Category: Surveillance & Privacy

The wave of U.S. comprehensive state privacy legislation that few ever thought would materialize in a calendar year has revealed itself. Comprehensive bills in Montana and Tennessee cleared their respective state legislatures 21 April — the first same-day passage for two state privacy bills — to join Indiana and Iowa among states to reach the finish line this year.

Both bills, which now await enactment pending governor’s signature, carry likeness to existing state privacy laws with some originality.

Montana Senate Bill 384 aligns exclusively with the Connecticut Data Privacy Act after surprise amendments during the cross-chamber process. Tennessee’s bill brings the most unique provisions, including enforcement that hinges on adoption of the U.S. National Institute of Standards and Technology’s Privacy Framework.

The U.S. allegedly eavesdropped on private conversations between United Nations Secretary General António Guterres and other U.N. officials, according to documents obtained by the Washington Post. The classified documents highlight conversations that Guterres had with top U.N. officials and world leaders, including one about how he was angry that he was not allowed to visit the Tigray region of Ethiopia,…

Defendants Are New York City Residents Who Allegedly Operated the Police Station in Lower Manhattan and Destroyed Evidence When Confronted by the FBI A complaint was unsealed today in federal court in Brooklyn, New York, charging two defendants in connection with opening and operating an illegal overseas police station, located in lower Manhattan, New York, for a provincial branch of…

Various treaties and multi-national proposals to combat cybercrime have been around for years. I’m not exaggerating. These have been floating around for more than a decade. (Do you want to feel old? This cybercrime treaty proposal would be old enough to legally obtain a social media account in the United States if it were still viable.)

The UN has been pushing its own version. But its idea of “crime” seems off-base, especially when it’s dealing with a conglomerate of countries with varying free speech protections. The “Cybercrime Treaty” proposed by the UN focuses on things many would consider ugly, distasteful, abhorrent, or even enraging. But it’s not things most people consider to be the sort of “crimes” a unified world front should be addressing — not when there’s plenty of financially or personally damaging cybercrime being performed on the regular.

One of the most notorious privacy-breaching tech companies in operation, Clearview AI, has, according to its CEO, scraped 30 billion social media photos, packaged and curated them, and passed them along to the surveillance state authorities to do with what they will (in the dark, with no oversight, naturally, as the Founders warned such authorities would if left unchecked). Clearview’s…

When Member of Parliament Kenny Chiu was contacted by the Canadian Security Intelligence Service (CSIS) ahead of Canada’s federal election in 2021, he was puzzled. He had never expected to be part of a CSIS investigation, let alone one that required an in-person talk at the height of Canada’s COVID-19 pandemic. “At that time, everything had moved online, so it was…

In a preliminary victory in the continuing fight against privacy-invasive software that “watches” students taking tests remotely, a French administrative court outside Paris suspended a university’s use of the e-proctoring platform TestWe, which monitors students through facial recognition and algorithmic analysis.

TestWe software, much like Proctorio, Examsoft, and other proctoring apps we’ve called out for intrusive monitoring of exam takers, constantly tracks students’ eye movements and their surroundings using video and sound analysis. The court in Montreuil, France, ruled that such “permanent surveillance of bodies and sounds” is unreasonable and excessive for the purpose preventing cheating.

There’s growing evidence that passing a comprehensive privacy law at the state level is a multiyear endeavor. There are anomalies among existing laws on the books, but most legislatures take two years or more to pass a bill.

Indiana is the latest example of how the process plays out, as it’s on the verge of adding to the pile of comprehensive state privacy laws. The Indiana House took a unanimous 98-0 vote to grant final passage to Senate Bill 5 on consumer data protection a year after the bill stalled in the same chamber.

The Indiana Senate, which already voted 49-0 to approve SB 5 on 9 Feb., will vote on concurrence, a perceived formality before the bill heads to Gov. Eric Holcomb, R-Ind., for a final signature. Holcomb has seven days upon transmission to act on the bill, with a definitive veto the only way it will not become a law.

Western media seems to be actively trying to create an “information tsunami” about the topic, according to Pushilin, who suggested it could mean the leaks may have been deliberate.

“Who knows, this could be the preparation of the global community for a possible reduction in support for Ukraine on the eve of the highly publicized counteroffensive by the Ukrainian Armed Forces,” Pushilin wrote. He also said, however, that regardless of the content of the leaked documents or the true intentions of the West, Russia’s task is to continue working and not respond to provocations.

A California-based owner of a Tesla vehicle has sued the electric carmaker in a prospective class action lawsuit accusing it of violating the privacy of customers. The lawsuit was filed in the United States District Court for the Northern District of California on Friday. It came after reports on Thursday that groups of Tesla employees privately shared via an internal…

According to nine former workers who talked to the agency, groups of employees shared private footage of customers in Tesla’s internal one-on-one chats between 2019 and 2022. One of the clips in question captured a man approaching his electric car while he was completely naked, one of the sources said.

New rules and obligations under the California Consumer Privacy Act have reached the finish line. The California Privacy Protection Agency announced its first California Privacy Rights Act rulemaking package was approved by the California Office of Administrative Law following a review.
The finalized rules contain no substantive changes to the final draft submitted by the CPPA to the OAL in February. The first rulemaking package addresses regulations concerning data processing agreements, consumer opt-out mechanisms, mandatory recognition of opt-out preference signals, dark patterns and consumer request handling.
“I’m incredibly impressed with the team and thankful for the Board’s thoughtful guidance,” CPPA Executive Director Ashkan Soltani said in a statement. “With the regulations in place, we can now redouble our efforts to promote public awareness of consumers’ rights and businesses’ responsibilities under the law to better ensure that these privacy rights are secured.”
In its press release, the agency indicated the regulations “provide clarity and specificity to implement” changes to the CCPA regulations necessitated by the CPRA. It added the final rules “place the consumer in a position where they can knowingly and freely negotiate with a business over the business’s use of the consumer’s personal information.”
More CPPA insights into the final regulations will come to light at the IAPP Global Privacy Summit 2023 in Washington, D.C., 5 April, as Soltani joins California Supervising Deputy Attorney General Stacey Schesser, CIPP/US, for a discussion on CCPA enforcement.
The finalization is a culmination of a rulemaking process the CPPA commenced 8 July 2022, after originally scheduling its completion for 1 July 2022. The agency formally announced an extended delay to its process 23 Feb. 2022, citing insufficient staff and resources would slow its work.
The CPPA Board had its first-ever meeting 14 June 2021, while Soltani was appointed executive director 4 Oct. 2021. The agency added relevant personnel on a rolling basis — and lost a board member — while executing its rulemaking procedure.
“This is a major accomplishment, and a significant step forward for Californians’ consumer privacy. I’m deeply grateful to the Agency Board and staff for their tireless work on the regulations, and to the public for their robust engagement in the rulemaking process,” CPPA Board Chair Jennifer Urban said in a statement.
Industry stakeholders criticized the agency’s drawn-out rulemaking procedure despite the short-staffing acknowledgements. Concerns stemmed from the lack of time for companies to sufficiently implement final regulations ahead of CPRA enforcement becoming effective 1 July.
The agency partially addressed the enforcement concerns with a rule allowing the CPPA to “consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements.”
Upon submission of the first rulemaking package to the OAL, the CPPA announced preliminary activities on its next rulemaking package. The second set of CPRA rules will address cybersecurity audits, risk assessments and automated decision-making.

Israel launch a new spy satellite on Wednesday, the first the country has sent to space in nearly three years as it seeks to enhance its defense capabilities and prepare for a possible escalation with Iran.

An Israeli Shavit rocket delivered the Ofek-13 satellite to space, blasting off from the Palmachim Airbase on the Mediterranean coast at 7:10 p.m. ET, according to the Israeli Ministry of Defense. The ministry confirmed that the satellite entered its designated orbit and began transmitting data after completing an initial series of inspections. Ofek-13 still has to undergo a few more inspections before beginning its full operations “in the near future,” the defense ministry wrote.

Israel’s Ofek-13 satellite is the latest to join a series of reconnaissance satellites, the first of which launched in 1988. Its latest predecessor was the Ofek-16, which launched in July 2020. Israel’s defense ministry is claiming that Ofek-13 has the most advanced capabilities of the entire series with “unique radar observation capabilities, and will enable intelligence collection in any weather and conditions of visibility thus enhancing strategic intelligence,” Boaz Levy, CEO of state-owned Israel Aerospace Industries, said in the ministry statement.

The U.S. state of Iowa is no stranger to privacy bills. Since its first attempt in 2020, the state’s legislature has repeatedly proposed and considered comprehensive consumer data privacy legislation. But 2023 is the year privacy took root in Iowa. On 28 March 28, Iowa became the sixth state to pass a comprehensive privacy law, joining Connecticut, Utah, Virginia, Colorado and California. The law will go into effect on 1 Jan. 2025, giving organizations 21 months to comply with the new requirements from this state with over 3 million residents. Though the new law includes many familiar elements from other state laws, organizations should note a handful of differences as they expand their U.S. compliance efforts. 

A new lawsuit accuses Mark Zuckerberg and other Meta Platforms Inc executives and directors of failing to do enough to stop sex trafficking and child sexual exploitation on Facebook and Instagram. The complaint made public late Monday by several pension and investment funds that own Meta stock said Meta’s leadership and board have failed to protect the company’s and shareholders’ interests by turning a blind eye to “systemic evidence” of criminal activity.

Given the board’s failure to explain how it tries to root out the problem, “the only logical inference is that the board has consciously decided to permit Meta’s platforms to promote and facilitate sex/human trafficking,” the complaint said. Meta rejected the basis for the lawsuit, which was filed in Delaware Chancery Court.

Meta, based in Menlo Park, California, has long faced accusations that its platforms are a haven for sexual misconduct.

German and US authorities, supported by Europol, have targeted ChipMixer, a cryptocurrency mixer used to keep crypto transactions private. The investigation was also supported by Belgium, Poland and Switzerland. On 15 March, national authorities took down the infrastructure of the platform, seizing 4 servers, and also seizing about 1909 Bitcoins in 55 transactions (approx. EUR 44.2 million) and 7 TB of data.