23 March – 07 April 2017


US – Facial Recognition Database Used by FBI Is Out of Control, House Committee Hears

Approximately half of adult Americans’ photographs are stored in facial recognition databases that can be accessed by the FBI, without their knowledge or consent, in the hunt for suspected criminals. About 80% of photos in the FBI’s network are non-criminal entries, including pictures from driver’s licenses and passports. The algorithms used to identify matches are inaccurate about 15% of the time, and are more likely to misidentify black people than white people. These are just some of the damning facts presented at last week’s House oversight committee hearing, where politicians and privacy campaigners criticized the FBI and called for stricter regulation of facial recognition technology at a time when it is creeping into law enforcement and business. “No federal law controls this technology, no court decision limits it. This technology is not under control,” said Alvaro Bedoya, executive director of the center on privacy and technology at Georgetown Law. Unlike with the collection of fingerprints and DNA, which is done following an arrest, photos of innocent civilians are being collected proactively. The FBI made arrangements with 18 different states to gain access to their databases of driver’s license photos. Last year, the US government accountability office (GAO) analyzed the FBI’s use of facial recognition technology and found it to be lacking in accountability, accuracy and oversight, and made recommendations of how to address the problem. “It doesn’t know how often the system incorrectly identifies the wrong subject,” explained the GAO’s Diana Maurer. “Innocent people could bear the burden of being falsely accused, including the implication of having federal investigators turn up at their home or business.” [The Guardian | Facial-recognition technology will make life a perpetual police lineup for all | Real-Time Face Recognition Threatens to Turn Cops’ Body Cameras Into Surveillance Machines | Police Body Cameras Will Do More Than Just Record You]

US – California Cops and the FBI Want to Keep Their Facial Recognition Tech Secret

A California proposal requiring law enforcement agencies to disclose all surveillance equipment to the public took the first steps towards becoming law this week, while a congressional committee gave the side-eye to FBI officials who declined to give specifics about some of the bureau’s own surveillance tech. First, California.A bill [see here] sponsored by State Sen. Jerry Hill (D-San Mateo) would require police and sheriff’s departments to explain to local officials how they use surveillance technology like facial recognition programs and social media trackers. The disclosures would have to be made at a hearing that is open to the public. Hill’s proposal builds on two laws that took affect last year in California requiring law enforcement to disclose when they use license plate scanners to track vehicles, and when they use so-called “Stingrays” [see here & here] the committee voted 4-2 on Tuesday [see here] to approve the bill. It is now awaiting another vote in the Senate Judiciary Committee. There’s really no good reason to oppose this sort of transparency. The bill does not jeopardize ongoing investigations and does not limit what law enforcement agencies can do Keeping those secrets also jeopardizes the outcomes of investigations to a greater degree. We know that the FBI has ordered local prosecutors to drop cases rather than risk the public exposure of secret surveillance technology that helped track suspects [also see here & here]. We have no idea how often this happens, but it’s clear that potential criminals have gotten off scot-free because law enforcement inverted its priorities to value secrecy over keeping the public safe. There’s one key element missing from the bill: an outline of how law enforcement agencies would be punished for violating the mandatory disclosures. That matters, as we saw this week in Washington, D.C., when officials from the FBI were in front of the House Oversight and Government Reform Committee to answer questions about how the bureau secretly uses facial recognition software and other surveillance technology. The FBI has agreements with 18 states to share photos from state-level drivers’ license databases, and that report from the GAO revealed that as many as 64 million Americans might be entered into the FBI’s facial recognition database without knowing it. When you include similar databases maintained by the state and local law enforcement agencies around the country, one in every two American adults is included in a facial recognition network, the Center on Privacy and Technology at Georgetown Law concluded in a recent report. Other states, and Congress, would do well to require similar transparency from local, state, and federal law enforcement agencies—and to hold those law enforcement agencies accountable for failing to make public disclosures when required by law. [Reason.com | Now it’s easier to know if the FBI’s facial-recognition team can access your driver’s license photo ]

WW – Real-Time Face Recognition Threatens to Turn Cops’ Body Cameras Into Surveillance Machines

For years, the development of real-time face recognition has been hampered by poor video resolution, the angles of bodies in motion, and limited computing power. But as systems begin to transcend these technical barriers, they are also outpacing the development of policies to constrain them. Civil liberties advocates fear that the rise of real-time face recognition alongside the growing number of police body cameras creates the conditions for a perfect storm of mass surveillance. On Wednesday morning, the House Oversight Committee held a hearing on law enforcement’s use of facial recognition technology, where advocates emphasized the dangers of allowing advancements in real-time recognition to broaden surveillance powers. As Alvaro Bedoya, executive director of the Center on Privacy and Technology at Georgetown Law, told Congress, pairing the technology with body cameras, in particular, “will redefine the nature of public spaces.” A recent Justice Department-funded survey conducted by Johns Hopkins University found that at least nine out of 38 manufacturers of body cameras currently have facial recognition capacities or have built in an option for such technology to be used later. At least five U.S. police departments, including those in Los Angeles and New York, have already purchased or looked into purchasing real-time face recognition for their CCTV cameras, according to a study of face recognition technology published by Bedoya and other researchers at Georgetown. The databases, too, have already been built. Georgetown researchers estimated that one in every two faces of adults in the United States — many of whom have never committed a crime — are captured in searchable federal, state, or local databases. The Department of Defense, the Drug Enforcement Administration, and Immigration and Customs Enforcement are just a few of the federal agencies that can gain access to one or more state or local face recognition systems. Other types of real-time searches of biometric databases — such as mobile fingerprinting and rapid DNA tests — are now part of law enforcement routines and face few legal challenges. FBI searches of state driver’s license databases using face recognition software are almost six times more common than federal court-ordered wiretaps, according to the Georgetown study. [The Intercept | Police Body Cameras Will Do More Than Just Record You | It’s time to face the ugly reality of face recognition | Can automatic facial recognition systems account for aging?]

WW – Facebook Unveils New Tools To Combat Nonconsensual Pornography

To help stymie the unauthorized dissemination of intimate photos on its social network, Facebook has launched a new set of tools, including photo-matching technology, to prevent so-called revenge porn. Members of Facebook’s content operations team will review flagged images and the accounts of those sharing said images. The photo-matching tool will detect images that have been previously flagged and removed. Rep. Jackie Speier, D-Calif., who introduced federal anti-revenge porn legislation last year, said, “These new tools are a huge advancement in combatting non-consensual pornography and I applaud Facebook for their dedication in addressing this insidious issue, which impacts the lives of individuals and their loved ones across the country and around the world.” University of Miami School of Law professor Mary Anne Franks recently published a research paper on revenge porn reform. [The Hill]

Big Data

AU – Australian Privacy Foundation Criticizes Machine-Learning Centrelink Tech

In a submission to the Senate Community Affairs References Committee, the Australian Privacy Foundation has recommended that the Department of Human Services’ Centrelink bring back the human involvement in its automated debt-recovery process, instead of its new data-matching technology. Among the APF’s many concerns was the security of the data as the set size grows, as well as the accuracy of the data. However, the DHS said in its latest inquiry submission that “that the data-matching process is not new; rather it is just being performed at a larger scale.” Regardless, the APF called the robo-debt process “procedurally unfair,” requiring “evidence from the Centrelink recipient to prove that a debt is ‘not’ owed. The individual needs to prove a negative,” it wrote. [ZDNet]

US – Minority Neighborhoods Pay Higher Insurance Premiums with Same Risk

In a report copublished with Consumer Reports, ProPublica has released an in-depth investigation into car insurance premiums based on location and how minority neighborhoods pay higher premiums than white areas with the same risk. The investigation looked into premiums in four states — California, Illinois, Texas, and Missouri — and found that minority neighborhoods paid as much as 30 percent more than non-minority regions for similar accident costs. The report states that “many of the disparities in auto insurance prices between minority and white neighborhoods are wider than differences in risk can explain.” The American Civil Liberties Union’s Rachel Goodman said, “We already know that zip code matters far too much in our segregated society.” The Insurance Information Institute, however, disputes the report’s findings. I.I.I. Chief Actuary James Lynch said companies “do not discriminate on the basis of race.” [ProPublica]


CA – Canada’s Spy Agencies Work Out Deal on ‘Threat Disruption’ Operations

Canada’s two most powerful intelligence agencies have crafted a formal deal to cooperate on using controversial powers to disrupt domestic threats to the country’s security. The spy agency Canadian Security Intelligence Service (CSIS) and the electronic signals-gathering agency Communications Security Establishment (CSE) signed an agreement in July 2016 on how CSE will assist with “threat reduction” activities. The power to actively intervene to disrupt threats to Canadian national security, rather than simply collect information on them, was granted to CSIS in the previous Conservative government’s contentious anti-terrorism law, Bill C-51. It allows CSIS to actively disrupt perceived threats to national security, with few limits to the power except obtaining a warrant. The agreement with CSE allows for the combination of CSIS’s expertise in human intelligence and field work with the technical sophistication of Canada’s premier electronic intelligence agency. CSIS has the power to collect intelligence on Canadian citizens who are deemed a threat to national security whether they are on Canadian soil or abroad. On the other hand, CSE is explicitly prohibited from directing its electronic intelligence-gathering powers at Canadian citizens; its job is to gather signals intelligence on foreigners deemed a threat. [The Star]

CA – Manitoba Gov’t Launches Review of Two Pieces of Privacy Legislation

Government of Manitoba announced on Wednesday that it is reviewing two pieces of privacy legislation: the Personal Health Information Act (PHIA) [see here] and the Freedom of Information and Protection of Privacy Act (FIPPA) [see here] and is inviting residents to provide input. PHIA came into force in 1997, with major amendments in 2010 and 2011, the provincial government reported. The legislation provides a right of access for an individual to their personal health information and protects this information by setting rules for the collection, use, disclosure, security and destruction of this information by public bodies and healthcare providers. FIPPA came into force one year after PHIA (in 1998) and was significantly amended in 2011. The legislation provides a right of access to information in records held by public bodies and also protects personal information by setting rules for the collection, use and disclosure by public bodies. Public consultations will begin on March 31 and remain open until May 31. To review information about, and possible issues related to, PHIA and to share ideas or concerns, visit www.gov.mb.ca/health/phia/review.html. For FIPPA, visit www.gov.mb.ca/fippareview [Canadian Underwriter]

CA – Key Priorities of the Privacy Commissioner of Canada in 2017

On March 21, 2017, senior representatives of the Office of the Privacy Commissioner of Canada (OPC) met with privacy practitioners in Toronto to provide updates on policy, legal, compliance and enforcement activities of the OPC. The information disseminated at this annual meeting is important to all businesses collecting personal information of Canadians for two reasons: 1) The information highlights what the OPC believes to be its most significant actions from the prior year; and 2) The information signals the policy and enforcement priorities of the OPC for the current year. This alert summarizes three of the significant topics addressed by the OPC of concern to businesses whose operations involve the collection, use or disclosure of personal information of Canadians. Including updates on: a) Policy (the consent conundrum); b) Enforcement (extra-territorial application of PIPEDA); and c) Compliance (flexible use of compliance agreements) [DLA Piper]

CA – What the Federal Privacy Watchdog Did After an Insurer Pried into Crash Victim’s Credit Rating

An insurance company handling a car-crash victim’s accident claim violated the senior citizen’s privacy rights by accessing his credit rating for no good reason, the federal Privacy Commissioner has ruled. The Personal Insurance Company argued it needs such information to help weed out fraudulent claims, but the privacy watchdog said there was little evidence that examining clients’ credit worthiness helps counter insurance cheating. The decision this month dealt a blow to what appears to be a common industry practice. “This is very worrisome,” said [Rhona DesRoches, who heads the Association of Victims for Accident Insurance Reform]. “Just knowing how much debt a person carries might be an indicator of what that breaking point is. If they know a person is in dire financial straits, then they know how far along that person might go before giving in to perhaps a lower settlement than they should.” [National Post]

CA – P.Commish OK with Bill Allowing More Snooping Into Your Mail

On March 30, 2017, Privacy Commissioner of Canada, Daniel Therrien, appeared before the Standing Senate Committee on Legal and Constitutional Affairs to discuss Bill C-37, An Act to amend the Controlled Drugs and Substances Act and to make related amendments to other Acts. In his remarks, he acknowledged the importance of addressing drug abuse and addiction in a comprehensive manner. While Bill C-37 touches upon a number of matters, the Commissioner focused his comments on those clauses that amend the Customs Act and the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. [Appearance before the Senate committee on Legal and Constitutional Affairs (LCJC) on Bill C-37, An Act to amend the Controlled Drugs and Substances Act and to make related amendments to other Acts | C-37 gets privacy commissioner’s approval, despite concerns raised | The Canada Border Services Is Getting Authority To Open All Cross-Border Mail]

CA – Ottawa Airport Kiosks Launched Before Independent Privacy Review Was Complete

Last fall, the immigration department and Canada Border Services Agency met with the federal privacy commissioner to discuss a “biometric expansion project” that included the new Primary Inspection Kiosks, which scan international travellers’ faces to verify they match passport photographs. At that time, the commissioner noted the need for a Privacy Impact Assessment (PIA), according to spokeswoman Anne-Marie Cenaiko. Federal departments are required to complete PIAs to identify potential privacy risks for new programs, along with how they plan to reduce them. The privacy commissioner doesn’t approve or reject the PIAs, but his staff often make recommendations.. But in an email, Cenaiko said the commissioner was still studying the PIA when the kiosks launched Monday. “We received the PIA at the beginning of March and are currently in the process of reviewing it,” she wrote. That means there’s been no independent look at how much data is collected, how securely it’s stored or deleted, and whether it will be shared. Micheal Vonn, policy director for the BC Civil Liberties Association, said she was alarmed by CBSA announcing the kiosks publicly before submitting a PIA. [MetroNews]

CA – BC OIPC Reminds Businesses Video Surveillance Is a Last Resort

In February 2017, at the 18th annual Privacy and Security Conference, Acting Commissioner Drew McArthur commented on the first-ever audit of a private sector business conducted by the Office of the Information and Privacy Commissioner for British Columbia, Acting Commissioner Drew McArthur stated that OIPC “used this audit as an important opportunity for public education, and a reminder to private businesses that they should only use video surveillance as a last resort after exploring other less privacy-invasive options.” [see here] OIPC initiated the audit of the lower mainland medical clinic after receiving a complaint about the Clinic’s collection of personal information through video and audio surveillance. The Clinic used surveillance cameras on a 24/7 basis in its lobby, hallways, back exists, and fitness room to collect personal images and audio of patients, employees, contractors, and others. The Commissioner concluded that the Clinic’s use of video and audio surveillance was excessive in the circumstances. The Privacy Audit and Compliance Report [see PR here & Audit/Report here ] covers: 1) the methodology used; 2) the information covered; 3) the Commissioner’s findings; and 4) 12 recommended actions [BC Employer Law]

CA – Bill C-22: Liberals Undermining Goal of Strong National Security Oversight

The protection of Canadians’ rights is at a crossroads. Since 2001, the Canadian government — under the leadership of both the Conservatives and Liberals — has consistently and continuously granted new powers and resources to Canada’s national security agencies. This has been ostensibly in the pursuit of protecting Canada from terrorist threats. The result, though, has been the creation of a far-reaching national security apparatus spanning 20 government agencies — all without consistent, in-depth or independent review or oversight. So when the Liberals announced Bill C-22 to establish a Committee of Parliamentarians to oversee our national security agencies and activities, it was a welcomed and long-awaited announcement. It is also why the government’s recent actions, culminating with last Friday’s vote to reject sending the bill back to committee and passing it on to third reading, are all the more frustrating. The final vote in the House of Commons is slated for Monday, April 3, and it is fully expected to pass, sending the bill on to the Senate. Canadians should be concerned: What we have ended up with is an oversight committee in name only. And that is no comfort at all. [HuffPost]

CA – OPC Guidance: Disclosure Exceptions for Investigations & Fraud

On March 17, 2017, the Office of the Privacy Commissioner of Canada (OPC) published guidance [see here] on two new exceptions in PIPEDA permitting disclosure without consent. The guidance is very helpful to interpreting these new provisions and the OPC’s expectations of organizations. However, as expected, there is an undercurrent to the guidance suggesting that that the OPC would like to restrict organizations from setting up systematic information-sharing programs. This is very unfortunate given that these provisions are directly connected to improving confidence in the digital economy. Systematic sharing of information, particularly for fraud detection, suppression and prevention should be able to be accomplished if PIPEDA is truly technologically neutral. Without these tools, the OPC is incentivizing organizations to use much less transparent methods, such as predictive analytics. [Privacy and CyberSecurity Law]

CA – NB IPC Says Gov’t Hiding Behind “Privacy Law” in Child Deaths

New Brunswick’s IPC, Anne Bertrand, says government is using privacy law to maintain ‘secrecy’ around child deaths it is incorrectly using privacy law to maintain a level of “secrecy” around the child death review process.. The government has said privacy law prevents it from revealing the findings of the committee that reviews child deaths. It has also said reports written by the child death review committee are confidential advice to minister. Bertrand, the independent officer who is responsible for interpreting New Brunswick’s privacy laws, disagrees.” This is not rocket science,” she said. Bertrand cited a section of the province’s Right to Information and Protection of Privacy Act that overrides the privacy of third parties in cases of “significant public interest” where “public health or safety or protection of the environment” is at stake. [CBC]

CA – Will Mandatory Breach Reporting Spread to the Public Sector?

Hard on the heels of legislation requiring mandatory reporting of data breaches for the private sector come recommendations for a similar overhaul of the public sector. In relation to the private sector, s. 10.1 of the federal Personal Information and Electronic Documents Act [see here] requires mandatory reporting of data breaches that pose a substantial risk of harm to individuals. The new legislation was passed in 2015, underwent a consultation period in 2016 and is expected to come into force once regulations have been passed. The Ministry of Innovation, Science and Economic Development Canada advises that regulations will be published this year and will be subject to public consultation and a transition period. In relation to the public sector, the House of Commons Standing Committee on Access to Information, Privacy and Ethics tabled a report in December 2016 entitled “Protecting the Privacy of Canadians: Review of the Privacy Act.” It includes recommendations “to create an explicit requirement for government institutions to report material breaches of personal information to the Office of the Privacy Commissioner of Canada in a timely manner” and “to notify affected individuals of material breaches of personal information, except in appropriate cases, provided that the notification does not compound the damage to the individuals.” [Law Times | See also: Feds set to regulate reporting of digital data breaches ]

CA – Man Arrested in Relation to BC Pharmanet Privacy Breach

One man has been arrested in connection to a series of PharmaNet breaches that may have compromised the personal medical information of about 20,500 British Columbians. Health Ministry spokeswoman Lori Cascaden said “This inappropriate access to PharmaNet is not because of a direct hack into the system. It is suspected that access was obtained through impersonation of physicians and other methods.” In February, the Health Ministry sent out letters to about 7,500 people affected by the breach, which officials became aware about after users and vendors reported incidents of “suspicious access.” Since then, another 13,000 people may have had their PharmaNet information accessed, said the ministry Monday. An independent security review of PharmaNet and an overall modernization of the system, which would include security enhancements, are underway. [Vancouver Sun | Thousands more affected by PharmaNet privacy breach, government reveals and PharmaNet breach compromises personal information of 7,500 B.C. residents, says province ]

CA – BC Government Action Needed to Protect Privacy of Student Data

Delegates at the 2017 B.C. Teachers’ Federation (BCTF) Annual General Meeting approved a six-part recommendation on Saturday about student-data protection. It states “employer-mandated digital programs for reporting and communication with parents should only be used when privacy impact assessments have been developed and district, school, and classroom policies have been defined and are followed. It also says district, school, and classroom policies should include definitions of how the data will be used during the time that it is being collected (e.g., a school year), whether it will be saved and accessible after the current use, and if so, who has access to that data, and a plan for how and when the data will be destroyed. It adds that students and parents should have access to all privacy impact assessments and technology-use policies and that “all data created by a student should be recognized as belonging to the student and not to the provider of the program, nor should it be used for any commercial purpose nor linked to other education, government, or commercial databases.” [Vancouver Observer]

CA – Alberta’s Wildrose Bill Aims to Fight Cyber-Bullying/Photo Abuse

On March 14, Alberta MLA Scott Cyr introduced Bill 202, the Protecting Victims of Non-Consensual Distribution of Intimate Images Act, to the Alberta Legislature. Bill 202 would create laws in Alberta that would allow for victims of these types of actions to seek damages in a court of law. Cyr commented on the bill saying, “We know Albertans, especially youth, across Alberta, are suffering from cyber-bullying. The sharing of an intimate image without consent can have a devastating impact on a victim, leading them to feel betrayed and violated. This legislation if passed would raise awareness about this issue, and remove barriers to seeking damages for victims.” Under Bill 202, provisions would also be added to the Education Act, allowing for students who engage in that behaviour to be suspended or otherwise punished. Bill 202 would apply to anyone under the age of 18 who has their images shared without their consent and is similar to other laws in place in Manitoba [see here] and Nova Scotia [see here & here]. [Cold Lake Sun]

CA – Ontario Court Allows Class Action Complaint Alleging Risk from Pre-Installed Software

The Court considered Lenovo (Canada) Inc.’s motion to strike pleadings for a class action complaint alleging it sold a computer with a malicious adware program. Pre-installed adware on new laptops scanned web traffic to inject unauthorized advertisements into the web browser without consumers’ knowledge and consent, and created security vulnerabilities that allowed hackers to collect confidential sensitive information; the act of implanting the software was an intrusion upon the plaintiff’s privacy (it exposed him to significant risks that his personal and financial information would be stolen), and the risk of unauthorized access to private information is a concern in itself (even without any actual removal or theft. [Bennet v Lenovo – 2017 ONSC 1082 CanLII – Superior Court of Justice – Ontario]

CA – Alberta Bill Prohibits Non-Consensual Distribution of Intimate Images

Bill 202, Protecting Victims of Non-Consensual Distribution of Intimate Images Act passed the second reading in the Legislative Assembly of Alberta: The Act will next be reviewed by the Committee of the Whole. If passed, the bill would make it illegal to distribute an intimate image of another person without consent or being reckless as to whether or not that person consented to the distribution; the courts may award general, aggravated and punitive damages or issue an injunction. [Bill 202 – Protecting Victims of Non-Consensual Distribution of Intimate Images Act – Legislative Assembly of Alberta]

CA – Canada’s Ministry of Transport Imposes New Rules for Recreational Drone Use, Including Penalties

The Minister of Transport issues an interim order for recreational drone use. The Order is effective March 13, 2017. Drone operators must mark their drone with contact information, and may not fly higher than 90 metres, at night, within 75 metres of building, vehicles, animals or people, or within 9 kilometres of a working airport; any recreational drone operator who fails to comply with the restrictions could be subject to fines of up to $3,000 for individuals and up to $15,000 for corporations. The rules do not apply to drones operations for commercial, academic or research purposes. Interim Order Respecting the Use of Model Aircraft – Transport Canada | Press Release]

CA – Trudeau Gov’t Reneges on Promise, Delays Transparency Reforms

Treasury Board President Scott Brison says the government has run up against “important considerations” in the efforts to broaden the access system to include ministers’ offices, the Prime Minister’s Office and the federal court system. Those considerations include “the neutrality of the public service,” “the independence of the judiciary” and Canadians’ privacy rights, the minister said. The Star asked Brison’s office on Sunday how Canadians’ privacy rights are an impediment to making government documents available to Canadians. In an emailed response, Brison’s office suggested minister was speaking broadly about the principles that underpin the access system, including censoring information about private citizens. Canada’s access to information (ATIP) system was established in 1982. It allows any Canadian to access internal federal government documents. Citizens, businesses and researchers can use it to figure out how Ottawa makes decisions and to dig up historical records, basically pry loose information the government has kept from public eyes for whatever reason. In the 2015 campaign, the Liberals proposed sweeping reforms to the system, including expanding its application to ministers’ offices, giving an independent watchdog the power to compel departments to release information and making access to government documents “open by default.” A number of those changes have now been delayed indefinitely. [Scott Brison explains delay in promised transparency reforms |Justin Trudeau’s promise of transparency is starting to look empty: Editorial]

CA – Ontario Court Refuses to Restore Landmark Damages Award in Revenge Porn Case

The Court considers a Plaintiff’s appeal of a court judgment setting aside damages awarded to her for non-consensual distribution of intimate images. The Court ruled that the motion judge, in setting aside the findings of liability and assessment of damages against the Defendant, did not fail to look at ongoing psychological harm as a form of non-compensable prejudice to the Plaintiff; the Defendant must pay $10,000 in costs, and present a statement of defence (i.e. the case will proceed to trial. [Jane Doe 464533 v. N.D. – 2017 ONSC 127 – Superior Court of Justice Ontario]

CA – Employees Continue to be the Weakest Link in IT Security

An overview of the biggest risks to IT systems. 60 to 90% of the time, insiders are the cause of IT security threats, specifically for responding to phishing emails that appear to come from an internal source (e.g., senior management); employers should hold training sessions every 4 to 6 months to educate employees on specific social engineering behaviours such as suspicious URLs or requests for personal information. [Employee Behaviours and IT Cyber Risk – Paige Backman, Partner, Meghan Cowan, Associate, and Donald Johnson, Lawyer, Aird and Berlis LLP

CA – Manitoba Ombudsman Issues Recommendations to Prevent Employee Snooping

The Manitoba Ombudsman issues recommendation for public bodies and trustees to prevent employee snooping. Steps to ensure the information is only accessed by employees who need it and when it is required include, promoting a culture of privacy by establishing clear expectations and requirements for employees (supported by senior management), raising employee awareness by conducting regular training and reminders, making sure employees understand the consequences, granting access to information on a need-to-know basis, monitoring employees’ behaviour and investigating all snooping allegations. [Ten Tips for Addressing Employee Snooping – Manitoba Ombusman]

CA – BC Government Ordered to Disclose Aggregate Health Data to Tobacco Industry

The Court considers the Province of British Columbia’s appeal against an order compelling production of documents containing personal health information. In an action against the tobacco industry to recover health care expenditures for tobacco related disease, the government refused to produce anonymised data from its health databases, even though it would be relying on that same data to determine damages; provisions under the Tobacco Damages and Health Care Costs Recovery Act does not prohibit the production of anonymized or statistical health data, and once stripped of personal identifiers, the data poses no realistic threat to personal privacy. [HMTQ v. Philip Morris International Inc. – 2017 BCCA 69 CanLII – Court of Appeal for British Columbia]


WW – UN Human Rights Council Resolution Calls on Nations and Private Sector to Respect Individual Rights

The UN Human Rights Council, along with 35 other UN member states, adopted a resolution on the right to privacy in the digital age on March 23, 2017. Member states should implement domestic oversight mechanisms to ensure transparency of and accountability for State surveillance of communications, permit individuals subject to arbitrary or unlawful surveillance an effective judicial remedy, and enable business enterprises to adopt adequate voluntary transparency measures; business enterprises should implement technical solutions to secure digital communications (including encryption and anonymity), with which states should not interfere. [Resolution 34/7 – The Right to Privacy in the Digital Age – United Nations Human Rights Council]

CA – CPAC Survey: Consumers Conflicted Over Safety of Personal Info

Consumers from the Great White North worry that Canadian businesses are vulnerable to cyberattacks yet trust that companies are doing their best to protect the personal information of customers, according to a new fraud survey by the 2017 Chartered Professional Accountants of Canada. Perceptions about the safety of personal information and trust in business could drastically change by the time the next survey is conducted. Canada’s tightened up data breach notification laws take effect later this year. Some privacy professionals warn that there could be a huge uptick in breach reporting as guidance from the Canadian Securities Administrators requires companies to report more information about cyberattacks [see here], and expected Digital Privacy Act regulations will require more breaches to be reported. [BNA] See also: Fewer Canadians concerned about identity theft, says CPA Canada]

US – Americans Unwilling to Share Electronic Info for Terrorist Investigations

A Reuters-Ipsos poll found a majority of American citizens are unwilling to share their electronic communications and online activity with U.S. counterterrorism agencies. Compared to results from when the poll was last conducted in 2013, Americans are even more reluctant to share information. Of the respondents, 75% said they would not allow law enforcement agencies to access their internet activity to aid in terrorism investigations, up from 67% in 2013. Opinions on surveillance were mixed, with 32% saying agencies such as the FBI and National Security Agency are conducting “as much surveillance as is necessary,” while 37 percent said those agencies are “conducting too much surveillance on American citizens.” [Reuters]

US – Most Americans Unwilling to Give Up Privacy to Thwart Attacks: Survey

A majority of Americans are unwilling to share their personal emails, text messages, phone calls and records of online activity with U.S. counter-terrorism investigators – even to help foil terror plots, according to a Reuters/Ipsos opinion poll released on Tuesday. 75% of adults said they would not let investigators tap into their Internet activity to help the U.S. combat domestic terrorism. That’s up from 67% who answered the same way in June 2013. But Americans were more evenly divided when asked whether the government is conducting too much surveillance. According to the March 11-20 survey, 32% said intelligence agencies such as the FBI and National Security Agency are conducting “as much surveillance as is necessary” and 7% said they wanted more surveillance. Another 37% of adults said agencies are “conducting too much surveillance on American citizens.” The remaining 24% said they did not know. For a graphic of the poll results see here The entire poll can be found here. [Reuters/Ipsos poll]

EU – EU to Propose New Rules Targeting Encrypted Apps in June

The European Commission will propose new measures in June to make it easier for police to access data on internet messaging apps like WhatsApp, EU Justice Commissioner Věra Jourová said yesterday (28 March), heeding calls from national interior ministers. The announcement comes as interior ministers from EU countries have amped up pressure on the Commission to introduce new rules to help police crack through secure encryption and demand private data for investigations. “At the moment, prosecutors, judges, also police and law enforcement authorities, are dependent on whether or not providers will voluntarily provide the access and the evidence. This is not the way we can facilitate and ensure the security of Europeans, being dependent on some voluntary action,” said [EU Justice Commissioner Věra] Jourová. Jourová said the measures would make it easier for law enforcement authorities to request and access data from online services that are registered outside their jurisdictions. UK Home Secretary Amber Rudd said on Sunday (26 March) that encrypted messaging services should be forced to give access to police. German Interior Minister Thomas de Maizière and his French counterpart Matthias Fekl told MEPs they want police to have the same legal right to access online services as they do to demand phone call information from telecoms companies. National ministers in favour of laws regulating encryption complain that they have no legal power to force internet firms to hand over secured data. Five out of 12 EU countries – Hungary, Croatia, Italy, Latvia and Poland – that responded to a questionnaire sent out last year by the Slovakian government, when it held the rotating Council of the EU presidency, said they wanted an EU-wide law on encryption. [Euractiv] WhatsApp must be accessible to authorities, says Amber Rudd | Call for encryption ban pits Rudd against industry and colleagues | Encryption debate needs to be nuanced, says FBI’s Comey]


NZ – Privacy Commissioner of NZ Rejects Data-for-Funding Proposal

New Zealand Privacy Commissioner John Edwards has rejected the controversial Ministry of Social Development-proposed policy to require nongovernment organizations to provide personalized data of their clients in exchange for government funding, Stuff.co.nz reports. His decision comes the day after the MSD had to shut down their information-sharing portal after a breach. While Edwards acknowledged that good information allowed for the government to weigh the efficacy of NGOs, the MSD had taken “insufficient consideration” regarding the consequences of its proposal and that its data capture plan was “excessive and unnecessary.” Ultimately, “there is a real risk that the new arrangement will deter some people who are most in need from seeking support or assistance,” Edwards said. [Stuff.co.uk]

WW – Google and Jigsaw Are Offering Free Election Cybersecurity Tools

Google and Jigsaw, both part of the Alphabet family, have developed a package of tools to help organizations facilitating elections protect themselves from digital threats. The “Protect Your Election” suite of tools includes two-factor authentication, the Password Alert Chrome extension, and access to Project Shield, which offers free DDoS defense to independent news site and human rights groups. [A Cybersecurity Arsenal That’ll Help ‘Protect Your Election’ | Google, sister company Jigsaw offer cybersecurity to election groups | Google, Jigsaw seek to stop election hacks | Google will provide free cybersecurity tools for election organizers in Europe]

HK – Tablet with Census Data Lost Last Year, Government Announces

Hong Kong’s Census and Statistics Department has revealed that a tablet containing the personal information of 46 citizens was lost last year after it was misplaced by a census officer gathering information. The department said “the tablet was one of two such devices lost by census officers” but that in this case, the officer misplaced the device while eating at a fast-food restaurant, the report states. A department spokesman said that while the information on the tablet wasn’t deleted quickly enough by remote software, it “believed the risk of data leakage was ‘extremely low’ because the information had been encrypted and the tablet was locked by dual-password authentication.” Additionally, while the public was just hearing about the breach, victims, law enforcement, and the privacy commissioner were informed last year. [South China Morning Post] and [Lawmakers dub explanation behind voter data theft ‘nonsensical’]

IN – 46,000 Phone Numbers Leaked Via Local Indian Police’s Twitter Account

Bengaluru police leaked the 46,000 phone numbers of those who dialed 100 via the Suraksha app to complain about harassment, quarrels and more, to Twitter. The police made the account private after concern about the leak increased, but were otherwise “unapologetic regarding the matter,” the report states. The police said the leak was a result of tweets auto-generated from its Twitter account. Policy Director at the Centre for Internet and Society Pranesh Prakash argued that the “police officer who ordered to create such an account should be held responsible if any harm comes to a complainant.” [India Today]

US – FPF Smart City Resource Looks To Assuage Iot Fears

The Future of Privacy Forum has unveiled a new interactive tool to help companies, communities, and citizens understand internet-of-things technology used in so-called smart cities. FPF notes that while smart cities do inspire their fair share of privacy concerns, mature data privacy programs can protect citizens while allowing cities to embrace IoT technology. The infographic explores typical concerns about smart city innovation, like discrimination, surveillance, and unexpected uses of data. It couples those issues with practical solutions, such as transparency and consent, vendor management, and de-anonymization tactics, as well as providing readers with additional smart city resources. [FPF.org]

US – Senator Asks FTC to Look Into IoT Toy Privacy Concerns

Sen. Bill Nelson, D-Fla., has written a letter to the FTC asking the agency to address issues surrounding internet-connected children’s toys. Nelson is concerned about the privacy and security risks the toys possess as they continue to gain prominence in light of a recent data breach. “Please explain what actions the FTC has taken in response to these recent data breaches, which have exposed the personal information of millions of children,” writes Nelson. “Specifically, I would like to know what actions the FTC has taken under the COPPA Rule to protect the personal data of children using connected toys.” Nelson has previously written a report and a letter to the CEO of connected-toy company Spiral Toys outlining similar concerns. [SD Times]


US – USPS Daily Mail Digital Preview a Double-Edged Security Sword, Some Say

Informed Delivery, a new, free offering from the U.S. Postal Service, allows users to access pictures and information of the mail they’re set to receive that day, and could be used to help those enrolled protect against identity theft and fraud. “If an important piece of mail that was supposed to be delivered isn’t in the mailbox … [users] can assume it was stolen or delivered to the wrong address and start working to find out what happened,” the report states. However, some critics contend it’s not that simple. Should a hacker compromise a user’s account, he or she could discover that a check or important document was en route and grab it before the intended recipient does. That’s why strong passwords for these types of services are imperative, said CyberScout’s Adam Levin. [NBC News]

UK – Startup Raises $2.7M for Pro-Privacy Email Tool

British startup CheckRecipient looks to protect employee-generated data breaches by utilizing machine learning to keep emails from being mailed to the wrong recipient. So far, the startup has raised $2.7 million in capital. The funds were raised in conjunction with companies like Accel, Amadeus Capital Partners and LocalGlobe. “While there are lots of products on the market designed to make email more secure, they all require a high degree of behavior change from end users or significant administration from IT teams, meaning that their effectiveness is diminished,” the startup argues, maintaining that its product makes those practices obsolete. The team added that the startup has seen success in London, working with legal, health care and financial service companies, and hopes to launch in the U.S. “shortly.” [TechCrunch]


CA – Court Nixes Probation Condition Forbidding Encryption Use

The US government has much broader authority over the speech of probationers than it does over ordinary citizens; but even probation conditions are subject to some scrutiny. Thursday’s California appellate decision in In re Mike H. concluded that a ban on the probationer’s use of anonymizing tools to access the Internet, and a requirement that he accurately identify himself when setting up any online communications services, was permissible: “The juvenile court could reasonably conclude that requiring Mike to use his true identity online and avoid encryption or hacking tools could help the probation department assess whether Mike was in violation [of] other uncontested conditions of his probation.” But the ban on using any electronic devices that contain “any encryption software” was too broad: “While it may not be apparent to the everyday user, encryption technology is now a fact of everyday life This means that encryption is applied automatically without a user needing to switch it on. As drafted, [this condition] is therefore unconstitutionally overbroad.” [Washington Post | Court Strikes Probation Condition Against Using a Device Containing Encryption–In re Mike H.]

UK – New Survey Claims Most Brits Feel “Safer” Without Encryption

Two-thirds of the British public claim the ability of police to intercept and read communications between terrorists is more important than privacy, according to a new study. Advice site Cable.co.uk polled [see here] 2000 UK adults last week following the home secretary’s controversial and widely criticized comments that WhatsApp and other services should effectively be backdoored to allow law enforcement to monitor suspects. Along with the headline stat, over half (51%) claimed they’d feel safer if services like WhatsApp were unencrypted, whilst only a quarter (25%) said they’d feel less safe because cyber-criminals could potentially intercept their communications. Nearly a quarter of men (23%) compared to just 14% of women said the digital privacy of UK citizens should come first, while 26% of 25-34-year-olds felt the same, as opposed to just 10% of the over-55s. [InfoSecurity See also: UK government can force encryption removal, but fears losing, experts say | Politicians call – again – for backdoors into encrypted messages | WhatsApp must be accessible to authorities, says Amber Rudd | Call for encryption ban pits Rudd against industry and colleagues ]

EU Developments

UK – UK Seeks To Create Independent Body to Monitor Police Online Surveillance

The Home Office is creating an independent surveillance program to prevent police officers from granting themselves permission to access personal emails and browsing histories. Labour Party Deputy Leader Tom Watson said the project is a response to a judgment made by the European Court of Justice demanding stricter legal safeguards for law enforcement agencies handling communications data. Members of Parliament have yet to be notified about the project, but information about the new body recently appeared in an online tender document. [Guardian]

UK – Interactive Map Shows Intrusive Surveillance-Tech Exports

The UK is a worldwide exporter of surveillance technology. From devices that hoover up phone calls and text messages, to hardware for monitoring internet traffic, Her Majesty’s Government has granted myriad licenses to ship spying gear over the past few years. Some of the recipient countries will have legitimate uses for such products, but many—Egypt, Turkey, Saudi Arabia—also have abhorrent human rights records, especially when it comes to abusing powerful surveillance tech. IMSI catchers, intrusion software, internet monitoring solutions: UK companies provide it all. Her Majesty’s Government has granted myriad licenses to ship spying gear over the past few years. Some of the recipient countries will have legitimate uses for such products, but many—Egypt, Turkey, Saudi Arabia—also have abhorrent human rights records, especially when it comes to abusing powerful surveillance tech. To better illustrate this proliferation, Motherboard has created an interactive map using data published by the Department of International Trade, as well as extra details obtained through the Freedom of Information Act, such as the specific product exported, or the company that sold it. The map shows which countries the government has granted export licenses to since 2015, and includes telecommunications interception equipment, intrusion or hacking software, and internet monitoring tools. Motherboard will update the map as more data becomes available. (Currently, the map dates back to April 2016). You can find the map here, and various related datasets [here, here & here] [MotherBoard]

EU – Lawmakers Question Data Transfer Program Ahead of Review

The European Union-U.S. Privacy Shield data transfer pact has flaws that must be addressed during the first annual review of the program, EU lawmakers said in a draft [European Parliament Civil Liberties, Justice and Home Affairs Committee or LIBE] resolution narrowly adopted March 23 [see 6 pg pdf here]. The resolution said the review of the program scheduled for this summer should focus on continued U.S. surveillance of foreigners abroad and the viability of redress mechanisms for EU citizens over alleged U.S. government misuse of data. Claude Moraes, the committee’s chair and resolution’s sponsor, told Bloomberg BNA March 23 that EU lawmakers are concerned about data retention provisions in the Privacy Shield agreement. Additionally, the Privacy Shield doesn’t prevent U.S. authorities from carrying out “the bulk collection of personal data for national security purposes,” he said. The draft resolution also called into question the “effective independent oversight” of the program by a U.S.-based ombudsman The LIBE resolution is provisional until confirmed by a vote of the full European Parliament. LIBE backed the resolution in a 29-25 vote, with one abstention. The European Commission, the EU’s executive arm, is obligated to review the Privacy Shield annually. The pact became effective Aug. 1, 2016. [BNA.com]

EU – Resolution Adopted by European Parliament Criticizing Privacy Shield

The European Parliament adopted a resolution criticizing the EU-U.S. Privacy Shield agreement. German Green MEP Jan Philipp Albrecht calls upon the European Commission and EU Justice Commissioner Věra Jourová to ensure more is done to protect European citizens’ data. “The Privacy Shield does not make the US a safe haven. Personal data from people in the European Union is not being adequately protected against access by intelligence services in the US. People in the EU have no real rights when it comes to accessing their data or having it deleted,” Albrecht stated, adding, “The European Justice Commissioner should not allow the US government to palm her off with non-binding declarations of intent or letters of assurance. Vera Jourová must increase the pressure on the US government to make the Privacy Shield a genuine safeguard.” [Greens-EFA]

EU – ePrivacy Reform & the UK ICO Role and Plans

While preparations for the GDPR dominate the headlines, it’s not the only change for the digital economy. As technology evolves at a phenomenal rate, the laws that govern internet-based services are moving at an equally rapid pace. The next piece of legislation in line for an overhaul is the European directive that forms the basis of the Privacy and Electronic Communications Regulations (PECR). Earlier this year, the European Commission published its proposal for the new updated ePrivacy Regulation (ePR), to better protect people’s privacy in the digital age. This proposal is just the beginning of the process, and the details are likely to change as we move forward. It will be a tough deadline for EU lawmakers to meet – the ePR is due to come into effect in May 2018 alongside the GDPR. As a regulation, it will apply directly within every EU member state. As with GDPR, the UK government has confirmed it would be implemented in the UK before we leave the EU. The current draft proposal includes some headline changes The responsibility for enforcement will mirror the GDPR and therefore will fall to the ICO. We’ll be watching the negotiations closely to understand how they might affect the UK. [Information Commissioner’s Office Blog]

UK – ICO UK Issues Guidelines to Health Sector on Managing Patient Records

The UK Information Commissioner’s Office has issued guidelines for the health sector. Organisations should assign responsibility for ensuring the location of records is known at all times, including appointing a records manager, records officer, and local information asset owner; tracking procedures should be put in place (including what to do if a file goes missing), records should be logged in and out, and a formal records management training programme should comprise mandatory induction and periodic refresher training for all staff with access to personal data. [ICO UK – Health Sector Resources | News Release]

EU – European Parliament Issues Opinion on the Fundamental Rights Implications of Big Data

The European Parliament has issued its opinion on the fundamental rights implications of big data. The complexity of automated processing of big data can be challenging for individuals to assess the collection, analysis and use of personal data, the merging of personal and non-personal data can create new personal data, and it can be possible to re-identify individuals by correlating different types of anonymised data; organisations should apply the principle of data protection by design and pseudonymize, anonymize or encrypt personal data used in big data applications. [European Parliament – Resolution of 14 March 2017 – Fundamental Rights Implications of Big Data]

UK – Government Advised to Establish Minimum Internet Safety Standards

The House of Lords Select Committee on Communications released its 2nd report of session 2016-17 on children and the Internet. Social media sites terms and conditions are at odds with children’s right to privacy, the commercial uses of data in regards to children present difficulties in regards to transparency, choice and control, the effectiveness of filters is limited by children’s use of multiple devices/access points, encryption of websites and use of apps; there is widespread flouting of rules concerning age (particularly on social media sites and in gaming), and internet services are not designed with children in mind (an updated operating system automatically restores default settings. [Growing Up With The Internet – House of Lords]

CA – British Columbia Man Arrested For Stealing Patient Information

A British Columbia man has been arrested for stealing the information of more than 20,000 PharmaNet patients. The Vancouver Police Department released a statement saying the man gained unauthorized access to the PharmaNet system to obtain the patient data, then used the information for “fraudulent purposes.” Law enforcement agencies have not shared any information on the ways the data was used or how the man breached the system. The Ministry of Health said the man may have gained access by impersonating a doctor and promised to implement stronger security measures with PharmaNet vendors. British Columbia offered free credit monitoring for all of the impacted patients. [CTV News]

Facts & Stats

WW – Reports: Number Of Compromised Records in the Billions In 2016

Gemalto released its 2016 data breach report, finding the number of compromised records increased 86 percent from 2015. Gemalto’s Breach Level Index found 1.4 billion records were compromised in 2016, pushing the overall total to 7 billion since the BLI was created in 2013. The report found most of the cyberattacks targeted large consumer databases, such as social media, entertainment, and email websites. Despite the record amount of compromised records, the number of data breaches actually decreased by 4 percent last year. Another report from IBM Security found more than 4 billion records were leaked worldwide in 2016, a 566 percent increase from the previous year. [Gemalto]

US – Eight Companies Plan to Pay $5.3M to Settle Privacy Lawsuit

A group of eight companies could pay $5.3 million for a proposed privacy settlement. The payments from Instagram, Foursquare, Kik, Gowalla, Foodspotting, Yelp, Twitter, and Path would help settle a 2012 lawsuit surrounding the use of the “Find Friends” iOS feature. The feature allowed users to find out if their friends were using the same app, but the plaintiffs in the case allege the app makers violated their privacy by failing to alert users it would send their contact lists to company servers. A judge still needs to approve the settlement before it takes effect. If approved, only Apple and LinkedIn will be among the 18 original defendants still attached to the case. [Fortune]


US – Coalition of US Groups Push to Repeal Globally-Hated FATCA

A coalition of 23 taxpayer protection and grassroots organizations sent a letter today urging Congressional leadership to include repeal of the Foreign Account Tax Compliance Act (FATCA) as part of comprehensive tax reform. Co-authored by the Center for Freedom and Prosperity and the Campaign to Repeal FATCA. The letter makes 5 key points: 1) FATCA fails in its primary goal to catch wealthy tax cheats; 2) It ensnares innocent Americans with excessive reporting requirements and draconian penalties for the slightest oversights; 3) It makes U.S. citizens living and working abroad toxic assets in the eyes of both financial institutions and employers; 4) Its compliance costs far outstrip the revenue it collects; and 5) It encourages other nations and international organizations to pursue aggressive tax grabs that threaten American businesses and the global economy. [Freedom and Prosperity]

US-Born Canadian Citizens Allege FATCA Infringes on Their Right to Privacy

Virginia Hillis, Gwendolyn Deegan and Kazia Highton (“Plaintiffs”) filed a statement of claim against the Attorney General of Canada and the Minister of National Revenue (“Defendants”) arguing that the Foreign Account Tax Compliance Act (“FATCA”) violates their rights as Canadians under the Charter Of Rights And Freedoms: Defendants filed a response to Plaintiffs’ claims. Canadian financial institutions are required to disclose account information relating to US reportable accounts without notice to the individual, an opportunity for the individual to object, consideration of the usefulness of information, or sufficient restrictions on the use of the information; the government argues that reported information can only be disclosed for tax purposes, and FATCA is tailored to only collect required information. [Virginia Hillis et al v. Attorney General of Canada and the Minister of National Revenue – Amended Statement of Claim to the Defendants – Federal Court | Government Response]

US – IRS Seeks Bitcoin Exchange User Data, Raising Privacy Concerns

Privacy concerns have arisen as the Internal Revenue Service aims to obtain consumer information from popular bitcoin service, Coinbase. The IRS served a “John Doe” summons to Coinbase demanding transaction and user profile records on all of its U.S. users from 2013 to 2015 as part of a tax evasion probe. Coinbase has yet to turn over any of the data and is asking the government to narrow the scope of the information it is seeking. While Coinbase’s general practice states they will cooperate with law enforcement agencies, the company said it will fight back against the request unless the demands are scaled back. “It amounts to nothing more than asking for large amounts of hay in the hope they might find a needle,” said Internet Association CEO Michael Beckerman. [The Wall Street Journal]

CA –Canada’s First Commercial Blockchain Service Could Become the ‘Interac’ for Digital Transactions

With the announcement of a major commercial service with backing from Canada’s ‘Big 5’ banks and a new research institute driven by the Tapscotts, complete with government funding, it’s fair to say that blockchain is having its moment in emerging to the mainstream. “Banks haven’t done something like this since the formation of Interac in 1984” says Greg Wolfond, founder and CEO of SecureKey Technologies [see here] They are getting ready for a push to launch a new brand that is centered around enabling privacy-protected digital transactions Later this year. The service will be the first blockchain project with such a wide commercial launch in Canada, signaling that the digital ledger technology has moved on from its days as the stuff of cryptocurrencies bearing odd names and firmly into the establishment. The bottom line is that customers will just have more control over their privacy than they do today [says Chuck Hounsell, senior vice-president of payments at TD Bank]. Blockchain hasn’t just arrived in Canada, its commercial embrace is global. SecureKey [see here] plans to collaborate with IBM to take the work its done in Canada to other countries. It may be buoyed in part by its status as a Privacy by Design ambassador, showing it’s adopted former Ontario privacy commissioner Anne Cavoukian’s internationally-recognized privacy framework in its design. That helped facilitate a triple-blind model that ensures user privacy, Wolfond says. The provider of the attribute doesn’t know what you’re using it for, the receiver doesn’t know who’s providing it, and there’s no middle man in between to watch what you’re doing. [IT World]

US – FTC releases 2016 Annual Highlights, Cites Continued Efforts Toward Privacy

The Federal Trade Commission released its 2016 Annual Highlights, touting the agency’s efforts to protect consumers. Acting FTC Chairman Maureen Ohlhausen said, “2016 was a historic year for the FTC. We obtained almost $12 billion in redress for consumers, and took action in more than a dozen merger cases to preserve competition. The Commission’s enforcement, policy and consumer and business education work shows our strong commitment to protecting consumers and promoting competition and innovation.” The report also discusses the FTC’s continued efforts to make privacy and security a high priority. [FTC]

WW – Study Evaluates Top Companies’ Privacy Commitments

A new study examined 22 of the top global telecommunications, internet, and mobile companies on their public commitments to and disclosed policies on users’ freedom of expression and privacy. “The 2017 Ranking Digital Rights Corporate Accountability Index” measured the companies based on three sets of criteria: governance, freedom of expression, and privacy. Key findings include evidence that companies are not doing a proper job disclosing information to consumers, mobile ecosystems lack disclosure, freedom of expression “is getting shortchanged,” and handling of user data is opaque, among others. Among internet and mobile companies, Google had the best marks, while AT&T had the best score among telecommunications companies. [Ranking Digital Rights]


CA – Alta Gov’t Opposition Recommendations on Fixing FOI System

The Wildrose, Alberta’s Official Opposition party, made 10 suggestions for improving Alberta’s broken freedom of information system, including firing issues managers in the premier’s office and Public Affairs Bureau to free up cash for processing requests. [see PR here & pdf report here] Nathan Cooper, the Wildrose critic for democracy and accountability, said access to information is a critical tool for the opposition, media and the public to hold the government to account. He said the government needs to change its attitude.. Earlier this year, Alberta privacy and information commissioner Jill Clayton issued a scathing assessment of the government’s attitude towards the FOIP act. [see PR here & report pdf’s here & here] Clayton said the government has a “lack of respect” for freedom of information and needs a culture change that starts at the top. [CBC] See also: [Information commissioner slams Alberta government for poor state of freedom of information]

CA – Despite SK OIPC’s insistence, Gov’t does not Release GTH Info

Saskatchewan’s Highways minister is defending his ministry’s record of providing information on its projects, despite not following Information and Privacy Commissioner recommendations or even reading the commissioner’s reports on his ministry’s actions. “I just think that our ministry has been very responsible and respective of the FOIs,” Dave Marit said. That’s despite the fact he told CBC he hasn’t read any of the Information and Privacy Commissioner’s five reports condemning his ministry on its handling of requests for information about the Global Transportation Hub. The Ministry of Highways has consistently dragged its feet on information requests — a fact the commissioner has pointed out time and again after CBC filed complaints about the delays. See OIPC reports from Nov. 9, 2016, Nov. 10, 2016, Jan. 5, 2017 and Jan. 17, 2017 ] Here’s a summary of those reports:

  • Nov. 9, 2016: Commissioner recommends the ministry release a land sale agreement with CP for property at the GTH. The ministry refuses to release the document.
  • Nov. 10, 2016: Commissioner finds the ministry was more than three months late in responding to CBC’s requests related to the GTH. He described the delays as excessive and a violation of the law. “Highways must take their obligations under FOIP [Freedom of Information and Protection of Privacy] more seriously. The Legislative Assembly has passed FOIP and I expect that ministries will comply with the laws passed by it. Highways has failed to do so,” he wrote.
  • Jan. 5, 2017: Ministry proposes to charge CBC $70,000 for a series of 13 information requests. The commissioner found the ministry failed to consult with CBC as it is required to do. He also found the ministry’s “excessive fee was an unreasonable barrier to access.”
  • Jan. 17, 2017: Commissioner finds the ministry had delayed its response to information requests in a way that “was unnecessary, inappropriate and unauthorized under FOIP.”

When asked why he hadn’t read any of the commissioner’s reports, Marit responded, “I guess that’s where I trust my deputy minister and my ministry staff to look after the FOIs.” [CBC | 3 strikes: Sask. government chastised again for handling of GTH document requests]

CA – OIPC AB Requires Disclosure of Former Employee Records

The Office of the Information and Privacy Commissioner in Alberta reviewed a decision by Children’s Services to deny access to records requested, pursuant to the Freedom of Information and Protection of Privacy Act. Disclosure of information relating to an Edmonton Police Service file involving the individual would not reveal information supplied in confidence by the police (the police service already disclosed some information to the individual), or harm relations between the public body and the police service. [OIPC AB – Order F2017-28 – Children’s Services]

CA – Unauthorized Disclosure of Images Penalized by Laws in Manitoba

A review of changes in common law and in statute in regards to cyber-bullying. Non-consensual sharing of intimate images creates a private right of action, empowering the courts to award damages to the plaintiff to amend humiliation and cyber-bullying acts; perpetrators can be held liable for invasion of privacy. A similar law in Nova Scotia has been found unconstitutional. [Cyberbullying and Revenge Porn – An Update on Canadian Law – Kristen thompson – CyberLex]

CA – BC OIPC Upholds Public Body’s Decision to Deny Parent Access to Child’s Records

The British Columbia Information and Privacy Commissioner reviewed an access request made to the Ministry of Children and Family Development pursuant to the Freedom of Information and Protection of Privacy Act and the Freedom of Information and Protection of Privacy Regulation. [OIPC BC – Order F17-04 – Ministry of Children and Family Development]

WW – Study: Large Teaching Hospitals More Likely To Suffer Data Breach

A study published by JAMA Internal Medicine found large teaching hospitals are more likely to suffer data breaches, SC Magazine reports. The study found 216 hospitals accounted for 257 of the 1,798 data breaches between Oct. 21, 2009 and Dec. 31, 2016. Most of the affected hospitals were discovered to be teaching hospitals. Larger teaching hospitals are more likely to be targets due to more individuals having access to private patient data and aging infrastructure. “Due to tight budgets, aging systems and rich confidential data, hospitals will continue to be victimized by targeted attacks in 2017,” Plixer International CEO Michael Patterson said. “To avoid falling prey, insured contractors should be leveraged to patch systems and audit cyber defenses.” [SC Magazine]

US – Twitter Sues DOJ Over Request For User’s Information

After receiving a summons from a Customs and Border Protection agent related to an account, Twitter is filing a lawsuit against the Department of Justice in order to protect the user from being revealed. The agent is ordering Twitter to turn over information regarding the @ALT_USCIS account, including usernames, account login, phone numbers, mailing address, and IP addresses. Twitter said revealing the user’s identity “would have a grave chilling effect.” Center for Democracy and Technology’s Emma Llansó said, “These tech companies have so much really personal information about all of us, and part of what we do when we give them this information is trust them to be stewards of it,” adding, “For Twitter to fight back against such a broad demand from the government to unmask is really significant.” [San Francisco Chronicle]

US – NY Attorney General’s Office Announces COPPA Settlement

The New York Attorney General’s office today announced a settlement with TRUSTe regarding its certifying of companies under the U.S. Federal Trade Commission’s COPPA safe harbor program. TRUSTe will pay a $100,000 fine and has agreed to make certain changes to its certification program. The case is a continuation of what the New York Attorney General calls “Operation Child Tracker,” which led to nearly $1 million in fines for four firms this past September. [IAPP.org]


US – FDA Approves DNA-Test Company’s at-Home Genetic Diagnostic

The Food and Drug Administration has approved 23andMe to market its at-home genetic test allowing users to test their DNA for 10 diseases, like Parkinson’s or Alzheimer’s. While questions remain about the accuracy of these tests, proponents argue that they’re ultimately beneficial. “We’re moving as a society toward empowering people with health related information and this is, I think, a welcome step, along that journey,” said Harvard University geneticist, Dr. Robert Green. New York University bioethicist Art Caplan, however, who maintained the at-home tests could end up “frightening” consumers, said that “it’s also not clear what privacy people have and how well 23andMe could safeguard their test results, or even their actual samples,” the report adds. [NBC News]

Health / Medical

CA – Ontario Bill Amends FOI Legislation to Create Disclosure Exemptions for Medical Assistance in Dying

Bill 84, amending the Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act and related to medical assistance in dying, is read and referred to the Standing Committee on Finance and Economic Affairs. The Freedom of Information and Protection of Privacy Act and Municipal Freedom of Information and Protection of Privacy Act are amended to provide that they do not disclose identifying information relating to medical assistance in dying; “identifying information” means information that identifies a person or facility or that could be utilized with other information, to identify a person or facility. [Bill 84 – Medical Assistance in Dying Statute Law Amendment Act, 2017 – 41st Legislature, Ontario]

CA – Retiring Doctors Must Notify Patients of Who Will Hold Their Health Records

The Information Protection Commissioner of Ontario has issued recommendations regarding medical records. To ensure the ongoing right of access, either before or shortly after their retirement, doctors and other health care providers must give patients notice indicating who will take over their practice or details on the specialized medical record storage facility where they will be transferred to. [IPC ON – Your Doctor Is Retiring – What You Should Know About Your Medical Records]

EU – OCR Leader: Agency Will Release Guidance on ‘Hot Button’ Privacy Issues

At the Health Care Compliance Association’s Compliance Institute, Iliana Peters of the Health and Human Services Office for Civil Rights said that the agency will prioritize guidance surrounding “hot button” privacy issues this year. She added that the OCR was wrapping up a round of audits and predicted that enforcement fines would increase in the future. In tandem with her talk, the HHS Office of Inspector General released “Measuring Compliance Program Effectiveness: A Resource Guide.” It covers the results of an “effectiveness roundtable” in collaboration with the Health Care Compliance Association in early 2017, and looks to “provide measurement options to a wide range of organizations with diverse size, operational complexity, industry sectors, resources, and compliance programs.” [WilmerHale]

Horror Stories

CA – McDonald’s Canada Jobs Web Site Hacked, 95,000 Affected

The home page of McDonald’s Canada .revealed that its career Web site — where job applicants leave their resumes — has been hacked. The personal information of approximately 95,000 restaurant job applicants has been compromised,” he company said in a statement.[see here] That covers anyone who applied online for a job between March 2014 and this month. “The personal information compromised was limited to applicant name, address, email address, phone number, employment background and other standard application information. Our application forms do not request highly sensitive personal information such as social insurance numbers, banking information or health information” the company said. Ann Cavoukian, head of Ryerson University’s Privacy and Big Data Institute, said “All sensitive documents that retain personal identification, especially in an employment context, should be encrypted In this day and age it is not a big deal to encrypt data. And it doesn’t matter that they don’t have the social insurance number [of applicants]. They have a lot of other sensitive information — their employment history, when they worked. Just because they don’t have your social insurance number or banking information doesn’t mean its not sensitive. Why not protect the data when you can do it so easily in this day and age?” In an interview Ira Nishisato, national leader of the cyber security and risk practice at the law firm Borden Ladner Gervais said Canadian law on an organization’s “standard of care” for personal information is still evolving. A court would likely look to best practices suggested by industry associations, he said. But he believes these days “encryption is expected” even if personal information doesn’t include social insurance numbers and the like. “If you fail to encrypt you’re at risk.” [IT World]

UK – Data From UK Parliament’s Staff Accidentally Published Online

The Independent Parliamentary Standards Authority has said that “extremely sensitive” information about an estimated 3,000 members of Parliament’s staff was accidentally published online for four hours before someone noticed the mistake, BBC reports. The information included salaries, work and vacation patterns and was accidentally uploaded to a version of the MP site soon to be archived, the report states. A Parliament spokesman said that a “small number” of people had viewed the information until the watchdog was alerted and the data removed. “An investigation is currently underway and we have notified the Information Commissioner,” the spokesman added. “We will be writing directly to all of those affected.” [BBC.com]

Identity Issues

US – NIST Extends Comment Period for Digital Identity Guidelines

The US National Institute of Standards and Technology (NIST) has extended by one month the deadline for public comment on part of its digital identity guidelines. Initially, comments were due by March 31, 2017, but the deadline has been extended to May 1, 2017 for the parent volume, SP 800-63-3 because of changes made to risk management and mitigation issues. http://trustedidentities.blogs.govdelivery.com | – https://gcn.com: NIST extends comment period for digital identity guidelines |

WW – ‘Internet Noise’ Website Helps Obscure Users’ Online Identity

Responding to Congress rolling back the Federal Communications Commission’s broadband privacy rules, a new website has launched to help make it difficult for anyone to collect browser data, Wired Reports. Internet Noise is a site designed to deliberately obscure a user’s online identity by repeatedly opening browser tabs going to random webpages. The site’s founder, Dan Schultz, accomplished this by Googling “Top 4,000 nouns” and implementing it into the site’s code. When a user clicks the “make some noise” button,” a new tab will generate every couple of seconds, functioning similar to Google’s “I’m Feeling Lucky” button. The site features another button to stop the process from occurring. While Schultz admits the site has been created mainly for awareness purposes, users have reached out to offer fixes in order to make it a more effective privacy tool. [Wired]

Law Enforcement

US – Prosecutors Post Data from Locked Phones of 100 Trump Protesters

Federal prosecutors are creating a cloud-based database full of personal data extracted from the locked phones of Trump protesters arrested on Inauguration day. Police seized the phones of more than 100 of those arrested. Although all of the devices were locked They want to make the data available to the lawyers of 214 defendants accused of felony rioting. According to court papers (PDF) prosecutors filed on Wednesday, the Feds are seeking an order from the court that would prohibit the defense lawyers from copying or sharing the information unless it’s relevant to defend their clients. If there’s one thing this case makes crystal clear, it’s that the authorities’ success in getting past Apple encryption [see here] goes well beyond the prolonged battle over the unlocking of Syed Farook’s iPhone following the San Bernardino shootings. In the case of the Trump protesters, government officials said they have search warrants to extract data from the phones. Arraignments are scheduled through early April. Follow-up hearings will start in mid-April. At that point, the judge will likely consider evidence-related issues and motions. [Naked Security]

US – ACLU Lawsuit Over Cop Confiscating Phone & Deleting Pics

ACLU of Louisiana filed a federal lawsuit [see 11 pg pdf here] alleging a Lafayette police officer improperly deleted cellphone photos a woman [Chelline Carter] had taken of her son in the back of police cruiser. The suit claims the officer told the woman she was breaking the law by taking pictures of “evidence,” then deleted those photos before handing the phone back to her ACLU of Louisiana Executive Director Marjorie Esman said citizens have a long-established First Amendment right to photograph police in a public place if they are not interfering with an officer’s duties and that law enforcement officers must have a warrant to access a cellphone. The lawsuit seeks damages, a court judgment declaring that the officer’s actions violated Carter’s rights and an injunction blocking police in the future from interfering with citizens who are photographing police and from seizing and searching their cellphones or other photographic equipment. [The Advocate]

CA – Fredericton Police Try on Body Cameras for 90-Day Test

Six Fredericton police officers started using body cameras Friday for a 90-day trial of the technology that could help increase public trust, the Deputy Chief Martin Gaudet says. He hopes the cameras will raise the public’s trust in the force, now that more police interactions with residents will be recorded. “We want to always continue to build public trust,” he said. “This is just another tool to help us in our investigations and in public transparency.” The Fredericton department also worked with the province’s privacy commissioner, the Office of the Attorney General and the city solicitor on the project. Once an officer hits record, the file is directly uploaded to encrypted cloud storage, where it can only be accessed by an authorized member of the force, which will be Staff Sgt. Paul Battiste. Battiste said he can only share a file with the courts if the person on the other end is authorized to receive it. The public can request access to footage by submitting a right to information request to the force by email. Battiste said the videos are stored based on the same policing standards that apply to any other information collected as part of an investigation. Officers cannot access the footage, edit or delete files, he said. People will be told that they are being recorded, and they cannot refuse, he said. To protect the privacy of people not connected to a case, videos will be redacted when necessary, “but the original file is always kept,” he said. [CBC News]

US – Taser to Provide Free Body Cameras To Police Nationwide

Stun gun company Taser has announced that it will offer free body cameras to all American law enforcement, and one year of access to the company’s cloud storage service. The organization added that it has changed its name to Axon to better reflect its range of products. “Our belief is that a body camera is to a cop what a smartphone is to a civilian,” said Axon CEO Rick Smith. “We believe, within 10 years, we can automate police reporting. We can effectively triple the world’s police force.” The move has raised some eyebrows, with University of California, Davis’ Elizabeth Joh speaking out against the “basic relationship” between a vendor and the police. “A tech vendor is making important decisions about policing,” Joh said. [Ars technica]


US – Illinois Bill Restricts Processing of Geolocation Information by Private Sector

House Bill 3449, the Geolocation Privacy Protection Act, receives first reading: The Act takes effect upon becoming law. A private entity cannot generally process geolocation data from a location-based app unless the individual provides informed express consent; an aggrieved individual may file a civil action for damages. Exemptions from the consent obligation include location of a minor, a legally incapacitated person, or provision of emergency services; the general prohibition does not apply to healthcare or other providers subject to HIPAA, financial institutions or affiliates subject to GLBA, or a cable, Internet or telecom services provider. [House Bill 3449 – Geolocation Privacy Protection Act – 100th General Assembly, State of Illinois]

Online Privacy

US – Facebook Loses Appeal to Block Bulk Search Warrants

New York State’s highest court dealt a blow to Facebook and other social media companies seeking to expand privacy protections, ruling [see 74 pg pdf here] that Facebook had no right to ask an appellate court to quash search warrants ordering the company to hand over information from hundreds of accounts in a disability fraud case. The state Court of Appeals, in a 5-to-1 decision, with one judge recusing himself, upheld lower court rulings that New York law does not allow a social media company to appeal a judge’s decision to issue search warrants in a criminal case, even if the company believes those warrants violate the constitutional rights of its users. The Facebook case is part of a broader battle between the government and technology companies over the limits on law enforcement requests for data under the federal Stored Communications Act. Much of that fight is playing out in New York.. The case — known formally as In Re 381 Search Warrants Directed to Facebook Inc. — had been closely watched as a test as Facebook sought to expand its ability to fight what it sees as fishing expeditions by prosecutors. Several tech giants, including Google, LinkedIn, Amazon, Microsoft and Twitter, filed amicus briefs, as did the New York Civil Liberties Union. [NYT | New York’s top court rejects Facebook search warrant challenge]

US – NAI, DAA Launch New Version of Consumer Choice Tools

The Network Advertising Initiative and Digital Advertising Alliance have together launched new versions of consumer choice tools for interest-based advertising. Changes to the “NAI tool and DAA tool include an enhanced user experience, the ability for companies to easily disclose to consumers their use of both cookie-based and non-cookie technologies for digital interest-based advertising … and controls for users to opt-out of such use,” a press release states. “The tool is the first to offer a technology-based opt-out for both cookie-based and non-cookie technologies,” said NAI President and CEO Leigh Freund. “The improvements in this tool provide increased transparency into emerging data practices, regardless of technology,” added DAA Executive Director Lou Mastria. [NAI]

Other Jurisdictions

US – Pew Researches Future Of Online Anonymity, Fake News

The Pew Research Center has released a new report on the future of free speech, trolls, anonymity, and fake news online. “Many experts fear uncivil and manipulative behaviors on the internet will persist — and may get worse.” “This will lead to a splintering of social media into AI-patrolled and regulated ‘safe spaces’ separated from free-for-all zones. Some worry this will hurt the open exchange of ideas and compromise privacy.” The research also revealed that those surveyed believe anonymity has contributed to much of the “uncivil discourse” online, but such anonymity will likely get purged in the future, “setting the stage for governments and dominant institutions to even more freely employ surveillance tools to monitor citizens, suppress free speech and shape social debate.” [PEW Internet]

Privacy (US)

US – Data Localization Laws Tracked in USTR Trade Barriers Report

Barriers to digital trade have spread to such an extent that the Office of the U.S. Trade Representative analyzed how the topic is playing out in dozens of countries in its 2017 annual report on foreign barriers to trade. The 492-page U.S. Trade Representative annual report, released March 31, defined digital trade barriers as “restrictions and other discriminatory practices affecting cross-border data flows, digital products, Internet-enabled services, and other restrictive technology requirements.” The report tracked “data residency” laws, requiring companies to store certain types of data within a country’s borders, that have sprung up around the world. Two broad trends are emerging with data residency laws The first is the increasing emergence of data residency laws “that require private sector companies to store information locally”— with Russia’s law [see here] serving as the model for such private-sector aimed residency laws The second trend involves laws that require government data to be stored locally, Cohen said. Such laws can be found in China, Indonesia, Canada and Nigeria. Lothar Determann, a privacy partner at Baker McKenzie LLP in Palo Alto, Calif., told Bloomberg BNA that Data residency laws are often sold by government’s as “privacy and civil rights protection measures but they really have the opposite purpose and effect” in that they really just secure access to data for intelligence and law enforcement purposes [Data Residency Laws Tracked in Trade Barriers Report]

US – 4th Circuit Weighs in on “Injury-in-Fact” in Data Breach Cases

In Beck v. McDonald, the U.S. Court of Appeals for the Fourth Circuit joined at least five other circuits in analyzing whether mere allegations of future identity theft can establish injury-in-fact as required to confer Article III standing [see here]. There, the Court found that allegations of future harm were too speculative, particularly where there was no allegation or evidence that the confidential information was targeted or had been used fraudulently. The analysis aligns with distinctions made by other circuits between misplaced or stolen physical property cases, where the loss of confidential information is incidental, and cyberattack and hacking cases, where the thief’s intent to wrongfully use the information can be inferred. This ruling shows that district and circuit courts are looking at the allegations in data breach cases with care, and not simply assuming an injury just because plaintiffs’ confidential information has been compromised. Rather, the courts are looking at the particulars of the breach itself – physical property vs. data hack, allegations of actual fraudulent use or access vs. conclusory allegation of prospective harm – in determining whether plaintiffs have suffered injury-in-fact sufficient to confer Article III standing. [Data Protection Report | The Fourth Circuit Holds That Threat of Future Harm Is Insufficient To Confer Standing on Victims of a Data Breach]

US – Geek Squad Under Fire for ‘Cozy’ and ‘Extensive’ Links to FBI

When Best Buy customers need to retrieve lost data, stores from around the US send their computer equipment to a giant Best Buy repair shop in Brooks, Kentucky, for its Geek Squad techs to work on and, apparently, to search for child abuse imagery on behalf of the FBI. Unbeknown to customers, recent federal court documents claim, the [Best Buy] Geek Squad techs have been in a “cozy” secret relationship with the FBI, which over a few years has trained and paid them to search for child abuse imagery on computer equipment. Geek Squad employees have gone so far as to search unallocated space on hard drives – ie the place where forensics specialists use specialized software to find and retrieve deleted files. That’s what happened to Mark Rettenmaier. His house was subsequently searched, and Rettenmaier was indicted in November 2014 by a federal grand jury on two counts of possessing child abuse imagery. The case has dragged on. it’s looking like that image – and others like it – might not be permissible as evidence, given that the Geek Squad employees are accused of acting as government agents. That’s because government agents need to first get a warrant, based on probable cause, to search a computer. The government is facing multiple problems with its case against Rettenmaier. As pointed out by R Scott Moxley, a few weeks before Rettenmaier was arrested, federal judges ruled in a separate case that images found in unallocated space couldn’t be used to win a possession conviction, since there’s almost no way to figure out who put them there, who viewed them, or when/why they were deleted. A trial is tentatively scheduled to begin on June 6 in Santa Ana. [Naked Security]

US – Minnesota Police Obtain Warrant Asking Google to Identify People Who Searched for Man’s Name

Police in Minnesota are asking Google to identify people who searched for certain terms associated with a crime they are investigating. Edina police are working in a bank fraud case in which USD 28,500 was wired out of an individual’s account earlier this year. The perpetrator used a passport photo possibly obtained online. The warrant applies only to residents of Edina and only to searches conducted between December, 2016 and January 7, 2017. [Minn. Police seek data on who Googled a victim’s name | Minnesota judge signs a search warrant for personal information on anyone who Googled someone’s name | Judge Wants Google to Tell Cops Everyone Who Googled One Man’s Name]

US – Fourth Amendment Border Search Exception Should Not Apply to Digital Devices and a Probable Cause Warrant Should Be Required

Various advocacy group submit an amicus brief in support of an appeal by an individual (the “appellant”) of a denial of his motion to suppress evidence seized from his iPhone, which was searched at the U.S. border. The border search exception is intended to serve the narrow purpose of enforcing immigration and customs laws (which are enforced through inspection of physical documents, luggage, vehicles and persons); both manual and forensic searches of digital devices, containing vast amounts of highly personal information, are “non-routine” (in light of the CBP’s current use of sophisticated forensic tools that can be rapidly deployed at the border). [United States of America v. Hamza Kolsuz – Brief of Amici Curiae Electronic Frontier Foundation, Asian Americans Advancing Justice-Asian Law Caucus, Brennan Center for Justice, Council on American-Islamic Relations (CAIR), CAIR California, CAIR Florida, CAIR Missouri, CAIR New York, CAIR Ohio, CAIR Dallas/Forth Worth, and The National Association of Criminal Defense Lawyers in Support of Defendant-Appellant]

WW – Advocates Emphasize Risks of IoT and Request Algorithmic Transparency

Advocates submit their comments on cybersecurity to a U.S. Senate committee. IoT poses numerous risks to privacy (the vast quantity of data reveals a wealth of PI about consumers that can be used for secondary purposes, and many devices feature “always on” tracking technology) and security (current security risks are able to expand due to increasingly large array of networks in which to spread); algorithms are often used to make adverse decision about individuals (regarding employment, insurance and credit) who rarely know about the decisions, or whether those decision were fair or accurate. [Letter to U.S. Senate Committee on Commerce, Science, & Transportation’s Hearing on “The Promises and Perils of Emerging Technologies for Cybersecurity” – Electronic Privacy Information Center]

US – NY AG Settles with App Developers for Insufficient Privacy Notice

New York’s Attorney General has settled with Cardiio, Runstastic and Matis, three application developers for misleading marketing and privacy practices. The developers’ privacy policies were updated to request affirmative consumer consent to the privacy policy and to indicate the personal information that they process including, users’ GPS location, unique device identifier, possible re-identification of de-identified information. [A.G. Schneiderman Announces Settlements With Three Mobile Health Application Developers For Misleading Marketing And Privacy Practices – NY AG]

Privacy Enhancing Technologies (PETs)

WW – Splinter: Protecting the Privacy of Public Database Queries

Researchers from MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) have developed a system called Splinter that protects the privacy of users querying public databases by breaking the query into pieces to be handled by different but identical databases. As long as just one of the providers is trustworthy, the content of the query cannot be detected. Splinter employs a “cryptographic primitive” called Function Secret Sharing (FSS) that keeps the query private “unless all the providers collude” and does not make undue demands on system CPUs. The researchers presented a paper on Splinter at the USENIX Symposium on Networked Systems Design and Implementation in Boston earlier this week. [CompSci boffins propose scheme to protect privacy in database searches | Practical Private Queries on Public Data]

WW – Privacy Badger Surpasses 1M Users

The Electronic Frontier Foundation reports the Privacy Badger browser extension has surpassed 1 million users. The extension is designed to automatically block hidden third-parties tracking users’ browsing history. “With this milestone, the Privacy Badger team remains as committed as ever to end non-consensual browser tracking and promote responsible advertising. Although Privacy Badger blocks many ads in practice, it is more a privacy tool than a strict ad blocker,” the EFF blog post states. “Privacy Badger encourages advertisers to treat users respectfully and anonymously rather than follow the industry status quo of online tracking.” [EFF.org]

WW – Privacy-Focused AI Bot Warns Users When Posting Personal Data Online

A study published by researchers at the Max Planck Institute for Informatics in Germany outlines an AI-powered privacy tool designed to stop individuals from posting private information online. The Visual Privacy Advisor analyzes a user’s privacy preferences on their phone or computer, then alerts them whenever sensitive information, such as a medical prescription or bank account details, may be exposed when they post a picture onto social media. “Our model is trained to predict the user specific privacy risk and even outperforms the judgment of the users, who often fail to follow their own privacy preferences,” the researchers wrote in a recent paper. “In fact — as our study shows — people frequently misjudge the privacy relevant information content in an image — which leads to failure of enforcing their own privacy preferences.” [Vocativ]

US – If You Want a VPN to Protect Your Privacy, Start Here

On March 28 the House of Representatives voted to reverse FCC privacy regulations It’s a disappointing setback for anyone who doesn’t want big telecoms profiting off of their personal data. So what to do? Try a Virtual Private Network. It won’t fix all your privacy problems, but a VPN’s a decent start. A VPN is a private, controlled network that connects you to the internet at large. Your connection with your VPN’s server is encrypted, and if you browse the wider internet through this smaller, secure network, it’s difficult for anyone to eavesdrop on what you’re doing from the outside. VPNs also take your ISP out of the loop on your browsing habits, because they just see endless logs of you connecting to the VPN server. For a VPN to be any more private than an ISP, the company that offers the VPN needs to be trustworthy. That’s a very tricky thing to confirm. One solid indicator? Check whether the VPN keeps logs of user activity. Many privacy-focused VPNs are intentionally very up front about their no-log policies, because they want to make it clear to law enforcement groups around the world that even if they are served with a warrant or subpoena, they won’t have the ability to produce customer records. It’s worthwhile to specifically check a company’s Terms of Service to see what it says there about logging and scenarios where it would (or wouldn’t) disclose user information. A simple way to improve your chances of landing on a safe and well-meaning VPN is to pay for one. Free VPNs aren’t inherently bad, but all services have to make money somehow. [Wired | Post-FCC Privacy Rules, Should You VPN? | A VPN can protect your online privacy. But there’s a catch | Unblock-Us: Smart DNS And VPN For The Masses? | Protect your online privacy with the 5 best VPNs | VPN and maintaining corporate privacy | How to use a VPN: How to set up a VPN for secure, private browsing & access to blocked content | Make sure your VPN is setup correctly using a DNS Leak Tool | The actual privacy benefits of virtual private networks | Krebs on Security: To VPN or Not to VPN]


EU – Swedish Company Implanting Microchips in Employees

Swedish startup Epicenter has begun implanting microchips in employees’ bodies, allowing them to buy smoothies, open doors and manage printers via the device. Some employees are even hosting parties for those interested in getting chipped, the report states. However, the move is not without privacy worries, and some technologists warn that hackers can easily access the chips and gain a wealth of information from them. “Conceptually you could get data about your health, you could get data about your whereabouts, how often you’re working, how long you’re working, if you’re taking toilet breaks and things like that,” said microbiologist Ben Libberton. The ethical dilemmas will also grow, the more sophisticated chip programs become, the report adds. [The Associated Press]

WW – IoT Device Maker Shuts Down Customer’s Device After ‘Abusive’ Review

Denis Grisak, the creator of Wi-Fi-powered garage door opener Garadget, has come under fire after bricking a “toxic” customer who reviewed his product negatively after experiencing a technical difficulty. The consumer in question had posted to the Garadget message board seeking assistance for his difficulty over the weekend. Having not received an immediate response, he took to Amazon and gave the device a one-star review. Grisak responded, calling the poster’s language “abusive” and denying the user’s unit server connection. The dialogue sparked outrage on Twitter, leading Grisak to issue a statement arguing that the move wasn’t based off the review, but rather his desire “to distance from the toxic individual ASAP,” he said. [Ars Technica]


US – If You Want to Stop Big Data Breaches, Start With Databases

Over the past few years, large-scale data breaches have become so common that even tens of millions of records leaking feels unremarkable. One frequent culprit that gets buried beneath the headlines? Poorly secured databases that connect directly to the internet. Any type of database can be left open or unprotected, a string of breaches over the last few years have all centered around one type in particular: open-source “NoSQL” databases, particularly those using the popular MongoDB database program. Memorable unprotected database breaches include the 2015 MacKeeper incident in which usernames, passwords and other data leaked for more than 13 million of the security scanner’s customers. In April 2016, security researcher Chris Vickery discovered an exposed database containing the full names, addresses, birthdays and voter registration numbers for all 93.4 million Mexican voters, which had been accessible online for seven months. Also in April, hackers stole user data for 1.1 million people from the insecure database of the dating website BeautifulPeople.com, and in October hackers compromised personal data from 58 million customers of the data storage firm Modern Business Solutions. And those are just some of the most publicized hacks. Unprotected databases are also trivial to find. Both criminals and researchers alike use network visibility tools like the search engine Shodan, which indexes internet-connected devices, to get a sense of how many exposed databases are out there. Currently searching “MongoDB” on Shodan reveals more than 50,000 exposed databases. They may or may not be vulnerable to attack, but simply being visible increases their risk. [Wired]

US – Pew Center Survey Finds Americans Lack Understanding of Cybersecurity Measures

According to a survey from the Pew Research Center, most Americans lack a basic understanding of online security measures. While most of the people responding to the survey were able to identify string passwords from a list and knew that public Wi-Fi is not safe, just one-third knew what HTTPS is and just one-tenth were able to identify two-factor authentication. The survey of 1,055 American adults consisted of a 13 question online quiz. The median score was 5.5. [Americans ignorant on cybersecurity, Pew poll shows | Most American Internet Users Have No Idea How to Protect Their Accounts | What the Public Knows About Cybersecurity ]

UK – Survey: UK Employees Among the Worst At Protecting Data

The Barclays Digital Development Index found U.K. employees were among the worst at protecting their data and devices. The survey placed the U.K. ninth out of 10 countries, finishing behind Brazil, China and South Africa. Among the issues cited by Barclays was the lack of digital skills in U.K. businesses. The survey found only 13% of U.K. employees use password-generating software, compared to 32% in both China and India, while only 41% change their passwords on a regular basis. Barclays found the majority of respondents store payment information on frequently visited websites. “Productivity and convenience are put above security,” said Glasswall Solutions Vice President Chris Dye. [Financial Times]

Smart Cars

US – Self-Driving Cars Will Collect Your Data — and Canada’s Privacy Commissioner is Concerned

At a hearing held by a Senate committee studying autonomous cars, Privacy Commissioner Daniel Therrien testified [see here] that cities, parking facilities, carmakers and other groups could be interested in data collected by vehicles. “There are probably hundreds of players, public or private, that can ultimately receive information from the car,” he told senators. He said his office is working on a Code of Practice for the automotive industry and also looking at online consent forms that Canadians tend to click through blindly. He said carmakers seem open to suggestions so far. Therrien said his office has received few complaints about autonomous or connected vehicles so far, as well as some complaints about GPS devices. Consumers generally don’t realize what they’ve agreed to in purchasing and setting up such devices, he said. “What we found in the investigation is that the consumer, the owner of the device, is rarely if ever well informed about who will get the information,” he said. [MetroNews | Appearance before the Senate Committee on Transportation and Communications (TRCM) on the Study on the regulatory and technical issues related to the deployment of connected and automated vehicles]

US – FTC and NHTSA to Explore Vehicle Privacy and Security Issues

The Federal Trade Commission (FTC) and National Highway Traffic Safety Administration (NHTSA) are co-hosting a workshop on June 28, 2017, to explore the privacy and security issues raised by automated and connected vehicle technologies. [see PR here] The agencies are looking to explore the types of data such technologies collect, store, transmit, and share; the potential benefits and challenges posed by the technologies; the privacy and security practices of vehicle manufacturers; the roles that federal agencies should play in regulating privacy and security issues; and how self-regulatory standards apply to connected vehicle privacy and security issues. In advance of the workshop, the FTC and NHTSA are seeking public comment on privacy and security issues. The workshop and the public comments present industry with a valuable opportunity to educate the agencies about the ways in which they have already been addressing privacy and security concerns and to provide the agencies with feedback regarding possible legislative and regulatory proposals.. Comments may be submitted through April 20, 2017. [HLDA]

US – For Privacy Sake Say No to NHTSA Vehicle-to-Vehicle Comms Rule

Comments on the National Highway Traffic Safety Administration‘s proposed vehicle-to-vehicle communications mandate are due on April 12. If approved, it will add around $300 dollars to the price of every car, or (at recent car sales rates) well over $5 billion per year. Despite the high cost, the NHTSA predicts the rule will save no more than 31 lives in 2025, mainly because it will do little good until most cars have it. The danger is not that it will cost too much per life saved but that mandating one technology will inhibit the development and use of better technologies that could save even more lives at a lower cost. All of the benefits claimed for the DSRC mandate assume that no other technology improvements take place. In fact, self-driving cars (which will work just as well with or without vehicle-to-vehicle systems) will greatly reduce auto fatalities, rendering the projected savings from vehicle-to-vehicle communications moot. A mandate that one technology be used in all cars also opens the transportation system to potential hackers. There is also a privacy issue: vehicle-to-vehicle also means infrastructure-to-vehicle communications, raising the possibility that the government could monitor and even turn off your car if you were doing something it didn’t like, such as drive “too many” miles per year. That’s a very real concern because the Washington legislature has mandated a 50% reduction in per capita driving by 2050. Oregon and possibly other states have passed similar rules. [CATO See also: Cars Would Be Required to Talk to Each Other Under U.S. Plan]

US – The Fourth Amendment and Access to Automobile ‘Black Boxes’

Most cars manufactured in the past three years come with event data recorders, sometimes known as “black boxes.” These devices are computers that record and store crash data in the event of an accident. A new Florida state court decision, State v. Worsham, considers an interesting question: How does the Fourth Amendment apply to government efforts to retrieve data from event data recorders? Worsham was in a terrible accident, and his car was impounded. Twelve days later, the police downloaded the data from the event data recorder without obtaining a warrant. Worsham has been charged with drunken driving and vehicular homicide, and the police want to use the data from the event data recorder to show Worsham’s guilt. The question is: Does the Fourth Amendment allow it? The Florida court divides 2-1. According to the majority, accessing the data is a search that requires a warrant. Because the police accessed the data without a warrant, the evidence must be suppressed. The dissent argues that people have no reasonable expectation of privacy in the data stored in event data recorders. Here’s my tentative take: This is a pretty tricky question based on current Fourth Amendment caselaw. Applying that caselaw, I would think that accessing the event data recorder was likely a search. On the other hand, it’s not obvious to me that it requires a warrant. [Washington Post]


CA – RCMP Reveals Use of Secretive Cellphone Surveillance Technology for the First Time

The RCMP for the first time is publicly confirming it uses cellphone surveillance devices in investigations across Canada. RCMP Chief Supt. Jeff Adam, who is in charge of technical investigations services, held an unprecedented technical briefing with reporters from CBC News, the Toronto Star and the Globe and Mail. The RCMP held the briefing in the wake of a CBC News investigation that found evidence that devices known as IMSI catchers may be in use near government buildings in Ottawa for the purpose of illegal spying. Public Safety Minister Ralph Goodale said the devices detected did not belong to any Canadian police or intelligence agency. Adam told reporters that while he isn’t “personally aware” of foreign agencies using the technology in Canada, “I can’t rule that out.” The RCMP and CSIS are now investigating. The RCMP says that MDIs — of which it owns 10 — have become “vital tools” deployed scores of times to identify and track mobile devices in 19 criminal investigations last year and another 24 in 2015. He says in all cases but one in 2016, police got warrants. The one exception was an exigent circumstance — in other words, an emergency scenario “such as a kidnapping,” said Adam, whose office tracks every instance where an MDI has been used by the RCMP. He said the RCMP’s devices are restricted in their use, with software that only allows them to identify a mobile device and to potentially track the location of that phone. “What the RCMP technology does not do is collect private communication,” Adam said. “In other words, it does not collect voice and audio communications, email messages, text messages, contact lists, images, encryption keys or basic subscriber information.” Adam conceded that until two months ago the RCMP itself failed to get express approval to use MDIs from Innovation, Science and Economic Development Canada (ISED, formerly Industry Canada), the government body responsible for regulating technology that might interfere with wireless communications. [CBC | RCMP acknowledges using phone trackers to collect Canadians’ cellular details | RCMP reveals its use of cellphone-tracking machines  | After years of secrecy, RCMP finally admits to using mass cell phone surveillance tools on Canadians | RCMP, CSIS launch investigations into phone spying on Parliament Hill after CBC story | Someone is spying on cellphones in the nation’s capital ]

US – Obama’s Rule Changes Opened Door for NSA Intercepts to Reach Political Hands

To intelligence professionals, the public revelations affirm an undeniable reality. Over the last decade, the assumption of civil liberty and privacy protections for Americans incidentally intercepted by the NSA overseas has been eroded in the name of national security. Today, the power to unmask an American’s name inside an NSA intercept — once considered a rare event in the intelligence and civil liberty communities — now resides with about 20 different officials inside the NSA alone. The FBI also has the ability to unmask Americans’ names to other intelligence professionals and policymakers. [in his final days in office, Obama created the largest ever expansion of access to non-minimized NSA intercepts, creating a path for all U.S. intelligence to gain access to unmasked reports by changes encoded in a Reagan-era Executive Order 12333.[see here] The government officials who could request or approve an exception to unmask a U.S. citizen’s identity has grown substantially. Executives in 16 agencies — not just the FBI, CIA and NSA — have the right to request unmasked information.] And the justification for requesting such unmasking can be as simple as claiming “the identity of the United States person is necessary to understand foreign intelligence information or assess its importance,” according to a once-classified document that the Obama administration submitted in October 2011 for approval by the Foreign Intelligence Surveillance Court. It laid out specifically how and when the NSA could unmask an American’s identity. [see here] But those directly familiar with the processes acknowledged the breadth of access today could be abused for political espionage or pure prurient interests, instead of just compelling national security interests. “There may be very good reasons for some political appointees to need access to a non-minimized intelligence reporting but we don’t know and given the breadth of unmasked sharing that went on, there is the strong possibility of abusive or excessive access that harmed Americans’ privacy,” said an intel source familiar with the data. Added another: “Wholesale access to unmasked incidental NSA intercepts essentially created the potential for spying on Americans overseas after the fact, which is exactly what our foreign intelligence arms are not supposed to be doing.” Perhaps the most consequential outcome of the new revelations is that it may impact the NSA’s primary authority to intercept foreigners: Section 702 of the Foreign Intelligence Surveillance Act is up for renewal at the end of the year. [Circa | See also: Obama Opens NSA’s Vast Trove of Warrantless Data to Entire Intelligence Community, Just in Time for Trump | National Security Agency Databases Open for Business | Obama Expands Surveillance Powers on His Way Out | E.O. 12333 Raw SIGINT Availability Procedures: A Quick and Dirty Summary | N.S.A. Gets More Latitude to Share Intercepted Communications | Trump to Inherit Vast Surveillance Powers ]

Telecom / TV

US – Legislators Vote to Undo FCC’s ISP Privacy Laws

The US House of Representatives has voted to undo the Federal Communications Commission’s broadband privacy rules, allowing Internet service providers to sell customers’ data, including browsing history, without obtaining their consent. This include browsing history. The Senate approved the change earlier this month. [House votes to repeal FCC privacy laws for ISPs]

US – Democrats Ask ISPs to Obtain Customer Consent Before Using Data

A group of senators have written a letter to seven broadband providers pressing them to obtain customers’ permission before using their data, despite the repeal of the Federal Communications Commission’s broadband privacy rules. The letter was sent by Sens. Ed Markey, D-Mass., Al Franken, D-Minn., Richard Blumenthal, D-Conn., Bernie Sanders, I-Vt., Ron Wyden, D-Ore., Patrick Leahy, D-Vt., and Chris Van Hollen, D-Md. In the letter, the senators ask the broadband providers to clarify whether they receive opt-in consent before using and sharing data and whether they use a pay-for-privacy strategy. “We … believe that broadband providers should follow strong privacy and security rules that give consumers control over how their information is used and shared, as well as confidence their information will be protected,” the senators wrote. [MediaPost]

WW – Ranking Digital Rights 2017 Corporate Accountability Index

The 2017 Ranking Digital Rights Corporate Accountability Index [see Index here, to watch the March 23 Index launch event see here] finds the world’s most powerful internet, mobile and telecommunications companies leave users in the dark, failing to disclose key information about policies affecting users’ rights. While some companies have improved since they were first evaluated in 2015, most of the world’s internet users do not receive adequate information about how companies’ policies affect what users can or cannot say online or who is tracking them. Ranking Digital Rights analyzed a representative group of 22 companies whose products and services collectively are used by over half of the world’s 3.7 billion internet users. It builds on the 2015 Corporate Accountability Index, which found widespread failure by companies evaluated to disclose key information about their policies and practices affecting freedom of expression and privacy. Selected findings are included below. [Ranking Digital Rights]

US Government Programs

US – Bipartisan Bill Aims to Rein in Warrantless Device Searches at Border

As promised by Sen. Wyden in February, a bill was introduced this week in Congress that would require U.S. Customs and Border Protection or other government agents to obtain a probable cause warrant before searching the digital devices of U.S. citizens and legal permanent residents at the border. Sen. Wyden (D-OR) and Sen. Paul (R-KY) are original sponsors of the Protecting Data at the Border Act in the Senate (S. 823), while Rep. Polis (D-CO), Rep. Smith (D-WA), and Rep. Farenthold (R-TX) are taking the lead on this issue in the House (H.R. 1899). US advocacy group EFF has been arguing for a while that the Fourth Amendment requires a warrant based on probable cause for border searches of cell phones, laptops, and other digital devices that contain gigabytes of highly personal information. EFF most recently made these arguments in an amicus brief before the U.S. Court of Appeals for the Fourth Circuit in the case U.S. v. Kolsuz. CBP unreasonably argues that the privacy interest travelers have in digital devices is no different than that of luggage or other physical items travelers may bring with them across the border, thus CBP applies to digital devices the traditional “border search exception” to the Fourth Amendment, which permits warrantless and suspicionless “routine” border searches. However, there is nothing “routine” about unregulated government intrusion into a device that contains, as the Supreme Court has said, “the sum of an individual’s private life.” As the bill’s findings state, the privacy interest in digital data “differs in both degree and kind from [the] privacy interest in closed containers.” In addition to the warrant requirement, the Protecting Data at the Border Act would prohibit the government from delaying or denying entry or exit to a U.S. person based on that person’s refusal to hand over a device passcode, online account login credentials, or social media handles to a border agent. [EFF] | Bill would block warrantless searches of Americans’ phones at borders | Lawmakers Move To Stop Warrantless Cellphone Searches at the U.S. Border | Lawsuit Seeks Transparency as Searches of Cellphones and Laptops Skyrocket at Borders | Digital Privacy at the U.S Border: A New How-To Guide from EFF]

US – Re-Introduced Federal Bill Would Require Vehicle Manufacturers to Protect Against Hackers

S.680, the SPY Car Act of 2017, was introduced in the US Senate and referred to the Committee on Commerce, Science and Transportation. Protection measures would include isolation of critical software systems from non-critical systems, evaluation of security vulnerabilities, and securing all driving data stored on-board or in transit; an opt-out from collection and retention of driving data must be provided to drivers without any impact on access to navigation tools, and information collected by vehicles cannot be used for marketing/advertising without express consent. [S.680 – SPY Car Act of 2017 – US Senate – 115th Congress]

US Legislation

US – GOP Votes to Destroy Online Privacy to Serve AT&T and Comcast

It’s hard to overstate what a blow to individual privacy this is. There is literally no constituency in favor of this bill other than these telecom giants. It’d be surprising if even a single voter who cast their ballot for Trump or a GOP Congress even thought about, let alone favored, rescission of privacy-protecting rules for ISPs. So blatant is the corporate-donor servitude here that there’s no pretext even available for pretending this benefits ordinary citizens. It’s a bill written exclusively by and for a small number of corporate giants exclusively for their commercial benefit at the expense of everyone else. But the inane idea that individuals should lose all online privacy protections in the name of regulatory consistency or maximizing corporate profits is something that is almost impossible to sell even to the most loyal ideologues. [The Intercept | Six Reasons FCC Rules Aren’t Needed to Protect Privacy | Clearing up the Senate’s confusion on FCC privacy rules]

US – Tennessee Bill Aims to Clarify Breach Notice Encryption Exemption

Tennessee’s 2005 breach notice law specifically provided an exception to providing notice if the breached data were encrypted. But in 2016, the law was amended to remove the specific exemption but still mentioned encryption as a means of protecting data. That change cast doubt for many on whether the breach notice encryption exception was still allowed under the Tennessee law. The new amendment [see S.B. 547 here] would reinstate the encryption language in the statute to remove any doubt that companies need not give breach notice of encrypted data, unless the encryption key was also breached. The bill helps remove a perceived disincentive to encrypt data, its sponsors said when introducing it. The bill would help harmonize Tennessee’s data breach notification standards with those of other states, Jason C. Gavejian, privacy attorney and principal at Jackson Lewis PC in Morristown, N.J., told Bloomberg BNA. In addition to exempting encrypted data from notification requirements, S.B. 547 would clarify that the 45-day time limit for providing notice of a breach could be extended “due to the legitimate needs of law enforcement.” [BNA]

US – New York’s ‘Unconstitutional’ Right to Be Forgotten Bill Sparks Concern

New York state politicians have introduced a right-to-be-forgotten bill that would require the removal of some online statements about others. To be exact, statements that are judged “inaccurate”, “irrelevant”, “inadequate” or “excessive.” New York Assembly Bill 5323 was introduced by David Weprin and as Senate Bill 4561 by state senator Tony Avella.. The bill would cover the following wide range of online publishers, running the gamut from search giants like Google all the way down to ordinary individuals like you and me: “search engines, indexers, publishers and any other persons or entities which make available, on or through the internet or other widely used computer-based network, program or service, information about an individual. Failure to comply would carry fines of at least $250/day, plus attorney fees. The bill contains no exception for materials of genuine historical interest Nor would it exempt autobiographic material, whether it’s found “in a book, on a blog or anywhere else.” Ditto for information on political figures or celebrities. How does the NY bill compare to Europe’s right to be forgotten? For one thing, the European Commission has made it clear that the courts meant for journalistic work to be protected when they passed the right to be forgotten judgment. In comparison, the NY bill is toddling into this contentious debate practically stripped of any exceptions at all for freedom of speech and with no signs that it’s been crafted to protect against censorship.[NakedSecurity | NY Legislators Looking At Installing A Free Speech-Stomping ‘Right To Be Forgotten’ | ‘Right to Be Forgotten’ Legislation Attempts Foothold in New York| N.Y. bill would require people to remove ‘inaccurate,’ ‘irrelevant,’ ‘inadequate’ or ‘excessive’ statements about others]

US – Dem Senators Reintroduce Cybersecurity Bills for Cars, Planes

Democratic Sens. Ed Markey (Mass.) and Richard Blumenthal (D-Conn.) are reintroducing two bills aimed at improving cybersecurity in automobiles and airplanes. “Whether in their cars on the road or in aircraft in the sky, Americans should be protected from cyberattack and violations of their privacy,” said Markey in a joint press release [see here] announcing the legislation on Wednesday. The Security and Privacy in Your Car (SPY Car) Act [see here] would require the National Highway Traffic Safety Administration and Federal Trade Commission to develop automotive cybersecurity and privacy standards. It also calls for a “cyber dashboard” rating system that would inform consumers how cars went above and beyond those standards. The Cybersecurity Standards for Aircraft to Improve Resilience (Cyber AIR) Act [see here] would introduce a bevy of new baseline standards for air carriers. [The Hill | Sens. Reintroduce Connected-Car Data Security, Privacy Bill]

Workplace Privacy

CA – Ontario Court Finds Company’s Substance Abuse Testing Practices Reasonable

The Court considers Amalgamated Transit Union, Local 113’s motion for an interlocutory injunction against random alcohol and drug testing by the Toronto Transit Commission. The policy requires all employees in safety sensitive positions (drivers and operators of the city’s public transportation), as well as senior management, to undergo random drug and alcohol testing; the procedure is non-invasive (includes a breathalyzer and cheek swab) and takes place in a secluded place, test results are not used in a manner inconsistent with the expectations of the person being tested, and there is little to no chance of flawed or false-positive results (a second swab is taken in the event of a dispute). [Amalgamated Transit Union Local 113 v Toronto Transit Commission – 2017 ONSC 2078 CanLII – Ontario Superior Court]

AU – Australian DPA Recommends Holding Employees and Contractors Liable for Data Breaches

The New South Wales Office of the Privacy Commissioner has issued recommendations to amend the Privacy and Personal Information Protection Act 1998 and Health Records and Information Privacy Act 2002. Proposed amendments to privacy legislation provide victims of privacy breaches with a right to complain against public or private employees and contractors, and to ensure organizations make contractual arrangements capable of binding contractors and any subcontractors for the proper handling of personal information; where organizations have adequate safeguards, employees should be added as respondents in the case. [DPA Australia – NSW informational Privacy Rights – Legislative Scope and Interpretation – Employer Employee and Agent Responsibilities]



Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: