Canada Dashboard Digest

Are you sick of hearing about Heartbleed? If you are, you may want to skip some of the stories profiled in this week’s Dashboard Digest. If, however, you are like me, you might still be confused by the array of stories about the technical vulnerability, how it works and what damage it might have caused. I had to do a fair amount of self-study this week to prepare for an on-air interview with the CBC, and I must admit that the more I read about it, the more questions I had.

One thing is for sure: We work in an increasingly dynamic industry where things change faster than ever. What was once considered secure is actually not. Safeguards that you thought were good enough, aren't. I suppose that’s all the more reason the privacy professional needs tools like the Dashboard Digest—to try and stay on top of what’s going on.

With respect to the Heartbleed saga, we felt that you deserved even more opportunity to learn about it, so we have added a session to this year’s Symposium that promises to educate privacy professionals on exactly what they need to know about the vulnerability. I hope you can make it to Toronto if you're keen to learn more.

Somewhat overshadowed by Heartbleed were two rather significant decisions from Commissioners Denham and Cavoukian. Read on to learn more because these, too, are important events. 

Have a great weekend, and happy (Easter egg) hunting!

Kris Klein
Managing Director
IAPP Canada

Top Canadian Privacy News

SURVEILLANCE

Spying Leads to Calls for “Privacy Havens” (September 30, 2013)

The Wall Street Journal reports today on new data privacy trends inspired by Edward Snowden’s NSA revelations, including a new “Email Made in Germany” service created by three of Germany’s largest Internet service providers. "We can say that we protect the e-mail inbox according to German law," says Jorg Fries-Lammers, a spokesman for one of the German companies, 1&1 Internet AG. "It's definitely a unique selling point." Facebook COO Sheryl Sandberg pronounced herself “nervous” about these kinds of developments. "It means fragmenting the Internet and putting the economic and social opportunities it creates at risk." President of Brazil H. E. Dilma Rousseff even went so far as to call for “the establishment of a civilian multilateral framework for the governance and use of the Internet and to ensure the effective protection of data that travels through the web” in a speech before the United Nations. The NSA news is leading to tech innovation as well. John McAfee announced this week he is developing personal gadgetry that will protect the user from NSA spying. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

PGP Creator Warns About E-mail Privacy (September 30, 2013)

Creator of the e-mail encryption software PGP, Phil Zimmermann, has told The Guardian that users of consumer e-mail services should be aware of the threat of exposing their metadata. Zimmermann says his opinions on privacy have changed drastically in the more than 20 years since he invented PGP, noting “more recently … everyone has become aware that metadata is becoming increasingly important—that the message headers mean a lot.” These risks prompted him to develop a new feature for his Silent Phone app that encrypts conversations earlier in the call process, but the report states, in spite of PGP flaws “becoming clearer with time,” he maintains that PGP is holding up just fine.
Full Story

PRIVACY REGULATION

Frameworks Emerging Around the World, But Is Enforcement? (September 27, 2013)

AdAge reports on privacy frameworks in regions around the globe—particularly in Latin America and India. Nations including Chile and Brazil are currently exploring new data protection rules, similar to those of the EU, which consider privacy as a human right. India is also grappling with emerging privacy issues, even though culturally, “Your expectation of privacy is nil,” one expert said, adding, “The Indian outsourcing industry needs to instill a sense of confidence … in how it respects U.S. and EU data.” VP of Privacy Certified at the Entertainment Software Rating Board Dana Fraser said when navigating global privacy rules, “We have to figure out what’s the highest bar we have to uphold … It can actually impact your rollout dates for an app.” Several privacy experts agreed, however, that enforcement is a hurdle outside the U.S. “I think it is true that the U.S. enforces more than anyone else,” Covington & Burling’s Matthew DelNero said.
Full Story

PRIVACY LAW

OPC Encourages Parliament To Review PIPEDA (September 27, 2013)

With a new parliamentary session scheduled to begin in October, Bloomberg BNA reports that Sébastien Gariépy, spokesman for Industry Minister James Moore, has said “he could not confirm that the amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) would be reintroduced by the Department of Industry.” An Office of the Privacy Commissioner spokesman noted, “Much has changed as the years have passed, and the commissioner believes Canadians need far stronger protections than what is being proposed with respect to data breaches. Our office would again encourage parliamentarians to proceed with a second review of PIPEDA.”
Full Story

HEALTHCARE PRIVACY

Results of Investigation Withheld (September 27, 2013)

While the Vancouver Island Health Authority (VIHA) has completed its investigation into allegations a Victoria doctor took a photograph of an unconscious patient and sent it to others for “non-medical reasons,” the authority is not revealing the results until the College of Physicians and Surgeons completes a review, Times Colonist reports. “In the interests of fairness and due process, we will wait for the findings from the College to determine what action we should take in response,” the VIHA’s Valerie Wilson said, adding, “We have been meeting with the patient and the patient’s family on a regular basis since this incident occurred … We have apologized to the patient.”
Full Story

DATA PROTECTION

Health Record Disposal Improving in Saskatchewan (September 27, 2013)

A recent report issued by Saskatchewan Information and Privacy Commissioner Gary Dickson reveals that the disposal of health records across the province is improving, Regina Leader-Post reports. “One of the most positive developments that we’ve seen over time is these reported incidents to our office have become less frequent,” said Office of the Information and Privacy Commissioner Compliance Director Diana Aldridge. “They’ve been fewer and far in between.” A far bigger problem, according to Aldridge, is errant faxes from medical offices. A report is expected on that issue.
Full Story

DATA PROTECTION

From Poland, DPAs Prepare To Join Forces (September 26, 2013)

In an exclusive for The Privacy Advisor, Sam Pfeifle reports from the 35th Annual Conference of Data Protection and Privacy Commissioners in Warsaw, Poland. Pfeifle notes that from the outset, “the collective DPAs intended to show a united front and that they mean business.” As Polish Minister of Administration and Digitization Michel Boni said in his keynote, “We need regulations. Hard regulations.” But only one subject hung over the event more than whistleblower Edward Snowden: The upcoming European Data Protection Regulation and what the future of privacy enforcement will look like. Nearly every presentation contained some disclaimer about how things will change once the regulation comes into place. The form it will take in the end? No one can confidently predict that. The fact that it’s needed? On that there is universal agreement.
Full Story

DATA GOVERNANCE

Is Your Biz Viewing Privacy Through the Right Lens? (September 26, 2013)

For many consumers and businesses, privacy and data protection remain a top concern, “But are business leaders looking at the glass half empty?” asks PricewaterhouseCoopers Data Protection and Privacy Manager Rafae Bhatti, CIPP/US. “By considering only what privacy safeguards can prevent—customer loss, brand damage, fines and litigation—they are missing a big opportunity,” he writes. In this post for Privacy Perspectives, Bhatti provides some suggestions on what companies can do to “find the right balance between protecting data and enabling its use in new ways.” Editor’s Note: PwC’s Aaron Weller, CIPP/US, CIPP/IT, will speak in the breakout session “How To Get the C-Suite on Board (and Make Them Think It Was Their Idea)” at next week’s IAPP Privacy Academy in Seattle, WA.
Full Story

PRIVACY

Survey: Orgs Lacking Comprehensive Privacy Programs (September 26, 2013)

A new survey by Gartner has found the “perceived level of maturity attached to organizations’ privacy activities has decreased since 2011,” CIOL reports. While 43 percent of organizations have a comprehensive privacy management program in place, more than a third of organizations “still ‘consider privacy aspects in an ad hoc fashion,’” the survey found. And while 90 percent of organizations do have at least one person responsible for privacy, only 66 percent have a defined privacy officer role.
Full Story

PRIVACY—U.S.

Changing Tactics: The Rise of the Privacy Advocates (September 25, 2013)

In September, Facebook announced it would delay planned changes to its privacy policies. The announcement followed pressure from six major consumer privacy groups—EPIC, the Center for Digital Democracy, Consumer Watchdog, Patient Privacy Rights, U.S. PIRG and the Privacy Rights Clearinghouse—that said the changes would make it easier for Facebook to use users' data for advertising and other purposes. The coalition asked the Federal Trade Commission to block the changes, alleging they would violate a 2011 settlement with the commission. In this exclusive for The Privacy Advisor, experts discuss the ways in which privacy advocates have become increasingly politically savvy and strategic in achieving their goals.
Full Story

WEB CONFERENCE

Where Security Meets Privacy (September 25, 2013)

The relationship between IT security and privacy teams within organizations should ideally be a strong one—with clear communication channels and responsibilities—but this is rarely the case. Competing demands, siloed cultures and even competition for budget can all contribute to produce a less-than-ideal partnership. Join panelists Jonathan Fox, CIPP/US, CIPM, of McAfee, Co3 System’s Gant Redmon and Navigate’s Chris Zoladz, CIPP/US, CIPP/E, CIPP/G, CIPP/IT, on October 17 from 1 to 2:30 p.m. EDT to gain tips and insights into how you can improve this working relationship at your organization.
Full Story

BIG DATA

“Master Profiles” Will Connect Online, Offline Data (September 24, 2013)

Financial Times reports that Acxiom has launched a new system designed to combine consumers’ offline and online activities, which then processes the collected data using algorithms. The data is then made available to marketers for behavioral targeting and personalized ads on mobile, the web and eventually television, the report states. Acxiom Chief Technology Officer Phil Mui said, “We are making big marketing data truly actionable.” The new system is a significant shift for targeted advertising as the system—which features a new identifier to match user profiles—allows marketers to track users across devices into one profile instead of multiple profiles based on a given device. Editor’s Note: Acxiom Chief Privacy Officer Jennifer Barrett Glasgow, CIPP/US, will speak in the breakout session Taming Big Data at next week’s IAPP Privacy Academy in Seattle, WA. (Registration may be required to access this story.)

BIG DATA

The Misconceptions of Defining Data Brokers (September 24, 2013)

“The marketing industry has come under fire recently for its use of consumer data to provide ads and offers,” writes Epsilon Privacy Manager Nicole Tachibana, CIPP/US, adding, “There are a number of misconceptions at the heart of the issue.” She notes that Federal Trade Commissioner Julie Brill has said that data brokers are using user profiles to “determine the rates we pay (and) even what jobs we get.” In this Privacy Perspectives post, Tachibana writes, “However, the reality is that marketing data brokers use information for marketing purposes only,” and she parses out misperceived definitions of what marketing data brokers do with consumer data.
Full Story

PRIVACY

On What Rock and Privacy Might Have In Common (September 23, 2013)

Near the end of the 1960s, rocker Jim Morrison and The Doors recorded a blues jam called “Rock is Dead.” The phrase, however, isn’t particular to the music world, as it’s a phrase often spoken when discussing privacy, “especially in light of what some are calling the ‘Summer of Snowden,’ which has brought on a new chorus of reports, blogs and posts exclaiming the death knell of privacy,” writes Jedidiah Bracy, CIPP/US, CIPP/E. Though our world is rapidly changing in many ways, some things stay the same, highlighted in part by a Newsweek cover story from 1970 asking if privacy is dead. This Privacy Perspectives post explores that article and excavates many of the similar arguments and concerns that still resonate today.
Full Story

BEHAVIORAL TARGETING

Industry Reacts to Google Cookie Alternative (September 20, 2013)

The Wall Street Journal reports on the ad industry’s reaction to an unofficial proposal by Google to replace cookies with an anonymous identifier (AdID) system. Advertising executives, ad technology firms and analysts say that changing how consumers are tracked online would significantly affect the $120 billion industry. Interactive Advertising Bureau President Randall Rothenberg said, “This would be anticompetitive and potentially negatively impact all other online publishers.” Financial Times has published a Q&A to explore the proposed cookie alternative, and AdAge has posted a video with some industry reaction. Independent researcher Ashkan Soltani has posted a blog answering some questions on the AdID proposal. (Registration may be required to access this story.)
Full Story

BIOMETRICS

Facedeals To Use Facial Recognition for Targeted On-Site Advertising (September 20, 2013)

In an interview with MarketingLand, Facedeals CEO Dave McMullen says his company will soon be offering an opt-in service where consumers can select preferences ahead of time and then be offered deals via a text to their phones when cameras at establishments recognize their faces. In addressing privacy concerns, McMullen says the “double opt-in” service—the downloading of the app and then the process of registering—“ensures no one is signed up without their permission.” Further, he said privacy is already being infringed upon by every phone noting your location, camera recording your likeness and credit card transaction tracking your purchases. Why shouldn’t the consumer get something out of the deal?
Full Story

SURVEILLANCE

Group Wants Countries To Disclose Data Requests (September 20, 2013)

Privacy advocates, human rights groups and tech companies are asking 21 countries to release information on their surveillance requests, The Hill reports. The Global Network Initiative includes such companies as Facebook, Google and Microsoft and said in letters to the members of the Freedom Online Coalition—a group of 21 countries working together to advance Internet freedom—that governments should release the data and allow the tech companies asked to respond to such requests to do the same.
Full Story

PRIVACY LAW

Stoddart: PIPEDA “Really Doesn’t Do Anything” (September 20, 2013)

Echoing comments she made before the IAPP Canada Privacy Symposium, outgoing Privacy Commissioner Jennifer Stoddart told Global News that PIPEDA doesn’t provide “enough incentives” for companies to actually protect consumer data. “It doesn’t really do anything to deter those who want to misuse Canadians’ privacy, and therefore doesn’t give a marginal advantage to the many corporations that are protecting Canadians’ privacy,” she said. “If you’re deliberately launching a product that’s misusing peoples’ personal information, collecting their personal information or, indeed as one company was doing, spying on people who rent laptops, there should be some sort of sanction.” Thus far, Parliament has not taken action to address concerns Stoddart has been expressing for the better part of six months.
Full Story

ONLINE PRIVACY

Resurfacing of Photo Highlights Lack of Control (September 20, 2013)

The Canadian Press reports that the photo of a deceased teen girl turned up in third-party dating ads on Facebook, highlighting “how little control anyone has over any image once it gets out into the Internet sphere,” says technology and law Prof. Robert Currie. "It really seems to me to be an unfortunate accident that is causing a lot of grief … But it's just the kind of thing that is going to happen," says Currie. The company posting the ad used an image scraper to get the image, according to its administrator. Facebook has banned the company, saying the ads are a “gross violation” of its policies.
Full Story

BEHAVIOURAL TARGETING

Advertisers Offering Consumers Choice (September 20, 2013)

The Digital Advertising Alliance of Canada (DAAC) has announced a program to allow consumers “to control whether they want to receive targeted advertising messages,” The Globe and Mail reports. Canadians will soon begin to see an “Ad Choices” icon in this offshoot of a movement that began in the U.S. and later spread to Europe. The DAAC hopes to educate consumers about how they are targeted, while the Office of the Privacy Commissioner has said it is “pleased that the advertising industry is taking action on this issue … the use of online behavioural advertising has grown dramatically and we are concerned that Canadians’ privacy rights are not always being respected.”
Full Story

SURVEILLANCE

Police Pledge Adherence to Privacy Guidelines (September 20, 2013)

Hamilton police have agreed to follow Ontario’s privacy guidelines for the use of video surveillance, The Spectator reports. The newspaper had previously revealed the police department’s video surveillance program appeared to be “violating provincial guidelines designed to protect the public's privacy, and this had been the situation for years,” the report states. Deputy Chief Ken Leendertse announced new policies to comply with the provincial guidelines and promised an annual report reviewing the program “and its effectiveness according to the privacy commissioner's ‘Section 4’ criteria, which deal with demonstrating an ongoing need for surveillance and proving the effectiveness of the tool,” the report states.
Full Story

SURVEILLANCE

Opinion: Oversight Needed for Real Privacy (September 20, 2013)

An op-ed for The Globe and Mail co-authored by Ontario Information and Privacy Commissioner Ann Cavoukian, with Ron Deibert, Andrew Clement and Nathalie Des Rosiers, discusses Communications Security Establishment Canada (CSEC) playing “the part of a willing accomplice” to U.S. surveillance efforts. The authors caution, “This rare disclosure offers a glimpse at CSEC’s intimate partnership with one of the world’s most powerful intelligence agencies—and serves as a reminder that Canadians shouldn’t be complacent … While there is much criticism of the U.S. Foreign Intelligence Surveillance Court, at least it has oversight of NSA activities. There is no equivalent in Canada.”
Full Story

ONLINE PRIVACY

Study: Whois System’s Privacy Controls Being Abused (September 19, 2013)

A new study commissioned by the Internet Corporation for Assigned Names and Numbers (ICANN) indicates the Whois system’s current ad hoc privacy controls are being abused, ZDNet reports. ICANN is recommending that the Whois system, a pseudo-directory of contact details for domain names, be replaced with a system that includes authenticated access. Currently, contact details for administrators of a domain are publicly available, prompting domain name owners to provide false information.
Full Story

ONLINE PRIVACY

Is Google Set To Do Away with Cookies? (September 18, 2013)

USA TODAY reports on a potential move by Google to replace third-party cookies with a new anonymous identifier (AdID) that would allow advertisers to track Internet browsing activity for marketing. The AdID would be communicated to online advertisers and ad networks that have aligned with agreed-upon guidelines in the attempt to give consumers more privacy and control as they browse the Internet. Though the program has not been officially announced by Google, a spokesman said, “Technological advancements can improve users’ security while ensuring the web remains economically viable. We and others have a number of concepts in this area, but they’re all at very early stages.” According to the report, Google plans to reach out to industry, government agencies and consumer groups in the near future.

PRIVACY TECHNOLOGY

Why Privacy Pros Must Embrace Technology (September 18, 2013)

“As privacy professionals, we have the opportunity to help companies restore the balance in the personal data ecosystem by considering the business needs of our employers as well as those of the individual,” writes UnboundID Product Marketing Director Nick Crown, CIPP/IT. To provide more user control over personal data, “our industry needs to look beyond static, ‘detective’ approaches to privacy practices,” he notes, and “embrace technology as an enabler of preventative privacy controls.” In this installment of Privacy Perspectives, Crown presents four phases that outline how businesses can better provide transparency, choice and control to their customers in relation to the collection, processing and transfer of their personal information.
Full Story

PRIVACY RESOURCES

Consumer-Facing Privacy Policies: What Should Yours Look like? (September 18, 2013)

With privacy becoming more of a competitive advantage in business, it’s important that organizations communicate their data collection and handling practices with consumers in an easily digestible manner. But with the amount of legal jargon in most policies, many consumers don’t read them, or if they’ve tried, they can’t understand them anyway. In this IAPP Resource Center Close-Up, see examples of successful policies, guidance on creating plain-language and layered policies and what to pay attention to when making changes to your policy. (IAPP member login required.)
Close-Up: Creating a Privacy Policy

MOBILE PRIVACY

Operator Calls for Consistent Privacy Approach (September 18, 2013)

Mobile operator Vodafone is calling on the app development community to take the lead in communicating to consumers a consistent set of privacy guidelines similar to nutrition labels used by the food industry, Marketing Week reports. Vodafone Global Privacy Counsel Kasey Chappelle said the company is telling mobile app developers and other third parties to help safeguard consumer privacy and to communicate how data is collected and shared with advertisers. Vodafone is lobbying third parties through trade organizations such as the GSMA and the Mobile Entertainment Forum, the report states.
Full Story

HEALTHCARE PRIVACY

On Where Health IT and Privacy Meet (September 17, 2013)

With the advent of National Health IT Week, Align Technology Privacy Counsel K Royal, CIPP/US, CIPP/E, discusses the global health technology initiative and where health IT and privacy overlap. In this Privacy Perspectives installment, Royal delves into some of the topics and issues being raised this week—including mobile health technology and telehealth—and asks if your organization is taking part. “How do you see it correlating with privacy?” she queries, and “What do you see as the biggest challenges?”
Full Story

ONLINE PRIVACY

Tumblr Inks Deal With Analytics Biz (September 17, 2013)

TechCrunch reports that Tumblr has signed a deal with analytics company DataSift, a move that could give advertisers more knowledge of what is posted on the site and boost Tumblr’s advertising sales. DataSift will have access to all of Tumblr’s real-time and historical data. DataSift currently has similar deals with Twitter and Facebook. Meanwhile, a report suggests that Google may have access to the WiFi passwords of every Android user, and, “Considering how many Android devices there are, it is likely that Google can access most WiFi passwords worldwide.”
Full Story

SOCIAL NETWORKING

Will Going Public Diminish Privacy on Twitter? (September 16, 2013)

News that microblogging site Twitter plans to go public has prompted some to ask whether certain privacy functions on the site will have to go by the wayside to help generate revenue. Blouin News reports the company plans to exact a $15 billion IPO on $500 million of revenue and, to help boost its bottom line, Twitter may have to do away with its Do-Not-Track option. The report also questions whether Twitter may cease publishing its transparency reports and how much it will comply with foreign government requests to remove or share user data. “As the social media company executes its plans to expand abroad,” the report states, “it has much less of an incentive to get into spats with foreign governments over user data.”
Full Story

PRIVACY

A Look at the “Age of Context” (September 16, 2013)

In an article for Forbes, Rawn Shah reviews Age of Context: Mobile, Data, Sensors and the Future of Privacy by Shel Israel and Robert Scoble. The book looks at the state of technology in 2013 with regard to healthcare, transportation, mobile devices and understanding customers, among others. Context is important when it comes to wearable technologies, the book notes. The kind of information collected, how it’s processed and cross-referenced with other sources and the responses they produce are all important questions, the authors note, calling such data points “Little Data.” Editor’s Note: Sam Pfeifle interviewed Israel last month in anticipation of his keynote address at IAPP Privacy Academy, in Seattle, September 30 to October 2. The interview contains a free download of the book’s chapter on privacy.
Full Story

SURVEILLANCE

Law Enforcement Surveillance Tools Abound (September 16, 2013)

Ars Technica reports on BlueJay—a “Law Enforcement Twitter Crime Scanner.” The program provides real-time access to the “firehose” of public tweets so police can track suspects, keywords, locations, public events, social unrest and department mentions. The Verge reports on Italian-based firm Hacking Team and how the small tech security firm started from two programmers who created a suite of hacking tools. The Milan police eventually contacted the programmers with the intent of purchasing their hacking tools. Hacking Team now boasts 40 employees and sells commercial hacking software to law enforcement in “several dozen countries” on “six continents.” Meanwhile, a recent Foreign Intelligence Surveillance Court opinion states the Edward Snowden leaks “have engendered considerable public interest and debate about Section 215.”
Full Story

SURVEILLANCE

NSA Reactions Abound in U.S., Canada, Brazil (September 13, 2013)

The latest headlines reflect the pattern of the past week: The fallout from Edward Snowden’s U.S. National Security Agency (NSA) revelations is showing no sign of letting up. In the U.S., Sen. Edward J. Markey (D-MA) is asking for details from major cellphone carriers on how many government data requests they receive and how they respond. In Brazil, President Dilma Rousseff is asking legislators to support a bill requiring foreign companies to store data about their Brazilian clients on servers in that country in the wake of the NSA reports. And in Canada, Communications Security Establishment Canada “handed over control of an international encryption standard to the NSA, allowing the agency to build a ‘backdoor’ to decrypt data,” reports indicate. Ontario Information and Privacy Commissioner Ann Cavoukian has introduced a policy aimed at allowing privacy and counterterrorism surveillance to coexist in harmony, while a What'sYourTech report suggests almost half of Canadians "think it’s OK for the government to monitor our e-mail and other online activities.” (Registration may be required to access this story.)
Full Story

PERSONAL PRIVACY

SGI Data Collection Spurs Criticism (September 13, 2013)

“It's unfortunate that Saskatchewan Government Insurance (SGI) behaves like it owns the road when it comes to the privacy of auto-injury claimants.” That’s the focus of an editorial by The Regina Leader-Post calling for SGI to limit data collection to relevant medical files. “Despite being investigated for a third time by Saskatchewan Information and Privacy Commissioner Gary Dickson regarding the ‘over-collection of personal information and personal health information,’ SGI continues to insist the commissioner's office has no jurisdiction in these matters,” the report states, noting Dickson’s position that “there is no evidence that the Legislative Assembly of Saskatchewan would have intended to create such a gap in legislated privacy protection and that, in fact, there is no such gap as alleged by SGI."
Full Story

EMPLOYEE PRIVACY

Opinion: Tracking Has Limits (September 13, 2013)

An editorial published by Postmedia News comments on rulings by BC’s Office of the Information and Privacy Commissioner (OIPC) that employers may track their employees through cellphones and GPS, cautioning, “employers will be wise to exercise that right fairly and within reason.” Noting employers have the right to ensure employees are not illegally or unethically using company computers and networks, the editorial suggests, however, “Employers' rights are not unrestricted—employees are allowed a reasonable level of privacy, according to a ruling by the Supreme Court of Canada in 2012.”
Full Story

SURVEILLANCE

“Worrying Times” Prompt Media Survey (September 13, 2013)

The Huffington Post Canada cites recent revelations about ways “government spy agencies like CSEC may be monitoring the everyday Internet usage of law-abiding Canadians” in a feature seeking readers’ concerns about privacy in these “worrying times.” When it comes to protecting privacy, journalists are seeking feedback on how readers “think we can pressure the government for answers about secret surveillance--and for an end to all online spying programs targeted at law-abiding Canadians.”
Full Story

PRIVACY ENGINEERING

Is 2013 the Year of the Privacy Engineer? (September 12, 2013)

With the recent introduction of a new master’s degree by Carnegie Mellon and an influx of privacy engineering job openings by large tech firms, will this be the year of the privacy engineer? “Though the term privacy engineering has been around since at least 2001,” writes Robert Jason Cronk, CIPP/US, “only recently has the computer science community tried to use it in a concrete and systematic way.” In this Privacy Perspectives post, Cronk, a privacy engineering consultant for Enterprivacy Consulting Group, delves into the work of privacy engineers and why they “must be in place to identify user-centric risks and help design solutions” to help organizations mitigate risks while improving data flows. Editor’s Note: Cronk, along with MITRE’s Stuart Shapiro, CIPP/US, CIPP/G, will lead the preconference workshop Privacy Engineering Primer later this month at the IAPP’s Privacy Academy in Seattle, WA.
Full Story

ONLINE PRIVACY

Which Companies Top the ‘Privacy-Friendly’ List? (September 12, 2013)

Forbes reports on the “most privacy-friendly companies” according to privacy experts. Lee Tien of the Electronic Frontier Foundation cites Microsoft, Google, Tumblr and Facebook, while Chris Hoofnagle of Berkeley’s Center for Law & Technology cites B2B services “such as Salesforce, which explicitly says that the data you load into their service is yours, that you can encrypt it and that they will never sell it.” Boston attorney Sarah Downey says Twitter’s “Do-Not-Track” policy puts it at the top, and a number of experts cited companies such as DuckDuckGo, which doesn’t track users’ searches.

BIOMETRICS

U.S. To Expand Data Sharing Overseas (September 12, 2013)

The Department of Homeland Security plans to expand foreign biometric data sharing, FCW reports. The Office of Biometric Identity Management (OBIM), now five months old, will use a $33 million contract with Accenture to decrease the time, cost and personnel required to share U.S. biometric data with the UK, New Zealand, Canada and Australia. OBIM provides biometric data to federal, state and local governments to deal with immigration violators, criminals and known or suspected terrorists, OBIM’s deputy director said, adding it aims to improve biometric data-sharing and increase interoperability among the U.S. Departments of Defense, Justice and State. Meanwhile, the U.S. and Japan seek to formalize an agreement on sharing fingerprints of convicted criminals.

BIOMETRICS

Apple Releases Include Fingerprint Sensor (September 11, 2013)

The New York Times reports on Apple’s release of two new iPhones Tuesday, including a model with a fingerprint sensor that can be used instead of a passcode. In response to privacy concerns, Apple says user fingerprints will only be stored on the phone and will not be shared with app developers. The release is symbolic of a number of new on-the-market devices that use biometric authentication tools. A new wristband, Nymi, contains a voltmeter to read heartbeats. “You put it on. It knows it’s you. It communicates that identity securely to everything around you,” said the wristband’s creator. The biometric devices come on the heels of the recent discovery that even a 55-character password could be broken. (Registration may be required to access this story.)

ONLINE PRIVACY

When “All About You” Isn’t About You at All (September 10, 2013)

Acxiom’s release of AboutTheData.com has been touted as a step forward for online data transparency, as it’s now possible to know what Acxiom and other data brokers likely know about you. But people are finding that Acxiom doesn’t seem to know much about them at all. And what they do know is wrong. In this installment of Privacy Perspectives, Jedidiah Bracy, CIPP/US, CIPP/EU, explores the impact the bizarro world of data brokerage could have on public perceptions of behavioral advertising and online tracking, and why this whole thing just might backfire.

ONLINE PRIVACY

New Apps Give Posts a Shelf Life (September 10, 2013)

Reuters reports on the proliferation of mobile apps that allow users to control who sees their content on social media sites—and for how long. Secret.li, for example, allows iPhone users to post a photo to Facebook knowing it will be automatically deleted either an hour, a day or a week after it’s posted and giving them control over with whom it will be shared. Another app, Spirit, allows users to hashtag tweets so they will auto-delete after a time period of the users’ discretion. "With the ongoing privacy scares, people are thinking about what they put out there now and looking for ways to have more control," said Spirit’s developer.

PRIVACY LAW

The OECD Heralds the Arrival of the Privacy Profession (September 9, 2013)

For anyone following the field of privacy policymaking, the past two years have seen a flurry of activity unsurpassed in any other legal arena. Fittingly, the first reform process to come to fruition is that of the OECD Privacy Guidelines, which date back to 1980 and contain the first internationally agreed upon iteration of the now ubiquitous Fair Information Privacy Principles (FIPPs). Together with the expected result of the major reform processes in the U.S. and EU, the revised guidelines, slated to be launched later today on the OECD website and with a reception at the Canadian embassy in Washington, DC, are set to become the second generation of information privacy laws. As such, it is important to assess what has changed since their inception more than 30 years ago. In this installment of Privacy Perspectives, Omer Tene, who served as rapporteur for the Expert Group advising the OECD, examines the potential impact of the new guidelines.

DATA PROTECTION

When It Comes to Success, PIAs Should Not Be Underrated (September 9, 2013)

Privacy impact assessments (PIAs) are likely to become the most vital item in the privacy professional’s toolkit. That’s according to Eduardo Ustaran, CIPP/E, who writes for Field Fisher Waterhouse’s Privacy and Information Law Blog that PIAs are an effective tool that can be used to send a powerful message within an organization that the privacy pro is “on the side of the organization” as far as innovation and progress while “coming up with sensible ways of preventing unjustifiable risks” for everyone’s benefit. PIAs are especially relevant when it comes to global compliance, as they reach outside of the legal obligations of a given regime, Ustaran writes. Editor's Note: Want tools and templates for conducting PIAs? See Close-Up: PIAs.

PRIVACY COMMUNITY

Accountability Is About Values (September 6, 2013)

“Over the past year, I reflected on why I have been doing privacy for nearly a quarter of a century,” writes Martin Abrams. “And after reflection, I decided it is time for me to focus on the role of values in privacy.” In this Privacy Perspectives blog post, Abrams discusses his new role as leader of the Information Accountability Foundation and how organizations can institutionalize accountability “in businesses’ practices, regulatory oversight and the next generation of privacy law.” Editor's Note: For more information on accountability see Close-Up: Accountability in the IAPP Resource Center.

EMPLOYEE PRIVACY

Investigation: PI Not Adequately Protected in Outsourcing (September 6, 2013)

An investigation by Saskatchewan Information and Privacy Commissioner Gary Dickson has found the province’s public service commission has not been doing enough to protect the personal data of employees and job applicants, The StarPhoenix reports. Describing the commission as “the human resources department for the Saskatchewan government,” Dickson cited concerns about its outsourcing “to an outfit in the U.S. for a bunch of (information technology) services, and what that involved was sharing personal information of two groups of Saskatchewan workers.” The investigation showed the commission did not do an adequate job of protecting privacy when it outsourced its IT service, the report states.

PRIVACY COMMUNITY

Denham’s Work Shows Passion for Data Protection (September 6, 2013)

A feature in The Globe and Mail focuses on BC Information and Privacy Commissioner Elizabeth Denham, issues of privacy and surveillance and her passion for data protection. “Data protection, I think, is more important now than it’s ever been, especially in the face of massive volumes of personal information that’s collected and analyzed by both public- and private-sector organizations,” Denham said, adding, “Individuals’ ability to control their personal information is more challenging than it’s ever been.” The report highlights Denham’s work in the privacy field, previously as the assistant privacy commissioner of Canada and, since 2010, as BC’s privacy commissioner.

SURVEILLANCE

In Canada and U.S., Spying Reviews Underway (September 6, 2013)

In the U.S., the surveillance review board recently named by the White House is slated to meet with privacy advocates and representatives from technology companies in two separate meetings Monday, The Hill reports. A White House spokeswoman said it is not a “White House meeting” and a list of who will be attending has yet to be disclosed. Additionally, President Barack Obama addressed National Security Agency (NSA) surveillance program disclosures, saying, “I can give assurances to the publics in Europe and around the world that we’re not going around snooping at people’s e-mails or listening to their phone calls.” Meanwhile, Canada’s Office of the Privacy Commissioner has already said it is conducting a review “to gauge whether spy agencies here are also targeting Canadians,” National Post reports.

DATA LOSS

Phone, Photo Breach Under Investigation (September 6, 2013)

CBC News reports on Wal-Mart Canada’s investigation of a privacy breach at one of its stores that involved the phone numbers and photographs “of a customer who had used the photo developing machines in the east Regina location.” Wal-Mart Canada VP of Corporate Affairs Andrew Pelletier said, “We take the privacy and confidentiality of customers very seriously. Clearly, what's reported here should never have occurred, and we will get to the bottom of it.”

DATA LOSS

Treating Breaches as Customer Issues (September 5, 2013)

In a world rife with data breaches affecting organizations large and small, businesses should treat these events as customer issues rather than compliance issues, writes Experian Data Breach Resolution Group VP Michael Bruemmer, CIPP/US. Bruemmer points out that organizations often smoothly handle the technical and regulatory sides of a breach response, but he adds, “as I’ve seen time and time again, what you might be falling behind on is the consumer engagement side of breach response, and that’s when your customers start making calls.” In this Privacy Perspectives installment, Bruemmer offers a number of ways businesses can go beyond a “compliance-only response.”

BIG DATA

Information Pollution and the Internet of Things (September 4, 2013)

As we get closer to a super-connected world of devices and sensors—estimates posit that by 2020 there will be between 30 and 50 billion connected devices—privacy professionals will be faced with the massive issue of data access. In this Privacy Perspectives post, Field Fisher Waterhouse Partner Phil Lee, CIPP/E, CIPM, looks into this underlying problem, writing, “when so much information is collected—and across so many devices—how can we provide individuals with meaningful access to information in a way that is not totally overwhelming?”

PRIVACY RESOURCES

What Do You Need To Build a Privacy Program? (September 4, 2013)

Privacy professionals looking to build a privacy program may need to call on “proactive strategies, persuasion, political savvy, adaptability and a passion to get an exciting new organizational function up and running”—never mind knowledge of relevant laws and how to comply with them—to get the job done. That’s according to the IAPP’s guide book, Building a Privacy Program: A Practitioner's Guide, one offering in this IAPP Resource Center Close-Up. You’ll also find freely accessible guides from the Massachusetts Office of Consumer Affairs and Business Regulation, an outline of IAPP award-winner Vodafone’s privacy program and articles to help you get buy-in from your organization.
Close-Up: How To Build a Privacy Program

SOCIAL NETWORKING

Pro-Privacy Attorney Leaving Twitter (September 4, 2013)

Twitter attorney Alex Macgillivray has announced his plans to leave the company, The Guardian reports. Macgillivray is credited with being aggressively pro-free speech and is described as being Twitter’s “conscience-in-residence,” turning the company into “one of the fiercest defenders of user privacy in cyberspace,” the report states. Macgillivray’s departure may have industry wondering whether Twitter will “now have a less robust defence against government requests for user data and compromise its position on free speech and privacy online,” the report states.

PRIVACY SCHOLARSHIP

Academics Explore the Intersection of Privacy and Big Data (September 4, 2013)

In anticipation of next week’s Future of Privacy Forum and Stanford Center for Internet and Society workshop on meeting the challenges of Big Data and privacy, Stanford Law Review has released its 2013 Symposium Issue with contributions from academics and other privacy experts. Academic works cover topics such as Big Data rewards, classification and fairness, paradoxes of Big Data, “preemptive analytics” and public vs. nonpublic data. Meanwhile, a new post by Ari Waldman in Concurring Opinions explores the “sociology of privacy.” Editor's Note: Look for IAPP coverage of the event next week.

PRIVACY LAW

South Africa Gets a Law; Breach Notification Goes Into Effect in the EU, and More (September 3, 2013)

Last week saw a new law in South Africa, new guidelines from the Australian privacy commissioner, a new breach notification requirement in effect in the EU and U.S. states tackling big issues like e-mail and location privacy in the absence of forward motion on a federal level. In this week’s Privacy Tracker legislative roundup, you’ll get more in-depth information on all of the above and more—including a series of cases in Minnesota questioning the liability of government agencies when an employee violates the Driver’s Privacy Protection Act. (IAPP member login required.)

ONLINE PRIVACY

Project Aims To Educate About Digital Footprints (September 3, 2013)

GigaOm reports on a National Science Foundation-funded project called Teaching Privacy and a related online tool that lets users track the location of Twitter and Instagram users. Both the project and the “Ready or Not” tool aim to educate individuals—particularly high school students—about online privacy and how our personal information forms a digital footprint. Expanding on the Ready or Not geo-tracking tool, Gerald Friedland, an International Computer Science Institute researcher working on the Teaching Privacy project, said, “Most people…do not know that if you tweet something this location data is actually publicly available.” The researchers are also working on a study showing that an anonymous account holder of a service such as Yelp can have reviews cross-referenced with location data and timestamps on other services to reveal the user’s identity.