#CyberFLASH: Legal experts to mull risks to privacy, safety at conference in Halifax

Cyber-crime and privacy issues top the agenda at the International Society for the Reform of Criminal Law annual conference in Halifax this week.

It is the first time the conference, slated to run Sunday through Thursday, has been held east of Montreal.

Judges, lawyers, legislators and law enforcement officials from around the globe will weigh in on the difficult balance between the rights of the individual and society’s collective security, said Hon. Justice Michael MacDonald, Supreme Court of Nova Scotia, who is co-chairing this year’s conference along with Supreme Court Justice Thomas Cromwell.

“It’s a huge challenge in the face of technology that’s changing at warp speed,” MacDonald said.

“The internet is changing our lives daily and it’s a challenge at the best of times to find that right balance between protecting your and my privacy with the need to protect society,” he said.

While judges are loath to give police the right to hack anyone’s account without good reason, with the internet changing life in almost every way, the justice system has to act appropriately to make sure the use of the internet as an instrument of crime is minimized, MacDonald said.

One of the biggest challenges is that of the principle of open court, he said.

“In Nova Scotia and Canada and all leading democracies we value our open courts principle, which means everything that happens must be open to the public and the public must be able to scrutinize to make sure justice is administered properly,” MacDonald said.

The problem is that information that can be gathered through open court principle can be manipulated for malicious purposes, he said, recalling his law practice in the 1970s, when a messy divorce case might yield personal details about children or other vulnerable people.

Those same details, online, could be Googled and exploited, MacDonald said.


#CyberFLASH: Update Canada’s privacy laws, but don’t look to Europe or the US for guidance, experts say

Even Justin Trudeau thinks Canada needs to update its data privacy laws for the 21st century, but the recently passed E.U.-U.S. Privacy Shield probably isn’t providing the guiding light he might be hoping for, according to several privacy experts.

Instead, the current agreement highlights the need for an update: While our own federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA) was deemed “adequate” by the European Commission in the early 2000s, it’s scheduled to be revisited in the near future and might not meet the E.U.’s new standards – which many privacy advocates believe don’t go far enough anyway, the University of Ottawa’s chair of Internet and e-commerce law, Michael Geist, says.

“There’s a very real possibility that the E.U. could examine the adequacy finding for Canada and raise the same kinds of concerns that came up in the context of [Privacy Shield predecessor] Safe Harbour, potentially challenging whether Canada’s existing system – given some of the things we now know about surveillance and information sharing – is deserving,” he says.

That said, “there’s still a bit of an open question as to whether [Privacy Shield itself] meets E.U. law or not,” he continues. “There was a lot of political motivation to get a deal done, but I think there remains some ongoing concerns, particularly in the privacy community, which suggests that it still could be subject to challenges.”

Approved on July 12, the agreement, which E.U. member nations must incorporate into their national laws by May 6, 2018, establishes new regulations for data transfers between the U.S. and E.U., notably by imposing limitations on the access of U.S. public authorities to European consumers’ digital information; by requiring regular updates and reviews of companies that handle personal data; and by providing a clear method of conflict resolution for E.U. residents who feel their data has been misused without their consent.


#CyberFLASH: Eight tips to improve your organization’s data privacy

For CISOs, every day is data privacy day. But every January 28th, Data Privacy Day is officially observed by a number of countries and agencies.

It could be a good day for infosec pros to remind themselves that, in addition to IT security, they need to ensure corporate privacy policies for personal data — of employees as well as customers and partners — are up to date and enforced.

This year’s observation comes at a sensitive time for chief security and privacy officers. Not only are data breaches increasing, the ability of customers to sue is going up as well.

Just this week an Ontario judge recognized a new common law privacy tort of public disclosure of private facts. The case involved a man who posted a sexual video of an ex-girlfriend on the Internet without permission.

“In the electronic and Internet age in which we all now function, private information, private facts and private activities may be more and more rare, but they are no less worthy of protection,” the judge wrote in part.

The woman had entrusted the defendant with the images, the judge said, and the defendant had no right to publish them. The man was fined a total of $100,000 in damages, plus court costs.

This case doesn’t deal with a corporation. However, before this week no Canadian court recognized the right to sue for public disclosure of private facts. The point is organizations need to note the common law on privacy is expanding.


#CyberFLASH: Four ways Canada’s new transparency rules fall short.

Canadians have become increasingly troubled by reports revealing that telecom and Internet companies receive millions of requests for subscriber data from a wide range of government departments. In light of public concern, some Internet and telecom companies have begun to issue regular transparency reports that feature aggregate data on the number of requests they receive and the disclosures they make.

The transparency reports from companies such as Rogers, Telus and TekSavvy have helped shed light on government demands for information and on corporate disclosure practices. However, they also paint an incomplete picture since companies have offered up inconsistent data and some of the largest, including Bell, have thus far refused to come clean on past requests and disclosures.

The Privacy Commissioner of Canada released a report last week that showed that all transparency reports are not created equal. For example, TekSavvy has provided information on the content of the disclosures, the number of accounts affected and instances where users were notified. By contrast, companies such as Rogers, Telus, Allstream and Wind Mobile have not disclosed this information, offering more limited data.

In an effort to create greater uniformity in transparency reporting, Industry Canada has just released new transparency reporting guidelines. The government states that it has released the guidelines “to help private organizations be open with their customers, regarding the management and sharing of their personal information with government, while respecting the work of law enforcement, national security agencies and regulatory authorities.”


#CyberFLASH: Canadian Government Amends and Strengthens PIPEDA, Adding Breach Notification Requirement and Filling Other Gaps

Just prior to recessing for the summer, the Canadian government enacted the Digital Privacy Act. It includes a number of targeted amendments to strengthen existing provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA), but falls short of providing the Privacy Commissioner of Canada (Commissioner) with direct enforcement powers, as some stakeholders—including the former Commissioner—had proposed.

The Digital Privacy Act was introduced in April 2014 as part of the government’s “Digital Canada 150” strategy. While it was touted as providing new protections for Canadians when they surf the web and shop online, there is nothing that is particularly “digital” about the bill, which will equally affect the bricks and mortar, paper-based world.

Of particular note, the Digital Privacy Act creates a duty to report data breaches to both the Privacy Commissioner and to affected individuals “where it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.” Failure to report data breaches in the prescribed manner could result in fines of up to $100,000 for non-compliant organizations. While the majority of the new law is currently in force, the provisions relating to breach notification have yet to be proclaimed in force by the government.

Once in force, the mandatory breach-reporting regime will bring the federal law into alignment with many international laws, as well as with Alberta’s own Personal Information Protection Act, which has had a breach notification provision since 2009. However, unlike the Alberta law, the Digital Privacy Act would also require organizations to maintain records of all data breaches involving personal information under their control—even if they do not require reporting to the Commissioner or to affected individuals—and to provide these records to the Commissioner on request. Failure to comply with these requirements could also result in a fine of up to $100,000.


#CyberTRAX: A slow clap for Anonymous

“Greetings citizens of Canada, we are Anonymous. Today, this 17th of June, 2015, we launched an attack against the Canadian Senate and Government of Canada websites in protest against the recent passing of Bill C-51.”

That was the opening to a video the online activist group posted Wednesday, as federal government websites fluctuated in and out of operation.

“Stand for your rights, take to the streets in protest this 20th of June, 2015,” the Anonymous video continued. “Disregard these laws, which are unjust, even illegal.”

Throughout the afternoon, dozens of government of Canada websites went down, including canada.ca, the site for Transport Canada and the page for the Department of Foreign Affairs. The outage also seemed to affect government Blackberrys, though Public Safety Minister Steven Blaney said no private information was compromised. Though the source of the attack was initially unclear, Anonymous eventually claimed responsibility and posted the video.

The irony of launching a cyber-attack to protest an anti-terrorism law was surely lost on this gaggle of virtual legionnaires. This attack — which took the form of a distributed-denial-of-service, or DDoS, attack — is not particularly sophisticated in nature and acts as more of a nuisance than a real security breach. Essentially, “attackers” flood the server with requests at such an overwhelming volume that it is forced to crash.


#CyberFLASH: Canada greenlights an anti-terror law that hurts internet privacy

The US government might be curbing its surveillance activities, but just the opposite is happening north of the border. Canada’s Senate has passed the heavily disputed Bill C-51 into law, granting spy agencies (like the Canadian Security Intelligence Service) greater powers to violate digital privacy in the name of fighting terrorism. The move lets government branches swap sensitive data like tax filings, and gives spies permission to load intrusive malware on suspects’ devices. It also raises the possibility of searching devices at the border to find “terrorist propaganda,” and should allow disruptive tactics like taking down websites. Moreover, there are worries that some online discussions wishing harm against Canada and its allies might be deemed illegal.

Some of the strategies greenlit here aren’t new — just ask the US’ National Security Agency. However, there’s a concern that C-51’s vague definitions of national security risks let the Canadian government snoop on people who are merely challenging authority, such as activists and religious leaders, rather than limiting the scope to extremists. Not surprisingly, the attempts at criminalizing certain kinds of discussion could easily tread on the country’s free speech rights.

The Senate move doesn’t mean that the law is set in stone. Two political parties (the NDP and Green Party) have promised to repeal C-51 if they can, and a third (the Liberal Party) is at least open to amendments. Those aren’t idle threats, either. There’s a federal election coming up in the fall, and even supporters of the ruling Conservative Party believe C-51 could be unpopular enough to usher in a change of leadership that either softens key measures or kills the law outright. In other words, the battle isn’t over yet.


#CyberFLASH: Spy agencies target mobile phones, app stores to implant spyware

Canada and its spying partners exploited weaknesses in one of the world’s most popular mobile browsers and planned to hack into smartphones via links to Google and Samsung app stores, a top secret document obtained by CBC News shows.

Electronic intelligence agencies began targeting UC Browser — a massively popular app in China and India with growing use in North America — in late 2011 after discovering it leaked revealing details about its half-billion users.

Their goal, in tapping into UC Browser and also looking for larger app store vulnerabilities, was to collect data on suspected terrorists and other intelligence targets — and, in some cases, implant spyware on targeted smartphones.

The 2012 document shows that the surveillance agencies exploited the weaknesses in certain mobile apps in pursuit of their national security interests, but it appears they didn’t alert the companies or the public to these weaknesses. That potentially put millions of users in danger of their data being accessed by other governments’ agencies, hackers or criminals.

“All of this is being done in the name of providing safety and yet … Canadians or people around the world are put at risk,” says the University of Ottawa’s Michael Geist, one of Canada’s foremost experts on internet law.

CBC News analysed the top secret document in collaboration with U.S. news site The Intercept, a website that is devoted in part to reporting on the classified documents leaked by U.S. whistleblower Edward Snowden.


© 2013 CyberTRAX Canada - All Rights Reserved.
Sponsored by C3SA Corp.