29 July – 05 August 2016


WW – New Snapchat Facial Recognition Patent Could Have Retail Ramifications

Snapchat received a patent for technology to identify the face of specific individuals, then blur or obscure their faces if they have set their privacy settings to do so. The technology would allow Snapchat to surf through the database for anyone who has used the app, and if it finds a match, the app will place “a privacy-protected version of the image, wherein the privacy-protected version of the image has an altered image feature.” However, similar facial recognition technology, the report points out, could be used in a retail setting, where an organization could scan customers to determine their shopping habits and other information through social media and other online outlets. [Computerworld]

WW – Facial Recognition for Monitoring Crowd Reactions?

At each of the recent major political conventions held in the United States last month, Microsoft was on-site as part of an event with POLITICO where it demonstrated its Microsoft Research Division capabilities. One exhibit was titled “Realtime Crowd Insights” and displayed functionality whereby individual faces in a crowd could be singled out and identified by approximate age, emotional state and gender. The report questions whether the technology’s abilities mesh with consent-based privacy policies. “It’s difficult,” said Georgetown professor Alvaro Bedoya, “to envision how companies will obtain consent from people in large crowds or rallies.” [The Intercept]

WW – How Hackers Could Get Inside Your Head With ‘Brain Malware’

Hackers have spyware in your mind. You’re minding your business, playing a game or scrolling through social media, and all the while they’re gathering your most private information direct from your brain signals. Your likes and dislikes. Your political preferences. Your sexuality. Your PIN. It’s a futuristic scenario, but not that futuristic. The idea of securing our thoughts is a real concern with the introduction of brain-computer interfaces—devices that are controlled by brain signals such as EEG, and which are already used in medical scenarios and, increasingly, in non-medical applications such as gaming. Researchers at the University of Washington in Seattle say that we need to act fast to implement a privacy and security framework to prevent our brain signals from being used against us before the technology really takes off. “There’s actually very little time,” said electrical engineer Howard Chizeck over Skype. “If we don’t address this quickly, it’ll be too late.” “Broadly speaking, the problem with brain-computer interfaces is that, with most of the devices these days, when you’re picking up electric signals to control an application… the application is not only getting access to the useful piece of EEG needed to control that app; it’s also getting access to the whole EEG,” explained Bonaci. “And that whole EEG signal contains rich information about us as persons.” And it’s not just stereotypical black hat hackers who could take advantage. “You could see police misusing it, or governments—if you show clear evidence of supporting the opposition or being involved in something deemed illegal,” suggested Chizeck. “This is kind of like a remote lie detector; a thought detector.” [MotherBoard]

Big Data

WW – Privitar receives 3M GBP from Illuminate Financial Management

Big data privacy startup Privitar will receive 3 million GBP in financing from Illuminate Financial Management, with other investments coming from existing investors. Privitar will use the funds to boost its growth both in the U.K. and in Europe for its big data software, designed to let companies publish and share data privately while meeting regulatory compliance. “Every organisation that collects and analyses data is grappling with the issue of data privacy. They are all potential customers for our privacy-enhancing software solution,” said Privitar CEO Jason du Preez. “That is why we are excited to be partnering with Illuminate Financial with their deep connectivity into one of our target vertical markets.” [Finextra]


CA – Newfoundland & Labrador’s New Information and Privacy Commissioner Speaks Up

In an interview, Newfoundland and Labrador’s newly-appointed Information and Privacy Commissioner Donovan Molloy discusses elements of the role he looks forward to tackling and his goals for the province’s privacy. “At the end of the day, the public is entitled to every piece of information that exists in government, unless it is specifically exempted in the [Privacy] Act,” Molloy said. “The role of this office is to make sure the exemptions and qualifications are properly applied.” He added that he has a particular interest in privacy issues. It’s “one of the areas of law that’s developing very quickly, and will increasingly become more important in our society,” Molloy said. [The Telegram]

CA – BC SC Orders Voyeur to Pay $85,000 In Privacy Damages

The BC Supreme Court ordered $85,000 in damages to be paid to a young woman whose stepfather surreptitiously recorded her while she was undressed in her bathroom and bedroom. The damages finding was driven significantly by the “thoroughly undignified and humiliating actions” of the defendant, the age of the defendant and proof that the defendant’s actions caused a significant psychological disorder from which the plaintiff was still recovering at the time of trial (which was four years after discovering the defendant’s wrong). The judge also noted that the plaintiff was recovering and that the defendant conducted his defence with “appropriate restraint.” The judge did not consider evidence that the plaintiff was herself provocative in his damages assessment. The Court also ordered damages to be paid for past loss of earning capacity, the cost of medication taken and health care received, and the cost of future care. [Source] T.K.L. v. T.M.P., 2016 BCSC 789 (CanLII).

CA – Alberta Commish Issues ‘Landmark’ Trans-Privacy Ruling

In what’s being described as a “landmark” decision for the transgender community, the Office of the Information and Privacy Commissioner of Alberta has decided trans students have the right to protect their birth names from becoming public information. Following repeated incidents where teachers displayed the student’s birth name in front of other students or otherwise discussed the student’s birth gender status in public, the family complained. In the ruling, the adjudicator found the school in breach of the Freedom of Information and Privacy Act for disclosing personal information and failing to make proper security arrangements. The school has already amended practices, but Kris Wells, a professor with the University of Alberta’s Institute for Sexual Minority Studies and Services, called it a “landmark decision” because of the way it will force school boards to re-examine policies across Canada. [GlobalNews] [Trans student at centre of Edmonton school’s privacy breach hopes it doesn’t happen to others]


WW – Windows 10 Privacy Concerns May Drive Customers Over to The Mac

A recent survey conducted by OnePoll reveals that two-thirds of the Windows-based population would consider switching to a Mac due to the privacy concerns over Microsoft’s latest platform, Windows 10. The poll arrives just after the French National Data Protection Commission (CNIL) presented Microsoft with examples late last month of how some of Windows 10’s user data collection is unwarranted. France’s reaction is just one of many reports of privacy concerns over Microsoft’s data collection. The OnePoll survey questioned 500 individuals in North America and 500 residents in the UK. It asked one simple question: would the controversial collection of user data in Windows 10 that is causing privacy concerns push them to consider switching to a Mac? The survey found that 501 individuals said they “might” consider switching, while 141 individuals said they would “definitely” consider the switch. Another 358 individuals said they wouldn’t even consider it. The poll goes on to show that U.K. respondents are more concerned about the Windows 10 data collection than Americans, with 15.2% of the U.K. residents polled saying they would “definitely” consider a switch and 51.8% saying “maybe.” For the Americans, 13% said “definitely” and 48.4% said “maybe.” [Digital Trends]


CA – Government of Canada Releases Cloud Adoption Strategy

The Government of Canada recognizes that a strong IT workforce and modern IT infrastructure are the backbone of better service delivery to Canadians. Treasury Board President Scott Brison has taken another step to modernize the Government of Canada’s use of IT by releasing the Cloud Adoption Strategy for public comment. This strategy prioritizes the security and privacy of Canadians while providing departments with new modern and flexible alternatives to make more efficient use of information technology. Using cloud computing services provides the Government with even more options in terms of data storage and running applications. The strategy is designed to allow the Government to select the right cloud solution for its evolving needs. This is the result of consultations with industry and provincial governments over the past two years, and a review of global trends in cloud computing. Feedback on the strategy will be collected until September 30, 2016, and will be used to finalize the Government’s approach. [Press Release] [Government of Canada Cloud Adoption Strategy | Security Control Profile for Cloud | Right Cloud Selection]

CA – General Insurance Council of Manitoba Fines Broker $1,000 For Unauthorized Access to Customer Database

The General Insurance Council of Manitoba investigated whether Basil Galarnyk violated the Insurance Act and the General Insurance Agent Code of Conduct. The broker accessed customer information 42 times without performing any transactions, without customer approval, and for no discernible reason; the broker acted in a manner that showed a lack of trust with regard to consumer privacy, and the rules for use of customer files in conducting business. [Decision of the General Insurance Council of Manitoba respecting Basil Galarnyk]

Electronic Records

US – Prominent Senator Calls for Open Access to Patient Data

U.S. Sen. Elizabeth Warren called recently for greater access to patient data created by drug and medical-device testing. “I appreciate that there are many policy, privacy and practical issues that need to be addressed in order to make data sharing practical and useful for the research community,” Warren said in an editorial in the New England Journal of Medicine, “but the stakes are too high to step back in the face of that challenge.” Counter-arguments did not involve privacy, however, but rather concern about “research parasites” and other intellectual property concerns. As a compromise, the International Committee of Medical Journal Editors has recently proposed that scientists publish research data within six months of publishing results — “stripped of any information that could identify patients.” Meanwhile, eight plaintiffs have sued a pair of anti-abortion activists in federal court to prevent their personal information from being released as part of the University of Washington’s Birth Defects Research Laboratory. [STAT]

EU Developments

WW – Morocco Launches Program for 38th DPAs Conference

This year, the International Conference of Data Protection and Privacy Commissioners will be held for the first time in an Arabic-speaking nation, when commissioners gather in Marrakech, Morocco, Oct. 17 through 20. Sam Pfeifle speaks with Morocco National Commission for the Control and Protection of Personal Data General Secretary Lahoussine Aniss about how this year’s program is designed “to show the world that privacy and data protection is taken seriously in Morocco.” [IAPP] [Program]


CA – OIPC BC Finds Disclosure of Info Related to Water Quality is in the Public Interest

The OIPC BC reviewed a complaint alleging the Ministry of Environment failed to meet its obligations under the Freedom of Information and Protection of Privacy Act. Disclosure of regulatory actions taken by a ministry body to address water contamination is clearly in the public interest: water quality and management of nitrate application was the subject of debate in the Legislature and media, the issues giving rise to significant harm to the environment, public health or safety are still ongoing, and disclosure of a summary of the information would not allow the public to assure itself that the actions undertaken were appropriate. [OIPC BC – Investigation Report F16-02 – Disclosure of Information Quality in Spallumcheen]

Health / Medical

UK – National Data Guardian Finds Healthcare Organisations Are Not Adequately Protecting Personal Data

The UK National Data Guardian reviews current approaches to data security in the National Health Service. Organisations were often confused about which data standard or principle they were to follow, 41% of all breaches reported to the ICO were from the health sector (mostly caused by employees), and there was a lack of clarity in processing responsibilities. Recommendations include using appropriate tools to identify vulnerabilities (dormant accounts, default passwords, multiple log-ins from the same account), allowing opt-outs for uses beyond direct care, and stronger sanctions for malicious or intentional breaches. [UK Government – National Data Guardian for Health and Care – Review of Data Consent and Opt-Outs]

US – Federal Healthcare Rule Expands Use and Disclosure of Medicare Data

The Department of Health and Human Services issued a Final Rule to implement requirements under section 105 of the Medicare Access and CHIP Reauthorization Act of 2015, expanding availability of Medicare data: this Rule is effective September 6, 2016. Qualified entities may provide or sell combined or non-public analyses to authorized users provided that analyses are limited to de-identified data, a data use agreement has been executed, and authorized users do not use the data for marketing, harm or fraud; any violations of the terms of a data use agreement can result in an assessment being imposed by the Centers for Medicare & Medicaid Services. [Final Rule – 42 CFR Part 401 – Medicare Program – Expanding Uses of Medicare Data by Qualified Entities]

US – Cancer Database Allows Patients to Share Data Anonymously

Inspired by the Obama administration’s Cancer Moonshot Initiative, two professors joined forces to create CancerBase, a database allowing patients to share personal medical data to further cancer research. Stanford associate professor of bioengineering Jan Liphardt, Ph.D., and University of Southern California professor of medicine and engineering Peter Kuhn, Ph.D., created the database to give patients an opportunity to share their diagnosis and their location without revealing their identities. “So that’s the simple idea: A global map and give patients the tools they need to share their data — if they want to. They can donate information for the greater good. In return, we make a simple promise: When you post data, we’ll anonymize them and make them available to anyone on Earth in one second. We plan to display this information like real-time traffic data. HIPAA doesn’t apply to this direct data sharing,” said Liphardt. [Scopeblog][stanford.edu]

US – Advocate Health Care to Pay Largest HIPAA Settlement for Privacy Violations

Advocate Health Care has agreed to pay the largest HIPAA settlement ever to the Department of Health and Human Services’ Office for Civil Rights. Advocate will pay $5.55 million to settle multiple data protection violations over the last three years. The health system is also penalized for not properly assessing potential risks to its ePHI systems, and for failing to ensure the organization and its business associates had satisfactory protections for their systems. “We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,” said OCR Director Jocelyn Samuels. [Modern Healthcare]

WW – Pregnancy-Tracking Exposes Extremely Sensitive Personal Information

Consumer Reports Labs tested Glow, a very popular menstrual cycle/fertility-tracking app, and found that the app’s designers had made a number of fundamental errors in the security and privacy design of the app, which would make it easy for stalkers or griefers to take over the app, change users’ passwords, spy on them, steal their identities, and access extremely intimate data about the millions of women and their partners who use the app. After being alerted to these problems, Glow fixed the app and re-released it. Consumer Reports has verified that the app’s known major problems have been fixed. This is the first cybersecurity audit that Consumer Reports has published, and the beginning of a wider project they’re commencing. [BoingBoing]

Horror Stories

WW – Hacker Dumps More Than 200M Yahoo Accounts On Deep Web

More than 200 million Yahoo accounts were discovered on a deep web marketplace. A hacker known by the name “Peace” dumped the data onto a marketplace called The Real Deal. Peace said the data was “most likely” from 2012, and the passwords were hashed with an MD5 algorithm. Yahoo has not confirmed whether the data is authentic, but is aware of the leak. “We are aware of a claim. We are committed to protecting the security of our users’ information and we take any such claim very seriously,” said a Yahoo representative. “Yahoo works hard to keep our users safe, and we always encourage our users to create strong passwords, or give up passwords altogether by using Yahoo Account Key, and use different passwords for different platforms.” [International Business Times]

US – Banner Health Alerting 3.7M Individuals Following Cyberattack

Banner Health suffered a cyberattack and has started to contact 3.7 million individuals whose information may have been compromised. The breach started on Banner’s credit card payment systems for food and beverage purchases, then expanded to include patient and health plan data. “The patient and health plan information may have included names, birth dates, addresses, physicians’ names, dates of service, claims information, and possibly health insurance information and Social Security numbers,” read an investigation into the breach. Banner’s Vice President of Public Relations Bill Byron said there is no evidence the data has been used in an illicit manner. In related news, retailer Kmart agreed to settle its 2014 data breach lawsuit and will pay $5.2 million to hundreds of credit unions and banks. [Modern Healthcare]

WW – Sheer Number of Devices in Use Enlarges Security Gaps in Healthcare

Hospitals that want to improve network security should carefully assess the hundreds of medical devices they’re using, including fetal monitors, medical imaging devices, electrocardiographs, lasers and gamma cameras, to name a few. Some devices hold a sizable amount of data that can be hacked; others don’t have much data, but can increase network vulnerability. Infusion pumps, for instance, don’t have a lot of data but are a gateway to the network and “have become the poster child for medical device security gone wrong,” says Stephanie Domas, an ethical hacker and lead medical device security engineer at Battelle, a large research and development organization. [Source]

Internet / WWW

WW – Study: Mobile Streaming Represents New Privacy Frontier

In their research paper, “Up, Periscope: Mobile Streaming Video Technologies, Privacy in Public, and the Right to Record,” Lehigh University’s Jeremy Littau and Texas Christian University’s Daxton Stewart examine the privacy implications of live streaming technology. They found that U.S. privacy laws have yet to adapt to the new technology and that the First Amendment likely protects the rights of those streaming, the report states. “In this study, we advocate for less legal restraint of recording and live-streaming public matters or government officials in public places, which clearly deserve First Amendment protection,” Stewart said. “But we also call for wisdom by users and tech companies in controlling the spread of materials that may be more harmful to private individuals.” [Eurekalert] See also: [Amazon plans headphones that know when someone says your name]

Law Enforcement

US – Boston Police Used ‘Stingray’ Cellphone Spying Technology Without Warrants

Boston police never obtained warrants in the 11 instances when they used “Stingray” cell-site simulators, contradicting the commissioner’s claims that officers generally obtain permission from a judge to use the devices. The New England Center for Investigative Reporting (NECIR) reported that it had obtained documents indicating Boston police were using the spying devices without obtaining warrants. While Massachusetts does not have an explicit statute prohibiting the technology, judges will often throw out evidence obtained with Stingrays if their use is deemed to violate the privacy of the defendant. Boston Police Department (BPD) Commissioner William B. Evans said during a February radio interview that officers “normally” obtain a warrant before using the technology. In fact, the department had used Stingrays 11 times since 2009 and never obtained a search warrant for their use in any of those cases. However, BPD spokesman Lieutenant Detective Michael McCarthy told NECIR that there was no contradiction, because all of the situations in which the devices were used were considered to be emergencies. [RT]

US – Body Camera Scorecard Reveals Nationwide Failure to Promote Transparency and Accountability

An updated body camera scorecard highlights a disturbing state of affairs in body camera policy that lawmakers should strongly resist. A majority of the body camera policies examined by Upturn and the Leadership Conference on Civil and Human Rights received the lowest possible score when it came to officer review of footage and to citizens alleging misconduct having access to footage, meaning that the departments were either silent on the issues or have policies in place that are contrary to the civil rights principles outlined in the scorecard. Such policies do not promote transparency and accountability and serve as a reminder that body cameras can only play a valuable role in criminal justice reform if they’re governed by the right policies. Upturn and the Leadership Conference on Civil and Human Rights looked at the body camera policies in fifty departments, including all departments in major cities that have either outfitted their officers with body cameras or will do so in the near future. Other departments that were scored include departments that received at least $500,000 in body camera grants from the Department of Justice, as well as the Baton Rouge Police Department and the Ferguson Police Department. Unfortunately, the scorecard reveals not only that many departments have poor accountability and transparency policies but also that the Department of Justice does not treat these policies as disqualifying when it comes to body camera grants. [CATO] Also See: [Police body cam policies in San Jose and Oakland are flawed, report says | Police body cameras can provide accountability, but also risk, study finds | Harsh Consequences Required for Officers Who Fail to Activate Body Cameras]

Online Privacy

WW – Massive New Study Lifts the Lid on Top Websites’ Tracking Secrets

So, just how tracked are you? Plenty, according to the largest, most detailed measurement of online tracking ever performed: Princeton University’s automated review of the world’s top 1,000,000 sites, as listed by Alexa. To begin, huge numbers of parties are trying to track you: 81,000+ third-party trackers appeared on at least two of the top million sites. However, only 123 trackers showed up on at least 1% of those sites: “The number of third parties that a regular user will encounter on a daily basis is relatively small. [Moreover], all of the top 5 third parties, as well as 12 of the top 20, are Google-owned… Google, Facebook, and Twitter are the only third-party entities present on more than 10% of sites.” The researchers find “a trend towards economic consolidation” – fewer but larger third-party trackers. In their opinion, that’s actually good news for privacy advocates, as these “are large enough entities that their behavior can be regulated by public-relations pressure and the possibility of legal or enforcement actions.” According to the Princeton review, news, arts, and sports sites track the most; they typically provide content for free and “lack an external funding source, [and] are pressured to monetize page views with significantly more advertising.” The sites that track the least belong to government organizations, universities, and non-profit entities… “websites [that] may be able to forgo advertising and tracking due to the presence of funding sources external to the web.” Oh, and adult sites, too. Next, the researchers turned to fingerprinting: techniques for individually identifying anonymous site visitors based on the unique characteristics of their hardware and software. (Check out our detailed primer on fingerprinting here.) The researchers wanted to know: Is it really being used in the wild? How widely? Which techniques?
The researchers say privacy tools like Ghostery do a nice job of protecting against standard tracking scripts from widely-used third-party trackers. However, they sometimes miss more obscure scripts using these emerging, exotic techniques. Since the researchers have open-sourced OpenWPM, anyone can use it. That includes academics: it’s already been part of seven published studies. It also includes site owners who want to know what third-party trackers are doing on their sites. And it especially includes journalists and activists. [Naked Security]

CA – Ontario Defendant in Revenge Porn Case Seeking a Do-Over: Porter

How much is a lifetime of public humiliation worth? Ontario Superior Court Justice David Stinson pegged it at precisely $141,708.03 in January. That’s how much he ruled a young man had to pay his ex-girlfriend for the shame and psychological suffering he’d caused her by posting an intimate video of her on pornhub.com. He called it “college girl pleasures herself for ex boyfriends delight.” The decision set a new path for revenge porn victims. Since 2014, when Parliament passed the revenge porn law, victims can go to police and hope the jerk who put their images online without their permission lands in jail. But with Stinson’s ruling, they could also pursue some civil justice — cash, and a lot of it. He set the bar high, awarding the young victim the maximum damages — enough to pay her lawyer, and cover therapy bills for years of shame, fear, distrust … [Toronto Star]

Other Jurisdictions

EU – US Cloud Services Seeing Major Growth in Europe

U.S. cloud computing business is growing in Europe, despite pressure on European companies to keep sensitive data within the continent. The U.S. growth stems from European companies moving cloud computing needs to outside providers, with American organizations offering lower prices and the ability to rapidly put out new services and upgrades. Four U.S.-based businesses, for example, own 40 percent of the European market share, and more than a dozen new U.S. data centers have been built in Europe over the past couple of years, convincing European businesses that U.S. providers can protect their data. “On paper, European companies should be poised to take advantage of this growth. But they are less nimble,” said RBC Capital Markets Senior Analyst Jonathan Atkin. [The Wall Street Journal]

Privacy (US)

US – FTC Issues Warnings to Companies Claiming APEC Privacy Certification

The FTC has issued warning letters to 28 companies claiming to be certified participants in the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules system. This is an important reminder for companies, including Canadian companies, that the use of international certifications is something in which regulators take a keen interest. The FTC did not release the names of the organizations to which it sent letters. This gives the organizations a chance to demonstrate compliance and revise their websites, and thereby avoid the reputational damage associated with being publicly cited by the regulator. However, the fact that the FTC publicized the issuance of the warning letters likely indicates that it views the problem of unsubstantiated certifications as an issue which needs to be addressed. [Cyberlex]

US – White House Announces New Drone Initiatives

Following a report on privacy by design in drones, the White House announced it will work on strengthening the integration of the technology by hosting workshops and deploying drones in different scenarios. The White House Office of Science and Technology Policy said the work will build on the Federal Aviation Administration’s drone rules from earlier this year. Reaction to the announcement was mixed: “Today’s announcement is another important step forward in realizing the enormous potential of unmanned aerial systems, and will help speed up our development and adoption of this technology, which still lags behind other countries,” said Sen. Mark Warner, D-Va. However, Sen. Ed Markey, D-Mass., expressed concern: “While I am pleased that the White House continues its efforts to safely integrate drones into our national airspace, when it comes to drone privacy, we are still essentially flying blind. As more drones take flight, voluntary privacy guidelines and best practices are simply not enough.” [Broadcasting & Cable] See also: [FPF, Intel, PrecisionHawk advocate for privacy by design framework in drones] and the May 2016 stakeholder-drafted Voluntary Best Practices for UAS Privacy, Transparency, and Accountability. And [New Hampshire town hit with wave of drone complaints]

US – Jimmy Carter Defends Edward Snowden, Says NSA Spying Has Compromised Nation’s Democracy

Former President Jimmy Carter announced support for NSA whistleblower Edward Snowden this week, saying that his uncovering of the agency’s massive surveillance programs had proven “beneficial.” Speaking at a closed-door event in Atlanta covered by German newspaper Der Spiegel, Carter also criticized the NSA’s domestic spying as damaging to the core of the nation’s principles. “America does not have a functioning democracy at this point in time,” Carter said, according to a translation by Inquisitr. No American outlets covered Carter’s speech, given at an Atlantic Bridge meeting, which has reportedly led to some skepticism over Der Spiegel’s quotes. But Carter’s stance would be in line with remarks he’s made on Snowden and the issue of civil liberties in the past. [Huffington Post]

US – Judge Blasts FBI for Bugging Courthouse, Throws Out 200 Hours of Recordings

The FBI violated the Fourth Amendment by recording more than 200 hours of conversation at the entrance to a county courthouse in the Bay Area, a federal judge has ruled. Federal agents planted the concealed microphones around the San Mateo County Courthouse in 2009 and 2010 as part of an investigation into alleged bid-rigging at public auctions for foreclosed homes. In November, lawyers representing five defendants filed a motion arguing that the tactic was unconstitutional, since the Fourth Amendment bans unreasonable searches. “[T]he government utterly failed to justify a warrantless electronic surveillance that recorded private conversations spoken in hushed tones by judges, attorneys, and court staff entering and exiting a courthouse,” US District Judge Charles Breyer wrote in an order published this week. “Even putting aside the sensitive nature of the location here, Defendants have established that they believed their conversations were private and they took reasonable steps to thwart eavesdroppers.” Breyer concluded that the disputed evidence must be suppressed. At a hearing next week, he’ll consider whether the recordings tainted the rest of the prosecution’s case. [Source]

Privacy Enhancing Technologies (PETs)

WW – Energy Monitoring Device Without the Cloud Sharing from MIT

MIT says it has the answer to those concerned with Google Nest’s privacy practices: an energy-monitoring device that measures in-home energy usage without sending data into the cloud. The system uses a wireless, sensor-based approach to energy measuring, the report states. “MIT electrical engineering professor Steven Leeb was particularly impressed with the team’s discovery that energy monitoring can be achieved despite keeping data within the home,” the report adds. “The system only releases ‘small subsets’ of data for cloud processing, which addresses bandwidth and privacy concerns.” If made commercially available, the device would cost an estimated $30 per household. [ZDNet]


US – NTIA Announces IoT Security and Education Initiative

The National Telecommunications & Information Administration has announced a new multistakeholder process to help consumers understand the security measures in internet of things devices and ensure security upgrades and patches are appropriately maintained. “The goal of the new multistakeholder process will be to promote transparency in how patches or upgrades to IoT devices and applications are deployed,” said NTIA Deputy Assistant Secretary for Communications and Information Angela Simpson. “Potential outcomes could include a set of common, shared terms or definitions that could be used to standardize descriptions of security upgradability or a set of tools to better communicate security upgradability.” The NTIA is encouraging “broad participation and diverse perspectives” and hopes to have its first meeting in early fall. [NTIA]


WW – Most Healthcare Breaches Can Be Traced to One of Three Factors

Those include losses or thefts of laptops; improper or criminal accessing of credentials to information systems; and unintentional errors, such as sending sensitive information to the wrong person, according to Verizon Enterprise Solutions. [Information Management]


WW – Database Tracks Surveillance Companies Around the World

Privacy International has a new searchable database allowing users to find information on hundreds of surveillance companies around the globe. The Surveillance Industry Index possesses information on more than 520 surveillance companies, while also having information on the technology they have sent to government agencies and telecommunications companies. “State surveillance is one of the most important and polarizing issues of our time, yet the secrecy around it means it’s a debate lacking reliable facts,” said Privacy International Research Officer Edin Omanovic. “Understanding the role of the surveillance industry, and how these technologies are traded and used across the world, is crucial to not only understanding this debate, but also fostering accountability and the development of comprehensive safeguards and effective policy.” [The Verge]

US – Disney Obtains Patent to Track Theme Park Guests Through Their Feet

The U.S. Patent and Trademark Office has issued Walt Disney Co. a patent for a new type of technology: A system that can track theme-park guests through their feet. According to information supplied to the patent agency, sensors and cameras would help identify particular visitors, and the data “can be used to output a customized guest experience” including photographs. Theme parks could also use such a system to mine data about common paths from ride to ride. The company can already track guests at Walt Disney World who use MagicBands, RFID bracelets that function as theme-park tickets, FastPasses, hotel keys and credit cards. Current methods of tracking guests and matching them up “are limited to rather invasive methods, such as retinal and fingerprint identification methods,” the patent information said. “These methods are obtrusive and some guests may not feel comfortable providing this type of biometric information to a third party.” The company says that there are no immediate plans to use such a system. This project is part of Disney’s ongoing innovative research process, the company said, and many projects it explores may never actually end up in the parks. [Orlando Sentinel]

Telecom / TV

US – Comcast Asks FCC to Shoot Down Rules Prohibiting ‘Pay-For-Privacy’ Pricing

Comcast has sent a filing to the Federal Communications Commission requesting the agency to shoot down proposed rules stopping broadband providers from charging higher fees to customers declining behaviorally targeted ads. “A bargained-for exchange of information for service is a perfectly acceptable and widely used model throughout the U.S. economy, including the internet ecosystem, and is consistent with decades of legal precedent and policy goals related to consumer protection and privacy,” Comcast writes. The provider says prohibiting a pay-for-privacy pricing system “would harm consumers by, among other things, depriving them of lower-priced offerings,” while adding the FCC “has no authority to prohibit or limit these types of programs.” [MediaPost]

US Government Programs

US – Appointees Named to New Evidence-Based Policymaking Commission

All 15 appointees to the Evidence-Based Policymaking Commission have been named. The commission will determine whether the federal government should establish a clearinghouse for program and survey data, what data should be included in the clearinghouse, and which qualified researchers from both the private and public sector could access the data to perform program evaluations and related policy research. The commission will also study how best to ensure confidentiality of data and protect individuals’ privacy. See also: [H.R.1831 – Evidence-Based Policymaking Commission Act of 2016]

US – Student Data Policymaking Recommendations Issued

DQC released its policy recommendations for state policymakers in April, and followed that up with district and federal recommendations. Each set of policy recommendations includes student data privacy and directs policymakers to align their policies across federal, state and district levels in four priority areas:

  • Measure What Matters
  • Make Data Use Possible
  • Be Transparent and Earn Trust
  • Guarantee Access and Protect Privacy

US – OMB Releases Updated Circular A-130

The Office of Management and Budget has released an update to Circular A-130, requiring every federal agency to, among other things, appoint a senior agency official for privacy, provide privacy training and conduct Privacy Impact Assessments. Under FISMA all NIST FIPS documents are now required. The 800 series documents are also going to be used by OMB as “best practices” when conducting their audits. Implementing these NIST standards is going to be quite a lot of work for most agencies. [FedScoop] [OMB] [Circular A-130] [Wikipedia on Circular A-130]
