16-28 February 2017


CA – CRA to Record Fingerprints of Tax Evaders

The Canada Revenue Agency has started to record the fingerprints of every individual charged with tax evasion. “Introducing a mandatory fingerprinting policy would serve as a powerful deterrent to those considering committing a serious tax offence or those who may contemplate reoffending,” an internal CRA memorandum states. “The mobility restriction is an important deterrent, especially for people engaged in offshore tax evasion.” The fingerprints of all accused tax evaders will be stored in the Canadian Police Information Centre database. Nearly 70,000 Canadian police officers have access to the database, as do foreign agencies such as the U.S. Department of Homeland Security. The move could end up affecting foreign travel for individuals who have been accused, but not convicted, of a criminal tax offense. [CBC News]

CA – Parliamentary Press Gallery Pushes Back Against Plan to Fingerprint, Screen Reporters

The parliamentary press gallery is challenging a plan to impose RCMP security screening measures on new members, including fingerprinting for criminal record checks. The proposal from the House of Commons made public today recommends that all new members of the press gallery be subject to mandatory screening to access Parliament Hill, which would include the RCMP running the person’s fingerprints against a database to determine a match with anyone convicted of a criminal offence. The same measures are recommended for MPs’ staff, contractors, volunteers and interns. The proposed changes follow an independent security assessment and an internal audit of physical access to the Parliamentary Precinct carried out in 2015. It concluded that mandatory site access security screening should be conducted for all individuals who regularly access buildings within the Parliamentary Precinct, according to a fact sheet created by the House of Commons. [CBC]

US – Montana May Regulate ‘Faceprints’

A proposed biometric privacy bill in Montana is drawing support from the digital rights group Electronic Frontier Foundation, which argues that new laws are needed to protect people from privacy threats posed by facial recognition technology. “Cameras are increasingly accurate at long distances, and facial recognition algorithms are increasingly able to match images against each other,” the organization wrote in a letter to Montana lawmakers. “Once captured, it is easy for someone to use our biometrics against us.” The potential Montana law (HB 518) would require companies to obtain people’s written permission before collecting, sharing or using biometric identifiers like faceprints, retinal scans and voice patterns. The measure excludes photos from the definition of biometric identifier, unless a company has collected the photos in order to use them as a source of biometric data. The definition means that Facebook and other Web companies would be required to obtain consumers’ consent before applying the kind of software that enables them to create faceprints, according to EFF. Montana isn’t the only state considering new biometric privacy protections. Lawmakers in Alaska, Connecticut, New Hampshire and Washington also have introduced similar measures. To date, only Illinois and Texas have passed laws specifically protecting biometric privacy. The Illinois law has been at the center of class-action privacy complaints against several companies, including Google, Shutterfly and Facebook. The case against Shutterfly has been resolved, but Google and Facebook are still fighting the lawsuits. [MediaPost Policy Blog] Outlines of biometric privacy bills being considered in U.S. states including Alaska, Connecticut, Illinois, Montana, New Hampshire and Washington. legislature is considering a biometric privacy bill similar to that of Illinois. [Find Biometrics]

UK – Police Told to Delete on Request Millions of Images of Innocent People

The home secretary has ordered police forces to delete on request millions of images of innocent people unlawfully retained on a searchable national police database. A Home Office review published this week found that police forces make extensive use of more than 19m pictures and videos, known as custody images, of people they have arrested or questioned on the police national database. Despite a high court ruling in 2012 that keeping images of innocent people was unlawful, police forces have quietly continued to build up a massive database without any of the controls or privacy safeguards that apply to police DNA and fingerprint databases. Renate Samson, of Big Brother Watch, said: “Whilst the opportunity for people to have their custody photo deleted from the database is welcome, we believe they shouldn’t have to ask, it should be an automatic process. The explanation as to why this can’t be done reveals a poorly designed IT system which is impacting innocent people’s right to privacy. A system should be created whereby those who are found to be innocent have their images deleted automatically, as is the case with DNA and fingerprints.” [The Guardian]

IN – India to Share World’s Largest Biometric Database With Tech Firms

The Wall Street Journal reports on India’s efforts to create the world’s largest biometric identity database and share that data with tech companies. The initiative, known as “India Stack,” is designed to standardize the exchange of digital data to help tech firms, health care providers, and app developers transfer official documents to help citizens get jobs, make financial transactions, and access government services, but the database has caught the eye of privacy advocates. “It’s the worst time for privacy policy in the country,” said Centre for Internet and Privacy Executive Director Sunil Abraham. “We are very caught up in technological exuberance. Techno-utopians are ruling the roost.” [The Wall Street Journal]


CA – CSIS Saw ‘No High Privacy Risks’ With Metadata Crunching: Internal Report

The Canadian Security Intelligence Service centre touched off a firestorm late last year when a judge said CSIS had broken the law by keeping and analyzing the digital metadata of innocent people. The ruling also prompted debate about what future role the spy service should have — if any — in using such potentially revealing information in its work. But a privacy impact assessment of the [CSIS] Operational Data Analysis Centre prepared in August 2010 — and secret until now — offered little hint of such concerns. “The assessment process has identified no high privacy risks,” says the 62-page CSIS report. CSIS director Michel Coulombe testified that he hoped the spy service would be in a position within about six months to decide what to do with the associated metadata collected over the 10-year period. [CBC]

CA – US Border Guards Can Ask for Your Passwords

The BC Civil Liberties Association is warning people to think hard before deciding to take cell phones or other electronic devices across the border between Canada and the United States. Even if they have no grounds for suspicion, border guards can ask for them and might arrest a person who refuses to give them the passwords. The charge would be obstruction, but in Canada, such a case would probably violate the Charter of Rights and Freedoms guarantees of privacy, says Micheal Vonn, policy director of the B.C. Civil Liberties Association. In the U.S., there is a document which clearly sets out the policy on border guards’ examination of electronic devices. But in Canada, there is not, and the information has been pieced together through requests under the Access to Information Law. The Canadian Border Services Agency does believe it has the right to ask for passwords. Vonn would like the Canadian government to produce a clear policy for the public and have it reviewed by Canada’s privacy commissioner to ensure it conforms with the constitution. [Listen to the full interview here] [RCINet | Are U.S. border agents allowed to search phones and other devices? | I’ll never bring my phone on an international flight again. Neither should you | If A Border Agent Asks You To Unlock Your Phone, Do You Have To Comply? | A Guide to Getting Past Customs With Your Digital Privacy Intact | A US-born NASA scientist was detained at the border until he unlocked his phone]

CA – Canadian Border Officials Can Search Your Cellphone, Confiscate Your Device

Canada Border Services Agency (CBSA) officers have the right to inspect your device. And if you don’t comply, they might even confiscate your phone. Devices such as cellphones and laptops are classified as “goods,” according to CBSA policy. Under the Customs Act, officers have the authority to examine them as part of a routine examination. The CBSA does not require a warrant, the Office of the Privacy Commissioner of Canada notes, and “Officers may examine devices for photos, files, contacts and other media.” What they do with those files — and whether the CBSA can make a copy of any or all the information found on your phone — is unclear. Travellers are left with few options. Anyone with concerns about their experience during a search at the border can file a complaint with the Office of the Privacy Commissioner. [Global News | Is The Border Safe? US Could Detain Canadians In Canada Under Bill | Pre-clearance bill would give U.S. border agents in Canada new powers | The Canada Border Services Is Getting Authority To Open All Cross-Border Mail | Looking for fentanyl: Should the government be able to open your letters? | Fentanyl fear drives police to push for greater power to search mail]

CA – Bill Letting U.S. Border Guards Detain Canadians Could Face Legal Challenges

A bill [C-23] proposing to bolster the powers American border guards wield in Canada – including the ability to strip search and detain Canadians – could lead to legal challenges against the federal government, immigration experts are warning. Part of a bilateral agreement with the U.S., the bill, when passed, will grant American customs agents the right to carry weapons within Canada, perform body searches and detain – but not arrest – Canadians. It will also allow U.S. agents to force a Canadian in a preclearance area, who has decided not to travel to the U.S., to stay in the area for questioning. Right now, that same traveller has the right to simply turn around and leave the area without action or consequence. Howard Greenberg, an immigration lawyer in Toronto, agrees the bill could be open to court challenges. [GlobalNews]

CA – British Columbia Privacy Commissioner Investigating Vigilante Group

The Office of the Information and Privacy Commissioner for British Columbia is investigating the controversial vigilante group, Surrey Creep Catchers. Creep Catchers is a group of organizations across Canada that aim to expose people they claim are sexual predators by posing as minors online, then setting up meetings in person to shame their targets. The group was allegedly involved in an incident involving an RCMP officer who was arrested and charged for attempting to meet an underage child. Law enforcement agencies have voiced their concerns about the groups, stating citizens could be in danger if a potential child predator was confronted in public. [CBC News]

CA – Privacy Issues Still Not Fixed on Gov’t Computers: B.C. Auditor General

A 2015 audit found the social work case management system did not adequately protect personal info. B.C.’s auditor general says the government has made progress in addressing potential privacy issues with a problematic computer system, but there’s still work to be done. Carol Bellringer’s office first audited the $182-million Integrated Case Management System in 2015 and found it was incomplete and did not protect sensitive personal information. The system, used by the Ministry of Social Development and Social Innovation, dates back to 2008 and was meant to replace outdated computer systems used to deliver social programs including child protection, child-care subsidies and income assistance. [The Canadian Press]

CA – OPC Canada Identifies Best Options for VPN Access to Corporate Info

The Office of the Privacy Commissioner of Canada analyses what to look for when choosing between different Virtual Private Network services. IPsec is an end-to-end security protocol (the data is only meant to be accessible by the device and the server that is being tunneled to), and SSL/TLS provides highly encrypted communications by relying on the same key exchange standards as HTTPS-secured websites (provided the software has been properly patched if based on open source software libraries). PPTP is an older method that is no longer recommended, as it possesses a range of vulnerabilities that undermine the security and authentication process. [OPC Canada – Privacy Tech-Know Blog: The actual privacy benefits of virtual private networks | Make sure your VPN is setup correctly using a DNS Leak Tool | How to use a VPN: How to set up a VPN for secure, private browsing & access to blocked content | VPN and Maintaining Corporate Privacy]

CA – Alberta Court Refuses to Accept Photos from Locked Mobile Phone into Evidence

The Court considered the Crown’s application to enter photos from a locked mobile device into a main voir dire. Law enforcement failed to meet the standards of the Supreme Court’s decision in Fearon when determining what use to make of notifications displayed on a seized cellphone; the fact that an individual cellphone owner has locked the device but allowed notification of incoming communications to be displayed on the screen does not mean that the owner has waived his right to privacy, and the police failed to record what they did with the cellphone. [Her Majesty the Queen v. Trevor Leigh Millett – 2017 ABQB 9 – Court of Queen’s Bench of Alberta]

CA – Superior Court of Québec Authorizes Privacy Class Action in Zuckerman v. Target Corporation

Privacy class actions triggered by data breaches are growing in popularity in Canada, with more than 30 of them pending throughout the country. While none of these cases have yet been heard on their merits, some are being certified or authorized. In Québec, there are at least seven privacy class actions before the courts. The Superior Court of Québec recently rendered judgment on a motion to authorize a privacy class action in Zuckerman v. Target Corporation, in which the petitioner alleged damages as a result of a data breach involving an estimated 40 million credit and debit cards, as well as the personal information of up to 70 million customers. This case provides a number of takeaways for businesses on how to manage privacy breaches. [Mondaq]

CA – Secrecy Often Chokes Off Public Information from Tribunal Hearings

At a public hearing of the Ontario Labour Relations Board, lots of personal information, including names and employment history, is said out in the open. All of this can be reported by the media. But trying to access the same documents that are relied upon in those hearings is an entirely different matter. Case in point: Toronto Star reporters had been researching [Laborers’ International Union of North America (LiUNA) and its Local 183], including possible connections with organized crime. But their quest for documents [from the Ontario Labour Relations Board] that were filed at a public hearing turned into a legal and bureaucratic nightmare, and ultimately sparked the Star’s much broader legal challenge launched last week against secrecy in Ontario’s tribunals. The tribunal system was created to take cases out of the overcrowded court system, and into a more efficient process. But as mentioned in an editor’s note published last week when the Star launched its legal challenge, “tribunals appear, on the surface, no different than traditional courts — with adjudicators, hearing rooms, dockets and generally open hearings — but they depart dramatically from open court rules when it comes to providing records.” [The Star]


US – New CDT Study Examines Data-Deletion ‘Disconnect’

The Center for Democracy and Technology’s new research paper, “Should it stay or should it go? The legal, policy, and technical landscape around data deletion,” examines the “disconnect” between how companies delete data and how consumers understand what deletion means, the CDT’s Michelle De Mooy writes. While some companies have in the past viewed data removal as unfathomable, embracing the practice now could improve data quality. “As the novelty of big data wears off, companies are faced with enormous data holdings that present huge risks and high costs for them and their customers,” she says. “Not only do huge data stores generate costs and liability, they damage customer trust and loyalty, and make it much harder to find the data diamonds among the slurry.” [CDT.org]


AU – Rogue Public Servants Stealing Information to Use in Court Cases

Rogue public servants are snooping on people’s private lives and stealing information to use in court cases and neighbourhood disputes. Bureaucrats have accessed confidential databases to pay their own parking fines and road tolls using other people’s names and addresses, the state’s privacy watchdog revealed yesterday. Australian Privacy Commissioner Elizabeth Coombs warned gaps in privacy laws let nosy public servants and government contractors get away with shocking invasions of privacy. She wants to let victims sue individual workers, as well as government agencies. In a new report to state parliament, Dr Coombs revealed personal information had been accessed and leaked for neighbourhood disputes and court cases, while health information had been stolen to use in family law cases or inheritance disputes. Dr Coombs wants the state government to give victims the right to lodge complaints against government agencies and private companies — as well as the employee who stole or leaked data. Dr Coombs said government agencies and private businesses were not required to report data breaches but had voluntarily notified her office of 50 violations in the past seven months. She said notifications had almost doubled in each of the past three years. [The Daily Telegraph]


US – 25% of Healthcare Orgs Not Encrypting Patient Data in Cloud

While more healthcare organizations are considering some form of cloud computing, they might be putting sensitive information at risk by failing to encrypt patient data, according to a recent survey. HyTrust found that even though healthcare entities list security as a top concern in cloud migration, 25% that are already utilizing the public cloud report that they are not encrypting patient data. Even with the lack of encryption, 82% of those surveyed said that security was their top concern. The Department of Health and Human Services (HHS) released updated HIPAA cloud computing guidance toward the end of 2016. The goal was to assist covered entities, business associates, and cloud service providers (CSPs) in understanding how to properly utilize cloud computing while still remaining HIPAA compliant. The agency added that covered entities and business associates can also store or process ePHI in a cloud service. The guidance also did not specifically require encryption for cloud computing, but it noted that it can significantly reduce the risk of data exposure. [HealthIT Security]

WW – Cellebrite Announces Product That Can Crack Locked Phones

Cellebrite has announced its Advanced Investigative Service tool can “unlock and extract” locked iPhones’ full file system, including those from the 6 and the 6+. “These capabilities dramatically increase law enforcement’s ability to access critical digital evidence and solve cases faster, by providing forensically sound access and extraction capabilities not found anywhere else in the industry,” the company said. “Furthermore, we now make the world’s first ‘decrypted physical extraction’ capability a reality for key iPhone and Samsung Android devices.” Their announcement comes a little over a year after Apple and the FBI’s clash over decrypting the San Bernardino shooter’s locked iPhone, which the agency was able to eventually do without the help of Apple. Meanwhile, the Princeton University Center for Information Technology Policy’s Edward Felten has released a paper called “Nuts and Bolts of Encryption: A Primer for Policymakers.” [CyberScoop]

EU Developments

EU – WP29 Releases Privacy Shield Rules of Procedure and Complaint Form

The Article 29 Working Party has released two forms related to the EU-U.S. Privacy Shield agreement. The rules of procedure for the “Informal Panel of EU DPAs” provide a road map for handling complaints under Shield. “The panel is competent for providing binding advice to the US organisations following unresolved complaints from individuals about the handling of personal information that has been transferred from” the EU under Shield. According to the document, the panel will attempt to provide advice for a complaint within 60 days after receipt. The group also released a form for submitting commercial-related complaints to EU DPAs. Though the use of the form “remains optional,” the document requests all of the necessary data for completing a request. In related news, the high stakes Facebook-Ireland court case continues. A lawyer for Facebook argued the EU would face an “enormous” crisis if it does not trade with countries that do not match its data-protection standards. [Irish Times]

EU – Article 29 Working Party Still Concerned With Windows 10 Privacy Settings

The Article 29 Working Party is still expressing concerns about the privacy settings within Microsoft’s Windows 10 operating system. The Working Party’s questions come a year after the group wrote to Microsoft voicing concerns with Windows 10’s default installation settings. “In light of the above, which are separate to the results of ongoing inquiries at a national level, even considering the proposed changes to Windows 10, the Working Party remains concerned about the level of protection of users’ personal data,” the group said in a statement. The group said it is still unclear to what extent users will be informed about the specific data Microsoft will collect, despite the changes to the installation process. However, the group also said Microsoft has been cooperative, and in January, Microsoft announced a new web-based privacy dashboard for users to see and control what data is collected about them. [Reuters]

UK – Privacy Office to Issue Consent Standard Guidance

The U.K. privacy office will issue guidance for companies on obtaining consent from consumers to use their data. In order to be legally sufficient, consent “will need to be freely given, specific, informed and unambiguous, and businesses will need to be able to prove they have it if they rely on it for processing data.” A check-the-box approach won’t be sufficient to show valid consent. The ICO also plans to publish GDPR-relevant guidance on individual profiling once the Article 29 Working Party of data protection officials from the 28 EU countries has completed updating its profiling guidance. [BNA]

EU – Other Privacy News

  • Security Intelligence reports the U.K. Home Office has stalled data collection plans under the new Investigatory Powers law after a European Court of Justice ruling. [Ars Technica]
  • The Article 29 Working Party has released two forms related to the EU-U.S. Privacy Shield agreement: the rules of procedure for the “Informal Panel of EU DPAs” and a form for submitting commercial-related complaints to EU DPAs.
  • European Data Protection Supervisor Giovanni Buttarelli outlined his agency’s top three strategic areas of importance for 2017. [More]
  • The Article 29 Working Party announced that it will publish amended guidelines for the DPO, lead authority and data portability provisions of the General Data Protection Regulation by April at the latest. [More]

Facts & Stats

US – Survey: 26% of US Consumers Had Health Care Data Compromised

An Accenture survey found 26% of 2,000 U.S. consumers have had their health care information exposed in a data breach. Of those compromised, 36 percent said it happened at a hospital, with 22 percent stating the breach occurred either at an urgent care clinic or a pharmacy. The study found half the victims detected the breach on their own, normally through anomalies on their credit card statements. Only a third of the victims were alerted by the organization suffering the attack. Accenture’s health practice Managing Director of Cybersecurity Reza Chapman said, “Not only do health organizations need to stay vigilant in safeguarding personal information, they need to build a foundation of digital trust with patients to help weather the storm of a breach.” [SC Magazine]

US – One in Four U.S. Consumers Victim of Healthcare Data Breach: Accenture

Just over one in four U.S. consumers (26%) have had their personal medical information stolen from technology systems, according to results of a survey from Accenture released on Monday. The survey polled 7,580 consumers aged 18+ to assess their attitudes toward healthcare data, digital trust, roles and responsibilities, data sharing and breaches. The online poll included consumers across seven countries: Australia, Brazil, England, Norway, Saudi Arabia, Singapore and the U.S. The survey was conducted by Nielsen on behalf of Accenture. In the U.S., half (50%) of 2,000 consumers polled who experienced a breach were victims of medical identity theft and had to pay approximately US$2,500 in out-of-pocket costs per incident, on average, Accenture said in a press release. [Canadian Underwriter]


US – Digital Copyright Holders Want US ISPs to Filter Out Pirated Content

The Recording Industry Association of America (RIAA) and other digital copyright groups are asking U.S. legislators to require Internet service providers (ISPs) to filter out pirated content. Currently, the Digital Millennium Copyright Act (DMCA) offers ISPs safe harbor as long as they remove identified pirated content “expeditiously.” The groups say that the current DMCA notice-and-takedown process is “burdensome – and ultimately ineffective.” [Forget DMCA takedowns – RIAA wants ISPs to filter for pirated content | RIAA, Other Copyright Holder Want ISPs to Introduce Piracy Filters]


EU – European Supervisory Authorities Issue Joint Discussion Paper on the Use of Big Data by Financial Institutions

The European Securities and Markets Authority, European Banking Authority and European Insurance and Occupational Pensions Authority have issued a joint discussion paper on the use of big data by financial institutions. Comments must be submitted by March 17, 2017. Under the forthcoming GDPR, organisations will need to acknowledge the wide range of rights that will be afforded to consumers by implementing mechanisms to comply with a request for human intervention in profiling, and objection to a decision based on profiling, or profiling for direct marketing purposes. Financial institutions must implement appropriate technical and organisational measures at the time the processing system is designed, and during the data processing. [ESMA, EBA and EIOPA – Joint Committee Discussion Paper on The Use of Big Data By Financial Institutions]


CA – OIPC AB Slams Government for Poor State of Freedom of Information

Alberta’s information and privacy commissioner says the government of Premier Rachel Notley needs a top-down culture change to address a “lack of respect” for freedom of information. In the preface to one of two scathing investigation reports issued Thursday, Commissioner Jill Clayton said the investigations uncovered a troubling attitude toward freedom of information (FOIP). For years, delays in processing these requests have grown steadily worse. Last year, Clayton ordered investigations into delays in processing FOIP requests from the Wildrose Party by Alberta Justice and Solicitor General, the Public Affairs Bureau, and Executive Council, which includes the premier’s office. The investigations by senior information and privacy manager Catherine Taylor found a main factor in the delays was simply the unwillingness of program areas to respond to requests for records from FOIP staff within the legislated timeframes. Taylor said she heard from FOIP staff that one contributing factor to the delays was “a lack of respect for the FOIP Act itself across pockets of the (Government of Alberta).” [CBC | Alberta privacy commissioner blasts government for ‘lack of respect for the FOIP Act itself’ | Alberta Education using FOIP laws to ‘prevent disclosure’: privacy expert | Alberta Justice hires Ontario lawyer to represent ministry in FOIP investigation | Waits for access to information get longer in Alberta, report finds | Access to information in Alberta nearing ‘crisis situation,’ FOIP commissioner says | Alberta MLA says request for documents detailing opioid deaths was rejected | Reality of Right to Know Week in Alberta is grim | Opinion: Citizens have the right to know what governments know about them | Calgary presses ahead with ‘Orwellian’ freedom of information policy draft]

US – EPIC Handed FBI’s PIAs and Threshold Analyses in FOIA Request

The Electronic Privacy Information Center was handed two legal victories involving public access to the FBI’s record-keeping systems and their impact on privacy. EPIC originally filed the Freedom of Information Act requests in 2014 seeking the FBI’s privacy impact assessments and privacy threshold analyses of its databases containing personal information. The agency handed EPIC approximately 2,200 “heavily” redacted pages, on grounds they involved sensitive investigatory data. But in an “unusual” ruling Tuesday, U.S. District Court Judge Amit Mehta said the FBI failed to demonstrate the redacted information met a threshold test for exemption. The legal victory for EPIC, however, may be short-lived, as Mehta will give the agency and Justice Department attorneys another chance to defend the redactions. [Politico]


CA – Does This Genetic Testing Bill Threaten The Insurance Industry?

Bill S-201, the Genetic Non-Discrimination Act, seeks to revise the Canada Labour Code and the Canadian Human Rights Act to make it illegal for employers, insurance companies and anyone else entering into a contract or providing goods or services to require anyone to undergo genetic testing or to disclose the results of a genetic test. The insurance industry, however, disagrees with the bill. It argues the legislation would impede Canadians’ access to insurance and severely compromise the industry’s viability. Others argue that the bill’s potential impact is much less: the Office of the Privacy Commissioner of Canada, citing 2011 and 2012 studies, has concluded the legislation “would not have significant adverse impact on the viability of the life and health insurance industry,” and that premiums would likely rise about three per cent overall, an increase the industry could absorb. [Benefits Canada | Life insurers’ new genetic test policy called an 11th-hour stalling attempt | Canadian insurance industry pens rules on use of genetic test results | Genetic discrimination private member’s bill pits Grit backbenchers against cabinet | Canada: Genetic Discrimination And Canadian Law | Genetic testing bill perpetuates myths and fears]

Health / Medical

US – $5.5M HIPAA Fine Shows Importance of Audit

Memorial Healthcare System, of Hollywood, Florida, has settled with the U.S. Department of Health and Human Services for $5.5 million following a HIPAA violation. It must also institute “a robust corrective action plan.” While Memorial did have access control policies in place, a former employee of an affiliated physician’s office was still able to access protected health information repeatedly, without detection, for a year, affecting 80,000 individuals. Acting HHS Office for Civil Rights Director Robinsue Frohboese said the settlement shows “organizations must implement audit controls and review audit logs regularly.” [HHS.gov]

Horror Stories

WW – Breach of Smart Teddy Bear Data Leaks 800,000 Users’ Info

Smart toy manufacturer Spiral Toys’ CloudPets database of 800,000 customer credentials and more than two million users’ messages was stored for a little over two weeks on an unsecured server and discovered by security researchers and potentially hackers. Researchers said that the exposed data has been overwritten twice. However, the company has not yet publicly disclosed the breach or notified victims. “They were very irresponsible because they had to know about this,” GDI Foundation’s Victor Gevers said. “People make mistakes. It’s the action that follows up which defines your character. Handling serious data leaks like this proves a lack of the right personality and then you should not be in this industry or in any in which you are responsible for such data.” [Motherboard]

Identity Issues

US – NY Bill Restricts Unlawful Use of a Driver’s License or Identification Card

S00271, relating to the unlawful use of a New York driver’s license or identification card, and amending the General Business Law, has been introduced in the New York Senate and referred to the Consumer Protection Committee. The act will take effect immediately upon being passed. An individual’s driver’s license or identification card may be scanned to verify the identity of an individual making a purchase or returning or exchanging an item, prevent fraud, or transmit information to a consumer reporting agency, financial institution, or debt collector; unlawful collection and use of a license or identification card is punishable by a civil penalty of not more than $1,000. [Bill S00271 – Unlawful Use of a New York Driver’s License or Identification Card]

US – Philly’s Municipal-ID Plan on Ice Over Privacy Concerns

When Mayor Kenney committed to launching a municipal ID program, he argued that having a photo identification card would improve the lives of undocumented immigrants living in the shadows. A year later, his plans are on hold amid concerns that the program could actually put undocumented immigrants at risk. The programs have always faced controversy. Some critics see the cards as a stealth path to legal status for undocumented immigrants. Even some immigration advocates have opposed the efforts. The New York Civil Liberties Union did not endorse the municipal ID card there, saying the city had not done enough to protect application documents from being used by law enforcement. That issue is now being tested [in an] ongoing fight in New York over the applications of nearly a million people issued municipal ID cards in the last two years. A judge recently blocked Mayor Bill de Blasio’s attempts to destroy the personal information on those applications. A bill introduced to the state Senate goes one step further, requiring the city to hand over the information to the U.S. Department of Homeland Security. Philadelphia officials are watching cautiously. [Philly.com]

WW – Researchers De-Anonymise Your Web Surfing Using Twitter Handles

Researchers have found a way to de-anonymise web surfing records. What if you could deduce a person’s identity by matching their anonymous web surfing with their social media timeline? What if, instead of a customer ID, you could replace it with their Twitter handle? Academics from Stanford and Princeton have done just that. Their research relies on the idea that people are more likely to follow links showing up on their social media feed, and in particular the links from people they follow on Twitter that show up in their feed. They reasoned that because the set of links in a Twitter feed is often unique, you can match it against links in an anonymous surfing history. The researchers found that they could identify more than 70% of volunteers on average. This isn’t just a theoretical exercise. The team built a system to de-anonymise web browsing histories in under a minute using the concept, proving that it’s workable in practice. Who else might use this information? The NSA, for one. It already tracks Google ads to find Tor users. The research points out that well-resourced adversaries could eavesdrop on network traffic to work out which domains a particular device is visiting (although thankfully HTTPS makes that more difficult). How can you stop this from happening? Tracker-blockers such as Ghostery, uBlock Origin or Privacy Badger can help, the researchers say, while not revealing your real-world identity on social media profiles is a useful albeit cumbersome form of protection. Given the recent actions of US border guards, the latter might be a good idea anyway. [NakedSecurity]

CA – New Online Survey Platform Complies With Canadian Privacy Laws

Surveypal, a San Francisco, Calif.-based online survey platform, has launched a business-level survey solution designed to be compliant with Canada’s Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs how organizations in the country collect, use and disclose personal information while doing business. In order to be compliant with these privacy regulations, all data collected by both public and private organizations must be stored within Canadian borders. Surveypal’s new data servers in Toronto guarantee that Canadian government agencies and businesses can collect data safely and legally. [ITWorld]

Internet / WWW

EU – ENISA Issues Guidelines for Digital Service Providers on Minimum Security Measures

The European Union Agency for Network and Information Security (“ENISA”) issues security guidance for digital service providers. Cloud providers, online market places and search engines are provided with 27 security objectives (e.g., information security policy, change management, and monitoring and logging), broken down by industry standard and state-of-the-art security measures to be implemented; by conforming to these security objectives, digital service providers will comply with ISO27001, BSI C5, CoBiT, NIST guidance and PCI-DSS, among other security frameworks. [ENISA – Technical Guidelines for the Implementation of Minimum Security Measures for Digital Service Providers]

WW – Cloudflare Bug Exposes Private Data

A bug discovered in Cloudflare’s software earlier in February accidentally exposed data like private messages on dating sites, frames from adult sites, and hotel bookings. “Unfortunately, it was the ancient piece of software that contained a latent security problem and that problem only showed up as we were in the process of migrating away from it,” said Cloudflare Chief Operating Officer John Graham-Cumming. The company has since fixed the issue, and Graham-Cumming said he wasn’t worried that the exposed data was misused. “I am not changing any of my passwords,” he said. “I think the probability that somebody saw something is so low it’s not something I am concerned about.” [BBC News]

Law Enforcement

US – Federal Court: Cops Can’t Just Walk Into a Building and Force Unlock iPhones With Fingerprints

Earlier this year, FORBES revealed a search warrant that allowed police to walk into a building and unlock all phones inside that could be opened with a fingerprint, including iPhones with Apple’s famous TouchID feature. Not long after, multiple other warrants allowing similar access were uncovered. At the time, lawyers declared the warrants overly broad. And now, in what may be a landmark decision, a federal court in Illinois has determined that feds could not proceed with such a search, saying the government needed to be more specific about the devices and data they wanted. [see here] Judge M. David Weisman wrote: “This Court agrees that the context in which fingerprints are taken, and not the fingerprints themselves, can raise concerns under the Fourth Amendment. In the instant case, the government is seeking the authority to seize any individual at the subject premises and force the application of their fingerprints as directed by government agents. Based on the facts presented in the application, the Court does not believe such Fourth Amendment intrusions are justified based on the facts articulated.” He raised Fifth Amendment issues around self-incrimination too. Previously, courts had argued that fingerprints were not testimonial as they did not constitute a form of communication, so Fifth Amendment protections didn’t apply.
“with a touch of a finger, a suspect is testifying that he or she has accessed the phone before, at a minimum, to set up the fingerprint password capabilities, and that he or she currently has some level of control over or relatively significant connection to the phone and its contents.” [Forbes | Judge: No, feds can’t nab all Apple devices and try everyone’s fingerprints | Minnesota court on the Fifth Amendment and compelling fingerprints to unlock a phone | Court rules against man who was forced to fingerprint-unlock his phone | Here’s Why Feds Are Winning The Fight To Grab iPhone Passcodes And Fingerprints | Cops Could Force Google Pixel Users To Voice-Unlock Their Phones | Feds Walk Into A Building, Demand Everyone’s Fingerprints To Open Phones | How the Feds Justify Collecting Fingerprints to Unlock Everyone’s Phones | Can warrants for digital evidence also require fingerprints to unlock phones? | For the First Time, Federal Judge Says Suspect Must Use Fingerprint to Unlock Smartphone | Search Warrants Could Force You to Unlock Your iPhone via Touch ID ]

UK – Proposed Legislation Would Allow Justice Secretary to Order the Use of IMSI Catchers Around Prisons

Legislation introduced in British Parliament would allow the use of IMSI catchers, or cell-site simulators, around prisons. The Justice Secretary would have the authority to order mobile networks to deploy the technology near prisons to prevent, detect, or investigate the use of mobile phones in prisons. Currently, the technology can be used only within prison walls and must be commissioned by prison governors. [New prison law will let mobile networks deploy IMSI catchers | New bill to allow prisons to deploy IMSI catchers outside of prisons ]


US – Legislators Introduce Bills to Curtail Access to Geolocation Data Without a Warrant

Bills introduced in the U.S. House and Senate aim to establish rules regarding law enforcement agencies’ access to geolocation data. The Senate’s Geolocation Privacy and Surveillance Act would establish rules for when law enforcement agencies may access geolocation data. The House’s Cell Location Privacy Act of 2017 would require law enforcement to obtain a warrant prior to the use of cell-site simulators with exceptions for certain emergencies. [Proposed federal law demands probable-cause warrants for geolocation data | Legislation revived to curb warrantless geolocation tracking ]

Online Privacy

WW – Goodbye Privacy, Hello Personalisation

A new study of Millennials across four countries suggests that the future of digital devices, apps and services is going to be personal, public and artificially intelligent. Top of the list is greater personalization. Nearly 60% of respondents said they’d be happy to pay for services that exactly reflect their needs, and 71% said they’d be willing to sacrifice data anonymity in return for it. Taking customisation a step further, 53% of those polled said that they’d be willing to pay for a mobile service that doubled as a personal assistant or concierge service. Four-in-ten also want such services to be intuitive — whether it be setting up and inviting people to a meeting or automatically posting certain types of content to social media for instance. That level of intuition is only possible via artificial intelligence. [AFP Relaxnews]

Open Government

US – Harvard Issues Privacy Guide for Cities and Open Data Initiatives

For any city, open data is a double-edged sword; the most useful information can also be the most sensitive. To help officials balance the risks and benefits, researchers at Harvard University have created a playbook for open data, complete with best practices, examples of what has and hasn’t worked so far, and a thorough checklist of what to consider when embarking on a new data project. The playbook makes four main recommendations for technology officers in the municipal government, and each is broken down into “here’s what you need to know, here’s what you need to do, and then here’s how you do it.”

  1. Find the balance between risk and value: Zero risk is impossible. But according to the researchers, the trick is to find a level of risk that officials and the public are willing to accept. That can be done by conducting thorough risk-benefit analysis before designing any data sharing program. In determining the value, the key question to ask is who will use the data, who benefits from it, and how.
  2. Consider privacy at each stage of the data lifecycle: That lifecycle includes data collection, maintenance, release, and retirement—when unpublished data should be removed because it’s no longer relevant. It’s typical for cities to think about privacy only when data is about to be released, but those concerns should be considered at the very first stage.
  3. Develop a structure for privacy management: “The harder challenge is developing the internal and operational expertise, and valuing protecting privacy as an essential component of open data program.” The researchers call for cities to develop their own privacy standards and establish a formal process for releasing data.
  4. Keep the public informed: Nearly 80% of Americans are concerned about government surveillance, according to Pew surveys cited in the report. So the researchers stress the need for cities to engage the public, to earn its support by showing how open data has benefited the city and gaining trust by being transparent about the entire process. [citylab.com]

Privacy (US)

US – Sen. Wyden to Introduce Legislation Limiting Phone Searches at Border

“I intend to introduce legislation shortly that will guarantee that the Fourth Amendment is respected at the border by requiring law enforcement agencies to obtain a warrant before searching devices, and prohibiting the practice of forcing travelers to reveal their online account passwords,” Wyden wrote in a letter [see here ] to Department of Homeland Security Secretary John Kelly, condemning the practice. Wyden’s letter also requests that Kelly respond to questions about the legal authority and frequency of such searches by March 20, 2017. [Meritalk | Wyden objects to DHS password collection plan | Sen. Wyden Calls for Warrants for Tech Searches on the Border | A US-born NASA scientist was detained at the border until he unlocked his phone | Complaints Describe Border Agents Interrogating Muslim Americans, Asking for Social Media Accounts | Will US border officials demand social network handles from visitors? | Wyden Pushes for Warrants for Phone Searches at US Border ]

WW – What Makes A Great DPA?

The global population of privacy and data protection regulators is understandably diverse. Some data protection agencies are still in their infancy, established by brand-new laws. Others have robust histories of enforcement and deep, experienced staffs. But what makes a regulatory agency effective? Is it experience, approach, philosophy, the law that creates it? Such are the questions explored in a new report authored by the U.S. Chamber of Commerce and Hunton & Williams, “Seeking Solutions: Attributes of Effective Data Protection Authorities.” The 40-page white paper identifies seven key traits that effective DPAs share and offers examples of how those traits play out in the real world. [Full Story]


WW – Samsung Warns Customers Not To Discuss Personal Information in Front of Smart TVs

Samsung has confirmed that its “smart TV” sets are listening to customers’ every word, and the company is warning customers not to speak about personal information while near the TV sets. The company revealed that the voice activation feature on its smart TVs will capture all nearby conversations. The TV sets can share the information, including sensitive data, with Samsung as well as third-party services. The news comes after discovery of a troubling line in Samsung’s privacy policy: “Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party.” Samsung has now issued a new statement clarifying how the voice activation feature works. The company added that it does not retain or sell the voice data, but it didn’t name the third party that translates users’ speech. [The Week]


CA – CSA Publishes Expectations for Cyber Security Risk Disclosure

The results of the Canadian Securities Administrators’ (CSA) review of the cyber security risk disclosure of S&P/TSX Composite issuers were recently reported by the Autorité des marchés financiers, the Ontario Securities Commission and the B.C. Securities Commission in CSA Multilateral Staff Notice 51-347 (the Notice). Focused particularly on risk factor disclosure and disclosure of cyber security incidents, the CSA’s review follows last year’s publication of CSA Staff Notice 11-332 Cyber Security, which reiterated that cybersecurity would continue to be one of the CSA’s priorities through 2019. With respect to risk factor disclosure, the CSA focused on three topics: 1) the disclosure of the risk itself; 2) the disclosure of potential impacts of a cyber security incident; and, 3) the disclosure of governance practices and cyber security risk mitigation. [Canadian Securities Law] New York’s mandated cybersecurity regulations for banking and financial services are set to go into effect March 1. [SC Magazine]

US – Data-Related Jobs See Huge Growth in January Hirings

The information technology sector added 1,200 data-related jobs in January, more than four times the average monthly gain for all of 2016. “An analysis of U.S. employment numbers by the Bureau of Labor Statistics reveals a net increase of 7,000 information technology jobs in January 2017 across four industry job segments commonly associated with technology professionals.” Those four job segments are: 1) Management/technical consulting services; 2) Computer systems design/related services; 3) Telecommunications; and, 4) Data processing/hosting/related. [Source]

US – Less Than 25% of Cybersecurity Job Applicants Are Qualified

According to a report from ISACA, fewer than 25% of applicants for cybersecurity positions are qualified for the job. More than half of available positions take from three to six months to fill. The report notes that hands-on experience is more important than training. [Fewer Than One Fourth Of Cybersecurity Job Candidates Are Qualified | Growing security skills gap raising fears of cyberattacks]

CA – 50% of Canadian Executives Say Their Businesses Were Hacked Last Year

A new survey [see here ], conducted by Ipsos Canada found that nearly 60% of Canadian small business owners and C-suite executives either suspect or know for certain they were the victims of an external cyberattack during the last year, with 50% of C-suite executives indicating that they know for certain that their company experienced a breach. An additional three in 10 suspected their company was the victim of a breach in the past year, but didn’t know for certain. And despite the overwhelming evidence indicating otherwise, eight executives in 10 reported being confident in their business’s ability to prevent an external hacking attempt, while 93% of survey respondents indicated confidence in their ability to protect customer data. [ITWorld | Canadian infosec pros still too confident they can protect enterprise, says Accenture ]

Smart Cars

US – Privacy Makes IoT Toy Innovation Difficult, Say Developers

Smart toy developers must walk a “fine line” between technological innovation, protecting children’s privacy, and complying with the laws that regulate it. For many toymakers, privacy considerations are a considerable roadblock. “To take smart toys to the next level of engagement and give kids what they want, you have to take data and create an engaging experience that’s connected to their friends and based on their persona,” said Dynepic CEO Krissa Watry. She added that requirements for children’s privacy in the tech sphere were a “massive burden for toy companies.” She’s not alone. “Companies have been moving cautiously when it comes to smart toys because children’s privacy gets a great deal of scrutiny.” [CNet ]

US – Used Connected Cars Pose Security Risk: RSA

IBM’s Charles Henderson told an audience at the RSA Security Conference in San Francisco how he was able to remotely access systems on a car he had traded in several years earlier. Even though Henderson did a factory reset to remove all personal data from the car before he sold it, the car remained connected to the app on his phone. Even when the app is deleted from a phone, information still in the cloud is not as simple to delete. [Connected car in the second-hand lot? Don’t buy it if you’re not hack-savvy | Warning on used on cars failing to forget old owners | IBM Reveals Security Risks to owners of Previously Owned IoT Devices | Android Phone Hacks Could Unlock Millions of Cars | Android apps create theft risk ]


US – Judge: FBI’s NIT Warrant Invalid, IP Addresses Have Expectation of Privacy, But No Suppression Granted

Thanks to the FBI’s one-to-many NIT [Network Investigative Technique see here] warrant, which was issued in Virginia but reached thousands of computers all over the world, yet another federal judge is dealing with the fallout of the feds’ efficiency. Michigan federal judge Thomas Ludington finds plenty he doesn’t like about the FBI’s malware and the DOJ’s defense of it, but still can’t quite find enough to warrant suppression of the evidence [PDF link]. That being said, the opinion does offer plenty of counters to the DOJ’s legal rationale. The court, like others, finds the FBI exceeded the jurisdictional limitations of Rule 41 [see here ] and no amount of creative phrasing is going to change that. In the future, the FBI won’t have to deal with nearly as many suppression hearings, thanks to changes to Rule 41. These decisions are becoming relics of statutorial limitations almost as soon as they’re issued. Even if courts find the malware deployment to be a search invasive enough to trigger Fourth Amendment protections, the lack of jurisdictional limits going forward will prevent them from being challenged. [Techdirt | Firefox users left feeling vulnerable as judge keeps Tor hack under wraps | Privacy Watchdogs Vow to Fight ‘Dystopian’ Rule 41 | This rule change just made it easier for the government to hack you, wherever you are]

UK – Cameras in Classrooms: Invasion of Privacy or Future of Teaching?

In a world-first, two British schools are trialling body-worn video cameras for teachers, triggering outrage among privacy campaigners. For their part the teachers have been kitted out with cameras that can be activated at the touch of a button to record “incidents” or bad behaviour among pupils in class. Footage is then securely stored online for a month, before being deleted. Privacy campaigners are already rallying against the cameras as yet another intrusion. However, surveillance has been shown to be effective in policing. Over 20,000 body-worn cameras have been given to Met police across London, with thousands more being rolled out across the UK. “We’ve noticed huge drops in complaints against police officers, because people knew their actions are recorded, people generally calm down quicker and become more apologetic because of the cameras… We’re expecting to see similar outcomes in education.” [The Memo]

Telecom / TV

WW – Mobile-Based Spyware for Consumers Is Powerful and Cheap

A Motherboard reporter tested spyware software that uses an SMS message to access the user’s camera, GPS and microphone, allowing the spy to hear the conversation of the person being surveilled. These types of software are easily available for both iPhone and Android users for $170 or less. These products are vastly unregulated and “can be extremely potent.” While governments use similar malware, this “consumer spyware is not marketed to governments. Instead, many of the companies explicitly gear products toward jealous lovers — especially men — who want to monitor their spouses.” [Motherboard]

US Government Programs

US – Homeland Security’s New Privacy Review Process to Tighten Programs

The Department of Homeland Security has issued an official policy on its new Privacy Compliance Review process, which aims to help improve the agency’s methods for documenting compliance efforts and their efficacy. A PCR might be used, for example, to revisit an already-conducted Privacy Impact Assessment to evaluate how things are working, examine any changes that may have taken place within the privacy program since the PIA was conducted, and ensure the program is still effective. [IAPP]

US – Legislators Question Use of Secure Messaging Apps at EPA

U.S. legislators are seeking an inquiry into reports that staff at the Environmental Protection Agency (EPA) are using end-to-end encrypted messaging apps to communicate. The legislators say that the use of the apps such as Signal runs afoul of federal record-keeping requirements, which demand transparency. In a related story, reports suggest that “numerous senior GOP operatives and several members of the Trump administration” may be using the Confide app, which also uses end-to-end encryption. Confide messages self-destruct. [GOP demands inquiry into EPA use of encrypted messaging apps | House members: EPA officials may be using Signal to “spread their goals covertly” | Republicans send anti-Signal signal to US EPA | Self-destructing messages won’t fly in government | Washington Elites Use Secure Messaging Apps to Keep or Leak Secrets]

US Legislation

US – Legislative news

  • U.S. House Judiciary Committee Chairman Bob Goodlatte, R-Va., has set the committee agenda for the year, underscoring the importance of the Email Privacy Act. [The National Law Review]
  • Sen. Ron Wyden, D-Ore., Rep. Jason Chaffetz, R-Utah, and Rep. John Conyers, Jr., D-Mich., introduced the Geolocation Privacy and Surveillance Act, designed to create rules for when agencies can track and access a citizen’s geolocation data. [More]
  • Republican lawmakers are preparing to make a legislative move to overturn the Federal Communications Commission’s broadband privacy rules following requests from ISPs to undo the legislation. [More]
  • Sen. Ed Markey, D-Mass., and five public interest groups are rallying against Republican lawmakers’ push to overturn FCC broadband privacy rules using the Congressional Review Act. [Broadcasting Cable]
  • U.S. Republican Reps. Justin Amash, R-Mich., and Thomas Massie, R-Ky., have introduced legislation to repeal the Cybersecurity Act of 2015. [The Libertarian Republic]
  • A Colorado bill to eliminate a loophole allowing government agencies to access certain emails without a warrant has died in committee. [The Durango Herald]
  • A Georgia state Representative has introduced the Social Media Privacy Protection Act, which would prohibit employers from demanding access to employees’ social media accounts. [More]
  • A Missouri bill that aims to help bring the state in compliance with the REAL ID Act passed the House. [St. Louis Post-Dispatch]
  • The Article 29 Working Party is planning to formally petition the Trump administration to clarify the executive order’s impact on Shield in the upcoming days. [BNA]
  • New Mexico’s Senate unanimously approved the Electronic Data Privacy Act, which would block the use of cell site simulators and ban law enforcement agencies from accessing electronic communications data from service providers without a warrant. [The Tenther]
  • A Florida court has struck down parts of a law restricting doctors from asking patients about gun ownership, saying it violates the doctors’ First Amendment rights. [More]
  • Georgia’s State Senate has passed a law that would make “upskirting” illegal in the state. It now goes to the House. [More]
  • A Massachusetts senator has introduced a bill to require law enforcement to get a warrant before accessing data collected through automatic tolls in the state. [More]
  • Massachusetts Rep. Kate Hogan, D-Stow, has introduced a bill that would protect confidential information from being shared when multiple people are on the same plan. [More]
  • JDSupra offers part two of its U.S. state privacy and data security laws. [More]


