06–18 August 2016

Biometrics

WW – Algorithms Can Identify Individuals Trying to Evade Facial Recognition

German researchers published a paper revealing that algorithms can be used to identify individuals even if they have obscured their faces. The researchers from the Max Planck Institute call it the “Faceless Recognition System,” which “trains a neural network on a set of photos containing both obscured and visible faces, then uses that knowledge to predict the identity of obscured faces by looking for similarities in the area around a person’s head and body.” Depending on the level of obscurity, the success rate can range from 14.7% to 91.5%. Meanwhile, Facebook users filing a lawsuit against the social media network say the level of damages they received meets the level set in the Spokeo decision. Editor’s Note: The IAPP will be hosting a discussion on biometrics and consumer privacy at the Privacy. Security. Risk. conference from Sept. 13-16, in San Jose, California. [Motherboard]

Canada

CA – OPC Canada Provides Tips for Protecting Employee Privacy

The Office of the Privacy Commissioner of Canada has published tips for human resources professionals on protecting employee personal information. HR professionals should use the bcc field for emails sent to multiple recipients that include sensitive personal information, vet documents to remove personal information before disclosing them to third parties, and share only information that is factual, objective and pertinent. HR professionals should also be knowledgeable about the relevant privacy legislation when handling personal information and advising clients on sensitive personal matters. [OPC Canada – Key Privacy Protection Tips for Federal Human Resources Professionals – Fact Sheets]

CA – Clayton Rules Former Premier Violated Privacy Law

Alberta Privacy Commissioner Jill Clayton said the office of former Premier Alison Redford violated privacy laws when she leaked personal information about former Deputy Premier Thomas Lukaszuk and three other government officials. The information revealed Lukaszuk rang up more than $20,000 in international data roaming charges during a personal trip to Europe in 2012. Clayton said the disclosure of the information goes against the Freedom of Information and Privacy Act. “While it is arguable that the release of information about cellphone charges may have been in the public interest, it was leaked in an uncontrolled manner — nobody’s privacy interests were considered,” Clayton said. [Global News]

CA – NL OIPC Reports 66 Breaches between March and June

The Information and Privacy Commissioner has disclosed 66 breaches within public entities between March and June 2016, an increase from the 51 breaches during 2016’s first quarter. “Most of the private information was released through email or regular mail, and only one was intentional,” the report states. Institutions like Service NL, Central Health and the Newfoundland and Labrador English School District all reported breaches. [CBC News]

CA – Newfoundland OIPC Sees Rise in Access to Information Requests

Newfoundland and Labrador’s new Information and Privacy Commissioner Donovan Molloy has seen a large increase in access to information requests. Molloy said changes to the Access to Information and Protection of Privacy Act have made asking for information far easier, resulting in a large influx of applications. “It’s my understanding that there’s been a substantial increase in the number of requests since 2015,” said Molloy. Since taking over last month, Molloy said the large amount of requests have been taxing on his office. “It’s a real struggle right now in terms of volume, keeping up with the number of requests,” said Molloy. “Because of the capacity to store large volumes of information electronically, then the requests are often quite broad as well.” [CBC News]

CA – Lawsuits Filed Against ‘Pokemon Go’, IP Mapping Company

Two separate lawsuits have emerged against companies that use location data. A family in Alberta, Canada, has initiated a class-action lawsuit against the makers of “Pokemon Go” because their house is a “Gym” in the augmented reality game, meaning it’s a destination for players. Homeowner Barbra-Lyn Schaeffer said more than 100 players have wandered onto her property in the past month. A separate lawsuit has been filed by a Kansas, U.S., family against IP mapping company MaxMind. The issue, originally reported on by Fusion’s Kashmir Hill, involves a default GPS setting — which happens to be where the family lives, meaning law enforcement is often called out to the family’s home thinking it’s a place where a crime has been committed. MaxMind has changed the IP location, but not all users have updated their settings, meaning the issue could affect the family for years to come. [Calgary Herald]

E-Government

US – Interior Dept. Needs to Update Logical Access Controls: Report

According to a report from the US Department of the Interior (DOI) Office of the Inspector General (OIG), eight of the nine systems OIG tested at the agency did not meet minimum federal standards for logical access controls. The report also found that DOI needs to encrypt mobile devices and to develop “the ability to inspect encrypted traffic for malicious content.” The OIG report acknowledges that “DOI has implemented multifactor authentication to reduce the risk of unauthorized access” to systems. [SC Magazine: Interior Dept. must update access control standards to meet NIST guidelines – report | FCW: IG: Interior needs to tighten computer security | DOIOIG: Inspection of Federal Computer Security at the US Department of the Interior]

US – OIG Finds GSA Access Controls in Good Shape

The Office of Inspector General (OIG) of the US General Services Administration (GSA) found the agency’s “policies and procedures regarding access controls” to be in line with federal standards. Eleven of the GSA’s 18 examined systems use “multifactor authentication for privileged users consistent with government-wide policies.” The seven systems that do not have multifactor authentication use “compensating controls for privileged user access.” [Nextgov: GSA Gets Thumbs Up on Cybersecurity Act Assessment | GSAIG: US General Services Administration Office of Inspector General Cybersecurity Act Assessment]

E-Mail

WW – Google to Warn Users About Potentially Dangerous e-Mail

In a blog post, Google says it will send warnings to users when they receive email messages that could harm their computers. The warning will ask users if they want to open messages that Google deems untrustworthy, either because they contain links to sites known to host malware, or because Google cannot authenticate that the sender is who it claims to be. [CNET: Don’t click on that: Google updates email warnings | ZDNet: Google Gmail: Now you get security alerts about senders to beat email spoofing | Google: Making email safer with new security warnings in Gmail]

EU Developments

WW – ICDPPC Updates Upcoming Morocco Conference

In its latest communique, the International Conference of Data Protection and Privacy Commissioners provides an update to this year’s conference in Marrakech, Morocco. The conference’s closed session will feature discussion on artificial intelligence, robotics and encryption, while the program will also include themes such as “privacy as a driver for sustainable development, security and privacy, digital education, technology and social trends,” New Zealand Privacy Commissioner and ICDPPC Chair John Edwards wrote. The newsletter also features highlights from the executive committee’s meeting in Singapore, a Q&A with Macedonia Director of the Directorate for Personal Data Protection Goran Trajkovski, and an update on the cloud computing resolution that was adopted in 2012. [Full Story]

EU – E-Privacy Directive Draft on September Docket for European Commission

The European Commission will release its E-Privacy Directive update draft in September, which will mandate that apps like Skype and WhatsApp fall under the same privacy regulatory umbrella as SMS text messages and both mobile and landline calls. “It was obvious that there needs to be an adjustment to the reality of today,” said Green MEP Jan Philipp Albrecht. “We see telecoms providers being replaced and those companies who seek to replace them need to be treated in the same way.” He added that the proposed law will take special aim at upholding strong encryption. Critics counter that these laws must be careful not to curb economic innovation, and that re-tailoring older legislation to fit newer technology is “well-nigh impossible,” the report states. [The Guardian]

Facts & Stats

WW – Study: ‘Insider Negligence’ Most Likely Cause of Data Breaches

A Ponemon Institute study revealed “insider negligence” is the most common cause of a data breach. The study polled more than 3,000 employees in the U.S., U.K., France and Germany, and found 76% of their organizations suffered a data breach in the last two years. The respondents said insider negligence results in more breaches than hackers, malicious employees or poor contractor security. The study also found that 87% of those polled said their jobs require access and use of customer data, employee records and financial information, but only 29% said their organizations allow access on a “need-to-know” basis, with 25% monitoring employee email and file activity. [ZDNet]

FOI

CA – OIPC SK Outlines Steps for Responding to Access and FOI Requests

The Office of the Information and Privacy Commissioner in Saskatchewan has provided guidance on granting individuals access to records held by public bodies, pursuant to the Freedom of Information and Protection of Privacy Act and the Local Authority Freedom of Information and Protection of Privacy Act. Applicant identity should not be disclosed to anyone without a legitimate need to know; public bodies are not entitled to require applicants to explain the reason for their request (except to refine or narrow it, to decide whether to waive fees, or where the body believes the request is frivolous, vexatious, or in bad faith); fee estimates should be proportionate to the work required to respond efficiently and effectively; and notice should be given to third parties any time access is denied due to a third-party exemption, or there is an OIPC review. [OIPC SK – Best Practices for Responding to Access Requests]

CA – OIPC NFLD Finds Government Employee Names, Titles and Remuneration Amounts Should Be Disclosed

The Office of the Information and Privacy Commissioner in Newfoundland and Labrador has reviewed a complaint by third parties regarding the decision of the Newfoundland and Labrador English School District to allow access to records pursuant to the Access to Information and Protection of Privacy Act, 2015. Disclosure is not an unreasonable invasion of privacy if the information is about a public employee’s position, function, or remuneration; the privacy of public employees must be balanced against the public’s right to know how tax dollars are spent, and releasing the specified information about employees without their names would undermine the purpose of the Access to Information and Protection of Privacy Act. [OIPC NFLD – Report A-2016-015 – NFLD English School District]

Genetics

US – MIT Scientists Create System Protecting Patient Privacy Within Genomic Databases

MIT’s Computer Science and Artificial Intelligence Laboratory and Indiana University at Bloomington have developed a research database that allows queries from genome-wide association studies while decreasing privacy threats to “almost zero.” The database employs differential privacy techniques to keep vulnerabilities so low. “It does that by adding a little bit of misinformation to the query results it returns,” the report states. “That means that researchers using the system could begin looking for drug targets with slightly inaccurate data. But in most cases, the answers returned by the system will be close enough to be useful.” Decreased privacy risks and increased access cut database wait times down from the months-long queue period, the report adds. [MIT News] [Nature] See also: [Genetic analysis and its privacy pitfalls]
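The item above describes the mechanism only as “adding a little bit of misinformation to the query results.” The following is an added example, not code from the MIT/Indiana project, that shows the standard way this is done for count queries: the Laplace mechanism, scaled by the query’s sensitivity and the chosen epsilon, together with a running privacy budget so that a researcher cannot average the noise away by repeating the query. The cohort, the SNP identifiers `rs001`/`rs002`, and the class and function names are all constructed for this illustration.

```python
import math
import random

# Constructed toy GWAS cohort: genotype = number of minor-allele copies (0, 1, 2)
# at two hypothetical SNP identifiers, with a case/control label per participant.
COHORT = [
    {"id": "p01", "group": "case",    "rs001": 2, "rs002": 1},
    {"id": "p02", "group": "case",    "rs001": 1, "rs002": 0},
    {"id": "p03", "group": "case",    "rs001": 2, "rs002": 2},
    {"id": "p04", "group": "case",    "rs001": 1, "rs002": 1},
    {"id": "p05", "group": "control", "rs001": 0, "rs002": 1},
    {"id": "p06", "group": "control", "rs001": 1, "rs002": 0},
    {"id": "p07", "group": "control", "rs001": 0, "rs002": 0},
    {"id": "p08", "group": "control", "rs001": 1, "rs002": 2},
]

# One participant contributes at most two allele copies to a count, so adding
# or removing a single record changes the exact answer by at most 2.
ALLELE_COUNT_SENSITIVITY = 2


def true_allele_count(cohort, snp, group):
    """Exact minor-allele count for one SNP within cases or controls."""
    return sum(r[snp] for r in cohort if r["group"] == group)


def laplace_noise(scale, rng):
    """Sample Laplace(0, scale) by inverse CDF from a uniform draw in (-0.5, 0.5)."""
    u = rng.random()
    while u == 0.0:          # avoid log(0) at the open end of the interval
        u = rng.random()
    u -= 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


class BudgetExhausted(Exception):
    """Raised when a query would exceed the cohort's total privacy budget."""


class PrivateQueryEngine:
    """Answers allele-count queries with Laplace noise and tracks the
    cumulative epsilon spent, refusing queries once the budget is used up."""

    def __init__(self, cohort, total_epsilon, rng=None):
        self.cohort = cohort
        self.total_epsilon = total_epsilon
        self.spent = 0.0
        self.rng = rng or random.Random()

    def remaining(self):
        return self.total_epsilon - self.spent

    def allele_count(self, snp, group, epsilon):
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if self.spent + epsilon > self.total_epsilon + 1e-12:
            raise BudgetExhausted(
                f"need {epsilon}, only {self.remaining():.3f} of budget left")
        self.spent += epsilon
        exact = true_allele_count(self.cohort, snp, group)
        # Noise scale = sensitivity / epsilon gives epsilon-differential privacy
        # for this single query; the budget tracker handles composition.
        scale = ALLELE_COUNT_SENSITIVITY / epsilon
        return exact + laplace_noise(scale, self.rng)


if __name__ == "__main__":
    engine = PrivateQueryEngine(COHORT, total_epsilon=1.0, rng=random.Random(7))
    print("exact cases rs001:", true_allele_count(COHORT, "rs001", "case"))
    print("noisy cases rs001:", round(engine.allele_count("rs001", "case", 0.5), 2))
    print("budget left:", engine.remaining())
```

Smaller epsilon means larger noise and stronger privacy; the budget check is what prevents the obvious attack of asking the same question many times and averaging, which is why a real deployment has to account for epsilon per cohort, not per query.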

Health / Medical

WW – Some mHealth Apps Aren’t Making Privacy a Priority

A new study finds that health and wellness apps in particular aren’t making privacy policies easily available to users, even though they are collecting sensitive data. A study by the Future of Privacy Forum finds an overall improvement in the mHealth industry, with 76% of apps surveyed having a privacy policy – an 8% increase since the last survey in 2012. Among their findings was a marked difference in transparency between free and paid apps. Some 86% of the free apps have an accessible privacy policy, while only 66% of the paid apps have a policy. Researchers noted that free apps are usually sustained by advertising, and often are required to disclose their tracking practices to comply with that industry’s standards. [mHealthIntelligence]

Horror Stories

WW – IoT Sex Toy Shares Private Data With Manufacturer

Security researchers have revealed that an internet-connected sex toy is sending intimate data back to the manufacturer for “market research.” The We-Vibe 4 Plus can be controlled remotely through a mobile device and is intended to help couples be more intimate when they’re away from each other. However, the researchers demonstrated the device also shares temperature and vibration intensity data with the manufacturer, and can be easily hacked. “As teledildonics come into the mainstream,” their presentation description noted, “human sexual pleasure has become connected with the concerns of privacy and security already familiar to those who previously only wanted to turn on their lights, rather than their lover.” The president of the manufacturer said the data it receives is not granular enough to know how it’s being used. [Newsweek]

Location

EU – Irish Commissioner Releases Guidance on Location Data

The Office of the Data Protection Commissioner today released guidance on location data. “Aimed at both individuals and organizations, our guidance will assist individuals in understanding how much information relating to their location is collected and processed, and provides clarity to organizations on their obligations regarding such data. The overriding principle of the guidance centers on the protection of the individual’s right to data privacy,” the DPC said in a press release. Included in the guidance are tips about smartphone apps and public Wi-Fi networks collecting location data, as well as wearable devices. The guidance is part of an ongoing educational effort on behalf of the DPC. [Full Story]

US – FTC Offers Analysis, Guidance from InMobi Location Tracking Case

In a new FTC blog post, Nithan Sannappa and Lorrie Faith Cranor offer a deep dive into the location privacy issues revealed in the InMobi case. “In this post,” they write, “we explain the mechanism that the commission alleges InMobi used to track users’ location without permission, and discuss technical steps that mobile operating systems have taken to try to address this practice.” In addition to a detailed analysis of how InMobi tracked the location of users, Sannappa and Cranor write, “Given these complexities, all actors in the mobile ecosystem have a role to play in protecting consumer privacy.” Further, app developers should “consider contractual terms or other steps to help ensure that their third party service providers do not circumvent consumers’ privacy choices.” [Full Story]

Offshore

TH – Thai Government Could Require SIM Cards for Tourists

Thailand’s National Broadcasting and Telecommunications Commission could mandate tourists to carry “location-tracking SIM cards.” “It is not to limit tourists’ rights. Instead it is to locate them which will help if there are some tourists who overstay or run away (from police),” said Secretary-General Takorn Tantasith. Details surrounding the potential program are sparse, like the cost of the cards, how location tracking would work on the card, and when the program could start, the report states. [The Nation]

Online Privacy

WW – Facebook Update Overrides Ad Blockers

Ad blockers will no longer work on Facebook thanks to site updates. While ad blockers will continue to work on other sites and Facebook users can tailor their ad preferences on-site, the move will spark more debate about ads, privacy, and the blockers used to prevent them, the report states. Many are frustrated at the erosion of user control. “It takes a dark path against user choice,” said Eyeo G.m.b.H’s Ben Williams. Some feel Facebook’s updates strike a balance. “Many users rely on ad blockers because they are concerned about privacy or malware,” said the Future of Privacy Forum’s Jules Polonetsky. “Facebook’s change lets users continue to use ad blockers to protect themselves, while ensuring ads are displayed.” [The New York Times]

Other Jurisdictions

NZ – Privacy Commissioner Launches Tool for Privacy Questions

New Zealand’s Office of the Privacy Commissioner launched an online service allowing people to ask privacy-related questions whenever they need to. The “Ask Us” tool allows anyone from individuals to small-business owners to government workers the chance to access privacy information, according to Privacy Commissioner John Edwards. “We have designed this tool with a 360-degree view of who might find it useful,” said Edwards. “We believe this is a leading model that is available to be shared with other public-sector agencies that are also on the Common Web Platform. People will be able to access information that is relevant to them in a convenient way without having to join a phone queue to a call centre.” [CIO]

Privacy (US)

US – FTC to Host Ransomware Event Sept. 7

The Federal Trade Commission will host a three-panel discussion on ransomware in Washington on Sept. 7 as part of its Fall Technology Series, the agency announced in a press release. FTC Chairwoman Edith Ramirez, FTC Chief Technologist Lorrie Faith Cranor, and representatives from organizations like PhishLabs, Red Canary and the FBI will speak. “In addition to the panel discussions, the FTC’s Office of Technology Research and Investigation and New York University’s computer science department will present research based on a study of dozens of ransomware variants,” the report states. This event is free and public. [FTC]

US – Judge Denies Google’s Request to Dismiss Email Interception Lawsuit

U.S. District Judge Lucy Koh denied Google’s request to dismiss a class-action lawsuit alleging the company illicitly intercepts and scans emails before reaching a user’s inbox. Google claims its process for obtaining emails and scanning their contents for use in targeted advertising is part of their standard operating procedure. Koh disagreed with Google, saying its policy may violate the California Wiretap Act. “Under the plain meaning of the Wiretap Act, the ‘ordinary course of business’ exception protects an electronic communication service provider’s interception of email where there is ‘some nexus between the need to engage in the alleged interception and the [provider’s] ultimate business, that is, the ability to provide the underlying service or good,’” Koh wrote in her ruling. [Courthouse News Service]

US – DOC Releases First List of Privacy Shield-Compliant Companies

Late last week, the International Trade Administration — an arm of the U.S. Department of Commerce — released a list of nearly 40 companies that have been approved under the EU-U.S. Privacy Shield. A DOC spokesman said the list would be updated on a rolling basis, adding, “There are nearly 200 applications currently involved in our rigorous review process.” However, businesses have been slow to join the agreement, mostly due to legal uncertainty in the EU. PwC’s Jay Cline, CIPP/US, said, “we don’t expect a stampede to join it in the next few days, but rather a steadily growing wave over the long run, especially if European companies begin to favor Privacy Shield membership in competitive bids.” [Wall Street Journal] See also: The EU-U.S. Privacy Shield is fully operational, as the U.S. Chamber of Commerce has opened registration for U.S. companies, the European Commission announced in a press release, and [Could privacy trust marks be a better Privacy Shield alternative?]

US – California’s Gang Member Database May Violate Privacy Rights

California’s database of suspected gang members may violate the privacy rights of those within the system. A state auditor report examined the CalGang database, a system shared by police agencies across the state, which contains information on nearly 150,000 gang members. The system “does not ensure that user agencies collect and maintain criminal intelligence in a manner that preserves individuals’ privacy rights,” wrote auditor Elaine Howle. The report found four court cases where the database was used as proof of an individual’s gang involvement, and three law enforcement agencies using the database for employment or military-related screenings. “These instances emphasize that inclusion in CalGang has the potential to seriously affect an individual’s life,” the report states. “Therefore, each entry must be accurate and appropriate.” [SFGate]

Privacy Enhancing Technologies (PETs)

WW – Enterprise Privacy Tech Solutions Are On the Rise

With a major new privacy regulation on the horizon in Europe, and increased media and regulatory scrutiny of companies’ privacy practices around the world, the job of engendering consumer trust and maintaining privacy compliance is getting seemingly more difficult every day. Of course, employing privacy pros is the obvious first step in ensuring a robust internal privacy regime, but more and more, privacy pros are in need of tools to help them do their jobs. Fortunately, startups and venture capitalists are recognizing this need for better privacy and information management tools. In this post for Privacy Tech, Jedidiah Bracy, CIPP, looks at two startups looking to work further with privacy pros in an effort to provide technological solutions designed directly for the privacy pro. [IAPP] See also: [Op-ed: New tech could be the boon health care privacy needs]

Security

US – Study: 91% of Visual Hacking Attempts Successful

A Ponemon and 3M Company study found the vast majority of visual hacking attempts are successful. The Global Visual Hacking Experiment spanned 157 trials in 46 participating companies across eight countries, including China, France, Germany and the U.K. The study had a white hat visual hacker take information in different ways, including walking through offices for information, taking confidential business documents off desks and placing them into briefcases, or taking a picture of confidential information using a smartphone. The attempts were successful 91% of the time, with 52% of the sensitive information taken from employee computer screens. Hackers were normally not confronted, as 68% of visual hacking attempts resulted in the malicious party not receiving any questioning. [Full Story]

US – Active Response, Behavior Baselining Hot at Black Hat Conference

One of the popular security terms making its way into conversations during the Black Hat conference last week in Las Vegas is behavior baselining, where an organization focuses on understanding its systems’ typical behavior in order to identify any deviations. “Most organizations accomplish this by employing people and technologies utilizing data science and machine learning for automated analysis,” the report reads. This is complemented by active response, another term making its way around Black Hat. “Active response is the ability to respond to an attack as soon as it is detected within the organization’s environment. The response could include communication with secondary systems such as a ticketing system, or it could include creating a ticket or collecting additional data.” [TechCrunch]
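To make the two terms concrete, here is an added example (not from the TechCrunch report or any vendor) of the simplest form of behavior baselining coupled with an active-response step: a per-host baseline of daily outbound traffic built with a robust statistic (median and median absolute deviation), a modified z-score to flag deviations, and a response function that opens a ticket and requests additional data for a deviating host. The hostnames, the ten-day history, the log-line format and the function names are all constructed for this example.

```python
from statistics import median

# Constructed baseline window: daily outbound traffic (KB) per host over the
# previous ten days. In practice this would be aggregated from flow logs.
HISTORY = {
    "db-01": [1200, 1300, 1250, 1280, 1220, 1310, 1290, 1260, 1240, 1275],
    "ws-17": [400, 420, 380, 410, 400, 430, 390, 405, 415, 395],
}

# Constructed "today" observations in a simple key=value log format.
TODAY_LOG = """\
2016-08-15 host=db-01 bytes_out_kb=4800
2016-08-15 host=ws-17 bytes_out_kb=410
"""


def parse_line(line):
    """Parse one constructed log line into (host, bytes_out_kb)."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return fields["host"], int(fields["bytes_out_kb"])


def baseline(values):
    """Robust baseline: median and median absolute deviation (MAD).
    Unlike mean/stddev, a single past outlier does not drag the baseline."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, mad


def deviation_score(value, med, mad):
    """Modified z-score; 0.6745 rescales MAD to a standard-deviation-like unit.
    A flat history (MAD == 0) makes any change at all a deviation."""
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def evaluate(host, value, history=HISTORY, threshold=3.5):
    """Compare one observation against the host's baseline."""
    med, mad = baseline(history[host])
    score = deviation_score(value, med, mad)
    return {"host": host, "value": value, "baseline": med,
            "score": score, "deviates": abs(score) > threshold}


def respond(finding):
    """Active response: a deviating finding becomes a ticket plus a request
    to collect more data from secondary systems; benign findings get no action."""
    if not finding["deviates"]:
        return {"action": "none", "host": finding["host"]}
    return {
        "action": "open_ticket",
        "host": finding["host"],
        "severity": "high" if abs(finding["score"]) > 10 else "medium",
        "collect": ["netflow", "process_list"],
    }


def run(log_text=TODAY_LOG):
    """Evaluate every line of today's log and return the response per host."""
    return [respond(evaluate(*parse_line(l)))
            for l in log_text.splitlines() if l.strip()]


if __name__ == "__main__":
    for action in run():
        print(action)
```

The threshold of 3.5 on the modified z-score is a common starting point for outlier detection, but any baseline of this kind should be re-learned on a rolling window and reviewed for hosts whose normal behavior legitimately changes (patch cycles, backups), otherwise the active response generates tickets for routine work.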

Surveillance

US – NYC Art Exhibit Examines Privacy in the Surveillance Age

An art exhibit in New York City is focusing on the attempts to stay private in a growing age of surveillance. “Public, Private, Secret” features a wide range of privacy-themed surveillance art from the 1940s to today, a video diary made up of an individual’s private online thoughts, and photos of celebrities. One of the themes of the exhibit is the growing number of people who have access to cameras, allowing more people to engage in visual communication. “The big difference is, it used to be a few people taking images that went out to millions,” said the International Center of Photography’s Executive Director Mark Lubell. “Now it’s millions and millions of people going out to millions and millions of people. I think that’s a seismic shift in the medium, and it’s something we should be looking at and exploring.” [PBS Newshour]

WW – AI Company Develops Drone Risk Analysis Program

An artificial intelligence company is developing a risk analysis program for commercial drones. Flock’s program allows drone operators to safely use their devices by leveraging real-time weather information, locating buildings, and predicting when areas will be filled with people in order to find less congested routes. “We extract actionable insights and predictions from big data by extracting multiple data sources and amassing a wealth of historical data in cities,” said Flock CEO Ed Leon Klinger. “The machine learning element of our technology is what allows us to predict when and where certain areas of cities will become particularly hazardous for drones.” Flock may also be used by insurance companies to help determine the risks of drone flight. [Yahoo!]

US Government Programs

US – Court of Appeals Finds Government’s Warrantless Use of Cell Phone Location Information was Justified

The US Court of Appeals reviewed an appeal by Frank Caraballo for a conviction by the District Court for the District of Vermont for conspiring to distribute drugs, possession of a firearm in furtherance of a drug trafficking crime, and causing the death of an individual. The Court found that emergency circumstances may make the needs of law enforcement so compelling that a warrantless search is objectively reasonable under the Fourth Amendment; the Defendant was reasonably believed to be armed, had recently been identified by the victim as a person who was likely to cause harm, was likely to escape if not quickly apprehended, and posed an imminent threat to law enforcement (undercover police and confidential informants). [US v. Frank Caraballo – 2016 US App. LEXIS 13870 – United States Court of Appeals for the Second Circuit]

US Legislation

US – New Illinois Law Requiring Stricter Rules for Stingray Use

SB 2343, An Act Concerning the Use of Cell Site Simulator Devices, was signed by the Illinois Governor. Before deploying cell site simulators, law enforcement agencies must submit a court application that includes a description of the nature and capabilities of the device to be used, the method of deployment, and procedures to protect the privacy of non-targets; all non-target data must be deleted within 24 hours (if the device is used for location or tracking) or 72 hours (if used for device identification). The Act is effective January 1, 2017. [SB2343 – An Act Concerning the Use of Cell Site Simulator Devices – Illinois General Assembly]

+++
