Monthly Archives: December 2022

10–16 December 2022

Access to Information

OpenMedia delivers 104,000 signatures opposing Bill C-11 to the Senate

OpenMedia, a non-profit organization working to keep the internet “open, affordable, and surveillance-free,” delivered a petition opposing the controversial Bill C-11 (aka the Online Streaming Act) with over 104,000 signatures to the Senate. Bill C-11 is an amendment to the Broadcasting Act that aims to support the creation and promotion of Canadian content online. It is designed to give the Canadian Radio-television and Telecommunications Commission (CRTC) regulatory authority over online streaming platforms like YouTube, Netflix, and others. In its current form, however, experts believe Bill C-11 is too vague and gives the CRTC too much power. It could potentially even put user-generated content under the watchdog’s purview — in fact, outgoing chair Ian Scott previously admitted it will do as much.

Biometrics / Identity

New Zealand’s OPC explores biometrics code of practice

New Zealand’s Office of the Privacy Commissioner is exploring a Code of Practice for Biometrics. Privacy Commissioner Michael Webster said the office received 100 submissions to a consultation paper on privacy regulation of biometrics released in August, showing “a real high level of interest.” Concerns included protections of such sensitive information and discriminatory impacts of biometrics use. See also: Biometrics are even less accurate than we thought

AI-generated fake faces have become a hallmark of online influence operations

Fake accounts on social media are increasingly likely to sport fake faces. Facebook parent company Meta says more than two-thirds of the influence operations it found and took down this year used profile pictures that were generated by a computer. As the artificial intelligence behind these fakes has become more widely available and better at creating life-like faces, bad actors are adapting them for their attempts to manipulate social media networks.

Face biometrics coming to vehicles will allow keyless access and more

Genesis Motor Europe and an Oshawa, Canada tech startup are both introducing new biometrics capabilities for keyless access and feature control in automobiles that could make that tangle of keys in your pocket obsolete. Genesis’ GV60 electric SUV will be “the first car in the world to feature pioneering face recognition technology as part of biometric vehicle entry and engine start.” The Face Connect system uses a face sensor and a deep-learning image processing controller to enable drivers to lock and unlock their cars without a physical key. Via an app, additional biometric features will allow drivers to start their cars with a fingerprint.

Children / Education Privacy

Quebec information commission releases children’s privacy review

Quebec’s Commission d’accès à l’information (CAI) released a report regarding potential children’s privacy amendments to provincial privacy legislation. Themes reviewed in the report include going beyond parental consent for children’s data use, improved privacy awareness for parents and children, and proposals for prohibited data collection practices.

Study finds 96% of apps used in US schools share student personal information

In the U.S., 96% of applications used in schools share student personal information with third parties, according to a study by Internet Safety Labs. The data is often shared with advertisers without informing or obtaining consent from students or the schools, the study found. Internet Safety Labs researchers examined 13 schools in each state for a total of 663 schools, with a total student population of approximately 500,000. Schools typically had more than 150 “approved technologies for classrooms.” The study found roughly 25% of recommended or school-required apps included advertisements and 13% included “retargeting ads.”

ICO creates Children’s Code design tests

The U.K. ICO created design tests to help designers assess whether products or services likely to be accessed by children comply with the Children’s Code. The ICO said the tests will support designers in creating “online experiences that protect children’s personal data,” noting, “Each test provides a report detailing areas of good practice as well as steps you can take to improve your conformance.”

Trade association sues over California Age-Appropriate Design Code Act

Technology trade association NetChoice filed a lawsuit against the state of California aiming to block the California Age-Appropriate Design Code Act from taking effect. The group, whose membership includes most major Big Tech platforms, submitted a complaint alleging the recently-passed legislation “presses companies to serve as roving censors of speech on the internet.” The law is set to take effect July 1, 2024, and includes requirements for privacy-by-default settings and data protection impact assessments.

Consumers

AI art and text are getting smarter: what comes next?

In recent weeks, the latest versions of AI art-creating tools, along with a compelling new AI chatbot have flooded social media. The tools can be fun, with people creating artistic and enhanced selfies using Lensa, strange concept art with DALL-E 2, or exploring the way the chatbot, ChatGPT, creates seemingly original and complex prose in seconds. But the new tools are also a demonstration of how powerful AI has become, and hint at a relatively near future where it could convincingly replace human workers. Will Knight, senior writer with WIRED, discusses what’s behind these popular new AI tools, some of their pitfalls, and the impact they’re already having on society.

Data Sciences

New compromise AI Act amendments released

New compromise amendments to the Artificial Intelligence Act, excluding general-purpose AI from high-risk systems, have been released. The 10th round of compromise amendments is expected to be discussed Dec. 14. AI systems are considered high risk if their failure or malfunction puts individuals’ health, safety or fundamental rights at risk. Additional wording states the high-risk categorization only applies to systems with an intended purpose. “Pending discussions, GPAI (general-purpose AI) will be treated separately,” a note in the text states.

Enforcement of NYC’s automated employment bias law postponed

Enforcement of New York City’s Automated Employment Decision Tools law, which was to take effect Jan. 1, 2023, has been postponed to April 15, 2023. The Department of Consumer and Worker Protection announced the postponement is due to a “high volume of public comments” and said a second public hearing is being planned. Under the law, employers or employment agencies must conduct an independent bias audit before using artificial intelligence employment tools.

ICO publishes first Tech Horizons Report

The U.K. Information Commissioner’s Office published its first Tech Horizons Report. The annual report “examines the implications of some of the most significant technological developments for privacy in the next two to five years” in fields including consumer health care, Internet of Things devices and immersive technologies. The creation of the Tech Horizons Report was born out of the ICO25 strategy to help inform society about “emerging technologies to reduce burdens on businesses, support innovation and prevent harms.”

Digital Government

Senator seeks FTC probe of data sales to U.S. government agencies

U.S. Sen. Ron Wyden, D-Ore., asked the U.S. FTC to investigate internet infrastructure company Neustar Security Services’ sale of data to the federal government. Wyden wants the FTC to review whether the company should have warned consumers it was selling information on where they went online. Many whose data was sold reportedly did not know they interacted with Neustar as data was obtained from domain name lookup services the company gave to internet service providers.

Microsoft rolls out ‘data boundary’ for EU cloud customers

Microsoft is beginning a phased rollout of its “EU data boundary” enabling EU cloud customers to process and store data in the region. The “EU data boundary” applies to Microsoft’s core cloud services. A first phase will include customer data, followed by logging and service data,

Health Privacy

Quebec to introduce personal health file access

The Legault government has introduced Bill 3, aimed at streamlining the way patients access their health data, as well as the way data is shared with professionals. It is meant to allow patients to more easily access their health files, see the history of who else viewed their file, and provide or deny access to other professionals. The program will create a consistent medical file that tracks patients across different doctors, as opposed to different health professionals possessing different files on a patient. The bill is an updated version of Bill 19, which was introduced in 2021 but died on the order paper.

BC OIPC: Public health system has unaddressed ‘vulnerabilities’

The BC OIPC released a report alleging the Provincial Health Services Authority did not properly respond to “security and privacy vulnerabilities” in the public health database it manages. The OIPC cited “vulnerabilities requiring immediate attention,” including issues with auditing, encryption and multifactor authentication. See also: Database of British Columbians’ personal health information is ‘disturbingly’ vulnerable: privacy watchdog

Law Enforcement / Intelligence

OECD to finalize framework on government access to personal data

Officials from the U.S. and more than 30 OECD member states adopted an agreement on safeguarding privacy when accessing personal data for national security and law enforcement reasons. The OECD Declaration on Government Access to Personal Data Held by Private Sector Entities clarifies how law enforcement and security agencies can access personal data. The agreement will enable data flows “with the safeguards needed for individuals’ trust in the digital economy and mutual trust among governments regarding the personal data of their citizens.”

Colorado woman sues detective over false location ping

A Colorado woman is suing a Denver police detective after a false ping by Apple’s “Find My iPhone” feature resulted in a SWAT raid of her home. The detective used the woman’s address as the basis for the raid, after the owner of a stolen truck identified its location through the “Find My” app. The complaint states the app determines approximate locations and “is not intended as a law enforcement tool.”

Mobile / Location

UK releases code of practice to improve app privacy, security

The U.K. released a voluntary code of practice to improve security and privacy requirements on applications and app stores. New measures include improved reporting of software vulnerabilities and enhanced transparency around privacy and security for app users.

US Senate passes bill to ban TikTok on government devices

The U.S. Senate passed legislation banning federal government employees from downloading TikTok on government-owned devices. TikTok claimed it does not share U.S. user data with the Chinese government and stores the data with Oracle cloud software. TikTok is currently undergoing the national security review process with the U.S. Committee on Foreign Investment. Meanwhile, at least seven states have said they will ban employees from using TikTok on government devices, citing data security concerns. See also: Canada ‘closely monitoring’ U.S. bill to ban TikTok, government says

Online Privacy / Surveillance

Man jailed in first doxxing sentencing under Hong Kong privacy law

A 27-year-old man will serve 8 months in jail for disclosing his ex-girlfriend’s personal information on social media without consent in the first doxxing sentencing under Hong Kong’s Personal Data (Privacy) Ordinance. “The court must send a clear message that, save for very exceptional cases, it will not condone this type of offence,” acting Principal Magistrate David Cheung Chi-wai said.

Elf on the Shelf has a sinister side, says UOIT prof

Those big blue eyes and blushing cheeks look innocent enough, but one Toronto academic believes the Elf on the Shelf is teaching kids to accept a surveillance state. In her paper, Who’s the Boss, published by the Canadian Centre for Policy Alternatives, Laura Pinto argues Santa’s spying little helper “sets up children for dangerous, uncritical acceptance of power structures.”

A faster way to preserve privacy online

New research enables users to search for information without revealing their queries, based on a method developed by MIT researchers that is 30 times faster than comparable prior techniques.

Regulators

Quebec information commission releases annual report

Quebec’s data protection authority published its 2021-2022 annual report after tabling it in the National Assembly. Notably, the CAI said it only received 25% of the budget increase it requested to address implementation of updates to the province’s private sector privacy law. The commission said lower funding “will not allow it to make all the changes required by the new responsibilities entrusted to it in a timely manner.” See also: La présidente veut plus d’argent pour faire appliquer les nouvelles lois (The chair wants more money to enforce the new laws) and Une trentaine d’entreprises ont déclaré des fuites en deux mois (Some thirty companies have reported leaks in two months)

OAIC announces 2023 Privacy Awareness Week dates

The Office of the Australian Information Commissioner announced Privacy Awareness Week will take place May 1-7, 2023. “Privacy Awareness Week is an annual event to raise awareness of privacy issues and the importance of protecting personal information,” the OAIC said. The event is conducted alongside Australian state and territory data protection authorities as well as members of the Asia Pacific Privacy Authorities forum.

Security / Breaches

Company privacy leaders call for standardization of breach reporting requirements

International leaders in cybersecurity and privacy are calling for the EU, U.K. and U.S. to better sync their data breach reporting requirements. Multinational companies claim reporting requirements that vary by jurisdiction can create compliance issues. U.S. National Cyber Director Chris Inglis said reporting requirements should be synchronized within U.S. government agencies. U.S. Department of Homeland Security Undersecretary for Strategy, Policy and Plans Robert Silvers called for more cooperation with foreign governments on breach reporting requirements.

Spyware and surveillance-for-hire industry ‘growing globally’: report

The spyware and surveillance-for-hire industry is “indiscriminately” targeting journalists, activists and political opposition, and growing on a global scale, the social media company Meta warned. In a new report, the company said it has “continued to investigate and take actions against spyware vendors around the world, including in China, Russia, Israel, the United States and India, who targeted people in about 200 countries and territories.” Meta was one of the first to publicly challenge the spyware industry back in 2019, when it began legal proceedings against Israeli firm NSO Group for hacking into approximately 1,400 WhatsApp users’ mobile devices. The report details the tactics being used by spyware and hacking companies, in particular an Indian business called CyberRoot previously exposed by a Reuters investigation into Indian mercenary hackers.

Uber suffers new data breach after attack on vendor, info leaked online

Early Saturday morning, a threat actor named ‘UberLeaks’ began leaking data they claimed was stolen from Uber and Uber Eats on a hacking forum known for publishing data breaches. The leaked data includes numerous archives claiming to be source code associated with mobile device management (MDM) platforms used by Uber and Uber Eats and third-party vendor services. The newly leaked data consists of source code, IT asset management reports, data destruction reports, Windows domain login names and email addresses, and other corporate information. One of the documents includes email addresses and Windows Active Directory information for over 77,000 Uber employees. Uber said it believes the leak is related to a security breach at a third-party vendor.

FBI’s InfraGard US Critical Infrastructure Intelligence Portal Hacked

A database containing the contact details of more than 80,000 high-profile private sector people is now up for sale on a cybercrime forum. The FBI has seen one of its key databases hacked, and it looks as though a major security failure on the part of the bureau is to blame.

Workplace Privacy

Federal public servants must return to office two or three days a week

Federal public servants will be required to return to the office for two or three days a week, Treasury Board President Mona Fortier announced. Employees in the core public service across all departments must begin phasing in a return-to-office plan in mid-January, working in the office two or three days per week, or 40 to 60 per cent of their regular schedule.

+++

4–9 December 2022

Access to Information

EU lawmakers reach agreement on e-Evidence regulation

The Council of the European Union, European Parliament and European Commission reached an agreement on e-Evidence regulation. Aiming to facilitate cross-border criminal investigations, the regulation implements a mechanism for law enforcement agencies to obtain electronic evidence stored in another EU country. It includes the European Preservation Order, under which a judge could order a service provider to preserve data related to a suspect that could be accessed at a later date. The regulation must still be ratified by lawmakers and EU governments.

Biometrics / Identity

Canada’s online streaming bill amended to require age verification to watch porn

A Senate committee amending the Liberal government’s controversial Bill C-11 has added a requirement for online platforms to verify the age of users accessing pornography, a move internet law experts say poses privacy risks and is likely unconstitutional. The amended version of the legislation must be approved by the full Senate and then go back to the House of Commons before it becomes law. If it does pass into law, it would be up to the CRTC to decide how to implement the age verification requirement.

Council of the European Union approves EU digital identity scheme

The Czech Presidency of the Council of the European Union adopted its position on the proposed EU digital identity framework. The council said the system would establish digital wallets with “universal access for people and businesses to secure and trustworthy electronic identification and authentication.” Czech Deputy Prime Minister for Digitalization and Minister of Regional Development Ivan Bartoš said the proposed framework brings “massive advancement in how people use their identity and credentials” while users are “firmly keeping control over their data.”

Australia launches myGov digital identity mobile app, ‘at long last’

After long delays, the Australian government’s myGov mobile app has launched, with integrated biometric facial recognition log-in capabilities and a digital wallet. The app is designed to become a single “digital location” to manage identity and provide mobile access to both government and private sector services. It will enable users to access 15 government services, with authentication through biometric checks that also include fingerprint verification, QR codes, and a six-digit PIN. He called the launch a “quantum leap forward” for government services in Australia.

TSA tests digital ID verification

The U.S. Transportation Security Administration is adding digital IDs to a program for testing passenger facial recognition verification technology at airports across the country. The TSA is considering using digital IDs to verify passenger information against real-time facial recognition scans at checkpoint security. The agency’s Privacy Impact Assessment said digital IDs are expected to “improve airport security and expedite checkpoint security processes.” The TSA said data collected will be anonymized, encrypted and deleted within two years.

Children / Education Privacy

New Jersey introduces bill to establish Children’s Data Protection Commission

State Assemblyman Herb Conaway Jr., D-NJ, introduced a bill to create a New Jersey Children’s Data Protection Commission. The legislation concerns “social media privacy and data management standards for children” and establishes a nine-member commission to receive feedback from a “broad range of stakeholders” recommending best practices for protecting children’s personal data online. The bill requires digital companies operating in the state to conduct data protection impact assessments before launching new products likely to be accessed by children. Fines for failure to comply are proposed to be $2,500-$7,500 per affected child.

National intelligence director warns parents about kids’ privacy on TikTok

In an interview with NBC at the Reagan National Defense Forum, U.S. Director of National Intelligence Avril Haines cautioned that parents should be concerned about data privacy risks facing children on TikTok. She noted China’s ability to access foreign data and “target audiences for information campaigns or for other things, but also to have it for the future so that they can use it for a variety of means that they’re interested in.”

Consumers

Norwegian Consumer Council targets deceptive design

The Norwegian Consumer Council is asking “several” Norwegian and international companies to change practices after identifying their use of deceptive design to “push, manipulate and trick consumers into making choices that are in the companies’ own interest.” NCC Director of Digital Policy Finn Myrstad said many of the companies are likely in breach of legal requirements, but “loopholes and the lack of enforcement means that companies can often operate like this without fear of consequences.”

Apple to expand encryption in its cloud backups, halts CSAM rollout

Apple announced a suite of data security improvements it plans to roll out in the coming months that aim to protect consumer data and ward off hackers. The three data security features include iMessage Contact Key Verification, Security Keys for Apple ID and Advanced Data Protection for iCloud. See also: The FBI says Apple’s new encryption is “deeply concerning”

Data Sciences

Canada’s proposed AI Act ‘requires further consideration’

Christelle Tessono, tech policy researcher at the Princeton University Center for Information Technology Policy, and Sonja Solomun, deputy director of the Centre for Media, Technology and Democracy at McGill University, discuss Canada’s proposed Artificial Intelligence and Data Act in an op-ed. They say the proposal is an “encouraging first step” after years of calls to regulate AI, but that it “requires further consideration to provide adequate oversight, accountability and human-rights protections that would elevate it to international precedents in this space.”

Council of the European Union settles on proposed AI Act language

The Czech Presidency of the Council of the European Union announced member states reached a common position on the draft Artificial Intelligence Act. The council highlighted its unified stance on high-risk AI system classification and requirements, exemptions, compliance and provisions for the proposed AI Board. Czech Deputy Prime Minister for Digitalization and Minister of Regional Development Ivan Bartoš said the council “managed to achieve a delicate balance” that covers industry benefits and “full respect of the fundamental rights of our citizens.”

EU-US Trade and Technology Council settles on AI roadmap

The EU-U.S. Trade and Technology Council announced results of its third summit, including an agreement on the Joint Roadmap on Evaluation and Measurement Tools for Trustworthy Artificial Intelligence and Risk Management. The two sides said the roadmap will help inform risk management and trustworthiness while building “a shared repository of metrics” for ongoing measurement. With respect to AI and privacy, the two sides said they will “assess the use of privacy enhancing technologies and synthetic data in health and medicine, in line with applicable data protection rules.”

Digital Government

EU Council adopts AI Act, eIDAS Regulation amid sovereignty questions

The Council of the European Union had a busy fall. The season culminated 6 Dec. with a Ministerial meeting of the Transport, Telecommunications and Energy Council during which member states formally adopted an agreed position on two significant legislative proposals, the Artificial Intelligence Act and the eIDAS Regulation, with hints of a heating sovereignty debate. This means both texts are closer to the finish line: the next step for both files is the three-way negotiations once the European Parliament reaches its own position.

Health Privacy

Data breach of Ontario’s vaccine booking system affects hundreds of thousands

Hundreds of thousands of Ontarians’ information may have been compromised in a data breach of the province’s vaccine management system last year. Starting this week, some 360,000 people will receive notices that their personal information was part of the November 2021 data breach of the COVAXon system, the Ministry of Public and Business Service Delivery said in a statement. OPP laid charges against two people in connection with the breach last year. See also: Around 360K people in Ontario affected by COVAXon privacy breach

Quebec to modernize access to patient health data with new bill

The Quebec government unveiled a new bill to modernize access to patient health data in order to increase transparency and improve information sharing among professionals. The “Act respecting health information and social services and amending various legislative provisions” will make it easier for patients to consult their health records. They will also be able to know who has had access to their information and will be able to decide whether or not to share that information with other professionals. Bill 3 is a slightly modified version of Bill 19, which was introduced almost exactly one year ago. However, the latter died on the order paper before it could be adopted by the National Assembly.

OAIC ends COVIDSafe reporting

The Office of the Australian Information Commissioner ended its COVIDSafe assessment program after receiving no privacy complaints or data breach notifications about the COVIDSafe system from May to November. Australian Information Commissioner and Privacy Commissioner Angelene Falk said all COVID application data was deleted from the National COVIDSafe Data Store.

FTC releases updated interactive health care app compliance tool

The U.S. FTC released an updated Mobile Health App Interactive Tool. The application, first developed in conjunction with the HHS’ Office for Civil Rights, Office of the National Coordinator for Health Information Technology, and the Food and Drug Administration, aims to help health care app developers determine if the app is compliant with federal laws and regulations. The interactive tool asks users questions about the app’s functionality and the data it collects. It then indicates which laws might cover the app, such as the FTC’s Health Breach Notification Rule.

Planned Parenthood calls for ‘tailored regulation’ to protect health care data

In response to the U.S. FTC’s request for input on commercial surveillance, Planned Parenthood called for “tailored regulations to protect consumers’ sensitive data from the potentially dangerous consequences of commercial surveillance and lax data security.” The organization said technology companies should be prohibited from disclosing information related to abortion, including online searches, and required to dispose of health-related data quickly.

Number of people hit by NL privacy breach in 2021 cyberattack now up to 58,000

Eastern Health says it’s notifying about 31,500 patients and employees whose personal or health information was taken from a network file drive during the 2021 cyberattack on Newfoundland and Labrador’s health-care system. According to Eastern Health, the stolen files include medical diagnoses, Medical Care Plan numbers and administrative information dating back to “at least” 1996. The latest update brings the total number of patients and employees impacted by the network drive breach to 58,200 — more than 10 per cent of the province’s population.

Law Enforcement / Intelligence

Council to vote on body cams for Vancouver police as critics raise privacy concerns

Vancouver city council is set to vote on a motion to outfit police officers with body cameras by 2025, a move that councillors with the ABC Vancouver party say will fulfil a campaign promise to improve public safety in the city while addressing concerns about transparency and accountability in policing. “This is an evidence-based approach. People want evidence-based policymaking, and this is all about the evidence,” said Coun. Lenny Zhou. But an emerging body of research on the use of body-worn cameras suggests that while the cameras come at a significant cost, they do not result in significant changes in behaviour among either police officers or the public.

Mobile / Location

Mobile data broker asks judge to dismiss FTC lawsuit

Mobile data broker Kochava is asking a U.S. District Court judge to dismiss a lawsuit filed by the U.S. FTC alleging the company sells smartphone users’ geolocation data. Kochava said the FTC “grossly exaggerates” what location data “may or may not reveal about consumers” and has not shown the alleged practices cause injury to consumers. In the lawsuit, the FTC alleges the data could divulge users’ visits to sensitive locations.

Women allege stalkers used AirTags to track them

Apple was sued by two women who allege their former partners used AirTags to stalk them. The federal class-action lawsuit “accuses Apple of failing to introduce effective safeguards that would prevent stalkers from using AirTags to track people,” and failing “to heed warnings from advocacy groups and news reports.” In February, Apple announced AirTags would be improved to better alert others an unknown device was nearby, however, the lawsuit asserts the updates were “woefully inadequate.”

Online Privacy / Surveillance

Report explores global cookie review

International law firm Bird & Bird published its Winter 2022 Global Cookie Review. Authors of the report found “an increasing amount of regulation that both directly and indirectly governs the use of (cookie) technologies” around the world and “a general trend towards European levels of (cookie) regulation” among Asian-Pacific countries.

CJEU rules search engine operators must delete ‘manifestly inaccurate’ results

The Court of Justice of the European Union ruled search engine operators must delete search results if an individual proves information about them is “manifestly inaccurate.” The decision comes after Google denied a request by two investment managers to “de-reference” results of a search they claimed produced “inaccurate claims.” The German Federal Court of Justice asked the CJEU for its interpretation of the EU General Data Protection Regulation, which governs the right to erasure. Google said it welcomed the decision. See also: EU court: Google must delete inaccurate search info if asked

Meta’s behavioral ads will finally face GDPR privacy reckoning in January

Major privacy complaints targeting the legality of Meta’s core advertising business model in Europe have finally been settled via a dispute resolution mechanism baked into the EU’s GDPR. The complaints, which date back to May 2018, take aim at the tech giant’s so-called “forced consent” to continue tracking and targeting users by processing their personal data to build profiles for behavioral advertising, so the outcome could have major ramifications for how Meta operates if regulators order the company to amend its practices. The European Data Protection Board (EDPB), a steering body for the GDPR, confirmed it has stepped in with three binding decisions in the three complaints against Meta platforms Facebook, Instagram and WhatsApp. The trio of complaints were filed by European privacy campaign group noyb as soon as the GDPR entered into application across the EU.

UK smart meter data sparks new privacy row

In October, the UK government confirmed that it would be using data from smart meters to get better insights into the rollout of the Energy Price Guarantee (EPG) scheme. However, experts suggest that this process could result in a breach of confidentiality and privacy.

CJEU upholds 225M Euro WhatsApp fine

The Court of Justice of the European Union denied a challenge by Meta’s WhatsApp over its 225 million euro fine issued by Ireland’s Data Protection Commission in September 2021. WhatsApp filed for annulment of the European Data Protection Board decision that led to the DPC fine. The CJEU upheld the EDPB’s role and authority to arrive at a collective decision under the EU General Data Protection Regulation’s consistency mechanism while noting WhatsApp was not directly concerned by the board’s decision.

Meta sued for embedding Pixel code

Meta was sued in U.S. District Court for the Northern District of California for allegedly embedding its Pixel tracking code on popular tax filing websites.

Dating app sued for BIPA violations

Mobile dating application Tinder and its parent company, Match Group, were sued in U.S. District Court for the Northern District of Illinois for allegedly violating the state’s Biometric Information Privacy Act.

Amazon offering customers $2 per month to monitor the traffic on their phones

Some Amazon users will now earn $2 per month for agreeing to share their traffic data with the retail giant. Under the company’s new invite-only Ad Verification program, Amazon is tracking what ads participants saw, where they saw them, and the time of day they were viewed. This includes Amazon’s own ads and third-party ads on the platform. Through the program, Amazon says it hopes to offer customers more personalized ad experiences that reflect what they have previously purchased.

Regulators

ICO publishes reprimands online

In a blog post, U.K. Information Commissioner’s Office Director of Investigations Stephen Eckersley said the authority began publishing reprimands retroactive to January 2022. The ICO already published enforcement notices, fines and summaries of audit reports on its website. “While fines may grab people’s attention, every one of these reprimands represents a time we have taken action to raise data protection standards,” Eckersley said, adding businesses, organizations and individuals will have “certainty” around legal requirements and their rights.

Italy’s privacy watchdog fines COVID lockdown-era party app

U.S. social media app Clubhouse, which became popular during the COVID-19 lockdowns, has been hit with a €2 million fine for violations of the EU’s GDPR. Italy’s privacy regulator, the Garante, said it had found “numerous violations” of the GDPR by the app. The Garante said the app was not transparent enough about the use of users’ data; that it gave users the ability to store and share audio without others’ consent; that it profiled and shared account information without identifying a proper legal basis; and that it had indefinite retention periods of the recordings made by the social network.

Security / Breaches

Cyberattack on health authority exposes data of 58K

A cyberattack on health authority Eastern Health exposed private data of more than 58,000 Newfoundland and Labrador residents and 280 current and former staff members. The Office of the Information and Privacy Commissioner for Newfoundland and Labrador said an investigation into the breach won’t be complete until March 2023. Eastern Health said the social insurance numbers of fewer than 20 patients and banking information of fewer than five patients were accessed.

Associates of HIPAA-covered entities targets for breaches

Data breaches of medical entities have steadily increased over the past several years, according to figures from the U.S. Department of Health and Human Services’ Office for Civil Rights’ HIPAA Breach Reporting Tool. Of the 10 largest health breaches in 2022, half involved “business associates” of medical providers, the tool showed. The largest breach so far, of Wisconsin-based mailing vendor OneTouchPoint, exposed 3 million individuals’ personal information. Cybersecurity experts advised the health care industry to improve vetting of its third-party vendors and push for cybersecurity standards in contracts.

Advanced Data Protection for iCloud Expands Range of Protected Information

Apple will expand the range of data that users can protect with end-to-end encryption in iCloud. Currently, certain types of data – including health information, passwords, and payment card data – can be protected by end-to-end encryption. Apple plans to extend the protection to photos, notes, and iCloud backups. The feature is now available to users in the Apple Beta Software Program. It will be available to all US users by the end of this calendar year and will be rolled out worldwide early next year. See also: The FBI says Apple’s new encryption is “deeply concerning”

UCalgary research raises questions about internet security

Research by a University of Calgary internet security and privacy expert and a colleague at University of California Berkeley has led to web browser firm Mozilla removing an offshore company as a trusted “root certificate authority.” Root certificate authorities are the basis of trust for security on the internet, and their removal is rare and significant: any trusted root certificate authority can vouch for the legitimacy of any website.

Workplace Privacy

Stealth data collection threatens employee privacy

As enterprises deploy more types of cybersecurity and employee monitoring tools, they may be inadvertently exposing themselves, team members, and business partners to unnecessary privacy risks. The danger arises when enterprises acquire tools without fully understanding their data collection capabilities and scope. “IT leaders should be asking their vendors to provide information on the data they’re collecting, such as collection frequency and data types,” says Woody Zhu, assistant professor of data analytics at Carnegie Mellon University’s Heinz College of Information Systems and Public Policy.

+++

27 Nov–03 Dec 2022

Access to Information

Cape Breton Regional Police Service chastised by province’s privacy commissioner

Nova Scotia’s information and privacy commissioner has rebuked the Cape Breton Regional Police Service for ignoring a freedom of information request. In a ruling issued Nov. 24, commissioner Tricia Ralph said the force failed to respond to an applicant in August and subsequently failed to provide documents to the commissioner’s office. The applicant, who is not identified, had been seeking records on her own interactions with the force. “There is little analysis to be undertaken here,” Ralph wrote in her decision. “The law is crystal clear. The police [service] is required to issue a decision to the applicant within 30 days unless a time extension is taken, which was not done. This is concerning.”

‘Stonewalled’: Trans Mountain hides dealings with private security and spy firms

A federally owned pipeline company is withholding records that would expose its dealings with private security and intelligence firms by citing blanket exemptions under access-to-information law. Calgary-based Trans Mountain responded to a request to see its contracts with these agencies, along with reports delivered under those deals, by refusing to release a single piece of paper, prompting CBC News to lodge an official complaint.

Eby must fulfil NDP promises on freedom of information reform: Opinion

Last week, former attorney general David Eby was sworn in as the 37th premier of British Columbia. “We have to earn the trust of British Columbians every single day,” he proclaimed in his speech, ending with the words: “We’ve got so much important work to do. I can’t wait to get started with you.” One essential place to start would be to fulfil the unkept electoral promises his New Democratic Party made in 2017 to repair B.C.’s defective freedom of information law. The legislation now contains three statutory black holes that often render it almost inoperable:

  1. Section 13 of the act allows officials to seal records of policy advice.
  2. The law does not apply to the wholly owned subsidiaries of universities and Crown corporations.
  3. “Oral government,” whereby government officials don’t create or preserve records of their decisions or policy development because they don’t wish such records to ever be made public through the FOI process.

ECJ Ruling Deems Public Access to Beneficial Ownership Registers under 5AMLD invalid

On 22 November 2022, the European Court of Justice (“ECJ”) ruled [ECJ press notice, Joined Cases C-37/20 and C-601/20, InfoCuria] that the changes introduced by Directive 2018/843 (“5AMLD”), allowing unrestricted public access to beneficial ownership registers, are in breach of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. See also: Opinion: Private lives, public registers and the ECJ and Access to EU public registers ends: ‘We are going back to era of corporate secrecy’

Biometrics / Identity

Biometrics a key focus area for ICO’s regulatory sandbox

The U.K. Information Commissioner’s Office announced biometrics is a key area of focus for its regulatory sandbox. The ICO said it is interested in working with “innovative biometrics projects using personal data” in the public, education, recruitment and employment-monitoring sectors.

UK voter requirement an opportunity for biometric ID documents?

UK residents will have to show photographic identification when voting at polling stations in some elections from May 2023, following April’s passing of the Elections Act 2022. According to the new rules, supported IDs will include passports, driving licenses, biometric immigration IDs and specific electoral identity documents or cards, as already available in Northern Ireland. An LSE law professor believes that excluding university ID cards and young person’s travel cards from the lists “adds weight to criticisms that the new voter ID requirement is politically motivated.”

As more biometric data is collected in schools, parents need to ask these 10 questions

A Sydney high school recently introduced fingerprint technology to “help narrow down” students who were vandalizing school toilets. Some parents were supportive, but other parents and digital rights advocates raised privacy and security concerns. The NSW Education Department has since noted the school is still considering how it will handle anti-social behavior and the community will be “consulted”. While the fingerprint plan appears to have stalled, it shows how easily biometric technology can be introduced into schools. Here are some basic questions parents can ask if a biometric technology is being used or proposed in their child’s school:

  1. Exactly what information is being collected, when and why?
  2. How is the data being stored, processed, and analyzed?
  3. Who has access to the system and how will it be maintained over time?
  4. What data privacy and security provisions are in place?
  5. What happens if I/my child opts out?
  6. What implications are there for the time and expertise of teachers, and other school staff?
  7. Is there enough independent evidence to support claims a new technology will improve learning or school operations?
  8. How will funding this technology impact other school budget and resourcing priorities?
  9. Is there another way to address this issue, rather than using a biometric solution?
  10. Has my school community had a meaningful opportunity to learn about and discuss this change?

Children / Education Privacy

Yukon DOE ignores IPC order to halt school surveillance

The Yukon Department of Education rebuffed recommendations by the Office of the Information Privacy Commissioner to prohibit schools in the city of Whitehorse from using surveillance technologies against students. The DOE rejected an order to intervene on Nov. 16 after an IPC investigation revealed seven schools are conducting video surveillance, which the DOE allows at a school’s discretion. The DOE’s response to the initial complaint explained video footage does not come with audio and is retained for a maximum of 14 days.

Finland unveils new project focusing on children’s data protections

Finland’s Office of the Data Protection Ombudsman and TIEKE Finnish Information Society Development Centre recently announced GDPR4CHLDRN, a two-year project to facilitate protection of children’s data. Information on personal data processing will be provided to organizations involving children’s activities, minors and their parents, and tools will be developed to support data protection legislation. “Our goal is for children and young people to know the importance of data protection and their own rights better than they do now,” Deputy Data Protection Commissioner Heljä-Tuulia Pihamaa said.

Kids Online Safety Act may harm minors, civil society groups warn lawmakers

More than 90 advocacy groups penned a letter to U.S. Senate leadership opposing passage of the proposed Kids Online Safety Act. Groups opined the bill could “jeopardize young people’s access to end-to-end encrypted technologies” while carrying other unintended harms, including “additional forms of digital surveillance and control.”

DSK bans use of Microsoft Office 365 in schools, finds compliance issues left uncorrected

The Conference of the Independent Data Protection Authorities of Germany banned the use of Microsoft Office 365 in all schools. The ban came on the heels of concerns over the security of students’ data on U.S.-based cloud servers. Meanwhile, a working group of German DPAs found that after two years, Microsoft has not yet resolved any privacy compliance issues around its Microsoft Office 365 products. See also: German report details EU GDPR compliance issues for Microsoft 365

UK Online Safety Bill will return to Parliament next month

The proposed Online Safety Bill (OSB) has made a comeback on the Government’s legislative programme, with its remaining stages provisionally due to be debated on December 5. More than four years in the making, the Online Safety Bill in its current form would require social media and other platforms to protect their users from harmful content, with large fines and the threat of having their site blocked if they were found to breach the new rules, which will be overseen by Ofcom. See also: Surveillance powers in UK’s Online Safety Bill are risk to E2EE, warns legal expert and The Online Safety Bill will make life harder for victims

Consumers

Lawsuit alleges Facebook collects personal data for ad targeting

A lawsuit filed in London’s High Court accuses Facebook of “surveillance advertising” and calls on the company to stop the practice. The lawsuit, filed by technology and human rights activist Tanya O’Carroll, claims Facebook “violates general data protection regulations by processing and profiling her personal data that’s then tailored for the advertisements.” Meta recently announced privacy updates for teens on Instagram and Facebook, including default privacy settings for Facebook users under 16, or under 18 in certain countries.

Data Sciences

Synthetic data a key to privacy by design practices in new Canadian smart city partnership

Toronto-based nonprofit Innovate Cities and synthetic data generation provider Replica Analytics have joined forces to help cities transition from using personal data to using synthetic data. The partnership will provide municipalities with synthetic data based on real-life data points to achieve smarter solutions for each given city. (Article contains quotes by Ann Cavoukian and Khaled El Emam)

US Census bureau director defends differential privacy in 2020 tally

U.S. Census Bureau Director Robert Santos defended the agency’s use of differential privacy to shield 2020 census participants’ identities. Santos claimed differential privacy was the “best solution available” to prevent outside groups from reidentifying participants using third-party data and “powerful computers.” However, “prominent state demographers and academic researchers” previously urged the Census Bureau not to utilize differential privacy because it delayed data, created inaccuracies and found thousands of U.S. jurisdictions, such as census blocks, would not get “useable data” because of algorithms protecting confidentiality.
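The accuracy dispute above comes down to one property of the Laplace mechanism: the noise scale depends on the privacy budget, not on the size of the count, so a rural block and an urban tract receive the same expected error. The following is an added example, not the Census Bureau’s disclosure-avoidance code; the block populations and epsilon values are constructed.

```python
# Added example (not from the article): the Laplace mechanism that differential
# privacy systems use for counts, applied to constructed census-block populations
# to show why small blocks lose usable accuracy while large ones do not.
import math
import random
from statistics import mean


def laplace_noise(scale: float, rng: random.Random) -> float:
    """Draw from Laplace(0, scale) by inverting its CDF."""
    while True:
        u = rng.random() - 0.5          # uniform on [-0.5, 0.5)
        inner = 1.0 - 2.0 * abs(u)
        if inner > 0.0:                  # reject the measure-zero endpoint
            return -scale * math.copysign(1.0, u) * math.log(inner)


def privatize_count(true_count: int, epsilon: float, rng: random.Random) -> int:
    """Laplace mechanism for one counting query.

    Adding or removing one person changes a count by at most 1 (sensitivity 1),
    so noise with scale 1/epsilon gives epsilon-differential privacy. Rounding
    and clamping at zero are post-processing and do not weaken the guarantee.
    """
    noisy = true_count + laplace_noise(1.0 / epsilon, rng)
    return max(0, round(noisy))


def expected_abs_error(epsilon: float) -> float:
    """Mean absolute noise of Laplace(0, 1/epsilon) is exactly 1/epsilon,
    independent of the true count: every block gets the same noise."""
    return 1.0 / epsilon


def empirical_abs_noise(scale: float, draws: int = 20000, seed: int = 3) -> float:
    """Sanity check for the sampler: mean |noise| should approach the scale."""
    rng = random.Random(seed)
    return mean(abs(laplace_noise(scale, rng)) for _ in range(draws))


def mean_relative_error(true_count: int, epsilon: float,
                        trials: int = 2000, seed: int = 7) -> float:
    """Empirical mean |noisy - true| / true over repeated releases."""
    rng = random.Random(seed)
    errs = [abs(privatize_count(true_count, epsilon, rng) - true_count)
            for _ in range(trials)]
    return mean(errs) / true_count


def sequential_budget(epsilons) -> float:
    """Sequential composition: releasing several statistics about the same
    people spends the sum of their epsilons, which is why the budget is rationed
    across tables and geographies rather than spent freely on each one."""
    return float(sum(epsilons))


# Constructed block populations (not 2020 census figures).
CONSTRUCTED_BLOCKS = {"rural block": 12, "suburban block": 350, "urban tract": 4200}


def error_table(epsilon: float) -> dict:
    """Relative error per constructed block at one privacy-loss parameter."""
    return {name: mean_relative_error(pop, epsilon)
            for name, pop in CONSTRUCTED_BLOCKS.items()}


if __name__ == "__main__":
    for eps in (0.1, 0.5, 2.0):
        print(f"epsilon={eps}: expected |noise| = {expected_abs_error(eps):.1f} people")
        for name, rel in error_table(eps).items():
            print(f"  {name:15s} relative error {rel:6.1%}")
```

At epsilon 0.5 the same two-person expected error is a rounding detail for the 4,200-person tract but roughly a sixth of the 12-person block, which is the "unusable data" complaint in concrete terms.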

Amazon will warn against potential discrimination in AI offerings

Amazon will issue warning cards with some of its artificial intelligence-based products to bring light to potential discrimination issues the technologies may possess. The AI Service Cards will be attached to cloud-computing products, including facial recognition and audio transcription, to provide information on the limits of those services. One expert said the most important aspect of this move is “the commitment to do this on an ongoing basis and an expanded basis.”

AWS Key Management Service launches External Key Store

Amazon Web Services Key Management Service launched a new tool, the External Key Store (XKS), enabling customers to protect data with encryption keys under their own control. Customers can “encrypt or decrypt data with cryptographic keys, independent authorization, and audit in an external key management system outside of AWS.” XKS is based on “a new, external root of trust.” Root keys are stored in hardware security modules operated by the user. “When AWS KMS needs to encrypt or decrypt a data key, it forwards the request to your vendor-specific HSM.”
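The pattern described above is envelope encryption with the key-encryption key held outside the cloud provider. The following is an added example, not AWS code: a small model in which the KMS side generates data keys but only ever forwards wrap and unwrap requests to a customer-operated key holder, which keeps its own audit trail and can refuse. The class names, the HMAC-based keystream and the audit strings are constructed for illustration and are not the XKS proxy API or a vetted cipher.

```python
# Added example, not AWS code: a minimal model of the external-key-store pattern.
# The KMS side holds no root key; every wrap/unwrap of a data key is forwarded to
# the customer-operated key holder, which can refuse. ExternalKeyHolder, KmsFront
# and the HMAC keystream are illustration only, not the XKS API or a real cipher.
import hashlib
import hmac
import secrets


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256 (illustration only)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class ExternalKeyHolder:
    """Stands in for the customer's HSM: owns the root key, exposes only
    wrap/unwrap of data keys, keeps its own audit trail, and can go offline."""

    def __init__(self):
        self._root_key = secrets.token_bytes(32)   # never leaves this object
        self.available = True                      # customer-side kill switch
        self.audit = []

    def _require_available(self, op: str) -> None:
        if not self.available:
            self.audit.append(f"{op}:refused")
            raise PermissionError("external key store unavailable")

    def wrap(self, data_key: bytes) -> bytes:
        self._require_available("wrap")
        nonce = secrets.token_bytes(12)
        ct = keystream_xor(self._root_key, nonce, data_key)
        tag = hmac.new(self._root_key, nonce + ct, hashlib.sha256).digest()
        self.audit.append("wrap:ok")
        return nonce + ct + tag

    def unwrap(self, blob: bytes) -> bytes:
        self._require_available("unwrap")
        nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
        expected = hmac.new(self._root_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            self.audit.append("unwrap:rejected")
            raise ValueError("wrapped data key failed integrity check")
        self.audit.append("unwrap:ok")
        return keystream_xor(self._root_key, nonce, ct)


class KmsFront:
    """Stands in for the KMS side: generates data keys and forwards every
    wrap/unwrap to the external holder. It never sees the root key."""

    def __init__(self, holder: ExternalKeyHolder):
        self._holder = holder

    def generate_data_key(self):
        plaintext_dek = secrets.token_bytes(32)
        return plaintext_dek, self._holder.wrap(plaintext_dek)

    def decrypt_data_key(self, wrapped_dek: bytes) -> bytes:
        return self._holder.unwrap(wrapped_dek)


def encrypt_record(kms: KmsFront, plaintext: bytes):
    """Envelope encryption: data under a fresh DEK, DEK wrapped by the root key."""
    dek, wrapped = kms.generate_data_key()
    nonce = secrets.token_bytes(12)
    return wrapped, nonce + keystream_xor(dek, nonce, plaintext)


def decrypt_record(kms: KmsFront, wrapped: bytes, blob: bytes) -> bytes:
    dek = kms.decrypt_data_key(wrapped)
    return keystream_xor(dek, blob[:12], blob[12:])


def demo() -> dict:
    """Round trip, then show tamper detection and the holder's veto."""
    holder = ExternalKeyHolder()
    kms = KmsFront(holder)
    wrapped, blob = encrypt_record(kms, b"constructed customer record")
    results = {"roundtrip": decrypt_record(kms, wrapped, blob)}
    tampered = wrapped[:-1] + bytes([wrapped[-1] ^ 1])   # flip a tag bit
    try:
        decrypt_record(kms, tampered, blob)
    except ValueError:
        results["tamper_detected"] = True
    holder.available = False      # customer cuts KMS off from the root key
    try:
        decrypt_record(kms, wrapped, blob)
    except PermissionError:
        results["refused_when_offline"] = True
    results["audit"] = list(holder.audit)
    return results


if __name__ == "__main__":
    print(demo())
```

Once the holder goes offline, ciphertext already stored on the provider side stays unreadable to it, which is the control property the announcement describes.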

Digital Government

European Commission introduces public-sector interoperability legislation

The European Commission proposed the Interoperable Europe Act, aimed at streamlining public-sector data sharing across EU member states. According to the commission, the proposed legislation will support “trusted data flows” and “the creation of a network of sovereign and interconnected digital public administrations.” The commission added the proposal seeks to “ensure the seamless delivery of public services across borders, sectors and organisational boundaries.”

Health Privacy

BC doctors accused of spreading “misleading information” could be jailed under new law

During the pandemic, several doctors in the Canadian province of British Columbia hit the headlines for opposing Covid measures. State-sanctioned medical authorities responded by warning physicians that if they “put the public at risk with misinformation,” they may face investigations and regulatory action. Now, just 18 months later, these threats from medical authorities have evolved into a sweeping piece of legislation that includes two-year jail sentences for doctors who are deemed to be spreading certain types of “false or misleading information.”

B.C. premier’s expansion of involuntary medical treatment infringes on human rights: advocates

Advocates say the B.C. premier’s proposal to expand the scope of involuntary mental health treatment could further infringe on the rights of marginalized people. Involuntary or mandatory treatment is among Premier David Eby’s proposals to expand mental health care support, which also includes funding more mental health emergency teams — a pillar of his public safety plan. Involuntary treatment is allowed under B.C.’s Mental Health Act; a person can be detained in a psychiatric facility if a doctor deems it necessary for their health and safety, as well as the safety of others. But Eby is proposing to expand the system further, including by beefing up information sharing arrangements between police and medical professionals. Civil rights advocates say forced treatment is not based on science and called on the province to move away from the approach.

Alberta MLA Thomas Dang fined $7,200 for hacking COVID-19 vaccine records portal

An Alberta legislature member who admitted to hacking the province’s COVID-19 vaccine records portal has been ordered to pay a $7,200 fine. Thomas Dang was sentenced in the Provincial Court of Alberta in Edmonton by Judge Michelle Doyle. “Given the gravity of the offence, a sentencing court must impose a sentence that deters others from engaging in the sort of conduct that Mr. Dang engaged in,” Doyle said. See also: MLA Dang ordered to pay $7,200 for breaching Alberta vaccine portal

Saskatchewan IPC finds privacy violations in SHA fax use

The Saskatchewan OIPC ordered the Saskatchewan Health Authority to curtail its use of fax communications due to privacy concerns. The IPC found 42 instances of private information being faxed to the wrong recipient by the SHA since 2018. Additionally, the IPC found the SHA did not properly notify individuals or take necessary steps for further prevention following two recent data breach claims.

HHS Office of Civil Rights issues notice for entities using tracking technology

The U.S. Department of Health and Human Services Office of Civil Rights (OCR) has issued guidance to entities and business associates using tracking technology under HIPAA. OCR noted some regulated entities often share electronic protected health information with online tracking providers “in a manner that violates the HIPAA Rules.”

DSK introduces resolution for processing individuals’ health data

The Conference of the Independent Data Protection Authorities of Germany introduced a resolution for the processing of personal health data at its 104th conference. Federal Commissioner for Data Protection and Freedom of Information Ulrich Kelber said to balance using individual patient data for research purposes and maintaining their privacy, the DSK must establish “transparent and comprehensible rules … with the best legal and technical protection for the data subjects.” Measures will include encryption and pseudonymization of patient data by a trust authority.

Law Enforcement / Intelligence

Canadian Parliament calls for assessments of RCMP spyware use

Members of the Canadian Parliament’s House of Commons ethics committee recommended the federal government require privacy assessments when using “high-risk technological tools.” The report suggested a list of “banned spyware vendors” be compiled in the wake of disclosures the Royal Canadian Mounted Police utilized the technology. Following the report’s release, Privacy Commissioner of Canada Philippe Dufresne said he approved its recommendations, including amendments to the Privacy Act requiring government institutions to conduct privacy impact assessments.

Police searches intended to cause psychological harm, MLA Shannon Phillips alleges in lawsuit

MLA Shannon Phillips has filed a $400,000 lawsuit against several members of the Lethbridge Police Service, claiming illegal searches of police databases were an invasion of her privacy intended to cause her psychological and emotional harm.

RCMP’s new privacy-protecting unit at risk of failing due to resource crunch, documents reveal

An RCMP initiative to ensure that the force uses intrusive technological tools in accordance with Canada’s privacy laws is dealing with a lack of funding and staff, says an internal report. “Without external pressure … there is a possibility that the resources required to implement and institutionalize the program will not materialize,” the assessment says. The NTOP unit was launched by the Mounties last year as the federal Office of the Privacy Commissioner was investigating the RCMP’s use of a form of facial-recognition software.

Mobile / Location

Revamp of federal privacy law fails to fix deficiencies in current legislation: Citizen Lab report

Canadian privacy law lacks a clear governance framework for the collection and use of some personal information, Citizen Lab has concluded in a report examining how telecommunications companies shared de-identified and aggregated mobility data with the federal government during the COVID pandemic. Among the report’s recommendations, Citizen Lab calls on the federal government to change its recent private sector privacy legislation so Canadians are notified and have a say when private organizations plan to share their data with governmental institutions. The report, “Minding Your Business: A Critical Analysis of the Collection of De-identified Mobility Data and Its Use Under Socially Beneficial and Legitimate Business Exemptions in Canadian Privacy Law,” was authored by Amanda Cutinha and Christopher Parsons.

Online Privacy / Surveillance

Irish DPC serves Meta 265M euro fine

Ireland’s Data Protection Commission announced a 265 million euro fine to Meta over alleged EU GDPR violations. The fine is the third-largest GDPR penalty served to date, following a 405 million euro fine from Ireland to Meta in September. The DPC’s initial investigation, opened in April 2021, examined the alleged exposure of a data set of personal information from Meta’s Facebook. The probe concluded the platform violated Articles 25(1) and 25(2) of the GDPR.

Snapchat enables privacy feature to comply with CPRA

Snapchat will implement a feature enabling California-based users to ask the application to “limit the use of sensitive personal information.” The toggle switch is designed to comply with the California Privacy Rights Act, which takes effect Jan. 1, 2023. While the feature will appear in the privacy controls section of the app’s settings for all users, its function works only for users located in California.

ICE publishes vulnerable immigrants’ identities

U.S. Immigration Customs Enforcement accidentally posted the identities and detention locations of more than 6,000 immigrants fleeing “torture and persecution” on its website. Though all currently in ICE custody, the immigrants could be exposed to retribution from the gangs and governments they sought refuge from in the U.S. In a statement, ICE said the immigrants’ personally identifiable information was posted for “approximately five hours” and the disclosure, though accidental, was a “breach of policy.”

Regulators

Mandatory Privacy Breach Reporting and Management Program Requirements Come to B.C.

Big changes are coming to B.C.’s privacy laws. Effective February 1, 2023, new Freedom of Information and Protection of Privacy Act (“FIPPA”) sections (36.2 and 36.3) and regulations will come into force. For the first time, a B.C. privacy law will require breach reporting and the implementation of a privacy management program. A privacy management program will typically include:

  • a personal information inventory (or data mapping);
  • relevant policies (privacy policies addressing the various types of personal information being handled, such as employees and website visitors);
  • risk assessment and remediation tools and procedures;
  • education and training plans; and
  • processes to manage personal information in the hands of service providers.

A privacy management plan should also include an incident response plan which addresses these new breach notification requirements as well as remediation, mitigation, investigation and resolution of incidents. The B.C. Privacy Commissioner has provided guidance for public bodies on how to implement a privacy management program. The B.C. Government also has its own Privacy Management and Accountability Policy, which may be useful guidance for other public bodies.

Senators add more privacy protection to controversial online streaming bill

Senators have added stronger privacy protections to the Liberal government’s controversial online streaming bill, although other amendments to exclude smaller platforms and add a reference to consumer choice were voted down by Liberal-appointed senators. Sen. Julie Miville-Dechêne put forward an amendment she noted was first suggested by Privacy Commissioner Philippe Dufresne.

Australia passes Privacy Legislation Amendment Bill 2022

The Parliament of Australia approved final passage of the Privacy Legislation Amendment Bill 2022. The bill amends the Privacy Act of 1988 to increase data breach fines to AU$50 million, or penalties based on data monetization and 30% of adjusted quarterly turnover under a new three-factor penalty scheme. Australian Information Commissioner and Privacy Commissioner Angelene Falk said the changes create “closer alignment with competition and consumer remedies” under the EU GDPR and “facilitate engagement with domestic regulators and our international counterparts to help us perform our regulatory role efficiently and effectively.”

EDPS, ENISA agree to data security cooperation

The European Data Protection Supervisor and the European Union Agency for Cybersecurity signed a memorandum of understanding to forge a strategic cooperation on data protection and cybersecurity matters. The entities described the MOU as a partnership for “designing, developing and delivering” awareness campaigns and joint work on “cybersecurity aspects of data protection.” The agreement also includes commitments to adopting privacy-enhancing technologies and increasing relevant capacities and skills of EU public-sector personnel.

Israel’s PPA publishes privacy impact assessment guide

Israel’s Privacy Protection Authority published a guide with detailed recommendations on conducting privacy impact assessments. The PPA said the guide assists organizations in identifying privacy risks “at an early stage and will help them deal with them in a simpler and more efficient way, and usually, also at a lower financial cost.” While privacy impact assessments are not mandated by Israeli law, the PPA said reviewing privacy impacts “when setting up and managing new projects” benefits the organization and its customers.

German state DPA releases processor code of conduct

The Baden-Württemberg State Commissioner for Data Protection and Freedom of Information released a code of conduct for processors, offering standardized rules to support companies in applying the EU General Data Protection Regulation. Processors following the code submit to regular monitoring by a body accredited by the LfDI, Commissioner Stefan Brink said. “Self-regulation is an excellent opportunity to tailor data processing to the needs of industries — the GDPR provides this opportunity, which we are now implementing,” Brink said.

Security / Breaches

Ontario appeal court limits privacy claim in data breach lawsuits

The Ontario Court of Appeal set a precedent for future data breach lawsuits with a recent decision on a 2017 breach claim against Equifax. The court ruled against plaintiffs who sued based on intrusion upon seclusion, noting those grounds can’t be used against companies over their failure to prevent hackers from accessing databases. However, the court indicated future data breach cases can be brought on other grounds, including negligence and breach of contract, if actual financial loss stemming from the breach can be proven. See McCarthy Tétrault’s analysis of the Ontario appeal court’s decision. Also: Blakes, Cassels & Graydon and Torys.

Ontario school board trying to recover from cyber incident

An Ontario public school board continues trying to recover from what it calls a cyber incident. The Durham District School Board, which serves 75,000 students and approximately 14,000 staff across the Region of Durham east of Toronto, said in a website statement that it is still working with external consultants to help determine the scope and extent of the attack.

UK announces mandatory cyber incident reporting for managed service providers

The U.K. announced an update to the Network and Information Systems Regulations, including mandatory incident reporting obligations for managed service providers and minimum security requirements with fines of up to 17 million GBP for noncompliance. The government said essential services must notify regulators “of a wider range of incidents that disrupt service or which could have a high risk or impact to their service, even if they don’t immediately cause disruption.”

NIS2 Directive clears Council of the European Union

The Czech Presidency of the Council of the European Union approved the NIS2 Directive, a modernized framework based on the EU Network and Information Security Directive. Czech Deputy Prime Minister for Digitalization and Minister of Regional Development Ivan Bartoš said the EU “took another step to improve our capacity to counter” cybersecurity threats that “remain a key challenge for the years to come.” The directive will soon be published in the Official Journal of the European Union and take effect 20 days thereafter. Member states will have 21 months to incorporate the directive into national law.

Security expert dives deeply on four types of email attack

In a recent ITWC briefing, Roger A. Grimes, Data-Driven Defense Evangelist, KnowBe4, said there are many types of email attack being employed by hackers today, but he focused on the top four:

  • Password hash theft, in which a hacker intercepts and steals an encrypted password;
  • Spray attacks, where a hacker defeats restrictions on the number of unauthorized logins allowed;
  • Rogue password recoveries, which allow a hacker to change your password, even bypassing multi-factor authentication; and
  • Bad form exploits, in which a hacker uses mailbox automation tools to hide an attack.

People are used to getting phishing emails, or having someone ask them for their password. But attacks are growing increasingly sophisticated. With 2023 approaching, companies would do well to take a deeper look at the kinds of things hackers are doing. View on demand: Incredible Email Hacks You’d Never Expect and How You Can Stop Them

Massive Twitter data breach was far worse than reported, reveal security researchers

A massive Twitter data breach last year, exposing more than five million phone numbers and email addresses, was worse than initially reported. It had previously been thought that only one hacker gained access to the data, and Twitter’s belated admission reinforced this impression …

WhatsApp data breach sees nearly 500 million user records up for sale

A post on a “well-known hacking community forum” claims almost half a billion WhatsApp records have been breached and are up for sale. The post, which multiple sources have confirmed is likely to be true, claims to be selling an up-to-date 2022 database of 487 million mobile numbers used on WhatsApp, containing data from 84 countries. This means that almost one-quarter of WhatsApp’s estimated two billion monthly active users are possibly at risk.

Canada Post employee arrested for stealing over 500 items, Alberta RCMP say

A Canada Post employee in Wainwright, Alta. has been arrested after a search warrant revealed the employee had over 500 post items in a home and vehicle, authorities said. The items, which were supposed to be delivered by the employee, were seized by Wainwright RCMP, the Eastern Alberta District Crime Reduction Unit, and Canada Post postal inspectors on Nov. 23.

Hyundai vulnerability allowed remote hacking of locks, engine

Researchers discovered flaws in a number of apps linked to car brands that exposed personal details and allowed remote control of vehicles using easily obtained IDs. The exploit affects Hyundai and Genesis cars released since 2012 and targets a weakness in the handling of insecure vehicle data in mobile apps intended for use by the vehicles’ owners.

Workplace Privacy

In ruling on disclosure of airplane cockpit voice recordings, SCC considers pilot privacy

In a class action stemming from an airplane accident, a judge made no error when he denied the Transportation Safety Board of Canada’s (TSB) request to make submissions, in camera, on the disclosure of recordings from the cockpit’s on-board voice recorder, the Supreme Court of Canada has found. [see: Canada (Transportation Safety Board) v. Carroll-Byrne, 2022 SCC 48 dated November 25, 2022 – case in brief & docket]

+++

20–26 November 2022

Access to Information

PM, federal ministers should not be exempt from access laws: former top public servant

Canada’s former top public servant says the offices of the prime minister and federal ministers should no longer be exempt from access-to-information law, and there should be a greater onus throughout the federal government to pro-actively disclose as much information to the public as possible. Speaking to the House of Commons committee on access to information, Michael Wernick said public servants are already subject to access requests and that this should be expanded to include all “taxpayer-funded political staff” including at the top levels of the federal government.

Lawyers frustrated by Ottawa’s disclosure of documents at Emergencies Act inquiry

Lawyers at the inquiry into the federal government’s use of the Emergencies Act last winter say Ottawa has been too slow to disclose documents and are raising concerns about a lack of transparency. Thousands of pages of documents have been submitted into evidence at the Public Order Emergency Commission. Paul Champ, the lawyer representing Ottawa residents and businesses affected by the demonstrations, says documents from the federal government are coming too late in the process. Hundreds more documents are expected to be submitted this week. Documents already submitted into evidence include text messages between ministers and their staff, along with emails, internal police communications, intelligence reports and more.

Biometrics / Identity

US biometric surveillance database reaches 10,000 data points

A privacy advocate’s database counting the U.S. government bodies that surveil citizens’ biometric identifiers reportedly now has 9,850 data points. The Atlas of Surveillance, created by the Electronic Frontier Foundation in 2019, is a map of the U.S. that can be searched and filtered to see all the locations so far known to the foundation to use some form of biometric surveillance. It started with 250 data points, and now reportedly contains information on 5,500 law enforcement agencies in all 50 states and multiple territories and districts. The organization says it gathers data through hundreds of FOI requests, crowdsourcing, student researchers, interns and volunteer work. The atlas tracks 12 categories, including body-worn cameras, drones, license plate readers, Ring/Neighbors partnerships with device owners, facial recognition and video analytics.

Scottish government to pilot digital identity platform in early 2023

Scotland will pilot a digital identity platform with Disclosure Scotland in early 2023. Disclosure Scotland users will be able to use secure sign-on and online identity verification. Scotland’s Policy Lead for Digital Identity Gavin Ross said they are focused on supporting Social Security Scotland and health services.

Belgium plans rollout of digital ID wallet next year to compete with itsme

The Belgian government plans to introduce an application from 2023 to hold mobile driver’s licenses and other credentials. The Secretary of State for Digitalisation indicated that the myID.be wallet will contain the digital version of citizens’ national ID cards, which can be used for official transactions. The digital wallet will provide an alternative to the popular itsme app. VRT NWS reports it is accessed through a QR code, while itsme logins are carried out with the user’s phone number.

ID fraud costs passed on to UK consumers

A recent report by GBG suggests consumers are gradually picking up the cost of digital identity fraud. According to the report, 87% of UK business leaders confirmed identity fraud costs are being passed on to consumers. The same study also found that two in three people in the UK think that businesses are cutting corners when it comes to protecting them from fraud by failing to check and verify people’s identities online. GBG also recently announced a new no-code onboarding tool with face biometrics and liveness detection.

Children / Education Privacy

France says non to Office 365 and Google Workspace in school

The French minister of national education and youth has said that free versions of Microsoft Office 365 and Google Workspace should not be used in schools – a position that reflects ongoing European concerns about cloud data sovereignty, competition, and privacy rules. Last week, the Ministry of National Education published a written reply to confirm that French public procurement contracts require “consideration” – payment. “Free service offers are therefore, in principle, excluded from the scope of public procurement,” the Ministry statement says, and Minister Ndiaye has reportedly confirmed this position.

Online proctoring biometrics use fails to meet Canadian legal threshold, report says

Online proctoring tools for conducting remote exams do not go far enough to ensure free, clear and individual consent from Canadian students whose biometric data they collect, according to a new report published by the University of Ottawa and supported by the OPC. The report points to familiar issues with AI discrimination and biometric errors. The report concludes with a series of recommendations pertaining to how AI is defined and categorized, and how human oversight of evolving surveillance technologies can help maintain transparency and reduce error and bias.

VR devices used in schools violate privacy laws

An analysis by Common Sense Media identified serious privacy concerns with the seven most popular virtual reality devices used in schools. Senior Counsel and Privacy Program Director Girard Kelly said the research and advocacy organization cannot recommend “any device right now for schools and districts that wouldn’t potentially be violating state or federal privacy laws.” The report states the examined devices display third-party advertising, have unclear privacy policies or note user data could be used for advertising and tracking purposes.

Meta unveils teen privacy updates

Meta introduced new privacy updates for teens on Instagram and Facebook, including default privacy settings for Facebook users under 16 or 18 depending on their country of residence. Facebook says it will also be encouraging teens already on the app to choose its new more private settings for:

  • Who can see their friends list
  • Who can see the people, Pages and lists they follow
  • Who can see posts they’re tagged in on their profile
  • Reviewing posts they’re tagged in before the post appears on their profile
  • Who is allowed to comment on their public posts

Consumers

FCC: ‘Ringless voicemails’ subject to robocalling rules

In a unanimous decision, the U.S. Federal Communications Commission said callers must obtain consent prior to delivering “ringless voicemails.” Under the Telephone Consumer Protection Act, callers may not make non-emergency calls using automatic telephone dialing systems without prior express consent of the called party.

Australian renters in the dark over use of data by tech company Snug

One of Australia’s fastest growing rental application platforms is using renters’ data in obscure and potentially discriminatory ways to “score” their applications against rental properties, and gives them a higher score when they offer to pay more rent, an investigation found.

Data Sciences

Credit reporting agency tests token-based privacy technology

Credit reporting agency TransUnion is testing token-based technology to encrypt customers’ sensitive data so it is not visible when a third party requests a credit report. TrueZero, created by Spring Labs, encrypts the sensitive data, including personally identifiable information, in tokens before it is viewed by a third party. Spring Labs CEO John Sun said sensitive information entails “anything that’s used universally as an identifier for that customer.”

Health Privacy

Canada’s health-care system has a data problem, experts say

Canada has no national database allowing its more than 100 health authorities and regions to compare human resources and health data. This includes everything from wait times to staffing shortages. Last May, the dire need for better health-data sharing was outlined in a report, called the Pan-Canadian Health Data Strategy, which noted that, if a stronger health data foundation had been in place, “health inequities experienced during the pandemic would have been reduced and lives would have been saved.” A recent effort to tie increased federal health-care funding to the creation of a national health database, intended to provide more fiscal accountability, failed last week after talks between Canada’s federal, provincial and territorial health ministers collapsed.

Big Brother Watch report suggests thermal screening tools in pandemic may have been unlawful

The scientific evidence to support the use of thermal screening to reduce the transmission of Covid-19 during the pandemic was very weak or inconclusive. The claims come from a new legal opinion commissioned by UK-based non-profit Big Brother Watch which says infrared screening for temperature “results in large numbers of false positives, either offering false reassurance or unnecessary alarm – and potential exclusion of the person from work or leisure activities.”

Lawsuit alleges contact tracing app installed without users’ consent

A lawsuit filed in the U.S. District Court of Massachusetts claims the Massachusetts Health Department installed a COVID-19 contact tracing application on more than 1 million Android mobile devices without consent.

State attorneys general urge Apple to protect reproductive health data

In a letter to CEO Tim Cook, 10 state attorneys general urged Apple to protect consumers’ reproductive health information from misuse. The attorneys general said the company should require application developers to delete nonessential data, provide notice of potential data disclosure to third parties and implement privacy and security standards around the collection of reproductive health data.

New healthcare privacy challenges as online data tracking, sharing methods evolve

With security concerns, including a potential breach and a class-action suit, around Meta Pixel and other web tracking tools, health systems should be considering “all the ways PHI may be used, disclosed and accessed,” says a former OCR investigator.

UK parents lose their legal battle to use son’s sperm while he was in a coma

The urgent case was heard in the Court of Protection while the man, who has since died, was in a coma. Mr Justice Poole ruled the procedure would be an ‘invasion of his privacy’ and said there was insufficient evidence that the man would have consented.

Law Enforcement / Intelligence

RCMP use of spyware warrants update to Canada’s privacy laws, MPs say

Canada should update its privacy laws in the wake of revelations that the country’s national police force uses spyware to hack mobile devices, a parliamentary committee says. The House of Commons ethics committee is recommending the federal government require privacy assessments for the use of “high-risk technological tools” that collect personal data, according to a report tabled this week. The report, which received all-party support, also says Ottawa should make a list of banned spyware vendors and set “clear rules on export controls over surveillance technologies.” However, it does not recommend a moratorium on the use of spyware by police.

UK security fears spark Chinese camera ban

The British government has told its departments to stop installing Chinese-linked surveillance cameras at sensitive buildings, citing security risks. The decision comes after a review of “current and future possible security risks associated with the installation of visual surveillance systems on the government estate”, cabinet office minister Oliver Dowden said in a written statement to parliament.

Mobile / Location

Citizen Lab adds to chorus of criticism over Ottawa’s new data privacy bill

Ottawa’s contentious use of Canadians’ mobility data early in the COVID-19 pandemic should serve as a warning the government needs to strengthen its proposed new private-sector privacy law, the Toronto internet-security and human-rights organization Citizen Lab says. The report adds to broad criticism from the privacy community of the Consumer Privacy Protection Act, which was introduced as part of Bill C-27 in June. The Citizen Lab report argues the federal government’s use of location data from Telus Corp. and BlueDot Inc. – which allowed Ottawa to track the movement of millions of devices to understand population movements in the era of rolling COVID-19 lockdowns – could create a slippery slope in which such data could restrict human rights.

Apple iPhone data not as anonymous as company says: researchers

App developers claim that analysis shows the detailed analytics data Apple records about what users do in the App Store can be linked directly to accounts. Mysk researchers said Apple’s analytics data include a Directory Services Identifier (DSID), which uniquely identifies an iCloud account and is associated with name, email and any other iCloud-related data. Mysk said the tech giant’s claims in its device analytics and privacy statement that the collected data does not personally identify users is “inaccurate,” and that the App Store continues to send detailed analytics to Apple even when sharing analytics is turned off. Mysk said there was no way to stop it.

Online Privacy / Surveillance

Lawsuit alleges Facebook collects personal data for ad targeting

A lawsuit filed in London’s High Court accuses Facebook of “surveillance advertising” and calls on the company to stop the practice. The lawsuit claims Facebook “violates general data protection regulations by processing and profiling her personal data that’s then tailored for the advertisements.” Meta recently announced privacy updates for teens on Instagram and Facebook, including default privacy settings for Facebook users under 16, or under 18 in certain countries.

Tax filing websites sending users’ financial information to Facebook

A report co-published by The Markup and The Verge found that several tax-filing services, including H&R Block, TaxAct and TaxSlayer, have shared users’ financial data with Meta’s Facebook. According to the report, data was shared through a piece of tracking code called the Meta Pixel and included contact information, filing status, refund totals and dependents’ scholarship information. An H&R Block spokesperson said the company evaluates its practices regularly and “will review the information.”

Regulators

German state DPA releases processor code of conduct

The Baden-Württemberg State Commissioner for Data Protection and Freedom of Information released a code of conduct for processors, offering standardized rules to support companies in applying the EU GDPR. Processors following the code submit to regular monitoring by a body accredited by the LfDI, Commissioner Stefan Brink said. “Self-regulation is an excellent opportunity to tailor data processing to the needs of industries — the GDPR provides this opportunity, which we are now implementing.”

ICO publishes transfer risk assessment guidance

The U.K. Information Commissioner’s Office announced new guidance and resources for data transfer risk assessments. The ICO said its guidance presents an “alternative, achievable approach” compared to the European Data Protection Board’s guidelines and touted the assessment process as “reasonable and proportionate.” The assessment tool rolled out by the ICO evaluates risk based on “whether the transfer significantly increases the risk of either a privacy or other human rights breach.”

FTC urged to minimize commercial surveillance, regulate children’s digital services

31 U.S. state attorneys general wrote a letter to the U.S. FTC calling for mandated data collection limits. The group said consumers are “coerced into sharing more personal data than they otherwise intended to” based on the current notice-and-choice regime that is “largely failing consumers.” Also, 21 advocacy groups sent a petition to the FTC urging the agency to regulate against potentially harmful design techniques associated with children’s online services.

National Standard of Competency for Privacy and Access Professionals

Innovative technologies, new laws, and consumer expectations have increased the demand for data protection professionals who are competent to protect personal privacy and ensure organizational compliance with domestic and foreign laws and regulations. The new National Standard of Competence for privacy, access, and data protection sets out the core competencies required and covers a range of key areas, including information privacy, access to information, and data protection. The standard applies across public, private, and non‑profit organizations, and is equally relevant to all sectors of the economy. See National Standard of Canada (CAN/CIOSC 109-1:2022).

Security / Breaches

EU Council releases new proposed Cyber Resilience Act text

The Czech Presidency of the Council of the European Union released new text on the proposed Cyber Resilience Act, legislation intended to enact cybersecurity requirements for connected devices and related services. In addition, the text does not prevent member states from imposing national restrictions on digital products, including bans, on national security grounds.

One in five public-facing cloud storage buckets expose sensitive data

Public-facing cloud storage buckets are a data privacy nightmare, according to a study by Laminar Labs’ research team, who recently found that one in five public-facing cloud storage buckets contains personally identifiable information (PII) – and the majority of that data isn’t even supposed to be online in the first place. The information uncovered by the researchers includes physical addresses, email addresses, phone numbers, driver’s license numbers, names, loan details, and credit scores.

About 40,000 people affected by SLGA security breach: commissioner’s report

The personal information of approximately 40,000 people connected to Saskatchewan’s Liquor and Gaming Authority (SLGA) was compromised during a 2021 Christmas Day cybersecurity attack, according to the province’s information and privacy commissioner’s report on the incident.

OSSTF confirms current and past members’ information compromised in cyberattack

The Ontario Secondary School Teachers’ Federation (OSSTF) confirmed that a number of its current and past members’ information was breached in a cyberattack. The organization discovered a third party accessed and encrypted its system between May 24 and May 30, 2022. The organization did not confirm how many people were impacted but did confirm that the hack involved current and past people employed by OSSTF.

Workplace Privacy

Booz Allen says former staffer downloaded employees’ personal data

U.S. government contractor Booz Allen Hamilton disclosed that a former staffer downloaded potentially tens of thousands of employees’ personal information from the company’s internal network. The notice said that the report downloaded by the employee contained, “your name, Social Security number, compensation, gender, race, ethnicity, date of birth, and U.S. Government security clearance eligibility and status as of March 29, 2021.” Booz Allen said the report containing the personal information was “improperly stored on an internal SharePoint site,” but did not say what circumstances led to the discovery of the data.

Privacy and employment law: a new era of privacy rights in Ontario workplaces?

Since the Ontario Court of Appeal decision in Elementary Teachers Federation of Ontario v York Region District School Board, 2022 ONCA 476, many employers continue to grapple with understanding workplace privacy as well as understanding how the Canadian Charter of Rights and Freedoms applies to different Ontario workplaces. [Gowlings Brief]

Device repair technicians snoop on your personal data, remove their tracks: report

Researchers from the University of Guelph have found electronics repair technicians often snoop through customers’ data. Computer scientists tested the privacy practices of 18 repair shops in North America in their research paper “No Privacy in the Electronics Repair Industry.” To protect data, the authors argue the solution requires work from three parties: device manufacturers, service providers, and regulatory bodies. Device manufacturers can provide the ability to create guest accounts, which limit access to the device while it is being repaired. For example, Samsung introduced a “repair mode,” which protects data on its devices. Service providers need to develop policies that protect customers’ data from technicians. Regulatory bodies also need to play a role in keeping such information safe.

+++