Oct 312015
 October 31, 2015  Posted by  Business

Agan Uzunovic writes:

WhatsApp, one of the most popular online calling apps, has been exposed by a group of researchers who identified how app’s internal protocol is storing call duration and personal information of the participants.

Though, WhatsApp has never claimed itself to be an anonymous calling service but this new research has unveiled new information on how the app’s communication systems have been powered.

Read more on HackRead.

Oct 312015
 October 31, 2015  Posted by  Business, Court, Surveillance, U.S.

Cyrus Farivar reports:

Federal prosecutors have said that they are moving forward in their attempt to compel Apple to unlock a seized iPhone 5S running iOS 7, even after the defendant in a felony drug case has now pleaded guilty.

The judge in the case, United States Magistrate Judge James Orenstein, said in a Friday court filing that he is confused.

Read more on Ars Technica.

Oct 302015
 October 30, 2015  Posted by  Breaches, Non-U.S., Online

Site A describes a court case, but the names of the plaintiff and defendant are replaced with initials to protect their privacy. But if you go to Site B and do a search for the individual’s name, the search results provide a link to the court case. Are you violating some aspect of Hong Kong’s Data Protection law by identifying them via hyperlinks that way? Spoiler alert: Yes.

Read the following press release from the Hong Kong Office of the Privacy Commissioner for Personal Data (“PCPD”) . The background on the case is embedded in the press release, so you’ll be able to understand the issue and facts.

(29 October 2015) The Office of the Privacy Commissioner for Personal Data (“PCPD”) welcomes the ruling by the Administrative Appeals Board (“AAB”) on 27 October 2015 for the dismissal of the appeal from Mr David Webb against the PCPD’s Enforcement Notice directing him to remove from his Webb-site in 2014 the three hyperlinks which effectively disclosed the Complainant’s identity in three anonymized judgments.

The AAB confirms:

  1. the PCPD’s decision that Mr Webb had contravened Data Protection Principle 3 (“DPP3” – Data Use Principle) of the Personal Data (Privacy) Ordinance (“Ordinance”) by publishing the three hyperlinks on Webb-site; and
  2. the justification for the issuance of the Enforcement Notice.

The PCPD’s Comments

Ms Fanny Wong, Acting Privacy Commissioner for Personal Data, responded, “It is not the PCPD’s stance to ask for removal of articles from the archives of newspapers and publishers. In this case, the PCPD only directed Mr Webb to remove the hyperlinks which showed the parties’ names in the three anonymized judgments on the Judiciary’s website, bearing in mind that the anonymization is made pursuant to the request of the Complainant and is consistent with Article 10 of the Hong Kong Bill of Rights. As directed by the Chief Justice, with effect from April 2011, all judgments in family and matrimonial cases at every level of courts, whether in open court or in chambers, should be anonymized before release.”

Ms Wong added, “In weighing the freedom of press and expression against the personal data privacy of the Complainant, the PCPD was of the view that the disclosure of the Complainant’s identity in the three anonymized matrimonial judgments did not serve to promote the transparency of operations of companies, governments, regulators and controlling shareholders; nor was it able to achieve the purpose of condemning public vices or protecting the minority shareholders’ interest. In the circumstances, the balance should be tipped in favour of protecting the Complainant’s personal data in the three anonymized judgments.”

As the AAB has dismissed the appeal, the Commissioner will follow up with Mr Webb on his compliance with the Enforcement Notice.

It is a misconception that publicly accessible personal data can be further used or disclosed for any purpose whatsoever without any regulation. Personal data obtained from the public domain is still subject to the protection under DPP 3 of the Ordinance.

Case Background

The Complainant and her ex-husband were parties to several matrimonial proceedings, of which three judgments were handed down by the Court of Appeal in 2000, 2001 and 2002 in open court. At the request of the Complainant, the Judiciary in 2010 and 2012 replaced the names of the Complainant and her ex-husband by alphabets in those three judgments in the Legal Reference System of the Judiciary’s website.

However, the Complainant subsequently found her name revealed on three hyperlinks on “Who’s Who” of a website named “Webb-site” established by Mr Webb. If a user entered the Complainant’s name in the “search people” box, Webb-site would bring the user to the “Who’s Who” page, and the three hyperlinks were embedded under the item “Articles”. By clicking on “Articles” and then on the hyperlinks, the user would be taken to the three anonymised judgments in the Legal Reference System of the Judiciary’s website.

According to Webb-site, its objective was “to provide independent commentary on corporate and economic governance, business, finance, investment and regulatory affairs in Hong Kong.” The Complainant was aggrieved and hence lodged a complaint with the PCPD against Mr Webb.

The PCPD decided that Mr Webb had contravened DPP 3 of the Ordinance by publishing those three hyperlinks with the Complainant’s name revealed on Webb-site, which effectively disclosed her identity in the three anonymized judgments, and served upon Mr Webb an Enforcement Notice directing him to remove those three hyperlinks from the Webb-site. The three judgments are matrimonial proceedings touching on her private life but not public duty. Mr Webb subsequently lodged an appeal against PCPD’s decision and the service of the Enforcement Notice, and the appeal was heard before the AAB on 13 July this year.

The AAB’s Decision

The AAB upheld the PCPD’s decision and the issuance of the Enforcement Notice and made the following findings:

The AAB held that DPP 3 is directed against the misuse of personal data, regardless of whether the relevant personal data has been published elsewhere or in the public domain and that Mr Webb was a data user governed by the Ordinance.

The AAB also held that on a proper construction of subsection (4) of DPP 3, “the purpose for which the data was to be used at the time of the collection of the data” referred to the purpose for which the data was originally collected. In this case, the Judiciary was the person who first collected the Complainant’s data, and its purposes in collecting the Complainant’s personal data were to enable its judgments to be utilized as “legal precedents on points of law, practice and procedure of the courts and of public interests”. The AAB was of the view that Mr Webb’s purpose of using the Complainant’s personal data (i.e. reporting and publication for general use) in Webb-site was not consistent with the Judiciary’s purposes of publishing the three judgments, and it therefore concluded that Mr Webb did use the Complainant’s personal data for a “new purpose” in contravention of DPP 3.

The AAB also took the view that the balance between freedom of expression and personal data privacy protection struck by the Commissioner was not unreasonable.

The AAB rejected Mr Webb’s argument that the common law principle of open justice would exempt him from any breach of DPP 3 under section 60B(a) of the Ordinance, as Mr Webb was not required by any principle of law to publish the personal data of the Complainant on Webb-site.

– End –

Please click here to view:
Decision of the AAB

Oct 302015
 October 30, 2015  Posted by  U.S., Youth & Schools

Louise Kennedy reports on a study by the Massachusetts ACLU:

Many Massachusetts schools are using technology to monitor students, collect personal data about them and share that data in ways that raise troubling questions about student privacy, according to a new study from the American Civil Liberties Union of Massachusetts.

The study, released Wednesday, examined 35 school districts across the state, including Boston, Springfield and various rural and suburban districts. Almost universally, the study found, students in those districts have “no expectation of privacy” when going online in school; many are similarly unprotected when using school-issued electronic devices, such as Chromebooks or iPads.

And many districts reserve the right to inspect those devices without notice or consent, the report said. Unlike searches of school lockers or student backpacks, the report said, in many cases school officials can search cellphones and other devices without even a “reasonable suspicion.”

Read more on WBUR.