28 Nov —09 Dec 2016


QW – Blippar Introduces Facial Recognition Smartphone App

New software from augmented-reality app Blippar will allow customers to use facial recognition technology on their smartphones. The app allows users to scan an individual’s face in print, on TV, or in real life, then learn their names and other information. “Augmented Reality Face Profiles will change the way we communicate and express ourselves,” said Blippar, Co-Founder and CEO Ambarish Mitra. “Our face is our most expressive form of communication and with this release we are allowing this to become digital for the first time.” Blippar has created a database with 70,000 public figures, but privacy concerns may arise, as users can upload people’s faces without consent. In other news, facial recognition startup Megvii Inc. has received $100 million from investors to improve its technology, while L.A. Tan Enterprises agreed to pay $1.5 million to settle a class-action lawsuit under the Illinois Biometric Information Privacy Act. [Newsweek]

Big Data

CA – Naborly Screenings Compiles 500 Data Points to Assess Renter Credibility

Naborly Inc.’s digital screening solution allowing landlords to examine 500 data points to determine a renter’s credibility. Naborly compiles information from a potential renter’s social media accounts, phone records, and criminal records to assign a score for their “chance of success” as a tenant. “It’s not just trying to gather dirt on you or gather information,” said Naborly Inc. CEO Dylan Lenz. “It basically explains where the risk is. What is the likelihood of a person being late on rent payment, causing property damage, being evicted, jumping out of the lease early?” Privacy concerns with the service have emerged. “The extent of it makes me nervous,” said former Ontario Information and Privacy Commissioner Ann Cavoukian. “I understand why you would want to assure that the person renting the property is solid and reliable, but this company is collecting a ton of very sensitive personal information.” [CTV News | Report landlords who break privacy rules, urges BC agency | Waterloo changes rental bylaw after privacy complaint | Company scraps ‘bad tenant list’ after privacy commissioner upholds complaint ]

WW – IBM’s Watson Beta to Help Fight Cybercrime

Forty companies have been named to take part in IBM’s Watson for Cyber Security beta. The cognitive computing technology will be used to address computer and network security issues. IBM began training Watson in the fundamentals of cybersecurity months ago. Watson is intended not to replace humans, but to help people identify cybersecurity threats. [Wired.com | ZDnet.com | eWeek.com | v3.co.uk]


CA – Privacy Commissioners Urge More Privacy in National Security Policy

All of Canada’s federal, provincial and territorial privacy commissioners have urged the federal government to make privacy a fundamental piece of the country’s national security policy. The commissioners have signed a formal joint submission to the Trudeau government’s security review to address key privacy-related issues, including information sharing, encryption and the collection and use of metadata by national security agencies and law enforcement. Ontario Information and Privacy Commissioner Brian Beamish and Jean Chartier of Quebec appeared Tuesday in Ottawa to discuss the submission. In a press release, Privacy Commissioner of Canada Daniel Therrien said, “In my view, this is not the time to further expand state powers and reduce individual rights. Rather, it is time to enhance both legal standards and oversight to ensure that we do not repeat past mistakes and that we ultimately achieve real balance between security and respect for basic individual rights.” [Times Colonist]

CA – Don’t Repeat Past Mistakes, Privacy Commissioner Warns

Commissioner Therrien and his provincial and territorial counterparts are stressing the need to address privacy risks related to information sharing and collection of metadata; raising concerns about government proposals on police access to basic subscriber data and encrypted communications The importance of strengthening privacy protections is highlighted in a formal submission to the government’s public consultation on Canada’s national security framework signed by Commissioner Daniel Therrien and all provincial and territorial privacy commissioners and ombudspersons. Commissioner Therrien was joined by Jean Chartier, President of the Commission d’accès à l’information du Québec and Brian Beamish, Ontario Information and Privacy Commissioner, at a press conference to unveil and discuss the submission. “In my view, this is not the time to further expand state powers and reduce individual rights. Rather, it is time to enhance both legal standards and oversight to ensure that we do not repeat past mistakes and that we ultimately achieve real balance between security and respect for basic individual rights,” says Commissioner Therrien. [Office of the Privacy Commissioner of Canada News release | Backgrounder: Privacy and Canada’s national security framework | Submission to the Consultation on Canada’s National Security Framework | Statement]

CA – Goodale Keeps Door Open to CSIS Use of Metadata from Innocent People

The federal public safety minister is keeping the door open to the idea of Canada’s spy agency crunching potentially sensitive data about innocent people. Ralph Goodale told MPs at a House of Commons committee he is weighing views on whether the CSIS should be allowed to retain and use such information. Last month Federal Court Justice Simon Noel said CSIS violated the law by keeping electronic data about people who were not actually under investigation. The court ruling means metadata can be kept and used by CSIS only if it relates to a specific threat to Canadian security or if it is of use to an investigation, prosecution, national defence or foreign affairs. NDP public safety critic Matthew Dube expressed concern. “So you’re not closing the door, then, Because to me it seems that if the Federal Court has deemed this illegal, then the answers should be clear.” Conservative public safety critic Tony Clement wondered why CSIS was keeping the data in question at all. [National News Watch | Don’t repeat past mistakes, Privacy Commissioner warns as government reviews national security framework | Spies should not be allowed to keep innocent people’s data, privacy czars say | Former Ontario privacy commissioner wants CSIS metadata deleted | Federal security review to examine CSIS powers in the digital age, Goodale says | What you need to know about the CSIS metadata ruling | In scathing ruling, Federal Court says CSIS bulk data collection illegal | CSIS, Bill C-51 and Canada’s growing metadata collection mess | ‘Difficult to determine’ scope of privacy breach in Five Eyes data sharing

CA – OPCC to Investigate Electoral Reform Survey

The Office of the Privacy Commissioner of Canada will investigate the government’s new electoral reform online survey after privacy concerns were raised. In order for respondents to have their views on electoral reform included in the MyDemocracy.ca survey, they need to disclose information such as gender, age, occupation, combined household income, level of interest in politics, and whether they identify as a specific minority group. “I just think it’s inappropriate in the context of a government consultation to link disclosure of so much demographic information to participation in a consultation,” Ottawa University’s Michael Geist said. A spokeswoman for Privacy Commissioner Daniel Therrien said the office has yet to look into the details of the survey, and his office could not comment. [Toronto Sun] Canada’s Supreme Court offers guidance for the interpretation of the Personal Information Protection and Electronic Documents Act in its Royal Bank of Canada v. Trang ruling.

CA – Alberta Justice Hires Ontario Lawyer to Represent Ministry in FOIP Investigation

Toronto lawyer Murray Segal has been hired to represent Alberta Justice as it faces an investigation into whether the ministry wilfully tried to mislead or obstruct the province’s freedom of information commissioner, or altered or falsified a record to evade FOIP requests. Jill Clayton, Alberta’s freedom of information commissioner, ordered the investigation in October based on a recommendation from former Nova Scotia FOIP commissioner Dulcie McCallum. McCallum is adjudicating an inquiry into how Alberta Justice processed FOIP requests from CBC News and lawyers for the tobacco industry. The requests related to the Alberta government’s ongoing lawsuit against the tobacco industry and its choice of a legal consortium to conduct the litigation. At the time Clayton ordered the investigation, she also requested a special outside prosecutor to avoid a conflict of interest with Alberta Justice. Justice Minister Kathleen Ganley, in another emailed statement, said she asked Ontario to select a special prosecutor and the Ontario Attorney General’s office has identified Mabel Lai to act as counsel for the matter. This is the second investigation of Alberta Justice this year. In September, Clayton ordered an investigation into chronic delays in the ministry’s processing of FOIP requests. [CBC | FOIP commissioner orders investigation of Alberta Justice | Alberta Justice criticized for disrespecting freedom of information commissioner | Waits for access to information get longer in Alberta, report finds | Access to information in Alberta nearing ‘crisis situation,’ FOIP commissioner says ]

CA – OIPC NU Audit Reveals Hospital Needs Improvement

Nunavut’s Information and Privacy Commissioner has stated a lack of leadership at Qikiqtani General Hospital could put patient information at risk. A privacy audit was conducted at the territory’s only hospital. The audit discovered no individual was in charge of making sure staff adhere to privacy regulations, and the hospital has no system to track who is accessing patient data. “What is required is a strong privacy culture within the [Qikiqtani General Hospital] now,” the audit report stated. “Our audit revealed a somewhat confusing array of different ‘privacy’ policies and instruments not well understood by all staff.” The report offered 31 recommendations, including creating policies for faxing information and ensuring former employees cannot access electronic health records after they depart. [CBC News]

CA – Got a Secret? Copy Your Lawyer: Supreme Court Decision Most Recent Threat to Access to Information

A Supreme Court decision released late last month offers a safe haven for government secrets that threatens the basic right of individuals to access personal information about themselves. Sometimes, the government may refuse to disclose information because it is confidential, for example, it is a communication with a lawyer — or what is called “solicitor-client privilege.” A procedural check is in place to ensure that such claims of privilege are not improperly asserted by government. This check is the privacy commissioner’s office which reviews claims of privilege to ensure they are valid or warranted; when they are, the information is not released. Two weeks ago, the Supreme Court of Canada ruled on a case in which an employee involved in a wrongful dismissal action against the University of Calgary was refused information about herself on the basis of solicitor-client privilege. From a policy point of view, government secrets can now be shielded — unchecked — in the safe haven of lawyer files. The legislation must be amended to give the commissioner’s office the unqualified right to review claims of solicitor-client privilege. [Edmonton Journal | Supreme Court of Canada confirms robust protection of solicitor-client and litigation privilege | SCC decision reaffirms protection of solicitor-client privilege | Alberta privacy commissioner cannot compel production of records subject to solicitor-client privilege: Supreme Court | SCC deals blow to privacy commissioner powers – privilege reigns supreme | Alberta’s information and privacy commissioner loses Supreme Court case | Calgary Herald: Alberta Privacy Commissioner Loses Lack-of-Authority Appeal]

CA – OIPC NL Voices Concern Over Drone Harassment

Responding to a series of reports of harassment from drones with cameras, Information and Privacy Commissioner of Newfoundland and Labrador Donovan Molloy expressed his concern over the incidents, saying the drone use is “very troubling.” “We all have a right to our privacy, not to be harassed by others. It’s clear in our own province’s privacy act that if you do that, then you’re liable for damages to the person that you’re harassing.” The commissioner said using drones to spy on individuals could legally qualify as harassment. “The Criminal Code makes an offence of harassment if you’re besetting somebody — watching somebody, repeatedly — and if you are, you must intend to have done it or be reckless or willfully blind.” [CBC News]

CA – OIPC BC Warns Against Illicit Surveillance Camera Use

Following the investigation of a Lower Mainland medical clinic, British Columbia’s Acting Privacy Commissioner Drew McArthur is warning private businesses about illicitly installing video surveillance cameras. McArthur said the clinic likely violated British Columbia’s privacy laws by using the cameras, rejecting the clinic’s argument it implemented the cameras to protect itself against crime, improve security, and to monitor its employees. “The fundamental premise of our private-sector privacy legislation is you require the purpose for collection has to be reasonable for the circumstances,” McArthur said. “In this case, there’s no crime issue or threat-to- security issue, it’s just a medical clinic in a stand-alone location and they have not had a rash of crime or security issues. And so they don’t meet the threshold for reasonableness in terms of the collection of personal information. So where they are, they are over-collecting personal information.” [Vancouver Sun]


NZ – Study: Withholding Information from Social Services Has Adverse Effects

Methodist Mission Southern’s research, supported by the New Zealand Office of the Privacy Commissioner’s Privacy Good Research Fund, has found that not sharing information with social services can exacerbate situations of child abuse and family violence, the Office of the Privacy Commissioner reports. The study “looked at practitioner and organizational competency across a range of agencies relating to Principle 11: Limits on disclosure of personal information and Part 9A: Information sharing of the Privacy Act 1993.” It’s often necessary to share information in order to provide comprehensive and wraparound services for clients.” “The consequences of not sharing information can be significant, with a lack of information sharing a contributing factor in several high profile family violence and child abuse cases.” [Full Story]

CA – Liberal Party Can’t Use Emails Collected on Mydemocracy.ca for Fundraising, Government Says

The government says information collected by an online electoral reform consultation isn’t accessible to the Liberal Party, after an Ontario man alleged he started getting fundraising emails soon after completing the survey. Sean Fullerton, a database analyst in Kitchener, Ont., told the National Post he unsubscribed from Liberal emails more than a year ago, but started receiving them again almost immediately after entering his email address on MyDemocracy.ca, a website being used to gather opinion on democratic values. But both the government and Vox Pop Labs, the company that designed the site, deny email addresses are even being collected. Fullerton explained he found it “really, really odd” when Liberal fundraising emails started pouring into his email account within a few hours of completing the electoral reform consultation Monday. Fullerton insisted he didn’t engage in any other activity, or fill out any other forms, that could’ve caused him to start receiving emails again. That’s why he found it “suspicious.” He plans to make a formal complaint against the Liberal Party for going against anti-spam legislation by sending him emails he doesn’t want to receive. Canada’s privacy czar is looking into the electoral reform survey, but hasn’t said if and when a formal investigation will be conducted. [Vancouver Sun | Liberals’ Electoral Reform Survey A Personal Privacy Nightmare | Your electoral reform survey won’t count if you don’t tell them how much you make | Privacy watchdog to look at electoral reform survey amid privacy concerns | No privacy risks in online electoral reform consultation: Monsef | See also: Liberals’ Electoral Reform Survey A Personal Privacy Nightmare | Your electoral reform survey won’t count if you don’t tell them how much you make | Privacy watchdog to look at electoral reform survey amid privacy concerns | No privacy risks in online electoral reform consultation: Monsef | Privacy watchdog to look at electoral reform survey amid privacy concerns]


US – Encryption App Use Rises 400% After Trump Win

After the recent presidential election of Donald Trump, encrypted communications app Signal, which employs end-to-end encryption, has seen a 400% increase in daily downloads. Moxie Marlinspike, the founder of the company behind Signal, said, “There has never been a single event that has resulted in this kind of sustained, day-over-day increase… Trump is about to be put in control of the most pervasive, largest, and least accountable surveillance infrastructure in the world. People are maybe a bit uncomfortable with him.” [BuzzFeed News]

EU Developments

UK – ICO Fines Charities for ‘Wealth Screening’

An Information Commissioner’s Office investigation has found that the Royal Society for the Prevention of Cruelty to Animals and the British Heart Foundation violated the Data Protection Act by screening donors for wealth in an effort to increase their donations. “The charities also traced and targeted new or lapsed donors by piecing together personal information obtained from other sources.” “And they traded personal details with other charities creating a massive pool of donor data for sale. Donors were not informed of these practices, and so were unable to consent or object.” Information Commissioner Elizabeth Denham fined the RSPCA 25,000 GBP and BHF 18,000 GBP. “This widespread disregard for people’s privacy will be a concern to donors, but so will the thought that the contributions people have made to good causes could now be used to pay a regulator’s fine for their charity’s misuse of personal information,” she added. [ICO.uk]

EU – Under German Law, Some Wearables, Apps Not Up to Data Privacy Snuff

The German Commissioner for Data Protection and Freedom of Information has warned fitness app and wearables developers that many of their practices do not meet legal requirements. An agency study, testing an array of unnamed devices, found “many of the products fail to adequately protect user data,” the report states. “In many cases, privacy statements concerning wearables are overly long, difficult to understand, insufficiently detailed and often not available in German.” “In many cases, health data was processed by external third parties, putting user privacy at risk. While some manufacturers alert users to the potential for data sharing with third parties, users often do not know who these third parties are or how to lodge an objection.” [Telecompaper]

EU – Current Privacy News

Facts & Stats

WW – Experian Releases Fourth Annual ‘Data Breach Resolution’ Report

For the fourth straight year, Experian has released its forecast for the data breach industry for the upcoming year. The “2017 Experian Data Breach Resolution” highlights five predictions for the industry, including the death of the password, the prospects of a cyberwar, more sophisticated attacks on the health care industry, the shift for cybercriminals to focus on payment-based attacks, and the likelihood of international breaches for multinational companies. “As our fourth annual edition, this data breach industry forecast report hopes to shed light on emerging trends companies should know about and prepare for. The industry predictions included here are rooted in Experian’s history helping companies navigate more than 17,000 breaches over the last decade,” the Experian announcement states. [Experian]


WW – Study: Marginalized Groups More Likely to Self-Censor Online

A Data & Society Research Institute and the Center for Innovative Public Health Research report found women, LGBTQ individuals, and people of color are more likely to self-censor their online activity due to fear of harassment. The “Online Harassment, Digital Abuse, and Cyberstalking in America“ report discovered 47% of Americans have experienced online harassment and abuse. While men and women are equally likely to face abuse online, women experience a wider variety of serious online harassment, including cyberstalking and doxing. The study reveals young women, LGB people, and people of color are less likely to contribute online out of fear of suffering some form of attack, while men feel less vulnerable online, and are less likely to report any form of abuse as harassment. [Quartz]

WW – Study Examines Privacy Law, ‘Newsworthiness’ and Algorithms Influence

Georgetown University associate professor of legal research Erin Carroll has released a paper studying newsworthiness, algorithms and how they apply to privacy law. “Given the dominance of platforms like Facebook, the related influence of algorithms on how news is made, and specifically how algorithms are beginning to supplant editorial discretion and the editorial process, courts need to rethink their rationales for deference to the press,” Carroll writes. “In the realm of privacy law, courts have long trusted the Fourth Estate to vet the newsworthiness of a subject before publishing, so that the courts themselves did not have to. Today, that trust is becoming misplaced.” [Wall Street Journal]


CA – OIPC SK Issues Guidance on Retention of Transitory Records

The Office of the Saskatchewan Information and Privacy Commissioner has issued guidance on transitory records and freedom of information requests, pursuant to: the Freedom of Information and Protection of Privacy Act; and the Local Authority Freedom of Information and Protection of Privacy Act. Transitory records are exact copies of official records made for convenience of reference (such as to complete a routine task or prepare an ongoing document), and can come in any format (including post it notes, handwritten notes, emails, and texts); records should be destroyed in accordance with internal disposal procedures one year after a response to an applicant, or in the case of convenience copies, the official record has been identified [OIPC SK – Transitory Records and Access-to-Information Requests]

CA – OIPC Yukon Finds Disclosure of Individual’s Telephone Number Would Be an Invasion of Privacy

The Information and Privacy Commissioner in Yukon reviewed a decision by the Department of Justice to deny access to information requested, pursuant to the Access to Information and Protection of Privacy Act. The telephone number of a property bidder was not provided in the individual’s bid (suggesting they did not intend for it to be publicly disclosed), was handwritten on a piece of paper below the bidder’s name (to be contacted about changes in court dates), and the number was not intentionally provided in the public bid of the property. [IPC YK – Inquiry Report ATP15-037AR – Department of Justice]

CA – OIPC NL: Public Bodies Bear Burden of Proof When Relying on Extraordinary Circumstances Exception

The Office of the Information and Privacy Commissioner of Newfoundland and Labrador provides guidance to public bodies on the use of section 24 of the Access to Information and Protection of Privacy Act. Parties seeking to establish extraordinary circumstances (such as natural disasters, labour disputes, or disruptions of postal service or power services) should present to the OIPC evidence that events were external to the party, unanticipated, and beyond the party’s control (such that exercising due diligence would not have avoided the impact of the event); the time to make an application for an extraordinary circumstances exception does not suspend the time period for responding to an applicant. [OIPC NFLD – Section 24 – Extraordinary Circumstances]


US – InsideDNA’s Genome-Scouring Uses Health Data, Faces Privacy Concerns

Bioinformatics startup InsideDNA is looking to discover the best “drug interaction” for patients. It does this by “using data to look for an association between genes and diseases and then checking if proteins produced by those genes associated with a disease are suitable drug targets.” Health data fuels these connections. While the startup faces myriad critics’ concerns, one of the biggest is privacy. “Patients need to voluntarily offer their DNA data.” “However, accurate diagnoses would rely on a vast and diverse repository of genetic information.” InsideDNA says its more worried about a bigger challenge: “establishing credibility in the biopharma world.” [TechCrunch | See also: Canada’s Genetic Non-Discrimination Act is headed back to the Senate due to the passing of an accompanying clause aimed at protecting the intent of the bill.]

Health / Medical

US – OCR to Conduct More On-Site Hospital Audits in 2017

The Department of Health and Human Services’ Office for Civil Rights will conduct more on-site audits of hospitals in 2017. OCR Senior Advisor Linda Sanches said the agency is currently conducting more than 200 audits with HIPAA-covered entities, with 167 focused on examining providers. Sanches said the audits are designed to discover the risks and vulnerabilities the government is currently unaware of, and would not be able to learn about through filed complaints. “We’re looking for evidence that you are implementing the policies and procedures… Two huge problems we’re seeing are implementation of risk analysis and risk management.” UPMC Vice President and Associate Counsel John Houston voiced concerns about the OCR’s demands. “We do a lot of stuff we consider to be a risk assessment but there’s not clarity on what that really means from OCR’s perspective.” [Healthcare IT News]

CA – Saskatchewan Nurse Disciplined for Social Media Comments

A Saskatchewan nurse was found guilty of professional misconduct after using social media to voice her concerns over a family member’s care. The Saskatchewan Registered Nurses Association ruled Carolyn Strom acted illicitly when she posted on Facebook and Twitter about the staff at St. Joseph’s Health Facility in Macklin, Saskatchewan. Strom is not a nurse at the facility, but staff members at St. Joseph’s filed a complaint regarding Strom’s remarks. The committee ruled Strom’s comments were not protected by free speech, as she identified herself as a registered nurse in the comments. While the committee stated Strom did not act out of malice with her comments, she is still required to conduct herself professionally on social media. [CBC News]

CA – BC Lower Mainland Clinic Scolded for Excessive Surveillance of Patients

BC’s Information and privacy Commissioner is asking a Lower Mainland clinic to immediately stop collecting audio and video surveillance of clients. Acting commissioner Drew McArthur investigated the un-named medical clinic after complaints were brought forward to his office in June. Auditors examined the organization’s use of video and audio surveillance in its lobby, hallways, back exits, and fitness room. The main finding from the privacy commissioner is that the clinic is not authorized to collect personal information through video and audio surveillance. Both B.C.’s privacy commissioner and the privacy commissioner of Canada view video surveillance as highly invasive. Private sector privacy laws require that organizations collect as little information as is reasonable for business purposes. [CBC.ca | Medical clinic collects too much personal info through surveillance: B.C. audit]

Horror Stories

HK – Mobile Apps Leak ‘Billions’ of Users’ Phone Numbers, Including Hong Kong’s Chief Executive

A breach of mobile apps CM Security, Truecaller and Sync.ME leaked the phone numbers of billions of users, including Hong Kong Chief Executive Leung Chun-ying and the Chief Secretary for Administration Carrie Lam Cheng Yuet-ngor. “Users of the apps can trace the names of billions of number holders by inputting their digits into a ‘reverse look-up feature,’” the report states. “Contact details for more than 60 out of 70 sitting lawmakers were available across CM Security and Truecaller.” Additionally, Chinese University’s Stuart Hargreaves said the apps’ violated two privacy laws under the Hong Kong’s Personal Data Privacy Ordinance, as it was “unlikely users would seek permission from every individual in their phone book before agreeing to share their contact details.” [South China Morning Post]

Identity Issues

IS – Interior Minister Urges Joining of National Biometric Database with ID Cards

Israeli Interior Minister Aryeh Deri has “decided to push to mandate” the joining of a national biometric database and identity cards. “It is still unclear whether Deri will garner a Knesset majority to make the requirement law, but every recent interior minister has supported the initiative.” Database initiatives have been controversial in Israel, with the Movement for Digital Rights promising to continue to challenge Deri’s move. In the meantime, “those objecting would still have their fingerprints and facial recognition picture taken, but it would only be connected to their smart-card, not placed in the database.” [The Jerusalem Post]

US – Report: Health Care’s Need to Embrace ID Management Solutions

A new report from Synchronoss details ways the health care industry can better protect sensitive data and reduce risk by using different identity challenges. “Healthcare’s ID Management Challenge” was created by Synchronoss Technologies’ Tracy Hulver, and goes over several subjects, including common characteristics of health care data breaches, the reasons why health care organizations have been slow to implement multifactor authentication, and ways to gain business support for ID management solutions. “Everyone is in danger; all the data has a threat against it… But in other ways healthcare is different because people’s privacy is at the heart of healthcare information, so not only is there a financial component and motivator. but also there’s a strong privacy element as well.” [GovInfoSecurity]

CA – OIPC SK Recommends Municipality De-Identify or Redact Personal Information in Council Meeting Minutes

The Office of the Saskatchewan Information and Privacy Commissioner investigated a complaint regarding the disclosure of personal information on the Rural Municipality of Rosthern’s website, pursuant to The Local Authority Freedom of Information and Protection of Privacy Act. The municipality has the authority to disclose to the public full details included in its council meeting minutes; however, the municipality should record the least amount of personal information necessary in its council meetings (e.g. referring to the individual as “a complainant” or by his initials). [OIPC SK – Investigation Report 237-2016 – Rural Municipality of Rosthern]

Intellectual Property

CA – Google Is Fighting Global Search Censorship in Canada’s Supreme Court

This week Google went in front of the Supreme Court of Canada to argue that the country’s courts shouldn’t have the authority to order the search giant to censor links worldwide. It appears Google’s argument is that if a Canadian court wants to block search results in another country, the court should obtain a court order against the company in the country where it’s based. Google is also reportedly echoing the concerns of Canadian privacy experts who’ve argued that the ability to block search results worldwide could be used to silence legitimate free speech online. It’s a strange case with an even stranger origin, mostly because Google wasn’t even involved in the initial litigation. If the Supreme Court of Canada upholds these previous rulings, then Canadian courts will have a new, global censorship power at their disposal. [Motherboard | Internet freedom at stake in Supreme Court of Canada case | Supreme Court hears arguments in case pitting Google against B.C. firm | Google brings internet free-speech battle to Supreme Court | We Won’t Let You Forget It: Why We Oppose French Attempts to Export the Right To Be Forgotten Worldwide | Global Application of French “Right to Be Forgotten” Law Would Pose Threat to Free Expression | How ‘right to be forgotten’ puts privacy and free speech on a collision course ]

Internet / WWW

WW – McAfee Highlights IoT and Cloud Security Threats, Trends

Internet of Things (IoT) security and cloud security threats are key areas to watch for critical developments in 2017, according to Intel Security’s McAfee Labs 2017 Threats Predictions Report. The report also highlighted 14 trends to keep an eye on in the next year, and also listed the six “most difficult-to-solve” cybersecurity challenges. Overall, the report listed 10 predictions as the most prominent and probable outcomes during the next two to four years, including that “IoT will significantly reduce consumer privacy.” [HealthIT Security | 14 Cyber Security Predictions for 2017]

Law Enforcement

CA – Technical Hurdles Mean No Body-Worn Cameras for Mounties

The RCMP says it is postponing the deployment of body-worn cameras after testing revealed technical problems, including limited battery life and lack of durability. Rolling out the cameras would mean purchasing thousands of units for over 750 detachments. The national police force says that means it must have confidence in the technology and ensure the expenditure is justified. Body-worn cameras generally clip on a uniform, or can be embedded in glasses or a helmet. They are used to gather evidence for prosecution should criminal behaviour be recorded and to bolster accountability if questions arise after an incident. The small video cameras are intended to openly capture an “accurate, unbiased and reliable” audio and video account of incidents from the officer’s perspective, the RCMP said in an interim summary on use of the devices, made public earlier this year. The Mounties began exploring body-worn cameras — including privacy, legal and recording storage issues — three years ago. The interim RCMP policy said Mounties wearing cameras must hit the record button when there is “a high likelihood” they’ll use force against someone. The RCMP has told the federal privacy commissioner another assessment of the technology would be undertaken and provided to the watchdog for comment in advance of any national roll-out of the cameras. [National News Watch | RCMP decides not to outfit officers with body-worn cameras | Police body cams not ‘worthwhile’ if officers can turn them off, lawyer says | Mounties wearing video cameras told to record use of force]

US – Court of Appeals Finds Use of Stingray to Locate Individual was Lawful

Damian Patrick challenges the validity of his arrest by law enforcement: The Electronic Frontier Foundation, the American Civil Liberties Union Foundation and the ACLU of Wisconsin previously filed an Amicus Brief in support of Appellee. Law enforcement was permitted to use a cell-site simulator to execute a location warrant on an individual; he was wanted on probable cause and arrest warrants, was taken into custody in a public place (there was no legitimate expectation of privacy), the simulator was not used to generate the probable cause for his arrest (he was in possession of firearms), and law enforcement did not have to reveal to the warrant-issuing judge that they planned to use a simulator to locate him. [USA v. Damian Patrick – 2016 US App. LEXIS 21090 – US Court of Appeals for the 7th Circuit]

CA – Law Enforcement Seeks Access to Mail to Combat Opioid Deliveries

As illicit opioid use rises in Canada, law enforcement agencies across the country are pushing for revisions to laws forbidding them from investigating mail in transit. Law enforcement is specifically targeting fentanyl, a small drug often sent through Canada’s postal service by traffickers. The Canadian Association of Chiefs of Police has discussed changes to the Canada Post Corporation Act with several groups, but no movement has been made on possible alterations. McInnes Cooper privacy lawyer David Fraser said while he normally doesn’t support the expansion of police powers, the fentanyl issue is an exception. “The Canada Post Act that says that the mail is sacred and it can’t be detained, which is quaint,” said Fraser. “But I think in the circumstances when you’re dealing with very dangerous items that are going through the mail, it does make sense to intercept them at that point before they represent a risk to the public.” [CBC News]

UK – Police Nab Suspect While Phone is Unlocked

Police in London waited until a suspect’s phone was unlocked before arresting him in a bid to gain access to information on the device without having to demand the password. The suspect allegedly manufactured phony payment cards using stolen data; the cards were then used to purchase luxury items. [SCmagazineUK ]


US – Uber Commences Background Collection of User Location Data

The latest Uber app update has changed the way it collects location data from its users. Uber now requests users share their location at all times, rather than only when the app is open. The ride-hailing company wants to have user’s location data from the moment they request their ride to five minutes after reaching their destination. Uber said the change in data collection is to help improve its drop-offs and pickups, while also assisting in enhancing user safety. “We’re always thinking about ways we can improve the rider experience from sharpening our ETA estimates to identifying the best pickup location on any given street,” said an Uber representative, adding, “Location is at the heart of the Uber experience, and we’re asking riders to provide us with more information to achieve these goals.” [TechCrunch]

Online Privacy

HK – Study: Cyber incidents in Hong Kong, China increased by more than 900%

A PwC study has found that China and Hong Kong have had a 969 percent increase in cyber incidents since 2014. “The level of espionage or activity relating to cybersecurity incidents, such as data leakage or data theft is a lot higher [in China and Hong Kong] than any other countries,” said PwC’s Kenneth Wong. The increase of incidents may be credited to the “huge rate of adoption” of internet of things devices without adequate security measures in the region, added Marin Ivezic. [South China Morning Post]

Privacy (US)

US – Chief Data Scientist Rallies Technologists to Embrace Public Service

White House Chief Data Scientist DJ Patil encouraged technologists to embrace public service as data needs continue to grow. “Data is a force multiplier in every level of society… In cancer, the answer isn’t in a database; it’s in thousands of databases… It’s fragmented. The answer is likely out there. We just don’t know how to put it together.” The best way to “put things together” is to add technological voices to the discussion. “When do you jump in? The time is now.” “Why? These problems can’t wait. You can help transform that — city level, nonprofits, the time is now to serve.” [NextGov]

US – Evaluating Digital Risks for Public Companies

As organizations move from compliance-based to risk-based approaches to privacy operations, the natural question arises: How does privacy risk compare with other risks faced by the enterprise? To investigate, the IAPP Westin Research Center combed through the annual 10-K disclosure statements to the U.S. Securities and Exchange Commission of more than 100 publicly traded companies. The findings? Losing customers’ or employees’ personally identifiable information ranks first among disclosed information-related risks. Find in this new IAPP Westin Center report, “Loss of PII Is Top Digital Risk for Public Companies,” how companies rank hacking vs. employee error, which consequences they fear most, and whether the looming GDPR moves the risk needle — plus, find an annex of risk-language used by the world’s biggest organizations. [IAPP.org]


US – Commission on Enhancing National Cyber Security Issues Final Report

The President’s Commission on Cybersecurity has released its final report. Intended to serve as a transition guide for the next administration, the report calls for increasing cooperation between the government, the private sector, academia, and US citizens. It identifies six imperatives for enhancing cybersecurity: Protect, Defend, and Secure Today’s Information Infrastructure and Digital Networks; Innovate and Accelerate Investment for the Security and Growth of Digital Networks and the Digital Economy; Prepare Consumers to Thrive in a Digital Age; Build Cybersecurity Workforce Capabilities; Better Equip Government to Function Effectively and Securely in the Digital Age; and Ensure an Open, Fair, Competitive, and Secure Global Digital Economy. [White House.gov | [NIST | The Hill | WIRED | SCmagazine]

EU – MIT, Amsterdam U Receive Grants to Research Smartphone Privacy

The Internet Policy Research Initiative at the Massachusetts Institute of Technology and the Institute for Information Law at the University of Amsterdam have received grants to research privacy in smartphones. The two groups recently worked together on their EU-U.S. Privacy Bridges project and will join forces to investigate the differences between privacy expectations, preferences and behaviors in the EU and the U.S. “The joint research project will undertake a cross-cultural investigation of how different app ecosystems (Android, Apple iOS) shape privacy and transparency towards users through user control mechanisms, while analyzing the impact of different legal frameworks on smartphone privacy in Europe and the U.S.,” a University of Amsterdam release states. [IVIR.nl]

Smart Cars / IoT

EU – European Commission Publishes Internet-Connected Vehicles Strategy

The European Commission has published a strategy on internet-connected vehicles. The EU plans on having cars become equipped with digital systems warning drivers about traffic, road work, and approaching emergency vehicles by 2019, with newer car models implementing smart parking information and systems designed to protect pedestrians. The European Commission strategy prevents car manufacturers from using, processing, and selling driver data to third parties, a right pushed for by the European Automobile Manufacturers’ Association. “Users must have the assurance that personal data are not a commodity, and know they can effectively control how and for what purposes their data are being used,” the strategy states. [EurActiv]

WW – Researchers Find New Vulnerabilities Within Iot Cameras

Two research groups have found security vulnerabilities in internet-of-things technologies making them vulnerable to cyberattacks. Austrian security firm SEC Consult found two backdoors within Sony IPELA Engine IP Cameras. The firm said the backdoors could be compromised by attackers taking control of web servers built into the cameras. “We believe that this backdoor was introduced by Sony developers on purpose (maybe as a way to debug the device during development or factory functional testing) and not an ‘unauthorized third party’ like in other Cases,” SEC Consult wrote. Security firm Cybereason claimed to have found two security flaws in dozens of white-labeled IP cameras available to consumers through Amazon and eBay. Cybereason found the flaws make the cameras vulnerable to IoT attacks, even if they are behind a firewall. [KrebsOnSecurity]

US – Privacy Groups Call for Investigation of IoT Toymakers

Privacy advocacy groups in the U.S. and Europe are asking consumer protection agencies to investigate two internet-connected toy manufacturers to see if the companies are violating children’s privacy laws. The complaints will be filed in the U.S., France, Sweden, Greece, Belgium, Ireland, the Netherlands, and Norway against Genesis Toys and Nuance Communications. “We are putting the Internet of Things industry on notice that consumer advocacy groups are aggressively watching these developments with alarm, and expect them to create products that protect young people and positively support their psychosocial development,” said Center for Digital Democracy Executive Director Jeffrey Chester. “The industry must adopt safe practices.” [PCWorld]

US – USPS Could Help Development of Smart Cities

The U.S. Postal Service could become a key component for the future of smart cities. A Smart Cities Summit panel in Boston, Massachusetts, mapped out the ways the USPS could help develop smart cities. USPS trucks drive through cities each day, and through their travels, could monitor conditions and the environment. The data would be sent back to the cities to enhance services, and would give the USPS a new stream of revenue to help expand into new services. In order to use the USPS to develop smart cities, interoperability between regions, technologies and data flows would need to be worked upon, while the USPS would also be subjected to new regulatory restrictions. [ZDNet]


US – Class Action Complaint Alleges Software Installed on Cell Phones Collected and Transmitted Personal Data Without Consent

An individual files a class action complaint alleging Blu Products Inc, Inc et al for the installation of firmware on customer cell phones. Firmware was installed on approximately 120,000 phones that allows the phones to continuously capture and transmit personal data (such as text messages, personal contacts, call logs; and physical locations) to a server in China; harm was deliberate as the company knew that by intentionally installing the firmware on the phones it would collect personal and confidential data without the knowledge and consent of the customer. [Aaron Bonds v. Blu Products Inc et al – Case No. 1-16-cv-24892-MGC – United States District Court Southern District of Florida]

UK – TfL Program Tracks London Underground Users’ Access to Wi-Fi

Transport for London has started a four-week trial designed to read Wi-Fi connection-request data from the mobile phones of London Underground passengers. The program aims to discover where citizens move through stations and interchange between services, and determine how crowding develops. TfL only has access to data when people enter and exit the Underground, leaving the interpretation of the results to educated guesswork. Once the data has been taken from the phones, it is “automatically depersonalized” and sent to a private database for analysis. “The trial will work by collecting Wi-Fi connection requests from mobile devices as customers pass through stations. When a device has Wi-Fi enabled, it will continually search for a Wi-Fi network by sending out a unique identifier – known as a Media Access Control address – to nearby routers,” TfL stated. [The Register]

US Government Programs

US – FTC Holds Seminar on Smart TV Privacy Issues

The Federal Trade Commission held a seminar to discuss privacy concerns surrounding smart TVs. Panelists discussed a variety of topics, such as consumer attitudes toward smart TVs, and whether industry self-regulation can properly address privacy concerns with connected devices. “It matters whether consumers think of their smart TV as a PC or a television,” said Director of the FTC’s Bureau of Consumer Protection Jessica Rich. “From the moment we bought our first personal computer, there was data collection and data-driven advertising. By contrast, the television industry did not evolve with data collection as a critical component.” Some panelists are skeptical of industry self-regulation. “Self-regulation in the privacy space has been an abject failure” said University of California, Berkeley’s Serge Egelman. “I’m not saying we need new regulations to regulate how data is shared. But we do need to do much better in terms of disclosure.” [MediaPost] [How the connected toys industry can protect customers’ privacy] [FTC Explores Privacy Concerns Raised By Smart TVs]

US Legislation

US – DoJ Will Seek Legislative Fix to Obtain Evidence Held Abroad

The US Department of Justice (DoJ) plans to submit a legislative fix that would allow it to demand evidence stored on servers in other countries. The action is designed to circumvent a court ruling which said that DoJ could not demand emails from Microsoft because they were held on a server in Ireland. The courts said that there must be an international agreement between the US and a foreign country for US officials to request data stored in that country. [The Hill ]

US – 9th Circuit Upholds Warrantless Email Surveillance of Person in the U.S. Communicating with Foreigners Abroad When the Foreigners are the ‘Targets’

The U.S. Court of Appeals for the 9th Circuit has handed down United States v. Mohamud, an important case on how the Fourth Amendment applies to the global Internet. The case involves monitoring under Section 702 of the Foreign Intelligence Surveillance Act. Warrantless monitoring of a foreign national’s email account from inside the United States revealed emails between the foreign national and Mohamud inside the United States. That led the government to obtain a FISA warrant to monitor Mohamud’s account. Among the questions in the case was whether the initial warrantless collection of the Mohamud’s emails, incidental to the targeting of the foreign national’s emails, was consistent with Fourth Amendment. In an opinion by Judge John Owens, the court ruled that the Fourth Amendment was not violated. Here’s an overview of the reasoning together with a few (mostly critical) comments from me. [Washington Post] [Court: Secret spying of would-be Christmas tree bomber was OK | Terrorism Conviction of a Wiretapped American Is Upheld on Appeal ]

US – FBI’s Expanded Surveillance Powers Take Effect

An attempt by US legislators to block changes to the search and seizure provision of Rule 41 of the Federal Rules of Criminal Procedure did not succeed. The changes grant the FBI expanded surveillance powers, granting judges the authority to issue warrants that allows the government to remotely access computers outside the judge’s jurisdiction, even outside the country, for the purpose of criminal investigations. [ZDnet.com | Computerworld]

US – New Bill Prevents Companies from Punishing Users for Negative Online Reviews

Congress has passed the Consumer Review Fairness Act,making it illegal for companies to retaliate against customers who post negative online reviews. The legislation passed unanimously through the Senate, and had already been approved by the House of Representatives. The bill only needs a signature from President Barack Obama to become law. The act prevents companies from implementing penalties for negative online reviews and gives the Federal Trade Commission the power to enforce the law when necessary. “Every consumer has the right to share their honest experiences and opinions of any business without the fear of legal retaliation, and the passage of our bill brings us one step closer to protecting that right,” said Sen. Brian Schatz, D-Hawaii. [Ars Technica]

US – Other Privacy News


Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: