#CyberFLASH: IP Addresses As Personal Information: The Canadian And EU Positions Contrasted

The October 19, 2016 judgment of the European Court of Justice in the matter brought by Patrick Breyer against the Federal Republic of Germany (the “EU Decision”) raises the issue of whether an IP address is personal information under the EU Directive 95/46/EC and provides an interesting comparison with the Canadian perspective.

The EU Decision

As we have covered on this blog, in the EU Decision, Mr. Breyer claimed that the Federal Republic of Germany had no right to retain the IP address from the device he used to search for information on various government websites. He contended that his IP address is personal information that the website operator may keep only for the purpose of facilitating access to the site and not for general purposes such as safeguarding the security of the site or fending off cyber-attacks, such as denials of service.

The Court of Justice held that where third parties, such as internet service providers (“ISP”), have subscriber information that can be legally accessed by the website operator and used in conjunction with the IP address to identify the visitor, the IP address is personal information. The Court seemed to leave open the question of whether the IP address would constitute personal information if the holder of it could not reasonably or legally obtain the other information needed to identify the owner of the address. In so doing, it adopted a “relative” definition of personal information.

The Court also held that individual states could not pass legislation that forbids the use of an IP address for any purpose other than facilitating network access and billing.

The Canadian Perspective

The EU Decision provides an interesting contrast with the view of the Office of the Privacy Commissioner (“OPC”) in Canada. In a research paper published in May 2013, the OPC revealed that an IP address, combined with other publicly available information, even without any access to the ISP subscriber records, may permit identification of the owner and his or her web-browsing or other activities. Based on this finding, an IP address may in many circumstances be personal information regardless of whether the ISP subscriber records linking that address with an individual are legally accessible to the organization collecting the IP address. Thus, in Canada, IP addresses may be treated as personal information in more situations than in the EU.

Read more here

#CyberFLASH: Facebook says users can’t stop it from using biometric data

Facebook Inc.’s software knows your face almost as well as your mother does. And like mom, it isn’t asking your permission to do what it wants with old photos.

While millions of internet users embrace the tagging of family and friends in photos, others worried there’s something devious afoot are trying to block Facebook as well as Google from amassing such data.

As advances in facial recognition technology give companies the potential to profit from biometric data, privacy advocates see a pattern in how the world’s largest social network and search engine have sold users’ viewing histories for advertising. The companies insist that gathering data on what you look like isn’t against the law, even without your permission.

If judges agree with Facebook and Google, they may be able to kill off lawsuits filed under a unique Illinois law that carries fines of US$1,000 to US$5,000 each time a person’s image is used without permission — big enough for a liability headache if claims on behalf of millions of consumers proceed as class actions. A loss by the companies could lead to new restrictions on using biometrics in the U.S., similar to those in Europe and Canada.

Read more here

#CyberFLASH: Red Deer men targeted by sextortion scam

RCMP are investigating an extortion scam after two Red Deer men were “lured into compromising online encounters” by strangers on the internet.

Police say both victims were approached online in October by women.

The women lured the men over the internet “and then threatened to post the images online unless they were paid by their victims,” Red Deer RCMP said in a news release Wednesday.

Neither victim was defrauded of money, police said. In both cases, the women halted communication with their targets after the men informed them they were reporting them to police.

RCMP suspect there may be even more cases of this type of extortion happening in the community, but victims “may be too embarrassed to report it.”

Furthermore, investigators say these online profiles are usually fake and the scammers live in different countries, making prosecution impossible.

Read more here

#CyberFLASH: Over 70,000 Canadian credit cards suddenly on sale on dark web

Some Canadian organizations like to think they’re safer from cyber attack because of the relatively few publicly-reported data breaches here.

It’s true there are fewer breaches reported in this country. And international figures show reported malware attacks here are lower than in the U.S. But that doesn’t mean they don’t happen. It’s just that they don’t get reported.

For example, at this week’s SecTor security conference in Toronto a Telus Security Solutions consultant said early this year a batch of over 70,000 Canadian credit card numbers popped up for sale on the darknet.

So far no organization has announced a theft.

Milind Bhargava made the revelation as part of a presentation he and another Telus security investigator did on how much personal information on Canadians was available on the darknet.

His division regularly monitors credit card sales sites for corporate customers, he said. It’s not hard to identify Canadian credit and debit cards – the first six digits of every card identify the bank and type of card.

In the early months of this year “suddenly we saw 70,000-plus cards from the same province,” he said. “Multiple banks, but all from the same province. We have never seen so many from the same province.” He wouldn’t identify the province or the ).

The card data, with expiry dates ranging from this year to 2020, were being sold for between forty cents and $3 each.

Read more here

#CyberFLASH: Drop in police requests for electronic surveillance of suspected criminals baffles experts

Experts say they’re baffled by the big drop in the number of applications from police to conduct electronic surveillance on citizens.

In 2015, peace officers asked for authorization to intercept and record private communications 66 times, down from 114 a year earlier.

Police can ask a judge for permission to intercept someone’s personal communications when they suspect serious criminal activity. Such authorizations generally last around 60 days.

The data comes from the Department of Public Safety’s annual report on the use of electronic surveillance in Canada.

The report describes how, when applying for authorization, police most often said they suspected drug trafficking, terrorism, conspiracy and possession of stolen property. It also says charges were laid against 56 people identified during an interception.

Brenda McPhail, the director of privacy, technology and surveillance for the Canadian Civil Liberties Association, welcomes the information but can’t explain the drop. McPhail says there’s a limit to how helpful numbers are without any analysis.

“We could wonder whether or not the categories they are required to report in are so narrow that they are not catching the new kinds of interception technologies and techniques that are being used,” she said.

Christopher Parsons agrees. He’s with the telecom transparency project at the Munk School of Global Affairs’ Citizen Lab.

“Wiretaps are meant to be a tool of last resort so what that may suggest is authorities are finding other ways of gaining evidence that is less intrusive on Canadians’ privacy, more generally,” Parsons told CBC News.

Read more here

#CyberFLASH: Buyer Beware . . . Lessons Learned From The Ashley Madison Hack

“Life is short. Have an affair®.” This is the (in)famous marketing slogan used by Ashley Madison, a Canadian web site founded in 2008 and operated by Avid Life Media Inc. with the explicit mission statement of helping married individuals chat, connect and ultimately have affairs with one another. The site assured users that use of its services would be “anonymous” and “100 per cent discreet,” but, unfortunately, this was not to be the case.

Between July 15 and Aug. 20, 2015, a person/group identifying itself as “The Impact Team” hacked ALM and published details, initially on the Darkweb and eventually on the open web, of approximately 36 million user accounts. Leaked data included profile information (user names, addresses, passwords, phone numbers, the types of experiences they were looking for on the site, gender, height, weight, ethnicity, body type); account information used to facilitate access to the Ashley Madison service (e-mail addresses, security questions, hashed passwords); and billing information (billing addresses and the last four digits of credit card numbers); in addition to ALM internal documents and the CEO’s private e-mail messages. User information was quickly disseminated through several public web sites. Despite the best efforts of ALM’s counsel to quickly shut down the spread of data using DMCA copyright notices after the material appeared on Twitter and other social media sites, the breached information continued to be publicly searchable.

The fallout was swift. Reports of suicides in Canada and the U.S., myriad job resignations and marital breakups surfaced, arising from the data exposure and related public shaming. In Alabama, editors at one newspaper decided to print all the names of people from the region who appeared on the Ashley Madison database. Scammers and extortionists have also targeted Ashley Madison’s users (and alleged users) on a global basis, falsely claiming they could remove a user’s information from published data or threatening to publicly shame users online unless they sent a ransom payoff in Bitcoins to the blackmailers. Malware may have also been delivered through web sites offering to scrub user information from stolen data lists.

Read more here

#CyberFLASH: National electronic intelligence agency executive calls for ‘rational debate’ on encryption

OTTAWA–Canadians are being encouraged to ask more questions about the security of their electronic devices from an unlikely source — an executive at the country’s electronic intelligence agency.

Scott Jones, the deputy director of IT security at the Communications Security Establishment, said Canadians need to start taking a greater interest in how their electronic devices protect personal information.

“We should be asking when we go and buy the stuff we have at home, OK, tell me how it’s being protected,” Jones said in an interview.

“If it’s my cellphone, does it have encryption if I lose it? Can somebody just read the data off of it or not? We need to start asking questions like that … We need to start helping each other, and helping citizens, helping businesses, helping the government when we’re buying these products they need to be secure by default.”

It may come as a bit of a surprise to hear an employee at CSE counselling Canadians to protect private information. The agency, which has largely operated in secret since its creation at the end of the Second World War, was thrust into the spotlight after U.S. whistleblower Edward Snowden’s disclosures.

CSE is part of the Five Eyes security alliance, which includes spy agencies in the United States, the United Kingdom, Australia and New Zealand. Snowden’s disclosures revealed the mass surveillance programs used by those countries, including programs that scooped up their own citizens’ data.

Jones’ comments also come as law enforcement agencies in the U.S. and Canada are forcefully arguing for the need to limit encryption — calling for so-called “back doors” that would let authorities decode citizens’ data.

Read more here

© 2013 CyberTRAX Canada - All Rights Reserved.
Sponsored by C3SA Corp.