Monday, March 29, 2004

Article: Outsourced UCSF notes highlight privacy risk / How one offshore worker sent tremor through medical system

The heated debate over outsourcing in the United States has included some serious dicussion of privacy issues related to the practice of sending personal information overseas. The San Francisco Chronicle has published a series of articles on outsourcing, which includes one that focuses on this issue in particular.

SPECIAL REPORT / Looking Offshore / Outsourced UCSF notes highlight privacy risk / How one offshore worker sent tremor through medical system: "American jobs have been moving offshore for years, primarily manufacturing work seeking out lower-paid workers abroad. The outsourcing of people's personal information, though, is a relatively new phenomenon -- opening the door to identity theft, fraud and other criminal activities.

'We've reached the point where American companies ship personal information outside the country and tell customers to check their privacy at the shore,' said Rep. Edward Markey, D-Mass., one of the leading privacy advocates on Capitol Hill.

Lubna Baloch's run-in with UCSF demonstrates that the safety of outsourced information can never be guaranteed -- no matter how stringent the safeguards -- and offers the most glaring example to date of how a disgruntled overseas worker can violate the privacy rights of U.S. citizens. "

Concerns related to the confidentiality of personal information in outsourcing are, in my view, likely to be among the most compelling arguments in this debate. Most other concerns relate to job losses, but this issue is one of the only ones that speaks to the protection of consumers. Legislators in the US should consider the alternative of "nearshore" outsourcing to Canada, which has been a growth industry for the Atlantic Provinces in Canada. (See, for example, Keane's great growth in Nova Scotia and EDS's expansion in Nova Scotia.) Companies can take advantage of much lower costs, highly-skilled employees and enforceable privacy laws that are actually stronger than those in the United States.

Article: It's a matter of regaining trust in technology

Australia's The Age publication has a very interesting article on trust and customer relationships. Many businesses have sadly let their customers down and have destroyed the trust that is essential to taking advantage of advanced customer relationship management.

It's a matter of regaining trust in technology - Next -
"It is not only a problem for the paranoid, because according to Longstaff, 'There has been a precipitous decline in trust in everything because of the public perception of the gap between what someone says and what they do. In terms of technology the gap between what technology promises and what is delivered has been apparent. And the gap between a promise and delivery always gives rise to a decline in trust.'

CRM technology has battled one of the biggest such gaps - because the slick marketing promises of vendors were not easily or cheaply delivered, and only now, several years after the first expensive systems went in, are CRM systems delivering on those promises. Julian Beavis, a vice-president of Teradata, which sells data warehousing and CRM tools, acknowledges that, 'The industry is renowned for grossly simplifying what it takes to do this'.

'It has gone some way to regaining its credibility, and people like the National (Australia Bank, which won an award for its database system in 2003) are making it work.

'The fundamental thing to make CRM work is trust, and that has been squandered, and now we have to get it back,' Beavis says. Getting it back, he believes, will require consumers to experience an alluring level of service underpinned by CRM, which will entice them and eventually rebuild their trust."

Sunday, March 28, 2004

White Paper: Privacy and the tourism industry

A couple of weeks ago, I spoke at the Tourism Industry Association of PEI on the impact of PIPEDA on their sector. As a hand-out, I wrote a brief article entitled Privacy and the Tourism Industry. National Privacy Services Inc. has designed a privacy compliance program for the tourism sector, which is, I believe, the first of its kind. It includes:

  • Privacy manual;
  • Multi-media training CD for privacy officers and staff;
  • Complete consent strategy;
  • Model privacy policies; and
  • Model contractor agreeements.

The second-part, which is optional, is also a first of its kind for the industry. For a low monthly fee, NPSi can act as a company's privacy officer. This allows smaller businesses to take advantage of professional privacy support that they would never be able to afford in-house. More information is available at

Thursday, March 25, 2004

Incident: Net firm admits leak of data about 1.4 M clients

The Japan Times is reporting about an incident that occurred last year that probably compromised the personal information of approximately 1,400,000 clients:

The Japan Times Online:

"Net firm admits '03 data leak may affect 1.4 million clients

ACCA Networks Co., a high-speed Internet-access wholesaler, confirmed Thursday that information on some of its customers has been leaked, adding that the leak, which apparently occurred about a year ago, may involve data on about 1.4 million people.

ACCA President Yoshio Sakata said the company acknowledges that personal data on at least 201 customers have been leaked to a third party. He did not rule out the possibility that data on all of ACCA's 1.1 million customers have been leaked, as well as data on some 300,000 people who once were subscribers to the company's services."

Article: Don't 'creep out' your customers

This American article talks about the need to be sensitive to customers when you are dealing with their personal information. The example given probaly woudn't fly in Canada under PIPEDA, but the general theme of the article makes sense: | Don't 'creep out' your customers:

"BALTIMORE -- When it comes to customer privacy, marketers have to do more than just obey the law, says Gartner analyst Adam Sarner. They have to avoid the 'creepiness factor.'

Speaking Monday at the Gartner CRM Summit, Sarner described how he was once contacted by a mortgage company that seemed to be almost flaunting the information it had gathered about him.

'[The letter] said: 'Dear Mr. Sarner, we have used your publicly available records and understand that you pay X amount for your house at X percent,'' Sarner said. 'Creepy, right? 'We were digging around in your data, and this is all the stuff that we know about you.' It kind of creeps you out. ... You have to understand that [people] are a little touchy about this.'"

Tuesday, March 23, 2004

Release: Privacy Law Spurs Jump in Shredding Business

This should come as no surprise:

Privacy Law Spurs Jump in Shredding Business:
"Proshred Sees Accelerated Expansion of Its Door-to-Door Shredding Services As Personal Information Protection and Electronic Documents Act Takes Full Effect

TORONTO, March 23 /CNW/ - With the Personal Information Protection and Electronics Act now in full effect in Canada after a three-year phased-in program, Canadian businesses are increasingly turning to shredding services for assistance in complying with the law's prohibition against disclosing personal information collected during the normal course of commercial activities.

Proshred Security International Inc., Canada's largest mobile shredding service with offices in 350 cities across the country, has seen surging interest in the use of its door-to-door document destruction services by companies and organizations wishing to avoid potential liability under the privacy law.

The company's client roster has expanded by 15 percent in the last six months, with a majority of new customers citing the law as a key reason for coming on board. Inquiries have continued to flow in since January 1 as businesses that had delayed changing their document retention and destruction procedures are scrambling to protect themselves.

'We had a number of proposals with large companies that didn't go anywhere for months or even years because there appeared to be no pressing need for a shredding service,' said Ron Campbell, Proshred President and CEO. 'Now we're seeing those proposals being funded because of this privacy legislation.'

Privacy without tears: In addition to helping uphold the law's ban on unauthorized personal information disclosure by ensuring that information is destroyed before it can be used for illicit purposes, shredding can minimize the burden created by the provision of the law that requires companies to supply all information they have on a specific individual upon request."

Monday, March 22, 2004

Article: More on the Equifax breach

Today's Globe and Mail has another article on the Equifax credit report breach, which was widely publicised last week:

The Globe and Mail: Credit breach too easy, consumer group says -- Critics argue Equifax case underscores how simple it is to abuse confidential files:

"VANCOUVER -- A security breach that allowed criminals to gain access to 1,400 confidential credit files at Equifax Canada was a crime waiting to happen, the president of Consumer Federation Canada says.

'This could have been prevented,' said Dan Barnabic, whose non-profit consumer advocacy group is lobbying the government to tighten regulations covering credit-reporting agencies. Mr. Barnabic said that to access the credit reports at a credit-reporting agency such as Equifax, all a criminal needs to do is set up a front operation."

Friday, March 19, 2004

Article: The Hindu Business Line : They still get in!

From India, an article on spam that misunderstands what PIPEDA is supposed to do about spam.

The Hindu Business Line : They still get in!: "In Canada, the PIPEDA (Personal Information Protection and Electronic Documents) Act has been enacted to have a check on and control spamming. Likewise, anyone in Utah receiving banned spam could sue the sender, even if the message originated from out of state. "

Incident: Equifax admits that more than a thousand credit reports have been compromised

In the last week, the Canadian media have been abuzz with news about a huge security breach on the part of Equifax that apparently allowed criminals access to credit reports on 1,400 Canadians. Credit reports are the best starting place for identity thieves, since they contain names, addresses, social insurance number, birth date, employer, banking information, etc.

Some of the coverage includes:

The Globe and Mail: "'If this was done by a couple of kids who had a friend inside at Equifax who started selling passwords, that's one thing. In that case, I'd be watching my credit cards like a hawk. But if it's linked to Eastern European criminal gangs linked to extortion, that's something else again, and I would be a lot more concerned.' Equifax confirmed on Monday that the credit reports of about 1,400 consumers, primarily in British Columbia and Alberta, 'were accessed by criminals posing as legitimate credit grantors.'"

Credit agency reports security breach - Computerworld: "MARCH 17, 2004 - TORONTO - More than 1,400 Canadians, primarily in the provinces of British Columbia and Alberta, have been notified of a major security breach at Equifax Canada Inc., a national consumer-credit reporting agency.

Equifax confirmed yesterday that it discovered the breach in late February and has notified affected consumers via registered mail asking that they contact the agency to review the contents of their respected credit files. "

Albertans on identity theft hit list: "Criminals posing as credit grantors accessed files, including bank account numbers, credit histories and home addresses. Valerie McLean, of Vancouver's Better Business Bureau, says once a criminal gains access to someone's credit file, they can essentially steal that person's identity.

'They have your date of birth. They have your full name. They have your former names. They have your occupations. They have your address. And they know what financial institutions you're doing business with and what credit cards you hold,' she said." - Personal info stolen from Equifax database- CTV News, Shows and Sports -- Canadian Television: "Though the company only announced the security breach on Monday, the RCMP has been investigating for the past month.

'The RCMP is in fact looking into this matter,' confirms RCMP Sgt. John Ward, but would say no more. It's not the first trouble for Equifax. The company was targeted by criminals two years ago, stealing 2,500 credit reports from mailboxes. Using the information, the thieves applied for new credit cards."

Monday, March 15, 2004

Letter to BC and Alberta Information and Privacy Commissioners - Privacy Commissioner of Canada

Residents of British Columbia and Alberta are caught in a state of jurisdictional overlap with respect to privacy laws. PIPEDA applies to commercial activities, except in those provinces that have enacted legislation that has been declared to be substantially similar. Both BC and Alberta have private sector privacy laws that came into effect on January 1, 2004, but none have been declared by the federal parliament to be "substantially similar". It appears that complainants can go to both the federal and provincial commissioners to complian about a provincially-regulated business.

The federal Privacy Commissioner has just released a letter to the commissioners for BC and Alberta on how to handle this overlap until the federal cabinet makes such a declaration:

The Privacy Commissioner of Canada, Jennifer Stoddart, sent the following letter to Mr. Frank Work, Information and Privacy Commissioner for Alberta, and Mr. David Loukidelis, Information and Privacy Commissioner for British Columbia, regarding the handling of complaints under PIPEDA as of January 1, 2004.

March 11, 2004

Mr. Frank Work
Information and Privacy Commissioner
Office of the Information and Privacy Commissioner
4th floor 9925,109 Street
Edmonton AB T5K 2J8

Mr. David Loukidelis
Information & Privacy Commissioner for British Columbia
Office of the Information and Privacy Commissioner
PO Box 9038, STN Prov Govt
Victoria, BC V8W 9A4

Dear Mr. Work and Mr. Loukidelis:

Handling of complaints under PIPEDA as of January 1, 2004

This letter will serve to confirm the discussions we had in Ottawa on January 21, 2004 concerning our current and future handling of complaints by our Office where the complaint is against an organization in, as the case may be, British Columbia or Alberta.

Our understanding is as follows:

  • Until the BC and Alberta Personal Information Protection Acts (PIPAs) are, respectively, declared to be substantially similar by the Governor in Council;
  1. The Office of the Privacy Commissioner of Canada (OPC) has a legal obligation to apply the Personal Information Protection and Electronic Documents Act (PIPEDA) where appropriate.
  2. OPC will take complaints against private sector organizations in BC and Alberta that are collecting, using or disclosing personal information about their customers in the course of commercial activity. This includes organizations that deal in personal health information such as physicians and dentists’ offices, private laboratories, etc.
  3. OPC will verbally inform complainants of the possibility of complaining directly to the appropriate provincial commissioner and that complaints which fall clearly in provincial rather than federal jurisdiction, after a substantially similar order, will be transferred in any event.
  4. If the complainant wishes nevertheless to proceed federally, OPC will open a complaint file but will inform all parties to the complaint that there will be a transfer of the complaint and all information on the file to the appropriate provincial commissioner if and when a substantially similar order is made.
  • OPC will continue, after any substantially similar order is made, to take complaints concerning federal works, undertakings and businesses (FWUBs), including complaints about employee personal information and information about job applicants to FWUBs.
  • Complaints involving inter-provincial issues will be handled by OPC in accordance with the following principles.
  1. Before the making of a substantially similar order, the complaints will be handled as per (2) above in all cases unless the complaint is substantially about the crossing of inter-provincial boundaries or the issue otherwise falls under OPC’s jurisdiction.
  2. After the making of a substantially similar order, complaints will be handled as per arrangements which we will continue to develop between OPC and your respective offices.
  • Our offices are also currently discussing the following issues:
  1. arrangements to share the contents of complaints files where circumstances warrant and consistent with our respective legal authorities and obligations;
  2. harmonization of statistical reporting and language for such reporting where possible;
  3. development of joint statements, questions and answers, and jurisdictional tools where possible.

The arrangements set out above reflect current practices in our respective offices, but may change over time. In light of that, we have each agreed to name individuals in our respective offices to engage in day-to-day discussions on issues as they arise. We also agree to keep the channels of communication open at the most senior levels and will attempt to meet as frequently as required and possible.

We are pleased that we have been able to reach these understandings and look forward to continuing to work with you to effectively protect the privacy rights of individuals.

Yours sincerely,

Jennifer Stoddart
Privacy Commissioner of Canada

c.c. Provincial Commissioners

Sunday, March 14, 2004

Privacy and the Tourism Sector

Last week, in conjunction with National Privacy Services Inc., I was invited to give a presentation to the Tourism Industry Association of PEI (TIAPEI) on the impact of PIPEDA on the tourism sector. I think TIAPEI will be putting all our materials up on their website, but in the meantime, I've posted one of my articles on my website:

Privacy and the Tourism Sector: [PDF]
" Since January 1, 2004, every organization in Atlantic Canada that collects, uses or discloses personal information in the course of commercial activities has been subject to a new and far-reaching federal privacy law. This includes businesses that operate in the tourism and hospitality sectors. Because the law reaches into the relationship between tourism operators and their customers, it potentially has a profound effect on the organization's ability to attract and retain those customers. "

Saturday, March 13, 2004

Article: Businesses Need Trained Privacy Cops

The International Association of Privacy Professionals has apparently announced that they will begin a certification program for privacy professionals. (See their press release here.) This seems like a very good idea, though it will ultimately be very American focused.

InformationWeek > Privacy > Businesses Need Trained Privacy Cops > March 10, 2004:

"Among the companies represented on the certification program's advisory board are HP, Microsoft, Nationwide Insurance, Nordstrom, Procter & Gamble, and Wal-Mart. Specifics of the certification program are yet to be divulged, but Hughes says the curriculum will be distributed in books, by training partners, and during privacy association conference sessions, with plans for eventual Web-based training. Testing will occur initially at the association's conferences."

I have heard of a Winnipeg lawyer who has started a company called Chartered Privacy Officers, Inc. and is looking to do some sort of privacy officer accreditation. He has filed trademark applications in Canada for the terms "Registered Privacy Officer", "Chartered Privacy Officer", "Licensed Privacy Officer", and "Certified Privacy Officer". I don't think he's associated with any group of privacy professionals, or at least that isn't apparent from his website.

For some time, we have recognized that there is a real lack of training available for privacy officers. Usually, the first question after telling clients that they must appoint a privacy officer is "where can we get training for that?" The answer used to be "nowhere." Conferences and the like are all over the place, but I didn't think the curriculum was comprehensive and didn't actually provide real tools. Being resourceful maritimers, we built our own two-day training program. We first offered in Halifax in October, 2003 and it was incredibly well received. One of the attendees of our first session (employed in the health-care field) mentioned that she had just come from a two day conference on health privacy in Toronto and she found our program head and shoulders above the Toronto program. Ours was "actually useful". We just held another session in Halifax last week and the feedback was equally positive. One attendee said it was the "best continuing professional development program" she'd attended. We are doing it again starting on Monday in Saint John.

Wednesday, March 10, 2004

Op-Ed: Privacy in Retreat

Today's New York Times (registration required) has a good privacy op-ed by William Safire. The focus is intrusion by government and it bears a close read, particularly the examples of how vulnerable medical records may be to mandatory disclosure in litigation. (Under PIPEDA in Canada, medical records and other personal information can be disclosed without consent in the face of a subpoena or other court process. This one of the big issues in the recent music sharing litigation in Canada: see my blog entry on the topic.)

March 10, 2004
Privacy in Retreat

WASHINGTON — "I believe privacy is a fundamental right," said the candidate George W. Bush one month before his election, "and that every American should have absolute control over his or her personal information."

Those of us agitating against snoopery — facilitated by databanks and newly invasive surveillance — were further assured when we elicited Bush's on-the-record promise to "guarantee the privacy of medical and sensitive financial records."

But after 9/11, the passion went out of advocacy of privacy. The right to be let alone had to be balanced against the right to stay alive.


Terror's threat is real. But as we grudgingly grant government more leeway to guard our lives, we must demand that our protectors be especially careful to safeguard our rights. Officials all too often fail to see both sides of their jobs.

As reported last week by Robert Pear and Eric Lichtblau in The Times, the Justice Department said that medical patients "no longer possess a reasonable expectation that their histories will remain completely confidential."

This abhorrent philosophy underlies a counterattack launched by Justice at doctors who went to court to challenge the federal Partial Birth Abortion Ban Act. Most Americans, including many who are pro-choice, favor that legislation. I think the doctors are mistaken in their constitutional objection. But in defending the law, Attorney General John Ashcroft went overboard.

Justice issued subpoenas to hospitals in several cities across the nation for the medical records of hundreds of women who had undergone abortions. After hospitals protested that the order flew in the face of federal and state privacy laws, Justice offered to allow the individual names to be blotted out. In Chicago, Northwestern Memorial argued in court that patients would not trust such redaction of their records — copies of which would pass through hundreds of hands — to keep private such an intimate procedure.

The judge quashed the subpoena, but Justice is appealing. "Congress created a zone of privacy relating to medical information," says Chicago Congressman Rahm Emanuel. "Who would have thought the first one to violate it would be the federal government?" Medical records contain dates of treatment, doctors' names, prescriptions — all clues to identity. Who would not be deterred from going to a hospital that meekly passed along those records?

This intrusion cannot be justified by a claim to protect the nation from a terror attack. In Pittsburgh, however, the F.B.I. has set up a pilot Strategic Medical Intelligence unit under that very rubric. Doctors in Pennsylvania and West Virginia are expected to notify S.M.I. bioterror experts of any "suspicious event," from an unusual rash to a finger lost in an explosion, identifying but not informing the patient.

It's proper for a doctor to report a case of spousal or child abuse to the police, or to query the Centers for Disease Control about a mysterious infection. But how do patients feel about their doctors first secretly calling the F.B.I.? Where is the oversight to protect the innocent injured or ill? Where is the patient's informed consent?

A balance must be struck between protecting all of us and protecting each one of us. I don't trust Justice or the C.I.A. to strike that balance. I have more faith in the courts and Congress, and — if he would remember his stand on personal freedom — in George W. Bush.

Tuesday, March 09, 2004

Article: Privacy rules turn shredders on: Document destruction firms see business booming in age of Enron, identity theft

Today's Globe and Mail has an article on the increased used of document destruction in response to identity theft and privacy laws:

Privacy rules turn shredders on: Document destruction firms see business booming in age of Enron, identity theft

For Terry Farrell, contact with his paper shredder has escalated from a casual fling to a torrid relationship.

Every day, the Toronto financial planner's GBC Shred Master hums to life, slicing and dicing sensitive statements and client correspondence.

"I don't keep every statement that I have. Sometimes with transactions I have too many copies and so I shred what I need to. For me, its strictly security and compliance," said the burly 58-year old. His list of about 400 clients ranges from wealthy retirees to frugal school teachers.

That's a big change from five years ago when the machine sat idle most days in his home office.

"When I first got it, I barely used it," he said. "Now, I am absolutely inundated with paperwork. It is never-ending."

Mr. Farrell is on to something. New privacy legislation -- and a liberal dose of corporate paranoia -- has made the paper shredding trade very big business. In the age of Enron and identity theft, conscientious paper management is hot. ...

New Canadian legislation called the Personal Information Protection and Electronic Documents Act, effective Jan. 1, 2004, is driving the desire to mince and chop, industry sources say. The federal act sets ground rules for how the private sector collects, uses and discloses personal information. For shredders, the kicker is in the act's notes on retention: Businesses must "destroy, erase or render anonymous" personal data that are no longer required.

Last summer I wrote on article on PIPEDA and document destruction, which is available from the McInnes Cooper website at

Information destruction is the one place that businesses fall flat on their faces in the most public of ways. Most privacy incidents are related to not controlling the waste stream. Some time ago, I used to work in a building that also housed an investment firm. Each week, the loading dock was filled with blue bins for recycling. Available for anyone to see (if they were curious) were print-outs of all their accounts, including names of account holders, addresses, balances, recent trades and overall performance. Neeless to say, I'd take my investment business somewhere else.

The best rule of thumb is to shred all paper waste and destroy all magnetic media. Better safe than sorry.

Saturday, March 06, 2004

Upcoming Article: The Application of PIPEDA to Personal Health Information

Below is the beginning of an article that I wrote, which will appear in the March edition of Butterworth's Privacy Law Review. If you want to read the whole thing, you'll probably need to wait until it comes out at the end of the month (I'm not sure if they wanted exclusive digital rights ...).

The application of PIPEDA to Personal Health Information

David T.S. Fraser[1]

Since it was Bill C-6 and C-54 before that, one of the most contentious issues related to the Personal Information Protection and Electronic Documents Act (“PIPEDA”) has been if – and how – it applies to the practice of medicine and the handling of personal health information. The Canadian Medical Association and other similar organizations lobbied strongly against the inclusion of health information within the ambit of PIPEDA. This lobbying continued to the final hours of 2003, at which point it became clear that the federal cabinet did not support either a “carve-out” or a postponement of the law’s application to medical information.

Among medical professionals, PIPEDA is widely seen as a tool that does not effectively address the nuances that separate personal information collected in the medical context from that which is ordinarily used in the course of commerce. There was also a strong strain of opinion that physicians' ethical obligations and the CMA Health Information Privacy Code are sufficient to protect patient privacy. The medical and dental professions should be exempted, it was argued. In the end, PIPEDA did not treat health information as a special class of information and did not specifically exempt physicians or dentists from its application.[2]

Leaving the statute unamended did not clarify the application of the law to health information because a myriad of questions linger, at least in the minds of many. While there are many important issues related to PIPEDA and personal health information, this article will focus on the impact of PIPEDA on medical professionals in practice. Many medical professionals who have turned their minds to this issue are primarily concerned with whether PIPEDA applies in a particular circumstance and the impact of other laws specifically focused on personal health information.

According to Section 4 of the Act, PIPEDA applies to:

... every organization in respect of personal information that

(a) the organization collects, uses or discloses in the course of commercial activities; or ...

This raises the very important question: what part of the practice of medicine is, in fact, a commercial activity. There appears to be a consensus that a physician in private practice is engaged in commercial activities, regardless whether services are paid for by public insurance. PIPEDA thus applies in private practice. What about physicians working at a hospital? Or physicians employed by university health clinics? The lines can get very blurry.


[1] The author is the Chair of the Privacy Law Group at McInnes Cooper. He is also a part-time member of the Faculty of Law at Dalhousie University and general counsel to National Privacy Services Inc.

[2] PIPEDA did treat health information differently from ordinary personal information during the law’s first year of application in the federally-regulated private sector. Federal works, undertakings and businesses were given an additional year – until 2002 – before the law would apply to “personal health information.” See PIPEDA, s. 30(1.1) and (2.1.).

File-swapping litigation raises important privacy issues

Up until recently, Canadians have been free of the sort of litigation that the American recording industry has inflicted on "file sharers" in the U.S. As many know, the first movements toward similar litigation has recently been noticed in Canada (See the Globe & Mail's article, Canadian Recording Industry hopes to inspire fear over file swapping). Some of the more recent media attention has focussed on the attempt by CRIA to discover the identities of individuals whom they have targetted:

London Free Press: Business Section - Copyright suit raises concerns
David Canton, Freelance writer 2004-03-06 03:22:53

A legal action that could potentially affect anyone who has downloaded music on the Internet was recently initiated in Canada. The plaintiffs in this civil suit are some of the biggest music record labels, represented by the Canadian Recording Industry Association (CRIA).


CRIA intends to go after "egregious" or high-volume file-sharers that make massive quantities of music available for free.

The defendants in these proceedings are unknown for the moment. CRIA is requesting a court order that could change that. If granted, it would require Internet service providers (ISP) to produce names and addresses of the alleged perpetrators.

Electronic Frontier Canada and the Canadian Internet Policy and Public Interest Clinic have both been allowed by the court to intervene in this matter to argue the legal issues surrounding privacy, due process, and copyright law.

CRIA has tracked computers trading in copyrighted songs using their Internet protocol (IP) addresses through the use of surveillance technology. CRIA needs to match those IP addresses with subscriber information to identify the defendants.

Five ISPs have been targeted by CRIA for the disclosure of personal information that would lead to the identification of subscribers using the Web to upload music. The court ordered an adjournment until March 12 so the parties can cross-examine each other's affidavit documents to determine the technical and legal issues in dispute.

Downloading involves taking information from another computer. Uploading is transferring data from one's own computer to another. It is generally accepted that the Copyright Act allows music downloading so long as it is for personal use. Uploading is not so clear. These issues have not yet been decided in courts.


Under the Personal Information Protection and Electronic Documents Act (PIPEDA), an ISP is not permitted to disclose a subscriber's personal information without the person's knowledge and consent. One exception is a court order.

There are many issues to be considered, such as whether civil actions should be held to a higher threshold before privacy is violated than in criminal cases, and whether uploading music as done by the peer-to-peer networks is actually copyright infringement.

There is also concern about the accuracy of the information being sought. Dynamic IP addresses can be reassigned to different customers on a continual basis, making it difficult to determine which individuals upload music files.

The worry is that ISPs could be compelled to provide private information that wrongly identifies someone. One of the ISPs maintains it can not accurately match the IP addresses with alleged file-sharers.

Copyright © The London Free Press 2001,2002,2003

One concern that I have, right off the bat, is that the ISPs probably collect way too much information in the first place and probably should put in place a rigorous retention policy that would delete their logs pretty darn quick. If they don't have the information desired by CRIA, they don't have to worry about it. It is not the job of the ISPs to collect and stockpile evidence for the recording industry (or any other organization). In fact, under PIPEDA they should probably not retain it:

Principle 5 -- Limiting Use, Disclosure, and Retention

Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.

The information being requested by CRIA is probably from routine logging of network activity and connections. I know of some providers who (despite advice to the contrary) keep these logs indefinitely for security and audit purposes. In most cases, this is not made known to the customers. I know that my ISP does not mention this sort of information collection in its Privacy Policy, even though the Openness Principle requires making this sort of collection known. My cellphone company doesn't say anything about signalling information, which I am sure is logged and can be traced to me.

According to what I've heard, the US PATRIOT Act allows the Department of Homeland Security to request information about borrowers from public libraries. The logical response from many librarians is to make sure they don't collect information that would be useful to the FBI. From the San Francisco Public Library:

The Library does not maintain a history of what a borrower has previously checked out once books and materials are returned on time.

In short, if you don't want to fight over disclosing it to anyone, don't collect it and, if you do, don't retain it!

Thursday, March 04, 2004

Article: Privacy officials fear U.S. law's reach: FBI could gain access to personal information about Canadians, government warned

The Victoria Times Colonist and the Vancouver Sun are reporting about fears that the US PATRIOT Act might require companies to hand over Canadian data to the FBI:

Privacy officials fear U.S. law's reach: FBI could gain access to personal information about Canadians, government warned

Judith Lavoie
Victoria Times Colonist

Thursday, March 04, 2004

Provincial information and privacy offices across the country are scrambling to find ways of stopping the FBI gaining access to sensitive personal information about Canadians under a controversial new American law.

"This has the potential for being the biggest privacy issue we have ever dealt with," said Mary Carlson, director of policy and compliance for the B.C. Information and Privacy Commissioner's Office.

"It is the first we had heard of the long arm of the FBI coming across the border."

At issue is the U.S. Patriot Act, brought in after the 9-11 terrorist attacks, which allows the FBI to order organizations to turn over information. A "gag provision" then prohibits the organizations from telling anyone that the data has been released.

Legal opinions given to the B.C. Government and Service Employees' Union -- which has filed a lawsuit in an effort to stop privatization of the Medical Services Plan -- say Canadian subsidiaries of U.S. companies would be subject to the Act. Any corporation that has access to documents wanted by the FBI, even if the company does not have a legal right to those documents, could be ordered to turn them over.

That would mean the FBI could demand health and social service information about all British Columbians.

Governments are increasingly outsourcing work, often to companies with U.S. connections, but no one had figured in the far-reaching powers of the Patriot Act, said Carlson.

"If this is true, our data would be exposed in ways we have never imagined before," she said.

Carlson contacted the federal information and privacy commissioner and provincial offices and found the Patriot Act was not on their radar screens.

All the offices are now looking at the potentially serious implications, Carlson said. "We are working feverishly here trying to work out what we can do."

The two companies shortlisted to take over MSP and PharmaCare administration services are both American-based. IBM is American with a wholly-owned Canadian subsidiary and Maximus is based in Virginia.

Other recent government outsourcing includes a large chunk of BC Hydro's business services, which went to a Canadian subsidiary of Accenture, a company with its head office in Bermuda and main business office in the U.S., and government debt collection which went to a Canadian subsidiary of multi-national Electronic Data Systems.

Health Services Minister Colin Hansen said previously that the American government could not pass a law that applies to data owned by B.C. and which never leaves B.C. But, under the Patriot Act, that is in doubt.

Management Services Minister Joyce Murray, whose portfolio includes information and privacy, met with Commissioner David Loukidelis Wednesday to discuss the problem.

"We are now working in collaboration with the Attorney-General's office and Health Services to seek extra professional advice," she said.

A lawyer specializing in American law and privacy of information will look at implications of the Patriot Act and the government will work actively with other provinces and the federal government on the issue, Murray said.

"Whatever the advice is, the bottom line is that we're totally committed to ensuring that the privacy of information is protected for British Columbians," she said.

Any contracts with private companies must enshrine the absolute protection of privacy and those contracts will be monitored, she said.

Murray said she can understand why no one had picked up the importance of the U.S. law, as there have been no challenges or court cases around it.

But BCGEU president George Heyman said Hansen and Premier Gordon Campbell had obviously not done their homework in the rush to privatize and contract out.

"We could figure it out and they have a whole phalanx of lawyers and staff. I would think they could figure out the risk. It's more likely that they don't care," he said.

Article: Senators: Hands Off Kids' Data

According to the great folks at Wired News, two US senators have proposed legislation to outlaw trading in marketing lists about children. This is a laudable initiative, but it also very interesting to hear about the kids of marketing lists that are presently being compiled by marketers.

Wired News: Senators: Hands Off Kids' Data
02:00 AM Mar. 04, 2004 PT

"Two lawmakers introduced a bill in the U.S. Senate Wednesday to prohibit corporations from selling the personal information of children under the age of 16 without their parents' consent.

Sens. Ron Wyden (D-Oregon) and Ted Stevens (R-Alaska) introduced the Children's Listbroker Privacy Act to limit the sale of personally identifiable information for purposes of marketing to children, as part of a larger package of legislation intended to help parents combat commercial attacks on their children.

Companies spend about $12 billion annually on marketing aimed at children, often using targeted lists from brokers who sell data not only on teens but on preschoolers as well. The lists can include a child's name, address, age, ethnicity, religious affiliation, sports activities, hobbies and family income level."

People are often surprised to hear about the detail and information in marketing lists. Marketer websites, such as that of Dunhills, are often very eye-opening. Why settle for just 6.2 Million Canadian e-mail addresses when you can get a list of incontients or the chapped of lip!