01-14 March 2017

Big Data

US – Privacy Pros and the Ethics of Big Data Tech

Uber has created a controversial program to allegedly evade law enforcement and regulation of its services. Called “Greyball,” the program leveraged information collected by Uber’s app with several other techniques to identify potential law enforcement and regulatory officials, including by geofencing offices, scraping publicly available social media posts, and identifying credit card information linked to law enforcement. Though many of these practices might not have violated the law, they are, at the very least, ethically dubious. The news is part of a larger trend whereby technology, and its corresponding surveillance capabilities, has the power to isolate groups or individuals for exploitation. Privacy Perspectives looks into the trend and the important role privacy pros can play curbing these practices within their organizations. [Privacy Perspectives]

WW – MIT Researchers Create System to Protect Privacy in Data Analytics

A group of researchers from the Data to AI Lab at the MIT Laboratory for Information and Decision Systems released a paper detailing a machine learning system designed to create synthetic data to help data scientists access data without compromising privacy. “Once we model an entire database, we can sample and recreate a synthetic version of the data that very much looks like the original database, statistically speaking,” said Principal Research Scientist Kalyan Veeramachaneni. “If the original database has some missing values and some noise in it, we also embed that noise in the synthetic version. In a way, we are using machine learning to enable machine learning.” [MIT News]

US – FTC Hosts FinTech Forum on AI and Blockchain Technologies, Summary

The FTC hosted a forum on the consumer implications of recent developments in artificial intelligence (AI) and blockchain technologies. This is the second of two entries on the March 9 FinTech Forum. Today’s post focuses blockchain technologies. Coverage of the opening remarks and the AI discussion may be found here. The panel discussions on blockchain technologies reflected the nascent stage of the technology, with industry representatives expressing confusion over the applicability of current regulation, and regulators expressing a lack of clarity over jurisdictional questions. The panelists all agreed that there was a great need for education on blockchain technologies—for consumers, regulators, and even large financial institutions. The panelists urged interested parties to begin educating themselves now so that they could be positioned to develop effective policies and practices when appropriate. Video and transcripts from the forum will be available here. [HLDA Data Protection]


CA – OPC Writes to the Ministers of Justice, Public Safety and Defence Calling for Greater Protection of Canadians’ Privacy Rights in The U.S.

The Privacy Commissioner of Canada has been asked by concerned Canadians to consider the implications of President Donald Trump’s Executive Order excluding non U.S. citizens and lawful permanent residents from the protections of the U.S. Privacy Act regarding personally identifiable information. Commissioner Daniel Therrien concluded that Canadians have some privacy protection in the United States, but that protection is fragile because it relies primarily on administrative agreements that do not have the force of law. Therefore, the Commissioner has called on Canadian government officials to ask their U.S. counterparts to strengthen privacy protections for Canadians. In the following letter, the Commissioner urged the Canadian federal government to ask the United States for Canada to be added to a list of designated countries under the Judicial Redress Act, which would extend certain judicial recourse rights established under the U.S. Privacy Act to Canadians. [priv.gc.ca]

CA – Canada, U.S. Talk Data Sharing

Homeland Security chief, John Kelly met March 10, 2017 with his Canadian counterpart Ralph Goodale, minister of Public Safety and Emergency Preparedness [see here], in a follow-up to a cross-border preclearance and data-sharing agreement signed a year ago  They talked about two pieces of legislation making their way through parliament that would increase biographic data sharing [Bill C-21 see here] and establish more preclearance facilities [Bill C-23 see here] in each other’s countries. [FCW]

CA – Whether Sending Threatening Emails or Youtube Videos, There’s No Anonymity Online

Carmi Levy, a tech analyst for CTV Bell Media, said in an interview with the Montreal Gazette “I’d be surprised if it took the cops more than 15 seconds to pinpoint this suspect and send the cruisers his way Anonymity and privacy no longer exist online and this should be a case study that anyone should think twice about doing something similar. If you think you can go online and be completely anonymous, you’ve got another thing coming. Truth of the matter is that everything we do online can and will be tracked. It is ridiculously easy for law enforcement to find out where we are.” Levy stressed that even though threatening emails may have refocused the spotlight on the Internet’s lack of actual anonymity, that same spotlight shines on every computer 24/7 no matter what it’s being used for. [Montreal Gazette]

CA – Proposed Security Oversight Committee ‘Shadow’ of What it Should Be, Opposition Says

Bill C-22, “An Act to establish the National Security and Intelligence Committee of Parliamentarians and to make consequential amendments to certain Acts,” comes up for debate this week. The government has already given notice it will reject opposition amendments that would have given the new committee powers to subpoena information and to stay on top of ongoing police investigations, and to make it more difficult for ministers to refuse to turn over information. During the 2015 election campaign, the Liberals also promised to repeal the “problematic elements” of bill C-51, the previous government’s anti-terrorism bill and introduce legislation that “better balances our collective security with our rights and freedoms.” The new oversight committee was to be at the heart of that balancing act. While the government plans to reject the opposition amendments, it is amending the bill to increase the number of members from nine to 11. If the bill becomes law, the committee would consist of eight MPs and three senators. [CBC]

CA – Comment: Security-Agencies Oversight Legislation Lacking

Canada’s three core security and intelligence agencies spend nearly $4 billion a year, employ 34,000 people and, since Liberals and Conservatives voted to pass Bill C-51, wield unprecedented powers to investigate and disrupt suspected threats. And yet Canada stands alone amongst our G7 peers in lacking parliamentary oversight of these powerful agencies To plug this gap in oversight, a proposal [Bill C-22 see here ] now before Parliament would give a committee of Top Secret-cleared MPs and senators access to classified information to oversee and investigate the security and intelligence activities of any government agency. parts of this plan sparked controversy in Parliament and raised red flags for security experts [on issues like: lack of independent oversight, gov’ts prerogative to withhold information and gov’ts prerogative to shut down investigations entirely] Why pursue such a weak oversight model? Part of the answer is the government’s plan isn’t new: In fact, the bill is cut and pasted from a 2005 initiative of the Paul Martin government. [Times-Colonist | Make sure security oversight is strong: Editorial | Give Parliamentary committee a chance to shine | New National Security Oversight committee likely to cost more than any other House or Senate security committees | Real Oversight Needed for Law-breaking National Security Agencies | Appearance before the Standing Committee on Public Safety and National Security (SECU) on Bill C-22 An Act to Establish the National Security and Intelligence Committee of Parliamentarians ]

CA – Critivcs Say B.C. Government’s Proposed Duty to Document Law is ‘Inadequate,’ ‘Pathetic’

The B.C. government is proposing a law requiring public servants and politicians to write down the reasons for their decisions, but it falls well short of what was asked for by the province’s independent information watchdog. The change comes after a scathing report last year [see here & here] into how government officials were “triple-deleting” emails to scrub them permanently from systems so they wouldn’t turn up in responses to freedom of information requests by the public and media. De Jong consulted with B.C.’s acting information and privacy commissioner, Drew McArthur, who asked for the law to give him oversight powers into any “duty to document” rules. Instead, the proposed legislation gives oversight to the chief records officer, and makes the changes under an act that McArthur, an officer of the legislature, can’t oversee. Still, he [McArthur] called the bill “a good first step.” [The Province]

CA – Feds Set to Regulate Reporting of Digital Data Breaches

Canadian companies will soon be legally required to file a report with the Office of the Privacy Commissioner (OPC) when they experience a network breach that compromises personal data. Companies will also be required to notify all those affected by the breach: employees, customers and relevant third parties. Companies that fail to comply could face fines of up to $100,000. Breaches that require notification are, according to the Digital Privacy Act [see here ], instances that pose “real risk of significant harm to affected individuals.” This definition includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss and identity theft. Many companies will have to update their systems and invest in new technologies to meet these standards. That might seem like a costly investment, but if you don’t have the right tools, tracking down a breach and figuring out what happened can take a massive financial toll, along with drawing resources away from more important projects. [Canadian Manufacturing]

CA – BC Liberals Spied on NDP Youth Meeting, Eby Charges

When the British Columbia NDP hosted a youth meeting [10 young people, many of them minors] on housing on the weekend, they had an unexpected guest recording the proceedings — a BC Liberal caucus researcher. These young people had organized a discussion about politics for youth in a multipurpose room at their local community centre, yet a government employee showed up posing as a young New Democrat She then secretly recorded these youths, using a cell phone she tried to hide on her lap” NDP housing critic David Eby said in the legislature Eby said he believes that for a government official to record the meeting without the participants’ knowledge was a violation of the Freedom of Information and Protection of Privacy Act. “It violated the privacy rights of these youth.” Eby said the NDP has confirmed the woman is a research officer in government caucus research in the legislature. [The Tyee]

CA – Judge Denies Request to Keep Details About Top-Billing Doctors Secret

The Toronto Star has been seeking the identities of highest paid fee-for-service doctors in Ontario since 2014. The identities of the province’s [Ontario] top-billing physicians must be disclosed to the court, a Toronto judge has ruled, adding that details about some of them must also be made available to the public. In a seven-page decision released this week, Superior Court Justice Ian Nordheimer denied a request to keep the court and public in the dark about the doctors, pending a judicial review of an order [see here] from the province’s privacy commissioner to make the names public.  His decision is the latest development in a three-year quest by the Toronto Star for information on the 160 highest paid fee-for-service doctors. In 2014, the Star filed a Freedom-of-Information request to the province’s Health Ministry about the largest billers to the taxpayer-funded Ontario Health Insurance Plan. Three separate groups of doctors are seeking a judicial review of the privacy commissioner’s order. It will be heard before a three-judge panel on June 19 and 20. Nordheimer concluded the court must have access to the same material that the privacy commissioner’s office used to reach its decision. The relevance of the information cannot be determined until the judicial review is conducted, he said. Nordheimer turned down a request from lawyers for two of three groups of doctors to proceed without revealing to the court the names of their clients or making public any details about them. [TorStar | Even judges shouldn’t know names of Ontario’s top-billing doctors, lawyer argues]


US – Consumer Reports Will Evaluate Privacy and Data Security

The non-profit, product-testing organization Consumer Reports (CR) will start including evaluations of products’ online security and privacy features in its product reviews. CR is also part of a collective that is creating a standard to guide the development of digital products. “The goal [of the Digital Standard] is to help consumers understand which digital products do the most to protect their privacy and security, and give them the most control over their personal data.” [Consumer Reports to Begin Evaluating Products, Services for Privacy and Data Security | – Consumer Reports to test products for privacy, data security | CNET: Consumer Reports to factor cybersecurity into reviews | The Digital Standard]

WW – Consumer Reports to Score Privacy, Security in Product Reviews

The nonprofit group Consumer Reports will begin to consider privacy and cybersecurity in its reviews. The group has worked with several organizations to develop methodologies for identifying whether a product can easily be hacked and how well a product can secure consumer data. Consumer Reports Director of Electronics Testing Maria Rerecich said the organization will start to implement the new methodologies gradually on a limited number of products. “We want to rate products on measures such as security, in much the same the way we currently assess products for physical safety and performance. That will give consumers the power to make choices based on solid information,” the company said in a statement. “When consumers vote with their wallets and their clicks, we’ve seen that companies pay attention. We think companies will strive to outdo their competitors when it comes to privacy, security, and other consumer rights.” [Reuters]

WW – Mozilla Survey 90% Don’t Know How to Protect Themselves Online

Mozilla asked [see here] about 30,000 members of its community from Australia, Canada, France, Germany, the UK, and the US questions about security, encryption, and privacy & how they rate their ability to protect themselves online. Ashley Boyd, VP of advocacy at Mozilla, said the company launched the survey knowing that, even among the web-savvy, many people feel their privacy and security is eroding. “What was surprising was the high percentage of people who identified as truly feeling defenseless,” said Boyd. “Over 90% of survey respondents said they don’t know much about protecting themselves online. And nearly a third of respondents feel like they have no control at all over their personal information online.” Mozilla also reports that 8 in 10 respondents fear being hacked and that 61 per cent expressed concern about being tracked by advertisers. The survey also found that those who were the most knowledgeable about privacy were the most concerned about being tracked by governments and law enforcement. Chief business and legal officer at Mozilla, Denelle Dixon said such worries are not just the product of experts playing out theoretical problems. “Concern about surveillance and tracking is realistic, even if you are completely abiding by the law,” she said. “No one wants to feel like they aren’t in control of their data or their online life.” [The Register]

WW – ‘Smart Billboards’ May Be Coming to A Highway Near You

Synaps Labs is planning to test its targeted advertising model on digital billboards in the U.S. this summer. Synaps expects to be operating on 20 to 50 billboards in Russia this year. The company uses high-speed cameras to identify cars and its “machine-learning” system to recognize the type of car and what corresponding ads advertisers want to target the driver with, the report states. “Synaps won’t sell data on individual drivers.” Additionally, “out of safety concerns, license plate data is encrypted, and the company says it will comply with local regulations limiting the time this kind of data can be stored, as well.” [MIT Technology Review]


WW – IA Leak Exposes Government Insider-Threat Problem

The disclosure this week of what appears to be documents detailing CIA hacking methods once again exposes the U.S. government’s failure to mitigate its insider-threat problem, if, as some U.S. officials and cybersecurity pros suspect, the source was from a government contractor. The CIA leak is the third major incident in recent years in which threat software and resource programs designed to prevent such threats did not work. Part of the problem, the report states, is the increased access government employees and contractors have to sensitive information — partly because of post-9/11 mandates that increased information-sharing. Agencies also tend to rely on contractors instead of permanent staff because of budget constraints. Meanwhile, UN Special Rapporteur on the Right to Privacy Joseph Cannataci has released a report on the need for civil liberties in light of growing surveillance in the digital world. [Reuters]

US – As Many as 7.5 Million Voter Records Involved in Georgia Data Breach

The Federal Bureau of Investigation opened an investigation at Kennesaw State University’s Center for Election Systems involving an alleged data breach. As many as 7.5 million voter records may be involved, according to a top state official briefed on the information but not authorized to speak on the record. Neither federal officials nor university officials would confirm the scope of the investigation or how many records had potentially been accessed. State officials found out about the breach after being notified by the university. The governor’s office said it asked the Georgia Bureau of Investigation to contact the FBI after learning about the scope of the problem. [MyAJC]

UK – More Than Half of UK Councils Give Body Cameras to Staff

More than half of UK councils have given body-worn cameras to their officials to snoop on minor offences such as littering, bad parking and dog-fouling. Two-thirds of the local authorities have also failed to conduct a privacy impact assessment before taking the controversial measure, according to research by Big Brother Watch. The civil liberties campaign group, which revealed its findings in a new report, claimed the “widespread filming” was not “proportionate” to the often trivial offences committed. The report found 227 local authorities (54%) were at least trialling the cameras, 3,760 cameras had been purchased and 150 local authorities (66%) did not know if they had completed a privacy impact assessment. Pensioner Sue Peckitt was fined £80 after a camera caught her pouring coffee down the drain in London. [Independent]


US – Apple, Amazon, and Microsoft Are Helping Google Fight an Order to Hand Over Foreign Emails

Apple, Microsoft, Amazon, and Cisco have filed an amicus brief in support of Google, after a Pennsylvania court [U.S. magistrate Judge Thomas Rueter in Philadelphia ruled February 3, 2017 that the company had to hand over emails stored overseas in response to an FBI warrant. [see 29 pg pdf here ] In the brief, the companies argue: “When a warrant seeks email content from a foreign data center, that invasion of privacy occurs outside the United States — in the place where the customers’ private communications are stored, and where they are accessed, and copied for the benefit of law enforcement, without the customer’s consent.” They claim that handing over foreign data “invites” other countries to demand emails from US citizens, stored on US soil, in the same way. They also referenced a similar case won by Microsoft in January. The company refused to hand over emails belonging to the non-US citizen stored on Irish servers, and the US government lost an appeal to have the case reheard. [Business Insider]

EU Developments

EU – EDPS Publishes Opinion on Border Screening System

European Data Protection Supervisor Giovanni Buttarelli released his opinion on the European Travel Information and Authorisation System, arguing that while it is important to secure borders, its equally important to ensure initiatives designed to strengthen them do not erode privacy rights. Buttarelli cautioned that screening techniques bring with them myriad privacy concerns, and stressed the need for a privacy assessment on the ETIAS’ proposal. Additionally, “as the information gathered will be used to grant or deny individuals access to the EU, based on the migration, security or health risks they may pose, it is vital that the law clearly defines what these risks are and that reliable methods are used to determine in which cases they exist,” Buttarelli said. [EDPS]

UK – ICO to Probe Use of Voters’ Personal Data in Political Campaigns

The U.K. Information Commissioner’s Office is launching an investigation into the collection and use of voters’ personal data in political campaigns. The move comes after a recent report from the Observer, which alleged U.S.-based technology company Cambridge Analytica played a role in the Brexit and Trump victories in 2016. “We are conducting a wide assessment of the data-protection risks arising from the use of data analytics, including for political purposes, and will be contacting a range of organisations,” an ICO spokeswoman said, adding, “We intend to publicise our findings later this year.” The ICO also said, “We have concerns about Cambridge Analytica’s reported use of personal data, and we are in contact with the organisation.” [The Guardian]

EU – Other EU Developments

  • A ruling from the Court of Justice of the EU is forcing the U.K. Home Office to delay the implementation of the Investigatory Powers Act. [Ars Technica]
  • The European Parliament announced Civil Liberties MEPs voted for stronger safeguards and a shorter period of data retention within the EU entry-exit system. [EuroParl]
  • In a blog post, 2 March, the U.K. Information Commissioner’s Office released its first specific GDPR implementation guidance, focusing on consent, for public consultation. [ICONewsBlog]
  • Germany’s interior ministry announced a draft law last month that would allow authorities to access personal data from electronic devices of asylum seekers without their consent. [The Verge]
  • After an inquiry, Australian Privacy Commissioner Timothy Pilgrim has said that “agency-specific laws” can override the Privacy Act, giving the heads of agencies the ability to access and release public information, iTnews reports. [Tnews]

Facts & Stats

WW – Verizon: 90% of Breaches Involve Phishing, Social Engineering

In Verizon’s newest “Data Breach Digest,” the companion to its annual breach report, researchers said that 90% of the data-loss incidents the team investigates have a “phishing or social engineering component” to them. User credentials are often the hot-ticket data for hackers, who sell the information on the dark web to those looking to masquerade as actual employees on company networks. “Because organizations don’t have multifactor [authentication] rolled out, it makes it trivial to get in.” [BankInfoSecurity]


CA – NFLD Court Finds Disclosure of Employee Names, Titles and Remunerations Unreasonable Invasion of Privacy

A Newfoundland and Labrador court reviewed the Newfoundland and Labrador English School District’s decision to disclose employee personal information, pursuant to the Access to Information and Protection of Privacy Act, 2015. A district school agreed to disclose the requested information to a member of the media (this was prior to legislation specifically designed for the release of “Sunshine Lists”); the records contained the names of the teachers in connection with their position and salaries, the information was held by the school for tax purposes, and the school did not supply any reasoning why the information should be released to the media. [Newfoundland and Labrador Teachers Association v. Newfoundland and Labrador English School District – 2016 CANLII 89960 NL SCTD – In the Supreme Court of NFLD and Labrador Trial Division]

CA – PEI Gov’t Redacts Information from Document It’s Already Made Public

The P.E.I. government says “human error” led it to redact information it had already made public from a document obtained under the province’s Freedom of Information legislation. CBC News filed a request in January 2017, seeking information on the province’s plans to implement a carbon tax. In response the province provided 228 pages comprised of various documents, with much of the information severed or redacted. The problem is, some of the information that was withheld had already been released to the public, and is freely available on the province’s website. [CBC]

CA – OPC Canada Finds Viewing Records Without Getting Copies Meets Organization’s Access Obligations

The Office of the Privacy Commissioner of Canada reviewed a complaint from a condominium owner, pursuant to PIPEDA. Organizations must respond to access to information requests at minimal or no cost to the individual; allowing individuals to view the records for free without also getting copies of them satisfies an organization’s access obligations under PIPEDA. [OPC Canada – Access to Personal Information Request Revised to Accommodate Both Requestor and Organization]

CA – OIPC BC Orders Disclosure of Law Enforcement Investigative Records

The Office of the Information and Privacy Commissioner of British Columbia reviewed the Insurance Corporation of British Columbia’s decision to withhold access to information, pursuant to the Freedom of Information and Protection of Privacy Act. Withheld records containing information that is not about identifiable individuals can be disclosed, such as time of the interview, date and place of the incident, insurance claim and SIU file numbers, and vehicle descriptions; consent was provided by the applicant’s spouse for the disclosure of her personal information, the applicant is already aware of details of the investigation, and it is unclear how disclosure of the information could unfairly damage the third party’s reputation. [OIPC BC – Order F17-06 – Insurance Corporation of British Columbia]

CA – OIPC AB Concludes Failure of Public Bodies to Timely Respond to Access Requests is Unacceptable

This OIPC report investigates the failure of Alberta Justice and Solicitor General to meet legislative timelines for responding to access requests pursuant to the Freedom of Information and Protection of Privacy Act. Reasons for delays include consultation within the government (despite no statutory requirement to do so), unnecessary application of discretionary exemptions to withhold access, an inefficient and unnecessary funneling of requests through the head of a public body, an increased volume of requests versus fewer staff to handle them, the need for judicious application of the “frivolous and vexatious” provision to some complex applicants, and a lack of respect for the FOI regime in some areas of government. [OIPC AB – Investigation Report IR-F2017-IR-01 – Alberta Justice and Solicitor General]

CA – OIPC BC Finds Disclosure of a City’s Job Evaluation Process Would Not Harm its Financial Interests

The Office of the Information and Privacy Commissioner in British Columbia reviewed a decision by the City of Nanaimo to deny access to records requested, pursuant to the Freedom of Information and Protection of Privacy Act. Information relating to the evaluation process did not contain any plans or proposals (only the raw materials on which they would be based), and would not lead to morale issues (employees have already filed grievances without the information); the City did not provide any details showing how disclosure would put it at a disadvantage in collective bargaining or would result in an increase in employee wages. [OIPC BC – Order F17-03 – City of Nanaimo]

US – California Top Court: Information on Personal Devices Dealing With Official

The California Supreme Court ruled that texts and e-mails sent by public employees on their personal devices are a matter of public record when they deal with official business. The court found in its unanimous opinion that communications must be disclosed to the public if they “relate in some substantive way to the conduct of the public’s business.” The court did not provide a clear balancing rule on where such a line should be drawn between employees’ privacy and public record. [Jurist]

US – FBI’s New Online FOIA Portal is Now Live

The FBI’s controversial changes to its FOIA request system are now fully implemented. [see here and FAQ here] For the FBI, a popular target for FOIA requests, the new online portal replaces the standard email system. According to the bureau, the new online portal transitions the agency from a manual system to an automated system that will help it handle its large volume of requests, though detractors argue that the new web portal creates additional barriers to those seeking information from the FBI and makes tracking the paper trail more difficult. Afraid of change? If you feel more comfortable doing things the really old fashioned way, you can just file your FBI FOIA request by fax or mail, though we wouldn’t exactly recommend it. [TechCrunch]


CA – Debate Over Contentious Genetic Discrimination Bill Continues

The debate over the contentious Genetic Non-Discrimination Act continues through the House of Commons and could come down to a final vote. The legislation, also known as Bill S-201, would make it illegal for companies to require an individual to undergo or reveal the results of genetic testing in order to sign an insurance policy, or obtaining any other goods or services. The Canadian Life and Health Insurance Association believes health costs will rise if the bill passes, while the Canadian Coalition for Genetic Fairness’ Bev Heim-Myers said she supports the bill, as the fear of genetic discrimination could lead to people avoiding important diagnostic tests. [Global News]

CA – 100 Liberal MPs Defy Trudeau On & Vote for Genetic Privacy Law

The Genetic Non-Discrimination Act [Bill S-201] is aimed at preventing the use of information generated by genetic tests to deny health insurance, employment, and housing, or to influence child custody and adoption decisions. It calls for fines of up to $740,000 and prison terms of up to 5 years for anyone who requires any Canadian to undergo a genetic test, or to disclose test results, in order to obtain insurance or enter into legal or business relationships. The bill bars discrimination on the grounds of genetics, and the sharing of genetic test results without written consent (with exemptions for researchers and doctors). Trudeau’s Liberal Party cabinet also formally opposed the measure, with Justice Minister Jody Wilson-Raybould arguing that the bill is unconstitutional because it intrudes on powers given to Canada’s 13 provincial and territorial governments to regulate insurance. On 9 March, members of Parliament voted 222–60 to approve the measure. More than 100 Liberal members voted for the bill, taking advantage of a so-called free vote, which allows members to vote their conscience rather follow the party line. The result has prompted Trudeau’s government to consider extraordinary measures to block the legislation. To delay and potentially kill the legislation, Trudeau’s government is considering not sending the bill to the governor-general (a tactic that doesn’t appear to have been used since the 1920s), and instead asking Canada’s Supreme Court to rule on the bill’s constitutionality. That process could take up to 2 years. [Science Mag | Genetic non-discrimination bill unconstitutional: Trudeau | Liberal backbenchers defy cabinet wishes and vote to enact genetic discrimination law | | Does this genetic testing bill threaten the insurance industry? | Life insurers’ new genetic test policy called an 11th-hour stalling attempt | Canadian insurance industry pens rules on use of genetic test results | Genetic discrimination private member’s bill pits Grit backbenchers against cabinet | Canada: Genetic Discrimination And Canadian Law | Genetic testing bill perpetuates myths and fears]

CA – Google’s Montreal ‘Cloud Region’ Allows Data to Stay In Canada

Google Inc announces first Canadian ‘cloud region’ in Montreal, allows sensitive data to stay within borders. Located in Montreal, the new cloud region now lets customers such as large corporations move large amounts of information to online storage without having to leave Canadian borders It will not just store the information but also provide its algorithms to make more sense of the data. “Canadians always love to know that their data is still on this soil, especially as there is legislation in the U.S. that allows the government to go into data centres under the Patriot Act,” said Roland Gossage, chief executive of the Toronto-based e-commerce provider GroupBy Inc. Though Amazon.com Inc and Microsoft Corp has already offered cloud storage options in Canada, Google reiterates that what sets its services apart from others is the ability to gain insight from the large amounts of data being stored through machine learning and artificial intelligence. [Financial Post]

Health / Medical

WW – Medical Device Security Still a Major Problem

Health care organizations continue to face problems when trying to protect medical devices from hackers. U.S. hospitals average 10 to 15 connected devices per bed, and each of those devices create several points of exposure for hackers to compromise and implement ransomware and other types of network attacks. Security firm TrapX found hackers were specifically targeting medical devices connected to outdated software in order to avoid detection. The Food and Drug Administration is one of the first agencies to take a stand against medical device hacking. The FDA began to seriously examine device cybersecurity as a requirement for approval starting in 2013 and has continued to update the criteria to this day. [WIRED]

Horror Stories

US – Florida Senator Demands Answers from Spiral Toys After Cloud Hack

Sen. Bill Nelson, D-Fla., has written to the CEO of Spiral Toys, seeking answers on the company’s data protection practices in light of a breach affecting its CloudPets brand and more than 800,000 of its customers. Nelson said that incident called into question how well Spiral Toys was able to adhere to the Children’s Online Privacy Protection Act. Among his nine questions for the company were inquiries into the type of information Spiral Toys collects from its users via their products, if that information was sold to third-party vendors, and if the company provided notice of these collection practices, should they exist, to its customers, the letter states. He asked for a response from Spiral Toys by March 23. [ComputerWorld] [Is your IoT teddy bear safe? MondgoDB data breach allegedly leaks and ransoms millions of kid’s voice recordings | Internet of Things Teddy Bear Leaked 2 Million Parent and Kids Message Recordings | Banned In Germany: Kids’ Doll Is Labeled An Espionage Device | These Toys Don’t Just Listen To Your Kid; They Send What They Hear To A Defense Contractor | These Toys Don’t Just Listen To Your Kid; They Send What They Hear To A Defense Contractor | Talking Dolls May Spread Children’s Secrets, Privacy Groups Allege | You should probably still avoid toys that talk with your kids | Parents are worried about the new WiFi-connected Barbie, but should they be?]

WW – Spammer Accidentally Leaks 1.34B User Accounts

Email marketing group River City Media failed to protect its 1.34 billion user accounts, inadvertently making them available for anyone to see. MacKeeper security researcher Chris Vickery discovered the breach in January. He said that River City Media “masquerades as a legitimate marketing firm” when instead is a large-scale spamming organization. It’s accrued names, emails and IP addresses through emails advertising phony credit checks and sweepstakes. Vickery worked with CSO Online to verify the breach, ultimately finding that River City Media employees didn’t “properly configure its backup system.” The unsecured database is so vast that “chances are that you, or at least someone you know, is affected.” [Fortune]

Law Enforcement

US – DoJ Drops Child Porn Case to Protect Tor Hacking Technique

The US Department of Justice (DOJ) has asked a federal court to dismiss its case against an alleged suspect in a child pornography case because the department does not want to reveal the “network investigative technique” it used to discover identities of people on Tor who accessed a certain dark web site. Last spring, Mozilla filed a brief in the case asking the FBI to privately reveal the flaw the technique exploits because it affects users’ security. (The Tor browser uses much of the same code as Firefox.) [ZDNet: Justice Dept. drops Playpen child porn case to prevent release of Tor hack | To keep Tor hack source code secret, DOJ dismisses child porn case | Child porn case dropped to prevent FBI disclosure | U.S. drops child porn case to avoid disclosing Tor exploit | DoJ Wants to Keep Tor Hack Code Used Secret, Dismisses Playpen Child Porn Case]


US – Mass. Lawmakers Push for Restrictions on Use of Sensitive Driver Data

Massachusetts lawmakers have filed a proposal to restrict the ways the state can use sensitive driver data collected by its new all-electronic tolling system. A pair of bills sent to the state House and Senate would prohibit the Massachusetts Department of Transportation from using the data, including driving speeds and travel history, for anything but collecting tolls. The bills would stop the agency from sharing the data unless a warrant was involved. Representative Marjorie C. Decker said if the data must be shared, strong privacy protections must be in place, and the state needs to be transparent about the way the data is used. “Many people don’t even realize that if you have an E-ZPass, it can track your whereabouts,” Decker said. “People have a right to know this is happening.” [The Boston Globe]

Online Privacy

US – ACLU Challenges Facebook Search Warrant

The American Civil Liberties Union has filed a motion challenging a warrant allowing police to search a Facebook community page for information on a group protesting the Dakota Access Pipeline, according to an ACLU press release. The ACLU argued in its motion that the warrant eroded both First and Fourth Amendment rights. Additionally, the warrant wasn’t “particularized” as the Fourth Amendment requires, meaning that it hadn’t indicated “in detail items for which the government has probable cause to search,” the report states. The ACLU also argued that “when searches involve broad intrusions, such as searches of computers or online accounts like Facebook, the need for such limitations on warrants is especially great, courts have found.” The challenge is scheduled to have its day in Whatcom County Superior Court on March 14. [ACLU]

Privacy (US)

US – Survey Rates States With Best Online Privacy Protections

Comparitech has developed a scoring system to find the states with the most online data protection laws. The system was based on 14 different laws, including laws to protect internet-of-things data, safeguard employee and children’s privacy, and mandate data retention time limits. Delaware scored the highest out of all 50 states, with a privacy score of 85.7%, only missing two of the 14 criteria. California finished with the second best score, with 78.6%, while Utah and Arkansas tied for third with 71.4%. There was a three-way tie for the worst states for online privacy, with Wyoming, South Dakota and Alabama all finishing with a 28.6% score. [Comparitech]

US – EFF Releases Guide to Help Travelers Protect Privacy at the US Border

The Electronic Frontier Foundation released a guide to help travelers protect their digital information when traveling across borders. “Digital Privacy at the U.S. Border“ helps travelers perform a risk assessment by evaluating personal details such as immigration status and travel history. By assessing those factors, travelers may be able to protect themselves by leaving certain devices at home or using encryption. “Border agents have more power than police officers normally do, and people crossing the border have less privacy than they usually expect,” said EFF. “Border agents may demand that you unlock your phone, provide your laptop password, or disclose your social media handles. Yet this is where many of us store our most sensitive personal information.” [EFF]

US – FPF, George Mason Law Seeking Paper Submissions

The Program on Economics & Privacy at George Mason University’s Antonin Scalia Law School and the Future of Privacy Forum have announced they are seeking paper submissions considering the development of a benefit-cost framework for privacy policy. Potential areas of special interest for the papers include “developing metrics to measure the costs and impacts of privacy controls; unpacking the economics of privacy using microeconomic tools; and calculating the value of privacy for consumers through analysis of competitive offerings.” Chosen submissions will be presented at the Fifth Annual Public Policy Symposium on the Law & Economics of Privacy and Data Security Policy in June, and will also be published in an issue of the Journal of Law, Economics & Policy. The deadline for submissions is April 15. [FPF]

US – Washington CPO Releases Open-Source Privacy-Law App

The state of Washington’s Office of Privacy and Data Protection has launched a “privacy modeling” web app, which allows government agencies aiming to roll out various programs and products to find relevant state and federal privacy laws and, ostensibly, make smart choices based on those parameters. Washington Chief Privacy Officer Alex Alben said the office will release the app’s source code sometime this week on GitHub so other state agencies can adopt their own versions. [Privacy Advisor]

US – Other Privacy News

  • As data collection has become more ubiquitous, technologies more advanced and consumer data more valuable, the definition of “personal information” within U.S. state data breach notification laws has expanded to include things like login credentials, biometric information and health data. [org]
  • Voting along party lines, the U.S. Federal Communications Commission voted 2-1 last Wednesday to halt data privacy measures that were slated to go into effect March 2. [IAPP]
  • A landmark case about metadata in Australia has challenged the scope of Australian privacy laws, overruled the privacy commissioner, and left practitioners with questions. [org]
  • All this month, Max Schrems is back in court in Dublin. Not content with bringing down Safe Harbor, Schrems is sticking to his guns and coming after standard contractual clauses and may even inadvertently demolish Privacy Shield. [org]
  • The U.S. House of Representatives Judiciary Committee held a hearing last week on Section 702 of the Foreign Intelligence Surveillance Act. Testimony suggested, with caveats, that s.702 be reauthorized. [org]
  • Federal Communications Commission Chairman Ajit Pai is planning to delay the implementation of the agency’s broadband privacy rules. [Reuters]
  • A California court has ruled electronic communications sent by public employees on their personal devices that relate to public business are public information. [Jurist]

Privacy Enhancing Technologies (PETs)

US – Design Jam to Focus on Privacy Solutions

“Privacy by design” has come to mean a lot of things. For many, it has boiled down to simply thinking about privacy and data protection from the outset of a project and all the way through to completion. It’s getting privacy in at the “whiteboard stage.” Lost, perhaps, in that way of thinking is the “design” piece. How do organizations literally design and engineer their products and services to emphasize privacy and bring user control over their data to the fore? That’s the question being presented to participants in an inaugural Design Jam in Berlin, Germany this week, March 10 through 12, hosted by Facebook, Ctrl-Shift, Work Play Experience, and the University of Southampton. The Privacy Advisor discusses the event’s goals and potential outputs. [Full Story]

WW – R3 Consortium Study Compares Blockchain Privacy Tools

The R3 consortium released a summary last November of the various schemes that software developers have devised for protecting privacy for blockchain-based transactions The study [“Survey of Confidentiality and Privacy Technologies for Blockchains“, which has not previously been made public, provides a comparison of the level of privacy offered by each approach. The study was done by Jack Gavigan [with Danny Yang & Zook Wilcox], a co-founder of Zcash, a cryptocurrency that uses zero-knowledge proofs, one of the methods evaluated in the report. Financial institutions are anxious to use the efficiency features of blockchain technology, but the lack of privacy has proven a stumbling block. Following is a summary of the different privacy technologies reviewed in the report: 1) Permissioned Ledgers; 2) Off-Chain Approaches; 3) Coin Mixing; 4) Ring Signatures; 5) Pederson Commitments; 6) Zero-Knowledge Proofs; and 7) Stealth Addresses [CryptoCoinsNews]


WW – Amazon Echo Data Shared With Authorities in Arkansas Murder Case

Amazon has ended its fight against an Arkansas court’s subpoena demanding access to the defendant’s Amazon Echo device. James Andrew Bates had plead not guilty to first-degree murder of a man found dead in his house, adding that he “wouldn’t mind” if Amazon shared information from the device to aid investigators with their case, the report states. While Amazon had initially pushed back against the subpoena, arguing in favor of Bates’ privacy rights, it handed over the Echo data to the court, after Bates granted permission. “A hearing had been set on whether any information gathered was even pertinent.” [The Associated Press]

WW – The Latest Iot Device? A ‘Smart Condom’

The “world’s first smart condom,” the i.Con Smart Condom, is now available for preorder. The device functions akin to a Fitbit and has a ring-like design that allows it to go over basic condoms, where it is able to measure sexual performance and other elements. Users can track these measurements in an app. On the privacy front, distributor British Condoms said that “all data will be kept anonymous, but users will have the option to share their recent data with friends, or, indeed the world.” [CNet]


WW – WikiLeaks Releases Host of Alleged CIA Hacking Documents

In another leak with potentially massive implications for U.S. intelligence, WikiLeaks has released a trove of documents that appears to demonstrate the CIA’s hacking capabilities, The New York Times reports. The documents are said to show the agency’s ability to break into smartphones, computers and other internet-connected devices. The first release includes 7,818 web pages with 943 attachments. WikiLeaks claims the entire archive, which is dated from 2013 to 2016, includes several hundred million lines of code, the report states. WikiLeaks will not name the source of the documents but said the source “wishes to initiate a public debate about the security, creation, use, proliferation, and democratic control of cyberweapons.” [Full Story]

US – Tech Sector Scrambles in Wake of CIA-Hacking Leaks

As the dust begins to settle after Tuesday’s WikiLeaks data dump of the CIA’s hacking methods, the technology sector is scrambling to patch security fixes and warn users to update their software. The 9,000 pages of documents released by WikiLeaks, which security professionals believe are legitimate, reveal methods the CIA has developed to circumvent the hardware and software of some of the world’s top technology products, including exploiting smartphone operating systems, which allows agents to go around encryption apps. In this post for Privacy Tech, Jedidiah Bracy rounds up the latest reaction from several technology companies, comments from the CIA and FBI Director James Comey, and other developments since the leaks. [IAPP.org]

WW – CIA Hacking Disclosure Could Lead to Consumer Distrust of Iot Devices

Cybersecurity professionals believe the recent revelations about the CIA’s hacking efforts could affect the way consumers and companies view internet-of-things devices, Mashable reports. Professionals say consumers should take every measure they can to protect their privacy and inform themselves with what privacy protections companies will offer them. “I know that’s a big fear for a lot of these companies — they don’t want their product to be the one that is considered unsafe,” said the Center for Strategic and International Studies’ James Lewis. “There’s probably a competitive advantage to being more secure than your competitor.” The Atlantic Council’s Cyber Statecraft Initiative’s Beau Woods adds if consumers feel threatened by the vulnerabilities within smart technology, it could lead to an increased amount of distrust and a drop in sales. [Mashable]

WW – WikiLeaks Will Offer Tech Companies Access to CIA Hacking Tools

Julian Assange says that WikiLeaks will offer tech companies access to the technical details of hacking tools in the cache of leaked classified CIA documents so that the companies can address the vulnerabilities the tools exploit. Companies are wary of the offer because of the legal ramifications of accepting stolen classified data. [WikiLeaks promises to leak Vault 7 code archive to tech firms first | WikiLeaks: We will work with tech companies to fix CIA hacking holes | WikiLeaks Will Help Tech Companies Fix Security Flaws, Assange Says | Assange: WikiLeaks Will Help Tech Firms Defend Against CIA Hacking ]

EU – Risk Assessment: Proposed Guidelines Will Help Organisations Evaluate the Functionality and Effectiveness of Video Surveillance Systems

The CEN Workshop Agreement, based on the results of the Evaluation and Certification Schemes for Security Products (“CRISP project”), issues a final draft of guidelines for the evaluation of installed security systems based on STEFi dimensions. The STEFi approach (security, trust, efficiency, freedom infringement) applies to all types of security systems, but is specifically suitable for planned or installed video surveillance, and is intended to be used to establish a certification scheme; evaluation of a security system involves an assessment to identify conflicting criteria for the security system between the STEFi criteria, and resolving conflicts in consultation with relevant stakeholder and experts by negotiating solutions, and implementing technical changes to the system or operating procedures. [Guidelines for the Evaluation Process of Installed Security Systems Based on the S-T-E-Fi Criteria – CEN Workshop Agreement – European Committee for Standardization]

CA – A 5-Step Data Breach Risk Mitigation Plan for Boards & Directors

On January 19, 2017, the Canadian Securities Administrators (CSA) issued Multilateral Staff Notice 51-347 disclosure of cyber security risk and incidents. The Staff Notice only applies to reporting issuers, but it reflects a broader prevalence of, and heightened concern about, cyber security risks and the related liability exposure that all organizations, officers and directors face. Case in point: on February 3, 2017, the Québec Superior Court authorized a consumer privacy class action in Zuckerman v. Target Corporation seeking financial compensation for – you guessed it – a data / privacy breach. Here’s a five-step cyber security mitigation plan that organizations and their directors can and should implement now to minimize the growing liability risks of suspected and actual cyber attacks [including]: 1) Make it a (priority) corporate governance matter; 2) Get a good handle on your legal notification obligations; 3) And have a good handle on your risk and incident disclosure obligations too; 4) Assess your current situation; and, 5) Be well-prepared, well in advance. [McInnesCooper]

US Government Programs

US – DHS Issues Breach Notification Best Practices

The US Department of Homeland Security (DHS) is putting the finishing touches on breach notification guidance for agencies, state and local governments, and other organizations. The DHS Data Privacy and Integrity Committee approved a final draft of the best practices document last month. The guidance addresses deciding whether and how to notify affected individuals; the risks of over-notification; and offers suggestions for additional support for those affected by a breach. [DHS finalizing best practices for notifying victims of major cyber breaches | See ALSO: Best Practices for Notifying Affected Individuals of a Large-Scale Data Breach

US – The Data Tool Helping Enforce Trump’s New Immigration Policies

Immigration and Customs Enforcement has deployed a Palantir Technologies-developed intelligence tool, dubbed Investigative Case Management, to assist with the Trump administration’s potential immigration deportation plans, The Intercept reports. Documents indicate that ICE viewed the tool as “mission critical,” the report states, “meaning that the agency will not be able to properly function without the program.” The tool, which will hit “final operating capacity” in September of this year, allows users to access a vast “ecosystem” of information on a person from an array of federal agencies. “If President Trump’s rhetoric on mass deportations is going to be turned into reality, then we’re going to see these tools turned in that direction, and these documents show that there are very powerful and intrusive tools that can be used toward that end,” said the ACLU’s Jay Stanley. Earlier this week, several organizations sent letters to 50 data brokers asking them to not build any so-called “Muslim registries.” [Full Story]

US Legislation

US – Iowa Bill Imposes Restrictions and Limitations on Processing and Disclosure of Student Data

House Bill 48, adding a new section to Chapter 256 of Iowa Code and relating to student data collection policies and plans, has been introduced and referred to the Education Committee. The Department of Education, school districts and certain schools are prohibited from including certain data in student files of both the student and student’s family (such as income, certain personality traits, political/religious affiliations and criminal/juvenile justice records); student data must generally not be provided outside of the state and kept confidential (exemptions include a court order, the lawful custodian of the data, another authorized person, or for out-of-state student transfers. [House File 48 – An Act Relating to Student Data Collection – Iowa]

US – House Committee Forwards Bill That Would Give NIST Auditing Authority

The U.S. House Science Committee has passed (19-14) a bill that would place the onus of auditing government agencies’ cybersecurity on the shoulders of the National Institute of Standards and Technology (NIST). Those opposing the measure say that auditing is outside of NIST’s expertise. The bill calls for NIST to conduct an initial assessment of all agencies’ cybersecurity preparedness within six months. [NextGov: NIST as Enforcer? House Committee Passes Bill to Expand Agency’s Responsibilities | Full Committee Markup – H.R. 1224, the “NIST Cybersecurity Framework Auditing Act of 2017: “

US – Other Legislative Developments

  • Four U.S. lawmakers have proposed legislation to set up a cybersecurity grant program to help state, local and tribal governments more effectively fight cyber threats. [Augusta Free Press]
  • A Missouri Senate bill would require schools to notify affected individuals of a data breach. [KSPR]
  • In response to fears of a crackdown on legal marijuana by the new administration, a group of Oregon lawmakers has proposed legislation requiring marijuana businesses to destroy customer information within 48 hours. [CBS News]
  • A Utah bill aiming to protect voter-registration records has cleared committee and is now headed to the full House. [The Salt Lake Tribune]
  • The House Committee on Science, Space and Technology passed the NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017. [The Hill]



Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: