Litigation and regulation surrounding privacy and cybersecurity are continuously developing, both within the government and in the private sector. This digest summarizes the most notable events in privacy and cybersecurity.
Class Action Filed Against Fiat-Chrysler and Harman over Hacking Vulnerabilities
On Tuesday, August 8, plaintiffs in the Southern District of Illinois filed a class action lawsuit against Fiat-Chrysler and Harman International Industries, the maker of the Uconnect dashboard, alleging hacking vulnerabilities. This suit comes on the heels of a voluntary recall of 1.4 million Chrysler vehicles in July.
FDA Warns that Drug-Administering Pump Can Be Hacked
Last Friday, July 31, 2015, the U.S. Food and Drug Administration (FDA) warned that the Hospira Symbiq infusion pump, which administers drugs, may be at risk of getting hacked through hospital networks. According to FDA, vulnerabilities “could allow an unauthorized user to control the device and change the dosage the pump delivers.” This warning follows similar warnings that FDA made about other Hospira pumps in May of this year.
DefCon Hacking Conference – Researchers Warn of Vulnerabilities in Medical Devices and Keyless Entry
During DefCon, the world’s largest computer hacking conference, researchers Mark Collao and Scott Erven warned that internet-connected medical devices are particularly vulnerable to hackers. According to Collao and Erven, unencrypted medical information often travels from these devices across the web, making it easily susceptible to snooping. Similarly, Samy Kamkar warned that his $32.00 radio device, called RollJam, is able to intercept information from keyless entry systems, allowing the user to use the device as a fob to access cars, trucks, garages, and other places that use keyless entry systems.
GAO Issues Memorandum on Pending Cybersecurity Legislation
On Sunday, August 2, the Government Accountability Office (GAO) issued a memorandum to the ABA Cybersecurity Legal Task Force on three pending cybersecurity bills: the Protecting Cyber Networks Act (PCNA), H.R. 1560; the National Protection Advancement Act of 2015 (NCPAA), H.R. 1731; and the Cyber Security Information Act of 2015 (CISA), S. 754 (Senate counterpart to NCPAA). Each piece of proposed legislation provides for voluntary sharing of information between the federal government and nonfederal entities. Each also codifies the current Federal Trade Commission and Department of Justice policy that sharing cybersecurity information itself does not violate federal antitrust laws. The GAO memorandum summarizes the major provisions of each bill, compares the bills, and details arguments in support of and in opposition to passing each piece of legislation.
Groups Urge FCC to Stop Requiring Companies to Store User Data for 18 Months
On Tuesday, August 4, a coalition of technology and cybersecurity groups led by the Electronic Privacy Information Center (EPIC) called for a revision of a Federal Communications Commission (FCC) policy that requires data storage for billing purposes. Under the current regime, companies must keep “name, address, telephone number of the caller, telephone number called, date, time, and length of call” for billing reasons for a year and a half. This policy, according to the advocacy groups, exposes consumers to data breaches, stifles innovation, and reduces competition.
9th Circuit Does Not Revive Netflix Privacy Class Action
On Friday, July 31, the Ninth Circuit affirmed that Netflix, Inc. did not violate the Video Privacy Protection Act (VPPA) by not requiring a user to input a username and password each time the Netflix streaming service appeared on a television. Subscribers only have to input the username and password once to link a television to the streaming service; after this, the dashboard, which includes a user’s queue, viewing history, and recommendations, appears on the television automatically. Plaintiffs argued that this violated the VPPA because third parties that used the television could access the subscriber’s information. The Ninth Circuit disagreed. It held that the disclosures on the television were equivalent to the subscriber’s own access because of the subscriber’s decision to link the devices.
Sunglasses Disrupt Facial Recognition Software
Japanese researchers have developed sunglasses that they claim can disrupt facial recognition software. According to developers, the so-called “Privacy Visor” prevents smartphones and similar devices from focusing on and identifying faces.