Canada Dashboard Digest

Are you sick of hearing about Heartbleed? If you are, you may want to skip some of the stories profiled in this week’s Dashboard Digest. If, however, you are like me, you might still be confused by the array of stories about the technical vulnerability, how it works and what damage it might have caused. I had to do a fair amount of self-study this week to prepare for an on-air interview with the CBC, and I must admit that the more I read about it, the more questions I had.

One thing is for sure: We work in an increasingly dynamic industry where things change faster than ever. What was once considered secure is actually not. Safeguards that you thought were good enough, aren't. I suppose that’s all the more reason the privacy professional needs tools like the Dashboard Digest—to try and stay on top of what’s going on.

With respect to the Heartbleed saga, we felt that you deserved even more opportunity to learn about it, so we have added a session to this year’s Symposium that promises to educate privacy professionals on exactly what they need to know about the vulnerability. I hope you can make it to Toronto if you're keen to learn more.

Somewhat overshadowed by Heartbleed were two rather significant decisions from Commissioners Denham and Cavoukian. Read on to learn more because these, too, are important events. 

Have a great weekend, and happy (Easter egg) hunting!

Kris Klein
Managing Director
IAPP Canada

Top Canadian Privacy News

PRIVACY COMMUNITY

Bernier Appointed Interim Commissioner (November 27, 2013)

Prime Minister Stephen Harper announced the appointment of Chantal Bernier as interim privacy commissioner on Wednesday, effective December 3. Harper praised outgoing Privacy Commissioner Jennifer Stoddart, saying, “Canadians have been well-served by her exemplary leadership in overseeing compliance with Canada’s privacy laws.” Bernier, who holds a Master’s degree in Public International Law from the London School of Economics and Political Science, has served as assistant privacy commissioner since 2008, and was previously the assistant deputy minister, Community Safety and Partnerships Branch, Public Safety and Emergency Preparedness Canada, for six years. Bernier will serve pending the completion of the selection process for the next commissioner.

DATA PROTECTION

Commissioner Supports Call for CSC Audit (November 27, 2013)

Correctional Investigator Howard Sapers has recommended Correctional Service Canada “conduct an internal audit of its practices and procedures to protect personal information,” Canada NewsWire reports, and that call has prompted a statement of support from Privacy Commissioner Jennifer Stoddart. “We are very pleased that the correctional investigator has called for an internal audit,” Stoddart’s statement reads. “Year after year, our own office has identified serious privacy concerns with respect to Correctional Service Canada (CSC).” The statement notes the CSC “consistently accounts for the largest number of complaints received by our office”—with 284 received in 2012-2013.

DATA LOSS

Answers, Class-Action Sought in Medical Marihuana Breach (November 27, 2013)

MP Hedy Fry is urging Privacy Commissioner Jennifer Stoddart to determine why Health Canada exposed 40,000 medical marihuana users, Ottawa Citizen reports. In her letter to Stoddart, Fry suggests “cost-cutting might be one reason why Health Canada sent the form letters to its registered users by regular mail instead of using the usual method of private special delivery mail,” the report states. Meanwhile, a proposed class-action suit has been filed against the government in the Federal Court of Canada. "This privacy breach … not only compromises the confidentiality of participants' personal and health information, but it also compromises participants' physical safety and security," said Kate Saunders of Branch MacMaster LLP, the firm representing the plaintiff.

INFORMATION ACCESS

Journalists Concerned About Bill C-461 (November 27, 2013)

Journalists and broadcasters are raising concerns that Bill C-461 “could undermine the journalistic and programming integrity of Canada's public broadcaster, the CBC/Radio-Canada,” CNW reports. In a statement, the journalists cite multiple concerns, including that it “opens the door to privacy requests that could also jeopardize the CBC's journalistic integrity.” The report suggests, “C-461 changes the Privacy Act by removing the CBC's right to exclude privacy information collected for reasons of journalism and instead makes disclosure of that information subject to a test of injury to the CBC's ‘independence.’”

SURVEILLANCE

OPC Concerned About “Hobby Drones” (November 27, 2013)

The Office of the Privacy Commissioner is concerned that miniature camera-equipped drones “could evade Canadian privacy law as people begin using the increasingly affordable aircraft to spy on others,” MACLEANS reports. A new study from the OPC indicates model aircraft could remain “entirely unregulated” while the government focuses on drones used for commercial or law enforcement purposes. “Drones are already being sold in many retail stores,” the OPC’s study notes, suggesting, “The next generation of recreational drones could prove to be even smaller and cheaper than the ones that currently exist.”

INTERNET OF THINGS

Opinion: TV’s Rollout Shows Lack of PbD, Transparency (November 27, 2013)

The recent rollout of LG’s new smart television has garnered press attention arising from several privacy concerns about how the new appliance collects and shares user data. The company has since announced it will update its firmware to address some of the concerns, and in the meantime, according to the Center for Democracy & Technology Director of Consumer Privacy Justin Brookman, its privacy notice has changed several times—often in contradictory ways. Did the company miss an opportunity to prevent all this? What roles could privacy professionals play in preventing such backlash? In this installment for Privacy Perspectives, Brookman looks into LG’s collection practices while pointing out the appliance’s apparent lack of Privacy by Design and transparency, suggesting the incident could serve as a lesson for privacy pros within other companies set to roll out new technology and consumer products.

INTERNATIONAL PRIVACY

UN Passes Internet Privacy Resolution (November 27, 2013)

The United Nations General Assembly’s Human Rights Committee has unanimously approved an unlawful surveillance resolution originally proposed by Brazil and Germany, the Associated Press reports. Though symbolic, the resolution looks to pass along privacy rights to people around the world. The U.S., along with the other “Five Eyes” nations, had tried to dilute some of the resolution’s language, the report states. Brazil’s UN ambassador said the resolution “established for the first time that human rights should prevail irrespective of the medium and therefore need to be protected online and offline.” Germany’s ambassador queried, “Is the human right to privacy still protected in our digital world? And should everything that is technologically feasible, be allowed?”

ONLINE PRIVACY

Will the Internet Become Private as a Standard? (November 27, 2013)

The Internet Engineering Task Force (IETF) has asked the architects of Tor, a privacy-protecting web-browsing tool, to discuss the idea of using their product to make private web browsing the Internet standard, Salon reports. “Collaborating with Tor would add an additional layer of security and privacy … that goes beyond encrypting your communications,” the report states. Andrew Lewman, executive director of Tor, says the idea is “worth exploring to see what is involved. It adds legitimacy; it adds validation of all the research we’ve done”; however, he adds, “The risks and concerns are that it would tie down developers in rehashing everything we’ve done, explaining why we made decisions we made. It also opens it up to being weakened.” Meanwhile, new app Aether is an encrypted network that lets people share content anonymously.

PRIVACY LAW

Opinion: Bell Case “Offers Little Clarity” on PIPEDA (November 27, 2013)

In a commentary for Law Times, Mark Hayes writes of the recent outcome of Chitrakar v. Bell TV, where the Federal Court of Canada awarded $20,000 in damages for breach of the Personal Information Protection and Electronic Documents Act (PIPEDA). “Many academic commentators and privacy lawyers suggested the decision might signal a sea change in the attitude of the courts towards damages under PIPEDA and possibly other provincial privacy statutes,” he writes, countering, “This is unlikely.” He goes on to suggest, “It’s doubtful Chitrakar will have much precedential value because of the unique circumstances and the questionable judgment shown by Bell in ignoring the Federal Court proceedings.”

ONLINE PRIVACY

Open-Sourced Router Privacy Project Unveiled (November 26, 2013)

Embedded systems design company Redfish Group has launched an open-sourced router project to help protect online privacy, ZDNet reports. Called ORP1, the project aims to protect the privacy of users across all their devices located within their homes. ORP1 is set to feature a user-friendly interface with an OPSec virtual privacy network and Tor server, the report states. Redfish Managing Director Justin Clacherty said, “I've really wanted to get an open networking platform out there for a while now, and we just felt that a router was the way to go, especially with all the NSA revelations and people's worrying about the different U.S. tech companies providing equipment to us, which may have backdoors.”

SOCIAL NETWORKING

Viral Video Exposes Privacy Disconnect (November 25, 2013)

A video went viral last week in which the host, Jack Vale, decided he wanted to know “how easy it would be to get personal information from complete strangers.” Vale located nearby social media users by using his own location and identifying nearby users who publicly posted basic personal information. It turned out that identifying and gleaning additional personal data was relatively simple. This installment of Privacy Perspectives explores the experiment, looking at “what seems to be a common disconnect between our online and offline lives” and possible lessons for online businesses.

PRIVACY LAW

Tracker Roundup: Wyndham Case, Safe Harbor and More (November 25, 2013)

In the U.S., FTC v. Wyndham will decide whether the company’s “failure to safeguard personal information caused substantial consumer injury” and whether the FTC even has the authority to regulate data security; the GAO is pushing for comprehensive federal law governing the collection, use and sale of personal data by businesses, and Sen. Al Franken (D-MN) is calling for regulation over biometric data before the horse leaves the barn. In the EU, the debate over Safe Harbor continues, with MEP Jan Philipp Albrecht and Justice Commissioner Viviane Reding saying EU residents need to be able to take data privacy complaints to U.S. courts. The Office of the Australian Information Commissioner (OAIC) has released the final set of Australian Privacy Principles that cover access to and correction of personal information, and in Canada, Alberta needs to create a new Privacy Act and Bill C-30 is back in the news. All this and more in this week’s Privacy Tracker legislative roundup. (IAPP member login required.)

SURVEILLANCE

Twitter Encrypts; Zuckerberg Says Gov’t “Continuing To Blow It” on Privacy (November 25, 2013)

Twitter has announced it has encrypted its services to protect user data from cyber criminals and intelligence agencies. Lawyers for Lavabit—which closed its e-mail services rather than share master encryption keys with the government—have filed a reply brief in a case that may determine whether a company must be compelled to turn over such keys. Lavabit Founder Ladar Levison recently spoke about his experience with The Privacy Advisor. Meanwhile, the NSA’s John Inglis said he is skeptical about the NSA sharing the vast troves of data it collects with other federal agencies such as the FBI or DEA—indicating he does not agree with a reform bill proposed by Sen. Dianne Feinstein (D-CA). The Wall Street Journal reports that a federal judge appears to be “receptive to critics” of the NSA’s collection of phone metadata, but one federal lawyer has argued that Americans have “no expectation of privacy” in making phone calls. And on ABC’s This Week, Facebook CEO Mark Zuckerberg said the U.S. is “continuing to blow it” on privacy issues.

PRIVACY

Vint Cerf is Wrong. Privacy Is Not an Anomaly (November 22, 2013)

During a keynote address at the FTC roundtable on the Internet of Things on Tuesday, Google Chief Internet Evangelist Vint Cerf said, “privacy may actually be an anomaly.” Not all agree, however, with this assertion. “The view of privacy as an anomaly is not new, particularly among Silicon Valley entrepreneurs, who time and again express a cavalier approach to what is a fundamental, deep-rooted social, moral and legal value,” writes IAPP VP of Research Omer Tene. In this installment of Privacy Perspectives, Tene lays out his argument for why privacy may be evolving but is hardly an anomaly.

BIG DATA

Hartzog and Selinger: Maybe We Need More Specific Terms (November 22, 2013)

In a piece for Forbes, Woodrow Hartzog and Evan Selinger discuss some of the myths around Big Data and the importance of using the term correctly. Skepticism is important in order to help society set realistic expectations, the authors write, but like the concept of “privacy,” the term “Big Data” itself is problematic because “it has no set meaning.” At some point it will be important to assign specific terms, rather than “heuristic terms”—or “mental shortcuts” developed to make sense of complex ideas quickly—in order to accurately discuss such concepts as Big Data, the authors write.

ONLINE PRIVACY

Browser Extension Allows Users To Use “Fake” Identifiers (November 22, 2013)

PCWorld reports that U.S.-based Abine is adding features to its anti-tracking browser extension to allow users to hide their personal details during web transactions. The features are being added to “DoNotTrackMe,” an extension for browsers such as Firefox, Internet Explorer, Chrome and Safari. Users can give a one-time credit card number and a disposable e-mail address and phone number, the report states, rather than using their real details.

PRIVACY LAW

Cyber-Bullying Bill Revives Bill C-30 Controversy (November 22, 2013)

“A tough new law on cyberbullying is putting a spotlight on the Conservative government’s sweeping approach to strengthening police investigative powers,” The Globe and Mail reports, highlighting how the proposed law, which was introduced Wednesday, is reviving the controversy around the previously withdrawn Bill C-30. “Regrettably, the federal government is using this pressing social issue as an opportunity to resurrect much of its former surveillance legislation, Bill C-30,” said Ontario Information and Privacy Commissioner Ann Cavoukian, suggesting the new bill gives police surveillance powers that pose a risk to privacy. Meanwhile, The Canadian Press reports Minister of Justice and Attorney General Peter MacKay has denied the “new anti-cyberbullying bill will do an end-run around legitimate Internet privacy protections.”

PRIVACY LAW

Supreme Court To Hear Gun Registry Appeal (November 22, 2013)

The Supreme Court decided Thursday it will give Quebec’s government a final chance at making a case for preserving gun registry data, The Globe and Mail reports. In June, the Quebec Court of Appeal ruled the province “has no property right in the data,” noting “its existence in a registry infringes the right to privacy,” the report states. “For the moment, we’re satisfied with the situation, and we’re preparing for the eventual creation of a Quebec arms registry,” said Stéphane Bergeron, Quebec’s public safety minister. Federal Public Safety Minister Steven Blaney issued a statement, however, that the Conservative government “will vigorously defend our legislation, adopted by Parliament, in front of the Supreme Court.”

EMPLOYEE PRIVACY

Dickson Concerned About Photo-Sharing Policy (November 22, 2013)

The StarPhoenix reports on concerns from Saskatchewan Information and Privacy Commissioner Gary Dickson over Saskatoon Public Schools’ “policy of sharing staff photos internally,” a practice he is recommending be stopped. The photos are used in internal e-mails and messaging as well as being displayed in yearbooks, the report states. Dickson, who began his investigation following a union complaint, wrote, “There appears to be a disconnect between the stated purpose of collecting the photographs; e.g. for use in yearbooks and identification purposes, and the stated purpose of use of the photographs with the e-mail system; e.g. for identification during crisis events.” Dickson is recommending the practice be suspended until the issues are addressed.

PRIVACY LAW

Opinion: Saskatchewan Should Look to Neighbours (November 22, 2013)

Attorney Greg Fingas writes for the Leader-Post about Saskatchewan’s lack of provincial privacy law, noting that while it has managed to skirt the issues some of its neighbours have come up against, its citizens may not be getting the level of privacy protection they want. Federal law offers some protection to Saskatchewan residents, and Fingas says “it's possible that our current privacy protection is sufficient. But given an ideal opportunity to ask what protection we expect for ourselves, we should keep an eye on our neighbours' choices rather than avoiding the question entirely.”

DATA LOSS

Opinion: Ask Your Customers How Safe They Feel (November 22, 2013)

EMC Corp. released a survey showing that 58 percent of Canadian technology professionals “think their bosses are confident in the security and performance of their computer systems,” prompting IT World Canada Editor-At-Large Shane Schick to write, “companies never seem to learn from the mistakes of others,” adding, “If scary statistics and even scarier news stories aren't driving them to improve, direct feedback from the people they claim to care about is probably the only thing that will.” Meanwhile, the Pictou County Health Authority will send letters notifying dozens of patients that their health records may have been viewed by an outside healthcare professional who was shadowing an employee without authorization, and Healthcare Canada identified 40,000 medical cannabis patients and producers by including "Marihuana Medical Access Program" in the return address on communications, angering The Canadian Association of Medical Cannabis Dispensaries.

INTERNET OF THINGS

LG Plans To Update Firmware Following Smart TV Allegations (November 22, 2013)

Following a UK blogger’s allegations that smart TVs are collecting user data on such details as what channels are watched and the names of media files streamed over networks, LG has responded saying that the information collected was “not personal but viewing information.” The company said it has verified that even when the Smart TV platform is turned off by the user, information apparently continues to be transmitted, though the data is not retained by the server. “A firmware update is being prepared for immediate rollout that will correct this problem on all affected LG Smart TVs so when this feature is disabled, no data will be transmitted,” the company said.

CYBERSECURITY

Debunking Three Cyber Insurance Myths (November 21, 2013)

“In the past, cyber insurance was a polarizing issue in my discussions with privacy and risk professionals,” writes Experian Data Breach Resolution Vice President Michael Bruemmer, CIPP/US, “Some professionals were adamant about the benefits of cyber insurance, while others worried that the policies currently on the market didn’t meet its needs or were too costly.” In this post for Privacy Perspectives, Bruemmer debunks three of the most common myths associated with cyber insurance and examines why small- and medium-sized businesses are not off the radar of hackers and other cyber thieves.

PRIVACY ENGINEERING

How To Do PbD in Predictive Analytics (November 21, 2013)

In a Q&A with DataInformed, IBM Fellow and Entity Analytics Group Chief Scientist Jeff Jonas discusses his involvement with Privacy by Design and how he integrated it into new predictive analytics software. Jonas has created technology that allows businesses to collect and analyze data from multiple sources in real time to help make “smart” decisions. He said, “One of my goals in the use of Privacy by Design in the G2 project was what kind of privacy features can I bake in that cost no more? In other words, they’re by default. They’re built in. In fact, a few of them, you can’t even turn them off. That way, someone’s not left there with a decision, ‘Yeah, we trust ourselves. I don’t have to pay extra for a privacy feature. I’d rather just buy more disk space.’”

INTERNET OF THINGS

Are Smart TVs Watching Us? (November 21, 2013)

CNET UK reports on a UK blogger's allegations that “smart TVs are sending information on what channels you watch and the names of media files you stream over your network—even if you turn the setting off.” The report notes the blogger noticed ads on his Internet-connected TV and found an online instruction video where TV-maker LG “details how it can effectively target ads based on user data.” Asked for comment, LG responded, “Customer privacy is a top priority at LG Electronics and, as such, we take the issue very seriously. We are looking into reports that certain viewing information on LG Smart TVs was shared without consent.”

BYOD

Where IBM Thinks BYOD Technology Is Headed (November 20, 2013)

When IBM announced last week it will soon acquire Fiberlink, a maker of cloud-based mobile-device-management technology and the MaaS360 product, the news may have been interesting to privacy professionals on its own, drawing attention to a tech provider that will now have access to IBM’s much larger resources in attempting to solve a problem, in BYOD, with which many struggle. However, the buy is part of what IBM Director of Mobile Security Caleb Barlow called a “string of pearls” that includes the acquisition of Trusteer and the creation of a “cybersecurity software lab” in Israel, staffed with 200-plus researchers who will focus on mobile and application security and privacy. In this exclusive for The Privacy Advisor, Sam Pfeifle talks with Barlow about what IBM sees as the “Holy Grail” of mobile device management.

PRIVACY LAW—CANADA

What Does Unconstitutional Ruling Mean for Alberta Privacy Law? (November 19, 2013)

In the wake of news that the Supreme Court of Canada has deemed the Alberta Personal Information Protection Act (PIPA) unconstitutional, Shaun Brown of nNovation analyzes what the decision means for the province in this Privacy Tracker exclusive. “It was inevitable that freedom of expression would eventually clash with privacy legislation in the courts,” writes Brown, adding that the ruling was “not surprising.” The broad “prohibition-first” approach of PIPA means “there are bound to be certain purposes that maybe should be exempted from the requirement to obtain consent but could not be conceived by legislatures when privacy laws were initially drafted,” Brown writes. (IAPP member login required.)

ONLINE PRIVACY

Hochman: What Are the Ethics of the Internet? (November 19, 2013)

In a piece for Internet Evolution, Jonathan Hochman explores the ethical limits on the Internet and what he sees as a major problem called “paid unpublishing.” In such cases, a website operator obtains embarrassing information, publishes it and then offers to remove it for a fee. A recent example of this can be seen with mugshot website operators. “Unless steps are taken now to confront paid unpublishing, we may increasingly find our secrets or mistakes for sale online by unscrupulous ‘entrepreneurs,’” Hochman writes, adding that ethical online media follows three principles: no paid unpublishing, avoiding conflicts of interest and supporting the right to respond.

PERSONAL PRIVACY

The Secret Life of Webcams (November 18, 2013)

Webcams are on nearly every laptop and smartphone these days. They are great for video conferencing but can be used for nefarious purposes as well. One such case involves a young adult who hacked into a number of computers to take photos of young women and then used such photos to blackmail them. Moreover, the U.S. Federal Trade Commission recently settled with security company TRENDnet because it allegedly used lax security in protecting its cameras from being hacked and exploited. This Privacy Perspectives post explores these cases and looks at what can be done to prevent such nefarious use of these ubiquitous and potentially invasive features.

PRIVACY IN POP CULTURE

The Circle Makes Us Square (November 15, 2013)

In his new novel, The Circle, Dave Eggers creates a world dominated by a search/social/commerce operation that is basically every cliché you’ve ever heard about Google, Facebook, Amazon, Yahoo and Twitter, all wrapped into one. In this exclusive for The Privacy Advisor, Publications Director Sam Pfeifle examines the world Eggers creates—a world devoid of privacy pros, where characters live by slogans like “secrets are lies,” “sharing is caring” and “privacy is theft.”

PRIVACY

Brick-and-Mortars Catch Up on Tracking (November 15, 2013)

Reuters reports on brick-and-mortar retailers’ use of face scanners in an effort to improve such things as staffing, layout and marketing. Many businesses, aware of consumers’ reticence to be tracked, promise to only use the data in aggregate unless consumers give their consent. Shoppers are also increasingly asked to sign up for loyalty card programs that would allow the retailer to track them in exchange for discounts. “They are just trying to get real smart with data in the way the e-commerce guys are smart with data,” said the head of one tracking-device manufacturer. But the chief executive of a customer science company said, “Too much is happening without consumer consent.”

PRIVACY LAW

Ruling Expected in “Palace Casino” Case (November 15, 2013)

Canada’s Supreme Court is expected to release its decision in Information and Privacy Commissioner v. UFCW Local 401—commonly known as the Palace Casino case—today, and Financial Times reports “the ruling could be one of the most important privacy law decisions of the year.” The case, which dates from 2009, involved union members filming replacement workers crossing a picket line and threatening to post the pictures online, prompting a complaint to Alberta’s Office of the Information and Privacy Commissioner. Alberta’s Court of Appeal ruled in 2012 that while “publishing the images would have violated Alberta’s privacy statute, the legislation violates the freedom of expression guaranteed in the Canadian Charter of Rights and Freedoms,” the report states.

PRIVACY LAW

Cavoukian: Bill C-551 Worthy of Consideration, Passage (November 15, 2013)

IT World Canada reports on the newly introduced Act to Establish the National Security Committee of Parliamentarians and Ontario Information and Privacy Commissioner Ann Cavoukian’s comments that she is “heartened” by Bill C-551. The bill was introduced in the House of Commons by MP Wayne Easter last week. “While the bill may not give committee members sufficient authority to peer behind the veil of secrecy surrounding national security powers and programs,” she writes, “I see Mr. Easter's bill as a proposal worthy of consideration, debate and ultimately passing into law.”

PRIVACY LAW

Supreme Court Rules Warrants Needed To Search Computers, Mobile Phones (November 15, 2013)

The Supreme Court has issued a unanimous decision in R. v. Vu that recognizes “important privacy interests in information stored in a computer or mobile phone,” Mondaq reports. In its decision, the court determined “specific, prior judicial authorization is required to search the contents of those devices when executing a search warrant for a premises,” the report states. Noting it “is difficult to imagine a more intrusive invasion of privacy than the search of a personal or home computer,” the court writes that it does “distinguish, for the purposes of prior authorization, the computers from the cellular telephone in issue here.” (Registration may be required to access this story.)

SURVEILLANCE

Study: Privacy Policies Needed for Drones (November 15, 2013)

The Canadian Press reports on a study due out next week that calls for “clear policies about the sort of personal information flying drones are allowed to collect” before law enforcement and others begin widely using them. The study, which examined academic articles, court reports and access-to-information documents, was conducted by Christopher Parsons and Adam Molnar of Block G Privacy and Security Consulting. The research “urges law enforcement agencies, governments and privacy commissioners to work together to ensure civil liberties are respected,” the report states. The study cites the "potential for intrusive and massive surveillance" as warranting public discussion, and notes Canada’s government “lacks a clear policy” on drones.

PRIVACY RESEARCH

OPC Calls for Research Proposals (November 15, 2013)

The Office of the Privacy Commissioner (OPC) is calling for research proposals to advance privacy knowledge and awareness as part of its 2014-2015 Contributions Program. In its announcement of the call for proposals, the OPC notes, “The Contributions Program promotes the advancement of knowledge in Canada by funding independent privacy research and related knowledge translation initiatives. Since its inception over 10 years ago, the program has helped to generate research touching on a diverse range of topics—from video surveillance to electronic health records to social networking.” Applications are due January 6.

SURVEILLANCE

As NSA Fallout Continues, Investigations Called For, Launched (November 14, 2013)

Dutch and Belgian data protection authorities are leading an investigation “into whether consumers’ personal data on the global SWIFT money-transfer network can be accessed by the U.S. National Security Agency (NSA) or other intelligence services,” Bloomberg reports. “We will investigate if the security of the networks and databases of SWIFT containing huge quantities of personal data related to bank transactions of, among others, European citizens, allow for or have allowed for unlawful access,” said Dutch DPA and Article 29 Working Party Chairman Jacob Kohnstamm. In the U.S., advocacy groups including the Electronic Privacy Information Center, Privacy Rights Clearinghouse and Center for Digital Democracy sent a letter to the U.S. Federal Trade Commission calling for an investigation into Internet companies whose networks were accessed by the NSA. “It is inconceivable that when faced with the most significant breach of consumer data in U.S. history, the commission could ignore the consequences for consumer privacy,” the letter states. Meanwhile, a GigaOM report suggests the legacy of Edward Snowden's revelations about NSA surveillance could be "much if not most of the open web will be encrypted by default."

PRIVACY BUSINESS

IBM To Acquire Fiberlink Communications (November 14, 2013)

IBM has announced its agreement to acquire mobile management and security company Fiberlink Communications. “In a mobile-first world, clients require a comprehensive mobile management and security offering. Oftentimes they integrate solutions on their own and take on unnecessary risk,” said IBM’s Robert LeBlanc. “To protect and enhance the complete mobile experience, it’s crucial to secure the app, user, content, data and the transaction. The acquisition of Fiberlink will enable us to offer these expanded capabilities to our clients, making it simple and quick to unlock the full potential of mobility.”

PRIVACY RESOURCES

Where To Get Schooled in Privacy (November 13, 2013)

Prompted by a post to the IAPP Privacy List, our online Resource Center now includes a list of colleges and universities that offer courses in privacy. Currently featuring universities in the U.S., Canada and Europe, we have collected a preliminary list of offerings for those seeking higher education in privacy, but we need your help. Do you know of a school with a strong privacy focus? If so, send us an e-mail and let us know what we’re missing.

DATA PROTECTION

Facebook Asks Adobe Users To Change Passwords (November 12, 2013)

Facebook is warning users who also use Adobe that if they are using the same e-mail and password combinations on both sites, they should change that, KrebsonSecurity reports. That’s after the recent breach at Adobe in which hackers stole nearly three million encrypted credit card records and users’ login credentials. “We actively look for situations where the accounts of people who use Facebook could be at risk—even if the threat is external to our service,” said a Facebook spokesman. “When we find these situations, we present messages like the one in the screenshot to help affected people secure their accounts.”

PRIVACY LAW

Kazakhstan Joins the Crowd and Other Legislative Updates (November 11, 2013)

In the U.S., guidelines and court rulings have offered insight on everything from drone use to workplace audio recordings, while, internationally, questions still loom about the future of Safe Harbor and national leaders have presented an Internet privacy resolution to the UN. Kazakhstan’s privacy law is scheduled to come into effect this month, and Indonesia is looking into consolidating its sectoral coverage into an overarching law. Also in this week’s Privacy Tracker roundup is analysis of India’s privacy bill, California’s spate of privacy laws and insight from the FTC and the New Jersey Attorney General’s Office on how to avoid the wrath of regulators. (IAPP member login required.)

SURVEILLANCE

Canada Described as “Safe Haven” (November 8, 2013)

Amidst the almost daily reports of increased online surveillance from across the globe, The Calgary Herald reports “Canada is being described as a safe data haven where data can be legally protected.” And that is translating into companies launching new data storage services in Canada, the report states, quoting Cloud Council’s Robert Hart, who explained, “The protection of data is an active topic across all provinces … we are proactively reporting on and advocating for privacy in cloud computing environments." The report highlights several providers and their commitment to keep data centres in Canada and ensure “Canadian sovereignty over all information.”

DATA PROTECTION

Erroneous Fax Results in Patient Data Breach (November 8, 2013)

A dialing error at eHealth Saskatchewan has resulted in a fax containing 18 results being sent to a private residence rather than the intended physician, the Prince Albert Daily Herald reports. The affected patients are being notified of the breach. The documents have since been disposed of and the incident has been reported to the Saskatchewan Office of the Information and Privacy Commissioner. “This kind of thing does periodically happen,” said eHealth Saskatchewan’s CEO. “It is certainly not something we like to have happen and eHealth takes full responsibility for the error. We really do regret any concerns or any difficulties that may have happened as a result.”

PRIVACY LAW

Court Rules Against Man in RCMP Raid Case (November 8, 2013)

The Supreme Court of Canada has ruled against a British Columbia man seeking to avoid a second trial after the RCMP raided his house and seized two computers and a cellphone, The Windsor Star reports. The trial judge in the case did not allow the evidence taken from the two devices because the warrant should have been more specific about electronic documents, the report states, leading to the man’s acquittal. But the BC Court of Appeal ordered a new trial, and the man was convicted in a 9-0 decision. Justice Thomas Cromwell said, “While every search of a personal or home computer is a significant invasion of privacy, the search here did not step outside the purposes for which the warrant had been issued…”

ONLINE PRIVACY

Closed-Circle Feature Added to Google+ (November 7, 2013)

Google has added a new feature to Google+ to ensure private conversations remain private, Think Digit reports. The feature allows businesses to decide if their restricted community will be open to everyone at the company or more limited, the report states. System administrators can decide whether restricted communities will be the default, but communities open to third parties such as business partners and clients can also be created.

SURVEILLANCE

U.S. Urges EU To Preserve Safe Harbor; International Reactions to Spying Programs Continue (November 7, 2013)

Across the globe, fallout from reports of U.S. National Security Agency (NSA) and other governmental surveillance programs continues. Politico reports on U.S. regulators urging their counterparts in the EU not to abandon the Safe Harbor Framework amidst “mounting European anger over NSA spying.” Separately, “The CIA is paying AT&T more than $10 million a year to assist with overseas counterterrorism investigations by exploiting the company’s vast database of phone records, which includes Americans’ international calls,” according to a report in The New York Times. NSA General Counsel Rajesh De has attempted to explain the agency’s telephone metadata collection program by saying, “It’s effectively the same standard as stop-and-frisk”—using “reasonable and articulable suspicion” to identify phone numbers to target. Meanwhile, Google has begun encrypting its internal network in an effort to halt broad surveillance, and Kaspersky has said it is designing products “to detect all malware”—even that sponsored by the NSA. In response to allegations of U.S. agencies spying on EU officials, Spiegel examines what the White House might have known and how the NSA sets its priorities, and Indonesia has backed a UN statement indicating “anger at U.S.-led data snooping,” while Australian websites faced cyber attacks “in protest at Canberra's reported involvement in the surveillance network.”

PRIVACY RESOURCES

Employee Monitoring: What’s Allowed and What’s Not? (November 6, 2013)

Employers walk the line between protecting company resources and ensuring productivity on the one hand and becoming Big Brother to their staff on the other. Technology is available to monitor everything from computer use to hallways, but just because it’s out there doesn’t mean it’s okay to use it. This IAPP Resource Center Close-Up aims to help you balance organizational security with employee privacy laws across the globe. You’ll find tools, articles and guidance on conducting background checks, accessing employee data and BYOD, plus learn about differing laws from region to region. (IAPP member login required.)

PRIVACY TECH

Hack the Trackers Taps Into the Post-Snowden Zeitgeist (November 5, 2013)

What do you get when you put a group of talented, self-motivated developers, tech-savvy judges and folks who built one of the Internet’s most-successful online privacy tools into the same room? This coming Saturday, you’ll get Hack the Trackers. Created by Ghostery, a privacy-enhancing browser service owned by Evidon, the hackathon aims to develop a new generation of online privacy tools by inviting developers to work together on open-sourced technology and then be judged by selected experts. In this exclusive for The Privacy Advisor, Jedidiah Bracy, CIPP/US, CIPP/E, talks with Evidon about how the event came to be and where they plan to take it.

PRIVACY

Ten Steps to a Quality Privacy Program, Part Four: PIAs (November 4, 2013)

In part four of the series "Ten Steps to a Quality Privacy Program," Deidre Rodriguez, CIPP/US, explores privacy impact assessments, which she calls key to privacy by design—or default. While there are foundational concepts that must be addressed, each organization may need to approach PIAs differently according to its size and needs, writes Rodriguez in this exclusive for The Privacy Advisor.

PRIVACY LAW

Burden Lowered for Breach Compensation, Changes in China (November 4, 2013)

This week’s Privacy Tracker legislative roundup highlights a U.S. case that may have lightened the burden on plaintiffs in order to win compensation in breach cases, plus the introduction of bills inspired by the NSA’s surveillance techniques. China has amended its consumer protection law, and one Canadian provincial minister is trying to address a gap in privacy protection in the private sector by consolidating and adding laws. Meanwhile, Brazil is still considering a data protection law and the European Commission plans to push toward implementing the Data Protection Regulation by spring of 2014 despite attempts to delay it until 2015. (IAPP member login required.)

BIG DATA

Business Lessons on Privacy and Data Mining (November 4, 2013)

Computerworld reports on the privacy issues surrounding data mining and how including ethical standards with mining can help bolster trust with consumers and help a company’s brand. One digital strategist said, “The values that you infuse into your data-handling practices can have some very real-world consequences.” The article provides a number of examples of companies getting into trouble because of their data-mining practices, but also provides another positive example. Data analytics firm Retention Science uses predictive algorithms and aggregated data to help better target consumers but refuses to share data across clients or third parties. The company also says its data scientists are not allowed to use or share collected data for their own research or publications. A representative from the company said it “works only with businesses that are fully committed to getting their consumers’ consent in advance to use their data.”

ONLINE PRIVACY

Microsoft Updates Policy Ahead of Launch (November 4, 2013)

Ahead of the launch of the Xbox One this month, Microsoft has updated its privacy policy to clarify how data is collected and used within gaming functions. While Xbox One uses facial recognition to log in users, the data doesn’t leave the console and can be deleted at any time. However, users “should not expect any level of privacy” when it comes to live communication features like chat and video during live-hosted game sessions. Microsoft reserves the right to monitor those communications “to the extent permitted by law,” Ars Technica reports. Users are permitted to disable targeted ads and tracking through an opt-out page. Editor’s Note: For more on privacy concerns related to Kinect 2.0, see attorney David Tashroudian’s exclusive article, “Will Kinect 2.0 and COPPA Play Well Together?,” in The Privacy Advisor.

DATA COLLECTION

Facebook Testing More Robust Data Tracking (November 1, 2013)

The Wall Street Journal reports on new software being tested by Facebook to increase the site’s ability to collect great amounts of user information, including the tracking of a user’s cursor on screen. In an interview with The Journal, Facebook Analytics Chief Ken Rudin said the collected data could be added to the company’s data analytics warehouse. According to the report, Facebook can use the stored data “for an endless range of purposes—from product development to more precise targeting of advertising.” Currently, the company collects two types of data: behavioral and demographic. The new tests would expand Facebook’s ability to collect behavioral data, according to Rudin. (Registration may be required to access this story.)

ONLINE PRIVACY

Advocates, Industry Still Doubting DNT Talks (November 1, 2013)

Privacy advocates and the ad industry agree on one thing: the Do-Not-Track (DNT) talks should end, but, The Hill reports, the co-chairmen of the World Wide Web Consortium DNT working group announced that talks will continue. Network Advertising Initiative President Marc Groman, CIPP/US, said the NAI “remains concerned about the lack of progress and transparency in the working group as well as recent stories of arbitrary decisions,” but added, “we will continue to engage to ensure that there is a voice for third parties and digital advertising, small- and medium-sized businesses, the long tail of the Internet and frankly the consumer.”

PRIVACY LAW

OPC Report: CRA Must Do Better at Protecting Privacy (November 1, 2013)

Along with her final annual report on compliance with the Privacy Act, tabled in Parliament on Tuesday, Privacy Commissioner Jennifer Stoddart submitted a special audit citing “weak security practices” at the Canada Revenue Agency (CRA), The Canadian Press reports. Stoddart offered more than a dozen recommendations to improve CRA’s protection of personal information, “including better monitoring of employee access to databases,” the report states. “Canadians surrender their personal information to government out of necessity, often under legal compulsion,” Stoddart said in her report, adding, “In return, people justly expect that the government will exercise effective stewardship over such information.”

PRIVACY LAW

Minister: Province To Address Gap (November 1, 2013)

Saskatchewan Justice Minister Gord Wyant has said the government must address a "gap" in privacy protection for private-sector employees, The Regina Leader-Post reports. “We, like Ontario and the eastern provinces, have relied on the federal legislation with respect to privacy matters in the private sector," Wyant said. Referencing calls for change by Saskatchewan Information and Privacy Commissioner Gary Dickson, Wyant added “there's a little bit of a gap when it comes to that area.” To address the issues, he said, “We've consolidated all the labour legislation into one piece, and we think that there's a possibility of perhaps bringing some regulations forward under the employment act to cover off that issue.”

FINANCIAL PRIVACY

Bell To Pay $21K for Unauthorized Credit Check (November 1, 2013)

The Federal Court of Canada has ordered Bell TV to pay Rabi Chitrakar $21,000 in damages after it accessed his credit report without permission, CBC reports. After Bell conducted the credit check, Chitrakar signed his name on an electronic device which, unknown to him, embedded his signature in a rental agreement authorizing the company to obtain his credit report. Chitrakar complained to the company, asking it to remove the check from his records and noting it could reduce his credit rating, leading to higher loan costs. The court’s decision states that Bell has “shown no interest” in remedying the situation, noting, “In this case, Chitrakar had his rights violated in a real sense with potentially adverse consequences.”

DATA LOSS

Missing Memory Sticks Prompt OIPC Investigation (November 1, 2013)

The Toronto Star reports on the loss of data storage sticks containing information on approximately 18,000 Toronto Western Hospital Donald K. Johnson Eye Centre patients. A key ring with the memory sticks went missing in September, the report states, and the incident has prompted both an apology from the centre’s chief doctor and an investigation by Ontario’s Office of the Information and Privacy Commissioner (OIPC). The USBs included such information as patient names, addresses, phone numbers and procedure codes, the report states, and despite hospital rules and three OIPC orders, the three USBs were not encrypted.

EMPLOYEE PRIVACY

BC Commissioner Investigating Record Checks (November 1, 2013)

Concerns about how much and what type of personal information is disclosed in police record checks, which are often conducted for employment-screening purposes, have prompted an investigation by BC Information and Privacy Commissioner Elizabeth Denham, The Canadian Press reports. Citing concerns from individuals and civil society groups “about the scope and sensitivity of personal information that's accessed and disclosed to police,” Denham has suggested “the relevance of the information collected in the public and private sector needs to be scrutinized,” the report states.