Big Data

CA – Ontario Privacy Commissioner Hosting Event on Big Data and Government

The Information and Privacy Commissioner of Ontario is hosting a Privacy Day Event on government and big data. The IPC event, titled “Government and Big Data: Privacy Risks and Solutions,” will discuss the benefits and risks of big data analytics, the potential for bias, and appropriate safeguards. “How can we ensure that the privacy rights of Ontarians are respected and personal information is managed appropriately and fairly in a big data world? How do we ensure transparency and that results and findings are accurate and nondiscriminatory? How can we protect an individual’s right to challenge findings that are based on these powerful analytical tools?” This free event will take place on Jan. 26, at the Toronto Reference Library. [ipc.on.ca | See also: Big data and insureds: A conundrum?]

US – Hintze, LaFever Release White Paper on The GDPR and Data Analytics

Hintze Law’s Mike Hintze and Anonos’ Gary LaFever have released a white paper on balancing General Data Protection Regulation requirements with data analytics capabilities. Entitled “Meeting Upcoming GDPR Requirements While Maximizing the Full Value of Data Analytics: Balancing the Interests of Regulators, Data Controllers and Data Subjects,” the 24-page paper covers topics like “controlled linkable data and the GDPR” and the “benefits of processing controlled linkable data.” [anonos.com | See also: Big Brother collecting big data — and in China, it’s all for sale]

Canada

CA – Feds Need Help Tackling Cyberthreats, Internal Report Warns

The Canadian government is “simply not up to the overall challenge” of fending off cyberthreats on its own and must partner with the private sector and the United States to tackle the problem, warns a federally commissioned report on cyberthreat information-sharing protocols and policies in Canada and the United States obtained under the Access to Information Act. The report comes amid growing concern about damaging intrusions into computer systems that expose personal information, commercial secrets and sensitive government data — endangering everything from credit ratings to national security. The report, prepared for Public Safety Canada by consulting firm PricewaterhouseCoopers, found the government information-technology community is already overwhelmed with challenges such as aging systems and a move to cloud computing. [CNEWS]

CA – CSIS Assessing ‘Bulk Data’ Collection, Records Show

Canada’s domestic spy service has been trying to figure out ways of obtaining “bulk data” to better feed the holdings of its secretive analytics centre. A 2012 memo by the Canadian Security Intelligence Service speaks of an intelligence-agency pivot with profound implications for privacy and security. Details about the kinds of data being sought by CSIS, and even what exactly it considers bulk data to be, have not been disclosed. But the language used by the spy agency is reminiscent of other so-called bulk-data programs embraced by polarizing U.S. and British intelligence agencies, since revealed to have been amassing records relating to the everyday transactions of millions of ordinary people. The Canadian government’s collection practices have never been revealed or debated publicly, even as the closest counterparts of CSIS now openly assert they need bulk data to function. The memo urged all of CSIS to figure out how to better contribute to holdings of the Operational Data Analysis Centre. This secretive facility, known as ODAC, was first publicly exposed by a scathing Federal Court ruling released in the fall of 2016. When the Federal Court of Canada exposed ODAC last year, it urged CSIS to stay mindful that “strictly necessary” is a term that remains the law. Parliament put this limitation on what records CSIS can collect to prevent “an overly expansive interpretation of the agency’s mandate,” the court said in a written ruling. The 14 specially cleared judges who approve CSIS intelligence officers’ wiretap warrants complained that no one ever told them about ODAC during its 10 years of operations. [Globe & Mail]

CA – Snowden Urges UW to Build Tools to Protect Privacy

Edward Snowden urged the University of Waterloo to help develop new technology to defend privacy, to fend off hackers and to defeat the government surveillance that he exposed. A campus audience of more than 500 gathered in a theatre to watch him speak and hear his challenge. Snowden said hackers and watchers are using technology to go on the offence against vulnerable citizens who can’t defend their privacy. He’d like to see scholars and university students put their minds to turning that around. “The world needs you to come up with ideas of mixing these communications in ways that not only protects the content of communications … but it protects the fact that communications occurred at all.” Snowden made several Canadian references, about Montreal police spying on journalists, about Canada’s spy agency possibly spying on journalists, and about federal anti-terrorism legislation. [The Record | Snowden inspires Waterloo audience]

CA – Clinic Video and Audio Recordings Unauthorized and Excessive: OIPC BC

The Office of the Information and Privacy Commissioner in British Columbia conducted an audit of a private medical clinic’s privacy management program, pursuant to the Personal Information Protection Act. The clinic had 8 cameras located throughout its facility (the lobby, hallways, back exits, workout room); patients, employees and others entering the clinic had not provided express or deemed consent for the surveillance (signage at the entrance was insufficient), there was no evidence that monitoring/recording was necessary for safety, security or any other significant issue, and the personal information collected was used for purposes beyond security (liability protection, staff monitoring, internal loss auditing). [OIPC BC – Audit and Compliance Report P16-01 – Surveillance and Privacy Compliance in a Medical Clinic]

Consumer

WW – Microsoft Announces Privacy Updates for Windows 10

The Windows 10 Creators Update will include a “web-based privacy dashboard” for users to better understand and control the information Microsoft collects on them. “From the page, Microsoft account holders will be able to clear their browser, Bing search and location activity,” along with information saved by the digital assistant Cortana. “On the other side of the equation, Microsoft is trying to help people who install Windows with their data-sharing preferences, guiding them through virtually every data-sharing option, including location, speech recognition and diagnostics.” While the updates aren’t slated until spring 2017, Windows Insiders may download a beta version of the dashboard to test now. Coming later this year in the Windows 10 Creators Update is a reworking of the operating-system-level privacy controls. The main thing these will do is make the choice more explicit. As such, this moves the Windows 10 privacy settings from a model of tacit consent to explicit affirmation. Still missing, however, is the ability for most Windows users to disable telemetry entirely. [Mashable | Ars Technica: Windows 10 Creators Update to Rejig Privacy Settings in a Move Unlikely to Please Anyone | Windows 10’s privacy settings will be simpler but more limited with Creators’ Update]

WW – The Future of Artificial Intelligence Becoming Top of Mind

A new $27 million fund is designed to promote research into artificial intelligence in the public interest. The Ethics and Governance of Artificial Intelligence Fund aims to support a “cross-section of AI ethics and governance projects and activities” in the U.S. and around the world. Meanwhile a supplementary paper from the World Economic Forum — which just released its Global Risks Report 2017 — raises concerns about weaponized AI, cyberattacks through internet-of-things devices, and the use of biotechnology. Researchers from Oxford University have released a report detailing how the General Data Protection Regulation could heavily impact the rollout of AI and machine learning. Separately, the European Parliament’s Legal Affairs Committee has urged the European Commission to create rules around the ethical use and liability of robotics. [TechCrunch]

E-Government

US – Minneapolis Settles More Lawsuits Over Snooping in Driver Database

The long list of lawsuits against Minnesota governments for employees improperly snooping into the state driver’s license database is slowly shrinking. A flood of lawsuits hit governments across the state several years ago after it became clear the state’s driver and vehicle services database was being misused. The database contains photographs, addresses and driving records of Minnesotans with a license. A number of those cases have been dismissed or severely narrowed by court decisions regarding the statute of limitations and which lookups will be considered improper. Minneapolis City Attorney Susan Segal said about a half-dozen cases remain active against the city, down from a peak of about 40. Some were settled. [Star Tribune]

E-Mail

CA – Private Right of Action under CASL Coming July 2017

Canada’s Anti-Spam Law came into force on July 1, 2014. Since then, all eyes have been on the CRTC for decisions concerning CASL violations. In the cases made public to date, monetary penalties or settlement payments have ranged from $48,000 to $1.1 million. Whatever steps Canadian and foreign companies have taken to date, 2017 will be the time to revisit CASL compliance. On July 1, 2017, the private right of action (PRA) comes into force under CASL. An individual or organization who is affected by a contravention may litigate to enforce the new private rights directly. While CASL does not expressly provide for class actions, it is broadly expected that such actions will be launched to permit large numbers of applicants (for example, the recipients of alleged spam) to pursue compensation as a group. Where the court finds a violation, it may order not only compensation for the applicant’s damages, but also monetary payments. When the court sets the amount to be paid, it must consider the purpose of the payment order – which “is to promote compliance and not to punish” – the nature and scope of the violation, the history of compliance, any financial benefit or compensation from the conduct, ability to pay, and “any other relevant factor”. CASL also provides for extended liability. Directors, officers, agents or mandataries of a corporation may be liable if they directed, authorized, assented to or participated in the contravention. Where an employee’s conduct in the course of his or her employment breaches CASL, the employer may be vicariously liable. [Privacy and Security Law | Why the Private Right of Action afforded by Canada’s Anti-Spam Legislation should concern Insurers who underwrite Risks in Canada | Strap on your Helmet …CASL: The summer of 2017 is going to be brutal | Related: Lessons Learned: E-Learning Company Faces $50K Spam Fine | CRTC Enforcement Advisory – Records to Show Consent | Privacy Law and Anti-Spam – Guidance from the Office of the Privacy Commissioner | Canada’s Anti-Spam Law: Not just for Canadians | CASL Applies to Software January 15 2015 | New CASL Compliance and Enforcement Guidelines]

Encryption

US – FBI Releases Censored Documents on San Bernardino Encryption Case

The FBI released 100 pages of highly censored documents covering its agreement with an anonymous vendor to hack into the iPhone used by one of the San Bernardino, California, shooters. The censored documents did not show the amount the FBI paid the vendor, the identity of the vendor, or the way the phone was unlocked. The information did include portions of the FBI’s nondisclosure agreement with the vendor and at least three inquiries from companies looking to create a product to unlock the phone. The three companies could not create the solution fast enough for the FBI to use. The records were produced in response to a federal lawsuit filed against the FBI by The Associated Press, Vice Media and Gannett under the U.S. Freedom of Information Act. [The Associated Press]

US – DARPA Announces Plans to Develop Data-Sharing Technology

The Department of Defense’s research branch, the Defense Advanced Research Projects Agency, has begun a project that would allow U.S. troops around the world to securely send and receive “sensitive information” from their own devices. “The program, dubbed SHARE, for Secure Handhelds on Assured Resilient networks at the tactical Edge, would be used on handheld devices, laptops or tactical radios.” “The vision of SHARE is to develop software that moves the multilevel security management function from a handful of data centers down to trusted, handheld devices on the tactical edge,” said DARPA’s Joe Evans. DARPA scheduled a Proposers Day for the initiative on Jan. 31. [ComputerWorld]

EU Developments

EU – EU Releases Proposed e-Privacy Regulation Repealing e-Privacy Directive

The European Commission officially released its proposed draft regulation concerning privacy in electronic communications – the Regulation:

  • enters into force on the 20th day following its publication in the Official Journal;
  • will apply from May 25, 2018; and
  • repeals the e-Privacy Directive from May 25, 2018.

The Regulation applies to OTT providers and does not contain any specific data retention provisions (Member States may create national targeted data retention frameworks, taking into account the case-law of the Court of Justice on the interpretation of the ePrivacy Directive). The Regulation also imposes calling line identification requirements (including on calls to third countries originating in the EU and vice-versa). Infringements can be subject to administrative fines of up to €20,000,000 or up to 4% of total worldwide financial turnover. [European Commission – Proposal for a Regulation of the European Parliament and of the Council Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC (‘Regulation on Privacy and Electronic Communications’)]

EU – Commission Proposes High Level of Privacy Rules

The Commission is proposing new legislation to ensure stronger privacy in electronic communications, while opening up new business opportunities. The measures presented today aim to update current rules, extending their scope to all electronic communication providers. They also aim to create new possibilities to process communication data and reinforce trust and security in the Digital Single Market – a key objective of the Digital Single Market strategy. At the same time, the proposal aligns the rules for electronic communications with the new world-class standards of the EU’s General Data Protection Regulation. The Commission is also proposing new rules to ensure that when personal data are handled by EU institutions and bodies privacy is protected in the same way as it is in Member States under the General Data Protection Regulation, as well as setting out a strategic approach to the issues concerning international transfers of personal data. The proposed Regulation on Privacy and Electronic Communications will increase the protection of people’s private life and open up new opportunities for business:

  • New players: 92% of Europeans say it is important that their emails and online messages remain confidential. However, the current ePrivacy Directive only applies to traditional telecoms operators. Privacy rules will now also cover new providers of electronic communications services, such as WhatsApp, Facebook Messenger, Skype, Gmail, iMessage, or Viber.
  • Stronger rules: By updating the current Directive with a directly applicable Regulation, all people and businesses in the EU will enjoy the same level of protection for their electronic communications. Businesses will also benefit from one single set of rules across the EU.
  • Communications content and metadata: Privacy will be guaranteed for both content and metadata derived from electronic communications (e.g. time of a call and location). Both have a high privacy component and, under the proposed rules, will need to be anonymised or deleted if users have not given their consent, unless the data is required for instance for billing purposes.
  • New business opportunities: Once consent is given for communications data, both content and/or metadata, to be processed, traditional telecoms operators will have more opportunities to use data and provide additional services. For example, they could produce heat maps indicating the presence of individuals to help public authorities and transport companies when developing new infrastructure projects.
  • Simpler rules on cookies: The so-called “cookie provision”, which has resulted in an overload of consent requests for internet users, will be streamlined. New rules will allow users to be more in control of their settings, providing an easy way to accept or refuse the tracking of cookies and other identifiers in case of privacy risks. The proposal clarifies that no consent is needed for non-privacy-intrusive cookies that improve the internet experience (e.g. to remember shopping cart history). Cookies set by a visited website to count the number of visitors to that website will no longer require consent.
  • Protection against spam: Today’s proposal bans unsolicited electronic communication by any means, e.g. by emails, SMS and in principle also by phone calls, if users have not given their consent. Member States may opt for a solution that gives consumers the right to object to the reception of voice-to-voice marketing calls, for example by registering their number on a do-not-call list. Marketing callers will need to display their phone number or use a special prefix that indicates a marketing call.
  • More effective enforcement: The enforcement of the confidentiality rules in the Regulation will be the responsibility of national data protection authorities.

Source: European Commission – Press release | Stronger privacy rules for electronic communications – Questions and Answers | Communication on Exchanging and Protecting Personal Data in a Globalised World – Questions and Answers | Regulation on Privacy and Electronic Communications | Regulation on data protection rules applicable to EU Institutions | Communication on Exchanging and Protecting personal data in a globalised world | More information on ePrivacy | See also: IAPP.org | EU is failing to deliver Digital Single Market, says techUK | EU suggests certification schemes and codes of conduct could offer data transfer tools of the future, says expert | Plans for new e-Privacy Regulation published by European Commission | Facebook, Google face strict EU privacy rules that could hit ad revenues | New Notice and Consent Rules under Proposed EU e-Privacy Regulation | EU privacy proposal could dent Facebook, Gmail ad revenue]

EU – Hogan Lovells, Panthéon-Assas Create First DPO Degree Program

Panthéon-Assas University and Hogan Lovells have teamed up to create the first university degree for training Data Protection Officers under the General Data Protection Regulation. The program will include courses in law, cybersecurity, data analytics, management, and ethics, and will be taught by faculty including law school professors, practicing DPOs, information security specialists, lawyers, CNIL regulators, and representatives from major companies such as Google and Microsoft. [HL Data Protection]

EU – Every French Citizen Presumed to Be Organ Donor Under New Law

France has passed a law making every citizen an organ donor, unless they opt out by registering with a national refusal registry. The presumed consent law, which came into effect on Jan. 1, was passed in hopes of increasing organ and tissue donation. According to France’s national agency for biomedicine, individuals who do not wish to be an organ or tissue donor can either officially register their refusal or express their wishes to family who will be consulted before a donation is made. According to The Guardian, in a matter of one day, 150,000 citizens signed up for the refusal registry. In Canada, organ donation registration is managed provincially or territorially. Registration in Saskatchewan is the lowest in the country with less than one per cent of the province’s eligible residents having registered. In November, Saskatchewan Premier Brad Wall sought to implement the presumed consent model. The province’s Standing Committee on Human Services opposed the plan, but provincial Health Minister Jim Reiter said last month that they were still hoping to pass presumed consent in the province. Ronnie Gavsie, president and CEO of Ontario’s organ donation agency, Trillium Gift of Life, said presumed consent seems like a silver bullet but research shows it’s not. Citing Spain and Singapore as examples of where presumed consent alone didn’t have a dramatic impact on donation rates, Gavsie said implementing better policy and infrastructure to encourage more organ donation has seen increased rates. In Ontario, 30% of eligible donors are registered, up from around 24% in the last five years. Gavsie said new data being released in the next few months indicates a positive trajectory year over year. [Global News]

UK – Report: Children Do Not Comprehend Privacy Policies, Terms of Service

A report from the U.K. Children’s Commissioner revealed young internet users do not understand the privacy policies and terms of service of the social networks they join. Schillings law firm partner Jenny Afia rewrote the terms of service for Instagram in child-friendly language for the report. “One-third of internet users are children, but the internet wasn’t created for children,” Afia said. The report found the only people who could properly comprehend Instagram’s terms of service were people who had postgraduate levels of education. The report offered several suggestions, including rewriting the General Data Protection Regulation in terms children can understand and offering a “digital citizenship” program to teach young children about protecting their privacy online. [Quartz]

UK – Advocacy Group Spearheads Crowdfunding Campaign Against Investigatory Powers Act

Civil liberties group Liberty has started a CrowdJustice funding campaign to fuel a U.K. High Court challenge of the Investigatory Powers Act. Liberty takes particular umbrage with the act’s provision allowing internet service providers to log users’ internet use, calling the records “a goldmine of valuable personal information for criminal hackers and foreign spies.” The group has further called for the High Court to review the act’s “bulk interception, bulk hacking and bulk personal data sets… We’re very confident the High Court will rule that the powers we’re challenging are unlawful,” said a Liberty spokeswoman, who added that depending on the courts, the group could have a decision within the year. [TechCrunch]

EU – Paper Shows EU Affection for New Data-Transfer Mechanisms

Pinsent Masons’ Marc Dautlich has argued that a newly released paper from the European Commission indicates “the EU body’s appetite for new mechanisms for transferring personal data to emerge from certification schemes and codes of conduct provided for by the General Data Protection Regulation.” “Dautlich said that legal uncertainty over the future of some data transfer tools, including EU model contract clauses, could help encourage the development of alternatives based on GDPR certification schemes and codes of conduct.” He added that a way for organizations to “engage and exercise some control over their international data transfers” is to embrace certification schemes and codes of conduct as ways to establish “more legal certainty over such transfers.” [Out-Law.com]

EU – Commission Unsatisfied With US Reasoning for Yahoo Email Scanning

After asking for clarification on the matter, the European Commission is not satisfied with the U.S. government’s explanation of Yahoo’s email scanning practices for intelligence purposes. The U.S. promised not to participate in bulk surveillance in order to secure the EU-U.S. Privacy Shield. “While Yahoo is not signed up to the Privacy Shield and the scanning took place before the framework existed, the issue is a first test case of how the new system and the U.S. commitments on spying work in practice.” “I am not satisfied because to my taste the answer came relatively late and relatively general, and I will make clear at the first possible opportunity to the American side that this is not how we understand good, quick and full exchange of information,” said EU Justice Commissioner Věra Jourová. [Reuters]

EU – European Commission Clarifies Ad Blocker Detection’s Legality

In a proposed reform of Europe’s privacy law, the European Commission has said that websites’ detection of ad blockers is legal. “To combat the rise of ad blocking technology, which stops online adverts from showing up on websites, many publishers have opted to ban users who refuse to see advertising.” Previously, the move was largely seen as living in a “legal gray area.” EU digital policy head Andrus Ansip acknowledged the move might irk privacy advocates and those “people who want free access and couldn’t care [about] editorial costs.” “But legal clarity is needed,” he said. Publishers were pleased with the announcement. “It is vital that we retain the right to protect our content from those who wish to circumvent that value exchange,” said Dennis Publishing Chief Technology Officer Paul Lomax. [Financial Times]

EU – Draft German Law Pushes Private Video Surveillance in Public Areas

The German Government has presented a draft law that facilitates video surveillance for private operators of public areas and public events. The Federal Data Protection Law will be amended to introduce a legal basis for video surveillance. According to the draft law, the protection of life, health and freedom shall be regarded as a “particularly important public interest” that allows video surveillance. Private operators will not be obliged to install cameras. However, the government hopes that they will make more use of them. The German Association of Judges considers that the draft law conflicts with the German Constitution. [Global IP & Privacy Law Blog]

Finance

Study: Online Debt Lists Often Go Unencrypted

A Consumer Financial Protection Bureau study has found that lists of debts sold online to “would-be collection companies” are easily available and often unencrypted, including personal information like Social Security numbers and birthdates and other sensitive personal information of the purported debtors. “The Bureau is working to clean up abuses in this industry, and to see that all consumers are treated with fairness, decency, and respect,” CFPB Director Richard Cordray said. The study “expands public understanding of debt collection in the U.S. by providing the first comprehensive and nationally representative data on consumers’ experiences with a multibillion-dollar industry that includes more than 6,000 collection companies.” The bureau will host an event on debt collection in Washington this week. [USA Today]

FOI

CA – Nova Scotia’s New FOIPOP Website Welcomed, but ‘Systemic Problems’ Persist: Critics

Nova Scotia is making it easier for people to request and access government information. The government launched a new website with a warm welcome from people who make those requests but critics say more needs to be done to improve transparency. When requests are fulfilled, the applicants’ materials will be posted on the website after seven calendar days for anyone to access. The materials will stay on the website for three years. “These changes are cosmetic in nature, they’re positive, but they’re a small step forward,” said Kevin Lacey, Atlantic director for the Canadian Taxpayers Federation. [Global News]

CA – $180K for GTH Documents ‘Excessive’ and ‘Unreasonable’ –OIPC SK

Saskatchewan’s Information and Privacy Commissioner has rebuked the provincial government for demanding $180,000 for documents about the Global Transportation Hub land deal. In reports directed to each agency, commissioner Ron Kruzeniski concluded “this excessive fee was an unreasonable barrier to access.” In March, CBC filed 13 requests to the ministry and 15 to the GTH related to various aspects of the GTH land deal. Both agencies responded by lumping all the requests together and assessing the massive fee. Kruzeniski found they had “inappropriately issued one estimate of costs to respond to the applicant [CBC].” [CBC | Privacy commissioner calls for GTH land deal documents to be released; province not compelled to do so | Is the Sask. government hiding stuff behind huge info fees? | GTH won’t release land deal appraisal because it could ‘harm the reputation’ of preparer | Province worried disclosure of appraisal could affect government negotiations]

Genetics

CA – Life Insurers to Limit Genetic Test Disclosure

Canada’s life insurance industry has announced new measures aimed at protecting consumers from genetic discrimination. Insurance companies have agreed to a voluntary pledge stating they will no longer ask individuals applying for life insurance up to $250,000 for genetic testing information, or incorporate any information from previous genetic tests. The companies may still use tests for any person applying for higher amounts, but won’t inquire for results if the tests were done for medical purposes. Advocates for a federal bill (Bill S-201) making genetic discrimination illegal say the insurance industry’s pledge doesn’t go far enough and will still leave citizens vulnerable to insurers, employers and other entities who may discriminate based on genetic testing results. [The Globe and Mail | The Canadian Press]

Health / Medical

US – OCR Announces First HIPAA Settlement for Untimely Data Breach Reporting

The U.S. Department of Health and Human Services’ Office for Civil Rights announced Presence Health will pay $475,000 in the first HIPAA settlement based on the untimely reporting of a data breach involving unsecured protected health information. Presence Health sent a breach notification to the OCR in January 2014 stating it had discovered in October 2013 that paper-based operating room schedules containing the PHI of 836 individuals had gone missing. An OCR investigation found Presence Health did not notify the affected individuals, prominent media outlets, and the OCR within 60 days of discovering the breach. “Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements,” said the OCR Director. [Full Story]

US – OCR Releases FAQ Clarifying PHI Disclosures Within HIPAA Privacy Rule

The U.S. Department of Health and Human Services’ Office for Civil Rights released a FAQ clarifying aspects of personal health information disclosure policies with patients’ family members and other loved ones under the HIPAA Privacy Rule. The release of the FAQ is partially a response to the confusion surrounding the disclosure of health information following the 2016 Pulse nightclub shooting in Orlando, Florida. “In either circumstance, the person can be a patient’s family member, relative, guardian, caregiver, friend, spouse, or partner,” the FAQ reads. “The Privacy Rule defers to a covered entity’s professional judgment in these cases and does not require the entity to verify that a person is a family member, friend, or otherwise involved in the patient’s care or payment for care.” [HealthITSecurity]

US – Court Rules Reporting Patients Who View Child Porn Does Not Violate Privacy

An appellate court ruled a California law mandating psychotherapists report patients looking at internet child pornography is not a violation of patients’ privacy. The ruling also covers teenagers involved in any form of sexting. “The privacy interest of patients who communicate that they watch child pornography is outweighed by the state’s interest in identifying and protecting sexually abused children,” Division Two of the Second Appellate District ruled. The ruling came after several counselors aimed to block the Child Abuse and Neglect Reporting Act. CANRA required certain professionals to report any patients who made or exchanged child pornography. In 2014, the law was updated to include downloading child porn electronically. While the counselors said the act would scare off patients needing treatment, the three-judge panel said patients cannot expect privacy rights to cover child pornography, as viewing the material is illegal. [Courthouse News]

US – Joint Commission Reinstates Ban on Physicians Texting Patient Orders to Hospitals

The Joint Commission, which accredits and certifies healthcare organizations and programs in the US, issued a statement reinstating its ban on the use of text messaging to send healthcare orders. Privacy and security concerns remain about transmitting text orders even when a secure text messaging system is used; health care organizations should immediately suspend the process and revise their policies and procedures to prohibit the use of unsecured text messaging (computerized provider order entry systems remain the preferred method for electronically transmitting patient care orders). [TJC – Clarification – Use of Secure Text Messaging for Patient Care Orders is Not Acceptable | MWE.com]

US – FDA Discovers Security Vulnerabilities in St. Jude Health Tech

The U.S. Food and Drug Administration has discovered cybersecurity vulnerabilities in St. Jude Medical’s implantable cardiac devices and its Merlin@home Transmitter, the agency reports in a safety communication. After FDA review, the agency “confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient’s physician, to remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter… The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks.” While no reports of manipulated devices exist, St. Jude issued a patch to fix the technology’s vulnerabilities. [FDA.gov]

Horror Stories

US – 900 GB of Cellebrite Data Stolen and Released

Hackers have accessed and released 900 GB of data from Cellebrite, a “mobile phone hacking” company “popular with U.S. federal and state law enforcement” and potentially with governments like Russia and Turkey. The released information includes customer data, databases and information on Cellebrite’s products, and some appears to be from servers related to the company’s website. “The breach is the latest chapter in a growing trend of hackers taking matters into their own hands, and stealing information from companies that specialize in surveillance or hacking technologies.” After Motherboard informed Cellebrite of the breach, the company launched an investigation and advised Cellebrite users to change their passwords as a precaution. [Motherboard]

US – Big Law, Big Data, Big Problem

2016 was the year that law firm data breaches landed and stayed squarely in both the national and international headlines. There have been numerous law firm data breaches involving incidents ranging from lost or stolen laptops and other portable media to deep intrusions exposing everything in the law firm’s network. Law firms are warehouses of client information and how that information is protected is being increasingly regulated and scrutinized. Annually, the ABA conducts a Legal Technology Survey (Survey) [see here] to gauge the state of our industry vis-à-vis technology and data security. The Survey revealed that the largest firms (500 or more attorneys) reported experiencing the most security breaches, with 26% of respondents admitting they had experienced some type of breach. This is a generally upward trend from past years and analysts expect this number only to rise. This is likely because larger firms have more people, more technology and more data so there is a greater exposure surface and many more risk touch-points. The 2016 Survey shows that while many law firms are employing some safeguards and generally increasing and diversifying their use of those safeguards, our industry may not be using common security measures that other industries employ. [Polsinelli on Privacy | Chinese hackers of NY law firms charged | Chinese Traders Charged With Trading on Hacked Nonpublic Information Stolen From Two Law Firms | U.S. Charges Three Chinese Traders With Hacking Law Firms | Chicago Law Firm Accused of Lax Data Security in Lawsuit | Chicago’s Johnson & Bell First US Firm Publicly Named in Data Security Class Action | Law Firms’ Security Cross-Examined | Exclusive: China Stole Data From Major U.S. Law Firms]

Identity Issues

US – REAL ID Warning Signs Appear at Airports

Signs are sprouting up at many airports to alert travelers that beginning Jan. 22, 2018, the Transportation Security Administration will begin strict enforcement of the REAL ID requirements at airport security checkpoints. As it does now, TSA will continue to accept alternate forms of ID at airports, such as a passport, military ID or permanent resident card. But next year, driver’s licenses and state-issued ID cards from the nine states that don’t yet have REAL ID-compliant driver’s licenses and IDs — Kentucky, Maine, Minnesota, Missouri, Montana, Oklahoma, Pennsylvania, South Carolina and Washington — won’t be accepted. While DHS emphasizes that REAL ID “is a national set of standards, not a national identification card,” opponents argue that the act creates a national identity card and allows the federal government to gather and store too much personal information. Citing costs and other issues associated with implementing the standards, many states have opposed the REAL ID Act as well. [USA Today | Our Opinion: Maine shouldn’t cave on Real ID law | DHS: Even-handed Enforcer or Punisher of Select States? | Feds Ramp Up REAL ID Bullying Tactics | Yes, Michael, REAL ID Is a Nationwide Data-Sharing Mandate | REAL ID, Rumor Control, and You] See also: [Power Arrangements in Identity Systems]

Internet / WWW

WW – ‘Datak’ Online Game Looks to Educate Players On Data Privacy

Radio Télévision Suisse has released “a serious game about data protection and privacy” in four languages on its website. The game, “Datak,” looks to “raise awareness of data collection in all areas of life and how it is used,” Radio Télévision Suisse said. “The goal is to provide an educational tool but more importantly a fun and informative game that raises awareness without lecturing,” said On en Parle’s Julien Schekter. The online game is recommended for players ages 15 and up, and additionally doesn’t collect users’ data, Radio Télévision Suisse said. [Infomaniak]

Law Enforcement

CA – Street Checks by Halifax Police Are Unacceptable Says Privacy Lawyer

On Monday, Halifax Regional Police (HRP) released the preliminary analysis of data on “street checks” by patrol officers from 2005-2016. This came as a direct result of an investigative article by CBC, which found black people are three times more likely to be stopped by police in HRM than white individuals. [Halifax privacy lawyer David] Fraser says he was impressed to see HRP’s research coordinator, Chris Giacomantonio, taking a closer look at street checks. Still, he sees the practice as “inherently coercive” if police aren’t advising people that they don’t have to go along with it. He compares the issue to the act of “carding” in Toronto, as well as the more invasive “stop-and-frisk” practices in New York. Although HRP chief Jean-Michel Blais insisted during and after Monday’s board of police commissioners’ meeting that the cases in Halifax and Toronto aren’t the same, Fraser doesn’t see much of a difference. [The Coast | Tory MLA demands Alberta government stop police carding | City police reviewing street data collection amid civil liberties concerns over “carding” | Police stops based on racial profiling a reality, say Calgarians | Support for ‘bold’ Black Lives Matter carding data proposal | Trump Would Expand Stop-and-Frisk Program to Inner Cities Across U.S. | Donald Trump Embraces Wider Use of Stop-and-Frisk by Police | DNA Dragnet: In Some Cities, Police Go From Stop-and-Frisk to Stop-and-Spit ]

CA – Ontario Police Force May Post Names of Alleged Drunk Drivers Online

A major southern Ontario police force is considering naming and shaming alleged impaired drivers on social media, following one of the worst years on record for such offenses and few signs that current efforts will be sufficiently effective in 2017. York Regional Police tweeted about the possible policy change on Monday, following the arrest of a driver found passed out at the wheel in the middle of a busy intersection. “We’ve been discussing posting the names of all charged with impaired driving,” the force tweeted. “More to follow on that one.” Impaired driving charges have been on the rise in the region north of Toronto for the past five years. While the practice of identifying those facing criminal charges online is by no means new, York Regional Police Const. Andy Pattenden said individuals charged with impaired driving offences would be listed on a separate page for 30 days and their names would be made public on social media. The strategy would also take aim at those who breach the automatic 90-day licence suspension that comes with an impaired driving charge in Ontario. York Region isn’t the first police force to put an extra spotlight on alleged impaired drivers. Const. Pattenden said Niagara Regional Police Service and Durham Regional Police Service, as well as others in the province, have implemented similar strategies. [CTV News]

Location

US – Uber Makes Urban Traffic Data Available to City Officials, Researchers

As more cities seek access to Uber’s data, the ride-hailing company announced it is making its urban traffic data accessible to city officials and researchers, with future plans to make the information available to the public. Officials can access the data on a website called Uber Movement, allowing users to access Uber’s large amount of traffic information. Uber posted blog entries designed to show the ways urban planners and city officials can use the company’s data. Uber ensured all the information on the website will be private. The data will not include individual rides, but rather the travel times between specific locations. In areas where trips are not prevalent, maps will be grayed out to protect consumer privacy. [The Hill]

Online Privacy

US – TV Anchor Says Live On-Air “Alexa, Order Me A Dollhouse” – Guess What Happens Next

A San Diego TV station sparked complaints after an on-air report about a girl who ordered a dollhouse via her parents’ Amazon Echo caused Echoes in viewers’ homes to also attempt to order dollhouses. Telly station CW-6 said the blunder happened during a morning news package about a Texan six-year-old who racked up big charges while talking to an Echo gadget in her home. According to her parents’ Amazon account, their daughter said: “Can you play dollhouse with me and get me a dollhouse?” Next thing they knew, a $160 KidKraft Sparkle Mansion dollhouse and four pounds of sugar cookies arrived on their doorstep. During that story’s segment, a CW-6 news presenter remarked: “I love the little girl, saying ‘Alexa ordered me a dollhouse’.” That, apparently, was enough to set off Alexa-powered Echo boxes around San Diego on their own shopping sprees. The California station admitted plenty of viewers complained that the TV broadcast caused their voice-controlled personal assistants to try to place orders for dollhouses on Amazon. Voice-command purchasing is enabled by default on Alexa devices. [The Register] See also: [Servant or spy? Law enforcement, privacy advocates grapple with brave new world of AI assistants]

CA – Experts Divided on Social Media Surveillance

Experts are divided on whether actions taken against Media Sonar of London, Ont. [losing access to Twitter], were justified, but are united in the view that the case highlights the elusive balance between public safety and basic privacy rights. Media Sonar touts its social media monitoring software and algorithms as ideal tools for police and corporations to aggregate and filter data to improve safety and protect corporate assets. Twitter cut off the company’s access to its application program interface (API), saying its policies explicitly state that no third party can make use of Twitter data for surveillance purposes. [Waterloo Record | Twitter cuts off third surveillance firm for encouraging police to spy on activists | How Despots Use Twitter to Hunt Dissidents | Police Searches Of Social Media Face Privacy Pushback | Facebook, Instagram, Twitter block social media tool Geofeedia over protest surveillance | Police Use Surveillance Tool to Scan Social Media, A.C.L.U. Says | Facebook, Instagram, and Twitter Provided Data Access for a Surveillance Product Marketed to Target Activists of Color | Social media companies rescind access to Geofeedia, which fed information to police during 2015 unrest | Facebook, Instagram, Twitter Block Tool For Cops To Surveil You On Social Media]

US – FTC Study Examines Depths of Cross-Device Tracking

In a paper penned by the FTC Office of Technology Research and Investigation (OTech for short) [see FTC PR here], it was revealed that the majority of Alexa’s 100 most popular websites have policies that reserve the right to allow for third-party tracking and data collection, including browser data. According to the findings, only three of the 100 sites tested linked to a privacy policy that clearly acknowledged enabling third-party cross-device tracking. [Read the full report here.] While the report acknowledged several benefits related to cross-device tracking – saving credit card information, past purchase history, shipping information, et cetera – it’s also possible for companies to match cross-device data to offline data without the consumer being aware. Privacy policies were resoundingly mum on whether this was happening or to what extent. [AdExchanger | Advertising Age | FTC’s Cross-Device Study Reveals Opacity of Data-Sharing Practices]

Privacy (US)

US – LabMD Files Review Petition Against Data Breach Allegations

LabMD filed a petition for review on December 27, 2016, following a U.S. federal appeals court granting a stay of an FTC order in the continuing battle between the two parties over data breach allegations. The U.S. Court of Appeals for the 11th Circuit ruled that there was a low possibility of consumer risk or injury from the emotional harm and acts from the security issue. Additionally, the judges maintained that the FTC claims of “unfairness” did not meet the standards of the law that the agency was citing. In its petition for review, LabMD claimed that there had been “significant issues of statutory and constitutional interpretation” from the FTC. The agency overstepped its bounds in authority and “destroyed a small medical testing company.” The agency also did not prove that the document exposure was in any way connected to LabMD being able to “reasonably protect data maintained on its computer network” and it was not proven if those documents were even maintained on or taken from the network. The judge added that the “probability” that a health data breach would occur due to LabMD’s action was not proven. [Health IT Security | FTC Overstepped Data Security Authority: Appeal Briefs | Leaders from medical, business, tech rally around LabMD appeal of FTC ruling | LabMD’s 11th Circuit FTC Appeal: The Opening Shot | LabMD challenges scope of FTC’s cyber authority | The FTC Faces an Embarrassing Set-Back in its Data Security Enforcement Authority as the LabMD Saga Continues | LabMD Presses Appeals Court on FTC Data Security Case | Did the FTC Just Rewrite its Statute? What LabMD Means for Data Security Cases Going Forward]

US – U.S. Promotes Risk-Based Data Breach Response Model

The exiting Obama administration has embraced a risk-based approach to data breach preparation and mitigation for federal agencies in an Office of Management and Budget memorandum. Although aimed at agencies, official OMB guidance carries weight in the private sector. The endorsement of a risk-based approach is an acknowledgment that breaches are inevitable and resources should be directed to where breaches are more likely, the cybersecurity pros said. In addition, the report supports efforts to limit breach notices. The OMB Jan. 3 memo to federal agencies’ senior privacy officials outlined a “framework for assessing and mitigating the risk of harm to individuals potentially affected by a breach as well as guidance on whether and how to provide notification and services to those individuals.” The OMB memo said that agencies should assess “whether and when to notify individuals potentially affected by a breach.” Agencies should “balance the need for transparency with concerns about over-notifying individuals” as notifications may not always be helpful. [BNA.com | OMB Publishes Memorandum on Responding to Data Breaches | White House Issues Data Breach Guidance for Federal Agencies | White House issues gov’t-wide breach notification protocols]

US – Labor Department Sues Google Demanding More Detailed Employee Data

The U.S. Department of Labor is suing Google to obtain more detailed employee compensation data, but the Web giant says the agency’s demand is too broad and would reveal personal information. The request for the “compensation snapshot” was sent in September 2015 and Google was supposed to have responded with the data by June 2016. The requested information included job and salary history for certain employees, including their starting salaries, starting job levels, starting organization within Google and all changes to their jobs and salaries since being hired by the company. In a statement, the company denied that it was resisting the government’s request to turn over the data to the Department of Labor and said that its actions were based on the fact that the requested data was far too broad and intrusive. [eWeek]

US – D-Link Fights Back Against ‘Baseless’ Data Security Lawsuit

Suing companies for the potential of a data security breach would stifle IoT innovation, the firm representing D-Link against the FTC’s lawsuit has argued. Cause of Action Institute has announced that it will be defending D-Link against the FTC’s “unwarranted and baseless” lawsuit claiming that the technology company put thousands of customers at risk of unauthorised access by failing to secure its IP cameras and routers. [See here] The FTC should not be able to “bring a lawsuit on the mere potential of a data security breach”, Cause of Action Institute assistant VP Patrick Massari argued, as this would stifle innovation and uptake of the Internet of Things (IoT). “This lawsuit is another instance of the FTC’s unchecked regulatory overreach. Nearly every company will be subject to unconstrained and unexplored data security liability. Such limitless liability coupled with FTC’s history of unrelentingly litigious oversight will no doubt have a chilling effect on innovation in the Internet of Things.” D-Link Systems chief information security officer William Brown said the company is committed to fighting the FTC’s “false allegations” alongside Cause of Action Institute, which also represented LabMD in its successful data security suit against the FTC in 2015. [ZDNet | FTC vs D-Link: The legal risks of IoT insecurity | FTC sues D-Link for ‘insecure’ routers and IP cameras | FTC Charges D-Link Put Consumers’ Privacy at Risk Due to the Inadequate Security of Its Computer Routers and Cameras | FTC IoT privacy and security push points out D-Link router and webcam flaws | D-Link Calls The FTC’s Router And IP Camera Security Allegations ‘Baseless’ | The FTC Brings Section 5 Charges Against Internet-of-Things Companies]

WW – Your Data Is Being Held for Ransom. Now What?

Ransomware is an old topic in information security circles. Attackers have been hijacking computers and holding files hostage for years now, typically demanding that ransom be paid in bitcoins. Some might expect that a majority of people are well aware of the threat by now and that they’re taking the appropriate precautions. It’s therefore reasonable to assume that online thieves have moved on to new tactics. Sadly, according to a survey Sophos recently conducted [which asked 1,250 consumers in five countries about their biggest safety fears, where they sought advice for keeping their computers safe and how much they know about ransomware and other malware], that’s not the case. Consumers still feel in the dark about how ransomware works and how to guard against it. One of the toughest questions is what to do if your data is in fact hijacked. Do you pay the crooks or tell them to take a hike? As always, the best defense is not to get infected in the first place, so we’ve published a guide entitled How to stay protected against ransomware that we think you’ll find useful. [Naked Security] [Extortionists Wipe Thousands of Databases, Victims Who Pay Up Get Stiffed]

US – More States Moving to Include Usernames & Email Addresses as PII

A key issue in determining whether notification is required following a data breach is whether “personal information” (PI) was acquired by an unauthorized person. US states vary significantly in defining what information qualifies as PI. Some data breach notification statutes have been expanding the definition of PI by adding usernames and email addresses. Illinois, Nebraska, and Nevada are the latest. Three other states (California, Florida, and Wyoming) had previously enacted laws mandating that either a username or email address constitutes PI when combined with a password or security question and answer that would permit access to an online account. Private and government entities should also be aware that different jurisdictions apply varying standards to the collection of such information. Under European and many other international data privacy laws, PI includes any information that identifies an individual or from which an individual can be identified when aggregated with other information. [Lawfish]

US – States Making Lists of Breached Companies Public

All but three U.S. states require organizations that experience security breaches affecting their residents to report those breaches. While this information is available if people know to ask for it, four states – California, Indiana, Washington, and Massachusetts – have begun making the information publicly and freely available. [Wired: A Few States Now Actually Help You Figure Out if You’ve Been Hacked]

US – Cybersecurity Law Initiative Opens at GW Law

The George Washington University Law School has announced its Cybersecurity Law Initiative. The initiative aims “to bring together the law school’s nationally recognized strengths with expertise from across the university.” Located in Washington, it hosts “regular events on cybersecurity law and technology that are open to GW students as well as members of the public.” Directed by Orin Kerr, affiliated faculty include Daniel Solove and Jeffrey Rosen. [law.gwu.edu]

RFID / IoT

US – Montana Bill Prohibits Government Use of License Plate Scanners

Montana introduced House Bill No. 149, amending Montana Code Annotated Title 46, Chapter 5, Part 1 and relating to the use of license plate scanners by State and local government. Exemptions to the prohibition include use of a scanner for planning purposes (subject to anonymisation of vehicle, owner and passenger identity), state regulations concerning weight requirements for vehicles at ports of entry and weigh stations, or on the State’s own vehicles; the data may only be accessed by a state employee for the purpose of providing customer service or necessary government statistical, administrative, or legal activities, and may only be retained for a maximum of 18 months. [House Bill No. 149 – An Act Generally Prohibiting the Use of a License Plate Scanner by the State or a Local Government – 65th Legislature, Montana]

EU – ENISA Issues Assessment Criteria for Privacy Enhancing Technologies Used in Online and Mobile Applications

The European Network and Information Security Agency (“ENISA”) has issued a paper on parameters that can be used to assess privacy enhancing technologies for secure messaging applications. The criteria aim to provide a general understanding of how applications take user privacy and security into consideration through assessment of maturity and stability (maintenance, community support, audits/reviews), usability (difficulty of use, personal data when installed, user support), privacy policy implementation (types of data stored, number of times data is accessed, profiling), secure messaging (type of encryption used, security of stored data, user/client server/message authentication), anti-tracking tools (mechanisms used, data recipients, known performance issues), and VPNs (firewalls/kill switches used, type of logs used, protection/mitigation methods). [ENISA – PETs Controls Matrix – A Systematic Approach for Assessing Online and Mobile Privacy Tools]

EU – Institutions Should Ensure Applications Processing Personal Data Comply with Data Protection Principles

The European Data Protection Supervisor issued guidelines on protection of personal data in mobile applications developed and provided by EU institutions. Assessments should be done prior to use of mobile applications, taking into account the nature of the personal data to be processed, specific risks identified, and targeted data protection/security features of the operating system; users should be provided with an easily accessible and highly visible layered notice, and must provide specific, freely given consent before installation of the applications; data collected and/or transferred must be strictly necessary; and appropriate risk and vulnerability management processes must be implemented. [EDPS – Guidelines on Protection of Personal Data Processed By Mobile Applications Provided by EU Institutions]

Security

CA – Survey: Organizations Overconfident in Cybersecurity Efforts

An Accenture survey found 65% of cybersecurity and IT executives in Canadian organizations are confident their cybersecurity efforts produce valuable results, but the professional services company says security pros should not be as assured. Of the 124 respondents, more than three-quarters feel their top strategies are achieving desired business outcomes, but one-third also said they have discovered successful data breaches in the last 12 months. The results indicate “that (Canadian) companies have become and remain complacent,” Accenture’s Canadian Cybersecurity Lead Russell Thomas said. “There’s an over-confidence in the marketplace… We really need a wake-up call. Companies need to pay attention to security. Security is at the heart of systems today, supporting an enabling secure business and trusting business.” [IT World Canada]

US – Cyber-Risk Oversight Guide Aims to Inform Boardroom Decisions

The National Association of Corporate Directors at a press conference in Washington yesterday released guidance for directors struggling to manage cyber risks in the boardroom, Angelique Carson reports. Government officials from the Department of Justice and Department of Homeland Security joined the Internet Security Alliance and the NACD in releasing the “Director’s Handbook on Cyber-Risk Oversight,” and took the opportunity to encourage private-sector businesses to collaborate with the government before a data incident occurs. “Opening the kimono is not just good for one entity, but for everyone involved,” said Danny Toler, acting assistant secretary for cybersecurity and communications at DHS. [The Privacy Advisor]

Surveillance

US – NSA Given Expanded Power to Share Intercepted Communications

The Obama administration has given the National Security Agency expanded power to share globally intercepted personal communications with the other 16 government agencies before any privacy protections are implemented. Privacy advocates are concerned the move will harm the rules in place to protect the privacy of American citizens. “Rather than dramatically expanding government access to so much personal data, we need much stronger rules to protect the privacy of Americans,” American Civil Liberties Union lawyer Patrick Toomey said. “Seventeen different government agencies shouldn’t be rooting through Americans’ emails with family members, friends and colleagues, all without ever obtaining a warrant.” [The New York Times] See also: Best Buy technicians flagged customers’ computers with signs of child porn for FBI, lawyers say.

WW – Researchers: China Knows What Citizens Are Doing at ‘Micro Level’

Researchers from the Citizen Lab at the University of Toronto’s Munk School of Global Affairs contend there is a network inside China’s “Great Firewall” designed to collect information on hundreds of millions of individuals every day, in addition to private and state-owned organizations designed to exploit such data. The lab has studied popular messaging apps like WeChat, which serves more than 800 million people in China. Citizen Lab’s Ronald Deibert said Chinese authorities “have a wealth of data at their disposal about what individuals are doing at a micro level in ways they never had before.” He adds, “What the government has managed to do, I think quite successfully, is download the controls to the private sector, to make it incumbent upon them to police their own networks.” [CBC News]

US – Oakland Privacy Commission Passes First-of-Its-Kind Surveillance Ordinance

A local privacy committee has sent a proposed surveillance oversight ordinance to the city council. This is a rare example of a major American city set to impose stricter controls on the acquisition, use, and evaluation of spy gear. The “Surveillance and Community Safety Ordinance” unanimously passed out of Oakland’s Privacy Advisory Commission, formally moving it to the Oakland City Council. Passage of the ordinance was roundly applauded by local civil liberties advocates and legal scholars, some of whom spoke at the meeting. For years, American cities have often accepted federal, state, or regional grant money to obtain various surveillance equipment for their local law enforcement agencies. Lawmakers often don’t ask questions as to how and in what circumstances such gear will be used, nor do they typically evaluate after the fact whether those tools have actually been effective in reducing crime. Catherine Crump, a law professor at the University of California, Berkeley, and a former ACLU attorney, told the commission that the ordinance it has drafted “is thorough, clear, comprehensive, and has the potential to be adopted nationwide.” The draft ordinance may still be subject to minor changes before being adopted by the city council, particularly as to how it will be enforced. [Ars Technica | Oakland Privacy Commission Holds Hearing on ‘Stingray’ Cell Phone Surveillance Devices | Committee vote on police heat sensors signals cooperation between police, privacy activists | We know where you’ve been: Ars acquires 4.6M license plate scans from the cops | Oakland Poised to Lead in Protecting Privacy]

US – Baltimore Police Use Military Technology to Secretly Track You

When protesters took to the street after police shot and killed Michael Brown in Ferguson, Missouri, they were greeted by law enforcement in full body armor, flanked by armored vehicles. In the two and a half years and countless shootings since, militarized police have become an all too familiar sight. In response, citizens have overwhelmingly begun to film these interactions on their smartphones, making the technology the eyes of our nation. But as we watch the police, they also watch us – only they don’t use an iPhone. Often, they use military grade surveillance equipment that gives them a much broader view than simple cell phone cameras ever could. “They view people as enemy combatants,” says one activist, as cops adopt surveillance, tracking, and facial recognition programs designed for war zones. The city of Baltimore has, in many ways, become ground zero for the military surveillance technology that is slowly making its way from the battlefields into the hands of police departments across the country. The Baltimore Police Department has used surveillance technology such as large-scale aerial surveillance, advanced cell phone tracking and facial recognition technology on Baltimore’s citizens, yet these technologies have had little to no oversight from city government, and most have a disproportionate impact on communities of color. Examined together, these surveillance technologies demonstrate an extended record of secret surveillance by the Baltimore Police Department. [RollingStone | Baltimore surveillance plane documents reveal ignored pleas to go public, who knew about the program, and differing opinions on privacy | Eye in the sky: the billionaires funding a surveillance project above Baltimore | Secret aerial surveillance by Baltimore police stirs outrage | Secret Cameras Record Baltimore’s Every Move From Above | Baltimore police accused of illegal mobile spectrum use with stingrays | Potential FCC Probe of Police Cellphone Trackers Could Serve as Proxy for Congressional Battle]

CA – Vancouver Using Heat-Vision Camera to ID Poorly Insulated Homes

A new pilot project has been announced that will use a heat-vision camera to help Vancouver homeowners cut down on their energy bills. The images will help pinpoint places where heat is escaping, such as poorly insulated doorways, windows and roofs, but won’t show anything that’s happening inside, said Sean Pander, manager of green buildings for Vancouver. “Privacy is well-protected,” Pander said. “[The camera] can’t see anything inside the house, it just sees the surfaces and the temperatures of the surfaces.” Image capture could start as early as Jan. 15 if the weather is cold and dry enough for the thermal camera, and is expected to last several weeks. Before that begins, however, the city has promised four public information sessions where people can learn more about the program. People can also opt out if they’re uncomfortable having a thermal image taken of the outside of their home. [Source]

Telecom / TV

US – Google Wins App Data-Sharing Case Against Customer

A U.S. district judge sided with Google in a case between the tech company and a customer alleging it had illicitly shared her information with an app developer. Illinois resident Alice Svenson bought an app designed to convert SMS messages to emails. Svenson alleged Google shared her personal information with the app’s developer, YCDroid, and in doing so, broke its contract by sharing her information with a third party and lessened the value of her personal data. U.S. District Judge Beth Labson Freeman said in her ruling Svenson did not adequately show she had suffered any damages. “Consequently, Svenson has failed to show the existence of a triable issue of material fact with respect to her claim of injury in fact based on diminution in value of her personal information.” Google also successfully argued there was no evidence YCDroid actually viewed Svenson’s data. [MediaPost]

US Legislation

US – Email Privacy Act Reintroduced in Congress

A bipartisan group of lawmakers has reintroduced the Email Privacy Act [see here]. This law would update the 1986 Electronic Communications Privacy Act (ECPA). ECPA is the main statute governing law enforcement access to email. If passed, government agents would have to get a warrant to look at your emails. Current law allows law enforcement and government agencies to obtain your messages from email service providers without a warrant if they are older than 180 days. Federal agencies, which have relied heavily on the old and outdated ECPA, have also pushed for the law to remain unchanged. Mary Jo White, head of the Securities and Exchange Commission (SEC), has told the head of the Senate Judiciary Committee that the warrant requirement would block the SEC from obtaining digital content from service providers. Therefore, she asked that the government grant the SEC the power to compel email providers without a warrant. By extension, this would also give such agencies as the Internal Revenue Service (IRS) the right to demand your emails from your provider, say Google Gmail or Microsoft Outlook.com, without a warrant. [ZDNet | Bipartisan House Group Re-Introduces Email Privacy Bill | Email Privacy Act Revived for Another House Vote]

US – Washington Bill Prohibits Operators from Flying Over Private Property Without Consent

House Bill 1049, relating to unmanned aircraft and adding new sections to Chapter 47.68 and Chapter 4.24 of the Revised Code of Washington, was introduced and scheduled for public hearing in the House Committee on Technology & Economic Development. An owner or occupant of the property may bring an action for trespass if the drone has been flown over the property on at least one previous occasion and the operator has previously been notified that flight over the property is prohibited; damages of up to $500 can be recovered without proof of special damages, or injunctive relief may be awarded. [House Bill 1049 – An Act Relating to Unmanned Aircraft – 65th Legislature of the State of Washington]

Workplace Privacy

WW – Departing Employees Greatest Threat to Data Protection: Study

The number one data protection problem faced by organizations – cited by 69% – is the loss of data or knowledge suffered when employees leave the company. That is the finding of a new study by IT research and consulting firm Osterman Research, entitled “Best Practices for Protecting Your Data When Employees Leave Your Company”. Many of these problems are related to employees actually taking data with them when they depart, or leaving it in locations that are unknown or inaccessible to corporate data managers. [Information Management | How companies can deal with insider data theft | Thousands and thousand of times: a tale of an insider data breach | Heal Thyself: Insider Threats to Heed, Especially for Industries with Large Amounts of Personal Information | Insider Threats Behind a Sharp Rise in Data Theft]

WW – Privacy Third-Highest Concern When Employers Surveil Mobiles: Study

A TSheets study of 1,000 employees in various industries “where monitoring is most prevalent” has found a majority of workers are more concerned with how employer snooping affects battery life and data allotment than privacy, Fortune reports. “From a worker perspective, it apparently doesn’t feel like Big Brother is overreaching… According to TSheets, the majority of workers tracked by GPS said the technology gave them greater ability to track mileage and time, more accountability, and ensuring they got paid what they are owed.” Roughly two-thirds of respondents said that GPS tracking “built trust with employers, and promoted efficiency and safety.” [Fortune]

WW – BYOD a Threat to Business: Study

Bring Your Own Device (BYOD), the concept of allowing employees to work in the office or remotely using their own devices rather than company-owned ones, has been around for a while now and really makes the most of this ‘personal device era’. It’s convenient for employees to use their own devices, reduces the burden on IT admin and saves Capex costs for the business. But could BYOD end up being the company’s biggest threat? The Crowd Research Partners BYOD & Mobile Security 2016 Spotlight Report finds that 72% of respondents are concerned with data leakage and loss, 56% with unauthorized access to company data and systems, 52% with users downloading unsafe apps or content and 52% with malware. The areas of highest concern within the enterprise are: data leakage and loss, unauthorized access to company data and systems, downloading unsafe apps or content, and malware. [Unfortunately] there is no universal set of guidelines for employers and employees to work to. But there are some best practices that security experts recommend. [Beta News | Striking the balance between employee productivity and data security | 6 Best Practices for Managing BYOD Technology | How should companies deal with data security when they have a BYOD policy? | BYOD can pose privacy risks to employees | 72 per cent of organisations support BYOD despite privacy and security concerns]

+++
