5-17 November 2016


US – EPIC Sues FBI Over Biometric Database Records

The Electronic Privacy Information Center (EPIC) has filed a lawsuit against the FBI to force the bureau to release all relevant documents about its plan to share a huge amount of biometric information with the Department of Defense. The lawsuit concerns the FBI’s Next Generation Identification system, which comprises fingerprint, iris scan, and facial recognition data, and the bureau has been using it for several years. “With NGI, the FBI will expand the number of uploaded photographs and provide investigators with ‘automated facial recognition search capability.’ The FBI intends to do this by eliminating restrictions on the number of submitted photographs (including photographs that are not accompanied by tenprint fingerprints) and allowing the submission of non-facial photographs (e.g. scars or tattoos),” the EPIC lawsuit says. “The FBI also widely disseminates this NGI data. According to the FBI’s latest NGI fact sheet, 24,510 local, state, tribal, federal and international partners submitted queries to NGI in September 2016.” Privacy advocates, including EPIC, have said that the new database presents serious problems because of the high error rates seen with facial recognition systems. Also, the collection and storage of that data is a significant risk for the people whose information is in the database. [Source]

WW – INTERPOL Calls on Governments to Share Terrorists’ Biometric Data

In an effort to improve global security, INTERPOL’s General Assembly is urging governments around the world to share known terrorists’ biometric data. The move came after the INTERPOL’s General Assembly convened for the 85th ICPO-INTERPOL General Assembly Exhibition in Bali, Indonesia this week. “In a statement, the global police agency said it currently possesses information about 9,000 terrorists, but that only 10 percent of its files feature biometric information, with INTERPOL Secretary General Jürgen Stock calling the lack of such data ‘a weak link’ in the prevention of terrorism.” [FindBiometrics]

WW – Researchers Develop Lip-Reading Tool with 93.4% Accuracy

University of Oxford Computer Science Department researchers have developed a tool called LipNet that can read lips with 93.4 percent accuracy. “Instead of analyzing footage of someone speaking on a word-by-word basis, LipNet goes one step further by taking entire sentences into consideration, using Deep Learning techniques to then backtrack and decipher each word… Running on a smartphone, fed a live feed from a body-worn camera, LipNet could serve as an amazing tool for the hearing impaired. Even if they already know how to lip read, it could help boost their understanding while watching someone speak.” [Gizmodo]

AU – Australia’s New Facial Verification System Goes Live

Australia’s federal police and foreign affairs department are now able to match a person’s facial image against records held by Immigration after the government sent the first phase of its new face verification service live. Last year the federal government handed over $18.5 million to fund the development of a national facial recognition system, proposed by state and federal police ministers and attorneys-general. The face verification service (FVS), which will complement the existing document verification service (DVS), is intended to reduce cross-border criminal activities by letting law enforcement agencies share citizens’ facial images to verify identities and identify unknown individuals. Justice Minister Michael Keenan today said the first phase of the platform – allowing DFAT and the AFP access to images on citizenship applications held by Immigration so they can verify identities – was now live. Other types of images such as visa and passport photos will be added over time, he said, with the government also currently talking to states and territories to bring driver licence images into the FVS. Access will also gradually be expanded to other police and security agencies such as ASIO and Defence. The federal Attorney-General’s Department is the lead agency for the capability and manages access. [IT News]

Big Data

AU – Australia Productivity Commission Calls for Greater Sharing of Datasets amongst Private and Public Sectors

The Australian government’s Productivity Commission issued a draft report on the benefits and costs of increasing the availability and use of public and private sector data (“Big Data”): ◦comments are due by December 12, 2016. A new Data Sharing and Release Act could create a framework for the open release of non-sensitive datasets with few restrictions on their uses; for datasets that should not be publicly released, entities could apply for “trusted user” status, which would then make them eligible to access these restricted datasets. Individuals should have a right to opt-out of a process of data collection, however, this right to cease collection would not prevent the use of data already collected. [Data Availability and Use – Draft Report – Productivity Commission, Australian Government | Overview and Summary]


CA – CSIS: Agency Did Not Deliberately Violate Law When Holding onto Metadata

Canadian Security Intelligence Service Director Michel Coulombe released a statement saying the intelligence agency did not deliberately violate laws when it illegally held metadata on individuals who posed no security threat. The statement came after a federal court ruled CSIS violated the law by holding onto the metadata over a 10-year period. Coulombe said the data was collected legally using warrants, while adding the agency interpreted the CSIS Act in a way allowing it to retain the data. “The federal court has disagreed with this interpretation and we accept their decision. I would like to make it clear that the Service was not knowingly exceeding the scope of the CSIS Act,” Coulombe wrote. In related news, former Ontario Information and Privacy Commissioner Ann Cavoukian said the metadata should have been deleted from CSIS servers, and should not have been collected in the first place. [CBC News] [Spy agency declined to meet Federal Court judges to describe its methods] [Surveillance watchdog says C-22 not likely to be abused]

CA – Court Finds Federal Spy Agency Illegally Retained Metadata Indefinitely

The Canadian Security Intelligence Service applied to the Federal Court for amendments to conditions of draft warrant templates, pursuant to the CSIS Act. The agency retained phone logs and email trails of targets of past investigations, without informing the Court of its intention to do so (at the time it obtained warrants to collect the information) and in violation of its primary mandate (its jurisdiction is restricted to Canadian security threats); information retained must be assessed to determine if it is linked to an identified threat, or can assist with a prosecution, national defense, or international affairs, with all other information being destroyed. [In the Matter of an Application For Warrants Pursuant to the CSIA – Judgment and Reasons – 2016 FC 1105 | Summary]

CA – Quebec Announces Details of Inquiry into Surveillance of Reporters

A judge, a media lawyer and a former police chief …will preside over a 14-month public inquiry into police practices over the past six years, including allegations that calls from politicians led two police forces to spy on reporters. Justice Jacques Chamberland, of the Quebec Court of Appeal, will head the inquiry. A judge since 1993, he is a former Quebec deputy justice minister and deputy attorney general. The two other commissioners are media lawyer Guylaine Bachand and Alexandre Matte, a former Quebec City police chief. The commissioners will hold both closed-door and public hearings and are to publish a report by March 1, 2018. Their mandate will cover police activities beginning in May 2010, when the Supreme Court of Canada spelled out what judges should consider when asked by police to issue a warrant involving the identity of journalists’ sources. Quebec Premier Philippe Couillard announced the inquiry two weeks ago after a public uproar when several surveillance cases came to light. In one case, the SQ obtained six reporters’ phone records after then-Parti Québécois public security minister Stéphane Bergeron asked then-SQ director-general Mario Laprise to look into leaks to the news media about an investigation into union boss Michel Arsenault. In another case, Montreal police obtained a warrant to examine a La Presse reporter’s phone records after Mayor Denis Coderre asked police brass to look into how the reporter had learned Coderre had been given a $444 traffic ticket. [Montreal Gazette] See also: Media surveillance highlights privacy risk to all Canadians | How Montreal police were able to use legal means to track a journalist | How Canada’s Anti-Cyberbullying Law Is Being Used to Spy on Journalists | Quebec to hold public inquiry into police surveillance of journalists | An unprecedented crisis’: Quebec government calls inquiry into spying on journalists by police | Quebec launches commission of inquiry into police spying on journalists

CA – Therrien: Tracking Journalists Highlights Bigger Privacy Issues

In an op-ed, Privacy Commissioner of Canada Daniel Therrien explains why the surveillance requests made against journalists not only affects the media, but the privacy rights of all Canadian citizens. Therrien writes the privacy of all Canadians has been put at risk since the adoption of Bill C-13, making it easier for law enforcement to obtain electronic surveillance records and metadata warrants, possibly revealing sensitive information about Canadian citizens, including political beliefs and sexual orientation. “Recent events also demonstrate the fact that warrants for metadata are not exclusive to individuals suspected of criminal activity. These warrants can involve innocent people believed to have had contact with a suspect under investigation for reasons that may have nothing to do with the commission of a crime,” Therrien wrote. In another op-ed for The Globe and Mail, Yves Boisvert takes a closer look at the privacy battle between the media and law enforcement. [The Globe and Mail]

CA – OIPC NL Orders Eastern Health to Strengthen Security

Following a privacy breach at Eastern Health, Newfoundland and Labrador’s Privacy Commissioner Donovan Molloy issued a report warning the health care organization to shore up its security procedures. Molloy’s report states the incident was “an intentional breach of patient information” when an unknown person illicitly accessed and printed personal health information. The information was obtained from the account of a doctor who failed to log out of patient information software. Molloy told Eastern Health to remind its staff going forward of the importance of logging out. The patient information consisted of patient names, MCP numbers, gender, age, the date they were admitted to the hospital, their attending physician, and the reason for their visit. [CBC News]

CA – OIPC NB Pushes for Mandatory Breach Reporting

New Brunswick’s Privacy Commissioner Anne Bertrand is pushing for stronger legislation to require government departments to report data breaches involving personal information. Bertrand’s request comes as the Liberal government plans to install changes to New Brunswick’s privacy legislation. While health care agencies must alert the commissioner when personal health information is stolen, government departments do not have any requirements to report incidents. Bertrand examined a list of 11 data breaches since 2013, and heard of some of the attacks for the first time. The majority of the incidents involved stolen laptops. “When I see this kind of thing, you almost make a case for an argument that the commissioner’s office be notified, because we can report on that,” Bertrand said. “Reporting on this publicly will encourage concrete actions to be taken.” [CBC News]

CA – OIPC NS Recommends Reforms to the Personal Health Information Act

The OIPC NS has recommended areas of improvement under the Personal Health Information Act. Recommendations to bring PHIA up to date include permitting a substitute decision maker to exercise any right or power conferred on an individual, and setting clear standards for breach identification and notification to affected individuals, health custodians, and the OIPC; provisions should also allow the OIPC to require any relevant record to be produced (regardless of whether the record is subject to the provisions of PHIA), exchange information with extra-provincial commissioners, and receive immunity from privacy-related lawsuits. [OIPC NS – PHIA Review Recommendations]

CA – BC Supreme Court: Production Order for Text Messages Violated Accused’s Charter Rights

The Court considers an application concerning the alleged unconstitutionality of certain provisions of the Criminal Code. The order allowed police to collect more information than a cell phone tracking or number record warrant, and should have required the higher standard of reasonable and probable grounds to believe; there was an expectation of privacy in the messages and billing records, the invasion of privacy was for a long period (4 months), and the content of the messages potentially revealed private “core biographical information” (e.g. personal friends, business interests or communications from counsel). [R. v. Grandison – 2016 BCSC 1712 – In The Supreme Court Of British Columbia]

CA – Quebec Court Orders Court Proceedings to Remain Temporarily Confidential

The Court considered a request for a safeguard order confirming the sealing and non-publication of any defamatory or identifying information about a Plaintiff in relation to his lawsuit against Defendant Google. The Court accepted a Plaintiff’s argument that publicizing court proceedings from his lawsuit against a search engine (stemming from allegedly defamatory and sensitive search results) would invade his privacy rights under the Quebec Charter of Rights and Freedoms; the Court ordered a prohibition on the publication of exhibits and evidence and the redaction of Plaintiff’s name from the court file, but denied his request for a permanent sealing of the file (the trial decision is permitted to be confidential for only 31 days). [AB v. Google, Inc. – 2016 QCCS 4913 – Superior Court of Quebec]

CA – OIPC BC Recommends Improvements to the Govt Use of Mobile Device

The OIPC BC examined the management of mobile devices issued to employees by the B.C. Government, pursuant to the Freedom of Information and Protection of Privacy Act. There was no overarching privacy management program in place, and as a result mobile device usage assessments, reviews or audits were not conducted (there was a lack of capacity, expertise, resources and tools to provide such reviews); the consequences of this meant that there was a lack of personal information inventory (the types of personal information being stored on mobile devices was unknown), unauthorized personal devices were being connected to government servers, and the adoption of security controls and patches was being left to the end-user employee. [OIPC BC – Investigation Report F16-03 – Mobile Device Management in B.C. Government]

CA – OPC Canada Finds Gaps and Weaknesses in Government Agency’s Privacy Management Regime

The Office of the Privacy Commissioner of Canada conducted an audit of the personal information management practices of Employment and Social Development Canada’s Old Age Security Program. The agency did not use accredited or certified IT systems, employee access rights were not always removed on a timely or consistent basis, or limited to the minimum required to perform their duties, audit trails were not proactively reviewed, and electronic files were never deleted; the agency must modify and delete access rights consistently, review audit trails to ensure timely identification of inappropriate access, and implement new retention and disposal schedules. [OPC Canada – Audit of Employment and Social Development Canada’s Old Age Security Program]

CA – OPC Releases Tech Blog Series for Privacy Professionals

The Office of the Privacy Commissioner of Canada announced it has launched a Privacy Tech-Know series of blogs targeted toward privacy professionals looking to increase their technical awareness and knowledge. “The posts will help privacy professionals speak more confidently and accurately about new information technologies and their privacy implications. The series of blog posts planned for the coming months will cover everything from cookie contents to e-voting systems to license plate recognition,” the announcement read. The first entry, titled “Pay me to regain access to your personal information! Ransomware on the rise,” discusses the ransomware problem estimates say affect 1,600 Canadians per day. [priv.gc.ca]


WW – New App from Cloud Insurance Wants Users to ‘Regain Control of Their Digital Footprints’

Sydney-based Cloud Insurance is developing Opt Out, an app that will put data access controls in on the spot, “automates data access permissions” and streamlines users’ ability to “invoke de-identifications rights.” “We need to reassure the public that privacy is not dead,” said Cloud Insurance’s Joanne Cooper. “Privacy is the third and missing leg of a three-legged stool and in the current digital environment we have to make consent, whether you opt in or opt out, central to the topic,” she said. The app ultimately aims to “simplify a complex aspect of the internet by making it easier for internet users to make informed decisions and regain control of their digital footprints.” [The Australian Business Review]

WW – Report: Digital Marketing Affecting Children’s Health, Privacy

The University of Liverpool has teamed up with the World Health Organization and several other organizations to produce a report regarding digital marketing toward children and the ways it affects their health. Digital marketers aim ads toward children for foods high in fats, salt and sugars. Since there are no effective regulations for digital media in many areas in Europe, children are exposed to ads through social media sites and online games. “Children have the right to participate in digital media; and, when they are participating, they have the right to protection of their health and privacy and to not be economically exploited,” said the University of Liverpool’s Dr. Emma Boyland. [EurekAlert]


WW – Study: Governments Pose a Bigger Threat to Privacy than Companies

A study from the Montreal Economic Institute states governments are a bigger threat to privacy than companies. MEI economist Mathieu Bédard said companies gather information through mutual consent, while governments rarely ask individuals before collecting data. The study states it is more profitable for companies to retain information rather than selling it, while governments do not give citizens a choice when gathering information. For example, journalists discovered the RCMP decrypted 1 million private messages from BlackBerrys alone, while the number of intercepted communications by the government rose by 26 percent in 2015. “All of these revelations shatter the widespread prejudice by which companies are less respectful of privacy than governments are.” [Montreal Gazette] [MEI] [Media release: How far does secret government surveillance go?]


EU – European Commission Probes US on Yahoo Email Scanning Allegations

The European Commission has asked the U.S. about allegations of Yahoo scanning thousands of customer emails for law enforcement purposes. The European Commission is concerned the email scanning may be in violation of the Privacy Shield agreement. The commission is asking the U.S. for clarification on the allegations, while asking the U.S. to explain how the email scanning fits with its commitments to the agreement, even if the orders came before Privacy Shield was put in place. “The U.S. will be held accountable to these commitments both through review mechanisms and through redress possibilities, including the newly established ombudsperson mechanism in the U.S. State Department,” European Commission spokesman said. [Reuters]


WW – Encrypted Email Sign-Ups Rise After US Election

Sign-ups for Swiss-based encrypted email service provider ProtonMail are on the rise since last week’s U.S. presidential election. ProtonMail CEO Andy Yen wrote, “the number of new users coming to ProtonMail has doubled compared to the previous week. Telegram, which provides end-to-end encrypted messaging, has also seen a spike in new users since last week. “We did notice more users than usual signing up for Telegram globally,” said Telegram co-founder Pavel Durov. Yen said the rise in new users worried about the incoming administration “really demonstrates that privacy isn’t just a liberal or conservative issue, it is something that we all need to champion, regardless of our political leanings.” He also noted this paradigm shift “could be a potent trigger to accelerate the development of Europe’s tech sector and decrease … dependence on the U.S.” [TechCrunch]

WW – WhatsApp Adds Encrypted Video Calling Amid Unsure Privacy Climate

WhatsApp is adding fully encrypted video calling to its messaging platform. The new feature comes as privacy advocates are concerned about enhanced government surveillance efforts under President-elect Donald Trump’s administration and news that Facebook’s revised privacy policy would access WhatsApp user data. WhatsApp co-founder Jan Koum said the video call feature will be rolled out to 180 countries after it is introduced at an event in India. Koum also said the company will remain committed to security after Trump’s victory. While a Trump administration may require companies such as WhatsApp to redesign their policies to better assist law enforcement investigations, Koum does not feel WhatsApp will be threatened, as many diplomats and officials use the app around the world. “It would be like them shooting themselves in the foot,” Koum said. [Reuters]

EU Developments

EU – French Advisory Commission Objects to Biometric Database

France’s independent advisory commission, CNNum, is calling for the suspension of the biometric database designed to hold the information of the country’s citizens. The group said the biometric database would be a “target of inestimable value” in a time where every system is vulnerable. CNNum also stated the database is a sign democracy is on the wane in both Europe and the U.S. The French Socialists objected to an earlier database proposal submitted by the center-right government in 2012. The Socialist government was able to pass the new database by government decree during a holiday weekend, without France’s National Assembly agreeing to the new proposal. [BBC News]

EU – Ireland’s DOJ Releases Consultation Paper on ‘Digital Age of Consent’

The Department of Justice published a consultation paper on the digital age of consent for online services offered to children. The paper states the rates of children using online services is high, but younger children may be vulnerable to online risks, such as abuse or cyberbullying. “When their physical or emotional safety and welfare is at stake, the need for adequate safeguards for children is beyond question. Parents and guardians have an essential role to play in this context and the best interests of the child remains the paramount guiding principle,” the paper states. The target age for the restrictions is 16, but member states can set it to as low as 13 years of age. Minister for Justice Frances Fitzgerald plans to bring a proposal on the topic to the cabinet later this year, ahead of the General Data Protection Regulation. [The Irish Times]

UK – ICO: Facebook Agrees to Suspend Use of WhatsApp User Data

The U.K. Information Commissioner’s Office announced Facebook has agreed to suspend its use of WhatsApp data collected from users in the U.K.. “We’re pleased that they’ve agreed to pause using data from U.K. WhatsApp users for advertisements or product improvement purposes,” U.K. Information Commissioner Elizabeth Denham said in a statement. “If Facebook starts using the data without valid consent, they may face enforcement action from my office.” The ICO said consumers were not properly protected from the data sharing and asked the two companies to sign a plan to better explain the data sharing agreement to users. A Facebook spokeswoman said the company will work with the ICO to continue addressing any concerns. [Reuters]

Facts & Stats

WW – Study: Cost of Breach Rises to $7M

IBM-sponsored research by the Ponemon Institute has found that the overall cost of a U.S. company’s data breach has risen seven percent to total an average of $7.01 million. “On average, a single breach involved nearly 30,000 records, in a range of 5,125 to 101,520.” The study examined 64 companies and the majority of the breaches studied occurred in 2015. “The study did not include breaches involving more than 100,000 records because ‘they are not indicative of data breaches incurred by most organizations’ and would have artificially skewed the results.’” The research also examined how these numbers compare globally, finding that the cost of a breach was highest in the U.S., with Germany coming in second at $5.01 million. [Yahoo News]


CA – IPC ON Orders Municipality to Release CCTV Footage of Fatal Collision

This IPC ON Order reviews the decision by the City of Ottawa to deny CCTV footage requested under Ontario’s Municipal Freedom of Information and Protection of Privacy Act. The IPC agreed that unblurred footage could reveal an individual’s PI (e.g. personal characteristics, their presence at the accident, their conduct and location); however, the blurred footage does not contain personal information, and police unsuccessfully argued that disclosure of the footage would interfere with an ongoing law enforcement investigation (a federal agency had concluded its investigation, and the police were not conducting a collateral investigation themselves). [IPC ON – Order MO-3358 – City of Ottawa]

Health / Medical

AU – Health Organisations in Australia Must Establish Protocols for the Use of Smartphone Cameras

An overview of the use of smartphone cameras in the Australian healthcare sector, pursuant to the Australian Privacy Principles of the Privacy Act 1988. A photograph can only be taken by a health practitioner with the voluntary, informed consent of the patient, and can be used and disclosed as part of providing clinical care and treatment to a patient; organisations should use systems that will prevent images being automatically uploaded to dia or back-up sites, ensure practitioners delete clinical images from their personal mobile device once saved onto a patient’s health record, and provide mandatory training to all administrative staff. [Smartphone Cameras in Health Practice – Beware the Privacy Issues – Joanne Hayes, Senior Associate and Marie Feltham, Special Counsel, DibbsBarker]

Horror Stories

WW – 412M Friend Finder Network Accounts Breached

A data breach of Friend Finder Network has exposed more than 412 million accounts spanning 20 years. 339 million of the breached accounts come from AdultFriendFinder.com, more than 15 million “deleted” accounts not wiped from the company’s network, and 7 million accounts from Penthouse.com, which FFN sold to Penthouse Global Media in February 2016. The culprit hasn’t been identified, and Revolver “instead blamed users of an underground Russian hacking site” for the breach. [ZDNet] [Computerworld: Biggest hack of 2016: 412 million FriendFinder Networks accounts exposed | ZDnet: AdultFriendFinder network hack exposes e412 million accounts]

US – Car Dealership Data Exposed, Compromising Millions

The personal information of millions of people who recently purchased automobiles at over a hundred car dealerships across the country was discovered online. The information was held on a centralized record system built and operated by DealerBuilt. Security researchers at MacKeeper found 128 dealerships backed up their information on DealerBuilt’s central systems with no encryption or security protocols in place. Names, addresses, phone numbers and Social Security numbers, of both customers and employees, were among the data exposed online. The number of compromised records is currently unknown, but estimates put the number as high as five million. “This massive leak is just another painful lesson of what happens when private and sensitive data is stored without encryption or modern data security practices,” MacKeeper researchers wrote in a blog post. [ZDNet]

US – Job Recruitment Database Leaks Data on Millions

Millions of individuals who used global recruiting firm Michael Page had their personal information compromised when it was discovered a database had been left on the open internet. Capgemini, an outsourcing company, ran the exposed database, containing sensitive information such as the names, contact information, resumes and other personal data of numerous people who signed up with Michael Page. Security researcher and owner of Have I Been Pwned? Troy Hunt was made aware of the breach by a hacker who took a screenshot of a sample of the information. “Just the U.K. file was 780,000 people, and when you look at the list of how many countries are in there, and how big the U.K. is compared to everything else, you would assume that it’s lots of millions, if not more than 10 million,” Hunt said. [Motherboard]

Identity Issues

WW – Are Mobile Numbers the ‘Digital Equivalent’ to Social Security Numbers?

Cellphone numbers are increasingly becoming “key codes” to users’ information, and some analysts say that it is in many ways akin to a Social Security number. “The point is the cellphone number can be a gateway to all sorts of other information,” said the Federal Trade Commission’s Robert Schoshinski. “People should think about it.” The advent of the cellphone number also echoes that of the Social Security number, which “was never meant as a general-purpose identification number… But the strongest identifier and conduit to useful information is the cellphone number, which acts like ‘the digital equivalent of the Social Security number,’ said Affirm’s Max Levchin. Where the two differ is their ability to protect against fraud. “What you can do with the cellphone number and mobile technology represents a pretty substantial advantage in the ongoing war against fraud and identity theft,” said venture investor Rajeev Date. [New York Times]

EU – Web of Trust Add-On Sold User Data Without Proper Anonymization

German broadcaster NDR discovered the firm behind the Web of Trust add-on sold user data without ensuring it was properly anonymized. WoT rates websites’ safety by using information provided by users. The add-on collects data through searched terms, sites users visit, and shared documents. NDR received information WoT sold to one firm, and found personal data including email addresses and phone numbers, making it easy to tie the information to browsing histories and other personal details. WoT said the breakdown was “unacceptable,” and will reform its data handling policies to win back the trust of its users. [BBC News]

EU – Spanish DPA Issued Best Practices for De-Identification of Personal and Confidential Data

the Agencia Española de Protección de Datos has issued guidance on anonymising personal data. The initial stage of the anonymisation process should identify data to be de-identified, determine retention periods, and conduct a pilot project to assess costs and any re-identification risks; anonymisation policies should include risk management objectives, team responsibilities, identification and classification of variables (i.e., what is sensitive and what can be eliminated), terms of access to anonymised data, and control measures. [DPA Spain – Guidelines on Anonymisation of Personal Data]

EU – EMA Issues Guidance on Anonymization in Clinical Trials

The European Medicines Agency (EMA) issued guidance on the implementation of its Policy 0070 on the publication of clinical data for medicines, including with respect to anonymization of clinical reports for publication. Balancing subject privacy and transparency presents drug manufacturers with a difficult task—how to increase transparency of clinical studies while also attenuating the risk of subject reidentification. In its guidance, the EMA discusses three approaches to anonymization of clinical reports:

  • Masking – Described as the simplest method, masking is accomplished with a redaction tool that scrubs specified information.
  • Randomization – Randomization changes the data so it is less identifiable to an individual.
  • Generalization – This method dilutes the “attributes of the data.” For example an individual’s name could be substituted with an age range.

These anonymization techniques can be used separately or in combination. These techniques are consistent with the Article 29 Working Party’s Opinion 05/2014 (WP216) on Anonymisation Techniques. [Data Protection Report]

Internet / WWW

WW – Forrester’s Privacy Heat Map Highlights EU’s Impact on Regulations

Market research company Forrester has updated its data privacy heat map to highlight data protection guidelines and practices in 54 countries. The 2016 update looked back at the past five years of assessments and noted three high-level trends. The three trends included countries such as Nigeria, Argentina and Japan looking toward Europe as the standard for data protection, the General Data Protection Regulation affecting legislation both inside and outside the EU, and efforts to strengthen surveillance that undermines data protection laws. “In a world where privacy has become a competitive differentiator for multinational organizations, businesses must increasingly work with their general counsels and chief privacy officers to understand global data privacy requirements, implementing controls that protect personal data accordingly,” Sherman writes. [Forbes]

WW – Study Ranks Android Apps by Tracker Use

An Opera study of 60 companies in 10 countries has ranked Android apps by their use of data trackers. It found that Bukalapak and OLX “were the worst in terms of how many tracker requests they sent to users’ smartphones.” “Sharing data like bank account information through unsecured Wi-Fi networks can increase the risks of hacking and cybercrime,” said app Opera Max’s Sergey Lossev in the study. “A lot of users give up information without their realization; like when they shop online through their mobile phones.” The report added that “both companies say using trackers in applications is common practice in Indonesia and elsewhere.” [Business Standard]

Law Enforcement

US – FBI Can Access Most of the Encrypted Devices it Faces During an Investigation

During a public meeting in Washington on Nov. 11, FBI General Counsel Jim Baker said that the agency is able to access most of the locked computers or mobile phones during investigations. Analyzing data from the 2016 fiscal year disclosed by Baker, Motherboard calculates that the FBI can crack 87 percent of devices it interacts with. “The fed’s argument is that unbreakable encryption is stumping criminal investigations, making them harder, if not impossible, to sometimes access important evidence on a suspect or a victim’s phone or computer… The numbers disclosed by Baker on Friday, which have never been published before, seem to indicate that the reality, however, is a little different.” The FBI has yet to confirm or deny the accuracy of Motherboard’s calculations. [Motherboard] [Cops Have Given The FBI 6,814 iPhones They Couldn’t Access In 2016]

CA – Top-Secret RCMP Files Show Digital Roadblocks Thwarting Criminal Investigations in Canada

The RCMP has provided unprecedented access to the Toronto Star and the CBC in an effort to make its case that antiquated laws and diminished police powers in the digital age are allowing suspected terrorists, drug gangs and child abusers to operate beyond the law. Journalists from the two media outlets have reviewed the details of 10 high-priority cases after clearing RCMP security checks for access to “top-secret” information. In each case, investigators were stonewalled by legal and technical obstacles in accessing digital evidence, the Mounties say. Most of the suspects remain at large. These cases stand at the centre of an emerging national debate. Police argue they are on the losing side of a digital divide, while on the other side are tech-savvy criminals who are shielded by impenetrable encryption, telecommunication companies and technology manufacturers. Privacy advocates argue that police have never before had such powers of surveillance and that they have failed to provide evidence that the public’s safety is in jeopardy. The audience is Canadians who are alarmed to learn that some criminals are increasingly beyond the reach of the law. They are equally alarmed by the recent Federal Court ruling that denounced the national spy agency, CSIS, for illegally gathering the private information of Canadians, and by news that Quebec police forces intercepted and tracked the cellphones of as many as 10 journalists to discover their sources. [Toronto Star] See also: Secret Bans, Secret Trials: The Canadian ‘No-Fly’ Lists  | Bill C-51: Less Free Speech, Undermines De-radicalization | The ‘New’ CSIS Brings Secret Police to Canada | Curbs Needed on Sweeping Powers to Spy on Canadians | The RCMP Is Using the Media to ‘Create Moral Panic’ About Encryption | Top Mountie lobbying PM for greater digital surveillance powers | RCMP boss Bob Paulson says force needs warrantless access to ISP user data

Online Privacy

WW – Facebook to Stop Ads from Targeting Users Based on Race, Ethnicity

Facebook has announced it will prohibit advertisers from targeting or excluding users based on race and ethnicity. “We are going to turn off, actually prohibit, the use of ethnic affinity marketing for ads that we identify as offering housing, employment and credit,” said Facebook VP of U.S. Public Policy Erin Egan. She also said advertisers must affirm they will not use discriminatory ads on the site. Facebook will offer educational materials to help advertisers become familiar with their new obligations. The changes come shortly after Facebook met with New York Attorney General Eric Schneiderman, Rep. Robin Kelly, D-Ill., the Congressional Black Caucus, Rep. Linda Sanchez, D-Calif., and the Congressional Hispanic Caucus. Egan said the company recently had a “constructive dialogue” with other advocacy groups as well, including the American Civil Liberties Union and Center for Democracy & Technology. “In light of these concerns that have been raised, we are taking this step,” she added. [USA Today]

WW – Google Cracking Down on Websites’ End-Runs Around Security

Google is paying attention when websites take the easy way out of complying with its Safe Browsing terms. If a site is deemed unsecure, users will see warnings in most browsers. Webmasters can ask to have the warnings removed once they have brought their sites into compliance. Google was finding that some sites make changes to get the warnings removed, but quickly revert to unsecure practices. Google’s Safe Browsing rules now include a “repeat offender” category. “Repeat Offenders are websites that repeatedly switch between compliant and policy-violating behavior for the purpose of having a successful review and having warnings removed.” Webmasters of sites identified as repeat offenders must now wait 30 days before requesting a review. Computerworld: Google punished web backsliders in Chrome

Other Jurisdictions

HK – HK Privacy Commissioner Signs Privacy Research Declaration

At the Barun ICT Research Conference 2016 & Asia Privacy Bridge Forum in Seoul, South Korea on Nov. 2, the Hong Kong Office of the Privacy Commissioner for Personal Data, the Korea Internet & Security Agency, Barun ICT Research Center, and others from the Asia-Pacific privacy community signed the Asia Privacy Bridge Forum Joint Declaration 2016, the PCPD announced in a press release. The declaration aims “to strengthen privacy research and education as well as policy cooperation in [the] Asian region.” The declaration “reflects the recognition of our commitment to balancing the free flow of information and personal data privacy protection from our international counterparts,” said Hong Kong Privacy Commissioner for Personal Data Stephen Kai-yi Wong. “I shall be very glad to share our experience in law enforcement as well as promotion and education on data protection in Hong Kong, and explore common interests in joint research topics and policy cooperation initiatives.” [PCPD.org]

Privacy (US)

US – FTC Announces Changing Consumer Demographics Workshop

On Dec. 6, the FTC will host a workshop in Washington examining the changes in consumer demographics, the agency announced in a statement. “According to the U.S. Census Bureau, the population is getting older and more racially and ethnically diverse… Understanding our changing communities will be necessary as the FTC continues its efforts to combat unfair and deceptive practices affecting all consumers.” The workshop will tackle questions of what “the consumers of the future” will look like and how tactics to reach them and protect them from fraud will change. Pre-registration is not required and the event is free and open to the public. Those interested in sharing research should reach out to the workshop team, the report adds. [FTC.org]

US – Court: Incorrectly Identifying Individual as Terrorist in Consumer Report Constitutes Concrete Harm

The Court considered Trans Union, LLC’s request for de-certification of two alleged violations under a class law suit for alleged violations under the Fair Credit Reporting Act. A consumer reporting agency wrongly described an individual as a terrorist, ascribing to him a criminal record that he did not have, and failing to provide him with access to his file; there is core harm in sharing erroneous and damning information about an individual, even if only narrowly disseminated (the report was only shared with a prospective landlord). Preventing a customer from monitoring their file presents of risk of real harm, which can satisfy the requirement of concreteness. [Patel v. Trans Union LLC – Case No. 14-cv-00522-LB – United States District Court Northern District of California]

US – Adobe Settles with States for 2013 Data Breach

Adobe has reached a settlement with the states that sued the company following its 2013 data breach. Adobe will pay $1 million dollars, to be divided evenly between the 15 states, while also enacting stronger security protocols. The states sued Adobe after the breach, claiming it did not take “reasonable security measures” to properly protect the data. “Consumers should have a reasonable expectation that their personal and financial information is properly safeguarded from unauthorized access,” said Connecticut Attorney General George Jepsen, who also praised Adobe for cooperating with the states while the settlement was reached. “Companies have a responsibility to consumers to protect their personal information, and this settlement will ensure Adobe establishes stronger safeguards in the future,” said Illinois Attorney General Lisa Madigan. [ConsumerAffairs]


US – Indiana County Government Will Pay to Remove Ransomware

After ransomware hit the IT systems of Madison County, Indiana government, the county commissioners voted unanimously to pay the ransom. The attack shut down county services for days. The county’s insurance company, Travelers, is covering the cost of the ransom, less a deductible. In a separate story, the Lansing (Michigan) Board of Water & Light acknowledged that it paid $25,000 to regain control of its accounting and email systems earlier this year. [Arstechnica: | Networkworld ]

Smart Cars / IoT

US – Court: Collection of Data from Logging Devices in Commercial Vehicles is Lawful

The Owner-Operator Independent Drivers Association Inc. et alia. argue that the US Department of Transportation Rule requiring installation of electronic logging devices in interstate commercial motor vehicles is contrary to the law. Data collected from the devices (installed in all vehicles required to maintain hours of service records) is intentionally limited in scope – exact vehicle locations are not collected, and recordings are only done when the vehicle is turned on, when the duty status changes, and once per hour while driving; drivers and motor carriers are responsible for maintenance and storage of the data (not the Dept. of Transportation), and personal information is redacted before release of the data (e.g. for civil litigation). [Owner-Operator Independent Drivers Association Inc. et al. v. US Dept. of Transportation et al. – Petition – US Court of Appeals for the 7th Circuit]

US – White House and DHS Publish Cybersecurity Guidelines for IoT Devices

Two independent IoT (Internet of Things) cybersecurity publications were released by the White House and the Department of Homeland Security, covering guidelines and principles for creating IoT devices with in-built security measures, as well as recommended protocols for implementing such measures. The Obama administration ‘rushed’ the NIST publication a month ahead of the planned release, primarily due to the escalated urgency surrounding cybersecurity for IoT devices following last month’s major Distributed Denial of Service attack that disabled parts of the United States’ internet infrastructure. Both publications are aimed at guiding for cybersecurity measures at the design and manufacture stage rather than at the user level. And that brings along with it the cost factor, the biggest question being: can device manufacturers be incentivized enough to make it worth their while to spend time, money and effort on incorporating security hardware and software on their devices? The guidelines themselves target the fundamentals and system lifecycle processes for device manufacture, and provide guidelines for incorporating security protocols as part of the product lifecycle itself. The Homeland Security publication goes a step further and addresses the issues from an industrial consumer standpoint. The purpose of these publications is to initiate a high-level awareness and evoke a sense of urgency in implementing the guidelines and principles outlined in them. As of now, the FCC has said it is not likely to enact any mandatory standards for IoT cybersecurity, but with IoT now permeating through critical industrial areas such as power production, medical technology and transportation infrastructure, the longer things stand the way they are, the greater the risk of such systems being compromised. [Source] NIST unveils Internet of Things cybersecurity guidance | DHS Release Principles For Securing Internet Of Things Amid Expanding Cyber Attack Vectors


WW – Pre-installed Phone Software Transmitted User Information to China

Security firm Kryptowire discovered certain Android phones had pre-installed software that sends user data to China every 72 hours. Shanghai Adups Technology Company wrote the software and said it is on more than 700 million phones, cars and other smart devices. The software transmitted users’ text messages, contact lists, call logs, location information, and other data to a Chinese server. While Adups intentionally designed the software to monitor user behavior, it was never meant to make its way to the U.S. American phone manufacturer BLU Products said 120,000 of its devices had the software, and has offered updates to remove the feature. BLU’s Chief Executive Samuel Ohev-Zion said Adups told him all the information collected from his customers has been destroyed. [The New York Times] [Budget US Android smartphones found secretly sending personal data to China | Android Phone Maker Ignored Researchers’ Warnings That Their Phones Had Backdoor]

WW – Is Social Media the ‘New Front in Warfare’?

Motherboard has published two reports on how governments are increasingly viewing social media as “a new front in warfare” and tool for the military. A global conference in London with senior military and intelligence personnel reveals social media can be an intelligence source on civilian populations and enemies and a channel for propaganda to influence public opinion. A separate Motherboard article reports on how spies use social media — Tinder, for example — to infiltrate activist groups. Though infiltrating activist groups is nothing new, the crop of personal information found on social media can be used to manipulate and socially engineer intelligence targets. [Full Story]

US – Art Installation Explores Surveillance

Student photographer at SUNY New Paltz Connor Henderson displayed the photos of students taken without their consent for an installation exploring surveillance and privacy. “We all had to create installations involving the ideas of ‘public v.s. private’ and ‘surveillance,’ so the project itself was for a class, [but] the idea for the project and the concept behind it came from me,” Henderson said. He added that he conspicuously took “hundreds of photos” of campus-dwellers walking through the school’s academic quad, but “not one person asked me what I was doing,” he said. “I feel like most people just don’t really realize how much surveillance we have in our society,” he continued. “We really are always being watched.” [The New Paltz Oracle]

US Government Programs

US – Federal Executive Branch Agencies Must Notify Congress of Major Incidents

The US Office of Management and Budget (OMB) released its 2017 FISMA Guidance to government agencies. The newest version of the document defines a major cyber incident as “any incident that is likely to result in demonstrable harm to the security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.” Major cyber incidents must be reported to Congress. The guidance defines any breach that exposes records of more than 100,000 to be a Major Breach, even if the other requirements are not met. The guidance also requires use of the NCCIC Cyber Incident Scoring System, which is new. [Federal News Radio: OMB tries again to define a major cyber incident | FCW: White House tweaks incident reporting in FISMA memo | Whitehouse.gov: OMB Memo: Fiscal Year 2016-2017 Guidance on Federal Information Security and Privacy Management Requirements

US Legislation

US – Legislative Roundup




Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: