20 May – 09 June 2017


US – Washington Becomes the Third State with a Biometric Law

On May 16, 2017, Governor Jay Inslee signed into law H.B. 1493, Washington’s first statute governing how individuals and non-government entities collect, use, and retain “biometric identifiers,” as defined in the statute. The law prohibits any “person” from “enrolling a biometric identifier in a database for a commercial purpose, without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose.” It also restricts the sale, lease, and other disclosure of enrolled biometric identifiers. With the new law, Washington becomes only the third state, after Illinois and Texas, to regulate business activities involving biometric information. Legislatures in other states, including Alaska, California, Massachusetts, and New Hampshire, are considering similar bills. The Washington law defines the content and activity it regulates in different terms from the Illinois and Texas statutes, and, like Texas but unlike Illinois, it does not provide a private right of action. On the same day that Governor Inslee signed H.B. 1493, he also signed H.B. 1717, which covers government agencies. Both laws go into effect on July 23, 2017. [Washington Becomes the Third State with a Biometric Law]

US – JetBlue Will Test Facial Recognition for Boarding

The airline will test facial-recognition check-in next month for flights from Boston to Aruba, the latest attempt by the industry to streamline boarding. Passengers will step up to a camera, and the kiosk will compare the facial scan to passport photos in the U.S. customs database to confirm the match. (You still have to bring your passport.) A screen above the camera will let passengers know when they’re cleared to board. JetBlue is collaborating on the technology with SITA, a tech company that specializes in air travel, including products like robotic check-in kiosks that autonomously rove around airports, sensing where they are needed. JetBlue says it will be the first airline to use facial recognition for boarding. The airline says it won’t have access to the photos – only SITA will. SITA said it will not store the photos. Delta Air Lines plans to test face-scanning technology with four kiosks at Minneapolis-St. Paul this summer for passengers to check their own luggage. [CNN Tech] See also: [Face it, this new Blippar mobile app may creepily destroy your privacy] and [UK police arrest man via automatic face recognition tech]


CA – Canada’s Privacy Czar Raises Flag Over Planned U.S. Border Password Searches

Canadian privacy could be imperilled by apparent U.S. plans to demand cellphone and social media passwords from foreign visitors, a federal watchdog says. In a letter [see here] to the House of Commons public safety committee, privacy commissioner Daniel Therrien warns the recent pronouncements from the Trump administration could mean intrusive searches — even at preclearance facilities in Canada. The Commons public safety committee is studying legislation [Bill C-23 see here] that would expand preclearance operations. Under the bill, U.S. searches at preclearance facilities would be governed by Canadian law, including the Charter of Rights and Freedoms. But Therrien says those protections appear to be hollow because they could not be enforced in court due to immunity provisions that significantly limit access to civil remedies for the actions of U.S. border officers carrying out preclearance duties. The Liberal government says the preclearance arrangements would strengthen security and prosperity while ensuring respect for the sovereignty of both countries. [Globe & Mail]

CA – CSIS Kept ‘All’ Metadata on Third Parties for a Decade: Top Secret Memo

When CSIS intercepted the communications of innocent people between 2006 and 2016, “all” the metadata related to those communications was retained in a controversial database, a top secret memo obtained by the Star suggests. The document relates to CSIS’s Operational Data Analysis Centre (ODAC) and a now-discontinued program that stored data intercepted from the service’s targets, and from people who were in contact with them at the time. The Federal Court ruled in 2016 that it was illegal for the service to indefinitely keep data on people who posed no threat to Canada’s national security for future analysis. While the basics of the program were revealed in heavily censored court documents, the scale of the program is not widely understood. CSIS told parliamentarians earlier this year that it didn’t know how many Canadians were caught up in the ODAC. But in an October 2016 memo to Public Safety Minister Ralph Goodale, outgoing Canadian Security Intelligence Service director Michel Coulombe suggested the court’s ruling would have a significant impact. In a statement Thursday evening, CSIS spokesperson Tahera Mufti reiterated that all the ODAC data was collected legally via court warrants over the years. The Federal Court did not rule that the collection of third-party metadata was illegal, only its indefinite retention. Mufti also confirmed a new six-month period for assessing whether metadata is relevant to a CSIS investigation. “CSIS has implemented new retention practices for information, including associated data (metadata), collected via warrant that are in compliance with (Noël’s) decision, which will allow ODAC to recommence its analysis of newly acquired associated data,” Mufti wrote. “ODAC historical metadata holdings remain fenced off, and unavailable for use, until a final decision regarding their disposition is made.” [Toronto Star: Top secret memo suggests large scale for CSIS metadata program, Federal Court ruled keeping the data was illegal in 2016]

CA – Report on C-51 Public Consultations, Most Disapprove

Last fall, the government asked Canadians to weigh in on the future of the country’s national security legislation. The government received 58,933 responses through an online questionnaire, and another 17,862 via email — in addition to feedback from cross-country meetings with constituents, academics and expert groups. On May 19, a report summarizing the results of the consultation was released, with one topic in particular drawing considerable attention: what sort of powers should law enforcement and intelligence agencies have when investigating crimes in the digital world? “Most participants in these Consultations have opted to err on the side of protecting individual rights and freedoms rather than granting additional powers to national security agencies and law enforcement, even with enhanced transparency and independent oversight,” the report reads. “The thrust of the report suggests that there’s significant appetite for reform,” said Craig Forcese, a law professor at the University of Ottawa who has written extensively on Bill C-51 — in particular, “a significant appetite for limiting state power in terms of the sorts of powers that security services have.” [CBC News: Canadians ‘reluctant’ to accept new police powers, prefer privacy online, government finds]

CA – Goodale Calls C-22 ‘Major Piece’ of National Security Agenda

Canada’s Public Safety Minister Ralph Goodale signalled that he is hoping to bring in further national security legislation as he looks to the Senate to pass the Liberals’ first “major piece” of the government’s public safety and security agenda, Bill C-22 [see here]. The legislation would establish the new joint National Security and Intelligence Committee of Parliamentarians, the first of its kind in Canada. It sets out the committee’s scope and mandate, outlines its legal rights and restrictions, and establishes a secretariat for the committee. The committee’s mandate is to review, monitor, and scrutinize the work of the country’s most secret intelligence agencies, including CSIS, the RCMP, the CSE, and the CBSA. As drafted, the committee would be under the purview of the Government House Leader’s Office, but the secretariat would be established through the Privy Council Office and the committee would report to Prime Minister Justin Trudeau (Papineau, Que.). Mr. Trudeau appointed five-term Liberal MP David McGuinty (Ottawa South, Ont.) last January to chair the committee. Other members of the committee have not yet been chosen. [The Hill Times: Goodale calls C-22 ‘major piece’ of feds’ national security agenda, says amendments to Conservatives’ Anti-Terrorism Bill C-51 coming soon]

CA – Journalist Shield Law Could Soon Become Reality in Canada

The federal Liberal government is prepared to throw its support behind proposed legislation to protect the identity of journalists’ confidential sources. The government is expected to announce it will back a Conservative senator’s privately sponsored bill that would, for the first time in Canada, provide statutory protection for the identity of journalists’ sources. The bill would make it harder for police and other law enforcement or security agencies to spy on journalists’ communications or to seize documents that could reveal their sources. It would also make it harder for police to use whatever information is seized or captured by warranted surveillance. The Journalistic Sources Protection Act, S-231, was introduced by Sen. Claude Carignan in November after revelations that Montreal police spied on the communications of 10 journalists in Quebec in recent years, a scandal that has prompted a public inquiry in the province. In a major move that could see a new law adopted within a few months, the Liberals will propose a handful of technical amendments to address “legal and policy concerns” with the bill as drafted, changes that a senior government official characterized as “reasonable” and that Carignan said he supports. [The Star]

CA – Federal Housing Agency Boosting Its Ability to Detect Mortgage Fraud

The head of Canada Mortgage and Housing Corp. says it is beefing up its ability to detect mortgage fraud after being directed to do so by the federal government. CMHC president and CEO Evan Siddall says there is no evidence of a widespread mortgage fraud problem. But Siddall says there are incentives to commit fraud in the system and therefore the agency needs to be vigilant. Siddall says CMHC is looking at ways it can use data analytics to spot patterns that could be indicative of fraud networks or fraud rings. [Toronto Star]

CA – OIPC QC Rules Individuals Cannot Be Barred from Requesting Access to Information by Telephone

The Commission d’Accès à l’Information du Québec investigated a complaint against the Surete du Quebec alleging non-compliance with the Act on Access to Documents of Public Bodies and Protection of Information. The complaint was that the police headquarters’ telephone system barred callers from requesting access to the information it holds. The institution does respond to written requests from individuals within the legislated timeframe; however, it had to modify its telephone message to ensure that individuals can also request access orally, either by speaking with an employee or by leaving a message after hours. [CAI QC – Decision 1011205 – Surete du Quebec]

CA – OIPC ON Issues Compliance Guidelines for Security, Breach Protocols, and Electronic Health Records

The Information and Privacy Commissioner in Ontario provided an update on the latest developments in healthcare and guidance on protection of personal health information, pursuant to the Personal Health Information Protection Act. Healthcare custodians should ensure the following – a written policy for sending and receiving emails, encryption of emails containing PHI (unless it is an urgent situation), restrictions on access to servers and portable devices, appropriate access controls (including staff training on access to PHI), and appropriate discipline for unauthorized access. PHI can be collected from the provincial EHR only to assist in healthcare provision, or eliminate significant risk of serious harm, and the IPC and affected individuals must be notified of theft, loss or unauthorised access to PHI. [IPC ON – Latest Developments in Protecting Personal Health Information]

CA – OIPC ON Issues Best Practices on Adequate Search

This IPC guidance examines the components of a reasonable search. Document the details of the search; ensure a full understanding of the request (contact the requester if necessary), consider the search methods (e.g. who conducted the search, who was consulted, what types of files were considered, and were any areas left out), consider destruction of records (if possible, provide details of record retention policies and schedules), and consider records outside the organization’s custody (who has them and why). [IPC ON – Reasonable Search Press Release | Guidance]

CA – OIPC AB ‘Fearful’ NDP Won’t Fix Flawed Freedom of Information Law

More than a month after the release of a report [see 55 Pg pdf here] raising alarm over government secrecy, information and privacy commissioner Jill Clayton is disappointed and frustrated with the lack of action by the NDP to ensure Albertans have proper access to government information. In a separate report [see 11 Pg pdf here], Clayton has called on the NDP government to amend the legislation to restore to her office a power that had long been recognized by the province until recent years, but the province has given no signal on how it will proceed. “I am fearful that nothing’s going to happen,” Clayton said in a recent interview. “It’s impossible to imagine how citizens can hold a government to account, how they can engage fully in a democracy, if they’re not able to get information, and a big piece of that is to have independent, objective and effective oversight.” The most recent issues raised by Clayton follow reports [see here] she issued in February warning of “unacceptable” delays in processing information requests and a “lack of respect” for access to information among some senior officials within the civil service. [Calgary Herald]

CA – CRA Employee Fired After Agency’s Biggest Privacy Breach

Eight CRA staffers were fired during the fiscal year that ended March 31 for improperly accessing taxpayer data. Now comes news that another person was fired just before that for committing the biggest privacy breach in the department’s history. Sometime before March 23, 2016, the unnamed employee improperly accessed the accounts of 38 taxpayers in detail, and briefly accessed another 1,264 accounts using a search function to find surnames and postal codes. A CRA spokesman said no taxpayer data was changed, and stressed that the 1,264 briefly accessed files were viewed for approximately two seconds per account. So this is the time for another reminder that the federal privacy commissioner’s office has issued guidance on ways to cut down on employee snooping. Suggestion number one is to foster a culture of privacy. [IT World Canada | Tax worker fired after biggest privacy breach at Revenue Canada]

CA – SCoC Hears Fed’s Appeal on Residential School Records

Lawyers for the federal government and the National Centre for Truth and Reconciliation took turns Thursday trying to convince the Supreme Court how to handle the personal records of those who endured life inside Canada’s infamous residential schools. The Liberal government is appealing a lower court decision that allows the records to be destroyed after 15 years unless the individual in question directs otherwise. Justice Department lawyers say the documents are subject to federal laws governing access to information, privacy and the national archives, and should be preserved to ensure the residential school legacy is never forgotten. A lower court judge ruled the material should be destroyed after 15 years, but that individuals could consent to have their stories preserved at the National Centre for Truth and Reconciliation in Winnipeg. In a split decision in April 2016, the Ontario Court of Appeal agreed, noting the documents were not government records subject to archiving laws. The court rejected the idea that the documents were “government records,” finding instead that they fell under judicial control. A dissenting justice maintained, however, that the documents should be turned over to Library and Archives Canada, subject to normal privacy safeguards and rules. The Assembly of First Nations argues the Ontario Court of Appeal upheld the promises of confidentiality made to former students of residential schools by ordering the destruction of records and ensuring former students maintain control over the accounts of their residential school experiences. [The Canadian Press via The Chronicle Herald]

CA – OIPC ON Recommendations for Creation and Analysis of Data Sets

The Information and Privacy Commissioner of Ontario has issued guidance on the use of big data by government institutions. Institutions should ensure they have the legal authority to collect personal information for big data projects, publish a description of the project on their website, de-identify linked data sets (to ensure adequate separation between policy analysis and administrative functions), ensure information analyzed is accurate, complete, and up-to-date, be aware of misleading correlations, and ensure profiling decisions that significantly affect individuals are verified. [IPC ON – Big Data Guidelines]

CA – OIPC SK Finds Health Authority Failed to Properly Respond to Privacy Breach

This OIPC report investigates the handling of a privacy breach by the Keewatin Yatthè Regional Health Authority (“Keewatin”) pursuant to Saskatchewan’s The Health Information Protection Act. The authority did not contain the breach (it did not recognize a suspended nurse’s 3 hours of unsupervised access to patient records as a breach), did not conduct an adequate investigation (it did not interview employees on unpaid leave), and did not notify affected individuals (it should provide written notification, post a public notice regarding the breach, and give patients the opportunity to view their chart free of charge). The provincial nurses’ association and union should support the authority’s request for an interview with the employee. [OIPC SK – Investigation Report 230-2016 – Keewatin Yatthè Regional Health Authority]

CA – OIPC SK Issues Guidelines for Conducting Audits of Users’ Access to Medical Records

The Office of the Saskatchewan Information and Privacy Commissioner issued guidance on auditing users’ access to personal health information in accordance with the Health Information Protection Act. A proactive audit and monitoring program includes random audits of user activity, focused audits prompted by a complaint from a staff member or the general public, and ongoing monitoring procedures. Among the events that should trigger an audit are a user viewing their own record, the record of an individual with the same last name, or another employee’s record. [OIPC SK – Audit and Monitoring Guidelines for Trustees eHealth Saskatchewan]
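The trigger events in the Saskatchewan guidance above are straightforward to automate against an access log. The following is an added example, written for this digest and not code from the OIPC, eHealth Saskatchewan or any trustee; the log format, the user and patient identifiers, the surnames and the mapping of staff to their own patient records are all constructed for illustration. It implements the three triggers the guidance names (self-access, same-surname access, access to a colleague’s record) and, going beyond the guidance, adds a bulk-lookup trigger for a user who touches many distinct records within a short window, the pattern behind the CRA item above in which 1,264 accounts were viewed for about two seconds each. The threshold and window are assumptions a trustee would tune.

```python
"""Flag PHI access events that should prompt a focused audit.

Added example: the log lines, identifiers and staff mapping below are
constructed sample data, not records from any health authority.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed access log. One access per line:
#   timestamp | user_id | user_surname | patient_id | patient_surname
SAMPLE_LOG = """\
2017-05-22T09:01:10 | u100 | Nguyen   | p555 | Nguyen
2017-05-22T09:05:44 | u100 | Nguyen   | p200 | Okafor
2017-05-22T09:06:02 | u101 | Tremblay | p777 | Tremblay
2017-05-22T09:08:30 | u102 | Roy      | p555 | Nguyen
2017-05-22T10:00:00 | u103 | Singh    | p301 | Brown
2017-05-22T10:00:02 | u103 | Singh    | p302 | Kim
2017-05-22T10:00:04 | u103 | Singh    | p303 | Lee
2017-05-22T10:00:06 | u103 | Singh    | p304 | Park
2017-05-22T10:00:08 | u103 | Singh    | p305 | Cho
2017-05-22T10:00:10 | u103 | Singh    | p306 | Diaz
2017-05-22T11:30:00 | u104 | Okafor   | p201 | Okafor
"""

# Constructed (assumed) mapping: staff member -> the patient record that is
# their own. u100 (Nguyen) is also patient p555; u101 (Tremblay) is p777.
STAFF_OWN_RECORD: Dict[str, str] = {"u100": "p555", "u101": "p777"}

Event = Dict[str, object]
Finding = Tuple[str, Event]


def parse_log(text: str) -> List[Event]:
    """Parse pipe-delimited access lines into event dicts."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, user_surname, patient, patient_surname = (
            field.strip() for field in line.split("|")
        )
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "user_surname": user_surname,
            "patient": patient,
            "patient_surname": patient_surname,
        })
    return events


def find_triggers(
    events: List[Event],
    staff_own_record: Dict[str, str],
    bulk_threshold: int = 5,                 # assumed tuning value
    window: timedelta = timedelta(seconds=60),  # assumed tuning value
) -> List[Finding]:
    """Return (trigger_name, event) pairs in chronological order.

    Triggers from the OIPC SK guidance: self_access, coworker_record,
    same_surname. The bulk_lookup trigger is an addition: it fires once when
    a user has touched `bulk_threshold` distinct patient records within
    `window`, which is how a two-seconds-per-account sweep shows up.
    """
    record_owner = {pid: uid for uid, pid in staff_own_record.items()}
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    findings: List[Finding] = []

    for ev in sorted(events, key=lambda e: e["ts"]):
        user, patient = ev["user"], ev["patient"]

        if staff_own_record.get(user) == patient:
            findings.append(("self_access", ev))
        elif patient in record_owner:           # someone else's own record
            findings.append(("coworker_record", ev))
        elif ev["user_surname"].casefold() == ev["patient_surname"].casefold():
            findings.append(("same_surname", ev))

        # Sliding window of (time, patient) per user for the bulk check.
        q = recent[user]
        q.append((ev["ts"], patient))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if len({p for _, p in q}) == bulk_threshold:
            findings.append(("bulk_lookup", ev))

    return findings


def triggers_by_user(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group trigger names by user for the audit worklist."""
    out: Dict[str, List[str]] = defaultdict(list)
    for name, ev in findings:
        out[ev["user"]].append(name)
    return dict(out)


if __name__ == "__main__":
    for name, ev in find_triggers(parse_log(SAMPLE_LOG), STAFF_OWN_RECORD):
        print(f'{ev["ts"].isoformat()} {name:16} {ev["user"]} -> {ev["patient"]}')
```

Self-access takes precedence over the same-surname check, so a staff member viewing their own record is reported once rather than twice. The random audits the guidance also calls for are a sampling step over the same parsed events and are not shown here.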

CA – OIPC SK Finds Doctor’s Access to PHI for Training Purposes is Unlawful

The Office of the Information and Privacy Commissioner in Saskatchewan investigated a complaint about a doctor’s access to personal health information in contravention of the Health Information Protection Act. The doctor accessed the personal health information of a non-patient without a legitimate need-to-know basis (he did so to train his wife to assist with various aspects of his medical practice). If the doctor’s wife had a legitimate need to access the information to complete her job duties, the doctor should have registered her with her own user account. [OIPC SK – Investigation Report 282-2016 Eastside Medical Clinic Dr Serhii Haidash]

CA – OIPC SK Recommends GTH Board Quit Private Email

The provincial privacy commissioner says members of the Global Transportation Hub’s board of directors received “sensitive” information at private email addresses, and says board members should conduct government business with government email rather than their personal email accounts. The suggestion was contained in a report [see here] related to a Freedom of Information request filed by CBC Saskatchewan in April 2016. “It is clear from the record in this case that sensitive GTH information was sent to board members at their personal email addresses,” the report said, strongly urging the GTH to reconsider this practice. [see line 17 here] The report comes a month after Saskatchewan Premier Brad Wall was criticized by the Opposition New Democrats for conducting government business using his own personal email server. “We appreciate the advice of the Information and Privacy Commissioner and will consider all the recommendations,” a GTH spokesperson said through an email Tuesday afternoon. [GTH board shouldn’t use personal email to send ‘sensitive’ info: privacy report]

CA – Saskatoon Health Region Sees Increase in Privacy Breaches and Complaints

The Saskatoon Health Region’s latest data shows that there has been a 50% increase in the total number of privacy breaches and complaints. The data was compiled between April 1 and March 31 in each fiscal year [from 2012 to 2016]. According to the region’s enterprise risk management director Lori Frank, the increase can be attributed to awareness. Social media has also played a role in the increase of violations and subsequent complaints. [GlobalNews]

CA – OIPC NFLD Guidance on Disclosure of Records Containing Policy Advice or Recommendations

The Office of the Information and Privacy Commissioner in Newfoundland and Labrador has issued recommendations on determining whether records requested pursuant to the Access to Information and Protection of Privacy Act are exempt from disclosure. Public bodies can refuse disclosure of records containing advice (identifying options for a decision without making specific recommendations), proposals, and recommendations (a suggested course of action); however, since this is a discretionary exemption, institutions should consider whether disclosure would actually subject their decisions and policy-making to excessive scrutiny, and whether there is a public interest in the information that overrides their interest in refusing disclosure. [OIPC NFLD – Policy Advice or Recommendations]

CA – Alberta Gov’t Says Shredded Documents an Isolated Incident

Alberta legislature visitor logs shredded in the months following the 2015 election have the Opposition demanding an investigation by the privacy commissioner. Justice Minister Kathleen Ganley said Wednesday it seems the missing documents were due to what she labelled “inappropriate” actions of a single person employed with the legislature’s sheriff’s office at the time. Wildrose democracy and accountability critic Nathan Cooper said shredding documents is a clear violation of the transparency the NDP pledged to Albertans. [Shredded documents an isolated incident: justice minister]

CA – Ottawa Police Back External Case Reviews Modelled After Philadelphia Approach

The Ottawa Police Service will adopt an external review of sexual assault cases modelled after an oversight program in Philadelphia that has been shown to improve the quality of sex-assault investigations dramatically and reduce the number of complaints dismissed as unfounded. The move is a significant reversal for the Ottawa service, which in December, 2015, after nearly two years of negotiations, rejected a proposal from local advocacy groups to adopt the oversight model. At the time, the service said it was advised that privacy laws prohibited sharing case files with civilians. Brian Beamish, the Information and Privacy Commissioner of Ontario, told The Globe in a statement that his office has been working with police services about how to implement the Philadelphia model in a way that complies with privacy legislation. “It is my view that external review of sexual-assault case files can make an important contribution to improving the investigation of sexual assault complaints while complying with privacy requirements, including through the use of agreements, oaths of confidentiality and privacy and confidentiality training,” Mr. Beamish said in the statement. [Source]

CA – Ontario Court Considers Harm as Factor for Merging Class Action Suits

The Court heard a carriage motion to decide which of two competing proposed class actions arising from a data security breach at Casino Rama Services Inc. should proceed. Both suits, brought in Ontario, concern a breach of confidential personal and financial information in which the hacker dumped the data on the Internet. The Court favoured the firm better positioned to deliver a speedy resolution to class members, noting that with each passing month it becomes easier for the defendant to argue that no harm has been done. [Kaplan v Casino Rama Services Inc. et al – 2017 ONSC 2671 CANLII – Superior Court of Justice Ontario]

CA – Winnipeg Transit Gave Rider Location Data to Cops, No Warrants

City officials confirmed that on four occasions since March of 2017, Winnipeg police have requested the data generated through the use of Peggo cards by a specific passenger to assist with an investigation. On each occasion, the transit service provided police with the requested records. In July of 2016, Winnipeg Transit launched its new Peggo card system, which allows users to pay their fare using an electronic card. It also allows Transit officials to track the exact travel habits of the 130,000 daily Transit passengers. Every time a passenger uses their Peggo card, data is generated on the date, time, bus number, and boarding and transfer locations. If the user has registered their card online, the passenger’s name becomes linked to the data. Other government bodies also forward personal information to law enforcement without requiring a warrant or court order. Bruce Owen, spokesperson for Manitoba Hydro, said requests from police for account information must be made in writing. “We provide police information on a customer’s account, including confirmation there has been a higher than normal kilowatt-hour consumption,” he said. Tom Keenan, a professor at the University of Calgary who specializes in information security, says, “I see a growing sensitivity to this kind of information and it is quite appropriate to question it.” The privacy and information watchdog for the province says that under the Freedom of Information and Protection of Privacy Act, or FIPPA, any public body can release personal information to law enforcement without a warrant or the consent of the individual being targeted under certain conditions. Specifically, Section 44(1) of the act sets out the conditions under which a public body may disclose personal information to law enforcement. Winnipeg Mayor Brian Bowman said that while he has been assured transit complied with privacy legislation, he wants to know more about what councillors were told about Peggo privacy before the cards went online last year. [Winnipeg Transit gave Peggo card travel history to police without warrants]

CA – Toronto Committee Scraps Proposal for In-Cab Cameras Due to Privacy Concerns

At a May 29 city meeting, Toronto’s Government Management Committee voted to scrap a proposal that would have placed cameras in the cabs of the city’s garbage truck fleet. The intention of the proposal was to increase internal surveillance in order to improve safety management and determine the causes of accidents when they happen. However, most city officials predicted the proposal would have a negative effect on morale. Beaches-East York Councillor Janet Davis said at the meeting, “This is about invasion of personal privacy and the extent that management can do that,” InsideToronto.com reported. Other committee members said the suggestion to monitor garbage truck drivers on their routes should be part of a bigger discussion about management. [wastedive.com]

CA – Court-Ordered Reconsideration by OIPC BC Upholds Government Corporation’s FOI Disclosure of Email Correspondence

This OIPC order is a court-ordered reconsideration of Order F13-23 and a redetermination of an unpublished OIPC investigation report concerning a journalist’s request for correspondence pursuant to British Columbia’s Freedom of Information and Protection of Privacy Act. Emails that reflect two employees’ intertwined business and personal relationships must be disclosed (with portions severed): the emails were largely created in the course of professional duties and are under the corporation’s control (for example, they were sent or received through the corporation’s email system and are stored on its servers). The corporation was not required to notify one of the employees that it was “collecting” his personal information, as it was not doing so; the employee volunteered his personal information in the emails and his colleague did not solicit it. [OIPC BC – Order F17-20 – British Columbia Lottery Corporation]

CA – MB Freedom of Information Review Gives PCs Opportunity to Close Legislative Loopholes

The Manitoba Legislative Assembly Press Gallery is asking for clarity around exemptions, reports to cabinet. Manitoba is reviewing the Freedom of Information and Protection of Privacy Act (FIPPA), but balancing a transparent government with a right to privacy is a tricky act. The act came into force in 1998 and provides right of access to records held by public bodies while protecting privacy by setting rules for information collection, use and disclosure. Provincial legislation calls for it to undergo regular reviews and the last was in 2004, before it was significantly amended again in 2011. Reviewing the legislation is a good opportunity for the province to catch up to freedom of information laws in other provinces, said Steve Lambert, past-president of the Manitoba Legislative Assembly Press Gallery. The Manitoba Legislative Assembly Press gallery, which has 46 members and represents 11 media outlets, contributed a submission to the review calling for clarity and more reasonable time frames for access to information. “Our biggest concern is that background information, data reports, things that the public pays for on matters of public interest are currently kept hidden,” Lambert said. “Basically right now anything that is submitted to a cabinet minister or produced by a cabinet minister cannot be released to the public for 20 years and that is such a wide all-encompassing exception that if you are in government and wanted to hide something you could just give it to a cabinet minister and claim that exemption.” Manitobans are being asked to take part in the review and submissions will be collected until the end of the month. [CBC News]

CA – Proposed Amendments to PIPEDA Will Make It Mandatory to Notify a Breach

There is currently no mandatory requirement in Canadian legislation for organizations to notify of a breach, except in certain circumstances (e.g., private sector organizations in Alberta, and health information in Ontario, New Brunswick and Newfoundland and Labrador). Organizations should make it a best practice to voluntarily notify affected individuals of privacy breaches now: once notification becomes mandatory under PIPEDA, organizations that fail to notify may be subject to a fine of up to $100,000 and may be publicly named by the Privacy Commissioner. [Privacy Breaches in Manitoba – A Mitigation and Prevention Primer – Andrew Buck, Lawyer, Pitblado Law] See also: [Manitoba: Whistleblower sues health authority and lawyers, alleging identity revealed]


CA – Canadians Want More Regulatory Review of Emerging Technologies: Accenture

Canadians prioritize regulatory reviews of drones, autonomous vehicles and online user agreements above those of other emerging technologies, according to new research from global professional services company Accenture on Canadian attitudes on government regulation of emergent technology-enabled products and services. The survey found that four in 10 (40%) of those polled said that “drones equipped with video cameras” should be a key area for government regulatory review. Nearly as many Canadians said that key areas for government regulatory review should include autonomous (driverless) vehicles and for online user agreements for new products or services (each cited by 38% of respondents). Other areas in which Canadians want to prioritize a regulatory review include connected homes and products, such as technology that controls a home’s lights, alarms, temperatures, or baby monitors from a mobile phone or other device (cited by 30% of respondents); social media, including privacy rights and/or guidelines around advertising (26%); ridesharing services like Uber and Lyft (26%); and sharing economy accommodations like Airbnb and HomeAway (23%). However, many Canadians believe that the government should step away from regulating certain technologies “because they are evolving well without the need for additional regulation.” For example, half (51%) of Canadians want government to step away from further regulating video/music streaming, and almost as many want government to stop regulating connected homes/products (48%), social media (46%) and artificial intelligence (43%). [Canadian Underwriter]

WW – Google Starts Tracking Offline Shopping — What You Buy at Stores in Person

Google already monitors online shopping, but now it is also keeping an eye on what people buy in physical stores as it tries to sell more digital advertising. The Internet giant said that a new tool will track how much money people spend in merchants’ bricks-and-mortar stores after clicking on their digital ads. The analysis will be done by matching the combined ad clicks of people who are logged into Google services with their collective purchases on credit and debit cards. Google says it won’t be able to examine the specific items bought or how much a specific individual spent. But even aggregated data can sometimes be converted back into data that identifies individuals, said Larry Ponemon, chairman of the Ponemon Institute privacy research firm. Google’s tool doesn’t work for cash payments or for the 30% of U.S. card transactions that Google can’t currently access. Google gives its users the option to limit the company’s tracking and control what types of ads they are shown, although in practice relatively few users tweak such settings. [Associated Press | How the latest Google data mine digs into credit-card privacy] See also: [Be careful celebrating Google’s new Ad Blocker. Here’s what’s really going on]
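Ponemon’s point that “aggregated data can sometimes be converted back” deserves a concrete illustration. The example below is added here and is not code from Google, the AP or the Ponemon Institute; the user ids, spend figures and thresholds are constructed for the demonstration. It shows the classic differencing attack: a report that returns only total spend for an audience leaks one person’s spend as soon as two audiences differ by exactly that person. It then sketches the usual first-line mitigation (minimum audience size plus a check for near-duplicate audiences); the robust answer in practice is calibrated noise, i.e. differential privacy, which this sketch does not implement.

```python
"""Added example: differencing attack on 'aggregate only' spend reports,
plus a simple query guard. All data and thresholds are constructed."""

# Constructed sample data: in-store spend (USD) per hypothetical logged-in user.
# In the real system this would come from matched card-network data.
SPEND = {
    "u1": 120.00, "u2": 35.50, "u3": 0.00, "u4": 210.25,
    "u5": 15.00,  "u6": 88.00, "u7": 42.00, "u8": 300.00,
}


def aggregate_spend(user_ids):
    """What an aggregate-only report returns: the total over an audience."""
    return round(sum(SPEND[u] for u in user_ids), 2)


def differencing_attack(audience_a, audience_b):
    """If two audiences differ by exactly one user, subtracting the two
    aggregates recovers that user's individual spend."""
    diff = set(audience_a) ^ set(audience_b)
    if len(diff) != 1:
        return None
    (target,) = diff
    return target, abs(aggregate_spend(audience_a) - aggregate_spend(audience_b))


class GuardedAggregator:
    """Illustrative mitigation (thresholds are assumptions, not Google's):
    refuse audiences below a minimum size, and refuse any audience that
    differs from a previously answered one by fewer than `min_gap` users."""

    def __init__(self, min_audience=5, min_gap=3):
        self.min_audience = min_audience
        self.min_gap = min_gap
        self.answered = []  # audiences already reported on

    def query(self, user_ids):
        ids = frozenset(user_ids)
        if len(ids) < self.min_audience:
            return None  # refused: audience too small
        for prior in self.answered:
            if 0 < len(ids ^ prior) < self.min_gap:
                return None  # refused: near-duplicate of an earlier audience
        self.answered.append(ids)
        return aggregate_spend(ids)


if __name__ == "__main__":
    base = ["u1", "u2", "u3", "u4", "u5"]
    plus_one = base + ["u8"]
    print("aggregate A:", aggregate_spend(base))
    print("aggregate B:", aggregate_spend(plus_one))
    print("recovered:", differencing_attack(base, plus_one))
    guard = GuardedAggregator()
    print("guarded A:", guard.query(base))
    print("guarded B:", guard.query(plus_one))
```

The guard defeats the naive two-query attack but not a determined attacker who can issue many overlapping queries, which is why aggregation thresholds alone are not considered an anonymisation technique.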


NZ – Govt Backtracks On Data-for-Funding Proposal

Social service providers will no longer need to hand over the private details of their clients to the government until a new data protection policy is in place. The government had said it would only give funding to providers if they handed over client names, birth dates, ethnicity and the personal details of any dependants. Last month the Privacy Commissioner found handing over the details was “excessive”, disproportionate to the government’s need, and the Ministry of Social Development acted “prematurely” without considering privacy risks. Minister for Children Anne Tolley has temporarily suspended the process. She said an advisory group would be set up to consider the best way to increase the level of data being collected, while maintaining privacy and trust with providers. [Radio New Zealand]

US – DEFCON to Plumb Electronic Voting Machines’ Security

The DEFCON conference in July will include a “village” of electronic voting machines for attendees to try to crack. DEFCON founder Jeff Moss said that the voting machine companies are welcome to be involved in the process, but expects that they will not take him up on his offer. [Top hacker conference to target voting machines]


CA – Feds Suspend Implementation of CASL Private Right of Action

The federal government has issued an Order in Council today delaying the coming into force date of the private right of action under Canada’s Anti-Spam Legislation until completion of a parliamentary review “in order to promote legal certainty for numerous stakeholders claiming to experience difficulties in interpreting several provisions of the Act while being exposed to litigation risk.” “If they are delaying it, that’s definitely good news for businesses. A lot of them have been struggling in the past few months to make sure they are complying with CASL in light of the two changes that will be coming into force — the private right of action as well as the end of the transition period,” says Eloïse Gratton of Borden Ladner Gervais LLP. Inga Andriessen says the big message that will need to get out is that CASL hasn’t been repealed. “CASL is still going to be in place. The government can still fine you the same way as they could before, but the good news is nobody is going to be suing you in court for any violation of CASL. If anything, it’s a time to really take a look at your CASL policies and make sure you’re still compliant or get compliant if you weren’t before.” [Last minute reprieve as feds suspend controversial private right of action provision in CASL | Canada: CASL – Government Suspends Private Right of Action]

Electronic Records

CA – Conservative Party Takes Disciplinary Action After Membership List Shared

The Conservative party is demanding that the National Firearms Association destroy a party membership list that it appears to have illicitly obtained from one of the camps in the recent leadership contest. “We are aware that our members are being contacted by an outside organization,” the party said. “We will be issuing a cease-and-desist letter to the organization in question, demanding that they destroy the list.” The party did not identify the outside organization but the post came after numerous Conservatives complained through social media that they’d received a letter this week from the National Firearms Association, seeking a donation. They suspected that the association had obtained their names and addresses from the party membership list, distributed to each of the 14 candidates during the leadership race, which concluded last weekend with the election of Andrew Scheer. CBC News contacted spokespeople for all 14 campaigns, all of whom denied sharing the list with the National Firearms Association. The party did not name the culprit but said it has “identified the parties responsible for sharing the information, and will be taking disciplinary action against them.” [The Canadian Press]

EU Developments

EU – Cybersecurity Skills Gap of 350,000 Workers by 2022

This month sees the third release of data from the “Global Information Security Workforce Study 2017: Benchmarking Workforce Capacity and Response to Cyber Risk” [see here & here], which was conducted by Frost & Sullivan for the Center for Cyber Safety and Education, with the support of (ISC)2, Booz Allen Hamilton and Alta Associates, and offers a deeper exploration of the growing cybersecurity skills gap. It predicts a cybersecurity skills gap for Europe of 350,000 (globally 1.8 million) by 2022, with European organisations planning the fastest rate of cybersecurity hiring in the world: 38% of surveyed hiring managers in the region say they intend to grow their workforce by at least 15% in the coming year. At the same time, two-thirds of organisations state that they currently have too few cybersecurity workers. The lack of professionals entering the industry has a two-fold impact on the profile of the workforce. Not only is it not increasing at a rate fast enough to fill the necessary roles, it has also led to a greying workforce, with just 12% of workers under 35, and 53% over 45. The profession faces a looming skills cliff edge, with the majority of workers getting closer to retirement and companies failing to recruit long-term replacements. Recommendations in this release suggest that organisations need to adapt their approach to recruitment and draw from a broader pool of talent. This is backed by findings that show that workers with non-computing related backgrounds account for nearly a fifth of the current workforce in Europe, and that they hold positions at every level of practice, with 63% at manager level or above. [What we learned from this month’s European GISWS report]

UK – ICO Promotes Funding for Data Protection and Privacy Research

The Information Commissioner’s Office (ICO) has announced that it will provide between £20,000 and £100,000 to organisations that meet its criteria for funding under a new grants programme. The ICO said its grants programme has five objectives, which include supporting and encouraging research and “privacy enhancing solutions in significant areas of data protection risk”, in projects “that will make a real difference to the UK public”, as well as raising data controllers’ awareness of “privacy enhancing solutions”. The watchdog said data protection and privacy research projects must meet at least one of the five strategic goals it set out in its recently published information rights strategic plan (14-page / 209KB PDF) to be eligible for funding. [Organisations given chance to win funding for data protection research by UK watchdog]

EU – EU Adopts Regulation for Wearable Technology

The European Union has adopted Regulation 2017/745 on Medical Devices, accompanied by a press release and a fact sheet. The Regulation, which applies to devices and related software, requires EU registration of each device, designation of an EU authorised representative for the manufacturer, and informed consent from the subjects of any clinical investigations concerning the device; a manufacturer must have a risk management plan for the lifecycle of each device, and keep technical documentation available to EU authorities for 10 years. [Regulation 2017/745 on Medical Devices – European Union | Press Release | Fact Sheet | DLA Piper | Emergo]

UK – ICO Outlines 4-Year Plan to Strengthen Transparency and Accountability

The UK Information Commissioner’s Office released a 4 year plan outlining its mission, vision and strategic goals. The ICO will increase public trust and confidence in how their data is used and made available by creating a culture of accountability, improve standards of information rights practice through clear, targeted engagement and influence, and maintain and develop influence within the global regulatory community (despite Brexit); a technology strategy will be developed to assist organisations, and there will be continued focus on lead generation and data broking organisations to ensure compliance with the law. [ICO UK – Information Rights Strategic Plan 2017-2021]

Facts & Stats

US – FTC Finds Thieves Attempt to Use Stolen Data Within 9 Min of Breach

In an effort to see what happens after a data breach, the Federal Trade Commission leaked a database of 100 fake customers and found it took only 9 minutes for crooks to attempt to access the information. The FTC’s Office of Technology made the information realistic by using popular names based on Census data, addresses from across the country, email addresses that used common naming conventions, phone numbers that corresponded to the addresses, and one of three types of payment information (an online payment service, a bitcoin wallet or a credit card), according to a May 24 blog post. Researchers then twice posted the information to a popular hacker forum where stolen credentials are shared. Within 9 minutes of the second post, hackers were attempting to use the stolen data to pay for all sorts of things, including clothing, games, online dating memberships and pizza. More than 1,200 attempts were made to exploit the stolen information. [scmagazine.com]


CA – Information Commissioner Tables 2016/17 Annual Report

Information Commissioner Suzanne Legault tabled her 2016–2017 Annual Report in Parliament today. [See here] The year began on a positive note for access to information and transparency with many constructive advancements and a promise by the government to reform the “Access to Information Act.” [See here] As the year drew to a close, Commissioner Legault says there is “a shadow of disinterest on behalf of the government.” Several investigations illustrate longstanding deficiencies with the Act, which include the deletion of emails subject to a request, difficulties accessing documents in a minister’s office, failure to document decisions, and lengthy delays to obtain information. Institutional performance in relation to compliance with the Act is showing signs of decline. Much-needed reform is necessary to solve ongoing problems across the access system. Commissioner Legault says “our investigations highlight that the Act continues to be used as a shield against transparency and is failing to meet its policy objective to foster accountability and trust in our government. The Act urgently needs to be updated to ensure that Canadians’ access rights are respected. A lot of work needs to be done before this government delivers on its transparency promises.” [The Information Commissioner’s 2016−2017 annual report]

CA – Government Accused of Hoarding Canadian History in ‘Secret’ Archives

Some of Canada’s leading historians say the federal government is putting the country’s historical record at risk by hoarding piles of documents inside secret archives that together would make a stack taller than the CN Tower. Historian Dennis Molinaro of Trent University discovered ministries and agencies are stockpiling millions of decades-old papers rather than handing them over to Library and Archives Canada for safekeeping and public access. He’s launched a petition to try to convince the government to set them free. The Canadian Historical Association (CHA) has joined his campaign and is calling on the government to mark Canada’s 150th anniversary by overhauling the laws on access to government records. As part of his research, Molinaro has been asking government departments to hand over information about Canada’s Cold War domestic spy and surveillance programs run by the RCMP. Last fall, the federal government initially refused his access-to-information request for the papers (which were never transferred to the national archives) concerning a 65-year-old top secret RCMP wiretapping program dubbed Project Picnic. One day after CBC News reported on Molinaro’s battle with the bureaucracy, officials notified him they would release the 1951 “secret order” that authorized the wiretapping program targeting suspected Soviet spies and other subversives, signed by Prime Minister Louis St-Laurent. Access-to-information officials have told Molinaro the Privy Council Office holds at least 1.6 million more pages from the era, many of which could concern Cold War counter-espionage programs. He’s also learned many more intelligence-related records dating back four, five and six decades are being held by the Communications Security Establishment (CSE) and the departments of Justice and Foreign Affairs. He’s been told in email exchanges that there’s currently no public list to help him — or any other researcher — understand, let alone access, these mountains of papers kept inside closed government storerooms. “The government seems to be, in essence, running some kind of secret or shadow archive,” Molinaro told CBC News. Keeping millions of records from the national archives is “appalling,” he said. “You’re hiding the historical record from the Canadian people.” [CBC News]

WW – Apple Transparency Report

Apple’s transparency report for the second half of 2016 shows that the company received between 5,750 and 5,999 FISA orders and National Security Letters regarding between 4,750 and 4,999 accounts. [Apple transparency report shows increased U.S. national security requests | Apple Receives First National Security Letter, Reports Spike in Requests for Data | Report on Government and Private Party Requests for Customer Information: July 1 – December 31, 2016]

Health / Medical

WW – Medical Device Security ‘Is A Life or Death Issue’, Warns Researcher

There are more than 8,000 vulnerabilities in the code that runs in seven analyzed pacemaker programmers from four manufacturers, according to a new [WhiteScope] study. And that’s just a subset of the overall medical device scene, in which devices have scarcely any security at all. A second, separate study [Ponemon/Synopsys] that looked at the broader market of medical devices found that only 17% of manufacturers have taken serious steps to secure their devices, and only 15% of healthcare delivery organizations (HDOs) have taken significant steps to thwart attacks. Patients have already suffered adverse events and attacks. Its findings: a) 31% of device makers and 40% of HDOs surveyed by Ponemon Institute said that they’re aware of patients suffering from such incidents; b) of those respondents, 38% of HDOs said they were aware of inappropriate therapy/treatment delivered to patients because of an insecure medical device; and c) another 39% of device makers confirm that attackers have taken control of medical devices. As for the pacemaker-specific vulnerabilities, researcher Billy Rios and Dr Jonathan Butts of security company WhiteScope found that few manufacturers encrypt or otherwise protect data on a device or when that data is being transferred to monitoring systems. Nor were any of the devices they looked at protected with the most basic authentication, a login name and password, and the devices did not authenticate the devices or systems to which they connect. [Naked Security (Sophos)]

UK – Health Sector Accounts for ‘43% of All Data Breach Incidents’

The UK health sector suffered a disproportionate number of data breach incidents between January 2014 and December 2016. In total, healthcare organisations suffered 2,447 incidents and accounted for 43% of all reported incidents in the time period. According to a data analysis by Egress, the data, received from the Information Commissioner’s Office, also shows that human error accounts for almost half of these incidents across every sector. Furthermore, the number of incidents rose year on year, with a 20% increase from 184 incidents in the last quarter of 2014 to 221 in the last quarter of 2016. Taking the 221 incidents occurring between October and December 2016, the top-ranking incident types were: 1) Theft or loss of paperwork – 24%; 2) Other principle 7 failure – 22%; 3) Data faxed/posted to incorrect recipient – 19%; 4) Data sent by email to incorrect recipient – 9%; and 5) Failure to redact data – 5%. [Source]

WW – Study: Most Dementia Apps Lack a Privacy Policy

Mobile health apps targeting dementia patients lack appropriate privacy policies, according to researchers, highlighting concerns about the possibility of privacy breaches within a particularly vulnerable population. Researchers with Harvard Medical School reviewed 125 iPhone apps built for dementia patients and found that 72 collected user data. Of those apps that collected data, just 33 had an available privacy policy, according to results published in the American Journal of Geriatric Psychiatry. Many of those mobile apps that had an accessible privacy policy lacked clarity, often failing to address the specific functions of the app, describe safeguards or differentiate between individual protections versus aggregate data protection. The authors said the findings of the study highlighted a significant concern for patients with cognitive impairment and their caregivers, eroding trust among users. [fiercehealthcare.com]

US – Healthcare Industry in Critical Condition, Says Cybersecurity Task Force

In a recent report, the U.S. Department of Health and Human Services has flagged the country’s healthcare industry as highly vulnerable to cyber-attacks and ransomware. The DHHS’ Health Care Industry Cybersecurity Task Force’s report [96 pg PDF see here, PR see here] has revealed damning details on the healthcare industry’s cyber-security standards and how well the industry is prepared to safeguard private information from hackers. “Healthcare cybersecurity is in critical condition,” said Josh Corman, a member of the task force and Atlantic Council Director of the Cyber Statecraft Initiative. The report revealed a lack of designated cyber-security officials in most hospitals and also that smaller hospitals did not invest in cyber-security as they [erroneously] believed only larger institutions were targeted by hackers. The task force has recommended that the Health and Human Services Secretary must publish standards and guidance consistent with the NIST Cybersecurity Framework, must establish a Task Force to explore options to incentivize risk-based cybersecurity, and should make recommendations to Congress about required statutory changes. [Source]

Horror Stories

EU – Commission Fines Facebook €110 Million for Providing Inaccurate Information about WhatsApp Takeover

The European Commission has imposed a fine on Facebook for provision of misleading information during its investigation of Facebook’s acquisition of WhatsApp. In its notification to the Commission about its acquisition of WhatsApp, Facebook stated it would not be able to automatically match its users’ IDs with WhatsApp users’ IDs; however, the technical possibility for automated matching existed, Facebook staff were aware of the possibility, and the omission prevented the Commission from having all relevant information for assessing the transaction (regardless of whether there would have been an impact on the outcome). [EC – Mergers: Commission Fines Facebook 110 Million Euros for Providing Misleading Information about WhatsApp Takeover]

CA – Massive Breach at PSPC Reveals Workers’ Salaries & More

The personal information of almost 13,000 public servants was exposed in one of the largest ever privacy breaches at a federal government department. The July 11, 2016, breach at Public Services and Procurement Canada (PSPC) included the salary, age, reading-and-writing test results and other private information of 12,901 employees — nearly everyone working in the department, which employed 13,300 people at the time. Also included was confidential employment-equity data of about 2,590 employees, such as whether they self-identified as a visible minority, disabled or Indigenous. The department reported the breach to Canada’s privacy commissioner, Daniel Therrien, more than a month later, on Aug. 19, 2016. Employees themselves were notified even later, by email, on Aug. 26 — six weeks after the fact. The July 2016 privacy breach was at least the third at PSPC in the space of about a year. The first two breaches — which occurred between March and July 2015, and February and April of 2016 — were the result of the wonky Phoenix payroll system which has been underpaying, overpaying or not paying federal workers. The earlier breaches affected more workers — 300,000 — but the kind of personal information exposed was relatively minor compared with the depth of private information revealed in the latest incident, which included the size of workers’ paycheques. Other federal government departments have a far worse record of privacy breaches than PSPC, as detailed in last fall’s annual report from Therrien, which covered the period between April 1, 2015, and March 31, 2016. The worst offenders were Veterans Affairs (84), Corrections Canada (50), Immigration (47), the Canada Revenue Agency (21) and Employment and Social Development (17). [Massive privacy breach at Public Services reveals workers’ salaries]

CA – OHIP Card Renewal Notices Breach Caused by ‘Anomaly’

Ontario plans to resume mailing health card renewal notices more than a month after a printing “anomaly” caused a privacy breach. Incorrectly printed forms resulted in the personal information of thousands of children being mailed to strangers in April. All health card renewal notices were suspended while the province tried to find the cause of the problem, brought to its attention late in the last week of April by parents who received incorrect forms. A printing mistake on the double-sided form resulted in a mismatch between the mailing address on the front and the information on the back, including a full name, home address, birth date and health number. All the incorrectly printed health card renewal notices belonged to children with a birth date in early July. Kitchener-Waterloo MPP Catherine Fife called the explanation of an anomaly “thin” and said residents “deserve real answers” about the privacy breach. “It doesn’t leave people with a lot of confidence. How do you control against an anomaly? There’s still some outstanding questions,” Fife said. [Waterloo Record | Ontario considering offering system to renew health cards online]

Identity Issues

US – Identity Manager OneLogin Has Suffered a Nasty Looking Data Breach

OneLogin — a company that allows users to manage logins to multiple sites and apps all at once — announced [see here] that it had suffered some form of breach. OneLogin says that all customers served by the company’s US data centre are impacted, and has quietly issued a set of serious steps for affected customers to take. Notably, the public blog post omitted certain details that OneLogin mentioned to customers in an email; namely, that hackers have stolen customer information. “Customer data was compromised, including the ability to decrypt encrypted data,” according to a message OneLogin sent to customers. Multiple OneLogin customers provided Motherboard with a copy of the message. The message also directed customers to a list of required steps to minimize any damage from the breach, which in turn gave an indication of just how serious this episode might be. It’s always worth remembering that when a service aggregates the ability to log into multiple apps or sites at once, it is creating a very juicy target for hackers. [Motherboard | OneLogin admits recent breach is pretty dang serious | OneLogin: Breach Exposed Ability to Decrypt Data | Password manager OneLogin hacked, attackers could ‘decrypt encrypted data’ | http://www.onelogin.com/blog/may-31-2017-security-incident]

AU – Australia Post to Create Federal Government Identity Concept

Australia Post has announced a partnership with the Digital Transformation Agency to create a proof-of-concept identity platform that integrates its digital ID system with the Commonwealth’s Digital Identity Framework. “Our research shows these processes cost the Australian economy up to AU$11 billion a year in proving identity alone, and can be unlocked by making it easy, safe and secure to prove that you are who you say you are when interacting online,” said Australia Post managing director and group CEO Ahmed Fahour, who resigned from his position in February and is set to leave the role in July. “We envisage an identity solution, like Digital iD, could unlock significant benefits for everyday Australians doing business with government.” [ZDNet]

Law Enforcement

CA – Cobourg Police Add ALPR Technology to Cruiser

Cobourg Police Service has launched an ALPR-equipped cruiser, and law enforcement has just gotten what Acting Sergeant Marc Bellemare considers a significant boost. “You go out on patrol. It scans license plates and, any license plates where there’s an issue, it creates a positive hit and alerts us to stop that vehicle,” Bellemare said. Issues that might cause a stop include everything from driving while suspended and expired validation stickers to Amber Alerts and involvement in a crime. [Northumberland Today]

CA – Doubts Swirl Around New Ottawa Police Nerve Centre

A $2-million police initiative billed as a sort of “virtual backup” for front-line officers is drawing criticism from both their union and civil liberties advocates. The Ottawa Police Service’s Strategic Operations Centre (OPSOC) began operating last October at the Greenbank police station. Located in a room now ringed by big-screen TVs tuned to cable news, the OPSOC is staffed from 6 a.m. to 2 a.m. by five employees drawn from a pool of 16 sworn officers and eight civilians. They sit in front of banks of computer screens, keeping an eye on traffic cameras, social media and other sources of information. Their task, according to the Ottawa Police Service, is “supporting front-line officers, particularly during high-risk and/or complex calls.” OPSOC staff use all the resources at their disposal to gather information for their colleagues as they rush to the scene of a crime or collision. Since it opened in October, the operations centre has assisted with more than 2,000 calls for service. OPSOC has an annual budget of $1,982,600, and is only in the first of a three-phase rollout. Civil liberties groups are concerned over OPSOC’s apparent reliance on what’s known as “predictive policing,” which involves the use of various analytical techniques to identify potential criminal activity before it occurs. Brenda McPhail, privacy director for the Canadian Civil Liberties Association (CCLA), said Canadians aren’t being given the opportunity to have a conversation about this level of surveillance by police. In particular, McPhail said it could have a chilling effect on protesters. “We’ve been talking to activists who’ve experienced surveillance and [they say] it makes them think twice about protesting.” Cartright dismissed those privacy concerns. “We are only accessing things that are available to the public,” he said. “That’s the balance.” The unit is still operating like a pilot project, he said, and a report assessing its usefulness is expected by the end of its first year of operation. Other police services have launched similar units with success, Cartright noted. “We’re not recreating any wheel,” he said. [CBC]


US – Supreme Court Will Hear Mobile Phone Location Data Case

The US Supreme Court will hear arguments in a case regarding the need for a warrant to use cell-site data to track a suspect’s location. The case, Carpenter v. United States, No. 16-402, involves data held by a mobile phone company. The question is whether police are required to obtain a warrant to access mobile phone location histories. Police currently have access to the information without the need for a warrant through the third-party doctrine, which allows police to demand information from companies if the information is considered a normal business record. [Supreme Court Agrees to Hear Cellphone Tracking Case | Supreme Court agrees to rule if cops need warrant for cell-site data | Supreme Court to hear case on tracking phone location data]

Online Privacy

WW – 7 in 10 Smartphone Apps Share Your Data With Third-Party Services

More than 1,600 people who have used Lumen [see here] since October 2015 allowed us to analyze more than 5,000 apps. We discovered 598 internet sites likely to be tracking users for advertising purposes, including social media services like Facebook, large internet companies like Google and Yahoo, and online marketing companies under the umbrella of internet service providers like Verizon Wireless. We found that more than 70 percent of the apps we studied connected to at least one tracker, and 15% of them connected to five or more trackers. One in every four trackers harvested at least one unique device identifier, such as the phone number or its device-specific unique 15-digit IMEI number. Unique identifiers are crucial for online tracking services because they can connect different types of personal data provided by different apps to a single person or device. Most users, even privacy-savvy ones, are unaware of those hidden practices. Tracking users on their mobile devices is just part of a larger problem. More than half of the app-trackers we identified also track users through websites. Thanks to this technique, called “cross-device” tracking, these services can build a much more complete profile of your online persona. [Source]

WW – Synaptics Warns That Fingerprint Spoofing Makes Laptops Vulnerable

According to Godfrey Cheng, vice president of product at Synaptics, the company issued a warning earlier this month that some computer makers have chosen to use insecure smartphone fingerprint sensors instead of more secure laptop sensors. The smartphone fingerprint sensors typically use unencrypted methods to store and send the fingerprint to the central processing unit (CPU) for processing. That makes the data vulnerable to snooping software and other hacks. Synaptics sensors, by contrast, use encryption and a secondary host processor to do the recognition work. That encryption makes it a lot harder for hackers to copy the fingerprint and use it to unlock a computer remotely, Cheng said. The insecure fingerprint sensors are disturbing because modern laptop users are conditioned to believe that fingerprints are unique and are much safer than passwords. This is largely true, but a laptop manufacturer’s choice of sensor can potentially lead to the theft of your fingerprint image. That makes a user’s laptop secrets vulnerable, as well as those of an entire enterprise, if it’s a work computer. “There are two types of fingerprint sensors in the notebook market today,” Cheng said. “Those that are encrypted and safe, and those that are unencrypted and unsafe.” [Source]

WW – Distributed Ledger Technology May Not Be Compliant with the GDPR

A review of how the General Data Protection Regulation applies to blockchains. The review argues that it is virtually impossible to identify the entity responsible for the processing (e.g., data controller, data processor) and to change or delete information recorded on a blockchain, which makes the right to be forgotten impossible to honour. [Blockchains and Personal Data Protection Regulations Explained] See also: [Toyota pushes into blockchain tech to enable the next generation of cars]

CA – Ontario Owner of Website That Names and Shames Debtors Told to Shut Down

The Ministry of Government and Consumer Services has ordered the owner of a website that publishes public information about people who’ve been successfully sued but won’t pay up to “cease and desist.” “I will not be bullied by some officious twit at the Ministry of Government and Consumer Services, whose mandate is the protection of consumers and they seem to be hell bent to do exactly the opposite,” said Dougall Grange, the owner of the website publicexecutions.ca. “What I’m doing is allowing judgement creditors, i.e., those are people who are owed money certified by the courts, to publish that information online in an accessible way, to motivate the person who owes them money to pay.” But the ministry sees it differently. It said in a letter to Grange that he is providing a consumer report without registering as a Consumer Reporting Agency, a violation of the Consumer Reporting Act. If Grange is convicted of violating the Consumer Reporting Act, he could face a fine of up to $100,000. Grange said the website doesn’t break even and he was considering shutting it down until he got the ministry’s letter. [CBC News]

NZ – Privacy Call to Limit Power Usage Monitoring

Smart meters that relay half-hourly power usage are a potential risk to people’s personal security and privacy, and standards should be set to curb data collection, NZ Privacy Commissioner John Edwards says. The commissioner said about 70% of households in New Zealand have smart meters. The devices automatically record and transmit power usage data in half hourly intervals, but that information can also reveal much about the comings and goings of people in a household at a given time. The information is collected by electricity retailers like Meridian or Mercury, who use it to prepare their bills. It is then passed on to lines companies under information-sharing pacts. Mr Edwards said it could indicate when people were out, at home or in the shower – and this could put their security at risk if abused. The trend all over the world was to require that collection of data about people’s private lives be kept to a minimum, he said. In an open letter to the industry, Mr Edwards recommended electricity companies ensure that personal information was not collected unnecessarily or held for longer than it had to be. He also suggested aggregating data into clusters to cover an entire community, or all the people in a street, rather than recording data on individual homes. [radionz.co.nz]
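The commissioner's two concerns, that half-hourly readings reveal when a household is out and that aggregating readings across a street or community removes that signal, can both be shown on constructed data. The following is an added example, not code from the article or the commissioner's office; the three household load profiles, the standby threshold, the "daytime" window and the minimum cluster size are all assumptions chosen for illustration (a real release would use a far larger minimum cluster than three homes).

```python
from typing import Dict, List, Tuple

SLOTS_PER_DAY = 48          # half-hourly readings
STANDBY_KWH = 0.10          # assumed: at or below this per half hour looks like "nobody home"
DAYTIME = range(14, 40)     # assumed: 07:00-19:30, where a standby run is informative
MIN_RUN = 4                 # assumed: two hours of standby before calling it an absence


def slot_label(slot: int) -> str:
    """Half-hour slot index -> clock time, e.g. 16 -> '08:00'."""
    return f"{slot // 2:02d}:{'30' if slot % 2 else '00'}"


def day_profile(night: float, morning: float, day: float, evening: float) -> List[float]:
    """One constructed day of kWh-per-half-hour readings."""
    p = [night] * SLOTS_PER_DAY
    for s in range(12, 16):
        p[s] = morning      # 06:00-08:00
    for s in range(16, 36):
        p[s] = day          # 08:00-18:00
    for s in range(36, 46):
        p[s] = evening      # 18:00-23:00
    return p


# Constructed readings for three homes on one street.
HOMES: Dict[str, List[float]] = {
    "home_a": day_profile(0.05, 0.60, 0.05, 0.80),  # out 08:00-18:00
    "home_b": day_profile(0.05, 0.40, 0.30, 0.50),  # someone home all day
    "home_c": day_profile(0.05, 0.50, 0.05, 0.70),  # also out during the day
}


def infer_absence(series: List[float]) -> List[Tuple[int, int]]:
    """Runs of at least MIN_RUN consecutive daytime slots at standby load.

    This is the inference the commissioner warns about: it works on any
    per-household half-hourly series without needing anything else.
    """
    runs, start = [], None
    for s in DAYTIME:
        if series[s] <= STANDBY_KWH:
            if start is None:
                start = s
        else:
            if start is not None and s - start >= MIN_RUN:
                runs.append((start, s - 1))
            start = None
    if start is not None and DAYTIME.stop - start >= MIN_RUN:
        runs.append((start, DAYTIME.stop - 1))
    return runs


def aggregate_street(homes: Dict[str, List[float]], min_homes: int = 3) -> List[float]:
    """Sum readings across the cluster; refuse to release a cluster that is too small."""
    if len(homes) < min_homes:
        raise ValueError(f"need at least {min_homes} homes per cluster, got {len(homes)}")
    return [round(sum(h[s] for h in homes.values()), 3) for s in range(SLOTS_PER_DAY)]


def coarsen(series: List[float], slots_per_bucket: int = 4) -> List[float]:
    """Lower the time resolution, e.g. four half-hours -> two-hour totals."""
    return [round(sum(series[i:i + slots_per_bucket]), 3)
            for i in range(0, len(series), slots_per_bucket)]


if __name__ == "__main__":
    for name, series in HOMES.items():
        away = [(slot_label(a), slot_label(b)) for a, b in infer_absence(series)]
        print(f"{name}: inferred absences {away}")
    street = aggregate_street(HOMES)
    print("street aggregate: inferred absences", infer_absence(street))
    print("street aggregate, two-hourly:", coarsen(street))
```

Per-household data yields an "08:00 to 17:30" absence for home_a straight away; the street total, with one occupied home in it, yields nothing, and coarsening to two-hour buckets further limits what any single half-hour could reveal. Both steps still leave the retailer with what it needs for billing, which is the point of the commissioner's recommendation.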

Other Jurisdictions

WW – How to Keep Track of Cloud Providers and Products for Security Compliance

Tracking to ensure cloud providers and their products are compliant with corporate security controls and with the compliance demands of business partners isn’t easy, security consultant James Arlen told a recent meeting of the Toronto Area Security Klatch (TASK), a community of infosec pros and students, because few organizations have the leverage to get providers to divulge the secrets of their security processes. However, he said, by gathering information and asking incisive questions infosec pros may be able to create a risk model that will meet the needs of management. Ironically, in this digital age, security compliance with a cloud provider comes down to paper. “The contract with the provider is the whole damn thing,” Arlen told the meeting. However, unless the customer is a government or a global corporation, the provider usually holds the whip hand. On top of that, CISOs may have a raft of security standards to comply with, including the federal PIPEDA, the EU privacy directive, PCI for credit cards, NIST and various ISO/IEC rules. How does that relate to what a provider follows? One answer is the Cloud Security Alliance’s free Cloud Controls Matrix, which cross-indexes the major compliance regimes and shows how they map to one another. But, Arlen said, the real work of tracking compliance is creating a tracking list for every cloud provider and service staff are entitled to use – or, if the CISO decides, services staff are known to use even without permission. Arlen admits to frustration with third-party security attestations in contracts (“We attest to following ISO 27001”), which say nothing about the provider’s actual security capability. 
As for documenting the provider’s security compliance, Arlen urges CISOs to follow these seven steps: 1) Review contract documents/exhibits; 2) Request vendor compliance documentation; 3) Review the Cloud Security Alliance STAR registry for vendor compliance statements; 4) If neither exists, submit your own vendor security risk assessment; 5) Consider the provider and product stance relative to your requirements using the CSA Cloud Controls Matrix; 6) Document deviations and your recommendations to the business/technology owner; and 7) Revise this regularly. [IT World]

Privacy (US)

US – FTC Issues Recommendations to Small Businesses for Protecting Personal Information

The FTC has issued recommendations for small businesses trying to protect personal information. Strong, complex passwords should be used that mix numbers, symbols and capital letters into the middle of the password (rather than at the beginning or end) and do not use repeating patterns to lengthen the password; organizations should also stick to websites that use encryption to protect the information as it travels from the computer to the server (check for https in the URL of all pages, not just the login page) and avoid using mobile apps that require sharing personal or financial information over public Wi-Fi. [FTC – Small Business Security Basics]
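The two mechanical rules in that guidance, character classes placed in the middle of the password with no repeating pattern, and https on every page rather than only the login page, are easy to encode as checks. The following is an added example, not the FTC's own tooling or code; the minimum length is my assumption (the FTC text gives no number), and the page URLs in the usage are a constructed crawl of a hypothetical site.

```python
import re
from typing import List
from urllib.parse import urlsplit

MIN_LENGTH = 12  # assumed floor; the FTC guidance quoted above gives no number

# "abcabc", "1212" (a 2+ character unit repeated) or "aaa" (one character three times)
REPEAT_RE = re.compile(r"(.{2,}?)\1+|(.)\2{2,}")


def check_password(pw: str) -> List[str]:
    """Return the FTC rules the password breaks; an empty list means it passes."""
    problems: List[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    middle = pw[1:-1]  # everything except the first and last character
    classes = {
        "digit": lambda c: c.isdigit(),
        "symbol": lambda c: not c.isalnum(),
        "capital letter": lambda c: c.isupper(),
    }
    for name, present in classes.items():
        if not any(present(c) for c in pw):
            problems.append(f"no {name}")
        elif not any(present(c) for c in middle):
            # the class exists but only as a prefix or suffix, which the FTC warns against
            problems.append(f"{name} only at the start or end")
    m = REPEAT_RE.search(pw)
    if m:
        problems.append(f"repeating pattern {m.group(0)!r}")
    return problems


def pages_without_https(page_urls: List[str]) -> List[str]:
    """Every page in the flow must be https, not just the login page."""
    return [u for u in page_urls if urlsplit(u).scheme.lower() != "https"]


if __name__ == "__main__":
    for candidate in ["Password123!", "abcabcabc1A2!x", "horse-Tr0ub4dor&3batt"]:
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
    # Constructed crawl of a hypothetical shop: the login page is https but checkout is not.
    crawl = ["https://shop.example/login", "http://shop.example/checkout",
             "https://shop.example/account"]
    print("pages not on https:", pages_without_https(crawl))
```

A checker like this is the enforceable half of the advice; the other half, "avoid sharing personal or financial information over public Wi-Fi", is a usage habit and not something a script can verify for the user.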

CA – California Class Action Filed over “BART Watch APP”

A class action complaint was filed against BART [see here], the San Francisco Bay Area Rapid Transit District, on May 22, 2017 in the District Court for the Northern District of California alleging BART created a “clandestine collection of private cell phone identifiers.” In particular, the plaintiffs claim the “BART Watch APP” [see here] —a mobile application that provided users with transit information and the ability to contact the police—collected private data in violation of California’s privacy laws. Elerts Corporation, the software developer, was also named as a defendant for its development of the App. The Plaintiffs claim that “a detailed review of the BART Watch App reveals that Defendants have been using it to secretly collect Californians’ unique mobile device identification numbers and periodically track their location.” The Plaintiffs further allege that “by collecting the device identification numbers, locations, and other personal information…Defendants have amassed a trove of data through the App.” And, Plaintiffs claim that these actions by BART and BART Police are prohibited under California law. [App Users Throw Transit Provider Under The Bus On Privacy Issues And Use Of Data]

US – Supreme Court to Settle Major Cellphone Privacy Case

Police officers for the first time could be required to obtain warrants to get data on the past locations of criminal suspects based on cellphone use under a major case on privacy rights in the digital age taken up by the U.S. Supreme Court on Monday. The justices agreed to hear an appeal by a man [Timothy Carpenter] convicted in a series of armed robberies in Ohio and Michigan with the help of past cellphone location data who contends that without a warrant from a court such data amounts to an unreasonable search and seizure under the U.S. Constitution’s Fourth Amendment. The case reaches the high court amid growing scrutiny of the surveillance practices of U.S. law enforcement and intelligence agencies and concern among lawmakers across the political spectrum about civil liberties and police evading warrant requirements. “Because cellphone location records can reveal countless private details of our lives, police should only be able to access them by getting a warrant based on probable cause,” said Nathan Freed Wessler, a staff attorney with the American Civil Liberties Union’s Speech, Privacy and Technology Project who represents Carpenter. The case will be heard and decided in the court’s next term, which starts in October and ends in June 2018. [Reuters]

US – Trump Backs Permanent FISA Sec. 702 Powers He Once Criticized

Just months after President Trump complained about being spied on by the Obama administration, his administration is embracing a full permanent extension of the secret snooping powers the government used to track conversations between his campaign aides and Russian operatives. Mr. Trump’s intelligence and counterterrorism team said Section 702 of the Foreign Intelligence Surveillance Act has saved hundreds of lives by preventing terrorist attacks and insisted — despite Mr. Trump’s claimed experiences — that the law is not being abused. Without congressional action, Section 702 is set to expire on Dec. 31. That part of the law allows federal intelligence agencies to scoop up the communications of foreigners outside the U.S. It does not allow Americans to be targets of snooping, but if foreigners who are targeted are communicating with Americans, then those exchanges can be tracked in what is dubbed “incidental collection.” About 10% of conversations monitored end up with incidental collection, National Security Agency Director Michael Rogers testified to Congress on Wednesday. [watch here starting at 22:37 min] Civil liberties advocates accused Mr. Trump of hypocrisy for complaining about snooping during the campaign and now supporting the very tools he was worried about. [Trump backs permanent snooping powers he once criticized as abusive]

US – Obligation to Notify is Triggered by Unauthorized Access and the Likelihood of Harm to Consumers

A review of breach notification obligations following a ransomware attack, under US Department of Health and Human Services guidance and state law. HIPAA provides that if there is a low probability that the PHI affected by the breach has been compromised, then the notification requirement does not apply. State attorneys general and other authorities have not issued ransomware-specific guidance; however, the majority of state breach notification obligations are triggered when an unauthorized actor accesses and acquires personal information stored on a company’s network and the breach poses a reasonable likelihood of harm to the customer. [Ransomware Attacks When is Notification Required – Latham and Watkins]

US – $11.7 Million Class Action Suit Dismissed for Failure to Establish Real-World Harm

The Court considers Experian Information Solutions, Inc.’s appeal of a judgement awarded in a class action suit for violations of the Fair Credit Reporting Act. An individual alleged he suffered an injury when a consumer reporting agency identified a defunct credit card company, rather than the name of the current servicer, as the source of a trade-line on his consumer report; however, no real-world harm was caused by the error since the error did not hinder the accuracy of the report or efficiency of the credit report resolution process (the individual was still able to obtain the necessary information and resolve his credit issues). [Michael T. Dreher v. Experian Information Solution Inc. – No. 15-2119 – United States Court of Appeals for the Fourth Circuit]


US – GAO Issues Report on Security, Privacy & Governance Challenges of IoT

In May 2017, the Government Accountability Office (GAO) released a technology assessment of the Internet of Things (IoT) for Congressional members of the IoT Caucus. The GAO report offers an introduction to IoT; reviews the many uses and their associated benefits that connected devices may bring to consumers, industry, and the public sector; and highlights the potential implications of the use of IoT, including information security challenges, privacy challenges, and government oversight. The report also identifies areas of apparent consensus among experts regarding the challenges posed by IoT, though the appropriate responses are disputed. Accordingly, the report may act as a foundation for future policymaker discussions about regulating IoT. The GAO’s report provides an introduction to IoT and answers three overarching questions: (i) what is known about current and emerging IoT technologies, (ii) how and for what purpose IoT technologies are being applied, and (iii) the potential implications of the use of IoT technologies. [GAO Report Highlights Security, Privacy, and Governance Challenges of the Internet of Things]

WW – 94% Believe Unsecured IoT Devices Could Lead to ‘Catastrophic’ Cybersecurity Attack

A new research report on third-party IoT integrations shows strong concern over IoT security, but not many actions taken to mitigate it. 94% of risk management professionals believe that a security incident resulting from unsecured IoT devices “could be catastrophic.” The report, jointly released by the Ponemon Institute and the Shared Assessments Program, was built on the responses of 553 individuals from various industries. The Internet of Things (IoT): A New Era of Third Party Risk takes a look at the concerns around third-party risks in IoT security, and what business leaders are doing to address them. One of the most surprising points was how many survey respondents expected to be the victim of an attack. Some 76% of those surveyed said that a DDoS attack resulting from an unsecured IoT device would be “likely to occur within the next two years.” Despite this belief, only 44% said their organization would be able to protect either their network or other systems from “risky” IoT devices. [TechRepublic]


US – Healthcare Cyber Security Task Force Issues Report

The US Department of Health and Human Services Health Care Industry Cybersecurity Task Force has released its first report to US legislators. The report underscores the point that digital vulnerabilities are threats not only to information but also to patients’ safety. It calls for the government and private sector healthcare entities to work together on six imperatives that include defining leadership, governance, and expectations for healthcare cybersecurity; increasing the resilience and security of medical devices and IT; and identifying ways to protect research and development and intellectual property from theft. [Federal task force: Here’s how to fix healthcare cybersecurity | HHS Cyber Task Force wants better partnerships, stronger federal leadership | Health Care Industry Cybersecurity Task Force ]

US – Department of Health and Human Services OIG Report

The US Department of Health and Human Services (HHS) Office of Inspector General (OIG) has submitted its semi-annual report to Congress. Among OIG’s findings: HHS “faces challenges to protect the privacy and security of the data it collects and maintains.” [Health Data Security Tops HHS’ List of Challenges | Semiannual Report to Congress: October 1, 2016 to March 31, 2017]

UK – ICO Data on Reported Breaches

According to data obtained from the UK’s Information Commissioner’s Office (ICO), 43 percent of breaches reported between January 2014 and December 2016 affected the healthcare sector. While healthcare had the highest percentage of reported breaches, other sectors are seeing greater increases in the number of breaches reported. Across all sectors, more breaches were caused by human error than by external cyber threats. [Healthcare tops UK data breach chart – but it’s not what you’re thinking]

US – Classified Defense Data Found in Unprotected Cloud Storage

A US defense contractor appears to have stored top secret US intelligence data on a publicly accessible Amazon cloud storage server. The account has been linked to contractor Booz Allen Hamilton. The data are related to the US National Geospatial-Intelligence Agency, which provides battlefield satellite and drone surveillance imagery. [Defense contractor stored intelligence data in Amazon cloud unprotected | US military data reportedly left on unsecured Amazon server | Intelligence contractor credentials left unsecured on Amazon server: report | Security company finds unsecured bucket of US military images on AWS]
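The check a practitioner wants after an incident like this is whether any of their own S3 buckets is readable by the world. An S3 bucket becomes public through either its ACL (a grant to the AllUsers or AuthenticatedUsers group, the latter meaning any AWS account at all) or its bucket policy (an Allow statement with a wildcard principal). The following is an added example, not code from any of the linked reports or from AWS; it evaluates an ACL and a policy document in the shapes the S3 API returns (boto3's `get_bucket_acl` returns the ACL dict directly, `get_bucket_policy` returns the policy as a JSON string under the `Policy` key, which is why the sample policy is parsed from JSON here). The bucket, owner ID and policy contents are constructed.

```python
import json
from typing import Any, Dict, List, Optional

# Group URIs that make a grant public. AuthenticatedUsers is any AWS account,
# not just accounts in your organisation, so it is treated as public here.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl: Dict[str, Any]) -> List[Dict[str, str]]:
    """Grants to a public group, from an ACL in the shape get_bucket_acl returns."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            findings.append({
                "source": "acl",
                "who": grantee["URI"].rsplit("/", 1)[-1],
                "permission": grant.get("Permission", ""),
            })
    return findings


def _principal_is_public(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_policy_statements(policy: Optional[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Allow statements with a wildcard principal. A Condition is reported, not trusted:
    conditions such as aws:SourceIp narrow the exposure but still need a human review."""
    findings: List[Dict[str, str]] = []
    if not policy:
        return findings
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for st in statements:
        if st.get("Effect") != "Allow" or not _principal_is_public(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        findings.append({
            "source": "policy",
            "sid": st.get("Sid", ""),
            "actions": ",".join(actions),
            "conditioned": "yes" if st.get("Condition") else "no",
        })
    return findings


def bucket_exposure(acl: Dict[str, Any], policy: Optional[Dict[str, Any]] = None) -> List[Dict[str, str]]:
    """All the ways this bucket is reachable by principals outside the account."""
    return public_acl_grants(acl) + public_policy_statements(policy)


# Constructed sample: an exposed bucket (public-read ACL plus a public-read policy)
# and a private one. Owner ID and bucket name are hypothetical.
EXPOSED_ACL = {"Owner": {"ID": "example-owner"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
EXPOSED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": ["s3:GetObject", "s3:ListBucket"],
                 "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]
}""")
PRIVATE_ACL = {"Owner": {"ID": "example-owner"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"},
]}


if __name__ == "__main__":
    for finding in bucket_exposure(EXPOSED_ACL, EXPOSED_POLICY):
        print(finding)
    print("private bucket findings:", bucket_exposure(PRIVATE_ACL, None))
```

To run it against real buckets, feed it the output of `s3.get_bucket_acl(Bucket=name)` and `json.loads(s3.get_bucket_policy(Bucket=name)["Policy"])` for each bucket from `s3.list_buckets()`, remembering that `get_bucket_policy` raises when no policy is attached. A `READ` grant to AllUsers lists the bucket; whether individual objects are downloadable also depends on each object's own ACL, so a clean bucket ACL is necessary but not sufficient.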

US – Insider Threat Training Requirement for US Gov’t Contractors

US federal contractors wishing to maintain their clearances must have completed an insider threat training course by June 1, 2017. The requirement is described in the National Industrial Security Program Operating Manual (NISPOM) Change 2. The course is the second step of a new compliance requirement. The first part took effect late last year and required contractors to implement changes to protect their systems from insider threats. [Insider threat training deadline here for federal contractors | NISPOM Change 2 (May 18, 2016)]

US – Medical Device Vulnerabilities Reports issued

Two separate studies have found that numerous medical devices contain software vulnerabilities. One study that focused on implantable cardiac devices and their associated equipment found more than 8,000 vulnerabilities. That study found that in most cases, data were not protected either on the devices or while being transferred to monitoring equipment. In addition, the study found that there was no authentication for connecting devices. The second study examined a broader spectrum of devices, polling manufacturers, hospitals, and health organizations about the equipment; the majority said the devices are difficult to secure. [‘Thousands’ of known bugs found in pacemaker code]

WW – Cybersecurity: Third Parties are the Weakest Link

63% of all data breaches are linked in some way to third-parties such as contractors, suppliers and vendors that have access to a business’ system; organizations should utilize a service-level agreement with specific details of the types of security measures the vendor must use when handling data for the business, have the vendor perform periodic security assessments on its systems, and limit the third party’s access to the business network. [Third-Party Data Breaches: Weakest Link in Cybersecurity – John DiGiacomo, Lawyer, Revision Legal]

WW – Increase in Ransomware Attacks and Cyberespionage in 2016

Verizon has released its 2017 Data Breach Investigations Report, based on analysis of 1,935 confirmed data breaches and 42,068 incidents. 62% of breaches featured hacking (most of these leveraged stolen and/or weak passwords), 51% of breaches included malware (66% of malware was installed via malicious email attachments), and 43% were social attacks. Organizations should train staff to spot warning signs, only provide data access to employees who require it to perform their duties, promptly apply patches and updates, encrypt sensitive data, and use two-factor authentication. [2017 Data Breach Investigations Report – Verizon]

AU – Ransomware Attack Will Count as Data Breach Under NDB

Leonard Kleinman [chief cyber security adviser at RSA] gave a rundown of what one could expect when the Privacy Amendment (Notifiable Data Breaches) Act 2017 [see here] takes effect [February 22, 2018], focusing on the security side of things, at a seminar in Melbourne on Tuesday. Given the cyber security environment at the moment, Kleinman said it was necessary to understand the legislation and its obligations, even if a company was not yet planning the necessary steps to prepare for it. Indeed, this was a common theme advanced by the other two speakers at the seminar: Helaine Leggat, the director of Information Legal, and Mani Amini, GRC group manager at Content Security, the other firm involved in organising the seminar. (The Office of the Australian Information Commissioner has a rundown of the data breach act here.) The OAIC is currently seeking public comment on entities covered by the NDB scheme; notifying individuals about an eligible data breach; identifying eligible data breaches; and the Australian Information Commissioner’s role in the scheme. The last date for submitting comments is 14 July. [Ransomware attack will count as data breach: security pro]

WW – InfoSec 2017: A Look at the Family Album of Ransomware

Ransomware is among the topics at this week’s InfoSec Europe 2017 gathering in London. It’s been with us for some time and is considered old news by many security practitioners. But it remains a vexing problem for companies and continues to dominate many a conference agenda. SophosLabs recently looked at the most prolific ransomware families and attack vectors over a six-month period and boiled it down to a graphic in the linked article. In this article we break down the statistics, review some of the ransomware-themed events on the InfoSec agenda and offer up some defensive measures. [InfoSec 2017: a look at the family album of ransomware]


US – Nest Security Camera Knows Who’s Home With Google Face Tech

Nest Labs, owned by Alphabet Inc., is adding Google’s facial recognition technology to a high-resolution home-security camera, offering a glimpse of a future in which increasingly intelligent, internet-connected computers can see and understand what’s going on in people’s homes. Facebook deploys similar technology to automatically recognize and recommend tags of people in photos posted on its social network. The camera will only identify people you select through Nest’s app for iPhones and Android devices. It won’t try to recognize anyone that an owner hasn’t tagged. Even if a Nest Cam IQ video spies a burglar in a home, law enforcement officials will have to identify the suspect through their own investigation and analysis, according to Nest. Nest is not the first to do this: Netatmo, for instance, introduced a security camera touting a similar facial recognition system in 2015. The way that the Nest and Netatmo cameras are being used doesn’t raise serious privacy concerns because they are only verifying familiar faces, not those of complete strangers, said Jennifer Lynch, who specializes in biometrics as a senior staff attorney for the Electronic Frontier Foundation, a digital advocacy group. [Source]

US – Explosive Revelation of Obama Administration Illegal Surveillance of Americans

During the Obama years, the National Security Agency intentionally and routinely intercepted and reviewed communications of American citizens in violation of the Constitution and of court-ordered guidelines implemented pursuant to federal law. The unlawful surveillance appears to have been a massive abuse of the government’s foreign-intelligence-collection authority, carried out for the purpose of monitoring the communications of Americans in the United States. While aware that it was going on for an extensive period of time, the administration failed to disclose its unlawful surveillance of Americans until late October 2016, when the administration was winding down and the NSA needed to meet a court deadline in order to renew various surveillance authorities under the Foreign Intelligence Surveillance Act (FISA). The administration’s stonewalling about the scope of the violation induced an exasperated Foreign Intelligence Surveillance Court to accuse the NSA of “an institutional lack of candor” in connection with what the court described as “a very serious Fourth Amendment issue.” The FISA-court opinion is now public, available here. The unlawful surveillance was first exposed in a report at Circa by John Solomon and Sara Carter here, who have also gotten access to internal, classified reports. The story was also covered extensively Wednesday evening by James Rosen and Bret Baier on Fox News’s Special Report. [See here] According to the internal reports reviewed by Solomon and Carter, the illegal surveillance may involve more than 5 percent of NSA searches of databases derived from what is called “upstream” collection of Internet communications. To summarize, we have the communications of Americans inside the United States being incidentally intercepted, stored, sifted through, and in some instances analyzed, even though those Americans are not targets of foreign-intelligence collection. 
The minimization procedures are supposed to prevent the worst potential abuses, particularly, the pretextual use of foreign-intelligence-collection authority in order to conduct domestic spying. But even when complied with, there is a colorable argument that the minimization procedures do not eliminate the Fourth Amendment problem — i.e., they permit seizure and search without adequate cause. Clearly, this new scandal must be considered in context. The NSA says it does not share raw upstream collection data with any other intelligence agency. But that data is refined into reports. To the extent the data collected has increased the number of Americans whose activities make it into reports, it has simultaneously increased the opportunities for unmasking American identities. Other reporting indicates that there was a significant uptick in unmasking incidents in the latter years of the Obama administration. More officials were given unmasking authority. At the same time, President Obama loosened restrictions to allow wider access to raw intelligence collection and wider dissemination of intelligence reports. [National Review]

US Government Programs

US – U.S. Now Can Ask Travelers for Facebook, Twitter Handles

Travelers wishing to visit the United States can now be asked for their social media handles and email addresses going back five years, a new U.S. government request that has alarmed privacy advocates but which the Trump Administration says could help weed out travelers who intend harm. Citizens of most countries must apply for visas to travel to the United States, which are granted by the State Department. This generally involves a visit to a local U.S. embassy or consulate and an in-person interview with a consular official. The supplemental questionnaire will only be given to “a fraction of 1% of the 13 or so million people who apply for a visa to visit the United States each year and is meant for applications for which consular officials feel more information is necessary,” said Will Cox, a spokesman for the State Department’s Bureau of Consular Affairs. About 85% of those who apply for visas are granted them, he said. Applicants are not being asked for the passwords to these accounts and consular officers will not be going into social media and friending people, Cox said. The questionnaire also asks about employment history, siblings, children and spouses, “current or previous” and “living or deceased.” The State Department asked for the right to collect the information under an emergency request on May 3, which was granted on May 23 by the Office of Management and Budget. It was implemented with no fanfare on May 23, and it wasn’t until Thursday, when Reuters first reported on it, that the existence of the new form became widely known. [USA TODAY | If you have a Twitter account, change these privacy settings now]

US – DHS Sec. Kelly Affirms US Citizens’ Phones Searched at Border

American citizens coming to the United States from overseas risk having their cellphones confiscated and searched at airports or other border crossings, Homeland Security Secretary John Kelly confirmed on Capitol Hill, walking back previous statements. Pressed by Republican Senator Rand Paul about the searches and threats to detain or turn back travelers if they did not comply, including citizens and U.S. green card holders, Kelly affirmed [at 51:55 – 57:40 min] to the Senate Homeland Security and Governmental Affairs Committee: “We do it whether they’re citizens or noncitizens coming in.” The retired general acknowledged his statement was “a change” from his comments during an April 5 hearing, in which he told senators, “I don’t believe we ever turn back citizens or legal residents.” At that April hearing, Kelly had emphasized that the targets of the searches were foreigners, but Paul pointed out there had been news reports of Americans also being caught up in the dragnet. And on Tuesday, the Kentucky libertarian read from several public reports of Americans being detained by Customs and Border Protection agents until they divulged the contents of their phones, including a NASA engineer and a couple returning from Canada. Paul and Democratic Senator Ron Wyden have introduced legislation that would require border agents to obtain warrants before searching Americans’ electronic devices. A bipartisan companion bill is also pending in the House. [Cellphone Privacy: Homeland Security Chief Acknowledges Searches of U.S. Citizens’ ] See also: [1Password’s new ‘travel mode’ keeps your data safe from border agents]

Workplace Privacy

CA – Federal Benefits Workers Told to Stay Off Social Media When Vetting Applications

Federal workers whose job it is to determine whether someone is eligible for employment, disability or seniors’ benefits have been told to stop being amateur sleuths by searching the Facebook profiles of applicants. The order came after senior officials learned that staff were logging on to social media websites to check on any suspicions they had about someone’s application for Canada Pension Plan disability benefits. And now other benefit programs — employment insurance, seniors’ benefits like old age security and the guaranteed income supplement — have been subjected to the same reminder. The only personal information the department is allowed to collect has to come from the applicant or from a third party like a doctor, employer, or family member, provided the applicant consents. The briefing note says that using publicly available information like social media posts and even address listings could be considered “an invasion of privacy” and a violation of the Privacy Act and the Charter of Rights and Freedoms. Staff were reminded that if they came across something odd in a file, including anything that could be easily found online, they were to send it to the wing of the department that investigates and roots out fraud in the federal benefits system. [The Star] See also: [Get Ready for the Next Big Privacy Backlash Against Facebook]

