15-22 March 2017

Biometrics

CA – Canada Revenue Agency Can Collect Your Fingerprints

Did you know the Canada Revenue Agency can collect your fingerprints? Neither did the rest of us. All it takes now for someone to be fingerprinted is to be charged with, but not necessarily convicted of, tax evasion. Toronto tax lawyer David Rotfleisch sees the CRA’s approach as problematic, for two reasons. First, “there are plenty of cases where someone accused of tax evasion will be acquitted.” Second, even when tax evasion charges are laid, they can be prosecuted either as a major or minor offence. The CRA’s approach means you’d get fingerprinted like a bank robber even if prosecutors decided your tax-dodging amounted to something more akin to getting caught with a bit of marijuana. Your fingerprints, taken by agencies like the RCMP and local police, would be recorded in Canada’s national police database at the Canadian Police Information Centre (CPIC). The CPIC database is accessible not only to all Canadian police officers but also some foreign law enforcement agencies, including the U.S. Department of Homeland Security and its border protection officers, said Rotfleisch. [Global News] See also: [ComputerWorld: It’s Time to Face the Ugly Reality of Face Recognition]

WW – Privacy-Enhancing Technologies Provide Advantages Over Traditional Biometric Systems

The International Working Group on Data Protection in Telecommunications has issued a paper on use of biometrics for online authentication. Biometric encryption and cancellable biometrics allow for the revocability of stored biometric data, and a remote biometric authentication protocol provides security if a user’s device or a server is compromised. Organisations should ensure that systems securely store biometric templates locally, delete raw data once a template has been generated, and do not make biometric authentication a condition of service (non-biometric options should be available). [Working Paper on Biometrics in Online Authentication – International Working Group on Data Protection in Telecommunications – Guidance Document]

US – House Oversight Committee Grills FBI Over Facial Recognition

The House Oversight Committee held a two-hour hearing exploring privacy and security issues around the deployment and use of facial recognition technology. Though the panel featured witnesses from government, industry, and civil society, much of the discussion turned on the FBI’s use of and access to nearly 412 million face images from various databases and its apparent difference of opinion with a Government Accountability Office report that was critical of the FBI program. Additionally, one specific concern among congressional lawmakers from both sides of the aisle was the FBI’s access to state driver’s license photos. [Privacy Tech]

WW – Beijing-Based Facial Recognition Startup Allows Users to Authorize Payments

MIT Technology Review released its list of 10 Breakthrough Technologies, including a startup located in a suburb of Beijing working on facial recognition technology used in several popular apps. Face++ technology allows Chinese citizens to make money transfers using only their face as credentials through the Alipay mobile payment app used by more than 120 million users. China’s most popular ride-hailing company, Didi, uses the Face++ software to allow passengers to confirm the person driving the vehicle is a legitimate driver. Face++, currently valued at roughly $1 billion, is gaining prominence as facial recognition technology becomes more popular within China, a country already possessing a large centralized database of ID card photos. “The face recognition market is huge,” said Peking University assistant professor Shiliang Zhang, adding, “Lots of companies are working on it.” [Technology Review]

Big Data

EU – MEPs Call for Stronger Considerations for Big Data Use

Members of the European Parliament are calling for stronger protections around the use of big data. The nonlegislative resolution was drafted by MEP Ana Gomes and discusses the increasing use of big data as well as the ways it impacts fundamental rights, specifically privacy and data protection. MEPs are hoping to minimize the amount of discrimination stemming from the use of big data, including in law enforcement investigations, and price differentiation among consumers. “It is not just a question of data protection. These algorithms do have a real impact on peoples’ private lives because they can actually provoke what is happening and they can actually call into question and put at risk our fundamental rights through social media,” Gomes said. The MEPs are also seeking better security measures, including privacy by design, mandatory privacy impact assessments and encryption. [Europarl]

UK – ICO Updates Big Data Advice for GDPR

In March 2017, the ICO issued an update to its 2014 Report on Big Data in light of the imminent implementation of the GDPR. The updated ICO report has added a focus on artificial intelligence and machine learning to its discussion of big data. The ICO argues it is the combination of the three that makes up ‘big data analytics’. The ICO looks at big data analytics from the GDPR perspective and provides practical guidance for compliance in its new report. Data accuracy and data quality are key issues raised in the updated Big Data report. If big data analytics is based on inaccurate data, machine learning algorithms may make decisions that are erroneous or unjustified. Businesses relying on big data analytics will need to ensure that they build discrimination detection into their machine learning systems to prevent discriminatory outcomes. The ICO provides six key recommendations for compliance with the GDPR: 1) anonymise personal data, where personal data is not necessary for the analysis; 2) be transparent about the use of personal data for big data analytics and provide privacy notices at appropriate stages throughout a big data project; 3) embed a privacy impact assessment process into big data projects to help identify privacy risks and address them; 4) adopt a privacy by design approach in the development and application of big data analytics; 5) develop ethical principles to help reinforce key data protection principles; and, 6) implement internal and external audits of machine learning algorithms to check for bias, discrimination and errors. [Global IP & Privacy Law Blog] [Out-Law] [Data protection report] See also: [National Magazine: The $4 trillion question: How can we protect online privacy without stifling innovation?]

Canada

CA – Federal Courts Extra-Territorial Application of PIPEDA

Earlier this year, a Canadian trial court ruled that Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) has extra-territorial application and restricts the dissemination of personal information of Canadians, even where the information is already public, and even though it is made available from outside Canada. In “A.T. v. Globe24h.com et al.”, 2017 FC 114, the Federal Court applied Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) expansively and granted declaratory and injunctive relief against a Romanian national operating a Romanian-based website. This decision underscores the broad application that Canadian courts will give to PIPEDA in order to prevent the use and dissemination of personal information of Canadians. While Globe24h.com’s scheme to profit from the misuse of personal information was particularly offensive, the implications of this decision extend beyond the particular facts. Companies, regardless of the jurisdiction in which they are operating, that possess personal information of Canadians can expect to have their use of that information scrutinized for compliance with PIPEDA. [Data Protection Report]

CA – Privacy Commissioner investigating CBSA Over Electronic Media Searches

The Office of the Privacy Commissioner is launching an investigation into the way the Canada Border Services Agency searches the electronic devices of travelers at the Canadian border. The inquiry comes as concerns have arisen over whether the CBSA’s U.S. counterparts are also downloading data when searching through the devices. CBSA spokeswoman Line Guibert-Wolff said the agency does not collect statistics on device searches and would only collect data for “customs purposes.” While the CBSA states it is committed to balancing privacy with national safety, some are concerned about the border procedures. “There’s an enormous amount of uncertainty in what feels like a no-privacy zone,” said University of Ottawa law professor Michael Geist. “There’s a sense that customs officials are empowered to do whatever they see fit … But the lack of transparency associated with these processes is enormously disturbing.” [National Post]

US – Organizations Must Implement Security Measures to Protect Information When Employees Travel Internationally

A law firm has reviewed the options available to employers for protecting company data on personal devices when employees travel internationally. Possible solutions include developing policy directives, providing employees with phones that are wiped of all company information, and full encryption of the information (although employees may be asked to provide the key, just as with any other option). [Border Searches May Compromise the Privacy and Security of Company Technology – Taylor A. Gast – Foster Swift Collins and Smith PC]

US – Border Check Methods Have Privacy Advocates Concerned

While the U.S. borders have long been considered a constitutional “gray area,” privacy advocates and some in Congress are concerned that more aggressive stances bolstered by the Trump administration could lead to increasingly egregious privacy violations for travelers and immigrants. Instances of travelers stopped for lengthy secondary security checks, coupled with comments from some officials like Homeland Security Secretary John Kelly acknowledging that the administration wants to ask for social media passwords as part of visa applications, have increased concern, the report states. “There’s been bad cases in terms of the scope of privacy rights,” said the American Civil Liberties Union. [CNN]

CA – SCoC Throws Out Conviction Over Warrantless Search/Seizure

Is the smell of marijuana emanating from a home enough evidence to allow police to enter without a search warrant and uncover a trove of guns and illegal drugs? The Supreme Court of Canada, in a strong defence of privacy rights in the home, said no, dismissing convictions against Langley, B.C., resident Brendan Patterson, who was caught with four loaded guns and large stashes of cocaine, methamphetamine and ecstasy. Although two of the seven judges disagreed, the majority ruled in favour of the sanctity of the home. Writing for the majority, Justice Russell Brown pointed out in his judgment that police can enter a home without a warrant if there are “exigent circumstances” that make it impractical to get a warrant, if there is a need for urgency, or if there is a risk of evidence being destroyed or a risk to officer or public safety. But in this case, the officers stated they intended to destroy the evidence anyway, thereby removing that urgency, according to the judgment. “The police conduct, while not egregious, represented a serious departure from well-established constitutional norms,” Brown wrote. Caily DiPuma with the BCCLA says the case sets an important precedent. “The BCCLA is very pleased that the court has clarified the law around no-case seizures and affirmed the sanctity of Canadians’ homes when it comes to police searches of their property.” [CBC]

CA – CSIS Failed To Give Updates On Data Spying: Privacy Commissioner

When intelligence-agency analysts reported to federal privacy officials about their budding data-mining efforts, they conceded the scale and scope of the early efforts would surely snowball over time, and they vowed to give formal, written updates to the Office of the Privacy Commissioner of Canada. This has not happened in the seven years since CSIS submitted its first Privacy Impact Assessment (PIA) in 2010. “It’s the only PIA that we have received,” Privacy Commissioner Daniel Therrien said in an interview with The Globe and Mail on Thursday. In 2006, CSIS launched an initiative known as the Operational Data Analysis Centre. Details have lately emerged about failed followups and curious omissions related to ODAC that the spy service has had with judges, ministers and federal watchdog bodies. The Globe recently reported that, in 2012, CSIS analysts circulated a PowerPoint where they mulled how much they could enhance the efficacy of ODAC by obtaining “bulk datasets.” [The Globe and Mail]

CA – Drew McArthur Re-appointed Acting BC IPC

British Columbia has had no information and privacy commissioner since Monday, March 13, when the acting commissioner’s appointment expired. A special committee of the legislature has been seeking a new commissioner after Elizabeth Denham resigned a year ago to take a similar role in England. On Thursday that committee reported that it had failed to come to a unanimous agreement on a new commissioner, and recommended that a new committee be appointed following the May 9 election. The report, signed by chair Sam Sullivan, also said the committee would like to thank “Drew McArthur for his continuing service as Acting Information and Privacy Commissioner during this time of transition, ensuring strong leadership and continuity for the Office of the Information and Privacy Commissioner.” “It’s our understanding that Acting Commissioner’s term expired on Monday, March 13. As to when a new Acting Commissioner will be appointed, as s. 39 notes, that is the responsibility of the Lieutenant Governor and Council.” The spokesperson said the work of the office had not stopped and they expected McArthur to be reappointed via an order in council. [This was done Friday March 17] [The Tyee]

E-Mail

US – Federal Judge Rejects Google Class Action Deal Over Email Scanning

San Francisco federal judge Lucy Koh rejected a legal settlement that proposed to pay $2.2 million to lawyers, but nothing to consumers who had the contents of their email scanned by Google without their knowledge or permission. “This notice is difficult to understand and does not clearly disclose the fact that Google intercepts, scans and analyzes the content of emails sent by non-Gmail users to Gmail users for the purpose of creating user profiles of the Gmail users to create targeted advertising for the Gmail users,” Koh wrote in her March 15 opinion. Any future settlement will presumably also have to do more to inform email users about Google’s scanning practices and, possibly, direct some of the settlement money to consumers instead of only the lawyers. Under the deal Koh rejected, Google would have paid $2.2 million to the attorneys, plus up to $140,000 in online ads to publicize the agreement. [Fortune] [Google Privacy Settlement Draws Fire in 9th Circ] [Ninth Circuit Hears Critique of Cy Pres in Google Privacy Settlement]

CA – Two Important CASL Changes in Effect July 1, 2017

Canada’s anti-spam law (CASL) came into effect on July 1, 2014. Almost three years later, Canadian businesses and their lawyers are still grappling with CASL compliance issues and trying to understand how CASL’s broad and often unclear provisions apply in practice. And, on July 1, 2017, two new things happen under CASL. These are: 1) When CASL came into force in 2014, it included a 3-year transition period that allowed organizations to rely on deemed implied consent for sending commercial electronic messages (CEMs) in certain circumstances. That transition period, and the implied consent, expire on July 1, 2017, meaning organizations can no longer rely on this implied consent, and will have to remove those recipients from their mailing lists; and, 2) CASL’s private right of action comes into effect on July 1, 2017. CASL creates a statutory cause of action under which persons who allege that they are affected by a CASL breach can apply to court for an order against the alleged violator. Available remedies include compensation in an amount equal to the actual loss or damage suffered or expenses incurred, and additional amounts for different CASL violations (each with a maximum amount). For example, the court can award statutory damages of $200 per day for each breach of section 6 (the CEM obligations), not exceeding $1 million for each day on which a breach occurred. [DLA Piper Publications]

Electronic Records

UK – Study: NHS, Deepmind Made ‘Inexcusable’ Errors In Health Care Partnership

An academic report published in “Health and Technology” contends that Google’s AI subsidiary DeepMind had made “inexcusable” oversight and transparency errors analyzing medical data during its partnership with the U.K.’s NHS Royal Free Trust. While DeepMind had said at the beginning of the project that it would only access certain data, it was in fact allowed access to a wide range of sensitive health information, in some cases going back five years. Both the Royal Free Trust and DeepMind denied the study’s allegations, arguing that they had taken steps to protect data and inform the public on its work. However, study authors Hal Hodson and the University of Cambridge’s Julia Powles contend those moves aren’t sufficient, calling for the two groups to respond to their criticisms in a public forum. [The Verge | NHS Deal with DeepMind: How Tech Could Outgun Privacy Laws]

UK – ICO Close to Concluding Investigation Into Deepmind-NHS Partnership

The U.K. Information Commissioner’s Office said it is close to finishing its investigation into consent complaints stemming from the patient data-sharing agreement between Google’s AI subsidiary DeepMind and Royal Free NHS Trust. DeepMind agreed to create an app, called Streams, using an NHS algorithm to alert to the risk of a person developing acute kidney injury. The data used for the app was obtained without permission, while 1.6 million medical records were said to have gone through DeepMind under the agreement. “We continue to work with the National Data Guardian and have been in regular contact with the Royal Free and DeepMind who have provided information about the development of the Streams app,” an ICO spokesperson said. “This has been subject to detailed review as part of our investigation. It’s the responsibility of businesses and organisations to comply with data protection law.” [TechCrunch]

EU Developments

UK – National Surveillance Camera Strategy Encourages Voluntary Adoption of Code of Practice

The UK Surveillance Camera Commissioner launched a national surveillance camera strategy for England and Wales. The strategy applies to the entire surveillance camera sector, which includes CCTV, body worn video, automatic number plate recognition, vehicle borne cameras, and drones; strategy objectives include enabling certification for manufacturers, installers, designers, and system operators, and making training requirements freely available for organisations operating or supporting surveillance camera systems. [Surveillance Camera Commissioner – A National Surveillance Camera Strategy for England and Wales | Executive Summary | Press Release]

Facts & Stats

WW – People Who Identify as ‘Tech Savvy’ Are 18% More Likely to Suffer ID Theft

IT training specialist CBT Nuggets carried out some research among more than 2,000 people in the US to find out, with some intriguing results. People who self-identified as ‘tech savvy’ are 18% more likely to be victims of online identity theft than those who didn’t. Additionally, respondents with PhDs are more frequently victims than high school graduates. Plus, Apple users are 22% more likely than Windows users to be victims of ID theft. That flips around with mobiles though, with Android users 4.3 times more likely to suffer ID theft than iOS users. When asked why they fail to follow basic security recommendations, 40% of Americans say it’s because they’re too lazy, find it to be too inconvenient, or don’t really care. This attitude is strongest among millennials at 53% and lowest among baby boomers at 29%. You can read more about the results on the CBT Nuggets blog. [Beta News]

US – More Than 300 Data Breaches to Date in 2017

The latest count from the Identity Theft Resource Center (ITRC) reports that there have been 312 data breaches recorded this year through March 14, 2017, and that over 1.3 million records have been exposed since the beginning of the year. The medical/health care sector leads all sectors in the number of records compromised so far in 2017. The sector posted 25.3% (79) of all data breaches. The number of records exposed in these breaches tops 740,000, or about 57.2% of the 2017 total. The business sector accounts for more than 470,000 exposed records in 155 incidents. That represents 49.7% of the incidents and 36.4% of the exposed records so far in 2017. The educational sector has experienced 54 data breaches since the beginning of the year. The sector accounts for 17.3% of all breaches for the year and nearly 40,000 exposed records, about 3% of the year’s total. The government/military sector has suffered 19 data breaches to date in 2017, representing about 3.4% of the total number of records exposed and 6.1% of the incidents. More than 43,000 records have been compromised in the government/military sector. [247 Wall Street] [New York suffered a 60-percent increase in data breaches last year]

Finance

CA – Agency Monitors Social Media of Citizens Making Large Financial Transactions

The Financial Transactions and Reports Analysis Centre is monitoring the social media accounts of Canadian citizens who make large cash transactions or international wire transfers, or who even hit the jackpot at a casino, for potential money laundering and terrorist financing. FINTRAC states that rules coming from those governing the agency allow it to monitor social media posts, but others feel the agency is too invasive. “One of the things about social media right now is it’s kind of the Wild West, because the technology has moved a lot faster than regulation and a lot of Canadians may not realize that their social media account is being used and viewed in this way,” said New Democratic Party MP Daniel Blaikie. “So, it does make sense to have a look at that and to ask whether or not there ought to be rules around how government uses information that’s available on people’s social media accounts.” [CBC News]

CA – Canadians Should Be Told If Their Banking Info Shared with IRS, says MP

NDP’s revenue critic Pierre-Luc Dusseault says informing Canadian residents their information is being sent to the IRS could prevent others from landing in the same predicament as Jeffrey Pomerantz, a Vancouver area man facing a $1.1-million lawsuit for failing to file a form reporting his bank accounts outside the U.S. Canada’s Privacy Commissioner Daniel Therrien has already recommended that Canadian residents be notified when their bank account information is transferred, Dusseault pointed out. In September 2016, the CRA shared information about 315,160 bank accounts — double the number it shared a year earlier in the first year of the agreement. While the government has no plans to inform people whose bank account information has been shared, those who want to know can contact their financial institution or the CRA, the Revenue Minister’s spokesperson Chloé Luciani-Girouard said. “The CRA will respond to any request to confirm whether information relating to a particular individual or entity has been reported and provided to the U.S. under FATCA. To date, fewer than 10 such requests have been received by the CRA,” she added. [CBC News]

FOI

CA – OIPC NFLD Warns Use of Personal Email Accounts for Public Body Business May Violate FOI Legislation

This OIPC guidance advises the public sector about the use of personal email accounts for public body business pursuant to the Access to Information and Protection of Privacy Act, 2015. In the absence of a clear prohibition, FOI legislation applies to the use of personal email to conduct such business; all public bodies should create a policy requiring use of its own email system for work purposes and make it a condition of employment. A personal email account, often web-based, is unlikely to meet the statutory security requirements; the terms of service for personal accounts may allow third-party access to content in a way that contravenes the law, and security features for webmail services may be inadequate. [OIPC NFLD and Labrador – Use of Personal Email Accounts for Public Body Businesses]

CA – University of PEI Creates New Access to Information Policy

The University of Prince Edward Island (UPEI) says it’s playing catch up with other universities in Canada, and adopting a new policy aimed at making accessing information easier. However, unlike in every other province, colleges and universities on P.E.I. don’t have to follow provincial freedom of information legislation. And while UPEI has had its own personal information and privacy policy in place since 2004, its stated purpose isn’t to help people access information, but solely to “provide for the protection and privacy of personal information held by the University.” In comparison, the new policy — which takes effect in May — lays out a process on how to apply for information, and the circumstances where the university can withhold it. It also gives the responsibility to enforce the policy to a newly hired access to information and privacy officer. UPEI’s Student Union said it’s pleased to see the university creating an access to information policy, but as it’s been demanding for a few years, the union still wants to see P.E.I. colleges and universities included under the province’s Freedom of Information and Protection of Privacy Act. At this point, it’s not clear whether the P.E.I. government plans to add colleges and universities to its freedom of information act. [CBC News]

CA – PEI Municipalities, Post-Secondary Under FOI: Commissioner

Privacy commissioner Karen Rose says many towns, cities and post-secondary institutions in P.E.I. do have policies that cover information disclosure and protection, but they lack oversight by an independent commissioner. She says she will likely make a formal recommendation to government to place them under access of information law. Rose is set to deliver a number of recommended changes and updates to the freedom of information act as part of the Communities, Land and Environment committee’s ongoing review of the legislation. The review was spurred by a unanimous motion passed by the legislature last fall. Premier Wade MacLauchlan has repeatedly stated he will not make towns, cities and post-secondary schools subject to access to information law, despite the fact this has drawn criticism. [The Guardian]

Genetics

CA – New Federal Law Prohibits Mandatory Employee Genetic Testing

Bill S-201, the Genetic Non-Discrimination Act, has passed the House of Commons and the Senate, and awaits royal assent. An employee’s refusal to undergo or disclose the results of a genetic test cannot be used to dismiss, suspend, demote or lay off an employee, impose any penalty on an employee, refuse remuneration, or threaten to take disciplinary action against an employee; no individual can disclose to an employer that an employee had undergone a genetic test or the results of an employee’s genetic test without written consent. [Bill S-201 – An Act to Prohibit and Prevent Genetic Discrimination – Senate of Canada]

US – House Bill Would Circumvent Genetic Privacy Protections

On March 2, Rep. Virginia Foxx, R-N.C., introduced to the U.S. House HR 1313, the Preserving Employee Wellness Programs Act. The bill “includes findings that Congress seeks to protect and preserve employee workplace wellness programs,” and considers them to be a means of reducing health care costs. What’s notably missing “are findings that wellness programs are in any way at risk and requiring preservation. Even so, the bill proposes means of preserving wellness programs while weakening employee rights to privacy and confidentiality with respect to their genetic information.” This overview of the bill’s provisions highlights the effect it would have on protections put in place by the Genetic Information Nondiscrimination Act, the Public Health Service Act and the Americans with Disabilities Act. [Privacy Tracker]

Health / Medical

CA – Ont. Grad Student Issued $25K Fine for a Health Privacy Breach

A Masters of Social Work student who was on an educational placement with a family health team in Central Huron has been ordered to pay a $20,000 fine and a $5,000 victim surcharge for accessing personal health information without authorization. This is the highest fine to date for a health privacy breach in Canada. The student pled guilty to willfully accessing the personal health information of five individuals. As part of her plea, she agreed that she accessed the personal health information of 139 individuals without authorization between September 9, 2014 and March 5, 2015. This is the fourth person convicted under the Personal Health Information Protection Act (PHIPA). Previous convictions include two radiation therapists at the University Health Network and a registration clerk at a regional hospital. [Information and Privacy Commissioner of Ontario]

CA – CHEO Employee Breached Privacy; 300 Patients’ Info Shared With Students

A former part-time instructor at Algonquin College and CHEO [Children’s Hospital of Eastern Ontario] employee shared the private information of 283 patients with students, prompting the end of their employment at the college and a privacy investigation at the hospital. The instructor, a CHEO employee, disclosed the medical information on handouts distributed during classes on Feb. 1 and 2. The handouts listed an operating room schedule “meant as teaching resources during class time.” The handouts were distributed “to teach future health professionals how to support surgeries in a hospital setting.” They revealed patients’ names, dates of birth, their CHEO medical registration number, their surgical procedure, their allergies, gender, age and any other pertinent information related to the surgery they were scheduled to receive at the hospital, CHEO said. [Ottawa Citizen]

Horror Stories

UK – Security Breach Fears Over 26 Million NHS Patients

The medical records of 26 million patients are embroiled in a major security breach amid warnings that the IT system used by thousands of GPs is not secure. The Information Commissioner is investigating concerns that records held by 2,700 practices – one in three of those in England – can be accessed by hundreds of thousands of strangers. The investigation centres on one of the most popular computer systems used by GPs, SystmOne, owned by TPP. Unbeknown to doctors, switching on “enhanced data sharing” – so records could be seen by the local hospital – meant they can also be accessed by hundreds of thousands of workers across the country. Phil Booth, from privacy campaign group medConfidential, said: “This is a truly devastating breach which involves millions of patients’ GP records – for some, the most deeply personal, sensitive and confidential data about them – being exposed to hundreds of thousands of people, with no mechanism to prevent them if any of them chooses to look.” A TPP spokesman said practices using SystmOne must either “fully inform patients about who might be able to see their records, what parts of their records and in what circumstances” or “turn off record sharing”. [The Telegraph]

Identity Issues

CA – BC Tribunal Grants Application for De-Identified Wage Records

The British Columbia Human Rights Tribunal considered an application to compel the disclosure of documents and anonymize information relating to a third party. There is no public interest in knowing the identity of a non-party individual who was a newly hired supervisor at the time of the plaintiff’s termination (disclosure may hinder his ability to negotiate his compensation with future employees, and harm his reputation); disclosure of the wages earned by an anonymized individual does not constitute an invasion of privacy. [Preik v. Finning Canada – 2017 BCHRT 47 CANLII – British Columbia Human Rights Tribunal]

Internet / WWW

IS – Israel Enacts Landmark Data Security Regulations

Culminating more than six years of back and forth negotiations, the Israeli Parliament approved extensive, far-reaching data security regulations March 21. The Privacy Protection Regulations (Data Security), 5777-2017, give expanded powers to the Israeli Law, Information and Technology Authority and include requirements for breach notification to ILITA and, in some cases, data subjects; data minimization; an information security officer; and privacy training, among others. “The regulations set forth a long list of requirements practically unprecedented around the world for their scope, level of detail, and legal effect,” writes Tene, and they will surely pose compliance challenges for many organizations operating in Israel. [Full Story]

Law Enforcement

CA – Montreal Mafia Stayed Charges Raise Questions of Privacy

When the RCMP announced the first batch of arrests resulting from an investigation dubbed “Project Clemenza” back in 2014, it proudly boasted the force had intercepted more than a million private cellphone messages through the use of wireless signal interception techniques. But now federal prosecutors are set to seek a stay of proceedings in the cases, a decision that is being linked back to those intercepted cellphone messages. Though the Crown is not required to divulge why it will cease prosecuting a case, it’s believed one of the factors behind the decision is the RCMP’s refusal to disclose how it was able to intercept the Blackberry messages in the first place. “If that is the core reason, it’s a really serious problem,” said Christopher Parsons, a research associate with the Citizen Lab at the University of Toronto’s Munk School of Global Affairs. Across the country, Parsons said, law enforcement agencies are using devices known as “IMSI catchers” or, as they’re called in Canada, “mobile device identifiers.” But police have been hesitant to release information about how the devices work, Parsons said. If the Project Clemenza cases had gone to trial, the Crown would have had to reveal the full extent to which the RCMP relied on the devices, exposing the technique to defence lawyers rightfully trying to determine exactly how accurate and reliable they are. [Montreal Gazette] [RCMP Fights to Keep Lid on High-Tech Investigation Tool]

Online Privacy

US – Twitter Releases Its Latest Transparency Report

Twitter released its 10th Transparency Report, highlighting a couple of new additions. One of the new sections in the U.S. report covers the social media network’s ability to shed light on national security letters after the FBI lifted the gag order on the requests. Twitter also added a section covering requests to remove content from journalists and other media and news outlets. “The need for transparency into government and company actions has never been more important given the current climate of continued crackdowns on freedom of expression and limitations on citizens rights around the globe,” the announcement read. “On the positive side, it has been encouraging to see transparency reports become a mainstay of the technology industry, with more than 60 reports now in existence.” [Full Story]

Privacy (US)

US – 3rd Circuit Upholds Contempt Ruling for Man Who Didn’t Unlock Devices

On March 20 the U.S. Court of Appeals for the Third Circuit held that a court order compelling a suspect to decrypt his laptop and hard drives did not violate his right against self-incrimination. The appeals court decision affirmed a civil contempt order against a John Doe defendant, who refused to provide law enforcement with passwords to some of his devices while doing so for others. Under the “foregone conclusion” doctrine, the Fifth Amendment didn’t come into play because much of the evidence law enforcement wanted they obtained themselves, according to the decision. That included images found on the devices Doe did provide passwords for, images uncovered through forensic investigations, and through testimony provided by Doe’s sister, who said he showed her hundreds of the images. Judge Thomas Vanaskie wrote in the Third Circuit’s opinion: “Based on these facts, the magistrate judge found that, for the purposes of the Fifth Amendment, any testimonial component of the production of decrypted devices added little or nothing to the information already obtained by the government. The magistrate judge determined that any testimonial component would be a foregone conclusion. The magistrate judge did not commit a clear or obvious error in his application of the foregone conclusion doctrine.” An attorney with the Electronic Frontier Foundation, Mark Rumold, said the Third Circuit’s ruling was a lost chance to dive deeper into the interplay between the Constitution and technology. “The court missed the opportunity to clarify that the Fifth Amendment prohibits the government from forcing someone to disclose a password to a device, whether that’s by announcing it in court or entering it into the device itself.” [Legal Intelligencer]

US – Drones: Advocacy Group Challenges FAA Order in Federal Court for Unlawfully Failing to Include Privacy Hazards

An advocacy group has submitted a petition for review of the Federal Aviation Administration’s June 2016 drone order. Privacy concerns were raised by 180 commentators prior to the issuance of the final order, and the FAA itself previously underscored the need for privacy protections in its letters to Congressional representatives, requests for public comment and comprehensive plan; there are substantial threats to privacy posed by increased drone operations in the U.S. (small drones are capable of widespread covert surveillance due to their small size and low flight path, and lack cybersecurity safeguards to prevent being hacked). [Electronic Privacy Information Center v. Federal Aviation Administration – On Petition for Review of an Order of the Federal Aviation Administration – Brief For Petitioner – In The United States District Court Of Appeals District Of Columbia Circuit]

US – FTC, NHTSA to Host Workshop on Connected Vehicles

The Federal Trade Commission will team up with the National Highway Traffic Safety Administration to host a workshop on the consumer privacy and security issues raised by automated and connected motor vehicles. The workshop, taking place June 28 in Washington, will feature opening remarks by Acting FTC Chairman Maureen Ohlhausen and bring together stakeholders, consumer advocates and government regulators. Topics will include the types of data collected, stored, transmitted, and shared by vehicles; the potential benefits and challenges posed by data collection; the privacy and security practices implemented by vehicle manufacturers; the FTC, NHTSA, and other government agencies’ role in monitoring the privacy and security concerns surrounding connected vehicles; and self-regulatory standards that could factor into those privacy and security issues. [FTC]

RFID / IoT

US – Secrets from Smart Devices / IoT Find Path to US Legal System

Vast amounts of data collected from our connected devices—fitness bands, smart refrigerators, thermostats and automobiles, among others—are increasingly being used in US legal proceedings to prove or disprove claims by people involved. Trying to come to grips with data collected, stored and analyzed by all these devices can be daunting. “When one looks at the expectation of privacy today it is radically different than it was a generation ago,” said Erik Laykin, a digital forensics specialist with the consultancy Duff & Phelps and author of a 2013 book on computer forensics. “Privacy is dead.” He said the “always on” nature of “Internet of Things” devices means huge amounts of personal information is circulating among companies, in the internet cloud and elsewhere, with few standards on how the data is protected or used. “The net result of these technologies is that we are forgoing our personal privacy and our personal autonomy and even sovereignty as humans and relinquishing that to a combination of state, harvesters of big data, omnipresent institutions and systems.” John Sammons, a Marshall University professor of digital forensics and a former police officer, presented research on use of connected cars this year at the American Academy of Forensic Sciences, saying newer vehicles with improved connectivity offer “a significant new source of potential evidence” for both criminal and civil litigation. Privacy activists meanwhile worry that these devices can unleash new kinds of surveillance without the knowledge of users, and that the legal system must define limits for constitutional protections against unreasonable searches. Jay Stanley of the American Civil Liberties Union’s Speech, Privacy, and Technology Project, said gathering data from connected speakers such as the Amazon Echo should face the same standard as wiretaps, which need a warrant from a judge based on probable cause of a crime, rather than a more streamlined law enforcement subpoena.
“In your house you should have absolute privacy,” Stanley said. One gray area in the law is that conversations recorded on home speakers may be sent to the cloud; in that case the holding of the data by a “third party” may wipe away constitutional privacy protection. “We think there needs to be jurisprudential and legislative means of addressing these issues,” Stanley said. “The privacy invasions are so significant.” [Phys.Org] See also: [A deep dive into FTC’s first smart TV action]

Security

US – Advocates Provide Recommendations for Physical Destruction or Overwriting of Data

A U.S. privacy advocacy group has issued guidelines on the safe destruction of personal information. According to the CDT guidelines, organizations should establish a data life-cycle that includes requirements for regular disposal of unnecessary data and review how often data has been accessed or used to determine what can be disposed (criteria include data that is redundant or owned by employees no longer with the company); deletion requests should be logged so regular audits of deletion practices can be performed to provide a basis for companies to modify their deletion schedules as necessary. [Should It Stay or Should It Go – The Legal Policy and Technical Landscape Around Data Deletion – Center for Democracy and Technology | Press Release]

US – Department of Defense May Require Physical Access to Cloud Computing Data Centers

The U.S. Department of Defense (“DoD”) issued updated FAQs on the implementation of the rules regarding network penetration reporting and contracting requirements for cloud services. Updated FAQs on security requirements for contracts involving “covered defense information” (e.g., unclassified information that requires safeguarding or dissemination controls pursuant to laws, regulations, or government-policy) state that such contracts must include a requirement that the DoD may physically access cloud computing data centers where necessary to conduct a forensic analysis; DoD will not normally require physical access if the cloud service provider captures, preserves and protects images and the state of all systems known to be affected by a cyber incident. [Network Penetration Reporting and Contracting for Cloud Services – FAQs – Department of Defense] See also: [FTC releases video on its alignment with the NIST Cybersecurity Framework]

Surveillance

UK – Surveillance Cam Commissioner Unveils New Three-Year Strategy

UK Public Faces Mass Invasion of Privacy As Big Data And Surveillance Merge: Surveillance camera commissioner, Tony Porter, has launched a new three-year strategy. He said he was alarmed by the way overt surveillance from CCTV, body cameras and drones could become even more invasive than intended as captured images of people are brought together with advances in facial recognition and then compared against other monitored data about individuals and their movements. “What most worries me is the impact of big data and integration of video surveillance,” he said. As an example, he warned that the Metropolitan police was playing “fast and loose” with citizens’ data by its failure to delete number-plate records beyond a two-year limit. The database of millions of vehicle number plate records has been retained since the London Olympics in 2012. Porter’s new strategy points out that an overwhelming majority of people currently support the use of CCTV in public places. But he questions whether this support can continue because of the way surveillance is changing. Porter said part of his new strategy would set a “tripwire” to warn authorities about the privacy impact of new technology. In recent weeks Porter has expressed alarm about the proliferation of body-worn video, notably in hospitals, and by the way the security contractor G4S was using it in the homes of asylum seekers without their consent. [The Guardian] [New strategy to curb officials’ drone, phone and CCTV snoop jollies]

US – Trump’s Wiretap Accusations Renew Debate About Privacy

Elizabeth Goitein, a director of the liberty and national security program at the Brennan Center for Justice who has no sympathy for Mr. Trump’s policies, believes his clumsy comments on wiretapping, even if not true, should be an opening for a broader discussion of government surveillance and American privacy. She is among the civil libertarians who believe Mr. Trump’s critics have been too quick to dismiss the real possibility that the National Security Agency or F.B.I. might actually have picked up Trump campaign communications under eavesdropping rules that civil libertarians see as too permissive. “I don’t think we can laugh it off,” she said. When the libertarian Senator Rand Paul, Republican of Kentucky, used the Trump claims to suggest a broader concern about privacy, Glenn Greenwald, a left-wing writer for the online publication The Intercept, backed him up in a column titled “Rand Paul Is Right.” “Paul’s explanation is absolutely correct,” Mr. Greenwald wrote. He said that the National Security Agency “is empowered to spy on Americans’ communications without a warrant,” calling current procedures a violation of the Fourth Amendment and “the dirty little secret of the U.S. Surveillance State.” What these odd political bedfellows were pointing out is a truism inside the intelligence world but less understood outside it: When the National Security Agency or the F.B.I. eavesdrop on foreigners’ communications, they often pick up the Americans who are talking to them. National Security Agency and F.B.I. officials call this “incidental” collection, but it can have serious consequences. There is also the possibility of what is called “reverse targeting” — say, eavesdropping on Mr. Kislyak, ostensibly to find out what the Russian ambassador is up to — but with the real goal of catching Mr. Flynn. Reverse targeting is prohibited by law, but Ms. Goitein points out that it is difficult to prove because it requires showing what was in the eavesdropper’s mind. 
The volume of communications available for searching can be mind-boggling. In 2011, the National Security Agency collected and stored 250 million internet communications from a single program, known as Section 702, according to a report from the government’s Privacy and Civil Liberties Oversight Board. In 2015, the same program targeted more than 94,000 foreigners — and carried out more than 23,000 searches of its data for “U.S. persons,” meaning citizens or permanent residents. Many Americans inevitably turn up in the data, either because they are communicating with a foreigner or are mentioned in a foreigner’s messages. [New York Times]

US Legislation

US – Indiana Proposes Restrictions on Automated License Plate Readers

House Bill 1558, an act to amend the Indiana Code concerning criminal law and procedures, and relating to the privacy of license plate information, was introduced in the General Assembly of Indiana: the Bill was referred to the Committee on Veterans Affairs and Public Safety. License plate data captured by an automated reader can only be used for law enforcement investigations and cannot be retained for longer than 30 days unless it was obtained under a warrant, or the investigation is ongoing; law enforcement agencies must maintain staff that is properly trained in the use and maintenance of all software and hardware related to captured data, and establish and implement protocols that allow for compliance with warrants, subpoenas, court orders, and written requests for disclosure. [House Bill No. 1558 – An Act to Amend the Indiana Code Concerning Criminal Law and Procedure – Legislature of the State of Indiana]

US – Kentucky Supreme Court to Weigh Privacy Concerns With License Plate Readers

The Kentucky Supreme Court will consider whether license plate readers can be used for traffic stops. A Burlington man contends he was unlawfully arrested when his plate was caught by a tracker. A police officer followed the man, despite the fact no moving violation had been made, after it was found he failed to appear for a misdemeanor charge for writing a bad check. The man was arrested for drunken driving. The cameras can capture up to 60 plates a second, across four lanes at speeds up to 150 mph. Law enforcement officials say the readers help police identify stolen cars and find missing people, while privacy advocates believe the readers are a potential tool for mass surveillance. [The Courier-Journal]
