08-23 April 2017


US – Border Patrol Seeking Facial Recognition Drones

Customs and Border Protection (CBP), a Department of Homeland Security (DHS) agency, has used drones originally designed for foreign battlefields in order to conduct border surveillance, although these efforts have hardly been efficient. Federal solicitation documents reveal that DHS is looking to smaller drones with facial recognition capabilities. This ought to concern Americans who value civil liberties. The solicitation lists required sensor capabilities for the drones, including, “Provides a surveillance range of 3 miles (objective),” “Able to track multiple targets persistently,” and “Identification of humans via facial recognition or other biometric at range.” “The sensor technology would have facial recognition capabilities that allow it cross-reference any persons identified with relevant law enforcement databases.” If you’re an American adult reading this there is a good chance that your facial image is in one of these “relevant law enforcement databases.” A Government Accountability Office report from last year found that the Federal Bureau of Investigation’s facial recognition system has access to more than 411 million facial images, including the driver’s license photos from sixteen states. Current law allows CBP officials to stop and search vehicles within 100 miles of America’s external boundary in order to prevent illegal immigration. Roughly two-thirds of Americans live in this so-called “Constitution-free” zone. Although DHS’ solicitation mentions facial recognition drones being used as part of border patrol we should be prepared for them to make appearances at interior checkpoints as well as at ports of entry. [CATO | The US Border Patrol is trying to build face-reading drones]

WW – Researchers Develop Synthetic Skeleton Keys for Fingerprint Sensors

Those fingerprint-based security systems in your mobile phone might not be quite as secure as you wish they were. That’s the takeaway from just-published research by engineering researchers at New York University and Michigan State University. According to NYU’s press room, “the team analyzed the attributes of MasterPrints culled from real fingerprint images, and then built an algorithm for creating synthetic partial MasterPrints.” And their digitally simulated “synthetic partials” proved worryingly effective. This kind of research helps to identify areas where our security is weaker than we thought rather than practical forms of attack. Those may come in time, though, and according to MSU Today the research team is now investigating potential solutions for this vulnerability. [Naked Security]

Big Data

WW – Artificial Data Reduces Privacy Concerns and Helps with Big Data Analysis

Big data, more often than not, contains sensitive information pertaining to individuals serviced by the organization, and releasing that information to outside resources may place the organization or business in jeopardy with state and federal privacy regulations. Three researchers at MIT may have figured out a way to assuage privacy concerns. Principal researcher Kalyan Veeramachaneni along with researchers Neha Patki and Roy Wedge in their paper The Synthetic Data Vault describe a machine-learning system that automatically creates what the researchers call “synthetic data.” The beauty of the machine-learning model from Veeramachaneni and his team is that it can be configured to create synthetic data sets of any size, and this can be done quickly to accommodate development or to stress-test schedules. Artificial data is also a valuable tool for educating students, as there is no need to worry about data sensitivity. The MIT press release concludes with, “This innovation can allow the next generation of data scientists to enjoy all the benefits of big data, without any of the liabilities.” [TechRepublic See also: Brandon Purcell Q&A on AI & fulfilling the failed promise of big data]


CA – Proposed Amendments to the Privacy Act Enhance Transparency

The Standing Committee on Access to Information, Privacy and Ethics issued recommendations following its review of the Privacy Act. The OPC should be granted the discretion to publicly report on government privacy issues when it is in the public interest, and share audit and investigative information with domestic and international counterparts; the scope of the Act should be extended to include ministers’ offices and the Prime Minister’s Office, information requests from law enforcement should be reported, and right of access should be extended to foreign nationals. [Protecting the Privacy of Canadians – Review of the Privacy Act – Report of the Standing Committee on Access to Information Privacy and Ethics]

CA – Manitoba Government Seeks Comments on Access to Information

The Manitoba Minister of Sport, Culture and Heritage seeks public comment on the Freedom of Information and Protection of Privacy Act (FIPPA), as part of its legislative review. Comments can be submitted until May 31, 2017. Comments are sought on whether FIPPA is appropriate for local public bodies (schools, municipalities, regional health authorities), whether public bodies should have greater flexibility in access request response times and extensions or charge fees for voluminous, multiple, or concurrent requests, and on current discretionary and mandatory exceptions that may limit access to information. [Manitoba Government – FIPPA Legislative Review]

CA – Saskatoon Police Prepare for Changes to Freedom of Information Law

Starting this fall, Saskatchewan police forces will be subject to provincial freedom of information law. The Saskatoon Police Service hired its first access and privacy officer this spring and she [Kayla Oishi] is in the process of developing the forms and procedures people will need to use to request documents from the police. [Here are some relevant questions Oishi answered, including]: 1) What kind of information can be requested from the police?; 2) What information won’t be given out?; 3) When can FOIP requests be filed?; 4) How can people file freedom of information requests?; 5) How much does it cost to submit a FOIP request?; 6) How long will it take for police to respond to FOIP requests?; 7) How many FOIP requests does the Saskatoon Police Service expect to process?; and 8) Can people in other provinces file FOIP requests with police? [Star Phoenix See also: Saskatoon police hire first access and privacy officer]

CA – Cellphone Surveillance Technology Being Used by Local Police Across Canada

Calgary police, Ontario Provincial Police and Winnipeg police all confirmed to CBC News they own the devices — known as IMSI catchers, cell site simulators or mobile device identifiers (MDIs) — joining the RCMP, which has used the technology for its own investigations and to assist Toronto and Vancouver police. While Ontario and Winnipeg police refused to say whether they use the technology to intercept private communications, Calgary police and the RCMP insist they only deploy their IMSI catchers to identify — and occasionally, in the RCMP’s case, track — cellular devices. Micheal Vonn, policy director of the B.C. Civil Liberties Association and a legal expert on privacy, says she’s concerned there isn’t a warrant process specific to IMSI catchers that establishes strict limits on how the technology is used given its potential for mass surveillance. “It’s nothing but a policy choice for some law enforcement not to use the content interception capabilities,” said Vonn, referring to features some IMSI catchers have to eavesdrop on any cellphone within a radius of several blocks. It’s hard to believe “the tantalizing availability of such technology is not going to be exploited,” she said. “It will.” CBC News has since contacted 30 provincial and municipal police forces across Canada to ask how many IMSI catchers they own, the number of operators trained to use them, and how many times the technology was used in 2015 and 2016. Only Calgary police answered in full. The Office of the Privacy Commissioner of Canada is investigating the RCMP’s use of IMSI catchers, following a complaint filed last year. [CBC]

CA – CSIS Waiting On Liberal Reforms Before Using Threat-Disruption Powers

Nearly two years ago, the Canadian Security Intelligence Service (CSIS) was granted expanded legal authority to actively disrupt threats to national security, not simply gather information about such threats. The change was made when the former Conservative government passed Bill C-51 in June that year. The new law allows CSIS agents to take nearly any action — short of causing bodily harm or death, violating a person’s sexual integrity or obstructing justice — to stop or disrupt a threat, as long as CSIS obtains a warrant from a Federal Court judge for any steps that would violate an individual’s Charter rights. However, senior CSIS officials decided it wouldn’t be appropriate to pursue more serious so-called “threat-reduction activities” that require a judge’s sign-off, while the Liberal government is actively considering how it will amend the law, a source with direct knowledge of the discussions told the Star. Documents obtained by the Star lay out in detail three agreements CSIS has negotiated with other government departments and agencies setting out how they will co-ordinate these kinds of actions and how CSIS will notify its partner agencies in advance. One key agreement is with the Communications Security Establishment, or CSE, Canada’s sophisticated electronic spying and cyber-defence agency, which answers to the minister of national defence. CSIS has struck similar agreements to co-ordinate with the RCMP and Global Affairs Canada. Another agreement obliges CSIS to notify the foreign affairs department of any foreign policy or “strategic outcomes” that result from CSIS flexing its muscle abroad, in countries where there could be diplomatic fallout for Canadian spies acting in ways that may not accord with local laws. [The Star]

CA – B.C. Privacy Commissioner Rejects Call To Probe NDP List Sharing

British Columbia’s privacy watchdog, Drew McArthur, said in a statement Monday that the Liberal complaint does not meet the threshold for an investigation by his office. The New Democrats called the complaint an attempt to divert attention from serious issues facing the Liberals on the eve of an election campaign. A Liberal official said the party was reviewing McArthur’s response, but did not comment further. B.C. Liberal party president Sharon White had requested the investigation in a letter to McArthur on Friday. McArthur explained that the Personal Information Protection Act applies to private organizations in B.C., including political parties, and there are two circumstances that can result in an investigation. “The first is most common: we investigate complaints from individuals whose personal information has been directly affected,” said McArthur’s statement. But since there is no individual complaint, an investigation cannot proceed on those grounds, he said. “The second option is for the commissioner to initiate an investigation into a potential contravention of (the Act) if he has ‘reasonable grounds to believe that an organization is not complying.’ We have reviewed the documents submitted by the B.C. Liberal party and have determined that the information provided does not meet the threshold for a commissioner-initiated investigation.” The Liberals sent a second complaint letter Monday, alleging the B.C. NDP was in breach of the Act by attempting to use a voter support list collected by the federal NDP in the 2015 federal election. [CTV News]

CA – OIPC NS Recommends Regularly Reviewing the Need for Video Surveillance

The Office of the Information and Privacy Commissioner for Nova Scotia has issued guidelines on the use of video surveillance, pursuant to the: Freedom of Information and Protection of Privacy Act; and Municipal Government Act. The need for video surveillance must be pressing and substantial, requiring concrete, verifiable evidence of the problem to be addressed (e.g., crime rates); organizations should regularly review the use of existing video surveillance systems to ensure that the original problem still exists and requires the use of CCTV, and whether or not there is a less invasive way of achieving the same goal. [OIPC NS – Video Surveillance Guidelines]

CA – How the B.C. Government Quietly Gained Access to the Non-Voter List

When the B.C. Liberal government amended the Election Act in 2015, what was tucked into the eight pages of stricken sections and subsections was a change requiring Elections B.C. to provide parties and candidates not only with the list of people who voted in the last election, but the list of those who didn’t. Less than a month before the legislation was introduced, the privacy commissioner flagged that section as an unwarranted intrusion. The sole reason that political parties need/want that information, she said, is to gain access to “personal information in a comprehensive and accessible format after voting day in order to perform analytics and other uses.” She said the information was “likely to be linked with other information in political databases and elsewhere.” Provincial Attorney General Suzanne Anton was unmoved by critics’ concerns. Her response was essentially: Trust us, we won’t misuse it. So, what is the big deal about getting the list of non-voters? Well, for one thing, the best predictor of who will vote is whether they voted in the last election. That is why voter suppression tactics are aimed at those who have a history of voting. But the converse is also true. Knowing who didn’t vote last time allows parties to ignore non-voting individuals and communities and direct their money and energy at those who do. It’s cynical and the antithesis of democracy. [Vancouver Sun]

CA – Liberals Accuse NDP of Sharing Supporter Lists Without Consent

The B.C. Liberal party has filed a complaint with the province’s privacy commissioner, alleging the B.C. NDP has breached protection laws by sharing its supporter list with “politically friendly” groups. A letter to Privacy Commissioner Drew McArthur signed by B.C. Liberal president Sharon White called for an immediate investigation into alleged breaches of B.C.’s Personal Information Protection Act by the NDP. “We have obtained documentation concerning the activities of the B.C. NDP, Strategic Communications, the municipal political parties, Vision Vancouver, Coalition of Progressive Electors and the Surrey Civic Coalition, and B.C. NDP officials in Saanich, B.C., which show serious and ongoing breaches of the Personal Information Protection Act.” The Liberals allege in the letter “there are clearly reasonable grounds to believe that a number of political organizations in B.C. have not complied with the Personal Information Protection Act.” The complaint to the privacy commissioner includes documents of three agreements dated Oct. 5, 2005 between the NDP and Vision Vancouver, COPE and Surrey Civic Coalition. “These agreements set out a secret arrangement whereby the B.C. NDP would share lists regarding its supporters with these politically friendly municipal parties to help them identify supporters and assist them to elect their candidates in municipal elections,” stated the letter. [Vancouver Sun]

CA – NL Privacy Commissioner Calls Cameras in Rental Home ‘Incredibly Unsettling’

“I can’t think of any more egregious way for your personal privacy to be breached, than to have cameras in your home, unbeknownst to you,” said Donovan Molloy, Newfoundland and Labrador’s privacy commissioner. In February, Rachel Tribble and her roommate discovered an elaborate system of cameras inside their rental property — including cameras in their bedrooms. Tribble said the cameras were hooked up to video and audio cables, that connected to a recording device in the attic. Police have seized equipment from the home. Their investigation is ongoing. Homeowner Kevin Vokey said that the system was installed for personal security while he was living there and maintained that it was an internal system, with no external access outside of the home, and that footage from the system was never streamed. In general terms, Molloy noted that the province’s Privacy Act prohibits “surveillance, auditory or visual, whether or not accomplished by trespass, of an individual, by any means including eavesdropping, watching, spying, harassing or following” without consent. [CBC]

CA – Western Librarians Publish First-Ever Online Privacy Guide by a Canadian University

A guide on the first steps you can take to protect your online privacy is close to home — right on the Western libraries website. The work is a collaborative effort between Melissa Seelye, a graduate student in library and information sciences and Erin Johnson, a library assistant in research and instructional services at Weldon Library, and is the first online privacy guide published by a Canadian university. The guide is curated for a general audience, from beginners to more advanced users. The guide lists privacy protection tools such as Internet browser alternatives, browser extensions, search engine alternatives, private messaging apps and password managers. Included is also more information on privacy policies and legislation implemented by Western and the Canadian government. [Western Gazette]


EU – Commission Launches Public Consultation On Internet Fears

The EU is launching an unprecedented public consultation to find out what Europeans fear most about the future of the internet. A succession of surveys over the coming weeks will ask people for their views on everything from privacy and security to artificial intelligence, net neutrality, big data and the impact of the digital world on jobs, health, government and democracy. A dozen leading European publications are to publicise the surveys over the coming three weeks. Results will be compiled in early June. [The Guardian]

EU – Survey: Europe Less Concerned About Privacy Than Counterparts

The survey from Forrester included 3588 responses from employees involved in planning, funding and the purchasing of business and tech products and services, and found that while 50% of security and risk (S&R) pros worry about customer privacy concerns in the US, the number in emerging markets – where many firms are looking for new customers – is significantly higher. When asked to rate their concern for each source of information risk and the potential impact it could have on their organisation, security decision makers from Germany (34%), France (36%) and the UK (42%) are highly or extremely concerned. Elsewhere in the world, respondents are more concerned with customer privacy. Security decision makers from India (76%), China (71%), the US (50%), Brazil (51%), Canada (47%) and Australia/New Zealand (43%) expressed such concerns. In these same markets, more security decision makers from outside of Europe consider privacy a competitive differentiator: India (44%); China (37%); Brazil (33%); the US (32%); Germany (27%); Canada (26%); Australia/New Zealand (26%); the UK (26%) and France (23%). Firms across the globe must therefore understand the risks and opportunities that come with privacy. The report identifies these attributes of an effective privacy organisation: 1) A privacy leader; 2) Identify and limit potential conflicts of interest; 3) Create escalation procedures; 4) Define the relationship between privacy and compliance; and 5) Audit data assets. [SC Magazine]


NZ – New Zealand Privacy Commish Blasts Gov’t NGO Data Collection Plans

Social Development Minister Anne Tolley is pushing a policy to force non-government organisations (NGOs) to hand over personalised data of their clients, in order to be eligible for Government funding. Privacy Commissioner John Edwards today rejected the plan. He described the Government plans to capture the individual and personal data of vulnerable clients as “excessive and unnecessary,” and said it could have serious and unintended consequences. Little or no thought had been given to developing possible alternative means to achieve the Government’s aims without risking those consequences. Tolley revealed the ministry was forced to shut down its information sharing portal following a privacy breach. An error allowed one provider to view another provider’s folder, but there was no data contained in the folder at the time. [Privacy Commissioner has slammed Social Development data collection plans as too intrusive | Government demands non-profit clients’ personal data before releasing funds]

US – Erosion of Public Trust Biggest Long-Term Impact of OPM Breaches, Experts Say

It’s been nearly two years since the Office of Personnel Management first announced that hackers had stolen personally identifiable information from 21.5 million people in two separate cyber breaches, and counterintelligence officials say it’s still unclear just how the adversary may use that data, if at all. Instead, the biggest harm from the OPM breaches has been the public’s erosion of trust in the agency and in government at large to protect personal data, said Charlie Phalen, director of the National Background Investigation Bureau (NBIB). While counterintelligence and security officials have little information about the long-term impacts of the OPM breaches, experts say impacted individuals shouldn’t be paranoid. They should take basic precautions when they post on social media, travel abroad and connect with new people online, yet those measures are no different than the steps every other American should take to protect their personal information. “My best sense of what the long-term impacts of this is that this information in the hands of the adversary might help them learn more about me, might help them get a little bit of an edge on me, might help them sort through data, but all in all, if I take the same precautions tomorrow that I would have taken three years ago with traveling, with dealing with my business, with my life, with contacts, I don’t think I would do much very differently,” Phalen said. He said he feels “fairly comfortable” that OPM’s current information system is “protected as well as it can be.” As NBIB director, Phalen is now working with the Defense Information Systems Agency and other stakeholders to develop the specifications of a completely new security clearance information system. [OPM looking to rebuild trust | Federal News Radio]

US – Most People Don’t Trust Government to Keep Their Personal Data Private, Report

New survey results released on Monday by research firm Accenture show that citizens generally lack faith in the ability of government to keep information safe and are calling for stronger protections. Most — 74% — said they lacked confidence in their government’s ability to keep citizen data private and secure, and 65% said they lacked confidence in the ability of law enforcement to investigate and prosecute on cybercrime cases. Accenture’s state and local security advisor, Lalit Ahluwalia said this survey confirms that “cyber insecurity” remains pervasive and bolsters the existing belief among government agency leaders that cybersecurity should be a top priority. Indeed, cybersecurity was named as the top priority for state chief information officers for the fourth year in a row, according to an industry list. Ultimately, policies are just words on paper — agencies “need to act,” said Lee Tien, senior staff attorney and Adams Chair for internet rights at the Electronic Frontier Foundation, in an email to StateScoop. Having a policy doesn’t mean an agency is being responsible with citizen data, he said. “Does the agency actually have a good IT department that routinely patches and upgrades software and operating systems whenever security weaknesses are discovered?” he said. “Equally important, does the agency allow the IT department to do its job?” [StateScoop]

US – Up to 100,000 Taxpayers Compromised in Fafsa Tool Breach, I.R.S. Says

The Internal Revenue Service said on Thursday that the personal data of as many as 100,000 taxpayers could have been compromised through a scheme in which hackers posed as students using an online tool to apply for financial aid. The agency became concerned last fall when it realized that it was possible for criminals to take advantage of the student loan tool that allows aid applicants to automatically populate the applications with their and their parents’ tax information. The worry was that thieves might use the stolen data to file fraudulent returns and steal refunds, as they did two years ago. “Fortunately we caught this at the front end,” John Koskinen, the I.R.S. commissioner, said Thursday at a Senate Finance Committee hearing. The I.R.S. does not expect the tool to be secure and operational again until October. “Our highest priority is making sure that we protect taxpayers and their identity,” he said. But the breadth of the breach remains unknown, and Mr. Koskinen faced tough questions during the hearing as to why he did not act sooner. [NY Times]

AU – Whistleblowing: Australian Privacy Commissioner Concerned by Possible Forensic Audit of Members of Parliament’s Mobile Phones

The Office of the Privacy Commissioner has prepared a report regarding a forensic audit of mobile phones requested by the Premier of Victoria. Privacy laws may have been contravened by the audit as personal information may have been collected without proper notice to individuals; several requests for information have been sent to the Premier’s office, which has claimed cabinet confidentiality to hide violations of law. [DPA Australia – Forensic Audit of Mobile Telephone Records]

AU – Privacy Concerns Remain Over Sydney’s Public Bus Wi-Fi

Patrons of Sydney’s public transportation have been “actively warned” against the complimentary Catch Wi-Fi-provided internet service, citing privacy concerns, after the controversial program’s 50-bus trial run. “To protect your privacy we recommend against using the Wi-Fi on this bus,” the warning message states. “The terms and conditions state by connecting to it they may collect your ‘name, address, date of birth, location details, drivers licence details, photographs, videos, credit card details, employer and other details’ and sell them to other businesses.” NSW Greens MP and Transport spokeswoman Mehreen Faruqi wondered why the Victorian government could enact a similar program without collecting personal information, and NSW could not. [News.co.au]

US – Organizations Must Monitor and Manage Risks from their Digital Footprint

Much of an organization’s digital footprint is controlled by employees, suppliers, and others who unknowingly expose sensitive information; organizations should understand the cyber threats they face (leverage threat intelligence, profile attackers’ tools/techniques, understand target industries/geographies), monitor for data leakage (sensitive code, private encryption keys, employee credentials, intellectual property, security procedures), and monitor for risks to reputation (phishing, domain infringement, spoofed social media accounts and mobile apps). [Digital Shadows – Digital Risk Management – Identifying and Responding to Risks Beyond the Boundary]


CA – Alberta OIPC Investigates Purposely Deleted Gov’t Emails

Alberta privacy commissioner investigates deleted government emails. Wildrose MLA Don MacIntyre sent the request to the commissioner in November regarding an email from James Allen, who was assistant deputy minister in the department of energy, to Balancing Pool CEO Bruce Roberts, in which Allen writes that the email is “sensitive and transitory” and to “please delete” it. Privacy commissioner Jill Clayton confirmed the investigation in a letter to MacIntyre, writing that it “appears from my review of the complaint that information may have been inappropriately withheld in response to access requests made” to the Balancing Pool. MacIntyre had also asked for a wider investigation into a “culture of secrecy” in the government, but the commissioner declined to take that on, saying she didn’t fully understand the request and wasn’t sure if it was part of her office’s jurisdiction. [Edmonton Sun]

CA – Canada’s Anti-Spam Law Adds Teeth, Leaves Potential Opening for Class Actions

Canada already has one of the world’s strictest regimes regulating commercial electronic messages, and, just in time for the country’s 150th birthday, the consequences for breach are about to get much more severe. On July 1, 2017, this regime will add additional teeth in the form of a private right of action, which could drastically increase the threat of legal proceedings and financial consequences for those who violate it. Until July 1, 2017 the primary concern is that violations of Canada’s Anti-Spam Law (“CASL”) would be prosecuted by the bodies responsible for its enforcement (Canadian Radio-television and Telecommunications Commission (the “CRTC”), the Competition Bureau, and the Office of the Privacy Commissioner). After July 1, 2017 those who send commercial electronic messages also face the risk of class proceedings specifically permitted by CASL. This post considers the following: 1) What is CASL?; 2) What is the private right of action?; 3) Why should companies be concerned with the private right of action? (Broad scope of CASL, Different liability standard, Class action concerns); and 4) What are the limitations? CASL has been in force for nearly three years now, and most organizations should be familiar with the legislation’s requirements. Come July 1, however, the availability of CASL’s private right of action will undoubtedly increase the consequences of violations, making compliance with the legislation essential for anyone engaged in sending CEMs. [Source]

Electronic Records

US – Few Patients Electronically Access Their Health Information When Provided the Option

The Government Accountability Office (“GAO”) has reviewed the state of patients’ electronic access to their health information through the Medicare Electronic Health Record Incentive Program. A majority of hospitals/health care professionals offered patients access to an electronic portal (where information could be viewed, downloaded and transmitted), however, only 15% of hospital patients and 30% of professionals’ patients accessed the portal; lower levels of access were seen in high poverty areas, rural areas, health care groups of less than 50 members, specialty practitioners and older patients, and there was variability in the information made available through the portals (lab test results, current medications, clinical history, radiology results). [GAO – HHS Should Assess the Effectiveness of Efforts to Enhance Patient Access to and Use of Electronic Health Information]

EU Developments

EU – MEPs Vote for Full Review of Privacy Shield

MEPs have voted for a review of the controversial Privacy Shield data transfer agreement between the EU and US, concerned over key areas of weakness. The European Commission will now be forced to investigate whether the agreement offers enough protections to EU citizens in compliance with the EU Charter of Fundamental Rights and forthcoming privacy regulation the GDPR. “This resolution aims to ensure that the Privacy Shield stands the test of time and that it does not suffer from critical weaknesses,” said civil liberties committee chair Claude Moraes. As the resolution outlines, MEPs are concerned about a number of recent developments, not least new rules that since January this year have allowed the NSA to share large amounts of private data – obtained without warrants, court orders or the like – with 16 other agencies including the FBI. [InfoSecurity | EurActiv: MEPs want Commission to toughen up Privacy Shield under Trump | EU Reporter: #PrivacyShield: MEPs alarmed by US developments that undermine privacy safeguards]

US – Europe’s Digital Single Market Strategy Must Accommodate Multiple Online Identities and a Balance of Control Over Personal Data

A high-level group of scientific advisors under the European Commission has provided an opinion on cybersecurity in the European digital single market. Digital transactions should only require a minimum amount of personal data to be divulged, which is relevant and exclusive to the given context, and different levels of security should be required for separate transactions that deal with various sets of data. The General Data Protection Regulation will require organisations to provide more transparency about what happens to personal data online, and will shift control away from private organisations to the data subject (important in the online world where users unwittingly provide their data). [European Commission – Scientific Opinion No. 2 2017 – Cybersecurity in the European Digital Single Market]

EU – EDPS Publishes Toolkit for Privacy-Friendly Policymaking

The EDPS has published a necessity toolkit. The toolkit is designed to help policymakers identify the impact of new laws on the fundamental right to data protection and determine the cases in which the limitation of this right is truly necessary, the EDPS said today. Almost all EU policy proposals now involve some form of personal data processing. With policymakers increasingly required to respond quickly to acute public security challenges and keep up with developments related to the digital economy or international trade, the need for help to ensure that new proposals respect fundamental rights is greater than ever. In this necessity toolkit, the EDPS provides policymakers with a practical step-by-step checklist, setting out the criteria to be considered by policymakers when they assess the necessity of new legislation, and providing examples to illustrate each step. The toolkit is based on decisions issued by the Court of Justice and the European Court of Human Rights, as well as on Opinions published by both the EDPS and the Article 29 Working Party. It also incorporates feedback gathered on an EDPS background paper on the topic, published in June 2016. This feedback was used to develop the toolkit and ensure that it meets the needs of EU policymakers in all sectors, ranging from security to the digital economy. [EDPS]

EU – Article 29 Working Party Supports Proposed Regulation but Says Terminal Equipment is Insufficiently Protected

The Article 29 Data Protection Working Party has issued an opinion on the proposed ePrivacy Regulation. The proposed Regulation incorrectly suggests that valid consent can be given through non-specific browser settings (the end-user must be able to give separate consent per website or app), and there should be mandatory adherence to the Do Not Track standard; the European Commission should promote a technical standard for mobile devices to automatically signal an objection against WiFi tracking. [Article 29 Data Protection Working Party – Opinion 01/2017 on the proposed Regulation for the ePrivacy Regulation (2002/58/EC) – Working Paper 247 | Article 29 Working Party – Opinion 01/2017]

EU – Article 29 WP Issues Final Guidelines on Data Portability

The Article 29 Working Party has issued final guidelines (revised April 5, 2017) on the right to data portability, the new elements of which are analyzed by a law firm. The guidelines were first issued in December 2016. Data processors will have contractual obligations to assist the controller in responding to portability requests; a controller must assess the interplay between any competing rights on a case-by-case basis under sectoral legislation (but such legislation will not automatically displace the GDPR right). “Observed” data remains within the scope of the right (e.g. raw data processed by a smart meter), but “inferred” data does not (e.g. risk profiles for credit scores); “hindrance” to the right is defined to include fees, excessive delays/complexity, or deliberate obfuscation. [Article 29 WP – Guidelines on the Right to Data Portability | https://www.twobirds.com/en/news/articles/2017/global/article-29-working-party-issues-final-guidelines-on-the-right-to-data-portability Bird & Bird]

UK – ICO Recommends That Organizations Implement Appropriate Record Keeping Practices to Prevent Data Breaches

The UK ICO has issued recommendations for safeguarding health information. Health records must be properly secured and tracked to prevent loss or accidental disclosure; examples of recent breaches included health records being stored in a garage, records left behind when a doctor moved to a new home (the doctor had taken files home and not returned them to the office), and records left behind during an office relocation. [ICO UK – Garages New Homes and Old Offices – The Records Management Mistakes That Put Health Records at Risk]

EU – Yahoo/US Gov’t Email Surveillance Bothers WP29 Privacy Chiefs

European Union privacy regulators intend to question U.S. national intelligence officials about the extent to which the government orders online communications companies to cooperate in surveillance, they said April 10. [see here] The EU Article 29 Working Party will send a letter to U.S. Director of National Intelligence (DNI) Dan Coats “asking for additional information regarding the legal basis and justification for any surveillance activities concerning EU data subjects.” The move comes after the EU privacy regulators in October 2016 said they were concerned about the alleged scanning of Yahoo! Inc. customers’ incoming emails at the request of U.S. intelligence agencies. U.S. surveillance of EU citizens has increasingly become an issue with the approach of the EU-U.S. Privacy Shield data transfer program’s first annual review in September. Similar surveillance concerns were raised by an April 6 European Parliament resolution. There are “great concerns” about broadening the authority of the National Security Agency to share data it collects with other law enforcement agencies, the resolution said. EU lawmakers are also “alarmed” about reports of surveillance of emails by an unnamed “US electronic communications service provider,” it said. [Yahoo U.S. Email Surveillance Bothers EU Privacy Chiefs]

EU – WP29 Issues Final Guidelines on Data Protection Officers

At its plenary session on 5 April, the Article 29 Working Party (“WP29”) approved revised guidance interpreting elements of the General Data Protection Regulation (“GDPR”), including on the appointment of data protection officers. The revisions to the draft guidance, which was initially released in December 2016, followed a period of open public consultation that ran through the end of January 2017. You can find our summary of the December 2016 highlights here. Some of the new points raised by the WP29 in its final guidance are as follows: 1) Accountability means that DPO assessments need to be kept up-to-date and can be requested at any time; 2) No “a la carte” DPO appointments; 3) Big data now an example of ‘regular and systematic monitoring’; 4) Preferably, the DPO should be located within the EU; 5) There can only be one DPO, but supported by a team; 6) Duty to ensure the confidentiality of communications between the DPO and employees; 7) Senior managers including Head of HR, Marketing or IT individuals are barred from serving as the DPO; and 8) The GDPR does not prevent the DPO from maintaining records of processing. The revised guidance on portability is available here. For a redline comparison with the earlier draft, click here. [Source]

EU – Proposed e-Privacy Regulation Permits Unacceptable Processing of Personal Data

European Digital Rights has issued comments on the proposed draft regulation concerning privacy in electronic communications. The Regulation permits tracking of communication devices in public spaces (provided there is user notification), on first use of software or smart devices, users would be forced to accept privacy settings that may negate their rights, and declining consent for tracking using device fingerprinting is not addressed (only through third parties); the scope of retention of electronic communications data has increased without sufficient protections to ensure storage is limited to what is strictly necessary, or that only anonymised data is used. [European Digital Rights’ Position on the Proposal of an e-Privacy Regulation]

EU – Commission Requests Standardisation in Data Protection & Security Policy

A journal article provides insight into the role of standardisation as a form of co-regulation in the data protection context. As regulation shifts from the European Commission to co-regulation with industry, the Commission has requested that the EU Standardisation Organisations create standards on how to address/manage privacy by design; standards will also be created on how to realise privacy and personal data protection management processes, including descriptions of necessary roles, tasks, documentation, hardware/software requirements, and templates for applying the standards. [Co-Regulation in EU Personal Data Protection – The Case of Technical Standards and Privacy by Design Standardisation Mandate – Irene Kamara – European Journal of Law and Technology]

EU – H&W’s CIPL Issues Discussion Paper on GDPR Certifications

The Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP has issued a discussion paper on Certifications, Seals and Marks under the GDPR and Their Roles as Accountability Tools and Cross-Border Data Transfer Mechanisms. It sets forth recommendations concerning the implementation of the EU General Data Protection Regulation’s (“GDPR’s”) provisions on the development and use of certification mechanisms. Certifications, seals and marks have the potential to play a significant role in enabling companies to achieve and demonstrate organizational accountability and GDPR compliance for some or all of their services, products or activities. The capability of certifications to provide a comprehensive GDPR compliance structure will be particularly useful for small and medium-sized enterprises. For large and multinational companies, certifications may facilitate business arrangements with business partners and service providers. In addition, certifications, seals and marks can be used as accountable, safe and efficient cross-border data transfer mechanisms under the GDPR. [CIPL Issues Discussion Paper on GDPR Certifications]

Facts & Stats

US – Analysis Finds 1,800 Health Care Breaches Since 2009

An analysis of data from the Department of Health and Human Services found nearly 1,800 large data breaches involving patient information since 2009. Of the breaches, more than 1,200 affected health care providers, while 257 breaches were reported by 216 hospitals, including many large teaching hospitals. Trivalent CTO John Suit said the analysis shows data protection technology has failed to keep up with health care digitization, and traditional encryption is not enough to stop cyber threats. “The result is an extreme risk for patients who put their trust in health care organizations to address their medical concerns, but also protect their sensitive and personal information,” said Suit. “Hospitals, pharmacies, assisted living facilities, insurance providers, and research institutions must strengthen their security strategy and adopt a defense-in-depth approach with multiple layers of protection.” [Health Data Management]


WW – Hackers Release Files Indicating NSA Monitored Global Bank Transfers

Hackers released documents and files on Friday that cybersecurity experts said indicated the U.S. National Security Agency had accessed the SWIFT [Society for Worldwide Interbank Financial Telecommunication – see here] interbank messaging system, allowing it to monitor money flows among some Middle Eastern and Latin American banks. The documents and files were released by a group calling themselves The Shadow Brokers. Also published were many programs for attacking various versions of the Windows operating system, at least some of which still work, researchers said. In a statement to Reuters, Microsoft, maker of Windows, said it had not been warned by any part of the U.S. government that such files existed or had been stolen. The absence of warning is significant because the NSA knew for months about the Shadow Brokers breach, officials previously told Reuters. Under a White House process established by former President Barack Obama’s staff, companies were usually warned about dangerous flaws [Vulnerabilities Equities Process (VEP) – see here & here]. The SWIFT messaging system is used by banks to transfer trillions of dollars each day. Belgium-based SWIFT downplayed the risk of attacks employing the code released by hackers on Friday. Cris Thomas, a prominent security researcher with the cybersecurity firm Tenable, said the documents and files released by the Shadow Brokers show “the NSA has been able to compromise SWIFT banking systems, presumably as a way to monitor, if not disrupt, financial transactions to terrorists groups”. [Reuters]


CA – Two Alta OIPC Reports Highlight Obstacles to Gov’t Oversight & FoI

The Information and Privacy Commissioner tabled two reports in the legislature related to the Commissioner’s functions under the Freedom of Information and Protection of Privacy Act (FOIP Act). Investigation Report F2017-IR-03 concerns allegations of delays and possible interference in the Government of Alberta’s (GoA) handling of access requests. The report identifies a number of factors that contribute to delays, including a significant increase in the number of access requests, the complexity of requests and applicant expectations. However, the investigation faced a number of challenges that made it impossible to make meaningful and reliable findings with respect to other potential issues in the access request response process. “I am deeply disappointed in how this matter has unfolded. What should have been a relatively straightforward investigation has concluded under a shadow that brings the very notion of independent oversight of the executive branch of government into question and has the potential to erode public confidence in an open and accountable government,” said Commissioner Jill Clayton. During the investigation, the question of whether the Commissioner has the power to require public bodies to produce records over which solicitor-client privilege has been claimed made its way through the court system. In November 2016, the Supreme Court of Canada (SCC) decided that the Alberta Legislature did not use the right words in the FOIP Act to give the Commissioner this power. [see here] Following the SCC’s decision, the Commissioner issued a statement saying that she would write to government with options for how to proceed on this issue. 
However, as an independent Officer of the Legislature who reports to the Legislative Assembly and not to government, and whose ability to perform core functions as an Officer of the Legislature has been compromised (as evidenced, in part, by the investigation referenced above), the Commissioner decided to table a Special Report and Request for Legislative Amendment in the legislature on producing records to the Commissioner. [Alberta Information & Privacy Commissioner Press Release | Investigation Report F2017-IR-03: Investigation into allegations of delays and possible interference in responding to access requests | Producing Records to the Commissioner: Restoring Independent and Effective Oversight under the FOIP Act]

CA – OIPC NFLD Recommends That Employees Who Conduct Searches for Records Do Not Determine Whether Records Are Responsive

New OIPC guidance outlines OIPC NL expectations and standards when it receives complaints alleging incomplete responses to requests for records pursuant to the Access to Information and Protection of Privacy Act (the “Act”). An FOI Coordinator is in the best position, as someone more experienced with requests for access to records, to determine whether records are responsive; the Coordinator should establish a written policy or practice as to how a search should be carried out and keep a copy of the instructions sent to employees regarding the search. [OIPC NFLD – Practice Bulletin: Reasonable Search]

CA – Institutions Should Provide Individuals with Information Regarding their Right to Access Records

The Office of the Saskatchewan Information and Privacy Commissioner has issued recommendations to government institutions on how to address access requests made under the Freedom of Information and Protection of Privacy Act or the Local Authority Freedom of Information and Protection of Privacy Act. Individuals do not necessarily know about their right to access records; government institutions and local authorities should provide individuals with information on how to submit a formal access request, the timelines to receive a response, fees associated with the request, the right to appeal to the privacy commissioner and the importance of narrowing the request. [OIPC SK – Assisting the Applicant – Sharon Young]

WW – Microsoft Releases Biannual Transparency Reports

Microsoft released its most recent biannual transparency reports on the Microsoft Transparency Hub. These reports consist of the Law Enforcement Requests Report and the U.S. National Security Orders Report, which cover the period from July to December 2016 and are largely consistent with previous reports, and the Content Removal Requests Report, which details acceptance rates regarding requests to remove content from governments, copyright holders, individuals subject to the European Union’s “Right to Be Forgotten” ruling and victims of non-consensual pornography. It also disclosed a National Security Letter (NSL) received from the Federal Bureau of Investigation (FBI) in 2014, which sought data belonging to a customer of our consumer services. Microsoft is the latest in a series of companies able to disclose an NSL due to provisions in the USA Freedom Act requiring the FBI to review previously issued non-disclosure orders. The NSL was included in the aggregate data of a previous report, but we’re newly able to disclose its content for this reporting period. There are times when secrecy is vital to an investigation, but too often secrecy orders are unnecessarily used, or are needlessly indefinite and prevent us from telling customers of intrusions even after investigations are long over. That’s why we asked a federal court to weigh in on the increasing frequency of these orders. Our hope is this lawsuit will lead to new rules or laws that keep secrecy for times when it is truly essential. [MSFT Blog]

US – Trump’s White House on Defensive Over Transparency

The White House was forced Monday to defend its controversial positions to keep its visitor logs secret and President Donald Trump’s tax returns private. Under fire over the White House’s decision Friday to buck Barack Obama’s precedent by withholding visitor logs, Spicer said the prior administration was the one with a transparency issue. “Frankly, the faux attempt that the Obama administration put out where they would scrub who they didn’t want put out didn’t serve anyone well,” Spicer told reporters Monday. “It’s not really being transparent when you scrub out the names of the people that you don’t want anyone to know were here.” Spicer framed the visitor logs decision as a return to the pre-Obama policy and no different than the protocol for lobbyists and others who visit members of Congress. Spicer said the White House keeps the media abreast of the president’s activities. Reporters travel with Trump on Air Force One, after flying separately during the 2016 campaign. Members of the media also are given brief access to photograph many of Trump’s meetings, and he holds news conferences when major foreign leaders visit. [Politico]


CA – Canada Passes Legislation Protecting Genetic Information

The Canadian Parliament recently passed Bill S-201, the Genetic Non-Discrimination Act, which protects individuals from having to disclose information related to genetic testing and test results. Contravention of the Act is punishable by significant fines and even potential imprisonment. There are express exceptions for health care practitioners who are providing health services to patients and researchers who are collecting information from participants in medical, pharmaceutical or scientific research. Supporters of the new legislation believe that this will remove perceived obstacles to genetic testing such as fear that the results of that testing will be used to discriminate against the patients. Canada’s legislative initiative on genetic testing is similar to the U.S. Genetic Information Nondiscrimination Act. Restrictions on the use of genetic test results have also been adopted in certain European jurisdictions, including France. The Association of British Insurers and government in the U.K. adopted a Concordat and voluntary moratorium limiting the use of genetic testing by insurers. Other countries have yet to address the issue. The evolving global quilt of responses to this issue indicates that a global consensus has yet to emerge. [Data Protection Report]

Health / Medical

CA – Ontario Proposes Prescribed Circumstances Under Which Health Information Custodians Must Notify IPC of Breach

Amendments are proposed to Ontario Regulation 329/04 under the Personal Health Information Protection Act (“PHIPA”). Public comments are due by May 8, 2017. The amendments, effective July 1, 2017, would require a custodian to notify the IPC of a suspected breach, if the breach is part of a pattern, if the custodian has notified a governing College of a breach, or if the breach is “significant” (based on the nature of the PHI, the number of records or individuals, or number of custodians/agents responsible for the breach); a custodian would be required, effective 2019, to annually report the number of breaches it notified to affected individuals in the preceding calendar year. [Proposed Amendments to Ontario Regulation 329/04 Regarding Notices to the Commissioner Under the Personal Health Information Protection Act – Ontario | Press Release | Proposed Amendments]

CA – Sask IPC: Private Health Firms Should Be “Trustees” Under HIPA

Sask. privacy commissioner recommends private health-care providers be governed by health info protections. It took a matter of moments for a ransomware attack to incapacitate the patient database of Saskatoon’s Professional Sport Rehabilitation Corporation (Pro Sport). The ransomware incident in October 2016 affected the Pro Sport database, which contained private information such as patients’ names, addresses, phone numbers, health numbers, details of their injuries and treatment plans. On the day of the incident (October 12), ProSport’s office manager reported the attack to Saskatchewan’s Information and Privacy Commissioner’s Office. On Oct. 26, it filed a formal incident report to the privacy commissioner’s office. In a report (see 10 pg pdf here) following his investigation into the incident, Information and Privacy Commissioner Ronald Kruzeniski recommended that patient information collected by private businesses whose primary purpose is to provide health services should be governed by provincial health information protections. Kruzeniski made the same recommendation previously, in his 2015-2016 annual report (see 19 pg pdf here). Kruzeniski recommended that ProSport only collect Saskatchewan Health numbers from patients for whom the service provided is publicly funded. He also recommended that the business “securely destroy” all health numbers it has on file that are not needed to collect public funding. [Star Phoenix]

WW – Google Study Seeks 10,000 Volunteers to Share Medical Data

Google’s health spinout, Verily, is looking for 10,000 American volunteers to share intimate and sensitive information about their bodies in an attempt to help predict heart disease and cancer. Called the Baseline Project, the multi-year study could cost upwards of $100 million. Volunteers will be asked to submit to an extensive amount of tests and physical monitoring, including a heart monitor to follow pulse and movements in real time. They will also get x-ray and heart scans, genomes deciphered, and blood tests over a four-year period. Sanjiv Sam Gambhir, a physician researcher at Stanford University and Baseline investigator, said, “No one has done this kind of deep dive on so many individuals. This depth has never been attempted. It’s to enable generations to come to mine it, to ask questions, without presupposing what the questions are.” [MIT Technology Review]

US – HIPAA Enforcement Issues Straight from the Regulator

At the March 26-29 Health Care Compliance Association’s annual “Compliance Institute,” [see here] Iliana Peters, HHS Office for Civil Rights’ Senior Advisor for HIPAA Compliance and Enforcement, provided a thorough update of HIPAA enforcement trends as well as a road map to OCR’s current and future endeavors. Ms. Peters identified ten key enforcement issues that OCR continues to encounter through its enforcement of HIPAA. Do any of them look familiar to you? These issues include: 1) Impermissible Disclosures; 2) Lack of Business Associate Agreements; 3) Incomplete or Inaccurate Risk Analysis; 4) Failure to manage identified risks; 5) Lack of transmission security; 6) Lack of Appropriate Auditing; 7) Patching of Software; 8) Insider Threats; 9) Disposal of PHI; and 10) Insufficient Backup and Contingency Planning. OCR also identified upcoming guidance and FAQs. The presentation also identifies two long-term regulatory goals to implement certain provisions of the HITECH Act. One regulation will relate to providing individuals harmed by HIPAA violations with a percentage of any civil monetary penalties or settlements collected by OCR, while the second will implement a HITECH Act provision related to the accounting of disclosures of PHI. The presentation discussed the current status of OCR’s audit program. [Privacy and Security Matters]

US – Dept. of Health and Human Services Establishes Health Cybersecurity and Communications Integration Center

The US Department of Health and Human Services (HHS) is establishing its own version of the Department of Homeland Security’s (DHS’s) National Cybersecurity and Communications Integration Center (NCCIC). The Health Cybersecurity and Communications Integration Center (HCCIC) is expected to be operational by the end of June 2017. HHS has given the National Health Information Sharing and Analysis Center grants to help encourage wide participation and ensure that small health services offices can benefit from the information that is gathered. [HHS to stand up its own version of the NCCIC for health]

US – HHS Imposes $400,000 Fine for Breach of 3,200 Patients’ ePHI

The Department of Health and Human Services, Office for Civil Rights enters into an agreement with Metro Community Provider Network to settle alleged violations of the HIPAA Privacy and Security Rules. [HHS – Resolution Agreement – Metro Community Provider Network]

US – HHS Provides Checklist to Help Organizations Measure Effectiveness of Privacy Programs

The Department of Health and Human Services’ Office of Inspector General has provided guidance to organizations on measuring the effectiveness of privacy and compliance programs. Organizations should ensure standards, policies and procedures are readily available to employees, reviewed by external experts, based on assessed risks, and there is no contradiction/overlap of policies; ensure training requirements for high risk positions are established, a formal process is in place to make staff aware of new laws, regulations, and policies, and review policies/procedures following investigations or raised issues. [HHS – Measuring Compliance Program Effectiveness – A Resource Guide]

Horror Stories

US – Breach Exposes Student Data of 1.3 Million Kids

Earlier this month 1.3 million K-12 students’ personal information was exposed in a data breach of data warehouse platform Schoolzilla. Originally discovered by security researcher Chris Vickery, a “file configuration error” led to the exposure of the student data, including the Social Security numbers of some. Vickery did not produce evidence of the breach because he deleted the database from his own computer. “The sheer volume of private student data, including (test) scores and Social Security numbers for children, convinced me that it should be purged from my storage in an expedited fashion.” Vickery did applaud Schoolzilla’s quick actions to fix the error that led to the breach. [The Daily Dot]

WW – InterContinental Hotels Data Breach Affects Nearly 1,200 Properties

InterContinental Hotels Group now says that the number of properties affected by a payment system breach is close to 1,200, a notable increase from its first estimate of 12. All but one of the affected properties are in the US. The systems were compromised between September 29 and December 29, 2016. [InterContinental Hotel Chain Breach Expands | InterContinental Hotels data breach expands from 12 to 1,200 hotels | Holiday Inn hotels hit by card payment system hack | InterContinental Hotels Group (IHG) Notifies Guests of Payment Card Incident at IHG-Branded Franchise Hotel Locations in the Americas Region]

Identity Issues

IN – Gov’t Site Posts Over a Million Aadhaar Numbers & Details

Digital identities of more than a million citizens have been compromised by a programming error on a website maintained by the Jharkhand Directorate of Social Security. The glitch by the Jharkhand Directorate of Social Security revealed the names, addresses, Aadhaar numbers and bank account details of the beneficiaries of Jharkhand’s old age pension scheme. Jharkhand has over 1.6 million pensioners, 1.4 million of whom have seeded their bank accounts with their Aadhaar numbers to avail of direct bank transfers for their monthly pensions. Their personal details are now freely available to anyone who logs onto the website, a major privacy breach at a time when the Supreme Court, cyber-security experts and opposition politicians have questioned a government policy to make Aadhaar mandatory to get benefits of a variety of government schemes and services. [Details of over a million Aadhaar numbers published on Jharkhand govt website | Aadhaar & Lessons from countries that resisted biometric IDs]

Law Enforcement

US – Fight Continues Over CBP Prohibition On Recording Officers in Public

Government Can’t Shut Down Public Recording That Doesn’t Interfere with Law Enforcement

The US Border Patrol prohibits any recording within 150 feet of their location, which includes the public roadside. A federal district court found that the new rule was a valid time, place, or manner restriction on First Amendment-protected activity [see here]. Cato, with the assistance of the UCLA Law School First Amendment Clinic and noted scholar Eugene Volokh, has filed an amicus brief asking the U.S. Court of Appeals for the Ninth Circuit to reverse that ruling. [CATO At Liberty Blog]


US – Uber Responds to Report That it Tracked Devices After its App Was Deleted

Uber tracked former users even after they deleted the app from their iPhones, a practice that eventually earned CEO Travis Kalanick a scolding from Apple chief executive Tim Cook, the New York Times reports. Uber allegedly used a practice called fingerprinting to track devices after the app was deleted. Uber reportedly began fingerprinting iPhones as a fraud-prevention method in locations like China. Drivers there would register multiple Uber accounts on stolen iPhones and use them to request rides, thereby boosting the number of overall rides, a metric that Uber rewards with bonuses. Apple previously allowed developers to track their users with a Unique Device Identifier, or UDID. This kind of tracking was persistent across installs, but as Apple became more concerned with user privacy, it deprecated UDIDs in 2013. Apple replaced UDIDs with other variants of trackers that are designed to be less intrusive, including vendor IDs and advertising IDs. It’s not clear how Uber fingerprinted the devices in 2015 that led to the meeting between Kalanick and Cook. In order to prevent Apple engineers from discovering the fingerprinting, Uber allegedly geofenced Apple’s Cupertino headquarters to hide the code used in the process. But Apple engineers based in other offices discovered the trick, according to the New York Times [see here] and confirmed by TechCrunch, leading Cook to summon Kalanick to his office in early 2015. An Uber spokesperson said: “We absolutely do not track individual users or their location if they’ve deleted the app. As the New York Times story notes towards the very end, this is a typical way to prevent fraudsters from loading Uber onto a stolen phone, putting in a stolen credit card, taking an expensive ride and then wiping the phone—over and over again. Similar techniques are also used for detecting and blocking suspicious logins to protect our users’ accounts. Being able to recognize known bad actors when they try to get back onto our network is an important security measure for both Uber and our users.” [TechCrunch]

Online Privacy

US – FTC Issues Recommendations on How to Assist Victims of Phishing Scams

The FTC has issued recommendations to prevent phishing scams. Organizations may support their customers by notifying them as soon as possible via social media sites, email or letter, including a warning to ignore suspicious emails or text messages and a reminder that sensitive personal information is never required by the company through insecure channels; other steps organizations may take include contacting law enforcement (FBI’s Internet Crime Complaint Center) and providing resources to affected customers (direct them to www.IdentityTheft.gov). [FTC – Has a Phishing Scam Hooked Your Company’s Good Name?]

US – Identity Theft: Services Are Limited at Detecting All Types of Fraud: GAO

The Government Accountability Office was asked to examine the marketplace for identity theft services:

  • the potential benefits and limitations of ID theft services available to consumers;
  • marketing, billing, and security issues associated with these services; and
  • factors that affect government and private-sector decision making about offering ID theft services.

Credit monitoring does not detect existing account fraud, and the effectiveness of ID monitoring is unclear (some types of fraud are not monitored, such as debit/check card fraud, tax refund fraud and medical ID theft); ID theft services typically process a broad range of sensitive PI (putting customers at risk in the event of a cyberattack), and some providers’ websites appear misleading or vague (e.g. incorrectly implying that credit monitoring prevents, rather than just detects, ID theft). [Government Accountability Office – Identity Theft Services]

WW – Google May Unveil Ad-Blocking Tool in Chrome

Google is mulling plans to roll out an ad-blocking feature in its Chrome browser, though it may decide not to move forward if certain details are not ironed out. The feature “could be switched on by default” and would filter out “certain online ad types deemed to provide bad experience for users as they move around the web.” An official announcement of the tool is expected within weeks. One possible application being considered would “block all advertising that appears on sites with offending ads, instead of the individual offending ads themselves. In other words, site owners may be required to ensure all of their ads meet the standards, or could see all advertising across their sites blocked in Chrome,” the report states. [The Wall Street Journal | Google Working on an Ad Blocker for Chrome | Report: Google will add an ad blocker to all version of Chrome web browser | Chrome: Is ad giant Google about to roll out in its own ad blocker? | Coalition for Better Ads Releases Initial Better Ads Standards for Desktop and Mobile Web in North America and Europe]

Other Jurisdictions

US – Google Must Give Gov’t Overseas Data, Judge Says

On April 19, San Francisco US magistrate judge Laurel Beeler ruled that Google Inc. can’t quash a search warrant requesting certain user content stored overseas, holding that the tech giant must produce all responsive information that is retrievable from the United States, regardless of where it is stored, and finding that the disclosure of information from the company’s headquarters in the United States is a domestic application of the Stored Communications Act [see 9 pg pdf here]. The dispute stems from a June search warrant requesting data from specific Google email accounts, including subscriber information, evidence of specified crimes and information about the account holders’ true identities, locations and assets, according to the opinion. The tech giant asked to quash the search warrant in December, contending that the government can’t force it to turn over the extraterritorial content. Google cited the Second Circuit’s July decision [see 63 pg pdf here] in a similar case involving Microsoft, which held that the SCA didn’t apply outside the United States and the company needn’t disclose user content housed on a server in Ireland. In that matter, the government sought rehearing en banc, which the Second Circuit denied in a 4-4 decision [see 60 pg pdf here]. However, Judge Beeler said Wednesday that she found the dissenters’ reasoning persuasive, holding the statute’s application here is lawful. [Source]

US – Department of Education Site Accidentally Publishes Student, Parent Data

The Victorian Department of Education has announced that it has accidentally published on its website the information of up to 115 families who submitted comments on proposed regulations for state schools. Data that was up for part of the past weekend included information on a domestic violence case and student absence due to self-harm, the report states. While the DoE said it was “very sorry” about the incident, it didn’t elaborate on its cause and said it was conducting an independent investigation to discover how it happened. “The department took immediate action to take the submissions down as soon as the breach was discovered,” a spokesperson said. “We understand the seriousness of this incident, and we are contacting those affected to apologise directly.” [ZDNet]

Privacy (US)

US – FTC Continues to Scrutinize Mobile Apps and Security Practices

The FTC has highlighted its 2016 enforcement efforts. Highlights include:

During 2016, the FTC investigated issues related to marketing (bypassing user permissions and illegal robocalls), consumer tracking (of children in violation of COPPA and of individuals who opted out) and security (failure to prevent unauthorized access to personal information); companies deceived consumers with false claims about their products/services, undisclosed/inflated debt fees, and used consumer information inappropriately (to take money from bank accounts, public disclosure of sensitive medical information). [FTC Annual Highlights 2016 – Enforcement]

US – FTC Seeks Comment on Proposed Changes to TRUSTe’s COPPA Safe Harbor Program

In a press release, the Federal Trade Commission announced it is seeking comment on proposed changes to TRUSTe’s COPPA safe harbor program. The FTC said it will publish a notice in the Federal Register shortly seeking input, including “the addition of a new requirement that participants conduct an annual internal assessment of third-parties’ collection of personal information from children on their websites or online services.” Specific questions the FTC is seeking comment on also include “whether the mechanisms used to assess compliance with the proposed modified program requirements are effective.” The comment period will be open until May 24. [FTC.gov]

US – FTC Seeks Comment on Proposed Changes to TRUSTe’s COPPA Safe Harbor Program

The Federal Trade Commission is seeking comment on proposed changes to TRUSTe’s safe harbor program under the agency’s Children’s Online Privacy Protection Rule. The FTC’s COPPA Rule includes a “safe harbor” provision designed to encourage increased industry self-regulation in this area. Under this provision, industry groups and others may ask the Commission to approve self-regulatory guidelines that implement the protections of the Rule. Companies that comply with the FTC-approved guidelines receive safe harbor from agency enforcement action under the Rule. In a Federal Register notice to be published shortly, the FTC is seeking comment on proposed changes to TRUSTe’s existing safe harbor program including the addition of a new requirement that participants conduct an annual internal assessment of third-parties’ collection of personal information from children on their websites or online services. Among the questions the Commission is seeking comment on is whether the mechanisms used to assess compliance with the proposed modified program requirements are effective. The comment period will last for 30 days until May 24. [FTC]

US – EFF Releases Report on Tech Companies and Data Collection in Schools

The Electronic Frontier Foundation has released a new report on the education technology industry and its student data collection practices. The report, “Spying on Students: School-Issued Devices and Student Privacy,” argues that state and federal laws as well as industry self-regulation “has failed to keep up with a growing” industry. “At the same time,” the EFF blog post states, “schools are eager to incorporate technology in the classroom to engage students and assist teachers, but may unwittingly help tech companies surveil and track students. Ultimately, students and their data are caught in the middle without sufficient privacy protections.” The report surveyed more than 1,000 stakeholders in the U.S. and reviewed 152 education technology policies over the course of the last year. The EFF’s Amul Kalia said, “In this whitepaper, we lay out specific strategies” for parents, teachers, and other stakeholders so they can “push their schools and districts in the right direction.” [EFF.org]

US – School Districts Should Implement Acceptable Use Policy for All Online Activity

The National School Board Association (NSBA) has issued a legal and policy guide for school boards on data security. An acceptable use policy should govern all online activity, both internal and on the Internet, for both staff and students, to protect the school from legal ramifications from education apps that use lengthy terms and conditions written in legalese; school districts should consider incorporating school security policies into staff job descriptions, assign specific individuals to monitor compliance, train staff on common risks and errors that lead to breaches, and use encryption for sensitive data or files transmitted by unsecured email. [Data Security for Schools – A Legal and Policy Guide for School Boards – National School Board Association]


WW – Global Survey: 64% Of Security Pros Can’t Stop a Mobile Data Breach

64% of security professionals doubt their organizations can prevent a breach to employees’ mobile devices, a recent Dimensional Research survey of 410 security leaders found. The survey, sponsored by Check Point Software, describes its methodology as follows: “Security professionals worldwide from an independent global database were invited to participate in a survey on the topic of mobile device security. A total of 410 participants who have security leadership or frontline responsibilities completed the global survey. Participants represented each of the five continents with the full spectrum of job responsibilities and company sizes. The survey was administered electronically and participants were offered a token compensation for their participation.” [See pg 9 here] It found that 20% of businesses have experienced a mobile breach, and another 24% don’t know, or can’t tell, whether they’ve experienced one. Strikingly, 51% of respondents believe the risk of mobile data loss is equal to or greater than that for PCs. More than a third of companies fail to secure mobile devices adequately, with only 38% leveraging a dedicated mobile security solution. When asked why, 53% of respondents cited a lack of budget, and 41% cited a shortage of resources. 94% of respondents expect the frequency of mobile attacks to increase, and 79% expect the difficulty of securing mobile devices to grow. Separately, a CITO Research survey of more than 100 mobility professionals found that 57% of respondents are concerned about corporate data on personal and other non-managed devices. That’s an increase of 13% over a similar survey in 2016. [eSecurity Planet]

WW – Report Shows Hacking, Phishing, Malware Top Cause of Data Incidents

BakerHostetler has released its 2017 Data Security Incident Response Report highlighting the need for business leaders to understand and be prepared for the risks associated with cyberthreats. Analyzing more than 450 cyber incidents that the firm’s privacy and data protection team handled last year, the report found phishing, hacking or malware cause the majority of incidents at 43%, a 12% jump from last year. Human error came in second at 32%. The report also offers information on typical ransomware attack scenarios, the average incident response timeline for events, the value of a good forensics investigation, and the frequency with which events caused an investigation by regulators and lawsuits. [Report]


WW – Popular Bose Headphones Spy on Users, Lawsuit Says

The audio maker Bose, whose wireless headphones sell for up to $350, uses an app to collect the listening habits of its customers and provide that information to third parties—all without the knowledge and permission of the users, according to a lawsuit filed in Chicago on Tuesday. The complaint accuses Boston-based Bose of violating the WireTap Act and a variety of state privacy laws, adding that a person’s audio history can include a window into a person’s life and views. In addition to the QuietComfort 35 headphones, the other Bose products cited in the complaint are the SoundSport Wireless, Sound Sport Pulse Wireless, QuietControl 30, SoundLink Around-Ear Wireless Headphones II, and SoundLink Color II. If the allegations are true, the Bose case is just the latest privacy incident involving the so-called “Internet of things” in which more companies and devices that are connected to the web can’t resist the temptation of harvesting the consumer data they throw off. [Fortune]

CA – Winnipeg Police Using Technology to Intercept Cellphone Communications

In a statement, the Winnipeg Police Service said it “can confirm that it possesses a cell site simulator (CSS).” “It is only deployed under judicial authorization, or in exigent circumstances. We are concerned that providing too much information about investigative techniques could jeopardize active investigations and threaten public and officer safety. As such, we will not be providing the number of CSS technicians employed by the WPS, nor the number of investigations conducted using this device in 2015 and 2016.” A police spokeswoman admitted one of the main criticisms of CSS devices is about loss of privacy to third-party individuals. “The Winnipeg Police Service respects the privacy of innocent bystanders. The collected data does not include phone numbers or any other personal identifying information or data. The collected data relating to third parties is preserved and not accessed by anyone other than the CSS technicians, until ordered otherwise by an appropriate court,” she said. But lawyer Scott Newman, a spokesman for the Criminal Defence Lawyers Association, said he’s still concerned about the use of the technology by police. “It’s all well and good for police to say ‘trust us, we are protecting your privacy’, but without having seen the guidelines, we don’t know if the technology is being used appropriately.” [Winnipeg Free Press] See also: [CBC News: Cellphone surveillance technology being used by local police across Canada | Toronto Star: Regulate use of surveillance devices by police forces: Editorial | CBC News: RCMP reveals use of secretive cellphone surveillance technology for the first time | Toronto Star: RCMP acknowledges using phone trackers to collect Canadians’ cellular details | Globe & Mail: RCMP reveals its use of cellphone-tracking machines | OpenMedia: After years of secrecy, RCMP finally admits to using mass cell phone surveillance tools on Canadians | CBC News: RCMP, CSIS launch investigations into phone spying on Parliament Hill after CBC story | CBC News: Someone is spying on cellphones in the nation’s capital]

US – NSA/FBI FISA FAQ: We’re Spying On You for Your Own Protection

A new factsheet by the NSA and FBI [The FISA Amendments Act: Q&A – 10 pg pdf see here] has laid bare contradictions in how US intelligence agencies choose to interpret a law designed to prevent spying on American citizens, but which they use to achieve exactly that end. The document even claims that it is surveilling US citizens for their own protection while at the same time claiming that it is not doing so. The obvious and painful contradictions are testament to the very reason why the factsheet had to be prepared in the first place: Congress is threatening not to renew the legislation due to the intelligence agencies’ willful misrepresentation of the law to perform the very activities it was designed to prevent. There is of course one positive to the “factsheet” on Section 702: thanks to information in the public domain and Congressional hearings, the intelligence agencies have been forced to flag their own contradictions in how they chose to interpret the law. If Congress does its job properly, those contradictions will be removed and future-proofed before the intelligence agencies get their right to spy on US communications returned to them. [The Register]

US – Report: Tech Companies Are Spying on Children Through Devices and Software Used in Classroom

Technology companies are spying on school kids through devices and software used in classrooms. Those companies often collect and store children’s names, birth dates, browsing histories, location data and much more — often without adequate privacy protections or the awareness and consent of parents, according to a new report [Spying on Students: School-Issued Devices and Student Privacy] from the nonprofit Electronic Frontier Foundation (EFF). One-third of all K–12 students in the United States use school-issued devices running software and apps that collect far more information on kids than is necessary. Resource-poor school districts can receive these tools at deeply discounted prices or for free, as tech companies seek a slice of the $8 billion ed tech industry. But there’s a real, devastating cost — the tracking, cataloguing and exploitation of data about children as young as 5 years old. “Parents, teachers, and other stakeholders feel helpless in dealing with student privacy issues in their community. In some cases students are required to use the tools and can’t opt out, but they and their families are given little to no information about if or how their kids’ data is being protected and collected,” said EFF in a statement. [The Journal]

US Government Programs

US – Trump Fast Tracks Facial Recognition in US Airports

The United States is fast-tracking a facial recognition system in U.S. airports. Called Biometric Exit, the system applies facial matching to individuals leaving the country to identify whether a traveler entered the U.S. legally. Passengers would submit to a photo prior to boarding a plane; that photo would then be matched with passport-style photos in visa applications. If there’s no match, the report states, it could be evidence the traveller entered the country illegally. Biometric Exit has been under development for some time and has been tested on a flight from Atlanta to Tokyo, but, according to the report, the Trump administration has expedited implementation of the system, and it is expected to be used in other U.S. airports this summer, with the intention of rolling it out to every international flight and border crossing in the U.S. Larry Panetta, of the U.S. Customs and Border Protection, said, “Facial recognition is the path forward we’re working on.” [The Verge]

US Legislation

US – Bi-Partisan Federal Bill Provides Greater Privacy Protection for U.S. Citizens’ Digital Data at the Border

Senate Bill 823, the Protecting Data at the Border Act, has been introduced. Border guards would generally be required to obtain a probable cause warrant to gain access to the digital contents of a citizen’s equipment or account; exceptions to the warrant requirement include government authority under FISA, emergency situations, protection of public health and safety and a citizen’s express consent. The bill imposes detailed audit and reporting requirements related to such searches on the Department of Homeland Security, which it must make publicly available and submit to Congress. [Senate Bill 823 – Protecting Data at the Border Act – 115th Congress | The Register]

US – CA Assemblyman Pulls Controversial Bill from Privacy Committee Hearing

California Assemblyman Jim Cooper (D-Elk Grove) has withdrawn AB-165 — a controversial bill that would have provided a student exclusion to the existing California Electronic Communications Privacy Act (CalECPA) — from a Privacy Committee hearing scheduled for Tuesday, April 18. The bill would have allowed a local educational agency, or any individual acting on behalf of a local educational agency, to search an electronic device or online account of a student, parent, teacher or school staff member without complying with CalECPA rules. The bill faced massive opposition from civil rights and other groups. A coalition of more than 55 organizations, including the American Civil Liberties Union and Common Sense Kids Action, voiced their opposition to the bill and fueled an online campaign to tell legislators not to support the bill. [The Journal]

US – Federal Bill Amends FERPA to Regulate Access to Student Data Held by Outside Parties

Senators Edward Markey and Orrin Hatch introduced Senate Bill 877, the Protecting Student Privacy Act of 2017, amending the Family Education Rights and Privacy Act. The bill was previously introduced as the Protecting Student Privacy Act of 2015 and has been referred to the Committee on Health, Education, Labor and Pensions. If passed, outside parties (a person who is not an employee, officer or volunteer of an educational institution or government agency) must maintain educational records in a manner that provides parents with the right to access personal information, and a process to challenge, correct or delete inappropriate data held in an education record; institutions and agencies must require each outside party to whom data is disclosed to have in place information security policies and procedures that include a comprehensive security program to protect personal data. [Senate Bill 877 – Protecting Student Privacy Act of 2017 – 115th Congress – In The Senate of the United States]

US – Utah Act Mandates Privacy Training for School Employees Handling Student Records

Senate Bill 102, an amendment to the Utah Student Privacy Act, has been passed into law. Authorized school employees must attest to having completed the privacy training and submit such certification to the School Board; unauthorized school employees may handle student records if consent is obtained or if authorized by federal and state privacy laws. [S.B. 102 – Amending the Utah Student Privacy Act – General Session 2017 – State of Utah Legislature]

US – California Bill Prohibits Disclosure of Criminal History on Job Application Forms

AB 1008, An Act to add Section 12952 to the Government Code, relating to Employment Discrimination, has been introduced in the California Assembly and been referred to the Committee on Labor and Education. It would be unlawful to include any question seeking disclosure of criminal history on job applications, inquire into/consider conviction history before an individual receives a conditional offer, or consider arrests not followed by conviction; denial of employment based on a prior conviction requires an individualized assessment of the nature/gravity of the offense, the time passed since the offense, and the nature of the job, and notification to the applicant, with examples of mitigation/rehabilitation evidence voluntarily provided by the job applicant. [AB 1008 – An Act to Amend section 12952 to the Government Code Relating to Employment Discrimination – State of California]

US – Maryland Legislation Would See Task Force Study Police Use of Facial Recognition

A bill [HB 1065] passed in the Maryland House of Delegates and currently under consideration by a Senate committee would see a task force formed to study police use of surveillance technologies, such as facial recognition software. Under the proposed legislation, law enforcement departments would have to disclose to the task force surveillance technologies that they are using and the task force would ascertain which technologies are constitutional. Delegate Charles Sydnor, D-Baltimore, said, “It seems as if we are moving toward a surveillance state with the type of surveillance used by law enforcement.” The ACLU of Maryland said that the task force would help to ensure that Fourth Amendment protections are not violated by police use of new surveillance technologies. Sydnor said that he is unsure whether the Senate committee would pass the bill, but plans to reintroduce it for the next General Assembly if the committee rejects it. Sydnor decided to back the bill in response to reports that Baltimore Police were using an aerial surveillance aircraft without first alerting city officials. [Biometric Update | Legislation creates task force to study surveillance tactics]

US – 10 States Take Internet Privacy Matters into Their Own Hands

Just days after President Donald Trump signed legislation into law allowing Internet service providers (ISPs) to sell the personal data of customers, several states moved ahead with legislation to protect the data of their constituents, including: 1) Connecticut, 2) Illinois, 3) Kansas, 4) Maryland, 5) Massachusetts, 6) Minnesota, 7) Montana, 9) Washington and 10) Wisconsin. [GovTech]

Workplace Privacy

WW – Insider Threats: 2/3 of Employees Have Access to Corporate Data After They Leave

This December 2016 study surveyed 187 IT and/or HR decision makers and influencers in organizations, primarily in North America, on the issue of employees taking data with them when they leave; it was sponsored by Archive360, Druva, Intralinks, OpenText, Sonian, Spanning by Dell EMC, ThinkHR, and VMware. 1 in 5 of those employees uploaded the data specifically for sharing it outside of the company; 1/4 of companies never require departing employees to sign a document indicating they returned all corporate data assets. Best practices include physical activities (obtain custody of all company-supplied equipment and security cards), account activities (disable access to user account/company network), archiving (be able to rapidly restore deleted/corrupted files), and management activities (create a positive work environment to reduce potential for malicious theft). [Best Practices for Protecting Your Data When Employees Leave Your Company – White Paper – Osterman]

US – Dell End-User Security Survey Highlights Security Concern vs. Productivity

Having to choose between data security and productivity, employees are more apt to go for the latter, according to the Dell End-User Security Survey 2017 released today [see here]. The recent Dell survey solicited responses from about 2,600 business professionals who handle confidential data at companies with more than 250 employees. The global survey was conducted in eight countries including Australia, Canada, France, Germany, India, Japan, the U.K. and the U.S. About two in three employees, or 65 percent, noted that they felt it is their responsibility to protect confidential data, including educating themselves on the possible risks and behaving in a way that protects the company. However, only 36 percent of employees feel confident in their knowledge of how to protect sensitive information. At the same time, about two-thirds of employees reported being required to complete cybersecurity training on protecting sensitive data. 76% of survey respondents said their company prioritizes security at the expense of employee productivity. At the same time about the same number of survey takers admitted that they would share sensitive, confidential or regulated company information under certain circumstances. [Source]

US – Case Illustrates Problems of BYOD & Commingled Work/Personal Info

Technology in the workplace has developed to a point where we now have our personal data and our employer’s data commingled on the same devices. This commingling of data and equipment is usually not a problem until an employee leaves their position and the employer must decipher what equipment and data the employee has a right to take with them. It is becoming increasingly clear that employee training, including discussions of acceptable uses of employer equipment and data, is the best way to avoid conflicts when an employee departs. One case in particular that demonstrates the confusion that may arise when an employee commingles work and personal data with work and personal equipment, Mendez v. Piper (unpublished), was decided April 12, 2017 by the California Court of Appeals. This is not the first time we have seen disputes arise over data when an employee is terminated. For example, we have seen disputes involving account passwords where, after being terminated, the sole person that has possession of important workplace passwords demands money to provide the passwords to his former employer. These situations are avoidable if employees and employers take the time before the stress of an employee’s departure to determine how personal and business data and equipment should be treated. Further, these issues could be addressed during quarterly meetings employers should have with employees to address data and privacy issues in the workplace. [Privacy Risk Report]

