19-25 August 2016


US – N.Y. State DMV Facial Recognition Tech Helps Nab 100 ID Thieves

In January, the New York State DMV upgraded its facial recognition system by doubling the number of measurement points taken from a driver’s photograph. The DMV said this vastly improves its chances of matching a new photograph against its database of 16 million photos, to which as many as 8,000 new pictures are added each day. The state’s governor says the upgrade has led to the arrest of 100 suspected identity thieves and the opening of 900 previously unsolved cases. In all, since New York implemented facial recognition technology in 2010, more than 14,000 people have been stopped from obtaining multiple licenses. “Facial recognition plays a critical role in keeping our communities safer by cracking down on individuals who break the law,” Gov. Andrew M. Cuomo said in a statement. “New York is leading the nation with this technology, and the results from our use of this enhanced technology are proof positive that its use is vital in making our roads safer and holding fraudsters accountable.” The DMV said new licenses are not issued until a photo clears a check against the DMV database. At least 39 US states use some form of facial recognition software. Since New York’s DMV first implemented the technology in 2010, more than 3,600 people have been arrested for possessing multiple licenses. The agency said it resolved another 10,500 facial recognition cases outside the criminal justice system because the statute of limitations had expired; in those instances the cases were handled administratively, with the agency revoking licenses and transferring all tickets, convictions and accidents to the offender’s true identity. New York’s DMV photo database is not among those forwarded to an FBI program containing about 411.9 million facial recognition images of people who have committed no crimes. [Ars Technica]

EU – Germany Eyes Facial Recognition Tech for Airports, Train Stations

Germany’s interior minister revealed plans for facial recognition systems in the country’s airports and train stations over the weekend, but digital rights activists have told Ars that the plan goes too far and would prove ineffective. Thomas de Maiziere told Bild am Sonntag that he wanted a system that would allow biometric information gathered from surveillance cameras to be matched against intelligence databases of known terror suspects. “There are opportunities for individuals to photograph someone and use facial recognition software on the Internet to find out if they have seen a celebrity or a politician. I want to use such face recognition software on video cameras at airports and train stations to show if a suspect is detected,” he said. “The authorities must use technology they are legally allowed to use.” [Ars Technica]

WW – Researchers Use 3-D Models to Break Facial Recognition Security

Security and computer vision specialists from the University of North Carolina have developed a method to break through facial recognition authentication systems. Using photos found on the internet, the researchers created 3-D models rendered with the motion and depth cues needed to pass through facial recognition security. The hack successfully spoofed four of the five authentication systems the researchers tested. The team also noted the photos were not supplied by any of the 20 volunteers, but were collected through search engines and social media networks. “We could leverage online pictures of the [participants], which I think is kind of terrifying,” says study author True Price. “You can’t always control your online presence or your online image.” [Wired]

Big Data

WW – CSA Issues 100 Best Practices for Keeping Big Data Secure

Big data is best known for its volume, variety, and velocity, collectively referred to as the “3 Vs”, and all three of those traits make security an elusive goal. Targeting companies grappling with that challenge, the Cloud Security Alliance has released a new report offering 100 best practices. As its name suggests, the CSA focuses on promoting security best practices within cloud computing. In an earlier report, the CSA broke big data security risks down into a set of 10 major challenges; now, for each of those, it presents 10 best practices designed to help enterprises keep their information safe. To ensure that the privacy of data subjects is not compromised, all personally identifiable information such as names, addresses, and Social Security numbers must be either masked or removed. It is also important to watch for “quasi-identifiers”, attributes such as ZIP code, date of birth, or gender that do not name a person on their own but can single one out in combination, the report warns. Companies that use nonrelational data stores such as NoSQL databases, meanwhile, are hampered by the fact that such products typically include few robust embedded security features, the report’s authors say. For that reason, they recommend strong, standard cryptography for data at rest, naming the Advanced Encryption Standard (AES), RSA, and SHA-256 as examples; note that SHA-256 is a hash function, which protects integrity rather than confidentiality, so on its own it does not encrypt anything. “The storage of code and encryption keys must be separate from the data storage or repository,” they advise. “The encryption keys should be backed up in an offline, secured location.” Also included in the report are suggestions for real-time security and compliance monitoring, privacy-preserving analytics, data provenance, cryptographic techniques, and more. The handbook is now available as a free download. There has been growing concern about the use of big data and the associated risks to privacy and security. Early this year, the U.S. FTC issued a report with caveats and guidelines for businesses. Market researcher Gartner, meanwhile, predicts that the improper use of big data analytics will cause half of all businesses to experience ethics violations by 2018. [CIO.com] [CSA Big Data Privacy and Security Handbook]
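The quasi-identifier warning above is easiest to see on data. The following is an added example, not code from the CSA handbook or the CIO.com article: it strips direct identifiers from a small set of constructed records, measures how many people each remaining ZIP/date-of-birth/sex combination points at (k-anonymity, where k is the size of the smallest such group), then generalizes the quasi-identifiers and suppresses any records that are still unique. The records, column names and the k threshold are all assumptions made for the example.

```python
from collections import Counter

# Constructed sample records (not taken from the CSA handbook): two direct
# identifiers (name, ssn), three quasi-identifiers (zip, dob, sex), one
# sensitive attribute (dx).
RECORDS = [
    {"name": "Ann Lee",  "ssn": "123-45-6789", "zip": "10001", "dob": "1980-03-14", "sex": "F", "dx": "flu"},
    {"name": "Bea Chen", "ssn": "987-65-4321", "zip": "10001", "dob": "1980-07-02", "sex": "F", "dx": "asthma"},
    {"name": "Cy Dunn",  "ssn": "555-55-5555", "zip": "10002", "dob": "1975-11-30", "sex": "M", "dx": "flu"},
    {"name": "Di Ortiz", "ssn": "444-44-4444", "zip": "10003", "dob": "1975-01-09", "sex": "F", "dx": "hiv"},
    {"name": "Ed Park",  "ssn": "333-33-3333", "zip": "10003", "dob": "1975-05-21", "sex": "F", "dx": "flu"},
    {"name": "Fay Roe",  "ssn": "222-22-2222", "zip": "10002", "dob": "1975-08-15", "sex": "M", "dx": "asthma"},
]

DIRECT_IDENTIFIERS = ("name", "ssn")      # assumed column names
QUASI_IDENTIFIERS = ("zip", "dob", "sex")  # the handbook's examples of quasi-identifiers


def strip_direct_identifiers(records, direct=DIRECT_IDENTIFIERS):
    """Step one of the handbook's advice: drop names, SSNs and other direct identifiers."""
    return [{k: v for k, v in r.items() if k not in direct} for r in records]


def _qi_key(record, qi):
    return tuple(record[c] for c in qi)


def equivalence_classes(records, qi=QUASI_IDENTIFIERS):
    """How many records share each exact quasi-identifier combination."""
    return Counter(_qi_key(r, qi) for r in records)


def k_anonymity(records, qi=QUASI_IDENTIFIERS):
    """Size of the smallest equivalence class. k == 1 means some record is unique
    on its quasi-identifiers alone, so anyone who knows that person's ZIP, date
    of birth and sex (a voter roll is enough) can pick out their row."""
    return min(equivalence_classes(records, qi).values())


def singletons(records, qi=QUASI_IDENTIFIERS):
    """Quasi-identifier combinations that point at exactly one person."""
    return sorted(k for k, n in equivalence_classes(records, qi).items() if n == 1)


def generalize(records):
    """Coarsen the quasi-identifiers: 5-digit ZIP -> 3-digit prefix, full date of
    birth -> birth year. Sex is left as is."""
    out = []
    for r in records:
        g = dict(r)
        g["zip"] = r["zip"][:3] + "**"
        g["dob"] = r["dob"][:4]
        out.append(g)
    return out


def suppress_below_k(records, k, qi=QUASI_IDENTIFIERS):
    """Drop every record whose equivalence class is smaller than k, so that what
    remains is k-anonymous by construction."""
    classes = equivalence_classes(records, qi)
    return [r for r in records if classes[_qi_key(r, qi)] >= k]


if __name__ == "__main__":
    masked = strip_direct_identifiers(RECORDS)
    print("k after removing direct identifiers:", k_anonymity(masked))  # 1
    print("unique QI combinations:", len(singletons(masked)))           # 6
    coarse = generalize(masked)
    print("k after generalizing ZIP and DOB:", k_anonymity(coarse))      # 2
    print("records kept at k=2:", len(suppress_below_k(coarse, 2)))      # 6
```

Removing names and SSNs leaves every record unique on its quasi-identifiers alone, which is the handbook's point: masking direct identifiers is necessary but not sufficient. Generalizing ZIP and date of birth brings the sample to k=2 without suppressing anything; on a real dataset you would pick k per release and expect to lose some rows to suppression.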


CA – Communications Security Establishment Increased Interceptions 26-fold in 2015

A report by the Office of the Communications Security Establishment Commissioner, the body that reviews the Communications Security Establishment (CSE), has found that the agency increased its interception of private communications 26-fold in 2015. While the government will not explain the reason for the increase, the commissioner found all of the CSE’s activities lawful. CSE watchdog Bill Robinson suggests that the agency “may have targeted social media conversations between individuals and counted each separate message in the string as a private communication,” the report states. “A small number of online conversations could be responsible for the rather large total.” [National Post] [Canada’s Spy Agency Now Intercepting Private Messages 26 Times More Than Previously]

CA – Main Terror Threat to Canada Comes From Lone Wolves: Report

The main terrorist threat on Canadian soil remains lone wolves or small groups inspired by ideology to carry out attacks, a new public safety report states. The 2016 report on terrorist threats to Canada draws a distinction between attacks “inspired” by extremist ideology and those “directed” by terrorist organizations abroad. The report also flags one area that complicates investigations of both kinds: the use of encrypted communications technology. Encryption allows private citizens, companies, and governments to protect their communications, business transactions and sensitive information. But law enforcement officials in Canada and beyond have argued that it also allows criminals and terrorists to evade arrest or capture. While encryption has been intensely debated in other Western countries, notably the United States, Canada has yet to have a public debate over its merits. “Encryption technology helps protect the privacy of Canadians but also creates new barriers in law enforcement and national security investigations,” the report states. “The government intends to work with Canadians, industry, and other key stakeholders and the international community to address these privacy and security concerns.” [Source]

CA – Online Privacy a Must in New Alberta Curriculum: Advocate

As the Alberta Education Ministry sets out on the massive task of overhauling the province’s school curriculums, one advocate is hoping to see a focus on privacy in the digital age. Sharon Polsky, director of the Rocky Mountain Civil Liberties Association, said she feels it is important that Alberta Education make online privacy a priority in the Career and Life Management (CALM) portion of the new curriculum. “Considering something like 30% of children have a tablet for their own exclusive use by the time they’re one and the vast majority have daily time with electronic devices by the time they’re two, it’s the same thing as giving a kid your car keys and saying have a nice time, stay safe on the road. They don’t understand the implications of what they’re doing,” she said. Larissa Liepins, press secretary for David Eggen, Minister of Education, said the ministry is interested in hearing input from concerned citizens about what should be included in the new provincial curriculum. [Source]

CA – Waterloo Changes Rental Bylaw After Privacy Complaint

The City of Waterloo has changed its rental housing bylaw after a complaint to the Ontario Privacy Commissioner about the city collecting tenants’ personal information. Council voted this week to approve the changes. Waterloo’s controversial rental housing licensing bylaw, in effect since 2012, limits the number of bedrooms and requires landlords to pay fees; landlords criticized it as a cash grab. At issue was a city requirement that landlords provide the names and contact information of all tenants. In 2014, someone complained to the privacy commissioner about the collection and an investigation was launched. Waterloo agreed to stop collecting tenant information altogether in late 2015, but did not want to amend the bylaw until a review of the entire licensing bylaw, currently underway, was complete. Staff relented at the privacy commissioner’s request and changed the bylaw this week. [Source]


WW – Voting Online Means You’re Giving Up Privacy, Researchers Warn

A research initiative conducted by groups including the Electronic Privacy Information Center and the Verified Voting Foundation found that in the 32 states and one district where online voting is permitted, voters usually accept “technical limitations” that give up their right to a private ballot. Researchers therefore suggest voting in person instead of online. “Even if offered, avoid the use of an online method for marking and/or transmitting votes,” the study states. “Marking ballots without the use of a connection to the internet is the best way to keep your vote secret.” [Vocativ]  [Wired: America’s Electronic Voting Machines Are Scarily Easy Targets]


WW – Study: Business Email Compromise Costs $3B in Damage Worldwide

A new report from Trend Micro reveals an oft-underreported scam has bilked more than $3 billion from businesses around the world. “Business email compromise” — a method by which adversaries use email to trick employees into wiring company funds — has affected approximately 22,000 organizations, according to the FBI, since the beginning of 2015. Trend Micro tracked more than 2,000 BEC incidents in the U.S. and found that attackers often closely research a given target. An adversary may research a company’s legal settlement and imitate the law firm’s email account, for example. Trend Micro Chief Cybersecurity Officer Ed Cabrera said, “BEC doesn’t fall in line with data breach laws — it’s just a digital con game. And unlike other attacks, it does not cause a loss of operational time.” [The Hill]
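The item above describes the con but not how a mail gateway might catch the lookalike it mentions. The following is an added example, not code from Trend Micro or the FBI: it parses two constructed messages with Python’s standard email library and flags three indicators that tend to co-occur in a BEC lure (a sender domain within two edits of a known partner domain, a Reply-To that routes answers to a different domain, and funds-transfer wording). The partner allow-list, the term list and both messages are assumptions made for the example.

```python
import email
from email import policy

# Constructed sample messages (not from the Trend Micro report). The first
# imitates a law firm the target really deals with: the display name is right,
# the domain is one letter off, and replies are routed to a third domain.
SUSPECT_MSG = """From: "Morgan & Associates LLP" <accounts@morgan-assoclates.example>
Reply-To: accounts@mailbox-relay.example
To: ap@victimcorp.example
Subject: Updated wire instructions for settlement
Date: Mon, 22 Aug 2016 09:12:00 -0400

Please use the new account below for today's settlement payment.
"""

BENIGN_MSG = """From: "Morgan & Associates LLP" <accounts@morgan-associates.example>
To: ap@victimcorp.example
Subject: Thursday meeting
Date: Mon, 22 Aug 2016 09:12:00 -0400

Attached is the agenda for Thursday's meeting.
"""

# Hypothetical allow-list of domains the organisation legitimately deals with.
KNOWN_PARTNER_DOMAINS = {"morgan-associates.example"}
# Wording typical of a funds-transfer request (assumed term list).
PAYMENT_TERMS = ("wire", "account", "settlement", "payment", "urgent")


def levenshtein(a, b):
    """Edit distance; a partner domain one or two edits away is a classic lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, known=KNOWN_PARTNER_DOMAINS):
    """Return the partner domain this one imitates, or None if it is not a near miss."""
    for k in known:
        if domain != k and levenshtein(domain, k) <= 2:
            return k
    return None


def _domain(addr_spec):
    return addr_spec.rsplit("@", 1)[-1].lower()


def bec_indicators(raw):
    """Return the list of BEC indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = _domain(msg["From"].addresses[0].addr_spec)
    hits = []

    twin = lookalike_of(from_dom)
    if twin:
        hits.append(f"lookalike-domain:{from_dom}~{twin}")

    # A Reply-To on a different domain means the victim's answer never reaches
    # the address they think they are writing to.
    if msg["Reply-To"]:
        reply_dom = _domain(msg["Reply-To"].addresses[0].addr_spec)
        if reply_dom != from_dom:
            hits.append(f"reply-to-mismatch:{reply_dom}")

    body = msg.get_body(preferencelist=("plain",))
    text = ((body.get_content() if body else "") + " " + str(msg["Subject"] or "")).lower()
    if any(term in text for term in PAYMENT_TERMS):
        hits.append("payment-language")
    return hits


if __name__ == "__main__":
    print(bec_indicators(SUSPECT_MSG))  # three indicators
    print(bec_indicators(BENIGN_MSG))   # []
```

None of the three indicators is conclusive on its own (a law firm may legitimately set a Reply-To), which is why a gateway rule would score them together and route a multi-hit message to a second approver rather than block it outright.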

Electronic Records

US – Many Hospitals Transmit Your Health Records Unencrypted

Healthcare IT organizations often lack the budget and personnel to address security needs. About 32% of hospitals and 52% of non-acute providers, such as outpatient clinics, rehabilitation facilities and physicians’ offices, are not encrypting data in transit, according to a new survey. Additionally, only 61% of acute providers and 48% of non-acute providers are encrypting data at rest. The survey, conducted by the Healthcare Information and Management Systems Society (HIMSS), a Chicago-based trade group for the health information technology sector, also revealed that many of the facilities’ networks do not even have firewalls. A study by the Brookings Institution predicts that one in four data breaches this year will hit the healthcare industry. [IT World]


WW – One Third of Transmitted Health Care Data Left Unencrypted: Study

The Healthcare Information and Management Systems Society’s Cybersecurity Survey found that 35% of hospitals and 52% of non-acute providers do not encrypt their transmitted data. Additionally, only 61% of acute providers and 48% of non-acute providers encrypt data at rest. The study also found that many health care facilities do not use firewalls. Researchers cautioned that wherever there is technology, there are opportunities for breaches or ransomware. “Without a program in place, there can be a large time window for hackers to exploit an unpatched system (especially if systems are patched or upgraded on a reactive, ad hoc basis).” “Time is money, including for hackers, and they are likely to go after low-hanging fruit.” [ITWorld] [Computerworld: Many hospitals transmit your health records unencrypted | HIMSS: 2016 HIMSS Cybersecurity Survey]

EU – German, French Legislators Want EC Help Accessing Encrypted Tech

In the wake of multiple deadly terrorist attacks in their respective countries, German and French officials will petition the European Commission for powers that would let member states force companies providing encrypted communications to give governments access. “It’s a central issue in the fight against terrorism,” said French Interior minister Bernard Cazeneuve. “The European Commission said it ‘welcomed’ the initiatives between the two countries, but said that data protection laws are already under review,” the report states. [ZDNet]

US – NIST Scientists ‘Nervous’ About Lightweight Crypto for IoT

Federal scientists at the National Institute of Standards and Technology are working on new cryptographic standards for the tiny computers embedded in car engines, lightbulbs and other devices connected to the internet, but the process makes some of them uneasy. The Internet of Things presents a distinct challenge for cryptographers, starting with how long a key should be. For instance, the tiny RFID chips embedded in electronic passports have very limited memory, and the standards for connected cars have to allow ultra-low latency, meaning those chips must encrypt and decrypt almost instantaneously. As a result, some of the lightweight crypto standards might end up weaker, and thus easier to break. Keys for use in current NIST-approved encryption standards must be at least 112 bits long; the 80-bit level was phased out of NIST’s general-purpose guidance because it no longer offers an adequate margin against brute force. Some have nonetheless proposed using keys as short as 80 bits in the new lightweight standards. [FedScoop]

Facts & Stats

CA – Trying to Measure the Cost of a Breach

CISOs know that data breaches cost money. One question is how much; another is whether the rest of the organization knows. To answer the first question, Deloitte recently issued a white paper with a calculation showing how many costs are not being considered by management. In one hypothetical case, as reported by David Wheldon, the damage could be up to US$1.6 billion over five years. That’s right: for a theoretical breach of 2.8 million records from a U.S. private health insurance company, the damage could run to 10 figures. [Read the full report here] Not all of the numbers would apply to Canada in this particular example. Because most Canadians are covered under government-funded health insurance, private insurers here are smaller, and, of course, the population is smaller. While the dollar values would be lower, the factors would be the same. The Deloitte calculation includes an estimated $230 million loss to the insurer’s brand image and $430 million in lost value of customer relationships over three years; both factors would apply equally to a retailer or manufacturer. There are also a lot of other so-called beneath-the-surface costs the C-suite may not be thinking of today: operational costs, insurance premium increases and, if necessary, the cost of raising debt to pay for these and other costs. Then there are the expected costs: notifying potentially affected customers and partners, paying for customer protection services, hiring forensic investigators, possibly hiring a crisis reaction team for public relations, facing customer and partner lawsuits, paying regulatory fines, loss of intellectual property (perhaps incalculable) and, of course, cyber security improvements including awareness training. [Source]

WW – Study: Breaches Could Cost One-Fifth of Retail Customers

A KPMG survey found that one-fifth of respondents said they would stop shopping with a company after a data breach, regardless of how it handled the data loss post-breach. One-third of those surveyed added that they would avoid shopping there for at least three months after the breach, the report states. Yet only 55% of surveyed organizations said they had invested in upgraded cybersecurity in the past year. “Make no mistake, there is a lot at stake here for retailers,” said KPMG’s Mark Larson. “Consumers are clearly demanding that their information be protected and they’re going to let their wallets do the talking.” [FedScoop]


CA – OIPC AB Upholds Law Enforcement Body’s Refusal to Confirm or Deny Existence of Disciplinary Records

This OIPC AB order addresses the Calgary Police Service’s handling of a request for access to records pursuant to Alberta’s Freedom of Information and Protection of Privacy Act. Confirmation or denial of the existence of a disciplinary record would indicate whether a complaint had been made or proceedings taken against an officer; disclosure of a disciplinary record would be an unreasonable invasion of privacy (it would reveal his/her employment history, and unfairly damage his/her reputation if a complaint did not go to a hearing) – the only exception would be a disciplinary record that arises from a public hearing. [OIPC AB – Order F2016-24 – Calgary Police Service]

CA – NFLD Public Bodies Should Consider Scope and Intention When Applying the Solicitor-Client Privilege Exception

The OIPC Newfoundland and Labrador has provided guidance on the scope of the legal advice exception in section 30 of the Access to Information and Protection of Privacy Act. The scope of solicitor-client privilege must consider the context and rationale for the privilege (e.g. civil litigation, criminal investigations or prosecutions) and whether the client intended that the communication be kept confidential; the privilege does not extend to documents that are attached but not otherwise related to obtaining legal advice, and the capacity in which the communications are sent does not by itself determine privilege (context must be assessed case by case). [OIPC NFLD – Section 30 – Legal Advice]

CA – IPC ON Upholds Hospital’s Decision to Withhold Meeting Notes Provided to Legal Counsel by Hospital Staff

The IPC Ontario reviewed a hospital’s decision to deny access to records under PHIPA and FIPPA. In anticipation of litigation, a senior hospital staff member asked staff to provide their recollections of a meeting with the Complainant at which the health care of the Complainant’s mother was discussed; the purpose of the records was to document the meeting for legal counsel with the intent of obtaining legal advice and preparing for litigation. [IPC Ontario – PHIPA Decision 30 – Mackenzie Health]

Health / Medical

UK – British Government Mulls Plans to Sell Patient Data

The British government is considering a plan to sell patient health data to private organizations. New guidelines state that patient data will be collected and stored in a centralized database run by NHS Digital. The decision comes after the government dropped its care.data plan when two independent reviews criticized it over poor consent and a lack of transparency about where patient data would be shared. The government says data sharing will only be for patients’ benefit. “We have a strong legal framework to make sure NHS Digital only shares personal information where there is a clear health or care purpose,” a Department of Health spokesperson said. “This means data will only ever be used to deliver real benefits for people and puts beyond any doubt that data can be shared for commercial insurance or other solely commercial purposes.” [Politico]

US – Blockchain in Healthcare Getting a Lot of Attention

When the Office of the National Coordinator for Health Information Technology recently challenged developers and health IT thinkers to come up with uses for blockchain in healthcare, officials were surprised by the vigor of the response. While the blockchain-backed bitcoin cryptocurrency has become a worldwide phenomenon attracting both devotion and criticism, it is less well known that thinking around blockchain in healthcare is moving past the theoretical stage and is even spurring activity from major companies and venture capitalists. Health IT giant Philips has launched a blockchain-in-healthcare lab and joined a new blockchain-in-healthcare network led by blockchain vendor Gem. Accounting and consulting firm Deloitte has released several bullish reports on blockchain in healthcare and formed partnerships with several blockchain startups. Blockchain is in essence a distributed public ledger whose entries are linked by what supporters say is a nearly impregnable cryptographic chain. As such, they say, it has the potential to solve health IT’s most intractable problems: lack of interoperability and securing the integrity, completeness and privacy of health records. [Source]
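What the “cryptographic chain” in the item above actually buys you is easiest to see in code. The following is an added example, not code from the ONC challenge, Philips, Gem or Deloitte: a minimal append-only ledger in which each entry carries the SHA-256 hash of its predecessor, with a verifier that walks the chain and reports the first entry whose hash or back-link no longer matches. The record contents are constructed; there is no distribution or consensus here, which is exactly the caveat the example ends on.

```python
import hashlib
import json

GENESIS_HASH = "0" * 64  # back-link of the first block (conventional, assumed here)


def _hash_block(index, prev_hash, payload):
    """Hash the block's position, its back-link and its payload together.
    Canonical JSON (sorted keys, no whitespace) so equal records hash equally."""
    body = json.dumps({"i": index, "prev": prev_hash, "data": payload},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def append_block(chain, payload):
    """Append a record, linking it to the current tail of the chain."""
    index = len(chain)
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    block = {"i": index, "prev": prev_hash, "data": payload,
             "hash": _hash_block(index, prev_hash, payload)}
    chain.append(block)
    return block


def verify_chain(chain):
    """Return (True, None) if every block's hash and back-link check out,
    otherwise (False, index_of_first_bad_block)."""
    for n, block in enumerate(chain):
        expected_prev = chain[n - 1]["hash"] if n else GENESIS_HASH
        if block["prev"] != expected_prev:
            return False, n
        if block["hash"] != _hash_block(block["i"], block["prev"], block["data"]):
            return False, n
    return True, None


def build_sample_chain():
    """Three constructed health-record events for one (fictional) patient."""
    chain = []
    append_block(chain, {"patient": "P-1001", "event": "lab_result", "value": "HbA1c 6.1%"})
    append_block(chain, {"patient": "P-1001", "event": "rx", "value": "metformin 500mg"})
    append_block(chain, {"patient": "P-1001", "event": "consent", "value": "share with clinic B"})
    return chain


def tamper_demo():
    """Edit a stored record in place without touching its hash: caught at that block."""
    chain = build_sample_chain()
    chain[1]["data"]["value"] = "metformin 850mg"
    return verify_chain(chain)  # (False, 1)


def recompute_demo():
    """Edit a record and recompute its own hash: the next block's back-link
    still points at the old hash, so the break moves one block forward."""
    chain = build_sample_chain()
    chain[1]["data"]["value"] = "metformin 850mg"
    chain[1]["hash"] = _hash_block(1, chain[1]["prev"], chain[1]["data"])
    return verify_chain(chain)  # (False, 2)


if __name__ == "__main__":
    print(verify_chain(build_sample_chain()))  # (True, None)
    print(tamper_demo())                       # (False, 1)
    print(recompute_demo())                    # (False, 2)
```

The chain detects an edit to any single block, but an attacker who can rewrite every block after the edited one produces a chain that verifies perfectly. Integrity therefore rests on the tail hash being held by parties the attacker does not control, which is what distribution and consensus add and what this single-process example deliberately leaves out.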

Horror Stories

CA – OPC Finds Dating Website’s Security Measures Were Lacking, Misled Consumers

The lead privacy regulators of Canada and Australia have released the results of their joint investigation into the Ashley Madison data breach. The dating service had inadequate authentication processes for employee remote access, stored encryption keys and passwords as plain, clearly identifiable text on its systems, fabricated the security trust-mark on its homepage, and inappropriately retained personal information after user profiles had been deactivated or deleted; the service must conduct a comprehensive review of its protections, augment its security framework, adequately train staff, and cease indefinite retention of personal information from deactivated and inactive accounts. [OPC Canada – PIPEDA Report of Findings 2016-005 – Joint investigation by the Privacy Commissioner, the Australian Privacy Commissioner and Acting Australian Information Commissioner News Release | Report of Findings | Compliance Agreement | Takeaways for All Organizations] [OAIC.gov.au | The Globe and Mail | OPCC: Ashley Madison investigation finds security measures lacking; fictitious security trustmark was ‘deceptive’]

Identity Issues

AU – Australia’s Government Is Copping Flack for its ‘Digital Identity’ Plans

“Digital Identity is having the ability for the government to trust that you are who you say you are,” is the explanation the Federal Government’s Digital Transformation Office (DTO) gives for the establishment of a single digital profile that will allow you to access various government services. But trust has to go both ways, and the Australian Privacy Foundation (APF) has expressed “serious concern” about federated identity, stating the process has been “seriously deficient” and conducted “in a context of increasing distrust of government.” The DTO says the global trend of services moving online, and the economic benefits that produces, necessitates an online identity verification process, particularly in cases of sensitive data. The DTO is building both a verification model and a method for logins. The APF’s concerns surround the fact that the Digital Identity project has now been running for over a year, has reached the beta stage, and statements are being made about deployment. “Yet civil society has yet to be engaged,” APF says. “A single meeting has now been held, but materials were withheld until the last moment, and the very few advocates present had limited opportunity to gain clarifications, and virtually none to provide feedback”. The APF says that by its nature the project “harbours enormous threats to individuals, and to society as a whole”, warning the whole thing has “a very high” risk of failure. “This is the latest of many proposals that have come and gone over the last 30 years relating to citizen identifiers, accounts, authenticators and credentials,” the APF says. The APF says overall, there is a “lack of clarity” surrounding the scheme. “Apart from a brief remark to the effect that the scheme could be implemented administratively, i.e. without parliamentary approval or even oversight, no information has been provided about applicable laws, and the impact of laws in such areas as data retention, data breach notification, cybersecurity, disestablishment of the OAIC, and a privacy right of action”. [Gizmodo]

US – FTC’s Ramirez: We’re Expanding Definition of PII

Speaking at the Technology Policy Institute in Aspen, Colorado, FTC Chairwoman Edith Ramirez said consumer control and consent need to remain at the forefront of innovation, despite online privacy issues becoming increasingly complex. “We hear with increasing frequency the claim that technological innovation and big data have rendered certain fundamental tenets of privacy, particularly the idea of consumer consent, outdated and ill-suited for today’s digital world. I disagree,” said Ramirez. The FTC is working to address this issue by broadening the definition of personally identifiable information. “We now regard data as personally identifiable when it can be reasonably linked to a particular person, computer, or device,” Ramirez said. “In many cases, persistent identifiers, such as device identifiers, MAC addresses, static IP addresses, and retail loyalty card numbers meet this test.” [FedScoop]

Internet / WWW

WW – Survey: 51% of IT Execs Believe Public Cloud More Secure

A SADA Systems survey of 210 tech executives found that 51 percent feel that the public cloud is more secure than their private one, while 58% believe the public cloud is the most cost-efficient and safe data-storage option. In total, 84% of the surveyed said their companies used public clouds. Yet just because cloud “comfort levels” continue to grow doesn’t mean information technology professionals should dial back their vigilance, the report states. “Security still needs to be the front and center concern when you are relying on someone else to manage your data,” the report adds. “The key is that while cloud providers may have all the newest and shiniest security solutions … the cloud customer still needs to take ownership of security.” [ZDNet]

Law Enforcement

CA – Canada’s Police Chiefs Pass Resolution to Obtain Passwords

The Canadian Association of Chiefs of Police passed a resolution requesting legal measures to force people to hand over electronic passwords with a judge’s consent. The police chiefs cite criminals’ increasing use of encryption to hide illegal activities. RCMP Assistant Commissioner Joe Oliver said there is nothing in Canadian law compelling an individual to hand over a password during a law enforcement investigation. “The victims in the digital space are real,” Oliver said. “Canada’s law and policing capabilities must keep pace with the evolution of technology.” OpenMedia spokesman David Christopher called the proposal “wildly disproportionate,” arguing that handing over the password to a device such as a laptop would be similar to “handing over the key to your whole personal life.” A Toronto Star op-ed argues Canadian citizens need to protect their privacy rights when considering any proposal involving law enforcement password requests. [The Canadian Press] [The lobbying group Canadian Association of Chiefs of Police is calling for a legal framework requiring Canadians to share electronic passwords during a police investigation]

CA – Police Don’t Want to Talk About How They Spend Surveillance Dollars

Police in Toronto, Ottawa, and the municipalities of Peel and York have each received hundreds of thousands of dollars under the Provincial Electronic Surveillance Equipment Deployment Program (PESEDP). This little-known project is described by police as “funding for the purchase of, or improvements to, equipment used in the investigation of organized crime”, which does not reveal much. Mentions of the program can be found in publicly available meeting agendas and reports dating back to 2011. A 2016 report detailing the latest payment to the York Regional Police notes that the force has agreements with the Ontario Provincial Police to “share services to intercept personal communications” and “to monitor personal communications,” both expiring in November 2017. Tamir Israel, staff lawyer at the University of Ottawa’s Canadian Internet Policy and Public Interest Clinic, says that the PESEDP money could be spent in a number of ways: “Police services are investing in a range of new surveillance technologies, from license-plate recognition devices, to facial recognition or IMSI catchers.” As for whether a privacy assessment has been done on the program, a media request made to the federal Office of the Privacy Commissioner was referred to the provincial office, then to MCSCS (Ontario’s Ministry of Community Safety and Correctional Services), which would neither confirm nor deny it. At this point, no one other than the police forces involved knows what kinds of equipment PESEDP is paying for, but some of the surveillance programs operated by police in Ontario and elsewhere in Canada are coming to light. [Source]

Online Privacy

US – EFF Voices Criticisms of Microsoft’s Windows 10 Updates

The Electronic Frontier Foundation voiced its criticisms over Microsoft’s Windows 10 updates, saying the reminders violate user privacy. The EFF also says Microsoft collects an “unprecedented amount of usage data,” including location data, text input, browsing history, and running programs. Microsoft defended its practices, saying the data collected helps make Windows 10 a more customizable experience for the user. The EFF wants to see Microsoft clarify whether opting out of the features is enough to ensure the user’s privacy rights are intact. “Microsoft should come clean with its user community,” said EFF Intake Coordinator Amul Kalia. “The company needs to acknowledge its missteps and offer real, meaningful opt outs to the users who want them, preferably in a single unified screen.” [Digital Trends] [Microsoft forces you to choose between privacy and security, say campaigners]

WW – WhatsApp to Begin Sharing User Data with Facebook

WhatsApp will start sharing user information with Facebook. The messaging app plans to send members’ phone numbers and analytics data to the social network, marking the first time WhatsApp has connected user accounts to Facebook. WhatsApp said neither company would be able to view users’ encrypted messages, and promised not to share phone numbers with advertisers. “Our values and our respect for your privacy continue to guide the decisions we make at WhatsApp,” Co-founder Jan Koum wrote in a blog post explaining the update to the company’s privacy policy. “It’s why we’ve rolled out end-to-end encryption, which means no one can read your messages other than the people you talk to. Not us, not Facebook, nor anyone else.” [The New York Times] [WhatsApp gives users 30 days to opt-out of handing phone number over to Facebook]

UK – UK Data Privacy Regulator to Track Whatsapp’s Data Sharing with Facebook

The UK’s data privacy regulator will monitor how the mobile messaging app WhatsApp shares data with parent business Facebook following an update to its privacy policy. The Information Commissioner’s Office (ICO) aims to ensure that WhatsApp is being transparent about what user data is shared and how, observing that the new policy would likely split opinion among users. Under the new policy, the phone numbers of the more than one billion users of the app will be shared with Facebook, paving the way for more targeted ads and friend recommendations. “Some might consider it’ll give them a better service, others may be concerned by the lack of control. Our role is to pull back the curtain on things like this, ensuring that companies are being transparent with the public about how their personal data is being shared and protecting consumers by making sure the law is being followed,” said Information Commissioner Elizabeth Denham. While the ICO does not have the power to block such a move, any change does need to abide by data protection laws. If it doesn’t, and is found to breach the Data Protection Act, then it could be fined up to £500,000 by the regulator. [Source]

Other Jurisdictions

NZ – Privacy Commissioner: Children’s Safety Comes Before Privacy Laws

New Zealand Privacy Commissioner John Edwards has officially agreed with the Minister of Social Development’s proposal to update privacy laws so that federal agencies can disclose information about children in danger with both greater ease and less fear about potential enforcement action, the Office of the Privacy Commissioner announced in a statement. “Agencies should not be concerned about breaking privacy laws when it comes to vulnerable children,” Edwards said. “They should already be sharing information and not be waiting for the law reform to take effect.” He added that whatever the proposed legal revisions, government officials should continue to encourage those who know of a child at risk to report that information. [privacy.org]

Privacy (US)

US – FTC Will Host Ransomware Panel Discussions

Next month, the FTC will host three panel discussions on ransomware to help organizations and consumers protect their computers. The event is scheduled for September 7 at 1:00PM ET and will be webcast from the FTC site. [Computerworld: Ransomware attracts FTC attention | FTC: Fall Technology Series: Ransomware]

US – FTC Notice Workshop Agenda Announced

The FTC has released its agenda for its Sept. 15 workshop entitled, “Putting Notices to the Test,” the agency said in a press release. The free event will feature 22 different presentations and remarks by FTC Chairwoman Edith Ramirez and FTC Chief Technologist Lorrie Cranor, among others. The workshop will begin with a presentation of cognitive models and then split into six topic areas: “methods and procedures to evaluate the effectiveness of disclosures; whether and when people notice or pay attention to various types of disclosures; how much people understand or comprehend the information presented in disclosures; disclosures’ impact on consumers’ decision making processes; case studies; and a look at the future of research on disclosures,” the release states. [FTC]

US – Pennsylvania Court Confirms Unlawful Disclosure of Legally Protected Information Constitutes an Injury

The Court reviewed a debt collector’s motion in limine to dismiss an individual’s claim of injury under the Fair Debt Collection Practices Act. An individual received a debt collection letter in the mail that included a barcode next to his name and address, which was visible through the envelope’s glassine window; the Court found the injury was particularized because the individual alleged that his personal identifying information was disclosed, and concrete because the unlawful disclosure of legally protected information is sufficient to demonstrate a concrete harm. [John Daubert v. NRA Group, LLC – 2016 U.S. Dist. LEXIS 105909 – United States District Court for the Middle District of Pennsylvania | Subscription required]

US – EPIC suing FAA for Lack of Privacy in Drone Regulations

The Electronic Privacy Information Center has sued the Federal Aviation Association for not including privacy regulations in its first formal rules for drone use. “EPIC argues that, since Congress directed the FAA to develop ‘comprehensive’ rules that ‘safely’ integrate drones into U.S. airspace, it’s obligated to consider privacy issues,” the report states. The suit calls for the DC Circuit Court of Appeals to overturn the regulations and compel the FAA to consider privacy protocols. [ZDNet]

Privacy Enhancing Technologies (PETs)

WW – Bitcoin Privacy Tool ‘CoinShuffle’ Sees First Transaction

A type of anonymous bitcoin transaction that privacy enthusiasts have been awaiting for years has finally been tested successfully. Sent on the bitcoin test network earlier this month, the transaction is possibly the first real-world implementation of CoinShuffle, a proposal that first generated excitement in April 2014 for building on existing privacy techniques in a way that doesn’t rely on third parties. Until now, it was just a proof-of-concept, but on 15th August, bitcoin developer Daniel Krawisz sent what he believes is the first transaction utilizing this tool. The big idea behind the technique is that it guards sensitive user information that may otherwise be visible on bitcoin’s public blockchain, but the short-term goal is to incorporate the technique into the bitcoin wallet service Mycelium, which is sponsoring the project. Launched in 2013, Mycelium recently released a roadmap with CoinShuffle scheduled for “phase 5”, or the final step, of its development plan. [Coindesk]


US – Forthcoming NIST Guidelines On Passwords Embrace Emojis

The U.S. National Institute of Standards and Technology is developing guidelines for strong computer passwords. The guidelines recommend longer passwords, allowing emojis, and letting users check whether a potential password is among the most commonly used, the report states. Furthermore, the guidelines advise against hint questions, SMS verification, and “special character” or knowledge-based authentication hurdles. “Password policies need to evolve as we learn more about how people use and abuse them,” the report states. “NIST’s goal is to get us to protect ourselves reliably without unneeded complexity, because complexity works against security.” [Naked Security]
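The checks the guidelines describe, as an added example that is neither NIST’s nor the article’s code: a Python acceptance function that counts length in Unicode code points (so an emoji counts as one character), consults a constructed common-password list, and applies no special-character rules. The minimum and maximum lengths and the blocklist contents are assumed values.

```python
"""Password acceptance checks in the spirit of the NIST guidance summarised
above: favour length over composition rules, accept any Unicode character
(emoji included), and reject candidates found on a list of commonly used
passwords. This is an added illustration, not NIST's or the article's code;
the length bounds and the blocklist contents are assumed values."""
import unicodedata
from typing import Tuple

MIN_LENGTH = 8    # assumed minimum, counted in Unicode code points
MAX_LENGTH = 64   # assumed ceiling high enough to allow long passphrases

# Constructed sample of "most popular" passwords. A real deployment would
# load a large list of leaked/common passwords here instead.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "iloveyou", "admin",
}


def normalize(candidate: str) -> str:
    """NFKC-normalize so visually identical input compares equal regardless
    of how the keyboard or client encoded it."""
    return unicodedata.normalize("NFKC", candidate)


def check_password(candidate: str) -> Tuple[bool, str]:
    """Return (accepted, reason).

    Only length and the blocklist are enforced. There are deliberately no
    rules demanding digits or special characters and no hint questions:
    complexity rules push people toward predictable patterns."""
    pw = normalize(candidate)
    # len() counts code points, so a single emoji such as U+1F512 counts as
    # one character rather than as the several bytes of its UTF-8 encoding.
    length = len(pw)
    if length < MIN_LENGTH:
        return False, f"too short: {length} < {MIN_LENGTH} characters"
    if length > MAX_LENGTH:
        return False, f"too long: {length} > {MAX_LENGTH} characters"
    # Case-insensitive lookup: "Password" is no stronger than "password".
    if pw.casefold() in COMMON_PASSWORDS:
        return False, "appears in the list of commonly used passwords"
    return True, "ok"


if __name__ == "__main__":
    for sample in ("P@ss1!", "Password", "correct horse battery staple",
                   "\U0001F512\U0001F511\U0001F431\U0001F680"
                   "\U0001F3B8\U0001F332\U0001F34E\U0001F525"):
        print(repr(sample), check_password(sample))
```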

WW – Study: SMBs Lack Security Training

The Shred-it 2016 Security Tracker survey found security training is lacking in a majority of companies. The study found 78% of small- and medium-sized businesses only conduct security training once a year or less, with 51% of C-suite executives responding with similar results. 28% of organizations state they have never trained their employees on legal compliance requirements and 22% conduct training on an ad hoc basis. “With employees returning to work in the fall, business leaders have a prime opportunity to engage their teams and raise awareness of information security risks,” said Shred-it Global Director Andrew Lenardon. “They can consider taking advantage of this time to launch a comprehensive training program that makes information security best practices a part of all employees’ daily routine and responsibilities.” [Infosecurity Magazine]


UK – Terror Watchdog Backs Bulk Hacking Powers, Calls for Expert Tech Panel

Bulk hacking of equipment at home and abroad by UK spies can be justified, an independent review of proposed terror law has said—even though an operational case for such surveillance is yet to be proven. David Anderson QC confirmed in his 204-page report that mass snooping powers—some of which have been used by MI5, MI6, and GCHQ for years—were vital to help the security services combat terrorism and other serious crime in the UK. He said, in a review of the government’s operational case for bulk powers (PDF), that bulk interception and the scooping up and storing of vast amounts of communications data and bulk personal datasets had, over the years, helped those agencies to avert a wide range of threats. [Ars Technica] [Mixed reaction to Anderson review of bulk surveillance powers] [Review finds ‘proven’ or ‘distinct’ operational case for bulk surveillance powers]

US – Chicago’s ‘Smart City’ Networks Face Law Enforcement Access Questions

Chicago’s Array of Things sensor network approved a new privacy policy, but questions remain surrounding law enforcement requests. Chicago will activate the first wave of sensors, cameras and microphones later this summer, monitoring the city’s environment, as well as pedestrian and vehicular traffic. As for law enforcement requests, Chicago’s Commissioner of the Department of Innovation and Technology Brenna Berman believes law enforcement requests will be low, while saying the requests were not included in the privacy policies, as “a policy is designed to set a general framework around operations. We can’t actually answer what action would be taken under any possible circumstance in the future.” Senior Staff Attorney for the Electronic Frontier Foundation Lee Tien was critical of the omission. “The handling of law enforcement, it seems pretty clear it’s not in there at all and it should be,” Tien said. “So that’s definitely a failure.” [The Chicago Tribune]

US – Privacy and the New Tolling System in Massachusetts

Massachusetts is making the shift to an all-electronic tolling system that will end the need for drivers to stop, or even slow down, to pay tolls. State officials have said the new system will reduce congestion, pollution, accidents at toll plazas, and, hopefully, drivers’ commute times. But concerns have also been raised about the volume of data the technology collects as drivers pass through toll zones, and about how that data is being stored and used. According to a state transportation department spokeswoman, the new all-electronic tolling system captures the following information each time a vehicle passes through a toll zone: date and time, location, lane, vehicle speed, E-ZPass transponder number, photos of the front and rear of the vehicle to capture the license plate number and plate date, and a video to capture vehicle axle count. The data is retained indefinitely and used primarily for business purposes, but also for “research purposes” in the interest of “identifying traffic patterns.” The new tolling system also includes a “hot list” feature that can send law enforcement instant alerts when cars with specified license plates or transponders pass under toll gantries. Officials say the feature will only be used to track vehicles in the case of urgent public safety emergencies, such as AMBER Alerts, the notices issued when children are abducted and believed to be in danger. Officials have said the vehicle speed data that are collected are used to synchronize the cameras that record each license plate. Officials have pledged that speed data will not be used to ticket drivers. The department has reciprocal agreements to share a limited amount of tolling data with other states so that the department can bill out-of-state vehicle owners who drive on Massachusetts toll roads.
Otherwise, the department said it shares tolling data when legally required to do so, including with federal officials, law enforcement agencies, and lawyers representing individuals in divorce and other civil cases who obtain court orders. The department said that, in accordance with state law, it notifies people whose information is sought through subpoenas, allowing them to take legal action to fight the subpoenas. However, exceptions could be made for serious and time-sensitive cases in which law enforcement requests to be able to use the hot list feature, officials said. MassDOT offers special transponders that can be loaded by paying cash so the devices will not be associated with a driver’s name, address, bank account, or credit card. [Boston Globe]

US Government Programs

US – Stolen NSA Tools Take Advantage of Zero-Day Vulnerabilities

Sophisticated “hacking tools” allegedly stolen from an NSA-related server have been leaked online. The thieves have said they plan to sell the tools in a digital auction. The tools bear digital signatures that match those used by the Equation Group, a group that has alleged links to the NSA. The incident highlights the risk of hoarding zero-day vulnerabilities. When intelligence agencies use them to develop tools, those tools could be stolen and make their way into the hands of malicious actors. [eWeek: Hard Facts Scarce in Purported Theft of Hacking Tools from NSA Server | Washington Post: NSA hacking tools were leaked online. Here’s what you need to know. | Wired: The Shadow Brokers Mess is What Happens when the NSA Hoards Zero-days | Ars Technica: Confirmed: hacking tool leak came from “omnipotent” NSA-tied group | Computerworld: Alleged NSA data dump contains hacking tools rarely seen]

Workplace Privacy

UK – Ex-officer Wins Lawsuit After Department’s Illicit Monitoring

A former Met Police officer won her case after suing the department for illicitly monitoring her activities. The Met surveilled former Detective Constable Andrea Brown after she went on vacation with her daughter while on sick leave. The Met Police and the Greater Manchester Police both admitted to violating the Data Protection Act and Brown’s right to privacy before the final ruling. “What is significant is that the judge commented that the senior police officers involved in this case didn’t appear to have any appreciation or understanding of the laws that regulate their conduct in this area, and didn’t acknowledge that they had done anything wrong,” said Brown’s Solicitor Advocate David Gray-Jones. [BBC]
