21 January – 03 February 2017


AU – Biometric ID for 90% at Airports Raises Privacy Concerns

The Australian Department of Immigration and Border Protection is tendering for a company to provide it with an “automated processing solution” to allow for the automated processing of passengers using biometric identification. Tender documents say 90% of passengers would go through automated processing points, which would rely on biometric capturing “including but not limited to facial, iris and fingerprints”. Biometrics expert Prof Katina Michael said such technology had not been proven to have improved security or airport efficiency. Michael said the plan posed a risk to individual privacy and raised ethical dilemmas that had not been properly explained to the public. Michael said recent threats to the security of government-held data, such as the census failure, should raise real concerns about the storage of biometric data en masse. But others have played down concerns about the government’s plan. Information security expert and reporter Patrick Gray said airport passengers were already the subject of heavy surveillance and biometric testing. “Airports are already among the most surveilled places on the planet. The time to be worrying about this is when someone seriously proposes running live facial recognition against CCTV in public places like city streets and train stations with insufficient oversight on use. Then we’ve got a problem,” he said. “Better, highly-automated facial recognition is going to be a massive privacy issue one day, but the technology at least makes sense in airports.” [The Guardian]

US – Memo: New York Called for Face Recognition Cameras at Bridges, Tunnels

The state of New York has privately asked surveillance companies to pitch a vast camera system that would scan and identify people who drive in and out of New York City, according to a December memo obtained by Vocativ, which asks for surveillance at nine NYC ‘crossing points’. The call for private companies to submit plans is part of Governor Andrew Cuomo’s major infrastructure package, which he introduced in October. Though much of the related proposals would be indisputably welcome to most New Yorkers — renovating airports and improving public transportation — a little-noticed detail included installing cameras to “test emerging facial recognition software and equipment.” “This is a highly advanced system they’re asking for,” said Clare Garvie, an associate at Georgetown University’s Center for Privacy and Technology, who specializes in police use of face recognition technologies. “This is going to be terabytes — if not petabytes — of data, and multiple cameras running 24 hours a day. In order to be face recognition compliant they probably have to be pretty high definition.” The proposed system would both scan drivers as they approached or crossed most of the city’s bridges and tunnels at high speeds, and would also capture and pair those photos with the license plates of their cars. “The biggest risk that comes with a system like this is its ability to track people, by location, by their face,” Garvie said. “So what needs to be put in place is a prohibition on the use of these cameras and the technology as a location tracking tool.” New York City wouldn’t be the first in the U.S. to have a network of facial recognition cameras for law enforcement. In 2013, for instance, the Los Angeles Police Department admitted it had deployed 16 cameras equipped with face recognition software, designed to search for particular suspects. [Vocativ]


CA – Secret Bans, Secret Trials: The Canadian ‘No-Fly’ Lists

First in a series to help you participate in the federal consultation on national security. The Anti-Terrorism Act (Bill C-51) passed last year brought in the Secure Air Travel Act, which modifies the Canadian “no-fly” scheme. People on one of the lists are not permitted to board airplanes (“no-fly”). People on another list are subjected to additional security scrutiny when they try to board airplanes (“slow fly”). Under the new law it is illegal to tell an individual if they are on the no-fly list or not. If you are denied boarding or delayed in security, neither the government nor the airline can confirm or deny listing. Travellers on these lists are deemed too dangerous to fly, and yet too harmless to arrest. They are restricted from boarding aircraft, but not trains, ferries, subways, or buses. The new scheme provides for an appalling and probably unconstitutional lack of due process for people listed. There is no timely and appropriate mechanism for appeal of the minister’s secret decision. Canada should repeal the Secure Air Travel Act and keep suspected terrorists away from airplanes using the existing tools under the criminal law. Micheal Vonn – September 22, 2016 – TheTyee.ca | Canada’s Secretive No-Fly List Is Only Getting Worse | Time to overhaul Canada’s no-fly program | Thousands flagged by Canada’s new air passenger screening system | Canada’s no-fly list is ‘very mysterious’ and leaves targets little recourse, say critics | CBC News: Kids Still Caught By No-Fly Lists Despite New Redress Office]

CA – Majority of Canadians Support Privacy Act Reform, Greater Transparency

Canadians want tougher privacy laws and for government institutions and private sector organizations to be more upfront about how they collect and use personal information, according to a new survey commissioned by the OPC that found a majority of Canadians support amendments to the Privacy Act, which covers the personal information handling practices of federal government institutions. Canadians broadly support requiring government institutions to properly safeguard the personal information they collect about Canadians (78%) and that the Privacy Act be expanded to the Prime Minister’s Office and the offices of cabinet ministers (71%). Another 69% of Canadians support granting the Privacy Commissioner order-making power to enforce recommendations made following an investigation, while 66% think government institutions should be required to take steps to assess the privacy risks of any new program or law. “Canadians agree it’s time to modernize the Privacy Act, which has gone largely unchanged since it was introduced in 1983,” says Commissioner Daniel Therrien, who recently proposed a series of amendments which were largely supported by a parliamentary committee. “This survey also confirms that Canadians are increasingly concerned about what happens to their personal information in the age of big data, biometrics and the Internet of Things. They want more transparency in their dealings with both business and government.” [Office of the Privacy Commissioner of Canada]

CA – 75% Canadians Want a National Inquiry into Surveillance of Journalists

According to a new national public opinion survey released by Canadian Journalists for Free Expression (CJFE), 70% support a new law that would allow journalists to protect the identity of confidential sources and whistleblowers. 70% of Canadians agree that placing journalists under surveillance undermines press freedom. Only 27% of Canadians agree that CSIS or the police should use public resources to monitor organizations and advocacy groups which do not pose a known threat to national security. The potential monitoring of such groups was a core concern voiced by advocates when Bill C-51 was first introduced. The inability or unwillingness of CSIS to verify the precise number of journalists spied on in the course of federal national security investigations leaves serious questions about the state of press freedom nationwide. 72% of Canadians believe that there should be an independent cross-country inquiry into the surveillance of journalists by police. CJFE is supporting the passage of Private Member’s Senate Bill S-231 [see here], which would create legal protections for journalists and the sources, including whistleblowers, who allow them to undertake in-depth investigative work. 70% of Canadians support a press shield law such as Bill S-231, and 77% of Canadians feel that journalists should investigate public authorities such as the government, the police and state companies. [Canadian Journalists for Free Expression | See also: Hey Big Brother, are you listening in? How Canada is quickly becoming a surveillance nation | Canadian journalists push for ‘shield law’ to protect sources | Quebec announces details of inquiry into surveillance of reporters | ‘We were a bit naive’ about police surveillance, journalist panel says | Media surveillance highlights privacy risk to all Canadians | Canadian police spied on reporters, raising questions of press freedom | Quebec must uphold freedom of the press | Why spying on the press damages our democracy | How Montreal police were able to use legal means to track a journalist | Quebec to hold public inquiry into police surveillance of journalists | ‘An unprecedented crisis’: Quebec government calls inquiry into spying on journalists by police | Quebec launches commission of inquiry into police spying on journalists | How Canada’s Anti-Cyberbullying Law Is Being Used to Spy on Journalists]

CA – Govts Can Use Big Data Without Sacrificing Privacy: Ontario Commissioner

Though Brian Beamish believes that municipal, provincial, and federal governments alike have much to gain from big data, which he says could be used in sectors ranging from education to the environment to health care, it will require fundamental changes to privacy legislation involving government, citizens, and the private sector alike. Current legislation decrees that any personal information collected must be certified as “necessary,” while big data, which Beamish called “equal parts buzzword and concept,” tends to be indirectly obtained. Big data carries potential risks, Beamish acknowledged: since by definition it’s often collected automatically, and without a goal in mind, it may be inaccurate, lack information, disproportionately represent specific populations while excluding others, or be poorly collected, and applied based on pseudo-scientific insights confusing correlation with causation. The worst-case scenario, therefore, could be not only a surveillance state, but poorly delivered government services, he says. [ITBusiness.ca]

CA – OPC Investigating Complaints Around Sharing Economy

In documents obtained under access to information law, privacy commissioner Daniel Therrien’s office suggested sharing-economy companies such as Uber and Airbnb are creating a “growing risk” to Canadians’ private information. The key question, according to the documents, is who ultimately controls extremely sensitive personal information such as location data and financial information. “In the sharing economy, certain personal information — going well beyond that traditionally needed for reserving lodging and hailing taxis — is collected to establish identity and trust,” the documents read. “It is of great concern what might happen with (personal information) in the sharing economy in the event of a breach, especially given lack of clarity regarding accountability.” [The Star]


UK – 75% Brits Afraid for their Personal Data Under President Trump

Four out of five Brits are afraid that the incoming [US] president will use their personal data for his personal gain. That’s according to a poll commissioned by digital rights group Privacy International to coincide with Trump’s inauguration. The online poll was carried out by YouGov, between January 15 and 16, with 1,645 adults surveyed and the data weighted to be representative of the UK population. Why should Brits be afraid of what the incoming president means for their personal data? Because of historical intelligence sharing links between the two nations, and the fact that the UK recently passed expansive new surveillance legislation that cements bulk collection as a core state investigatory strategy, including hacking en masse. The vast majority (three-quarters) of respondents to Privacy International’s poll said they want the UK government to explain what safeguards exist against Trump misusing their personal data. Privacy International notes that the historical UKUSA agreement, which was drafted shortly after World War II, allows UK and US agencies to “share, by default, any raw intelligence, collection equipment, decryption techniques, and translated documents”. [TechCrunch | Four in Five Britons Fearful Trump Will Abuse their Data]

US – Privacy Worries Are on the Rise Among US Consumers: Survey

A recent IDC survey found 84% of U.S. consumers are concerned about the privacy of their personal information, with 70% saying their concern is greater today than it was a few years ago. “Consumers can exact punishment for data breaches or mishandled data by changing buyer behavior or shifting loyalty,” said Sean Pike, an analyst at IDC, in a statement. The survey, released last week, polled 2,500 U.S. consumers about their privacy concerns across four verticals: Financial services, healthcare, retail and government. The survey found that shoppers increasingly are willing to evaluate a store’s track record for protecting personal information. “It is in a retailer’s best interest to define what information they are tracking firmly and clearly, and to provide consumers methods to manage those preferences,” IDC’s report said. “Retailers who do not take consumer data protection seriously may find that they permanently lose customers to competitors that offer more transparency and manageability of their Personally Identifiable Information.” [CSO Online]


CA – Privacy Experts Call for Rules on Gov’t Monitoring Social Media

Top privacy advocates are calling for rules to govern how government employees access Canadians’ social media posts, following the revelation that the Canada Revenue Agency checks posts on social media sites like Facebook to catch tax cheats. Privacy commissioner Daniel Therrien and former assistant commissioner Chantal Bernier say the Treasury Board should draft guidelines. Bernier, who now works as a lawyer with the firm Dentons, says it is “urgent” for the government to act. “It has become a normal manner to gather intelligence. So we absolutely must give it a framework. We absolutely must clarify what the limits are.” CBC News reported last week that the Canada Revenue Agency’s compliance section is scrutinizing the social media posts of Canadians it suspects are at “high risk” of cheating on their taxes. Among those the agency considers at high risk are wealthy individuals who have offshore bank accounts. In a 2013 report, the privacy commissioner’s office found the Justice Department and the department of Aboriginal Affairs and Northern Development Canada violated First Nations activist Cindy Blackstock’s privacy by monitoring her personal Facebook page. [CBC News See also: Canada Revenue Agency monitoring Facebook, Twitter posts of some Canadians | Twitter and Instagram ban London, Ont., company for helping police track protesters | Experts divided on social media surveillance  | Police Searches Of Social Media Face Privacy Pushback | Facebook, Instagram, Twitter block social media tool Geofeedia over protest surveillance | Facebook, Instagram, Twitter Block Tool For Cops To Surveil You On Social Media ]

AU – Govt Apologises After Thousands of Gun Owners’ Personal Details Released in Email Error

The Victorian Government has apologised to almost 9,000 gun owners after a “deeply concerning” data breach resulted in thousands of gun owners’ personal details mistakenly being emailed out. Customer service staff at the [Victoria] Department of Environment, Land, Water and Planning last month intended to email gun licence renewal forms, but uploaded the wrong attachment and accidentally sent the names, addresses and gun licence details of 8,709 people. The error occurred on eight separate occasions, with the attached files including between 800 to 1,900 names. The Shooters and Fishers Party said the mistake proves why gun registries should be dumped. On advice from the state’s Privacy Commissioner, the department is posting letters to each of the 8,709 people involved. The department has also contacted Victoria Police. [ABC.net]

EU Developments

EU – Privacy Shield Intact Despite Trump Executive Order

The Information Commissioner’s Office (ICO) says there is no indication that an executive order [Enhancing Public Safety in the Interior of the United States] introduced by President Donald Trump, revoking protections in the country’s Privacy Act for information held by the state on non-US citizens, will impact a major EU data sharing arrangement. The ICO said the US Privacy Act has never offered data protection rights to European citizens. A spokesperson for the European Commission reiterated that the Privacy Shield was one of two instruments introduced to try and safeguard personal information when transferred to the US by companies. The second mechanism, called the EU-US Umbrella Agreement, will come into force on February 1 under law adopted by the US Congress last year. It will be supported by the US Judicial Redress Act that extends benefits of the US Privacy Act to Europeans, allowing them access to the country’s courts to seek legal redress. [Government Computing Network See Also: Trump’s Executive Order Does Not Impact U.S. Privacy Shield Commitments – HoganLovells Chronicle of Data Protection | Privacy Shield: Impact of Trump’s Executive Order – Hunton & Williams | Trump’s executive order won’t destroy Privacy Shield, says EU | A White House Executive Order May Affect Validity of Privacy Shield | U.S.-EU Privacy Shield: Trump Executive Order Puts Privacy Agreement In Jeopardy | Trump order strips privacy rights from non-U.S. citizens, could nix EU-US data flows | Trump Is Killing Obama Plans For World Privacy Rights – Forbes | Trump Order Won’t Harm Privacy Shield Pact Say Attorneys | EU Privacy Shield intact despite Trump executive order]

EU – Trump’s E.O. Doesn’t Impact US Privacy Shield Commitments

Trump’s Executive Order (EO) titled “Enhancing Public Safety in the Interior of the United States,” among other things, removed the ability of federal agencies to extend protections under the Privacy Act to anyone other than U.S. citizens or legal permanent residents. The EO does not impact any of the U.S. commitments under the Privacy Shield, nor does it revoke protections for EU citizens under the Privacy Act provided pursuant to the Judicial Redress Act. Under U.S. Constitutional law, the President cannot enact Executive Orders to overturn statutes duly enacted by Congress. Section 14 of the EO acknowledges this, stating that the EO can only be enforced “to the extent consistent with applicable law.” Therefore it cannot (and does not) revoke coverage from jurisdictions already designated as covered under the Judicial Redress Act or countries that could receive such designation in the future from the Department of Justice pursuant to the Judicial Redress Act. But even if coverage under the Privacy Act were affected by this EO (which it is not), it would not impact any explicit commitments made by the U.S. under Privacy Shield. This is for a simple reason: the Privacy Shield Framework and the European Commission’s official Adequacy Decision approving Privacy Shield did not rely on the Privacy Act’s protections. EU citizen rights under both Privacy Shield and the Privacy Act are not directly affected by this EO. However, going forward, it will be important to pay attention to European officials’ reaction to the EO. It will also be important to watch how the EO may impact the Attorney General’s designations of countries covered under the Judicial Redress Act or countries that could receive such designation in the future.
[HL Chronicle of Data Protection (HoganLovells) Also See: Privacy Shield: Impact of Trump’s Executive Order | Trump’s executive order won’t destroy Privacy Shield, says EU | A White House Executive Order May Affect Validity of Privacy Shield | U.S.-EU Privacy Shield: Trump Executive Order Puts Privacy Agreement In Jeopardy | Trump order strips privacy rights from non-U.S. citizens, could nix EU-US data flows | Trump Is Killing Obama Plans For World Privacy Rights]

EU – Collecting Info from Kids, a Comparison of US law and GDPR

In the United States the Children’s Online Privacy Protection Act (“COPPA”) requires that a website obtain parental consent prior to collecting information from children under the age of 13. Historically the European Union’s Directive on data protection did not explicitly mention the privacy rights of minors, but applied the same data protection principles to children and adults alike. The EU’s new General Data Protection Regulation (“GDPR”), which goes into force in Spring 2018, specifically recognizes that “children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights ….” The GDPR also requires that a company obtain the consent of a parent if it offers an information society service to a child. The following analysis provides a snapshot of information concerning fines. [Bryan Cave]

Facts & Stats

US – Data Breaches Increase 40% in 2016: ITRC Report

The number of U.S. data breaches tracked in 2016 hit an all-time record high of 1,093, according to a new report released by the Identity Theft Resource Center (ITRC) and CyberScout (formerly IDT911). This represents a substantial hike of 40% over the near record high of 780 reported in 2015. This raises the question: are there actually more breaches or is it because more states are making this information publicly available? In 2016, the business sector, healthcare/medical industry, education sector and banking/credit /financial sectors led the list of data breach incidents. “For businesses of all sizes, data breaches hit close to home, thanks to a significant rise in CEO spear phishing and ransomware attacks. With the click of a mouse by a naïve employee, companies lose control over their customer, employee and business data. In an age of an unprecedented threat, business leaders need to mitigate risk by developing C-suite strategies and plans for data breach prevention, protection and resolution,” said CyberScout and Vice Chair of ITRC’s Board of Directors. [Identity Theft Resource Center PR | ITRC Breach Package | Overview 2005 – 2016 See also: OCR Settles First Enforcement Action for Untimely Reporting of a Breach | The White House’s Revisions to its Breach Response Policy For Federal Agencies and Departments Also Affect Contractors | U.S. Promotes Risk-Based Data Breach Response Model | OMB Publishes Memorandum on Responding to Data Breaches | White House Issues Data Breach Guidance for Federal Agencies | White House issues gov’t-wide breach notification protocols ]


CA – CRA Transfer Bank Records to US Tax Agency Doubled Last Year

The Canada Revenue Agency transmitted 315,160 banking records to the IRS on Sept. 28, 2016 — a 104% increase over the 154,667 records the agency sent in September 2015. The transmission of banking records of Canadian residents is the result of an agreement worked out in 2014 between Canada and the U.S. after the American government adopted FATCA. The U.S. tax compliance act requires financial institutions around the world to reveal information about bank accounts in a bid to crack down on tax evasion by U.S. taxpayers with foreign accounts. Prime Minister Justin Trudeau, Treasury Board President Scott Brison and Public Safety Minister Ralph Goodale have dropped calls to scrap the deal, which they had made before the Liberals came to power. Privacy Commissioner Daniel Therrien has raised concerns about the information sharing, questioning whether financial institutions are reporting more accounts than necessary. Therrien has also suggested the CRA proactively notify individuals that their financial records had been shared with the IRS. However, the CRA has been reluctant to agree to Therrien’s suggestion. Lynne Swanson, of the Alliance for the Defence of Canadian Sovereignty, which is challenging the information sharing agreement in Federal Court, [says] “A foreign government is essentially telling the Canadian government how Canadian citizens and Canadian residents should be treated. It is a violation of the Charter of Rights and Freedoms.” [CBC News See also: FATCA has Americans renouncing citizenship, tax lawyer says | So now the CRA is going after infants? | Appearance before the Standing Committee on Access to Information, Privacy and Ethics on the Transfer of Information to the United States Internal Revenue Service (IRS) | The Liberal privacy campaign that died with the election | Liberals flip-flop on privacy rights | Brison, Garneau endorse deal to share Canadian banking records with IRS | Trudeau Liberals reverse position on controversial IRS information sharing deal]

US – Financial Industry Reg. Authority Seeks Comment on Blockchain

On Jan. 18, 2017, the Financial Industry Regulatory Authority (FINRA) published a report examining the impact of blockchain [distributed ledger technology (DLT)] on the financial services industry. While DLT’s development and implementation across industries are evolving at different rates, a recent World Economic Forum report predicts that, by 2025, 10 percent of GDP will be stored on blockchains or blockchain-related technology, and finds that over the past three years the financial services industry has invested more than $1.4 billion in DLT. According to FINRA, there are several regulatory issues financial service institutions should consider while exploring DLT, including customer data privacy, record keeping, know your customer, and anti-money laundering. More specifically, FINRA recommends that firms participating in a DLT network evaluate and update their procedures and security measures to ensure compliance with customer data privacy rules. FINRA is encouraging all interested parties to provide comments on all aspects of the report by March 31, 2017. Information on how to comment is provided at the end of the report. [Data Privacy Monitor (BakerHostetler) | Chain Previews New Blockchain Privacy Tech ‘Confidential Assets’ See also: A Complete Beginner’s Guide To Blockchain | Blockchain’s brilliant approach to cybersecurity | Crypto-Currency Software Emerges as Tool to Block Cyberattacks | Power Arrangements in Identity Systems | Why Etherium is the most promising Blockchain technology | Privacy fix for blockchain from Blythe Masters | How blockchain can help fight cyberattacks | Using Blockchain to Protect Against Data Tampering | Legal implications of expanded use of blockchain technology ]

Health / Medical

US – HHS Modifies Drug and Alcohol Abuse Confidentiality Regulations, Proposes Additional Revisions

On January 18, 2017, the U.S. Department of Health and Human Services, Substance Abuse and Mental Health Services Administration (SAMHSA) released the Final Rule modifying the federal regulations governing the confidentiality of drug and alcohol abuse patient records. Largely following the changes that SAMHSA introduced in the 2016 Notice of Proposed Rulemaking (Proposed Rule), the Final Rule may have fallen short of many providers’ desire for less complexity in the rules and a more practical balance between patient privacy and facilitating the provision of care. The authors consider these 11 points: 1) Background; 2) Effective Date; 3) New and Expanded Definitions; 4) Patient Consent – Designating the Recipient of Information; 5) List of Disclosures; 6) Additional Modifications to Form of Consent; 7) The Notice to Patients of Federal Confidentiality Requirements; 8) Security for Electronic Records; 9) Re-disclosure Requirements; 10) Additional Disclosures; and 11) Additional Guidance on Disclosures for Payment and Operations to Follow. [Bass, Berry & Sims | Also See: Research Data Privacy Regulations Updated in Final Federal Rule | Researchers, privacy experts clash on new human research rule | Patient advocacy groups worry about lax consent requirements in Common Rule]

CA – Yukon Gov’t Workers’ File Complaint over Privacy of Health Info

The Yukon Employees Union (YEU) says it’s worried about how the government handles sensitive medical information of its 3,700 workers. “Basically what we wanted to find out was, when a department gets some medical information, where does it go, who has custody of it, how long is it kept, that type of thing. We couldn’t get a straight answer from anybody,” [Union president Steve] Geick said. Geick said the complaint filed with the Yukon privacy commissioner has triggered what he calls a “government-wide privacy impact assessment.” [CBC See also: Yukon gov’t vows privacy not at risk after commissioner raises concerns | Act doesn’t need overhaul: privacy commissioner | Yukon privacy commissioner sounds alarm over gov’t review | Yukon government releases scathing review of access-to-information laws | Health department, psychiatrist lock horns over sharing of private medical information | Yukon gov’t denies asking doctors for sensitive medical files | Yukon gov’t routinely demands to see patients’ private medical records, doctors say | Northern Ontario doctors rebel over Health Canada rules that breach First Nation patient’s privacy | Health Canada breaches Indigenous patients’ privacy, MDs say]

UK – Gov’t Refuses to Enforce Privacy Code on NHS Staff Using Video

The government has rejected a request by the surveillance camera commissioner Tony Porter to monitor CCTV and body-worn video cameras in hospitals. The body cameras are deployed in hospitals in an effort to tackle abuse of frontline health service staff. It emerged that Porter had warned ministers last year that the privacy of millions of NHS patients was put at risk by the unchecked use of the cameras. Porter recommended adding NHS trusts to a list of public bodies required to comply with a code of practice on the use of surveillance. A letter to Porter sent last week from the home office minister Brandon Lewis, and released by the government on Wednesday, said the recommendation was unnecessary as: “We had not exhausted the possibilities of increasing voluntary compliance.” Porter said the government’s decision to allow surveillance to go unchecked in the NHS raised a series of questions about the privacy of patients. [Guardian]

Identity Issues

CA – Canada’s ‘Pre-Crime’ Model of Policing Is Sparking Privacy Concerns

In cities across Canada, police are partnering with social service agencies that work in housing, addictions, mental health, and child welfare to identify and intervene with people who they believe are at risk of harming themselves or others. Proponents say this pre-crime approach, called the Hub and COR, is the future of law enforcement and social service delivery. But some experts warn that taking a data-driven approach to solving social problems can lead to discrimination. Hubs rely on public health agencies and social services to share unprecedented amounts of information about their clients with police. The disclosure of personal health information is tightly regulated by provincial law, and while Hub guidelines encourage agencies to get consent before sharing it, agencies can get around these requirements thanks to language in health privacy laws that lets them share an individual’s personal information if a “probability of harm” exists. Hubs inspired by the Prince Albert model have been rolled out in more than two dozen Canadian cities, including Toronto, Ottawa, Surrey, Edmonton and Halifax, with participation from police at the local, provincial and federal levels. Ontario’s IPC hasn’t conducted a formal privacy assessment of Hubs in the province. Beamish said that his office worked with the provincial Ministry of Community Safety and Correctional Services (MCSCS) to develop information sharing guidelines for Hubs, but they’re not necessarily mandatory. Risk-driven policing also involves storing and analyzing the data gathered by Hubs. In Saskatchewan, every Hub in the province has access to a centralized database of information. MCSCS spokesperson Brent Ross said that Ontario Ministry maintains a Hub database that does not contain personally identifying information. Valerie Steeves, a professor of criminology, said that while Hubs have good intentions, the information used to assess young people often doesn’t tell the whole story. 
“One of the things being used to identify risk of suicide or depression is the posting of ‘emo’ lyrics [online],” said Steeves. She also noted the rise of companies that train school staff how to surveil students on social media to identify risk factors. “This surveillance makes it tough for [kids] to develop relationships of trust with people in the real world who might be better placed to help them.” [Motherboard | See also: Calgary police to launch terrorism intervention program | NHS Tayside scraps data sharing form after Named Person court ruling | Health board scraps leaflet after Named Persons ruling | Supreme Court rules against Named Person scheme ]

CA – Putting A Dollar Figure on Breach of Privacy In Canada

Section 16 of PIPEDA authorizes courts to award damages, including damages for humiliation that a complainant has suffered, arising from a breach of the legislation. Over the past few years there has been an evolution towards courts awarding greater damages. In the notable case of “Chitrakar v. Bell TV” [see here], involving a non-consensual credit check, the Federal Court awarded the applicant $10,000 in damages, $10,000 in exemplary damages, plus $1,000 in costs. The court acknowledged the difficulty of assessing damages absent evidence of direct loss, but in a marked departure went on to say “there is no reason to require that the violation be egregious before damages will be awarded”. Nevertheless, given the PIPEDA requirement that a complaint assessment by the Privacy Commissioner be completed prior to an application being filed with the Federal Court, it has been difficult to envision how the statutory damages regime could be leveraged in support of a class action lawsuit. In June of 2014 the first Ontario class action was certified based on the tort of intrusion on seclusion in the case of “Evans v. The Bank of Nova Scotia” [see here] (there have subsequently been other intrusion on seclusion based class actions certified both in Ontario and elsewhere in Canada). The Evans case was settled in 2016 when the bank agreed to pay each of the identity theft victims an additional amount of approximately $7,000 (giving rise to a total payout of approximately $1.1M plus actual losses suffered) in return for a full release. 
The settlement in Evans, involving a deep-pocketed and well-advised defendant, should be seen as important additional evidence that the activist stance taken by Canadian courts in response to innovative lawsuits launched by individuals seeking redress for alleged breaches of privacy rights must be accommodated, and that organizations operating in this fast-changing, heightened-risk environment should proactively implement policies, procedures and technologies aimed at minimizing the risk of privacy breaches. [Mondaq]

Law Enforcement

CA – Why Police Services Are Not Adopting Body Cameras

Thousands of law enforcement agencies in the U.S. have already implemented BWC technology. Conversely, only a handful of agencies in Canada have adopted body cameras. Among the larger services, only Toronto, Calgary, Edmonton, and Montreal have tested or are currently studying the technology. The only police service in the country to standardize BWCs for its officers is the Amherstburg Police Service — a small agency in southwestern Ontario. Why is body camera adoption in Canada moving at a snail’s pace compared to that of the U.S.? One reason is cost. However, the most important reason agencies in Canada are not rushing to adopt BWCs is policy concerns. Creating an effective policy may be one of the most challenging issues regarding this technology. There has yet to be a definitive discussion around privacy, officer discretion over recording, access to footage, and storage. The Office of the Privacy Commissioner of Canada published a guide in 2015 for the use of BWCs by law enforcement agencies. The document addresses the issues around privacy, access, and storage, but it only serves as a guideline for agencies wishing to adopt BWCs. Thus, local agencies are responsible for creating and enforcing a BWC policy. For most police services in Canada, and for the communities they serve, it may be wiser to spend money on necessary resources or invest it back into the communities rather than take a risk on something that has yet to be proven. [Huffington Post Canada | See also: Technical hurdles mean no body-worn cameras for Mounties, for the time being | RCMP decides not to outfit officers with body-worn cameras | Police body cams not ‘worthwhile’ if officers can turn them off, lawyer says | Calgary police say body cameras unreliable in the field; possible legal battle ahead | Mounties wearing video cameras told to record use of force | Canadian police forces moving towards costly body cameras ]

Online Privacy

US – FTC Extends Privacy Principles to Cross-Device Tracking

Ad-tech companies that track consumers across their smartphones, laptops and other devices should inform consumers — as well as publishers and app developers — about the practice, the Federal Trade Commission recommends in a new report. The agency adds that companies engaged in cross-device tracking should allow consumers to opt out of the practice, and should only track “sensitive” data, including some health and financial information, with consumers’ opt-in consent. The new staff report also advised companies that they should not refer to information that can be linked to users — or their devices — as “anonymous.” “Often, raw email addresses and usernames are personally identifiable, in that they include full names,” the report states. “Even hashed email addresses and usernames are persistent identifiers and can be vulnerable to reidentification in some cases.” [MediaPost | Not Much Fresh Advice in FTC Cross-Device Tracking Report | FTC Releases Cross-Device Tracking Report | FTC Staff Report Details Best Practices for Cross-Device Tracking | FTC Staff Issues Long-Awaited Cross-Device Tracking Report | FTC Extends Privacy Principles To Cross-Device Tracking | FTC’s Cross-Device Study Reveals Opacity of Data-Sharing Practices]
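The FTC staff’s point that a hashed email address is still a persistent identifier is easy to demonstrate. The following is an added example (not from the FTC report or the MediaPost article) using constructed sample event logs from two hypothetical devices. It shows that an unkeyed SHA-256 of an email address joins a person’s activity across devices exactly as the raw address would, that any party holding a plaintext address list can map the hashes back to people, and that a keyed pseudonym (HMAC with a secret only the tracking party holds) removes that second property while remaining persistent for the key holder. All names, addresses and the key are constructed.

```python
import hashlib
import hmac


def sha256_hex(value: str) -> str:
    """Unkeyed hash of a normalised identifier, as an 'anonymising' vendor might compute it."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()


def keyed_pseudonym(value: str, key: bytes) -> str:
    """Keyed alternative: HMAC-SHA256 under a secret key held only by the tracking party.
    Still persistent for that party, but not recomputable by anyone without the key."""
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()


# Constructed customer file (hypothetical addresses) and constructed event logs
# from two devices. The vendor stored only the SHA-256 of each address.
KNOWN_EMAILS = ["alice@example.com", "bob@example.net", "carol@example.org"]

PHONE_EVENTS = [
    {"device": "phone", "id_hash": sha256_hex("alice@example.com"), "event": "view"},
    {"device": "phone", "id_hash": sha256_hex("bob@example.net"), "event": "click"},
]
LAPTOP_EVENTS = [
    # Different capitalisation, same person: normalisation makes the hash identical.
    {"device": "laptop", "id_hash": sha256_hex("Alice@Example.com"), "event": "purchase"},
    {"device": "laptop", "id_hash": sha256_hex("carol@example.org"), "event": "view"},
]


def link_devices(events_a, events_b):
    """Join two device logs on the stored hash. Returns every hash seen on more
    than one device: the hash links the person across devices like the raw address."""
    devices_by_hash = {}
    for event in events_a + events_b:
        devices_by_hash.setdefault(event["id_hash"], set()).add(event["device"])
    return {h: devs for h, devs in devices_by_hash.items() if len(devs) > 1}


def reidentify(hashed_ids, known_addresses):
    """A party with a plaintext address list (its own customer file, say) recomputes
    the unkeyed hash and recovers the person behind each stored identifier."""
    lookup = {sha256_hex(addr): addr for addr in known_addresses}
    return {h: lookup[h] for h in hashed_ids if h in lookup}


if __name__ == "__main__":
    linked = link_devices(PHONE_EVENTS, LAPTOP_EVENTS)
    print("cross-device links:", linked)
    all_hashes = [e["id_hash"] for e in PHONE_EVENTS + LAPTOP_EVENTS]
    print("reidentified:", reidentify(all_hashes, KNOWN_EMAILS))
    key = b"constructed-secret-key"  # hypothetical key held only by the vendor
    print("keyed pseudonym survives plaintext lookup?",
          bool(reidentify([keyed_pseudonym("alice@example.com", key)], KNOWN_EMAILS)))
```

The keyed form is a mitigation for reidentification by third parties, not a way to make the data anonymous: the key holder can still link every event back to the person, which is exactly why the report says such identifiers should not be described as “anonymous”.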

WW – Facebook Revamps ‘Privacy Basics’ User Guide

Facebook updated [see here] its Privacy Basics [introduced in 2014] user guide to make it easier for people to learn how to protect their personal information on its platform. The guide has been updated to answer the most frequently asked questions and reorganized to make it even easier for people to find answers. Facebook said Privacy Basics now has 32 interactive guides available in 44 languages, which should allow many of its 1 billion users to learn how to limit what they share on the social network. Privacy Basics also explains how people can control their ad experience and bolster their account’s security. Facebook said the updated Privacy Basics are part of a broader push to educate people about their privacy. The updated Privacy Basics can be found on Facebook’s website. The company also released a short video about the new guide. [Tom’s Hardware]

Other Jurisdictions

AU – Landmark Australian Ruling on What Counts as ‘Personal Information’

A full bench of the Federal Court has served a rebuff to Australian Privacy Commissioner Timothy Pilgrim, who has been fighting to secure a broad definition of personal information in the courts, to ensure that everything that could reasonably be used to identify an individual will fall under the protection of the Privacy Act. But federal court judges dismissed the commissioner’s appeal, siding with Telstra and the Administrative Appeals Tribunal over whether the telco needs to hand a full suite of telecommunications metadata over to Telstra customer and former Fairfax journalist Ben Grubb, under the personal information access provisions of the Act. The case has hinged on whether metadata stored by Telstra is information “about” Ben Grubb or “about” the service delivered to him. Privacy Commissioner Pilgrim warned earlier this year that the case would set the parameters for “arguably the most important term in the Privacy Act”. Today’s ruling establishes a narrower definition of personal information than the Privacy Commissioner would like. [itNews (Australia) | See also: Australia’s privacy laws gutted in court ruling on what is ‘personal information’ | The Australian “Ben Grubb” decision and its link to Canada | Federal Court interprets ‘personal information’. What’s it all about people? | Landmark Australian ruling on what counts as ‘personal information’ ]

CH – Beijing Clamps Down Tighter On Web Use With New VPN Ban

The Chinese government has announced new restrictions on operating VPNs that in effect make it illegal to offer them without approval to anyone other than large organisations. The officials who run the so-called Great Firewall of China have been experimenting with VPN-blocking for a couple of years, but this is the first time a formal legal clampdown has been put into effect. The best-known providers include VyprVPN (Golden Frog), StrongVPN, Astrill, and ExpressVPN, all of which are based outside China. This raises the obvious question of how China can stop them. With the effect on providers uncertain – disruption has been reported but it’s hard to say how much – this could be another case of a cat chasing an unexpectedly large mouse. According to Golden Frog’s co-CTO, Phil Molter: “China has targeted VPN providers in the past but VyprVPN has been able to quickly and effectively update our service to defeat these blocks.” The VPN clampdown comes only days after China announced a similar tightening of restrictions on mobile app stores, which must now register with the country’s Cyberspace Administration. [Naked Security | See also: China Orders Registration of App Stores ]

Privacy (US)

US – Court Declines to Reconsider Microsoft Email Seizure Ruling

A split U.S. Court of Appeals for the Second Circuit denied rehearing a July decision the Justice Department says handicaps investigators by making it easier for criminals to move incriminating data outside their reach, and that Microsoft defended as a victory for privacy rights. The vote leaves the Supreme Court as the last resort for U.S. investigators trying to get data from Microsoft and other internet service providers who poured into the case as amici. All four of the judges who wanted en banc rehearing issued dissents slamming the July decision, [which] explored the limits on extraterritorial application of U.S. laws outlined by Morrison v. National Australia Bank Ltd., 561 U.S. 247 (2010), and held Congress did not explicitly authorize the offshore reach of the Stored Communications Act. Judges Susan Carney, Robert Katzmann, Peter Hall and Denny Chin voted to deny, with Carney answering the dissents. Carney said the focus of the privacy protections in the SCA is at the place of data storage, so “the execution of the warrant would have its effect when the service provider accessed the data in Ireland, an extraterritorial application of the SCA.” [New York Law Journal | See also: Court Keeps Microsoft’s Irish Servers Safe From U.S. | US government wants Microsoft ‘Irish email’ case reopened | Lawmakers question DOJ’s appeal of Microsoft Irish data case | Microsoft Cloud Warrant Case Edges Closer to Supreme Court | Government Seeks Do-Over On Win For Microsoft And Its Overseas Data | Microsoft’s cloud privacy battle may go to US Supreme Court | Court Declines to Reconsider Microsoft Email Seizure Ruling ]

US – New Privacy Report Already Removed from White House Site

Following the inauguration of President Donald Trump, the “Privacy in our Digital Lives: Protecting Individuals and Promoting Innovation” report was removed from the White House website (it can still be found here); the irony seemed particularly fitting. Civil liberties advocates worry about potential privacy infringements that could emerge under an administration that has promised to strengthen law enforcement, enhance surveillance efforts and monitor immigrant groups, steps that could very well involve increased data collection by the U.S. government, some of it derived from the same commercial sources advertisers use. Pam Dixon, executive director of World Privacy Forum, calls this moment a defining one. “The privacy movement has to mature right now,” she said. “The concern that I have is we are going to have very aggressive implementations of technology that are not preceded by policy.” Ms. Dixon cited her most immediate concern, national identity cards. [Adage]

US – Mississippi Attorney General Sues Google Over Student-Data Privacy

Last week, Mississippi state attorney general Jim Hood filed a lawsuit alleging that Google’s policies and practices regarding online tracking of students remain unclear, despite the company’s public pledge to not collect and use student data for commercial purposes, such as targeting advertisements to students. The suit seeks to force Google to be more transparent about its free, web-based G Suite for Education service, used by tens of millions of students worldwide, including more than half of the roughly 500,000 K-12 students in Mississippi. In its lawsuit, the state alleged that Google uses student GSFE accounts to track Mississippi K-12 students in order to build profiles that can be used for advertising. The state also accuses Google of failing to abide by its own privacy policies, terms of service, contracts, and agreements, as well as the public commitment it made in signing the Student Privacy Pledge. Some observers expressed skepticism about the suit. The Future of Privacy Forum, the industry-affiliated Washington think tank responsible for the Student Privacy Pledge, reiterated its belief that “Google’s practices are consistent with its obligations under the pledge.” In a blog post, the group noted that Google clearly states that no ads are served to students using G Suite for Education services. It also pointed out that school administrators must choose to let students use their school accounts to access Google’s consumer services. As a result, the suit’s legal prospects are unclear. [Edweek.org | See also: Mississippi sues Google for allegedly violating student privacy ]

Privacy Enhancing Technologies (PETs)

WW – Protonmail Combats ‘Totalitarian’ Govt Surveillance With Tor

ProtonMail, the popular Switzerland-based encrypted email provider, has announced it is now offering users the ability to log in to their accounts via the Tor network, a platform favoured by privacy advocates, journalists and activists to surf the web anonymously. The move is aimed at “countering actions by totalitarian governments around the world that are cutting off access to privacy tools”. In a blog post, the outspoken email provider provided users with an “onion” link, which is the term used to describe the Tor network’s version of a traditional website domain. Once Tor is downloaded and installed, it can be found here. [IBTimes]


US – NIST Updates Cybersecurity Framework Guidance

In the past month, the National Institute of Standards and Technology (NIST) has issued a draft update to its flagship cybersecurity framework as well as new standalone guidance on how organizations can plan to recover from cybersecurity events. The publication of these documents demonstrates NIST’s ongoing focus on providing substantive guidance to the private and public sectors alike on cybersecurity risk management. In this post we summarize the highlights of each of these new NIST publications. On January 10, 2017, NIST issued draft version 1.1 of its Framework for Improving Critical Infrastructure Cybersecurity (Framework). On December 21, 2016, NIST issued Special Publication 800-184, Guide for Cybersecurity Event Recovery (NIST SP 800-184). Together, these documents signal the United States government’s ongoing substantive focus on the Framework as a vehicle for communicating cybersecurity risk management expectations. [Global Media and Communications Watch]

US – NIST Releases Internet of Things (IoT) Security Guidance

Late last year, the National Institute of Standards and Technology (“NIST”) released Special Publication 800-160 (the “Guidance”) on implementing security in Internet-of-Things (“IoT”) devices. The Guidance is intended to provide a framework for software engineers to better address security issues and to develop more defensible and survivable systems in a sustainable manner throughout the life cycle of these devices. [It] is designed to help prevent the vulnerabilities that lead to their exploitation and to facilitate “a disciplined, structured, and standards-based set of systems security engineering activities.” To accomplish this, the Guidance focuses on assessing the trustworthiness of various internet-connected devices and their impacts through a series of processes governed by the life cycle of each device. From a legal perspective, the Guidance can be seen as a double-edged sword for organizations that manufacture or use IoT devices. [Data Protection Report | See also: NIST Issues Internet of Things (IoT) Guidance | Internet of Things (IoT) Security Takes Center Stage At FBI, DHS, NIST and Congress | White House and Homeland Security Publish Cybersecurity Guidelines for IoT Devices | NIST unveils Internet of Things cybersecurity guidance | DHS Release Principles For Securing Internet Of Things Amid Expanding Cyber Attack Vectors | Ambassador Sepulveda Urges Technology Industry to Ensure the Security and Interoperability of the Internet of Things | Online Trust Alliance Releases Privacy and Security Checklist for IoT Consumers | NIST scientists ‘nervous’ about lightweight crypto for IoT | FTC’s Latest Enforcement Action Signals Scrutiny of IoT Industry | D-Link fights back against ‘baseless’ data security lawsuit | FTC vs D-Link: The legal risks of IoT insecurity | Cause of Action Institute to Defend D-Link Systems Against FTC’s Baseless Data Security Charges | FTC sues D-Link for ‘insecure’ routers and IP cameras | FTC Charges D-Link Put Consumers’ Privacy at Risk Due to the Inadequate Security of Its Computer Routers and Cameras | FTC IoT privacy and security push points out D-Link router and webcam flaws | D-Link Calls The FTC’s Router And IP Camera Security Allegations ‘Baseless’ | The FTC Brings Section 5 Charges Against Internet-of-Things Companies | Pacemaker data used to help indict alleged arsonist | Murder case will test privacy rights of Amazon Echo users | Police mull gathering crime evidence from smart home devices ]

WW – Blockchain Enhances Cybersecurity

Hackers can shut down entire networks, tamper with data, lure unwary users into cybertraps, steal and spoof identities, and carry out other devious attacks by leveraging centralized repositories and single points of failure. The blockchain’s alternative approach to storing and sharing information provides a way out of this security mess. The same technology that has enabled secure transactions with cryptocurrencies such as Bitcoin and Ethereum could now serve as a tool to prevent cyberattacks and security incidents. Blockchains can increase security on three fronts: blocking identity theft, preventing data tampering, and stopping Denial of Service attacks. [Venturebeat | See also: A Complete Beginner’s Guide To Blockchain | Crypto-Currency Software Emerges as Tool to Block Cyberattacks | Power Arrangements in Identity Systems | Why Ethereum is the most promising Blockchain technology | Privacy fix for blockchain from Blythe Masters | How blockchain can help fight cyberattacks | Using Blockchain to Protect Against Data Tampering | Legal implications of expanded use of blockchain technology ]
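Of the three fronts the VentureBeat piece names, the “data tampering” one rests on a mechanism that is simple to show in code: each record carries the hash of the record before it, so editing any stored record invalidates every link after it. The following is an added example, not code from the article or from any blockchain project, using a constructed log of four records. It demonstrates the tamper-evident hash chain on its own; what a real blockchain adds on top is replication and a consensus rule so that no single party can quietly rewrite every copy, which a single in-memory chain cannot show.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

GENESIS_PREV = "0" * 64  # constructed sentinel for the first block's predecessor


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str
    data: str
    hash: str


def compute_hash(index: int, prev_hash: str, data: str) -> str:
    """Hash over the block's position, its predecessor's hash and its payload.
    Canonical JSON keeps the encoding stable across runs."""
    payload = json.dumps({"index": index, "prev_hash": prev_hash, "data": data}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def build_chain(records: List[str]) -> List[Block]:
    """Append records in order, linking each block to the hash of the previous one."""
    chain, prev = [], GENESIS_PREV
    for i, data in enumerate(records):
        h = compute_hash(i, prev, data)
        chain.append(Block(i, prev, data, h))
        prev = h
    return chain


def verify_chain(chain: List[Block]) -> Tuple[bool, Optional[int]]:
    """Walk the chain from the genesis block; return (ok, index of the first bad block).
    A block is bad if its stored hash does not match its contents or its prev_hash
    does not match the predecessor actually in front of it."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        if block.index != i or block.prev_hash != prev or compute_hash(i, prev, block.data) != block.hash:
            return False, i
        prev = block.hash
    return True, None


def tip_hash(chain: List[Block]) -> str:
    """The last block's hash commits to the whole history; independent copies
    of a ledger can compare just this value to detect divergence."""
    return chain[-1].hash if chain else GENESIS_PREV


def edit_record(chain: List[Block], index: int, new_data: str, rehash: bool) -> List[Block]:
    """Simulate a stored record being altered after the fact. With rehash=False the
    block's own hash no longer matches; with rehash=True the block looks valid on its
    own but the next block's prev_hash no longer points at it."""
    edited = list(chain)
    b = edited[index]
    h = compute_hash(b.index, b.prev_hash, new_data) if rehash else b.hash
    edited[index] = Block(b.index, b.prev_hash, new_data, h)
    return edited


# Constructed audit records (hypothetical content).
RECORDS = [
    "2017-01-23 alice granted role=admin",
    "2017-01-24 bob revoked role=admin",
    "2017-01-25 config change: logging=verbose",
    "2017-01-26 carol password reset",
]

if __name__ == "__main__":
    chain = build_chain(RECORDS)
    print("intact:", verify_chain(chain), "tip:", tip_hash(chain)[:16])
    print("edited, no rehash:", verify_chain(edit_record(chain, 1, "2017-01-24 bob granted role=admin", rehash=False)))
    print("edited, rehashed:", verify_chain(edit_record(chain, 1, "2017-01-24 bob granted role=admin", rehash=True)))
```

The check catches both the naive edit (block 1's hash no longer matches) and the edit where the attacker recomputes that one block's hash (block 2 now points at a hash that no longer exists). To pass verification the editor would have to recompute every later block, which changes the tip hash; that is why the tip is what independent replicas compare, and why tamper evidence only becomes tamper resistance once copies are held by parties who do not all cooperate.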

Smart Cars

WW – FPF & NADA Launch Guide to Privacy in the Connected Car

The Future of Privacy Forum (FPF) and the National Automobile Dealers Association (NADA) released a first-of-its-kind consumer guide, Personal Data In Your Car [see the 8-page PDF here: https://fpf.org/wp-content/uploads/2017/01/consumerguide.pdf ]. The Guide will help consumers understand the kind of personal information collected by the latest generation of vehicles, which use data to further safety, infotainment, and customer experience. “The release of this Guide is a critical step in communicating to consumers the importance of privacy in the connected car, as well as the benefits that car data can provide,” said FPF CEO Jules Polonetsky. As vehicles become more connected, it will be increasingly important to communicate with consumers how their information is collected and shared. For further information about technology in the car, consumers should contact their local dealer and review their vehicle’s owner’s manual. [Future of Privacy Forum | See also: My pal the car: emotionally intelligent vehicles a technology dream but potential privacy nightmare | Cars Would Be Required to Talk to Each Other Under U.S. Plan | ENISA Jumpstarts Connected Car Cybersecurity Study for EU | Data Privacy, Security, and the Connected Car | European Multi-Stakeholder Group Releases Connected Vehicles Report | Smart cars share revealing personal data, raise privacy concerns ]

CA – The Data You Leave In a Rental Car Could Threaten Your Privacy

Information not deleted from onboard infotainment systems in vehicles is a ‘considerable problem’. CBC checked several cars in Fredericton and found contact information on both rental and pre-owned cars, leaving breadcrumb trails of information visible to the next person who sits behind the wheel. It’s information car rental companies and resellers are often not deleting, leaving a digital footprint that can threaten the privacy of those unsuspecting drivers. “It’s a considerable problem, actually,” said Rajen Akalu, an assistant professor at the University of Ontario Institute of Technology. Akalu did a report for Canada’s privacy commissioner on infotainment platforms in vehicles and their implications for privacy. Ultimately, if you are going to pair your phone, experts suggest finding out how to reset the car to its factory settings. In the case of car rental companies, “they check whether or not the car has a full tank of gas when you return it,” Akalu said. “They can equally ensure that the data is wiped from the unit, right?” [CBC News | See also: My pal the car: emotionally intelligent vehicles a technology dream but potential privacy nightmare ]


US – Twitter Reveals FBI NSLs that May Have Infringed On Legal Guidelines

Twitter has for the first time disclosed that it received two national security letters (NSLs) from the FBI [one in September 2015 and one in June 2016]. The firm said that the disclosures mark the first time it was allowed to publicly reveal the NSLs. However, the FBI’s request for Twitter data may have reportedly gone beyond the scope of current legal guidelines. Twitter said in a blog post, “We have provided each of the account holders with copies of the relevant NSLs (certain information redacted to protect privacy) as well as the account data we were compelled to produce. Twitter remains unsatisfied with restrictions on our right to speak more freely about national security requests we may receive. We continue to push for the legal ability to speak more openly on this topic in our lawsuit against the U.S. government, Twitter v. Lynch.” [International Business Times UK | See also: Did FBI overstep its bounds in requesting information from Twitter? | FBI request for Twitter account data may have overstepped legal guidelines | Cloudflare’s In-House Lawyers Open Up About Privacy Fight With FBI | Progressive Phone Company Discloses Legal Battle Over FBI’s National Security Letters | Google Publishes Eight Secret FBI Requests | What Happens When My Company Receives a National Security Letter? A Primer | Freed From Gag Order, Google Reveals It Received Secret FBI Subpoena | EFF Urges Senate Not to Expand FBI’s Controversial National Security Letter Authority | Senate Intelligence Committee Expands FBI NSL Powers With Secret Amendment To Secret Intelligence Bill | Requests for data rise sharply under secretive U.S. surveillance orders ]

CA – Privacy & Winnipeg’s New TMC With 70 Zoomable Street Cams

The City of Winnipeg unveiled its splashy new Transportation Management Centre and launched its Waze traffic app. City staff at the hub will look to a wall of big screens hooked up to a network of data feeds and 70 cameras already installed at busy intersections. The cameras can zoom in as far as three kilometres from where they’re mounted, said a city engineer. But questions about privacy remain, as the city has yet to push through an associated privacy protocol to prevent the unintended use of the network of data and cameras. Mayor Brian Bowman said privacy concerns over the potential misuse of the system by police for surveillance purposes are valid, but he’s been assured the sole purpose of the system is to gather information for traffic management. [CBC | Winnipeg’s traffic centre opens ]

Telecom / TV

CA – Canadians’ Internet Data Affected As Trump Cancels Privacy Rules

Activists and academics are calling on Canada’s privacy commissioner to investigate after an executive order [see here: https://www.whitehouse.gov/the-press-office/2017/01/25/presidential-executive-order-enhancing-public-safety-interior-united ] signed last Wednesday by Donald Trump declared that federal agencies “shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.” Ronald Deibert of the University of Toronto’s Citizen Lab estimated that some 90% of Canadian Internet traffic is routed through the United States. Many have wondered whether any privacy protections really exist for Internet traffic in the U.S.; the Obama administration expanded the ability of intelligence agencies to share surveillance data shortly before leaving office. Trump’s new executive order “has real life implications,” consumer activist group OpenMedia said in a statement. “Everything from your financial status, to your medical history, your sexual orientation, and even your religious and political beliefs are exposed.” [It is] calling for “a reassessment of what information our government chooses to share with the U.S.” [Huffington Post Canada | See also: Trump’s Executive Order Eliminates Privacy Act Protections for Foreigners ]
