4-15 February 2017


US – Fingerprinting for Federal Contractors Takes Effect Feb. 1

The RCMP is ending its old practice of checking criminal history using a person’s name. New contractors taking on work with the federal government will have to submit their fingerprints electronically to the RCMP as of Feb. 1, so the law enforcement agency can run a criminal record check in its database. Public Services and Procurement Canada said it needs to make the change because the RCMP is ending its old practice which sometimes led to problems because names could be misspelled, too common or swapped for nicknames. The new rules apply to all levels of clearance, from the basic “reliability status” to “top secret.” In some ways, it’s an expansion of a controversial new standard for public servants that is nearing the end of a three-year rollout that began in October 2014. That policy requires all federal employees to submit to an updated security screening, including credit checks and fingerprinting. [see here & here ] The Office of the Privacy Commissioner of Canada doesn’t have a problem with fingerprinting, in general. “I can tell you that our office believes that the use of fingerprints for a criminal record check is appropriate to ensure authentication,” wrote a spokesperson. “We understand that fingerprints submitted for security screening will be destroyed after the check is complete.” [CBC News]

CA – Feds Lobbying Against Trump Push for Biometric Screening for U.S. Visitors

Canada has launched a behind-the-scenes lobbying campaign against a push by Donald Trump to subject all visitors to the United States to biometric screening – such as finger-printing, retina scans or facial recognition tests – upon both entry and exit. Public Safety Minister Ralph Goodale raised the issue during a phone call with John Kelly, the new U.S. Homeland Security Secretary, Mr. Goodale’s office confirmed. The lobbying effort will likely be aimed not just at Mr. Kelly and other members of Mr. Trump’s administration but also at members of Congress, who would need to approve large related expenditures in order for implementation to proceed. To the extent the US has monitored who is exiting, other than a few biometric pilot projects, it has been through other measures – including an agreement with Canada, struck in 2011, in which the two countries inform each other when visitors return home. Ottawa appears optimistic that the success of that recent data-sharing will help it make the case that Canadians should be exempted from any new entry-exit measures. But it is also struggling with unpredictability of a new presidential administration that has thus far displayed very different priorities from any previous one. [G&M]

Big Data

WW – ACM Council Releases Seven Principles to Handle Algorithm Biases

The ACM US Public Policy Council released their “Statement on Algorithmic Transparency and Accountability,” including seven principles organizations should follow to address potentially harmful biases stemming from using algorithms. The seven principles include users of analytic systems maintaining awareness of biases arising within their design, institutions maintaining accountability for the decisions they make based on their algorithms, and ensuring all decisions are recorded in case an audit is conducted in the event harm is suspected. “Following these principles cannot guarantee that there will be no biased algorithms or biased outputs,” ACM US Public Policy Council Chair Stuart Shapiro said in a press release. “But they will serve to keep computing professionals on the lookout for ways biases could creep into systems and provide guidelines on how to minimize the potential for harm.” [Techpolicy]

WW – Pew, Elon Examine the ‘Age of Algorithms’

A newly released Pew Research Center and Elon University’s Imagining the Internet Center study on algorithms and the future hinges on the question, “Will the net overall effect of algorithms be positive for individuals and society or negative for individuals and society?” Pew Research Center reports that of 1,302 respondents, 38% answered algorithms would positively impact society, 37% answered they would have a negative impact, and 25% felt that their consequences could be evenly split. Among the potential pitfalls identified in the study is the way algorithms can create hyper-specific profiles of internet users, without those users having an ability to see how they were identified or targeted. “‘Algorithmic transparency’ should be established as a fundamental requirement for all AI-based decision-making,” said the Electronic Privacy Information Center’s Marc Rotenberg. “There is a larger problem with the increase of algorithm-based outcomes beyond the risk of error or discrimination — the increasing opacity of decision-making and the growing lack of human accountability.” [Pew Internet]

WW – Uber Is Making Ride-Booking Data Publicly Available

Uber recently debuted a new online tool called Movement, which provides data like ride durations between two points, based on GPS information. The tool is a dream for city planners and local governments, who can use it to learn more about commute patterns, and target infrastructure projects. And in the coming months, Uber wants to make Movement accessible to everyone. It’s a gift, for certain. But some privacy experts worry the new tool could be a Pandora’s box. “Key, of course, to all of this, is, ensuring that the privacy of individual user data will be protected,” says Marc Rotenberg, president of the Electronic Privacy Information Center.If it turns out that Uber’s ride information can’t be de-identified, for sure, Rotenberg says the data dump could open the door to a host of other serious concerns. “You have to be considering everything from surveillance, stalking, cyberhacking, credit card theft, identity theft, financial fraud,” he says. “There’s a long list of potential risk to the users of the Uber service, and that’s why you need to deal with a threshold problem, which is the de-identification issue.” [PRI.org]


CA – Court Awards Damages Against a Foreign Website Over PIPEDA

In a recent decision, A.T. v Globe24h.com, 2017 FC 114, Canada’s Federal Court asserted jurisdiction over a foreign-based website that republished Canadian court and tribunal decisions from Canadian legal websites and allowed them to be indexed and rendered searchable on Google and other search engines. The Court declared that the owner and operator of the website, based in Romania, contravened the provisions of the federal private sector privacy legislation (the Personal Information Protection and Electronic Documents Act – PIPEDA), by collecting, using and disclosing online personal information contained in publicly available legal decisions for inappropriate purposes, and without the consent of the individuals concerned. The Federal Court of Canada has previously determined that PIPEDA will apply to a foreign-based organization where there is evidence of a sufficient connection between the organization’s activities and Canada. The relevant connecting factors include: a) the location of the target audience of the website; b) the source of the content on the website; c) the location of the website operator; and, d) the location of the host server. The Court noted that Romanian authorities had cooperated with the Privacy Commissioner’s investigation, and had taken action to curtail Globe24h’s activities including by issuing a fine against it for contravening Romanian data protection laws. However, this fact did not prevent the Court from asserting jurisdiction over the matter, on the basis that the Court’s findings would complement rather than offend any action that taken in a Romanian court. While the monetary damages awarded in this case were modest, the Court sent a clear signal that damages will be awarded where the privacy rights of Canadians are disregarded in the pursuit of profit, in a manner that is non-compliant with Canadian privacy laws. The decision emphasizes that available exemptions under PIPEDA are limited and specific, and will be interpreted narrowly in order to afford maximum protection to individual privacy interests. [Gowling | PIPEDA’s global extra-territorial jurisdiction: A.T. v. Globe24h.com | When are public documents too public?: A.T. v. Globe24h.com tests the limits ] [PIPEDA’s global extra-territorial jurisdiction: A.T. v. Globe24h.com | When are public documents too public?: A.T. v. Globe24h.com tests the limits | Michael Geist: Canadian Court Makes ‘Landmark’ Ruling That Could Establish Its Own Right To Be Forgotten]

CA – The New U.S. Executive Order: Effects on Canadian Privacy Laws and Cross Border Data Transfers

President Donald J. Trump’s executive order issued January 25, 2017, contained one little paragraph with big words about Canadians’—and other non-U.S. citizens’—privacy: [see Section 14 here ] This paragraph has triggered alarm in some corners of the Internet. However, on closer inspection, it doesn’t appear to change much, at least legally speaking and from a Canadian private-sector perspective. The executive order has no direct impact on the treatment of personal information by the private sector. In particular, the order does not appear to change the circumstances in which US law enforcement or security agencies can compel private actors to disclose information about Canadians (or other non-U.S. citizens). The effect of the executive order on Canadian regulators’ views of cross border information transfers in the private sector is uncertain at this point in time. Canadian regulators generally require Canadian organizations to disclose the consequences of information sharing across national borders and it is currently unclear what, if any, effect, the executive order have on those disclosures. While President Trump’s executive order may not have altered substantive legal protections for personal information, it has clearly attracted public attention to the issue. Moving forward, it appears likely that the public will pay increased attention to cross-border information-sharing with the U.S.—a development of which organizations should remain cognizant. [Canadian CyberSecurity Law | Canadians’ personal data at risk thanks to U.S. executive orders | Canadians’ Internet Data Affected As Trump Cancels Privacy Rules | Trump’s Executive Order Eliminates Privacy Act Protections for Foreigners | One quarter of Canadian online traffic vulnerable to NSA sweeps: researchers

CA – Trudeau’s Bill C-23 Gives US Border Agents Spooky New Powers

U.S. border guards would get new powers to question, search and even detain Canadian citizens on Canadian soil under a bill proposed by the Liberal government. Legal experts say Bill C-23 [see here ] will give new powers to U.S. border guards to question, search and even detain Canadian citizens on Canadian soil. It could also erode the standing of Canadian permanent residents by threatening their automatic right to enter Canada. It takes away important rights found in the existing law and raises the prospect of a Canadian being arrested simply for deciding he or she has had enough with a certain line of questioning. Under the existing law, a strip search can only be conducted by a Canadian officer, though a U.S. officer can be present. Greene points out C-23 says if a Canadian officer is unavailable or unwilling, the U.S. officer can conduct the search. “So you could have a circumstance where the Canadian officer says, ‘No I don’t think a search is warranted here. I’m not willing to do it.’ But the U.S. officer just says, ‘Fine, we’re going to do it anyway.’” [CBC News See also: Your rights at the U.S. border: Three perspectives | Trump’s travel ban could run up against Canada’s pre-clearance agreement with U.S. | Is The Border Safe? US Could Detain Canadians In Canada Under Bill | A Guide to Getting Past Customs With Your Digital Privacy Intact | New border bill allows sharing of biographic data | New bill would allow border guards to collect biographic data on those leaving Canada | Op-Ed: Canada to share information with U.S. on land border crossers]

CA – Yukon IPC Believes Government ATIPPA Review Would Reduce Individuals’ Privacy Rights

The Information and Privacy Commissioner in the Yukon has commented on the review of the Access to Information and Protection of Privacy Act conducted by the Minister of Highways and Public Works. The review indicated that ‘personal information’ was defined too broadly; however, the definition is similar to other federal and provincial privacy laws, and it is unclear how the definition could be narrowed without a negative impact on individuals’ right to informational privacy. Any difficulties the public has in verifying what their information is being used for, or the accuracy of personal information held by public bodies can be resolved through better notice to individuals, and better procedures to ensure information collected is accurate. IPC Yukon – Comments on the ATIPPA Review Report Issued by Yukon Government in December 2016 | Press Release ]

CA – OIPC SK Issues Guidance on the Determining Who is a Trustee of Personal Health Information

A review by the Office of the Information privacy Commissioner of the trustee requirement under the Health Information Protection Act. The Trustee is the physician or organization that has custody (i.e. physical possession) and control (i.e. authority to manage use, disclosure and retention) of records containing PHI; to prevent confusion and disputes about who is the Trustee, physician associations or business corporations should have written agreements in place that clearly spells out which party (i.e. the entity or each physician) is considered the Trustee. [“A” Trustee vs. “THE” Trustee – Office of the Saskatchewan Information and Privacy Commissioner]

CA – OIPC NS Alarmed by Surveillance Camera Findings

The Office of the Information and Privacy Commissioner for Nova Scotia recently found 98 video surveillance cameras located on downtown streets in Halifax, Sydney, Kentville, Windsor, Digby and Yarmouth. Nova Scotia Privacy Commissioner Catherine Tully said about three-quarters of the cameras are owned by private businesses, while the others belong to the government, libraries, and Crown corporations. Tully’s office sent out a survey to 53 cities and towns in Nova Scotia, with 25 responding. Tully has expressed alarm with some of the findings. “It certainly heightened my concern, mainly because not only did they have cameras, very few had privacy policies,” Tully said. “Just six said they had privacy policies and none had conducted what we call a privacy impact assessment.” [CBC News]

CA – Class Action Lawsuit Granted in Quebec for Damages from Data Breach

The Court considered Target Corporation Inc.’s motion to dismiss a class action lawsuit filed by Evan Zuckerman for lack of jurisdiction. The expense incurred by an individual in Quebec for credit monitoring was sufficient for a Quebec court to establish jurisdiction; regardless of potential lawsuits in US courts, the lawsuit will proceed in a Quebec court because the plaintiff, his witness, and approximately 60,000 class members reside in Quebec. [Zuckerman c. Target Corporation – 2017 QCCA 110 CanLII – Superior Court of Quebec]

CA – BC Premier Clark: We’ll Fire Anyone Involved With Breach

A breach of PharmaNet, the system used to track information regarding prescription drugs, has British Colombia’s Premier Christy Clark “profoundly disturbed.” With 7,500 citizens affected, Clark said, “If anyone in the government, anyone in the employ of the public service, anyone who gets their fees from the government is found to be responsible for this, they will be fired immediately.” The issue, uncovered by a vendor contracted to identify unusual activity in the system, is being mitigated with help from the British Columbia Office of the Information and Privacy Commissioner. Acting Information and Privacy Commissioner Drew McArthur said he would liked to have seen quicker work: “It took them several months to get the notification letters out. We would have preferred that they notified people earlier, so that people can start to take action to protect their personal information.” [Global News] [PharmaNet breach compromises personal information of 7,500 B.C. residents, says province]

CA – BC Lib’s Consultation Effort Over Provincial Records Lampooned

The B.C. government is asking the public to weigh in on new rules for how the province handles its records. But critics say the exercise is meaningless without requiring the government to create records in the first place – a so-called “duty to document” that has been repeatedly recommended but ignored by the province. The former privacy commissioner, Elizabeth Denham, also called for a “duty to document” requiring government workers to keep records, after discovering that many Freedom of Information requests were coming back empty. In 2015 [she] released a scathing report on the government’s actions to frustrate public requests for information, including the deletion of records. A former government staffer was later charged and pleaded guilty. Ms. Clark appointed a previous privacy commissioner, David Loukidelis, to review the commissioner’s report. Mr. Loukidelis made 27 recommendations, including penalties for destruction of records. He, too, recommended a “duty to document.” [G&M]


EU – Netherlands Will Count Ballots by Hand

The Dutch government has said that ballots in the country’s parliamentary election scheduled for March 15, 2017, will be counted by hand to assuage concerns that digital tabulation systems could be compromised. Intelligence agencies have cautioned that elections in France, Germany, and the Netherlands could be at risk of manipulation. Watch This Security Researcher Hack a Voting Machine | Paperless voting machines a hacking risk | Edward Snowden Demonstrates How Easy It is to Hack a Voting Machine – All for Just $30 | Dutch will hand count ballots due to hacking fears | Dutch revert to an all-paper ballot, fearing election hack | Netherlands reverts to hand-counted votes to quell security fears]

CA – DVD Containing Tax Info on 28,000 Yukon Citizens Lost

The Canada Revenue Agency announced a courier company has lost an encrypted DVD containing the tax information of nearly 28,000 Yukon taxpayers. The CRA released a statement saying it has been made aware of the lost DVD, but did not identify when the incident occurred. The CRA has notified the Office of the Privacy Commissioner of Canada, while the courier service has commenced a search for the missing DVD. “At this time, there is no indication that the data has been accessed or used,” the CRA release states. “And given the strong security measures in place, the risk is thought to be very low that the taxpayers’ information would be compromised even if an unauthorized individual were to gain possession of the DVD.” [CBC.ca]

CA – Windsor Councillor Calls for Drone Use Regulations

Windsor Councillor Irek Kusmierczyk is pushing for specific rules concerning drone use in city parks, citing privacy and safety concerns. Kusmierczyk said individuals using remote control airplanes and similar devices must get a permit from the city. Kusmierczyk wants to ensure drone use does not make citizens uncomfortable. “They don’t want to have somebody snapping their pictures, taking photographs of their children playing soccer or baseball or in festivals,” he said. “I just want to make sure we’ve got coverage in terms of finding that right balance, where we don’t dissuade people from using drones, but we do protect residents that do utilize the parks.” [CBC News]


US – Judge Breaks Precedent, Orders Google to Give Foreign Emails to FBI

A potentially major blow for privacy advocates occurred when a U.S. magistrate [Judge Thomas Rueter in Philadelphia] ruled against Google and ordered it to cooperate with FBI search warrants demanding access to user emails that are stored on servers outside of the United States. The case is certain to spark a fight, because an appeals court ruled in favor of Microsoft in a similar case recently. In the ruling against Google, Judge Rueter is arguing that even though “the retrieval of the electronic data by Google from its multiple data centers abroad has the potential for an invasion of privacy, the actual infringement of privacy occurs at the time of disclosure in the United States.” It’s unclear if that decision means that evidence from a foreign server would be a violation of privacy if disclosed in a U.S. court of law. Clarity is what tech companies and privacy advocates have been pushing for over the years. Both the Microsoft and Google cases relied on warrants issued under the Stored Communications Act from 1986. The search giant released a statement today saying, “The magistrate in this case departed from precedent, and we plan to appeal the decision. We will continue to push back on overbroad warrants.” Gizmodo | Reuters | US judge orders Google to hand over data to the FBI from overseas emails | Google must turn over foreign-stored emails pursuant to a warrant, court rules | Microsoft’s cloud privacy battle may go to US Supreme Court | Court Declines to Reconsider Microsoft Email Seizure Ruling | Court Keeps Microsoft’s Irish Servers Safe From U.S. | US government wants Microsoft ‘Irish email’ case reopened  | Lawmakers question DOJ’s appeal of Microsoft Irish data case | Microsoft Cloud Warrant Case Edges Closer to Supreme Court | Reuters: Court Rules Google Must Turn Over Emails Located on Foreign Server]


US – Minnesota State Court Upholds Compelled Unlocking of Criminal Defendant’s Cellphone

A Minnesota State court rules on a criminal Defendant’s appeal of his convictions partially based on evidence seized from his mobile phone. The Defendant’s Constitutional rights were not violated when a district court ordered him to provide his fingerprint so police could search his cellphone; the Defendant was not required to disclose any knowledge he might have (it was akin to standing in a lineup), and the district court did not ask Defendant whether his prints would unlock the phone or which print would unlock it (he asked which finger police wanted when he was ready to comply with the district court’s order, and he did not object at the time). [State of Minnesota v. Matthew Vaughn Diamond – A15-2075 – State of Minnesota In Court Of Appeals]

EU Developments

EU – Buttarelli Outlines EDPS’ Top Priorities for 2017

European Data Protection Supervisor Giovanni Buttarelli outlined his agency’s top three strategic areas of importance for 2017. The three areas include ensuring electronic communications receive the appropriate levels of privacy and protection, specifically within the context of the ePrivacy Directive; working toward a new framework for the EDPS; and contributing to a Security Union and stronger borders built upon respect for fundamental rights. “We aim to be accountable for our work across the range of our responsibilities, and in our priorities for advice you will find those European Commission proposals that, in our assessment, seem most likely to have implications for the fundamental rights to privacy and to the protection of personal data,” Buttarelli writes, adding his agency will be working with the Article 29 Working Party to make sure the EU has a consistent voice on data protection matters. [edps.eu]

EU – Facebook-Schrems Privacy Case Set to Begin

The highly anticipated privacy case that could determine the validity of standard contractual clauses is set to begin in the commercial division of Ireland’s High Court. Facebook and privacy campaigner Max Schrems are each part of the case. Ireland’s Data Protection Commissioner Helen Dixon wants the High Court to examine the validity of SCCs and to refer them to the Court of Justice of the European Union. Dixon has expressed concerns about the validity of the clauses in light of articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union and the CJEU’s ruling in the first Schrems’ case. SCCs allow businesses to transfer EU citizens’ personal data to countries outside of the European Economic Area. Joining Schrems and Facebook in the case as “friends of the court” are the U.S. government, the Business Software Alliance, Digital Europe, and the Electronic Information Privacy Center. [The Irish Times] [The Irish Times: Govt Concerned About ‘Sweeping’ Ramifications of Facebook-Schrems Case]

EU – EU Verifies Google’s Data Transfer Contractual Clauses

The Article 29 Working Party has ruled the contractual clauses used by Google to cover international data transfers for European users of its G Suite applications and cloud services are compliant with EU data protection requirements. Google said EU data protection authorities approved the language used in the company’s contracts for business customers in the EU and that they align with the European Commission’s “model contract clauses.” Google’s Head of Global Compliance Marc Crandall and its Head of Security and Compliance Matthew O’Connor wrote about the news in a blog post, noting the confirmation will help the company get similar certifications in countries with data protection requirements similar to the EU. Crandall and O’Connor also said the move will give EU businesses the needed legal protection to proceed with international data transfers without further authorizations. [blog.Google]

EU – French Man Wants $48 Million from Uber for Allegedly Breaking Up His Marriage

A French businessman from Côte d’Azur has sued Uber, asking for no less €45 million in damages. As French news site Le Figaro explains, a notification bug in Uber allowed his wife to spy on him without his knowledge. The man used her iPhone to order Ubers, and then he signed out of the app. However, notifications for his Uber account kept arriving on her phone after that, even though he was signed out. She may not have been able to track his location in real time or see the destinations, but she received plenty of information that would let her know when he was lying. For example, a “working late at the office” excuse doesn’t really work in your favor if you keep taking Uber rides all evening long, and someone can prove it. Le Figaro was able to replicate the bug, but only on iPhones and only using an Uber app version older than the December 15th update. That update apparently fixed the issue. The case should head to court next month. [BGR.com]

Facts & Stats

CA – Data Breach Reporting Expected to ‘Skyrocket’ in 2017

Following the Canadian government passing the Digital Privacy Act and the Canadian Securities Administrators taking measures to ensure businesses are more transparent about their cybersecurity practices, the number of reported data breaches is expected to skyrocket in 2017. The changes will result in companies not only having to disclose the incidents after they happen, they must also disclose specific risks potentially leading to other data breaches in the future. KPMG’s Kevvie Fowler said the increased reporting in data breaches will likely result in more companies facing lawsuits, but the transparency could also lead to stronger efforts to protect data and fewer data breaches in the long term. [CBC News]

US – The Worst Data Breaches in the U.S., Ranked State by State

15.2m Americans had confidential personal and financial information compromised last year. Researchers at Safetica USA have explored a vast database maintained by the US Government’s Department of Health and Human Services of every major data breach by a health clinic, doctor, dentist or hospital since 2009. Each entry chronicles how 500 or more confidential records were compromised in a single breach. There are two basic ways of looking at which states were worst affected by data breaches last year: by the number of cases, and by the number of individual records compromised. When it comes to the highest number of cases, the list of the worst-hit states closely follows population. Overall, the number of major breaches across the US increased last year to its highest level on record: 318 cases in 2016 compared to 270 in 2015. California, New York, Texas, Florida and Illinois were also the five worst affected states in 2015. A slightly different top 10 emerges if you look at the number of records compromised. A single hacking incident suffered by Banner Health revealed last summer affected 3.7m people and pushed Arizona to the top of the list. [Entrepreneur]

UK – 1.1M GBP Study to Examine Human Error and Breaches

A University of Surrey-led study is giving 1.1 million GBP to researchers to discover why human error is the cause of so many cyberattacks and why users don’t seem to learn from cybersecurity awareness initiatives. “The project’s overall aim is therefore to develop a framework through which we can analyze the behavioral co-evolution of cybersecurity/cybercrime ecosystems and effectively influence behaviors of a range of actors in the ecosystems in order to reduce human-related risks,” the researchers write. The project will take two years and begin in April, and will include contributors from multiple disciplines, like crime science, engineering, computer science, engineering, and behavioral science at University of Surrey, TRL, University of Warwick, and UCL. [CSO]

US – Breaches Snip $300M from Yahoo Price Tag

A new deal has been worked out for Verizon to buy Yahoo, at roughly $300 million less than Verizon’s original offer. The takeover deal was originally announced in July 2016, with a price of $4.8 billion. However, in the interim, Yahoo released information about two separate hacks that exposed the personal data of as many as a billion customers. Yahoo CEO Marissa Mayer said in January that the company has an “unwavering” commitment to security. [CNBC]

WW – App Extension Can Unveil Linkedin Users’ Email Addresses

Charlie, a free app that notifies users of forthcoming meetings and provides information on those in the meeting, now has a Chrome extension that gives users access to LinkedIn users’ emails. It also provides “the option to copy the email address, compose an email or request Charlie to research and send you information about that person.” “The research information is similar to what the app sends before a meeting, containing professional achievements and news.” Aaron Frazin, CEO of Charlie, explained that the tool will not override security measures that protect emails on LinkedIn, but rather uses algorithms to “take a guess,” at what the email address is. [CNET]


WW – Privacy and Anti-Piracy Advocates Square Off On Browser Updates

The World Wide Web Consortium is considering standardizing the digital rights/restrictions management-enabling Encrypted Media Extensions, which protect media from piracy while reportedly limiting a browser’s security and damaging the internet’s open architecture. The potential move is a controversial one, with anti-piracy advocates supporting it while privacy proponents are critical. “DRM is a dangerous feature to standardise and have enabled across everyone’s browser because it essentially enforces a black box of code to be installed on your browser which cannot be audited or looked at or even talked about by security researchers,” said former W3C employee Harry Halpin. This “black box” is not accessible by internet users, either. [Ars Technica UK]


EU – Brussels Eyes Sweeping Cash Ban: Are Gold and Silver Next?

European Union officials just published a “Proposal for an EU Initiative on Restriction on Payments in Cash.” Predictably, the restrictions are being sold to citizens as a means of fighting terrorism – much like a host of other privacy and liberty-destroying power grabs in recent decades. This despite a telling admission contained in the proposal: “There remains the lack of readily available and solid evidence on legitimate versus illegitimate cash transactions.” Ban the use of cash first, ask questions later. In Germany, 79% of transactions are done in cash. Many there aren’t going to take restrictions lying down. Some see the war on cash for what it is – bureaucrats using the lever of fear to once again ratchet up controls and restrict privacy. Attempts to regulate the trade of physical gold and silver will not be far behind any restrictions on cash. Precious metals are an obvious target because they are a premier form of private, off-the-grid, and portable wealth. [GoldSeek See also: Who’s Powering the War on Cash? | Cashless Economy will lead to a Starving Economy | India’s Demonetization “Shock Therapy”: State Sponsored Financial Repression | Government Invades Privacy Under Money Bill ]

Health / Medical

US – HHS Imposes $3.2 Million Fine on Children’s Medical Center for Loss of Unencrypted Devices 

the Department of Health and Human Services, Office for Civil Rights has issued a notice of final determination against Children’s Medical Center of Dallas, a covered entity, for violations of the HIPAA Privacy and Security Rule. An unencrypted, non-password protected mobile device was lost at an airport, which contained PHI of 3,800 patients; the penalty was imposed due to lack of access controls ($923,000) and device/media controls ($772,000) and impermissible disclosure of PHI ($1,522,000). Aggravating factors taken into account when imposing the penalty included 5 prior separate thefts of laptops and mobile devices, and a previous externally-produced report highlighting the need to encrypt such devices. HHS – Notice of Final Determination – Children’s Medical Center of Dallas Press Release | Notice of Final Determination

US – NY Bill  Prohibits Making or Broadcasting  Visual Images of Patient Medical Treament Without Consent

Assembly Bill 1190, amending Public Health Law and Civil Rights Law and relating to making and/or broadcasting visual images of patient medical treatment, is introduced and referred to the Health Committee: the companion bill is Senate Bill 3696. The right to privacy requires obtaining prior written express consent from the patient (or legal representative) for such broadcasting; exceptions include broadcasting for the purposes of health care treatment of the patient, a quality assurance program, the education/training of health care personnel (about which the patient has the right to know and refuse broadcasting), and necessary security purposes. [Assembly Bill 1190 – Relating to Prohibiting the Making and/or Broadcasting of Visual Images of Individuals Undergoing Medical Treatment Without Prior Consent – New York State Assembly

Horror Stories

US – VIZIO to Pay 2.2 Million to Settle Consumer Tracking Charges

Vizio, one of the world’s biggest makers of Smart TVs, is paying $2.2 million to settle charges [see 12 pg pdf here ] that it collected viewing habits from 11 million devices without the knowledge or consent of the people watching them. In an e-mailed statement, Vizio officials wrote: “The ACR [automated content recognition] program never paired viewing data with personally identifiable information such as name or contact information, and the Commission did not allege or contend otherwise. Instead, as the Complaint notes, the practices challenged by the government related only to the use of viewing data in the ‘aggregate’ to create summary reports measuring viewing audiences or behaviors.” The tracking started in February 2014 on both new TVs and previously sold devices that didn’t originally ship with ACR software installed. The software periodically appended IP addresses to the collected data and also made it possible for more detailed personal information—including age, sex, income, marital status, household size, education level, home ownership, and home values—to be associated. …The allegations are only the latest to raise troubling privacy concerns about Internet-connected TVs and other so-called Internet-of-things devices. In late 2015, security researchers found that Vizio TVs failed to properly validate the HTTPS certificates of servers they connected to when transmitting viewing-habit data. That made it trivial for anyone who had the ability to monitor and control the Internet traffic passing between the TV and the Vizio servers to impersonate the servers and view or tamper with the transmitted data. Smart TVs manufactured by LG have also been caught collecting potentially sensitive data, including a list of shows being watched, the names of files contained on connected USB. Vizio must also delete any data collected before March 1, 2016, implement a comprehensive privacy program, and undergo biennial assessments of that program. FTC Acting Chairman Maureen Ohlhausen issued a concurring statement to the unanimous decision. [FTC.gov | WilmerHale See also [Samsung warns customers not to discuss personal information in front of smart TVs: Samsung has confirmed that its “smart TV” sets are listening to customers’ every word, and the company is warning customers not to speak about personal information while near the TV sets.]

Identity Issues

CA – OPC Canada Outlines Different Methods of Secure Authentication

The Office of the Privacy Commissioner of Canada has issued guidance on authentication types. Context-based authentication examines an individual’s current behaviour and habits and compares it with known/expected behaviour (significant deviations, such as a change in device/location, would result in a challenge to present other credentials), proximity-based authentication uses a token to enable automatic access when close to a device (e.g. smartphone or watch), and software-based authentication uses smartphone apps to calculate pseudo-random access codes (instead of carrying a separate hardware token). [OPC Canada – Your Identity – Ways Services Can Robustly Authenticate You]

CA – Canada’s SecureKey Wins U.S. 800K Grant for Digital Identity Network

SecureKey Technologies and The Digital ID and Authentication Council of Canada (DIACC) have received a grant for up to $800,000 from Command Control and Interoperability Center for Advanced Data Analytics (CCICADA), a research center funded by the U.S. Department of Homeland Security, to help build a digital identity network. The aim is to build a national system that allows the public to access online services without memorizing dozens of passwords, or prove their identity, while still maintaining their privacy and security by using blockchain to create a “triple blind” privacy protocol that allow individuals to easily connect to partnering online services using an existing, trusted log in credential, while limiting the actual amount of data being transmitted for security. [Reuters See also: What Role Does Government Play in Blockchain Technology’s Future? | Bank of Canada’s blockchain tests spotlight challenges | Project Jasper: Lessons From Bank of Canada’s First Blockchain ProjectA Complete Beginner’s Guide To Blockchain]

US – Data Re-Identification Law Should Be Passed: Senate Committee

Overriding concerns about the scope, burden of proof reversal, criminalization, and retrospective application of the law, a Senate committee has recommended that the data re-identification Bill be passed in a report tabled in Parliament. Under the laws introduced to the Senate in October, intentionally re-identifying a de-identified dataset will become punishable by up to two years’ imprisonment, with the laws to be retrospectively applied from September 29, 2016. Senators from both the Labor and Greens parties dissented with the committee’s recommendations, saying that the Bill should not be passed because it is “disproportionate” to the aforementioned gap in privacy legislation, and also does not achieve its objectives. “The Bill adopts a punitive approach towards information security researchers and research conducted in the public interest. In contrast, government agencies that publish poorly de-identified information do not face criminal offences and are not held responsible,” Labor and Greens senators argued. Electronic Frontiers Australia (EFA) said “The proposed Bill creates no incentives for Australian government agencies or other organizations to increase their data security, or to adopt data austerity measures. Conversely, the proposed Bill creates (as intended) a strong disincentive for researchers to announce a real or potential vulnerability of re-identification.” [ZDNet See also: Clear-cut definition of de-identified data critical in legislation: Pilgrim | De-identification: the de-vil is in the de-tail | Brandis flags Privacy Act changes to protect anonymised data Brandis to criminalise re-identifying anonymous data under Privacy Act | Research work could be criminalised under George Brandis data changes | Fears that patients’ personal medical information has been leaked in Medicare data breach | NZ privacy commissioner recommends Australia’s data re-identification criminalisation lead]

Internet / WWW

WW – CISPE Announces 30 Services Comply with its Code of Conduct

The Cloud Infrastructure Services Providers in Europe announced more than 30 services comply with the CISPE Data Protection Code of Conduct. The CISPE, a coalition of cloud providers serving millions of European customers, states Amazon Web Services and UpCloud are among the services committing to the code of conduct. Cloud infrastructure services are operated in data centers in Bulgaria, Finland, France, Germany, Ireland, Italy, the Netherlands, Spain, and the U.K. The CISPE Data Protection Code of Conduct is designed to help customers ensure cloud providers are using the proper data protection standards consistent with both the current Data Protection Directive, and the upcoming General Data Protection Regulation. “Any customer will know that if their Cloud Infrastructure Provider is complying with the CISPE Code of Conduct, their data will be protected to clear standards,” said CISPE Chairman Alban Schmutz. “CISPE Code of Conduct provides Europeans with the confidence that their information will not be used for anything other than what they stipulate.” [CISPE.cloud]

WW – Private Search Browser Cliqz Acquires Ghostery’s Consumer Biz

Cliqz, a Mozilla-backed German startup, has acquired Ghostery’s consumer-focused product suite. Ghostery will now revert to its former name, Evidon, and focus on its B2B business, helping enterprises with privacy compliance, especially related to self-regulatory programs like AdChoices. Cliqz, which is currently building its own anti-tracking browser with a built-in private search feature, will take on Ghostery’s anti-tracking browser extensions and mobile apps. The acquisition will help Cliqz gain Ghostery’s 10 million active users, in hopes of spurring international growth. “We plan to launch in the U.S. and some Western European markets soon,” said a Cliqz spokesman. “The Ghostery acquisition will be a big help. Ghostery users around the world can opt-in to contribute anonymous statistical data via our Human Web technology.” [TechCrunch]

Law Enforcement

US – Bills to Limit Use of ‘Stingray’ Data Are Back

The influential chairman of a House committee is again putting his support behind two bipartisan bills that would curb law enforcement’s use of intercepted mobile-phone data without a warrant. The revival of the legislation comes after the House Oversight and Government Reform Committee published a yearlong investigation in December that delved into the devices agencies use to intercept wireless communications, called cell site simulators, IMSI catchers or “stingrays.” Chaffetz and two other [ Sen. Ron Wyden & Rep. John Conyers ] members of Congress reintroduced The Geolocation Privacy and Surveillance Act, which would make it illegal to intercept Americans’ geolocation information without their knowledge, or to use or disclose information collected that way, except after obtaining a warrant or in other specified circumstances. Chaffetz also reintroduced Wednesday the Cell Location Privacy Act [see here], which [requires] law enforcement to get a warrant before using devices known as “stingrays,” cell-site simulators or IMSI-catchers. His committee [House Oversight and Government Reform Committee] released a bipartisan staff report in December that found the departments of Justice and Homeland Security spent more than $95 million cumulatively on cell site simulators, as FedScoop reported at its release. [FedScoop See also: Chaffetz: Autonomous Cars, Drones, IoT on Oversight Committee’s Agenda | Bipartisan bill seeks warrants for police use of ‘stingray’ cell trackers | Stingray: A New Frontier in Police Surveillance | FCC Helped Create the Stingray Problem, Now it Needs to Fix It | Feds back police in FOIA fight over cell site simulators | Government use of surveillance devices must be restricted: privacy experts | Long-Secret Stingray Manuals Detail How Police Can Spy on Phones | Stingray documents offer rare insight into police and FBI surveillance

US – Taser to Bring AI to Police Bodycams

Taser International has made a pair of acquisitions as it attempts to help police departments sift through the large amount of footage obtained by body cameras. Taser is acquiring both Dextro and the computer vision team of Misfit to create Axon AI, a group that will use artificial intelligence to help police departments categorize and analyze all bodycam footage, making it easily searchable. Bodycam use has been welcomed as a way to boost police accountability, but privacy advocates are concerned adding AI to the process could lead to issues down the line. “We support bodycams on the condition that they serve as an effective police oversight tool and not as yet another set of government surveillance cameras,”American Civil Liberties Union Senior Policy Analyst Jay Stanley said. “The storing of video and running analytics on it does not strike the right balance between privacy, oversight and usefulness to the police.” [Forbes]


US – Lawmakers Introduce GPS Act to Prevent Illicit Geolocation Tracking

Sen. Ron Wyden, D-Ore., Rep. Jason Chaffetz, R-Utah, and Rep. John Conyers, Jr., D-Mich., introduced a bill designed to create rules for when agencies can track and access a citizen’s geolocation data. The Geolocation Privacy and Surveillance Act is aimed at any law enforcement agencies looking to obtain geolocation information on any individual without their knowledge. The GPS Act will create penalties for anyone attempting to track any person without prior authorization, and prohibits commercial service providers from sharing geolocation data without the subject’s consent. “Outdated laws shouldn’t be an excuse for open season on tracking Americans, and owning a smartphone or fitness tracker shouldn’t give the government a blank check to track your movements,” Wyden said. “Law-enforcement should be able to use GPS data, but they need to get a warrant. This bill sets out clear rules to make sure our laws keep up with the times.” [Wyden.senate.gov]


WW – 2017 A Big Year for The Hybrid Cloud

The idea “hybrid cloud,” where companies use a mix of private and public cloud services as part of their operations, will “likely” enter the mainstream in 2017. Cloud services are not optional tools for companies anymore, and the forthcoming General Data Protection Regulation will require businesses to question how they are using data, and in some cases overhaul how they manage it in order to comply. Such processes “in turn will result in additional benefits in terms of reduced data storage and management costs.” [ITProPortal]

Online Privacy

WW – Anonymous Web Browsing Doesn’t Mean You Stay Anonymous: Study

A study conducted by Stanford University and Princeton University researchers has found that anonymous browsing data can be frequently tied back to actual identities. After having users “donate” their browsing history, researchers attempted to connect the data with their Twitter accounts. “Seventy-two percent of people who we tried to deanonymize were correctly identified as the top candidate in the search results, and 81% were among the top 15 candidates,” researcher Jessica Su writes. “This is, to our knowledge, the largest-scale demonstration of deanonymization to date, since it picks the correct user out of hundreds of millions of possible Twitter users,” she adds. “In addition, our method requires only that a person clicks on the links appearing in their social media feeds, not that they post any content — so even people who are careful about what they share on the internet are still vulnerable to this attack.” [The Conversation]

WW – Researchers Create Cross-Browser Tracking Method

Researchers have developed a way to track users across multiple browsers. The method uses code to instruct browsers to perform numerous tasks in the background while users visit a webpage, with those tasks then drawing on operating system and hardware resources that create a unique profile. While cross-browser tracking has its benefits, it also possesses numerous privacy concerns, the researchers note. “From the negative perspective, people can use our cross-browser tracking to violate users’ privacy by providing customized ads,” said lead researcher Yinzhi Cao. “Our work makes the scenario even worse, because after the user switches browsers, the ads company can still recognize the user. In order to defeat the privacy violation, we believe that we need to know our enemy well.” The researchers released a website to demonstrate the technique. During a test run conducted over a three-month period, it was able to correctly identify users 99.2% of the time. [Ars Technica]

UK – Study: Low Data Quality Plagues UK Marketers

Royal Mail Data Services has found that U.K. organizations estimate that “poor-quality consumer data” costs them an “average of 6% of their annual revenues.” Additionally, 91.4% of marketers said their organizations have data-quality issues, while 58% expressed concerns about the compliance of their “in-house customer data.” Organizations must improve their data quality by the time the General Data Protection Regulation goes live in May 2018. Specifically, “untangling this web starts with recognising the proliferation of sources that capture a variety of customer data, which needs to be permissioned, validated, cleansed and managed.” [Information Age]

UK – Some UK Dating Apps Have Privacy Vulnerabilities, Research Finds

Some of the most popular dating apps in the U.K. are leaking personal information. “During testing, four of the free apps exposed customer information by not fully securing data sent from the app’s owners to customers’ phones.” “These were Happn, Hookup Now, AnastasiaDate, and AffairD. The analysis also highlighted the amount of personal data being collected by MeetMe and specific location data being gathered by Once.” The investigation was conducted with the help of an American security researcher who wished to remain anonymous. “It is pretty clear some of the apps have significant consumer privacy issues,” the researcher said. “I don’t think any of these apps have bad intentions but some of them have negligent security practices that would allow an attacker or a person who has bad intentions to find out information about users the app doesn’t intend.” [Wired]

UK – Dear IAC: Clarify your Data Usage On Dating Apps

Privacy International Executive Director Gus Hosein has written a letter to IAC, owner of more than 150 brands that include many popular dating apps like Tinder and OkCupid, asking the company to better explain how and if it shares data among its brands. In conjunction with the letter, PI launched its “Way too Mutch“ campaign in an effort to highlight how one company owns many of these dating apps. “We appreciate that the Privacy Policy of each of your dating websites may well indicate how sensitive personal data from users’ dating profiles might be shared with other brands and companies,” the letter states. “But we seriously doubt that most people who sign up to one of your dating websites are aware that they are potentially giving their sensitive personal data to literally dozens of other brands and companies owned by IAC.” PI suggested IAC put its logo on all of its dating websites. [Privacy International]

US – Apps Not Up to Privacy Snuff to Get The Boot from Google Play Store

Google has announced it will either “limit the visibility” or remove apps from its Google Play Store that do not have privacy policies. The company has sent notices to various offending apps, giving them until March 15 to “include a link to a valid privacy policy which submits to Google’s rules on their application’s Store Listing page, as well as within the app itself… Alternatively, developers can simply remove the permissions request to collect sensitive user information.” The move “may also be an indication that the tech giant is seeking to tighten control and improve standards in the congested Android app marketplace.” [ZDNet]

US – Golden State Warriors Privacy Lawsuit Over So-Called Spying App Dismissed

A federal judge dismissed a lawsuit against the Golden State Warriors alleging the basketball team used a free mobile app to listen to users’ private conversations. The lawsuit claimed the app used “beacon” technology to track the plaintiff and turn on her phone’s microphone whenever it was running, even if it was on in the background. The judge found the plaintiff failed to prove the app used the contents of her conversation, according to The Recorder. The plaintiff may amend her complaint and refile, but must identify a specific time when she was having a private conversation, and the topic of the conversation then resulted in a targeted ad delivered from the beacon technology. [SiliconBeat]

Other Jurisdictions

US – EFF urges Democratic Control for Smart City Proposal

The Electronic Frontier Foundation has written a letter to the San Jose City Council urging them to implement an ordinance to ensure democratic control as the city considers a proposal to install 39,000 “smart streetlights.” The EFF argues that democratic decision-making is important in order to prevent police chiefs and other agencies from unilaterally installing new surveillance tools. The organization also believes “privacy by design” is a crucial element for San Jose to consider to prevent the smart city proposal from turning into a surveillance tool. “A critical procedural measure is for cities to employ their own privacy officers,” the EFF said in a statement. “With the great power of smart cities tools comes the great responsibility to competently manage them. A privacy officer must have expertise in the technological, legal, and policy issues presented by these powerful tools.” [EFF.org]

AU – Australia Passes Mandatory Data Breach Notification Law

Australian Privacy and Information Commissioner Timothy Pilgrim issued an official statement welcoming the passage of the Privacy Amendment (Notifiable Data Breaches) Bill 2016, establishing a mandatory data breach notification law across all of Australia. The bill requires government agencies or businesses covered by the Privacy Act to alert any individual affected by a data breach where serious harm is likely to occur. Pilgrim said his office will work with those organizations to ensure they are prepared for when the law is implemented next year. “The new scheme will strengthen the protections afforded to everyone’s personal information, and will improve transparency in the way that the public and private sectors respond to serious data breaches,” Pilgrim said in a statement. “It will also give individuals the opportunity to take steps to minimise the damage that can result from unauthorised use of their personal information.” His office received 107 voluntary breach notifications in 2015-2016. [OAIC.gov.au]

Privacy (US)

WW – Travelers Wonder Whether to Bring Phone to US

Software engineer Quincy Larson’s widely shared blog post advised travelers to leave their mobile devices at home when traveling to the U.S. Larson’s argument was sparked by the airport detainment and subsequent demand for the smartphone password of American-born NASA engineer Sidd Bikkannavar’s phone. Larson viewed this incident as a “dangerous precedent.” In light of his suggestion, BBC News’ Rory Cellan-Jones reached out to U.K. and U.S. officials for their take. The U.K. Foreign Office said that while “their travel advice did not cover this subject because they had not received any calls about it,” they advised someone in a similar situation to Bikkannavar’s to call the British Embassy and arrange for a lawyer. Meanwhile, the U.S. Embassy said “they would need to speak to Washington” on the matter. The results led Cellan-Jones to perhaps consider taking a “burner” phone to the U.S. [BBC.com] [NASA scientist asked by CBP agents to hand over phone containing sensitive info]


WW – Windtalker A Powerful Keystroke Inference Tool: Study

Researchers from Shanghai Jiao Tong University, University of Massachusetts at Boston, and the University of South Florida have released a paper on WindTalker, a “practical keystroke inference framework” that gives hackers the ability to “infer the sensitive keystrokes” on mobile devices through “WiFi-based side-channel information.” The paper, entitled “When CSI Meets Public WiFi: Inferring Your Mobile Phone Password via WiFi Signals,” details the researchers’ case study of the “practicality of the password inference towards Alipay,” ultimately finding that hackers can recover keys with a high rate of success. [Fermat’s Library]

EU – ENISA Provides Guidance for Developing Secure Mobile Devices

The European Network and Information Security Agency updated its previous guidance for developers of smartphone applications. App developers should identify and protect sensitive data on mobile devices (through encryption, verifications, permissions), authenticate users and sessions through password and cryptographic mechanisms, ensure authentication and authorization factors prevent unauthorised access, ensure sensitive data is protected in transit; privacy policies must explicitly notify users of personal data collected, purpose of collection, recipients of data, and data storage and length. [ENISA – Smartphone Secure Development Guidelines]

Smart Cars / IoT

WW – IoT is Expected to Include 8.4B Things This Year, Up 31%

The Internet of Things continues to gather steam. Research firm Gartner Inc. is forecasting that 8.4 billion connected things will be in use worldwide this year, up 31% from 2016, and will reach 20.4 billion by 2020. [see here ] From 2018 onward, cross-industry devices such as those designed for smart buildings will take the lead as connectivity is driven into higher-volume, lower cost devices. In 2020, cross-industry devices will reach 4.4 billion units, Gartner said, while vertical-specific devices will amount to 3.2 billion units. [Information Management]

US – FTC Issues Recommendations to Organisations Engaged in Cross-Device Tracking

The FTC has issued recommendations for cross-device tracking. Cross-device tracking allows companies to associate multiple devices with the same person, allowing advertisers to use the information to target ads to consumers; organizations should offer consumers choices about how their cross-device activity is tracked, truthfully disclose their tracking activities to both consumers and first-party companies, disclose limitations on how opt-outs are applied across devices, and refrain from tracking sensitive information (such as health, financial, children’s, or precise geolocation information). FTC – Cross-Device Tracking

UK – ICO: Ofgem’s Data Metering Plans Have Privacy Problems

The Information Commissioner’s Office has argued that Ofgem’s proposed “mandatory half-hourly settlement” in the U.K.’s new smart metering system violates the company’s data access privacy framework that it created “to govern how smart meter data can be used.” “Mandating half-hourly data be used for settlement directly contradicts that framework, and it is that framework that will have governed the access to consumption data when a large number of consumers will have made the choice to have a smart meter installed,” the ICO said in a response to Ofgem’s consultation on the matter. “Therefore changing the framework to allow for mandatory half-hourly settlement should not be taken lightly.” The ICO added that the DAPF should be amended to include mandatory half-hourly settlement. [Out-Law]


US – Washington Bill Outlines When Use of a Sensing Device Attached to a Drone Would Not Require a Warrant

House Bill 1102, relating to drones, and amending Chapter 9.73 of the Revised Code of Washington, has been introduced in the House and referred to the Committee on Public Safety: A previous version of this Bill was vetoed by the Governor Devices capable of remotely acquiring personal information can be operated without obtaining a warrant if personal information is not intended to be collected (environmental monitoring, surveys), an emergency situation exists that present immediate danger of death or serious physical injury, operation is for training purposes, or for emergency or disaster response; no efforts must be made to identify an individual from information collected, and personal information must be deleted within 30 days [House Bill 1102 – An Act Relating to Technology-Enhanced Government Surveillance – State of Washington]

Telecom / TV

US – Facebook, Manhattan District Attorney Clash Over Privacy

Manhattan District Attorney Cy Vance Jr. has challenged Facebook’s lawyers in New York’s Court of Appeals over the ability to perform bulk seizures of Facebook users’ accounts for criminal investigations. Facebook is attempting to block the move, citing privacy concerns. “The case is being closely watched by both law enforcement and the tech industry to see whether the very definition of search and seizure may have to change for the digital age.” Meanwhile, Washington, D.C., police have subpoenaed Facebook for data from users arrested while protesting President Donald Trump, Mashable | NY Post]

US Government Programs

US – CIA Guidelines Aim to Improve Public Trust in Handling of Citizens’ PI

The Central Intelligence Agency released its Executive Order 12333 Attorney General Procedures in order to improve public understanding and trust of the CIA’s protection of citizens’ personal information. The CIA has imposed restrictions on the querying of their data holdings (i.e. only for its authorized intelligence activities and queries of electronic communication contents require a statement of purpose); inadvertent collections of U.S. electronic surveillance information require limited access and special training. Electronic communications must generally be destroyed within 5 years, and unevaluated information must be destroyed within 25 years; CIA information systems must be designed to facilitate regular auditing of data queries. Release of the Updated Executive Order 12333 Procedures – Central Intelligence Agency Press Release | Statement of the Release | Detailed Overview | Guidelines]

US – CFPB Director May Have Violated Law by Failing to Store Text Messages

The Cause of Action Institute believes Consumer Financial Protection Bureau Director Richard Cordray may have violated federal records laws by failing to store text messages sent from his personal phone. The group states Cordray sent work-related text messages from his cellphone, but did not archive them according to federal regulations. According to federal law, government employees can work through their private devices, as long as all work is properly preserved with their employer. A CFPB spokesperson said all text messages sent between Cordray and CFPB employees were captured by the bureau’s electronic storage system and were produced to the public following a Freedom of Information Act request. The Cause of Action Institute still believes a violation may have occurred, as the text messages were only revealed after follow-up requests were made. [The Hill]

US Legislation

US – Lawmakers Prepare to Overturn FCC Broadband Privacy Rules

Republican lawmakers are preparing to make a legislative move to overturn the Federal Communications Commission’s broadband privacy rules following requests from ISPs to undo the legislation. Sen. Jeff Flake, R-Ariz., said he “plans to introduce a resolution that would roll back the FCC’s broadband privacy rules via the Congressional Review Act (CRA), which allows Congress to eliminate agency rules with a simple majority vote,” according to POLITICO. Flake claims to have several co-sponsors, but did not say when he will submit the resolution. The Chair of the Commerce Committee’s Subcommittee on Communications and Technology, Rep. Marsha Blackburn, R-Tenn., said she was speaking with Senate colleagues on a daily basis to properly use the CRA to revoke the broadband privacy rules. [Ars Technica]

US – Virginia Bill Requires Warrant for Law Enforcement Use of Surveillance Technology

House Bill No. 1657, amending and reenacting sections of the Code of Virginia relating to the Government Data Collection and Dissemination Practices Act, was re-introduced in the Virginia State Assembly: The Bill is referred to the Committee on Militia, Police and Public Safety. Law enforcement agencies are permitted to collect information from license plate readers, provided the information is not held for more than 7 days, not subject to any outside inquiries or internal usage, and purged from the system if it is not being used in an ongoing investigation; the bill prohibits the creation of a personal information system whose existence is secret, and information must not be collected unless the need for it has been clearly established in advance. [House Bill No. 1657 – A Bill to Amend and Reenact Sections of the Code of Virginia Relating to the Government Data Collection and Dissemination Practices Act – General Assembly of Virginia]

US – Nebraska Bill Permits Government Agencies to Use Automatic License Plate Reader Systems for Law Enforcement Purposes

Legislative Bill 93, the Automatic License Plate Reader Privacy Act, is introduced in the Nebraska Legislature and referred to the Judiciary Committee. Captured licence plate data can be used to compare plate data held by agencies for the purpose of identifying outstanding parking or traffic violations, unregistered or uninsured vehicles, or a vehicle registered to the subject of an outstanding warrant, or associated with a missing person; privately held plate data may be processed if it is no more than 14 days old, and subject to a criminal warrant or court order. [Legislative Bill 93 – Automatic License Plate Reader Privacy Act – 105th Legislature of Nebraska]

US – Minnesota Bill Prohibits Online Operators from Using Educational Data for Targeted Advertising to Minors and Students

House File 307, the Student Online Data Protection and Privacy Act, is introduced and referred to the House Education Innovation Policy Committee: The Bill would be effective for the 2017-2018 school year and later. Operators must not use information (including persistent identifiers) created or gathered by the operator’s site to create a student profile, or knowingly allow a third party to use a minor’s personal information to market or advertise products or services to a minor; the operator of a minor-directed service must notify any advertising service it uses that the operator’s service is directed to minors prior to ads being served. [HF 307 – Student Online Data Protection and Privacy Act – Minnesota House of Representatives]

US – Other Privacy News

  • U.S. Rep. Mark Sanford, R-S.C., has introduced a bill reforming the REAL ID Act to include privacy protections such as eliminating document archiving and to allowing states to decide opt out linking their databases nationwide. [Washington Times]
  • New Jersey Gov. Chris Christie has signed legislation making data transparency a requirement for all state agencies and codifying the chief data officer position into state law. [Govtech]
  • A New Mexico Senate Committee passed the Electronic Data Privacy Act, which would require police to obtain a warrant prior to the of stingrays and for accessing electronic communications from service providers. [Big Tenth]
  • Washington state legislators are working on efforts to keep state held data from being shared with the federal government for immigration enforcement or the creation of a Muslim registry. [Seattle Times]
  • The U.S. House of Representatives has once again passed the Email Privacy Act, and now the legislation makes its way to the Senate where it’s expected to continue facing resistance. [Reuters]
  • The Pennsylvania Superior Court has ruled that University of Pittsburgh Medical Center is not responsible for protecting employee data. [SC Magazine]
  • Following conflicting rulings in cases involving Google and Microsoft, cases involving law enforcement access to emails stored on servers outside the U.S. may continue to bounce back and forth until the U.S. Supreme Court makes an ultimate ruling. [Ars Technica]
  • A three-judge panel ruled New Jersey police officers can examine a suspect’s private social media messages without applying for an order under the state’s wiretapping laws. [NJ.com]

Workplace Privacy

US – Sensors Allows Employers to Track Workers Within Office Space

Employers are using sensors to monitor where their employees are within an office space. When used, sensors are often hidden from employees, whether in lights or ID badges. “Most people, when they walk into buildings, don’t even notice them,” said Enlighted CEO Joe Costello, whose company’s sensors are used at more than 350 companies, including 15% of Fortune 500 organizations. Advocates of the sensors say the technology helps create a more efficient work environment by tracking the ways employees move through an office, and to help maximize space. While some employees may feel the technology is invasive, employers ultimately have all the power. “Employers can do any kind of monitoring they want in the workplace that doesn’t involve the bathroom,” said National Workrights Institute President Lewis Maltby. [Bloomberg]





Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: