News Alerts and Breach Report for Week of November 1, 2022
Global Regulators Come to Agreement on Facial Recognition
More than 120 data privacy regulators met in Istanbul last week for the 44th Global Privacy Assembly (GPA). Biometric Update notes that the regulators came to an agreement on the use of facial recognition, and that the technology, “should be deployed only on a clear legal basis…with the deploying organization establishing its reasonableness, necessity and proportionality.” The regulators also agreed that human rights assessments should be used to assess each use case of facial recognition, and that transparency and accountability are key. In other words, nothing too shocking. But the agreement follows a report from the Canadian Parliament’s Standing Committee on Access to Information, Privacy and Ethics (ETHI), which calls for “a moratorium on the use of facial recognition by police and the private sector unless they are approved by the Privacy Commissioner.” Canada’s Privacy Commissioner, who was present at the assembly in Istanbul, has vowed to work with law enforcement to ensure the agreement’s principles are implemented, and “says he hopes Parliament will follow up its update of Bill-C27, which deals with the private sector, by updating the Privacy Act which covers the public sector.”
FTC Sets Sights on Ed Tech Industry
The edtech firm Chegg has been accused by the FTC of being careless with data security, and exposing the personal info of 40 million users, including details about some students’ sexual orientation disabilities, parents’ income, and religion. The complaint stems from a breach by a former Chegg contractor who was given root access to the company’s servers. Issuing too many root access credentials, which grant access to its entire system, has been a standard practice for Chegg since at least 2017. The former Chegg contractor in question was able to access and steal the data of Chegg users in 2018 and list it for sale online. An analysis by the New York Times notes that the FTC charges are a warning for the ed tech industry, which have capitalized on the pandemic to sell digital learning solutions: “The federal complaint against Chegg represents the first case under the agency’s new campaign focused specifically on policing the ed-tech industry and protecting student privacy…Many online education services record, store and analyze a trove of data on students’ every keystroke, swipe and click — information that can include sensitive details on children’s learning challenges or precise locations. Privacy and security experts have warned that such escalating surveillance may benefit companies more than students.”
A New Form of Cryptography Could Enhance Privacy
A new database is helping catch serial predators while preserving the privacy of both victim and predator. Callisto allows sexual assault survivors to register the identifying details of their assailants. “These details are encrypted, meaning that the identities of the survivor and the perpetrator are anonymous. If you hacked into the database, there is no way to identify either party,” the Guardian reports. If the same assailant is named by two people, the website sends the name of the survivors to two seperate lawyers who will contact those people individually to let them know of a match and offer legal assistance.
CIPL Publishes White Paper on Children’s Privacy, New York to Pass Law
The Centre for Information Policy Leadership at law firm Hunton Andrews Kurth published a white paper last week that explores key issues related to protecting children’s privacy. The paper, which is titled Protecting Children’s Data Privacy, Policy Paper I, International Issues and Compliance Challenges, explores how to protect children’s privacy while empowering them to access the educational and developmental opportunities of the internet. Issues analyzed include the wide disparity in jurisdictional requirements for obtaining consent for the collection and processing of children’s data, how to verify an internet user’s age, how to provide transparency, and how to apply a risk-based approach to protecting data.
Breach Report
* * * * * * *
To read our article on the updates to the EU-US data privacy agreement, click here.
To browse through our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.
Jody Westby hosts our podcast, ADCG on Privacy & Cybersecurity, bringing together leaders in the privacy and cybersecurity arenas to discuss a wide range of issues ranging from the proposed federal and state regulations to best practices and standards for compliance. Episodes can be enjoyed on many platforms including Spotify and Apple Podcasts. Don’t forget to subscribe!
Our most recently released episodes:
79 | Understanding 5G Cybersecurity Issues (with guest Carlos Solari)
78 | The Nexus Between Privacy, Cybersecurity & National Security (with guest, Corey Simpson)
77 | Privacy & Cybersecurity Whistleblowers: A New Trend? (with guest, Andrew Grosso)