Access to Information
OpenMedia delivers 104,000 signatures opposing Bill C-11 to the Senate
OpenMedia, a non-profit organization working to keep the internet “open, affordable, and surveillance-free,” delivered a petition opposing the controversial Bill C-11 (aka the Online Streaming Act) with over 104,000 signatures to the Senate. Bill C-11 is an amendment to the Broadcasting Act that aims to support the creation and promotion of Canadian content online. It is designed to give the Canadian Radio-television Telecommunications Commission (CRTC) regulatory authority over online streaming platforms like YouTube, Netflix, and others. In its current form, however, experts believe Bill C-11 is too vague and gives the CRTC too much power. It could potentially even put user-generated content under the watchdog’s purview — in fact, outgoing chair Ian Scott previously admitted it will do as much.
Biometrics / Identity
New Zealand’s OPC explores biometrics code of practice
New Zealand’s Office of the Privacy Commissioner is exploring a Code of Practice for Biometrics. Privacy Commissioner Michael Webster said the office received 100 submissions to a consultation paper on privacy regulation of biometrics released in August, showing “a real high level of interest.” Concerns included protections of such sensitive information and discriminatory impacts of biometrics use. See also: Biometrics are even less accurate than we thought
AI-generated fake faces have become a hallmark of online influence operations
Fake accounts on social media are increasingly likely to sport fake faces. Facebook parent company Meta says more than two-thirds of the influence operations it found and took down this year used profile pictures that were generated by a computer. As the artificial intelligence behind these fakes has become more widely available and better at creating life-like faces, bad actors are adapting them for their attempts to manipulate social media networks.
Face biometrics coming to vehicles will allow keyless access and more
Genesis Motor Europe and an Oshawa, Canada tech startup are both introducing new biometrics capabilities for keyless access and feature control in automobiles that could make that tangle of keys in your pocket obsolete. Genesis’ GV60 electric SUV will be “the first car in the world to feature pioneering face recognition technology as part of biometric vehicle entry and engine start.” The Face Connect system uses a face sensor and a deep-learning image processing controller to enable drivers to lock and unlock their cars without a physical key. Via an app, additional biometric features will allow drivers to start their cars with a fingerprint.
Children / Education Privacy
Quebec information commission releases children’s privacy review
The CAI released a report regarding potential children’s privacy amendments to provincial privacy legislation. Themes reviewed in the report include going beyond parental consent for children’s data use, improved privacy awareness for parents and children, and proposals for prohibited data collection practices.
Study finds 96% of apps used in US schools share student personal information
In the U.S., 96% of applications used in schools share student personal information with third parties, according to a study by Internet Safety Labs. The data is shared with advertisers, often without informing or obtaining consent from students or the schools, the study found. Internet Safety Labs researchers examined 13 schools in each state for a total of 663 schools, with a total student population of approximately 500,000. Schools typically had more than 150 “approved technologies for classrooms.” The study found roughly 25% of recommended or school-required apps included advertisements and 13% included “retargeting ads.”
ICO creates Children’s Code design tests
The U.K. ICO created design tests to help designers assess whether products or services likely to be accessed by children comply with the Children’s Code. The ICO said the tests will support designers in creating “online experiences that protect children’s personal data,” noting, “Each test provides a report detailing areas of good practice as well as steps you can take to improve your conformance.”
Trade association sues over California Age-Appropriate Design Code Act
Technology trade association NetChoice filed a lawsuit against the state of California aiming to block the California Age-Appropriate Design Code Act from taking effect. The group, whose membership includes most major Big Tech platforms, submitted a complaint alleging the recently-passed legislation “presses companies to serve as roving censors of speech on the internet.” The law is set to take effect July 1, 2024, and includes requirements for privacy-by-default settings and data protection impact assessments.
Consumers
AI art and text is getting smarter, what comes next?
In recent weeks, the latest versions of AI art-creating tools, along with a compelling new AI chatbot, have flooded social media. The tools can be fun, with people creating artistic and enhanced selfies using Lensa, strange concept art with DALL-E 2, or exploring the way the chatbot, ChatGPT, creates seemingly original and complex prose in seconds. But the new tools are also a demonstration of how powerful AI has become, and hint at a relatively near future where it could convincingly replace human workers. Will Knight, senior writer with WIRED, discusses what’s behind these popular new AI tools, some of their pitfalls, and the impact they’re already having on society.
Data Sciences
New compromise AI Act amendments released
New compromise amendments to the Artificial Intelligence Act, excluding general-purpose AI from high-risk systems, have been released. The 10th round of compromise amendments is expected to be discussed Dec. 14. AI systems are considered high risk if their failure or malfunction puts individuals’ health, safety or fundamental rights at risk. Additional wording states the high-risk categorization only applies to systems with an intended purpose. “Pending discussions, GPAI (general-purpose AI) will be treated separately,” a note in the text states.
Enforcement of NYC’s automated employment bias law postponed
Enforcement of New York City’s Automated Employment Decision Tools law, which was to take effect Jan. 1, 2023, has been postponed to April 15, 2023. The Department of Consumer and Worker Protection announced the postponement is due to a “high volume of public comments” and said a second public hearing is being planned. Under the law, employers or employment agencies must conduct an independent bias audit before using artificial intelligence employment tools.
ICO publishes first Tech Horizons Report
The U.K. Information Commissioner’s Office published its first Tech Horizons Report. The annual report “examines the implications of some of the most significant technological developments for privacy in the next two to five years” in fields including consumer health care, Internet of Things devices and immersive technologies. The creation of the Tech Horizons Report was born out of the ICO25 strategy to help inform society about “emerging technologies to reduce burdens on businesses, support innovation and prevent harms.”
Digital Government
Senator seeks FTC probe of data sales to U.S. government agencies
U.S. Sen. Ron Wyden, D-Ore., asked the U.S. FTC to investigate internet infrastructure company Neustar Security Services’ sale of data to the federal government. Wyden wants the FTC to review whether the company should have warned consumers it was selling information on where they went online. Many whose data was sold reportedly did not know they interacted with Neustar as data was obtained from domain name lookup services the company gave to internet service providers.
Microsoft rolls out ‘data boundary’ for EU cloud customers
Microsoft is beginning a phased rollout of its “EU data boundary” enabling EU cloud customers to process and store data in the region. The “EU data boundary” applies to Microsoft’s core cloud services. A first phase will include customer data, followed by logging and service data,
Health Privacy
Quebec to introduce personal health file access
The Legault government has introduced Bill 3, aimed at streamlining the way patients access their health data, as well as the way data is shared with professionals. It is meant to allow patients to more easily access their health files, see the history of who else viewed their file and provide or deny access to other professionals. The program will create a consistent medical file that tracks patients across different doctors, as opposed to different health professionals possessing different files on a patient. The bill is an updated version of Bill 19, which was introduced in 2021 but died on the order paper.
BC OIPC: Public health system has unaddressed ‘vulnerabilities’
The BC OIPC released a report alleging the Provincial Health Services Authority did not properly respond to “security and privacy vulnerabilities” in the public health database it manages. The OIPC cited “vulnerabilities requiring immediate attention,” including issues with auditing, encryption and multifactor authentication. See also: Database of British Columbians’ personal health information is ‘disturbingly’ vulnerable: privacy watchdog
Law Enforcement / Intelligence
OECD to finalize framework on government access to personal data
Officials from the U.S. and more than 30 OECD member states adopted an agreement on safeguarding privacy when accessing personal data for national security and law enforcement reasons. The OECD Declaration on Government Access to Personal Data Held by Private Sector Entities clarifies how law enforcement and security agencies can access personal data. The agreement will enable data flows “with the safeguards needed for individuals’ trust in the digital economy and mutual trust among governments regarding the personal data of their citizens.”
Colorado woman sues detective over false location ping
A Colorado woman is suing a Denver police detective after a false ping by Apple’s “Find my iPhone” feature resulted in a SWAT raid of her home. The detective used the woman’s address as the basis for the raid, after the owner of a stolen truck identified its location through the “Find My” app. The complaint states the app determines approximate locations and “is not intended as a law enforcement tool.”
Mobile / Location
UK releases code of practice to improve app privacy, security
The U.K. released a voluntary code of practice to improve security and privacy requirements on applications and app stores. New measures include improved reporting of software vulnerabilities and enhanced transparency around privacy and security for app users.
US Senate passes bill to ban TikTok on government devices
The U.S. Senate passed legislation banning federal government employees from downloading TikTok on government-owned devices. TikTok claimed it does not share U.S. user data with the Chinese government and stores the data with Oracle cloud software. TikTok is currently undergoing the national security review process with the U.S. Committee on Foreign Investment. Meanwhile, at least seven states have said they will ban employees from using TikTok on government devices citing data security concerns. See also: Canada ‘closely monitoring’ U.S. bill to ban TikTok, government says
Online Privacy / Surveillance
Man jailed in first doxxing sentencing under Hong Kong privacy law
A 27-year-old man will serve 8 months in jail for disclosing his ex-girlfriend’s personal information on social media without consent in the first doxxing sentencing under Hong Kong’s Personal Data (Privacy) Ordinance. “The court must send a clear message that, save for very exceptional cases, it will not condone this type of offence,” acting Principal Magistrate David Cheung Chi-wai said.
Elf on the Shelf has a sinister side, says UOIT prof
Those big blue eyes and blushing cheeks look innocent enough, but one Toronto academic believes the Elf on the Shelf is teaching kids to accept a surveillance state. In her paper, Who’s the Boss, published by the Canadian Centre for Policy Alternatives, Laura Pinto argues Santa’s spying little helper “sets up children for dangerous, uncritical acceptance of power structures.”
A faster way to preserve privacy online
New research enables users to search for information without revealing their queries, based on a method developed by MIT researchers that is 30 times faster than comparable prior techniques.
Regulators
Quebec information commission releases annual report
Quebec’s data protection authority published its 2021-2022 annual report after tabling in the National Assembly. Notably, the CAI said it received only 25% of the budget increase it requested to address implementation of updates to the province’s private sector privacy law. The commission said lower funding “will not allow it to make all the changes required by the new responsibilities entrusted to it in a timely manner.” See also: The president wants more money to enforce the new laws and Some thirty companies reported leaks in two months
OAIC announces 2023 Privacy Awareness Week dates
The Office of the Australian Information Commissioner announced Privacy Awareness Week will take place May 1-7, 2023. “Privacy Awareness Week is an annual event to raise awareness of privacy issues and the importance of protecting personal information,” the OAIC said. The event is conducted alongside Australian state and territory data protection authorities as well as members of the Asia Pacific Privacy Authorities forum.
Security / Breaches
Company privacy leaders call for standardization of breach reporting requirements
International leaders in cybersecurity and privacy are calling for the EU, U.K. and U.S. to better sync their data breach reporting requirements. Multinational companies claim reporting requirements that vary by jurisdiction can create compliance issues. U.S. National Cyber Director Chris Inglis said reporting requirements should be synchronized within U.S. government agencies. U.S. Department of Homeland Security Undersecretary for Strategy, Policy and Plans Robert Silvers called for more cooperation with foreign governments on breach reporting requirements.
Spyware and surveillance-for-hire industry ‘growing globally’: report
The spyware and surveillance-for-hire industry is “indiscriminately” targeting journalists, activists and political opposition, and growing on a global scale, the social media company Meta warned. In a new report, the company said it has “continued to investigate and take actions against spyware vendors around the world, including in China, Russia, Israel, the United States and India, who targeted people in about 200 countries and territories.” Meta was one of the first to publicly challenge the spyware industry back in 2019, when it began legal proceedings against Israeli firm NSO Group for hacking into approximately 1,400 WhatsApp users’ mobile devices. The report details the tactics being used by spyware and hacking companies, in particular an Indian business called CyberRoot previously exposed by a Reuters investigation into Indian mercenary hackers.
Uber suffers new data breach after attack on vendor, info leaked online
Early Saturday morning, a threat actor named ‘UberLeaks’ began leaking data they claimed was stolen from Uber and Uber Eats on a hacking forum known for publishing data breaches. The leaked data includes numerous archives claiming to be source code associated with mobile device management platforms (MDM) used by Uber and Uber Eats and third-party vendor services. The newly leaked data consists of source code, IT asset management reports, data destruction reports, Windows domain login names and email addresses, and other corporate information. One of the documents includes email addresses and Windows Active Directory information for over 77,000 Uber employees. Uber said it believes it is related to a security breach on a third-party vendor.
FBI’s InfraGard US Critical Infrastructure Intelligence Portal Hacked
A database containing the contact details of more than 80,000 high-profile private sector people is now up for sale on a cybercrime forum. The FBI has seen one of its key databases hacked, and it looks as though a major security failure on the part of the bureau is to blame.
Workplace Privacy
Federal public servants must return to office two or three days a week
Federal public servants will be required to return to the office for two or three days a week, Treasury Board President Mona Fortier announced. Employees in the core public service across all departments must begin phasing in a return-to-office plan in mid-January, working in the office two or three days per week, or 40 to 60 per cent of their regular schedule.