18-27 November 2016


US – Facebook Says Illinois Biometrics Privacy Law Violates Constitution

Facebook Inc. says an Illinois biometrics law that prevents interstate-sharing of facial recognition data violates the U.S. Constitution In August, three class actions against Facebook over allegations that the company’s ‘tag suggestion’ feature violates users’ privacy rights, were moved from Chicago’s federal courts to San Francisco’s. Facebook said that the BIPA infringes on a constitutional protection under the commerce clause, which restricts a state’s ability to pass legislation that would improperly strain or discriminate against interstate commerce. Last month, both Facebook and Google stated that collecting facial biometrics data isn’t against the law, even without the user’s consent. [Biometrics Update | Federal Court in Illinois dismisses biometric data privacy case against Smarte Carte ]


CA – OPC Canada Recommends Amending Federal Privacy Act to Require Breach Notification and Improved OPC Powers.

The federal Privacy Commissioner of Canada appears before a committee studying potential reviews of the Privacy Act. Government institutions should be required to report material breaches of personal information to the OPC in a timely manner and notify affected individuals in certain cases. The ombudsman model for complaint investigation should be replaced with OPC powers to issue binding orders, and the OPC should be granted discretionary power to decline complaints or discontinue investigations on specified grounds, including when the complaint is frivolous, vexatious or made in bad faith. [OPC Canada – Appearance before the Standing Committee on Access to Information, Privacy and Ethics on the Study on Review of the Privacy ActOpening Statement | Recommendations]

CA – Therrien Calls on Parliament for Clear Rules on Surveillance

Privacy Commissioner Daniel Therrien has called on Parliament to enact clearer rules around how law enforcement collects, obtains and destroys data on Canadian citizens. He said Bill C-51 needs more protections built in. “Security agencies, with (Bill C-51 powers) and with the absence of rules around retention, for instance, would be able to collect and retain information that they don’t really need,” Therrien said. “I don’t dispute that CSIS needs to analyze information in order to do their job but once the analysis has been completed and the vast majority of people about whom they’re collecting information are found not to be a threat, and that’s the case, then they should destroy that information.” [Toronto Star]

CA – Ottawa Approves Redress System for Canadian Travellers Affected by No-Fly List

The federal government has approved a redress system to protect Canadian travellers, including children who can’t board airline flights due to aviation security lists. Unlike the U.S. stand-alone system, Canada’s no-fly-list database was designed to piggyback on to airline computers, making it more problematic to deal with misunderstandings about passenger identity. Canada is now poised to set up its own independent data system that will be controlled by Public Safety, Transport Canada and the Canada Border Services Agency. The redress system will allow Canadians whose names closely match those on the no-fly list to apply for a unique identification number. They will be able to use the number at the time of ticket purchase to clear their name in advance and prevent flight delays. [Globe & Mail | Six-year-old’s name still on Canada’s no-fly list, mother says | Secret Bans, Secret Trials: The Canadian ‘No-Fly’ Lists | Families say shared Canada-U.S. no-fly lists must include safeguards for children  | Canada’s no-fly list is ‘very mysterious’ and leaves targets little recourse, say critics

CA – Canada Steps Away from Online Redress System, But ‘No Fly List Kids’ Parents Still Waiting

Canada could implement a redress system as early as spring of 2018 to make it easier for children and adults falsely flagged as security threats to get past extra airport security checks when their names match those of people on no-fly lists. Public Safety Minister Ralph Goodale described the future system at a town hall on national security Saturday afternoon in Markham, Ont. Goodale pointed to the American redress model, which provides a redress number to “false-positives” on the list that can be entered online anytime they make a booking to avoid additional screening. “That’s the way the Canadian system should work,” the public safety minister said, adding that once implemented, Canada’s system will be interactive, automatic and done entirely online. But in the meantime, the public safety minister announced no interim solutions for people falsely flagged by the list, something the parents advocacy group No Fly List Kids had been hoping for. “It was a little bit disappointing,” said a spokesperson for the group, who added she was nevertheless encouraged to hear changes are coming. Consultations began on Sept. 8 and will be completed on Dec. 15. Submissions can also be made online. Feedback from the town halls will be compiled into a report that will be made public, the government said. [CBC | Liberals ask public to weigh in online about national security issues | Ontario man stranded in Amsterdam by U.S. no-fly list back home | Markham man still stranded in Amsterdam says his name is on no-fly list | ‘As a Canadian citizen I felt very helpless’: Man on U.S. no-fly list stranded overseas | Mom of boy on no-fly list ‘really looking forward’ to travelling after feds announce plan to end mix-ups | Mother insists plan for Canada-US no-fly list must protect children | Human rights tribunal questions Air Canada’s ‘no-fly list’ policies | Boy, 6, still flagged in no-fly list mix-up, family says | Mother of boy on no-fly list ‘pleased’ by Ottawa’s response | Families affected by no-fly list reach out to mother of Ontario boy | U.S. no-fly list could be behind Canadian air travel nightmares | Ottawa says there’s no need for additional airport security screening for under-18s | Getting on Canada’s no-fly list is ‘a very mysterious process,’ says critic | Ottawa approves redress system for Canadian travellers affected by no-fly list | Secret Bans, Secret Trials: The Canadian ‘No-Fly’ Lists | Families say shared Canada-U.S. no-fly lists must include safeguards for children | Canada’s no-fly list is ‘very mysterious’ and leaves targets little recourse, say critics]

CA – New Brunswick Benefits Bill Changed Due to Privacy Concerns

A benefits bill that details what information is shared between the New Brunswick and federal governments has been altered because of privacy concerns. The bill will simplify the sharing of personal data between the governments deciding which provincial residents are eligible for welfare, housing and nursing home subsidies. One change included a more narrow and specific definition of personal information. Families Minister Stephen Horsman said, “Personal information’ means the name and date of the birth of the person.” Ultimately, he said, the bill will cut down on waiting times so residents can get the services they need more quickly. [CBC]

CA – Nova Scotia Privacy Breach Shows Why Faxing Personal Information Must End

Nova Scotia’s privacy commissioner is urging the provincial health authority to stop allowing doctors to send faxes with sensitive information A number of organizations still use fax machines for sending data, particularly in the health care field where paper is the most trusted form of documentation. But a fax sent to the wrong number can cause a major privacy breach. That’s what has been happening in Nova Scotia, where for years a private business has been receiving faxes from family doctors referring patients to a mental health clinic with a similar fax number. It got bad enough that Catherine Tully, the Information and Privacy Commissioner, stepped in to investigate. [IT World Canada | Privacy commissioner says doctors should move away from faxing patient referrals | Doctors should move away from faxing patient referrals: Nova Scotia Privacy Commissioner]

CA – SCC Decision Reaffirms Protection of Solicitor-Client Privilege

In a pair of decisions, the Supreme Court of Canada has reaffirmed robust protections for solicitor-client privilege, while elevating litigation privilege. In Lizotte v. Aviva Insurance Company of Canada, the Supreme Court upheld a 2015 Quebec Court of Appeal ruling that determined a provincial regulator could not have access to information Aviva Insurance claimed was protected by litigation privilege. In the second decision released Friday, Alberta v. University of Calgary, the court determined a provincial regulator could not abrogate solicitor-client privilege on inference. “…solicitor-client privilege cannot be set aside by inference but only by legislative language that is clear, explicit and unequivocal,” Justice Suzanne Côté wrote for the majority in the decision. [Canadian Lawyer | SCC deals blow to privacy commissioner powers – privilege reigns supreme | Alberta’s information and privacy commissioner loses Supreme Court case

CA – Quebec Government Launches Online Privacy Awareness Campaign

The Quebec government is introducing a new campaign designed to raise online privacy awareness. National Assembly of Quebec Minister Rita de Santis will tour with actor Nicolas Ouellet to explain to teens between the ages of 14 and 17 why they need to be careful about what they share on social media. De Santis also plans to introduce legislation to the National Assembly to increase privacy protections, but admits more needs to be done. “The law alone can’t change how people behave,” de Santis said. The tour will finish in May 2017. [Full Story]

CA – Monsef Says She’s Heard No Concerns on Political Parties’ Big Data Operations

Democratic Institutions Minister Maryam Monsef says she hasn’t heard concerns about political parties’ unfettered ability to collect and use data from Canadians. There are virtually no rules or oversight into how parties collect, store and analyze data collected from Canadian voters. But Monsef said the issue hasn’t come up as she’s crisscrossed the country talking about how to reform Canada’s election system. All three major federal parties have been ramping up their big data operations to help guide their electoral efforts. Data can be drawn from fundraising emails and online petitions, interactions on voters’ doorstep, even social media postings. Privacy Commissioner Daniel Therrien noted that, while government agencies, including intelligence and law enforcement agencies, are subject to strict privacy laws, political parties have no rules or oversight. “All of these rules that apply to government departments, or to private organizations, which are basic privacy safeguards, do not apply to political parties,” [The Star | Political parties need rules for collecting Canadians data, says privacy watchdog | Ottawa may review parties’ use of Canadians’ private data

CA – Ontario Court Determines Customer Consent Allows for Production of Medical Documents

An Ontario Court reviewed a request by Fairview Assessment Centre seeking directions concerning the production of medical documents from non-party insured individuals. The Court ordered the production of medical documents of non-party insured individuals who made claims for statutory accident benefits; by signing the insurance application form, applicants expressly consented to the use and disclosure of their PHI for legitimate purposes (including investigation, adjudication and preventing and detecting fraud), and acknowledged that their PHI can be disclosed for purposes of complying with a legal order or participating in a proceeding as a witness. [Economical Insurance Company v Fairview Assessment Centre Inc. – cv-10-414992 – Superior Court of Justice – Ontario]


WW – MEF Releases White Paper On Personal Data Economy

The Mobile Ecosystem Forum has released a new white paper focused on the personal data economy, the concept of “letting individuals take ownership of their information so they can share it with businesses on their terms.” The white paper, commissioned on behalf of the MEF Consumer Trust Working Group, defines the personal data economy, provides case studies, includes regulation and compliance issues, outlines potential benefits, and details key challenges. [Mobile Ecosystem Forum]


CA – Poll: Only 15% of Citizens Use Encryption

A CBC News and Toronto Star poll found few Canadian citizens use advanced personal security tools to protect their data. While 81% of respondents said they clear cookies and erase their browser histories, only 15% said they use encryption, and only 17% use services such as virtual private networks to hide their identities (and locations) online. The poll found men are more likely to take steps to protect their privacy online than women. [CBC]

CA –Therrien Memo Indicates Support for Encryption

A memo prepared for Privacy Commissioner of Canada Daniel Therrien states that it “would be difficult for any one country to weaken or ban encryption technology.” “Encryption tools very much are now ubiquitous, globally distributed and irrevocable, which plainly no piece of domestic regulation or lawmaking will undo, given that two-thirds of encryption products are produced and sold by non-U.S. firms,” the memo states. While some critics argue that the practice protects criminals, a U.S. committee on homeland security report, summarized within the memo, counters that weakened encryption could have adverse effects on public safety. “What we are really dealing with is not so much a question of ‘privacy versus security,’ but a question of ‘security versus security.” [FToronto Star]

EU Developments

UK – Investigatory Powers Bill Passes Parliament

Britain’s Parliament has passed the Investigatory Powers Bill, a controversial surveillance law that grants UK intelligence agencies what some have called “overreaching, draconian and intrusive” authority to snoop on citizens. The bill is expected to become law before the end of the calendar year. It compels Internet service providers (ISPs) to retain every customer’s browsing history for up to a year; grants intelligence agencies the authority to gather “bulk personal datasets,” which could include information belonging to individuals not associated with an investigation; and requires companies to decrypt information upon demand. [ZDNet | v3.co.uk | SCMagazine | Sweeping UK spy bill dubbed ‘snoopers’ charter’ becomes law | Snoopers’ Charter will face legal challenge as privacy groups decry mass surveillance regime | The Investigatory Powers Bill (Snoopers’ Charter) Is Here, Now What Do We Do? | How to avoid the UK’s new online surveillance powers] See also: [Germany planning to ‘massively’ limit privacy rights]

EU – Other Privacy News

Facts & Stats

CA – CRTC Signs Agreement with FTC to Fight Unlawful Robocalls and Caller ID Spoofing

Effective November 17, 2016, the CRTC signed a memorandum of understanding with the U.S. FTC in regards to enforcing:

  • automated telephone calls (“robocalls”); and
  • inaccurate caller identification laws (“caller ID spoofing”).

The agreement will allow both organizations to work more collaboratively on the growing threat that unwanted robocalls pose to citizens of both countries, and requires both the CRTC and FTC to share complaints and other relevant information, provide investigative assistance, and facilitate a mutual exchange of knowledge and expertise through training programs and staff exchanges. [CRTC – Memorandum of Understanding Between the United States FTC and the CRTC on Mutual Assistance in the Enforcement of Laws on Automated Telephone Calls and Inaccurate Caller Identification | CRTC Press Release | FCC Press Release]


CA – Supreme Court of Canada Holds that Bank Can Disclose Mortgage Discharge Statements to Creditors

Royal Bank of Canada appealed the decision of the Ontario Court of Appeal holding that PIPEDA precludes Scotiabank from disclosing a mortgage statement to RBC. The court overrules lower court decisions by holding that a reasonable mortgagor would be aware that a judgment creditor has a legal right to obtain information necessary to realize their right to recover the debt against the individual’s assets; a creditor should be entitled to a court order requiring disclosure of a mortgage discharge statement if it has obtained judgment, filed a writ of seizure and sale, had the debtor either refuse consent to the disclosure or fail to attend an examination, and served the debtor with a motion to obtain disclosure (PIPEDA does not bar such disclosures). [Royal Bank of Canada v. Trang – 2016 SCC 50 (CanLII) – Supreme Court of Canada]

US – IRS Looking for Bitcoin Users’ Identity, Have Analysts Concerned for the Currency’s Future

The IRS is searching for both the identity of Coinbase users and their transactional activity after evidence suggests they violated U.S. tax laws. “As indicated by the summons, two things are clear: one, the IRS has tracked bitcoin-related activity sufficiently to be able to determine that certain users may not be in compliance with tax law, and two, this activity has been traced back to Coinbase wallets.” The move ultimately has some wondering if bitcoin is “over… Although bitcoin was initially touted as an ‘anonymous’ currency, people who understand the technology have always known it’s actually easily trackable. This sweeping action by the IRS demonstrates why it’s important for the crypto world to be advancing both convenience and anonymity in its currency,” said Dash’s Eric Sammons. [Cointelegraph]

EU – ENISA Examines Insurers’ Assessment Criteria and Best Practices

ENISA issued recommendations on cyber insurance companies and cyber insurance customers. Assessment criteria includes geographic spread of business (size, operations and revenue), business details (activities, outsourced functions and risk exposure), IT dependencies, processing of data (volume, sensitivity and liability), incident history, corporate social media presence, policy/claims history, and requested policy limit; a risk assessment is a best practice which should include review of dedicated resources (CISO), policies and procedures, employee awareness, incident response, security measures, vendor management and Board oversight. [ENISA – Cyber Insurance: Recent Advances, Good Practices and Challenges]


CA – Waits for Access to Information Get Longer in Alberta: Report

Albertans are facing increasingly lengthy waits for the province and its agencies to respond to information requests, says a newly published government report that was itself delayed by more than two years. The report reveals a worsening trend of failures to meet a legally mandated 30-day limit for fulfilling information applications. Newly released statistics from the 2014-15 fiscal year show the government and its agencies hit the deadline for 59% of the requests they received, while nearly a quarter of requests took 60 days or longer to complete. While offering plenty of statistics, the latest annual report offers little insight as to what factors might be behind the response times, such as a lack of FOIP staff, inadequate training, increased volume or complexity of requests, or heightened government scrutiny of requests. The report was released the same week as a new annual report from Information and Privacy Commissioner Jill Clayton, who also expressed confusion at the trend and speculated the government may not have enough FOIP staff. Regardless of what the reasons might be, Clayton said the government’s performance has Alberta “fast approaching a crisis situation” in information access. [Edmonton Journal | The Report | Access to information in Alberta nearing ‘crisis situation,’ FOIP commissioner says]

US – Yahoo Disclosed User Content in 1,115 US Gov’t Requests in First Half of 2016

Yahoo! provides its transparency report on requests for customer information from US and global government agencies between January 1, 2016 and June 30, 2016. The transparency report only includes government data requests. Yahoo received a total of 4,709 requests from US government agencies between January 1, 2016 and June 30, 2016, with most requests relating to criminal investigations; the company scrutinizes each request to ensure that it complies with the law, but may voluntarily disclose information where a disclosure without delay will prevent imminent danger of death or serious physical injury to a person. [Yahoo Transparency Report 2016]


EU – Council of Europe Issues Recommendations for Non-Discrimination in Insurance Contracts

The Committee of Ministers for the Council of Europe issued essential principles to protect the rights of individuals whose personal data are processed for insurance purposes. Predictive genetic tests should only be used if authorised by law, and an independent assessment can confirm that individuals have provided free, express, informed consent, processing is specified, justified and proportional, the quality and validity of the data is in line with generally accepted scientific and clinical standards, and the data has a high positive predictive value. Family members’ health data, and data obtained from the public domain, or for research should not be processed for insurance purposes. [Council of Europe – Recommendation CM-Rec(2016)8 – Processing of Personal Health-Related Data for Insurance Purposes, Including Data Resulting from Genetic Tests]

Health / Medical

CA – OIPC NFLD Finds Physician Names, Specialties and Unique Numbers are not Personal Information

The Office of the Information and Privacy Commissioner of Newfoundland and Labrador reviewed a decision by the Department of Health and Community Services to deny the disclosure of records, pursuant to the Access to Information and Protection of Privacy Act, 2015. A physician’s name and specialty is considered professional or business information, and their gross billing information would not be an accurate representation of their income, such that it would reveal anything of a personal nature; for the purposes of the Access to Information and Protection of Privacy Act, 2015, physicians shall be treated as employees (not third parties), because they practice in the context of a contractual relationship with the government to perform services for the public. [OIPC NFLD – Report A-2016-019 – Department of Health and Community Services]

CA – OAIPC NB Finds 3 Health Custodians Jointly Responsible for Preventable Breach of PHI

A new OAIPC report investigates a privacy breach incident at a hospital pursuant to New Brunswick’s Personal Health Information Protection Act. An employee’s unencrypted and uncabled laptop was stolen from an unlocked office; notification was given to all affected patients, the OAIPC, and law enforcement (the OAIPC agreed it was burdensome to notify 78 other patients who were not easily identifiable). All 3 custodians agreed to undertake appropriate corrective measures; a joint committee establishing policies around devices holding PHI, and a mandatory policy for passwords/encryption on portable devices. [OAIPC NB – 2014-2214-H-640 – Case About a Laptop Containing Unencrypted Personal Health Information Stolen from a Hospital]

UK – DeepMind has Signed a Major New Deal With the NHS Despite Concerns About Patient Privacy

DeepMind, an AI lab acquired by Google for £400 million, has secured a landmark deal with the NHS, paving the way forward for the company’s growing healthcare division. Royal Free London NHS Foundation Trust announced on its website on Tuesday that it will start rolling out DeepMind’s Streams app to clinicians at its hospitals from early 2017. Under the new five-year partnership, DeepMind and the Royal Free intend to expand the app’s abilities so that it can be used to help doctors monitor and detect patients at risk of other conditions, including sepsis and organ failure. DeepMind’s work on the Streams app with the Royal Free was criticised by privacy campaigners in April when New Scientist published an article highlighting the extent of the data-sharing agreement between the two organisations. [Business Insider | DeepMind hits back at criticism of its NHS data-sharing deal | Google company’s access to NHS records raises privacy concerns | DeepMind’s cofounder defended a controversial data-sharing agreement with the NHS | ICO probes Google DeepMind patient data-sharing deal with NHS Hospital Trust | DeepMind NHS health data-sharing deal faces further scrutiny

Horror Stories

US – Dept of Housing and Urban Development Breach of 600,000 Records

A Department of Housing and Urban Development website error led to the exposure of an estimated 600,000 users in August of this year, and victims have just heard of the breach via letters from the agency. While the breach only exposed the partial Social Security numbers and names of public housing residents, “some people who worked for employers that sought HUD/Empowerment Zone-related tax credits, including name, address and full or partial Social Security numbers, was also disclosed,” the letter states. The agency is offering those affected a year’s worth of credit monitoring. [Forbes]

UK – Three UK Suffers Data Breach After Hackers Obtain Employee Login

Hackers may have compromised the information of millions of Three UK customers after gaining access to an employee login. Three UK estimates hackers may have access to the information of two-thirds of its 8.8 million active customers after using the employee login to trigger bonus upgrades for premium smartphones in hopes of intercepting devices before they were delivered to customers. The customer data includes names, phone numbers, addresses and dates of birth. “We’re aware of an attempted fraud issue regarding upgrade devices and are working with police and relevant authorities on the matter. The objective was to steal high-end smartphones from Three, but we’ve already put measures in place to stop the fraudulent activity. We’d like to reassure customers that their financial details are not at risk,” Three UK said in a statement on Facebook. | TechCrunch | ZDNdnet | The Register]

Identity Issues

CA – OIPC AB Finds Public Body Inappropriately Disclosed Individual’s Address to the CRA

The Office of the Information and Privacy Commissioner in Alberta reviewed a decision by Service Alberta to deny access to records requested, pursuant to the Freedom of Information and Protection of Privacy Act. After a previous CRA request to the public body for an individual’s residential address, the public body contacted the CRA when the individual renewed her vehicle registration and provided a new address; the individual was not informed about the disclosure, and the CRA’s request for the information did not describe the nature of the investigation against the individual, how the address would be of assistance, or show that the CRA was authorized to obtain her address from the public body. [OIPC AB – Order F2016-41 – Service Alberta]

CA – Quebec Commission Finds Bank’s Collection of Personal Information Excessive for Identification Purposes

The Commission d’Accès à l’Information du Québec investigated a complaint alleging the unnecessary collection of personal information pursuant to the Act respecting the Protection of Personal Information in the Private Sector. The bank’s collection of notices of assessments was justified for the purpose of assessing a customer’s creditworthiness in relation to a credit application; however, the collection of a customer’s SIN, driver’s licence number and health card number for the purposes of identification is not proportionate to the intended use and sensitivity of the documents (e.g. health card is only to be used in relation to health services and SIN is not required if there is no tax implication). [CAI QC – Decision 061063 – Banque Nationale du Canada]

Law Enforcement

US – RCMP Seeks Stronger Surveillance Capabilities from Prime Minister

The Royal Canadian Mounted Police is pushing the Prime Minister’s Office for the ability to circumvent digital roadblocks, including obtaining basic subscriber information without a warrant in matters of national security. RCMP Commissioner Bob Paulson said criminal activity is taking place with technology the police force cannot act upon. “Because of our inability — and the future inability — to protect Canadians, both from garden variety criminality and from the national security threat, I see that as really significant,” Paulson said. “I’m consumed with trying to make sure that we’re able to mitigate the threat.” In an op-ed for Motherboard, however, Jordan Pearson claims the RCMP is using the media to “create moral panic” on the topic of encryption. [CBC News]

CA – RCMP is Overstating Canada’s ‘Surveillance Lag’

The RCMP has been lobbying the government behind the scenes for increased surveillance powers on the faulty premise that their investigative powers are lagging behind those foreign police services. The RCMP lobbying efforts paint an image of crisis where none exists. Surveillance capacities of other countries are overstated, while the formidable powers already available to Canadian agencies are disregarded. the RCMP appears to have convinced the federal government to transform a process intended to curb the excesses of Bill C-51 into one dominated by proposals for additional surveillance powers. The RCMP’s proposal to bypass the courts — historic front line watchdogs of our policing agencies — in favour of direct police access to sensitive digital identifiers is reducible to a desire to save “time and paperwork.” Collectively, the RCMP lobbying efforts paint an image of crisis where none exists. Surveillance capacities of other countries are overstated, while the formidable powers already available to Canadian agencies are disregarded. Far from “going dark,” the amount of data available to policing agencies in Canada and abroad is at historic heights, making this truly the golden age of investigative surveillance. [The Star | The RCMP needs you scared — and the media seems happy to help | Canadian Media Is Selling Citizens Short In a Nationwide Surveillance Debate | The RCMP Is Using the Media to ‘Create Moral Panic’ About Encryption

CA – Should Police Be Able to Force You to Hand Over Your Digital Passwords?

CBC News/Toronto Star demo a $450 device that cracks iPhones to explore existing investigative capabilities. Police say they need the power to compel suspects to hand over cellphone passwords and computer encryption codes in serious crime cases where potential evidence is hidden behind digital walls. But the proposal has not only provoked an outcry from civil liberties advocates, it has even caused division among police leaders. The idea is being floated in a federal government discussion paper and was endorsed by the Canadian Association of Chiefs of Police (CACP) as one measure to help investigators collect evidence on tech-savvy suspects who hide their identities and activities. But legal and civil liberties advocates warn that a law to compel the surrender of passwords flies in the face of the right to remain silent enshrined in the Charter of Rights and Freedoms. Micheal Vonn, policy director of the BC Civil Liberties Association, called it a “a very radical proposal in Canadian law.” Obtaining a suspect’s passwords is only one way for police to access encrypted devices. Critics say law enforcement has developed many other techniques to bypass passcodes and data protections on encrypted phones. CBC News and the Toronto Star asked a local data forensics expert who has worked closely with law enforcement to demonstrate how he can use a device to get past a password. [CBC News | RCMP can spy on your cellphone, court records reveal | Canadians want judicial oversight of any new digital snooping powers for police: Poll | RCMP boss Bob Paulson says force needs warrantless access to ISP user data | RCMP want new powers to bypass digital roadblocks in terrorism, major crime cases | Your cellphone password could hold the key in legal battle over collecting evidence | Canadians support police calls for more digital powers — with a catch: Toronto Star/CBC poll | Top Mountie lobbying PM for greater digital surveillance powers | Top-secret RCMP files show digital roadblocks thwarting criminal investigations in Canada]

CA – Canadians Want Judicial Oversight of New Digital Snooping Powers for Police: Poll

A CBC News/Toronto Star survey finds many willing to sacrifice some privacy under certain conditions Nearly half of the respondents to an Abacus Data survey of 2,500 Canadians agreed that citizens should have a right to complete digital privacy. But many appeared to change their mind when asked if an individual suspected of committing a serious crime should have the same right to keep their identity hidden from police. Respondents were evenly split on whether police should be able to demand suspects or witnesses hand over passwords or codes to unlock devices and encrypted data. But support for granting police this authority increased to 77% if a judge is required to first approve a warrant. Less than half of respondents agreed communications providers should be forced to keep text, email, phone and internet records for two years to assist potential criminal investigations. But support jumped to 66% if access to the stored information is protected and police would need a judge’s order before accessing a suspect’s records. Opposition was strongest to the third proposed new power for police: access to basic subscriber information (such as a user’s name and IP address) without authorization from a judge. Most respondents (78%) said police should need judicial approval to ask a communications company for a person’s basic digital identity, and only 35% said they’d support a system where a senior police officer or prosecutor could sign off. The survey, conducted on behalf of CBC News and the Toronto Star, asked Canadians about their views on three specific proposals to expand police powers, which are raised in a federal discussion paper that’s part of a review of Canada’s Anti-Terrorism Act. [Toronto Star | RCMP boss Bob Paulson says force needs warrantless access to ISP user data RCMP want new powers to bypass digital roadblocks in terrorism, major crime cases | Top Mountie lobbying PM for greater digital surveillance powers | Top-secret RCMP files show digital roadblocks thwarting criminal investigations in Canada | The RCMP Is Using the Media to ‘Create Moral Panic’ About Encryption | Canadians support police calls for more digital powers — with a catch

CA – Commercial Drone Operators Violating Privacy Could Face Criminal Charges

A law firm examines the current state of drones (“UAVs”) in Canada. Drones with cameras raise privacy concerns among the general public; PIPEDA’s consent obligation likely applies to drone footage, and there are criminal code provisions related to covert video surveillance, voyeurism and interception of private communications. Aeronautics fall under federal jurisdiction, but municipalities are starting to regulate the recreational use of drones in public areas (e.g. one B.C. municipality has banned drone flights in city parks and on school grounds). [Canadian Skies Abuzz – The Regulation of Drones and UAVs in Canadian Airspace – Kirsten R. Embree, Partner, and Jawaid Panjwani, Associate, Dentons]

Online Privacy

US – Civil Rights Leaders Fear BPD’s Social Media Tracking Will Target Blacks

Civil rights groups say they want answers from Boston police on how the department will use its $1.4 million social media tracking system — citing fears that it will broadly target young blacks and try to link them to gang activity. The concern is that police efforts to take down violent gangs — with predominantly minority membership — could mean an overly intensive focus on social media use by black youths, including both those who have nothing to do with gangs, and those who may have relationships with gang members but aren’t involved in crime. Advocates say they want police to reveal the search criteria for tracking Facebook and Twitter accounts, and report on the race and locations of people investigated or prosecuted via social media posts. BPD is due to award a $1.4 million contract by Dec. 5 for a system to “proactively alert personnel to threats communicated via social media and/or online open source and/or social media platforms.” [Boston Herald | Council seeks clarity from police on just ‘who is being monitored’ | McGovern: Constitutional dangers lurk in tracking of social media | Boston police set to buy social media monitoring software]

WW – Tor Project Creates Android Smartphone Prototype

The Tor Project has created a prototype of its Tor-enabled Android smartphone. The phone runs the Android firewall, OrWall, to protect user privacy by routing traffic over Tor, while blocking other forms of traffic. Tor developer Mike Perry said, “The prototype is meant to show a possible direction for Tor on mobile,” Perry wrote in a blog post. “We are trying to demonstrate that it is possible to build a phone that respects user choice and freedom, vastly reduces vulnerability surface, and sets a direction for the ecosystem with respect to how to meet the needs of high-security users.” [Ars Technica]

WW – Firefox Focus Browser for iOS is All About Privacy

Mozilla has launched a new browser for iOS. Firefox Focus aims to protect users’ privacy. It blocks ad trackers, analytics trackers, and social trackers by default. All records of a browsing session can be deleted with one tap. [v3.co.uk | TechCrunch.com]

US –FTC Report Covers Rise of App-Based ‘Sharing Economy’ Platforms

The FTC released a new report detailing the rise of internet and app-based “sharing economy” platforms. The study, titled “The ‘Sharing’ Economy: Issues Facing Platforms, Participants, and Regulators,” addresses concerns from state and local regulators and stakeholders worried the sharing economy platforms give new entrants the opportunity to avoid regulations designed to safeguard consumers and promote public safety. “This report provides fresh insights about ‘sharing economy’ platforms that continue to disrupt traditional industries,” said FTC Chairwoman Edith Ramirez. “It is important to allow competition and innovation to continue to flourish, while at the same time ensuring that consumers using these online and app-enabled platforms are adequately protected.” [FTC] [Hogan Lovells Summary]

Privacy (US)

US – IoT Security Takes Center Stage at FBI, DHS, NIST and Congress

In light of recent attacks, there has been an increased focus on IoT security at the FBI, the U.S. Department of Homeland and Security (DHS), the National Institute of Standards and Technology (NIST) and Capitol Hill. [Privacy and CyberSecurity Law | FBI Notification | DHS guidance | NIST guidance | A video of the hearing can be found here | White House and Homeland Security Publish Cybersecurity Guidelines for IoT Devices | NIST unveils Internet of Things cybersecurity guidance | DHS Release Principles For Securing Internet Of Things Amid Expanding Cyber Attack Vectors | Ambassador Sepulveda Urges Technology Industry to Ensure the Security and Interoperability of the Internet of Things | Online Trust Alliance Releases Privacy and Security Checklist for IoT Consumers | NIST scientists ‘nervous’ about lightweight crypto for IoT

US – California AG Guidance for the Ed Tech Industry: 6 Recommendations to Protect Student Data Privacy

Just before the election, California Attorney General Kamala Harris provided a document laying out guidance for those providing education technology (“Ed Tech”). “Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data“ provides practical direction that operators of websites and online services of a site or service used for K-12 purposes can use to implement best practices for their business models. Given the size of the California market, any guidance issued by the California Attorney General’s office should be carefully considered and reviewed. Ed Tech, per the Recommendations, comes in three categories: (1) administrative management systems and tools, such as cloud services that store student data; (2) instructional support, including testing and assessment; (3) content, including curriculum and resources such as websites and mobile apps. The Recommendations recognize the important role that educational technology plays in classrooms by citing the Software & Information Industry Association; the U.S. Market for PreK-12 Ed Tech was estimated at $8.38 billion in 2015. The data that may be gathered by through Ed Tech systems and services can be extremely sensitive, including medical histories, social and emotional assessments and test results. However, according to the Recommendations, federal laws “are widely viewed as having been significantly outdated by new technology.” Attorney General Harris’ office provided six recommendations for Ed Tech providers, especially those that provide services in the pre-kindergarten to twelfth grade space.

  1. Data Collection and Retention: Minimization is the Goal
  2. Data Use: Keep it Educational
  3. Data Disclosure: Make Protections Stick
  4. Individual Control: Respect Users’ Rights
  5. Data Security: Implement Reasonable and Appropriate Safeguards
  6. Transparency: Provide a Meaningful Privacy Policy [Privacy and Security Matters]


CA – Carleton University Recovering from Ransomware Attack

The university said it has made progress on restoring IT services after detecting “an attempt by an external group or individual to hack into the IT network.” However, it isn’t known how many PCs or servers were infected. At one point the university warned the community through its Web site that “any system accessible from the main network, that is Windows based, may have been compromised.” With their large student bodies and valuable research databases, universities are tempting targets. Some students — and universities — are willing to pay up to not have work on their computers unreachable. Earlier this year the University of Calgary paid $20,000 for decryption keys after some 100 PCs ir servers were hit by the malware. It isn’t clear, though, if the university had to use the keys or was able to recover the data either from backups or other ways. [IT World Canada]

US – Guidance for Defending and Responding to Ransomware Attacks

On November 10, 2016, the United States Federal Trade Commission issued basic ransomware guidance (How to defend against ransomware and Ransomware – A closer look) and an accompanying video (Defend against Ransomware) to help consumers and businesses defend against and prepare to respond to ransomware attacks. The FTC’s guidance cautions against paying a ransom, but acknowledges that a ransom payment might be necessary in some circumstances. The FTC’s guidance is consistent with other guidance from Canadian and United States regulators An organization should prepare to respond to a ransomware attack by establishing and testing a detailed incident response plan that will enable the organization to make important technical, business and legal decisions in a timely manner. Those legal decisions may include whether the organization should give notice of the ransomware attack to regulators (e.g. privacy commissioners), affected individuals (e.g. customers), other organizations (e.g. business partners), stakeholders (e.g. shareholders and investors) and insurers. In many circumstances, an organization might have a legal obligation (under statute, generally applicable common or civil law or contract) to give notice of a ransomware attack. In addition, there might be important business reasons to give notice of a ransomware attack even if there is no legal obligation to do so. [BLG] FTC Announces New Guidance on Ransomware

WW – Ransomware May Target ‘Smart Cities,’ Autonomous Cars

A ransomware attack recently hit the San Francisco transport agency, and the attackers asked for $70,000 to unlock the systems. The agency cleared its systems, but we may see many more attacks on public “smart” systems that use outdated or unpatched operating systems and firmware. Ransomware attacks have kept climbing over the past few years. Soon, ransomware may even target autonomous cars and other smart city systems as they become more commonplace. Right now, the biggest threat of insecure Internet of Things devices is that botnets can take them over and then use them in massive distributed denial of service (DDoS) attacks against large companies or organizations. However, ransomware could leverage the same vulnerabilities as well, especially if attacking them could lead to a whole city infrastructure being locked-down Cities are starting to adopt IoT devices [to] power transportation systems, information systems, power plants, water and electricity supply networks, law enforcement, and so on. Once these systems use insecure IoT devices that aren’t well supported, they can become easy targets for ransomware and other types of attacks, which could then create major disruptions in cities. [Source | Warding off the blues of ransomware | 12 Keys For a Ransomware Game Plan | Why it’s time to take new strategies for beating ransomware | [San Francisco Rail System Hacker Hacked | SF Gate: Hacked Muni Refused $73,000 Ransom Demand; Computers Restored | SF Examiner: Alleged Muni ‘Hacker’ Demands $73,000 Ransom, Some Computers in Stations Restored | Info Mgmt News: Healthcare Is Prime Target of Gatak Trojan Malware]

WW – Are Images on Facebook Spreading Ransomware onto Devices?

Check Point researchers claim to have found a Locky ransomware variant doing the rounds on social media, using a unique mode of attack. However, Facebook denies that images on its service are hosting this ransomware [saying in a] statement: “This analysis is incorrect. There is no connection to Locky or any other ransomware, and this is not appearing on Messenger or Facebook. We investigated these reports and discovered there were several bad Chrome extensions, which we have been blocking for nearly a week. We also reported the bad browser extensions to the appropriate parties.” [Silicon Republic]

Smart Cars / IoT

US – NIST Issues Internet of Things (IoT) Guidance

After four years of research and collaboration with stakeholders, the National Institute of Standards and Technology recently released its final version of Special Publication 800-160 to provide much-needed guidance for securing IoT devices and systems throughout their entire life cycle. Special Publication 800-160 emphasizes the vulnerability of devices that rely on post-manufacture features such as firewalls, encryption and systems monitoring to ward off evolving and sophisticated cyber threats. Instead, the NIST encourages commercial and government technology developers to focus on simplifying design architecture and building out functional capability to counter threats, mitigate damage, and recover quickly from successful attacks. The guidance highlights engineering-based solutions and includes a range of technical standards and security principles to consider over the full life cycle of a product or system, including the development phase, upgrades and maintenance, and during retirement. This life cycle approach is intended to ensure that the IoT remains secure and that intellectual property and consumer personal data are also protected [Privacy and Security Matters |Internet of Things (IoT) Security Takes Center Stage At FBI, DHS, NIST and Congress | White House and Homeland Security Publish Cybersecurity Guidelines for IoT Devices | NIST unveils Internet of Things cybersecurity guidance | DHS Release Principles For Securing Internet Of Things Amid Expanding Cyber Attack Vectors | Ambassador Sepulveda Urges Technology Industry to Ensure the Security and Interoperability of the Internet of Things | Online Trust Alliance Releases Privacy and Security Checklist for IoT Consumers | NIST scientists ‘nervous’ about lightweight crypto for IoT]

US – Experts Testify Before Congress About IoT Security

Experts told the US House Committee on Energy and Commerce that action must be taken to secure the Internet of Things (IoT). Among the ideas raised were consequences for manufacturers that release products with inadequate security; a federally-funded IoT testing laboratory; and a new federal agency focused on cybersecurity. The committee hearing was a post-mortem of the distributed denial-of-service (DDoS) attack against Dyn last month that caused a number of popular websites to experience temporary outages. [Computerworld | Darkreading | The Register |-The Hill]

US – Google, Other Tech Giants Outline Ways to Improve IoT Security

Broadband Internet Technical Advisory Group (BITAG) laid out its recommendations for a rapidly growing industry within the world of online communication: the Internet of Things. BITAG recommends a handful of security standards for IoT devices, including timely, automated and secure software updates, password protection, and increased testing of customization options. The group also suggests implementing encryption best practices, plus the ability for these devices, particularly home alarm systems, to function if internet connectivity or the cloud fails. BITAG even wants to establish an industry cybersecurity program that includes a seal for certified “secure” devices. [ BITAG | EnGadget | Internet of Things (IoT) Security Takes Center Stage At FBI, DHS, NIST and Congress | White House and Homeland Security Publish Cybersecurity Guidelines for IoT Devices | NIST unveils Internet of Things cybersecurity guidance | DHS Release Principles For Securing Internet Of Things Amid Expanding Cyber Attack Vectors | Online Trust Alliance Releases Privacy and Security Checklist for IoT Consumers

US – Lyft Seeks Explicit Consumer Data Protection from NHTSA on Autonomous Vehicles

Lyft has released its extended comments on the National Highway Traffic and Safety Administration’s guidelines on autonomous driving. While Lyft agreed with the NHTSA policy in several areas, the ride-hailing company’s primary complaint stems from the agency’s lack of data collection guarantees. Lyft claims the guidelines do not explicitly state the NHTSA is not interested in collecting consumer data, such as names, phone numbers, credit card info and usage data. “Ultimately, Lyft believes that assuring the public that the data the federal government is seeking on such vehicles is limited to maintaining the safety of the vehicle is key to gaining public acceptance. A belief that “big government” will be sifting through PII and collecting consumer ride history will erode public trust and inhibit public acceptance and adoption of this transformational technology,” the company said in its letter to the NHTSA. [TechCrunch]

US – CDT: NHTSA Should Take Lead in Smart Car Privacy, Security Regs

In a post for the Center for Democracy and Technology, CDT Policy Counsel Joseph Jerome discusses what roles agencies should take in creating privacy and cybersecurity regulations in smart cars. The National Highway Traffic Safety Administration should take the lead in regulating autonomous vehicles, he argues. It has sent mixed signals about whether privacy and cybersecurity are safety priorities and has been even less transparent on how it views driver privacy. “NHTSA must address important privacy considerations regarding driver data, such as when and how to de-identify data, enacting data minimization, and setting data retention limits,” Jerome contends. He also said the Federal Trade Commission should play a secondary role, ensuring it monitors any unfair or deceptive business practices with implementation of security measures, while the Federal Communications Commission should establish privacy and security standards in communication technologies used in autonomous cars. [CDT]


WW – Twitter to Crack Down on Third-Party Surveillance

Twitter announced in a blog post that it will “take on expanded enforcement and compliance efforts” to quell third-party surveillance and misuse of data on its site. “The post is likely to reassure Twitter users and civil liberties groups who are concerned about the use of social media as a surveillance tool” in the wake of reports that third parties use Twitter’s stream of real time data to identify protesters and others, then market their surveillance tools to law enforcement and authoritarian regimes. Twitter has already cut off “firehose” access to some of those companies. In response to questions about recent news of the FBI’s use of Dataminr, a Twitter representative said, “A narrowly tailored news alert product is available to some first responders, like the FBI.” [Fortune]

CA – CSIS Admits Reporters May Have Been Under Surveillance in the Past

A senior CSIS official admitted Monday the spy agency may have spied on the communications of Canadian journalists in the past. The admission comes weeks after Quebeckers were shocked to learn Montreal city police and Quebec provincial police had tracked communications of several high-profile columnists and investigative journalists in that province in attempts to find suspected leaks of information by police sources. It runs contrary to assurances offered by Prime Minister Justin Trudeau, Public Safety Minister Ralph Goodale, RCMP Commissioner Bob Paulson, and the country’s top spook, CSIS director Michel Coulombe, that federal agencies do not target journalists’ communications. [The Star]

CA – Govt Surveillance Overshadows Free Speech for Canadian Journalists

Mass surveillance causes reporters to avoid writing or speaking about some topics, according to a recent survey of journalists by Ryerson’s Centre for Free Expression (CFE). The survey, published Nov. 14, was prepared by Turk. A total of 129 Canadian writers and journalists volunteered to complete the survey between May 27 and June 20. Over 80% of respondents reported they were concerned about government surveillance of their communications and more than 90 per cent said they were concerned with government collection and analysis of metadata. The Eyeopener Read the survey: Chilling Free Expression in Canada: Canadian Writers’ and Journalists’ Views on Mass Surveillance | Canadian journalists push for ‘shield law’ to protect sources | ‘We were a bit naive’ about police surveillance, journalist panel says | Canadian police spied on reporters, raising questions of press freedom | Quebec must uphold freedom of the press | Why spying on the press damages our democracy

US Legislation

US – Privacy Developments

Workplace Privacy

US – Law Prohibits Employers from Forcing Employees to Use Social Media

Illinois employers may be punished for violating state law starting next year if they coerce employees to use their own social media accounts to boost their company’s social media presence. The newly amended Right to Privacy in the Workplace Act makes it illegal for companies to ask or require employees to use personal social media profiles to join their employer’s online accounts. Rulings by the National Labor Relations Board state employers cannot restrict what employees post on their own accounts. “Employers cannot restrain the type of information an employee can post in their own personal online account, according to the NLRB,” Faegre Baker Daniels associate Sylvia B. St. Clair said. “And, as of Jan. 1, 2017, employers cannot request to access an employee’s personal online account or require an employee to authenticate their personal online account pursuant to this act.” [Cook County Record]

US – Privacy Debate Over Employee Wellness Programs Continues

The debate surrounding employee wellness programs and the corresponding privacy trade-off continues. More workplaces are requesting employees’ medical history details for wellness programs, offering cash incentives and insurance premium savings for participating. “Employees are giving up some aspect of their privacy and their personal health information,” Georgetown University Health Policy Institute Assistant Professor Dania Palanker said, adding some workers question “whether their privacy is worth the amount of money that is at stake.” Some health care professionals believe the fears associated with sharing medical information are overblown. “The allegation that somehow you’ve given your health information or your spouse’s health information to your boss and they’re going to use that against you, it’s just to scare people, it’s not real,” said Erisa Industry Committee Senior Vice President of Health Policy James Gelfand. [CNBC]

CA – OPC Commissioner Finds Company’s Disclosure of Employee’s Drug Test Results was Unnecessary

The Office of the Privacy Commissioner of Canada reviewed a complaint of inappropriate disclosure of an individual’s personal information by their employer, an international trucking company. The company disclosed the individual’s drug test results to the worker’s compensation board without his knowledge or consent (the individual had an active claim with the board following a workplace accident); although the drug test results were collected to fulfill the company’s substance abuse policy requirement, disclosure to the board for his claim and return to work process was not necessary to process his claim, and required his consent. [OPC Canada – PIPEDA Case Summary 2016-009 – Trucking Company Inappropriately Disclosed Employee Drug Test Results to WCB]




Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: