15 Sept – 14 Oct 2016

15 September-14 October 2016


EU – Facial Recognition Tech Goes Live for MasterCard in Europe

MasterCard has announced it will move its facial scan-trigged payment authentication from trial to live status in Europe. This program, entitled “MasterCard Identity Check,” allows users to authenticate payments with a selfie or fingerprint scan. “One extant issue with using biometrics for authentication is that, unlike passwords, they cannot be changed,” the report adds. “So let’s hope MasterCard is properly encrypting whatever biometric data it is storing/accessing.” Regarding data storage, a MasterCard spokeswoman said that the company was currently working to eventually store facial recognition data at a device level. She added that MasterCard used the collected biometric information only to verify identity. The company expects a global rollout of the recognition technology in 2017, the report adds. [TechCrunch] [MasterCard Rolls Out Selfie Payments Decreasing Privacy One Step Further]

EU – CNIL Announces Implementation of Two New Biometric Rules

French data protection authority, the CNIL, announced the implementation of two new biometric rules. Single Authorizations AU-052 and AU-053 will repeal previous biometric rules created by the CNIL and have been enforced in anticipation of the General Data Protection Regulation. The authorizations differentiate between two types of biometric systems. Single Authorization AU-052 covers biometric systems controlled by an individual, such as a chip card, or within a database in a form unusable without the user’s involvement. Single Authorization AU-053 covers biometric systems not permitting users to keep control of their biometric template. The CNIL advises organizations to use biometric access systems allowing users to maintain control of their biometric template. [Hunton & Williams’ Privacy & Information Security Law Blog] [CNIL Advises Biometric Data Should Be Used For Employee Access Only if Alternative Means are Insufficient: CNIL – Biometrics – A New Framework for Biometric Access Control in the Workplace]

WW – Uber to Use Facial Recognition Technology

Ride-sharing service Uber has announced it will use facial recognition and matching technology to verify driver identity, prevent fraud and increase user safety. “It also protects riders by building another layer of accountability into the app to ensure the right person is behind the wheel,” said Uber Chief Safety Officer Joe Sullivan. The app will begin using Microsoft’s Cognitive Services tool to match photos by the end of the week. While some are concerned about the move’s privacy implications, other maintain there aren’t any. “Face verification is less problematic than other uses of the technology — such as when face recognition is used to identify an unknown person,” said the Center on Privacy and Technology Executive Director Alvaro Bedoya. [The Hill] [Portland Uber drivers will now be prompted for selfies]

US – Invasion of Privacy: Hotels Are No Longer Places of Enforced Privacy

A law firm examines the lack of privacy in hotels. Hotels, like other organizations, are increasingly using big data and new technology to track and build guest profiles (e.g. using WiFi, TV viewing habits, facial recognition software and surveillance cameras, and reward programs); guest privacy is also impacted by government access (e.g. subpoenas, municipal ordinances, or covert surveillance in some countries), and hackers (e.g. malware attacks on payment card information). [Sleep with an Eye Open: The New Age of Hotel Privacy Intrusion – Theodore Claypoole, Partner, Womble Carlyle Sandridge & Rice, LLP]


CA – Therrien: Canada Needs to Modernize Its Data Protection Efforts

The Privacy Commissioner of Canada Daniel Therrien calls for more modernized methods to protect personal data in his Annual Report to Parliament. Therrien said technological advances and new business models are putting more pressure on privacy, and with 90% of Canadians concerned about their inability to safeguard their privacy, it’s time to look at new ideas and possibly revamp outdated laws. Therrien also said the government has not done enough to protect the privacy of “law-abiding Canadians” from information-sharing powers under the C-51 legislation. “We’re trying to use 20th century tools to deal with 21st century privacy problems and it’s clear those tools are increasingly insufficient … The government should give greater priority to the modernization of laws and policies and it should invest more resources in building robust privacy protection frameworks.” [OIPC Canada] [Privacy chief says tools must keep pace with technology; takes aim at TV show] [Government failing to protect privacy of citizens, says watchdog]

CA – C-22 ‘Good First Step’ But Government Still Needs National Security Advice

Appearing before the House of Commons public safety and national security committee, Canada’s privacy commissioner Daniel Therrien said that while the government’s legislation to create a committee of parliamentarians tasked with reviewing national security activities is a “good first step,” it should expand the idea to include a panel of national security experts. Therrien’s comments kicked off the committee’s new study on Canada’s national security framework and how it balances privacy and civil rights with the need to keep Canadians safe. The committee also will examine C-22 before Parliament rises for the winter but the meeting (the first of seven) dealt more broadly with witnesses on the national security framework. Therrien pointed out that while the nine members of Parliament and senators appointed to the committee will be sworn to secrecy, they won’t necessarily be subject matter experts in national security. While three of Canada’s security agencies are subject to expert review (CSE, CSIS and the RCMP), the vast majority of the 17 government departments and agencies able to exchange information on Canadians under C-51 still would not be, and Therrien suggested that should change in conjunction with the creation of the committee. [I Politics] Commissioner Therrien is pushing for laws to regulate the Communications Security Establishment’s access to and collection of citizens’ metadata] See also: [Spies use C-51 to gather intelligence from Canadians detained overseas]

CA – Report: Six Provinces Have No Breach Notification Laws for Health Data

Six provinces do not possess any legislation requiring hospitals, doctors or other health care organizations to notify patients when their data is breached. British Columbia, Alberta, Saskatchewan, Manitoba, Quebec, and Prince Edward Island currently have not implemented or have no laws at all for breach notifications. The six provinces have a combined population of nearly 20 million people. CBC News found there were 1,300 health care breach reports in 2015, up from 922 in 2014. Those numbers include breaches occurring in provinces with no notification rules. Alberta and Prince Edward Island are working to implement passed legislation to make breach notifications mandatory. [CBC News]

CA – P.E.I.’S New Law Makes It Mandatory to Inform Patients of Privacy Breaches

Prince Edward Island’s Information and Privacy Commissioner Karen Rose discussed the province’s Health Information Act, making it mandatory for patients to be notified if their privacy is breached. “What the Health Information Act states is the public body, when they discover the breach, they manage it as quickly as possible by responding to it, trying to contain it, notifying the people who are affected by it, investigating it, and then looking at what additional systems they could put in place to ensure this doesn’t happen again,” said Rose. The commissioner said all breaches will be reported to her and she will provide oversight on how they are handled. [CBC News] [New P.E.I. Health Act Will Disclose Privacy Breaches]

CA – Kruzeniski: HIPA Has ‘Gaps’ Needing Fixing

Saskatchewan Information and Privacy Commissioner Ron Kruzeniski is pushing to fix a “gap” in the Health Information Protection Act following a situation involving patient information and a photocopier. An anonymous individual purchased a photocopier from an auction that possessed printed pages of personal health information from Midway Walk-in Healthcare Centre. The individual attempted to sell the information for $5,000. Kruzeniski said HIPA doesn’t apply to business owners of health facilities, adding the definition of a trustee needs to be expanded. “I find the situation extremely frustrating and concerning,” Kruzeniski wrote in a report. “To think that my personal health information was given to and collected by a physician, but when stored or processed, my personal health information did not have the protection of HIPA.” [Regina LeaderPost]

CA – Op-ed: British Columbia Must Update FOI, Privacy Law

Vincent Gogolek explains why BC needs to reform the Freedom of Information and Protection of Privacy Act. Gogolek cites repeated efforts from former Information and Privacy Commissioner Elizabeth Denham to update the law. “Some of these recommendations include setting out a legal duty to document government actions, increasing penalties for interfering with information rights, and expanding coverage of the Act to include private contractors working for the public sector,” writes Gogolek, who also explains the downsides to delaying the revisions. “By waiting until February 2017, it seems unlikely the government will introduce, never mind pass into law, the necessary reforms to the Freedom of Information and Protection of Privacy Act, despite years of detailed reports and recommendations by commissioners, former commissioners, a unanimous Special Legislative Committee, and a slew of experts and citizens,” Gogolek writes. [The Huffington Post]

CA – Stoddart Invested by Governor General

His Excellency, the Right Hon. David Johnston, Governor General of Canada, invested 46 recipients into the Order of Canada in a ceremony at Rideau Hall in Ottawa, on September 23. Among the new Officers of the Order of Canada, recognizing National service, was former Bradford West Gwillimbury resident and Privacy Commissioner, Jennifer Stoddart, who has been a passionate defender of the privacy rights integral to a free and democratic society. Trained as a lawyer and historian, she was prominent in human rights and employment equity before her appointment as Canada’s 6th Privacy Commissioner. During her tenure, she led a number of initiatives demonstrating how to protect privacy, in the Information Age – recognizing that the global reach of social media necessitated a co-ordinated response. She rallied the international community to defend privacy rights, setting an example. [Bradford Times]


WW – Consumer Tool Helps Users Understand Pricing Algorithms

ProPublica has unveiled tool focused on pricing algorithms, in its series designed “to explain and peer inside the black-box algorithms that increasingly dominate our lives.” Because websites are “created, literally, the moment you arrive,” companies can easily develop websites for different users. “Each element of the page — the pictures, the ads, the text, the comments — live on computers in different places and are sent to your device when you request them.” For example. The Princeton Review was citing different SAT prep course prices depending on ZIP codes, and the new tool allows users to test their findings. “That’s the thing with algorithms — they can discriminate unintentionally.” “And as we enter a world of mass customization, we need to be on the lookout for this kind of discrimination.” [ProPublica]

WW – 92 % of Consumers Don’t Understand How Companies Use Their Data

A study conducted by the Chartered Institute of Marketing found 92% of the 2,500 consumers surveyed did not understand how companies used their data. Of those participants, 57% did not trust companies to responsibly handle their data, while 51% claimed they had been contacted by an organization after their data had been misused. After compiling their findings, the CIM said personal data policies should be clearer and simpler on websites. The study also found only 16% of respondents take the time to read terms and conditions and privacy policies. [BBC.com]


US – Montana Department of Justice Listing Data Breaches on Its Website

Following legislation passed in 2015 requiring companies in Montana to report data breaches, the state’s Department of Justice will now post the breaches on its website. “You can arrange the data in different ways,” said the department’s John Barnes. “You can export it into an Excel sheet, a PDF, or however you want to do it. It has information such as the business name, the notification documents that were sent to us are linked there, the date of the start and end of the breach, the data that it was reported to us, and the estimated number of Montanans impacted by each specific breach.” [KGVO.com]

AU – Agency Pulls 96,000-Person Dataset from Internet Over Privacy Concerns

The Australian Public Service Commission has removed an anonymized dataset of 96,000 surveyed government employees after concerns that a numerical data code assigned to each of the surveyed could be used to discover respondents by their answers. “We decided that extra care should be taken to make certain that individual officers could not be identified, especially if cross referenced with a range of other publicly available data,” an APSC representative said in a statement. “A review of the dataset is underway.” The set had been downloaded 58 times before it was removed, the report adds. [iTnews] See also: [Media Researchers May Need To Onboard Privacy Controls To Avoid Matching Respondent Identities]

US – Foreign Hackers Breach Voter Databases In Four States

Foreign hackers breached the voter registration databases in four states. Officials acknowledged cyberattacks in both Arizona and Illinois, while sources say Florida was one of the other states breached. The fourth state has not been identified. One source said a phishing attack was likely the cause of the attacks, as the hackers targeted both government systems, and computers maintained by private contractors hired to keep voter data. “The attack was successful only in the sense that they gained access to the database, but they didn’t manipulate any of the voter [information] in the database,” the ABC News source said. Homeland Security Secretary Jeh Johnson said 21 states have asked his department for help in order to prevent similar attacks from occurring. [ABC News]

US – DHS Says Attackers Probing US States’ Voting Systems

According to a US Department of Homeland Security (DHS) official, voter registration systems in at least 20 states have been breached or probed by attackers. DHS says there is no evidence that data have been altered. However, the fact of the intrusions themselves could cause people to doubt the integrity of US voting systems. [Fortune | Darkreading]

US – Bill Would Punish Agency Heads for Breaches

Legislation introduced in the US House of Representatives would allow for agency heads to be punished in the event of certain security breaches. The Cybersecurity Responsibility and Accountability Act of 2016 would allow the Office of Management and Budget (OMB) to recommend demotion, pay penalties, or even firing if a breach is found to be due to the agency head’s failure “to comply sufficiently with the information security requirements, recommendations, or standards.” The proposed Cybersecurity Responsibility and Accountability Act of 2016 would mean government agency heads could be fired, demoted or punished for breaches resulting from their failure to “comply sufficiently with the information security requirements, recommendations or standards. [Nextgov.com]


US – Yahoo Scanned eMail for US Government

Yahoo created a tool to scan all customers’ incoming emails for a certain set of characters at the behest of US intelligence. There is speculation that this is the first instance of a US Internet company agreeing to comply with a government demand to scanning all incoming messages. Former employees say that some senior executives were unhappy with the company’s decision to comply with the demand. Alex Stamos, who at the time was Yahoo’s CISO, left that company in June 2015. – Reuters: Exclusive: Yahoo secretly scanned customer emails for U.S. intelligence – sources | Arstechnica: Yahoo’s CISO resigned in 2015 over secret e-mail search tool ordered by feds | Washington Postm: Yahoo helps the government read your emails. Just following orders, they say] [Yahoo Mail suspends automatic mail forwarding as privacy controversies swirl]

US – Yahoo Updates Email Security Features

In the wake of Yahoo’s confirmation of a 2012 breach with 500 million victims, the company has updated its email security features. It added a user tracking screen, showing “the recent devices (e.g., Chrome, Mac OS X) where the Yahoo account has been used, followed by a log of the most recent activity or changes to your Yahoo account,”. However, critics argue that the screens features aren’t comprehensive enough, and that the lack of a straightforward account deletion button is problematic. Meanwhile, the Morning Consult reports that half of the 1,989 registered voters surveyed by the publication are “uneasy” about allegations that Yahoo may have scanned emails for intelligence information on behalf of the U.S. government. [TechCrunch] See also: [Access Now asks Verizon to examine email scanning allegations against Yahoo] [Verizon reportedly wants $1B taken off Yahoo sale after privacy fallout] [Yahoo faces wave of breach class actions, EU regulators raise ‘serious questions’]

CA – OIPC ON Cautions Custodians about the Risks of Using Email to Communicate PHI

A new Ontario IPC fact sheet addresses the risks of emailing personal health information. The risks include inadvertently sending the PHI to the wrong recipient (e.g. mistyping an email address or using the autocomplete feature), the theft or loss of portable devices, unauthorized forwarding or changing of the email, and interception or hacking by third parties; risk mitigation measures include notifying patients about the custodian’s written email policy and obtaining their consent prior to the use of unencrypted email, using end-to-end encryption, and encrypting backups (including those located offsite). [IPC ON – Communicating Personal Health Information by Email | Press Release]

CA – NL OIPC Recommends Ban on Personal Emails for Government Business

Province has ‘duty to document,’ according to information commissioner Donovan Molloy, Newfoundland and Labrador’s information and privacy commissioner, who said the provincial government should prohibit the use of personal email accounts to conduct government business. Donovan Molloy made that recommendation in a report issued this week. That report was specific to the Department of Natural Resources. But in it, Molloy also dealt with the broader issue of the “duty to document” within the government. “True commitment to accountability and transparency dictates the implementation of record-keeping practices and policies that preclude use of personal email accounts or other means that either avoid creating records or make records inaccessible,” Molloy wrote. “Premiers, ministers, chairs, directors and other executives who use personal email to conduct the business of a public body set a tone throughout the body that this is acceptable, and perhaps preferred. Citizens of the province are entitled not to have their access to information subverted by the use of personal email. The public also must be satisfied that communications surrounding a public body’s decisions and its actual decisions are documented so that there are records to access.” [CBC News]

CA – NS OIPC: Personal Email and Government Work Should Never Mix

Government records not properly secured, search for info not easy on outside servers. Nova Scotia’s information watchdog wants any provincial and municipal employees paid by taxpayers to be prohibited from using personal cellphones, tablets and email accounts for work-related tasks — unless those tools can be set up to retain and store records automatically. Information and privacy commissioner Catherine Tully issued new guidelines warning public employees not to use personal emails or send texts if it involves their jobs. She said the policy is needed to safeguard government records. [CBC News]

CA – Risk Managers Unsure Whether their Cyber Insurance Policy Covers Data in Cloud Servers

Four in five risk managers surveyed said their company has a stand-alone cyber insurance policy, though only three in four reported their policy covers network/business interruption, Risk and Insurance Management Society Inc. said in the 2016 RIMS Cyber Survey. When asked whether their company has a “stand-alone cyber insurance policy,” 80% of respondents said yes, 19.5% said no and 0.5% said they were not sure. Respondents were asked whether their organization’s cyber insurance extends to data stored in cloud servers. More than two-thirds (69%) said yes, 9% said no and 22% said they were not sure. RIMS also asked members which losses were included in their cyber insurance policies. More than nine in 10 (91%) said breach notification costs. About one in four (27%) said theft of trade secrets; 80% said data recovery; 50% said professional liability; 76% said network/business interruption; 78% cyber extortion and 63% said fines and penalties. Among U.S. respondents, 48% the U.S. government should mandate breach reporting. [Canadian Underwriter]

US – Donald Trump Rented Ted Cruz’s Supporter Email List 31 Times

Before endorsing Donald Trump for president, Sen. Ted Cruz, R-Texas, had rented the email list of his supporters to the Trump campaign numerous times for financial gain. While the financial conditions of the agreement are unclear, an “email rate sheet shows that Cruz asks campaigns to pay more than $22,000 for the right to send a single email [to] his list of 280,000 digital donors. He charges more than $51,000 to ping his full email file of 1.28 million supporters.” Cybersecurity professional Robert Graham donated $10 to most presidential candidates using different email addresses to determine how many times his address was shared. Graham’s records found Trump consulted the Cruz list 31 times, more than any other candidate or committee. [POLITICO]

Electronic Records

WW – How Medical PHI Is Sold On Deep Web and Why That Matters

Perhaps no industry sector has been hit harder in recent years by data breaches than the health sector. To delve further into the issue, researchers at the Institute for Critical Infrastructure Technology dove into the so-called “deep web,” and discovered marketplaces where users can buy prescription drugs, access government and pharmacy databases, and buy medical information from stolen electronic health records. Ryan Chiavetta looks into the report — Your Life, Repackaged and Resold: The Deep Web Exploitation of Health Sector Breach Victims — and discusses its results with one of the report’s researchers, James Scott, as well as Protenus CEO Robert Lord. [Privacy Tech] See also [Why medical breaches run rampant and what can be done to stop them]


WW – Prepare for Threat of Quantum Computing to Encrypted Data

The race to create new cryptographic standards before super-fast quantum computers are built that can rip apart data protected by existing encryption methods isn’t going fast enough, two senior Canadian officials have warned a security conference. “I think we are already behind,” Scott Jones, deputy chief of IT security at the Communications Security Establishment (CSE), responsible for securing federal information systems, told the fourth annual international workshop on quantum-safe cryptography in Toronto. “Quantum represents a fundamental change and challenge to encryption for all of us,” Jones said, noting that encrypted transactions are the backbone of security and trust on the Internet. [itworldcanada.com] [National Electronic Intelligence Agency Executive Calls for ‘Rational Debate’ on Encryption]

WW – Facebook Now Offers Opt-in Encryption for Mobile Messenger App

Facebook is now offering an opt-in encryption for its Messenger mobile app. The “Secret Conversations” feature allows users to send messages that no one but the sender and the recipient will be able to read. It also allows senders to set a destruction time of between five seconds and one day for sent messages.[ZDnet.com | CS Mmonitor]

EU Developments

UK – ICO Endorses Use of ‘Just-In-Time’ Notices

The UK Information Commissioner’s Office has endorsed the use of “just-in-time” notices in its new code of practice. The agency said the notices, consisting of video messages or other forms of communication, can help companies receive the consent they need to process personal data correctly. The ICO said organizations should not restrict privacy notices to a single document or page on their websites. “Often, and particularly when on an organisation’s website, people will provide personal data at different points of a purchase or interaction. When filling out a form people may not think about the impact that providing the information will have at a later date. Just-in-time notices work by appearing on the individual’s screen at the point where they input personal data, providing a brief message explaining how the information they are about to provide will be used,” the ICO said. [ICO.iuk.org]

UK – ICO Fines TalkTalk Over Customer Data Theft

The UK Information Commissioner’s Office has fined telecommunications company TalkTalk £400,000 (US $497,000) for inadequate security resulting in the theft of customer data. The incident occurred in October 2015. The attackers were able to access the personal information of more than 156,000 TalkTalk customers; roughly 16,000 of those records included bank account information. If TalkTalk pays the fine by November 1, 2016, it will be reduced by 20 percent. [ICO Report | BBC | v3.co.uk] [UK ICO Fines Telecom £400,00 For Failing to Safeguard Online Customer Personal Data]

EU – Commission Plans Cybersecurity Rules for Internet-Connected Machines

The European Commission is getting ready to propose new legislation to protect machines from cybersecurity breaches, signalling the executive’s growing interest in encouraging traditional European manufacturers to build more devices that are connected to the internet. A new plan to overhaul EU telecoms law, which digital policy chiefs Günther Oettinger and Andrus Ansip presented three weeks ago, aims to speed up internet connections to meet the needs of big industries like car manufacturing and agriculture as they gradually use more internet functions. But that transition to more and faster internet connections has caused many companies to worry that new products and industrial tools that rely on the internet will be more vFulnerable to attacks from hackers. EU lawmakers want to dispel those fears by creating rules that force companies to meet tough security standards and go through multi-pronged certification processes to guarantee privacy. “That’s really a problem in the internet of things. It’s not enough to just look at one component. You need to look at the network, the cloud. You need a governance framework to get certification,” Thibault Kleiner, Oettinger’s deputy head of cabinet, said at a Brussels conference yesterday evening (4 October). Kleiner said the Commission would encourage companies to come up with a labelling system for internet-connected devices that are approved and secure. [EurActiv]

EU – Europe Drafting IoT Security Requirements

The European Commission is drafting new laws aimed at improving security of the Internet of Things (IoT). The rules are a part of the European Commission’s plan to rework its telecommunications laws. The medical machinery/devices and industrial control systems, have had over a decade to self-regulate and have failed. And those are industries selling to business. The current and future wave of “things” in the IoT is consumer-driven and built and sold by thousands of companies that can’t even spell cybersecurity. The European Commission seems to be aiming at UL or Energy Star like certification program. If the “basic security hygiene” certification bar is high enough (a big “if”), that is a good starting point. [ krebsonsecurity]

EU – Smart Meters Receive New Guidelines to Protect Data from Hackers

Technical guidelines for a new digitization law designed to protect smart meters from cyberattacks, while putting consumers in control of what happens to their data. Employing privacy-by-design principles, the guidelines will incorporate a system requiring consumers to allow a “fine-grained data transmission” before the information can be used by various entities. The smart meters collect and transfer data on consumers and are used by third-party metering companies, direct marketers, data aggregators, virtual power plant operators, and storage companies. [Ethical Corp]

EU – Watchdog Groups Sue US, UK and Other Countries for Violating European Convention on Human Rights

Ten privacy watchdog organizations from Canada, Egypt, Ireland and the U.S., including Amnesty International, have sued the U.S., New Zealand, Australia, the U.K. and Canada for bulk surveillance practices that they contend violates the European Convention on Human Rights. The surveillance “violates the Convention’s right to privacy because the U.K.-based wing of the program does not implement adequate safeguards’” “In framing a government which is to be administered by men over men, the great difficulty lies in this: you must first enable the government to control the governed; and in the next place oblige it to control itself,” the groups said in their brief. [The Hill]

EU – Researchers Find Privacy Policies Lack Privacy Considerations

German third-party testing laboratory the AV-Test Institute has criticized privacy policies in a new study. It argues companies have too much access to the personal information of users. “In almost every privacy policy examined, the manufacturers presume a vast number of access rights to data that should not be necessary for using a security software application,” AV-Test Institute’s study states. Some policies called for access to biometric data. While the AV-Test Institute’s CEO Andreas Marx didn’t want to specify which policies asked for what, he did say that the average policy is 12 pages and most were composed of “impenetrable jargon.” He added that the study’s feedback found that some companies were working to improve their policies. [Fedscoop] [Study]

Facts & Stats

CA – Federal Data Breaches Up 16%, Canadian Privacy Commissioner Reports

The number of material data breaches suffered by federal government departments increased 16 % to 298 for the 12 month period ending March, 2016, compared to 256 the previous year according to the federal privacy commissioner’s annual report. “As in years before, ‘accidental disclosure’ was the most common cause cited for breaches, “highlighting the need for institutions to ensure proper procedures are in place to protect Canadians’ personal information. The report says new technologies and business models are putting ever-greater pressures on privacy and demand a more modern approach to protecting personal information. “The government should give greater priority to the modernization of laws and policies and it should invest more resources in building robust privacy protection frameworks. This is essential to maintaining public confidence in government and the digital economy.” The data breach numbers for the last fiscal year were the second year government departments were obliged under Treasury Board rules to report to the privacy commissioner’s office “material” data breaches. In the years before 2012-2013 reporting was voluntary. But, the report adds, there is still inconsistency in reporting. For example, there were more than 5,800 breaches recorded across all departments in 2015-2016, but just over five per cent of those reported to Therrien. The report says it’s time for breach notification to be elevated from a policy directive to a legal requirement. The report also notes a sharp increase in voluntary data breach reports submitted by organizations covered by PIPEDA. For calendar year 2015, there were 98 reports, more than double the 44 received in 2014. That is expected to increase even more when mandatory data breach reporting comes into effect, perhaps next year, when regulations are proclaimed under the Digital Privacy Act. [itworldcanada.com]


CA – OPC Canada Warns About Privacy Risks Associated with Electronic and Digital Payments

The OPC issues guidance on privacy of electronic and digital payments. Privacy and security risks are generally greater due to the multiple entities processing PI; there can be significant association of purchases with location and social media connections, virtual currencies do not necessarily permit anonymous purchasing (e.g. account registration may require a user to provide PI that can include driver’s licence and passport information), data brokers and marketers may buy purchase data from retailers or loyalty/reward programs, and some digital wallet apps may post who a user paid and what they paid for. [OPC Canada – Electronic and Digital Payments and Privacy] See also: [UK: Are card firms are putting YOU at risk online as they scale back verified schemes to stop shops missing out on sales?]


CA – NL Privacy Commissioner Pushes to Post Contracts for Goods and Services Online

The province’s information and privacy commissioner believes he has a way to save the Newfoundland and Labrador government money and fight corruption at the same time: by posting its contracts with companies for various goods and services online. He said other countries have started posting the contents of contracts online and seen savings, and his idea has caught the attention of some people in this province. Right now, the province does maintain an Open Data web site where it posts data on a variety of topics such as fuel prices, wildlife permits, and mining industry employment. [CBC News]

US – US-EU Join Forces to Create Open-Source, Open-Data System

U.S. Department of Commerce counselor Justin Antonipillai and the Director-General of DG Connect at the European Commission Roberto Viola announced a partnership to create a joint U.S.-EU open-source, open-data system, designed to speed up access to open data on both sides of the Atlantic. Open Government Data is the product of the two agencies exchanging ideas on digital issues, and represents “a substantial source of trusted and quality information which can speed up the transition towards a truly data-driven economy …We want to ease the reuse of open data by businesses for development of new products and services and to help public authorities exchange best practices in publishing open data,” the announcement read. “Also, we want to more broadly seek to identify needs from data users for a better usability of open data originating from the EU and the U.S.” [Medium.com]

CA – OIPC AB Finds Public Body Did Not Meet Burden of Proof for Exemption

The Alberta Office of the Information and Privacy Commissioner reviewed a decision by the Alberta Justice and Solicitor General to deny a request for records, pursuant to the Freedom of Information and Protection of Privacy Act. The public body provided an affidavit stating that all records over which privilege had been claimed are the subject of an exemption; however, privilege can only be claimed document by document, with each document being required to meet the criteria (a communication between solicitor and client which entails the seeking or giving of legal advice, and is intended to be confidential by the parties). [Office of the Information and Privacy Commissioner – Order F2016-31 – Alberta Justice and Solicitor General]

CA – BC Supreme Court Compels Newspaper to Disclose Information Related to Professional Association Investigation

The BC Supreme Court considered a motion to quash production orders issued by the Law Society to a journalist and his employer newspaper in relation to an internal investigation. The Legal Profession Act, which includes subpoena powers, applies to non-lawyers, and the production order issued by a law society to the newspaper and journalist for purposes of investigating a member’s conduct was reasonable; the order was not seeking the petitioner’s PI or proprietary corporation information, the petitioners’ article placed the information in the public domain, and the regulation of professions is a compelling objective. [Mulgrew v. The Law Society of British Columbia – 2016 BCSC 1279 – In The Supreme Court of British Columbia]

CA – OIPC SK Confirms Ministry Cannot Charge for Time Spent Preparing Fee Estimate

The Office of the Saskatchewan Information and Privacy Commissioner reviewed a fee estimate provided by the Ministry of Agriculture, pursuant to the: Freedom of Information and Protection of Privacy Act; and Freedom of Information and Protection of Privacy Act Regulations. The Ministry could not charge the applicant the same preparation fee after he narrowed the scope of his request simply because the Ministry had already completed the search for records before the fee estimate was agreed on (completing the entire search before reaching agreement on the fees was a waste of government time); once the fee was expected to surpass $50, the Ministry should have stopped its search for responsive records and provided a fee estimate. [Office of the Saskatchewan Information and Privacy Commissioner – Review Report 115-2016 – Ministry of Agriculture]

CA – OIPC BC Finds Solicitor-Client Privilege Applies to Final Report About a Workplace Investigation

The BC Office of the Information and Privacy Commissioner reviewed a decision by the Provincial Health Services Authority to deny access to records requested, pursuant to the Freedom of Information and Protection of Personal Privacy Act. The report was a confidential communication between the public body and the law firm retained to conduct the investigation; the firm was retained to provide legal advice (not just investigate the issue), Terms of Reference explicitly state that the investigation was privileged and confidential, the investigating lawyers expressly agreed that all information collected would be treated confidentially, and each page of the report was stamped with the word ‘confidential’. [OIPC BC – Order F16-40 – Provincial Health Services Authority]


US – DNA Database Poses Potential Privacy Risks: Op-ed

David Lazarus explains why U.S. President Barack Obama’s “precision medicine” database containing DNA information of a million volunteers needs strong privacy protections. While the system represents a big leap in big data analytics by allowing doctors and hospitals to help piece together a person’s risk for disease, it also has its downsides. “The darker possibility, however, is a disturbing prospect of genetic haves and have-nots, and of discrimination based not on race, age or gender but on health.” “My sense is that when it comes to big data and health care, we don’t know what we don’t know. That is, the full benefits and dangers will become apparent only as these systems are brought online and start to interact,” he added. [Los Angeles Times]

US – White House’s OSTP Requests Info on Data Portability

The Office of Science and Technology Policy has issued a request for information on data portability and “whether and how to increase your ability to get and use your data,” the White House said. “Proponents of increased data portability point to numerous, significant benefits for users, service providers and the broader public,” while “some privacy and security advocates also worry that the strength of data portability could encourage more information sharing, including when it might be inadvisable from a privacy perspective.” Therefore, the OSTP hopes to discover the benefits and detriments of increased data sharing; those industries most affected by the practice; what the federal government and other organizations can be doing to increase data portability; and best practices, the report adds. The OSTP will accept comments until Nov. 23. [White House]

Health / Medical

CA – Ontario: Doctors Worry About Patient Privacy As They Speculate On Government Plans For Ehealth

The province’s doctors are expressing “grave concerns” about the Liberal government’s plans for eHealth Ontario. In the wake of Health Minister Eric Hoskins’ decision to ask Premier Kathleen Wynne’s privatization guru, Ed Clark, to appraise the monetary value of the electronic health records agency, the Ontario Medical Association is sounding the alarm over patient privacy. Wrote OMA president Dr. Virginia Walley in an open letter to Clark: “We have grave concerns about how your mandate from Minister Hoskins is being interpreted… We are particularly concerned to read in media reports that the government may be seeking to monetize this data-gathering ability for profit,” she continued, as she urged “safeguards” to protect patients. Walley, whose organization represents the province’s 42,000 doctors, also took issue with the government’s assertion that its digital health strategy is paying off dividends. “The blunt reality is that we do not currently have a functional eHealth system that benefits patient care and it is unclear to us currently how your mandate from Minister Hoskins will help encourage or support this,” she wrote. [Toronto Star] See also: [Ontario asks privatization czar to look at digital health system]

US – HHS Releases Cloud Computing Guidance for HIPAA Covered Entities

The U.S. Department of Health & Human Services has released guidance on the best ways for HIPAA covered entities and business associates to use cloud computing solutions while protecting electronic health records. “This guidance focuses on cloud resources offered by a CSP [cloud service provider] that is an entity legally separate from the covered entity or business associate considering the use of its services. CSPs generally offer online access to shared computing resources with varying levels of functionality depending on the users’ requirements, ranging from mere data storage to complete software solutions,” the announcement said. The guidance answers several concerns, including whether covered entities can use a cloud service to store or process ePHI, and if HIPAA rules allow health care providers to use mobile devices to access ePHI in the cloud. [HHS.gov]

CA – Health Crackdown on Doctor Double-Billing Hindered by Privacy Laws

The New Brunswick Department of Health contends privacy laws are preventing it from stopping doctors who are double billing Medicare and WorkSafe New Brunswick for the same medical services. The department’s Deputy Minister Tom Maston said privacy legislation makes it impossible for the two agencies to determine whether they are paying for the same service two times. “One of the challenges we have with the data is you cannot use the data for something other than what the data was collected for,” said Maston. “Each act will specify that this piece of data is collected for this reason, and if you want to use it for a different reason, sometimes the act will not permit that. Even within our department, within divisions, it is difficult to share data because of privacy concerns.” [CBC News]

US – Affordable Care Act Hurts Fight Against Medical Identity Theft: Op-ed

ID Experts CEO Bob Gregg explains how the Affordable Care Act works against patients who are victims of identity theft. Gregg speaks to health industry executives who wish to develop relationships with patients based on trust, but the ACA’s requirement to spend 80-85% of customer premiums on claims or quality improvement initiatives creates an issue. “The problem is that security measures to protect data or fight fraud are considered administrative expenses and not quality of care improvements. Insurers are effectively barred from spending beyond a certain amount on protections for their customers’ medical identities, protections that could potentially save their lives,” writes Gregg. “Health plans should not be penalized for spending money to protect their customers.” [The Hill]

US – NYT Writer Attempts to Obtain His Entire Medical History in 72 Hours

Proclaiming it “an exercise that most people could benefit from,” Ron Lieber challenged himself to obtain his entire medical history within 72 hours. The project came in response to a colleague’s article that stated “there’s often no such thing as a complete medical dossier on anyone.” Gathering all his medical data in one place could help him correct any errors in his medical history “that make me look like a bad insurance bet,” he wrote. “I spent three full days pestering my pediatrician in Chicago for immunization records and wandering New York in search of the travel medicine specialist I saw in 2005… Then, I tried to figure out what life insurance underwriters would find out from services that gather prescription drug histories upon request.” Lieber was not successful in obtaining all the information in the allotted time frame, but said he learned a lot about obtaining data from different health care entities. [The New York Times] See also: [How robots could fill a gap in health-care]

US – WakeMed Health Penalized for Publishing PHI Within Online Court Documents

A federal court penalized WakeMed Health and Hospitals for publishing sensitive patient information online in filings it made for court cases. WakeMed must pay $70,000 in punitive damages, including $50,000 to the court and $10,000 going to each of the two individuals filing a complaint, while also paying $60,000 to cover the plaintiffs’ legal fees. Thousands of patients had their Social Security numbers and dates of birth published online in court documents WakeMed was using to seek payments for debts supposedly owed by individuals who filed for bankruptcy protection. “The court’s decision highlights the need to offer certain staff members compliance training that goes far beyond HIPAA and addresses all relevant patient privacy legal requirements — including those tied to bankruptcy issues.” [GovInfoSecurity]

Horror Stories

US – More than 58 Million Records Stolen from Data Aggregator

Data aggregator Modern Business Solutions suffered a database breach that compromised at least 58 million records. Modern Businesses Solutions works primarily with the automotive and real estate industries. [SC Magazine | The Register]

CA – Ex-AHS Employee Inappropriately Accessed Thousands of Patient Records

A former Alberta Health Services employee inappropriately accessed the health information of 1,300 patients, and the hospital is now in the process of notifying those affected. AHS also said the same employee viewed demographic information on another 11,539 Alberta patients, including names, addresses, dates of birth and health care numbers. The hospital said patient records were not altered, and the employee is no longer working in the organization. “The accuracy of that health care information has not been altered or tampered with,” AHS Interim Vice President of Quality Dr. Francois Belanger said. “We also know that health care information has not been printed and likely not shared with anybody else. “We understand that this information will be concerning to Albertans, and it is to us as well.” [Global News]

CA – Vancouver Marijuana Dispensary Site Exposed Patient Medical Information

A Vancouver marijuana dispensary website suffered a data breach when it was discovered the information of several patients was openly available to the public with no password protection. The website had personal information and medical records on patients, including birth certificates, medical imaging, passports, prescriptions, biopsy reports and mental health assessments. The BC Information and Privacy Commissioner has started an investigation, and it has not been determined whether the breach was accidental, or malicious. The breach comes after Ottawa marijuana dispensary chain Magna Terra Health Services accidentally sent an email containing information on 470 customers who purchased cannabis at their stores. [Times Colonist] see also [300,000 urology patients’ info exposed online]

CA – Marijuana Dispensary Accidentally Sends Email With Customers’ Addresses

Ottawa marijuana dispensary chain Magna Terra Health Services accidentally sent an email containing the addresses of 470 individuals who had purchased medical cannabis at their locations. A second email was sent out by Magna Terra President Franco Vigile apologizing for the breach, saying the employee responsible for sending the first email had been fired. “We take risks daily to ensure all of our members have safe and convenient access to their medication which I believe outlines our sincerity and dedication towards caring about our members which leaves me extremely upset over this situation,” Vigile wrote in the email, while also saying he has reached out to the service provider to “try and rectify the error by recalling all of the emails sent out.” [Ottawa Citizen]

NZ – More than 1M Dating Site Accounts Leaked on The Internet

The personal information of approximately 1.5 million users of a New Zealand-based dating company was discovered on the internet. The C&Z Tech Limited leak revealed usernames, email addresses, passwords, genders, dates of birth, countries of residence, and other personal information. The company was alerted to the breach by the MacKeeper Security Research Center, and quickly secured the data. “While we acknowledge the data breach, only a small number of users were affected,” said C&Z employee Anton who did not provide his last name “The data leak was from one of our test databases, the majority of data were dummy data and were randomly generated, and the vulnerability was immediately remediated.” Media reports questioned the legitimacy of the dating site’s claims. [ZDNet]

Identity Issues

AU – Bill Making Re-Identifying Data Criminal Debuts in Senate

Australian Attorney-General George Brandis has moved on his plans to criminalize re-identification of de-identified data “published by the Commonwealth,” introducing into the Senate his proposed amendments to the Privacy Act. “It will also be an offence to counsel, procure, facilitate or encourage anyone to do this, and to publish or communicate any re-identified dataset,” the exploratory memorandum said. Lawbreakers could face up to two years in prison. The bill “will be retrospectively applied from 29 Sept.,” the report adds. [ZDNet] See also: [Japan’s Government Releases Guidance on De-identification of Personal Data | Press Release] and [Irish DPA Advises that Removal of Direct Identifiers Does Not Make Data Sets Anonymous – see the Data Protection Commissioner in Ireland provides guidance on anonymisation and pseudonymisation of personal data- Anonymisation and Pseudonymisation]

AU – New Amendments Would Criminalize ‘Re-Identified’ Government Data

Australia Attorney-General George Brandis plans to amend the Privacy Act to make it a criminal offense to publish or disseminate “re-identified” government datasets. “The amendment to the Privacy Act will create a new criminal offence of reidentifying de-identified government data’ … It will also be an offence to counsel, procure, facilitate, or encourage anyone to do this, and to publish or communicate any re-identified dataset.” Researchers and privacy advocates believe the new amendments will only impede progress for finding security issues. “Security through obscurity doesn’t work — keeping the algorithm secret wouldn’t have made the encryption secure, it just would have taken longer for security researchers to identify the problem. It is much better for such problems to be found and addressed than to remain unnoticed,” wrote University of Melbourne researchers in an article. [Guardian]

Internet / WWW

WW – GPEN Unimpressed With State of Connected Devices

The Global Privacy Enforcement Network, a group of data protection authorities from around the globe, has released the results of its latest annual privacy sweep, this time examining connected devices. The findings? “The privacy communications of internet-connected devices are generally poor and fail to inform users about exactly what personal information is being collected and how it will be used,” reads a press release. Twenty-five privacy enforcers took part in the sweep, which took place in April. A total of 314 connected devices were examined, including smart meters, health monitoring devices, smart TVs and connected toys. DPAs studied the privacy communications included with the products, both “in the box” and online, and often interacted with the devices to see how reality matched the communications. While this was not a proper “investigation,” and no enforcement actions are connected to the findings, the DPAs’ message is clear: “It is imperative,” they write, “that companies do a better job of explaining their personal information handling practices.” [OIPC Canada] See also: [Alberta’s connected devices fared well in global privacy sweep] [ICO UK Found 59% of Devices Do Not Inform Customers How Personal Data is Collected, Used and Disclosed] [DPA France Finds that Most Connected Devices Are Not Transparent About Data Practices] [DPA Italy Finds Smart Devices Do Not Adequately Inform Customers About Personal Data Handling Practices] [DPA Ireland Finds Transparency of Smart Device Data Practices Requires More Focus] and [Norwegian Data Authority Cites Privacy Issues With Telemedicine Products]

WW – Poorly Secured IoT Devices Are Making the Web Less Safe

Distributed denial-of-service attacks have been around for a long time, but with the rise of internet of things devices — particularly ones that are poorly secured — DDoS attacks are getting exponentially more powerful. Respected infosecurity blogger Brian Krebs felt the brunt on one such powerful attack over the weekend. The attack was so powerful that Krebs’ website went down for several days, and the company providing pro bono security services had to pull out because of cost. Jedidiah Bracy looks into this rising issue, the dangers it could pose for e-commerce, and explores whether there’s a role privacy pros can play to help. [Privacy Tracker] See also: [The IoT zombies are already at your front door] See also: [Potential Apple Watch snooping: A not-so-paranoid cyberespionage risk]

WW – Trying to Comply With SOC 2? Things Just Got Easier

In 2016, the American Institute of Certified Public Accountants revised the SOC 2 trust principles with the issuance of TSP 100, Trust Services Principles and Criteria. One of the most significant revisions in this update was a simplified set of criteria for the privacy principle. Overall changes The AICPA is constantly working on improvements for SOC reports and the guidance that goes with them. In 2015, the AICPA revised its SOC 2 guide, but privacy remained a 64-page effort of management criteria, illustrations, and additional considerations based on Generally Accepted Privacy Principles. Because this information seemed to repeat itself quite a bit; was difficult to understand, and had so many aspects that appeared to be needed for compliance, many companies avoided the privacy principle in SOC 2 as much as possible. The AICPA revised the trust principles again recently with the biggest change coming to the privacy principle. Instead of 64 pages of guidance, the new TSP 100 simplified privacy to eight criteria with a total of 20 control objectives. [IAPP.org]

Law Enforcement

US – Wyoming Lawmakers Examine Rules for Police Body Cameras

State lawmakers are looking at establishing rules for police body camera footage, with the intention of protecting law enforcement, privacy rights and the public interest. Last week, members of the Wyoming Legislature’s Task Force on Digital Information Privacy decided to move forward with a proposal to address the process for how police body camera video is released. Currently, state law does not address how those recordings should be handled, and as a result, some agencies are reluctant to use body cameras. The proposal from the task force would make all body camera footage private by default. However, the public, media, law enforcement or other entities could ask a court to have the footage released if there is a public interest in doing so. Sen. Chris Rothfuss, D-Laramie, and a co-chairman of the task force, said the legislation began as a result of conversations nationally about body cameras. He said he thinks having legislation to protect both law enforcement officers and the public interest will encourage more agencies to use body cameras. If law enforcement is comfortable with privacy protections, they’ll adopt the technology,” Rothfuss said. “I think it’s critical we have this. I think it protects our law enforcement, and I think it protects the public.”[Wyoming News]

US – Report: Police Misuse of Law Enforcement Databases Abounds

An investigation has found that police officers nationwide have abused data access privileges into law enforcement databases to find information on everything from journalists and romantic partners in ways that are not related to their daily work. “No single agency tracks how often the abuse happens nationwide, and record-keeping inconsistencies make it impossible to know how many violations occur.” “But the AP, through records requests to state agencies and big-city police departments, found law enforcement officers and employees who misused databases were fired, suspended or resigned more than 325 times between 2013 and 2015.” While law enforcement agencies train officers not to abuse the databases and that their usage is subject to audit, “misuse persists.” [The Associated Press]

UK – Report: Four Police Employees Fired for Data Breaches

Privacy advocate group Big Brother Watch revealed three Dorset Police officers and one police staff member were fired for committing data breaches. Big Brother Watch discovered the four employees violated the Data Protection Act, while an additional seven officers and 13 staff members were internally disciplined. Two of the staff members resigned during the disciplinary process. The Big Brother Watch report found 30 incidents of officers not receiving any form of discipline for a data breach, with 12 police staff falling into the same category. “Dorset Police takes a very proactive approach to data breaches,” said Dorset Police’s Tim Whittle. “We have a robust audit system in place to monitor the use of police systems and as such the statistics will reflect this.” [Dorset Echo]

US – ACLU Launches Police Transparency Initiative as Surveillance Grows

The American Civil Liberties Union of California has announced a “multi-city legislative initiative” to increase police transparency around its surveillance practices. The ACLU began the Community Control Over Policing Surveillance initiative after requesting records from 63 California law enforcement agencies, ultimately finding that 40 percent of the responding groups used social media surveillance tools, “and most of them started using them within the last year” without notifying the government or the public. Meanwhile, The Hill reports that New York City officials have asked the Federal Communications Commission to overhaul its mobile emergency alert system in the wake of the New York and New Jersey bombings. [TechCrunch

US – Law Enforcement Investigating People Based Solely On IP Addresses

Law enforcement is using IP addresses to track potential criminals, only to discover they belong to innocent parties. Officers attempt to track down an individual involved in online criminal activity by tracing an IP address, but run into innocent people who either run a Tor exit relay, have an open Wi-Fi network, or have had their IP address reassigned. Privacy advocates are asking law enforcement to be more cautious when using IP addresses as leads. “Although IP addresses can sometimes be reliable indicators of locations or individuals when combined with other information, such as ISP records, use of the IP address alone, without more, can too often result in dangerous, frightening and resource-wasting police raids based on warrants issued without proper investigation,” the Electronic Frontier Foundation wrote in a paper. [Fusion] See also: [Data seized by Toronto police can be shared with Dutch authorities, judge rules]


US – MassDOT Wants to Hold Drivers’ Speed Data for 30 Days

The Massachusetts Department of Transportation is planning to create a proposal asking to keep data on the speed of drivers traveling under the Massachusetts Turnpike’s new all-electronic toll gantries for 30 days. MassDOT has said in the past it needs the speed data to synchronize the tolling system’s cameras, and for research purposes, but is declining to say why it needs the data for 30 days. Privacy advocates are concerned the data will be used to punish speeding drivers, and could also be turned over for law enforcement investigations. MassDOT should say “why it is collecting personally identifiable speed data in the first place, and how it arrived at a 30-day retention period for those records,” said American Civil Liberties Union of Massachusetts’ Kade Crockford. “It’s not clear what business purpose the collection and retention of these data serves.” [The Boston Globe]


HK – Privacy Commissioner Releases Information Leaflet On Hong Kong BYOD Practices

The Hong Kong Privacy Commissioner has published an Information Leaflet with bring-your-own-device guidelines. “The Information Leaflet suggests organizations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and the harm and likelihood of loss or unauthorized disclosure,” the report states. “The commissioner has suggested as best practice that organizations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance.” [JD Supra Business Advisor]

Online Privacy

WW – Tool Helps Users Understand the Data Facebook Has on Them

ProPublica has announced the first tool in a series to let users see inside the “black box” that is the algorithms used to define their digital lives. The first experience revolves around Facebook and what it knows about users. The Chrome browser-based tool “lets you see what Facebook says it knows about you,” the report states. ProPublica encourages users to then rate the information it generates for accuracy and return it to them. “We will, of course, protect your privacy,” it adds, promising not to collect “identifying details” or share data with others. While the report specified that the data its tool gleans is “the same information that Facebook itself offers users,” it added that researchers were unsure whether it represented all that the social media site knew about a user. [Propublica]

WW – Cisco Using Data Science to Stop Password Sharing

Cisco has announced that it is working toward a method to thwart video service password sharing — a practice that cost the media industry $500 million in 2015. The concept uses data science to determine “where authorized users would normally be (geographically), the times of day they use the service (typically) and other behavioral characteristics that can identify them.” Cisco demonstrated this work in progress at IBC 2016 and is in testing for creating a deployable product. The company also aims to use similar methods to identify legitimate subscribers to pay TV that redistribute broadcast signals. The next question is what to do once they can identify individuals sidestepping the systems. [Videonet]

WW – Messaging Apps’ Privacy Features Compared

The Wall Street Journal takes a look at the different privacy settings for several messaging apps. The report examines the default settings of WhatsApp, iMessage, Signal, Facebook Messenger, and Google’s Allo app. The comparisons include whether the apps use end-to-end encryption, and other important privacy features. “End-to-end encryption can prevent you from being snooped on, and prevent your personal and private information from being stolen as well,” said American Civil Liberties Union’s Christopher Soghoian. “The reason why some companies like Google and Facebook don’t use this by default is they’re willing to sacrifice your privacy to build features like chatbots and response predictions that aren’t that useful.” [WSJ]

Other Jurisdictions

WW – More U.S. Cloud Services Open, Invest In Europe

Amazon Web Services has announced it would open data centers in the U.K. and France, the latest tech giant to announce a new round of European-based cloud service investments. A major impetus for the moves is increasing European user trust amid stricter regulation. “Countries like Germany are well aware of data privacy, and it has made them more wary of where data is kept,” said Gartner’s Gregor Petri. “Local data sovereignty has become important, and American companies are now aware of that.” [The New York Times]

IS – Marketing Leader Predicts 50% of Big Data Startups Are in Israel

Many of the startups that collect significant amounts of user data are Israeli, GO Digital Marketing owner and founder Adir Regev said. “I think that about 50 percent of the startups are coming from Israel,” he said. “We’re very good at analytical advertising, and we’re very good at surveillance. You put those together and we become very good at predicting which products you will buy.” He added that many consumers are unaware of the true extent of companies’ data collection, and that “privacy has all but lost … People don’t realize that most of their lives are digitalized in places that we don’t think of,” Regev said. “Even when we’re not posting on Facebook, companies are tracking what we’re doing, not just online but offline.” [The Jerusalem Post

Privacy (US)

US – Bill Would See Firings For Poor Security In Government

A bill introduced in the House this week would mean government agency heads could be fired, demoted or punished for breaches resulting from their failure to “comply sufficiently with the information security requirements, recommendations or standards.” The Cybersecurity Responsibility and Accountability Act of 2016 would also allow the director of the Office of Management and Budget to recommend their removal; tasks the National Institute of Standards and Technology director with identifying major security concerns and supporting agencies in security training; and requires NIST, OMB and the Department of Homeland Security to create a job description for a chief information security officer within six months of its enactment. [NextGov]

US – Pew Research on the State of Privacy in the US

A series of studies released by the Pew Research Center detail the opinions U.S. citizens have on privacy following the Snowden leaks. One study found 49% of citizens feel anti-terrorism surveillance programs do not go far enough to protect the U.S., while only 33% say the programs unfairly restrict civil liberties. Another survey found 86% of internet users have taken steps to mask their digital footprints. And yet another study found 74% of citizens say it’s “very important to them to be in control of who can obtain information about them.” Pew Research’s Lee Rainie wrote, “Americans’ awareness and concerns over issues of privacy also extend beyond the kinds of surveillance programs revealed by Snowden and include how their information is treated by companies with which they do business.” [Pew Reseasrch]

US – Montana Department of Justice Listing Data Breaches on Its Website

Following legislation passed in 2015 requiring companies in Montana to report data breaches, the state’s Department of Justice will now post the breaches on its website. “You can arrange the data in different ways,” said the department’s John Barnes. “You can export it into an Excel sheet, a PDF, or however you want to do it. It has information such as the business name, the notification documents that were sent to us are linked there, the date of the start and end of the breach, the data that it was reported to us, and the estimated number of Montanans impacted by each specific breach.” [KGVO.com ]

US – CDT, Bakerhostetler Compile Student Privacy Laws for All 50 States

To help navigate the “maze” of student privacy laws in the U.S., the Center for Democracy & Technology teamed up with BakerHostetler to create a survey for all 50 states, plus the District of Columbia. The resource includes a full rundown of each state’s privacy laws, including the definition of those laws, whether there are any use limitations, data minimizations, and individual participation, among other categories. “As the compendium makes clear, many state laws are far less protective and use very different approaches, including variations in when personally identifiable information may be collected and stored, or in determining when school administrators and third parties have access to student data and what they are allowed to do with it,” the CDT’s Michelle De Mooy wrote. [CDT]

US – PCO Offers New Guidance for FERPA Application

The U.S. Department of Education’s Family Policy Compliance Office has issued new guidance on “the application of the Family Education Rights and Privacy Act to the disclosure of student medical records by institutions of higher education.” The FPCO guidance covers what should happen when medical records are disclosed for litigation as well as for health and safety emergencies. The agency also detailed action items and best practices related to FERPA interpretation. “As data privacy, and particularly health care privacy, continues to be a priority of students, parents, government regulators and other stakeholders, institutions of higher education should expect further guidance and scrutiny from FPCO and others with respect to how institutions use, disclose and safeguard student health information,” the guidance stated. [JD Supra]

Privacy Enhancing Technologies (PETs)

US – FPF Receives Grant to Create Privacy Research Network

The Future of Privacy Forum announced it has received a $300,000, two-year grant from the National Science Foundation to create a Privacy Research and Data Responsibility Research Coordination Network. The goal of the network is to produce academic researchers and industry practitioners to back research priorities for the National Privacy Research Strategy. The grant will allow FPF to discuss the RCN with numerous privacy professionals, including chief privacy officers and civil rights advocates. “The overarching goal of the National Privacy Research Strategy is to produce knowledge and technology that will enable individuals, commercial entities, and the government to benefit from transformative technological advancements, enhance opportunities for innovation, and provide meaningful protections for personal information and individual privacy,” said FPF’s CEO Jules Polonetsky. [FPF]


US – Law Firm Releases Cybersecurity Guidebook

Mayer Brown has announced the publication of its new guidebook, “Cybersecurity Regulation in the United States: Governing Frameworks and Emerging Trends.” The 80-page book authored by members of the Mayer Brown Cybersecurity and Data Privacy practice “offers insights on the regulatory frameworks applicable across key sectors of the US economy as well as emerging regulatory trends across sectors.” The handbook aims to “guide, assist, and help” companies across different industries, “from banks to the Internet of Things.” “Mayer Brown’s interdisciplinary team of cybersecurity and data privacy lawyers work closely with clients across a wide range of industries to achieve these goals, and launched this handbook to help companies navigate the ever-changing landscape of cybersecurity regulation.”  [MayerBrown] [Press Release]

Smart Cars

US – Fears of Hacks, Privacy Issues Surround Autonomous Cars

Privacy and cybersecurity jitters are consumers’ biggest fears around self-driving cars. “The No. 1 reason why people say they are unlikely to buy an autonomous vehicle is that they don’t feel that they’re safe,” said Altman Vilandrie and Company’s Moe Kelley. “The worst case scenario is that a hacker will be able to drive someone off the road. People also fear for their privacy with automated vehicles. Even minor hacks that allow someone’s movements to be tracked over the internet are scary to many consumers as well.” Regulators and car companies “must respond to these concerns” in order to assuage buyers’ fears. [The Christian Science Monitor] the National Highway Traffic Safety Administration (NHTSA) released new guidelines for the vehicles in September | The Government Accountability Office (GAO) said in a March 2016 report that while NHTSA is “examining the need for government standards or regulations regarding vehicle cybersecurity,” officials “estimated that the agency will not make a final determination on this need until at least 2018.”

US – DOT Outlines Connected Car Privacy Parameters

Automobile safety is not just about crash safety anymore, unless that includes computer crashes. The Department of Transportation has released guidelines for broadband-connected cars (highly automated vehicles, or HAVs) and the first sub-topics under “Safety Assessment” are “data recording and sharing” and related “privacy.” DOT cited the White House Consumer Privacy Bill of Rights and the FTC’s privacy guidance in saying that it strongly believes in protecting privacy rights. DOT laid out the following guidelines on privacy, targeted at auto manufacturers: A. Transparency: B. Choice: C. Respect for Context: “ D. Minimization E. Data Security: F. Integrity and Access: and G. Accountability. DOT plans to solicit comment on the guidelines and hold workshops and says regulation could follow if necessary to govern the rollout of connected cars. [broadcastingcable.com]


US – Senators Send Letter to FCC Over Stingray Use

Last Thursday, 12 U.S. senators sent Federal Communications Chairman Thomas Wheeler an open letter expressing concern about the use of Stingrays — a technology used by law enforcement to intercept mobile phone communications — along with a set of 10 detailed questions about the FCC’s role in overseeing the use of such technology. In addition to concerns about whether it violates the Communications Act, the senators also expressed concern about the alleged disproportionate use of Stingrays in minority neighborhoods. Jedidiah Bracy reports on the letter for The Privacy Advisor and includes comments from Georgetown University’s Alvaro Bedoya and Justice First’s Eugene Puryear. [IAPP.org] See also: [Privacy Advisory Commission of Oakland nearer to Stingray vote] and [‘Shady, secretive system’: Public Safety green-lit RCMP, CSIS spying devices, documents reveal]

WW – Study: Latin America’s Surveillance Laws Do Not Hinder Widespread Governmental Snooping

An Electronic Frontier Foundation study has found that the laws in many Latin American nations have fallen out of step with current governmental surveillance practices. The research examines the surveillance laws and practices in 12 countries in Central and South America. “Many intelligence agencies in the region were formed under these military dictatorships, and even after transitioning to democratic rule, most Latin American countries maintained strong executive branch powers ‘without well-placed controls or public oversight mechanisms. … Without public oversight — not just judicial oversight — the laws on the books just won’t work.” [The Intercept] See also: The Massachusetts Supreme Judicial Court ruled that police must have “particularized evidence” a cellphone was connected to a crime in order to use data from the phone in court.

US – Amzon’s License Plate Reading Tech Comes with Privacy Concerns

Amazon’s grocery-delivery service plan faces potential privacy issues. The tech company wants to build convenience stores where users can buy groceries, with some stores offering the option to buy them online. Amazon wants to incorporate license plate reading technology to speed up wait times, and while it would be beneficial to users, it also opens up privacy concerns. Amazon could use the data, combined with information from other companies, to determine where a user’s car has gone, and thus determine the user’s habits and preferences. If Amazon were to access a commercially available database where information is held on where a license plate has been seen, the company could figure out where a user lives, works and shops. [The Atlantic]

WW – Signal Messaging App Reveals Information It Turned Over For First Subpoena

The developer of encrypted messaging app Signal revealed the amount of information it was able to provide after it received its first subpoena earlier this year. A Virginia assistant attorney requested Open Whisper Systems produce email addresses, history logs, browser cookie data, and other information in connection with two phone numbers as a part of a grand jury probe. Due to its encryption technology, Open Whisper Systems was only able to give the user registration dates and the date one of the numbers last used the app. “We’ve designed Signal so it minimizes the amount of data we retain on users, and we don’t really have anything to respond with in situations like this,” Open Whisper Systems’ Moxie Marlinspike said. On its website, Open Whisper Systems included a redacted copy of the subpoena and said it plans to continue to publish transcripts of its responses to future government requests. [Reuters]

Telecom / TV

US – FCC Releases Broadband Consumer Privacy Proposal

In a highly anticipated announcement and Fact Sheet, U.S. Federal Communications Commission Chairman Tom Wheeler has issued a new broadband consumer privacy proposal. In it, he proposes internet service providers get opt-in consent for “sensitive data,” and opt-out consent for non-sensitive data. Categories of data considered sensitive would be geo-location, children’s information, health and financial information, Social Security numbers, web browsing, app usage history, and the content of communications. The proposed rules would also require ISPs “to take reasonable measures to protect consumer data from breaches and other vulnerabilities,” he wrote. FTC Chairwoman Edith Ramirez said she was “pleased to see the FCC moving forward to protect the privacy of millions of broadband users across the country.” Industry, however, is not happy with the proposal. [FCC]

CA – Gov’t Re-Opens Privacy Debate on Access to Telecom Subscriber Info

The Canadian government has revived a discussion on a particularly controversial privacy topic: how much access law enforcement should have to telecom subscriber information in the name of public safety. In September 2016 the government opened a public consultation on national security, releasing a ‘green paper’ and background document that details issues, challenges and general questions surrounding national security threats like domestic terrorism. Many topics are covered in the documents, but there’s one in particular that may sound familiar to Canadians: the issue of warrantless access to subscriber information from telecom companies. The public consultation — started by Public Safety Minister Ralph Goodale — has put the issue back up for debate. “The Public Safety consultation skips over the years of lawful access debate by putting everything back on the table,” writes Geist, “acknowledging that the law was updated less than 24 months ago but suggesting that more change may be needed.” The issue has also been brought to the forefront by the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic in a report titled “Canada’s National Security Consultation I: Digital Anonymity & Subscriber Identification Revisited… Yet Again.” The report, written by Tamir Israel and Christopher Parsons, notes that attempts to legislate access to subscriber identification data — which can include IP addresses, home addresses and mobile IMEI numbers — have always proven controversial and “fallen in the face of public resistance.” As for the Minister’s thoughts on the matter, a spokesperson stated to that the green paper was meant to “provoke discussion.” The public consultation remains open until December 1st, 2016 and can be accessed here if you’d like to add your voice to the conversation. [Mobile Syrup]

US Government Programs

US – Company Used by Twitter, Facebook, Instagram Gave Data on Protestors to Police: ACLU

The American Civil Liberties Union has discovered that a data analyzer was collecting feeds from social media sites Twitter, Facebook and Instagram and supplying that information to law enforcement agencies, which then used it to surveil people who had participated in protests in Baltimore, Maryland, and Ferguson, Missouri. “The companies provided the data — often including the locations, photos and other information posted publicly by users — to Geofeedia, a Chicago-based company that says it analyzes social media posts to deliver real-time surveillance information to help 500 law enforcement agencies track and respond to crime.” The companies have since restricted Geofeedia’s access to their information after the ACLU notified them of its discovery. [The Washington Post]

US – White House Releases Strategic Plan for AI Research & Development

Teaming up with the National Science and Technology Council and the Networking and Information Technology Research and Development Subcommittee, the White House has a strategic plan for the research and development of artificial intelligence. “This ‘National Artificial Intelligence R&D Strategic Plan’ establishes a set of objectives for federally funded AI research, both research occurring within the government as well as federally-funded research occurring outside of government, such as in academia,” the report said. “The ultimate goal of this research is to produce new AI knowledge and technologies that provide a range of positive benefits to society, while minimizing the negative impacts.” The report details seven strategies for the federally funded AI research, including making long-term investments in the research, and ensuring the safety and security of AI systems. [White House]

US Legislation

US – States Passing Laws to Determine Who Gets Deceased User Data

Illinois and 18 other states have passed laws this year in order to clarify what happens to a user’s internet data when they die. The new laws state tech companies will release basic user information, such as an email contact list, to help gather assets, or find friends. A user would have to specify who will receive the actual contents of their digital footprint, including contents of emails, and photos and documents stored on the cloud. Tech companies such as Facebook and Google allow users to choose who can access their data if they were to pass away. [The Associated Press]

Workplace Privacy

CA – Video Monitoring of Quebec Employees Must be Based on Serious Concrete Grounds

A look at the use of video surveillance in Quebec to ensure security of employees and company property. Employers must be able to establish serious grounds for surveillance (e.g. repeated occurrences of theft, fraud, or vandalism), other investigative means must be proven insufficient to address the problem, employees must have full knowledge of the surveillance, and the intrusion to employees’ privacy rights must be minimal (prohibitions of constant surveillance, and individual tracking, limited access to images and minimal retention periods). [Demystifying Video-Camera Surveillance – Georges Samoisette Fournier and Charles Wagner – Langlois Lawyers LLP]


Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: