Friday, December 31, 2004

Tune in next week ...

Thanks to the series of articles in Canwest newspapers on privacy and surveillance that ran between Christmas and New Year's, I've been asked to be on a couple of radio shows at the beginning of next week. Tune in to Peter Anthony Holder's show on Monday night at 8:05pm (EST) on CJAD in Montreal (live radio feed here) or to the Bill Good show on Tuesday morning at 11:00am (PST) on CKNW in Vancouver (live radio feed here). I understand that there may be a call-in portion for both shows, so feel free to call with your privacy stories and questions. If they archive shows for posterity, I'll post a link.

Boxers have privacy rights, too.

The Globe and Mail is carrying a report that a boxer's medical information was released without his permission, perhaps having a significant impact upon his career. It is alleged that a clinic released neurological and MRI test results that showed cranial bleeding.

The Globe and Mail: Joe Mesi sues, alleging breach of privacy:

"Buffalo - Boxer Joe Mesi is suing a medical clinic and the New York State Athletic Commission, alleging they improperly distributed medical records that indicated he suffered multiple brain bleeds in his last fight...."

Thursday, December 30, 2004

Single Government ID Moves Closer to Reality

Further to my earlier posting on the new US Government identity verification project (PIPEDA and Canadian Privacy Law: US Government developing standard for positive identification), the Washington Post is carrying an article that comments, among other things, on privacy objections to the new standard:

Single Government ID Moves Closer to Reality:

"....Some federal employees have concerns about the new cards.

Colleen M. Kelley, president of the National Treasury Employees Union, which represents more than 150,000 federal workers in 30 agencies, said the proposed standard would permit agencies to print employees' pay grade and rank on the new cards, which many workers would consider an invasion of privacy.

'For example, an agency might seize upon this technology as a means to track employees as they move throughout a building,' Kelley said in written comments to NIST last week. 'That is troubling, standing alone. It would be particularly objectionable if the agency tried to track visits to particular sites such as the union office, Employee Assistance Program offices and the inspector general's office.'

NIST has gathered comments on the draft standard from more than 500 entities and individuals but has not made them public.... "

I wonder how long it will take before this makes its way into IDs for civilians, such as passports and drivers' licences.

Tools to Make Your Hard Drive Forget Its Past

The New York Times circuits section is running an article entitled Tools to Make Your Hard Drive Forget Its Past. The title is a bit misleading, since it only lists the tools to need to reformat your drive to start from scratch with a fresh installation of your software.

If you really want to erase your hard drive to preserve the confidentiality of your information before you sell or ditch your PC, you need a toolkit that truly destroys the data that is written on the magentic media. A number of products are available on the market that at least purport to meet rigorous standards, such as those set by the US Department of Defence (See Google Search: DoD 5220.22-M). The Canadian RCMP recommends, in their Hard Drive Secure Information Removal and Destruction Guidelines, that hard drives containing Secret or Top Secret data be disintegrated into itty bitty pieces (smaller than 1/4 of an inch).

Wednesday, December 29, 2004

Invasive technology makes schools more like "correctional facilities"

The third article in the series of privacy articles by CanWest Global is now online from the Ottawa Citizen's site: Security-riddled schools more like 'correctional facilities': Instead of making students feel safer, an education professor argues extreme surveillance makes them feel like criminals, writes Sarah Schmidt.

Banks up customer surveillance

Stuart Laidlaw has a very interesting article on customer surveillance at Canadian banks and the impact of the USA Patriot Act on their vigilance: TheStar.com - Banks up customer surveillance.

Privacy law is making hospitals lose patients and patient attitudes to privacy

icWales has an article ("Privacy law is making hospitals lose patients") on the the new practice of removing--in the name of privacy--patients' nameplates from above their beds and whiteboards from nursing stations. This has led to substandard care and literally losing patients, at least in Wales. The article cites a survey published in the British Medical Journal that examined the attitudes of patients to having their names made known in this way. (Ravindra Gudena, Stanley Luwemba, Amy Williams, and Lloyd R Jenkinson, Data protection gone too far: questionnaire survey of patients' and visitors' views about having their names displayed in hospital, BMJ, Dec 2004; 329: 1491.)

Based on a very simple questionnaire, most did not find the practice of posting patients names was invasive of privacy and most felt that patient names should appear over their beds:

Responses of 243 patients and 215 visitors to questionnaires about patients in hospital having their names displayed. Values are numbers; percentages (95% confidence intervals)




Patients

Visitors

Totals

Have you seen the name board or not?







Yes

173; 71 (65 to 77)

157; 73 (67 to 79)

330; 72 (68 to 77)

No

70; 29 (23 to 35)

58; 27 (21 to 33)

128; 28 (24 to 32)

Where should the name board be located?







In the open

182; 75 (70 to 80)

160; 74 (69 to 80)

342; 75 (70 to 79)

Hidden

4; 2 (–3 to 7)

12; 6 (0 to 12)

16; 3 (2 to 5)

No preference

57; 23 (19 to 28)

43; 20 (14 to 26)

100; 22 (18 to 26)

Do you mind having your name displayed on the name board (or, does this infringe on patients' privacy?)







Yes

10; 4 (2 to 7)

21; 10 (2 to 5)

31; 7 (4 to 9)

No

233; 96 (93 to 98)

194; 90 (84 to 94)

427; 93 (91 to 96)

Should patients' names be displayed above their beds?







Yes

236; 97 (95 to 99)

201; 93 (90 to 97)

437; 95 (94 to 97)

No

7; 3 (5 to 8)

14; 7 (3 to 10)

21; 5 (3 to 7)

This raises a number of questions about the wisdom of certain privacy laws and practices in the clinical environment. I wonder whether one can imply consent to having one's name posted over their bed if a good survey strongly suggests that the majority of patients don't object and, in fact, think that posting their names is a good idea. If you couple this with an opportunity to "opt out" on the admitting form, you should be able to satisfy most of the people most of the time.

Privacy and location-capable cell phones

The author of Sent.Org, aka [evL] blog, has an interesting and long posting that starts with a discussion of the privacy issues inherent in GPS capable cell phones, which leads into a broader discussion of privacy issues and routine law enforcement access to personal information. Rather than summarize it, I suggest taking a look at the blog posting itself:

:: [ evL ] Calling? :: sent.org :: [ evL ] blog :: sent :: [ evL ]:

"IF YOU PURCHASED A NEW CELLPHONE over the past 18 months or so, odds are that one of the features listed in small print on the side of the box was "E911 capable." Or, as in the case of my latest Motorola, "Location technology for piece [sic] of mind." Perhaps you asked the salesman to explain the feature, and he replied that it means that cops can home in on your phone in case of an emergency, a potentially important perk should you ever find your hand pinned beneath an immovable boulder in rural Utah, as Aron Ralston did recently. Assuming he could have gotten a signal, an E911-capable phone might have saved the young backpacker the pain of having to amputate his own arm.

What your salesman probably failed to tell you--and may not even realize--is that an E911-capable phone can give your wireless carrier continual updates on your location. The phone is embedded with a Global Positioning System chip, which can calculate your coordinates to within a few yards by receiving signals from satellites. GPS technology gave U.S. military commanders a vital edge during Gulf War II, and sailors and pilots depend on it as well. In the E911-capable phone, the GPS chip does not wait until it senses danger, springing to life when catastrophe strikes; it's switched on whenever your handset is powered up and is always ready to transmit your location data back to a wireless carrier's computers. Verizon or T-Mobile can figure out which manicurist you visit just as easily as they can pinpoint a stranded motorist on Highway 59.

So what's preventing them from doing so, at the behest of either direct marketers or, perhaps more chillingly, the police? Not the law, which is essentially mum on the subject of location-data privacy... "

Tuesday, December 28, 2004

They're watching and know who you are

Part two of the weeklong series of articles on privacy issues by Canwest reporter Richard Foot has been published in the Ottawa Citizen, Montreal Gazette, Vancouver Sun, etc. This part is on surveillance and the possibility of pervasive surveillance being coupled with facial recognition software.

They're watching you, and they know who you are (Ottawa Citizen):

"Biometric face recognition is about to change the way governments do business, and could remove our last shreds of anonymity, writes Richard Foot.

Richard Foot
The Ottawa Citizen

December 28, 2004

In London, Ont., 16 video cameras mounted on traffic poles keep a 24-hour watch on downtown streets for the city's police. In New York City, more than 2,400 outdoor video cameras -- many operated by private companies -- gaze out over the streets of Manhattan alone.

'No matter what, walking through the world these days, you're going to end up on video camera,' says David Fraser, a Halifax privacy lawyer.

Public surveillance isn't a new phenomenon, but despite its creeping presence, Canadians have maintained a measure of anonymity when we venture outside our homes. Video cameras might be watching us in public places, but unless we're famous or infamous, they usually can't identify who we are.

Until now...."

Grocery Store Loyalty Card Use is Strong Despite Privacy Concerns

A recent survey has confirmed what I've thought for some time: consumers will trade away their privacy at the drop of a hat. The study from Boston University suveyed a range of US consumers on their use and attitude to loyalty cards. Consumers will consistently trade their anonymity (and thus privacy) in exchange for discounts and other perceived benefits. This is even the case for those who are concerned about privacy (16% of those surveyed think about the personal information they are giving away each time they use their cards).

I'll try to find more information on the study, particularly the questions asked as part of the survey. I'm particularly curious if consumers selectively use their cards out of concern for the information that would be included in their profiles (for example, privacy-conscious consumers may not use their cards when they purchase items that may disclose too much personal information) and whether they really think about all the uses to which the information may be put.

The press release is reproduced in full below:

PRESS RELEASE: Grocery Store Loyalty Card Use is Strong Despite Privacy Concerns:

"New research from Boston University finds that 86% of adults carry a grocery store loyalty card and use it, even though cards give stores the right to track consumer purchases.

Boston, MA (PRWEB) December 28, 2004 -- Grocery story loyalty cards are more widespread than the Internet or the home computer: 86% of adults have at least one, most have more than one. Yet nearly half of the people who carry them didn’t know about the sophisticated web of tracking and marketing they were getting stuck in when they signed up. Is this a privacy bomb waiting to go off? No, according to results of a Fall 2004 study by a student research team at Boston University’s College of Communication. In an online survey of 515 adult supermarket shoppers the students found that even though privacy concerns are high, most cardholders agree that the benefits of using a loyalty card outweigh any infringement on personal privacy.

Grocery store loyalty cards are the credit card or keychain-sized cards with a barcode or magnetic stripe offered by most large supermarket chains. Chances are good you have at least one in your wallet or purse. When scanned at the cash register, the card unlocks special discounts offered to “loyal” members. In return for the savings, cardholders agree to allow the grocery store to track their purchases each time they shop. Grocery stores use this information to decide which products to carry, what prices to charge, and in some cases, to target consumers with specific coupons and promotions on behalf of grocery manufacturers.

Actual grocery store uses vary by store – some find the data analysis so time consuming they have chosen to abandon the cards altogether as PW Supermarkets, a small chain in Northern California, recently did. Still others have sophisticated systems for matching publicly available information about consumer households with the data collected at the cash register, a practice that infuriates privacy advocacy groups.

Does this tracking influence the consumer’s choice to use a discount card? A clear majority – 76% – of cardholders report that they use their grocery store loyalty card nearly every time they shop despite the fact that 52% also are concerned about how much of their personal information is collected by companies generally. Why do it, then? Sixty-nine percent of consumers report that the card benefits them in the form of lower prices and access to special promotions. And while seven in ten shoppers now know that grocery stores keep track of what they spend, only 16% think about this fact each time they use it.

“The fact that consumers – even those generally concerned about privacy – are willing to use these cards is testament to the fact that personal information is a commodity people are willing to trade with the right company for the right price,” explains Professor James McQuivey, who supervised the research project. No doubt this will only embolden supermarkets as they try to squeeze ever more dollars from a thin-margin retailing environment. What’s next? McQuivey offers, “Expect radio frequency identification embedded in the loyalty card of the future, an electronic tag that will identify you when you walk through the door, when you’re standing in front of the Pampers, and when you arrive at checkout. All with your permission, of course, and in exchange for a benefit grocery stores have yet to identify.”

About the survey

An online survey of 515 people 18 years of age and older was conducted during the last week of October 2004. As such it can only represent the two-thirds of households with Internet access. Sample was randomly drawn from a representative subgroup of participants in Survey Sampling International’s US online panel. The margin of error for a randomly drawn sample this size is +/-5%.

About the College of Communication at Boston University

The College of Communication at Boston University is home to the Communication Research Center where professors train undergraduate and graduate students in the science of consumer research and analysis. This project was designed by students under the supervision of Professor James McQuivey.

Contact Information:

James McQuivey
Assistant Professor
College of Communication
Boston University
640 Commonwealth Ave
Boston, MA 02215
617.803.6209 p
617.507.7892 f"

Monday, December 27, 2004

Your daily digital data droppings

Canwest Global is doing a series of feature-length articles on privacy between Christmas and New Year. For the first one, I was "shadowed" by a reporter to look at the sorts of data that we leave in our wake as we go throughout our daily lives.

Our every move is tracked and recorded:

"Short of becoming a hermit, there's little Canadians can do to avoid the pervasive climate of surveillance that surrounds them, says Richard Foot. However, there is protection in knowing what information is sought, how it is collected, and why.

The Ottawa Citizen Monday, December 27, 2004

David Fraser walks out his front door on a midwinter morning bound for work. His movements and activities are under surveillance, tracked by networks of people and distant computers in his own city and around the planet.

Mr. Fraser isn't a wanted man, nor is he a foreign spy. He's an ordinary Canadian inhabiting a world so wired by ubiquitous technology that almost everything he does is monitored and measured in breathtaking detail.

Mr. Fraser, a Halifax privacy lawyer, isn't concerned about the surveillance itself. What worries him is that most Canadians simply don't know their lives are so closely watched by the silent eyes of business and government. Like federal privacy commissioner Jennifer Stoddart, he calls public ignorance about the vast, daily exchange of personal information the greatest threat to privacy in Canada today.

'The critical thing is that people must be aware of it,' Mr. Fraser says. 'Yet most people simply don't understand much private information they leave behind them each day, during their ordinary routines.'...

The Series

Tomorrow: Biometric wizardry poised to remove last shreds of anonymity. Wednesday: School security: When safety concerns override privacy rights. Thursday: Your health records in cyberspace. Friday: Lives and habits of Canadian consumers up for grabs."

I'll post links to the stories as the appear online.

Sunday, December 26, 2004

No electronic peeping in US federal jurisdiction

The US Senate and House have passed the Video Voyeurism Prevention Act of 2004, which has been sent to President Bush for his signature. The law is restricted by the US federal government's limited jurisdiction, so it applies in federal facilities and areas of special federal jurisdiction. It makes it a federal crime to capture an image of an individual's "private area" when the individual has an expectation of privacy. CNN, among others, is running an AP article on the law:

CNN.com - New bill targets some peeping Toms - Dec 9, 2004:

"... The bill, which President Bush is expected to sign, would make it a crime to videotape or photograph the naked or underwear-covered private parts of a person without consent when the person has a reasonable expectation of privacy.

Conviction could lead to a fine of not more than $100,000 or imprisonment for up to one year, or both.

'Upskirting' and 'downblousing'

The measure got voice vote approval in both chambers of Congress -- the House on September 21 and the Senate on Tuesday.

The legislation would apply only in federal jurisdictions, such as federal buildings, national parks or military bases, but it carves out exceptions for law enforcement, intelligence and prison work...."

We've had a bill pending, on and off, to amend the Canadian criminal code to do the same thing. Unfortunately, it has fallen off the order paper at least once (See PIPEDA and Canadian Privacy Law: Article: Canada 'voyeur' bill still on shelf), but was reintroduced as Bill C-2 and is presently before committee. The text of the bill is here and its current status can be found here.

The proposed Canadian law is similar to the US one referred to above, except is also makes it an offence to distribute a recording produced as a result of an offence under subsection (1).

Because the Canadian federal government's criminal law jursidcition is unlimited, the law will apply coast-to-coast in Canada.

Saturday, December 25, 2004

HIPAA and electronic medical records in one hospital

The Marshfield News Herald (Marshfield, WI) has an article on privacy and hospital records that also briefly discusses some patient attitudes to new processes and procedures:

Marshfield News Herald - Hospitals work on protecting digital records:

"...While the federal government has cracked down on medical privacy, some patients say they were not actually concerned their privacy was being invaded, be it from hackers or from employees within the health care system.

'I have no privacy issues at all, because I could care less if other people saw my medical records,' said Lisa Schilling, 32, of Marshfield. 'What do I have in there that is so good to see?'

Schilling said the HIPAA regulations are actually an inconvenience and would like to help her husband with his medical information 'without them making me sign a piece of paper. It's almost getting too carried away.'

Under HIPAA privacy rules, an individual can schedule an appointment for a spouse but cannot have access to information such as laboratory tests without express written consent from his or her spouse...."

EPIC Top Ten Privacy Resolutions for 2005

The Electronic Privacy Information Center has released their top ten privacy resolutions for 2005:

EPIC Top Ten Privacy Resolutions for 2005

Top Ten Consumer Privacy Resolutions
Protect Your Privacy in The New Year!

1. Engage in "privacy self defense." Don't share any personal information with businesses unless it is absolutely necessary (for delivery of an item, etc.). Don't give your phone number, address, or name to retail stores. If you do, they can sell that information or use it for telemarketing and junk mail. If they ask for your information, say "it's none of your business," or give "John Doe, 555-1212, 123 Main St." Don't return product warranty cards. Don't complete consumer surveys even if they appear to be anonymous. Profilers can build in barely-perceptible codes that link you to the survey, and this data goes straight to direct marketers.

2. Pay with cash where possible. Electronic transactions leave a detailed dossier of your activities that can be accessed by the government or sold to telemarketers. Paying with cash is one of the best ways to protect privacy and stay out of debt.

3. Install anti-spyware, anti-virus, and firewall software on your computer. If your computer is connected to the Internet, it is a target of malicious viruses and spyware. There are free spyware-scanning utilities available online, and anti-virus software is probably a necessary investment if you own a Windows-based PC. Firewalls keep unwanted people out of your computer and detect when malicious software on your own machine tries to communicate with others.

4. Use a temporary rather than a permanent change of address. If you move in 2005, be sure to forward your mail by using a temporary change of address order rather than a permanent one. The junk mailers have access to the permanent change of address database; they use it to update their lists. By using the temporary change of address, you'll avoid unwanted junk mail.

5. Opt out of prescreened offers of credit. By calling 1-888-567-8688, you can stop receiving those annoying letters for credit and insurance offers. This is an important step for protecting your privacy, because those offers can be intercepted by identity thieves.

6. Choose Supermarkets that Don't Use Loyalty Cards. Be loyal to supermarkets that offer discounts without requiring enrollment in a loyalty club. If you have to use a supermarket shopping card, be sure to exchange it with your friends or with strangers.

7. Opt out of financial, insurance, and brokerage information sharing. Be sure to call all of your banks, insurance companies, and brokerage companies and ask to opt out of having your financial information shared. This will cut down on the telemarketing and junk mail that you receive.

8. Request a free copy of your credit report by visiting http://www.annualcreditreport.com. All Americans are now entitled to a free credit report from each of the three nationwide credit reporting agencies, Experian, Equifax, and Trans Union. You can engage in a free form of credit monitoring by requesting one of your three reports every four months. By staggering your request, you can check for errors regularly and identify potential problems in your credit report before you lose out on a loan or home purchase. Currently, these reports are available to residents of most western states. By September 2005, all Americans will have free access to their credit report.

9. Enroll all of your phone numbers in the Federal Trade Commission's Do-Not-Call Registry. The Do-Not-Call Registry (http://www.donotcall.gov or 1-888-382-1222) offers a quick and effective shield against unwanted telemarketing. Be sure to enroll the numbers for your wireless phones, too.

10. File a complaint. If you believe a company has violated your privacy, contact the Federal Trade Commission, your state Attorney General, and the Better Business Bureau. Successful investigations improve privacy protections for all consumers.

For more information about privacy, visit the Electronic Privacy Information Center at http://www.epic.org/

Slashdot has a discussion of the resolutions at Slashdot | Privacy Resolutions for the New Year.

Friday, December 24, 2004

Thursday, December 23, 2004

More hidden video cameras - this time in a correctional facility

Privacy battles in the workplace are increasingly being fought over the newswires. Below is the latest, based on an allegedly hidden video camera at a Canadian prison:

Hidden video surveillance of correctional officers at Leclerc Institution; Correctional Service Canada wrongly blames union for its own illegal acts:

"MONTREAL, Dec. 23 /CNW Telbec/ - Following several media reports December 23, the Union of Canadian Correctional Officers (UCCO-SACC-CSN) is compelled to comment on the discovery of a hidden surveillance camera at Leclerc Institution, a medium-security penitentiary in Laval.

A correctional officer at Leclerc Institution discovered a video camera hidden in a defective emergency light during the evening of September 21, 2004. As soon as the officer moved the light, the preventive security officers and the assistant warden at Leclerc quickly intercepted him. They then lied to him about the purpose of the camera and threatened him with reprisals if he did not keep this discovery secret. He refused and was suspended without pay for seven days for having "damaged government material". The suspension has been grieved.

Following a meeting with the Acting Commissioner of Correctional Service Canada, Mr. Don Head, UCCO-SACC-CSN was satisfied that this was an isolated incident and would not be repeated. Mr. Head stated to the union that only he can authorize the installation of hidden electronic surveillance, and that he did not do so in this case, or at any other penal institution in Canada.

However, UCCO-SACC-CSN is now compelled to publicly comment following defamatory statements by Leclerc Assistant Warden Pierre Gauthier in the Dec. 23 edition of the Journal de Montréal. Mr. Gauthier stated the camera was installed to catch correctional officers in the act of vandalism and intimidating management staff. He also stated the camera respected the Privacy Act and CSC policies.

"Both statements are untrue," said Mr. Pierre Dumont, Quebec Region President of UCCO-SACC-CSN. "This camera was installed illegally, and UCCO-SACC-CSN has filed a complaint over the incident with the federal Privacy Commissioner, Ms. Jennifer Stoddart."

This case is all the more disturbing because it was followed by an incident at William Head Institution, a minimum-security penitentiary near Victoria, BC. Two CSC managers from this institution will face criminal charges in a trial beginning next month in Vancouver over a case of illegal electronic surveillance.

Both the BC and Quebec incidents are illegal attempts to harass the union representing correctional officers in Canada, notes UCCO-SACC-CSN National President Sylvain Martel. He said it is typical behaviour in a situation in which the federal government is refusing to negotiate a renewal to their labour agreement that has been expired since June 2002.

"Certain CSC managers believe themselves to be above the law," said Mr. Martel. "But this union will ensure that even CSC managers cannot break Canadian laws."

The Union of Canadian Correctional Officers (UCCO-SACC-CSN) is the official bargaining agent for 5,700 correctional officers in 54 federal institutions across Canada.

For further information: Lyle Stewart, CSN communications advisor, (514) 796-2066"

In light of the inflamatory language in the release, I'd just like to mention that I am simply quoting verbatim from the union's press release and I will happy publish a rebuttal from Corrections Canada.

Interesting stuff ...

More coverage: CBC Montreal - Guards want warden charged over spy camera

Wednesday, December 22, 2004

Is your e-mail private after your death?

The family a US Marine who was killed in action has been trying to persuade Yahoo! to provide them with access to his mail inbox. The grieving father is quoted by the the Associated Press (via Yahoo!, ironically):

'I want to be able to remember him in his words. I know he thought he was doing what he needed to do. I want to have that for the future,' said John Ellsworth, Justin's father. 'It's the last thing I have of my son.'

But without the account's password, the request has been repeatedly denied. In addition, Yahoo! policy calls for erasing all accounts that are inactive for 90 days. Yahoo! also maintains that all users agree at sign-up that rights to a member's ID or contents within an account terminate upon death.

'While we sympathize with any grieving family, Yahoo! accounts and any contents therein are nontransferable' even after death, said Karen Mahon, a Yahoo! spokeswoman.

Since the story appeared, offers of help have poured in from lawyers and hackers. (See: Yahoo! News - Father Seeking Marine's E-Mail Gets Help)

I have mixed feelings about this one. On one hand, your executors act as your personal representative and get to rummage through all your stuff. Should e-mail be excluded from that? Shouldn't Yahoo! have to respond to the executor if presented with a duly certified copy of the late soldier's will? On the other hand, it may bother many people to think that your family may be able to view all your personal e-mails after your death. Perhaps people ought to think about dealing with these matters in their wills and giving directions to their e-mail providers for what to do after they are gone. One more thing to worry about, I guess.

Canadian Privacy Firsts: Misdirected faxes leads to joint investigation and report by Alberta and Federal Commissioners

Canada suffers under a tangle of privacy laws, some of which overlap and others that leave gaping holes. In some cases, a number of privacy laws may apply. Misdirected faxes with sensitive information in Alberta over the summer engaged both the Alberta Health Information Act and the Personal Information Protection and Electronic Documents Act, resulting in the first joint investigation and report from the federal and Alberta privacy commissioners. The report is also notable as the Federal Commissioner's report "names names".

The Federal Commissioner's finding is here:

Report: Misdirected faxes containing health information end up in apartment managers' hands - December 21, 2004

Incident

In July 2004, it was reported in the Edmonton Journal that a couple who managed an apartment building had received facsimile transmissions in error from various sources. These transmissions contained personal medical information.

The Office of the Privacy Commissioner of Canada and the Office of the Information and Privacy Commissioner of Alberta collaborated in investigating this incident. It was determined that the couple received 10 facsimile transmissions from seven different companies. Some of these transmissions came under the jurisdiction of the Personal Information Protection and Electronic Documents Act (PIPEDA). Two companies were responsible for these transmissions:

  • Dynacare
  • Viewpoint

The following is a summary of the investigation into the incidents.

Summary of Investigation — Dynacare

One facsimile was sent erroneously by Dynacare, which operates medical laboratories, on January 19, 2004. It contained such personal information as the name, age, height, smoking habits, and patient number of an individual who had undergone testing by the company. Also included was a diagnosis and specific medical test results for the individual.

Once the company had been alerted to the privacy breach, it investigated the incident but was unable to determine who was directly responsible for the transmission. It was able to narrow responsibility, however, down to one of five individuals. Our Office confirmed that the facsimile was sent via manual transmission, in other words, the person who sent the facsimile manually keyed in the number.

All five individuals had signed an oath of confidentiality at the time of hiring, and were aware of the confidential nature of the medical records and the need to ensure that they are not inappropriately disclosed. These oaths had not been reviewed since they were signed. The company has developed a new form and will ensure that employees review and sign it annually.

Dynacare also implemented an electronic auto fax function on its computers. Facsimile numbers are entered into the system and checked for accuracy. If an employee wishes to send a facsimile, he or she will use the automated system. Such a measure should minimize the risk of regularly used numbers being misdialed. For numbers that are used infrequently or on a one-time basis (they are not programmed into the system), Dynacare provided employees with a set of instructions that are intended to ensure that they confirm the accuracy of the fax numbers before transmission.

Dynacare is in the process of revising its policies and procedures to ensure full compliance with all applicable legislation, including Alberta's Health Information Act and the PIPEDA.

Although Dynacare had not notified the individual whose personal information was on the facsimile, it indicated that it would consider doing so.

Conclusion

The Assistant Privacy Commissioner concluded that Dynacare disclosed personal information without consent, contrary to the provisions of PIPEDA.

Summary of Investigation — Viewpoint

Viewpoint is a medical organization that provides diagnosis consultation services. The facsimile in question, sent on April 14, 2004, was a medical evaluation. It contained the patient's name, age, occupation, detailed medical history, and also included information about the patient's children. The evaluation was sent by a medical consultant to a Viewpoint physician, who reviewed and made comments on the report. It was then supposed to be sent back to the consultant via facsimile. Two of the numbers, however, were transposed, and the facsimile was sent to the incorrect place. Although the Viewpoint physician made notes to the report, he was not responsible for its transmission and Viewpoint has not been able to determine who in fact sent the facsimile to the wrong number.

When the recipients of the facsimile contacted Viewpoint regarding the transmission they were told to destroy the documentation. Viewpoint indicated to our Office that in future, should any facsimile transmissions containing personal information be sent to the wrong number, Viewpoint will dispatch a courier to retrieve any such records. The company has also taken steps to have all facsimile numbers verified before transmission and has implemented measures to have any incidents reported to management.

As for the patient in question, Viewpoint indicated that it would be more appropriate for the medical consultant to contact the patient regarding the disclosure as they have a doctor-patient relationship.

Conclusion

The Assistant Commissioner concluded that Viewpoint contravened PIPEDA when it disclosed personal information without consent.

Recommendations made to Dynacare and Viewpoint

The Assistant Commissioner made the following recommendations to both companies:

  • That the organizations implement and follow the OPC's recommendations with respect to the transmission of facsimiles as set out in the fact sheet Faxing Personal Information.
  • That the organizations implement measures to notify individuals whose personal information has been inadvertently disclosed via misdirected facsimiles.
  • That the organizations review and update employee confidentiality/privacy agreements on a yearly basis.

The press release from the Alberta Information and Privacy Commissioner is available in PDF at http://www.oipc.ab.ca/ims/client/upload/NR_H2004_IR_001_2.pdf and his report is here: http://www.oipc.ab.ca/ims/client/upload/H2004-IR-001.pdf

From the Edmonton Journal:

Clinics, doctors criticized for fax foul-ups: Privacy commissioner puts onus on offices to ensure information sent to correct number:

"EDMONTON - A new report from Alberta's privacy commissioner is a sharp reminder to health workers that careless faxes can put patient privacy in jeopardy.

Each day, hundreds of fax machines in medical clinics send patient information from one place to another. It's the standard way information is shared among doctors, therapists, laboratories and consultants.

On Tuesday, the commissioner's office released a 16-page report that found two local doctors and three clinics violated the Health Information Act by not handling faxes correctly.

The investigation was launched after The Journal reported in July that a local woman received more than 20 faxes with confidential medical information that were supposed to go to LifeMark Health Institute, a private medical consulting company. Nese Premakumran's fax number was one digit different from LifeMark's...."

Tuesday, December 21, 2004

The (Privacy) Gap: Popular Retailers Using Secret Cameras to Capture Information About Customers - PrivacySpot.com

I don't get the Wall Street Journal (online or offline), though I'd like to read the article referred to in this post on privacyspot.com:

The (Privacy) Gap: Popular Retailers Using Secret Cameras to Capture Information About Customers | PrivacySpot.com - Privacy Law and Data Protection:

"The Wall Street Journal (subscription required) reports that many popular retailers are using secret cameras to record, and sophisticated software to analyze, information about what happens in their stores. The cameras, which are different than your vanilla anti-shoplifting camera, are often completely hidden. And the images they record aren't reviewed by a sleepy security guard; they are reviewed by sophisticated computers that can differentiate people on the basis of age, gender, and race. This information is then aggregated into reports about who is shopping, who is browsing, and how they are reacting to items in the store. Interestingly, the data is also matched with information about credit card transactions to determine how much people are spending.

Predictably, retailers swear that the technology is innocuous because no information about particular individuals is recorded; however, the computers can read facial expressions down to the level of "fast-eye movement, smiles and frowns." The data may not be utilized to collect information about individuals at this stage, but there are no guarantees. The bigger problem, of course, is that this technology further erodes the distinction between private and public life. Every time we step outside our front doors, we are consenting to be viewed by other people. But while I may not care that someone knows I visited The Gap (which uses the technology) yesterday, I might care a lot that my facial expressions were recorded and stored in a databse somewhere. Despite the fact that I am out in public, I carry expectations regarding a modicum of residual privacy that I will continue to enjoy. This includes not being photographed, analyzed, recorded, and data-mined in every store I visit. Unfortunately, people's expectations regarding privacy have not kept pace with recent advances in surveillance technology. This has led to the creation of a "privacy gap" that retailers are eager to exploit. Tellingly, the article notes that many stores do not want customers to know they utilize the technology. You see, it might make people feel "uncomfortable." No kidding."

This is the first I've heard of this technology, but it raises some interesting questions.

CIPPIC v Abika.com: Part deux

The Candian Internet and Policy Public Interest Clinic has filed a second, revised complaint with the Office of the Privacy Commissioner, following the Assistant Commissioner's decision to not investigate the initial complaint because Abika.com is entirely located within the United States. More information is available from the CIPPIC website:
CIPPIC News - CIPPIC:

"On December 14, 2004, CIPPIC sent a formal complaint about Abika.com to the Federal Trade Commission in the United States, alleging violations of US law. We also responded to the Privacy Commissioner of Canada by way of a letter encouraging her to reconsider her staff's determination that they could not investigate companies located wholly in the USA. After discussions with the Office of the Privacy Commissioner, we filed another complaint against Abika.com under PIPEDA on December 20, 2004.

"

For the background to this second complaint, see PIPEDA and Canadian Privacy Law: CIPPIC complaint raises a number of novel and interesting issues and PIPEDA and Canadian Privacy Law: Jurisdictional limitations on Canadian privacy law.

Employees in Ontario (and perhaps other Canadian provinces) have no right to privacy

This is hot off the presses. With no statutory right to privacy in Ontario (unlike Alberta and British Columbia), an arbitrator has decided that the "reasonableness" test that has ordinarily applied to determine the admissibility of video surveillance evidence may not be warranted. It is worth asking if the admission of video surveillance is really any different from admitting the testimony of the private investigator who took the video. Should the fact that it is more persuasive make it more difficult to admit?

2004 CarswellOnt 5241

Hotel-Dieu Grace Hospital v. CAW-Canada, Local 2458

Ontario Arbitration Board

Snow Member

Heard: July 15, 2004
Heard: October 14, 2004
Judgment: November 2, 2004
Docket: MPA/Y401670

Snow Member:

...

1 The grievor was discharged on the basis of video surveillance evidence. This is an interim award regarding the admissibility of that video evidence.

IV. Union Position

....

8 The Union submitted that the Employer could only use this video evidence if:

1. It was reasonable for the Employer to request surveillance;

2. The surveillance was conducted in a reasonable manner; and,

3. There were no other alternatives open to the Employer to obtain this evidence.

9 The Union submitted that the arbitration cases indicated that video of an employee was an intrusion that should not be taken lightly, that an Employer needed to have reasonable grounds to decide to engage in surveillance of an employee and, if the Employer did not have reasonable grounds, the video evidence should be rejected. The Union reviewed several awards and adopted the arguments contained in them.

10 As for reasonable grounds, the Union said the cases made clear that mere suspicion was inadequate. The Union said there were no reasonable grounds to use surveillance in this case. To allow the Employer to use video evidence without first subjecting that evidence to the above reasonableness test would shift the balance of power in favour of the Employer. In summary, the Union said it made sound labour relations sense to use the test of reasonableness in assessing video surveillance evidence.

....

V. Employer Position

12 The Employer said there was no legal reason to require the Employer to have reasonable grounds to engage in surveillance and there was no proper basis to refuse to admit the video evidence from that surveillance.

13 The Employer referred to Section 48 (12) (f) of the Labour Relations Act, 1995 dealing with admissibility of evidence and said that an examination of that provision indicated that the video was admissible. The Employer submitted that the arbitration cases upon which it relied indicated that the cases cited by the Union have not been followed in recent years. The Employer reviewed both the Union's and its own cases in detail and urged me to follow the approach found in its cases.

...

15 In summary, the Employer said that, absent a collective agreement or statutory provision, an Employer can engage in surveillance of an employee and use the video from that surveillance in arbitration. There was no basis for subjecting the issue of admissibility of this video evidence to a special test.

Should there be an additional reasonableness test for surveillance video?

32 Notwithstanding that this evidence is relevant to a material issue, and would be admissible applying the statute, the Union said that there was a line of arbitration cases which took a different approach. The Union submitted that those cases held that video evidence should only be admitted in an arbitration if that evidence also passed the reasonableness test. Although there are conflicting decisions of Ontario arbitrators on this point, the Union is correct that in the decisions upon which it relied the arbitrators subjected the introduction of video surveillance to the reasonableness test. There are minor differences in those tests but the key points are:

1. The employer had to have acted reasonably in deciding to place the employee under surveillance; and,
2. The Employer had to have conducted the actual surveillance in a reasonable manner.

33 I note that the reasonableness test appears to have been used in Ontario only for video evidence. Before the days of video, and currently as well, this Employer could have hired a detective to conduct similar surreptitious surveillance away from the work place, make notes on what was observed and take still photographs, and then testify in an arbitration from his or her memory aided by the notes and still photographs. I am aware of no suggestion that such evidence has been subjected to the reasonableness test in an arbitration under the Labour Relations Act.

34 From the awards before me it is clear that this reasonableness test for the admissibility of video evidence was first used in British Columbia in Re Doman Forest Products Ltd. and I.W.A., Loc. 1-357 (1990), 13 L.A.C. (4th) 275 (Vickers), a case discussed in several of the awards relied upon by the parties. At that time British Columbia had a statute providing for a right of privacy and Arbitrator Vickers took the view that, among other things, surveillance conflicted with the employee's statutory right of privacy. In reconciling the employer's right to prove its case through relevant evidence with the employee's statutory privacy right to be free from surveillance, the arbitrator adopted the reasonableness test. If the surveillance was unreasonable under the privacy legislation, the resulting video evidence was not admitted.

35 A similar test was used in Manitoba, where there was also a statutory right to privacy, in Re New Flyer Industries Ltd. (supra). Arbitrator Chapman cited with approval an earlier decision of Arbitrator Peltz between the same parties (the Mogg case) and, at page 63 of his award, Arbitrator Chapman quoted from Arbitrator Peltz' earlier award where the existence of a statutory right to privacy is relied upon. Although Arbitrator Chapman does not specify the source of the statutory right, at page 146 of his award in Re Canadian Timken Ltd. (supra), Arbitrator Welling indicates that the right to privacy in Manitoba was found in the Privacy Act, R.S.M. 1987, c. P125.

36 A similar test was used in Ross v. Rosedale Transport Ltd. (supra), a dispute under federal jurisdiction, to balance an employee's privacy rights found in the federal Personal Information Protection and Electronic Documents Act with the employer's right to prove its case through relevant evidence.

37 In each of those jurisdictions there is a statutory right of privacy and I have no issue with the reasonableness test being applied to balance an employee's right of privacy with an employer's right to prove its case through relevant evidence.

38 But I do have difficulty with the use of a reasonableness test where there is no right of privacy. A reasonableness test has been used in Ontario - see, for example, two cases cited by the Union, Re Toronto Transit Commission (Saltman) (supra) and Re Labatt Ontario Breweries (supra) - where there is no statutory right to privacy. In subjecting videotape evidence to a reasonableness test Arbitrators Saltman and Brandt applied a different approach from that normally used in assessing the admissibility of evidence.

39 In examining the reasonableness test of Arbitrators Saltman and Brandt in the above cases, a test also applied by some other Ontario arbitrators, it is important to note that the use of the reasonableness test for the admission of videotape evidence has been criticized and firmly rejected in a number of later cases - see, for example, Re Kimberly-Clark Inc. (Bendel) (supra); Re Toronto Transit Commission (Solomatenko) (supra); and Re Canadian Timken Ltd. (Welling) (supra) cited by the Employer. (I note that while Arbitrator Bendel's award was released in 1996, prior to Arbitrator Saltman's 1997 award, it was not published in Labour Arbitration Cases until 1998 and was not mentioned in Arbitrator Saltman's award.)

40 The initial and primary basis for the use of the reasonableness test for the admissibility of video evidence has been a concern about privacy. The use of the reasonableness test as a means of balancing privacy expectations or concerns (there being no right to privacy) with the right to lead relevant evidence has been fully and ably reviewed in the three awards by Arbitrators Bendel, Solomatenko and Welling (supra) and I do not intend to repeat that analysis. Although the analysis in those three cases varies in some details, each rejects the reliance on privacy as a basis for using the reasonableness test for the admissibility of video evidence.

41 As there is no right of privacy in Ontario, this reasonableness test, originally designed to balance rights, has to be carefully examined. Since it is not needed to balance competing rights, and has been persuasively rejected by other arbitrators, why might I adopt it?

42 Some of the cases (including cases not relied upon by the Union but referred to in the various awards) suggest alternative rationales for using the reasonableness test and subjecting video evidence, particularly video evidence resulting from surveillance, to heightened scrutiny. But those alternative bases (reliance on values in the Canadian Charter of Rights and Freedoms, analogy with cases on searching employees, and safeguarding the integrity and credibility of the arbitration process) are also examined by Arbitrators Bendel, Solomatenko and Welling in Re Kimberly-Clark Inc. (supra); Re Toronto Transit Commission (supra); and Re Canadian Timken Ltd. (supra), respectively, and persuasively rejected.

43 I can find no basis in the arbitration awards relied upon by the parties to persuade me to adopt a reasonableness test for the admissibility of this video evidence. In particular, I reject the primary ground advanced for this test - privacy - as a basis for using the reasonableness test. I also reject the other reasons which have been advanced - reliance on values in the Canadian Charter of Rights and Freedoms, analogy with cases on searching employees, and safeguarding the integrity and credibility of the arbitration process. Nothing in those awards persuades me that a special test is needed to determine the admissibility of video evidence.

44 The Union offered further policy reasons for adopting the reasonableness test. The Union submitted that to allow the Employer to use video evidence without subjecting that evidence to the reasonableness test would shift the balance in favour of the Employer. The Union also submitted that it made sound labour relations sense to use the test of reasonableness in assessing surveillance evidence. The Union did not provide specifics, but I understood that the submissions flowed from:

1. The idea that employees have an expectation of privacy, even if not a right; and,
2. The distaste which some people have regarding an employer conducting surreptitious surveillance.

45 The Union urged me to shift the balance, and to uphold sound labour relations values, by subjecting the video evidence to the reasonableness test.

46 I do not think that my subjective perception about a need to shift the balance of power between the parties, or the balance between the Employer and the grievor, is a sound basis for a decision to reject relevant evidence, or to subject this evidence to the additional reasonableness test.

47 Moreover, the fact that some people find this practice of surreptitious video surveillance offensive does not, in my view, carry any weight in determining the admissibility of the video evidence. Improvements in technology have enhanced the ability of a "sleuth" to record what an employee has done away from the work place but, as I noted earlier, it has long been possible to engage in surveillance and testify about what was observed. I do not see that the recent use of video has created a shift in the balance of power which should be corrected, even assuming that correcting a shift in the balance of power was a sound basis for determining admissibility. In my view, because the evidence is clearer, more detailed, and thus perhaps more persuasive, the possibility of video evidence has, at most, simply prompted employers to more frequently exercise a power which employers have long possessed.

48 While I have concluded that shifting the balance of power is not a proper basis for determining the admissibility of this video evidence, I would note that if the Union wishes to shift the balance of power it is able to do so in the bargaining process. The parties' collective agreement is their current agreement in terms of the allocation of power between the two of them. It is clearly possible for a collective agreement to address this issue and to indicate an approach to the admissibility of video evidence which an arbitrator would be required to apply. But there was no suggestion of anything in the parties' existing collective agreement which would assist in resolving the issue before me on the admissibility of this video evidence. ....

CN and union fight over hidden cameras leads to whistleblower charges

Below is a press-release issued by the CAW today:

Canada NewsWire - CAW to charge CN for threats to whistleblower:

"TORONTO, Dec. 21 /CNW/ - The Canadian Auto Workers union will file charges against Canadian National Railway for threatening to discipline a union representative who exposed CN's hidden surveillance cameras at its Winnipeg repair shops.

Les Lilley, the union chairperson representing 600 CAW members and a CN employee for more than 34 years, has been summoned to a disciplinary hearing to be held this afternoon. The allegations, which include 'insubordination,' could carry severe penalties ranging up to dismissal.

On November 24, workers in the Transcona Wheel Shop discovered a hidden surveillance camera in an air duct. Last Thursday, Queen's Bench Justice Wallace Darichuk granted the CAW's request for an injunction prohibiting CN from using all but four cameras in its Transcona Shops complex, and restricting the use of those four cameras to the protection of workers' safety. Les Lilley conducted the in-house investigation which brought the evidence of covert surveillance to light.

'The charges against Les are outrageous,' said CAW Local 100 Prairie Region vice-president Dennis Wray. 'CN is using intimidation and reprisal tactics to muzzle whistleblowers and divert attention from its own actions. This is the same disturbing pattern of corporate behaviour which helped trigger a month-long strike of 4,500 CAW members last winter.'

The CAW will charge CN under a section of the Canada Labour Code which bars employers from interfering with legitimate union activities. "Other charges may also be laid," said CAW national representative Abe Rosner in Montreal, "considering the proximity of the threats to the issuance of the court injunction."

Last week the union filed a grievance as well as a formal complaint to the federal Privacy Commissioner accusing CN of spying on Wheel Shop workers contrary to federal legislation and asking for punitive damages for loss of dignity and invasion of privacy. Those matters will be heard over the coming months."

No suggestion of looking for charges under PIPEDA's whistleblower provisions.

Update: See also Winnipeg Sun: NEWS - CN union to grieve hearing (2004.12.22)

Monday, December 20, 2004

Privacy, hospitals and law enforcement

A FOX station in the pacific northwest is carrying the following story:

FOX 12 OREGON Conflict with law enforcement:

"WENATCHEE, Wash. Last spring a Douglas County man shot himself in the hand while cleaning his gun.

He was treated at a hospital that did not report the incident to law enforcement because of privacy law.

Douglas County Sheriff Dan LaRoche heard about it weeks later and said it should have been investigated, although he believes it was an accident.

The incident is an example of how the privacy law (Health Insurance Portability and Accountability Act -- known as HIPAA) can hamper law enforcement.

A spokeswoman for the Washington State Hospital Association, Cassie Sauer, says the year-old law has strained the working relationship between health care workers and police in some areas of the state. (Wenatchee World)"

In Alberta, the Health Information Act allows healthcare providers to tell the cops, but only if the person has not told the hopspital not to: "Doc, don't tell the cops about my seven gunshot wounds."

Saturday, December 18, 2004

Federal Government secrets may be vulnerable to Patriot Act

Today's Vancouver Sun has a lengthy article that reports officials in the federal government are concerned about the security and privacy of information that is handled by American contractors or subsidiaries of US companies. The article is interested, but does not suggest what the federal government is considering doing in reponse:

U.S. law 'threatens Canada's secrets'

OTTAWA -- Highly sensitive personal, military and national security information held by the Canadian government is accessible to U.S. authorities under the Patriot Act, according to a document obtained Friday.

A team of Canadian government lawyers studied the vulnerability of top-secret data after a controversy broke out in B.C. earlier this year over whether British Columbians' personal medical records were being put at risk due to the provincial government's plan to contract out services to a U.S.-owned firm.

The federal lawyers agreed with B.C. privacy commissioner David Loukidelis that the Patriot Act, enacted after the 2001 terrorist attacks in New York, gives the U.S. government enormous ability to probe into the databases of American companies that do business with Canadian governments.

"Their preliminary findings indicate that the Federal Bureau of Investigation could require an American corporation under the U.S. Patriot Act to disclose information under its control, including information held by its Canadian subsidiaries," wrote Mark Seely, an official with Public Works and Government Services Canada, in a July 22, 2004 e-mail to more than two dozen Public Works officials....

Friday, December 17, 2004

Alberta bureaucrat calls in the federal commissioner to investigate privacy breach

In another interesting turn of events, an Alberta public servant has requested that the Federal Privacy Commissioner investigate the breach of privacy connected to the discovery of hundreds of files of bureaucrats' personal information in Alberta. This is in addition to an investigation conducted by the Alberta Commissioner, the report for which was released this week (see PIPEDA and Canadian Privacy Law: Alberta Commissioner releases report on incident involving sensitive info of senior public servants).

Feds called in:

"A top Alberta bureaucrat burned in the recent leak of private credit data from the provincial government's staff-screening process has sicced Ottawa's privacy watchdog on the case. The bureaucrat, who has asked not to be named, said he's filed a request for an investigation by the federal Office of the Privacy Commissioner.

The commission office couldn't confirm the request yesterday. 'We get about 19,000 requests a year, [!]' said a spokesman.

Although provincial Information and Privacy Commissioner Frank Work released his own report on the Trans Union affair this week, the federal office may also have jurisdiction - since the screening process involved the Canadian Security Intelligence Service.

The screening process was launched by the Klein government last year to guard against fraud or security breaches by top bureaucrats. It included criminal background and credit checks, along with a CSIS 'vulnerability risk screening.' ...."

For background, see:

Union obtains an injunction in the CN hidden camera case

I haven't found a copy of the decision in this matter, so I only have the following news report to go on...

It appears that the union representing workers at the Canadian National Railway yard in Winnipeg has sought an injunction to prevent the railway from using hidden cameras in a machine shop (see CN Rail turns on hidden cameras to investigate vandalism). The court, according to the Winnipeg Sun, granted the injunction in part: the railway can only use the cameras in the interests of safety, not for any discipline proceedings. If the judge relied on PIPEDA, which is not clear from the report below, it would be the first case of its kind.

Winnipeg Sun: NEWS - Partial victory for union:

"CN limited to four cameras

By KATHLEEN MARTENS, BUSINESS REPORTER

A judge has given CN Rail workers in Winnipeg a partial victory in their fight to kill hidden cameras watching them work. Queen's Bench Justice Wallace Darichuk yesterday granted an interim injunction sought by Canadian Auto Workers Local 100 on behalf of 90 members at the Transcona Wheel Shop.

Injury or death

His order, effective immediately, limits the railway to using four ceiling cameras in the interests of safety only -- not for suspicions about productivity or sabotage.

Darichuk said he was swayed by the railway's argument that unexplained breakdowns of equipment could cause injury or death. Court heard wheel mechanisms repaired in the shop have broken down up to five times a day this month and that's why CN brought in the cameras and turned them on Dec. 7. ..."

Thursday, December 16, 2004

WiFi hacker sentenced to prison

From SecurityFocus:

SecurityFocus HOME News: Long prison term for Lowe's wi-fi hacker:

"A 21-year-old Michigan man was sentenced to nine years in federal prison Wednesday in federal court in Charlotte, North Carolina for his role in a failed scheme to steal credit card numbers from the Lowe's chain of home improvement stores by taking advantage of an unsecured wi-fi network at a store in suburban Detroit.

Brian Salcedo faced a possible sentence of 12 to 15 years under federal sentencing guidelines, but at the government's urging federal judge Lacy Thornburgh gave the hacker credit for helping out his former victim following his guilty plea last June, according to the prosecutor on the case.

'He provided assistance to Lowe's,' says assistant U.S. attorney Matthew Martens. 'He met with the corporation to help them understand the vulnerabilities in their system and how they can improve and protect themselves from hackers in the future.'

Salcedo's partner in the caper, 21-year-old Adam Botbyl, has also pleaded guilty, and was sentenced Thursday to 26 months in prison followed by two years of court supervised release. In an interview last August, Botbyl told SecurityFocus he regretted participating in the scheme. 'It's going to take a lot to start to get my reputation back,' he said. 'This has messed up my entire life for at least 10 or 15 years.' ..."

Alberta Commissioner to conduct his own "PATRIOT ACT" outsourcing inquiry

The Alberta Information and Privacy Commissioner, Frank Work, announced that his office will be working jointly with the Government of Alberta to examine the implications of public sector outsourcing for the personal information of Albertans. The news release can be found here.

Alberta Commissioner releases report on incident involving sensitive info of senior public servants

The Alberta Information and Privacy Commissioner has released his report related to the huge incident involving the breach of credit information related to hundreds of senior civil servants. See the report and press release here.

Outsourcing of Canadian student loans process to US results in complaint to the Privacy Commissioner

This is the first week that I've thought it would be easier to blog about who isn't complaining to the Office of the Privacy Commissioner ...

A Vancouver man is taking his complaint about foreign outsourcing of studen loans to the Privacy Commissioner, according to the Georgia Straight:

Straight.com: Student-Debt Activist Seeks Privacy Probe:

"A Vancouver man has asked the federal privacy commissioner to investigate the outsourcing of Canada student loans to a U.S.-owned company. Mark O'Meara, founder of the www.canadastudentdebt.ca/ Web site, claimed that as a result of a recent corporate takeover, Nebraska-based Nelnet has access to all federal student debtors' personal information and financial data.

On December 6, Nelnet announced that its wholly owned Canadian subsidiary had completed its purchase of a CIBC subsidiary, Edulinx Canada Corp., which administers the Canada Student Loans Program on behalf of the federal government. According to Human Resources and Skills Development Canada, more than 1.8 million students have borrowed approximately $15.6 billion through the Canada Student Loans Program since 1993.

In an e-mail to the Straight, O'Meara stated that the federal privacy commissioner should examine whether student-loan data is now subject to the USA PATRIOT Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism). Under Section 215 of the act, the FBI is permitted to obtain secret court orders to obtain "any tangible things".

On October 29, provincial Information and Privacy Commissioner David Loukidelis released a report concluding that there is a "reasonable possibility" of unauthorized disclosure of personal information under the USA PATRIOT Act. He issued numerous recommendations to mitigate this risk.

O'Meara claimed that the federal privacy commissioner's office never responded to his e-mail asking for an investigation. Federal Privacy Commissioner Jennifer Stoddart also did not respond to the Straight's request for an interview by deadline.

Nelnet's Nebraska-based spokesperson, Ben Kiser, told the Straight that nothing will change for students and borrowers as a result of the change in ownership. "Edulinx will remain a Canadian firm with operations in Canada," he said. "That means all processing, call-centre, data-storage, records-storage, and other student-loan functions will continue to take place exclusively in Canada."

Last August, however, the American Civil Liberties Union filed a submission to Loukidelis claiming that the FBI could obtain personal records stored by a subsidiary of a U.S. corporation operating in another country. In one instance, a U.S. grand jury subpoenaed a foreign-bank employee while he was on U.S. soil. In a separate submission filed by the B.C. Government and Service Employees' Union, ACLU lawyer Jameel Jaffer claimed that the USA PATRIOT Act could enable the FBI to obtain entire databases of personal records without notifying anyone."

Wednesday, December 15, 2004

Privacy and the negative option

Apparently the Privacy Commissioner's office is currently investigating a complaint related to the "opt out" policy of one of Canada's largest telecommunications companies. While this is not entirely a new issue, this article - in and of itself - demonstrates that complainants can easily seek publicity for their complaints as the media is very interested in covering privacy issues these days.
Yahoo! News - Privacy commissioner investigating new Rogers 'negative option' complaint:

"TORONTO (CP) - The federal privacy commissioner's office has opened an investigation into a Toronto man's complaint that the Rogers Wireless service contract includes a 'negative option' privacy policy that is illegal.

Communications consultant Michael Krauss complained in September about a fine-print section of the company's service agreement that requires cellphone customers to fill out an online form or contact a customer service representative to prevent Rogers from disseminating information to other Rogers companies for telemarketing. 'I have commenced an investigation under the Personal Information Protection and Electronic Documents Act (PIPEDA) that Rogers Wireless is allegedly using negative consent when obtaining customers' permission to collect, use and disclose their personal information,' senior privacy investigator Kasia Krzymien told Krauss in a letter dated last Friday.... "

Alberta Government 'dropped ball' on security breach

Following the incident in which sensitive personal information of senior public servants was found in the course of a drug bust (see Article: Dumpster-diving meth-heads collect info for ID thieves and Incident: Massive leak of personal information in Edmonton, Alberta), the Alberta Information and Privacy Commissioner has released his report. The breach originated with the private contractor, the investigation found, but the government didn't do enough to obtain privacy assurances:

Government 'dropped ball' on security breach:

"The Klein government is not living up to its own rules regarding the security of personal information it collects, charge Opposition Liberals. Edmonton Manning Grit MLA Dan Backs said a report prepared by the privacy commissioner's office into the discovery of personal documents pertaining to senior government officials in a city hotel room last month shows the government is 'failing miserably' in its duties.

'The government really dropped the ball on this one,' Backs said yesterday. 'The government ministers responsible (for the Solicitor General department and Personnel Administration Office) are failing miserably in their responsibility to protect the privacy of Albertans.' However, the report states the leak did not occur at the government level, but rather with TransUnion Credit Information Services Inc., a credit-reporting agency...."

Monday, December 13, 2004

Jurisdictional limitations on Canadian privacy law

Canada's privacy law is already hobbled by the constitutional division of power. For example, as a federal law, it cannot apply to the provincially regulated workplace. But, theoretically, it can apply outside of Canada's border. This has been the theoretical position of officials from the Office of the Privacy Commissioner. However, when dealing with an actual complaint, the Commissioner did not extend the federal privacy law to an organization entirely outside of Canada.

Michael Geist, in his weekly Toronto Star Column, reports on an as-of-yet unpublished finding of the Commisioner that concludes that the law cannot regulate the use of Canadian personal information that is in the hands of an organization that has no presence in this country:

TheStar.com - CIBC breach spotlights hole in privacy law:

"...According to a recent unpublished letter from the privacy commissioner, the answer is unfortunately no. The Commissioner has adopted the position that Canada's privacy legislation stops at the border and that her office does not have the power to investigate companies that do not have a physical presence in Canada.

The letter was issued in response to a complaint launched by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Abika.com, a U.S. company that harvests databases and public reports. The company uses the information to produce reports that allegedly include, in some cases, psychosexual profiles. CIPPIC filed its complaint in June, claiming that Abika collects, uses, and discloses the personal information of Canadians without their consent in violation of Canada's national privacy law.

The privacy commissioner's office responded privately to Canadian Internet Policy and Public Interest Clinic two weeks ago. It noted that the company does not have a physical presence in Canada and therefore concluded that 'while the organization may well be collecting information on Canadians, our legislation does not extend to investigating organizations located only in the United States. We are, therefore, unable to investigate this matter under PIPEDA' (the Personal Information Protection and Electronic Documents Act, Canada's national privacy law that governs how businesses collect and use personal information)...."

I tend to agree with Michael ... the Privacy Commissioner could have asserted jurisdiction and then dealt with the challenges of enforcement. This would at least have left the complainant with the ability to take the finding to the Federal Court of Canada to see if a real remedy could be fashioned.

Under traditional principles of international law, there are six bases on which a country such as Canada can assume jurisdiction to proscribe the actions of individuals and companies. (In most cases, these principles have arisen in the criminal law context but there is no reason to believe the Canadian courts would not apply them.) Four of the bases for jurisdiction are relevant to this discussion:

  • Territorial Principle – A state has the jurisdiction to regulate individuals and subjects within its territory, including internal waters and airspace. This is the primary and most universal base for jurisdiction.
  • Nationality Principle – Civil law countries have traditionally asserted jurisdiction over their nationals, regardless of where they may be located.
  • Passive Personality Principle – States have assumed jurisdiction over crimes committed abroad against its nationals.
  • By Agreement – A country may, by agreement, grant another country jurisdiction over certain persons or subjects within its borders.

Traditionally, the territorial principle has been the most persuasive and widely applied. This is based on the fundamental principle of international sovereignty that a state has absolute jurisdiction over "all persons, citizens and aliens alike, and things within its territory."

The Supreme Court of Canada’s decision in Libman v. The Queen is the leading Canadian authority on the issue of how and when a Canadian court may assert jurisdiction. Libman dealt with a "telemarketing scam" where the calls originated from Canada but were made to residents of the United States. Justice LaForest, who delivered the judgment of the unanimous court, recited the relevant facts:

3 During the period covered by the informations, Mr. Libman operated a telephone sales solicitation room (or "boiler room") at 43 Menin Road in Toronto, where a number of individuals were employed as telephone sales personnel. Pursuant to Mr. Libman's directions the sales personnel telephoned United States residents and attempted to induce them to purchase shares in two companies, Hebilla Mining Corporation and Claravella Corporation, which purported to be engaged in gold mining in Costa Rica. In addition to the telephone representations, the United States residents also received promotional material which was mailed from Panama City, Panama and San José, Costa Rica by associates of Mr. Libman.

4 The telephone sales personnel, on the direction of Mr. Libman, made material misrepresentations with respect to their identity, where they were telephoning from, and the quality and value of the shares they were selling. As a result of these misrepresentations, a large number of United States residents were induced to purchase shares in the two mining companies. There was some evidence tendered at the preliminary inquiry from which it could be inferred that these shares were virtually worthless.

5 The United States residents who agreed to purchase shares were told by the telephone sales personnel to send their money to offices operated by Mr. Libman's associates in either San José, Costa Rica or Panama City, Panama. There was evidence tendered that Mr. Libman went to a location outside Canada, usually Costa Rica or Panama, to meet with his associates and receive his share of the proceeds of the sale of the shares. Mr. Libman then brought this money back to Toronto and distributed a portion of it to his sales personnel. There was also evidence tendered at the preliminary inquiry with respect to the wire transfer of monies from Panama City to Mr. Libman in Toronto.

The appellant, Mr. Libman, was charged in Canada with fraud under the Criminal Code. In his defence, the appellant argued that Canada did not have the jurisdiction to prosecute him for the offence as the deprivation of the victim is the essential element of the offence and, if it did occur at all, it did not occur in Canada.

Justice LaForest began with the essential principle of territorial jurisdiction:

11 The primary basis of criminal jurisdiction is territorial. The reasons for this are obvious. States ordinarily have little interest in prohibiting activities that occur abroad and they are, as well, hesitant to incur the displeasure of other states by indiscriminate attempts to control activities that take place wholly within the boundaries of those other countries; see R. v. Martin, [1956] 2 All E.R. 86, at p. 92. … As well, along with other types of protective measures, states increasingly exercise jurisdiction over criminal behaviour in other states that has harmful consequences within their own territory or jurisdiction; see The Lotus (1927), P.C.I.J., Ser. A., No. 10. It follows from this that the same criminal act may occasionally be subject to prosecution in more than one country, a matter to which I shall refer from time to time.

The analysis is relatively straightforward where all the elements and effects of an alleged offence are within the bounds of the prosecuting state: Territorial and subject matter jurisdiction unambiguously provide that state with sufficient grounds to assert jurisdiction. In fact, it would be difficult for another state to attempt to exert jurisdiction. Matters become much more complicated when transnational activities are in question:

16 The cases reveal several possibilities, of which I mention a few. One is to assume that jurisdiction lies in the country where the act is planned or initiated. Other possibilities include the place where the impact of an offence is felt, where it is initiated, where it is completed, or again where the gravamen, or essential element of the offence took place. It is also possible to maintain that any country where a substantial or any part of the chain of events constituting an offence takes place may take jurisdiction.

17 Though counsel for Mr. Libman argued that exclusive jurisdiction belongs to the country where the gravamen of the offence took place or where it was completed, a review of the English authorities does not really support that position. What it shows is that the courts have taken different stances at different times and the general result, as several writers have stated, is one of doctrinal confusion, a confusion compounded by the fact that the discussion often focuses on the specific offence charged, a discussion made more complicated by the further fact that some offences are aimed at the act committed and others at the result of that act.

After surveying the threads of English and Canadian jurisprudence, LaForest J. concluded that a Canadian court may assert jurisdiction in circumstances where there is a "real and substantial link" between the offence and Canada:

74 I might summarize my approach to the limits of territoriality in this way. As I see it, all that is necessary to make an offence subject to the jurisdiction of our courts is that a significant portion of the activities constituting that offence took place in Canada. As it is put by modern academics, it is sufficient that there be a “real and substantial link” between an offence and this country, a test well-known in public and private international law; see Williams and Castel, supra; Hall, supra. As Professor Hall notes (p. 277), this does not require legislation. It was the courts after all that defined the manner in which the doctrine of territoriality applied, and the test proposed simply amounts to a revival of the earlier way of formulating the principle. It is in fact the test that best reconciles all the cases. The only ones that do not fall within it are those like Harden and Rush which, in my view, should no longer be followed.

75 That this approach is attuned to modern times is evident from the fact that some variant of it has been recommended by numerous law reform bodies or adopted in legislation…

76 Just what may constitute a real and substantial link in a particular case, I need not explore. There were ample links here. The outer limits of the test may, however, well be coterminous with the requirements of international comity.

77 As I have already noted, in some of the early cases the English courts tended to express a narrow view of the territorial application of English law so as to ensure that they did not unduly infringe on the jurisdiction of other states. However, even as early as the late 19th century, following the invention and development of modern means of communication, they began to exercise criminal jurisdiction over transnational transactions as long as a significant part of the chain of action occurred in England. Since then means of communications have proliferated at an accelerating pace and the common interests of states have grown proportionately. Under these circumstances, the notion of comity, which means no more nor less than “kindly and considerate behaviour towards others”, has also evolved. How considerate is it of the interests of the United States in this case to permit criminals based in this country to prey on its citizens? How does it conform to its interests or to ours for us to permit such activities when law enforcement agencies in both countries have developed cooperative schemes to prevent and prosecute those engaged in such activities? To ask these questions is to answer them. No issue of comity is involved here. In this regard, I make mine the words of Lord Diplock in Treacy v. Director of Public Prosecutions cited earlier. I also agree with the sentiments expressed by Lord Salmon in Director of Public Prosecutions v. Doot, supra, that we should not be indifferent to the protection of the public in other countries. In a shrinking world, we are all our brother's keepers. In the criminal arena this is underlined by the international cooperative schemes that have been developed among national law enforcement bodies.

78 For these reasons, I have no difficulty in holding on the facts agreed upon for the purpose of this appeal, that the counts of fraud with which the appellant is charged may properly be prosecuted in Canada, and I see nothing in the requirements of international comity that would dictate that this country refrain from exercising its jurisdiction. Since these fraudulent activities took place in Canada, it follows for the reasons set forth in the Chapman case that the conspiracy count may also be proceeded with in Canada.

It goes without saying that the evolving adoption of privacy and data protection laws are not identical to criminal law, either domestically or internationally. However, analogies are easily made and there is an evolving international cooperative scheme, beginning with the OECD Guidelines.

As the basis for Canada to claim jurisdiction requires a "real and substantial link" between the activity and Canada, one must consider whether the collection of personal information about Canadians by foreign companies would be considered to provide a "real and substantial link" to Canada or the collection of information about non-Canadians by a Canadian company. The facts in Libman are sufficiently analogous to provide authority for the proposition that a court on review would likely find a “real and substantial link” between such activities and Canadian jurisdiction, notwithstanding any argument that the connection is de minimis.

The Personal Information Protection and Electronic Documents Act sets out, at Section 4, the basis of its application:

Application

4. (1) This Part applies to every organization in respect of personal information that

(a) the organization collects, uses or discloses in the course of commercial activities; or

(b) is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.

Limit

(2) This Part does not apply to

(a) any government institution to which the Privacy Act applies;

(b) any individual in respect of personal information that the individual collects, uses or discloses for personal or domestic purposes and does not collect, use or disclose for any other purpose; or

(c) any organization in respect of personal information that the organization collects, uses or discloses for journalistic, artistic or literary purposes and does not collect, use or disclose for any other purpose.

Other Acts

*(3) Every provision of this Part applies despite any provision, enacted after this subsection comes into force, of any other Act of Parliament, unless the other Act expressly declares that that provision operates despite the provision of this Part.

The application section is entirely silent with respect to its intended territorial application. The only reference to specific jurisdictions are contained in the transitional provisions and the definition of "federal work, undertaking or business". The transition provisions begin with Section 30:

DIVISION 5

TRANSITIONAL PROVISIONS

Application

30. (1) This Part does not apply to any organization in respect of personal information that it collects, uses or discloses within a province whose legislature has the power to regulate the collection, use or disclosure of the information, unless the organization does it in connection with the operation of a federal work, undertaking or business or the organization discloses the information outside the province for consideration.

Application

(1.1) This Part does not apply to any organization in respect of personal health information that it collects, uses or discloses.

Expiry date

*(2) Subsection (1) ceases to have effect three years after the day on which this section comes into force.

*[Note: Section 30 in force January 1, 2001, see SI/2000-29.]

Expiry date

*(2.1) Subsection (1.1) ceases to have effect one year after the day on which this section comes into force.

*[Note: Section 30 in force January 1, 2001, see SI/2000-29.]

These provisions are temporary (and expired on January 1, 2004), as they assist with the gradual implementation of the legislation, providing individual provinces with the ability to put in place substantially similar legislation during the period in which the law only applies to the federally regulated private sector and cross-border sales of information. It may be notable that the cross-border reference says "outside the province" and not "to another province".

In the absence of clear guidance from the statute, one can interpret it to apply in all circumstances where there exists a "real and substantial link" to Canada, following the Supreme Court's guidance in Libman. In any event, there is nothing in the statute that would prevent Canada from assuming jurisdiction in the circumstances set out above.

In the past, Officials with the Office of the Privacy Commissioner have advised that the Commissioner likely would assume jurisdiction where the collection of personal information is about Canadians or Canadian residents or where the collection originates in Canada. This appears to no longer be the case. Not only would the collection take place "in Canada", the Commissioner’s office used to be of the view that PIPEDA is part of an international scheme of privacy protection that could reach over borders.

The Privacy Commissioner has an arguable basis to make this second assertion and assume jurisdiction. As mentioned above, Canada implemented PIPEDA following the OECD Guidelines and in light of threatened restrictions on cross-border data flows caused by the EU Directive. Recital 20 of the EU Directive reads:

(20) Whereas the fact that the processing of data is carried out by a person established in a third country must not stand in the way of the protection of individuals provided for in this Directive; whereas in these cases, the processing should be governed by the law of the Member State in which the means used are located, and there should be guarantees to ensure that the rights and obligations provided for in this Directive are respected in practice;

The EU Directive is implemented, for example, in the United Kingdom's Data Protection Act 1998, which provides that the statute would apply, for example, if a call centre contacting Canadians were located in the United Kingdom:

Application of Act.

5. - (1) Except as otherwise provided by or under section 54, this Act applies to a data controller in respect of any data only if-

(a) the data controller is established in the United Kingdom and the data are processed in the context of that establishment, or

(b) the data controller is established neither in the United Kingdom nor in any other EEA State but uses equipment in the United Kingdom for processing the data otherwise than for the purposes of transit through the United Kingdom.

(2) A data controller falling within subsection (1)(b) must nominate for the purposes of this Act a representative established in the United Kingdom.

(3) For the purposes of subsections (1) and (2), each of the following is to be treated as established in the United Kingdom-

(a) an individual who is ordinarily resident in the United Kingdom,

(b) a body incorporated under the law of, or of any part of, the United Kingdom,

(c) a partnership or other unincorporated association formed under the law of any part of the United Kingdom, and

(d) any person who does not fall within paragraph (a), (b) or (c) but maintains in the United Kingdom-

(i) an office, branch or agency through which he carries on any activity, or

(ii) a regular practice;

and the reference to establishment in any other EEA State has a corresponding meaning.

While Canada is obviously not bound by the EU Directive, it appears to be the spirit of PIPEDA that the Canadian law fit within this general scheme of international data protection.

This may be academic, as this no longer appears to be the position of the Office of the Privacy Commissioner.