Monthly Archives: May 2017

24 April – 19 May 2017

Biometrics

US – Airport Facial Recognition Scans to be Mandatory for All Passengers

All US airports may soon have facial recognition software activated to scan each passenger regardless of their citizenship. The plan was first proposed for select airports and international passengers only, but the Customs and Border Protection (CBP) department has suggested it be made mandatory for all passengers, even if they are holding US passports. The initial plan was to register visitors leaving the country using facial recognition. But now it is proposed that facial scans be made mandatory for any passenger when they leave or re-enter the country or pass through TSA checkpoints. The agency aims to create an airport-wide system, dubbed The Biometric Pathway, in which facial scans become mandatory along with regular passenger details. At present, the Exit program is being tested on a flight from Atlanta to Tokyo, and will soon roll out in seven new airports. The mechanism is limited to the airport departure gates for now, and expanding it to all checkpoints will depend on cooperation from partner agencies like the TSA. [IB Times]

AU – Australia Adds Millions of Citizen Photos to Govpass Face Rec System

The Australian government intends to add citizens’ passport photos to a national facial recognition database to be used for its Govpass digital identity system and criminal justice purposes. These 12 million records will bolster the system launched in 2016, which previously held only images of foreigners seeking Australian citizenship. But it has privacy advocates pushing for creation of a new national commissioner with biometrics oversight. In addition to the passport photos, InnovationAus.com reported that negotiations are underway that could result in the inclusion of millions of driver license images as well. A privacy impact assessment was conducted in 2015 but it focused on the design and governance rather than privacy protection. Recent academic research has led to the call for creation of a biometrics commissioner to address the governance gap. [Secure-IDNews]

US – NYPD Refuses to Disclose Information About Its Face Recognition Program, So Privacy Researchers Are Suing

Researchers at Georgetown University law school Center on Privacy and Technology [see here] filed a Freedom of Information lawsuit against the New York City Police Department today for the agency’s refusal to disclose documents about its longstanding use of face recognition technology. The researchers requested records pertaining to the NYPD’s program in January 2016 as part of The Perpetual Line-Up, a year-long study on law enforcement uses of facial recognition technology. The researchers received public records from more than 90 agencies across the country, but the NYPD determined in January 2017 that it was unable to find any records responsive to the Center’s detailed records requests. Clare Garvie, one of the co-authors of Georgetown’s report and an expert on face recognition technology, described the NYPD’s lack of transparency as a “very worrying prospect” given the technology’s potential for invasive surveillance, including in real time. Because the NYPD’s own policies, manuals, and documents are “the only controls” on its own system, their disclosure is in the public interest, Garvie explained. “If no records exist, that means that there are no controls on the use of face recognition technology and we ought to worry about that. If there are records, then why did the Police Department say that it couldn’t find them?” said David Vladeck, a member of Georgetown’s law faculty, in a press release. [The Intercept]

US – Illinois Biometrics Privacy Law Could Be Adopted by Other States

Illinois’ Biometric Information Privacy Act [see here], which came into effect in 2008, established protocols which require organizations collecting biometric data to notify people about the practice before they begin to gather data, as well as provide an exact timeline for deleting the data. Five states are currently evaluating amendments to their biometric laws. Alaska, Montana and New Hampshire take a similar approach to BIPA and allow private causes of action. Connecticut’s bill takes a very different approach and aims to prohibit retailers from using facial recognition technology for marketing purposes. Washington has some similarities to BIPA and is also like Texas’ current biometric law, in that it can be enforced solely by the attorney general. The lack of federal laws has cleared the path for state-driven initiatives to take charge, with Illinois introducing three other privacy bills since January. BIPA allows for a private cause of action. “It is unclear whether other states (will) adopt similar legislation, but we are seeing an uptick in states that care about biometric information,” Kadish said. [Biometric Update]

Canada

CA – MPs Calling on Government to Boost Protection of Canadian Civil Liberties

An influential group of Liberal MPs on the Commons standing committee on public safety released a report [see here] containing 41 recommendations [see here]. They urged Prime Minister Justin Trudeau to increase parliamentary, civilian and judicial oversight of national security agencies, to create a new watchdog agency for Canada’s border agency, and to dial back extraordinary threat reduction powers given to CSIS by the Conservatives in controversial changes to Canada’s anti-terror law under Bill C51. They want the law to require ministerial approval and prior judicial warrants for any measures that could be perceived as potential violations of the Charter of Rights and Freedoms. But the Liberals would not move to repeal that CSIS power altogether. Other recommendations say vague definitions in the Criminal Code, such as “terrorist propaganda,” must be clarified, and there must be an obligatory review of all appeals from persons who feel they are wrongly listed on the so-called “no fly” list for air travel. The Liberals recommended the government not legislate greater “lawful access” for police and intelligence agencies who want to acquire telecom companies’ customers’ subscriber information, online activities, telephone conversations, and encrypted communications, without further study. But the Liberals would make it easier to prosecute terror cases by allowing criminal trial judges to review secret information and decide on matters of confidentiality in national security cases, without requiring those questions be put before a separate Federal Court judge. The Conservatives issued a dissenting report that supported the previous government’s approach to Bill C51. 
Public safety critic Tony Clement said he supported the Liberal majority report on matters such as increased oversight for the Canada Border Services Agency, and the creation of an office with responsibility to oversee the information-sharing and national security activities of the roughly 17 departments and agencies that have some role in national security. [See here] The NDP issued a separate report that supported the majority of the Liberal report but said the government should go further and completely repeal Bill C51. [See here] Elizabeth May, Green Party leader, agreed. “I urge the Government to take this report as a floor, not a ceiling, of what is possible in undoing the harms of C-51.” Josh Paterson, head of the BC Civil Liberties Association, supported the call for a dedicated, integrated agency to provide review of national security operations across the whole of the government. [See here] [Toronto Star]

CA – Oversight of National Security in Canada Still Needs A Lot of Work, New Reports Show

Given the use of Stingrays, along with CSIS’s recently exposed (and illegal) practice of retaining large amounts of Canadian metadata, it should be clear that Canada’s capacity for holding our intelligence agencies accountable should be increased. And two recent reports show that there’s still a lot of work to be done on oversight of national security in Canada. One report is much more technical. It came from an assessment by the Commons Standing Committee on Access to Information, Privacy and Ethics of the Security of Canada Information Sharing Act [http://www.ourcommons.ca/DocumentViewer/en/42-1/ETHI/report-5/], which is contained in the controversial Bill C-51, also known as the Anti-terrorism Act. The other is much broader in its scope and recommendations, and is the product of cross-country hearings on Canadian national security conducted last year by the Commons Standing Committee on Public Safety and National Security. While both reports reinforce, in spirit and content, that Canadian national security oversight needs to be bolstered, they don’t really get at the details of how to do so on a practical level. This is especially true of the report from SECU, the public safety and national security committee, given its broad range. [CBC] [See also: Globe editorial: Ottawa should stop delaying and start fixing Bill C-51 | Time to rein in security overreach: Editorial | Don’t change lawful access rules, Parliamentary committee recommends | Restrict spy powers and increase oversight, Liberal and NDP MPs recommend]

CA – Appearance before the Standing Committee on Access to Information, Privacy and Ethics on the 2017-18 Main Estimates

Privacy Commissioner of Canada, Daniel Therrien, appeared before the Standing Committee on Access to Information, Privacy and Ethics to discuss the 2017 Main Estimates. In his remarks, he noted that to face the sustained volume but increased complexity of the work, the OPC will continue to make the most efficient use of its resources. Amidst competing demands, the OPC will not lose sight of its mandate: Ensuring that the privacy rights of Canadians are respected and that their personal information is protected. [Source]

CA – Federal Privacy Commissioner to Initiate Investigations, Not Just Wait for Complaints

The federal privacy commissioner says he’s temporarily no longer going to wait until people file complaints about alleged privacy issues before acting. [see here] Instead, Daniel Therrien will be more proactive, including launching investigations into questionable privacy practices or “chronic problems” on his own when necessary. It’s what Therrien called the commission’s new policy of “proactive compliance.” His office will draw on complaints and trends to determine if there are issues or sectors that would benefit from a special investigation. In an interview he said investigations would be on “issues of broad concern.” This “proactive enforcement” will last at least until September, when Therrien files his annual report to Parliament, where he may call for changes to federal legislation to update his office’s mandate. As part of being proactive, to help the private sector Therrien is considering offering to audit companies – perhaps for a fee – to see if they comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). [ITWorld] [Course correction for improved outcomes for Canadians]

US – To Fight ‘Surveillance Culture,’ Activists Release Kid-Focused Privacy Toolkit

“You shouldn’t need a PhD or law degree to ensure that your child’s sensitive student data isn’t shared with commercial entities.” The Parent Toolkit for Student Privacy: A Practical Guide for Protecting Your Child’s Sensitive School Data from Snoops, Hackers, and Marketers, released by the Parent Coalition for Student Privacy (PCSP) and the Campaign for a Commercial-Free Childhood (CCFC), teaches families about federal laws safeguarding their information, how to ask about schools’ data policies, and how to advocate for stronger protections in an age when records are increasingly stored digitally. The toolkit was released after the Electronic Frontier Foundation (EFF) published a report in April which found that “surveillance culture begins in grade school,” with tech companies spying on students through devices and software used in classrooms to collect kids’ names, birth dates, browsing histories, grades, disciplinary records, and other information. [Common Dreams]

CA – Canada’s Spies Examining ‘Vulnerabilities’ in Election System

CSE, Canada’s signals intelligence and cyberdefence agency, is conducting a “risk assessment” into how vulnerable Canadian elections are to foreign hacking and information operations. The review was ordered by the Liberal government in February, as the scope of Russian meddling in the 2016 U.S. presidential election was being made public by American intelligence agencies. The review is unlikely to focus on the security of the actual vote, which still relies on pens and paper rather than electronic voting. The greater risk is likely the kind of information – and disinformation – campaigns seen in the U.S. and the recent French presidential election. [The Star]

CA – RCMP Created, Then Abandoned Metadata-Crunching Tool to Extract Criminal Intelligence

The RCMP created, then suddenly abandoned, a tool to crunch electronic message trails gathered during criminal investigations — a previously unknown foray into the controversial realm of big-data analysis. The Telecommunications Analytical Platform was operating as recently as mid-November, say internal RCMP notes obtained by The Canadian Press through the Access to Information Act. “The TAP is a platform that regroups copies of certain telecommunications metadata from concluded investigations only, such as phone numbers, associated crime types, source links to police records management systems and the geographical region where the metadata was recorded which are lawfully collected by the RCMP and other Canadian police services in the course of criminal investigations,” the RCMP notes say. The tool was a “proof of concept” that turned out to be unsuccessful and “therefore the project was ended,” said Cpl. Annie Delisle, an RCMP spokeswoman. “No data was retained.” The Mounties would not say why the tool was ineffective, nor exactly how long it existed. [The Star]

CA – Queries for B.C. Liberal government Text Messages, Skype Calls, And Slack Logs All Turn Up Empty

In order to analyze government record-keeping, the Straight filed dozens of FoI requests for communication logs created via text message, Blackberry BBM, Skype, and Slack. Five ministries were targeted as a sample of the government. Within each ministry, records were requested for the minister, deputy ministers, and chiefs of staff for those offices. Those requests pertained to more than 20 public servants. Only three resulted in government records. Vincent Gogolek, executive director of the B.C. Freedom of Information and Privacy Association, noted that these communication tools are primarily used on mobile devices and are examples of tools that have become crucial for modern business. “It’s concerning that something that is this common a means of communication has no records,” he told the Straight. “That’s clear. There should be something there. How can you have a very common means of communication where there is nothing?” The B.C. Ministry of Information and Technology—the agency responsible for government computer systems—declined to grant an interview, on account of the ongoing provincial election. “It’s hard not to come to the obvious conclusion that there are missing records. I simply find it not credible, the suggestion that there is a group of people that does not use text messages,” said David Eby, the NDP incumbent candidate for Vancouver-Point Grey. [Source]

CA – Lawful Access: The Privacy Commissioner Reiterates its Position

On April 5, 2017, Patricia Kosseim, Senior General Counsel and Director General, Legal Services, Policy, Research and Technology Analysis for the Office of the Privacy Commissioner of Canada (the “OPC”), gave testimony [read here] before the Quebec Commission of Inquiry on protection of confidential media sources. Ms. Kosseim took the opportunity to present a clear view of the OPC’s position on how lawful access, as articulated in section 7(3) of PIPEDA, should be addressed. Of particular interest is how this position differs from the position taken by the federal government in recent years. Ms. Kosseim went on to reiterate the position that the Privacy Commissioner of Canada, Daniel Therrien, has taken on the subject. The OPC would like to see the lawful access rights of government institutions, including police, be limited, clearly articulated, and supervised by the judiciary. Canadians have the right to be secure against unreasonable search and seizure under the Charter and have the right to have their personal information protected under PIPEDA. These rights must be balanced with the reality that circumstances will arise when personal information will need to be disclosed for purposes such as public safety. [Canadian Cyber Security Law]

CA – Implied Consent: Creditors Can Directly Obtain Mortgage Discharge Statements

A review of a recent Supreme Court of Canada decision about whether the Personal Information Protection and Electronic Documents Act (PIPEDA) precludes disclosure of mortgage statements. The Supreme Court of Canada ruled that, if a judgment has been obtained, creditors are entitled to a court order requiring disclosure of a mortgage discharge statement from mortgagees without express consent of the debtor; however, lenders should still try to obtain borrower’s express consent to disclose certain financial information in the terms of the agreement to avoid legal proceedings, or having to file motions to compel disclosure. [Privacy and Property – The Supreme Court Clarifies The Limits of PIPEDA – Scott R. Venton and Kyle Kuepfer – Fogler Rubinoff LLP]

CA – Some Canadian Bank Record Information Being Sent Directly to IRS

Thousands of reports containing confidential Canadian banking information records have been sent directly to the U.S. Internal Revenue Service, without the Canadian government’s knowledge. According to information obtained under a U.S. Freedom of Information Act request, 31,574 such reports have been sent directly to the IRS over the past two years under the U.S. Foreign Account Tax Compliance Act (FATCA). Under U.S. law, anyone who is a U.S. citizen or considered a U.S. person for tax purposes has to file an income tax return to the IRS, regardless of whether they are living in the States. Some estimate as many as a million Canadian residents could be affected by FATCA — from Americans and dual citizens who are living in Canada to someone born in a U.S. border hospital who has lived their entire lives in Canada. This week, the impact of the reporting regime on Americans living outside the United States will be front and centre when a House of Representatives subcommittee holds hearings on the issue in Washington. Stephen Kish, a member of the group fighting in Canada’s Federal Court to have the banking record sharing deal struck down, said one of the key concerns of those affected by FATCA is the confidentiality of their banking information. [CBC]

CA – OIPC SK Believes Stand-Alone Legislation Required for Data Matching

The Office of the Saskatchewan Information and Privacy Commissioner has issued guidance for organizations on use of data matching. Data matching is a highly invasive activity that can lead to inaccurate information about individuals due to the incorporation of implicit and explicit biases, use of poorly selected data sets, and lack of knowledge about the logic used. Legislation should include principles of data minimization, openness, accuracy, de-identification, and establishing purpose and safeguards; projects should be limited to government and health institutions, and should require prior completion of PIAs and notification to the OIPC. [OIPC SK – Data Matching]

CA – Privacy and Property: The Supreme Court Clarifies Limits of PIPEDA

In Royal Bank of Canada v Trang (Trang) [see here], the Supreme Court removed a number of hurdles that judgment creditors often face when attempting to execute against a judgment debtor’s real property. Whereas a judgment creditor was previously required to obtain a debtor’s consent or a court order before obtaining a mortgage discharge statement (a prerequisite to a sheriff’s sale), the “Trang” decision allows the same creditor to obtain the debtor’s implied consent simply by filing a writ of seizure and sale with the sheriff. At a broader level, Trang makes clear that individuals cannot hide behind the “Personal Information Protection and Electronic Documents Act” (PIPEDA) to escape their legal obligations. While “Trang” provides a principled justification for the disclosure of a mortgagor’s personal information, a prudent lender might nonetheless wish to obtain a borrower’s express consent to the disclosure of certain financial information as a term of the standard mortgage agreement. This preventive step may assist in avoiding the expense and trouble associated with legal proceedings commenced under PIPEDA or, as was the case in “Trang”, motions to compel the disclosure of private financial information. [Mondaq]

CA – Ontario Bill Outlines Obligations for Handling Personal Information of Children Under Government or Foster Care

Bill 89, Supporting Children, Youth and Families Act, 2017 has been introduced in the Ontario Legislative Assembly. The Act amends and repeals the Child and Family Services Act; the Bill has passed second reading and been referred to the Standing Committee on Justice Policy; if passed, it will come into force on a day to be named by proclamation of the Lieutenant Governor. Service providers (e.g., Minister, licensee or society) and other ministries may disclose personal information (PI) and collect PI from each other for the purpose of planning, managing or delivering a service that the ministry provides, and must comply with a court order requiring the disclosure of PI for the purposes of inspection; notification must be provided to affected individuals, the Privacy Commissioner and Minister of Child and Youth Services in the event of a data breach. [Bill 89 – Supporting Children, Youth and Families Act, 2017 – Ministry of Children and Youth Services – Legislative Assembly of the Province of Ontario]

CA – IPC Ontario Recommends Bill 89 Amendments Regarding Handling PI Under Government or Foster Care

The Information and Privacy Commissioner of Ontario presented his comments on Bill 89, the Supporting Children, Youth and Families Act. The bill provides too much authority to the Minister of Children and Youth Services by conflating the authorities to collect and use PI, and the purposes for which indirect collection of PI is allowed (service delivery versus planning and managing the delivery of services); amendments include using a privacy framework that incorporates data minimization, oversight and transparency, and provisions prohibiting the Minister from disclosing any PI if other information will serve the purpose. [IPC ON – Comments of the Information and Privacy Commissioner of Ontario on Bill 89]

CA – PEI Privacy Commissioner Upholds Public Body’s Decision to Withhold Records Covered by Solicitor-Client Privilege

The Information and Privacy Commissioner reviewed a request denied by the Public School Branch pursuant to the Freedom of Information and Protection of Privacy Act. [IPC PEI – Order No FI17004 Public Schools Branch]

CA – Ontario Court Orders Insurance Company to Collaborate With Insured on Reasonableness of Consent Form

The Court considered Intact Insurance Company’s application for a determination of rights based on the Court’s interpretation of the Statutory Accident Benefits Schedule (SABS). The SABS is silent on the issue of the form of any consent that may be required by an examiner related to evaluations for insurance claims, and health professionals could experience negative consequences if they perform medical-legal examinations without having obtained consent in advance; since the essence of SABS is to have relevant, reasonable and necessary measures in place, collaborative efforts to develop a consent form that is reasonable would be beneficial to both parties. [Intact Insurance Company v Beaudry – 2016 ONSC 6127 CANLII – Ontario Supreme Court of Justice]

CA – Privacy Concerns Raised as Calgary Considers Electronic Parking Permit Proposal

Some Calgarians are up in arms over a proposed change to residential parking zone enforcement that would do away with physical parking permits and introduce an electronic registry of licence plates. Some residents fear the registry will provide the City with the ability to track and analyze their movements and potentially share this information with third parties. The system would be similar to the Calgary Parking Authority’s ParkPlus scheme where patrol cars scan licence plates and issue tickets to the owners of vehicles found to be in violation of the posted rules. Under the proposal, the practice of providing residents with plastic permits to place on the rearview mirrors of their vehicles or the vehicles of their visitors would be eliminated. Residents in Calgary’s 77 residential parking zones would be required to register their licence plates, and the licence plates of their visitors, online. Enforcement of residential parking zones would be patrolled by vehicles equipped with cameras as opposed to having officers on foot checking for the placards. Lee Tasker, a resident of Hillhurst, believes the proposed system is an invasion of privacy and suggests the City is prioritizing monetary gains over the security of its citizens. A report projects the introduction of the proposed system would result in $200,000 in additional revenue in 2018 and $400,000 the following year. The estimated cost of implementing the program is $400,000. Tasker and representatives of the Privacy and Access Council of Canada, who refer to the program as Orwellian and Kafkaesque, say the storing of personal information for an extended time is completely unreasonable. [CiviNews]

CA – Let Territorial Job Applicants See Their References, Says Nunavut MLA

MLA Pat Angnakak says, “as soon as somebody makes a reference about you that’s your information, it belongs to you, so you should be able to say, ‘I want my information about myself.’” She says unsuccessful candidates should have the opportunity to defend claims made by their referees. Nunavut’s Privacy Commissioner, Elaine Keenan Bengts, addressed the MLA’s concerns at a standing committee meeting last week. “A policy which says we are simply not going to disclose any of the information we get from references, is clearly, in my opinion, contrary to the act,” Keenan Bengts said. She said access to personal information, such as references, was of the “highest level of entitlement.” [CBC]

CA – Nunavut Privacy Boss Says Privacy Not a Priority for GN Health

Nunavut’s IPC, Elaine Keenan Bengts, says the health department’s lack of communication on the privacy shortfalls at the Qikiqtani General Hospital in Iqaluit proved privacy was not its top priority. Keenan Bengts told a standing committee of Nunavut MLAs May 10 that she has heard nothing from the Department of Health since her report was tabled last fall. Fax machines printing off sensitive medical data in public hallways, computers left idle, lackluster security for medical records and even employees unofficially accessing their own medical data were some of the more egregious violations noted by Keenan Bengts during her two days of testimony. The commissioner submitted 31 recommendations following her audit, calling for MLAs to enshrine patients’ privacy rights in standalone health information legislation, shifting fully to electronic records, and creating a dedicated privacy officer position at the hospital. [Source] [Nunavut’s health records ‘ripe for privacy breach’, says territory’s information commissioner]

CA – Security Camera Makers Urged to Beef Up Privacy After School Streaming Incident

Canada’s privacy commissioner will once again press companies that make security cameras to strengthen privacy on their devices so users don’t unwittingly stream personal images on the internet. Jennifer Rees-Jones, a senior advisor at the Office of the Privacy Commissioner of Canada, said the action was inspired by a CBC News story last week about Rankin School of the Narrows in Iona, Cape Breton, where a surveillance camera was streaming images of students outside a bathroom live to the internet. She said the privacy commissioner sent similar letters in early 2015, but the threat to Canadians’ privacy is still acute. Robert Currie, director of the Law and Technology Institute at the Schulich School of Law at Dalhousie University, said there are between 100 million and 200 million digital security cameras in Canada with varying levels of security. He thinks renewed action by the privacy commissioner will work. Currie said manufacturers “don’t want the government passing laws to fix this problem if they can fix it internally in the industry.” [CBC | N.S. privacy commissioner investigates after school webcam broadcasts images | Russian website broadcast live pictures of Cape Breton schoolchildren | Unsecured Webcams Are Broadcasting Canadian Daycares, Schools Online]

Consumer

US – Over 80% of Americans Are More Worried About Privacy, Security Than a Year Ago

More than 80% of Americans are more concerned about their online privacy and security today than they were a year ago, a recent AnchorFree survey [PDF] of more than 2,000 Americans found. The survey found that over 95% of respondents are concerned about companies collecting and selling their personal information without their consent, and more than 50% are looking for new ways to safeguard their personal data. The survey also found that while 70% of respondents are doing more today to protect their online privacy than they were a year ago, just one in four believe they’re ultimately responsible for ensuring safe and secure Internet access. A separate TeleSign survey [PDF] of 1,300 U.S. adults found that 31% of consumers said their online life is worth $100,000 or more — and 55% said businesses are primarily responsible for account security. An EyeVerify survey of 1,002 U.S. adults recently found that 79% of respondents want the ability to use more biometric authentication methods beyond the fingerprint to access mobile banking or payment apps, and 42% said they wouldn’t use a banking or payment app that doesn’t offer biometric authentication. [eSecurity Planet]

E-Mail

CA – Sask Issue of MLAs Using Private Email May Go to OIPC

A senior provincial cabinet minister says every MLA uses private email for government business, a statement seemingly at odds with the government’s position one week ago. “All the members have used their private email for business related to government to respond to constituents and, you know, myself included, as has every other member,” Crown Investments Corporation Minister Joe Hargrave told reporters in Regina, following the end of the legislative session. Saskatoon man Marcus Grundahl said he was “surprised and alarmed” when Hargrave replied via private email to his concerns over the Saskatchewan Transportation Company. Hargrave has since admitted to the mistake and says it won’t happen again. Grundahl, though, said that isn’t the end of things. He’s taken the matter to Saskatchewan’s information and privacy commissioner for review. [CBC]

Electronic Records

UK – Hospitals Rapped for Sharing 1.6m Patient Records With Google

When the tie-up between Google’s DeepMind and London’s Royal Free NHS Trust was announced in 2016, it was praised as the sort of forward-looking innovation the NHS badly needed. But within weeks a wrinkle emerged – DeepMind had been given access to 1.6m patient records stretching back up to five years. This week a leaked letter from the National Data Guardian (NDG) health watchdog described this transfer of data as having been carried out on an “inappropriate legal basis” – a formal way of saying it shouldn’t have happened in the way it did. The letter lays bare thorny issues, starting with the basis on which an NHS Trust can transfer data. Britain’s Information Commissioner’s Office (ICO) will soon publish its report on whether the data transfer to DeepMind was legal under the Data Protection Act (DPA). When it does, people on all sides of this tangled story will be paying close attention. [Naked Security]

EU Developments

EU – The State of Privacy 2017: EDPS Provides Mid-Mandate Report

As we approach the mid-point of the current EDPS mandate and continue the countdown to the General Data Protection Regulation (GDPR), the EU must build on current momentum to reinforce its position as the leading force in the global dialogue on data protection and privacy in the digital age, the European Data Protection Supervisor (EDPS) said to the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE), as he presented his 2016 Annual Report [see 75 pg pdf here]. [EDPS]

EU – European Data Protection Supervisor Calls for Additional Changes to Proposed ePrivacy Regulation

The European Data Protection Supervisor (EDPS) has recommended further changes to the proposed ePrivacy Regulation that would have significant impacts on the electronic communication sector and other online companies. In a 40-page opinion issued on April 24, 2017, the EDPS praises certain aspects of the current proposal as positive, voices key concerns about other aspects of the proposal, and makes several recommendations to change the proposed draft. The EDPS’s opinion follows another recent opinion by the Article 29 Working Party that recommended also changing the current proposal. The European Parliament and European Council are set to review and negotiate the final text over the coming months, with the ambitious goal of concluding negotiations by the end of 2017. The EDPS’s opinion focuses on the following key concerns and recommendations: 1) Privacy-focused definitions; 2) Strengthened consent requirements; 3) Limitations on legal grounds for processing electronic communications data and information related to terminal equipment of users; 4) Prohibition on “tracking walls” and other practices that exclude users with ad-blocking or similar applications installed; 5) Privacy-friendly default settings; 6) Mandatory adherence to accepted technical and policy compliance standards, which could include “Do Not Track”; 7) Restrictions on mobile location tracking; and 8) Safeguards against Member State restrictions on privacy rights and mandatory disclosures about government access requests. [WilmerHale]

EU – Article 29 Working Party Issues Guidance on Data Protection Impact Assessments

The steady trickle of GDPR guidance from the Article 29 Working Party continues. Fresh from finalising its guidance on data portability, lead supervisory authorities and data protection officers, the Working Party has published draft guidance on data protection impact assessments (DPIA), the full text of which is available on the Working Party website. Comments can be submitted to the Working Party by 23 May 2017, after which the guidance will be finalised. DPIAs are a key part of the GDPR accountability principle, and have to be carried out if a processing activity is “likely to result in a high risk” to data subjects. The Working Party’s guidance clarifies this phrase, and provides a series of concrete criteria which might trigger a DPIA. There is a useful diagram in the guidance which sets out a seven-step generic process for DPIAs. There are also helpful Annexes to the guidance, including examples of existing national and Europe-wide DPIA frameworks and a checklist of items to be included in DPIAs. These are likely to be useful resources when preparing DPIA templates, as the regulators may well want to see clear evidence of each of these steps being followed and each element in the checklist covered. [HLDA]

UK – State of the Cyber Nation: Gov’t Report on Cybersecurity Breaches

On 19 April 2017, the UK Government’s Department for Culture, Media and Sport (DCMS) published a report on cybersecurity breaches and how they affected UK companies in the last year. Headline statistics from the report include:

  • 61% of businesses hold personal data electronically;
  • 46% of all UK businesses identified at least one cybersecurity breach in the past year, rising to 51% of those that hold personal data on customers, 66% amongst medium-sized firms and 68% amongst large firms;
  • The most common breaches involved members of staff receiving fraudulent emails. This demonstrates that technical measures can only take an organisation so far, and that strong procedures and training are vital;
  • External reporting of breaches is still not common – only 26% of companies reported their most serious breach to someone other than a cybersecurity company who could assist with solving the problem. This will have to change where personal data is lost under the GDPR;
  • Only 37% of businesses have any rules around encryption of personal data, and 37% of businesses have segregated wireless networks; and
  • Only 13% of businesses require their suppliers to adhere to specific cyber security standards.

The report indicates that many UK companies have not implemented comprehensive cybersecurity policies or implemented strong safeguards to protect against cyber attacks. [HLDA]

EU – Article 29 Working Party Issues Recommendations on Draft Code of Conduct for Mobile Health Applications

The Article 29 Working Party issued recommendations on the draft code of conduct on privacy for mobile health (mhealth) applications. The definition of health data needs to be re-evaluated to ensure it is consistent with the definition provided in the General Data Protection Regulation (GDPR), and not all of the data protection principles are mentioned (the missing principles should be added, or it should be noted why they are absent); the Code should make clear that consent should fulfil all requirements of the GDPR, acknowledge the other conditions that render data processing fair and lawful, and ensure that wording does not imply that a controller may make a service conditional on consent for marketing. [Article 29 Working Party – Letter to the Project Editor of the Draft Code of Conduct on Privacy for Mobile Health Applications]

UK – ICO Recommendations on Prevention of Ransomware Attacks

The Information Commissioner’s Office in the UK has provided guidance on preventing ransomware attacks. Organizations should remove unnecessary user accounts, restrict user privileges to only what is necessary, ensure online and offline backups are encrypted, ensure remote access or control applications have strong credentials (2-factor authentication, and timely patch updates), and segment networks to limit any damage from successful attacks; if there is a successful attack, organisations should conduct a full security scan and penetration test of all systems and networks (attacks may have gained other undetectable access). [ICO UK – Statement on Recent Cyber Attacks at NHS]

UK – UK Information Commissioner Issues Guidelines for Organisations Using Big Data Analytics

The UK Information Commissioner’s Office issued guidance about big data, artificial intelligence, machine learning and data protection. Organizations should consider whether the analytics actually requires the processing of personal data (anonymized data is not considered personal data and does not fall under data protection laws); conduct privacy impact assessments to help identify privacy risks and assess the necessity and proportionality of the processing, and adopt a privacy by design approach (data minimization, purpose limitation and respecting individuals’ preferences in the metadata). [ICO UK – Big Data, Artificial Intelligence, Machine Learning and Data Protection]

EU – Facebook Fined $122 Million for Misleading EU Over WhatsApp

Facebook Inc. was fined 110 million euros by the E.U. for misleading regulators during a 2014 review of the WhatsApp messaging-service takeover. The European Commission won’t overturn approval for the $22 billion WhatsApp purchase as “the incorrect or misleading information provided by Facebook did not have an impact on the outcome of the clearance decision,” the regulator said. Vestager targeted Facebook after it announced privacy policy changes in August that would allow the advertising platforms on Facebook and Instagram to draw upon data from WhatsApp. The company informed the EU in 2014 it couldn’t combine WhatsApp data with its other services but moved to do that last year. Facebook said the firm “acted in good faith” in its interactions with the commission. “The errors we made in our 2014 filings were not intentional and the commission has confirmed that they did not impact the outcome of the merger review,” a Facebook spokesman said. “Today’s announcement brings this matter to a close.” The social networking company said it wouldn’t appeal the EU decision. [Bloomberg]

UK – Record Fine for Company Behind Nearly 100 Million Nuisance Calls

The UK’s Information Commissioner’s Office (ICO) has issued a record £400,000 fine to a business responsible for nearly 100 million nuisance calls over an 18 month period. [See ICO PR here] Keurboom Communications did not have the necessary prior consent to engage in the marketing activity from the people it targeted with the 99,535,654 calls, and was in “serious contravention” of the UK’s Privacy and Electronic Communications Regulations (PECR), the ICO said. The fine issued by the ICO to Keurboom Communications is the highest it has ever issued for a breach of PECR. It previously fined TalkTalk £400,000 for a serious breach of the Data Protection Act after the company suffered a data breach affecting approximately 157,000 customers. [Out-Law]

Facts & Stats

WW – New Symantec Report: 1.1 Billion Identities Exposed In 2016 Breaches

1.1 billion identities exposed in data breaches in 2016, says Symantec report. In the last eight years, more than 7.1 billion identities have been exposed in data breaches globally, which is almost the equivalent of one for every person on the planet, according to the findings of Symantec’s Internet Security Threat Report [see here]. In 2016 alone, almost 1.1 billion identities were stolen globally, a big jump from the 563.8 million stolen in 2015. This is despite the fact that the number of data breaches actually fell between 2015 and 2016—dropping from 1,211 to 1,209, said the report. In 2016, there were 15 mega breaches—breaches in which more than 10 million identities were stolen—an increase from 11 in 2014 and 13 in 2015. [LiveMint]

Finance

CA – Survey: Half of Us Are Ready for Cashless Canada

Forget about the end of the Canadian penny or even the possible impending demise of the nickel — half of Canadians are ready to abandon cash altogether. A new survey from Payments Canada finds 50 per cent of Canadians are ready to get rid of banknotes and coins. Two-thirds of respondents said they are ready to say goodbye to personal cheques. Some observers have raised privacy concerns about digital payments, noting that in a cashless society, every purchase can be tracked. But the Payments Canada survey suggests a large share of the population is willing to accept lesser privacy for greater convenience: 48% of respondents said they would trade away some of their privacy when paying digitally. [HuffPost]

FOI

WW – Facebook Transparency Report Signals Need for Privacy Guidelines

Facebook’s latest Global Government Requests Report [see PR here, see Report here], covering the second half of 2016, showed that requests for account data increased by nine percent – from 59,229 to 64,279 requests, globally – over first half 2016. Half of the data requests the firm received from law enforcement in the U.S. contained a non-disclosure order that prohibited Facebook from notifying the user. Facebook used the report to reiterate that it does not provide governments with backdoors or direct access points to users’ information. The company continues to seek ways to work with industry partners and civil society to push governments around the world to reform surveillance in a way that protects their citizens’ safety and security while respecting their rights and freedoms, the report said. The report is also a reminder of how governments around the world are regularly prying open the digital lives of subscribers. Facebook said that reform is needed in the legal process for handling data requests. “The current process for handling cross border requests for data is slow and cumbersome, and legitimate requests are often subject to months and months of delays,” the report said. “We believe that companies, governments, civil society organizations, and academics should work together to improve this process and to raise human rights standards throughout the world.” [SC Magazine]

Genetics

CA – New Genetic Non-Discrimination Law to Promote Privacy and Human Rights

The Privacy Commissioner of Canada and the Chief Commissioner of the Canadian Human Rights Commission are welcoming the coming into force of the “Genetic Non-Discrimination Act” [see here], as an important step for privacy and human rights in Canada. The Act, which received Royal Assent on May 4th, now prohibits genetic discrimination across Canada. It bars any person from requiring individuals to undergo a genetic test or disclose the results of a genetic test as a condition of providing goods or services, or entering into a contract. Both Commissioners acknowledge that the Government has stated it may refer the law to the Supreme Court of Canada for its opinion on the law’s constitutionality. In the meantime, the “Genetic Non-Discrimination Act” remains in place and represents the current law on this important public policy issue. Commissioner Therrien says he expects organizations subject to Canada’s federal private sector privacy law to re-examine their practices related to genetic tests and bring them in line with the new law. In light of Parliament’s passage of S-201, organizations that require genetic test results as a condition of providing a good or service will also generally be considered in contravention of the Personal Information Protection and Electronic Documents Act (PIPEDA). [Source]

Health / Medical

US – Health Care Industry Task Force Issues Recommendations to Protect Patient Information

The Health Care Industry Cybersecurity Task Force, established pursuant to the Cybersecurity Act of 2015, issued a report outlining recommendations to address challenges in protection of patient information. The health care industry faces cybersecurity risks from severe lack of security talent, use of unsupported legacy systems, significant resource constraints, and lack of threat identification infrastructure; organizations should cooperate with vendors and providers to inventory and secure legacy systems, adopt strong authentication, ensure strategic, architectural approaches to reduce attack surfaces, and establish cybersecurity leadership positions. [Health Care Industry Cybersecurity Task Force – Report on Improving Cybersecurity in the Health Care Industry]

US – Five HHS Settlements Imposed for Lack of Safeguards, Risk Analysis and Management Plans

This article reviews the U.S. Department of Health and Human Services, Office for Civil Rights’ (OCR) 2017 settlements under the Health Insurance Portability and Accountability Act. Electronic personal health information was exposed due to hackers, inappropriate employee access and lost or stolen unencrypted devices; companies were asked to conduct a risk analysis and implement risk management plans to fix vulnerabilities, and to monitor their information systems’ activity (e.g., review audit logs, access reports and security incident tracking reports). [2017 OCR HIPAA Settlements Focus on Risk Analyses Safeguards – Elizabeth Snell – HealthIT and Security]

US – HHS Issues Guidance on How to Detect, Deter and Recover from Ransomware Attacks

A new HHS Fact Sheet reviews the U.S. Department of Health and Human Services’s guidance about ransomware and requirements under the Health Insurance Portability and Accountability Act and the HIPAA Rules. Entities may prevent malware intrusion by implementing security management processes to identify threats and vulnerabilities, to mitigate or remediate identified risks and to guard against and detect malicious software; ransomware attack recovery activities include conducting an initial analysis to determine the scope and origination of the incident, whether it is finished, how it occurred and vulnerabilities and restoring data lost during the incident. [HHS Fact Sheet: Ransomware and HIPAA]

Horror Stories

CA – 1.9 Million Bell Customer Email Addresses Stolen by ‘Anonymous Hacker’

Bell is apologizing to its customers after 1.9 million email addresses and approximately 1,700 names and phone numbers were stolen from a company database. The information appears to have been posted online, but the company could not confirm the leaked data was one and the same. Bell, the country’s largest telecommunications company, attributed the incident to “an anonymous hacker,” and says it is working with the RCMP to investigate the breach. Bell said the incident was unrelated to the massive spike in ransomware infections that affected an estimated 200,000 computers in more than 150 countries late last week. It is not clear when the breach occurred, how the data was accessed, or how long the attacker had access to Bell’s systems. [Source]

WW – Two Billion Numbers Leaked by Chinese Phone App

The app, DU Caller, developed by DU Group, a subsidiary of Baidu, was initially for users to blacklist nuisance callers and filter them out. But a “reverse look-up” function allowed access to two billion phone numbers stored in Baidu’s Beijing server. Among those affected are security minister Lai Tung-kwok and privacy commissioner Stephen Wong, according to news agency FactWire [see here]. The Security Bureau has referred the case to the Office of the Privacy Commissioner for Personal Data for investigation. Independent news agency FactWire reported on Saturday that once downloaded and installed, the app would automatically gather sensitive information such as the address book and phone numbers even before users agreed to the privacy policy. [SCMP]

US – $2.5M Fine Imposed on Wireless Health Services Provider for PHI Breach

The Department of Health and Human Services, Office for Civil Rights entered into an agreement with CardioNet Inc. to settle alleged violations of the HIPAA Privacy and Security Rules. The provider did not have sufficient risk analysis and risk management processes in place at the time an employee’s laptop was stolen from their vehicle (containing ePHI of 1,391 individuals); the organization must conduct an enterprise-wide risk analysis, implement a risk management plan that addresses all security risks and vulnerabilities, revise and distribute policies and procedures among employees, and report to HHS at least annually for a 2 year period. [HHS – Resolution Agreement – CardioNet Inc.] [Press Release | Resolution Agreement]

Identity Issues

CA – Edmonton Man Sounds Alarm After ID Scanned While Buying Cigarettes

Nick Radloff said he was asked for ID last at an Esso Station owned by 7-Eleven. “She just automatically scanned it into her system” he said. A directive from 7-Eleven head office states that the store’s ID scanners do not collect personal information that could identify the customer. Instead the scanners “read only anonymous information (expiry date, province, date of birth, and only the last four digits of a driver’s licence).” A regional 7-Eleven manager wrote “if you do not want your ID or driver’s licence scanned, our sales associates have been instructed to respect your decision.” 7-Eleven’s policy was implemented on April 24 across their 650 stores. 7-Eleven said the policy was put in place “to further reduce the risk that tobacco products would be sold to minors.” The Office of the Information and Privacy Commissioner of Alberta has looked into a number of such complaints over the past decade. [CBC]

EU – Blockchain Startup Forms Partnership to Develop Identity Platform

Billed as an “identity platform,” the product is designed to allow businesses and consumers to store and exchange information while staying on the right side of regulations such as the European Union’s General Data Protection Regulation, which sets strict limits on what information companies are allowed to hold on their customers. The platform’s development, announced Monday, is a joint effort between Cambridge [see here] and LuxTrust [see here], an established firm that is already managing digital identities for the entire individual and corporate population of Luxembourg, according to a news release. [see here] A key piece of the platform will be Cambridge’s software, in which each individual holds his or her personal data in a private store and the blockchain holds proof that the data is valid. Such proof could include picture ID. A bank can refer to the blockchain to verify customers’ identities, but the information held there can’t be used to falsify personal data. [American Banker]

Internet / WWW

CA – WannaCry Ransomware “A Wakeup Event” for Directors

“It may be the WannaCry virus will be a watershed event for directors and officers liability in this area,” Bradley Freedman [see here], national leader of the cyber security law group at Borden Ladner Gervais, said. “And I say that because the primary result of it has been business disruption and financial loss. Shareholders are going to be asking what their directors did to make sure their organizations were doing the right thing to manage these types of risks. Did it have an appropriate patch management program? Was there proper oversight? Why was this organization running a Windows XP machine?” Freedman noted that when it comes to cyber risk management courts say directors and officers have to consider the same things when making any corporate risk decision: Exercise the care of a reasonable person, and make “reasonable and informed and properly advised independent decisions.” Perfection, he said, isn’t demanded. Still, he said, the WannaCry attack, which according to the U.S. infected 300,000 computers around the world, may be a seminal event for directors. In making decisions in civil lawsuits relating to breaches on whether the organization took “reasonable care”, Freedman added, judges will look to what he called “soft law” — best practices, industry guidance, previous decisions in other jurisdictions. Rene Pelletier, IT audit principal in the Alberta auditor general’s office, said organizations are playing defensive because they don’t share their knowledge with other firms. Canada, he noted, is the second biggest target for reported ransomware incidents after the U.S. Ransomware works because it relies on ignorance and isolation of users, he said. “We all need to work together on cyber security,” he added. “If we don’t we’re dead.” [IT World Canada]

Law Enforcement

CA – Alberta Police Inch Closer to Policy on Identifying Homicide Victims

After a meeting of the Edmonton Police Commission, police Chief Rod Knecht gave an update on a contentious issue which came to the fore this year after Edmonton police withheld the names of roughly half of the city’s 2017 homicide victims, a departure from long-standing practice. Critics say withholding names is a misreading of the province’s Freedom of Information and Protection of Privacy (FOIP) law and goes against the public interest. The opposition Wildrose has criticized the policy, saying in particular that withholding names in domestic violence cases could stigmatize victims. Edmonton police have cited privacy concerns and the lack of “an investigative purpose” in not naming some homicide victims this year. Members of the Alberta Association of Chiefs of Police met last Friday to discuss the issue, Knecht said. The departments’ FOIP lawyers will soon gather to discuss the legal issues. “We all agreed — every case on its own merits,” he said. “We may release the name in a certain case, and in another case we may not.” [Edmonton Journal See also: Alberta police chiefs try for common ground on naming homicide victims | Alberta chiefs of police to discuss homicide victim naming policies | Edmonton police chief defends policy of not releasing names of homicide victims | Edmonton police policy of not naming murder victims stands alone in Alberta | Secret murder: A tale of two police forces in Alberta | Bureaucratic secrecy erodes democratic rights | RCMP silent on Alberta murder victims citing Privacy Act ]

US – Police May Have Been Less than Forthcoming to Judge About Stingray Use

A California defense attorney maintains that law enforcement officers misled a judge when seeking a warrant to use cell-site simulator technology to track her client’s location. In a related story, the US Supreme Court plans to discuss the issue of whether law enforcement authorities require warrants to compel mobile phone companies to disclose customers’ cell site data. Read more in:

  • arstechnica.com: Lawyer: Cops “deliberately misled” judge who seemingly signed off on stingray
  • arstechnica.com: Supreme Court asked to rule if cops need warrant for cell-site data
  • arstechnica.com: DHS now needs warrant for stingray use, but not when protecting president
  • arstechnica.com: FBI, DEA and others will now have to get a warrant to use stingrays
  • www.usatoday.com: Bipartisan bill seeks warrants for police use of ‘stingray’ cell trackers
  • arstechnica.com: Appeals Court: No stingrays without a warrant, explanation to judge
  • www.reuters.com: In first, U.S. judge throws out cell phone ‘stingray’ evidence

Online Privacy

WW – Hundreds of Privacy-Invading Apps Are Using Ultrasonic Sounds to Track You

These near-silent tones can’t be picked up by the human ear, but there are apps in your phone that are always listening for them. This technology is called ultrasonic cross-device tracking, and it works by emitting high-frequency tones in advertisements and billboards, web pages, and across brick-and-mortar retail outlets or sports stadiums. Apps with access to your phone’s microphone can pick up these tones and build up a profile about what you’ve seen, where, and in some cases even the websites you’ve visited. In the past year, researchers found 234 Android apps that include the ability to listen for ultrasonic tones “without the user’s knowledge,” one paper said. The researchers criticize the technique as a “threat to the privacy of a user,” as they “enable unnoticeably tracking locations, behavior and devices.” Using this ad-tracking technology allows ad companies to link media-consuming habits to a person’s identity by picking up ultrasonic tones from websites, and radio and television broadcasts. The ultrasonic tones can also be used to track locations, behavior, and purchase habits across different devices, which allows the advertiser to serve more specific and tailored advertisements based on where you’ve been. Worst of all, the researchers say that this ultrasonic tracking technology can de-anonymize users of bitcoin, which is designed to be used without the need for a name. [ZDNet]

Other Jurisdictions

AU – Australian DPA Recommendations for Identifying Personal Information

The Office of the Australian Information Commissioner has provided guidance to organizations on determining whether information processed is personal information, pursuant to the Privacy Act 1988. Organizations should consider whether there is a connection between the information and the individual, if the information reveals or conveys something about the individual, and whether the individual is reasonably identifiable (considering the nature and amount of information, and who will have access); personal information does not include de-identified information, information about deceased persons, business information, or cases where individuals are not identifiable (e.g. an aerial photo of a public event without enough detail to determine identifying features). [OIC Australia – What is Personal Information]

Privacy (US)

US – Advocates Urge FCC to Immediately Repeal Mandatory Data Retention Rule

Advocates urge the Federal Communications Commission to immediately end the data retention mandate. The rule, requiring telephone carriers to retain customer billing records for 18 months, is outdated (carriers no longer bill in a way that makes the retention of this data relevant), violates customers’ privacy rights by requiring carriers to retain sensitive personal data, and increases the likelihood of the data being exposed in a security breach. [Letter Urging FCC to Act Immediately on Petition to End Data Retention Mandate]

US – Security Spending: School Budgets Inadequate to Meet Increased Challenges

The Consortium for School Networks issued its 5th IT Leadership Survey: 495 surveys were completed by US school system technology leaders between January and February of 2017. 38% of IT departments spend 51-75% of their time reacting to technical problems as opposed to working in a proactive mode, and 37% see no change in the priority of security and privacy of student data compared to the last year; IT leaders overcome budget and funding issues by delaying maintenance and upgrades (65%), reducing technology purchases (37%), and relying on E-rate funds (53%) and grants (35%). [2017 K-12 IT Leadership Survey Report – Consortium for School Networking]

US – School Districts and Online Services Providers Must Better Protect Student Privacy

The Electronic Frontier Foundation has issued a report on student data handling practices of school districts and educational technology companies. Schools have issued devices to students without parental knowledge or consent, parents were unable to opt-out their children from device or software use, and provider policies (which lacked details about encryption, retention and sharing) were relied on by schools to ensure student data protection; schools and providers should have privacy policies that are accessible, not over-broad, and describe data collected, methods used, and data minimization measures employed, obtain explicit consent from parents before signing students up for services, and should not track students’ online behavior. [EFF – Spying on Students – School-Issued Devices and Student Privacy]

US – Parties Discuss Privacy Issues in Advance of FTC, NHTSA Workshop on Connected Cars

On June 28, 2017, the Federal Trade Commission and the National Highway Traffic Safety Administration (NHTSA) will hold a workshop to examine the consumer privacy and security issues posed by automated and connected vehicles. The workshop comes several months after the Department of Transportation and NHTSA promulgated a Notice of Proposed Rulemaking (NPRM) that would require all new passenger vehicles to be capable of vehicle-to-vehicle (V2V) communications by the early 2020s. The FTC and NHTSA have raised several questions to be addressed at the workshop. Car manufacturers, tech organizations, privacy organizations, and other parties filed comments in advance of the workshop, responding to these questions and more. [Inside Privacy]

US – Second Circuit Limits Standing to Bring Data Breach Class Actions

The U.S. Court of Appeals for the Second Circuit issued an important decision [see 5 pg pdf here] in “Whalen v. Michaels Stores”, placing the court at the center of the controversy around what allegations are sufficient to establish Article III standing in data breach class actions. In “Whalen”, the plaintiff alleged that payment card information stolen in a data breach was used in unsuccessful, attempted fraudulent transactions. The payment card owner further alleged that she faced an increased risk of future identity fraud, forcing her to spend time and money resolving the attempted fraudulent charges and monitoring her credit. The court ruled that these allegations did not establish a concrete injury sufficient to confer Article III standing. [Fenwick]

US — California Senate Committee Votes Against Privacy for Our Travel Patterns

The Electronic Frontier Foundation and the ACLU of California joined forces with California State Sen. Joel Anderson (R-Alpine) to testify before the Senate Transportation and Housing Committee [watch the full hearing here] in favor of S.B. 712 (text), a bill that would have allowed drivers to cover their license plates when parked in order to protect their travel patterns from private companies operating automated license plate readers (ALPRs). Despite learning how this data may be misused to target vulnerable communities by the federal government, a Democratic majority voted to kill the bill 5-6. The bill would have adjusted current law, which allows drivers to cover their entire vehicles (for example with a tarp), so that a driver can cover just a portion: the plate. Police would still have the ability to lift the cover to inspect the plate, and since the measure only applied to parked vehicles, it would not have affected law enforcement’s ability to collect data on moving vehicles. [EFF.org]

US — Lawyers Demand Answers After Artist Forced to Unlock His Phone

In February, artist Aaron Gach flew home to San Francisco after putting on a gallery installation in Brussels. US Customs and Border Patrol (CBP) decided to interrogate Gach, to detain him, and to demand that he unlock and hand over his phone. It’s fruitless to try to surmise the actions of CBP detentions. The CBP isn’t in the habit of sharing whatever possibly reasonable suspicions they might have about a traveler that would lead agents to detain that traveler. But we are now in an era of skyrocketing device searches at the US border, and there are many who would very much like to dissect the reasons – and the constitutionality – of this type of search. As the American Civil Liberties Union (ACLU) notes, the Department of Homeland Security (DHS) has estimated that CBP officers searched 2,700 devices in January and 2,200 in February alone, putting it on pace to easily exceed the 19,000 devices they searched in all of 2016. On Thursday, the ACLU took action on behalf of Gach and others who’ve been subjected to similar non-consensual searches at the border. Six ACLU attorneys filed an eight-page administrative complaint, seeking answers from DHS, the parent agency of CBP. [Source]

US – Swabbing a Car Door Handle in A Public Lot to Collect DNA is a 4th Amendment Trespass Search

In United States v. Jones, 132 S.Ct. 945 (2012), the Supreme Court added a second test for what government action counts as a Fourth Amendment “search.” Since the 1970s, the Supreme Court had held that the government commits a search when it violates a person’s reasonable expectation of privacy. Jones added that the government also commits a search when it trespasses on to a person’s “persons, houses, papers, and effects.” The significance of Jones hinges on just what kind of trespass test courts interpret Jones to have adopted. In light of that uncertainty, I was fascinated by a new decision, Schmidt v. Stassi, from the Eastern District of Louisiana last week. When Schmidt drove to a local strip mall, parked and went inside a store, an agent used a cotton swab to wipe the exterior door handle on Schmidt’s Hummer to collect a DNA sample. Schmidt sued the officers, claiming that swabbing his car door handle was an unlawful Fourth Amendment search. In the new decision, Judge Lance M. Africk holds that collecting the DNA from the door handle using the cotton swab was a Fourth Amendment search because it trespassed on to the car. Notably, the idea here is that collecting the DNA was a search because it interfered with Schmidt’s rights in the car, not in the DNA itself. That’s different from the reasonable-expectation-of-privacy cases on collecting DNA, which generally focus on the potential privacy invasion in the testing of the DNA sample to reveal sensitive information. [Washington Post]

US – Google Data Privacy Fight Hinges on Cloud Storage Tech

U.S. District Court for the Northern District of California Magistrate Judge Laurel Beeler’s ruling [see here] that Alphabet Inc.’s Google turn over customer data stored overseas relied more on the specific storage technology at play than on an outdated federal email privacy law, attorneys told Bloomberg BNA. The ruling may not offer real clarity sought by companies that store large amounts of data in the cloud on whether they must comply with government demands for the release of consumer data stored outside the U.S. But it does offer some insight into how courts may parse the technological issues surrounding the storage of data and identification of the consumers tied to that data by focusing on the ability of the company to readily identify the citizenship of a particular user. [BNA]

US – NY Lawmakers Consider Adding a ‘Textalyzer’ to Accident Investigations

A bill before the New York State Senate would give law officers a tool to check drivers’ cell phones after an accident in order to determine if distracted driving was the cause. Titled Evan’s Law, named after Evan Lieberman, a New Castle teenager who lost his life in 2011 due to a distracted driver in Westchester County, the bill would be the first in the nation to receive legislative approval. But not everyone is excited about the prospect. Rashida Richardson of the New York Civil Liberties Union is concerned that private information would not be private with any phone-scanning technology. She also questioned its accuracy, according to CBS New York. [Patch.com]

Security

US – New ABA Opinion: Attorneys Must Take Reasonable Cybersecurity Measures to Protect Client Data

On May 11, 2017, the American Bar Association (ABA) issued Formal Opinion 477, making clear that a lawyer may transmit information relating to the representation of a client over the Internet without violating the Model Rules of Professional Conduct so long as the lawyer takes reasonable efforts to prevent inadvertent or unauthorized access to client information. Lawyers may also be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security. This new opinion updates a prior opinion issued by the ABA in 1999 (Formal Opinion 99-413) [see here], in which the ABA concluded that attorneys may use the Internet to transmit unencrypted communications relating to a client without running afoul of the Model Rules of Professional Conduct. Although most enterprises and firms use some level of protection in their electronic communications, this new opinion highlights the growing focus on cybersecurity across all industries and professions. Encryption is increasingly becoming the industry standard in securing electronic data and communications, and is often the first line of defense when facing a data breach scenario. [Privacy and Security See also: 8 Steps to Evaluating Cloud Service Security]

WW – Google Docs Phishing Scam

An enormous phishing scheme disguised as a Google Docs request has been sent to as many as one million users. The attackers used Google developer tools to create an app designed to trick users into thinking they were viewing the real Google Docs app. It displayed a legitimate OAuth screen seeking permission to access and manage users’ email and contacts. Within an hour of learning about the phishing scheme, Google had taken steps to protect users. Read more in:
computerworld.com: Google Docs phishing scam underscores OAuth security risks
www.wired.com: Don’t Open That Google Doc Unless You’re Positive It’s Legit
www.scmagazine.com: Massive Google Docs phishing attack targeted credentials, permissions
www.eweek.com: Google Docs Phishing Attack Tricks Unsuspecting Users to Click
www.cyberscoop.com: OAuth-based phishing campaign gives Gmail users a scare
threatpost.com: 1 Million Gmail Users Impacted by Google Docs Phishing Attack
www.bleepingcomputer.com: It Took Google One Hour to Shut Down Massive Self-Replicating Phishing Campaign

US – HHS to Launch Cybersecurity Center

The Department of Health and Human Services (HHS) will soon launch a healthcare focused cybersecurity initiative modeled on the Homeland Security Department’s National Cybersecurity and Communications Integration Center (NCCIC). The new center, to be called the Health Cybersecurity and Communications Integration Center (HCCIC) would seek to reduce the extensive “noise” in the health care industry about cyber threats and to analyze and “deliver best practices and the two or three things that a small provider, a small office, a doc in a box can do to protect his patient’s privacy and information security around those systems.” HHS also envisions the HCCIC working with developers of mobile health apps to promote data security best practices in that fast-growing area. In December, the Food & Drug Administration responded to the “growing number of medical devices designed to be networked to facilitate patient care” by issuing guidance addressing the management and reporting of post-market cybersecurity vulnerabilities in medical devices. On May 3, HHS’ Health Care Industry Cybersecurity Task Force released its draft report to Capitol Hill. The report includes recommendations to create a medical-device specific “MedCERT” modeled after the United States Computer Emergency Readiness Team, which “would assess vulnerabilities, evaluate patient safety risks, adjudicate between the vulnerability finder and product manufacturer, and consult organizations about how to navigate the vulnerability process.” [Security and Privacy Health Law]

WW – CompTIA Study Finds Old Tactics Often Used to Fight Breach Threats

Organizations recognize information security as a growing imperative, but too many remain on the defensive and use dated tactics and training to protect their data. That is the conclusion of the new study “The Evolution of Security Skills” [see here] from CompTIA, the leading technology association. According to the study, one of the challenges for many organizations is that they put their focus on the cyber threats they understand the best. Malware and viruses, two of the oldest forms of cyberattacks, generally get the most attention. Of the 350 organizations surveyed, 29 percent said they are highly proactive in their security posture, emphasizing detection and response. Another 34 percent said they balance a strong cyber defense with some proactive measures. Seth Robinson, senior director, technology analysis, at CompTIA calls on organizations to adopt proactive measures to protect their data. These include identifying weak links before they are exploited, broadening the skills of their technology professionals, and increasing security training top to bottom throughout the organization. [Info Mgmt]

UK – ICO Reports Record Number of Data Breaches and Fines

The ICO’s annual performance statistics for 2016/17 also reveal that the regulator received more reported data protection breaches and fined more companies for unlawful activities than any previous year. The statistics show that data protection complaint cases rose to 18,354, around 2,000 more than the previous year. Some 2,565 self-reported data breaches resulted in 16 civil monetary penalties totalling £1,624,500 for serious breaches across a range of public, private and voluntary sectors. The ICO received more than 166,000 reports about nuisance calls and texts. The ICO issued a record number of 23 fines in this regard, totalling £1,923,000, and issued nine enforcement notices and placed 31 organisations under monitoring. More than 5,400 freedom of information (FOI) cases were received and 5,100 closed during the year, with 1,351 decision notices, which was “broadly similar” to the previous year, the ICO said. The ICO expects its work to intensify next year in the run up to the deadline for compliance with the EU’s General Data Protection Regulation (GDPR) on 25 May 2018. Testifying to the House of Lords EU Home Affairs Sub-Committee in a hearing on the new EU data protection package, Denham planned to expand the ICO’s staff to deal with the extra work burden to be imposed by the GDPR. [Computer Weekly]

WW – Organizations’ Lack of Attention to Printer Security Makes Them Vulnerable

This white paper surveyed individuals responsible for printer security at 16 organizations, which averaged 51 million pages printed per year by 8,800 printers used by 57,200 IT users and involving 4,500 IT staff. More than half of companies experienced an IT security breach in the last year that involved print security, yet almost 2/5 of senior managers are more likely to be involved in decision making for overall IT security than for print security; breaches commonly occur from the device’s network ports, print/copy/scan job interception, print/MFP hard drives and memory, printed or copied documents left in output trays or illegal use of secure media (checks, prescriptions). [The Business Value of Printer Security – IDC]

WW – Mobile Devices: Only 36% of Organizations Believe Cyberattacks Can Be Prevented

410 security professionals from an independent global database participated in a survey on mobile device security. Types of attacks experienced on employees’ mobile devices include malware, phishing using text messages, network attacks, intercepted calls and text messages over a carrier network, key logging, and credential theft; 62% of organizations do not use mobile security solutions (due to lack of budget, shortage of resources, lack of experience, or insufficient risk), despite 94% of organizations believing that the frequency and types of mobile device attacks will increase in the next year. [The Growing Threat of Mobile Device Security Breaches – Global Survey of Security Professionals – Check Point Software Technologies]

US – Uber Responds to Report That It Tracked Devices After Its App Was Deleted

Uber tracked former users even after they deleted the app from their iPhones, a practice that eventually earned CEO Travis Kalanick a scolding from Apple chief executive Tim Cook, the New York Times reports. Uber allegedly used a practice called fingerprinting to track devices after the app was deleted. Uber reportedly began fingerprinting iPhones as a fraud-prevention method in locations like China. Drivers there would register multiple Uber accounts on stolen iPhones and use them to request rides, thereby boosting the number of overall rides — a metric that Uber rewards with bonuses. Apple previously allowed developers to track their users with a Unique Device Identifier, or UDID. This kind of tracking was persistent across installs, but as Apple became more concerned with user privacy, it deprecated UDIDs in 2013. Apple replaced UDIDs with other variants of trackers that are designed to be less intrusive, including vendor IDs and advertising IDs. It’s not clear how Uber fingerprinted the devices in 2015 that led to the meeting between Kalanick and Cook. In order to prevent Apple engineers from discovering the fingerprinting, Uber allegedly geofenced Apple’s Cupertino headquarters to hide the code used in the process. But Apple engineers based in other offices discovered the trick, according to the New York Times [see here] and confirmed by TechCrunch, leading Cook to summon Kalanick to his office in early 2015. An Uber spokesperson said “We absolutely do not track individual users or their location if they’ve deleted the app. As the New York Times story notes towards the very end, this is a typical way to prevent fraudsters from loading Uber onto a stolen phone, putting in a stolen credit card, taking an expensive ride and then wiping the phone—over and over again. Similar techniques are also used for detecting and blocking suspicious logins to protect our users’ accounts. 
Being able to recognize known bad actors when they try to get back onto our network is an important security measure for both Uber and our users.” [TechCrunch]

US – DHS Provides Guidance on Implementing Security Improvements for Mobile Devices

The Department of Homeland Security, in coordination with the National Institute of Standards and Technology and the National Cybersecurity Center of Excellence, conducted a study on current and emerging threats to the government’s use of mobile devices. Mobile devices are vulnerable to attacks on back-end systems that require a security approach different from protection developed for desktop workstations; organizations should ensure timely patching of known vulnerabilities, block network access for obsolete devices (those no longer supported with updates), enable strong authentication methods, automatically monitor, detect and report any security policy violations, and enable remote wiping capabilities. [DHS – Study on Mobile Device Security]

US – NIST: Let Passwords Be Longer and Eliminate Character Variation Requirements

Later this summer, the US National Institute of Standards and Technology (NIST) will release new Digital Identity Guidelines. NIST appears likely to recommend against requiring periodic password changes and instead to recommend other measures that make passwords both easier to remember and more difficult to crack. For instance, allowing up to 64 characters could let people use passphrases rather than passwords. And allowing spaces and doing away with character variation requirements would help with memorization. NIST is currently reviewing public comment received on the guidelines. Read more in:
https://qz.com: The US standards office wants to do away with periodic password changes
https://pages.nist.gov: Digital Identity Guidelines

Smart Cars & Cities

WW – Report on IoT, Automation, Autonomy, and Megacities in 2025

Engineers designing and implementing internet-connected IoT devices face daunting challenges that are creating discomfort with what they see evolving in their infrastructures. This paper brings their concerns to life by extrapolating from present trends to describe plausible future crises playing out in multiple global cities within 10 years. Much of what occurs in the scenarios is fully possible today. [IoT, Automation, Autonomy, and Megacities in 2025]

US – California Bill Mandates Privacy by Design for IoT Devices

Manufacturers of Internet-connected devices (better known as the Internet of Things) should be following a new California bill closely because it would create a mandate under California law that all IoT devices have built-in security features appropriate to the device and information collected. California Senate Bill 327 [see here], amended in March, is the latest in a trend of legislative and regulatory efforts by state and federal authorities to hold IoT device makers more accountable for consumer data security. The California bill was introduced at nearly the same time the FTC brought an enforcement complaint in federal court in California against a computer networking equipment manufacturer for failing to take reasonable steps to secure its products from hackers. California’s Senate Bill 327 would go much further than the FTC has in “encouraging” manufacturers to adopt industry best practices for device security by codifying the State of California’s ability to bring enforcement complaints against those companies that do not build adequate security safeguards into their devices. It could be the first legislative mandate for IoT device manufacturers to proactively implement “security by design” [WCSR]

WW – Securing the Internet of Things

Microsoft is calling for the development of a cybersecurity policy for the Internet of Things (IoT). While “industry can build security into the development of IoT devices and infrastructure, the number of IoT devices, the scale of their deployments, the heterogeneity of systems, and the technical challenges of deployment into new scenarios require an approach specific to IoT.” In a separate story, Japan’s Internal Affairs and Communications Ministry will introduce a certification system for IoT devices that will rate their resilience to cyberattacks. Read more in:
www.darkreading.com: Microsoft Calls for IoT Cybersecurity Policy Development
mscorpmedia.azureedge.net: Cybersecurity Policy for the Internet of Things (PDF)
www.sltrib.com: Japan to rate home devices on cyber-attack vulnerabilities

Surveillance

US – NSA Collected Americans’ Phone Records Despite Law Change: Report

The U.S. National Security Agency collected more than 151 million records of Americans’ phone calls last year, even after Congress limited its ability to collect bulk phone records, according to an annual report [see PR here & Report here] issued by the top U.S. intelligence officer. The NSA collected the records even though it had warrants from the secret Foreign Intelligence Surveillance court to spy on only 42 terrorism suspects in 2016, in addition to a handful identified the previous year. The report came as Congress faced a decision on whether to reauthorize Section 702 of the Foreign Intelligence Surveillance Act (FISA), which permits the NSA to collect foreign intelligence information on non-U.S. persons outside the United States, and is scheduled to expire at the end of this year. Officials on Tuesday argued that the 151 million records collected last year were tiny compared with the number collected under procedures that were stopped after former NSA contractor Edward Snowden revealed the surveillance program in 2013. The report said the names of 1,934 “U.S. persons” were “unmasked” last year in response to specific requests, compared with 2,232 in 2015, but it did not identify who requested the names or on what grounds. [Reuters]

US – Cop Union Opposes New Bill That Would Thwart License Plate Readers

If the Electronic Frontier Foundation and a San Diego-based Republican state senator have their way [and here], it will soon become legal for Californians to cover their license plates while parked as a way to thwart automated license plate readers. As written, the new senate bill would allow for law enforcement to manually lift a cover, or flap, as a way to manually inspect a plate number. The idea is not only to prevent dragnet license plate data collection by law enforcement, but also by private companies. A California company, Vigilant Solutions, is believed to have the largest private ALPR database in America, with billions of records. The California Police Chiefs Association has already filed its opposition to the bill. In a letter to Sen. Joel Anderson, the group argued that the bill would only benefit one group: “those who are trying to evade law enforcement and detection.” Similarly, the bill has faced resistance from the California Public Parking Association, among other groups. In March 2015, Ars obtained the Oakland Police Department’s 4.6 million reads of more than 1.1 million unique plates, which were gathered between December 23, 2010 and May 31, 2014, as part of a public records request. The dataset showed precisely how revelatory such information can be—we were able to discern the home of a city council member with little difficulty. [Ars Technica]

US – Study Lays Out Privacy Concerns That Kids and Parents Have About Toys That Listen

University of Washington researchers explored the attitudes of kids and parents toward Wi-Fi-enabled toys in a study. “It’s inevitable that kids’ toys, as with everything else in society, will have computers in them, so it’s important to design them with security measures in mind,” said Franziska Roesner, one of the co-authors of the study, which was funded by the Consumer Privacy Rights Fund at the Foundation for Communities and the Environment and by UW’s Tech Policy Lab. This year, sales of My Friend Cayla were banned in Germany due to concerns that personal data could be stolen. In the U.S., advocacy groups have filed a complaint with the FTC over Cayla and i-Que Robot. (The FTC is reviewing the complaint.) The researchers say toy designers, parents and policymakers should become more aware of the potential vulnerabilities and the potential solutions. One of the suggested strategies is to program the toys themselves to tell kids that they’re being recorded – and to alert parents to any concerns that come up. [Geekwire]

US Government Programs

US – FTC Requests Comments on Significant Changes Proposed to Organization’s Safe Harbor Program Under COPPA Rule

The Federal Trade Commission issued a notice on proposed changes to TRUSTe’s safe harbor program under the COPPA Rule: The proposed changes include measures to reduce the risk of misrepresentation by participants in the program (the organization would have greater control over use of the trustmark); new obligations require participants to conduct an annual internal assessment of third parties’ use of tracking technologies to collect children’s PI, describe their retention policies, undergo an annual compliance review, implement a user complaint process, enhance security measures, and notify affected users and the organization of any data breach. Public comments are due by May 24, 2017. [FTC – 16 CFR Part 312 – Children’s Online Privacy Protection Rule Safe Harbor Proposed Self-Regulatory Guidelines; TRUSTe COPPA Safe Harbor Program Application to Modify Program Requirements Press Release | Consultation]

US – NSA Announces Data Collection Changes

The US National Security Agency says it has stopped collecting email traffic for simply containing the email address or phone number of a foreign target. The NSA agreed to end the practice as part of an agreement with a federal court that allows the agency to continue its Section 702 surveillance program. Sources:
www.wired.com: A Big Change in NSA Spying Marks a Win for American Privacy
www.theregister.co.uk: NSA pulls plug on some email spying before Congress slaps it down
www.scmagazine.com: NSA to end controversial warrantless surveillance practice
www.zdnet.com: NSA stops controversial program that searches Americans’ emails
arstechnica.com: NSA ends spying on messages Americans send about foreign surveillance targets
computerworld.com: NSA ends surveillance tactic that pulled in citizens’ emails, texts
www.washingtonpost.com: NSA halts controversial email collection practice to preserve larger surveillance program

Workplace Privacy

CA – Wearables in the Workplace Have Major Implications

With the growth of wearables in the workplace, how employee information is gathered, stored and used is becoming cause for concern. Researchers Steven Richardson and Debra Mackinnon at Queen’s University have published a report titled ‘Left to their own devices? Privacy Implications of Wearable Technology in Canadian Workplaces’ and highlighted some of the issues that have to be considered by all stakeholders. Researchers have identified more than 420 devices that are currently available for use in the workplace. The researchers argue that there is a need for greater accountability and transparency in how the devices are being implemented so that we have a more informed approach to privacy in the workplace. Wearables offer huge benefits and the technology is undoubtedly here to stay. However, the privacy issues do need more careful consideration by all the stakeholders involved prior to implementation. [Toronto Sun]

CA – Mandatory Locomotive Recorder Bill ‘Addresses A Key Safety Issue,’ Says Transportation Safety Board

Amendments to the federal “Railway Safety Act” [see here] mandating recording devices, if passed into law, could provide “essential information” to Transportation Safety Board of Canada staff investigating rail accidents and could help prevent such accidents in the future, TSB suggested Tuesday. Bill C-49, an omnibus piece of legislation, was tabled Tuesday in the House of Commons by Transport Minister Marc Garneau. [See here] This would mandate installation of locomotive voice and video recorders, TSB said in a separate release Tuesday. [See here] In September, 2016, the Canadian branch of International Brotherhood of Teamsters stated that railway companies should “not to be given access to the recordings because that would be an unprecedented and unparalleled intrusion into the workplace, one that is unnecessary, and would be tantamount to violating workers’ right to privacy.” [Canadian Underwriter]

CA – New Legislation Requiring Cameras on Trains Will Violate Workers’ Privacy, Rail Union Says

The union representing rail workers says new legislation [see here & here] that would require cameras to be installed on Canada’s trains threatens workers’ privacy and came as a surprise. But Transport Minister Marc Garneau said he’s spoken with the Teamsters Canada Rail Conference about the proposal, and the union knew what was being planned. The law would require railway companies to equip locomotives with voice and video recorders that could be used by the Transportation Safety Board of Canada after an accident to assess what went wrong. The union is upset that railway companies would also have access to the recordings to conduct random samples and look for safety risks. “From the workers’ perspective, the government has abandoned them,” union president Doug Finnson said. “I’m particularly pissed at this.” Finnson claims that once railway companies have access to the recordings, the government won’t be able to control how they use them. It’s still unclear how much power companies will have to act on what they see and hear in the recordings. Jean Laporte, chief operating officer of the Transportation Safety Board, said if railway companies observe employees engaged in criminal activity or gross negligence, they will have a “moral obligation to take action and deal with that.” According to the proposed legislation, companies can use the recordings “to address a prescribed threat to the safety of railway operations.” [National Post]

+++

 

08-23 April 2017

Biometrics

US – Border Patrol Seeking Facial Recognition Drones

Customs and Border Protection (CBP), a Department of Homeland Security (DHS) agency, has used drones originally designed for foreign battlefields in order to conduct border surveillance, although these efforts have hardly been efficient. Federal solicitation documents reveal that DHS is looking to smaller drones with facial recognition capabilities. This ought to concern Americans who value civil liberties. The solicitation lists required sensor capabilities for the drones, including, “Provides a surveillance range of 3 miles (objective),” “Able to track multiple targets persistently,” and “Identification of humans via facial recognition or other biometric at range.” “The sensor technology would have facial recognition capabilities that allow it cross-reference any persons identified with relevant law enforcement databases.” If you’re an American adult reading this there is a good chance that your facial image is in one of these “relevant law enforcement databases.” A Government Accountability Office report from last year found that the Federal Bureau of Investigation’s facial recognition system has access to more than 411 million facial images, including the driver’s license photos from sixteen states. Current law allows CBP officials to stop and search vehicles within 100 miles of America’s external boundary in order to prevent illegal immigration. [see ACLU map here] Roughly two-thirds of Americans live in this so-called “Constitution-free” zone. Although DHS’ solicitation mentions facial recognition drones being used as part of border patrol we should be prepared for them to make appearances at interior checkpoints as well as at ports of entry. [CATO | The US Border Patrol is trying to build face-reading drones]

WW – Researchers Develop Synthetic Skeleton Keys for Fingerprint Sensors

Those fingerprint-based security systems in your mobile phone might not be quite as secure as you wish they were. That’s the takeaway from just-published research by engineering researchers at New York University and Michigan State University. According to NYU’s press room, “the team analyzed the attributes of MasterPrints culled from real fingerprint images, and then built an algorithm for creating synthetic partial MasterPrints.” And their digitally simulated “synthetic partials” proved worryingly effective. This kind of research helps to identify areas where our security is weaker than we thought rather than practical forms of attack. They may come in time though and according to MSU Today, the research team is now investigating potential solutions for this vulnerability. [Naked Security]

Big Data

WW – Artificial Data Reduces Privacy Concerns and Helps with Big Data Analysis

Big data, more often than not, contains sensitive information pertaining to individuals serviced by the organization, and releasing that information to outside resources may place the organization or business in jeopardy with state and federal privacy regulations. Three researchers at MIT may have figured out a way to assuage privacy concerns. Principal researcher Kalyan Veeramachaneni along with researchers Neha Patki and Roy Wedge in their paper The Synthetic Data Vault (PDF) describe a machine-learning system that automatically creates what the researchers call “synthetic data.” The beauty of the machine-learning model from Veeramachaneni and his team is that it can be configured to create synthetic data sets of any size, and this can be done quickly to accommodate development or to stress-test schedules. Artificial data is also a valuable tool for educating students, as there is no need to worry about data sensitivity. The MIT press release [see here] concludes with, “This innovation can allow the next generation of data scientists to enjoy all the benefits of big data, without any of the liabilities.” [TechRepublic See also: Brandon Purcell Q&A on AI & fulfilling the failed promise of big data]

Canada

CA – Proposed Amendments to the Privacy Act Enhance Transparency

The Standing Committee on Access to Information, Privacy and Ethics issued recommendations following its review of the Privacy Act. The OPC should be granted the discretion to publicly report on government privacy issues when it is in the public interest, and share audit and investigative information with domestic and international counterparts; the scope of the Act should be extended to include ministers’ offices and the Prime Minister’s Office, information requests from law enforcement should be reported, and right of access should be extended to foreign nationals. [Protecting the Privacy of Canadians – Review of the Privacy Act – Report of the Standing Committee on Access to Information Privacy and Ethics]

CA – Manitoba Government Seeks Comments on Access to Information

The Manitoba Minister of Sport, Culture and Heritage seeks public comment on the Freedom of Information and Protection of Privacy Act (FIPPA), as part of its legislative review. Comments can be submitted until May 31, 2017. Comments are sought on whether FIPPA is appropriate for local public bodies (schools, municipalities, regional health authorities), whether public bodies should have greater flexibility in access request response times and extensions, or charge fees for voluminous, multiple, or concurrent requests, and on current discretionary and mandatory exceptions that may limit access to information. [Manitoba Government – FIPPA Legislative Review]

CA – Saskatoon Police Prepare for Changes to Freedom of Information Law

Starting this fall, Saskatchewan police forces will be subject to provincial freedom of information law. The Saskatoon Police Service hired its first access and privacy officer this spring and she [Kayla Oishi] is in the process of developing the forms and procedures people will need to use to request documents from the police. [Here are some relevant questions Oishi answered, including]: 1) What kind of information can be requested from the police?; 2) What information won’t be given out?; 3) When can FOIP requests be filed?; 4) How can people file freedom of information requests?; 5) How much does it cost to submit a FOIP request?; 6) How long will it take for police to respond to FOIP requests?; 7) How many FOIP requests does the Saskatoon Police Service expect to process?; and 8) Can people in other provinces file FOIP requests with police? [Star Phoenix See also: Saskatoon police hire first access and privacy officer]

CA – Cellphone Surveillance Technology Being Used by Local Police Across Canada

Calgary police, Ontario Provincial Police and Winnipeg police all confirmed to CBC News they own the devices — known as IMSI catchers, cell site simulators or mobile device identifiers (MDIs) — joining the RCMP, which has used the technology for its own investigations and to assist Toronto and Vancouver police. While Ontario and Winnipeg police refused to say whether they use the technology to intercept private communications, Calgary police and the RCMP insist they only deploy their IMSI catchers to identify — and occasionally, in the RCMP’s case, track — cellular devices. Micheal Vonn, policy director of the B.C. Civil Liberties Association and a legal expert on privacy, says she’s concerned there isn’t a warrant process specific to IMSI catchers that establishes strict limits on how the technology is used given its potential for mass surveillance. “It’s nothing but a policy choice for some law enforcement not to use the content interception capabilities,” said Vonn, referring to features some IMSI catchers have to eavesdrop on any cellphone within a radius of several blocks. It’s hard to believe “the tantalizing availability of such technology is not going to be exploited,” she said. “It will.” CBC News has since contacted 30 provincial and municipal police forces across Canada to ask how many IMSI catchers they own, the number of operators trained to use them, and how many times the technology was used in 2015 and 2016. Only Calgary police answered in full. The Office of the Privacy Commissioner of Canada is investigating the RCMP’s use of IMSI catchers, following a complaint filed last year. [CBC]

CA – CSIS Waiting On Liberal Reforms Before Using Threat-Disruption Powers

Nearly two years ago, the Canadian Security Intelligence Service (CSIS) was granted expanded legal authority to actively disrupt threats to national security, not simply gather information about such threats. The change was made when the former Conservative government passed Bill C-51 in June that year. The new law allows CSIS agents to take nearly any action — short of causing bodily harm or death, violating a person’s sexual integrity or obstructing justice — to stop or disrupt a threat, as long as CSIS obtains a warrant from a Federal Court judge for any steps that would violate an individual’s Charter rights. However, senior CSIS officials decided it wouldn’t be appropriate to pursue more serious so-called “threat-reduction activities” that require a judge’s sign-off, while the Liberal government is actively considering how it will amend the law, a source with direct knowledge of the discussions told the Star. Documents obtained by the Star lay out in detail three agreements CSIS has negotiated with other government departments and agencies setting out how they will co-ordinate these kinds of actions and how CSIS will notify its partner agencies in advance. One key agreement is with the Communications Security Establishment, or CSE, Canada’s sophisticated electronic spying and cyber-defence agency, which answers to the minister of national defence. CSIS has struck similar agreements to co-ordinate with the RCMP and Global Affairs Canada. Another agreement obliges CSIS to notify the foreign affairs department of any foreign policy or “strategic outcomes” that result from CSIS flexing its muscle abroad, in countries where there could be diplomatic fallout for Canadian spies acting in ways that may not accord with local laws. [The Star]

CA – B.C. Privacy Commissioner Rejects Call To Probe NDP List Sharing

British Columbia’s privacy watchdog, Drew McArthur, said in a statement Monday that the Liberal complaint does not meet the threshold for an investigation by his office. The New Democrats called the complaint an attempt to divert attention from serious issues facing the Liberals on the eve of an election campaign. A Liberal official said the party was reviewing McArthur’s response, but did not comment further. B.C. Liberal party president Sharon White had requested the investigation in a letter to McArthur on Friday. McArthur explained that the Personal Information Protection Act applies to private organizations in B.C., including political parties, and there are two circumstances that can result in an investigation. “The first is most common: we investigate complaints from individuals whose personal information has been directly affected,” said McArthur’s statement. But since there is no individual complaint, an investigation cannot proceed on those grounds, he said. “The second option is for the commissioner to initiate an investigation into a potential contravention of (the Act) if he has ‘reasonable grounds to believe that an organization is not complying.’ We have reviewed the documents submitted by the B.C. Liberal party and have determined that the information provided does not meet the threshold for a commissioner-initiated investigation.” The Liberals sent a second complaint letter Monday, alleging the B.C. NDP was in breach of the Act by attempting to use a voter support list collected by the federal NDP in the 2015 federal election. [CTV News]

CA – OIPC NS Recommends Regularly Reviewing the Need for Video Surveillance

The Office of the Information and Privacy Commissioner for Nova Scotia has issued guidelines on the use of video surveillance, pursuant to the: Freedom of Information and Protection of Privacy Act; and Municipal Government Act. The need for video surveillance must be pressing and substantial, requiring concrete, verifiable evidence of the problem to be addressed (e.g., crime rates); organizations should regularly review the use of existing video surveillance systems to ensure that the original problem still exists and requires the use of CCTV, and whether or not there is a less invasive way of achieving the same goal. [OIPC NS – Video Surveillance Guidelines]

CA – How the B.C. Government Quietly Gained Access to the Non-Voter List

When the B.C. Liberal government amended the Election Act in 2015, tucked into the eight pages of stricken sections and subsections was a change requiring Elections B.C. to provide parties and candidates not only with the list of people who voted in the last election, but the list of those who didn’t. Less than a month before the legislation was introduced, the privacy commissioner flagged that section as an unwarranted intrusion. The sole reason that political parties need/want that information, she said, is to gain access to “personal information in a comprehensive and accessible format after voting day in order to perform analytics and other uses.” She said the information was “likely to be linked with other information in political databases and elsewhere.” Provincial Attorney General Suzanne Anton was unmoved by critics’ concerns. Her response was essentially: Trust us, we won’t misuse it. So, what is the big deal about getting the list of non-voters? Well, for one thing, the best predictor of who will vote is whether they voted in the last election. That is why voter suppression tactics are aimed at those who have a history of voting. But the converse is also true. Knowing who didn’t vote last time allows parties to ignore non-voting individuals and communities and direct their money and energy at those who do. It’s cynical and the antithesis of democracy. [Vancouver Sun]

CA – Liberals Accuse NDP of Sharing Supporter Lists Without Consent

The B.C. Liberal party has filed a complaint with the province’s privacy commissioner, alleging the B.C. NDP has breached protection laws by sharing its supporter list with “politically friendly” groups. A letter to Privacy Commissioner Drew McArthur signed by B.C. Liberal president Sharon White called for an immediate investigation into alleged breaches of B.C.’s Personal Information Protection Act by the NDP. “We have obtained documentation concerning the activities of the B.C. NDP, Strategic Communications, the municipal political parties, Vision Vancouver, Coalition of Progressive Electors and the Surrey Civic Coalition, and B.C. NDP officials in Saanich, B.C., which show serious and ongoing breaches of the Personal Information Protection Act.” The Liberals allege in the letter “there are clearly reasonable grounds to believe that a number of political organizations in B.C. have not complied with the Personal Information Protection Act.” The complaint to the privacy commissioner includes documents of three agreements dated Oct. 5, 2005 between the NDP and Vision Vancouver, COPE and Surrey Civic Coalition. “These agreements set out a secret arrangement whereby the B.C. NDP would share lists regarding its supporters with these politically friendly municipal parties to help them identify supporters and assist them to elect their candidates in municipal elections,” stated the letter. [Vancouver Sun]

CA – NL Privacy Commissioner Calls Cameras in Rental Home ‘Incredibly Unsettling’

“I can’t think of any more egregious way for your personal privacy to be breached, than to have cameras in your home, unbeknownst to you,” said Donovan Molloy, Newfoundland and Labrador’s privacy commissioner. In February, Rachel Tribble and her roommate discovered an elaborate system of cameras inside their rental property — including cameras in their bedrooms. Tribble said the cameras were hooked up to video and audio cables, that connected to a recording device in the attic. Police have seized equipment from the home. Their investigation is ongoing. Homeowner Kevin Vokey said that the system was installed for personal security while he was living there and maintained that it was an internal system, with no external access outside of the home, and that footage from the system was never streamed. In general terms, Molloy noted that the province’s Privacy Act prohibits “surveillance, auditory or visual, whether or not accomplished by trespass, of an individual, by any means including eavesdropping, watching, spying, harassing or following” without consent. [CBC]

CA – Western Librarians Publish First-Ever Online Privacy Guide by a Canadian University

A guide on the first steps you can take to protect your online privacy is close to home — right on the Western libraries website. The work is a collaborative effort between Melissa Seelye, a graduate student in library and information sciences and Erin Johnson, a library assistant in research and instructional services at Weldon Library, and is the first online privacy guide published by a Canadian university. The guide is curated for a general audience, from beginners to more advanced users. The guide lists privacy protection tools such as Internet browser alternatives, browser extensions, search engine alternatives, private messaging apps and password managers. Included is also more information on privacy policies and legislation implemented by Western and the Canadian government. [Western Gazette]

Consumer

EU – Commission Launches Public Consultation On Internet Fears

The EU is launching an unprecedented public consultation to find out what Europeans fear most about the future of the internet. A succession of surveys over the coming weeks will ask people for their views on everything from privacy and security to artificial intelligence, net neutrality, big data and the impact of the digital world on jobs, health, government and democracy. A dozen leading European publications are to publicise the surveys over the coming three weeks. Results will be compiled in early June. Readers can complete the first questionnaire here. [The Guardian]

EU – Survey: Europe Less Concerned About Privacy Than Counterparts

The survey from Forrester [see here] included 3588 responses from employees involved in planning, funding and the purchasing of business and tech products and services. It found that while 50% of security and risk (S&R) pros worry about customer privacy concerns in the US, the number in emerging markets – where many firms are looking for new customers – is significantly higher. When asked to rate their concern for each source of information risk and the potential impact it could have on their organisation, security decision makers from Germany (34%), France (36%) and the UK (42%) are highly or extremely concerned. Elsewhere in the world, respondents are more concerned with customer privacy. Security decision makers from India (76%), China (71%), the US (50%), Brazil (51%), Canada (47%) and Australia/New Zealand (43%) expressed such concerns. In these same markets, more security decision makers from outside of Europe consider privacy a competitive differentiator: India (44%); China (37%); Brazil (33%); the US (32%); Germany (27%); Canada (26%); Australia/New Zealand (26%); the UK (26%) and France (23%). Firms across the globe must therefore understand the risks and opportunities that come with privacy. The report identifies these attributes of an effective privacy organisation: 1) A privacy leader; 2) Identify and limit potential conflicts of interest; 3) Create escalation procedures; 4) Define the relationship between privacy and compliance; and 5) Audit data assets. [SC Magazine]

E-Government

NZ – New Zealand Privacy Commish Blasts Gov’t NGO Data Collection Plans

Social Development Minister Anne Tolley is pushing a policy to force non-government organisations (NGOs) to hand over personalised data of their clients, in order to be eligible for Government funding. Privacy Commissioner John Edwards today rejected the plan [see PR here see 49 pg pdf report here]. He described the Government plans to capture the individual and personal data of vulnerable clients as “excessive and unnecessary,” and it could have serious and unintended consequences. Little or no thought had been given to developing possible alternative means to achieve the Government’s aims without risking those consequences. Tolley revealed the ministry was forced to shut down its information sharing portal following a privacy breach. An error allowed one provider to view another provider’s folder, but there was no data contained in the folder at the time. [see here | Privacy Commissioner has slammed Social Development data collection plans as too intrusive | Government demands non-profit clients’ personal data before releasing funds]

US – Erosion of Public Trust Biggest Long-Term Impact of OPM Breaches, Experts Say

It’s been nearly two years since the Office of Personnel Management first announced that hackers had stolen personally identifiable information from 21.5 million people in two separate cyber breaches, and counterintelligence officials say it’s still unclear just how the adversary may use that data, if at all. Instead, the biggest harm from the OPM breaches has been the public’s erosion of trust in the agency and in government at large to protect personal data, said Charlie Phalen, director of the National Background Investigation Bureau (NBIB). While counterintelligence and security officials have little information about the long-term impacts of the OPM breaches, experts say impacted individuals shouldn’t be paranoid. They should take basic precautions when they post on social media, travel abroad and connect with new people online, yet those measures are no different than the steps every other American should take to protect their personal information. “My best sense of what the long-term impacts of this is that this information in the hands of the adversary might help them learn more about me, might help them get a little bit of an edge on me, might help them sort through data, but all in all, if I take the same precautions tomorrow that I would have taken three years ago with traveling, with dealing with my business, with my life, with contacts, I don’t think I would do much very differently,” Phalen said. He said he feels “fairly comfortable” that OPM’s current information system is “protected as well as it can be.” As NBIB director, Phalen is now working with the Defense Information Systems Agency and other stakeholders to develop the specifications of a completely new security clearance information system. [OPM looking to rebuild trust | Federal News Radio]

US – Most People Don’t Trust Government to Keep Their Personal Data Private, Report

New survey results released on Monday by research firm Accenture show that citizens generally lack faith in the ability of government to keep information safe and are calling for stronger protections. Most — 74% — said they lacked confidence in their government’s ability to keep citizen data private and secure, and 65% said they lacked confidence in the ability of law enforcement to investigate and prosecute on cybercrime cases. Accenture’s state and local security advisor, Lalit Ahluwalia said this survey confirms that “cyber insecurity” remains pervasive and bolsters the existing belief among government agency leaders that cybersecurity should be a top priority. Indeed, cybersecurity was named as the top priority for state chief information officers for the fourth year in a row, according to an industry list. Ultimately, policies are just words on paper — agencies “need to act,” said Lee Tien, senior staff attorney and Adams Chair for internet rights at the Electronic Frontier Foundation, in an email to StateScoop. Having a policy doesn’t mean an agency is being responsible with citizen data, he said. “Does the agency actually have a good IT department that routinely patches and upgrades software and operating systems whenever security weaknesses are discovered?” he said. “Equally important, does the agency allow the IT department to do its job?” [StateScoop]

US – Up to 100,000 Taxpayers Compromised in Fafsa Tool Breach, I.R.S. Says

The Internal Revenue Service said on Thursday that the personal data of as many as 100,000 taxpayers could have been compromised through a scheme in which hackers posed as students using an online tool to apply for financial aid. The agency became concerned last fall when it realized that it was possible for criminals to take advantage of the student loan tool that allows aid applicants to automatically populate the applications with their and their parents’ tax information. The worry was that thieves might use the stolen data to file fraudulent returns and steal refunds, as they did two years ago. “Fortunately we caught this at the front end,” John Koskinen, the I.R.S. commissioner, said Thursday at a Senate Finance Committee hearing. The I.R.S. does not expect the tool to be secure and operational again until October. “Our highest priority is making sure that we protect taxpayers and their identity,” he said. But the breadth of the breach remains unknown, and Mr. Koskinen faced tough questions during the hearing as to why he did not act sooner. [NY Times]

AU – Whistleblowing: Australian Privacy Commissioner Concerned by Possible Forensic Audit of Members of Parliament’s Mobile Phones

The Office of the Privacy Commissioner has prepared a report regarding a forensic audit of mobile phones requested by the Premier of Victoria. Privacy laws may have been contravened by the audit as personal information may have been collected without proper notice to individuals; several requests for information have been sent to the Premier’s office which has claimed cabinet confidentiality to hide violations of law. [DPA Australia – Forensic Audit of Mobile Telephone Records]

AU – Privacy Concerns Remain Over Sydney’s Public Bus Wi-Fi

Patrons of Sydney’s public transportation have been “actively warned” against the complimentary Catch Wi-Fi-provided internet service over privacy concerns, after the controversial program’s 50-bus trial run. “To protect your privacy we recommend against using the Wi-Fi on this bus,” the warning message states. “The terms and conditions state by connecting to it they may collect your ‘name, address, date of birth, location details, drivers licence details, photographs, videos, credit card details, employer and other details’ and sell them to other businesses.” NSW Greens MP and Transport spokeswoman Mehreen Faruqi wondered why the Victorian government could enact a similar program without collecting personal information, and NSW could not. [News.co.au]

US – Organizations Must Monitor and Manage Risks from their Digital Footprint

Much of an organization’s digital footprint is controlled by employees, suppliers, and others that unknowingly expose sensitive information; organizations should understand cyber threats faced (leverage threat intelligence, profile attackers’ tools/techniques, understand target industries/geographies), monitor for data leakage (sensitive code, private encryption keys, employee credentials, intellectual property, security procedures), and monitor for risks to reputation (phishing, domain infringement, spoofed social media accounts and mobile apps). [Digital Shadows – Digital Risk Management – Identifying and Responding to Risks Beyond the Boundary]

E-Mail

CA – Alberta OIPC Investigates Purposely Deleted Gov’t Emails

Alberta privacy commissioner investigates deleted government emails. Wildrose MLA Don MacIntyre sent the request to the commissioner in November regarding an email from James Allen, who was assistant deputy minister in the department of energy, to Balancing Pool CEO Bruce Roberts, in which Allen writes that the email is “sensitive and transitory” and to “please delete” it. Privacy commissioner Jill Clayton confirmed the investigation in a letter to MacIntyre, writing that it “appears from my review of the complaint that information may have been inappropriately withheld in response to access requests made” to the Balancing Pool. MacIntyre had also asked for a wider investigation into a “culture of secrecy” in the government, but the commissioner declined to take that on, saying she didn’t fully understand the request and wasn’t sure if it was part of her office’s jurisdiction. [Edmonton Sun]

CA – Canada’s Anti-Spam Law Adds Teeth, Leaves Potential Opening for Class Actions

Canada already has one of the world’s strictest regimes regulating commercial electronic messages, and, just in time for the country’s 150th birthday, the consequences for breach are about to get much more severe. On July 1, 2017, this regime will add additional teeth in the form of a private right of action, which could drastically increase the threat of legal proceedings and financial consequences for those who violate it. Until July 1, 2017 the primary concern is that violations of Canada’s Anti-Spam Law (“CASL”) would be prosecuted by the bodies responsible for its enforcement (Canadian Radio-television and Telecommunications Commission (the “CRTC”), the Competition Bureau, and the Office of the Privacy Commissioner). After July 1, 2017 those who send commercial electronic messages also face the risk of class proceedings specifically permitted by CASL. This post considers the following: 1) What is CASL?; 2) What is the private right of action?; 3) Why should companies be concerned with the private right of action? (Broad scope of CASL, Different liability standard, Class action concerns); and 4) What are the limitations? CASL has been in force for nearly three years now, and most organizations should be familiar with the legislation’s requirements. Come July 1, however, the availability of CASL’s private right of action will undoubtedly increase the consequences of violations, making compliance with the legislation essential for anyone engaged in sending CEMs. [Source]

Electronic Records

US – Few Patients Electronically Access Their Health Information When Provided the Option

The Government Accountability Office (“GAO”) has reviewed the state of patients’ electronic access to their health information through the Medicare Electronic Health Record Incentive Program. A majority of hospitals/health care professionals offered patients access to an electronic portal (where information could be viewed, downloaded and transmitted), however, only 15% of hospital patients and 30% of professionals’ patients accessed the portal; lower levels of access were seen in high poverty areas, rural areas, health care groups of less than 50 members, specialty practitioners and older patients, and there was variability in the information made available through the portals (lab test results, current medications, clinical history, radiology results). [GAO – HHS Should Assess the Effectiveness of Efforts to Enhance Patient Access to and Use of Electronic Health Information]

EU Developments

EU – MEPs Vote for Full Review of Privacy Shield

MEPs have voted for a review of the controversial Privacy Shield data transfer agreement between the EU and US, concerned over key areas of weakness. The European Commission will now be forced to investigate whether the agreement offers enough protections to EU citizens in compliance with the EU Charter of Fundamental Rights and forthcoming privacy regulation the GDPR. “This resolution aims to ensure that the Privacy Shield stands the test of time and that it does not suffer from critical weaknesses,” said civil liberties committee chair Claude Moraes. As the resolution outlines, MEPs are concerned about a number of recent developments, not least new rules that since January this year have allowed the NSA to share large amounts of private data – obtained without warrants, court orders or the like – with 16 other agencies including the FBI. [InfoSecurity | EurActiv: MEPs want Commission to toughen up Privacy Shield under Trump EU Reporter: #PrivacyShield: MEPs alarmed by US developments that undermine privacy safeguards ]

US – Europe’s Digital Single Market Strategy Must Accommodate Multiple Online Identities and a Balance of Control Over Personal Data

A high level group of scientific advisors under the European Commission has provided an opinion on cybersecurity in the European digital single market. Digital transactions should only require a minimum amount of personal data to be divulged, which is relevant and exclusive to the given context, and different levels of security should be required for separate transactions that deal with various sets of data; the General Data Protection Regulation will require organisations to provide more transparency about what happens to personal data online, and will shift control away from private organisations to the data subject (important in the online world where users unwittingly provide their data) [European Commission – Scientific Opinion No. 2 2017 – Cybersecurity in the European Digital Single Market]

EU – EDPS Publishes Toolkit for Privacy-Friendly Policymaking

The EDPS has published a necessity toolkit. The toolkit is designed to help policymakers identify the impact of new laws on the fundamental right to data protection and determine the cases in which the limitation of this right is truly necessary, the EDPS said today. Almost all EU policy proposals now involve some form of personal data processing. With policymakers increasingly required to respond quickly to acute public security challenges and keep up with developments related to the digital economy or international trade, the need for help to ensure that new proposals respect fundamental rights is greater than ever. In this necessity toolkit, the EDPS provides policymakers with a practical step-by-step checklist, setting out the criteria to be considered by policymakers when they assess the necessity of new legislation, and providing examples to illustrate each step. The toolkit is based on decisions issued by the Court of Justice and the European Court of Human Rights, as well as on Opinions published by both the EDPS and the Article 29 Working Party. It also incorporates feedback gathered on an EDPS background paper on the topic, published in June 2016. This feedback was used to develop the toolkit and ensure that it meets the needs of EU policymakers in all sectors, ranging from security to the digital economy. [EDPS]

EU – Article 29 Working Party Supports Proposed Regulation but Says Terminal Equipment is Insufficiently Protected

The Article 29 Data Protection Working Party has issued an opinion on the proposed ePrivacy Regulation. The proposed Regulation incorrectly suggests that valid consent can be given through non-specific browser settings (the end-user must be able to give separate consent per website or app), and there should be mandatory adherence to the Do Not Track standard; the European Commission should promote a technical standard for mobile devices to automatically signal an objection against WiFi tracking. [Article 29 Data Protection Working Party – Opinion 01/2017 on the proposed Regulation for the ePrivacy Regulation (2002/58/EC) – Working Paper 247 | Article 29 Working Party – Opinion 01/2017]

EU – Article 29 WP Issues Final Guidelines on Data Portability

The Article 29 Working Party has issued final guidelines (revised April 5, 2017) on the right to data portability, the new elements of which are analyzed by a law firm. The guidelines were first issued in December 2016. Data processors will have contractual obligations to assist the controller in responding to portability requests; a controller must assess the interplay between any competing rights on a case-by-case basis under sectoral legislation (but such legislation will not automatically displace the GDPR right). “Observed” data remains within the scope of the right (e.g. raw data processed by a smart meter), but “inferred” data does not (e.g. risk profiles for credit scores); “hindrance” to the right is defined to include fees, excessive delays/complexity, or deliberate obfuscation. [Article 29 WP – Guidelines on the Right to Data Portability | Bird & Bird: https://www.twobirds.com/en/news/articles/2017/global/article-29-working-party-issues-final-guidelines-on-the-right-to-data-portability]

UK – ICO Recommends Organizations to Implement Appropriate Record Keeping Practices to Prevent Data Breaches

The UK ICO has issued recommendations for safeguarding health information. Health records must be properly secured and tracked to prevent loss or accidental disclosure; examples of recent breaches included health records being stored in a garage, records left behind when a doctor moved to a new home (the doctor had taken files home and not returned them to the office), and records left behind during an office relocation. [ICO UK – Garages New Homes and Old Offices – The Records Management Mistakes That Put Health Records at Risk]

EU – Yahoo/US Gov’t Email Surveillance Bothers WP29 Privacy Chiefs

European Union privacy regulators intend to question U.S. national intelligence officials about the extent to which the government orders online communications companies to cooperate in surveillance, they said April 10. [see here] The EU Article 29 Working Party will send a letter to U.S. Director of National Intelligence (DNI) Dan Coats “asking for additional information regarding the legal basis and justification for any surveillance activities concerning EU data subjects.” The move comes after the EU privacy regulators in October 2016 said they were concerned about the alleged scanning of Yahoo! Inc. customers’ incoming emails at the request of U.S. intelligence agencies. U.S. surveillance of EU citizens has increasingly become an issue with the approach of the EU-U.S. Privacy Shield data transfer program’s first annual review in September. Similar surveillance concerns were raised by an April 6 European Parliament resolution. There are “great concerns” about broadening the authority of the National Security Agency to share data it collects with other law enforcement agencies, the resolution said. EU lawmakers are also “alarmed” about reports of surveillance of emails by an unnamed “US electronic communications service provider,” it said. [Yahoo U.S. Email Surveillance Bothers EU Privacy Chiefs]

EU – WP29 Issues Final Guidelines on Data Protection Officers

At its plenary session on 5 April, the Article 29 Working Party (“WP29”) approved revised guidance interpreting elements of the General Data Protection Regulation (“GDPR”), including on the appointment of data protection officers. The revisions to the draft guidance, which was initially released in December 2016, followed a period of open public consultation that ran through the end of January 2017. You can find our summary of the December 2016 highlights here. Some of the new points raised by the WP29 in its final guidance are as follows: 1) Accountability means that DPO assessments need to be kept up-to-date and can be requested at any time; 2) No “a la carte” DPO appointments; 3) Big data now an example of ‘regular and systematic monitoring’; 4) Preferably, the DPO should be located within the EU; 5) There can only be one DPO, but supported by a team; 6) Duty to ensure the confidentiality of communications between the DPO and employees; 7) Senior managers including Head of HR, Marketing or IT individuals are barred from serving as the DPO; and 8) The GDPR does not prevent the DPO from maintaining records of processing. The revised guidance on portability is available here. For a redline comparison with the earlier draft, click here. [Source]

EU – Proposed e-Privacy Regulation Permits Unacceptable Processing of Personal Data

European Digital Rights has issued comments on the proposed draft regulation concerning privacy in electronic communications. The Regulation permits tracking of communication devices in public spaces (provided there is user notification), on first use of software or smart devices, users would be forced to accept privacy settings that may negate their rights, and declining consent for tracking using device fingerprinting is not addressed (only through third parties); the scope of retention of electronic communications data has increased without sufficient protections to ensure storage is limited to what is strictly necessary, or that only anonymised data is used. [European Digital Rights’ Position on the Proposal of an e-Privacy Regulation]

EU – Commission Requests Standardisation in Data Protection & Security Policy

An article offers insight into the role of standardisation as a form of co-regulation in the data protection context. As regulation shifts from the European Commission to co-regulation with industry, the Commission has requested that the EU Standardisation Organisations create standards on how to address/manage privacy by design; standards will also be created on how to realise privacy and personal data protection management processes, including descriptions of necessary roles, tasks, documentation, hardware/software requirements, and templates for applying the standards. [Co-Regulation in EU Personal Data Protection – The Case of Technical Standards and Privacy by Design Standardisation Mandate – Irene Kamara – European Journal of Law and Technology]

EU – H&W’s CIPL Issues Discussion Paper on GDPR Certifications

The Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP has issued a discussion paper on Certifications, Seals and Marks under the GDPR and Their Roles as Accountability Tools and Cross-Border Data Transfer Mechanisms. It sets forth recommendations concerning the implementation of the EU General Data Protection Regulation’s (“GDPR’s”) provisions on the development and use of certification mechanisms. Certifications, seals and marks have the potential to play a significant role in enabling companies to achieve and demonstrate organizational accountability and GDPR compliance for some or all of their services, products or activities. The capability of certifications to provide a comprehensive GDPR compliance structure will be particularly useful for small and medium-sized enterprises. For large and multinational companies, certifications may facilitate business arrangements with business partners and service providers. In addition, certifications, seals and marks can be used as accountable, safe and efficient cross-border data transfer mechanisms under the GDPR. [CIPL Issues Discussion Paper on GDPR Certifications]

Facts & Stats

US – Analysis Finds 1,800 Health Care Breaches Since 2009

An analysis of data from the Department of Health and Human Services found nearly 1,800 large data breaches involving patient information since 2009. Of the breaches, more than 1,200 affected health care providers, while 257 breaches were reported by 216 hospitals, including many large teaching hospitals. Trivalent CTO John Suit said the analysis shows data protection technology has failed to keep up with health care digitization, and traditional encryption is not enough to stop cyber threats. “The result is an extreme risk for patients who put their trust in health care organizations to address their medical concerns, but also protect their sensitive and personal information,” said Suit. “Hospitals, pharmacies, assisted living facilities, insurance providers, and research institutions must strengthen their security strategy and adopt a defense-in-depth approach with multiple layers of protection.” [Health Data Management]

Finance

WW – Hackers Release Files Indicating NSA Monitored Global Bank Transfers

Hackers released documents and files on Friday that cybersecurity experts said indicated the U.S. National Security Agency had accessed the SWIFT [Society for Worldwide Interbank Financial Telecommunication – see here] interbank messaging system, allowing it to monitor money flows among some Middle Eastern and Latin American banks. The documents and files were released by a group calling themselves The Shadow Brokers. Also published were many programs for attacking various versions of the Windows operating system, at least some of which still work, researchers said. In a statement to Reuters, Microsoft, maker of Windows, said it had not been warned by any part of the U.S. government that such files existed or had been stolen. The absence of warning is significant because the NSA knew for months about the Shadow Brokers breach, officials previously told Reuters. Under a White House process established by former President Barack Obama’s staff, companies were usually warned about dangerous flaws [Vulnerabilities Equities Process (VEP) – see here & here]. The SWIFT messaging system is used by banks to transfer trillions of dollars each day. Belgium-based SWIFT downplayed the risk of attacks employing the code released by hackers on Friday. Cris Thomas, a prominent security researcher with the cybersecurity firm Tenable, said the documents and files released by the Shadow Brokers show “the NSA has been able to compromise SWIFT banking systems, presumably as a way to monitor, if not disrupt, financial transactions to terrorist groups”. [Reuters]

FOI

CA – Two Alta OIPC Reports Highlight Obstacles to Gov’t Oversight & FoI

The Information and Privacy Commissioner tabled two reports in the legislature related to the Commissioner’s functions under the Freedom of Information and Protection of Privacy Act (FOIP Act). Investigation Report F2017-IR-03 concerns allegations of delays and possible interference in the Government of Alberta’s (GoA) handling of access requests. The report identifies a number of factors that contribute to delays, including a significant increase in the number of access requests, the complexity of requests and applicant expectations. However, the investigation faced a number of challenges that made it impossible to make meaningful and reliable findings with respect to other potential issues in the access request response process. “I am deeply disappointed in how this matter has unfolded. What should have been a relatively straightforward investigation has concluded under a shadow that brings the very notion of independent oversight of the executive branch of government into question and has the potential to erode public confidence in an open and accountable government,” said Commissioner Jill Clayton. During the investigation, the question of whether the Commissioner has the power to require public bodies to produce records over which solicitor-client privilege has been claimed made its way through the court system. In November 2016, the Supreme Court of Canada (SCC) decided that the Alberta Legislature did not use the right words in the FOIP Act to give the Commissioner this power. [see here] Following the SCC’s decision, the Commissioner issued a statement saying that she would write to government with options for how to proceed on this issue. 
However, as an independent Officer of the Legislature who reports to the Legislative Assembly and not to government, and whose ability to perform core functions as an Officer of the Legislature has been compromised (as evidenced, in part, by the investigation referenced above), the Commissioner decided to table a Special Report and Request for Legislative Amendment in the legislature on producing records to the Commissioner. [Alberta Information & Privacy Commissioner Press Release | Investigation Report F2017-IR-03: Investigation into allegations of delays and possible interference in responding to access requests | Producing Records to the Commissioner: Restoring Independent and Effective Oversight under the FOIP Act]

CA – OIPC NFLD Recommends That Employees Who Conduct Searches for Records Do Not Determine Whether Records Are Responsive

New OIPC guidance outlines OIPC NL expectations and standards when it receives complaints alleging incomplete responses to requests for records pursuant to the Access to Information and Protection of Privacy Act (the “Act”). An FOI Coordinator is in the best position, as someone more experienced with requests for access to records, to determine whether records are responsive; the Coordinator should establish a written policy or practice as to how a search should be carried out and keep a copy of the instructions sent to employees regarding the search. [OIPC NFLD – Practice Bulletin: Reasonable Search]

CA – Institutions Should Provide Individuals with Information Regarding their Right to Access Records

The Office of the Saskatchewan Information and Privacy Commissioner has issued recommendations to government institutions on how to address access requests made under the Freedom of Information and Protection of Privacy Act or the Local Authority Freedom of Information and Protection of Privacy Act. Individuals do not necessarily know about their right to access records; government institutions and local authorities should provide individuals with information on how to submit a formal access request, the timelines to receive a response, fees associated with the request, the right to appeal to the privacy commissioner and the importance of narrowing the request. [OIPC SK – Assisting the Applicant – Sharon Young]

WW – Microsoft Releases Biannual Transparency Reports

Microsoft released its most recent biannual transparency reports on the Microsoft Transparency Hub. These reports consist of the Law Enforcement Requests Report and the U.S. National Security Orders Report, which cover the period from July to December 2016 and are largely consistent with previous reports, and the Content Removal Requests Report, which details acceptance rates regarding requests to remove content from governments, copyright holders, individuals subject to the European Union’s “Right to Be Forgotten” ruling and victims of non-consensual pornography. It also disclosed a National Security Letter (NSL) received from the Federal Bureau of Investigation (FBI) in 2014, which sought data belonging to a customer of our consumer services. Microsoft is the latest in a series of companies able to disclose an NSL due to provisions in the USA Freedom Act requiring the FBI to review previously issued non-disclosure orders. The NSL was included in the aggregate data of a previous report, but we’re newly able to disclose its content for this reporting period. There are times when secrecy is vital to an investigation, but too often secrecy orders are unnecessarily used, or are needlessly indefinite and prevent us from telling customers of intrusions even after investigations are long over. That’s why we asked a federal court to weigh in on the increasing frequency of these orders. Our hope is this lawsuit will lead to new rules or laws that keep secrecy for times when it is truly essential. [MSFT Blog]

US – Trump’s White House on Defensive Over Transparency

The White House was forced Monday to defend its controversial positions to keep its visitor logs secret and President Donald Trump’s tax returns private. Under fire over the White House’s decision Friday to buck Barack Obama’s precedent by withholding visitor logs, Spicer said the prior administration was the one with a transparency issue. “Frankly, the faux attempt that the Obama administration put out where they would scrub who they didn’t want put out didn’t serve anyone well,” Spicer told reporters Monday. “It’s not really being transparent when you scrub out the names of the people that you don’t want anyone to know were here.” Spicer framed the visitor logs decision as a return to the pre-Obama policy and no different than the protocol for lobbyists and others who visit members of Congress. Spicer said the White House keeps the media abreast of the president’s activities. Reporters travel with Trump on Air Force One, after flying separately during the 2016 campaign. Members of the media also are given brief access to photograph many of Trump’s meetings, and he holds news conferences when major foreign leaders visit. [Politico]

Genetics

CA – Canada Passes Legislation Protecting Genetic Information

The Canadian Parliament recently passed Bill S-201, the Genetic Non-Discrimination Act, which protects individuals from having to disclose information related to genetic testing and test results. Contravention of the Act is punishable by significant fines and even potential imprisonment. There are express exceptions for health care practitioners who are providing health services to patients and researchers who are collecting information from participants in medical, pharmaceutical or scientific research. Supporters of the new legislation believe that this will remove perceived obstacles to genetic testing such as fear that the results of that testing will be used to discriminate against the patients. Canada’s legislative initiative on genetic testing is similar to the U.S. Genetic Information Nondiscrimination Act. Restrictions on the use of genetic test results have also been adopted in certain European jurisdictions, including France. The Association of British Insurers and government in the U.K. adopted a Concordat and voluntary moratorium limiting the use of genetic testing by insurers. Other countries have yet to address the issue. The evolving global quilt of responses to this issue indicates that a global consensus has yet to emerge. [Data Protection Report]

Health / Medical

CA – Ontario Proposes Prescribed Circumstances Under Which Health Information Custodians Must Notify IPC of Breach

Amendments are proposed to Ontario Regulation 329/04 under the Personal Health Information Protection Act (“PHIPA”). Public comments are due by May 8, 2017. The amendments, effective July 1, 2017, would require a custodian to notify the IPC of a suspected breach, if the breach is part of a pattern, if the custodian has notified a governing College of a breach, or if the breach is “significant” (based on the nature of the PHI, the number of records or individuals, or number of custodians/agents responsible for the breach); a custodian would be required, effective 2019, to annually report the number of breaches it notified to affected individuals in the preceding calendar year. [Proposed Amendments to Ontario Regulation 329/04 Regarding Notices to the Commissioner Under the Personal Health Information Protection Act – Ontario | Press Release | Proposed Amendments]

CA – Sask IPC: Private Health Firms Should Be “Trustees” Under HIPA

Sask. privacy commissioner recommends private health-care providers be governed by health info protections. It took a matter of moments for a ransomware attack to incapacitate the patient database of Saskatoon’s Professional Sport Rehabilitation Corporation. The ransomware incident in October 2016 affected the [Saskatoon’s Professional Sport Rehabilitation Corporation – Pro Sport] database containing private information such as patients’ names, addresses, phone numbers, health numbers, details of their injuries and treatment plans. On the day of the incident (October 12), ProSport’s office manager reported the attack to Saskatchewan’s Information and Privacy Commissioner’s Office. On Oct. 26, it filed a formal incident report to the privacy commissioner’s office. In a report (see 10 pg pdf here) following his investigation into the incident, Information and Privacy Commissioner Ronald Kruzeniski recommended that patient information collected by private businesses whose primary purpose is to provide health services should be governed by provincial health information protections. Kruzeniski made the same recommendation previously, in his 2015-2016 annual report (see 19 pg pdf here). Kruzeniski recommended that ProSport only collect Saskatchewan Health numbers from patients for whom the service provided is publicly funded. He also recommended that the business “securely destroy” all health numbers it has on file that are not needed to collect public funding. [Star Phoenix]

WW – Google Study Seeks 10,000 Volunteers to Share Medical Data

Google’s health spinout, Verily, is looking for 10,000 American volunteers to share intimate and sensitive information about their bodies in an attempt to help predict heart disease and cancer. Called the Baseline Project, the multi-year study could cost upwards of $100 million. Volunteers will be asked to submit to an extensive amount of tests and physical monitoring, including a heart monitor to follow pulse and movements in real time. They will also get x-ray and heart scans, genomes deciphered, and blood tests over a four-year period. Sanjiv Sam Gambhir, a physician researcher at Stanford University and Baseline investigator, said, “No one has done this kind of deep dive on so many individuals. This depth has never been attempted. It’s to enable generations to come to mine it, to ask questions, without presupposing what the questions are.” [MIT Technology Review]

US – HIPAA Enforcement Issues Straight from the Regulator

At the March 26-29 Health Care Compliance Association’s annual “Compliance Institute,” [see here] Iliana Peters, HHS Office for Civil Rights’ Senior Advisor for HIPAA Compliance and Enforcement, provided a thorough update of HIPAA enforcement trends as well as a road map to OCR’s current and future endeavors. Ms. Peters identified ten key enforcement issues that OCR continues to encounter through its enforcement of HIPAA. Do any of them look familiar to you? These issues include: 1) Impermissible Disclosures; 2) Lack of Business Associate Agreements; 3) Incomplete or Inaccurate Risk Analysis; 4) Failure to manage identified risks; 5) Lack of transmission security; 6) Lack of Appropriate Auditing; 7) Patching of Software; 8) Insider Threats; 9) Disposal of PHI; and 10) Insufficient Backup and Contingency Planning. OCR also identified upcoming guidance and FAQs. The presentation also identifies two long-term regulatory goals to implement certain provisions of the HITECH Act. One regulation will relate to providing individuals harmed by HIPAA violations with a percentage of any civil monetary penalties or settlements collected by OCR, while the second will implement a HITECH Act provision related to the accounting of disclosures of PHI. The presentation discussed the current status of OCR’s audit program. [Privacy and Security Matters]

US – Dept. of Health and Human Service Establishes Health Cybersecurity and Communications Integration Center

The US Department of Health and Human Services (HHS) is establishing its own version of the Department of Homeland Security’s (DHS’s) National Cybersecurity and Communications Integration Center (NCCIC). The Health Cybersecurity and Communications Integration Center (HCCIC) is expected to be operational by the end of June 2017. HHS has given the National Health Information Sharing and Analysis Center grants to help encourage wide participation and ensure that small health services offices can benefit from the information that is gathered. [HHS to stand up its own version of the NCCIC for health]

US – HHS Imposes $400,000 Fine for Breach of 3,200 Patients’ ePHI

The Department of Health and Human Services, Office for Civil Rights enters into an agreement with Metro Community Provider Network to settle alleged violations of the HIPAA Privacy and Security Rules. [HHS – Resolution Agreement – Metro Community Provider Network]

US – HHS Provides Checklist to Help Organizations Measure Effectiveness of Privacy Programs

The Department of Health and Human Services’ Office of the Inspector General has provided guidance to organizations on measuring the effectiveness of privacy and compliance programs. Organizations should ensure standards, policies and procedures are readily available to employees, reviewed by external experts, based on assessed risks, and there is no contradiction/overlap of policies; ensure training requirements for high risk positions are established, a formal process is in place to make staff aware of new laws, regulations, and policies, and review policies/procedures following investigations or raised issues. [HHS – Measuring Compliance Program Effectiveness – A Resource Guide]

Horror Stories

US – Breach Exposes Student Data of 1.3 Million Kids

Earlier this month 1.3 million K-12 students’ personal information was exposed in a data breach of data warehouse platform Schoolzilla. Originally discovered by security researcher Chris Vickery, a “file configuration error” led to the exposure of the student data, including the Social Security numbers of some. Vickery did not produce evidence of the breach because he deleted the database from his own computer. “The sheer volume of private student data, including (test) scores and Social Security numbers for children, convinced me that it should be purged from my storage in an expedited fashion.” Vickery did applaud Schoolzilla’s quick actions to fix the error that led to the breach. [The Daily Dot]

WW – InterContinental Hotels Data Breach Affects Nearly 1,200 Properties

InterContinental Hotels Group now says that the number of properties affected by a payment system breach is close to 1,200, a notable increase from its first estimate of 12. All but one of the affected properties are in the US. The systems were compromised between September 29 and December 29, 2016. [InterContinental Hotel Chain Breach Expands | InterContinental Hotels data breach expands from 12 to 1,200 hotels | Holiday Inn hotels hit by card payment system hack | InterContinental Hotels Group (IHG) Notifies Guests of Payment Card Incident at IHG-Branded Franchise Hotel Locations in the Americas Region]

Identity Issues

IN – Gov’t Site Posts Over a Million Aadhaar Numbers & Details

Digital identities of more than a million citizens have been compromised by a programming error on a website maintained by the Jharkhand Directorate of Social Security. The glitch by the Jharkhand Directorate of Social Security revealed the names, addresses, Aadhaar numbers and bank account details of the beneficiaries of Jharkhand’s old age pension scheme. Jharkhand has over 1.6 million pensioners, 1.4 million of whom have seeded their bank accounts with their Aadhaar numbers to avail of direct bank transfers for their monthly pensions. Their personal details are now freely available to anyone who logs onto the website, a major privacy breach at a time when the Supreme Court, cyber-security experts and opposition politicians have questioned a government policy to make Aadhaar mandatory to get benefits of a variety of government schemes and services. [Details of over a million Aadhaar numbers published on Jharkhand govt website | Aadhaar & Lessons from countries that resisted biometric IDs]

Law Enforcement

US – Fight Continues Over CBP Prohibition On Recording Officers in Public

Government Can’t Shut Down Public Recording That Doesn’t Interfere with Law Enforcement

The US Border Patrol prohibits any recording within 150 feet of their location, which includes the public roadside. A federal district court found that the new rule was a valid time, place, or manner restriction on First Amendment-protected activity [see here]. Cato, with the assistance of the UCLA Law School First Amendment Clinic and noted scholar Eugene Volokh, has filed an amicus brief asking the U.S. Court of Appeals for the Ninth Circuit to reverse that ruling. [CATO At Liberty Blog]

Location

US – Uber Responds to Report That it Tracked Devices After its App Was Deleted

Uber tracked former users even after they deleted the app from their iPhones, a practice that eventually earned CEO Travis Kalanick a scolding from Apple chief executive Tim Cook, the New York Times reports. Uber allegedly used a practice called fingerprinting to track devices after the app was deleted. Uber reportedly began fingerprinting iPhones as a fraud-prevention method in locations like China. Drivers there would register multiple Uber accounts on stolen iPhones and use them to request rides, thereby boosting the number of overall rides, a metric that Uber rewards with bonuses. Apple previously allowed developers to track their users with a Unique Device Identifier, or UDID. This kind of tracking was persistent across installs, but as Apple became more concerned with user privacy, it deprecated UDIDs in 2013. Apple replaced UDIDs with other variants of trackers that are designed to be less intrusive, including vendor IDs and advertising IDs. It’s not clear how Uber fingerprinted the devices in 2015 that led to the meeting between Kalanick and Cook. In order to prevent Apple engineers from discovering the fingerprinting, Uber allegedly geofenced Apple’s Cupertino headquarters to hide the code used in the process. But Apple engineers based in other offices discovered the trick, according to the New York Times [see here] and confirmed by TechCrunch, leading Cook to summon Kalanick to his office in early 2015. An Uber spokesperson said: “We absolutely do not track individual users or their location if they’ve deleted the app. As the New York Times story notes towards the very end, this is a typical way to prevent fraudsters from loading Uber onto a stolen phone, putting in a stolen credit card, taking an expensive ride and then wiping the phone—over and over again. Similar techniques are also used for detecting and blocking suspicious logins to protect our users’ accounts. Being able to recognize known bad actors when they try to get back onto our network is an important security measure for both Uber and our users.” [TechCrunch]

Online Privacy

US – FTC Issues Recommendations on How to Assist Victims of Phishing Scams

The FTC has issued recommendations to prevent phishing scams. Organizations may support their customers by notifying them as soon as possible via social media sites, email or letter, including a warning to ignore suspicious emails or text messages and a reminder that sensitive personal information is never required by the company through insecure channels; other steps organizations may take include contacting law enforcement (FBI’s Internet Crime Complaint Center) and providing resources to affected customers (direct them to www.IdentityTheft.gov). [FTC – Has a Phishing Scam Hooked Your Company’s Good Name?]

US – Identity Theft: Services Are Limited at Detecting All Types of Fraud: GAO

The Government Accountability Office was asked to examine the marketplace for identity theft services:

  • the potential benefits and limitations of ID theft services available to consumers;
  • marketing, billing, and security issues associated with these services; and
  • factors that affect government and private-sector decision making about offering ID theft services.

Credit monitoring does not detect existing account fraud, and the effectiveness of ID monitoring is unclear (some types of fraud are not monitored, such as debit/check card fraud, tax refund fraud and medical ID theft); ID theft services typically process a broad range of sensitive PI (putting customers at risk in the event of a cyberattack), and some providers’ websites appear misleading or vague (e.g. incorrectly implying that credit monitoring prevents, rather than just detects, ID theft). [Government Accountability Office – Identity Theft Services]

WW – Google May Unveil Ad-Blocking Tool in Chrome

Google is mulling plans to roll out an ad-blocking feature in its Chrome browser, though it may decide not to move forward if certain details are not ironed out. The feature “could be switched on by default” and would filter out “certain online ad types deemed to provide bad experience for users as they move around the web.” An official announcement of the tool is expected within weeks. One possible application being considered would “block all advertising that appears on sites with offending ads, instead of the individual offending ads themselves. In other words, site owners may be required to ensure all of their ads meet the standards, or could see all advertising across their sites blocked in Chrome,” the report states. [The Wall Street Journal | Google Working on an Ad Blocker for Chrome | Report: Google will add an ad blocker to all version of Chrome web browser | Chrome: Is ad giant Google about to roll out in its own ad blocker? | Coalition for Better Ads Releases Initial Better Ads Standards for Desktop and Mobile Web in North America and Europe]

Other Jurisdictions

US – Google Must Give Gov’t Overseas Data, Judge Says

On April 19, San Francisco US magistrate judge Laurel Beeler ruled that Google Inc. can’t quash a search warrant requesting certain user content stored overseas, holding that the tech giant must produce all responsive information that is retrievable from the United States, regardless of where it is stored, and finding that the disclosure of information from the company’s headquarters in the United States is a domestic application of the Stored Communications Act. [See 9 pg pdf here]. The dispute stems from a June search warrant requesting data from specific Google email accounts, including subscriber information, evidence of specified crimes and information about the account holders’ true identities, locations and assets, according to the opinion. The tech giant asked to quash the search warrant in December, contending that the government can’t force it to turn over the extraterritorial content. Google cited the Second Circuit’s July decision [see 63 pg pdf here] in a similar case involving Microsoft, which held that the SCA didn’t apply outside the United States and the company needn’t disclose user content housed on a server in Ireland. In that matter, the government sought rehearing en banc, which the Second Circuit denied in a 4-4 decision. [See 60 pg pdf here] However, Judge Beeler said Wednesday that she found the dissenters’ reasoning persuasive, holding the statute’s application here is lawful. [Source]

US – Department of Education Site Accidentally Publishes Student, Parent Data

The Victorian Department of Education has announced that it has accidentally published on its website the information of up to 115 families who submitted comments on proposed regulations for state schools. Data that was up for part of the past weekend included information on a domestic violence case and student absence due to self-harm, the report states. While the DoE said it was “very sorry” about the incident, it didn’t elaborate on its cause and said it was conducting an independent investigation to discover how it happened. “The department took immediate action to take the submissions down as soon as the breach was discovered,” a spokesperson said. “We understand the seriousness of this incident, and we are contacting those affected to apologise directly.” [ZDNet]

Privacy (US)

US – FTC Continues to Scrutinize Mobile Apps and Security Practices

The FTC highlights its enforcement efforts in 2016. Highlights from 2016 include:

During 2016, the FTC investigated issues related to marketing (bypassing user permissions and illegal robocalls), consumer tracking (of children in violation of COPPA and of individuals who opted out) and security (failure to prevent unauthorized access to personal information); companies deceived consumers with false claims about their products/services, undisclosed/inflated debt fees, and used consumer information inappropriately (to take money from bank accounts, public disclosure of sensitive medical information). [FTC Annual Highlights 2016 – Enforcement]

US – FTC Seeks Comment on Proposed Changes to Truste’s COPPA Safe Harbor Program

In a press release, the Federal Trade Commission announced it is seeking comment on proposed changes to TRUSTe’s COPPA safe harbor program. The FTC said it will publish a notice in the Federal Register shortly seeking input, including “the addition of a new requirement that participants conduct an annual internal assessment of third-parties’ collection of personal information from children on their websites or online services.” Specific questions the FTC is seeking comment on also include “whether the mechanisms used to assess compliance with the proposed modified program requirements are effective.” The comment period will be open until May 24. [FTC.gov]

US – FTC Seeks Comment on Proposed Changes to TRUSTE’s COPPA Safe Harbor Program

The Federal Trade Commission is seeking comment on proposed changes to TRUSTe’s safe harbor program under the agency’s Children’s Online Privacy Protection Rule. The FTC’s COPPA Rule includes a “safe harbor” provision designed to encourage increased industry self-regulation in this area. Under this provision, industry groups and others may ask the Commission to approve self-regulatory guidelines that implement the protections of the Rule. Companies that comply with the FTC-approved guidelines receive safe harbor from agency enforcement action under the Rule. In a Federal Register notice to be published shortly, the FTC is seeking comment on proposed changes to TRUSTe’s existing safe harbor program including the addition of a new requirement that participants conduct an annual internal assessment of third-parties’ collection of personal information from children on their websites or online services. Among the questions the Commission is seeking comment on is whether the mechanisms used to assess compliance with the proposed modified program requirements are effective. The comment period will last for 30 days until May 24. [FTC]

US – EFF Releases Report on Tech Companies and Data Collection in Schools

The Electronic Frontier Foundation has released a new report on the education technology industry and its student data collection practices. The report, “Spying on Students: School-Issued Devices and Student Privacy,” argues that state and federal laws as well as industry self-regulation “has failed to keep up with a growing” industry. “At the same time,” the EFF blog post states, “schools are eager to incorporate technology in the classroom to engage students and assist teachers, but may unwittingly help tech companies surveil and track students. Ultimately, students and their data are caught in the middle without sufficient privacy protections.” The report surveyed more than 1,000 stakeholders in the U.S. and reviewed 152 education technology policies over the course of the last year. The EFF’s Amul Kalia said, “In this whitepaper, we lay out specific strategies” for parents, teachers, and other stakeholders so they can “push their schools and districts in the right direction.” [EFF.org]

US – School Districts Should Implement Acceptable Use Policy for All Online Activity

The National School Board Association (NSBA) has issued a legal and policy guide for school boards on data security. The policy should govern all online activity both internally, and on the Internet for both staff and students to protect the school from legal ramifications from education apps that use lengthy terms and conditions written in legalese; school districts should consider incorporating school security policies into staff job descriptions, assign specific individuals to monitor compliance, train staff on common risks and errors that lead to breaches, and use encryption for sensitive data or files transmitted by unsecured email. [Data Security for Schools – A Legal and Policy Guide for School Boards – National School Board Association]

Security

WW – Global Survey: 64% Of Security Pros Can’t Stop a Mobile Data Breach

64% of security professionals doubt their organizations can prevent a breach to employees’ mobile devices, a recent Dimensional Research survey of 410 security leaders found. The survey [sponsored by Check Point Software: “Security professionals worldwide from an independent global database were invited to participate in a survey on the topic of mobile device security. A total of 410 participants who have security leadership or frontline responsibilities completed the global survey. Participants represented each of the five continents with the full spectrum of job responsibilities and company sizes. The survey was administered electronically and participants were offered a token compensation for their participation.” See pg 9 here] found that 20% of businesses have experienced a mobile breach, and another 24% don’t know, or can’t tell, whether they’ve experienced one. Strikingly, 51% of respondents believe the risk of mobile data loss is equal to or greater than that for PCs. More than a third of companies fail to secure mobile devices adequately, with only 38% leveraging a dedicated mobile security solution. When asked why, 53% of respondents cited a lack of budget, and 41% cited a shortage of resources. 94% of respondents expect the frequency of mobile attacks to increase, and 79% expect the difficulty of securing mobile devices to grow. Separately, a CITO Research survey of more than 100 mobility professionals found that 57% of respondents are concerned about corporate data on personal and other non-managed devices. That’s an increase of 13% over a similar survey in 2016. [eSecurity Planet]

WW – Report Shows Hacking, Phishing, Malware Top Cause of Data Incidents

BakerHostetler has released its 2017 Data Security Incident Response Report highlighting the need for business leaders to understand and be prepared for the risks associated with cyberthreats. Analyzing more than 450 cyber incidents that the firm’s privacy and data protection team handled last year, the report found phishing, hacking or malware cause the majority of incidents at 43%, a 12% jump from last year. Human error came in second at 32%. The report also offers information on typical ransomware attack scenarios, the average incident response timeline for events, the value of a good forensics investigation, and the frequency with which events caused an investigation by regulators and lawsuits. [Report]

Surveillance

WW – Popular Bose Headphones Spy on Users, Lawsuit Says

The audio maker Bose, whose wireless headphones sell for up to $350, uses an app to collect the listening habits of its customers and provide that information to third parties—all without the knowledge and permission of the users, according to a lawsuit filed in Chicago on Tuesday. The complaint accuses Boston-based Bose of violating the WireTap Act and a variety of state privacy laws, adding that a person’s audio history can include a window into a person’s life and views. In addition to the QuietComfort 35 headphones, the other Bose products cited in the complaint are the SoundSport Wireless, Sound Sport Pulse Wireless, QuietControl 30, SoundLink Around-Ear Wireless Headphones II, and SoundLink Color II. If the allegations are true, the Bose case is just the latest privacy incident involving the so-called “Internet of things” in which more companies and devices that are connected to the web can’t resist the temptation of harvesting the consumer data they throw off. [Fortune]

CA – Winnipeg Police Using Technology to Intercept Cellphone Communications

In a statement, the Winnipeg Police Service said it “can confirm that it possesses a cell site simulator (CSS).” “It is only deployed under judicial authorization, or in exigent circumstances. We are concerned that providing too much information about investigative techniques could jeopardize active investigations and threaten public and officer safety. As such, we will not be providing the number of CSS technicians employed by the WPS, nor the number of investigations conducted using this device in 2015 and 2016.” A police spokeswoman admitted one of the main criticisms of CSS devices is about loss of privacy to third-party individuals. “The Winnipeg Police Service respects the privacy of innocent bystanders. The collected data does not include phone numbers or any other personal identifying information or data. The collected data relating to third parties is preserved and not accessed by anyone other than the CSS technicians, until ordered otherwise by an appropriate court,” she said. But lawyer Scott Newman, a spokesman for the Criminal Defence Lawyers Association, said he’s still concerned about the use of the technology by police. 
“It’s all well and good for police to say ‘trust us, we are protecting your privacy’, but without having seen the guidelines, we don’t know if the technology is being used appropriately.” [Winnipeg Free Press] See also: [CBC News: Cellphone surveillance technology being used by local police across Canada | Toronto Star: Regulate use of surveillance devices by police forces: Editorial | CBC News: RCMP reveals use of secretive cellphone surveillance technology for the first time | Toronto Star: RCMP acknowledges using phone trackers to collect Canadians’ cellular details | Globe & Mail: RCMP reveals its use of cellphone-tracking machines | OpenMedia: After years of secrecy, RCMP finally admits to using mass cell phone surveillance tools on Canadians | CBC News: RCMP, CSIS launch investigations into phone spying on Parliament Hill after CBC story | CBC News: Someone is spying on cellphones in the nation’s capital]

US – NSA/FBI FISA FAQ: We’re Spying On You for Your Own Protection

A new factsheet by the NSA and FBI [The FISA Amendments Act: Q&A – 10 pg pdf see here] has laid bare contradictions in how US intelligence agencies choose to interpret a law designed to prevent spying on American citizens, but which they use to achieve exactly that end. The document even claims that it is surveilling US citizens for their own protection while at the same time claiming that it is not doing so. The obvious and painful contradictions are testament to the very reason why the factsheet had to be prepared in the first place: Congress is threatening not to renew the legislation due to the intelligence agencies’ willful misrepresentation of the law to perform the very activities it was designed to prevent. There is of course one positive to the “factsheet” on Section 702: thanks to information in the public domain and Congressional hearings, the intelligence agencies have been forced to flag their own contradictions in how they chose to interpret the law. If Congress does its job properly, those contradictions will be removed and future-proofed before the intelligence agencies get their right to spy on US communications returned to them. [The Register]

US – Report: Tech Companies Are Spying on Children Through Devices and Software Used in Classroom

Technology companies are spying on school kids through devices and software used in classrooms. Those companies often collect and store children’s names, birth dates, browsing histories, location data and much more — often without adequate privacy protections or the awareness and consent of parents, according to a new report [Spying on Students: School-Issued Devices and Student Privacy] from the nonprofit Electronic Frontier Foundation (EFF). One-third of all K–12 students in the United States use school-issued devices running software and apps that collect far more information on kids than is necessary. Resource-poor school districts can receive these tools at deeply discounted prices or for free, as tech companies seek a slice of the $8 billion ed tech industry. But there’s a real, devastating cost — the tracking, cataloguing and exploitation of data about children as young as 5 years old. “Parents, teachers, and other stakeholders feel helpless in dealing with student privacy issues in their community. In some cases students are required to use the tools and can’t opt out, but they and their families are given little to no information about if or how their kids’ data is being protected and collected,” said EFF in a statement. [The Journal]

US Government Programs

US – Trump Fast Tracks Facial Recognition in US Airports

The United States is fast-tracking a facial recognition system in U.S. airports. Called Biometric Exit, the system employs facial matching to individuals leaving the country to identify whether a traveler entered the U.S. legally. Passengers would submit to a photo prior to boarding a plane; that photo would then be matched with passport-style photos in visa applications. If there’s no match, the report states, it could be evidence the traveller entered the country illegally. Biometric Exit has been under development for some time and has been tested on a flight from Atlanta to Tokyo, but, according to the report, the Trump administration has expedited implementation of the system, and it is expected to be used in other U.S. airports this summer, with the intention of rolling it out to every international flight and border crossing in the U.S. Larry Panetta, of the U.S. Customs and Border Protection, said, “Facial recognition is the path forward we’re working on.” [The Verge]

US Legislation

US – Bi-Partisan Federal Bill Provides Greater Privacy Protection for U.S. Citizens’ Digital Data at the Border

Senate Bill 823, the Protecting Data at the Border Act, is introduced. Border guards would generally be required to obtain a probable cause warrant to gain access to the digital contents of a citizen’s equipment or account; exceptions to the warrant requirement include government authority under FISA, emergency situations, protection of public health and safety and a citizen’s express consent. The bill imposes detailed audit and reporting requirements related to such searches on the Department of Homeland Security, which it must make publicly available and submit to Congress. [Senate Bill 823 – Protecting Data at the Border Act – 115th Congress | The Register]

US – CA Assemblyman Pulls Controversial Bill from Privacy Committee Hearing

California Assemblyman Jim Cooper (D-Elk Grove) has withdrawn AB-165 — a controversial bill that would have provided a student exclusion to the existing California Electronic Communications Privacy Act (CalECPA) — from a Privacy Committee hearing scheduled for Tuesday, April 18. The bill would have allowed a local educational agency, or any individual acting on behalf of a local educational agency, to search an electronic device or online account of a student, parent, teacher or school staff member without complying with CalECPA rules. The bill faced massive opposition from civil rights and other groups. A coalition of more than 55 organizations, including the American Civil Liberties Union and Common Sense Kids Action, voiced their opposition to the bill and fueled an online campaign to tell legislators not to support the bill. [The Journal]

US – Federal Bill Amends FERPA to Regulate Access to Student Data Held by Outside Parties

Senators Edward Markey and Orrin Hatch introduced Senate Bill 877, the Protecting Student Privacy Act of 2017, amending the Family Education Rights and Privacy Act. The bill was previously introduced as the Protecting Student Privacy Act of 2015 and has been referred to the Committee on Health, Education, Labor and Pensions. If passed, outside parties (a person who is not an employee, officer or volunteer of an educational institution or government agency) must maintain educational records in a manner that provides parents with the right to access personal information, and a process to challenge, correct or delete inappropriate data held in an education record; institutions and agencies must require each outside party to whom data is disclosed to have in place information security policies and procedures that include a comprehensive security program to protect personal data. [Senate Bill 877 – Protecting Student Privacy Act of 2017 – 115th Congress – In The Senate of the United States]

US – Utah Act Mandates Privacy Training for School Employees Handling Student Records

Senate Bill 102, an amendment to the Utah Student Privacy Act, has been passed into law. Authorized school employees must attest to having completed the privacy training and submit such certification to the School Board; unauthorized school employees may handle student records if consent is obtained or if authorized by federal and state privacy laws. [S.B. 102 – Amending the Utah Student Privacy Act – General Session 2017 – State of Utah Legislature]

US – California Bill Prohibits Disclosure of Criminal History on Job Application Forms

AB 1008, An Act to add Section 12952 to the Government Code, relating to Employment Discrimination, has been introduced in the California Assembly and been referred to the Committee on Labor and Education. It would be unlawful to include any question seeking disclosure of criminal history on job applications, inquire into/consider conviction history before an individual receives a conditional offer, or consider arrests not followed by conviction; denial of employment based on a prior conviction requires an individualized assessment of the nature/gravity of the offense, the time passed since the offense, and the nature of the job, and notification to the applicant, with examples of mitigation/rehabilitation evidence voluntarily provided by the job applicant. [AB 1008 – An Act to Amend section 12952 to the Government Code Relating to Employment Discrimination – State of California]

US – Maryland Legislation Would See Task Force Study Police Use of Facial Recognition

A bill [HB 1065] passed in the Maryland House of Delegates and currently under consideration by a Senate committee would see a task force formed to study police use of surveillance technologies, such as facial recognition software. Under the proposed legislation, law enforcement departments would have to disclose to the task force surveillance technologies that they are using and the task force would ascertain which technologies are constitutional. Delegate Charles Sydnor, D-Baltimore, said, “It seems as if we are moving toward a surveillance state with the type of surveillance used by law enforcement.” The ACLU of Maryland said that the task force would help to ensure that Fourth Amendment protections are not violated by police use of new surveillance technologies. Sydnor said that he is unsure whether the Senate committee would pass the bill, but plans to reintroduce it for the next General Assembly if the committee rejects it. Sydnor decided to back the bill in response to reports that Baltimore Police were using an aerial surveillance aircraft without first alerting city officials. [Biometric Update | Legislation creates task force to study surveillance tactics]

US – 10 States Take Internet Privacy Matters into Their Own Hands

Just days after President Donald Trump signed legislation into law allowing Internet service providers (ISPs) to sell the personal data of customers, several states moved ahead with legislation to protect the data of their constituents, including: 1) Connecticut, 2) Illinois, 3) Kansas, 4) Maryland, 5) Massachusetts, 6) Minnesota, 7) Montana, 9) Washington and 10) Wisconsin. [GovTech]

Workplace Privacy

WW – Insider Threats: 2/3 of Employees Have Access to Corporate Data After They Leave

This December 2016 study surveyed 187 IT and/or HR decision makers and influencers in organizations, primarily in North America, regarding the issue of employees taking data with them when they leave; it was sponsored by Archive360, Druva, Intralinks, OpenText, Sonian, Spanning by Dell EMC, ThinkHR, and VMware. 1 in 5 of those employees uploaded the data specifically for sharing it outside of the company; 1/4 of companies never require departing employees to sign a document indicating they returned all corporate data assets. Best practices include physical activities (obtain custody of all company-supplied equipment and security cards), account activities (disable access to user account/company network), archiving (be able to rapidly restore deleted/corrupted files), and management activities (create a positive work environment to reduce potential for malicious theft). [Best Practices for Protecting Your Data When Employees Leave Your Company – White Paper – Osterman]

US – Dell End-User Security Survey Highlights Security Concern vs. Productivity

Having to choose between data security and productivity, employees are more apt to go for the latter, according to the Dell End-User Security Survey 2017 released today [see here]. The recent Dell survey solicited responses from about 2,600 business professionals who handle confidential data at companies with more than 250 employees. The global survey was conducted in eight countries including Australia, Canada, France, Germany, India, Japan, the U.K. and the U.S. About two in three employees, or 65 percent, noted that they felt it is their responsibility to protect confidential data, including educating themselves on the possible risks and behaving in a way that protects the company. However, only 36 percent of employees feel confident in their knowledge of how to protect sensitive information. At the same time, about two-thirds of employees reported being required to complete cybersecurity training on protecting sensitive data. 76% of survey respondents said their company prioritizes security at the expense of employee productivity. At the same time about the same number of survey takers admitted that they would share sensitive, confidential or regulated company information under certain circumstances. [Source]

US – Case Illustrates Problems of BYOD & Commingled Work/Personal Info

Technology in the workplace has developed to a point where we now have our personal data and our employer’s data commingled on the same devices. This commingling of data and equipment is usually not a problem until an employee leaves their position and the employer must decipher what equipment and data the employee has a right to take with them. It is becoming increasingly clear that employee training, including discussions of acceptable uses of employer equipment and data, is the best way to avoid conflicts when an employee departs. One case in particular that demonstrates the confusion that may arise when an employee commingles work and personal data with work and personal equipment was decided April 12, 2017 by the California Court of Appeals: Mendez v. Piper (unpublished). This is not the first time we have seen disputes arise over data when an employee is terminated. For example, we have seen disputes involving account passwords where, after being terminated, the sole person that has possession of important workplace passwords demands money to provide the passwords to his former employer. These situations are avoidable if employees and employers take the time before the stress of an employee’s departure to determine how personal and business data and equipment should be treated. Further, these issues could be addressed during quarterly meetings employers should have with employees to address data and privacy issues in the workplace. [Privacy Risk Report]

+++