security laws. With cyberattacks continuing to be a major issue, Ramirez believes Congress and the tech industry need to do more in order to protect user privacy. The FTC wants to create federal standards for the ways organizations can collect, share and store data, while also seeking greater authority to punish businesses for putting citizens’ data at risk. “So much of the data collection that’s taking place happens behind a curtain. It’s largely invisible to consumers,” said Ramirez. The FTC chair also hopes to see organizations step forward to install strong privacy initiatives. “It’s an issue on which I think a company can differentiate itself. And speaking also as a competition agency, we want to see more and encourage more competition in the area of privacy,” Ramirez said. [BuzzFeed]

US – Albany Law School to Offer Data Privacy Master’s Degree

The Albany Business Review reports on a new online master’s program offered by the Albany Law School focusing on cybersecurity and data privacy. Starting in January, students can obtain a Master of Science in Legal Studies degree in cybersecurity and data privacy through the institution. “We developed this program for students across the state, nation and globe to take advantage of our rich history and deep connections in the heart of New York State’s Tech Valley,” said Albany Law School President and Dean Alicia Ouellette in a press release. [Full Story]

US – US Privacy News Roundup


US – NSA Releases IoT Report

In the newest edition of the NSA’s publication “The Next Wave,” dedicated to reviewing emerging tech, the focus is on the internet of things. Over 50 pages, and with a mix of highly technical academic pieces and more informative magazine-style articles, the publication features everything from agile block cyphers to the NSA’s newest NiFi developments to an investigation into nascent privacy issues. In fact, NSA Director of Civil Liberties and Privacy Becky Richards is the publication’s guest editor. “NSA sees itself as a facilitator,” she writes, “bringing together diverse people and ideas to foment multidisciplinary research, and perhaps even to develop a true science of privacy.” [NSA.gov]

WW – Government Intervention Necessary Against IOT Manipulation: Schneier

Protection against internet of things manipulating can only come from government agencies taking a hard legislative stance, Bruce Schneier writes in an op-ed for Motherboard. Security solutions aren’t a silver bullet, he writes. “This is not something that the market can solve. Like data privacy, the risks and solutions are too technical for most people and organizations to understand … and the interests of the companies often don’t match the interests of the people.” The government needs to fill in the gaps, “setting standards, policing compliance, and implementing solutions across companies and networks,” he adds. [Full Story]

WW – The Internet of Things Will Turn Large-Scale Hacks into Real World Disasters: Schneier

On the Internet of Things, integrity and availability threats are much worse than confidentiality threats. It’s one thing if your smart door lock can be eavesdropped upon to know who is home. It’s another thing entirely if it can be hacked to allow a burglar to open the door—or prevent you from opening your door. A hacker who can deny you control of your car, or take over control, is much more dangerous than one who can eavesdrop on your conversations or track your car’s location. With the advent of the Internet of Things and cyber-physical systems in general, we’ve given the internet hands and feet: the ability to directly affect the physical world. What used to be attacks against data and information have become attacks against flesh, steel, and concrete. [Motherboard]


US – White House’s New Cyberattack Directive Faces Criticisms

The White House and FBI issued official releases on the new cyberattack directive, but cybersecurity professionals are voicing their criticisms of it. One issue professionals see with the color-coded system is it’s oversimplification of the complexity of a cyberattack. “There [are] a lot of hacks that, over time, seem to affect a national or foreign policy interest — and we’re going to have to be more flexible and creative about the way these agencies are going to be involved,” said Digital and Cyberspace Policy Program at the Council on Foreign Relations Director Adam Segal. Other criticisms focus on the severity rankings of different cyberattacks. “I could steal $1 billion from the Federal Reserve, and that is probably more consequential than turning off the generator for the electric power in a town of 20,000 people,” said Stanford Center for International Security and Cooperation’s Herb Lin. [The Christian Science Monitor]

WW – Wireless Keyboard Vulnerabilities

Researchers have found that security weaknesses in some wireless keyboards could allow attackers to inject keystrokes and to read everything users type, spelling trouble for the security of account access credentials and any other sensitive communications. To sniff this information, attackers would need to be within 250 feet of a targeted device. [CNET: Hackers could sniff out your passwords if you’re typing nearby | ZDNet: Flaws in wireless keyboards let hackers snoop on everything you type | Wired: Radio Hack Steals Keystrokes from Millions of Wireless Keyboards | V3: Wireless keyboards and mice vulnerable to keystroke ‘sniffing’]

EU – Portal Offers Help with Ransomware

Europol, along with the Dutch National Police, Kaspersky Lab, and Intel Security, has launched the No More Ransom portal. Its goal is to educate people about ransomware and to provide resources to help people recover files without paying a ransom. The site includes tools for unlocking certain strains of ransomware, and will allow people whose computers have been infected to upload encrypted files to determine which strain of the malware was used. [BBC: Ransomware advice service to tackle extortion gangs | ZDNet: This initiative wants to help ransomware victims decrypt their files for free | Dark Reading: New Portal Offers Decryption Tools For Some Ransomware Victims] SEE ALSO: [The Register: Security firms team to take down rudimentary ransomware | Computerworld: Free decryption tools released for PowerWare and Bart ransomware] See also: US Civil Rights Office Issues Ransomware Guidance]

Smart Cars

EU – ENISA Launching Smart Car Cybersecurity Study

The European Union Agency for Network and Information Security is launching a study on cybersecurity measures for smart cars. “The objective of this project is to establish a comprehensive list of cybersecurity policies, tools, standards, measures and provide recommendations to enhance the level of security of smart cars. The study focuses on the assets inside the cars as well as on data exchanges related to safety,” the organization said. ENISA is looking for car manufacturers, Tier 1 and Tier 2 suppliers to participate in the study, with a workshop scheduled for 10 Oct., to review the findings. [Full Story]

US – Auto Industry Now Has Best Practices Guidelines for Cybersecurity

The Automotive Information Sharing and Analysis Center has published a set of cybersecurity best practices for the automobile industry. The guidelines cover “governance; risk assessment and management; security by design; threat detection and protection; incident response; training and awareness; and collaboration and engagement with appropriate third parties,” the report states. The “suggested measures” include standards from the International Organization for Standardization and National Institute of Standards and Technology, the report adds. [Covington Inside Privacy]

US – The case of traveling odometer data

Fusion reports on consumer surprise regarding the sharing of odometer data between companies like car dealerships and oil-change shops and insurance companies. One consumer got a letter earlier this year from his insurer letting him know his “low annual mileage” rating was being revoked, because he had driven too many miles. Another noticed his oil changes mentioned in a CarFax report. In fact, State Farm’s policy reads: “To ensure we’ve priced our insurance coverage accurately, we verify odometer readings through a third-party provider.” But what about those supplying the information? “If they’re following privacy best practices,” the article states, “they should be disclosing to their customers that they’re passing that data along to third parties.” The article does not ask any dealerships or oil-change shops for their policies or whether they inform customers in any way, however. [Fusion.net]

US Legislation

US – US Legislative Roundup


Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: