22 Dec 2016 – 06 Jan 2017


SG – Iris Scans Now a Part of Singaporean Registration Process

The Singapore government has begun collecting iris scans for citizens and permanent residents as part of its registration process. Amendments to the National Registration Act legalized the move, and according to the Ministry of Home Affairs, “was part of efforts to improve the ‘effectiveness and efficiency’ of operations undertaken by the Immigration and Checkpoints Authority.” [ZDNet]


CA – Security, Spy Agencies Will Follow ‘Letter and Spirit’ of the Law: Trudeau

Prime Minister Justin Trudeau said the government will make sure security and spy agencies obey the country’s laws following concerns the groups have abused the privacy rights of the country’s journalists. Trudeau said the Liberal government will “make sure that our security agencies and intelligence agencies obey the letter and the spirit of the laws that frame them.” The concerns sprung from the revelation of law enforcement agencies tracking the communications of several journalists. Trudeau spoke on the subject as the Liberal government finished a national consultation on federal security policy. [The Canadian Press]

CA – La Presse Asks Court to Stop Warrants Monitoring Journalist

La Presse is asking a court to stop the 24 warrants allowing Montreal’s police force to monitor its reporter, Patrick Lagacé. The newspaper argues the judicial orders were issued to stop leaks rather than as a part of a legitimate investigation. La Presse also states the Montreal police force went further than other law enforcement agencies in history to discover a journalist’s confidential sources. “In this matter, the Montreal Police Service deliberately created a complete registry of telephone communications by a reporter who was not under investigation, giving itself the means to identify all of the confidential sources that he contacted over a period of many months,” La Presse said in its request for judicial review. [The Globe and Mail]

CA – OIPC BC Issues Guidance to Organizations on the Use of Video Monitoring

The Information and Privacy Commissioner of British Columbia has issued guidance to organizations on the use of video surveillance. Video surveillance should only be used as a last resort after other less privacy-invasive alternatives have been exhausted (such as improved workplace supervision and financial controls), and cameras should not monitor private areas such as change rooms, washrooms, or into windows; organizational needs should be regularly reviewed to ensure that using video surveillance is still required for the original purpose, and monitoring should only take place during the time period that meets the specific purpose. [OIPC BC – Guide to Using Overt Video Surveillance] See also: A Minnesota judge has ordered that prosecutors and defense attorneys must follow guidelines of a law classifying police body camera footage as non-public information, with certain exceptions.

CA – Majority of Manitoba Organizations Do Not Offer Data Breach Training

A survey conducted by Manitoba Ombudsman Charlene Paquin found the majority of institutions within the province do not train their staff on handling data breaches. The survey was sent to 238 organizations, including universities, municipalities, health authorities, and boards, but only 118 organizations fully completed the questionnaire. Of those respondents, 78 percent said they do not offer training on what to do during a data breach, while 29% said they have suffered an incident within the last three years. The survey found the most common form of data breaches involved losing paper records, while 24% of respondents said they suffered a breach due to a stolen computer or other device. [CBC News]

CA – OIPC SK Finds Ministry Was Authorized to Collect Personal Information Directly from Third Parties

The Office of the Saskatchewan Information and Privacy Commissioner reviewed a complaint that the Ministry of Social Services allegedly over collected personal information, pursuant to The Saskatchewan Assistance Act; and the Freedom of Information and Privacy Act. The ministry was authorized to collect the bank statement of a social services applicant directly from the bank for the purpose of verifying the eligibility in a government program when the applicant failed to provide the information herself; although appropriate authorization was obtained in a consent form, it is recommended that the ministry analyze the types of information generally required during the application and review process to more clearly define the types of information being collected, and from where it will be collected. [OIPC SK – Investigation Report 212-2016 – Ministry of Social Services]


UK – Taskforce Finds Half of UK Kids Agree to Murky Social Media Terms

Children’s Commissioner Anne Longfield’s Growing Up Digital taskforce has found that “almost half” of eight- to 11-year-olds have agreed to “impenetrable” terms of and conditions for social media sites. “The yearlong study found children regularly signed up to terms including waiving privacy rights and allowing the content they posted to be sold around the world, without reading or understanding their implications.” Longfield recommends a special ombudsman for children “to represent their rights to social media companies” as well as an obligatory “digital citizenship program” in all schools for students ages four through 14. [The Guardian] See also: [Office of the Australian Information Commissioner – Teens, Privacy and Social Media]


HK – Honest Shanghai App Gives Citizens Public Credit Score

Shanghai’s city government has released a new voluntary app called Honest Shanghai that uses a combination of facial recognition and government data to assign citizens with a “public credit” score. “We want to make Shanghai a global city of excellence,” said Shanghai Municipal Commission of Economy and Informatization’s Shao Zhiqing. “Through this app, we hope our residents learn they’ll be rewarded if they’re honest. That will lead to a positive energy in society.” The app has caused some unease, however. “You’re wrong if I say so,” said Tongji University’s Zhu Dake. “You have bad credit if I say so. Where will this lead? They could easily expand the criteria and start judging people on moral or ideological grounds. They’re using modern technology to create a vision of Orwell’s 1984.” [NPR.org]

CA – CRA Employees Continue to Illicitly Access Confidential Tax Information

Canada Revenue Agency workers are continuing to illicitly access the confidential tax files of businesses, acquaintances and others. The breaches continue despite the CRA spending at least $10.5 million since 2013 to prevent its employees from continuing to access the personal data. CBC News discovered nine major cases since Jan. 1, where tax workers used the government’s electronic records to gather sensitive private information on income, deductions, benefits, payments, and employment. Privacy Commissioner Daniel Therrien wrote in his annual report his office was assured the CRA had implemented nearly all the safeguards it recommended from a 2013 audit. “The agency reports that it has made several important improvements to its management of personal information including introducing new policies, increasing corporate oversight and ensuring more timely assessment of privacy and security risks.” [CBC News]


US – Congressional Encryption Working Group 2016 Year-End Report

According to a report from the Encryption Working Group, weakening encryption by requiring backdoors is contrary to the country’s national interest, yet acknowledges law enforcement’s need to access communications for investigations. The Encryption Working group was created when the FBI and Apple were unable to come to an agreement over the government’s demands that Apple decrypt a shooting suspect’s iPhone. It is composed of members of the US House Judiciary Committee and Energy and Commerce Committee. The Encryption Working Group report argued that there isn’t a “one-size-fits-all” solution to whether or not “data encryption should be utilized by organizations or the government.” “There is no ‘us versus them,’ or ‘pro-encryption versus law enforcement,’” the bipartisan study states. “This conversation implicates everyone and everything that depends on connected technologies — including our law enforcement and intelligence communities.  [HealthITSecurity | eWeek | ZDNet | Encryption Working Group Releases Year-End ReportYear-End Report]

US – Not All Federal Agency Websites Have Met HTTPS Migration Deadline

Roughly 30% of federal government agency websites have not yet implemented HTTPS. The Office of Management and Budget (OMB) mandated that “all publicly accessible federal websites and web services” transition to HTTPS by December 31, 2016. Agencies were instructed to prioritize domains that are used to exchange sensitive data or that receive large volumes of traffic. [FCW.com]

EU Developments

EU – CJEU Rules Against ‘General and Indiscriminate’ Data Retention

EU law unequivocally precludes the “general and indiscriminate retention of traffic data and location data.” This is clear following the judgment of the Court of Justice of the European Union in Tele2, which affirms that Court’s previous judgment in Digital Rights Ireland, from 2014. In that judgment, the CJEU held that the EU’s Data Retention Directive was invalid. Some EU member states, such as Sweden and the U.K., then continued to oblige telecommunications providers to generally retain data under their national laws. This week the EU held that such national laws must similarly comply with EU data protection rules and are thus similarly invalid. [IAPP.org]

EU – EU Regulators Say More Big Data Rules May Be Necessary

European Union regulators believe additional rules could be required to examine the growth of big data. EU banking, insurance and market regulators are concerned big data may lead certain customers to become classified as “undesirable” as companies gather more personal information. The regulators launched a public consultation on the benefits and risks of big data for both consumers and financial firms in order to determine if more “regulatory or supervisory” actions are needed. “For example, consumers seeking household insurance for properties located in areas exposed to high risks such as floods, earthquakes or crime may have to pay very high premiums or might not be offered an insurance coverage,” the regulators said in a joint statement. [Reuters]

EU – German Privacy Laws to Obscure Face of Terrorist Suspect in Photo

As Germany searches for the individual who authorities believe is responsible for the terrorist attack on a Christmas market in Berlin, a photo of the suspect has been released by the German media. The photo of the suspect obscures the man’s face, and police have only identified him as “Anis A.” Photos of the suspect appearing in the U.K.’s press, show the man’s face without any form of obstruction. Journalist David Meyer said Germany’s strict privacy laws are the reason why the country’s media outlets have blocked out the suspect’s face, and why only the initial of his surname has been published. Meyer notes German investigators detained an innocent man earlier in the manhunt, leading to more caution when publishing photos. [Fortune]

EU – A Common Risk Identification and Classification System Should Be Developed for Data Protection Impact Assessments

Hunton & Williams examines risk assessments and data protection impact assessments under the General Data Protection Regulation. Organisations must assess the likelihood and severity of risks to individuals associated with processing activities (taking into account the nature, scope, context, and purpose of processing); an identification and classification system should have a repeatable and consistent framework to identify risks in multiple scenarios and over time, include material and non-material harms, and enable organisations to define the scope of risk management. [Risk, High Risk, Risk Assessments and DPI Assessments under the GDPR – Centre for Information Policy Leadership – Hunton and Williams LLP See also: the European Commission published the results of the public consultation on the ePrivacy Directive and a Eurobarometer survey.

Facts & Stats

UK – CFC Underwriting Sees 78% Increase in Data Breach Claims in 2016

CFC Underwriting handled more than 400 claims on its data breach policies in 2016. CFC Underwriting Chief Innovation Officer Graeme Newman said data breach claims were up 78% from 2015. CFC stated the most common types of attacks involve privacy breaches and the theft of cash. Newman said a “disproportionate” amount of claims were made by British firms. “This is largely down to the fact that on the whole, UK businesses have a lower level of security maturity than their US counterparts,” Newman said, who also added 90% of the claims by volume were made by businesses with less than 50 million GBP in revenue. [BBC]


US – FINRA Fines 12 Financial Institutions $14.4M for Illicit Data Storage

The Financial Industry Regulatory Authority fined 12 financial institutions a total of $14.4 million for improperly storing electronic broker-dealer and customer records. FINRA found the 12 firms did not store the business-related electronic records in a “write once, ready many” format. FINRA’s news release on the penalties stated “each of these 12 firms had WORM deficiencies that affected millions, and in some cases, hundreds of millions, of records pivotal to the firms’ brokerage businesses, spanning multiple systems and categories of records.” The fines ranged from $500,000 to $4 million. “These disciplinary actions are a result of FINRA’s focus on ensuring that firms maintain accurate, complete and adequately protected electronic records,” said FINRA. [Hunton & Williams’ Privacy and Information Security Law Blog]


CA – OIPC NS Issues Guidelines to Councillors on Disclosure of Municipal Records and Applying Privacy Rules to Personal Information

The Office of the Information and Privacy Commissioner in Nova Scotia has issued guidelines to Councillors on providing access to public records pursuant to the Municipal Government Act and applying privacy rules to personal data. Councillors must understand which municipal records can and cannot be disclosed, as certain reports, minutes and correspondence may be protected from disclosure (such as legal advice, personal information, and confidential business or government information); councillors should use the municipality’s secure email system when conducting municipal business, employ strong passwords (that change regularly and are not shared with others), and encrypt laptops and cellphones. [OIPC NS – Access and Privacy Rules – A Councillor’s Guide Councillor’s Q&A | Brochure]

Health / Medical

US – Majority of Patients Unwilling to Disclose All Medical Information: Survey

A Black Book survey found a majority of patients are skeptical of the use of health IT and are not divulging as much information as they had in the past. Of the 12,090 survey participants, 57% of those who had interacted with technology in a health care setting said they are unsure of the overall benefits of health IT technology. Other findings include 87% of patients were unwilling to disclose all of their medical information in detail during the fourth quarter of 2016, up from the 66% in 2013. The survey revealed 89% of respondents who visited a provider in 2016 withheld health information during visits, with 93% expressing concern regarding the security of their financial information. [Becker’s Hospital Review]

US – FDA Medical Device Postmarket Cybersecurity Guidelines

The U.S. Food and Drug Administration (FDA) has released the final version of security guidance for network-connected medical device manufacturers. The guidelines, which are not mandatory, address post-market cybersecurity issues and are a companion to pre-market guidelines issued in 2014. The FDA believes that “medical device manufacturers should implement a structured and comprehensive program to manage cybersecurity risks,” which would ideally include ensuring a means to monitor and detect vulnerabilities; assessing the risks vulnerabilities pose to patients; establishing a process for vulnerability disclosure; and releasing fixes in a timely fashion.[Govinfosecurity | FDA Postmarket Management of Cybersecurity in Medical Devices]

Identity Issues

CA – Ontario Police No Longer Allowed to ‘Card’ Individuals in Certain Situations

A new law in Canada prohibits Ontario police officers from carding individuals in certain situations. The rule stops officers from collecting identifying information based on a person’s race or presence in a high crime area, or if they are investigating possible criminal activity. The new rule does not apply during traffic stops, executing a warrant, or when an individual is arrested. “These new rules protect the rights of people who are not under investigation while also laying the foundation for more positive, trusting and respectful relationships between police and the public,” said the Ontario Community Safety and Correctional Services Minister. [CBC News]

CA – Mail-Forwarding Fraud Up More Than Seven Times in 2016

The Canadian Anti-Fraud Centre received more than seven times the amount of mail-forwarding fraud complaints in 2016 than in the previous year. The centre handled 479 complaints in 2016, up from 63 in 2015, with centre officials stating the number of complaints are only a fraction of actual fraud activity. Mail-forwarding fraud normally involves an individual impersonating someone and rerouting that person’s mail through Canada Post, either to a different residence or a business address. [CBC News]

US – Massachusetts’ Scanning of ID Cards Raises Privacy Concerns

Privacy advocates are raising concerns about a Massachusetts facial recognition program that uses photos from state-issued driver’s licenses and other ID cards to help law enforcement track down criminals. Those opposed to the practice say the ID scanning is a privacy violation and could lead to false matches that result in investigations of innocent people. Law enforcement agencies in other states are also employing similar programs. “When you go to the DMV to get your license, you do not expect your photo to be part of what has essentially become a law enforcement database used for criminal investigations,” said the ACLU. State officials defended the practice and have said proper measures are in place to address privacy concerns. [The Boston Globe]

US – Privacy Concerns Keeping Maine from Real ID Law Compliance Deadline

Should Maine not comply with the federal Real ID law by Jan. 22, its state licenses will neither function as formal commercial airline nor federal building entrance identification. Maine is one of the five U.S. states to forgo compliance with the law, citing privacy concerns. “This is a tightly aggregated set of data on every single citizen,” said Maine Secretary of State Matthew Dunlap. “That eastern European (Communist Bloc) show-me-your-papers-at-the-border thing, that really turned people off.” Regardless, Democratic Sen. Bill Diamond, is fighting to get the state to comply with the law, as other U.S. states prepare to. “I understand and believe privacy is very important, but we are talking about some minimum standards here.” [Portland Press Herald]

WW – Carnival to Incorporate Smartband Technology on Future Cruises

Carnival Corporation is planning to introduce smartband devices designed to allow customers to customize their vacation. The app, called Ocean Compass, is paired with a small medallion customers can use to pay for food, drinks and merchandise, gamble, and enter rooms without having to remove it from their person. Carnival executives Arnold W. Donald and John Padgett took the idea from a similar system used at Walt Disney World, where they both worked before joining Carnival. Padgett said he expects some customers will have questions regarding the system’s “creepiness factor,” but still expects the majority of visitors to participate. “As long as you benefit the guest, they don’t mind sharing” personal information, Padgett said. [The New York Times]

Law Enforcement

US – Court: Abandoned, Locked Phones Still Have Privacy Protections

A Florida court of appeals ruled abandoned cellphones with a passcode still maintain the user’s privacy expectations. The case involved a teen leaving his phone behind after fleeing a traffic stop. Law enforcement were able to unlock the phone and retrieve information without a warrant. The court determined phones are not locked containers, but are closer to locked houses. Since law enforcement cannot search a locked house without a warrant, the same standards should be held for phones. “While we acknowledge that the physical cell phone in this case was left in the stolen vehicle by the individual, and it was not claimed by anyone at the police station, its contents were still protected by a password, clearly indicating an intention to protect the privacy of all of the digital material on the cell phone or able to be accessed by it,” the court’s ruling stated. [Techdirt | Florida Appeals Court Upholds Decision to Suppress Evidence Obtained By a Warrantless Search of a Cell Phone | State of Florida v. K.C. – No. 4D15-3290 – District Court of Appeal of the State of Florida]

US – Police Ask Amazon for Echo Data in Murder Investigation

Police officers in Arkansas are asking Amazon to produce data from one of the company’s Echo devices for possible evidence in a murder investigation. The police are not sure what information is available on the Echo device, but are hoping for any conversations it may have overheard. The case has raised several privacy concerns. “I think about the fuzzy line of where the privacy of data is out there in the cloud… The question is, will governments or other people be able to access data that you have on request? Will companies comply? How does that work? How does it work in a criminal investigation? Where’s that line — because that’s — that’s the part that is a little mysterious.” MIT Technology Review reports on what Amazon’s role should be in the investigation. [NPR.org]


CA – British Columbia to Allow Drone Use for Search and Rescue

Emergency Management BC approved a pilot program permitting teams across British Columbia to use drones for search and rescue efforts. The drones will be used in situations where helicopters are not available, or the area cannot be reached by aircraft. Coquitlam Search and Rescue Manager Mike Coyle said privacy concerns have limited the widespread use of drones, but the British Columbia privacy commissioner has formally reviewed the drone project. “Even in the wilderness, I think it’s just a way people have seen [drones] as an invasion of privacy,” Coyle said. “Our intent is to just use them to look for missing people in the wilderness and not fly over built up areas, and that’s why I think the privacy commissioner said it’s a good use.” [CBC News]

US – Sen. Franken Asks Uber to Clarify Its Location Data Collection Practices

Sen. Al Franken, D-Minn., has written to Uber requesting it clarify its policies surrounding its storage of users’ location data, “three weeks after the ride-hailing company updated its app to restrict privacy options for sharing location information.” “Franken asked the company to take steps to ‘restore users’ control over their sensitive location information,’ and update its privacy policy to ‘reflect the company’s public assurances and justifications related to the most recent app update,’” in his letter to Uber CEO. He cited “renewed allegations” of Uber employees’ “past abuse of customer data” as part of the reason for his letter. [PCMag]

Online Privacy

WW – Facebook Buying Detailed Data on Users, Advocates Say

ProPublica and other privacy advocates maintain Facebook buys more detailed information about its users from commercial data brokers, such as users’ “income, the types of restaurants they frequent and even how many credit cards are in their wallets.” Facebook doesn’t additionally “show users any of the often remarkably detailed information it gets from those brokers.” The Center for Digital Democracy’s Jeffrey Chester said “Facebook is bundling a dozen different data companies to target an individual customer, and an individual should have access to that bundle as well.” Facebook said “that it doesn’t tell users about the third-party data because it’s widely available and was not collected by Facebook.” [ProPublica]

US – Advocacy groups Ask FTC to Review Google’s Privacy Policy Changes

Consumer Watchdog and Privacy Rights Clearinghouse filed a complaint with the FTC concerning the changes Google made to its privacy policy in June. Google has been able to build profiles of individuals by requesting users to opt-in to the new privacy settings permitting the tech company to merge its browsing history with its search history to generate more personalized ads. The two privacy groups claim the privacy settings violate deceptive- practices laws and a prior FTC order. Google said in a statement it changed the policy “to match the way people use Google today: across many different devices,” and “it is 100% optional — if users do not opt-in to these changes, their Google experience will remain unchanged.” Google also stated it informed regulators around the world about the new policy and incorporated their feedback. [The Wall Street Journal] [In re Google Inc.’s Change in Data Use Policies – Complaint,Request for Investigation, Injunction and Other Relief – Consumer Watchdog and Privacy Rights Clearing House]

Other Jurisdictions

AU – Australian Govt to Extend Data Retention Law to Civil Litigation Information

The Australian Attorney-General’s Department is accepting submissions through 27 Jan., on a government review to potentially extend the Data Retention Act to allow warrantless access of “retained metadata to lawyers acting for clients in civil litigation.” On 13 April, “it will be legally impossible to access data retained by telcos in connection with civil proceedings,” and the government is worried about the potential consequences. However, critics feel this proposed step is one in the wrong direction. “Opening up the data retention scheme to civil matters flies in the face of the government’s claim that it was urgently needed in the fight against terrorism and its assurances that its use would be tightly controlled,” said Internet Australia. [The New Daily | The Australian government is considering making metadata available to courts for civil lawsuits.

US – FTC Settles with Ad-Tech Firm Turn

California-based digital-advertising company Turn has agreed to settle FTC charges that it deceived customers when it used persistent identifiers to track them online and on their mobile apps, even when those customers opted out, according to an FTC press release. The FTC’s complaint and investigation involved Turn’s use of Verizon’s unique, un-deletable identifiers, or so-called “zombie cookies,” and alleged lack of transparency about that use. [IAPP.org]

Privacy (US)

US – LabMD Receives Support in Appeal of FTC Ruling

Several groups have filed amicus briefs in support of LabMD’s appeal against the Federal Trade Commission. The briefs, filed by a group of doctors, cybersecurity professional Gary Miliefsky, TechFreedom, the International Center for Law and Economics, the National Federation of Independent Business Small Business Legal Center, and the National Technology Security Coalition, back the now defunct LabMD, stating the FTC operated outside of its authority when it went after the company for allegedly violating Section 5 of the FTC Act. “I am heartened that leaders from business, healthcare and technology are so supportive of LabMD,” said LabMD President and CEO. “They understand how this case will impact their own compliance efforts.” [SC Magazine]

US – House Committee Presses Congress for Stingray National Standards

The House Oversight and Government Reform Committee released a bipartisan report calling for Congress to pass laws creating national standards for law enforcement’s use of Stingrays. The committee seeks clear rules for government and private entities using the devices, designed to mimic cellphone towers in order to force all phones within range to identify themselves. The report found the Justice Department has 310 devices, while the Department of Homeland Security has 124. Until the standards are created, the committee contends the DOJ and DHS should not fund technology for local law enforcement unless they agree to certain privacy standards. The report concludes the technologies “represent a valuable law enforcement tool, but their domestic use has obvious and serious implications for citizens’ Constitutional rights … There must be a universal and well-understood standard by which these technologies are deployed.” [The Wall Street Journal]

US – Consumer Groups Push Amazon, Wal-Mart to Stop Selling ‘Spying’ Doll

Several consumer groups are asking top retailers such as Amazon and Wal-Mart to stop selling My Friend Cayla due to privacy concerns. The doll, created by Genesis, is designed to listen and respond to children’s questions, and uses a Bluetooth microphone and a mobile app requiring access to a child’s or parent’s devices. The groups are concerned the doll could be compromised by hackers, lead to privacy violations, and other problematic incidents. “My Friend Cayla poses significant security risks that could place children in physical danger,” Campaign for a Commercial-Free Childhood Executive Director Josh Golin wrote in a letter to Amazon CEO Jeff Bezos. “Genesis fails to require basic authentication mechanisms to prevent unauthorized Bluetooth connections between the doll and a smartphone or tablet.” [CBS News]

US – White House Issues Gov’t-Wide Breach Notification Protocols

The U.S. administration may be turning over this month but the Office of Management and Budget is churning out policies even while the boxes are being stuffed with Bubble Wrap. OMB released both a guidance on how government agencies must prepare-for and respond-to data breaches as well as how to comply with the Privacy Act in these modern times. OMB Senior Privacy Advisor Marc Groman said the breach-notification guidance updates a 10-year-old document, revising it to require that agencies take a risk-based approach, and responds to a new, more dangerous threat-landscape. “But it’s important to highlight every breach is different and very context-specific, and therefore the memo must allow for flexibility,” Groman said. [IAPP.org]

US – NYC, Uber Face Off in Privacy Public Hearing

Uber is gearing up to fight against the New York City government in a public hearing on the city’s December-born proposal requiring ride-hailing companies to share more data on their users. “Regulators said it was an effort to combat driver fatigue and help enforce caps of 60 hours a week.” “Uber described the requirement as an invasion of privacy.” Uber has “an obligation to protect our riders’ data, especially in an age when information collected by government agencies like the [NYC Taxi and Limousine Commission] can be hacked, shared, misused or otherwise made public,” said Uber spokeswoman Alix Anfang. The hearing comes on the heels of the company’s own privacy controversy, spurring a letter from Sen. Al Franken, D-Minn. [Bloomberg Technology] See also: [For-hire vehicle base reporting rules a privacy problem, advocates argue in letter]


US – FTC Announces IoT Security Challenge

The US FTC is holding a contest that will award a prize of up to USD 25,000 for the best technical solution to Internet of Things (IoT) security for home networks. The tool could be a physical device that connects to a home network and checks for updates for other connected IoT devices; it could also be an app, a cloud-based service, or a user interface. Registration forms will be available on or about March 1, 2017. The deadline for submissions is May 22, 2017; winners will be announced at the end of July 2017. [KrebsonSecurity | Darkreading | FTC.gov: IoT Home Inspector Challenge]

US – OTA Releases Updated IoT Trust Framework

The Online Trust Alliance released a new version of its IoT Trust Framework. The updated framework is designed to help internet-of-things developers, purchasers and retailers develop products, while offering a risk assessment guide. The framework includes 37 principles, including entries on security, user access, and ensuring companies are compliant with the General Data Protection Regulation and the Children’s Online Privacy Protection Act. “Recent IoT attacks like those which compromised hundreds of thousands of connected devices to take websites like Amazon, Twitter and Netflix offline were just a ‘shot across the bow.’ The next incident could create significant safety issues. While most IoT devices are safe and secure, many still lack security safeguards and privacy controls placing users and the Internet at large at risk,” said OTA Executive Director and President Craig Spiezle. [OTA Alliance]


WW – DDoS Attacks, Ransomware Among Biggest Security Threats in 2017

Wired reports on the biggest security threats coming in 2017. The most pressing concerns in the privacy realm include the increased spread and use of ransomware, a growing divide between the intelligence community and President-elect Donald Trump, and another encryption battle between law enforcement and device makers. “It’s only a matter of time until the FBI or other cops make another legal demand that an encryption-maker assist in cracking its protections for users, setting the conflict in motion again.” Cyberattacks will also continue to be a problem in 2017, as more distributed denial of service attacks appear to be on the horizon. [Wired]

US – Cybersecurity Pro: Carelessness Often to Blame for Breaches

Company carelessness is often to blame for breaches, said cybersecurity professional and BitSight Technologies co-founder Stephen Boyer. “A lot of these breaches happen because somebody had a very obvious detail that they overlooked or a well-known vulnerability that was exploited,” he said. “You think about other controls that [companies] need to put in place such as good password control, multifactor authentication. They need to be able to monitor, protect, not only look at their own systems but their supply chain and monitor and watch that very diligently.” For consumers, it doesn’t come down to avoiding smaller businesses and solely working with larger ones, he said. “It’s not necessarily small versus large, it’s just somebody who’s put in the proper protections to protect the consumers.” [CNBC]

WW – Hackers Can Easily Manipulate Travel Booking Systems: Study

Security Research Labs has found that major travel booking systems like Sabre, Amadeus and Travelport lack the ability to authenticate travelers, allowing hackers to easily manipulate or steal travel details via Passenger Name Records. “While the rest of the Internet is debating which second and third factors to use, [global distribution systems] do not offer a first authentication factor,” the researchers said. “Given only passengers’ last names, their bookings codes can be found over the Internet with little effort,” added SRLabs’ Karsten Nohl. Meanwhile, the Guardian reports that the U.S. government has begun requesting select foreign travelers to disclose their social media activities. [Reuters] See also: [Privacy a casualty of password storing on shared devices?]

US – FTC Suing D-Link Over Unsecure Routers and Cameras

The U.S. FTC has initiated legal action against D-Link for “fail[ing] to take steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorized access.” The security issues could be exploited to steal information and to spy on consumers. [arstechnica | computerworld | Thehill | Ars Technica: FTC Complaint | FTC.gov]

EU – ‘Find My Phone’ Documentary Uses Decoy Mobile to Spy On Thief

Dutch film student Anthony van der Meer has made a 22-minute documentary, “Find My Phone,” from footage gleaned after downloading security software onto a decoy phone that he got stolen. His inspiration for the film came after having his personal phone pickpocketed and his subsequent frustration with police assistance. “The documentary offers a valuable lesson in cybersecurity (if not also an ethically gray commentary on surveillance).” “Our smartphones often contain our most sensitive data, including photographs, emails and bank information, that can be exploited by thieves in any number of harmful ways.” [The Verge]

UK – EU’s Network and Information Security Directive to Get UK Implementation

The U.K. government will implement the EU’s Network and Information Security Directive, regardless of the Brexit vote. “The NIS Directive sets out measures designed to ensure critical IT systems in central sectors of the economy like banking, energy, health and transport are secure… “It will apply to operators of such ‘essential services’ and to ‘digital service providers.’” EU countries have through 9 May 2018 “to implement the Directive into national law,” and the U.K. government added that it was “considering whether additional regulation might be necessary for critical sectors, including in the context of the NIS Directive due to be implemented in 2018 as well as wider national infrastructure considerations.” [Out-Law.com]

US – NIST Publishes Cyber Attack Recovery Guidebook

The US National Institute of Standards and Technology (NIST) has published the Guide for Cybersecurity Event Recovery. The document describes the two phases of recovery: tactical and strategic. Tactical recovery is based on procedures established prior to a cyber attack; strategic recovery involves identifying lessons learned from the event and using those lessons to plan for recovery from future events. Recovery is one of five aspects of NIST’s Cybersecurity Framework. The others are identification, protection, detection, and response. [Federal News Radio | http://nvlpubs.nist.gov: Guide for Cybersecurity Event Recovery]

US – NIST Publishes Report on Privacy Engineering and Risk Management

The National Institute of Standards and Technology has published its Internal Report 8062, “An Introduction to Privacy Engineering and Risk Management in Federal Systems.” In a blog post announcing the report, the authors describe the report as a “document that we believe hardens the way we treat privacy, moving us one step closer to making privacy more science than art.” They continue: “NISTIR 8062 introduces the concept of applying systems engineering practices to privacy and provides a new model for conducting privacy risk assessments on federal systems.” NIST has a history of providing guidance on information security risk management, “but there is no comparable body of work for privacy.” The guidance attempts to bridge the communications gap between the security and privacy fields “and produce processes that are repeatable and could lead to measurable results.” [NSTIC]


AU – Government Considering Allowing Metadata from Retention Laws

The Australian government is considering making metadata stored under the country’s data retention laws available to courts for civil lawsuits. “The bill itself prohibits the use of the data in civil cases, but it includes the ability for the government to make exceptions — through regulations — for ‘appropriate’ cases… The government tweaked the bill after the parliamentary committee on intelligence and security recommended it include the ability to make a regulation allowing for the data to be used in appropriate civil cases.” Initial critics of the data retention law expressed concern that the government would use it for these purposes. The Attorney-General’s Department is seeking public comment on the potential move until 13 Jan. [iTnews]

WW – Media Sonar Tools Used to Surveil American Protests

An American Civil Liberties Union investigation has found that U.S law enforcement used technology from London, Ontario company Media Sonar to monitor protests. Although the company describes the tool as one that scours social media for public safety threats, the ACLU found that police used it to track hashtags like “#BlackLivesMatter, #DontShoot, #ImUnarmed and #PoliceBrutality, to name a few.” “Law enforcement should not be using tools that treat protesters like enemies,” the ACLU said in a blog post on the issue. “The utter lack of transparency, accountability and oversight is particularly troubling.” [National Post]

Telecom / TV

CA – Quebec Court Finds Cell Phone Data Unlawfully Extracted by Law Enforcement Can Be Admitted at Trial

The search of cell phones involved in a telemarketing fraud scheme used sophisticated forensic methods to scour the devices and extract data (which required specific authorization, separate from the warrant issued to seize and search the phones); the extracted data should not be excluded because law enforcement had grounds to justify the search, specific authorization would have been granted if requested, the search did not go further than what was authorized by the warrant, and the evidence is reliable and pivotal to prove the individuals’ offences. [Kamaldin et al. v. USA – Quebec Superior Court – 2016 QCCS 5818 CanLII]

CA – Court Finds Arrest and Warrantless Search by Law Enforcement Breached Individuals’ Charter Rights

The Supreme Court of Newfoundland and Labrador considers whether evidence obtained by law enforcement breached the Charter rights of Luke Wiseman and Ibrahim Nassar. The arresting officer did not have reasonable grounds to arrest 2 individuals suspected of trafficking a controlled substance (a hunch was relied on which lacked any reference to previous drug activity by the individuals, there was no tip of an imminent drug transaction), the officer could have sought a warrant (the address and phone number of the individuals were on the boxes believed to contain drugs), and the individuals were arrested and the boxes searched in a public parking lot. [HMQ v. Luke Wiseman and Ibrahim Nassar – 2016 CanLII 78004 NL SCTD – Supreme Court of Newfoundland and Labrador]

CA – Yukon IPC Issues Advisory on Ransomware

The Yukon Information and Privacy Commissioner has issued an advisory about ransomware. Preventative measures against ransomware include regularly backing up information and system files, testing those backups, installing internet security software and patches, and educating users about phishing attacks (including how to respond in the event of an attack); during a ransomware attack, the affected device or system should be disconnected from the rest of the network and notification to affected individuals should be considered if the intrusion presents a risk of significant harm. [IPC Yukon – Ransomware Advisory]

US Government Programs

US – US Government Shuts Down Registry for Foreigners

The Department of Homeland Security has announced it is canceling an inactive registry system that would require visitors from countries with extremist groups to participate. Dubbed the National Security Entry-Exit Registration Systems program, it began “a year after the Sept. 11, 2001, al-Qaida attacks on the United States” and “expanded within a year to require registration from visitors from 25 countries, most of them with majority-Muslim populations.” In the years since, “DHS concluded that the program, which was suspended in 2011, was redundant and inefficient and did not provide increased security.” The government will publish the change in the Federal Register on Friday, and the dissolution of the registry “takes effect immediately.” [Reuters]

US Legislation

US – California Ransomware Bill Goes into Effect

A new law that took effect in California on January 1, 2017 punishes conviction of distributing ransomware with a prison sentence of up to four years. In the past, ransomware cases were tried under existing extortion statutes. According to the bill’s sponsor, California State Senator Bob Hertzberg, “This legislation provides prosecutors the clarity they need to charge and convict perpetrators of ransomware.” [SCMagazine | Ars Technica | sd18.senate.ca.gov: Gov. Brown Signs Legislation Punishing Ransomware]

Workplace Privacy

WW – Anonymous Plaintiff Sues Employer Over Confidentiality Agreement

A Google employee has sued the company over its confidentiality agreement, contending that its provisions violate California labor laws. “Rules prohibit employees from writing about potential illegal activity within the company, and even from writing works of fiction based on their experiences there.” “The unnecessary and inappropriate breadth of the policies are intended to control Google’s former and current employees, limit competition, infringe on constitutional rights, and prevent the disclosure and reporting of misconduct,” the lawsuit reads. While the identity of the plaintiff is unknown, a person familiar with the matter said he or she “is the same person who filed a similar complaint with the National Labor Relations Board earlier this year.” Google pledged to fight the suit. [PCMag]

EU – French Employees Win ‘Right to Disconnect’ From Work Emails

A new employment law now requires French companies to guarantee their employees do not need to check their emails after hours. The law states any organization with more than 50 employees will have to define the rights of employees to step away from their smartphones when they are not at work. The goal of the law is to stop burnout, while ensuring work does not intrude on employees’ private lives. “There’s a real expectation that companies will seize on the ‘right to disconnect’ as a protective measure,” said Aristat Director Xavier Zunigo. “At the same time, workers don’t want to lose the autonomy and flexibility that digital devices give them.” [Guardian] See also: Illinois’ amended Right to Privacy in the Workplace Act is now in effect, meaning employers may not request access to prospective employees’ social media accounts.

CA – OIPC AB Finds Society Had Reasonable Purpose and Methods for Conducting Employee Background Check

The Office of the Alberta Information and Privacy Commissioner investigated a complaint against REDI Enterprises Society for the alleged unauthorized collection of personal information (“PI”), in violation of the Personal Information Protection Act. The Society screens for previous criminal activity because employees work with vulnerable individuals, and it seeks to ensure a safe and secure environment for those clients; a written, signed account of prospective employees’ criminal activity is collected (applicants have the choice not to provide this information), and current employees may refuse to provide this information without threat to their employment. [OIPC AB – Order P2016-07 – REDI Enterprises Society]



Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: