04-18 August 2017

Biometrics

US – FBI Can Keep Secret Who’s in its Biometrics ‘Mega Database’ –Justice Dept.

The FBI has obtained a legal exemption from federal privacy laws, allowing the agency to keep secret whose data it has stored in its vast biometrics database. A final rule published in the federal register by the Justice Dept. says that the Next Generation Identification (NGI) system will not be subject to several key protections and provisions covered under the Privacy Act, which allow for judicial redress and opting out of the database altogether. “The FBI’s massive biometric database includes the information of individuals who apply for citizenship or must get a background check as a condition of their job decision The Bureau’s decision to exempt this database from basic privacy protections invites abuse” said the ACLU. Described as a “mega-database” by the ACLU, the NGI system contains millions of fingerprints, photos for facial recognition, iris patterns, and a voice and gait recognition database from a variety of government and non-law enforcement sources — including those who apply for jobs, security clearance, and immigration purposes. A FOI request by the Electronic Privacy Information Center found that the database had a 20 percent search error rate on facial recognition matches, a rate that the FBI is “prepared to accept.” Security researcher Bruce Schneier said (via an EFF report) that even a 90% accurate system will “sound a million false alarms for every real terrorist.” The rule will go into effect on August 31. [ZDNet]

WW – Report: Biometrics Plays Increasing Data Security Role in Public Service

Accenture released a new report, Emerging Technologies Make Their Mark on Public Service, which found the use of biometrics and advanced analytics plays an increasingly critical role in data security and privacy across government and public service agencies. Based on a survey of nearly 800 public service technology professionals in nine countries, the report found that 73% of respondents cited “improved data security and privacy protection as the leading benefit of investing in emerging technologies.” The report also found that the public safety industry has the highest adoption rate of biometric technologies and that 69% of all respondents said they are deploying or considering deploying biometric technologies. [Source]

Big Data

US – CDT Launches Digital Decisions Tool

The Center for Democracy & Technology announced the launch of its first public version of the digital decisions tool aimed at enabling developers to understand and mitigate what the CDT sees as the unintended bias and ethical pitfalls associated with designing automated decision-making systems. The interactive digital decisions tool encourages developers to think critically and methodically by adding a series of questions to consider during the designing and deploying process of an algorithm in order to help shape a fair outcome for all. The CDT is currently seeking feedback. [CDT.org]

WW – AI Diagnoses Depression Through Photo Analysis

Researchers at Harvard University and the University of Vermont released a study suggesting that artificial intelligence can detect depression by analyzing the color, shading, and editing of Instagram photos. The study shows that their algorithm could correctly detect depression in 70% of the test subjects who had been diagnosed with depression within the past three years while general practitioners were able to identify 42% through in-person evaluations. While researchers believe this is not a direct comparison, they do identify it as a tool that could potentially help diagnosis delivery in the future by alerting a practitioner to signs of depression. [Seeker]

Canada

CA – Lawyers Try to End Warrantless Phone Searches at Border

Supreme Court of Canada judges have found, a smartphone can contain “immense amounts of information” that touch a person’s “biographical core.” They’ve acknowledged that laptops create detailed logs and trails of data that can be used to retrace a person’s steps in ways that physical documents can’t. And lawyers have successfully argued that smartphones and laptops, far from being static stores of information, are in fact portals to the near-limitless volumes of data stored in the cloud — from social media profiles to email accounts and file-sharing apps. It was in this context that a Manitoba provincial court judge Donovan Dvorak last year [see here] made a significant ruling: just as Section 8 of the Charter of Rights and Freedoms protects Canadians from unreasonable search and seizure, that right should also apply at the border when an officer asks to search your smartphone or laptop. The judge called into question the federal government’s long-held position that the Customs Act gives it the broad power to search personal electronic devices without a warrant or limitations, under its definition of importable goods. Judge Donovan Dvorak ruled that if border officers are to search phones, they have to abide by the limits defined in the 2014 Supreme Court case R. vs. Fearon, which dealt with cellphone searches incidental to arrest. It was decided that for a search to be lawful in such scenarios, there would have to be a relevant law enforcement purpose for the search, the search could not be indiscriminate, and officers would be required to take detailed notes on what was searched and how. Across Canada, an increasing number of lawyers are arguing more or less the same thing: that warrantless smartphone searches at the border are unconstitutional, and the practice should be stopped or at least limited. CBC News learned of four cases which lawyers are arguing their clients’ electronic devices were unlawfully searched under the Customs Act. [These are: 1) R. vs. Sikailey (Ontario); 2) vs. Vaillancourt (Manitoba); 3 R. vs. Askari (Alberta); and 4) R. vs. Canfield (Alberta)] Each of these cases focuses on Section 99(1)(a) of the Customs Act, which gives border officers the power to, “at any time up to the time of release, examine any goods that have been imported and open or cause to be opened any package or container of imported goods and take samples of imported goods in reasonable amounts.” But it’s not yet clear if Judge Dvorak’s ruling will stick. Federal government lawyers argued in May they should have been notified before such questions were raised to give them the chance to respond. The Crown has since been granted the chance to submit arguments that the law is reasonable as is. [see here] [CBC News | See also See: Canada’s privacy czar raises flag over planned U.S. border password searches | Privacy commissioner investigating Canada Border Services Agency over electronic media searches | Allan Richarz: What, if any, rights to privacy do you have when crossing the border?]

CA – CSE Commissioner Tables Annual Report in Parliament

The Annual Report of the Communications Security Establishment Commissioner, the Honourable Jean-Pierre Plouffe, CD, was tabled in Parliament. [see here] The Commissioner made five recommendations: 1) that CSE make clear in memoranda of understanding with foreign entities the limitations of CSE’s foreign SIGINT activities and that it cannot receive information that may have been acquired by directing activities at Canadians; 2) that CSE apply caveats consistently to all exchanges and that it use appropriate systems to record all information released; 3) that CSE issue over-arching guidance to establish baseline measures for information exchanges; 4) in the context of foreign signals intelligence ministerial authorizations, that CSE reporting to the Minister on private communications explain the extent of privacy invasion. There is a distorted view of the number of Canadians or persons in Canada involved in communications intercepted by CSE as a result of the technical characteristics of certain communications technology and the manner in which CSE counts private communications; and 5) that CSE always obtain written legal advice from Justice Canada concerning the retention or use of an intercepted solicitor-client privileged communication. [Office of the CSE Commissioner]

CA – NL OIPC Rules Sunshine List/RNC Blunder an Accident

The NL OIPC has concluded that a privacy breach that led to the salary and employee ID information of some Royal Newfoundland Constabulary officers being published online earlier this year was accidental. [See OIPC PR here & 17 pg pdf Report here] The information was published as part of the 2016 Sunshine list, which listed people who made more than $100,000 while working for the N.L. government or one of its boards or agencies. Government had agreed to a request from the RNC Association to leave the names of 167 police officers off the list for safety reasons, but their names were included in public spreadsheets released on June 30 anyway. [CBC News]

CA – Police Need Search Warrant to Get Hydro Records in Grow-Op Cases: Court

The Ontario Court of Appeal has ruled [see here] that police investigating a suspected marijuana grow-op in a Hamilton home needed a search warrant to obtain hydro records from a local utility company. The landmark decision sends a clear message to law enforcement agencies and hydro companies, says Toronto cannabis lawyer Paul Lewin. Despite the fact the court did not exclude the marijuana and cash seized — so the convictions for possession for the purpose of trafficking and possession of proceeds of crime, were upheld – the case is nonetheless a positive development for cannabis growers and privacy advocates, Lewin said. The province’s high court rejected the Crown argument that the appellants did not have a reasonable expectation of privacy in the data. “The examination and use of the data by the police was not authorized by law, and therefore could not be reasonable within the meaning of s. 8 of the Charter,” Justice David Doherty, writing on behalf of the panel, wrote in a decision released Aug. 11. “The appellants’ right to be free from unreasonable search and seizure was breached.” [Toronto Star]

CA – BC OIPC Launches Probe into Translink Data-Sharing with Police

BC’s information and privacy office will investigate TransLink’s disclosure of rider data after a Tyee story revealed the transportation authority is increasingly sharing users’ personal information with law enforcement agencies. “In light of reports that TransLink shared its riders’ Compass fare card information with law enforcement agencies, I launched an investigation into the transportation authority’s collection, use, and disclosure of its ridership’s personal information,” said Acting Information and Privacy Commissioner Drew McArthur in a statement. Documents obtained through freedom of information by The Tyee’s Bryan Carney showed [see here] that the Metro Vancouver transportation authority is routinely providing police personal information of transit users — including where they travelled — without warrants or notification to individuals. The documents show TransLink has received 132 requests from law enforcement agencies for information on transit users so far in 2017, and granted 82 requests. If the rate continues for the full year, the number of requests granted will have jumped 30% over 2016. [The Tyee | See also: TransLink Should Review Policy on Info Sharing with Police, Says Privacy Advocate | TransLink Increasingly Sharing Riders’ Personal Information, Travel With Police | Metrolinx is reviewing its privacy policy, and you’ll have a chance to weigh in | Metrolinx to review Presto privacy policy | Metrolinx has been quietly sharing Presto users’ information with police | Presto tracking a privacy issue | Regina, Saskatoon Transit have provided police with transit card information in investigations | Winnipeg Transit gave Peggo card travel history to police without warrants | Vancouver transit’s Compass card system poses privacy concerns]

CA – Agreement Needed for RNC to Access MRD Database: Privacy Commissioner

NL Information and Privacy Commissioner Donovan Molloy is recommending that the RNC Royal Newfoundland Constabulary be barred from access to the Motor Vehicle Registration database if an Information Sharing Agreement is not put in place between the two parties. Service NL’s Motor Registration Division (MRD) handles a huge amount of information and the Privacy Commissioner conducted an audit to ensure that third parties with access to the database are protecting the privacy of those individuals. [See PR here & IPC Report here] [VOCM News]

E-Government

US – Advice from DEF CON’s Voting Village

Def Con attendees were given the opportunity to hack decommissioned electronic voting machines. They found numerous security holes, particularly in systems that do not provide paper trails. Municipalities and states would be well-advised to start addressing voting security issues as soon as possible. Recommendations include retiring outdated machines; securing voter registration systems and databases; requiring the use of risk-limiting audits where electronic voting machines are used; changing rules for voting systems’ procurement and maintenance; and training election officials in the use of cryptographic keys. [Wired]

Electronic Records

WW – Can Ethereum Blockchain Solve the Social Media Privacy Problem?

Most would agree that the top drawbacks to social media are the loss of personal privacy, data protection and ownership of information. However, the ‘centralized’ control model of social media might be a thing of the past, however, thanks to the next-generation ‘decentralized’ models of social media, based on blockchain technology. One such project is ‘Indorse‘—a reward-based decentralized professional network on the Ethereum blockchain. Indorse uses a LinkedIn-style professional networking model, wherein members retain the ownership of data while earning rewards for sharing their professional skills and using the platform. In its White Paper, Indorse highlights: “To be clear, we are not against advertising, and we are most certainly not against social media. However, we are against the centralization of social media. We believe the solution is a new model of social networks—a decentralized one that places ownership of information back in the hands of the members.” The project Indorse will create a parallel decentralized version of a professional networking platform. Like Indorse, other such projects are together building a decentralized world. Together, decentralized platforms and tokenization are emerging in a big way and if the trend continues—more regulatory and legality angle with get attached to it over time. Investopedia Also See: Will blockchain be the saviour of cybersecurity? | Block Chain Market: Demand for Improved Privacy of Patient Data to Steer Growth | The big business revolution: why the future is blockchain | US Government Funds Blockchain Key Management Tool With $794k Grant  | How Blockchain Can Improve The Health Information Exchange | Encrypgen Uses Blockchain to Usher in New Era of Genetic Privacy | The Present Use and Promise of Blockchain in Insurance | Blockchain and healthcare privacy laws just don’t mix | Google’s DeepMind plots healthcare data auditing system secured by blockchain | Why Data Security is Critical with Healthcare Blockchain | A Complete Beginner’s Guide To Blockchain | Blockchain’s brilliant approach to cybersecurity | Legal implications of expanded use of blockchain technology | Blockchain Healthcare Conference Showcases Skepticism and Promise | IEEE Launches World’s First Virtual Blockchain Workshop Dedicated to Advancing HealthTech for Humanity | Hyperledger Plans Blockchain Healthcare Group | Healthcare blockchain ideas swirl at government conference]

Encryption

US – How NIST Digital Authentication Guidelines Could Help Health Care

In June, the National Institute of Standards and Technology released a new version of its digital identity guidelines designed to help federal agencies seeking to create a secure authentication process, but, it could help the health care industry, as well. Phishing, social engineering, and lost or stolen items are among the risks organizations face when attempting to secure their authorization process. NIST suggests several ways to mitigate those threats, including extending training for subscribers, implementing system and network security controls, and installing multiple steps to access a system. [HealthITSecurity]

WW – Microsoft Unveils Blockchain-Enhancing Framework

Microsoft has released a technical whitepaper on a framework designed to improve the performance, and privacy, of blockchain. The Coco Framework is expected to be made available on GitHub in 2018 as an open-source project, where it will help strengthen several blockchain ledgers. Coco currently supports 10 different ledgers. “We think blockchain will transform pretty much every industry,” said Azure Chief Technology Officer Mark Russinovich. “We’re working with customers and partners to make it easier for them to play with.” [ZDNet]

EU Developments

EU – General News

  • European Data Protection Supervisor Giovanni Buttarelli said the EU-U.S. Privacy Shield agreement is “an interim instrument for the short term. Something more robust needs to be conceived.” [More]
  • A new U.K. Data Protection Bill would make it easier for people to access personal data held by an organization, withdraw consent for processing and request deletion of data, plus gives regulators increased fining powers. [Sky News]
  • Ireland’s Data Protection Commissioner has released guidance on the appropriate qualifications for a data protection officer. [More]
  • Russian President Vladimir Putin has signed a pair of bills prohibiting the use of virtual private networks and eliminating the anonymous use of instant messaging services. [Radio Free Europe]

FOI

CA – Third Parties Cannot Determine If Request is Frivolous or Vexatious

The Ontario Information and Privacy Commissioner reviewed an appeal by General Motors Canada regarding the Ministry of Economic Development, Employment and Infrastructure’s decision to disclose public records, pursuant to the Freedom of Information and Protection of Privacy Act. Frivolous or vexatious discretion is not intended to be available to outside parties objecting to disclosure of records that would otherwise be subject to disclosure simply because of the requester’s motives or nature of the request; the identity of the requester is generally not relevant to the decision-making process of a public body. [IPC ON – Order PO-3738-I – Ministry of Economic Development Employment and Infrastructure]

Genetics

US – Genetic Testing Back on Radar for Parents

After a federal bill protecting patients from genetic discrimination passed in the spring, familiar faces began to appear at Dr. Ronald Cohn’s door. Cohn is the pediatrician-in-chief for SickKids Hospital, and over the last few months, he’s been fielding new conversations with parents of young patients, who’ve previously sat down with him to discuss genetic testing. The tests could be recommended for any number of reasons, whether to find the most effective treatment for a known condition or to diagnose a mystery slate of symptoms their child was living through. But, prior to March this year, the results of that test weren’t legally protected from discrimination, discouraging some parents from giving their consent. After the Genetic Non-Discrimination Act, or Bill S-201 [see here], passed in March — ensuring no person can be required to undergo genetic testing or disclose previous results — many of those parents are re-appearing at Cohn’s door. [The Star See also: New genetic non-discrimination law will promote privacy and human rights in Canada | Canada expands protection of individual rights with new legislation on genetic testing and privacy | Genetic privacy bill to go to Supreme Court | Canada Passes Legislation Protecting Genetic Information | Canada’s new genetic privacy law is causing huge headaches for Justin Trudeau | Genetic non-discrimination bill unconstitutional: Trudeau | Liberal backbenchers defy cabinet wishes and vote to enact genetic discrimination law | Does this genetic testing bill threaten the insurance industry? | Life insurers’ new genetic test policy called an 11th-hour stalling attempt | Canadian insurance industry pens rules on use of genetic test results | Genetic discrimination private member’s bill pits Grit backbenchers against cabinet | Canada: Genetic Discrimination And Canadian Law | Genetic testing bill perpetuates myths and fears]

US – Researchers Show How Encryption Could Protect DNA

Researchers at Stanford have published a study showing how to apply “genome cloaking” to DNA samples so that 97% of a participant’s unique genetic information remains hidden from anyone other than the DNA owner during analysis. The process reportedly includes using an algorithm to encrypt their DNA while uploading it to a cloud where researchers are then able to analyze the specific point they are examining. Researchers say that this will help address the 2008 Genetic Information and Nondiscrimination Act, which is reported to have significant loopholes and raises concerns over DNA discrimination. Gill Bejerano, one of the researchers, said, “Now we can perform powerful genetic analyses while also completely protecting our participants’ privacy.” [Gizmodo]

Health / Medical

US – Federal Court Says Your Prescription Records Aren’t Really Private

When you fill a prescription at your local drug store, you would surely bristle at someone behind you peeking over your shoulder — but in a [recent] decision [also see here], a federal court in Utah said that you have no Fourth Amendment right to object when the peeker is the U.S. government. In a case challenging the Drug Enforcement Administration’s warrantless access to patient prescription records stored in a secure state database, the court relied in part on an outdated legal doctrine to rule that a “patient in Utah decides to trust a prescribing physician with health information to facilitate a diagnosis,” and thereby “takes the risk that his or her information will be conveyed to the government.” That’s hard to swallow — and it helps make very clear the huge stakes of our upcoming Supreme Court argument in United States v. Carpenter, which concerns the role of the so-called “third-party doctrine” in opening up all kinds of sensitive records to warrantless searches by police. [ACLU | See also: Police are now tracking your prescription drugs | With executive order, Missouri becomes last state to start drug database | Federal judge orders Utah to turn over prescription drug database to DEA | Police access to prescription drug monitoring database draws privacy concern in opioid crisis | With executive order, Missouri becomes last state to start drug database | ACLU fights against warrantless searches of drug database | DEA Wants Inside Your Medical Records to Fight the War on Drugs | Feds accessing medical records without warrants]

US – Recording Medical Visits Could Be a Growing Trend

The growing practice of recorded medical visits and can be used as a tool to help patients remember important details. Describing the difficulty patients face when trying to remember details of the visit and interpret complex medical language, researchers point to how recording conversations is a practice they would like to see embraced. Only 11 states reportedly need both parties’ consent to record, and in 39 states, plus the District of Columbia, only one party’s consent is necessary under wiretapping or eavesdropping laws. Some physicians, however, have expressed concerns the recordings could find their way into malpractice cases. It also raises questions about who owns the data. [Hong Kong]

Horror Stories

US – Data Breach Exposes Sensitive Info of 1.8M Illinois Voters

A data breach has exposed the sensitive information of 1.8 million Illinois citizens. Cyber resilience firm UpGuard found an Amazon Web Services device controlled by leading voting machine supplier Election Systems & Software. The device was not protected by a password and compromised information included citizens’ names, addresses, dates of birth, partial Social Security numbers, party affiliations and, in some cases, driver’s license and state ID numbers. [Gizmodo]

US – Anonymous Affiliate Releases PII of 22 GOP Lawmakers

A group affiliated with online activist group Anonymous has published what it claims to be the private cellphone numbers and email addresses for 22 Republican members of Congress. In a move that marked the end of nearly two years of silence, the release is believed to be part of a bid to push for the impeachment of U.S. President Donald Trump. Rob Pfeiffer, chief editor of The Anon Journal, said the release was spurred by Trump’s reaction to the violent clashes in Charlottesville. [The Washington Post]

US – Vancouver Pot Dispensary Patient Data Breach Highlights Regulatory Haze

Sensitive patient data supplied to a Vancouver cannabis dispensary has been either mishandled or — according to the shop’s owner — stolen, a situation again highlighting the cloud of confusion over the regulation of retail pot. A tipster found a computer memory card in a Vancouver alley, containing more than 1,000 photos of people taken inside a west-side dispensary, as well as digital copies of private medical documents. Postmedia reviewed and confirmed the contents of the memory card, but is not identifying the dispensary, because it was not immediately possible to confirm how the disk was obtained. The tipster who provided the disk said he was unsure if it ended up in the alley due to negligence or “some criminal act that led to the memory card being stolen or otherwise taken from the dispensary.”  [Vancouver Sun]

Identity Issues

UK – New Law Could Criminalise Uncovering Personal Data Abuses, Advocate Warns

The new UK data protection bill [see here & here] will contain a clause making it a criminal offence to “intentionally or recklessly re-identify individuals from anonymised or pseudonymised data”. The maximum penalty under the new law would be an unlimited fine. Lukasz Olejnik [see here], a Princeton cybersecurity and privacy researcher, warns that the government’s proposed data protection bill may criminalise the research that highlights these problems, while doing nothing to stop the spread and release of poorly anonymised data. Olejnik said: “It’s a justified risk. Security and privacy research requires assessing system strength, including trying to break de-identification and anonymisation systems. This can be done by demonstrating re-identification. When faced with ‘unlimited fines’ and unspecified provisions, I cannot imagine anyone risking conducting research for public good.” A similar proposal in Australia also led to concerns from security researchers there. Melbourne University researchers argued that a ban on re-identification “could inhibit open investigation, which could mean that fewer Australian security researchers find problems and notify the government”. As a result, “criminals and foreign spy agencies will be more likely to find them first”, they wrote. The UK data protection bill will not be published in full until the end of the summer recess, and is expected to be voted on in the current parliamentary term. [The Guardian | Also See: The new UK Data Protection Bill will criminalise failures under GDPR | Re-identifying folks from anonymised data will be a crime in the UK | NZ privacy commissioner recommends Australia’s data re-identification criminalisation lead | Data re-identification criminalisation law should be passed: Senate committee | Brandis flags Privacy Act changes to protect anonymised data | Brandis to criminalise re-identifying anonymous data under Privacy Act | Research work could be criminalised under George Brandis data changes]

AU – Australia Adds Personal Identifiers on Postal Vote

The Australian Bureau of Statistics’ decision to include personal identifiers on ballot papers for a same-sex marriage postal vote next month has raised concerns over the separation of voter identity and vote cast. Monique Mann, co-chair of the surveillance committee of the Australian Privacy Foundation, warns, “There is a real potential for a chilling effect — if people believe that their vote in the survey is not secret, that may influence the way they choose to vote, or indeed if they vote at all.” The ABS maintains that survey responses would be “anonymous and protected under the secrecy provisions” of the Census and Statistics Act and is reported to help protect against fraud and multiple voting. [Guardian]

AU – Australian Government Reports on Metadata Requests and Use

The annual Attorney General’s Department report on the operation of the Telecommunications (Interception and Access) Act saw 325,807 requests made to access metadata in the 2015–16 period, a slight reduction in the number of requests compared to the previous year. A 2015 law required Australia’s telephone and internet service providers to maintain customer metadata, including a variety of customer details, which the Australian government can access without a warrant. Thanks to a mutual assistance treaty signed with China, it is also reported that Australia provided the Chinese government with “documents, records and articles of evidence” in relation to criminal activity. A spokesperson for Attorney General George Brandis assured that their cooperation with foreign governments is “subject to safeguards to ensure compliance with our international human rights obligations.” [BuzzFeed News]

WW – New Coalition Aims to Educate on Data Sanitization

A group of stakeholders has launched the International Data Sanitization Consortium to encourage IT professionals to follow best practices around destroying and deleting old data. “I am astounded by how little is known and understood about data sanitization,” Blancco Chief Strategy Officer Richard Stiennon said. “The vast majority of organizations today aren’t undertaking the necessary steps to implement a data sanitization process and are leaving themselves vulnerable to a potential data breach,” he said, adding, “This is both disappointing and alarming — and something we at the IDSC hope to change through ongoing education and guidance.” [Healthcare IT News]

Internet / WWW

UK – British Library’s Internet Archives Exempt from New UK Privacy Law

The internet archives maintained by the British Library will be exempt from recently introduced privacy legislation designed to expand the “right to be forgotten.” The law will align the U.K. with the EU GDPR, but the new rules offer exceptions for information, including the British Library’s archives and medical records collected by the National Health Service. While the British Library is “pleased” with the exemption, it said the government has not explained the way the exclusion will work in practice. “We are in ongoing dialogue with the Data Protection Bill team to ensure that possible risks to the activities of the British Library and similar institutions can be appropriately managed,” the library said in a statement. [Bloomberg Technology]

Law Enforcement

CA – New RCMP Dashcams Coming After Previous Ones Discontinued

The Saskatchewan RCMP said an in-car video system was discontinued n favor of a pilot project with new dashcam technology that began in May 2017. It expects to go provincewide with the in-car digital video systems once the pilot wraps at the end of August. Some citizens have expressed concerns about not knowing if they’re being recorded. Some research has suggested the cameras can create an over-reliance on video and a reduction in attention to detail. Recording can add up, and needs to be clarified in policy because of cost as well as transparency. People will question the circumstances in which a camera was turned on and off. There are also questions around privacy, regarding who has access to the video and when it can be used in the future. [CBC]

US – Police Body Camera Company Stoking Privacy Concerns

After high-profile police killings and clashes with protesters over the past several years, civil rights advocates have pressed law enforcement officers to wear body cameras, so that there would be an indisputable video record of any police confrontation. Some police departments have been reluctant to adopt the technology. But now, one of the major camera companies is offering police a free trial to use its technology in a move that raises both civil liberties and budgetary questions for communities across America. In April, Axon [formerly Taser International see here] unveiled an offer for police departments to try its body cameras for free for one year. That offer helps Axon get its cameras into more police departments, knowing that the company stands to make huge profits not from the sale of cameras but rather from its attendant cloud video storage platform, www.Evidence.com. The video footage collected by its cameras is helping Axon build out its artificial intelligence business, which requires massive amounts of data to train computers to operate autonomously and in unprecedented ways that could vastly expand police surveillance and targeting. By giving the cameras to police departments, Axon is able to collect even more of the data it needs, in effect using the enticement of a free trial offer to build out its video analytics and computer vision business — all on the backs (or rather, torsos) of local police departments. As part of its quarterly earnings report, Axon disclosed that it has received inquiries about its free trial from more than 1,500 law enforcement agencies. With computer vision capabilities, Axon body cameras could be used to identify persons of interest through recorded video — turning a tool for police accountability into a new surveillance mechanism. Machine learning could enable Axon’s software to train itself on patterns of movement it deems “suspicious” and generate new lists of suspects for police to investigate. To begin, however, Axon will most likely use its AI capabilities for the less-alarming tasks of redacting videos and generating reports. On last week’s earnings call, Smith said those features could roll out as soon as the end of this year. Axon’s willingness to take a loss on camera sales can be explained in by its short-term profitability off of cloud storage and its long-term vision to turn itself into a software company specializing in computer vision for law enforcement. But that development raises significant privacy concerns for Axon’s technology to be used in surveillance and predictive policing. [International Business Times | TASER’s Free Body Cams Are Building a Massive Police A.I. | Real-Time Face Recognition Threatens to Turn Cops’ Body Cameras Into Surveillance Machines ]

Location

US – Absent Warrant, Police Could Monitor Anyone Via Location Data: ACLU

Lawyers have filed their opening brief at the Supreme Court in one of the most important digital privacy cases in recent years. Carpenter v. United States [also see here], asks a simple question: is it OK for police to seize and search 127 days of cell-site location information (CSLI) without a warrant? Previously, lower courts have said that such practices are compatible with current law. But the fact that the Supreme Court agreed to hear the case suggests that at least four justices feel that perhaps the law should be changed. Carpenter’s attorneys, many of whom are from the ACLU, argue in their filing [August 7; see here] that the current legal standard gives the government too much leeway. They write: “the government could use this tool to monitor the minute-by-minute whereabouts of anyone—from ordinary citizens to prominent businesspersons to leaders of social movements.” Previously, the Supreme Court found that there is no privacy interest in “business records” disclosed to a company—like location data, for instance—under the so-called “third-party doctrine.” [ArsTechnica | See also: Digital Privacy to Come Under Supreme Court’s Scrutiny | Third party rights and the Carpenter cell-site case | How should an originalist rule in the Fourth Amendment cell-site case? | Carpenters, Carriers, and Cell-Sites (Oh My!): SCOTUS to Hear Mobile Locational Privacy Case | ‘Carpenter v. United States,’ the Fourth Amendment historical cell-site case | Justices to tackle cellphone data case next term (more details) | U.S. Supreme Court to Consider Whether the Fourth Amendment Protects Cell-Location Data | U.S. Supreme Court to settle major cellphone privacy case ]

Online Privacy

CA – Police Investigating Toronto “Snitches” Website

The man who set up a website that reveals the age, identity, home address of purported “snitches” or police informants across the GTA says he only targets non-violent “career” criminals and does not advocate violence or vigilantism against them. Adam Louie says he set up the website, “Golden Snitches,” [see here] in order to protect people from becoming ensnared by known police informants who he says are themselves involved in criminal activity. Louie says when someone submits a profile to be posted, he speaks to them, speaks to people possibly incarcerated as a result of the allegation, as well as their lawyers. He said some have threatened to commence legal action against him, but none have actually followed through to date. A Toronto police spokesperson said the service is aware of the website. “I can’t comment on its legitimacy but there is an ongoing investigation and we are aware of its existence.” Louie said the site represents a public service and is not meant to bring harm to anyone. [CP24]

WW – Can You Trust Cheap Chinese Phones with Your Privacy?

Should you trust a low-priced Android phone from a brand you’ve never heard of with your security and privacy? It might not be such a wise idea. Many low-priced Android smartphones have had security and privacy problems. In late July, Russian antivirus firm Dr.Web reported that models sold under the Leagoo and Nomu names had a malicious program built right into the firmware. Then, just last week, Amazon suspended sales of phones marketed by BLU after researchers reported that snooping adware was built into the devices. (By Friday, Amazon was selling the phones again.) The upshot is this: You should really think twice before buying an Android phone from an unfamiliar manufacturer. Be wary of any smartphone that costs less than $100 unlocked. If a smartphone doesn’t cost much, and doesn’t make you watch ads, then you have to wonder how else the company makes money. [Tom’s Guide]

US – Facebook to Protect the Privacy of Deceased Users

Although Facebook admits that it may not have all the answers when it comes to the death of a user, it is taking steps to ensure privacy and enhance empathy after a user passes away. By designating a “Legacy Contact,” Facebook allows a contact of the user’s choosing to have access to the periphery of the deceased’s account and grants them the ability to delete the account or designate it as a memorialized profile. The Legacy Contact, however, will not be able to change or delete old posts or remove friends. Facebook Director of Global Policy Management also stated that no one will have access to conversations. “In a private conversation between two people, we assume that both people intended the messages to remain private.” [TechCrunch]

Other Jurisdictions

AU – Australia’s Data Retention Scheme Detailed in Report

A recent report shows that Australian telecommunications companies are left with an AU$70 million gap to cover the cost of ensuring data-retention obligations. Under regulations passed in March 2015, telecommunications carriers “must store customer call records, location information, IP addresses, billing information, and other data for two years, accessible without a warrant by law-enforcement agencies.” From 2015 to 2016, the report states that 63 enforcement agencies made 333,980 authorizations for retained data, of which 326,373 were related to criminal law. Most requests reportedly stem from illicit drug offenses, followed by miscellaneous, homicide, robbery, fraud, theft and abduction. [ZDNet]

Privacy (US)

US – Google Must Turn Over Data Stored Abroad Sought Under U.S. Warrant

Alphabet Inc.’s Google has lost a bid to overturn a magistrate judge’s order forcing the company to turn over Gmail data stored abroad in response to a federal warrant (In re Google Inc. , N.D. Cal., No. 16-mc-08263, review denied 8/14/17 ).[See Amicus Brief form Microsoft, Amazom, Apple & Cisco here] Judge Richard Seeborg of the U.S. District Court for the Northern District of California Aug. 14 upheld [also see here] a magistrate judge’s order denying Google’s motion to quash the warrant. Google must turn over all content that is “accessible, searchable, and retrievable from the” U.S. pursuant to the lawful warrant under the Stored Communications Act (SCA) [see here], Seeborg said. The SCA warrant, served on U.S.-based Google, was a “domestic application of the statute” because the data is “easily and lawfully” accessed and disclosed in the U.S., he said. Also, the “conduct relevant” to the warrant occurred in the U.S., he said. Google fought to quash the warrant and overturn the magistrate judge’s opinion because it believed that the SCA warrant was applied beyond U.S. borders in violation of the statute and turning over the data would flout user privacy interests. The U.S. Court of Appeals for the Second Circuit’s ruling in Microsoft v. United States that Microsoft need not turn over emails stored in Ireland to law enforcement because the SCA warrant didn’t reach data stored in overseas data centers isn’t being followed by district courts. The U.S. Department of Justice June 23 asked the U.S. Supreme Court to review the Microsoft decision. The justices haven’t issued a decision on the request. Seeborg reached this decision in part because Google moves data around from one location to another automatically for business optimization purposes. Google’s algorithmic-based storage may be the reason why the case differs from the Second Circuit’s Microsoft case. Timothy Newman, privacy and cybersecurity associate at Haynes & Boone LLP in Dallas, said that courts are having “an easier time enforcing these warrants when the location of the data is determined by an algorithm and not based on user-specified location.” [BNA.com | See also: Apple, Amazon, and Microsoft are helping Google fight an order to hand over foreign emails | SF Judge Hands Google Another Loss on Foreign-Stored Data | US judge orders Google to hand over data to the FBI from overseas emails | Judge Breaks Precedent, Orders Google to Give Foreign Emails to FBI | Google must turn over foreign-stored emails pursuant to a warrant, court rules | Microsoft’s cloud privacy battle may go to US Supreme Court | Court Declines to Reconsider Microsoft Email Seizure Ruling | Court Keeps Microsoft’s Irish Servers Safe From U.S.  | US government wants Microsoft ‘Irish email’ case reopened  | Lawmakers question DOJ’s appeal of Microsoft Irish data case | Microsoft Cloud Warrant Case Edges Closer to Supreme Court | Government Seeks Do-Over On Win For Microsoft And Its Overseas Data

US – EFF’s Court Brief Urges Warrants for E-Device Searches at Borders

The EFF has filed a court filing [in the appeal of “United States v. Molina-Isidoro” – see here] pressing for warrants be required for searches of mobile phones, laptops and other digital devices by federal agents at international airports and U.S. land borders — describing these as “highly intrusive forays into travelers’ private information”. [See EFF PR here] [Also see news coverage here & here & here] Such searches are currently allowed under an exception to the Fourth Amendment for routine immigration and customs enforcement. However, the EFF says digital device searches at the U.S. border have more than doubled since the inauguration of President Trump. In July, the U.S. Customs and Border Protection agency also clarified that its policy allowing warrantless border searches is restricted to locally stored data — meaning cloud services cannot be legally searched without a warrant. However the average device owner still likely holds a lot of data on their devices, from documents, to offline email to smartphone photos and videos. The EFF notes that border agents opened the defendant’s Uber and WhatsApp apps when they searched her device — implying that cloud data may have been accessed as part of the search. “There is no indication that border agents put her phone in airplane mode or otherwise disconnected it from the Internet when they accessed these apps,” the filing states. The document also refers to the Supreme Court holding that police require a warrant to search the content of a phone seized during an arrest — with the EFF arguing the same principle should apply to the digital devices seized at the border. [TechCrunch | Also See: Cellphone Privacy: Homeland Security Chief Acknowledges Searches of U.S. Citizens’ | Lawyers demand answers after artist forced to unlock his phone | Lawmakers Move To Stop Warrantless Cellphone Searches at the U.S. Border | Lawsuit Seeks Transparency as Searches of Cellphones and Laptops Skyrocket at Borders | Digital Privacy at the U.S Border: A New How-To Guide from EFF | Border agents could be forced to get a warrant before searching devices | Wyden objects to DHS password collection plan | Sen. Wyden Calls for Warrants for Tech Searches on the Border | Wyden to Introduce Legislation Limiting Phone Searches at Border | A US-born NASA scientist was detained at the border until he unlocked his phone | Your Privacy Doesn’t Matter at the Border

US – DoJ Warrant for Data on ALL Visitors to Anti-Trump Site Sparking Fight

The Justice Department is trying to force an internet hosting company to turn over information about everyone who visited a website used to organize protests during President Trump’s inauguration [Also see here, here and here] Federal investigators last month persuaded a judge to issue a search warrant to the company, Dreamhost, demanding that it turn over data identifying all the computers that visited its customer’s website and what each visitor viewed or uploaded. Over 1.3 million requests were made to view pages on the website in the six days after inauguration alone. Dreamhost is fighting the warrant as unconstitutionally broad. “In essence, the search warrant not only aims to identify the political dissidents of the current administration, but attempts to identify and understand what content each of these dissidents viewed on the website,” two lawyers for Dreamhost wrote in a court motion opposing the demand. The government’s filing declared that Dreamhost “has no legal basis for failing to produce materials in response to the court’s search warrant.” The fight, which came to light on Monday when Dreamhost published a blog post entitled “We Fight For the Users,” centers on a search warrant for information about a website, disruptj20.org, which served as a clearinghouse for activists seeking to mobilize resistance to Mr. Trump’s inauguration on Jan. 20. Judge Leibovitz had set a hearing for Friday August 18. But late Tuesday, William Miller, a spokesman for the U.S. attorney’s office said the court was rescheduling it to a later date, which was not yet set. [The New York Times | In J20 Investigation, DOJ Overreaches Again. And Gets Taken to Court Again. | A closer look at DOJ’s warrant to collect website records]

US – Lawsuit Over False Online Data Revived After U.S. Top Court Review

A federal appeals court on revived a California man’s lawsuit accusing Spokeo Inc of publishing an online profile about him that was filled with mistakes. The 9th U.S. Circuit Court of Appeals ruled 3-0 [see here] in favor of Thomas Robins, 15 months after the U.S. Supreme Court asked [see here] it to more closely assess whether he suffered the “concrete and particularized” injury needed to justify a lawsuit. The SCOTUS case was significant because Robins tried to pursue a class action, which if successful could expose Facebook Inc, Alphabet Inc’s Google and other online data providers to mass claims in similar lawsuits. In the decision, Circuit Judge Diarmuid O’Scannlain said “it does not take much imagination” to surmise how Robins could have suffered real harm, given the importance of consumer reports to getting jobs, obtaining loans and buying homes. Spokeo said it will vigorously defend itself in court, and it believes the need to show individualized inaccuracies will make it “very difficult” to win class certification. [Reuters]

US – DreamHost to Fight US DoJ Over 1.3m IP Addresses of Anti-Trump Site Visitors

Efforts by US prosecutors to identify up to 1.3 million people who accessed an anti-Trump protest website is unconstitutional, a court will hear this week. Lawyers for DreamHost, which hosts disruptj20.org, will argue in a Washington DC courtroom that the demand for visitor records from the website breaks both the First and Fourth Amendments on free speech and unreasonable search. Last month, the US Department of Justice demanded DreamHost hand over 1.3 million IP addresses of visitors, as well as any contact information, submitted comments, emails and uploaded photos. It refused. In its legal filing to the court, DreamHost uses several touchstone cases to argue that the demand is counter to American laws and traditions. The warrant violates the Fourth Amendment, DreamHost argues, referencing several legal precedents about protected speech and the fact that “concerns about privacy are especially critical when people engage in aspects of speech and association during political campaigns.” It also points to cases involving Amazon and Microsoft in which the open-ended nature of the request for all information on all visitors without any date restriction was ruled unconstitutional. The broad nature lacks the “specificity” required. The company also argues that the warrant violates the Privacy Protection Act. It says it has reviewed much of the information requested and argues that it qualifies as either “work product” or “documentary material” and so benefits from additional legal protections. [The Register | Justice Dept. Demands Data on Visitors to Anti-Trump Website, Sparking Fight | In J20 Investigation, DOJ Overreaches Again. And Gets Taken to Court Again. | A closer look at DOJ’s warrant to collect website records]

US – CDT Urges FTC to Investigate VPN Provider Over Deceptive Practices

The Center for Democracy & Technology is urging the FTC to investigate claims made by virtual private network provider Hotspot Shield. In its 14-page filing, the CDT alleges the company violates its “anonymous browsing” claims by “intercepting and redirecting web traffic to partner websites, including advertising companies.” David Gorodynasky, head of the service’s parent company, AnchorFree, said the company does not profit from its customers’ data. CDT disagrees. “Further analysis of Hotspot Shield’s reverse-engineered source code revealed that the VPN uses more than five different third-party tracking libraries, contradicting statements that Hotspot Shield ensures anonymous and private web browsing,” the CDT stated. [ZDNet | arstechnica | zdnet | cdt.org]

US – Uber Agrees to 20 Years of Privacy Audits to Settle FTC Data Mishandling Probe

The legacy of Travis Kalanick’s fast and loose management style at Uber continues to serve up fresh embarrassments for the embattled, still CEO-less company. The ride-hailing giant has settled a FTC investigation into data mishandling, privacy and security complaints that date back to 2014 and 2015 – ostensibly agreeing with the FTC’s complaint that it misrepresented its practices to consumers. [Also see here] The FTC said Uber has agreed to put in place a comprehensive privacy program, including undergoing regular independent privacy audits. [See FTC PR here] The FTC’s order extends for a period as long as 20 years. In its complaint docket the FTC cites news reports in 2014 of Uber’s so-called ‘God view’ real-time interface that had apparently allowed its employees to spy on users’ rides, and Uber’s response at the time — when it claimed to have “a strict policy prohibiting all employees at every level from accessing a rider or driver’s data”, and to be “closely” monitoring and auditing this policy. In its decision and order docket, the FTC orders a prohibition against “misrepresentations” by Uber pertaining to how it monitors or audits internal access to consumers’ personal Information; and to the extent to which it protects the privacy, confidentiality, security, or integrity of any personal information it handles and stores. In a statement responding to the FTC’s order, an Uber spokesperson told us: “We are pleased to bring the FTC’s investigation to a close. The complaint involved practices that date as far back as 2014. We’ve significantly strengthened our privacy and data security practices since then and will continue to invest heavily in these programs. In 2015, we hired our first Chief Security Officer and now employ hundreds of trained professionals dedicated to protecting user information. This settlement provides an opportunity to work with the FTC to further verify that our programs protect user privacy and personal information.” [Mobile Trend]

US – Judge Says LinkedIn Cannot Block Startup from Public Profile Data

U.S. District Judge Edward Chen in San Francisco ruled [see here] that Microsoft Corp’s LinkedIn unit cannot prevent a startup from accessing public profile data [see LinkedIn C&D letter here], in a test of how much control a social media site can wield over information its users have deemed to be public. Judge Chen granted a preliminary injunction request [see here] brought by hiQ Labs, and ordered LinkedIn to remove within 24 hours any technology preventing hiQ from accessing public profiles. [For all related court docs see here] The case is considered to have implications beyond LinkedIn and hiQ Labs and could dictate just how much control companies have over publicly available data that is hosted on their services. [For additional news see here, here & here & for background see here] HiQ Labs uses the LinkedIn data to build algorithms capable of predicting employee behaviors, such as when they might quit. LinkedIn plans to challenge the decision, a company spokeswoman said. [Reuters]

US – The FTC and FBI Are Shining the Spotlight on Your Kid’s Smart Toys

In June, the FTC announced that it had updated its COPPA compliance plan for businesses to make inescapably clear that internet-enabled toys and other “internet of things” (IoT) devices that collect personal information from children may be subject to COPPA. Shortly thereafter, the FBI issued a public service announcement warning parents that connected toys “could put the privacy and safety of children at risk due to the large amount of personal information that may be unwittingly disclosed.” The FTC’s formal pronouncement that COPPA applies to connected toys and other IoT devices may serve as a shot against the bow, and likely foreshadows enforcement activity with regard to connected toys. It is a safe bet that the FTC has been paying close attention to the privacy and security ramifications of smart toys and privacy issues with such devices. Whatever the FTC’s announcement may portend, it was moderate in tone by comparison to the FBI’s public service announcement. The FBI encouraged parents to “consider cybersecurity prior to introducing smart, interactive, internet-connected toys into their homes.” It alluded to the range of information that connected toys might collect, such as recordings of a child’s voice, physical location, internet use history, and IP addresses, and associate with account information, which could include the child’s name and address. The FBI urged parents to research connected toys before purchasing them to learn of any known security issues, to closely monitor children’s use of such toys, and to follow good security practices, such as ensuring that the toys are running updated firmware and that they are turned off when not in use. As for legal protections, the FBI noted that smart toys must comply with COPPA and Section 5 of the Federal Trade Commission Act. The FTC and FBI announcements reflect the growing attention of a variety of federal agencies to the security of consumer smart devices. [The Hill]

US – Disney Faces Children’s Privacy Class Claims Over Mobile App

The Walt Disney Co. allegedly allowed mobile gaming applications to collect and export children’s personal information to advertising partners without parental consent, according to a federal court complaint (Rushing v. Walt Disney, Co., N.D. Cal., 17-cv-4419, complaint filed 8/3/17). The case highlights legal questions surrounding the use of big data analytics to gain knowledge about app user activity. The practice leaves open the possibility that individual pieces of data can be aggregated with other information to identify individuals, exposing companies to potential liability for privacy violations. The plaintiffs, a parent and her child who used the Disney Princess Palace Pets mobile gaming app, alleged in an Aug. 3 complaint filed in the U.S. District Court for the Northern District of California that Disney’s user tracking system violates COPPA.[see here] The law requires websites and apps targeted at children to gain parental consent to collect and use the personal information of children under the age of 13. Stacey Gray, policy counsel at Future Privacy Forum, said that the “lawsuit is very unusual because despite the way it is framed, in reality it is not a COPPA complaint.” COPPA doesn’t allow individuals to sue, leaving that power to the Federal Trade Commission and state attorneys general. The allegations in the complaint are based on multi-state common law intrusion upon seclusion and California constitutional right to privacy claims, Gray said. [BNA.com]

US – Tech Companies File Amici Brief in Support of Warrants for Cell Phone Data

More than a dozen US tech companies filed an amici brief with the US Supreme Court, voicing their support for strong privacy protections and requiring law enforcement to obtain warrants to access certain data from mobile phones. The brief says that law enforcement currently relies on outdated laws to obtain the warrants, which violate the Fourth Amendment. [wired | law.com | aclu.org]

Privacy Enhancing Technologies (PETs)

WW – New Apple Feature Will Disable Touch ID

Apple is expected to introduce a new feature in iOS 11 that will allow a user to disable the Touch ID by quickly pushing the power button five times. The move will signal an emergency SOS that can only be reversed after entering the passcode. The update comes as recent rulings have granted police the means to force users to unlock their phones using their fingerprints and follows a rise in controversies surrounding law enforcement requests for phone data. Passcodes are reportedly protected under the Fifth Amendment but fingerprints are not. [USA Today]

Security

US – NIST Releases Revised Security and Privacy Controls

The National Institute of Standards and Technology has issued a draft revision of its Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations. The revision was developed by a joint task force from the civil, defense and intelligence communities, the NIST news release states, and “represents an ongoing effort to produce a unified information security framework for the federal government.” NIST Fellow and Team Leader Ron Ross said the new revision “takes the guidance in new directions — we are crafting the next-generation catalog of controls that can also be applied to secure the internet of things.” It’s the first to really dive into the world of sensors and media collection devices like cameras, recorders and voice-activated controls that are embedded both in personal devices and smart systems like those used for traffic monitoring. This also marks the first time that privacy controls are embedded into the security section, rather than listed in an appendix. The structure of the outcome-based document is designed to guide users through the complex process of establishing controls governing the activity of systems and devices. NIST Senior Privacy Policy Advisor Naomi Lefkovitz said, “This revision covers the overlap in security and privacy for systems, as well as the ways in which they are distinct. It also enhances the ability for both professional teams to collaborate yet still maintain their respective authorities.” Comments are due on the draft Sept. 12, just 30 days after the initial release. NIST plans to do a final draft in October with another round of comments before the final version is released Dec. 29. [see NIST PR here | FCW.comNIST | NextGov | NIST Releases Updated Cyber and Privacy Guidance Draft | Security and Privacy Controls for Information Systems and Organizations]

US – NIST Revamps Password Recommendations

The National Institute of Standards and Technology has revamped their advice for creating passwords. NIST released a new guideline for password creation, favoring long, easy-to-remember phrases over a mixture of capital letters, numbers and symbols. The original author of “NIST Special Publication 800-63. Appendix A,” Bill Burr, said he regrets advising internet patrons to create more complex passwords and for telling users to change their passwords every 90 days. Burr said most people would only make minor changes to their passwords, while mixing different symbols and numbers made passwords difficult to use and remember. [The Wall Street Journal]

US – NIST Outlines Framework for Cybersecurity Training

In a statement [see here] Monday August 7, the National Institute of Standards and Technology [NIST] said it’s planning to upgrade a federal initiative on cybersecurity education and workforce training. NIST, which is responsible for developing a range of computer and network security specifications, said it wants to update the National Initiative for Cybersecurity Education [NICE], which is a government-industry created framework that aims to “promote a robust network and an ecosystem of cyber-security education, training, and workforce development.” [see 144 pg pdf NICE Framework here] The NICE framework addresses some of the most obvious but often overlooked steps involved in the creation of security teams, such as assessing workforce skills and identifying certification and training requirements. It also specifies tasks used in job descriptions, and ultimately seeks to match these tasks with people who possess the right knowledge, skills and abilities. One of the main aims of the NIST effort is to raise awareness of the need for a “ground-up” approach to cybersecurity strategies, in order to ward off evolving security threats such as ransomware. Another of NICE’s goals is to expand and institutionalize integrated and certified security teams that reflect recommended best practices. NIST added that it’s planning to host a conference to discuss its progress with NICE in Dayton, Ohio, this November. [Silicon Angle | Illinois mandates cybersecurity training for state employees]

US – EFF Claims Captive Portals Provide ‘Illusion of Security’

The Electronic Frontier Foundation explores the use of captive portals — a webpage users interact with before accessing public Wi-Fi — their associated security issues and best practices, in their latest Deeplinks blog post. The EFF argues that the process of signing in to a network, either by agreeing to the terms of service or by providing personal information to gain access, unnecessarily interferes with security rather than provide actual safeguards for the user. They claim, “The illusion of security that a login window may provide can lead users to inaccurately believe that wireless networks with captive portals are safer than those without.” The EFF goes on to say that moving away from the use of captive portals will help create more open and privacy-protective wireless access portals. [Deeplinks]

WW – Bad Android Messaging Apps

Some apps for sale in Android app stores have been found to contain malware known as SonicSpy, which can record calls, take pictures, make calls, send text messages, and monitor call logs and Wi-Fi access point information. SonicSpy is contained in messaging apps which do perform as advertised while surreptitiously stealing and monitoring users’ information. [Android app stores flooded with 1,000 spyware apps].

US – FTC Posts Fourth Blog in Its “Stick with Security” Series

On August 11, 2017, the FTC published the fourth blog post in its “Stick with Security” series. [See here] This week’s post, entitled Stick with Security: Require secure passwords and authentication, examines five effective security measures companies can take to safeguard their computer networks. The practical guidance aims to make it more difficult for hackers to gain unauthorized access to networks. These security measures include: 1) Insisting on long, complex and unique passwords; 2) Storing passwords securely; 3) Guarding against brute force attacks; 4) Protecting sensitive accounts with more than just a password; and 5) Protecting against authentication bypass. [Hunton & Williams]

US – FTC Posts Third Blog in Its “Stick with Security” Series

On August 4, 2017, the FTC published the third blog post in its “Stick with Security” series. [See here]. This post, entitled “Stick with security: Control access to data sensibly,” notes that just as business owners lock doors to prevent physical access to business premises and shield company proprietary secrets from unauthorized eyes, they should exercise equal care with respect to access to sensitive customer and employee data. The post outlines two key security steps companies should take: 1) Restrict Access to Sensitive Data; and 2) Limit Administrative Access. The FTC’s next blog post, to be published Friday, August 11, will focus on secure passwords and authentication. [H&W Blog]

CA – Surrey Renters Revolt Over ‘Heavy-Handed’ Strata Fines, Surveillance

Some renters at Surrey’s d’Corize high rise have received thousands of dollars of tickets in a day from building managers for minor infractions, such as not compacting garbage, and for wearing improper footwear in the gym and believe they’re being watched by surveillance cameras. The fines began after tenants noticed that surveillance cameras were installed throughout the building in recent months. In July, he said the number of tickets issued dramatically increased. However, the strata said that the sudden spike in fines was in response to a constant reoccurrence in offences, which lead to health and safety concerns. written statement from the strata said that the security system is partly meant “to meet statutory and regulatory requirements, including the enforcement of the bylaws and rules.” Many residents believe the strata is using video surveillance to justify the levied fines — a practice that goes against guidelines authorized by B.C.’s Office of the Information and Privacy Commissioner. According to the OIPC’s Privacy Guidelines for Strata Corporations and Strata Agents, “personal information obtained from video surveillance or key fob systems should not be used to justify levying fines” for minor bylaw infractions. “It’s much easier and less privacy invasive to educate people about what’s appropriate,” said OIPC acting information commissioner Drew MacArthur “That’s the way to approach that — not to put in surveillance cameras.” The OIPC has the power to order strata to remove cameras if they are in violation of residents’ privacy. A strata is also obliged to provide residents access to tape that contains their information, according to the OIPC. [CBC News | See also Report landlords who break privacy rules, urges BC agency]

US – Defense Counsel Journal’s Free Issue Covers Privacy Law Topics

The International Association of Defense Counsel (IADC) journal, Defense Counsel Journal (DCJ) [see here] will release two issues of its “Privacy Project V,” with the first coming out this summer and the second being released in the fall. In the issues, IADC members discuss a variety of legal privacy topics that are growing more important to the public on a global scale each year. Topics found in the free summer issue [see here] are designed to keep attorneys abreast on the new information and changing trends regarding privacy and related areas of law. Subjects covered in the issue include product liability laws related to the internet, metadata in litigation, data breach class actions, email evidence in litigation, among other topics. [Madison County Record]

Smart Cars / Cities / IoT

UK – UK Publishes Laws of Robotics for Self-Driving Cars

The UK has published a set of “Key principles of vehicle cyber security for connected and automated vehicles” [see here] outlining how auto-makers need to behave if they want computerised cars to hit Blighty’s byways and highways. [Also see here & here] The principles suggest all participants in the auto industry’s long supply chains must work together on security both in the design process and for years after vehicles hit the roads. The eight principles include: 1) Organisational security is owned, governed and promoted at board level; 2) Security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain; 3) Organisations need product aftercare and incident response to ensure systems are secure over their lifetime; 4) All organisations, including sub-contractors, suppliers and potential 3rd parties, work together to enhance the security of the system; 5) Systems are designed using a defence-in-depth approach; 6) The security of all software is managed throughout its lifetime; 7) The storage and transmission of data is secure and can be controlled; and 8) The system is designed to be resilient to attacks and respond appropriately when its defences or sensors fail. Each principle has sub-principles and that’s where the detail gets interesting. Transport minister Lord Callanan’s announcement suggests the Principles will be included in future legislation governing self-driving cars on British tarmac. [Register]

WW – Report: Smart City Market Expected to Hit $cc775B by 2021

A report from BCC Research finds the smart city market is expected to hit $775 billion by 2021. The number of cities to incorporate smart technology is expected to rise to more than 600 over the next couple of years. The report states North America will dominate the global smart city market, raising their investments from $118.5 billion in 2016 to $244.5 billion in 2021. “This is a large and growing market. There are currently around 100 smart city projects, and we think in a short period of time that will expand to roughly 10–13% of medium to large cities. We see about 5,000 cities of that size and 600 will go to smart city technology in the fairly near term,” BCC Analyst Michael Sullivan said. [TechRepublic]

US – FPF Seeks Feedback on Seattle’s Smart City Risk Assessment

The Future of Privacy Forum is seeking public feedback on the proposed City of Seattle Open Data Risk Assessment. In its Open Data Policy, Seattle said data would be “open by preference” unless individual privacy is affected. To ensure a balance between open data and privacy is met, the city announced last year that it will perform annual risk assessments and “tasked FPF with creating and deploying an initial privacy risk assessment methodology for open data,” according to an FPF release. The comment period will be open until Oct. 2. [FPF]

US – FPF Releases Infographic on Microphone Use in IoT Devices

The Future of Privacy Forum has released an infographic, Microphones & the Internet of Things: Understanding Uses of Audio Sensors in Connected Devices, to educate users on the range of uses microphones have in different connected devices. The infographic highlights how microphones are used by displaying when microphones are activated, what kinds of data can be transmitted, and the current U.S. legal protections for connected devices. FPF Policy Counsel Stacey Gray explained that “Information networks and devices that make up the ‘Internet of Things’ promise great benefits for individuals and society.” Gray added, “However, if we do not have the right guiding principles or necessary privacy safeguards, consumers will lose trust in the evolving technologies.” [FPF]

WW – Google Glass EE Evades Privacy Questions 

Just about two years after Google spiked the original Glass [see here & here], the company is back with Glass Enterprise Edition, targeted towards factory employees and blue-collar specialists building machines big and small, using a precise set of instructions pulled up on the inside of the Glass’s smart lens. Google’s resurrection of Glass, with a few new work-specific alternations and improvements, has so far been hailed as a smart pivot for a device with extraordinary potential, but a misguided initial message. The first Glass was plagued by concerns the device was an unwanted intrusion into other people’s privacy. Users could potentially record people without their consent, even if a light on the front made it clear the camera was on. The pushback against “Glassholes” smeared whatever big improvements Glass conferred on the user’s life. But what about the new Glass EE? As a device marketed toward the workplace, has Google successfully freed it from the besmirchment of privacy questions that helped doom the original device? For Woodrow Hartzog, a digital privacy expert and assistant professor at Samford University, the answer to that question is mixed. He says questions still remain about how employers might use the data they collect through Glass EE devices on the factory floor, what Glass EE might do to employee morale in terms of autonomy and power employees have in the first place, the potential to turn Glass EE devices into tools for surveillance, whether Google may reverse course with the new model and begin implementing facial recognition technologies on Glass devices — and what that will mean for privacy concerns moving forward — and many others. The original Google Glass’s failure may have had more to do with the fact that consumers didn’t feel the practical benefits outweighed privacy concerns, rather than with absolute objections over privacy and digital security. Google may have found a solution to that concern with Glass EE, not through a rapid transformation of features that mitigate privacy concerns — Glass EE is more-or-less just a technical improvement of its predecessor – but by simply changing its messaging and promoting Glass as a workplace device. [Inverse]

Surveillance

US – Stingray Detection Apps Can Be Circumvented: Study

Researchers from Oxford University and the Technical University of Berlin tested five Android mobile apps that claim to be able to detect when the device connects to a cell-site simulator, or Stingray. While the apps were able to detect when service had been forcibly downgraded and when they received silent messages that are used for geolocation, the researcher were able to use other methods to evade detection and trick the devices into providing their information. [Those Free Stingray-Detector Apps? Yeah, Spies Could Outsmart Them | Those ‘stingray’ detector apps are basically useless, say researchers | Evaluating IMSI Catchers Detection Applications]

Telecom / TV

US – Anti-Robocall Law Survives First Amendment Challenge by Time Warner

Under the Telephone Consumer Protection Act [see here, amended in 2015 see here], you’re not liable for using an automated system to place calls or send texts to cellphones if you’re engaged in government debt collection. But if you’re trying to collect non-governmental overdue bills via the same automated system, you could be on the hook for millions of dollars in a TCPA class action. That distinction, according to a ruling [August 1, 2017, see here] by U.S. District Judge Paul Oetken of Manhattan in a TCPA class action against Time Warner [also see here & here], means that the TCPA is subject to the most stringent form of review under the First Amendment as per the U.S. Supreme Court’s 2015’s Reed v. Town of Gilbert which held that strict scrutiny applies to content-based regulations on speech. The TCPA’s carve-out for government debt collection, Judge Oetken held, is a regulation based on content. But the judge refused to take the next step and hold the TCPA to be unconstitutional under the First Amendment. Time Warner’s lawyers argued in a motion for judgment on the pleadings that TCPA fails the strict scrutiny review because the law, as amended, is not narrowly tailored to serve a compelling government interest. The exemption for government debt collectors “renders the speech restriction prototypically under-inclusive and results in an irrational, ineffective and patently unfair regime.” Judge Oetken disagreed. Privacy is a compelling interest, he held, whether it’s the traditional respect courts have accorded for privacy in the home or the modern extension to cellphone privacy. And the carve-out for government debt collectors, he held, is a narrow exemption that does not doom the entire law. [Reuters]

US Government Programs

US – General News

  • The U.S. Ninth Circuit Court’s ruling in Robins v. Spokeo found that a Fair Credit Reporting Act violation was sufficient to justify Article III standing. Lexology
  • Davis & Gilbert Partner Richard Eisert discusses U.S. District Judge Edward Davila’s ruling that the onus falls on the individual user to keep browsing history private rather than on a company to set privacy as a default. [AdExchanger]
  • The Ninth U.S. Circuit Court of Appeals recently ruled that concern about potential privacy intrusion does not qualify as an imminent injury that can be addressed in court [AMA Wire]
  • The first challenge is underway to a new Tennessee law requiring public schools to share student information with charter schools within 30 days of a request. [The Tennessean]
  • A three-judge panel of the second most powerful court in the U.S., the D.C. Circuit Court of Appeals, has ruled customers can sue a health insurer for a 2014 breach in which personal data was compromised. [The Hill]
  • Chicago Mayor and City Clerk have put out a request for proposals for technology companies to build a platform for municipal ID cards despite threats of funding cuts from the Trump administration. [StateScoop]

US Legislation

US – General News

  • NY Gov. Andrew Cuomo signed legislation prohibiting the unlawful alteration of official student records in any primary, intermediate, high school or college in the state — expanding on the types of information covered in the previous law. [Wyoming FreePress]
  • NY Gov. Andrew Cuomo signed new legislation that will make it possible to sue a neighbor for the invasion of privacy if they videotape in an adjacent backyard without permission. [Times-Union]
  • Two Senate committees advanced bipartisan bills aimed at boosting cyber skills. [Morning Consult]
  • A bipartisan group of U.S. senators has released new legislation intended to confront internet-of-things security vulnerabilities. Sens. Cory Gardner, R-Colo., Steve Daines, R-Mont., Mark Warner, D-Va., and Ron Wyden, D-Ore., are co-sponsoring the bill. [Reuters]
  • Orrin Hatch, R-Utah, and Chris Coons, D-Del., have released new legislation that would create a legal framework for allowing law enforcement to access data of U.S. citizens stored overseas. The International Communications Privacy Act would also mandate that law enforcement notify other countries of the data collection in accordance with their laws, the report states. [The Hill]
  • The draft Senate Republican border security bill, Building America’s Trust Act, would increase the collection of biometric data, the use of drone monitoring and, in some cases, mandatory DNA collection. The author and co-sponsors of the bill have yet to officially introduce the bill. [Ars Technica]
  • Delaware has updated its data breach law to include the protection of additional types of information and increase notification requirements, among other changes. [JDSupra]
  • Nebraska Sen. Carol Blood has proposed a bill to create a drone policy in the state addressing privacy concerns, among others. [Omaha World-Herald]

 

+++

 

 

Advertisements
Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: