Thursday, September 18, 2014

Google's latest transparency report: Law enforcement requests up 150% over five years

Google has released its most recent iteration of its transparency report. In a posting on the Google Public Policy Blog, Richard Salgado, Legal Director, Law Enforcement and Information Security, writes that Google has seen a 15% increase in government data demands (excluding national security demands) since the second half of last year, and a 150% jump since Google's first report in 2009. Breaking out U.S. demands, the numbers have risen 19% since the second half of last year and have leaped 250% since 2009.

The numbers for Canada have actually gone in the other direction. The previous transparency report included 52 demands for info on 73 users, compared to the most recent 27 demands related to 33 user accounts.

Consistent with Google's previous positions, Salgado writes:

Governments have a legitimate and important role in fighting crime and investigating national security threats. To maintain public confidence in both government and technology, we need legislative reform that ensures surveillance powers are transparent, reasonably scoped by law, and subject to independent oversight.

Amen to that.

Sunday, September 14, 2014

Newfoundland health authority employee fined for rummaging through records

Last Thursday, a judge of the Newfoundland Provincial Court fined a former employee of Western Health $5000 for rummaging through approximately 1000 records. The accused was found to have reviewed names and billing addresses, but not more sensitive health information. See: Fine in privacy breach 'sends the right message': Ed Ring - Newfoundland & Labrador - CBC News.

Thursday, September 11, 2014

Privacy Commissioner of Canada releases results of second GPEN Privacy Sweep focused on mobile apps

The Privacy Commissioner of Canada has released the results of the second Global Privacy Sweep carried out by the Global Privacy Enforcement Network (GPEN). This sweep focused on mobile apps and the OPC scrutinized 151 of the 1211 examined globally.

The findings are summarized in a blog post, along with ten tips directed to assist developers in being more transparent about how apps collect, use and disclose personal information.

Here's the media release, too:

News Release: Global privacy sweep raises concerns about mobile apps - September 10, 2014

Clear, concise privacy language builds consumer trust and is good for business, Privacy Commissioner says after global sweep of more than 1,200 mobile apps.

OTTAWA, September 10, 2014 – As mobile apps explode in popularity, many of them are seeking access to large amounts of personal information without adequately explaining how that information is being used, participants of the second annual Global Privacy Enforcement Network (GPEN) Privacy Sweep found.

“Fortunately, there were few examples of apps collecting the sort of information that would appear to exceed their functionality—like a flashlight app seeking permission to obtain your contacts list,” says Daniel Therrien, Privacy Commissioner of Canada.

“But we did find many apps were requesting permission to access potentially sensitive information, like your location or access to your camera functions, without necessarily explaining why. This left many of our sweepers with a real sense of unease.”

The privacy sweep results offer insight into the types of permissions some of the world’s most popular mobile apps are seeking and the extent to which organizations are informing consumers about their privacy practices. A number of specific examples illustrating these trends can be found in a blog post on the Office of the Privacy Commissioner of Canada’s website. The Commissioner determined it was in the public interest to share specific results from the Sweep in order to help Canadians better understand the observations. Our Office has also prepared a 10 tips guide to help developers better communicate their privacy practices to app users.

In total, 1,211 apps were assessed, 151 of them by the Office of the Privacy Commissioner of Canada.

Participants looked at the types of permissions an app was seeking, whether those permissions exceeded what would be expected based on the app’s functionality, and most importantly, how the app explained to consumers why it wanted the personal information and what it planned to do with it.

“Both large and small app developers are embracing the potential to build user trust by providing clear, easy to read and timely explanations about what information they will collect and how they will use it,” Commissioner Therrien says.

“Others are missing that opportunity by failing to provide even the most basic privacy information.”

The Sweep, which took place May 12 to 18, 2014, involved 26 privacy enforcement authorities from around the world, up from 19 international participants during last year’s inaugural event. The growth of this year’s Sweep shows privacy enforcement authorities are more committed than ever to working together to promote privacy protection.

The GPEN initiative is aimed at encouraging organizations to comply with privacy legislation and to enhance co-operation between privacy enforcement authorities. It was not in itself an investigation, nor was it intended to conclusively identify compliance issues or legislative breaches. Concerns identified during the Sweep, however, will result in follow-up work such as outreach to organizations, deeper analysis of app privacy provisions and/or enforcement action.

Office of the Privacy Commissioner of Canada Sweep highlights:

  • 28 per cent of apps provided a clear explanation of their collection, use and disclosure of personal information policies.
  • More than a quarter of apps examined by the OPC (26%) offered either no privacy policy at all or one that left sweepers with serious concerns regarding how their information would be collected, used and disclosed.
  • Amongst the apps receiving top ratings were very popular apps in the e-marketplace, demonstrating that when properly explained to consumers, the collection of information does not negatively impact on downloads.

Global Sweep highlights:

  • Three-quarters of all apps examined requested one or more permissions, the most common of which included location, device ID, access to other accounts, camera and contacts. The proportion of apps requesting permissions and the potential sensitivity associated with the information highlight the need for apps to be more transparent.
  • For nearly one-third of the apps (31%), sweepers could not understand – after reading the app’s various privacy communications and given what they knew about the app’s function – why it needed access to certain information.
  • Some 43 per cent of apps did not tailor privacy communications to the small screen. Sweepers complained of small print and lengthy privacy policies that required scrolling or clicking through multiple pages. Best practices included using larger font, pop-ups, layered information and just-in-time notification to inform users of potential collections or uses of information when they were about to happen.

About the Office of the Privacy Commissioner of Canada

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law.

See also:

Blog post, Backgrounder, Ten Tips for Communicating Privacy Practices to Your App's Users

Wednesday, September 03, 2014

The US doesn't have a privacy law? Really? Verizon to pay $7.4 million over failure to notify consumers on privacy rights

At privacy gatherings, I often hear that Canada and the European Union have serious privacy laws, while the United States is somehow on the lawless fringe (other than sectoral laws like HIPAA). That's far from the case, as the Federal Trade Commission has taken a small portion of the Federal Trade Commission Act and 33 other statutory instruments to enforce a pretty broad privacy regime in the US. Case in point: Today's $7.4 million settlement with Verizon over the omission to include a privacy brochure with the first bills of 2 million customers. (See: Verizon to pay $7.4 million over failure to notify consumers on privacy rights | Reuters).

Tuesday, September 02, 2014

The celebrity photo leak/hack: lessons for securing devices and cloud accounts

Over the weekend, a deluge of intimate photos of celebrities appeared on the internet, first on 4Chan and then on Reddit (CBC report). Surely, they are in other places now. What is unclear at the moment is how the images were obtained in the first place. There's been speculation that the photos came from iCloud accounts that were compromised by a brute-force password attack, and even a suggestion that the WiFi at the Emmy Awards was somehow compromised. Other discussions online suggest that the photos have been traded for years among avid collectors. It will be very interesting -- from a privacy and security point of view -- to learn how it actually happened.

In the meantime, this serves as a reminder about what steps most people should take to secure their sensitive personal information on their devices and in the cloud.

Increasingly, people are carrying more and more sophisticated devices with onboard cameras that automatically sync data to remote servers. I am not at all interested in blaming the victims. Increasingly, people are taking photos of everything from the most banal moments in their lives to the most intimate. Like it or not, it's simply a fact. While celebrity images are the most sought-out, images of ordinary people have been scraped from unsecured image hosting sites with traumatic results.

Most smartphones are mostly secure out of the box, and responsible vendors patch vulnerabilities as they are discovered. However, they rely on humans, who may not be technically minded, as the first line of defence. All of these devices and services are protected by passwords. People tend to choose very weak, easily guessed passwords. That can be fixed. And people can take additional steps to protect their information.

  1. Try to learn the basics of how your device works, particularly about what is synchronised and backed up to online services; check your default settings;
  2. Secure your device with a PIN or password (How to: Android and iOS);
  3. Add encryption to your device, if possible (How to: Android);
  4. Add remote management to kill your device if it is lost (How to: Android (I also like Cerberus Anti Theft) and iOS);
  5. Use a strong password for all your accounts. The longer the better. (Read this XKCD comic. Read it, learn it, live it.)
  6. Consider a password manager like LastPass to generate complicated passwords for your accounts and to keep them safe. But protect your password vault with the most complicated and longest password you can reliably remember.
  7. Use two-factor authentication for your cloud accounts. While not particularly intuitive, two-factor authentication protects your account even if your password is compromised. This is critical. (How to: Google Accounts, Dropbox, and most other places.) Any account to which you sync your personal images and video should be protected by two-factor authentication.

With these measures in place, you're much more secure than most people. But there is no such thing as perfect security. Knowing that there are malevolent people out there looking for this kind of content and other sensitive personal information, the next question needs to be "am I satisfied that this is as secure as it needs to be in light of the nature of the information and the consequences of a 'leak'"?

UPDATE: According to TechCrunch, Apple's two-factor authentication DOES NOT PROTECT iCloud or Photostreams. This is a major shortcoming. I would recommend not using iCloud for anything personal or sensitive until Apple fixes this gaping omission.

Sunday, July 27, 2014

Ontario court to hear telcos' challenge of police request for "tower dumps" including info on 40,000+ customers

An Ontario court has agreed to hear a Charter challenge brought by Rogers and Telus in response to a police request for "tower dumps" with records on over 40,000 calls or customers. The police subsequently withdrew its request, but the judge has agreed to hear the case in any event, given the important privacy interests at stake.

The short recital of the facts is very interesting and suggests the initial production order is staggeringly broad, requiring the production of personal information about tens of thousands of people who had nothing to do with the crime being investigated:

[8] Mobile telephones check into wireless networks by connecting to antennas that are frequently mounted on towers. A record is created whenever the telephone attempts or completes a communication which could be a phone call, text message or e-mail. The record identifies the particular tower at which the phone connected to the system. Each tower serves a geographical area ranging from a 10-25 km radius in the country and 1-2 km, radius (or even less) in the city.

[9] The production orders against Rogers and Telus are in similar form. The orders require cell phone records for all phones activated, transmitting and receiving data through 21 specified Telus towers and 16 Rogers towers. The orders require the name and address of every subscriber making or attempting a communication and the particular cell tower being utilized. The orders are framed such that if both the person initiating and receiving the communication are Rogers (or Telus) subscribers, then information regarding the recipient must also be provided and the cell tower the recipient used must also be provided. The orders also require billing information which may include bank and credit card information.

[10] Telus and Rogers are both contractually obliged, subject to narrow exceptions, to keep customer personal information private and confidential.

[11] The existing order will require Telus to disclose the personal information of at least 9,000 individuals. Rogers estimates that it will be required to conduct 378 separate searches and retrieve approximately 200,000 records related to 34,000 subscribers.

[12] The existing orders do not specify how the customer information is to be safeguarded and does not restrict the purposes for which the PRP may use the information. For example the PRP is not restricted from retaining the information and using it with respect to unrelated investigations.

[13] The Telus affidavit indicates that since 2004 it has dealt with thousands of court orders requiring cell records. In 2013 alone, it responded to approximately 2,500 production orders and general warrants. To the knowledge of the Telus deponent, the order that it now challenges is the most extensive to date in terms of the number of cell tower locations, and length of time periods, for which customer information is required.

[14] The Rogers affidavit indicates that from 1985 to 2014 it has complied with many thousands of production orders. In 2013, alone it produced 13,800 “files” in response to production orders and search warrants.

The court also highlights that the privacy of millions of Canadians is implicated by the decision:

[41] With respect to the third criterion, sensitivity to the court’s proper law making function, there is effectively an ongoing dispute between the police and telecommunications providers. The fact the “tower dumps” are frequently used by police as an investigative tool is reflected in the material before me and is evident as a matter of judicial experience. The Rogers-Telus applications directly concern 40-50,000 individuals, it is safe to infer that the number of individuals affected across Canada would be in the hundreds of thousands, if not millions, every year.

See: R. v. Rogers Communications Partnership, 2014 ONSC 3853 and Telecoms’ charter case to be heard | The Chronicle Herald.

Thursday, July 10, 2014

Privacy Commissioner cautions insurers about the use of genetic testing

The Office of the Privacy Commissioner of Canada has today released a policy statement on genetic testing and the insurance industry. Essentially, the document says to tread carefully, but the subtext clearly is much more negative towards the practice.

From the media release:

News Release: Office of the Privacy Commissioner of Canada issues statement on the use of genetic test results by life and health insurance companies - July 10, 2014

OTTAWA, July 10, 2014 – The Office of the Privacy Commissioner of Canada is urging the life and health insurance industry to call on its members to refrain from asking applicants for access to existing genetic test results for the purposes of underwriting an insurance policy at this time.

“As science and technologies advance, protecting genetic privacy will become increasingly important and challenging,” says Privacy Commissioner Daniel Therrien.

“We are calling on the industry to refrain from asking for existing test results to assess insurance risk until the industry can clearly show that these tests are necessary and effective in assessing risk. This would allow people to undergo genetic testing for various purposes without fear that the results may have a negative impact if they apply for insurance.”

The step called for in the policy statement issued today would effectively expand the industry’s current voluntary moratorium on asking applicants to undergo genetic testing. The statement outlines the Office of the Privacy Commissioner’s position with respect to the application of the Personal Information Protection and Electronic Documents Act (PIPEDA) to this practice.

The statement says: “It is not clear that the collection and use of genetic test results by insurance companies is demonstrably necessary, effective, proportionate or the least intrusive means of achieving the industry’s objectives at this time.”

The statement reflects the Office of the Privacy Commissioner’s ongoing work on the privacy implications associated with genetic information.

The issue has prompted the introduction of private members’ bills at both the federal and provincial levels, and the issue was mentioned in the most recent Speech from the Throne.

The Office of the Privacy Commissioner has provided the statement to the Canadian Life and Health Insurance Association.

The Commissioners of Alberta, British Columbia and Quebec – all provinces with substantially similar private-sector legislation – support the work done by the Office of the Privacy Commissioner of Canada. Insurance companies in those provinces will need to consider provincial legislation in addressing these issues.

For more information about the two research papers that contributed to this statement and the OPC’s strategic priorities, please see:

Tuesday, July 08, 2014

Catherine Tully appointed new FOIPOP Review Officer of Nova Scotia

The Nova Scotia government has just announced the appointment of the new FOIPOP Review Officer for Nova Scotia, Catherine Tully.

Here's the media release:

New FOIPOP Review Officer Appointed

Department of Justice

July 8, 2014 1:07 PM

Catherine Tully of Ottawa has been appointed Nova Scotia's new freedom of information and protection of privacy review officer.

Ms. Tully will oversee how provincial and municipal governments, school boards, universities, community colleges and hospitals protect the privacy of Nova Scotians and respond to requests for access to information.

"This is an important oversight role," said acting Justice Minister Mark Furey. "Nova Scotians have a right to information held by government and they expect us to protect their private information. I'm very pleased we have a strong leader to fulfill this responsibility. Ms. Tully has tremendous leadership and practical experience to bring to this role."

Ms. Tully has over 10 years of senior experience with government agencies and Crown corporations dedicated to access to information and privacy law. She's been the assistant information and privacy commissioner for British Columbia and, most recently, was the director of privacy and access to information for Canada Post. Although she spent much of her work and educational career in Ontario and British Columbia, Ms. Tully completed a master's degree in international law and human rights at Dalhousie University.

"I look forward to working with public bodies and health custodians to help them find practical solutions to the tough access and privacy issues," said Ms. Tully. "For citizens, I will continue the work of ensuring that Nova Scotians have meaningful access to government information and real protection of their personal information.

"I am honoured by this appointment and look forward to my return to Nova Scotia to tackle the opportunities and challenges of review officer."

The review officer is an independent ombudsman appointed by the Governor in Council for a term of five to seven years. The review officer accepts appeals from people and organizations who are not satisfied with the response they received from provincial government departments, most provincial agencies, boards and commissions, municipal government organizations and public bodies including community colleges, hospitals, universities, and school boards.

The review officer may make recommendations to the public body. The public body must respond in writing to the report. If the applicant, or a third party, is not satisfied with the outcome of a review, an appeal may be made to the Supreme Court of Nova Scotia.

Ms. Tully will begin Sept. 8.

Monday, June 23, 2014

The New Canadian Anti-SPAM Law and Your Business

This morning, I hosted an online webinar entitled The New Canadian Anti-SPAM Law and Your Business. We did it using Google's Hangout On Air feature that allows virtually unlimited numbers of people to attend live and it creates a handy YouTube video of the entire session for future reference.

You'll see from the presentation that I'm not a big fan of the law, but it's going to be the law on July 1, 2014 and businesses need to get their ducks in a row if they haven't already.

If you're looking for specific advice about compliance, feel free to contact me at

Wednesday, June 18, 2014

Henry v Bell Mobility: Another Federal Court case shows PIPEDA damages are hardly worth pursuing absent evidence of actual harm

The Federal Court, in the recently issued decision in Henry v Bell Mobility 2014 FC 555 (not yet on CanLII or the Court's site) has awarded a very modest sum of damages to a customer of Bell Mobility whose phone account was accessed by an impostor. At the hearing before the Federal Court, Bell did not contest liability so all the Court had to consider was the appropriate measure of damages. Nevertheless, the facts are relevant: An individual was able to convince a customer service representative employed by the mobile phone company to grant her access to the complainant's account. She was provided with general account information and the last seven numbers dialed. The impostor was also allowed to make changes to the account.

The claimant alleged that he suffered a lost business opportunity as a result of the impostor then contacting an intended business associate of the claimant. However, the claimant did not offer any compelling evidence to support this business opportunity. Instead of the requested compensatory damages of $35,500.00, punitive damages of $5,000.00, general damages of $5,000.00 and legal costs of $4,000.00, the Court awarded $2,500 in general damages plus $1,000 in costs. The complainant had argued that the Court should follow Chitrakar v Bell, but the Court was not convinced.

[26] Chitrakar is distinguishable from the current case in that here Bell Mobility has taken responsibility for the breach of Mr. Henry's privacy rights; it has put in place steps to better train CSRs; it has not in any way benefited from the breach; and, has acknowledged that Mr. Henry is entitled to damages in keeping with the jurisprudence of this Court. Bell Mobility argued that damages in the range of $1,500 - $2,000 was more than adequate to compensate Mr. Henry in these circumstances.

[27] Having considered all of the evidence and the jurisprudence and given the circumstances under which the woman cajoled the Bell representative to make the changes to the account and the breadth of the information disclosed it is my view that an award of $2,500.00 is appropriate. Mr. Henry was self-represented at trial although he had counsel on record assisting him earlier in the case. In all of the circumstances, costs in the amount of $1,000.00 will cover disbursements and legal costs.

Interestingly, there is no mention of Jones v Tsige; the court only discusses PIPEDA cases.

What's the moral of this story? Absent any actual, provable harm, PIPEDA damages are hardly worth pursuing.