21 July – 03 August 2017

Biometrics

US – FBI Biometric Database to Be Exempt from Parts of Privacy Act

The Federal Bureau of Investigation this week published a final rule that will exempt its Next Generation Identification biometrics database from certain portions of the Privacy Act. The massive database includes biometric records of individuals who have undergone background checks for jobs, military service or for those who have criminal records. Beginning Aug. 31, individuals will not be able to find out what types of data the FBI has about them. The agency has argued doing so could compromise investigations. The Electronic Privacy Information Center had tried to persuade the FBI to minimize its data collection and Privacy Act exemptions to no avail. Though it’s not currently known how many records are in the database, the Electronic Frontier Foundation estimated in 2014 that the FBI could have as many as 52 million facial images by 2015. [NextGov | New Rule Exempts FBI From Disclosing Its Biometric Database To Americans | If the FBI Has Your Biometrics, It Doesn’t Have to Tell You | Facial recognition database used by FBI is out of control, House committee hears

US – Businesses Sued for Collection of Employee Biometric Data

A host of employee biometric privacy lawsuits are seeking class-action status in the Cook County Circuit Court this year. Grocery store Roundy’s, Intercontinental Hotels’ Kimpton chain and data center operator Zayo Group have all been accused of violating the Illinois Biometric Information Privacy Act. The suits alleged all three businesses did not obtain required written consent and provide disclosures about the collection, use and storage of employees’ fingerprints and handprints. Potential violations could result in high fines. Roundy’s, for example, estimated in a court filing from last May that damages could reach up to $10 million. Mercator Advisory Group Vice President of Payments Innovation Tim Sloane said, “This is likely to be a costly lesson to business leaders in Illinois.” [The Chicago Tribune]

Big Data

US – CDT Launches Digital Decisions Tool

The Center for Democracy & Technology announced the launch of its first public version of the digital decisions tool aimed at enabling developers to understand and mitigate what the CDT sees as the unintended bias and ethical pitfalls associated with designing automated decision-making systems. The interactive digital decisions tool encourages developers to think critically and methodically by adding a series of questions to consider during the designing and deploying process of an algorithm in order to help shape a fair outcome for all. The CDT is currently seeking feedback. [Full Story]

Canada

CA – EU’s Highest Court Axes Canuck Passenger Name Record Deal

Brussels has to go back to the drawing board on a key plank of its counterterrorism strategy. The European Court of Justice dealt a blow to the EU’s policy of sharing information about airline travellers, saying that a long-standing arrangement with Canada ran roughshod over people’s privacy. [See here] In its ruling, the ECJ said the Commission went too far when it gave Canada access to detailed information about airline passengers, including what meals a passenger ate, in what company he or she traveled and how he or she bought a ticket — and stored these data for up to five years. The idea is that law enforcement could use the information to map and monitor terrorists’ and criminals’ travels, and halt them before boarding flights. A PNR data-sharing agreement with Canada dates back to 2006, but when it was revised in 2014, the European Parliament asked the ECJ for its opinion on the update before giving the deal its seal of approval. Security Commissioner Julian King said that Commission officials are speaking to Canadian counterparts “about ways of addressing the concerns raised by the European Court of Justice on the envisaged EU-Canada PNR agreement.” [See here] But King said the opinion did not affect EU countries’ obligations to implement the EU’s own, internal PNR system. Privacy advocates called the opinion a win for privacy. “Reckless data retention and profiling have no place in a democratic, law-based society,” Joe McNamee, executive director at European Digital Rights, said in a statement. [POLITICO.eu | Deal to share passenger info between EU and Canada struck down on privacy concerns | When travel security makes things more dangerous | EU-Canada Airline Data Pact Violates Privacy: Adviser | EU-Canada passenger data deal infringes privacy: EU adviser | EU-Canada Air Data Deal Is Illegal, Warns Top Lawyer | EU-Canada Traveler Data-Sharing Deal May Go Too Far | EU Court of Justice Issues Ruling on Privacy Rights and International Agreements – Sam Trosow, Associate Professor, The University of Western Ontario]

WW – Canada Third in Reported Data Breaches So Far This Year

The number of publicly-reported data breaches in Canada in the first six months of the year hit 59 — two more than the same period a year ago — according to a compilation released this week by Risk Based Security (RBS), a Virginia provider of threat intelligence. [See here] By comparison there were 22 publicly-reported breaches in China and 19 in Russia. The United Kingdom was second on the list with 104 breaches. Canada was third. However, measured by the number of records exposed China was number one, with over 3.8 billion. The U.S. was second with just over 3.7 billion, India third with over 179 million records exposed. Canada was eighth with over 2.1 million records exposed. Overall there were 2,227 international breaches reported in the first half of 2017, exposing over 6 billion records in the first half of this year. One Chinese company accounted for 2 billion exposed records alone. [IT World Canada]

CA – Nova Scotia Minister Used Private Email for Government Work: Documents

Documents obtained by Global News under an access to information request show cabinet minister Leo Glavine relied on a private email account when he was minister of health. Last year, the province’s privacy and information commissioner, Catherine Tully, warned against the use of private email by government entities. “The (Office of the Information and Privacy Commissioner) strongly recommends that public bodies and municipalities prohibit their staff from using instant messaging tools and personal email accounts for doing business, unless they can be set up to retain and store records automatically,” reads the report. Spokesperson Lisa Jarrett sent an emailed statement saying the Gmail account in question isn’t a personal email account but rather the email Glavine uses for constituency work. The legislature’s website lists a different email for Glavine’s MLA work than the Gmail account listed in the documents obtained by Global News. Jarrett said both of the private accounts are used for his work as an MLA. Other MLAs also use non-government email accounts. While Nova Scotia’s access laws don’t ban the use of personal email accounts, using them could put the user in conflict with the access and privacy law in several ways, Tully said in an interview. [Global News]

CA – NB OIPC Calls for Public Release of Cop-Cam Video of Shooting

New Brunswick’s access to information and privacy commissioner has called for the release of a body camera tape that shows a fatal police shooting in Rothesay. The decision comes after a 15-month access to information battle by CBC News. In her ruling [see 10 pg pdf here], Anne Bertrand had to determine who should be allowed to see footage collected from body cameras worn by police. She decided that public interest trumps privacy in this case. Releasing the videotape, Bertrand wrote, is the “right thing to do” for the public to understand the decision to use fatal force. “In special circumstances, there may be a public interest in the public knowing about what happened, despite there being personal information involved,” Bertrand said in an interview. The police force isn’t required to follow Bertrand’s decision and will be getting legal advice. Michael Boudreau, a criminology professor at St. Thomas University in Fredericton, said. “I think this is a very important decision on a go-forward basis for police forces across the country” National civil liberties group backs call for release of police shooting tape [CBC News]

CA – ‘Canadians are concerned’: Private Data On the Table in NAFTA Negotiations

The personal information of Canadians will be on the negotiating table when North American free trade talks begin this month. The United States has served notice it wants an end to measures that restrict cross-border data flows, or require the use or installation of local computing facilities. Privacy advocates say that means trouble for Canada’s ability to shield sensitive information such as health or financial data from the prying eyes of foreign agencies by storing it in computer servers on Canadian soil. The U.S. proposal runs counter to public-sector privacy laws in British Columbia and Nova Scotia that require domestic data storage. It also seems at odds with the federal government’s strategy on cloud computing — the purchase of digital storage from third parties — that says all “sensitive or protected data under government control will be stored on servers that reside in Canada.” The U.S. trade representative flagged the data storage issue in its 2017 report on foreign trade barriers, noting the B.C. and Nova Scotia laws prevent public bodies such as schools, universities, hospitals and government-owned utilities from using American services when there’s a possibility that personal information would be stored in, or accessed from, the United States. The report also highlighted the Canadian government’s major consolidation of federal email services, a procurement project that cited national security as a reason for requiring the contracted company to keep data in Canada. [See here at Pg 71/72] [National Post | Privacy rights on the NAFTA agenda | NAFTA talks: U.S. proposal for cross-border data storage at odds with B.C., N.S. law | NAFTA: data flows back on the trade agenda Renegotiations of the North American Free Trade Agreement could come in conflict with privacy laws in two Canadian provinces – CBC News]

machines. Brian Beamish, Ontario’s information and privacy commissioner, said in an e-mail he doesn’t have jurisdiction over homeowners who use security cameras or collect data for personal use. [Barrie Examiner]

CA – OIPC SK: Public Bodies Should Share Data Adhering to the Minimisation Principle

The Office of the Saskatchewan Information and Privacy Commissioner issued guidance on the collection and disclosure of personal information and personal health information. An authorized sharing occurs only when one public body has the authority to collect personal information and the other has the authority to disclose it; both public bodies should collect and disclose the least amount of data possible, and enter into a data sharing agreement when sharing will occur on an ongoing basis. [OIPC SK – Collection/Disclosure – A Two-Step Analysis]

CA – OIPC AB Provides Six Guiding Principles for Information Sharing

The OIPC AB has issued guidance on information sharing for both the private and public sector. Information sharing initiatives should consider transparency (outline the participants and what information will be collected, shared and disclosed for what purposes), legal authority (including ensuring participants are subject to access/privacy laws), privacy impact assessments (identify ways to mitigate risks of a breach), access and correction rights for individuals, accountability (share the least amount of data needed), and oversight (consult with the OIPC to address potential privacy implications). OIPC AB – 6 Principles for Getting Information Sharing Right]

CA – Ontario Court Upholds IPC Ruling that Doctors’ Billing Information Is Not PI

The Court considered an application for judicial review of an OIPC ON order requiring the Ministry of Health and Long-Term Care to disclose physicians’ billing records under the Ontario Health Insurance Program. The IPC reasonably concluded that the information is not PI (it relates to professional information) and the secrecy obligation under the Health Insurance Act governing the physician payments is subject to FIPPA; the requester does not need a reason to request the billing records (FIPPA mandates disclosure if no privacy exemption is proven, and the public is entitled to information to hold the government accountable). [Ontario Medical Association, several physicians affected directly by the Order and affected Third Party Doctors v. IPC ON, Minister of Health and Long-Term Care, the Ministry of Health and Long-Term Care and Theresa Boyle – 2017 ONSC 4090 – Ontario Superior Court of Justice]

CA – Manitoba Ombudsman Issues Guidance on Privacy Programs

The Manitoba Ombudsman has issued guidelines for implementing a privacy management program. The program must be supported by senior management, delegated to a privacy officer that is provided with the necessary resources to develop and implement the program and must include controls that describe the types of personal information and the processing activities, mandatory employee training, and service provider oversight. [Manitoba Ombudsman – Guidelines for Implementing a Privacy Management Program for Privacy Accountability]

CA – BC Organization Must Remove and Destroy Personal Information

The Office of the Information and Privacy Commissioner in British Columbia investigated a complaint against the Surrey Creep Catcher, alleging improper handling of personal information, pursuant to the Personal Information Protection Act. The organization induced individuals to have online communications with fictitious underage girls, video-recorded encounters with these individuals, and posted the videos on social media; these activities were not for journalistic purposes (no effort was made to provide accurate, fair descriptions of the facts), and collection, use or disclosure of their information was done without consent and was not for any investigative purpose. [OIPC BC – Order P17-03 – Surrey Creep Catcher]

CA – OIPC BC Cautions Employers About Risks of Social Media Background Checks

The OIPC BC updated its guidance on conducting social media background checks: the original guidance was issued in 2011. Risks include inaccuracy, collecting irrelevant or excessive information, overreliance on consent (an employer cannot use the information if consent is subsequently withdrawn), and inadvertent collection of third party PI; conduct a PIA (find out what privacy law applies, identify the purposes for using social media, and identify the types and amounts of PI), and do not attempt to avoid privacy obligations by contracting a third party to perform the social media background checks. [OIPC BC – Conducting Social Media Background Checks]

CA – Barrie City Staff Looking into Potential Bylaw to Regulate Surveillance Systems and Drones

Barrie Council has asked staff to investigate a potential bylaw to regulate home security video surveillance systems, domestic closed-circuit television surveillance and drones with cameras. City clerk Dawn McAlpine says two Ontario municipalities have passed bylaws prohibiting cameras being focused on other private properties. But she expects enforcement would be a problem – specifically permission to go on private property to determine which way a camera is facing. Tobi Cohen, who’s with the Office of the Privacy Commissioner of Canada, said its regulations don’t apply to individuals who collect, use or disclose personal information strictly for personal and non-commercial purposes. “That being said, privacy protection and safeguards against unlawful surveillance are provided elsewhere through the Charter of Rights and Freedoms, the Criminal Code and through provincial laws,” he said in an e-mail. While Transport Canada has a number of regulations concerning drones – how high they can fly, how close they can be to buildings, etc. – that federal department does not regulate cameras on these flying

Consumer

US – Stanford Economist Examines a Paradox of the Digital Age

People say they want to protect their personal information, but new research shows privacy tends to take a backseat to convenience and can easily get tossed out the window for a reward as simple as free pizza. The working paper — co-authored by Susan Athey, a senior fellow at the Stanford Institute for Economic Policy Research – provides real-life evidence of a digital privacy paradox: a disconnect between stated privacy preferences and actual privacy choices. And it serves policymakers with some food for thought about how to regulate data sharing without creating more hassles for consumers. “Generally, people don’t seem to be willing to take expensive actions or even very small actions to preserve their privacy,” Athey said. “Even though, if you ask them, they express frustration, unhappiness or dislike of losing their privacy, they tend not to make choices that correspond to those preferences.” What’s more, students who had expressed stronger preferences for privacy — whether it was privacy from the government, the commercial provider or the public — essentially behaved no differently than those who said privacy was less of a concern, the study found. Altogether, the experiment results show that “consumers deviate from their own stated preferences regarding privacy in the presence of small incentives, frictions and irrelevant information,” the study stated. The findings, released in June by the National Bureau of Economic Research, provide a rare snapshot: The privacy paradox has been widely observed, but empirical evidence from a real-world setting – involving choices with real consequences — has been limited. The study raised two policy implications. Since the findings show consumers’ actions don’t align with what they say, and it’s difficult to gauge a consumer’s true privacy preference, policymakers might question the value of stated preferences. On the other hand, consumers might need more extensive privacy protections to protect consumers from themselves and their willingness to share data in exchange for relatively small monetary incentives. In any case, as people are quick to give up some privacy for less hassle, regulations should avoid inadvertently sticking consumers with additional effort or a less smooth experience as they make privacy-protective choices, the study stated. [Source]

US – Rewards Program Raises Privacy Concerns

A new rewards program provides opted-in users credit for every $300 they spend on their Verizon bill. Verizon Up features “Device Dollars toward your next device purchase, discounts on an accessory, or partner rewards,” as well as other ticket opportunities. The concern for some, however, is the trade-off. To use the program, a user must sign up for Verizon Selects, which allows the company to track browsing history, app usage, device location, service usage, demographic information, postal and email contact data, among others, the report states. The data is also shared with “vendors and partners,” and Verizon’s Oath, the combination of newly acquired AOL and Yahoo. [The Verge]

US – Filmmakers Create Short Movies on Online Privacy, Surveillance

Rooftop Films and Mozilla recently presented a screening of several short films regarding various internet-related topics. Film fans and web patrons visited Brooklyn, NY, for the Net Positive, Internet Health Film Shorts program, where filmmakers displayed what they felt was helping — and hurting — the internet. The topics of the films included online privacy, surveillance, virtual reality and internet fame. [Mozilla blog]

E-Government

AU – Australian Government Issues Recommendations for Sharing of Public and Private Sector Data Sets

The Australian Federal Government released a final report on the costs and benefits of increasing the availability and use of data in the public and private sectors: the draft report was issued in November 2016. Accredited authorities would be established with the power to share or release data sets, and permit trusted users to access and use sensitive or identifiable data (based on risk classifications), and consumers would have access and control of their data; inclusion of private sector databases could lead to uncertainty over commercially sensitive information and intellectual property rights, and regulatory complexity will increase (new regulatory bodies will not sit under the Information Commissioner). The Quest for Greater Data Availability and Use in Australia – Sylvia Ng et al. – PWC | Article | Government Report]

E-Voting

US – DEF CON Voting Village

People attending DEF CON last week were given the opportunity to try to hack voting machines and voter databases. DEF CON’s “hacker voting village” was created to let attendees discover vulnerabilities in a variety of decommissioned voting equipment that conference organizers bought on eBay. Read more in: – www.scmagazine.com: Election tech hacked within hours at DEF CON Voting Village

  • cnet.com: Defcon hackers find it’s very easy to break voting machines
  • darkreading.com: DEF CON Rocks the Vote with Live Machine Hacking
  • eweek.com: Hackers Demonstrate Voting Machine Vulnerabilities at DefCon
  • wsj.com: Hacker Cracks Voting Machine in Less Than 2 Hours
  • reuters.com: Hackers scour voting machines for election bugs

US – 33 States Accepted DHS Election Security Help

The US Department of Homeland Security (DHS) Election has provided cyber security assistance to 33 state election offices and 36 local election offices prior to the November 2016 election. Election systems have been designated as critical infrastructure. DHS is offering cyber hygiene assessments and risk and vulnerability assessments. DHS also shares critical threat information with critical infrastructure operators and owners. [Read more in thehill.com: 33 states accepted DHS aid to secure elections]

EU – Estonia Implements Strong eVoting Security

Estonia is adopting stronger security measures for its elections. Estonia is the only country that allows citizens to vote through online balloting. The system was introduced in 2005. The upgrades include features known as end-to-end verifiability. Tarvi Martens, the Estonian National Electoral Committee’s head of evoting, notes that while US elections are dependent of a variety of electronic voting machines, “with Internet voting, there’s a single piece of software that can be controlled.” [www.irishexaminer.com: World’s most hi-tech voting system raises cyber defences]

US – Colorado Now Requires Regular Risk-Limiting eVoting Audits

Colorado has become the first US state to require risk-limiting audits to be conducted regularly. Risk-limiting audits compare a random sample of paper ballots with their corresponding digital ballots to see if votes were correctly tabulated. [Read more in: thehill.com: Colorado hires startup to help audit digital election results and www.politico.com: Colorado to require advanced post-election audits]

US – Open Source Software Can Help Secure Voting Process

In an effort to improve the security of electronic voting systems, the National Association of Voting Officials is encouraging election officials to use open source software. The author of this piece argues that open source software is more secure than proprietary software. [www.nytimes.com: To Protect Voting, Use Open-Source Software]

E-Mail

CA – Canadian Organizations Should Treat Scams as Data Security Matter

An examination of what Canadian companies should as victims of a phishing scam. Where funds are transferred by wire, the organization should immediately contact the company’s financial institution, local law enforcement and/or the RCMP, the Canadian Anti-Fraud Centre and their cyber-insurance provider; where sensitive information is disclosed, the company should initiate its incident response plan and identify regulatory and contractual obligations. [Phishing Lures – What To Do If You’ve Taken the Bait – Justin L. Root, Counsel, Sarah H. Jodka, Counsel and Wendy G. Hutton, Partner, Dickinson-Wright]

WW – Google to Settle Class-Action Related to Email Scanning

After announcing it will no longer scan emails for ad personalization, Google has agreed to resolve a class-action privacy lawsuit related to the practice. The settlement agreement would place a three-year injunction affecting the tech company’s ability to send ads based on users’ emails. The settlement would also require Google “to cease all processing of email content that it applies prior to the point when the Gmail user can retrieve the email in his or her mailbox and that is used for advertising purposes,” according to court papers. Meanwhile, the European Union is putting pressure on Google and other tech companies, such as Twitter and Facebook, to update their terms to ensure they are in line with EU law. [MediaPost]

CA – Email Confidentiality Clauses Are Not Considered a Security Measure

The Quebec Order of Human Resources and Industrial Relations’ disciplinary complaint against Carole Milot for unauthorized disclosure. The email confidentiality clause is a standard clause that appears systematically in all emails transmitted without requiring an additional action of the email sender; employees cannot delegate to email recipients their professional responsibility to preserve the confidentiality of information that comes to their knowledge in the exercise of their profession. [Disciplinary Board Order of HR Advisors in Quebec Approved Industrial Relations Canada Province of Quebec NOT 13-16-00013]

US – White House Officials Spear-Phished in Email Prank

A number of White House officials, including Homeland Security Adviser Tom Bossert, was tricked by a series of spear-phishing emails. A U.K.-based, self-described “email prankster” convinced Bossert that he was U.S. President Donald Trump’s son-in-law Jared Kushner. In response, Bossert shared his personal email address with the adversary. White House Press Secretary Sarah Huckabee Sanders said, “We take all cyber-related issues very seriously and are looking into these incidents further.” Former FBI Special Agent Adam Malone said, “Spear-phishing is the most common technique used by hackers to gain access to their victims. This information shines a light on how easy it is for people to build trust with unverified individuals.” [CNN]

Electronic Records

US – Personal Info of 650,000 Voters Discovered on Poll Machine Sold on Ebay

When US government workers decommission old voting equipment and auction them off to the public, they’re supposed to wipe voter information from the device’s memory. There’s no formal auditing process for how many of the machines are properly wiped, and thus no way to estimate how many machines have been sold that inadvertently contain voter records. But hackers given access to an ExpressPoll-5000 electronic poll book—the kind of device used to check in voters on Election Day—have discovered the personal records of 654,517 people who voted in Shelby Country, Tennessee. It’s unclear how much of the personal information wasn’t yet public. Some of the records, viewed by Gizmodo at the Voting Village [watch 3:19 video here], a collection of real, used voting machines that anyone could tinker with at the DEF CON hacker conference in Las Vegas [see here], include not just name, address, and birthday, but also political party, whether they voted absentee, and whether they were asked to provide identification. Anyone with access to such a device—whether on Election Day or while playing with an ExpressPoll-5000 at home—would need only moderate computer skills to check for those records. They’re stored on a removable memory card. Anyone who pulls out the drive and reads the memory card with their computer will see the drive’s contents, including the giant database of personal records, if it hasn’t been wiped. [Gizmodo]

Encryption

WW – IARPA’s Homomorphic Encryption Computing Techniques with Overhead Reduction Program

In an audio interview, Dr. Mark Heiligman, program manager for the Homomorphic Encryption Computing Techniques with Overhead Reduction (HECTOR) program at the US Intelligence Advanced Research Projects Activity (IARPA) describes the goals of the program. IARPA is holding a Proposers’ Day Conference on Wednesday, July 26 to provide interested parties with information about the program. Read more in: federalnewsradio.com: Dr. Mark Heiligman: Intelligence community pursues HECTOR and www.iarpa.gov: Homomorphic Encryption Computing Techniques with Overhead Reduction (HECTOR) ]

EU Developments

EU – CJEU Hears Arguments in Potential Facebook Class-Action

In a parallel case to ongoing litigation in Ireland’s High Court, Austrian Privacy Lawyer Max Schrems and representatives from Facebook Ireland presented arguments Wednesday at the Court of Justice of the European Union in a potential privacy class-action against the social networking company. At issue is whether Schrems can bring a worldwide privacy class-action suit against the company in Austria on behalf of 25,000 users, even though many of those individuals are not Austrian. The CJEU’s advocate general will offer his opinion on the case November 7, though the opinion will not be binding. The court’s final judgment is expected by year’s end. [Irish Times]

EU – First look at LIBE’s 800 ePrivacy amendments

As the clock ticks on the ePrivacy Regulation — and the ambitious aim of having it ready for May 2018 — members of the European Parliament’s civil liberties committee have submitted more than 800 amendments. The big — though not surprising — news is the proposal to introduce “legitimate interest” as a justification for further processing of data. Polish MEP Michal Boni’s amendments in Recital 17 on metadata and Recital 21 on access to information stored on terminal equipment both propose “an exemption from obtaining end-users’ consent in cases where the processing is necessary for the purpose of legitimate interest, provided that the data protection impact assessment was carried out.” Jennifer Baker has the scoop on this and other controversial potential additions for The Privacy Advisor, including interviews with MEPs from Germany, the U.K., the Netherlands and more. [IAPP.org]

EU – CJEU Declares EU-Canada Agreement Incompatible with Fundamental Rights

The EU Court of Justice considered the compatibility of the draft EU-Canada passenger name record agreement. The transfer, processing and retention of sensitive data cannot be justified solely on the basis of protection against terrorism and transnational crime, and storage of PNR data for up to 5 years is not proportional; the Agreement must be based on judicial and police cooperation and protection of personal data, and passenger should only be retained, after departure, if they present an identified risk. CJEU – Opinion 1-15 – Draft Agreement Between Canada and the EU on PNR Data | Press Release | Opinion

UK – ICO Issues Recommendations for Surveillance Camera Use

The UK information Commissioner’s Office has updated its code of practice in relation to surveillance cameras and personal information, pursuant to the Data Protection Act of 1998: the Code was originally issued in 2014. Organisations should conduct data protection impact assessments to ensure surveillance systems are lawful, proportionate and necessary, and clear responsibilities, secure and encrypt images captured, restrict viewing of live images to authorised persons, and view recordings of sensitive areas after an incident; disclosures of recordings must be controlled and consistent, and recordings should be provided to law enforcement in a suitable format. [ICO UK – In the Picture: A Data Protection Code of Practice for Surveillance Cameras and Personal Information]

EU – French Court Refers Territorial Scope to CJEU

The Conseil d’Etat (“Conseil”) considers an appeal by Google Inc. regarding an order issued by the Commission Nationale de l’informatique et des Libertés requiring it to delink all search materials across extensions of a domain name for each complaint received. The extraterritoriality of the CNIL’s order of Google to delink material on all search engine extensions poses difficulties for interpreting EU law; a decision from the CJEU is required to determine whether the law allows a Member State decision to apply to the entirety of the search engine’s domain. EC 19 July 2017 – No. 399922 – Google Inc | TechCrunch]

EU – Groups to European Commission: Privacy Shield Isn’t Adequate

In a letter written to European Commissioner for Justice, Consumers and Gender Equality Vera Jourová, Human Rights Watch and Amnesty International ask the European Commission to reevaluate its stance on Privacy Shield’s adequacy, specifically its “Implementing Decision 2016/1250.” The letter asks the commission to “encourage the U.S. legislative and executive branches to adopt the necessary binding reforms” so that transferring data to the U.S. complies with EU law, including the GDPR. The letter cites the U.S.’s foreign intelligence surveillance laws as evidence privacy protections “demonstrably fall far short of essential equivalence to the standards set out in EU law.” [HRW.org]

EU – German Court Rules Employee Keyboard Tracking Illegal

The Federal Labour Court has ruled that a company violated workers’ rights when it installed spy software on its computers. The company had informed employees that they would begin saving internet traffic on company computers and then installed keylogger software and routinely took screenshots. A case was filed against the company when an employee was fired based on evidence gathered during this surveillance. The German court ruled that such evidence was illegally obtained and that keylogger software was an unlawful way to control employees. The court included that, since the termination was based on illegal evidence, the employee’s termination should be void. [The Local]

EU – Other Developments

  • A group of researchers from the Institute for Information Law at the University of Amsterdam published a report on the state of the European Commission’s proposed ePrivacy Regulation. In it, they found the ePrivacy Regulation needs significant revisions in four major areas. [The Register]
  • Germany’s Federal Labour Court has ruled that a company violated workers’ rights when it installed spy software on its computers. [The Local]
  • After the U.K. House of Lords’ EU Home Affairs Sub-Committee released a report on the details of data transfers post-Brexit, the U.K. House of Commons Library published a briefing paper on the subject. [Reed Smith’s Technology Law Dispatch]
  • In what it says is an effort to block the spread of extremist material, Russia’s State Duma passed a bill outlawing the use of virtual private networks and other proxy services to access state-blocked websites. [VOA]
  • A new opinion from the advocate general of the Court of Justice of the European Union states that a student’s exam script should be considered personal data. [The Irish Times]

Facts & Stats

US – Report: Data Breaches Up 29% in the First Half of 2017

A report from the Identity Theft Resource Center and CyberScout found the number of data breaches in the U.S. increased 29% in the first half of 2017. The report found 791 breaches took place in the first six months of 2017, exposing about 12 million records, although 67% of the breaches did not indicate the number of compromised records. While the business sector suffered the highest percentage of reported breaches at 54.7%, the health care industry saw the biggest increase in incidents, suffering 30.7% of the attacks, up from 22.6% reported in the first half of 2016. [NBC News]

US – At Mid-Year, U.S. Data Breaches Increase at Record Pace

The number of U.S. data breaches tracked through June 30, 2017 hit a half-year record high of 791, according to recent numbers released [see here] by the Identity Theft Resource Center (ITRC) and CyberScout. This represents a significant jump of 29 percent over 2016 figures during the same time period. At this pace, ITRC anticipates that the number of breaches could reach 1,500 in 2017, a 37% annual increase over 2016, when breaches reached an all-time record high of 1,093. Sixty-seven percent of data breach notifications or public notices did not report on the number of records impacted, an all-time record high that represents an increase of 13% over the first half of 2016 and a major hike over the 10-year average of 43%. The Medical/Healthcare industry stands apart when it comes to reporting most fully on the number of records compromised, due in part to mandatory reporting for healthcare industry breaches that impact 500 or more individuals. For the first half of 2017, 81.5% of the breaches reported to Health & Human Services included the number of records, equal to the first half of 2016. Since 2005, the ITRC has identified data breaches in five industry sectors: financial (including banking and credit); health/medical; government/military, education and business.[See here] So far in 2017, the business sector continues to top the list at 54.7% of the total breaches, followed by the healthcare/medical industry at 22.6%. The education sector ranks third at 11% of the total breaches followed by the Banking/Credit/Financial industry at 5.8% and the government/military at 5.6 percent. [ID Theft Center]

FOI

CA – ON OIPC Rules Province Must Hand Over Info Advocates

Ontario government must hand over information to accessibility advocates, commission rules. Ontario’s privacy commission says the provincial government significantly overcharged an advocacy group fighting for information on accessibility law compliance in the province and must now hand over the material. Privacy Commission Adjudicator Diane Smith’s July 27 decision says the government tried to charge the Access for Ontarians with Disabilities Alliance $4,200 for a sweeping access to information request seeking details on many issues, including plans to make sure private businesses are complying with accessibility laws. It ordered the government to provide much of the information in the request free of charge and knocked the fee for the rest down to $750. The government now has until Aug. 28 to release those documents. [CP via The Toronto Star]

CA – Echoes of Trump in Sask. Government’s Response to GTH Land Deal Access Requests: Expert

University of Ottawa professor Michel Drapeau, a leading expert in access to information law says when he read the latest report on the government’s handling of Global Transportation Hub land deal documents, his mind immediately went to U.S. President Donald Trump and the well-publicized allegations he has disregard for the rule of law. He said the outrageous behaviour of Saskatchewan’s Ministry of Highways, outlined in a new report [see here] by the Office of the Saskatchewan Information and Privacy Commissioner, “makes you wonder if it’s a spreading disease.” In his July 19 report, commissioner Ron Kruzeniski details a year and a half long litany of unjustified delays, excessive fees and unlawful behaviour by the ministry. After reading the report, Drapeau said the ministry’s response is “beyond negligent and it’s beyond the pale and they just couldn’t care less.” “I just find their reaction to what is a quasi-constitutional right, contemptuous,” said Drapeau, an author [see here] of textbooks and reference guides on access to government documents. [CBC: Echoes of Trump in Sask. government’s response to GTH land deal access requests: Expert]

Genetics

WW – Helix Develops Marketplace Based On User DNA

Personal genomics company Helix has announced the launch of 18 apps designed to offer an enhanced marketplace built upon a user’s DNA. Each app will turn a one-time DNA donation into new insights on how to optimize your existence based on your genetic makeup. However, owning DNA is not without ethical issues: “While Helix wouldn’t comment on how the company plans to use its genetic information internally, it did say it doesn’t have any plans to share data with any third parties, to support external research efforts or otherwise.” The scope of the FDA’s authority to regulate genetic testing is in a legal dispute. [Wired]

Health / Medical

WW – Survey: Despite Support for IoT Medical Devices, Security Concerns Remain

A survey found most U.S. citizens support internet-of-things devices having the ability to send significant health changes to their doctor, but a majority is still concerned about the devices’ security. The 2017 Unisys Security Index saw 78% of respondents supporting the IoT device collecting and transmitting their medical information, but 51% said they were extremely or very concerned about someone gaining unauthorized access to their devices, such as an internet-connected defibrillator or pacemaker. Respondents were less likely to want health insurers to access their IoT data, with 41% stating they do not want those organizations to obtain their information. [Healthcare Informatics]

CA – Privacy Worries Over TELUS EHR Tool with Rx Drug Vouchers

A software tool that Telus has written into its electronic patient records system could prove to be a setback in the war to lower drug prices in Canada by favouring brand name drugs over cheaper generic ones. The tool, used the moment a prescription is being written by a doctor, also raises privacy concerns for patients, among other issues. As the Star’s Jesse McLean and David Bruser report, thousands of Canadian doctors use the software to take notes during patient visits and create a prescription to be filled by the patient’s pharmacy. There is a privacy concern. “There will certainly be a number of physicians who will be concerned they are inadvertently participating in contributing data to pharmaceutical companies,” Dr. Monica De Benedetti and colleagues at the Hamilton Family Health Team wrote to Telus in a complaint letter. For its part, Telus Health insists it has only shares with drug companies the total number of vouchers that are printed off for their products. No patient or physician information is shared, the company says. Still, data systems have a way of being compromised and, regardless, doctors may not want to contribute any market information to pharmaceutical companies at all. The good news? The software, which allows physicians to opt in at any time, also allows them to opt out. [The Toronto Star | Doctors use this software during patient visits. Now Big Pharma is tapping it to sell their drugs]

US – HHS’ Website Highlights Breach Investigations and Resolutions

The U.S. Department of Health and Human Services, Office for Civil Rights launched a web tool that provides information on breaches affecting entities covered by the Health Insurance Portability and Accountability Act. The website makes available information that entities covered by HIPAA report to OCR when they are involved in breaches affecting 500 individuals or more; it displays the name of the entity, state where the entity is located, number of individuals affected, date and type of breach, and location of the breached information. [HHS Unveils Improved Web Tool to Highlight Recent Breaches of Health Information]

Identity Issues

CA –TransUnion Pushes Liberals to Grant Access to Newly Issued Social Insurance Numbers

TransUnion, an international credit reporting agency, is pushing the federal government to give it access to a monthly list of new social insurance numbers despite years of rejections over privacy concerns. Currently, only government officials are allowed access to the list. TransUnion argues that the information would help it better detect identity theft because social insurance numbers that have either not been issued, or those not issued at birth, are often used to fraudulently apply for credit cards and loans. The monthly list, known as the “Last SIN of the Month Report,” gives a breakdown by region of the latest regular and temporary social insurance numbers, including those given to new workers or newborns. Amid privacy and security concerns, the previous Conservative government used a 2012 budget bill to tighten the rules about what personal information ESDC [Employment and Social Development Canada] could share with non-government entities. The rules came into effect in December 2013, and ESDC stopped sharing the social insurance numbers list with TransUnion and others because it was no longer able to disclose the report outside the department. [Global News]

US – Identity of Users Defamatory Reviews Not Protected by Freedom of Speech

The District Court reviews an appeal by ZL Technologies, Inc. relating to anonymous posts published on Glassdoors, Inc.’s website. When vigorous criticism descends into defamation, constitutional protection under the First Amendment is no longer available; the posts conveyed factual assertions that could be proved true or false, providing support for a defamation cause of action (e.g., statements around staff turnover. [ZL Technologies Inc v Does 1-7 and Glassdoor Inc – Court of Appeal of California]

US – Chicago Looks to ID Program to Protect Immigrant Data

Chicago Mayor Rahm Emanuel and City Clerk Anna Valencia have put out a request for proposals for technology companies to build a platform for municipal ID cards despite threats of funding cuts from the Trump administration. The efforts are part of a national trend seeing so-called sanctuary cities designing ID systems that will protect the personal information of undocumented residents and help prevent deportation. “We are committed to creating a more inclusive and accessible city for all Chicagoans, and this RFP will help us achieve a technical solution that strikes the right balance between making the ID both secure and accessible,” Valencia said in a statement. In an April vote, the program passed 44 to 4, though the potential funding cuts remain a concern for some. [StateScoop]

Law Enforcement

US – New York Eyes Textalyzer to Bust Drivers Using Cellphones

Police in New York state may soon have a high-tech way of catching texting drivers: a device known as a textalyzer that allows an officer to quickly check if a cellphone has been in use before a crash. Democratic Gov. Andrew Cuomo on Wednesday directed the Governor’s Traffic Safety Committee to examine the technology and the questions about privacy and civil liberties its use would raise. The device is called the textalyzer because of its similarity to the Breathalyzer, which is used to identify drunken drivers. Once plugged into a person’s phone for about a minute, it will indicate whether a motorist was texting, emailing, surfing the web or otherwise using his or her cellphone before a serious crash. …The technology is still some months away from being ready, according to Cellebrite, the Israel-based tech company developing the device. Digital privacy and civil liberties groups already have questioned whether the technology’s use would violate personal privacy, noting that police can already obtain search warrants if they believe information on a private phone could be useful in a prosecution. Rainey Reitman, of the Electronic Frontier Foundation said “I am extremely nervous about handing a cellphone to a law enforcement officer and allowing them in any way to forensically analyze it This is a technology that is incredibly problematic and at the same time is unnecessary. There are already legal avenues for a police officer.” [Source | New York ‘Textalyzer’ Bill Threatens Privacy Under the Guise of Safety | NY Lawmakers Consider Adding a ‘Textalyzer’ to Accident Investigations]

Online Privacy

WW – Google Implements Stronger Warnings for Unverified Apps

People using G-suite applications, including Gmail and Google Docs, will see bolder warnings each time they try to interact with new or unverified web apps. The warnings will appear before the permissions consent screen, and will include information about the risks to their personal data if they continue to use an unverified app. Read more in: www.eweek.com: Google Strengthens Protections Against Unverified Web Apps and developers.googleblog.com: New security protections to reduce risk from unverified apps.

WW – Study: More than 50% of Children’s Apps Fail to Protect Data

The Washington Post tested more than 5,000 popular apps aimed at children under 13 to see whether they are properly protecting user data. The testers found more than 50% of those apps fail to protect data, often sending sensitive information, such as device serial numbers, email addresses and other personally identifiable information, to third-party advertisers. More than 90% of the failing cases involve apps sending identifiers users cannot change or delete, such as hardware serial numbers. Despite the high numbers, the testers believe the failures are not malicious. “We suspect that most of the developers whose apps fail to protect data do not have nefarious intent, but rather fail to configure their software properly or neglect to scrutinize practices of the third-party advertisers they rely upon to generate revenue,” the report states. [Full Story]

WW – Adsquare Introduces New Cross-Device Matching Method

Adsquare is proposing a different method to cross-device matching. The mobile device exchange is deviating from the traditional method of using cookies as core identifiers and is instead aiming to start with device IDs as the primary source of identification. Adsquare CEO Tom Laband said, since cookies are not people-based, they are not a reliable foundation for building audiences in apps. Laband also said creating segments based on device ID will make opting out easier, especially as the EU General Data Protection Regulation comes into effect. [AdExchanger]

US – New Survey Examines Why We Share on Social Media

Visual content solutions provider Olapic conducted a survey of the motivational and emotional responses to social media postings and found that our desire to share stems from an emotional drive more than anything else. In a survey of more than 1,000 participants, Olapic and data analysis company Spectra Analytics measured the impact and longevity of online trends and found that 40% of Americans ages 16 to 44 post to interact with friends, for example, while women tend to be more likely than men to post supportive comments. The authors of the study point to the predictive nature of their findings as a powerful tool to control the next online phenomenon. [ZDNet]

CA – Google Files Injunction Against Canadian Search Results Ruling

In response to a ruling from Canada’s Supreme Court, Google is filing an injunction against the decision that states the tech company must remove search results for pirated products. Google filed the injunction with the U.S. District Court for Northern California, stating the ruling violates U.S. law and thus the company does not need to comply with the Canadian decision. “We’re taking this court action to defend the legal principle that one country shouldn’t be able to decide what information people in other countries can access online,” Google Senior Product Counsel David Price said. “Undermining this core principle inevitably leads to a world where internet users are subject to the most restrictive content limitations from every country.” The case parallels other conflicting jurisdictional takedown requests, including whether Google should apply the right to be forgotten globally. [Wired]

WW – Google’s plans to track you offline just hit their first hurdle

Google’s new ad programme lets the company track credit card information across online and brick-and-mortar shops The Electronic Privacy Information Centre (EPIC) is calling on the US Federal Trade Commission (FTC) to investigate Google [see PR here & 25 pg pdf complaint here], alleging that the company is gaining access to credit card information in a bid to bind customer online behaviour to offline shopping habits. Google’s new advertising scheme, Store Sales Measurement, allows the tech giant to track customer credit-card transactions – both online and within brick-and-mortar shops. According to the Washington Post, a legal complaint filed by the privacy group claims Google is leveraging the credit and debit card information of the majority of US consumers, without providing a meaningful way for individuals to opt out. The group also alleges that Google is using this sensitive information in a method that is vulnerable to data breaches and that it should be audited by third parties. The company said that it has “invested in building a new, custom encryption technology that ensures users’ data remains private, secure and anonymous”. EPIC cite the database technology Google’s scheme is based on – CryptDB – as having known security flaws. In 2015, Microsoft researchers successfully hacked health records stored using CryptDB. Google Tracking In-Store Purchases? Privacy Group Asks FTC To Investigate Google [Source]

CA – Ashley Madison Gets Privacy Re-Boot with Ann Cavoukian’s Help

Ashley Madison relaunches in Australia: ‘We’re just trying to help people have a better affair.’ Ashley Madison suffered a public relations disaster in July 2015, when hackers released the personal details of 35 million members online — almost all its users worldwide. The service marketed as the discreet way to cheat suddenly lost its trump card — privacy. A joint investigation by Canada and Australia’s Privacy Commissioners found Ashley Madison’s parent company Avid Life Media (ALM) “did not have appropriate safeguards in place considering the sensitivity of the personal information nor did it take reasonable steps in the circumstances to protect the personal information it held.” ALM, now rebranded as Ruby Corp, were given a deadline, which ends today [July 31, 2017 see here], to obtain independent third party assurance that it had adopted the report’s recommendations and secured its members’ data. Ruby Corp hired Ontario’s former Information and Privacy Commissioner Ann Cavoukian to overhaul its privacy and data policies. “We have received our Privacy by Design certification, which is an important certification,” Mr Keable told news.com.au by phone from Toronto, where Ashley Madison’s main office is based. “We have put privacy of our members’ data at the heart of our business and we now look at data as something that is sacred to us,” Mr Keable said. [News.com.au | Ashley Madison investigation finds security measures lacking; fictitious security trustmark was ‘deceptive’ | Watchdog slams Ashley Madison over privacy failures | Ashley Madison broke Canadian privacy laws with ‘deceptive’ security practices: Privacy czar | Ashley Madison not as discreet, a lot more deceptive than it said, probe finds]

Privacy (US)

EPIC Files Complaint with FTC Regarding Google’s Sales Measurement Program

The Electronic Privacy Information Center is planning to file a complaint with the Federal Trade Commission regarding Google’s Store Sales Measurement program. The program ties consumers’ online behavior to their purchases in brick-and-mortar stores. EPIC’s complaint states Google is gaining access to sensitive information, such as customers’ credit and debit card purchase records, without divulging the way the information was obtained. The complaint states Google does not give consumers a meaningful way to opt out of the program. The tech company says the approach is “common” and it had “invested in building a new, custom encryption technology that ensures users’ data remains private, secure and anonymous.” [The Washington Post]

WW – Future of Privacy Forum Announces Eighth Annual Call for Papers

The Future of Privacy Forum has announced its eighth annual Privacy Papers for Policymakers call for nominations. The aim is to highlight important work and leading privacy research that has a positive contribution in shaping future data policy solutions for the U.S. Congress, federal agencies and for data protection authorities around the world. Finished papers and/or nominations will be considered on or before Sept. 26, 2017. Winning authors are invited to present their work at an annual event in Washington, D.C., Feb. 27, 2018. [Full Story]

US – FTC and FBI Issue Compliance Reminder on Children’s Online Privacy Protection Act

Both the FTC and the FBI have made clear that they are focused on kids’ privacy, particularly as it relates to internet-connected or “smart” toys and other devices directed at children. The FTC recently updated its six-step compliance plan [see here] for businesses to comply with the Children’s Online Privacy Protection Act (COPPA). Similarly, the FBI released a Public Service Announcement [see here] about the dangers of internet-connected toys and other kids’ devices. COPPA prohibits unfair or deceptive acts and practices in connection with the collection, use, and/or disclosure of personal information on the internet from and/or about children. COPPA is one of the strictest privacy statutes in the world, and even has been touted as a model by European and other regulators in jurisdictions known for more rigid privacy laws than are typically found in the United States. COPPA applies to websites or other online services such as mobile apps that collect personal information from children under the age of 13. Companies that have a significant consumer base among kids under 13 and that offer internet-connected toys or devices should carefully review company operations and advertising programs in response to the updated Compliance Plan. COPPA is vigorously enforced by the FTC and state attorneys general, and the added attention in these areas will only increase the level of scrutiny for companies. The updates from the FTC and FBI—as well as the continued focus on these issues in the European market—highlight the risks and challenges around kids’ privacy, and can serve as an opportune reminder for companies to revisit policies, processes, and procedures to ensure full compliance in this area. [Morgan Lewis | FTC’s COPPA Guidance Update Part of a Larger Trend]

EU – German Researchers Obtain Web Browsing Histories of 3M Citizens

A pair of German researchers obtained the information of three million German citizens from companies gathering “clickstreams.” Among the information was the porn-browsing habits of a judge and the drug preferences of a politician. Speaking at the DEF CON cybersecurity conference in Las Vegas, Svea Eckert and Andreas Dewes said the data is supposed to be anonymized, but analysis shows it could easily be tied to individuals. [The Guardian]

US – Other Developments

  • Patrick Leahy, D-Vt., and Mike Lee, R-Utah, plan to reveal a bill designed to update the Email Communications Privacy Act of 1986. [The Hill]
  • In a continued reorganization of the White House, House Homeland Security Committee Chairman Michael McCaul, R-Texas, has introduced a bill to raise the priority of cybersecurity at the Department of Homeland Security. [The Hill]
  • S. District Court Judge Colleen Kollar-Kotelly ruled President Donald Trump’s voter fraud commission does not need to conduct a privacy impact assessment before gathering citizens’ data. [Politico]
  • A New York federal judge denied a motion to suppress data stemming from law enforcement access to cellphone records in a 2015 case, writing in his decision that “current Fourth Amendment jurisprudence affords no privacy interest in records created by a third party based on information voluntarily provided.” [Courthouse News]
  • The House Appropriations Committee unanimously agreed to add language to the 2018 appropriations bill that would require government agencies to obtain a warrant, rather than a subpoena, to access emails, texts and cloud-based data. [Broadcasting & Cable ]
  • S. Secretary of State Rex Tillerson announced that the Office of the Coordinator for Cyber Issues will be shut down and reorganized to fall under the State Department’s Bureau of Economic and Business Affairs. [Bloomberg]
  • Missouri has announced a new prescription drug-monitoring program that could be up and operating within a month. The executive order signed by Governor Eric Greitens comes after previous attempts failed, due in part to privacy concerns. [The Associated Press]
  • Utah state law currently mandates a warrant for the Drug Enforcement Administration to view the state prescription-drug database, but that is being weighed by U.S. District Judge David Nuffer in a case that pits health care privacy against a need to combat the country’s opioid drug epidemic.[ABC News]
  • A recent investigation by the Vermont attorney general found that a facial-recognition program in use at the Department of Motor Vehicles to be in violation of state law. [The Burlington Free Press]
  • A recently passed Nevada law requires ISPs and website operators to inform users of what the data they collect and how it’s used. [Hunton & Williams’ Privacy & Information Security Law Blog]
  • New Jersey has a new law restricting the scanning and use of state-issued IDs by retailers [Hunton & Williams’ Privacy & Information Security Law Blog]
  • The U.K. government has announced new drone laws requiring registration of certain drones, and safety, security and privacy training for owners [Sunday Express]
  • S. Congressman Blake Farenthold, R-Texas, has introduced the Cell Location Privacy Act, which would require local, state and federal law enforcement agencies to obtain a warrant before using a cell site simulator device to locate a cellphone user. [Source]
  • The U.S. Federal Trade Commission is looking for public input on the CAN-SPAM Rules, among other things, as part of Chairman Maureen Ohlhausen’s regulatory reform initiative [The National Law Review]
  • Arkansas’s new State Insurance Department General Omnibus Bill, which includes changes to breach notification rules, goes into effect August 1 [Radar]
  • California’s Supreme Court has ruled on the access of employer records under the California Private Attorneys General Act of 2004. [The National Law Review]
  • A Florida appeals court sided with a man who secretly recorded a meeting with a police officer limiting the state’s laws against secret recordings. [Miami Herald]
  • Medical and civil rights groups are pushing for Rhode Island Governor Gina Raimondo to veto a bill that would allow police to access health information without a warrant. The bill is an effort to fight the opioid crisis in that state. [RI Future]
  • Chicago’s Finance Committee Chairman Edward Burke has introduced three ordinances for the aldermen’s consideration: the Chicago Internet Privacy Ordinance, the Chicago Location Information Protection Act and the Mobile Privacy Awareness Act. [Chicago Sun Times]

Privacy Enhancing Technologies (PETs)

WW – Apple’s New Patent Protects Device Screens from Prying Eyes

Apple has filed a patent for a screen allowing for increased privacy on portable devices. The application, entitled “Displays With Adjustable Angles-of-View,” would use an electrically adjustable lens array designed to modify a device’s backlight in order to narrow the angle of view. Instead of an attachment, the method would be integrated into the display through a series of substrate layers. “Displays are typically designed to display images over a relatively wide angle of view to accommodate movements in the position of a viewer relative to the display,” Apple said in its application. “In some situations, such as when a user of a laptop or other device with a display is using the device in public, the wide viewing angle is undesirable as it compromises privacy.” [CNET]

WW – Mozilla Introduces Self-Destructing File App

Mozilla is testing an app that lets users create files that self-destruct after one download or after 24 hours. Firefox Send can accommodate files up to 1GB. It can be used “in any modern browser,” although Firefox users may need to download Firefox 54. It works on Chrome; functionality in Edge is in development, and it works in Safari 11.0, which is currently available to developers. The app’s functionality requires that Web Crypto API be implemented in the browser. Read more in www.zdnet.com: Firefox’s new tool lets you send self-destructing 1GB files from any browser]

RFID / IOT

US – Legislation Aims to Improve IoT Security

US legislators have introduced the Internet of Things Cybersecurity Improvement Act of 2017, which would establish standards for companies that want to sell Internet of Things (IoT) devices to the federal government. Among the requirements: the devices must be capable of being patched; they must not have hard-coded passwords; and the vendors must ensure that the devices do not contain vulnerabilities when they are sold. Read more in:

  •  www.cnet.com: Congress to smart device makers: Your security sucks
  •  www.darkreading.com: Proposed IoT Security Bill Well-Intentioned But Likely Hard To Enforce
  •  www.eweek.com: How the Federal Government Wants to Improve IoT Security
  •  krebsonsecurity.com: New Bill Seeks Basic IoT Security Standards
  •  www.scribd.com: Text of the Internet of Things Cybersecurity Improvement Act of 2017

US – GAO Says US Defense Department Needs to Address IoT Security

According to a report from the Government Accountability Office (GAO), the US Department of Defense (DOD) lacks adequate rules to address the security threat posed by Internet of Things (IoT) devices. While DOD has established policies for certain IoT-related security risks, the policies are insufficient for certain devices. GAO recommends that DOD conduct appropriate operations security surveys; and assess current IoT-related policies and identify areas that need attention. [fcw.com: DOD risks ‘rogue’ apps under current IoT policy | www.gao.gov: Enhanced Assessments and Guidance Are Needed to Address Security Risks in DOD]

EU – Bluetooth Sensors Track Cars, Traffic Patterns

The city of Aarhus, Denmark, has started using Bluetooth sensors to collect traffic pattern information from vehicles as a means to reveal irregularities that would have otherwise gone unnoticed. The sensors, made by Blip Systems, feed off a device’s Bluetooth capability and are being used in cities around the world. Aarhus Municipality ITS Project Manager Asbjørn Halskov-Sørensen argued, “Ultimately, the data contributes to an improved economy and a better environment through reduced driving times and fuel consumption, and thus reductions in greenhouse gas emissions from vehicles.” [Full Story]

US – The Privacy Issues with Employee-Embedded RFID chips

Wisconsin-based company Three Square Market made waves last week when it announced it will embed radio frequency identification chips in its employees. On August 1, the company is hosting a “Chip Party” for those employees opting in to the embedded tracking project. Yet, embedding tracking technology into the human body, or “cyborgification,” as the Center for Democracy & Technology’s Joseph Jerome points out, “raises a host of ethical questions” and “employer-driven ‘chipping’ poses at least three immediate challenges.” In this post for Privacy Perspectives, Jerome dives into those concerns, including questions about notice, consent, data security and the potential for mission creep. [IAPP.org]

EU – Samsung Launches Service to Monetize IoT Data Use

European Communications reports Samsung has created a service to assist in the monetization of data usage by internet-of-things devices. The Samsung Artik Cloud Monetization for IoT allows device manufacturers to measure the amount of data customers use on their devices so they can be charged accordingly. Device manufacturers will be able to define service plans according to need, then Samsung’s service will measure data usage against the plan and send payments to the manufacturers. “It’s an open data broker model that enables, for the first time, device manufacturers and service providers to tap into an open IoT ecosystem and create service plans that generate revenue directly from the interactions of devices and services,” a blog post from Samsung Artik said. [Eurocomms]

US – Carnegie Mellon University Study Finds Most Home Routers Are Lemons

A US Department of Defense (DoD) funded study from Carnegie Mellon University found that nearly all home routers are rife with security problems. They are “notorious for their web interface vulnerabilities” and other security issues, and they are not frequently updated. The study analyzed 13 routers from a variety of manufacturers. When the researchers found vulnerabilities, they contacted the manufacturers, giving them 45 days to release a patch, after which they would release vulnerability details. Most manufacturers responded slowly if at all. Among the suggestions for addressing the router security issue is to focus not on the number of flaws found in devices, but on the responsiveness of vendors in providing fixes. Read more in: www.govinfosecurity.com: Consumer Routers Report Concludes: It’s a Market of Lemons | resources.sei.cmu.edu: “Systemic Vulnerabilities in Customer Premises Equipment (CPE) Routers”]

Security

US – HHS Releases New Data Breach Education Web Tool

The U.S. Department of Health and Human Services, Office for Civil Rights has released an updated web tool designed to help educate health care entities better identify data breaches. The HIPAA Breach Reporting Tool also educates health care professionals on the ways data breaches that involve health information are investigated and resolved. The tool also possesses a feature that allows health care organizations to see data breaches currently under investigation and reported within the last 24 months. “HHS heard from the public that we needed to focus more on the most recent breaches and clarify when entities have taken action to resolve the issues that might have led to their breaches,” HHS Secretary Tom Price said. “We have taken steps to make this website, which features only larger breaches, a more positive, relevant source of information for concerned consumers.” [HHS.gov]

US – FTC Publishing Blog Posts on Data Security Best Practices

The Federal Trade Commission announced it will publish new blog posts on ways to educate businesses on the best practices to protect and secure consumer data. In the first blog post, the FTC looks back to past cases for emerging themes from closed data security investigations. The FTC found while news companies may report on data breaches, they may not cover whether the compromised data had been encrypted. The post also looks into the helpful work done by security researchers. The posts are designed to build upon the agency’s Start with Security guide for businesses. [Full Story]

FTC Posts Second Blog in Its “Stick with Security” Series

On July 28, 2017, the FTC published the second blog post in its “Stick with Security” series. [See here] The FTC will publish an entry every Friday for the next few months focusing on each of the 10 principles outlined in its Start with Security Guide for Businesses. This latest post looks at key security principles that apply to all businesses regardless of their size or the types of data they handle. The practical guidance offers five steps companies can take to ensure the security of the data they hold and provides examples to illustrate each step. The steps are: 1) Don’t collect personal information you don’t need; 2) Hold onto information only as long as you have a legitimate business need; 3) Don’t use personal information when it is not necessary; 4) Train your staff on your standards; and 5) When feasible, offer consumers more secure choices [H&W]

US – Ransomware growing but accidental breaches a major cause of loss

Ransomware attacks continued their rise in the first half of 2017, up by 50% over the first half of 2016, but accidental breaches continue to be a major problem and account for 30% of breaches overall, specialist insurer Beazley reported. Beazley, which offers cyber and data breach response insurance, released its latest Beazley Breach Insights report on Aug. 1 based on client data in the first six months of 2017. The report found that hacking and malware attacks – of which ransomware attacks form a growing part – continue to be the leading cause of breaches, accounting for 32% of the 1,330 incidents that Beazley Breach Response (BBR) Services helped clients handle in the first half of the year. However, accidental breaches caused by employee error or data breached while controlled by third party suppliers continue to be a major problem, accounting for 30% of breaches overall, only slightly behind the level of hacking and malware attacks. In the healthcare sector, these accidental breaches represent, by a significant margin, the most common cause of loss at 42% of incidents, Beazley noted in a statement. [See here] …”Unintended breaches account for one-third of all data breach incidents reported to Beazley and show no signs of abating,” Katherine Keefe, global head of BBR Services, said in the statement. “They are a persistent threat and expose organizations to greater risks of regulatory sanctions and financial penalties. Yet, they can be much more easily controlled and mitigated than external threats. We urge organizations not to ignore this significant risk and to put more robust systems and procedures in place.” [Canadian Underwriter]

Smart Cars

US – Connected Car Data in Demand

The New York Times reports that automakers, local government, retailers, insurers and tech companies are all eager to leverage the information collected by connected cars. While there is a limit on how event data recorders can be used, no law governs the data captured by the other devices in cars, leaving a long list of devices open for use. The line created between being a benefit to the consumer and the potential threat to personal privacy and security is murky, the report points out. [Full Story]

Surveillance

US – Newly Declassified Memos Detail Extent of Improper Obama-era NSA spying

The National Security Agency and FBI violated specific civil liberty protections during the Obama administration by improperly searching and disseminating raw intelligence on Americans or failing to promptly delete unauthorized intercepts, according to newly declassified memos that provide some of the richest detail to date on the spy agencies’ ability to obey their own rules. The memos reviewed by The Hill were publicly released on July 11 through Freedom of Information Act litigation by the American Civil Liberties Union. They detail specific violations that the NSA or FBI disclosed to the Foreign Intelligence Surveillance Court or the Justice Department’s national security division during President Obama’s tenure between 2009 and 2016. Critics say the memos undercut the intelligence community’s claim that it has robust protections for Americans incidentally intercepted under the program. “Americans should be alarmed that the NSA is vacuuming up their emails and phone calls without a warrant,” said Patrick Toomey, an ACLU staff attorney in New York who helped pursue the FOIA litigation. “The NSA claims it has rules to protect our privacy, but it turns out those rules are weak, full of loopholes, and violated again and again.” The Hill reviewed the new ACLU documents as well as compliance memos released by the NSA inspector general and identified more than 90 incidents where violations specifically cited an impact on Americans. Many incidents involved multiple persons, multiple violations or extended periods of time. There also were several instances in which Americans’ unmasked names were improperly shared inside the intelligence community without being redacted, a violation of the so-called minimization procedures that Obama loosened in 2011 that are supposed to protect Americans’ identity from disclosure when they are intercepted without a warrant. Numerous times improperly unmasked information about Americans had to be recalled and purged after the fact, the memos stated. …The NSA also admitted it was slow in some cases to notify fellow intelligence agencies when it wrongly disseminated information about Americans. The law requires a notification within five days, but some took as long as 131 business days and the average was 19 days, the memos show. The new documents show that the NSA has, on occasion, exempted itself from its legal obligation to destroy all domestic communications that were improperly intercepted. Under the law, the NSA is supposed to destroy any intercept if it determines the data was domestically gathered, meaning someone was intercepted on U.S. soil without a warrant when the agency thought they were still overseas. The NSA, however, has said previously it created “destruction waivers” to keep such intercepts in certain cases. [The Hill |

US – Intelligence chairman accuses Obama aides of hundreds of unmasking requests

Intelligence Chairman Devin Nunes (R-Calif.), in a letter to Director of National Intelligence Dan Coats, is accusing top political aides of President Obama of making hundreds of requests during the 2016 presidential race to unmask the names of Americans in intelligence reports, including Trump transition officials. …National Security Adviser Susan Rice and CIA Director John Brennan have acknowledged making such requests though they insisted the requests were for legitimate work reasons. His letter noted requests from senior government officials, unlike career intelligence analysts, “made remarkably few individualized justifications for access” to the U.S. names. “The committee has learned that one official, whose position had no apparent intelligence related function, made hundreds of unmasking requests during the final year of the Obama administration,” Nunes wrote. “Of those requests, only one offered a justification that was not boilerplate.” Sources familiar with the Nunes letter identified the official as then-U.N. Ambassador Samantha Power. Nunes said he intends to introduce legislation to address concerns about the unmasking process impacting Americans’ privacy. Beginning in 2011, Obama loosened the rules to make it easier for intelligence officials and his own political aides to request that the names be unmasked so they could better understand raw intelligence being gathered overseas. The change has been criticized by liberal groups like the ACLU and conservatives like Nunes because of the privacy implications. [The Hill See also: Schumer uses Senate rule to scuttle meeting on ‘unmasking’ by Obama officials | Schumer Blocks National Security Briefing For Senate Committee | Senate Judiciary Committee to push for facts on alleged ‘unmasking’ by Obama officials | Was Obama administration illegal spying worse than Watergate? Explosive Revelation of Obama Administration Illegal Surveillance of Americans | Top Obama Adviser Sought Names of Trump Associates in Intel | Rand Paul offers backup to Trump on monitoring claims| Obama’s rule changes opened door for NSA intercepts of Americans to reach political hands | Lawmaker says U.S. foreign surveillance ‘unmasked’ Trump associates | Trump camp could have fallen into ‘backdoor’ surveillance | Trump’s Wiretapping Accusations: Here’s What the Government Can Actually Do | National Security Agency Databases Open for Business | Obama Expands Surveillance Powers on His Way Out

US – OTI Details Open-Sourced Surveillance Experiment

New America’s Open Technology Institute reveals a project it conducted this past April during the March for Science protests in Washington, D.C. The group made sensors designed to detect the presence of cell site simulators called Stingrays — technology that mimics cellphone towers in order to surveil smartphone metadata, content and location. “There is a nascent open source community coalescing around the idea of detecting cellular surveillance,” the report states. “Based on the available literature and documentation, the community has identified a number of possible identifiers that point to the presence of cell site simulators.” The project found, however, that available technology only allows for detection of 2G and 3G GSM networks. The group, together with other advocacy organizations, plans to create more advanced detection sensors and conduct further research on Stingray use. [Open Technology Institute]

Telecom / TV

CA – Rogers Transparency Report: Tower Dump Requests an Issue

Rogers has released its fourth transparency report, detailing the number of requests for customer information it received from government and law enforcement over 2016, and how many times it acquiesced to those requests. [See here] In its latest corporate responsibility report, competitor Bell refrained from citing specific numbers, while Telus’ transparency report for 2016 was included in its sustainability report, revealing a total of 65,183 requests. In 2015 report, Rogers focused largely on the landmark R. v. Rogers Communications ‘Tower Dump’ case, which entailed a 2014 police request for all data from a single operating tower that would have led to Rogers disclosing information involving over 30,000 customers. …This year, chief privacy officer David Watt stated that ‘Tower Dump’ requests are still something the carrier is patrolling closely: “In 2016, we continued to be vigilant with these requests and pushed back against 60% of the ‘Tower Dump’ orders we received, narrowing the requests so that information was only disclosed for about 10% of the customers who were part of the original request” In total, Rogers [says] that it received requests impacting 126,349 customers in 2016. [MobileSyrup]

US – Amazon pulls Blu smartphones following privacy concerns

After security firm Kryptowire discovered the smartphones created by Blu had software that collected users’ data and sent it to China without consent, Amazon has pulled the phones from its website. Blu said it has not committed any wrongdoing, while a company spokeswoman said Blu has “several policies in place [that] take customer privacy and security seriously.” Blu said it is in the process of review to resume sales of the phones on Amazon. “Because security and privacy of our customers [are] of the utmost importance, all Blu phone models have been made unavailable for purchase on Amazon.com until the issue is resolved,” Amazon said in a statement. [CNET]

US – Amazon to Suspend Sales of Android Blu Over Spyware Concerns

Amazon says it will suspend sales of Blu Android smartphones after a Black Hat presentation alleged that some Blu models send personal data to a company in China. Blu denies the allegations. The problem lies with a firmware updating utility called AdUps. AdUps was notified of the issue last fall, but has yet to make changes so that personal information is not sent. Read more in threatpost.com: Amazon Halts Sale of Android Blu Phone Amid Spyware Concerns | www.scmagazine.com: Amazon suspends sales of Blu Android phones amid spyware allegations.]

US Government Programs

US – DHS Partnership with Airlines for Traveler Verification Service Impacts Individual Privacy

The Department of Homeland Security provided the public with notice concerning U.S. Customs and Border Protection’s data processing activity plans in relation to the Traveler Verification Service. Privacy risks that cannot be fully mitigated include individual participation (the only way for a traveler not to be subject to biometric collection is to not travel, and U.S. federal privacy protections do not extend to non-U.S. citizens), purpose specification and use limitation (air carriers may use photos they collect consistent with their contractual relationship with travelers), and data minimization (DHS cannot limit the time that airlines retain the information collected for their own business purposes). [Department of Homeland Security – Privacy Impact Assessment Update for the Traveler Verification Services (TVS): Partner Process | Press Release | PIA update]

US – OPM CIO DeVries Criticizes GAO Cybersecurity Audit

The U.S. Office of Personnel Management Chief Information Officer David DeVries criticized an audit conducted by the Government Accountability Office. While the GAO praised the work the OPM has done following the massive data breach it suffered in 2015, it still found the agency to fall short in several areas, putting its IT assets at risk. DeVries sent a written statement to the GAO, saying the audit did not capture all the work the OPM has done since the incident. “GAO does not fully acknowledge OPM’s defense-in-depth strategy and compensation controls,” DeVries said. “OPM has applied a defense-in-depth strategy to efforts to enhance OPM’s cybersecurity posture, meaning there are many layers and aspects to OPM’s defensive strategy.” [BankInfoSecurity]

US Legislation

US – Bipartisan Lawmakers Introduce Trio of Email Privacy Overhaul Bills

The bills, introduced July 27, would take different approaches to update the decades-old Electronic Communications Privacy Act (ECPA).[See here] The 1986 law allows access to consumer emails stored more than 180 days with a subpoena or a court order. ECPA generally requires the government to obtain a warrant to access data stored for less time. Warrants must be supported by probable cause — a higher standard than needed for subpoenas or other court orders. The House passed its version of an ECPA update in February.[See H.R.387 here and here] The Senate bills are the first signs of life for the issue there this year. It’s unclear whether or when the Senate Judiciary Committee will consider any of the measures, which together signal that there isn’t agreement yet in the Senate about how to rewrite the law. The Senate measures take different approaches to updating ECPA. The Email Privacy Act ( S. 1654), introduced by Sen. Mike Lee and co-sponsored by Sens. Patrick J. Leahy (D-Vt.) and six other Republican and Democratic senators, is companion legislation to the Email Privacy Act [see H.R.387 here], which passed the House in February. The Senate bill would update ECPA to require law enforcement agencies to obtain a search warrant before accessing consumer communications no matter how long they are stored. The ECPA Modernization Act ( S. 1657) [see here], also introduced by Lee and co-sponsored by Leahy, includes a warrant requirement for access to consumer communications, but would also require a warrant for access to historical and real-time geolocation information, prohibit the use of communications and geolocation data obtained in violation of ECPA, and require notice within 10 days to individuals whose electronic communications were sought under a warrant. The International Communications Privacy Act (S. 1671) [see here], introduced by Sen. Orrin Hatch (R-Utah) and co-sponsored by Sens. Dean Heller (R-Nev.) and Christopher Coons (D-Del.), also contains search warrant requirement provisions for stored consumer communications. [BNA]

US – ECPA Reform Legislation Introduced

US legislators are working on a bill that would update the Electronic Communications Privacy Act of 1986 (ECPA). The new bill would require law enforcement to obtain a warrant prior to accessing stored electronic communications. The Senate’s version of the bill would also require a warrant for obtaining location data. Read more in: www.eweek.com: New U.S. Cyber-Security Legislation May Help Reassert Fourth Amendment and www.lee.senate.gov: Sens. Lee and Leahy Introduce ECPA Modernization Act

US – Revocation of Consent Under the TCPA

The basic principle of the Telephone Consumer Protection Act (TCPA) is that it seeks to prohibit a company from making “any telephone call to any residential telephone line using an artificial or prerecorded voice to deliver a message without the prior express consent of the called party.” What happens if an individual gives a company “express written consent” and later seeks to revoke that consent? Prior case law, and a 2015 Federal Communications Commission (FCC) ruling [see here], had stated that a consumer who freely gives informed consent may revoke it by “any reasonable means.” There have been various cases where the plaintiffs have successfully claimed that they revoked their initial consent and were therefore entitled to damages under the TCPA. The Second Circuit, in “Reyes v. Lincoln Automotive Financial Services, No. 16-2104-cv” [see here], however, draws a clear distinction with those rulings and comes out stating that express consent can, in certain cases, be irrevocable. The Second Circuit found that while there was sufficient evidence to support that Reyes had revoked consent, the TCPA does not allow for a party to revoke his express written consent to be contacted if that express written consent was given as part of a “bargained-for exchange” in a bilateral agreement. This is in stark contrast to prior cases in the Third [see here] and Eleventh [see here] circuits that stated that consent could in fact be revoked. [Source]

Workplace Privacy

US – Company Offering Microchip Implants for Employees

Employees of Wisconsin-based Three Square Market will have the option to have a radio-frequency identification biochip implanted into their hands for work purposes. Employees who agree to the program can use the chip to make purchases in their offices, open doors or log in to their computers. “We foresee the use of RFID technology to drive everything from making purchases in our office micro markets, opening doors, use of copy machines, logging in to our office computers, unlocking phones, sharing business cards, storing medical/health information, and used as payment at other RFID terminals,” 32M CEO Todd Westby said. “Eventually, this technology will become standardized, allowing you to use this as your passport, public transit, all purchasing opportunities.” The company is expecting more than 50 employees to undergo the procedure. [ZDNet]

 

+++

 

Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: