14-20 January 2017


US – Court Rules Against Man Forced to Fingerprint-Unlock His Phone

Unlocking a phone like this “is no more testimonial than furnishing a blood sample.” A Minnesota appellate court ruled against a convicted burglar who was forced by a lower state court to depress his fingerprint on his seized phone, which unlocked it. This case, State of Minnesota v. Matthew Vaughn Diamond, marks the latest episode in a string of unrelated cases nationwide that test the limits of digital privacy, modern smartphone-based fingerprint scanners, and constitutional law. As has been reported before, under the Fifth Amendment, defendants cannot generally be compelled to provide self-incriminating testimony (“what you know”). But giving a fingerprint (“what you are”) for the purposes of identification or matching to an unknown fingerprint found at a crime scene has been allowed. It wasn’t until relatively recently, after all, that fingerprints could be used to unlock a smartphone. The crux of the legal theory here is that a compelled fingerprint isn’t testimonial, it’s simply a compelled production—like being forced to hand over a key to a safe. Had the defendant been forced to disclose his passcode (instead of depressing his fingerprint) to his phone, the constitutional analysis likely would have been different. [Ars Technica | To beat crypto, feds have tried to force fingerprint unlocking in 2 cases | Apple’s Touch ID blocks feds—armed with warrant—from unlocking iPhone | Woman ordered to provide her fingerprint to unlock seized iPhone | Minnesota court on the Fifth Amendment and compelling fingerprints to unlock a phone | Here’s Why Feds Are Winning The Fight To Grab iPhone Passcodes And Fingerprints | Cops Could Force Google Pixel Users To Voice-Unlock Their Phones | Feds Walk Into A Building, Demand Everyone’s Fingerprints To Open Phones | How the Feds Justify Collecting Fingerprints to Unlock Everyone’s Phones | Can warrants for digital evidence also require fingerprints to unlock phones? | For the First Time, Federal Judge Says Suspect Must Use Fingerprint to Unlock Smartphone | Search Warrants Could Force You to Unlock Your iPhone via Touch ID]

WW – Researchers Extract Fingerprint Data from Digital Photograph

A pair of Japanese researchers have copied the fingerprint data from a digital picture of an individual making a peace sign. “One can use it to assume another identity, such as accessing a smartphone or breaking and entering into a restricted area such as an apartment,” Japan’s National Institute of Informatics professor Isao Echizen said. Working with fellow researcher Tateo Ogane, Echizen extracted the fingerprints from a digital photograph taken three meters away. [Reuters]

CA – Gemalto Wins Privacy Design Award for Biometric ID Verification Solution

Gemalto announced that it has won the ACT Canada IVIE Award in the “Privacy by Design” category for its ID Verification solution. As banks and mobile operators look to provide more convenient services through digital and self-service channels, the need to validate a customer’s identification becomes even more necessary. Gemalto’s ID Verification enables this new convenience while maintaining security by allowing customers to scan their picture ID remotely on their device. The service helps to comply with anti-money laundering and Know Your Customer regulations by providing a way to verify ID documents, such as driver’s licences or passports, across customer service channels – online, face-to-face, ATM or mobile app. Gemalto’s technology validates legitimate IDs, flags counterfeits, and provides a trust score in real time. In a face-to-face scenario, for example, to open a bank or mobile phone account, a representative will use a tablet to scan the customer’s ID, which the system verifies against a database of document templates from 180 countries for visual integrity, data consistency, and ID security features. In a self-service scenario, customers first scan their driver’s licence or ID and then take a selfie. The system uses facial biometrics to verify that the picture on the card matches the selfie, and if so, can automatically fill out the name, address and other fields in the bank’s online forms. The award was presented by Dr. Ann Cavoukian, former Information and Privacy Commissioner of Ontario and now Executive Director of the Privacy and Big Data Institute – Where Big Data meets Big Privacy at Ryerson University. [Yahoo]


CA – Canada Revenue Agency Monitoring Facebook, Twitter Posts of Canadians

The Canada Revenue Agency is scrutinizing the Facebook pages, Twitter feeds and other social media posts of Canadians it suspects could be cheating on their taxes. The agency is increasing its focus on what it can learn by collecting and analyzing many kinds of data — both its own internally generated information and what it calls “publicly available information.” “The CRA does practice risk-based compliance, so for taxpayers identified as high risk, any relevant, publicly available information relating to the specific risk-based factors for the taxpayer may be consulted as part of our fact-gathering processes,” said a spokesperson. Among those considered high risk are wealthy Canadians with offshore bank accounts. Tobi Cohen, spokesperson for the privacy commissioner, said CRA notified it of its plan to collect publicly available information from social media in connection with “tax fraud and non-compliance risk analysis, audits and investigations.” However, David Christopher, of the advocacy group Open Media, said his organization opposes government agencies monitoring what Canadians are saying on social media. “When Canadians post something on Facebook, they believe that they are sharing that with their friends and with their family. They don’t believe that they are sharing that with some government bureaucrat in Ottawa… Unfortunately, Facebook’s privacy settings are notoriously complex and many people might think that they are posting something to their friends and it ends up getting shared with the whole world.” The revelation that the Canada Revenue Agency is checking social media posts comes as the agency is also expanding its use of cutting-edge technology and data analysis to better catch tax cheats, to target people for audits and to improve its service for Canadians. Business intelligence, also known as big data, is a rapidly growing area within CRA. In 2016 alone, the agency posted three separate privacy impact assessments centred on its plans to use business intelligence techniques in its operations. [CBC News]

CA – Waterloo Rolls Out Licence Plate Scanner, Approves Privacy Rules

The licence plate recognition software the city has been interested in since 2011 will finally be implemented. A review was conducted to find out if bylaw officers taking photos of parked cars will have a negative impact on privacy. “The Licence Recognition Program is supplementing an existing manual process and doesn’t really increase the amount of information being collected. We now have an electronic database and information that includes photographs and GPS location of the vehicle. Other than that, the information we collect is the same,” said Julie Scott, deputy city clerk. The new system [has] camera equipment loaded onto the front and back of the clearly marked City of Waterloo vehicle [that] will capture parked cars’ licence plates and tire valves, to see if cars were moved and re-parked. A computer will log the plate numbers, GPS locations of vehicles, dates and times. Non-violator information will be purged immediately, said Scott. Violator information will be housed on secure city servers at city facilities and will be transferred using secure encrypted methods. Any personal information collected accidentally when a picture is taken will be redacted. “Officers who use the system don’t, by virtue of the system, have access to personal information,” said Scott. As part of the licence plate recognition software privacy impact assessment, the city collaborated with legal, legislative and enforcement services. It also had guidance from the information privacy commissioner’s office. [Waterloo Chronicle | New tech modernizing parking enforcement in Waterloo | Waterloo approves privacy rules for licence plate scanner]

CA – Manitoba Scraps Plan to Combine Health Cards with Driver’s Licenses

Manitoba will not be going forward with a plan to combine health cards with driver’s licenses. Health Minister Kelvin Goertzen said concerns about additional costs, the work needed to change legislation, and the impact on storing health information were the primary reasons for why the idea will not proceed. Goertzen said if Manitoba wants to revive the idea of a single personal information card, it will need to be done correctly from the start. “We also have to determine how to assess privacy legislation compliance,” said Goertzen. “The work compiled to date will be used to develop and implement a strategy for identity management that can be applied across government.” [The Canadian Press]

CA – MPI Will No Longer Publish Home Addresses on Vehicle Registrations

Privacy concerns are pushing Manitoba Public Insurance to remove home addresses from noncommercial vehicle registrations this spring. “Vehicle registration cards are often left inside the vehicle, which makes them susceptible to being taken should the vehicle be broken into,” Crown Services Minister Ron Schuler said. “Removal of the registered owner address will ensure the privacy, confidentiality and security of registered vehicle owners is maintained in these cases.” As of March 1, anyone renewing their registrations will no longer have their home addresses on the documentation, with the Crown corporation planning to issue the new cards at no extra cost. [CBC News]

CA – Alberta Orgs Push for More Data Sharing in Vulnerable Children Cases

Several organizations called for more information sharing and transparency when handling the data of vulnerable children. Alberta School Boards Association’s Jim Gibbons cited a case in which a child had died and data sharing could have helped. Gibbons said the death could have been avoided had all the available information been shared. “We need to protect privacy but also share information, particularly when it pertains to an at-risk child or youth. It could mean the difference between living and dying,” said Gibbons during a review of the Child and Youth Advocate Act. [Edmonton Journal]

CA – OIPC SK: Trustees Can Rely on Deemed Consent

The Office of the Saskatchewan Information and Privacy Commissioner has issued guidance on deemed consent under the Health Information Protection Act. Deemed consent means that the data subject has given no signal of consent to, and has no mechanism to opt out of, the collection, use or disclosure of personal health information; trustees can forgo express or implied consent only when an individual is unable to give consent, is unconscious, or in emergency circumstances. [OIPC SK – Deemed Consent in HIPA – What Is It?]

CA – Full Bell Aliant Contract Should Be Public: PEI Privacy Commissioner

P.E.I.’s privacy watchdog has ordered Bell Aliant to release its telephone services contract with the P.E.I. government in its entirety. Privacy commissioner Karen Rose disagreed with Bell Aliant’s argument that releasing the full document would harm the business interests of the company. “The goals of transparency and accountability would be futile if public bodies were permitted to form contracts whose terms were kept secret from Islanders,” Rose says in her ruling. “Businesses who contract with government should be mindful of government’s accountability to the public. This accountability is especially applicable to government’s expenditure of public funds.” The ruling comes in response to a freedom of information request asking for the full Bell Aliant contract. [The Guardian]


WW – Companies Should Shoulder Most of the Data Protection Efforts: Report

A report from Gemalto finds a majority of consumers believe organizations holding their data are responsible for protecting their information. Surveying 9,000 people from around the world, respondents said 70% of the data protection effort should fall on the companies, with the remaining 30% falling on consumers. “Consumers have clearly made the decision that they are prepared to take risks when it comes to their security, but should anything go wrong they put the blame with the business,” said Gemalto’s Chief Technology Officer for Data Protection. “The modern-day consumer is all about convenience and they expect businesses to provide this, while also keeping their data safe.” [ZDNet]

US – Mississippi AG Sues Google for Allegedly Violating Student Privacy

Mississippi Attorney General Jim Hood is suing Google for allegedly violating student privacy. Hood is accusing the tech company of violating the state’s consumer protection law by selling ads using data it collects from services it provides to schools, specifically citing a test involving student accounts from the state-run Mississippi School of Math and Science in Columbus. During the test, targeted ads appeared based on previous searches, and Hood is asking a judge to force Google to stop the practice. “They’re building a profile so they can advertise to them,” Hood said. “They expressly stated in writing that they would not do that.” Hood’s lawsuit said Google could be fined $10,000 per student account, with the total penalties possibly exceeding $1 billion. [The Associated Press]

US – It’s Grades, Not Privacy, That Matter to Generation Z: Study

For generations of students, the prospect of their lecturers prying into their study habits would have been anathema, but for Generation Z it’s not privacy but grades that matter. Three quarters of students would welcome closer monitoring of their study habits as a way to cut drop-out rates, while almost half said it could help them get better grades, according to a new survey. The findings turn on its head the widely held assumption that students jealously guard their privacy and are highly resistant to efforts to monitor their behaviour outside of the lecture hall. In 2015 Google was forced to defend itself from accusations that it was snooping on students by harvesting data on students using Chromebooks in order to generate targeted advertisements. [Forbes]


EU – Institution Web Services Shouldn’t Assume User Consent Is Valid Forever

The European Data Protection Supervisor has issued guidance focusing on specific aspects of web services provided by EU institutions. Where personal data are processed on the server side or through tracking and profiling, users should be given the possibility to review their decision; institutions should periodically remind users that they gave their consent to tracking and what they consented to, which should be done at least every 6 months, and more frequently in the case of profiling. [EDPS – Guidelines on the Protection of Personal Data Processed Through Web Services Provided by EU Institutions]

EU Developments

EU – New A29WP Guidelines on Data Protection Officers

The EU’s Article 29 Working Party has published new Guidelines on the role of Data Protection Officers under the General Data Protection Regulation. Data Protection Officers are seen as a cornerstone of data protection compliance, and many businesses will be subject to a mandatory obligation to appoint a Data Protection Officer. The Guidelines provide businesses with useful information on the appointment and role of Data Protection Officers. The GDPR will introduce significant new obligations which will require many businesses to appoint DPOs. The GDPR will also implement a much more formal framework around the roles and responsibilities of DPOs. [White & Case]

UK – CJEU Ruling in Tele2, Takeaways & Impact on Snooper’s Charter

The CJEU’s recent decision in the Tele2/Watson case contains interesting guidance on the rules around the retention of communications data and the safeguards that must be in place to protect it. It may also call the viability of the new Investigatory Powers Act into question. The key issue in the case was whether legislation in Sweden and the UK, which imposed an obligation on public communications providers to retain traffic and location data, was compatible with EU law. The UK legislation required public telecommunications operators to retain all such communications data for a maximum of 12 months where required to by the Secretary of State. The CJEU gave guidance on the aspects of national legislation that would be deemed unlawful under EU law. Here are the most important takeaways from the judgment:

  1. The intrusiveness of traffic and location data;
  2. The purpose for retention must be limited to fighting serious crime;
  3. Retention must be targeted to what is “strictly necessary” to fight serious crime;
  4. Access to the data must be subject to prior review by a court or independent authority;
  5. Data subjects must be informed as soon as possible; and,
  6. Retained data must stay within the EU.

It is clear that many aspects of the new Investigatory Powers Act 2016 (IPA) still fall short of satisfying the CJEU’s criteria above. The UK will need to consider carefully what amendments, if any, it will make to the IPA to bring it into conformity with EU law. [Privacy, Security and Information Law Blog | CJEU holds that mass surveillance must not be general and indiscriminate | The CJEU Gives the UK Government Another Brexit Dilemma | The Court of Justice of the European Union Limits the Scope of National Data Retention Laws | EU court ruling on ISP data retention may influence Canada | In Major Privacy Victory, Top EU Court Rules Against Mass Surveillance | EU’s highest court delivers blow to UK snooper’s charter | EU ruling means UK snooper’s charter may be open to challenge]

US – Switzerland and US Regulators Agree to Privacy Shield Framework

The Swiss government has reached an agreement with the US Department of Commerce on a new Swiss-U.S. Privacy Shield framework (“Swiss Shield”). The Framework is needed for secure, efficient transfers of personal data to the US (which does not have an adequate level of protection), and is similar to the EU-US Framework, guaranteeing the same conditions for individuals and businesses in Switzerland; US companies that obtain certification will be recognised as having adequate data protection standards, and Swiss companies will be able to transmit data to these companies without requiring additional contractual guarantees. [Switzerland Federal Council – Swiss-US Privacy Shield – Better Protection for Data Transferred to the USA]

EU – Swedish Government Provides Protection for Whistleblowers

The Swedish Ministry of Employment issued Act 2016-749 on Special Protections Against Victimisation of Whistleblowing Employees, which is effective on January 1, 2017. Employees can report incidents to union representatives, using internal reporting procedures, to the employer, or to the public (if the employer does not take reasonable action in response to reporting, or inform the employee of measures taken); employees that incriminate themselves when reporting an incident do not have protections under the law, and employers are prohibited from retaliating against whistleblowing employees (e.g. dismissal, redundancy). [Act 2016-749 on Special Protection Against Victimisation of Whistleblowing Workers – Sweden Ministry of Employment]


EU – Mobile Payments Provide Multiple Threat Opportunities

The European Network and Information Security Agency has issued guidance on mobile payments and digital wallet applications. Threats include those from users (phishing), devices (lost/stolen), apps (reverse engineering), merchants (relay attacks on near field communication enabled POS contactless terminals), payment service providers (data connectivity compromise), acquirers (repudiation of mobile payment authorization), payment network providers (token service provider services and servers compromise), issuers (payment fraud), servers and cloud services (DDoS attacks), and digital wallet enrolment (potentially immature code may have security weaknesses). [ENISA – Security of Mobile Payments and Digital Wallets | Press Release]


WW – Study Applies Game Theory to Genomic Privacy

A new study presents an unorthodox approach to protect the privacy of genomic data, showing how optimal trade-offs between privacy risk and scientific utility can be struck as genomic data are released for research. The framework can be used to suppress just enough genomic data to persuade would-be snoops that their best privacy attacks will be unprofitable. [ScienceDaily]

Health / Medical

WW – New Report Assesses State of Data Sharing for Healthcare Analytics

A new report from Privacy Analytics, in collaboration with the Electronic Health Information Laboratory, summarizes the key findings from a survey that assessed the state of data sharing in healthcare and the challenges in disclosing data for secondary use. Secondary use of health data applies to protected health information that is used for reasons other than direct patient care, such as data analysis, research, safety measurement, public health, payment, provider certification or marketing. Key findings:

  • There is a lack of total confidence in the ability to protect privacy: More than two out of three respondents lack complete confidence in their organization’s ability to share data without putting privacy at risk.
  • The demand for data is growing as fast as the amount of data being collected. More than half of the respondents plan to increase the volume of data stored or shared within 12 months and two-thirds currently release data for secondary use.
  • Individuals lack familiarity with advanced methods of de-identifying data. As a result, they release information that has been stripped of its usefulness or share data in a way that puts them at an unacceptably high risk of a breach.
  • Most organizations use approaches that can result in high risk datasets. More than 75% of respondents said that their organization uses one or more of the following: data-sharing agreements, data masking or Safe Harbor.
  • Healthcare organizations are slowly starting to monetize data assets. One in six says they share data with other organizations for profit. [Source]

US – Health Data Breaches Doubled in 2016, but Fewer Records Lost: Report

A Protenus report reveals data breaches nearly doubled in health care organizations last year, but far fewer patient records were lost in the cyberattacks. The report found 27.3 million records were compromised in 2016, down from 113 million in 2015. Health care suffered 450 breaches in 2016, up from 253 in 2015. “While it may seem that there is a significant drop between the total patient records affected by health data breaches from 2015 to 2016, most of that difference is attributable to a single event. Anthem was the largest health data breach of 2015, affecting 80 million patient records. Once this single breach is removed, the side-by-side comparison between 2015 and 2016 isn’t drastically different, 33 million vs. 27 million respectively.” [SC Magazine]

Horror Stories

AU – Accident Leads to Breach of 8,709 Gun Owners’ Details

Staff at the Victorian government’s Department of Environment, Land, Water and Planning accidentally emailed out the personal details of 8,709 gun owners. “The error occurred on eight separate occasions, with the attached files including between 800 to 1,900 names,” the report states. “It really was a simple case of human error,” the department said. “The [staff] concerned are horrified … and have been counselled.” The department contacted the recipients of the eight emails and confirmed that they were either deleted or not received. Additionally, “on advice from the state’s privacy commissioner, the department is posting letters to each of the 8,709 people involved… The department has also contacted Victoria Police.” [ABC]

Identity Issues

EU – UN Free Speech Advocate Criticises UK Plan to Curb Access to Online Porn

The UN’s free speech advocate has warned that British government plans to enforce age verification and some censorship of pornographic websites risk breaking international human rights law and would contribute to a “significant tightening of control over the internet”. David Kaye, the special rapporteur on the promotion and protection of the right to freedom of opinion and expression, called on ministers to conduct a comprehensive review of the digital economy bill, which he said facilitated state surveillance and lacked judicial oversight. The bill, intended to regulate a range of issues relating to the internet and electronic records, also includes measures to increase data sharing between government departments and protect intellectual property. But it is the measures to control pornography that have sparked an outcry amid fears that they will create a database of internet users’ sexual proclivities and roll back Britain’s censorship regime to the pre-internet era. If the bill passes it will outlaw the depiction online of a range of legal-to-perform sex acts. Its passage is highly likely, with support in parliament from both Labour and the Conservatives, and only the Liberal Democrats indicating they will oppose it. Kaye’s objections focus on the risk posed by age verification requirements to individuals’ privacy. In a letter to the UK’s ambassador to the UN, he says he is concerned that the new rules “fall short of the standards of international human rights law”. [The Guardian]

Law Enforcement

CA – Federal Officials Approved Winnipeg Police Purchase of Spying Devices

Federal public safety officials approved a licence that would enable the Winnipeg Police Service to purchase devices from an undisclosed company designed to intercept the private communications of citizens. The licence was approved for a 12-month period by the assistant deputy minister of Public Safety Canada’s national security branch on June 23, 2016. Approvals were also signed for Durham Regional Police, Ontario Provincial Police, RCMP and the Canadian Security Intelligence Service, according to the records. The records also showed evidence of 93 occasions dating back to 2008 of licence requests processed by Public Safety Canada. Often referred to as IMSI (international mobile subscriber identity) catchers, these covert tools masquerade as conventional cellular towers, causing mobile phones to transmit signals to the rogue device, rather than directly to towers operated by wireless providers. [CBC | Application form for selling spyware in Canada | ATIP release from Public Safety Canada | Winnipeg Mayor & Privacy Lawyer A-OK with Cops Using IMSI | ‘Shady, secretive system’: Public Safety green-lit RCMP, CSIS spying devices, documents reveal | Ottawa should tell the truth about ‘stingrays’: Editorial | Government use of surveillance devices must be restricted: privacy experts | Long-Secret Stingray Manuals Detail How Police Can Spy on Phones | Vancouver police admit using StingRay cellphone surveillance, BCCLA says | Local Police In Canada Used ‘Stingray’ Surveillance Device Without a Warrant | Privacy watchdog to investigate RCMP over alleged ‘stingray’ cellphone surveillance | StingRays breach cell phone privacy]

UK – Police Should Need Warrants to Search Mobile Phones: Campaigners

Police use of data extraction equipment to download information from suspects’ mobile phones should require a search warrant, according to privacy campaigners. The practice is becoming increasingly routine across most forces but is inadequately regulated and being carried out by insufficiently trained officers, Privacy International claimed. Digital forensic equipment has been used under counter-terrorism powers at ports and airports to download data from mobile phones for several years. Concerns over the practice were first raised by the independent reviewer of terrorism legislation, David Anderson QC, in 2012. The technology has now spread to other police forces. Mobile phone data can contain an enormous amount of private information, including photographs. [The Guardian]

Online Privacy

WW – Startup Allows Users to Control Data When Signing Up for Websites

A new startup is working to create a product allowing users to have more control over their data when signing up for websites. Blockstack will be releasing software later this year allowing users to control their digital identity. Whenever a user signs up for a website needing personal information, the user will be able to grant access under a profile they control. If they wish to stop using a service, the user can revoke the access to the profile and data. Blockstack plans to accomplish this functionality by using blockchain technology to track usernames and associated encryption keys. “We’re trying to turn the existing model on its head,” says Blockstack CEO and co-founder Ryan Shea. “You can try to work with the existing model from within, but sometimes it’s easier to step outside of it and build something new from a clean slate.” [MIT Technology Review]

EU – Proposed Reputational Profiling Not Compliant with Data Protection Code

The Italian data protection authority considered a request for approval for personal data processing to produce a “reputation rating” by Mevaluate Holdings, Ltd., Mevaluate Italy, and Mevaluate Onlus Association pursuant to the Data Protection Code. Such profiling via web platform would violate multiple statutory requirements; the processing implicates sensitive data that impacts personal dignity, and is not subject to guarantees of impartiality and independence (i.e. the decisions are automated). There are concerns with the reliability of the data (documents used for profiling can be forged), possible misuse (i.e. blacklist purposes), inadequate security measures (encryption only for judicial data), and consent that is not freely given (due to the potential for adverse effects of the profiling on individuals). [DPA Italy – Decision No. 488/2016 – Web Platform for Development of Reputational Profiles | Summary available in Italian]

Other Jurisdictions

AU – Pilgrim Cautions Senate Committee Against Drone Deregulation

Australian Privacy and Information Commissioner Timothy Pilgrim has warned against deregulating commercial drone use in a submission “to the Senate committee investigating the safety implications of the new rules that allow commercial operators to fly without a license, drones weighing less than 2 kg.” While drones have economic impact, they also raise privacy concerns, Pilgrim said. “Privacy risks presented by drone use range from inadvertent privacy breaches through the collection of personal information, such as photographs of individuals and their activities, to potential conduct that meets criminal-offence thresholds such as stalking,” Pilgrim said. He said he would “support increased training and education to inform drone pilots of their responsibilities and to protect the privacy of individuals.” [The Australian]

Privacy (US)

US – Obama Releases Report on Privacy, Surveillance and Innovation

In the last week of his presidency, former President Barack Obama released a report summing up his administration’s work on privacy, surveillance and innovation. The report includes the administration’s work on domestic and international privacy initiatives, including the Privacy Shield and APEC frameworks as well as reforms to national surveillance. [Privacy in our Digital Lives: Protecting Individuals and Promoting Innovation]

Privacy Enhancing Technologies (PETs)

US – NIST Publishes Guidance on Privacy Engineering and Risk Management in Federal Systems

This document from NIST provides an introduction to the concepts of privacy engineering and risk management for federal systems. These concepts establish the basis for a common vocabulary to facilitate better understanding and communication of privacy risk within federal systems, and the effective implementation of privacy principles. This publication introduces two key components to support the application of privacy engineering and risk management: privacy engineering objectives and a privacy risk model. [NISTIR 8062 An Introduction to Privacy Engineering and Risk Management in Federal Systems]

Smart Cars / IoT

US – Smart City Prevalence to Increase by 2019: Study

Research firm Gartner has estimated that half the citizens of million-person cities will voluntarily fuel smart city enterprises with their data by 2019. “As citizens increasingly use personal technology and social networks to organize their lives, governments and businesses are growing their investments in technology infrastructure and governance,” said Gartner. “This creates open platforms that enable citizens, communities and businesses to innovate and collaborate, and ultimately provide useful solutions that address civic needs.” While machine-readable data is already generated in bulk, “the city becomes ‘smart’ when data is collected and governed in such a way that can produce valuable real-time streams, rather than simply backward-looking statistics or reports,” Gartner said. [ZDNet]

AU – Internet-of-things Tools With Augmented Reality Worry Australians: Study

ISACA research has found that 70% of Australians are concerned that internet-of-things devices with augmented reality pose a threat to their privacy, increasing the chance of a breach. “With the proliferation of IoT-enabled devices and the drive to provide enhanced user experiences, IoT and AR have the power to become a source of unprecedented value and opportunity, as well as significant risk,” said ISACA. “Individuals and enterprises should focus on rapidly getting up to speed on these technologies while learning how to manage risk so they do not compromise their company’s ability to innovate.” [iTWire]

UK – Britain’s Draconian Surveillance Laws Called “Disproportionately Dangerous” by New Amnesty International Report

The Investigatory Powers Act, which legalised the bulk surveillance of everyone’s internet activity, “threatens to have devastating consequences for privacy and other human rights in the UK and beyond”, according to Amnesty International. The damning verdict on Britain’s surveillance state comes as part of the human rights group’s new “Disproportionately Dangerous” report, which looks at the Europe-wide trend towards more draconian laws that threaten our rights – like the IP Act, which is also known as the Snooper’s Charter. After describing the powers that the law enables, Amnesty concludes that “Such provisions, lacking any requirement for individualized, reasonable suspicion, are contrary to human rights law. Even the allegedly targeted ‘thematic’ warrants are so broad that they will undermine privacy rights well beyond what human rights law allows.” “The last two years, however, have witnessed a profound shift in paradigm across Europe: a move from the view that it is the role of governments to provide security so that people can enjoy their rights, to the view that governments must restrict people’s rights in order to provide security. The result has been an insidious redrawing of the boundaries between the powers of the state and the rights of individuals.” [Gizmodo]

US – Privacy Threat from Always-on Microphones Like the Amazon Echo: ACLU

A warrant from police in Arkansas seeking audio records of a man’s Amazon Echo has sparked an overdue conversation about the privacy implications of “always-on” recording devices. This story should serve as a giant wakeup call about the potential surveillance devices that many people are starting to allow into their own homes. The Amazon Echo is not the only such device; others include personal assistants like Google Home, Google Now, Apple’s Siri, Windows Cortana, as well as other devices including televisions, game consoles, cars and toys. We can safely assume that the number of live microphones scattered throughout American homes will only increase to cover a wide range of “Internet of Things” (IoT) devices. Overall, digital assistants and other IoT devices create a triple threat to privacy: from government, corporations, and hackers. We fear that some government agencies will try to argue that they do not need a warrant to access this kind of data. We believe the Constitution is clear, and that, at a minimum, law enforcement needs a warrant based on probable cause to access conversations recorded in the home using such devices. But more protections are needed. Unfortunately, the existing statutes governing the interception of voice communications are ridiculously tangled and confused, and it’s not clear whether or how data recorded by devices in the home are covered by them. Digital assistants, like smart meters and many other IoT devices, split open a contradiction between two legal doctrines that both sit at the core of privacy law: 1) The sanctity of the home; and 2) The third-party doctrine. The contradiction arises when devices inside the home stream data about activities in that home to the servers of a third-party corporation. If microphones are going to be part of our daily lives in our intimate spaces, we need broader awareness of the issues they raise, and to settle on strong protections and best practices as soon as possible.
[ACLU | Devices sprout ears: What do Alexa and Siri mean for privacy? | The battle to use Siri as a key witness | Mozilla: ‘IoT will be the first big battle of 2017,’ calls for responsible IoT | Tips on protecting your privacy on Amazon Echo and Google Home | Murder case will test privacy rights of Amazon Echo users | Police mull gathering crime evidence from smart home devices]

US – Documents Reveal 15 Years’ Worth of ‘Cartapping’ Surveillance Efforts

Court documents reveal 15 years’ worth of law enforcement requests to vehicle technology providers to hand over real-time audio and location data to aid in investigations. The surveillance actions, known as “cartapping,” include New York police demanding that SiriusXM provide location information to target a car in an alleged illegal gambling ring, and General Motors handing over OnStar data from a Chevrolet Tahoe rented by a suspected crack cocaine dealer. Attempts to have the evidence thrown out of court are normally not successful, as the government has a solid argument that drivers’ right to privacy does not hold up when using services such as OnStar. “I could make an argument to the contrary, which is based on the fact that we are increasingly surrounded by embedded interactive, broadcast technologies and therefore can tend to forget the fact that we may be broadcasting as we hold what we think are private conversations,” said University of Dayton, Ohio, law professor Susan Brenner. [Forbes]

Telecom / TV

AU – Australian Federal Court Sides With Telstra in Metadata Case

The Federal Court of Australia has sided with telecom company Telstra in a case about whether all metadata constitutes personal information. The court ruled Telstra did not need to hand over its telecommunications metadata to former Fairfax journalist Ben Grubb under the Privacy Act. The case rested on whether metadata held by Telstra is information “about Ben Grubb,” or if it’s “about the service delivered to him.” The Administrative Appeals Tribunal sided with Telstra. The appeal filed by Australian Privacy Commissioner Timothy Pilgrim was denied by the Federal Court. “I think the Privacy Commissioner’s lawyers played a high stakes game with a narrow approach to this appeal, and it backfired on them,” said Salinger Privacy’s Anna Johnston. “The Federal Court did not clearly answer the question of what defines personal information because they were not asked to.” [iTnews]

US Government Programs

US – Obama Opens NSA’s Vast Trove of Warrantless Data to Entire Intelligence Community

The Obama administration announced new rules [Executive Order 12333] that will let the NSA share vast amounts of private data gathered without warrants, court orders or congressional authorization with 16 other agencies, including the FBI, the Drug Enforcement Agency, and the Department of Homeland Security. The new rules allow employees doing intelligence work for those agencies to sift through raw data collected under a broad, Reagan-era executive order that gives the NSA virtually unlimited authority to intercept communications abroad. Previously, NSA analysts would filter out information they deemed irrelevant and mask the names of innocent Americans before passing it along. The last-minute adoption of the procedures is one of many examples of the Obama administration making new executive powers established by the Bush administration permanent, on the assumption that the executive branch could be trusted to police itself. Under 12333, the NSA taps phone and internet backbones throughout the world, records the phone calls of entire countries, vacuums up traffic from Google and Yahoo’s data centers overseas, and more. The new rules still ostensibly limit access to authorized foreign intelligence and counterintelligence purposes — not ordinary law enforcement purposes — and require screening before data are more widely shared. But privacy activists are skeptical. [The Intercept | National Security Agency Databases Open for Business | Obama Expands Surveillance Powers on His Way Out | E.O. 12333 Raw SIGINT Availability Procedures: A Quick and Dirty Summary | N.S.A. Gets More Latitude to Share Intercepted Communications | Trump to Inherit Vast Surveillance Powers | Trump to inherit vast surveillance system | Commander-In-Chief Donald Trump Will Have Terrifying Powers. Thanks, Obama]

US – Border Agents Demanding Americans’ Social Media Accounts

Customs and Border Protection agents have been invasively questioning Muslim-Americans at U.S. border crossings about their political and religious beliefs, asking for their social media information, and demanding passwords to open mobile phones, according to a set of complaints filed by the Council on American-Islamic Relations (CAIR). The complaints deal with the cases of nine people who have been stopped at various U.S. border crossings, eight of whom are American citizens, and one Canadian. They were filed with the Department of Homeland Security, Customs and Border Protection and the Department of Justice. While warrants are normally required for federal authorities to search cellphones, this requirement does not apply at border crossings. The complaints filed by CAIR allege that CBP agents have been asking travelers questions including, “are you a devout Muslim”, “what do you think of the United States”, and “what are your views about jihad?” The complaints also say that people have reported being asked whether they attend a mosque and what their opinions are about various terrorist groups. The complaints also allege that border agents have asked American citizens to provide their social media information at the border. The ACLU notes that, although they may suffer delays, “U.S. citizens cannot be denied entry to the United States for refusing to provide passwords or unlock devices.” [The Intercept | See also: Revealed: The FBI’s Secret Methods for Recruiting Informants at the Border | U.S. Border Questionnaire: Is Anyone in Your Family a “Martyr”? | With Power of Social Media Growing, Police Now Monitoring and Criminalizing Online Speech | Will US border officials demand social network handles from visitors? | Surveillance of Everyone: Europe’s “Smart Borders” Would Automatically Monitor Individuals | Op-Ed: Canada to share information with U.S. on land border crossers | New border bill allows sharing of biographic data | New bill would allow border guards to collect biographic data on those leaving Canada | Government must face scrutiny over hacking of migrants’ phones by UK border guards]

US Legislation

US – State Bill Permits Automatic License Plate Readers for Investigations

New York Senate Bill S00023, amending the General Business Law and Executive Law and relating to the use of automatic license plate reader systems, has been introduced in the New York Legislature and referred to the Committee on Consumer Protection. Law enforcement agencies may use automated license plate readers for immediate comparisons of captured data against data held by other government agencies, for the purposes of identifying outstanding parking or traffic violations, violations of vehicle registration or inspection requirements, and stolen vehicles and license plates; operators of ALPRs must preserve captured plate data upon request from law enforcement, and must destroy the data after 14 days or if an application for a disclosure order is denied. [SB S00023 – An Act to Amend General Business Law and the Executive Law in Relation to the Use of Automatic License Plates Reader Systems – State of New York]

US – Bill Increases Public Transparency of Use of Surveillance Technologies

California Senate Bill 21, adding Chapter 15 to Division 2 of Title 5 of the California Government Code and relating to law enforcement use of surveillance technology, has been introduced and referred to the Committees on Public Security and the Judiciary. Agencies must, as of July 1, 2018, submit to their governing body a policy regarding their use of surveillance technologies (e.g. drones, license plate readers, CCTV, IMSI trackers, GPS, RFID, and biometric-ID/facial-recognition systems); the policy must include the types of technologies and authorized purposes, a description of privacy compliance and security measures, restrictions on use/disclosure, any public access to collected data, the data retention period, and the destruction process. [Senate Bill 21 – Relating to Law Enforcement Agencies – California]

Workplace Privacy

US – Court Rules UPMC Under No Obligation to Protect Employee Data

The Superior Court of Pennsylvania ruled that workers at the University of Pittsburgh Medical Center had no reasonable expectation that their employee data would be secure, following a data breach in which their information was used to file phony tax returns. The decision states the UPMC workers turned over their information as a condition of their employment, not for protection. The court also ruled that UPMC is not liable for the economic losses resulting from the stolen data, and that the law should not require employers to take on the costs of enhancing employee data security. “We find it unnecessary to require employers to incur potentially significant costs to increase security measures when there is no true way to prevent data breaches altogether,” the decision states. [Network World]

EU – Deutsche Bank Prohibits Texting, Comms Apps on Company Phones

Deutsche Bank AG will no longer allow employees to send text messages and use communication apps on company-issued phones as the organization attempts to improve compliance standards. Deutsche Bank’s Chief Regulatory Officer Sylvie Matherat and Chief Operating Officer Kim Hammonds sent a staff memo stating the functionality will be turned off this quarter. The policy will also apply to employees’ private phones used for work purposes and includes communication apps such as WhatsApp, Google Talk and iMessage. The move comes as Deutsche Bank works to improve its compliance efforts, as data compiled by Bloomberg found the bank has been slapped with more than $13.9 billion in fines and legal settlements since 2008. [Bloomberg]

US – Federal Privacy Council Launches Hiring Toolkit

The U.S. Federal Privacy Council has launched a new toolkit aimed at assisting federal agency human resources staff and hiring managers in understanding the new world of U.S. government privacy, making decisions about which types of positions they should use in their privacy offices, designing federal privacy positions, and then conducting recruitment and selection activities. [IAPP.org]
