Tuesday, September 30, 2014

Telus issues its first "Transparency Report" on government data demands

Full points to Telus for joining Rogers as the first Canadian telcos to issue a transparency report. The Report for 2013 [PDF] summarizes the disclosures of customer information made by Telus in broad categories:

Court Orders/ Subpoenas**

Court Orders 3,922

Subpoenas 393

Court Orders to comply with a Mutual Legal Assistance Treaty (MLAT) request 2

Customer Name and Address Checks 40,900

Emergency Calls 56,748

Internet Child Exploitation Emergency Assistance Requests 154

Legislative Demands 1,343

TOTAL 103,462

As Telus notes, their methodology for tracking these may differ from other telecommunications providers, so the numbers may not be directly comparable.

It is also particularly notable that Telus states their practices have changed in at least two areas following the R v Spencer decision:

Customer Name and Address Checks

Description: Requests to provide basic customer information, such as customer name and address. These are usually done in order to identify an individual associated with a telephone number. Previously, it was understood that such disclosure was permitted under Canadian law and TELUS’ service terms. However, in light of the recent decision of the Supreme Court of Canada in the case of R. v. Spencer, TELUS has changed its practice and now requires a court order for customer name and address information, except in an emergency or where the information is published in a directory.*

[Note: Hopefully, this does not suggest that they will provide a customer name and address when presented with an IP address, if that name and address are listed.]

Internet Child Exploitation Emergency Assistance Requests

Description: In response to police requests, TELUS disclosed the name and address of a customer using an IP address to help the police investigate a case of online child sexual exploitation. Previously, it was understood that such disclosure without a court order was permitted under Canadian law and TELUS’ service terms. However, the Supreme Court of Canada in the Spencer case (referred to above) has ruled that such disclosure requires a court order, except in an emergency. Accordingly, TELUS has amended its practices in this regard.

The Toronto Star has offered some commentary on this: Telus issues first ‘transparency’ report on requests for customer information | Toronto Star

Thursday, September 18, 2014

Google's latest transparency report: Law enforcement requests up 150% over five years

Google has released its most recent iteration of its transparency report. In a posting on the Google Public Policy Blog, Richard Salgado, Legal Director, Law Enforcement and Information Security, writes that Google has seen a 15% increase in government data demands (excluding national security demands) since the second half of last year, and a 150% jump since Google's first report 2009. Breaking out U.S. demands, the numbers have risen 19% since the second half of last year and have leaped 250% since 2009.

The numbers for Canada have actually gone in the other direction. The previous transparency report included 52 demands for info on 73 users, compared to the most recent 27 demands related to 33 user accounts.

Consistent with Google's previous positions Salgado writes:

Governments have a legitimate and important role in fighting crime and investigating national security threats. To maintain public confidence in both government and technology, we need legislative reform that ensures surveillance powers are transparent, reasonably scoped by law, and subject to independent oversight.

Amen to that.

Sunday, September 14, 2014

Newfoundland health authority employee fined for rummaging through records

Last Thursday, a judge of the Newfoundland Provincial Court fined a former employee of Western Health $5000 for rummaging through approximately 1000 records. The accused was found to have reviewed names and billing addresses, but not more sensitive health information. See: Fine in privacy breach 'sends the right message': Ed Ring - Newfoundland & Labrador - CBC News.

Thursday, September 11, 2014

Privacy Commissioner of Canada releases results of second GPEN Privacy Sweep focused on mobile apps

The Privacy Commissioner of Canada has released the results of the second Global Privacy Sweep carried out by the Global Privacy Enforcement Network (GPEN). This sweep focused on mobile apps and the OPC scrutinized 151 of the 1211 examined globally.

The findings are summarized in a blog post, along with ten tips directed to assist developers in being more transparent about how apps collect, use and disclose personal information.

Here's the media release, too:

News Release: Global privacy sweep raises concerns about mobile apps - September 10, 2014

News Release

Global privacy sweep raises concerns about mobile apps

Clear, concise privacy language builds consumer trust and is good for business, Privacy Commissioner says after global sweep of more than 1,200 mobile apps.

OTTAWA, September 10, 2014 – As mobile apps explode in popularity, many of them are seeking access to large amounts of personal information without adequately explaining how that information is being used, participants of the second annual Global Privacy Enforcement Network (GPEN) Privacy Sweep found.

“Fortunately, there were few examples of apps collecting the sort of information that would appear to exceed their functionality—like a flashlight app seeking permission to obtain your contacts list,” says Daniel Therrien, Privacy Commissioner of Canada.

“But we did find many apps were requesting permission to access potentially sensitive information, like your location or access to your camera functions, without necessarily explaining why. This left many of our sweepers with a real sense of unease.”

The privacy sweep results offer insight into the types of permissions some of the world’s most popular mobile apps are seeking and the extent to which organizations are informing consumers about their privacy practices. A number of specific examples illustrating these trends can be found in a blog postexternal on the Office of the Privacy Commissioner of Canada’s website. The Commissioner determined it was in the public interest to share specific results from the Sweep in order to help Canadians better understand the observations. Our Office has also prepared a 10 tips guide to help developers better communicate their privacy practices to app users.

In total, 1,211 apps were assessed, 151 of them by the Office of the Privacy Commissioner of Canada.

Participants looked at the types of permissions an app was seeking, whether those permissions exceeded what would be expected based on the app’s functionality, and most importantly, how the app explained to consumers why it wanted the personal information and what it planned to do with it.

“Both large and small app developers are embracing the potential to build user trust by providing clear, easy to read and timely explanations about what information they will collect and how they will use it,” Commissioner Therrien says.

“Others are missing that opportunity by failing to provide even the most basic privacy information.”

The Sweep, which took place May 12 to 18, 2014, involved 26 privacy enforcement authorities from around the world, up from 19 international participants during last year’s inaugural event. The growth of this year’s Sweep shows privacy enforcement authorities are more committed than ever to working together to promote privacy protection.

The GPEN initiative is aimed at encouraging organizations to comply with privacy legislation and to enhance co-operation between privacy enforcement authorities. It was not in itself an investigation, nor was it intended to conclusively identify compliance issues or legislative breaches. Concerns identified during the Sweep, however, will result in follow-up work such as outreach to organizations, deeper analysis of app privacy provisions and/or enforcement action.

Office of the Privacy Commissioner of Canada Sweep highlights:

  • 28 per cent of apps provided a clear explanation of their collection, use and disclosure of personal information policies.
  • More than a quarter of apps examined by the OPC (26%) offered either no privacy policy at all or one that left sweepers with serious concerns regarding how their information would be collected, used and disclosed.
  • Amongst the apps receiving top ratings were very popular apps in the e-marketplace, demonstrating that when properly explained to consumers, the collection of information does not negatively impact on downloads.

Global Sweep highlights:

  • Three-quarters of all apps examined requested one or more permissions, the most common of which included location, device ID, access to other accounts, camera and contacts. The proportion of apps requesting permissions and the potential sensitivity associated with the information highlight the need for apps to be more transparent.
  • For nearly one-third of the apps (31%), sweepers could not understand – after reading the app’s various privacy communications and given what they knew about the app’s function – why it needed access to certain information.
  • Some 43 per cent of apps did not tailor privacy communications to the small screen. Sweepers complained of small print and lengthy privacy policies that required scrolling or clicking through multiple pages. Best practices included using larger font, pop-ups, layered information and just-in-time notification to inform users of potential collections or uses of information when they were about to happen.

About the Office of the Privacy Commissioner of Canada

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law.

See also:

Blog post, Backgrounder, Ten Tips for Communicating Privacy Practices to Your App's Users

Wednesday, September 03, 2014

The US doesn't have a privacy law? Really? Verizon to pay $7.4 million over failure to notify consumers on privacy rights

At privacy gatherings, I often hear that Canada and the European Union have serious privacy laws, while the United States is somehow on the lawless fringe (other than sectoral laws like HIPAA). That's far from the case, as the Federal Trade Commission has taken a small portion of the Federal Trade Commission Act and 33 other statutory instruments to enforce a pretty broad privacy regime in the US. Case in point: Today's $7.4 million settlement with Verizon over the omission to include a privacy brochure in the with the first bills of 2 million customers. (See: Verizon to pay $7.4 million over failure to notify consumers on privacy rights | Reuters).

Tuesday, September 02, 2014

The celebrity photo leak/hack: lessons for securing devices and cloud accounts

Over the weekend, a deluge of intimate photos of celebrities appeared on the internet, first on 4Chan and then on Reddit (CBC report). Surely, they are other places now. What is unclear at the moment is how the images were obtained in the first place. There's been speculation that the photos came from the iCloud accounts that were either compromised by a brute-force password attack or even a suggestion that the WiFi at the Emmy Awards was somehow compromised. Other discussions online suggest that the photos have been traded for years among avid collectors. It will be very interesting -- from a privacy and security point of view -- to learn how it actually happened.

In the meantime, this serves as a reminder about what steps most people should take to secure their sensitive personal information on their devices and in the cloud.

Increasingly, people are carrying more and more sophisticated devices with onboard cameras that automatically sync data to remote servers. I am not at all interested in blaming the victims. Increasingly, people are taking photos from the most banal moments in their lives to the most intimate. Like it or not, it's simply a fact. While celebrity images are the most sought-out, images of ordinary people have been scraped from unsecured image hosting sites with traumatic results.

Most smartphones are mostly secure out of the box, and responsible vendors update vulnerabilities as they are discovered. However, they rely on humans who may not be as technically-minded as the first line of defence. All of these devices and services are protected by passwords. People tend to choose very weak, easily guessed passwords. That can be fixed. And people can take additional steps to protect their information.

  1. Try to learn the basics of how your device works, particularly about what is synchronised and backed up to online services; check your default settings;
  2. Secure your device with a PIN or password (How to: Android and iOs);
  3. Add encryption to your device, if possible (How to: Android);
  4. Add remote management to kill your device if it is lost (How to: Android (I also like Cerberus Anti Theft) and iOs);
  5. Use a strong password for all your accounts. The longer the better. (Read this XKCD comic. Read it, learn it, live it.)
  6. Consider a password manager like LastPass to generate complicated passwords for your accounts and to keep them safe. But protect your password vault with the most complicated and longest password you can reliably remember.
  7. Use two-factor authentication for your cloud accounts. While not particularly intuitive, two-factor authentication protects your account even if your password is compromised. This is critical. (How to: Google Accounts, DropBox, and most other places.) Any account to which you sync your personal images and video should be protected by two factor authentication.

With these measures in place, you're much more secure than most people. But there is no such thing as perfect security. Knowing that there are malevolent people out there looking for this kind of content and other sensitive personal information, the next question needs to be "am I satisfied that this is as secure as it needs to be in light of the nature of the information and the consequences of a 'leak'"?

UPDATE: According to TechCrunch, Apple's two-factor authentication DOES NOT PROTECT iCloud or Photostreams. This is a major shortcoming. I would recommend not using iCloud for anything personal or sensitive until Apple fixes this gaping omission.