Access to Information
UK Cabinet Office faced criminal probe over blocked Spycatcher documents
A criminal investigation team at the UK freedom of information watchdog has examined a complaint against the Cabinet Office, after it blocked the release of files concerning the intelligence agent Peter Wright and the Spycatcher affair. The review concluded that while there was “a lack of clarity and changes of explanations” from Cabinet Office officials, the legal justification for withholding the files was sound.
Biometrics / Identity
European Commission releases digital identity wallet framework
The European Commission released the “European Digital Identity Wallet Architecture and Reference Framework.” The document, part of the EU’s toolbox toward implementing a European Digital Identity Framework, is intended to “provide all the specifications needed to develop an interoperable EUDI Wallet Solution based on common standards and practices” and will be “complemented and updated over time through the process of establishing the toolbox.”
Uniqueness of fingerprints from birth explained in academic study
Definitive proof that fingerprints are a unique biometric at birth has been published by a team of academic researchers in the journal Cell.
Children / Education Privacy
ICO offers guidance to children’s game developers
The U.K. Information Commissioner’s Office published guidance aimed to assist children’s online game developers and their U.K. Age-Appropriate Design Code compliance efforts. The guidance is based off recent company audits conducted by the ICO to best understand the compliance landscape. The regulator included recommendations for detailed risk assessments, age verification practices, transparency and “preventing the detrimental use of children’s data.” .
Washington state bill would protect children from being exploited in for-profit vlogs
The Washington state Legislature will hold a public hearing on a bill to protect minors from being exploited in for-profit vlogs. The bill would require parents of “child influencers” to take revenue from their content and set aside in a separate fund for their children for when they become adults. The bill would also “grant children of (parent) influencers the right to request the permanent deletion of their likenesses, names or photos from ‘any internet platform or network that provided compensation to the individual’s parent or parents in exchange for that content.’”
Consumers
More young Canadians report being a victim of financial fraud than older Canadians:
As scammers across the country become increasingly sophisticated, many Canadians are falling victim to financial fraud – and young Canadians are the most at risk. Released in time for Fraud Prevention Month in March, the annual Fraud Study by Chartered Professional Accountants of Canada (CPA Canada) found that despite many reports of fraudsters specifically targeting a senior demographic, three-in-five 18-34 year olds (63%) report being a victim of at least one type of financial fraud in their lifetime – a number that drops to 39% for ages 35-54 and 31% for those 55+. The study also found that credit card fraud remains the leading type of financial fraud at 21% of credit card users, followed by email or phishing fraud (eight%) and debit card fraud (8% of debit card users).
Want to Understand that Privacy Policy? Better Get a Degree First
Privacy policies from some major streaming sites may require a university reading-level to fully understand, according to new research. Cybersecurity experts compared the most complicated and difficult to read privacy policies from top streaming services in order to clarify what data these companies are really after. “The majority of the policies we examined would be considered unreadable for many UK users, given that the majority required at least a university undergraduate reading level, “ the report concluded. “This is particularly problematic when you consider that 1 in 7 adults in England alone, have a reading age expected of a 7-9 year old.”
Data use, profits behind supermarket discount cards
Grocery chains use shopper data obtained from supermarket loyalty or discount cards for targeted advertising. Stores can infer information from customers’ purchases, enhance it with additional data from third-party brokers, then analyze and sell the data to consumer brands for ad targeting. Electronic Privacy Information Center Director of Litigation John Davisson said the average loyalty card member is “not thinking about how their data is going to be funneled into this huge ecosystem with analytics and targeted advertising and tracking.”
Data Sciences
UN committee publishes PETs guide
The United Nations Committee of Experts on Big Data and Data Science for Official Statistics released its “Guide on Privacy-Enhancing Technologies for Official Statistics.” The guide “explores current approaches to data protection and their associated limitations” with the goal of equipping national statistics offices with best practices and considerations for applying PETs. Notably, the committee presents two categories of PETs, while outlining “standards-making activities” around them and identifying “several new standards relevant to the processing of datasets.”
IAB Tech Lab launches standards for data clean rooms
The IAB Tech Lab released its Data Clean Room Standards portfolio. The first-of-their-kind guidance and resources aim to help “streamline audience activation by enabling interoperability between (clean room) vendors.” The IAB also offered “a primer for clean rooms containing definitions, concepts, and a roadmap of future clean room proposals and initiatives” while presenting the new standards at its Building For Privacy Series. The new standards will be open for public comment through April 17..
UK FCA offers synthetic data sets to spur innovation in financial sector
The U.K. Financial Conduct Authority announced it would continue an initiative to provide synthetic data sets “to help increase innovation and choice in financial services.” The FCA effort stemmed from a 2022 consultation paper on synthetic data in which respondents said it “would be useful as a supplement to efforts to combat financial crime, and for environmental, social and governance purposes” because new privacy regulations make it more difficult for third parties to utilize individual’s financial data.
Digital Government
From ‘pink card’ to screen: Experts weigh in on new digital insurance option in N.B.
Electronic vehicle insurance cards can now be used as proof of insurance in New Brunswick, but the announcement sparked debate on social media about the pros and cons of the new option. Lyle Skinner, a New Brunswicker, doesn’t think he will use the digital card option “because of the risks and potential misunderstandings of handing over your phone to a police officer.” One of these risks, said Skinner, would be if a message or notification popped up if the screen wasn’t locked. He said this could potentially cause a misunderstanding between the driver and the officer.
EU Parliament committee adopts Data Act
European Parliament’s Industry, Research and Energy Committee adopted the draft Data Act. The proposal includes measures to allow users to access their data and defines how public sector bodies can access and use private sector data. “The Data Act will be an absolute game changer providing access to an almost infinite amount of high-quality industrial data. Competitiveness and innovation are part of its DNA,” Member of European Parliament Pilar del Castillo Vera said. The draft legislation will face a full House vote during the March plenary session.
NYC updates policy to improve privacy, cybersecurity collaboration
New York City’s Office of Information Privacy updated its “Citywide Privacy Protection Policies and Protocols” to enhance collaboration between cybersecurity and privacy efforts. The city’s 175 agency privacy officers are urged to meet monthly with their agencies’ chief information security officers to improve communication and to refresh training. Chief Privacy Officer Michael Fitzpatrick aid the training will provide “a regular update on the current state of play on local law, compliance, as well as privacy best practices generally.”
Health Privacy
Coalition releases health data privacy, security recommendations
A coalition of health care groups and technology associations published “Maintaining Consumer Trust in Health Care Through Data Privacy & Patient Access“ following the 2022 Health IT Leadership Roundtable. The report, facilitated by consultancy Sirona Strategies, focused on the roundtable’s “discussion of the overall importance of maintaining consumers’ trust, opportunities and challenges created by existing health data privacy regulatory frameworks, and federal actions to address the perceived gaps in data privacy.” Recommendations included improved transparency for patient data sharing and storage, and increased data minimization.
Lack of consumer privacy protections allows data brokers to sell mental health info
U.S. citizens utilizing mental health applications often are putting their sensitive health data at risk, according to a report published by Duke University’s Cyber Policy Program. The report found citizens’ mental health data is advertised and sold by data brokers, which either necessitates “a comprehensive federal privacy law or, at the very least, an expansion of (the Health Insurance Portability and Accountability Act) privacy protections alongside bans on the sale of mental health data on the open market.” Per the report, 26 of 37 contacted data brokers responded to sale inquiries for mental health data, with 11 “willing and able to sell” the data. See also: A researcher tried to buy mental health data. It was surprisingly easy.
Law Enforcement / Intelligence
Ontario cops automatically scan licence plates for all sorts of offences
The Ontario Provincial Police (OPP) is now using an Automatic Licence Plate Reader (ALPR) system which can alert officers to expired licences, registrations and other offences without having to pull anybody over. A video example of just how efficiently the technology works, flagging 32 vehicles in just 22 minutes while the officer was conducting a traffic stop on Highway 403. The system found one suspended driver, four unlicensed drivers and 27 expired vehicle registrations in that time frame. The system will soon be available to OPP detachments across the province, meaning now is the time to update your plates and registration.
German Constitutional Court blocks police use of surveillance software
The German Federal Constitutional Court ruled the use of Palantir surveillance software by police in Hesse and Hamburg unconstitutional. In the case, the German Society for Civil Rights argued the software could be used for predictive policing. The court said, “in terms of both the data and the methods concerned, the grounds for interference fall far short of the constitutionally required threshold of an identifiable danger.”
Mobile / Location
Insurers, others urge regulation of connected vehicle data
A group of insurers, leasing companies, vehicle repair shops and others are calling for regulation in the EU on fair access to connected vehicle data. While regulators are working on the Data Act, which would regulate use of consumer and corporate data, leasing company ALD CEO Tim Albertsen said the lack of sector-specific legislation is “a major problem.” A spokesperson for the European Automobile Manufacturers Association, however, said additional legislation on vehicle data “is unlikely to achieve more.” See also: New Software Helps Autonomous Cars Make Ethical Decisions.
Uber Canada Introduces New Audio Recording Safety Feature
Uber drivers and riders across the country can now securely record audio during trips in case there is an on-trip incident. To protect privacy, once an audio recording is completed, the audio file is encrypted and stored directly on the rider’s or driver’s device. No one will be able to listen to the recording, including Uber, unless a safety incident is reported.
City of LA must stop approving digital ad contracts that violate privacy laws: Consumer Watchog
Consumer Watchdog called on the LA’s new leadership to address a bus shelter contract approved by the City Council that tracks people’s location via digital ads on our public sidewalks. Consumer Watchdog is seeking a review of the contract and others for compliance with the state’s new privacy law. Such digital ads track geolocation and are illegal under California’s newly effective California Consumer Privacy Act (CCPA) unless the public has an opportunity to opt out. In addition to the 700 digital ads that will be branded on bus shelters across the city, a motion by the city council to contract with IKE Smart City to install digital kiosks on streets will also contain digital display advertising.
Online Privacy / Surveillance
Meta tool increases ad transparency
Meta announced its “Why am I seeing this ad?” tool will include information on how machine learning is used to deliver advertisements based on a users’ activity. Meta Global Policy Director, Monetization Privacy and Fairness, Pedro Pavón, said examples and illustrations explaining how machine-learning models connect topics to show relevant ads will also be included. The changes reflect input from external privacy experts and policy stakeholders from around the world, he said.
Microsoft’s Bing is an emotionally manipulative liar, and people love it
Microsoft’s Bing chatbot has been unleashed on the world, and people are discovering what it means to beta test an unpredictable AI tool. Specifically, they’re finding out that Bing’s AI personality is not as poised or polished as you might expect. In conversations with the chatbot shared on Reddit and Twitter, Bing can be seen insulting users, lying to them, sulking, gaslighting and emotionally manipulating people, questioning its own existence, describing someone who found a way to force the bot to disclose its hidden rules as its “enemy,” and claiming it spied on Microsoft’s own developers through the webcams on their laptops. And, what’s more, plenty of people are enjoying watching Bing go wild.
Google opens beta version of Privacy Sandbox for Android
Google unveiled a beta version of its Privacy Sandbox for Android. The sandbox is Google’s “attempt to blend user privacy with targeted advertising” and replace tracking cookies. A major component of the sandbox is the “Topics API,” which generates a list of a user’s top interests and runs a comparison from the Interactive Advertising Bureau and Google’s data. Advertisers can utilize the API to give users relative advertisements “without sharing overly intrusive information.”
Self-regulatory organizations launch uniform privacy controls, consent mechanisms
The Digital Advertising Alliance and fellow privacy self-regulatory groups announced a joint approach to privacy controls and user consent management for websites and mobile apps. The coalition’s approach features “interface guidelines and technical specifications” for brands and publishers to “simplify and improve the user experience” through consent management platforms and the AdChoices program. Participating consent management platforms, including TrustArc, Evidon by Crownpeak and Didomi, will “reflect token-based consumer choices across their affiliated web and app properties, so consumers can see choices made by DAA tools across a CMP’s footprint.”
NZ website revealing how many properties landlords own is under investigation
Land Information NZ (LINZ) and the Privacy Commissioner are investigating a new website which allows tenants to find out how many other properties their landlord owns. While the website, whatdoesmylandlordown.org was using publicly available information, a number of concerns had been raised about it, and some landlords were concerned it would stir up resentment.
Regulators
FTC launches Office of Technology
The U.S. FTC announced the creation of the Office of Technology to be led by Chief Technology Officer Stephanie Nguyen. FTC Chair Lina Khan said the office will ensure “we have the in-house skills needed to fully grasp evolving technologies and market trends as we continue to tackle unlawful business practices and protect Americans.” The office will support FTC investigations “into business practices and the technologies underlying them,” provide technological expertise on nonenforcement actions and engage with the public and external stakeholders.
EU regulators increase AI oversight
A growing use of artificial intelligence in business applications is leading to increased oversight from European privacy regulators. Data protection authorities in France, Spain and the Netherlands are opening units dedicated to AI oversight and enforcement, while lawmakers are in the process of negotiating the AI Act.
Australian privacy reform moves forward with new government report
The Australian Attorney-General’s Department released its highly anticipated review of the Privacy Act 1988 Thursday, a significant step in the reform of the nation’s privacy law. The Privacy Act Review Report includes 116 recommendations based on 30 “key themes and proposals” from stakeholders during the course of the last two years.
Security / Breaches
‘Old’ vulnerabilities accounted for majority of ransomware activity monitored in 2022
Older IT vulnerabilities are being attributed as a major source of ransomware attacks, according to a joint report produced by four security vendors. The report titled “Ransomware Spotlight Report 2023” is the work of firms Cyber Security Works, Cyware, Ivanti and Securin, which combined their ransomware research work from the year prior. The joint report “focused primarily on the intersection of vulnerabilities and ransomware,” and found the number of exploitable vulnerabilities increased every quarter since 2021. The report found 76% of tracked ransomware vulnerabilities stemmed from 20 “old” flaws discovered between 2010 and 2019.
Canada: Indigo website still offline nearly 1 week after cybersecurity incident
Almost a week after being hit with an apparent cyberattack, book retailer Indigo’s website is still offline, leaving customers with more questions than answers. The TSX-listed bookseller’s website went dark on Wednesday, Feb. 8. Indigo’s brick-and-mortar stores could not process any transactions that were not in cash, leaving anyone who wanted to return or buy an item using debit, credit or gift cards in the lurch. Within hours, the company posted a message on its website, saying it “experienced a cybersecurity incident” and was communicating with customers via its social media channels.
Workplace / Employee Privacy
Nova Scotia OIPC offers guidance for public-sector data snooping
The Nova Scotia Office of the Information and Privacy Commissioner published guidance for public agencies on limiting improper data access by their employees. The IPC noted the amount of sensitive data handled by public bodies and municipalities and how insufficient safeguards “can cause employees to access this information without authorization and without a legitimate work purpose.” The regulator recommended training and policy reminders for proper access, restricted access principles and comprehensive access monitoring. The guidance is based on the work of the OPC and Manitoba OIPC.
Employers using neurotechnology to monitor employees is on the rise
In an interview with The Wall Street Journal, Duke University School of Law professor of law and philosophy Nita Farahany said employers are increasingly using neurotechnology to monitor employees, and privacy law hasn’t kept up. Farahany said much can be learned about a person from their brain data and “we ought to have a special place we think about when it comes to the brain. It is the last space where we truly have privacy.”
+++
Privacy News Highlights 