#CyberFLASH: Privacy Commissioner Targets IoT Health Devices in Sweep


What rumours is your fitness tracker spreading about you? In its latest Internet of Things themed sweep, the Office of the Privacy Commissioner of Canada reviews what personal information is being collected about Canadians by “smart” health and fitness devices.

Many of us will remember Time Magazine’s audaciously titled September 2013 issue, which splashed the following headline across its cover page: “Can Google Solve Death?”

At the time, there were more than a few skeptics who might have dismissed Google’s investment in Calico, a biotech subsidiary, as another moonshot investment by the tech giant or as part of a long-term expansion strategy.

Fast-forward less than three years. Regulators continue to play catch-up with the burgeoning industry at the intersection of data analytics and user-generated personal health data. The ballooning number of connected devices that make up the so-called internet of things (“IoT”) has accelerated in scale at a heart-clutching rate. The Office of the Privacy Commissioner of Canada (“OPC”) quotes estimates that, by 2020, there will be between 20 and 30 billion connected devices.[1] While devices that generate data specific to the function and use of the human body represent a subset of these devices, it is hard to deny the growth in the sophistication and potential use (and misuse) of the datasets generated from users’ health and biometric data.

Connected health technology has come a long way since the days of telephonic medical alert systems infamously portrayed in infomercials featuring “help, I’ve fallen” pushbutton necklaces. While application driven smart-phones, watches and fitness wearables are top of mind, the healthcare industry has adopted a range of smart devices that quietly gather and amass a steady stream of data about their users: baby monitors, respiratory and glucose meters, scales, pillboxes, thermometers, contact lenses, heart-monitors, and even band-aids are but a few of the previously inert devices that have become IoT-enabled. For individual consumers, health practitioners, and public health officials, there are extremely compelling use cases to prevent regulatory authorities from stifling the innovation in this sector. For individual patients and clinicians, the devices open what was previously a black-box allowing insight into the lives of individuals outside a clinical setting. The data gathered will enable the healthcare industry to open new service lines focusing on early detection and intervention as well as ongoing health monitoring. Similarly, public health authorities can benefit from large-N data-mining that could potentially offer new insights into determinants of disease, healthy aging processes, and general population wellness.


#CyberFLASH: Privacy enforcement chiefs bringing IoT in for a few questions

The Global Privacy Enforcement Network (GPEN) is putting the Internet of Things (IoT) world in its crosshairs during its 2016 global privacy “Sweep.” The group – a worldwide union of national privacy and law enforcement agencies seeking to tackle transnational privacy and data security issues – said they plan to vet all sorts of manufacturers on data privacy and security practices to see what issues, if any, are prevalent in this new connected industry.

It comes at the perfect time, as more homes and businesses start to adopt IoT devices and platforms. Knowing the potential privacy issues that companies could be neglecting will make the industry as a whole safer and more secure, if IoT developers and manufacturers fix any issues identified in the GPEN report.


“Connected devices, such as fitness trackers, smart scales, sleep monitors and other health related products, are capable of capturing some of our most intimate data,” said commissioner Daniel Therrien, for Canada’s Office of the Privacy Commissioner (OPC), a member agency of GPEN.

“Given the sensitivity of the information, it is imperative that the companies behind such devices are transparent about what they collect, how the information will be used and with whom the data will be shared. I’m pleased the Sweep will focus on this important area under the Internet of Things banner,” he said.


#CyberFLASH: Holding The Black Bag: Personal Health Information And Bankruptcy Proceedings

A recent decision of the Ontario Information and Privacy Commissioner (OPC) highlights the potentially broad application of the Personal Health Information Protection Act (PHIPA).1

The vast majority of PHIPA’s obligations are imposed upon “health information custodians” – those individuals and organizations that collect information from patients – doctors, clinics and hospitals.2 But what happens when the custodian goes bankrupt? The recent decision in Viterna Health Centre Inc. indicates that whoever is left in possession of the information is “it”. This could potentially affect a number of unsuspecting commercial parties.

A copy of the decision can be found here.

Where did all the health information custodians go?

The Viterna case involved a number of health clinics that closed their doors and entered bankruptcy proceedings. The problem, however, was that the companies running the clinics simply left patient records in boxes in the leased premises across Toronto. While under bankruptcy proceedings, the companies were no longer allowed to conduct any business and were subject to a stay under the Bankruptcy and Insolvency Act (BIA).3 The result was that the clinics avoided responsibility for securing the records.

In November 2015, the OPC issued a Notice of Review to the clinics’ former landlords and trustee in bankruptcy, asking for representations about a potential order to secure the records. As it made clear in its decision, the OPC’s concern was that “the Records were at imminent risk of being lost, destroyed, disclosed, or disposed of in contravention of [PHIPA]…” 


#CyberFLASH: Windows 10 ‘spying’ claims investigated by Canadian watchdog

Canada is investigating the terms and conditions that come with Windows 10, after many have claimed that the new operating system is watching its users.

The controversy has come about because the software’s data collection functions are turned on by default. While Microsoft have made it clear that the function can be turned off before the OS is even installed, in Canada software must seek consent for the data collection, rather than simply giving the option to turn it off.

With Windows 10, Microsoft is able to collect “your voice input, as well as your name and nickname, your recent calendar events and the names of people in your appointments, and information about your contacts including names and nicknames”, according to its terms. Microsoft also reserves the right to “access, disclose and preserve personal data”.

These privacy problems are further exacerbated by Microsoft’s recent move to download Windows 10 onto all computers using Windows 7 and 8 even when the user decided not to use the free upgrade.

Speaking to The Inquirer Microsoft confirmed: “For individuals who have chosen to receive automatic updates through Windows Update, we help upgradable devices get ready for Windows 10 by downloading the files they’ll need if they decide to upgrade. When the upgrade is ready, the customer will be prompted to install Windows 10 on the device.”


#CyberFLASH: Canada joins global sweep of kids’ online privacy

Sometimes it can seem that kids are more digitally savvy than the adults around them. Children are playing games on mobile devices, watching videos online, and exploring various websites. But are those apps and websites taking enough precautions to protect children’s privacy?

That’s the question at the heart of a global investigation taking place this week involving privacy organizations in 21 countries, including the Office of the Privacy Commissioner of Canada (OPC).

These organizations will be examining the apps and websites that are most popular among children in each country. (In Canada, “children” means those under age 12, though this may differ in some places.)

Investigators will be looking at whether apps and sites gather personal information on kids, and if they do, whether that information is limited to what’s necessary (to create an account, for example). They will also examine whether the apps and sites prompt users to involve a parent or guardian in any registration process; and whether they take measures to make privacy policies understandable to kids. That means not just using simple language, but also using graphics or even animated characters to guide them through the information and to encourage parental involvement.

The sweep, which began Monday and runs through Friday, was initiated by the members of the Global Privacy Enforcement Network, and includes countries such as the United States, the United Kingdom, China, Germany, France and Mexico.


#CyberFLASH: Privacy Commissioner announces funding for independent privacy research

GATINEAU – Independent research and knowledge translation projects supported through the Office of the Privacy Commissioner of Canada’s 2015-2016 Contributions Program will explore a wide range of emerging privacy issues, such as fitness tracking devices, lawful access and children and privacy policies.

“The projects selected this year will help build a greater understanding of new risks to privacy and also provide individuals and organizations with information about how to better protect personal information in a constantly evolving environment,” says Privacy Commissioner of Canada Daniel Therrien.

The Commissioner also announced today that the Contributions Program has been renewed for another five years following an independent evaluation of the Program.

“The Contributions Program is considered to be one of the foremost privacy research funding programs in the world and has made a significant contribution to developing privacy knowledge in Canada and beyond. We are very pleased that the Program will continue to support this important work,” says Commissioner Therrien.

The Contributions Program funds not only research but also its application in ways that have a real impact on Canadians. Some examples of this year’s projects include:

Privacy and fitness tracking devices – This project will examine the relationship between the data collection and transmission practices of fitness tracking devices, the cloud services they integrate with, and how third parties may access their personal information from the providers of these services.

Lawful access – This project will explore the implications of the Edward Snowden revelations regarding the relationships between government signals intelligence authorities and private sector telecommunications companies over access to and sharing of metadata and private communications.


#CyberFLASH: Why Bell’s opting-out approach isn’t good enough

Bell’s targeted advertising program, which creates customer profiles that include age, gender, account location, credit score, pricing plan, and average revenue per user, generated controversy from the moment it was announced in October 2013. The communications giant maintained that it complied with Canadian privacy laws, yet many clearly disagreed as the Privacy Commissioner of Canada received an unprecedented barrage of complaints.

While concerns about tracking Internet usage and search queries garnered headlines, the fundamental legal issue was whether Bell was entitled to force its millions of customers to opt-out of the targeted advertising program if they did not wish to participate or if the law requires an explicit, opt-in approach in which consumers must proactively ask to be included before their tracking information is used for advertising purposes.

This week the Privacy Commissioner of Canada rendered his verdict: Bell’s targeted advertising program violates the law since the consumer data used by Bell is sufficiently sensitive such that an opt-out approach does not adequately protect user privacy. Bell argued that the information it collects is non-sensitive and that opt-out was therefore good enough.

If the consumer data is taken piece by piece, Bell might have been right. Yet in an era of “big data”, the Privacy Commissioner effectively concluded that the sum of personal information is more than the parts. In the case of Bell, he placed the spotlight on the remarkable scale of the company’s data collection and usage:


#CyberFLASH: Privacy commissioner studies Bell ad tracking

The issue of Bell Canada tracking Internet use in order to deliver targeted online advertising remains unresolved even though the company has accepted a privacy commissioner’s recommendation that it first seek customer consent.

“I would just caution that the real issue is still in front of the CRTC, which is whether they are allowed to do this at all,” said John Lawford, executive director of the Public Interest Advocacy Centre.

Calling the practice an abuse of privacy, the consumer group has filed a complaint with the Canadian Radio-television and Telecommunications Commission, arguing Bell has gone beyond its role as a provider of telecom services.

Lawford says telecom legislation prohibits Bell from using confidential information to support a new business that secures revenues from selling to advertisers the interest profiles of its customers.

Bell tracks only customer Internet use by cellphone clients at present, but has indicated it would extend that to landlines and to TV viewing habits, having argued for more than a year that customers could opt out if they so wished.

