Biometrics
US – Airport Facial Recognition Scans to be Mandatory for All Passengers
All US airports may soon have facial recognition software activated to scan each passenger regardless of citizenship. The plan was first proposed for select airports and international passengers only, but the Customs and Border Protection (CBP) agency has suggested it be made mandatory for all passengers, even those holding US passports. The initial plan was to register visitors leaving the country using facial recognition. It is now proposed that facial scans be mandatory for any passenger when they leave or re-enter the country or pass through TSA checkpoints. The agency aims to create an airport-wide system, dubbed the Biometric Pathway, in which facial scans become mandatory alongside regular passenger details. At present, the Exit program is being tested on a flight from Atlanta to Tokyo and will soon roll out in seven new airports. The mechanism is limited to airport departure gates for now; expanding it to all checkpoints will depend on cooperation from partner agencies such as the TSA. [IB Times]
AU – Australia Adds Millions of Citizen Photos to Govpass Face Rec System
The Australian government intends to add citizens’ passport photos to a national facial recognition database to be used for its Govpass digital identity system and for criminal justice purposes. These 12 million records will bolster the system launched in 2016, which previously held only images of foreigners seeking Australian citizenship. The move has privacy advocates pushing for the creation of a new national commissioner with biometrics oversight. In addition to the passport photos, InnovationAus.com reported that negotiations are underway that could result in the inclusion of millions of driver licence images as well. A privacy impact assessment was conducted in 2015, but it focused on design and governance rather than privacy protection. Recent academic research has led to the call for a biometrics commissioner to address the governance gap. [Secure-IDNews]
US – NYPD Refuses to Disclose Information About Its Face Recognition Program, So Privacy Researchers Are Suing
Researchers at the Georgetown University Law Center’s Center on Privacy and Technology [see here] filed a Freedom of Information lawsuit against the New York City Police Department today over the agency’s refusal to disclose documents about its longstanding use of face recognition technology. The researchers requested records pertaining to the NYPD’s program in January 2016 as part of The Perpetual Line-Up, a year-long study of law enforcement uses of facial recognition technology. While the researchers received public records from more than 90 agencies across the country, the NYPD determined in January 2017 that it was unable to find any records responsive to the Center’s detailed requests. Clare Garvie, one of the co-authors of Georgetown’s report and an expert on face recognition technology, described the NYPD’s lack of transparency as a “very worrying prospect” given the technology’s potential for invasive surveillance, including in real time. Because the NYPD’s own policies, manuals, and documents are “the only controls” on its system, their disclosure is in the public interest, Garvie explained. “If no records exist, that means that there are no controls on the use of face recognition technology and we ought to worry about that. If there are records, then why did the Police Department say that it couldn’t find them?” said David Vladeck, a member of Georgetown’s law faculty, in a press release. [The Intercept]
US – Illinois Biometrics Privacy Law Could Be Adopted by Other States
Illinois’ Biometric Information Privacy Act (BIPA) [see here], which came into effect in 2008, requires organizations collecting biometric data to notify people about the practice before they begin to gather data and to provide an exact timeline for deleting it. BIPA also allows for a private cause of action. Five states are currently considering biometric privacy bills. Alaska, Montana and New Hampshire take a similar approach to BIPA and allow private causes of action. Connecticut’s bill takes a very different approach and aims to prohibit retailers from using facial recognition technology for marketing purposes. Washington’s bill has some similarities to BIPA but, like Texas’ current biometric law, can be enforced solely by the attorney general. The lack of federal law has cleared the path for state-driven initiatives, with Illinois introducing three other privacy bills since January. “It is unclear whether other states (will) adopt similar legislation, but we are seeing an uptick in states that care about biometric information,” Kadish said. [Biometric Update]
Canada
CA – MPs Calling on Government to Boost Protection of Canadian Civil Liberties
An influential group of Liberal MPs on the Commons standing committee on public safety released a report [see here] containing 41 recommendations [see here]. They urged Prime Minister Justin Trudeau to increase parliamentary, civilian and judicial oversight of national security agencies, to create a new watchdog agency for Canada’s border agency, and to dial back the extraordinary threat reduction powers given to CSIS by the Conservatives in controversial changes to Canada’s anti-terror law under Bill C-51. They want the law to require ministerial approval and prior judicial warrants for any measures that could be perceived as potential violations of the Charter of Rights and Freedoms. But the Liberals would not move to repeal that CSIS power altogether. Other recommendations say vague definitions in the Criminal Code, such as “terrorist propaganda,” must be clarified, and there must be an obligatory review of all appeals from persons who feel they are wrongly listed on the so-called “no fly” list for air travel. The Liberals recommended that the government not legislate greater “lawful access” for police and intelligence agencies seeking telecom customers’ subscriber information, online activities, telephone conversations and encrypted communications without further study. But the Liberals would make it easier to prosecute terror cases by allowing criminal trial judges to review secret information and decide on matters of confidentiality in national security cases, without requiring those questions be put before a separate Federal Court judge. The Conservatives issued a dissenting report that supported the previous government’s approach to Bill C-51.
Public safety critic Tony Clement said he supported the Liberal majority report on matters such as increased oversight for the Canada Border Services Agency, and the creation of an office with responsibility to oversee the information-sharing and national security activities of the roughly 17 departments and agencies that have some role in national security. [See here] The NDP issued a separate report that supported the majority of the Liberal report but said the government should go further and completely repeal Bill C-51. [See here] Elizabeth May, Green Party leader, agreed. “I urge the Government to take this report as a floor, not a ceiling, of what is possible in undoing the harms of C-51.” Josh Paterson, head of the BC Civil Liberties Association, supported the call for a dedicated, integrated agency to provide review of national security operations across the whole of the government. [See here] [Toronto Star]
CA — Oversight of National Security in Canada Still Needs A Lot of Work, New Reports Show
Given the use of Stingrays, along with CSIS’s recently exposed (and illegal) practice of retaining large amounts of Canadian metadata, it should be clear that Canada’s capacity for holding our intelligence agencies accountable should be increased. Two recent reports show that there is still a lot of work to be done on oversight of national security in Canada. One report is much more technical. It came from an assessment by the Commons Standing Committee on Access to Information, Privacy and Ethics of the Security of Canada Information Sharing Act [see http://www.ourcommons.ca/DocumentViewer/en/42-1/ETHI/report-5/], which is contained in the controversial Bill C-51, also known as the Anti-terrorism Act. The other is much broader in its scope and recommendations, and is the product of cross-country hearings on Canadian national security conducted last year by the Commons Standing Committee on Public Safety and National Security. While both reports reinforce, in spirit and content, that Canadian national security oversight needs to be bolstered, they do not really get at the details of how to do so on a practical level. This is especially true of the report from SECU, the public safety and national security committee, given its broad range. [CBC] [See also: Globe editorial: Ottawa should stop delaying and start fixing Bill C-51 | Time to rein in security overreach: Editorial | Don’t change lawful access rules, Parliamentary committee recommends | Restrict spy powers and increase oversight, Liberal and NDP MPs recommend]
CA – Appearance before the Standing Committee on Access to Information, Privacy and Ethics on the 2017-18 Main Estimates
Privacy Commissioner of Canada, Daniel Therrien, appeared before the Standing Committee on Access to Information, Privacy and Ethics to discuss the 2017 Main Estimates. In his remarks, he noted that to face the sustained volume but increased complexity of the work, the OPC will continue to make the most efficient use of its resources. Amidst competing demands, the OPC will not lose sight of its mandate: Ensuring that the privacy rights of Canadians are respected and that their personal information is protected. [Source]
CA – Federal Privacy Commissioner to Initiate Investigations, Not Just Wait for Complaints
The federal privacy commissioner says that, for now, he will no longer wait until people file complaints about alleged privacy issues before acting. [see here] Instead, Daniel Therrien will be more proactive, including launching investigations into questionable privacy practices or “chronic problems” on his own initiative when necessary. It is what Therrien called the office’s new policy of “proactive compliance.” His office will draw on complaints and trends to determine whether there are issues or sectors that would benefit from a special investigation. In an interview he said investigations would be on “issues of broad concern.” This “proactive enforcement” will last at least until September, when Therrien files his annual report to Parliament, where he may call for changes to federal legislation to update his office’s mandate. As part of being proactive, and to help the private sector, Therrien is considering offering to audit companies – perhaps for a fee – to see if they comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). [ITWorld] [Course correction for improved outcomes for Canadians]
US – To Fight ‘Surveillance Culture,’ Activists Release Kid-Focused Privacy Toolkit
“You shouldn’t need a PhD or law degree to ensure that your child’s sensitive student data isn’t shared with commercial entities.” The Parent Toolkit for Student Privacy: A Practical Guide for Protecting Your Child’s Sensitive School Data from Snoops, Hackers, and Marketers, released by the Parent Coalition for Student Privacy (PCSP) and the Campaign for a Commercial-Free Childhood (CCFC), teaches families about federal laws safeguarding their information, how to ask about schools’ data policies, and how to advocate for stronger protections in an age when records are increasingly stored digitally. The toolkit was released after the Electronic Frontier Foundation (EFF) published a report in April which found that “surveillance culture begins in grade school,” with tech companies spying on students through devices and software used in classrooms to collect kids’ names, birth dates, browsing histories, grades, disciplinary records, and other information. [Common Dreams]
CA – Canada’s Spies Examining ‘Vulnerabilities’ in Election System
CSE, Canada’s signals intelligence and cyberdefence agency, is conducting a “risk assessment” into how vulnerable Canadian elections are to foreign hacking and information operations. The review was ordered by the Liberal government in February, as the scope of Russian meddling in the 2016 U.S. presidential election was being made public by American intelligence agencies. The review is unlikely to focus on the security of the actual vote, which still relies on pens and paper rather than electronic voting. The greater risk is likely the kind of information – and disinformation – campaigns seen in the U.S. and the recent French presidential election. [The Star]
CA – RCMP Created, Then Abandoned Metadata-Crunching Tool to Extract Criminal Intelligence
The RCMP created, then suddenly abandoned, a tool to crunch electronic message trails gathered during criminal investigations — a previously unknown foray into the controversial realm of big-data analysis. Telecommunications Analytical Platform was operating as recently as mid-November, say internal RCMP notes obtained by The Canadian Press through the Access to Information Act. “The TAP is a platform that regroups copies of certain telecommunications metadata from concluded investigations only, such as phone numbers, associated crime types, source links to police records management systems and the geographical region where the metadata was recorded which are lawfully collected by the RCMP and other Canadian police services in the course of criminal investigations,” the RCMP notes say. The tool was a “proof of concept” that turned out to be unsuccessful and “therefore the project was ended,” said Cpl. Annie Delisle, an RCMP spokeswoman. “No data was retained.” The Mounties would not say why the tool was ineffective, nor exactly how long it existed. [The Star]
CA – Queries for B.C. Liberal government Text Messages, Skype Calls, And Slack Logs All Turn Up Empty
In order to analyze government record-keeping, the Straight filed dozens of FoI requests for communication logs created via text message, BlackBerry BBM, Skype, and Slack. Five ministries were targeted as a sample of the government. Within each ministry, records were requested for the minister, deputy ministers, and chiefs of staff for those offices. Those requests pertained to more than 20 public servants. Only three resulted in government records. Vincent Gogolek, executive director of the B.C. Freedom of Information and Privacy Association, noted that these communication tools are primarily used on mobile devices and are examples of tools that have become crucial for modern business. “It’s concerning that something that is this common a means of communication has no records,” he told the Straight. “That’s clear. There should be something there. How can you have a very common means of communication where there is nothing?” The B.C. Ministry of Information and Technology—the agency responsible for government computer systems—declined to grant an interview, on account of the ongoing provincial election. “It’s hard not to come to the obvious conclusion that there are missing records. I simply find it not credible, the suggestion that there is a group of people that does not use text messages,” said David Eby, the NDP incumbent candidate for Vancouver-Point Grey. [Source]
CA – Lawful Access: The Privacy Commissioner Reiterates its Position
On April 5, 2017, Patricia Kosseim, Senior General Counsel and Director General, Legal Services, Policy, Research and Technology Analysis for the Office of the Privacy Commissioner of Canada (the “OPC”), gave testimony [read here] before the Quebec Commission of Inquiry on protection of confidential media sources. Ms. Kosseim took the opportunity to present a clear view of the OPC’s position on how lawful access, as articulated in section 7(3) of PIPEDA, should be addressed. Of particular interest is how this position differs from the position taken by the federal government in recent years. Ms. Kosseim went on to reiterate the position that the Privacy Commissioner of Canada, Daniel Therrien, has taken on the subject. The OPC would like to see the lawful access rights of government institutions, including police, be limited, clearly articulated, and supervised by the judiciary. Canadians have the right to be secure against unreasonable search and seizure under the Charter and have the right to have their personal information protected under PIPEDA. These rights must be balanced with the reality that circumstances will arise when personal information will need to be disclosed for purposes such as public safety. [Canadian Cyber Security Law]
CA – Implied Consent: Creditors Can Directly Obtain Mortgage Discharge Statements
A review of a recent Supreme Court of Canada decision about whether the Personal Information Protection and Electronic Documents Act (PIPEDA) precludes disclosure of mortgage statements. The Supreme Court of Canada ruled that, if a judgment has been obtained, creditors are entitled to a court order requiring disclosure of a mortgage discharge statement from mortgagees without express consent of the debtor; however, lenders should still try to obtain borrower’s express consent to disclose certain financial information in the terms of the agreement to avoid legal proceedings, or having to file motions to compel disclosure. [Privacy and Property – The Supreme Court Clarifies The Limits of PIPEDA – Scott R. Venton and Kyle Kuepfer – Fogler Rubinoff LLP]
CA – Some Canadian Bank Record Information Being Sent Directly to IRS
Thousands of reports containing confidential Canadian banking information have been sent directly to the U.S. Internal Revenue Service, without the Canadian government’s knowledge. According to information obtained under a U.S. Freedom of Information Act request, 31,574 such reports have been sent directly to the IRS over the past two years under the U.S. Foreign Account Tax Compliance Act (FATCA). Under U.S. law, anyone who is a U.S. citizen or considered a U.S. person for tax purposes has to file an income tax return with the IRS, regardless of whether they are living in the States. Some estimate as many as a million Canadian residents could be affected by FATCA — from Americans and dual citizens living in Canada to people born in a U.S. border hospital who have lived their entire lives in Canada. This week, the impact of the reporting regime on Americans living outside the United States will be front and centre when a House of Representatives subcommittee holds hearings on the issue in Washington. Stephen Kish, a member of the group fighting in Canada’s Federal Court to have the banking record sharing deal struck down, said one of the key concerns of those affected by FATCA is the confidentiality of their banking information. [CBC]
CA – OIPC SK Believes Stand-Alone Legislation Required for Data Matching
The Office of the Saskatchewan Information and Privacy Commissioner has issued guidance for organizations on the use of data matching. It describes data matching as a highly invasive activity that can produce inaccurate information about individuals, through the incorporation of implicit and explicit biases, the use of poorly selected data sets, and a lack of knowledge about the matching logic. The OIPC recommends that legislation incorporate the principles of data minimization, openness, accuracy and de-identification, and require an established purpose and safeguards; that data matching projects be limited to government and health institutions; and that a PIA be completed and the OIPC notified before a project begins. [OIPC SK – Data Matching]
CA – Privacy and Property: The Supreme Court Clarifies Limits of PIPEDA
In Royal Bank of Canada v Trang (Trang) [see here], the Supreme Court removed a number of hurdles that judgment creditors often face when attempting to execute against a judgment debtor’s real property. Whereas a judgment creditor was previously required to obtain a debtor’s consent or a court order before obtaining a mortgage discharge statement (a prerequisite to a sheriff’s sale), the “Trang” decision allows the same creditor to obtain the debtor’s implied consent simply by filing a writ of seizure and sale with the sheriff. At a broader level, Trang makes clear that individuals cannot hide behind the “Personal Information Protection and Electronic Documents Act” (PIPEDA) to escape their legal obligations. While “Trang” provides a principled justification for the disclosure of a mortgagor’s personal information, a prudent lender might nonetheless wish to obtain a borrower’s express consent to the disclosure of certain financial information as a term of the standard mortgage agreement. This preventive step may assist in avoiding the expense and trouble associated with legal proceedings commenced under PIPEDA or, as was the case in “Trang”, motions to compel the disclosure of private financial information. [Mondaq]
CA – Ontario Bill Outlines Obligations for Handling Personal Information of Children Under Government or Foster Care
Bill 89, Supporting Children, Youth and Families Act, 2017 is introduced in the Ontario Legislative Assembly: the Act amends and repeals the Child and Family Services Act; The Bill has passed second reading and referred to the Standing Committee on Justice Policy; and if passed, will come into force on a day to be named by proclamation of the Lieutenant Governor. Service providers (e.g., Minister, licensee or society) and other ministries may disclose personal information (PI) and collect PI from each other for the purpose of planning, managing or delivering a service that the ministry provides, and must comply with a court order requiring the disclosure of PI for the purposes of inspection; notification must be provided to affected individuals, the Privacy Commissioner and Minister of Child and Youth Services in the event of a data breach. [Bill 89 – Supporting Children, Youth and Families Act, 2017 – Ministry of Children and Youth Services – Legislative Assembly of the Province of Ontario ]
CA – IPC Ontario Recommends Bill 89 Amendments Regarding Handling PI Under Government or Foster Care
The Information and Privacy Commissioner of Ontario presented his comments on Bill 89, the Supporting Children, Youth and Families Act. The bill provides too much authority to the Minister of Children and Youth Services by conflating the authorities to collect and use PI, and the purposes for which indirect collection of PI is allowed (service delivery versus planning and managing the delivery of services). Recommended amendments include adopting a privacy framework that incorporates data minimization, oversight and transparency, and provisions prohibiting the Minister from disclosing any PI if other information will serve the purpose. [IPC ON – Comments of the Information and Privacy Commissioner of Ontario on Bill 89]
CA – PEI Privacy Commissioner Upholds Public Body’s Decision to Withhold Records Covered by Solicitor-Client Privilege
The Information and Privacy Commissioner reviewed a request denied by the Public Schools Branch pursuant to the Freedom of Information and Protection of Privacy Act and upheld the decision to withhold records covered by solicitor-client privilege. [IPC PEI – Order No FI17004 Public Schools Branch]
CA – Ontario Court Orders Insurance Company to Collaborate With Insured on Reasonableness of Consent Form
The Court considered Intact Insurance Company’s application for a determination of rights based on the Court’s interpretation of the Statutory Accident Benefits Schedule (SABS). The SABS is silent on the form of any consent that may be required by an examiner conducting evaluations for insurance claims, and health professionals could face negative consequences if they perform medical-legal examinations without having obtained consent in advance. Since the essence of the SABS is to have relevant, reasonable and necessary measures in place, collaborative efforts to develop a reasonable consent form would benefit both parties. [Intact Insurance Company v Beaudry – 2016 ONSC 6127 CANLII – Ontario Superior Court of Justice]
CA – Privacy Concerns Raised as Calgary Considers Electronic Parking Permit Proposal
Some Calgarians are up in arms over a proposed change to residential parking zone enforcement that would do away with physical parking permits and introduce an electronic registry of licence plates. Some residents fear the registry will provide the City with the ability to track and analyze their movements and potentially share this information with third parties. The system would be similar to the Calgary Parking Authority’s ParkPlus scheme where patrol cars scan licence plates and issue tickets to the owners of vehicles found to be in violation of the posted rules. Under the proposal, the practice of providing residents with plastic permits to place on the rearview mirrors of their vehicles or the vehicles of their visitors would be eliminated. Residents in Calgary’s 77 residential parking zones would be required to register their licence plates, and the licence plates of their visitors, online. Enforcement of residential parking zones would be patrolled by vehicles equipped with cameras as opposed to having officers on foot checking for the placards. Lee Tasker, a resident of Hillhurst, believes the proposed system is an invasion of privacy and suggests the City is prioritizing monetary gains over the security of its citizens. A report projects the introduction of the proposed system would result in $200,000 in additional revenue in 2018 and $400,000 the following year. The estimated cost of implementing the program is $400,000. Tasker and representatives of the Privacy and Access Council of Canada, who refer to the program as Orwellian and Kafkaesque, say the storing of personal information for an extended time is completely unreasonable. [CiviNews]
CA – Let Territorial Job Applicants See Their References, Says Nunavut MLA
MLA Pat Angnakak says, “as soon as somebody makes a reference about you that’s your information, it belongs to you, so you should be able to say, ‘I want my information about myself.’” She says unsuccessful candidates should have the opportunity to defend against claims made by their referees. Nunavut’s Privacy Commissioner, Elaine Keenan Bengts, addressed the MLA’s concerns at a standing committee meeting last week. “A policy which says we are simply not going to disclose any of the information we get from references, is clearly, in my opinion, contrary to the act,” Keenan Bengts said. She said access to one’s own personal information, such as references, was of the “highest level of entitlement.” [CBC]
CA – Nunavut Privacy Boss Says Privacy Not a Priority for GN Health
Nunavut’s IPC, Elaine Keenan Bengts, says the health department’s lack of communication on the privacy shortfalls at the Qikiqtani General Hospital in Iqaluit proves privacy is not its top priority. Keenan Bengts told a standing committee of Nunavut MLAs on May 10 that she has heard nothing from the Department of Health since her report was tabled last fall. Among the more egregious violations she noted during her two days of testimony were fax machines printing sensitive medical data in public hallways, computers left idle and unlocked, lacklustre security for medical records, and employees unofficially accessing their own medical data. The commissioner submitted 31 recommendations following her audit, calling for MLAs to enshrine patients’ privacy rights in standalone health information legislation, to shift fully to electronic records, and to create a dedicated privacy officer position at the hospital. [Source] [Nunavut’s health records ‘ripe for privacy breach’, says territory’s information commissioner]
CA – Security Camera Makers Urged to Beef Up Privacy After School Streaming Incident
Canada’s privacy commissioner will once again press companies that make security cameras to strengthen privacy on their devices so users do not unwittingly stream personal images to the internet. Jennifer Rees-Jones, a senior advisor at the Office of the Privacy Commissioner of Canada, said the action was inspired by a CBC News story last week about Rankin School of the Narrows in Iona, Cape Breton, where a surveillance camera was streaming live images of students outside a bathroom to the internet. She said the privacy commissioner sent similar letters in early 2015, but the threat to Canadians’ privacy is still acute. Robert Currie, director of the Law and Technology Institute at the Schulich School of Law at Dalhousie University, said there are between 100 million and 200 million digital security cameras in Canada with varying levels of security. He thinks renewed action by the privacy commissioner will work. Currie said manufacturers “don’t want the government passing laws to fix this problem if they can fix it internally in the industry.” [CBC | N.S. privacy commissioner investigates after school webcam broadcasts images | Russian website broadcast live pictures of Cape Breton schoolchildren | Unsecured Webcams Are Broadcasting Canadian Daycares, Schools Online]
Consumer
US – Over 80% of Americans Are More Worried About Privacy, Security Than a Year Ago
More than 80% of Americans are more concerned about their online privacy and security today than they were a year ago, a recent AnchorFree survey [PDF] of more than 2,000 Americans found. The survey found that over 95% of respondents are concerned about companies collecting and selling their personal information without their consent, and more than 50% are looking for new ways to safeguard their personal data. The survey also found that while 70% of respondents are doing more today to protect their online privacy than they were a year ago, just one in four believe they are ultimately responsible for ensuring safe and secure Internet access. A separate TeleSign survey [PDF] of 1,300 U.S. adults found that 31% of consumers said their online life is worth $100,000 or more, and 55% said businesses are primarily responsible for account security. An EyeVerify survey of 1,002 U.S. adults recently found that 79% of respondents want the ability to use more biometric authentication methods beyond the fingerprint to access mobile banking or payment apps, and 42% said they would not use a banking or payment app that does not offer biometric authentication. [eSecurity Planet]
CA – Sask Issue of MLA’s Using Private Email May Go to OIPC
A senior provincial cabinet minister says every MLA uses private email for government business, a statement seemingly at odds with the government’s position one week ago. “All the members have used their private email for business related to government to respond to constituents and, you know, myself included, as has every other member,” Crown Investments Corporation Minister Joe Hargrave told reporters in Regina, following the end of the legislative session. Saskatoon man Marcus Grundahl said he was “surprised and alarmed” when Hargrave replied via private email to his concerns over the Saskatchewan Transportation Company. Hargrave has since admitted to the mistake and says it will not happen again. Grundahl, though, said that is not the end of things. He has taken the matter to Saskatchewan’s information and privacy commissioner for review. [CBC]
Electronic Records
UK – Hospitals Rapped for Sharing 1.6m Patient Records With Google
When the tie-up between Google’s DeepMind and London’s Royal Free NHS Trust was announced in 2016, it was praised as the sort of forward-looking innovation the NHS badly needed. But within weeks a wrinkle emerged: DeepMind had been given access to 1.6m patient records stretching back up to five years. This week a leaked letter from the National Data Guardian (NDG) health watchdog described this transfer of data as having been carried out on an “inappropriate legal basis” – a formal way of saying it should not have happened in the way it did. The letter lays bare thorny issues, starting with the basis on which an NHS Trust can transfer data. Britain’s Information Commissioner’s Office (ICO) will soon publish its report on whether the data transfer to DeepMind was legal under the Data Protection Act (DPA). When it does, people on all sides of this tangled story will be paying close attention. [Naked Security]
EU Developments
EU – The State of Privacy 2017: EDPS Provides Mid-Mandate Report
As we approach the mid-point of the current EDPS mandate and continue the countdown to the General Data Protection Regulation (GDPR), the EU must build on current momentum to reinforce its position as the leading force in the global dialogue on data protection and privacy in the digital age, the European Data Protection Supervisor (EDPS) said to the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE), as he presented his 2016 Annual Report [see 75 pg pdf here]. [EDPS]
EU – European Data Protection Supervisor Calls for Additional Changes to Proposed ePrivacy Regulation
The European Data Protection Supervisor (EDPS) has recommended further changes to the proposed ePrivacy Regulation that would have significant impacts on the electronic communication sector and other online companies. In a 40-page opinion issued on April 24, 2017, the EDPS praises certain aspects of the current proposal as positive, voices key concerns about other aspects of the proposal, and makes several recommendations to change the proposed draft. The EDPS’s opinion follows another recent opinion by the Article 29 Working Party that also recommended changing the current proposal. The European Parliament and European Council are set to review and negotiate the final text over the coming months, with the ambitious goal of concluding negotiations by the end of 2017. The EDPS’s opinion focuses on the following key concerns and recommendations:
- Privacy-focused definitions;
- Strengthened consent requirements;
- Limitations on legal grounds for processing electronic communications data and information related to terminal equipment of users;
- Prohibition on “tracking walls” and other practices that exclude users with ad-blocking or similar applications installed;
- Privacy-friendly default settings;
- Mandatory adherence to accepted technical and policy compliance standards, which could include “Do Not Track”;
- Restrictions on mobile location tracking; and
- Safeguards against Member State restrictions on privacy rights, and mandatory disclosures about government access requests. [WilmerHale]
EU – Article 29 Working Party Issues Guidance on Data Protection Impact Assessments
The steady trickle of GDPR guidance from the Article 29 Working Party continues. Fresh from finalising its guidance on data portability, lead supervisory authorities and data protection officers, the Working Party has published draft guidance on data protection impact assessments (DPIA), the full text of which is available on the Working Party website. Comments can be submitted to the Working Party by 23 May 2017, after which the guidance will be finalised. DPIAs are a key part of the GDPR accountability principle, and have to be carried out if a processing activity is “likely to result in a high risk” to data subjects. The Working Party’s guidance clarifies this phrase, and provides a series of concrete criteria which might trigger a DPIA. There is a useful diagram in the guidance which sets out a seven-step generic process for DPIAs. There are also helpful Annexes to the guidance, including examples of existing national and Europe-wide DPIA frameworks and a checklist of items to be included in DPIAs. These are likely to be useful resources when preparing DPIA templates, as the regulators may well want to see clear evidence of each of these steps being followed and each element in the checklist covered. [HLDA]
UK – State of the Cyber Nation: Gov’t Report on Cybersecurity Breaches
On 19 April 2017, the UK Government’s Department for Culture, Media and Sport (DCMS) published a report on cybersecurity breaches and how they affected UK companies in the last year. Headline statistics from the report include:
- 61% of businesses hold personal data electronically;
- 46% of all UK businesses identified at least one cybersecurity breach in the past year, rising to 51% of those that hold personal data on customers, 66% amongst medium-sized firms and 68% amongst large firms;
- The most common breaches involved members of staff receiving fraudulent emails. This demonstrates that technical measures can only take an organisation so far, and that strong procedures and training are vital;
- External reporting of breaches is still not common – only 26% of companies reported their most serious breach to someone other than a cybersecurity company who could assist with solving the problem. This will have to change where personal data is lost under the GDPR;
- Only 37% of businesses have any rules around encryption of personal data, and 37% of businesses have segregated wireless networks; and
- Only 13% of businesses require their suppliers to adhere to specific cyber security standards.
The report indicates that many UK companies have not implemented comprehensive cybersecurity policies or implemented strong safeguards to protect against cyber attacks. [HLDA]
EU – Article 29 Working Party Issues Recommendations on Draft Code of Conduct for Mobile Health Applications
The Article 29 Working Party issued recommendations on the draft code of conduct on privacy for mobile health (mhealth) applications. The definition of health data needs to be re-evaluated to ensure it is consistent with the definition provided in the General Data Protection Regulation (GDPR), and not all of the data protection principles are mentioned (the missing principles should be added, or it should be noted why they are absent); the Code should make clear that consent should fulfil all requirements of the GDPR, acknowledge the other conditions that render data processing fair and lawful, and ensure that wording does not imply that a controller may make a service conditional on consent for marketing. [Article 29 Working Party – Letter to the Project Editor of the Draft Code of Conduct on Privacy for Mobile Health Applications]
UK – ICO Recommendations on Prevention of Ransomware Attacks
The Information Commissioner’s Office in the UK has provided guidance on preventing ransomware attacks. Organizations should remove unnecessary user accounts, restrict user privileges to only what is necessary, ensure online and offline backups are encrypted, ensure remote access or control applications have strong credentials (2-factor authentication, and timely patch updates), and segment networks to limit any damage from successful attacks; if there is a successful attack, organisations should conduct a full security scan and penetration test of all systems and networks (attacks may have gained other undetectable access). [ICO UK – Statement on Recent Cyber Attacks at NHS]
UK – UK Information Commissioner Issues Guidelines for Organisations Using Big Data Analytics
The UK Information Commissioner’s Office issued guidance about big data, artificial intelligence, machine learning and data protection. Organizations should consider whether the analytics actually requires the processing of personal data (anonymized data is not considered personal data and does not fall under data protection laws); conduct privacy impact assessments to help identify privacy risks and assess the necessity and proportionality of the processing, and adopt a privacy by design approach (data minimization, purpose limitation and respecting individuals’ preferences in the metadata). [ICO UK – Big Data, Artificial Intelligence, Machine Learning and Data Protection]
EU – Facebook Fined $122 Million for Misleading EU Over WhatsApp
Facebook Inc. was fined 110 million euros by the E.U. for misleading regulators during a 2014 review of the WhatsApp messaging-service takeover. The European Commission won’t overturn approval for the $22 billion WhatsApp purchase as “the incorrect or misleading information provided by Facebook did not have an impact on the outcome of the clearance decision,” the regulator said. Vestager targeted Facebook after it announced privacy policy changes in August that would allow the advertising platforms on Facebook and Instagram to draw upon data from WhatsApp. The company informed the EU in 2014 it couldn’t combine WhatsApp data with its other services but moved to do that last year. Facebook said the firm “acted in good faith” in its interactions with the commission. “The errors we made in our 2014 filings were not intentional and the commission has confirmed that they did not impact the outcome of the merger review,” a Facebook spokesman said. “Today’s announcement brings this matter to a close.” The social networking company said it wouldn’t appeal the EU decision. [Bloomberg]
UK – Record Fine for Company Behind Nearly 100 Million Nuisance Calls
The UK’s Information Commissioner’s Office (ICO) has issued a record £400,000 fine to a business responsible for nearly 100 million nuisance calls over an 18 month period. [See ICO PR here] Keurboom Communications did not have the necessary prior consent to engage in the marketing activity from the people it targeted with the 99,535,654 calls, and was in “serious contravention” of the UK’s Privacy and Electronic Communications Regulations (PECR), the ICO said. The fine issued by the ICO to Keurboom Communications is the highest it has ever issued for a breach of PECR. It previously fined TalkTalk £400,000 for a serious breach of the Data Protection Act after the company suffered a data breach affecting approximately 157,000 customers. [Out-Law]
Facts & Stats
WW – New Symantec Report 1.1 Billion Identities Exposed In 2016 Breaches
1.1 billion identities were exposed in data breaches in 2016, says a Symantec report. In the last eight years, more than 7.1 billion identities have been exposed in data breaches globally, which is almost the equivalent of one for every person on the planet, according to the findings of Symantec’s Internet Security Threat Report [see here]. In 2016 alone, almost 1.1 billion identities were stolen globally, a big jump from the 563.8 million stolen in 2015. This is despite the fact that the number of data breaches actually fell between 2015 and 2016—dropping from 1,211 to 1,209, said the report. In 2016, there were 15 mega breaches—breaches in which more than 10 million identities were stolen—an increase from 11 in 2014 and 13 in 2015. [LiveMint]
Finance
CA – Survey: Half of Us Are Ready for Cashless Canada
Forget about the end of the Canadian penny or even the possible impending demise of the nickel — half of Canadians are ready to abandon cash altogether. A new survey from Payments Canada finds 50 per cent of Canadians are ready to get rid of banknotes and coins. Two-thirds of respondents said they are ready to say goodbye to personal cheques. Some observers have raised privacy concerns about digital payments, noting that in a cashless society, every purchase can be tracked. But the Payments Canada survey suggests a large share of the population is willing to accept lesser privacy for greater convenience: 48% of respondents said they would trade away some of their privacy when paying digitally. [HuffPost]
FOI
WW – Facebook Transparency Report Signals Need for Privacy Guidelines
Facebook’s latest Global Government Requests Report [see PR here; see Report here] covers the second half of 2016. It showed that requests for account data increased by nine percent – from 59,229 to 64,279 requests, globally – over the first half of 2016. Half of the data requests the firm received from law enforcement in the U.S. contained a non-disclosure order that prohibited Facebook from notifying the user. Facebook used the report to reiterate that it does not provide governments with backdoors or direct access points to users’ information. The company continues to seek ways to work with industry partners and civil society to push governments around the world to reform surveillance in a way that protects their citizens’ safety and security while respecting their rights and freedoms, the report said. The report is also a reminder of how governments around the world are regularly prying open the digital lives of subscribers. Facebook said that reform is needed in the legal process for handling data requests. “The current process for handling cross border requests for data is slow and cumbersome, and legitimate requests are often subject to months and months of delays,” the report said. “We believe that companies, governments, civil society organizations, and academics should work together to improve this process and to raise human rights standards throughout the world.” [SC Magazine]
Genetics
CA – New Genetic Non-Discrimination Law to Promote Privacy and Human Rights
The Privacy Commissioner of Canada and the Chief Commissioner of the Canadian Human Rights Commission are welcoming the coming into force of the “Genetic Non-Discrimination Act” [see here], as an important step for privacy and human rights in Canada. The Act, which received Royal Assent on May 4th, now prohibits genetic discrimination across Canada. It bars any person from requiring individuals to undergo a genetic test or disclose the results of a genetic test as a condition of providing goods or services, or entering into a contract. Both Commissioners acknowledge that the Government has stated it may refer the law to the Supreme Court of Canada for its opinion on the law’s constitutionality. In the meantime, the “Genetic Non-Discrimination Act” remains in place and represents the current law on this important public policy issue. Commissioner Therrien says he expects organizations subject to Canada’s federal private sector privacy law to re-examine their practices related to genetic tests and bring them in line with the new law. In light of Parliament’s passage of S-201, organizations that require genetic test results as a condition of providing a good or service will also generally be considered in contravention of the Personal Information Protection and Electronic Documents Act (PIPEDA). [Source]
Health / Medical
US – Health Care Industry Task Force Issues Recommendations to Protect Patient Information
The Health Care Industry Cybersecurity Task Force, established pursuant to the Cybersecurity Act of 2015, issued a report outlining recommendations to address challenges in the protection of patient information. The health care industry faces cybersecurity risks from a severe lack of security talent, use of unsupported legacy systems, significant resource constraints, and a lack of threat identification infrastructure; organizations should cooperate with vendors and providers to inventory and secure legacy systems, adopt strong authentication, ensure strategic, architectural approaches to reduce attack surfaces, and establish cybersecurity leadership positions. [Health Care Industry Cybersecurity Task Force – Report on Improving Cybersecurity in the Health Care Industry]
US – Five HHS Settlements Imposed for Lack of Safeguards, Risk Analysis and Management Plans
This article reviews the U.S. Department of Health and Human Services, Office for Civil Rights’ (OCR) 2017 settlements under the Health Insurance Portability and Accountability Act. Electronic personal health information was exposed due to hackers, inappropriate employee access and lost or stolen unencrypted devices; companies were asked to conduct a risk analysis and implement risk management plans to fix vulnerabilities, and to monitor their information systems’ activity (e.g., review audit logs, access reports and security incident tracking reports). [2017 OCR HIPAA Settlements Focus on Risk Analyses Safeguards – Elizabeth Snell – HealthIT and Security]
US – HHS Issues Guidance on How to Detect, Deter and Recover from Ransomware Attacks
A new HHS Fact Sheet reviews the U.S. Department of Health and Human Services’ guidance about ransomware and requirements under the Health Insurance Portability and Accountability Act and the HIPAA Rules. Entities may prevent malware intrusion by implementing security management processes to identify threats and vulnerabilities, to mitigate or remediate identified risks, and to guard against and detect malicious software; ransomware attack recovery activities include conducting an initial analysis to determine the scope and origin of the incident, whether it is finished, how it occurred and which vulnerabilities were involved, and restoring data lost during the incident. [HHS Fact Sheet: Ransomware and HIPAA]
Horror Stories
CA – 1.9 Million Bell Customer Email Addresses Stolen by ‘Anonymous Hacker’
Bell is apologizing to its customers after 1.9 million email addresses and approximately 1,700 names and phone numbers were stolen from a company database. The information appears to have been posted online, but the company could not confirm the leaked data was one and the same. Bell, the country’s largest telecommunications company, attributed the incident to “an anonymous hacker,” and says it is working with the RCMP to investigate the breach. Bell said the incident was unrelated to the massive spike in ransomware infections that affected an estimated 200,000 computers in more than 150 countries late last week. It is not clear when the breach occurred, how the data was accessed, or how long the attacker had access to Bell’s systems. [Source]
WW – Two Billion Numbers Leaked by Chinese Phone App
The app, DU Caller, developed by DU Group, a subsidiary of Baidu, was initially intended to let users blacklist nuisance callers and filter them out. But a “reverse look-up” function allowed access to two billion phone numbers stored on Baidu’s Beijing server. Among those affected are security minister Lai Tung-kwok and privacy commissioner Stephen Wong, according to news agency FactWire [see here]. The Security Bureau has referred the case to the Office of the Privacy Commissioner for Personal Data for investigation. Independent news agency FactWire reported on Saturday that once downloaded and installed, the app would automatically gather sensitive information such as the address book and phone numbers even before users agreed to the privacy policy. [SCMP]
US – $2.5M Fine Imposed on Wireless Health Services Provider for PHI Breach
The Department of Health and Human Services, Office for Civil Rights entered into an agreement with CardioNet Inc. to settle alleged violations of the HIPAA Privacy and Security Rules. The provider did not have sufficient risk analysis and risk management processes in place at the time an employee’s laptop (containing the ePHI of 1,391 individuals) was stolen from their vehicle; the organization must conduct an enterprise-wide risk analysis, implement a risk management plan that addresses all security risks and vulnerabilities, revise and distribute policies and procedures among employees, and report to HHS at least annually for a 2-year period. [HHS – Resolution Agreement – CardioNet Inc. (Press Release | Resolution Agreement)]
Identity Issues
CA – Edmonton Man Sounds Alarm After ID Scanned While Buying Cigarettes
Nick Radloff said he was asked for ID last at an Esso Station owned by 7-Eleven. “She just automatically scanned it into her system,” he said. A directive from 7-Eleven head office states that the store’s ID scanners do not collect personal information that could identify the customer. Instead the scanners “read only anonymous information (expiry date, province, date of birth, and only the last four digits of a driver’s licence).” A regional 7-Eleven manager wrote “if you do not want your ID or driver’s licence scanned, our sales associates have been instructed to respect your decision.” 7-Eleven’s policy was implemented on April 24 across their 650 stores. 7-Eleven said the policy was put in place “to further reduce the risk that tobacco products would be sold to minors.” The Office of the Information and Privacy Commissioner of Alberta has looked into a number of such complaints over the past decade. [CBC]
EU – Blockchain Startup Forms Partnership to Develop Identity Platform
Billed as an “identity platform,” the product is designed to allow businesses and consumers to store and exchange information while staying on the right side of regulations such as the European Union’s General Data Protection Regulation, which sets strict limits on what information companies are allowed to hold on their customers. The platform’s development, announced Monday, is a joint effort between Cambridge [see here] and LuxTrust [see here], an established firm that is already managing digital identities for the entire individual and corporate population of Luxembourg, according to a news release. [see here] A key piece of the platform will be Cambridge’s software, in which each individual holds his or her personal data in a private store and the blockchain holds proof that the data is valid. Such proof could include picture ID. A bank can refer to the blockchain to verify customers’ identities, but the information held there can’t be used to falsify personal data. [American Banker]
Internet / WWW
CA – WannaCry Ransomware “A Wakeup Event” for Directors
“It may be the WannaCry virus will be a watershed event for directors and officers liability in this area,” Bradley Freedman [see here], national leader of the cyber security law group at Borden Ladner Gervais, said. “And I say that because the primary result of it has been business disruption and financial loss. Shareholders are going to be asking what their directors did to make sure their organizations were doing the right thing to manage these types of risks. Did it have an appropriate patch management program? Was there proper oversight? Why was this organization running a Windows XP machine?” Freedman noted that when it comes to cyber risk management courts say directors and officers have to consider the same things when making any corporate risk decision: Exercise the care of a reasonable person, and make “reasonable and informed and properly advised independent decisions.” Perfection, he said, isn’t demanded. Still, he said, it may be the WannaCry attack, which according to the U.S. infected 300,000 computers around the world, may be a seminal event for directors. In making decisions in civil lawsuits relating to breaches on whether the organization took “reasonable care”, Freedman added, judges will look to what he called “soft law” — best practices, industry guidance, previous decisions in other jurisdictions. Rene Pelletier, IT audit principal in the Alberta auditor general’s office, said organizations are playing defensive because they don’t share their knowledge with other firms. Canada, he noted, is the second biggest target for reported ransomware incidents after the U.S. Ransomware works because it relies on ignorance and isolation of users, he said. “We all need to work together on cyber security,” he added. “If we don’t we’re dead.” [IT World Canada]
Law Enforcement
CA – Alberta Police Inch Closer to Policy on Identifying Homicide Victims
After a meeting of the Edmonton Police Commission, police Chief Rod Knecht gave an update on a contentious issue which came to the fore this year after Edmonton police withheld the names of roughly half of the city’s 2017 homicide victims, a departure from long-standing practice. Critics say withholding names is a misreading of the province’s Freedom of Information and Protection of Privacy (FOIP) law, and one that goes against the public interest. The opposition Wildrose has criticized the policy, saying in particular that withholding names in domestic violence cases could stigmatize victims. Edmonton police have cited privacy concerns and the lack of “an investigative purpose” in not naming some homicide victims this year. Members of the Alberta Association of Chiefs of Police met last Friday to discuss the issue, Knecht said. The departments’ FOIP lawyers will soon gather to discuss the legal issues. “We all agreed — every case on its own merits,” he said. “We may release the name in a certain case, and in another case we may not.” [Edmonton Journal | See also: Alberta police chiefs try for common ground on naming homicide victims | Alberta chiefs of police to discuss homicide victim naming policies | Edmonton police chief defends policy of not releasing names of homicide victims | Edmonton police policy of not naming murder victims stands alone in Alberta | Secret murder: A tale of two police forces in Alberta | Bureaucratic secrecy erodes democratic rights | RCMP silent on Alberta murder victims citing Privacy Act]
US – Police May Have Been Less than Forthcoming to Judge About Stingray Use
A California defense attorney maintains that law enforcement officers misled a judge when seeking a warrant to use cell-site simulator technology to track her client’s location. In a related story, the US Supreme Court plans to discuss the issue of whether law enforcement authorities require warrants to compel mobile phone companies to disclose customers’ cell site data. Read more in:
- arstechnica.com: Lawyer: Cops “deliberately misled” judge who seemingly signed off on stingray
- arstechnica.com: Supreme Court asked to rule if cops need warrant for cell-site data
- arstechnica.com: DHS now needs warrant for stingray use, but not when protecting president
- arstechnica.com: FBI, DEA and others will now have to get a warrant to use stingrays
- www.usatoday.com: Bipartisan bill seeks warrants for police use of ‘stingray’ cell trackers
- arstechnica.com: Appeals Court: No stingrays without a warrant, explanation to judge
- www.reuters.com: In first, U.S. judge throws out cell phone ‘stingray’ evidence
Online Privacy
WW – Hundreds of Privacy-Invading Apps Are Using Ultrasonic Sounds to Track You
These near-silent tones can’t be picked up by the human ear, but there are apps in your phone that are always listening for them. This technology is called ultrasonic cross-device tracking, and it works by emitting high-frequency tones in advertisements and billboards, web pages, and across brick-and-mortar retail outlets or sports stadiums. Apps with access to your phone’s microphone can pick up these tones and build up a profile about what you’ve seen, where, and in some cases even the websites you’ve visited. In the past year, researchers found 234 Android apps that include the ability to listen for ultrasonic tones “without the user’s knowledge,” one paper said. The researchers criticize the technique as a “threat to the privacy of a user,” as they “enable unnoticeably tracking locations, behavior and devices.” Using this ad-tracking technology allows ad companies to link media-consuming habits to a person’s identity by picking up ultrasonic tones from websites, and radio and television broadcasts. The ultrasonic tones can also be used to track locations, behavior, and purchase habits across different devices, which allows the advertiser to serve more specific and tailored advertisements based on where you’ve been. Worst of all, the researchers say that this ultrasonic tracking technology can de-anonymize users of bitcoin, which is designed to be used without the need for a name. [ZDNet]
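As an added illustration (not code from the ZDNet piece or from the cited research), the following defender-side sketch shows how a microphone frame could be screened for the kind of near-ultrasonic carrier described above: it measures how much of a frame's spectral energy sits above the audible band and, when that share is suspicious, reports the dominant carrier frequency. The 44.1 kHz sample rate, 17 kHz floor, 1% energy threshold and the synthetic frames are all constructed assumptions.

```python
import cmath
import math

# Assumed analysis settings (not from the article).
SAMPLE_RATE = 44_100           # Hz, a common phone capture rate
FRAME_LEN = 512                # samples per analysis frame (~11.6 ms)
ULTRASONIC_FLOOR_HZ = 17_000   # energy above this is inaudible to most adults
ENERGY_RATIO_THRESHOLD = 0.01  # flag a frame when >1% of its energy sits above the floor


def hann_window(n):
    """Hann taper: stops loud audible tones from leaking energy into the high bins."""
    return [0.5 - 0.5 * math.cos(2 * math.pi * t / n) for t in range(n)]


def power_spectrum(frame):
    """Naive O(n^2) DFT of the windowed frame; returns |X[k]|^2 for k = 0..n//2.

    Only the non-negative frequencies are kept, so each real tone appears once.
    """
    n = len(frame)
    x = [a * w for a, w in zip(frame, hann_window(n))]
    spectrum = []
    for k in range(n // 2 + 1):
        acc = 0j
        for t, sample in enumerate(x):
            acc += sample * cmath.exp(-2j * math.pi * k * t / n)
        spectrum.append(abs(acc) ** 2)
    return spectrum


def bin_to_hz(k, n=FRAME_LEN, sample_rate=SAMPLE_RATE):
    """Centre frequency of DFT bin k."""
    return k * sample_rate / n


def analyze_frame(frame, sample_rate=SAMPLE_RATE, floor_hz=ULTRASONIC_FLOOR_HZ,
                  threshold=ENERGY_RATIO_THRESHOLD):
    """Return (ultrasonic_energy_ratio, carrier_hz).

    carrier_hz is the dominant frequency at or above floor_hz when the ratio
    crosses the threshold, otherwise None. A silent frame yields (0.0, None).
    """
    spectrum = power_spectrum(frame)
    total = sum(spectrum)
    if total == 0.0:
        return 0.0, None
    first_bin = math.ceil(floor_hz * len(frame) / sample_rate)
    ratio = sum(spectrum[first_bin:]) / total
    if ratio < threshold:
        return ratio, None
    peak_bin = max(range(first_bin, len(spectrum)), key=spectrum.__getitem__)
    return ratio, bin_to_hz(peak_bin, len(frame), sample_rate)


def scan(frames):
    """Run the detector over consecutive frames; return [(frame_index, carrier_hz)]."""
    hits = []
    for i, frame in enumerate(frames):
        _, carrier_hz = analyze_frame(frame)
        if carrier_hz is not None:
            hits.append((i, carrier_hz))
    return hits


# --- Constructed sample frames (synthetic, not real captures) -----------------
def synth_tone(freq_hz, amplitude, n=FRAME_LEN, sample_rate=SAMPLE_RATE):
    return [amplitude * math.sin(2 * math.pi * freq_hz * t / sample_rate)
            for t in range(n)]


def mix(*signals):
    return [sum(samples) for samples in zip(*signals)]


AUDIBLE_ONLY = mix(synth_tone(440, 0.5), synth_tone(1_200, 0.3))   # speech-like content
WITH_BEACON = mix(AUDIBLE_ONLY, synth_tone(19_000, 0.15))          # plus a quiet 19 kHz carrier
SILENCE = [0.0] * FRAME_LEN


if __name__ == "__main__":
    for name, frame in (("audible only", AUDIBLE_ONLY), ("with beacon", WITH_BEACON),
                        ("silence", SILENCE)):
        ratio, carrier = analyze_frame(frame)
        verdict = f"carrier near {carrier:.0f} Hz" if carrier else "no carrier"
        print(f"{name:13s} ultrasonic energy share={ratio:.4f} -> {verdict}")
```

The energy share alone does not say what a carrier encodes; it only gives an app-permission review or an on-device monitor a reason to look at which app had the microphone open at that moment.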
Other Jurisdictions
AU – Australian DPA Recommendations for Identifying Personal Information
The Office of the Australian Information Commissioner has provided guidance to organizations on determining whether information processed is personal information, pursuant to the Privacy Act 1988. Organizations should consider whether there is a connection between the information and the individual, if the information reveals or conveys something about the individual, and whether the individual is reasonably identifiable (considering the nature and amount of information, and who will have access); personal information does not include de-identified information, information about deceased persons, business information, or cases where individuals are not identifiable (e.g. an aerial photo of a public event without enough detail to determine identifying features). [OIC Australia – What is Personal Information]
Privacy (US)
US – Advocates Urge FCC to Immediately Repeal Mandatory Data Retention Rule
Advocates urge the Federal Communications Commission to immediately end the data retention mandate. The rule, requiring telephone carriers to retain customer billing records for 18 months, is outdated (carriers no longer bill in a way that makes the retention of this data relevant), violates customers’ privacy rights by requiring carriers to retain sensitive personal data, and increases the likelihood of the data being exposed in a security breach. [Letter Urging FCC to Act Immediately on Petition to End Data Retention Mandate]
US – Security Spending: School Budgets Inadequate to Meet Increased Challenges
The Consortium for School Networks issued its 5th IT Leadership Survey: 495 surveys were completed by US school system technology leaders between January and February of 2017. 38% of IT departments spend 51-75% of their time reacting to technical problems as opposed to working in a proactive mode, and 37% see no change in the priority of security and privacy of student data compared to the last year; IT leaders overcome budget and funding issues by delaying maintenance and upgrades (65%), reducing technology purchases (37%), and relying on E-rate funds (53%) and grants (35%). [2017 K-12 IT Leadership Survey Report – Consortium for School Networking]
US – School Districts and Online Services Providers Must Better Protect Student Privacy
The Electronic Frontier Foundation has issued a report on the student data handling practices of school districts and educational technology companies. Schools have issued devices to students without parental knowledge or consent, parents were unable to opt their children out of device or software use, and schools relied on provider policies (which lacked details about encryption, retention and sharing) to ensure student data protection; schools and providers should have privacy policies that are accessible, not over-broad, and describe data collected, methods used, and data minimization measures employed, obtain explicit consent from parents before signing students up for services, and should not track students’ online behavior. [EFF – Spying on Students – School-Issued Devices and Student Privacy]
US – Parties Discuss Privacy Issues in Advance of FTC, NHTSA Workshop on Connected Cars
On June 28, 2017, the Federal Trade Commission and the National Highway Traffic Safety Administration (NHTSA) will hold a workshop to examine the consumer privacy and security issues posed by automated and connected vehicles. The workshop comes several months after the Department of Transportation and NHTSA promulgated a Notice of Proposed Rulemaking (NPRM) that would require all new passenger vehicles to be capable of vehicle-to-vehicle (V2V) communications by the early 2020s. The FTC and NHTSA have raised several questions to be addressed at the workshop. Car manufacturers, tech organizations, privacy organizations, and other parties filed comments in advance of the workshop, responding to these questions and more. [Inside Privacy]
US – Second Circuit Limits Standing to Bring Data Breach Class Actions
The U.S. Court of Appeals for the Second Circuit issued an important decision [see 5 pg pdf here] in “Whalen v. Michaels Stores”, placing the court at the center of the controversy around what allegations are sufficient to establish Article III standing in data breach class actions. In “Whalen”, the plaintiff alleged that payment card information stolen in a data breach was used in unsuccessful, attempted fraudulent transactions. The payment card owner further alleged that she faced an increased risk of future identity fraud, forcing her to spend time and money resolving the attempted fraudulent charges and monitoring her credit. The court ruled that these allegations did not establish a concrete injury sufficient to confer Article III standing. [Fenwick]
US – California Senate Committee Votes Against Privacy for Our Travel Patterns
The Electronic Frontier Foundation and the ACLU of California joined forces with California State Sen. Joel Anderson (R-Alpine) to testify before the Senate Transportation and Housing Committee [watch the full hearing here] in favor of S.B. 712 (text), a bill that would have allowed drivers to cover their license plates when parked in order to protect their travel patterns from private companies operating automated license plate readers (ALPRs). Despite learning how this data may be misused to target vulnerable communities by the federal government, a Democratic majority voted to kill the bill 5-6. The bill would have adjusted current law, which allows drivers to cover their entire vehicles (for example with a tarp), so that a driver can cover just a portion: the plate. Police would still have the ability to lift the cover to inspect the plate, and since the measure only applied to parked vehicles, it would not have affected law enforcement’s ability to collect data on moving vehicles. [EFF.org]
US — Lawyers Demand Answers After Artist Forced to Unlock His Phone
In February, artist Aaron Gach flew home to San Francisco after putting on a gallery installation in Brussels. US Customs and Border Patrol (CBP) decided to interrogate Gach, to detain him, and to demand that he unlock and hand over his phone. It is fruitless to try to divine the reasons behind CBP detentions: the CBP isn’t in the habit of sharing whatever possibly reasonable suspicions it might have about a traveler that would lead agents to detain that traveler. But we are now in an era of skyrocketing device searches at the US border, and there are many who would very much like to dissect the reasons – and the constitutionality – of this type of search. As the American Civil Liberties Union (ACLU) notes, the Department of Homeland Security (DHS) has estimated that CBP officers searched 2,700 devices in January and 2,200 in February alone, putting it on pace to easily exceed the 19,000 devices they searched in all of 2016. On Thursday, the ACLU took action on behalf of Gach and others who’ve been subjected to similar non-consensual searches at the border. Six ACLU attorneys filed an eight-page administrative complaint, seeking answers from DHS, the parent agency of CBP. [Source]
US – Swabbing a Car Door Handle in A Public Lot to Collect DNA is a 4th Amendment Trespass Search
In United States v. Jones, 132 S.Ct. 945 (2012), the Supreme Court added a second test for what government action counts as a Fourth Amendment “search.” Since the 1970s, the Supreme Court had held that the government commits a search when it violates a person’s reasonable expectation of privacy. Jones added that the government also commits a search when it trespasses on to a person’s “persons, houses, papers, and effects.” The significance of Jones hinges on just what kind of trespass test courts interpret Jones to have adopted. In light of that uncertainty, I was fascinated by a new decision, Schmidt v. Stassi, from the Eastern District of Louisiana last week. When Schmidt drove to a local strip mall, parked and went inside a store, an agent used a cotton swab to wipe the exterior door handle on Schmidt’s Hummer to collect a DNA sample. Schmidt sued the officers, claiming that swabbing his car door handle was an unlawful Fourth Amendment search. In the new decision, Judge Lance M. Africk holds that collecting the DNA from the door handle using the cotton swab was a Fourth Amendment search because it trespassed on to the car. Notably, the idea here is that collecting the DNA was a search because it interfered with Schmidt’s rights in the car, not in the DNA itself. That’s different from the reasonable-expectation-of-privacy cases on collecting DNA, which generally focus on the potential privacy invasion in the testing of the DNA sample to reveal sensitive information. [Washington Post]
US – Google Data Privacy Fight Hinges on Cloud Storage Tech
U.S. District Court for the Northern District of California Magistrate Judge Laurel Beeler’s ruling [see here] that Alphabet Inc.’s Google turn over customer data stored overseas relied more on the specific storage technology at play than on an outdated federal email privacy law, attorneys told Bloomberg BNA. The ruling may not offer real clarity sought by companies that store large amounts of data in the cloud on whether they must comply with government demands for the release of consumer data stored outside the U.S. But it does offer some insight into how courts may parse the technological issues surrounding the storage of data and identification of the consumers tied to that data by focusing on the ability of the company to readily identify the citizenship of a particular user. [BNA]
US – NY Lawmakers Consider Adding a ‘Textalyzer’ to Accident Investigations
A bill before the New York State Senate would give law officers a tool to check drivers’ cell phones after an accident in order to determine if distracted driving was the cause. Titled Evan’s Law, named after Evan Lieberman, a New Castle teenager who lost his life in 2011 due to a distracted driver in Westchester County, the bill would be the first in the nation to receive legislative approval. But not everyone is excited about the prospect. Rashida Richardson of the New York Civil Liberties Union is concerned that private information would not be private with any phone-scanning technology. She also questioned its accuracy, according to CBS New York. [Patch.com]
Security
US – New ABA Opinion: Attorneys Must Take Reasonable Cybersecurity Measures to Protect Client Data
On May 11, 2017, the American Bar Association (ABA) issued Formal Opinion 477, making clear that a lawyer may transmit information relating to the representation of a client over the Internet without violating the Model Rules of Professional Conduct so long as the lawyer takes reasonable efforts to prevent inadvertent or unauthorized access to client information. Lawyers may also be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security. This new opinion updates a prior opinion issued by the ABA in 1999 (Formal Opinion 99-413)[see here], in which the ABA concluded that attorneys may use the Internet to transmit unencrypted communications relating to a client without running afoul of the Model Rules of Professional Conduct. Although most enterprises and firms use some level of protection in their electronic communications, this new opinion highlights the growing focus on cybersecurity across all industries and professions. Encryption is increasingly becoming the industry standard in securing electronic data and communications, and is often the first line of defense when facing a data breach scenario. [Privacy and Security See also: 8 Steps to Evaluating Cloud Service Security]
WW – Google Docs Phishing Scam
An enormous phishing scheme disguised as a Google Docs request has been sent to as many as one million users. The attackers used Google developer tools that create an app that was designed to trick users into thinking they were viewing the real Google Docs app. It displayed a legitimate OAuth screen seeking permission to access and manage users’ email and contacts. Within an hour of learning about the phishing scheme, Google had taken steps to protect users. Read more in:
– computerworld.com: Google Docs phishing scam underscores OAuth security risks
– www.wired.com: Don’t Open That Google Doc Unless You’re Positive It’s Legit
– www.scmagazine.com: Massive Google Docs phishing attack targeted credentials, permissions
– www.eweek.com: Google Docs Phishing Attack Tricks Unsuspecting Users to Click
– www.cyberscoop.com: OAuth-based phishing campaign gives Gmail users a scare
– threatpost.com: 1 Million Gmail Users Impacted by Google Docs Phishing Attack
– www.bleepingcomputer.com: It Took Google One Hour to Shut Down Massive Self-Replicating Phishing Campaign
US – HHS to Launch Cybersecurity Center
The Department of Health and Human Services (HHS) will soon launch a healthcare focused cybersecurity initiative modeled on the Homeland Security Department’s National Cybersecurity and Communications Integration Center (NCCIC). The new center, to be called the Health Cybersecurity and Communications Integration Center (HCCIC) would seek to reduce the extensive “noise” in the health care industry about cyber threats and to analyze and “deliver best practices and the two or three things that a small provider, a small office, a doc in a box can do to protect his patient’s privacy and information security around those systems.” HHS also envisions the HCCIC working with developers of mobile health apps to promote data security best practices in that fast-growing area. In December, the Food & Drug Administration responded to the “growing number of medical devices designed to be networked to facilitate patient care” by issuing guidance addressing the management and reporting of post-market cybersecurity vulnerabilities in medical devices. On May 3, HHS’ Health Care Industry Cybersecurity Task Force released its draft report to Capitol Hill. The report includes recommendations to create a medical-device specific “MedCERT” modeled after the United States Computer Emergency Readiness Team, which “would assess vulnerabilities, evaluate patient safety risks, adjudicate between the vulnerability finder and product manufacturer, and consult organizations about how to navigate the vulnerability process.” [Security and Privacy Health Law]
WW – CompTIA Study Finds Old Tactics Often Used to Fight Breach Threats
Organizations recognize information security as a growing imperative, but too many remain on the defensive and use dated tactics and training to protect their data. That is the conclusion of the new study “The Evolution of Security Skills” [see here] from CompTIA, the leading technology association. According to the study, one of the challenges for many organizations is that they put their focus on the cyber threats they understand the best. Malware and viruses, two of the oldest forms of cyberattacks, generally get the most attention. Of the 350 organizations surveyed, 29 percent said they are highly proactive in their security posture, emphasizing detection and response. Another 34 percent said they balance a strong cyber defense with some proactive measures. Seth Robinson, senior director, technology analysis, at CompTIA calls on organizations to adopt proactive measures to protect their data. These include identifying weak links before they are exploited, broadening the skills of their technology professionals, and increasing security training top to bottom throughout the organization. [Info Mgmt]
UK – ICO Reports Record Number of Data Breaches and Fines
The ICO’s annual performance statistics for 2016/17 also reveal that the regulator received more reported data protection breaches and fined more companies for unlawful activities than in any previous year. The statistics show that data protection complaint cases rose to 18,354, around 2,000 more than the previous year. Some 2,565 self-reported data breaches resulted in 16 civil monetary penalties totalling £1,624,500 for serious breaches across a range of public, private and voluntary sectors. The ICO received more than 166,000 reports about nuisance calls and texts. The ICO issued a record number of 23 fines in this regard, totalling £1,923,000, and issued nine enforcement notices and placed 31 organisations under monitoring. More than 5,400 freedom of information (FOI) cases were received and 5,100 closed during the year, with 1,351 decision notices, which was “broadly similar” to the previous year, the ICO said. The ICO expects its work to intensify next year in the run up to the deadline for compliance with the EU’s General Data Protection Regulation (GDPR) on 25 May 2018. Testifying to the House of Lords EU Home Affairs Sub-Committee in a hearing on the new EU data protection package, Information Commissioner Elizabeth Denham said she planned to expand the ICO’s staff to deal with the extra work burden to be imposed by the GDPR. [Computer Weekly]
WW – Organizations’ Lack of Attention to Printer Security Makes Them Vulnerable
This white paper surveyed individuals responsible for printer security at 16 organizations, which averaged 51 million pages printed per year by 8,800 printers used by 57,200 IT users and involving 4,500 IT staff. More than half of companies experienced an IT security breach in the last year that involved print security, yet almost 2/5 of senior managers are more likely to be involved in decision making for overall IT security than for print security; breaches commonly occur from the device’s network ports, print/copy/scan job interception, print/MFP hard drives and memory, printed or copied documents left in output trays or illegal use of secure media (checks, prescriptions). [The Business Value of Printer Security – IDC]
WW – Mobile Devices: Only 36% of Organizations Believe Cyberattacks Can Be Prevented
410 security professionals from an independent global database participated in a survey on mobile device security. Types of attacks experienced on employees’ mobile devices include malware, phishing using text messages, network attacks, intercepted calls and text messages over a carrier network, key logging, and credential theft; 62% of organizations do not use mobile security solutions (due to lack of budget, shortage of resources, lack of experience, or insufficient risk), despite 94% of organizations believing that the frequency and types of mobile device attacks will increase in the next year. [The Growing Threat of Mobile Device Security Breaches – Global Survey of Security Professionals – Check Point Software Technologies]
US – Uber Responds to Report That It Tracked Devices After Its App Was Deleted
Uber tracked former users even after they deleted the app from their iPhones, a practice that eventually earned CEO Travis Kalanick a scolding from Apple chief executive Tim Cook, the New York Times reports. Uber allegedly used a practice called fingerprinting to track devices after the app was deleted. Uber reportedly began fingerprinting iPhones as a fraud-prevention method in locations like China. Drivers there would register multiple Uber accounts on stolen iPhones and use them to request rides, thereby boosting the number of overall rides — a metric that Uber rewards with bonuses. Apple previously allowed developers to track their users with a Unique Device Identifier, or UDID. This kind of tracking was persistent across installs, but as Apple became more concerned with user privacy, it deprecated UDIDs in 2013. Apple replaced UDIDs with other variants of trackers that are designed to be less intrusive, including vendor IDs and advertising IDs. It’s not clear how Uber fingerprinted the devices in 2015 that led to the meeting between Kalanick and Cook. In order to prevent Apple engineers from discovering the fingerprinting, Uber allegedly geofenced Apple’s Cupertino headquarters to hide the code used in the process. But Apple engineers based in other offices discovered the trick, according to the New York Times [see here] and confirmed by TechCrunch, leading Cook to summon Kalanick to his office in early 2015. An Uber spokesperson said “We absolutely do not track individual users or their location if they’ve deleted the app. As the New York Times story notes towards the very end, this is a typical way to prevent fraudsters from loading Uber onto a stolen phone, putting in a stolen credit card, taking an expensive ride and then wiping the phone—over and over again. Similar techniques are also used for detecting and blocking suspicious logins to protect our users’ accounts. Being able to recognize known bad actors when they try to get back onto our network is an important security measure for both Uber and our users” [TechCrunch]
US – DHS Provides Guidance on Implementing Security Improvements for Mobile Devices
The Department of Homeland Security, in coordination with the National Institute of Standards and Technology and the National Cybersecurity Center of Excellence, conducted a study on current and emerging threats to the government’s use of mobile devices. Mobile devices are vulnerable to attacks on back-end systems that require a security approach different from protection developed for desktop workstations; organizations should ensure timely patching of known vulnerabilities, block network access for obsolete devices (those no longer supported with updates), enable strong authentication methods, automatically monitor, detect and report any security policy violations, and enable remote wiping capabilities. [DHS – Study on Mobile Device Security]
US – NIST: Let Passwords Be Longer and Eliminate Character Variation Requirements
Later this summer, the US National Institute of Standards and Technology (NIST) will release new Digital Identity Guidelines. NIST appears likely to recommend against requiring periodic changes for passwords and instead, employing other measures to make passwords both easier to remember and more difficult to crack. For instance, allowing up to 64 characters could let people use passphrases rather than passwords. And allowing spaces and doing away with character variation requirements would help with memorization. NIST is currently reviewing public comment received on the guidelines. Read more in:
– https://qz.com: The US standards office wants to do away with periodic password changes
– https://pages.nist.gov: Digital Identity Guidelines
Smart Cars & Cities
WW – Report on IoT, Automation, Autonomy, and Megacities in 2025
Engineers designing and implementing internet-connected IoT devices face daunting challenges that are creating discomfort with what they see evolving in their infrastructures. This paper brings their concerns to life by extrapolating from present trends to describe plausible future crises playing out in multiple global cities within 10 years. Much of what occurs in the scenarios is fully possible today. [IoT, Automation, Autonomy, and Megacities in 2025]
US – California Bill Mandates Privacy by Design for IoT Devices
Manufacturers of Internet-connected devices (better known as the Internet of Things) should be following a new California bill closely because it would create a mandate under California law that all IoT devices have built-in security features appropriate to the device and the information collected. California Senate Bill 327 [see here], amended in March, is the latest in a trend of legislative and regulatory efforts by state and federal authorities to hold IoT device makers more accountable for consumer data security. The California bill was introduced at nearly the same time the FTC brought an enforcement complaint in federal court in California against a computer networking equipment manufacturer for failing to take reasonable steps to secure its products from hackers. California’s Senate Bill 327 would go much further than the FTC has in “encouraging” manufacturers to adopt industry best practices for device security by codifying the State of California’s ability to bring enforcement complaints against those companies that do not build adequate security safeguards into their devices. It could be the first legislative mandate for IoT device manufacturers to proactively implement “security by design”. [WCSR]
WW – Securing the Internet of Things
Microsoft is calling for the development of a cybersecurity policy for the Internet of Things (IoT). While “industry can build security into the development of IoT devices and infrastructure, the number of IoT devices, the scale of their deployments, the heterogeneity of systems, and the technical challenges of deployment into new scenarios require an approach specific to IoT.” In a separate story, Japan’s Internal Affairs and Communications Ministry will introduce a certification system for IoT devices that will rate their resilience to cyberattacks. Read more in:
– www.darkreading.com: Microsoft Calls for IoT Cybersecurity Policy Development
– mscorpmedia.azureedge.net: Cybersecurity Policy for the Internet of Things (PDF)
– www.sltrib.com: Japan to rate home devices on cyber-attack vulnerabilities
Surveillance
US – NSA Collected Americans’ Phone Records Despite Law Change: Report
The U.S. National Security Agency collected more than 151 million records of Americans’ phone calls last year, even after Congress limited its ability to collect bulk phone records, according to an annual report [see PR here & Report here] issued by the top U.S. intelligence officer. The NSA collected those 151 million records even though it had warrants from the secret Foreign Intelligence Surveillance Court to spy on only 42 terrorism suspects in 2016, in addition to a handful identified the previous year. The report came as Congress faced a decision on whether to reauthorize Section 702 of the Foreign Intelligence Surveillance Act (FISA), which permits the NSA to collect foreign intelligence information on non-U.S. persons outside the United States, and is scheduled to expire at the end of this year. Officials on Tuesday argued that the 151 million records collected last year were tiny compared with the number collected under procedures that were stopped after former NSA contractor Edward Snowden revealed the surveillance program in 2013. The report said the names of 1,934 “U.S. persons” were “unmasked” last year in response to specific requests, compared with 2,232 in 2015, but it did not identify who requested the names or on what grounds. [Reuters]
US – Cop Union Opposes New Bill That Would Thwart License Plate Readers
If the Electronic Frontier Foundation and a San Diego-based Republican state senator have their way [and here], it will soon become legal for Californians to cover their license plates while parked as a way to thwart automated license plate readers. As written, the new senate bill would allow law enforcement to manually lift a cover, or flap, in order to inspect a plate number. The idea is not only to prevent dragnet license plate data collection by law enforcement, but also by private companies. A California company, Vigilant Solutions, is believed to have the largest private ALPR database in America, with billions of records. The California Police Chiefs Association has already filed its opposition to the bill. In a letter to Sen. Joel Anderson, the group argued that the bill would only benefit one group: “those who are trying to evade law enforcement and detection.” Similarly, the bill has faced resistance from the California Public Parking Association, among other groups. In March 2015, Ars obtained the Oakland Police Department’s 4.6 million reads of more than 1.1 million unique plates, which were gathered between December 23, 2010 and May 31, 2014, as part of a public records request. The dataset showed precisely how revelatory such information can be—we were able to discern the home of a city council member with little difficulty. [Ars Technica]
US – Study Lays Out Privacy Concerns That Kids and Parents Have About Toys That Listen
University of Washington researchers explored the attitudes of kids and parents toward Wi-Fi-enabled toys in a study. “It’s inevitable that kids’ toys, as with everything else in society, will have computers in them, so it’s important to design them with security measures in mind,” said Franziska Roesner, one of the co-authors of the study, which was funded by the Consumer Privacy Rights Fund at the Foundation for Communities and the Environment and by UW’s Tech Policy Lab. This year, sales of My Friend Cayla were banned in Germany due to concerns that personal data could be stolen. In the U.S., advocacy groups have filed a complaint with the FTC over Cayla and i-Que Robot. (The FTC is reviewing the complaint.) The researchers say toy designers, parents and policymakers should become more aware of the potential vulnerabilities and the potential solutions. One of the suggested strategies is to program the toys themselves to tell kids that they’re being recorded – and to alert parents to any concerns that come up. [Geekwire]
US Government Programs
US – FTC Requests Comments on Significant Changes Proposed to Organization’s Safe Harbor Program Under COPPA Rule
The Federal Trade Commission issued a notice on proposed changes to TRUSTe’s safe harbor program under the COPPA Rule. The proposed changes include measures to reduce the risk of misrepresentation by participants in the program (the organization would have greater control over use of the trustmark); new obligations would require participants to conduct an annual internal assessment of third parties’ use of tracking technologies to collect children’s PI, describe their retention policies, undergo an annual compliance review, implement a user complaint process, enhance security measures, and notify affected users and the organization of any data breach. Public comments are due by May 24, 2017. [FTC – 16 CFR Part 312 – Children’s Online Privacy Protection Rule Safe Harbor Proposed Self-Regulatory Guidelines; TRUSTe COPPA Safe Harbor Program Application to Modify Program Requirements Press Release | Consultation]
US – NSA Announces Data Collection Changes
The US National Security Agency says it has stopped collecting email traffic for simply containing the email address or phone number of a foreign target. The NSA agreed to end the practice as part of an agreement with a federal court that allows the agency to continue its Section 702 surveillance program. Read more in:
– www.wired.com: A Big Change in NSA Spying Marks a Win for American Privacy
– www.theregister.co.uk: NSA pulls plug on some email spying before Congress slaps it down
– www.scmagazine.com: NSA to end controversial warrantless surveillance practice
– www.zdnet.com: NSA stops controversial program that searches Americans’ emails
– arstechnica.com: NSA ends spying on messages Americans send about foreign surveillance targets
– computerworld.com: NSA ends surveillance tactic that pulled in citizens’ emails, texts
– www.washingtonpost.com: NSA halts controversial email collection practice to preserve larger surveillance program
Workplace Privacy
CA – Wearables in the Workplace Have Major Implications
With the growth of wearables in the workplace, how employee information is gathered, stored and used is becoming cause for concern. Researchers Steven Richardson and Debra Mackinnon at Queen’s University have published a report titled ‘Left to their own devices? Privacy Implications of Wearable Technology in Canadian Workplaces’ and highlighted some of the issues that have to be considered by all stakeholders. The researchers have identified more than 420 devices that are currently available for use in the workplace. They argue that there is a need for greater accountability and transparency in how the devices are being implemented so that we have a more informed approach to privacy in the workplace. Wearables offer huge benefits and the technology is undoubtedly here to stay. However, the privacy issues do need more careful consideration by all the stakeholders involved prior to implementation. [Toronto Sun]
CA – Mandatory Locomotive Recorder Bill ‘Addresses A Key Safety Issue,’ Says Transportation Safety Board
Amendments to the federal “Railway Safety Act” [see here] mandating recording devices, if passed into law, could provide “essential information” to Transportation Safety Board of Canada staff investigating rail accidents and could help prevent such accidents in the future, the TSB suggested Tuesday. Bill C-49, an omnibus piece of legislation, was tabled Tuesday in the House of Commons by Transport Minister Marc Garneau. [See here] It would mandate installation of locomotive voice and video recorders, the TSB said in a separate release Tuesday. [See here] In September 2016, the Canadian branch of the International Brotherhood of Teamsters stated that railway companies should “not to be given access to the recordings because that would be an unprecedented and unparalleled intrusion into the workplace, one that is unnecessary, and would be tantamount to violating workers’ right to privacy.” [Canadian Underwriter]
CA – New Legislation Requiring Cameras on Trains Will Violate Workers’ Privacy, Rail Union Says
The union representing rail workers says new legislation [see here & here] that would require cameras to be installed on Canada’s trains threatens workers’ privacy and came as a surprise. But Transport Minister Marc Garneau said he’s spoken with the Teamsters Canada Rail Conference about the proposal, and the union knew what was being planned. The law would require railway companies to equip locomotives with voice and video recorders that could be used by the Transportation Safety Board of Canada after an accident to assess what went wrong. The union is upset that railway companies would also have access to the recordings to conduct random samples and look for safety risks. “From the workers’ perspective, the government has abandoned them,” union president Doug Finnson said. “I’m particularly pissed at this.” Finnson claims that once railway companies have access to the recordings, the government won’t be able to control how they use them. It’s still unclear how much power companies will have to act on what they see and hear in the recordings. Jean Laporte, chief operating officer of the Transportation Safety Board, said if railway companies observe employees engaged in criminal activity or gross negligence, they will have a “moral obligation to take action and deal with that.” According to the proposed legislation, companies can use the recordings “to address a prescribed threat to the safety of railway operations.” [National Post]
+++