Monday, February 28, 2005

US Senator Says Westlaw Data Service Has Lax Rules for Security

In the fallout of the ChoicePoint incident, legislators are turning their eyes to other data aggregators. Senator Schumer (D-NY) held a press conference to show the kind of information that is available to subscribers of Westlaw's People-Find database. He dredged up personal information on high-profile folks, including Paris Hilton (won't they leave the poor - I mean unlucky - girl alone?):

The New York Times > Business > Senator Says Data Service Has Lax Rules for Security:

"As the fallout continued to spread from the news of a security breach at ChoicePoint, a company that inadvertently sold sensitive consumer data to thieves last year, Senator Charles E. Schumer, Democrat of New York, took aim at another data search service, Westlaw. He promised to introduce broad new legislation aimed at curbing identity theft.

At a news conference in Washington yesterday, Mr. Schumer complained that any employee - from high-level managers to interns - of a company subscribing to Westlaw's databases could access sensitive records on millions of people, including Social Security numbers, previous addresses, dates of birth and other data that is valuable to identity thieves.

Mr. Schumer presented a parade of posters of well-known individuals whose information was available on Westlaw, including the former attorney general John Ashcroft, Vice President Dick Cheney, Gov. Arnold Schwarzenegger, the actor Brad Pitt and the heiress Paris Hilton. The posters obscured their personal data...."

The author of this article, Tom Zeller Jr., also had an excellent article on February 24th that is well worth reading: The New York Times > Business > Breach Points Up Flaws in Privacy Laws

Wired News: Known Hole Aided T-Mobile Breach

Wired News is reporting that a simple "script kiddie" exploit was responsible for the breach of T-Mobile's systems last year that allowed a hacker to, among other things, read Secret Service e-mail and view celebrities' private photos: Wired News: Known Hole Aided T-Mobile Breach. It is unclear whether this is connected to the most recent Paris Hilton incident.

Hearings set as congressional concern grows over identity theft

While committee hearings don't guarantee action, I will be very interested to see what is said during hearings before the Senate Judiciary Committee on the topic of identity theft and data aggregators. Such a hearing is being hastily scheduled, according to Cox News Services:

Hearings set as congressional concern grows over identity theft:

"WASHINGTON - The Senate Judiciary Committee will hold a hearing on identity theft and data brokers, its chairman announced Thursday.

The announcement reflected mounting concern in Congress over revelations that criminals were able to buy personal information on hundreds of thousands of individuals from ChoicePoint, an Alpharetta, Ga., consumer data company.

Senate Democrats, including Charles Schumer of New York, Dianne Feinstein of California and Patrick Leahy of Vermont, are pushing for legislation to tighten access to such data and have called for hearings.

'I got a letter from Senator Leahy yesterday on the identity theft issue, and I immediately said we can hold a hearing,' Sen. Arlen Specter, R-Pa., said at a news conference. A date for the hearing has not been set.

Specter's comments came just before Schumer announced that he is urging Westlaw, a Minnesota research company, to close an 'egregious loophole' on its Web site that could let anyone buy an individual's Social Security number and other personal information.

In a letter to Westlaw, Schumer urged the company to 'immediately suspend' its service, People-Find, which provides subscribers with personal information about millions of individuals over the Internet.

'Westlaw's People-Find service might as well be the first chapter of 'Identity Theft for Dummies,'' said Schumer. 'Criminals no longer need to forage through dumpsters for discarded bills. They just need to send Westlaw a check and they're in business.'

As an example, Schumer said his staff was able to use People-Find to obtain the Social Security numbers of Vice President Dick Cheney and celebrities Jennifer Aniston, Brad Pitt and Paris Hilton.

Schumer said he knew of no case in which Westlaw's service had been used to illegally obtain a person's personal data.

The senator said he would introduce legislation to establish federal rules limiting who can provide or sell access to private information.

Thomson West, which operates the Westlaw online legal research service, said in a statement, "We share Senator Schumer's serious concerns about identity theft. We have been working with his office on this issue, communicated our mutual concerns, and provided information on our strict policies regarding access to Social Security numbers."

The company said that under its policies, sensitive public information is limited to "a very limited number of specialized customers, such as legislative, regulatory and government agencies."

Commentary on ChoicePoint

Scott Bradner (a consultant with Harvard University's University Information Systems) recounts in NWFusion what are, in his view, the failings of ChoicePoint brought to light in the latest incident and hopes that it will lead to national mandates to protect personal information:

Dumber decisions - safer world?:
  • "The company's validation procedures for permitting access to its databases were clearly inadequate. Maybe the company decided that it was too expensive to do things correctly - for example, by visiting all companies before granting access?
  • ChoicePoint didn't tell any of the people whose data was stolen that they were at risk for identity theft for almost five months. The company said it was the cops who didn't give a hoot about warning people that their good names were in imminent danger and told ChoicePoint not to tell anyone. Maybe, but ChoicePoint's later actions indicate that it was not exactly eager to do what was right.
  • When ChoicePoint finally admitted that something had happened, the company downplayed it and said that the only people who were at risk were 35,000 or so Californians. Perhaps not coincidentally, California by law is the only state where people whose private information is exposed by such breaches must be notified.
  • Only after considerable pressure, including a letter from 38 state attorneys general demanding that people at risk in their states also be notified, did ChoicePoint belatedly say it would send letters to 110,000 additional people. (One wonders if the attorneys general of the other states think that identity theft is OK.) Since that expansion, there have been news reports that the number of people whose data was accessed might exceed 500,000.
  • ChoicePoint includes information that it doesn't need to in the reports it provides - such as a Social Security number in its personal property and personal auto reports (samples of which are on the company's Web page). I understand the company might want to include the ability to look someone up using a Social Security number, but I don't understand why "

Sunday, February 27, 2005

NYT: Some Sympathy for Paris Hilton

The most recent Sunday New York Times has an article on the past week in privacy. Both the Paris Hilton and ChoicePoint incidents are discussed. The Times also quotes Bruce Schneier, the author of Schneier on Security.

The New York Times > Week in Review > Some Sympathy for Paris Hilton:

"...But the implications of the problem at ChoicePoint are enormous, said Daniel J. Solove, an associate professor of law at George Washington University and author of 'The Digital Person: Technology And Privacy in The Information Age.' The company, he noted, has collected information on practically every adult American, and 'these are dossiers that J. Edgar Hoover would be envious of.' Government has looked into ways to mine commercial data to detect patterns of suspicious activity, he noted, and it will continue to do so. But who watches the watchers? Lawmakers like Senators Charles Schumer of New York and Dianne Feinstein of California are calling for tighter regulation of data brokers. That would be a good idea, said Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington. 'It's a big, largely unregulated industry that doesn't bear consequences when things go wrong.' Even those who pursue fame, he noted, deserve a measure of privacy...."

Summaries of incidents cataloged on PIPEDA and Canadian Privacy Law

Since I started this blog in January 2004, I have noted a few incidents related to inappropriate release of personal information. After an e-mail exchange with Rob Hyndman, I thought it would be interesting to figure out how many incidents I've blogged about. So here is a brief catalog of what I've picked up over the last year and a bit.

Hacking and inappropriate disposal rank highly as the reasons for ending up on this list. But, if there is one thing to learn from all of this: inadequate security of personal information is the one practice that is the most likely to put your company on the front pages of the paper and to destroy any customer trust you've managed to develop.

Last updated - 20050405

Should service providers force you to practice safe passwording?

While T-Mobile tries to sort out the mess following the hacking of Paris Hilton's T-Mobile account, the company has issued a press release urging that customers take some steps to protect themselves.

While the pointers are sensible, I am surprised that none of the big online services force consumers to do this. I know that when I have to change my password at work, it cannot be fewer than X characters, it has to be a mix of uppercase and lowercase, it must contain a specified number of non-alphanumeric characters and it cannot be a password that I've already used. Services like T-Mobile, Gmail, Yahoo, Hotmail, etc. can easily be configured to require the same, I am sure. Perhaps they are concerned that customers will balk at not being able to set their passwords as "password"?

T-Mobile Statement on Security and Privacy:

"Along with the considerable resources T-Mobile has and will continue to dedicate to customer security, there are some specific actions we recommend customers take to help protect their mobile phone accounts and personal data.

-- T-Mobile customers should ensure they utilize passwords and change them frequently to safeguard personal information in the following three areas:

-- On my.t-mobile.com - the Web self-service tool.

-- Attached to their account, when calling a Customer Service Representative.

-- On their voicemail box.

-- Be sure the password to access my.t-mobile.com has a combination of letters and numbers.

-- Change passwords at least every 60 days; never give out passwords, even to friends or family; and memorize passwords.

-- If a device is lost, or notice suspicious activity on an account, call T-Mobile immediately.

If a T-Mobile customer has a question about service, or would like further password assistance, simply visit my.t-mobile.com; or a T-Mobile representative can help you by dialing 611 from a T-Mobile phone, or calling 1-800-937-8997."

Online trust is falling

PrivacyDigest is reporting that consumer confidence in electronic commerce is falling:

"The BBC and ZDNet are reporting on an RSA poll of 1,000 users about failing confidence in ecommerce. 43% of respondents were reluctant to give details to online sites and 70% said that firms were not doing enough to keep their data secure. The BBC goes on to quote experts who back up the perception, ZDNet claims that action is being taken and is well." [Slashdot]

In light of the most recent privacy/security incidents, it is not a surprise.

Saturday, February 26, 2005

Momentum Building Against Database Aggregation of Personal Data?

In his blog today, Canadian technology lawyer Rob Hyndman asks: "Momentum Building Against Database Aggregation of Personal Data?"

I'm very interested to see how the latest round of incidents is going to play out in the United States. Apparently the Bank of America incident specifically involves the personal information of US legislators who carry a special Visa card for government employees. This may hit a little close to home for those with their hands on the levers of power.

There's an interesting dynamic in the United States at the moment. Consumers are increasingly worried about identity theft. The growth of this sort of crime is spurred by the inadequate security of personal information and security breaches (such as ChoicePoint and BoA). Agglomerating all this sensitive financial information by data aggregators dramatically increases the risk of significant consequences if security is breached.

But, at the same time, there is pressure to have higher quality personal information available to so-called legitimate businesses, such as credit grantors.

This data is also used to prevent credit fraud (see PIPEDA and Canadian Privacy Law: Identity-verifying questions are getting personal). Biometrics and big databases can also be used to positively verify the identity of those applying for credit. If, for example, there were a reliable database of biometric identifiers available to financial institutions, a credit card company can make sure that someone applying for credit in the name of Bob Smith is the Bob Smith and not someone who happened to snatch a pre-approved credit card mailout from Bob's mailbox.

(As an aside, I think that ID theft would drop dramatically if it were illegal to open a credit facility for anybody whose identity is not positively identified.)

There's also a sense that these databases are useful to prevent terrorism and lesser crimes. They are routinely used to run background checks and, according to ChoicePoint, law enforcement are significant customers of these systems. There will be continued pressure to make these databases available for such use.

We will never see the end of these databases, but I am waiting to see how the contrary pressures will eventually play out.

So what's the solution? I think the ten principles from the Canadian Standards Association Model Code for the Protection of Personal Information are a good start (see the Code as Schedule I to PIPEDA), coupled with a positive obligation to report any breach of security related to one's personal information.

  • Individuals should have a right to know what their personal information will be used for.
  • Organizations should not be able to collect information (from any source) unless the individual consents. For example, a credit grantor should not run a credit check without the consent of the individual and a data aggregator should not release the credit report unless it has confirmation that the individual has consented.
  • Public records should not be "mined" for collateral uses unrelated to the purpose of the original record unless the individuals concerned have consented.
  • Individuals should have access to all their records, including information about to whom they have been disclosed. This should be provided free of charge by data aggregators as a cost of doing business.

The exceptions to the ten principles of the CSA Model Code that are in PIPEDA are generally sensible, recognizing that there are circumstances where consent should not be required or where access can be denied.

But will the US implement anything like this on a national basis? Probably not, but if they want my opinion they are welcome to it.

Friday, February 25, 2005

Interesting: How Do Cell Phones Reveal Your Location?

I was searching Slate and happened upon this interesting article, which discusses how your movements (current and historical) can be tracked using your cell phone.

How Do Cell Phones Reveal Your Location? By Brendan I. Koerner:

"...Location data extrapolated from tower records is frequently used in criminal cases. It was vital, for example, to the prosecution of David Westerfield, who was convicted of murdering 7-year-old Danielle van Dam in San Diego. The killer's cell-phone usage revealed a bizarre travel pattern in the two days following the girl's disappearance, including a suspicious trip to the desert. In cases like this, wireless providers will not release a user's records without a court order, save for rare instances in which a kidnapping has taken place and time is of the essence...."

One thing that the article did not highlight is that as long as your phone is on, it is regularly communicating with the local towers, generally checking into the network and checking for messages. This information can be logged and often is. So even if you aren't talking on the phone, it can reveal your location.

Incident: Bank of America loses data on 1.2 MILLION customers

MSNBC is reporting that the Bank of America has lost computer backup tapes containing very sensitive personal information about 1.2 million US federal employees. One point two million. 1,200,000. One million two hundred thousand. That's a lot of data to lose, a lot of letters to send out and a lot of mea culpas.

MSNBC - Bank of America loses customer data:

"CHARLOTTE, N.C. - Bank of America Corp. has lost computer data tapes containing personal information on up to 1.2 million federal employees, including some members of the U.S. Senate.

The lost data includes Social Security numbers and account information that could make customers of a federal government charge card program vulnerable to identity theft.

Sen. Pat Leahy, D-Vt., is among those senators whose personal information is on the missing tapes, spokeswoman Tracy Schmaler said...."

Statement of Claim in the CIBC Class Action

I've just read the Statement of Claim filed in the recent class action lawsuit filed against CIBC in connection with the "faxing fiasco". If you are a privacy nerd, it makes interesting reading ...

Update: April 18, 2005 - PIPEDA and Canadian Privacy Law: Privacy Commissioner of Canada releases her report on the CIBC faxing incidents

Incident: Online payroll service discloses W2 forms of thousands of US workers

Slashdot has a discussion of yet another incident that has resulted in the potential exposure of highly sensitive personal information of thousands of Americans:

http://it.slashdot.org/article.pl?sid=05/02/25/2028242 from the that-why-we-use-these-password-things dept.

ThinkComp writes "PayMaxx, Inc. is a web-based payroll processing company, and they recently notified me that my on-line form W-2 was available. And so it was, along with the W-2 (including SSN and salary data) of every other one-time PayMaxx customer dating back at least five years, possibly 100,000 in all. Through news.com, PayMaxx reports, 'PayMaxx has made and continues to make every effort to secure its system against any breach,' which is why part of their site has been down now for several days."

For Canadians, W-2 forms are the same as our T4 tax forms that employers issue, which includes the name, address, social insurance number, income, deductions, etc.

A summary of the problem is reported in a Think Computer Whitepaper:

It is this feature of the PayMaxx system that is gravely flawed. While PayMaxx’s programmers took care to ensure that their system’s authentication software worked well, they took less care to protect the code that dynamically generated form W-2, and each form includes a person’s home address, aggregate payroll, and Social Security number. Perhaps the team that created it lost sight of the sensitivity of this information; as a programmer, it is easy to become focused on the detailed mechanisms that make your program work and forget about the “big picture,” but in any event, it is still not a very good excuse. The result of this mistake was that when PayMaxx announced the availability of 2004 W-2s on-line, the home address, aggregate payroll, and Social Security number of each and every one of PayMaxx’s customers became available to us here at Think. By simply changing one number in a hyperlink on PayMaxx’s “secure” web site, it was possible to scan through PayMaxx’s entire W-2 database for the year 2004.

PayMaxx stored each employee’s data record sequentially in a table—a perfectly normal and acceptable practice, and one that Think uses frequently in its own software, but also one which made it possible to always guess the ID of the next record by simply adding 1. In software based on the Think Lampshade platform, each HTTP request is checked against a security array to verify that the user signed in actually has access to the data being requested. In PayMaxx’s software, this process simply didn’t exist. Anyone with access to the system could view the W-2s of employees with whom they had had no connection whatsoever. Furthermore, by simply subtracting the first ID from the last ID that allowed this behavior, it was possible to ascertain the number of W-2 forms that PayMaxx had printed for the 2004 tax year: 25,468. In other words, a glitch on a single web page made it possible to access the Social Security numbers and salaries of 25,468 individuals nationwide.

Update: CNet news is reporting that PayMaxx has closed its service while it figures out how to fix the problem - Payroll site closes on security worries CNET News.com.
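The per-request access check that the whitepaper says was missing, sketched as an added example (this is not code from PayMaxx, Think Computer or this blog). It sets a lookup that trusts the ID in the request beside one that verifies the signed-in account against the record, and adds a log check that flags one account being refused across a run of consecutive IDs; every name, record ID and log line is constructed for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class W2Record:
    record_id: int   # sequential primary key, as in the whitepaper
    owner: str       # employee account the form belongs to
    employer: str    # employer account that may also view it
    summary: str


# Constructed sample data (hypothetical accounts and IDs).
RECORDS = {r.record_id: r for r in [
    W2Record(1001, "alice", "acme", "W-2 2004 for alice"),
    W2Record(1002, "bob", "acme", "W-2 2004 for bob"),
    W2Record(1003, "carol", "globex", "W-2 2004 for carol"),
]}


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def fetch_w2_unchecked(session_user, record_id):
    """Flawed pattern: the caller is signed in, but the ID from the
    request is trusted and never compared with the session."""
    rec = RECORDS.get(record_id)
    if rec is None:
        raise NotFound(record_id)
    return rec


def may_view(session_user, rec):
    """Access rule assumed for this example: the employee or the employer."""
    return session_user in (rec.owner, rec.employer)


def fetch_w2_checked(session_user, record_id):
    """Hardened pattern: authorize every request against the record.
    Missing and forbidden records get the same answer, so responses
    cannot be used to measure how many records exist."""
    rec = RECORDS.get(record_id)
    if rec is None or not may_view(session_user, rec):
        raise Forbidden(record_id)
    return rec


# Constructed access-log lines in a hypothetical format.
SAMPLE_LOG = [
    "2005-02-24T10:00:01 user=alice GET /w2?id=1001 200",
    "2005-02-24T10:00:09 user=acme GET /w2?id=1001 200",
    "2005-02-24T10:00:12 user=acme GET /w2?id=1002 200",
    "2005-02-24T10:01:00 user=dave GET /w2?id=1001 403",
    "2005-02-24T10:01:01 user=dave GET /w2?id=1002 403",
    "2005-02-24T10:01:02 user=dave GET /w2?id=1003 403",
    "2005-02-24T10:01:03 user=dave GET /w2?id=1004 403",
    "2005-02-24T10:02:00 user=bob GET /w2?id=1003 403",
]

LOG_LINE = re.compile(r"user=(\S+) GET /w2\?id=(\d+) (\d{3})$")


def longest_consecutive_run(ids):
    """Length of the longest run n, n+1, n+2, ... among the given IDs."""
    best = run = 0
    prev = None
    for i in sorted(set(ids)):
        run = run + 1 if prev is not None and i == prev + 1 else 1
        best = max(best, run)
        prev = i
    return best


def flag_enumeration(log_lines, threshold=3):
    """Return accounts whose refused (403) requests cover at least
    `threshold` consecutive record IDs."""
    denied = defaultdict(list)
    for line in log_lines:
        m = LOG_LINE.search(line)
        if m and m.group(3) == "403":
            denied[m.group(1)].append(int(m.group(2)))
    return sorted(u for u, ids in denied.items()
                  if longest_consecutive_run(ids) >= threshold)


if __name__ == "__main__":
    print(fetch_w2_unchecked("alice", 1003).summary)  # another person's form
    print(flag_enumeration(SAMPLE_LOG))
```

Random, non-sequential identifiers make guessing harder but do not replace the ownership check, which is what actually decides who may read a record.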

beSpacific: Privacy and E-Health Records

Sabrina at beSpacific is pointing to some great stuff on patient privacy and public attitudes in the United States.

beSpacific: Privacy and E-Health Records:

Press release: "U.S. adults are divided right down the middle on whether the potential privacy risks associated with a patient electronic medical record system outweigh the expected benefits to patients and society, according to Dr. Alan F. Westin, Professor of Public Law & Government Emeritus, Columbia University and Director of a new Program on Information Technology, Health Records & Privacy at Privacy & American Business (P&AB)."

Related references:

  • Dr. Alan Westin's February 23, 2005 testimony (PDF) before HHS's National Committee on Vital and Health Statistics Subcommittee on Privacy and Confidentiality at the Hearings on Privacy and Health Information Technology.

  • How the Public Views Health Privacy: Survey Findings from 1978 to 2005 (PDF)

Guest blogger: Comment on Canada (Minister of National Revenue) v. Toronto Dominion Bank

Mathew Englander sent me the following, which he has allowed me to post ...

Canada (Minister of National Revenue) v. Toronto Dominion Bank

The case arose from the investigation of a tax debtor, "J.M.". MNR [the Minister of National Revenue] found out about a cheque for $10,000 which someone had written to J.M., and which J.M. had endorsed and deposited to a certain numbered account at Toronto Dominion Bank. MNR wanted to know whether J.M. had tried to reduce his property at the expense of his creditors. Therefore MNR sent the Bank a requirement to provide information about the account, under subsection 231.2(1) of the Income Tax Act. The branch responded that the account-holder was not J.M., and refused to name the account-holder. MNR sent two more notices under subsection 231.2(1) but the Bank still refused to comply. Thus MNR brought an application in Federal Court under subsection 231.7(1) of the Income Tax Act, seeking an order compelling the Bank to provide the name and contact information of the account-holder.

Justice Tremblay-Lamer dismissed the application. MNR's appeal was dismissed with Justice Décary writing for the panel of the FCA.

Under the holding, MNR needs prior judicial authorization to seek information relating to an *unnamed* individual. Subsection 231.2(1) allows MNR to issue a requirement-to-provide-any-information-or-document and does not require prior judicial authorization if the information or document relates to a *named* individual. However, as the FCA held, where MNR does not know the name of the individual about whom it seeks information, it must obtain judicial authorization under subsection 231.2(3). That subsection requires that the judge be satisfied that the requirement is made to verify compliance by the individual with a duty or obligation under the Income Tax Act (http://canlii.com/ca/sta/i-3.3/sec231.2.html). Here, MNR would not have been able to satisfy that criterion because it had no reason to believe that the account-holder had contravened the Income Tax Act.

From a privacy-law viewpoint, it is good to know that MNR is held to stringent compliance with the statute when it seeks information or documents about someone from a bank. On the other hand, one might ask why the statute permits MNR to require a bank to provide information about a named individual, without prior judicial authorization and without notice to the individual.

MNR had argued that unless its appeal was allowed, its power of issuing a requirement-to-provide-any-information-or-document would be "seriously compromised". Reading between the lines, I infer that in the past, financial institutions have provided MNR with information relating to unnamed individuals, without the requisite prior judicial authorization. Kudos to Toronto Dominion Bank for successfully fighting MNR in court on this issue, and for protecting its customer's privacy in this case by refusing to disclose the information to MNR without clear statutory authority for the demand. (In theory, the Bank could have been prosecuted under subsection 238(1) of the Income Tax Act for failing to comply with MNR's demand for information.)

The FCA's decision is dated October 25, 2004, but the English-language translation just recently became available. MNR did not seek leave to appeal to the Supreme Court of Canada.

Mathew Englander

Thursday, February 24, 2005

Wednesday, February 23, 2005

Jurisdictional limits on Canadian privacy law

David T.S. Fraser*

This article is reprinted from the February 2005 edition of the Canadian Privacy Law Review (2:5), Michael Geist, editor-in-chief.

Canada's federal privacy law is already hobbled by the country’s constitutional division of powers. By relying upon the federal parliament’s “general trade and commerce” powers, the Personal Information Protection and Electronic Documents Act (“PIPEDA”) cannot apply to the provincially regulated workplace. Likewise, it cannot apply to the non-commercial operations of charities and the “MUSH” sector, meaning municipalities, universities, schools and hospitals. While there are sectors beyond PIPEDA’s reach, the question of whether PIPEDA applies to commercial activities that take place outside Canada's borders remains.

Until recently, the putative position of officials from the Office of the Privacy Commissioner has been that PIPEDA can apply to the collection, use and disclosure of personal information about Canadians by foreign companies. The issue has ceased to be theoretical thanks to an unpublished finding of the Assistant Privacy Commissioner dealing with a complaint brought by the Canadian Internet Policy and Public Interest Clinic (“CIPPIC”), associated with the University of Ottawa Law School. In the Assistant Commissioner’s letter to CIPPIC,[1] her office declined to initiate an investigation because the company involved had no presence in Canada. This represents a complete reversal from the previous (unofficial and hypothetical) position of the Office of the Privacy Commissioner.

The letter from the Assistant Commissioner was issued in response to a complaint under PIPEDA launched by CIPPIC against Abika.com, a U.S. company that harvests databases and public sources to produce reports that allegedly include personal information up to and including psychosexual profiles of individuals. This service provides information on Americans and Canadians. CIPPIC filed its complaint in June, claiming that Abika collects, uses, and discloses the personal information of Canadians without consent in violation of Canada's national privacy law.

In its response, the Office of the Privacy Commissioner noted that the company does not have a physical presence in Canada. This led to their conclusion that “while the organization may well be collecting information on Canadians, our legislation does not extend to investigating organizations located only in the United States. We are, therefore, unable to investigate this matter under PIPEDA.” This conclusion came as a surprise to many because of the unofficial position taken by the Office of the Privacy Commissioner when the question was merely theoretical.

At the risk of only minimal controversy, the Office of the Privacy Commissioner could have asserted jurisdiction to investigate and then dealt with the challenges of enforcement. Modern Canadian principles of conflict of laws, following such seminal cases as Morguard Investments v. De Savoye[2], Tolofson v. Jensen,[3] and Hunt v. T & N PLC[4] provide a strong basis to argue that Canada’s privacy laws can reach beyond its borders where there is a clear and substantial connection with Canada. Such a decision would at least have left the complainant with the ability to take the finding to the Federal Court of Canada to explore whether the Court would fashion a remedy and whether the cooperation of U.S. authorities could be obtained. Declining to accept jurisdiction left the complainant with one option: to seek judicial review of this decision, completely separate from the merits of the original complaint.

At least in its origins, PIPEDA was designed to be a piece of an international system to protect the privacy of consumers and citizens. All privacy statutes in Canada trace their roots back to an initiative undertaken by the Organization for Economic Cooperation and Development (“OECD”) to establish basic levels for the protection of personal information among member states.[5] The 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data were signed by Canada in 1984 but were never formally adopted into Canadian law, though they eventually found their way into the Privacy Act[6] that governs personal information in the custody of the federal government and certain crown agents. According to the former Canadian Privacy Commissioner:

[a]mong the most influential modern formulations of the desire to protect against excessively curious governments and businesses has been the OECD's 1980 Guidelines for the Protection of Privacy and Transborder Flows of Personal Data. In 1984, Canada joined 22 other industrialized nations by adhering to the guidelines. The guidelines were intended to harmonize data protection laws and practices among OECD member countries by establishing minimum standards for handling personal data. The guidelines were not themselves enforceable, but they became the starting point for data protection legislation in countries around the world, including Canada.[7]

The OECD guidelines contain eight fundamental principles of national application dealing with the collection, use, disclosure and retention of personal information.

Following the OECD guidelines, the European community decided to implement and harmonize private sector privacy legislation throughout the continent. The result of this initiative was the European Data Protection Directive[8] which required all member countries of the European Union to implement legislation protecting personal information, hopefully to provide a seamless privacy regime throughout Europe. Most notably, the European Directive included a provision that prevented the transmission of any personal information outside of the European Union unless the recipient country had legislation in place that would offer substantially similar protections. While this provision does not purport to operate extraterritorially, it is demonstrative of an attempt to specifically regulate the cross-border movement of personal information. There is also little doubt that it had an extraterritorial effect.

In the absence of similar and recognized legislation in Canada, the European Data Protection Directive would have prevented the free flow of personal information between Canada and member states of the European Union. The modern economy is predicated on the flow of personal information, either as a good in and of itself or ancillary to other transactions. The prohibitions contained in the European Directive would have amounted to a non-tariff trade barrier between Europe and Canada.

In response to the European Directive and a perceived need to boost electronic commerce, the Canadian government introduced legislation that, it was hoped, would be considered by Europe to be sufficiently similar to the Directive. Both the OECD Guidelines and the European Directive provide the international context in which PIPEDA was born.

In disposing of questions such as the one considered by the Office of the Privacy Commissioner, Canadian courts consider whether there is a “real and substantial” connection between the matter at issue and Canada. If the answer is “yes”, the courts may assume jurisdiction. The “real and substantial connection” test has been more recently used by the Supreme Court of Canada in Society of Composers, Authors and Music Publishers of Canada v. Canadian Association of Internet Providers.[9] In the SOCAN decision, Justice Binnie reviewed the general principles of the extraterritoriality of Canadian laws and concluded that the Canadian Copyright Act[10] may apply to cross-border activities where there is a “real and substantial connection” with Canada:

¶54 While the Parliament of Canada, unlike the legislatures of the Provinces, has the legislative competence to enact laws having extraterritorial effect, it is presumed not to intend to do so, in the absence of clear words or necessary implication to the contrary. This is because "[i]n our modern world of easy travel and with the emergence of a global economic order, chaotic situations would often result if the principle of territorial jurisdiction were not, at least generally, respected"; see Tolofson v. Jensen, [1994] 3 S.C.R. 1022, at p. 1051, per La Forest J.

¶55 While the notion of comity among independent nation States lacks the constitutional status it enjoys among the provinces of the Canadian federation (Morguard Investments Ltd. v. De Savoye, [1990] 3 S.C.R. 1077, at p. 1098), and does not operate as a limitation on Parliament's legislative competence, the courts nevertheless presume, in the absence of clear words to the contrary, that Parliament did not intend its legislation to receive extraterritorial application.

¶56 Copyright law respects the territorial principle, reflecting the implementation of a "web of interlinking international treaties" based on the principle of national treatment (see D. Vaver, Copyright Law (2000), at p. 14).

¶57 The applicability of our Copyright Act to communications that have international participants will depend on whether there is a sufficient connection between this country and the communication in question for Canada to apply its law consistent with the "principles of order and fairness ... that ensure security of [cross-border] transactions with justice"; see Morguard Investments Ltd., supra, at p. 1097; see also Unifund Assurance Co. v. Insurance Corp. of British Columbia, [2003] 2 S.C.R. 63, 2003 SCC 40, at para. 56; R. Sullivan, Sullivan and Driedger on the Construction of Statutes (4th ed. 2002), at pp. 601-602.

¶58 Helpful guidance on the jurisdictional point is offered by La Forest J. in Libman v. The Queen, [1985] 2 S.C.R. 178. That case involved a fraudulent stock scheme. U.S. purchasers were solicited by telephone from Toronto, and their investment monies (which the Toronto accused caused to be routed through Central America) wound up in Canada. The accused contended that the crime, if any, had occurred in the United States, but La Forest J. took the view that "[t]his kind of thinking has, perhaps not altogether fairly, given rise to the reproach that a lawyer is a person who can look at a thing connected with another as not being so connected. For everyone knows that the transaction in the present case is both here and there" (at p. 208 (emphasis added)). Speaking for the Court, he stated the relevant territorial principle as follows (at pp. 212-13):

I might summarize my approach to the limits of territoriality in this way. As I see it, all that is necessary to make an offence subject to the jurisdiction of our courts is that a significant portion of the activities constituting that offence took place in Canada. As it is put by modern academics, it is sufficient that there be a "real and substantial link" between an offence and this country ... [Emphasis added.]

¶59 So also, in my view, a telecommunication from a foreign state to Canada, or a telecommunication from Canada to a foreign state, "is both here and there". Receipt may be no less "significant" a connecting factor than the point of origin (not to mention the physical location of the host server, which may be in a third country). To the same effect, see Canada (Human Rights Commission) v. Canadian Liberty Net, [1998] 1 S.C.R. 626, at para. 52; Kitakufe v. Oloya, [1998] O.J. No. 2537 (QL) (Gen. Div.). In the factual situation at issue in Citron v. Zundel, supra, for example, the fact that the host server was located in California was scarcely conclusive in a situation where both the content provider (Zundel) and a major part of his target audience were located in Canada. The Zundel case was decided on grounds related to the provisions of the Canadian Human Rights Act, but for present purposes the object lesson of those facts is nevertheless instructive.

¶60 … From the outset, the real and substantial connection test has been viewed as an appropriate way to "prevent overreaching ... and [to restrict] the exercise of jurisdiction over extraterritorial and transnational transactions" (La Forest J. in Tolofson, supra, at p. 1049). The test reflects the underlying reality of "the territorial limits of law under the international legal order" and respect for the legitimate actions of other states inherent in the principle of international comity (Tolofson, at p. 1047). A real and substantial connection to Canada is sufficient to support the application of our Copyright Act to international Internet transmissions in a way that will accord with international comity and be consistent with the objectives of order and fairness.

¶62 Canada clearly has a significant interest in the flow of information in and out of the country. Canada regulates the reception of broadcasting signals in Canada wherever originated; see Bell ExpressVu Limited Partnership v. Rex, [2002] 2 S.C.R. 559, 2002 SCC 42. Our courts and tribunals regularly take jurisdiction in matters of civil liability arising out of foreign transmissions which are received and have their impact here; see WIC Premium Television Ltd. v. General Instrument Corp. (2000), 8 C.P.R. (4th) 1 (Alta. C.A.); Re World Stock Exchange (2000), 9 A.S.C.S. 658.

¶63 Generally speaking, this Court has recognized as a sufficient "connection" for taking jurisdiction, situations where Canada is the country of transmission (Libman, supra) or the country of reception (Canada v. Liberty Net, supra). This jurisdictional posture is consistent with international copyright practice.

¶76 Accordingly, the conclusion that Canada could exercise copyright jurisdiction in respect both of transmissions originating here and transmissions originating abroad but received here is not only consistent with our general law (Libman, supra, and Canada (HRC) v. Canadian Liberty Net, supra) but with both national and international copyright practice.

¶77 This conclusion does not, of course, imply imposition of automatic copyright liability on foreign content providers whose music is telecommunicated to a Canadian end user. Whether or not a real and substantial connection exists will turn on the facts of a particular transmission (Braintech, supra). It is unnecessary to say more on this point because the Canadian copyright liability of foreign content providers is not an issue that arises for determination in this appeal, although, as stated, the Board itself intimated that where a foreign transmission is aimed at Canada, copyright liability might attach.

PIPEDA is not explicit about whether it is intended to apply extraterritorially, but there is some guidance in Section 4, the basis of the law’s application:

Application

4. (1) This Part applies to every organization in respect of personal information that

(a) the organization collects, uses or discloses in the course of commercial activities; or

(b) is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.

The application section is entirely silent with respect to its intended territorial application. The only references to specific jurisdictions are contained in the transitional provisions and the definition of “federal work, undertaking or business”. The transition provisions begin with Section 30:

DIVISION 5 TRANSITIONAL PROVISIONS

Application 30. (1) This Part does not apply to any organization in respect of personal information that it collects, uses or discloses within a province whose legislature has the power to regulate the collection, use or disclosure of the information, unless the organization does it in connection with the operation of a federal work, undertaking or business or the organization discloses the information outside the province for consideration.

Application (1.1) This Part does not apply to any organization in respect of personal health information that it collects, uses or discloses.

Expiry date *(2) Subsection (1) ceases to have effect three years after the day on which this section comes into force.

*[Note: Section 30 in force January 1, 2001, see SI/2000-29.]

Expiry date *(2.1) Subsection (1.1) ceases to have effect one year after the day on which this section comes into force.

*[Note: Section 30 in force January 1, 2001, see SI/2000-29.]

These provisions were temporary (and expired on January 1, 2004), as part of the gradual implementation of PIPEDA, providing individual provinces with the ability to put in place substantially similar legislation during the period in which the law only applied to the federally regulated private sector and cross-border sales of information. It may be notable that the cross-border reference says “outside the province” and not “to another province”.

In the absence of clear guidance from the statute, one can interpret it to apply in all circumstances where there exists a “real and substantial link” to Canada, following the Supreme Court's guidance in SOCAN and the cases to which Binnie J. refers. In any event, there is nothing in the statute that would prevent the Office of the Privacy Commissioner from assuming jurisdiction in the circumstances set out above if one takes the more modern and progressive view of jurisdiction that is currently being applied by the Canadian courts.

In the past, officials with the Office of the Privacy Commissioner have advised that the Commissioner likely would assume jurisdiction where the collection of personal information is about Canadian residents or where the collection originates in Canada. This appears to no longer be the case. The Commissioner’s office used to be of the view that PIPEDA is part of an international scheme of privacy protection that could reach over borders. The Privacy Commissioner has an arguable basis to make this second assertion and assume jurisdiction. As mentioned above, Canada implemented PIPEDA following the OECD Guidelines and in light of threatened restrictions on cross-border data flows caused by the European Directive.

While Canada is not bound by either the European Directive or the OECD Guidelines, it appears to be the spirit of PIPEDA that the Canadian law fit within this general scheme of international data protection. This, in and of itself, would give support for investigating the complaint brought by CIPPIC. Nevertheless, modern Canadian conflict of law jurisprudence clearly gives a Canadian adjudicative body, tribunal or investigator jurisdiction over activities that take place outside of our frontiers if there is a “real and substantial” connection to Canada. Whether that connection exists in CIPPIC’s complaint is both a question of law and a question of fact, two questions that the Assistant Commissioner appears not to have pursued. Unless CIPPIC seeks judicial review of the Assistant Commissioner’s decision not to investigate, it may be some time before the question is judicially considered.


* David T.S. Fraser is the chairman of the Privacy Practice Group at McInnes Cooper, Atlantic Canada’s largest single law partnership, principal legal advisor to National Privacy Services Inc. and the author of “PIPEDA and Canadian Privacy Law”, a privacy law weblog found at http://pipeda.blogspot.com/.

The genesis of this article is a presentation given by the author to the Canadian Bar Association Annual Meeting and Conference, August 2004.

[1] Available online at http://www.cippic.ca/en/projects-cases/privacy/opcc_response_30nov04.pdf.

[2] [1990] 3 S.C.R. 1077.

[3] [1994] 3 S.C.R. 1022.

[4] [1993] 4 S.C.R. 289.

[5] Organization for Economic Co-operation and Development, OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (adopted 23 September 1980).

[6] Privacy Act, R.S.C. 1985, c. P-21.

[7] Speech by Bruce Phillips to the Canadian Bar Association, “The Evolution of Canada's Privacy Laws” (January 28, 2000). Available online http://www.privcom.gc.ca/speech/archive/02_05_a_000128_e.asp.

[8] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

[9] 2004 SCC 45 (“SOCAN”).

[10] Copyright Act, R.S.C. 1985, c. C-42.

Schneier on Security: ChoicePoint

Bruce Schneier has a good comment on the ChoicePoint fiasco and the lessons to be learned about incident response:

Schneier on Security: ChoicePoint:

"...This story would have never been made public if it were not for SB 1386, a California law requiring companies to notify California residents if any of a specific set of personal information is leaked.

ChoicePoint's behavior is a textbook example of how to be a bad corporate citizen. The information leakage occurred in October, and it didn't tell any victims until February. First, ChoicePoint notified 30,000 Californians and said that it would not notify anyone who lived outside California (since the law didn't require it). Finally, after public outcry, it announced that it would notify everyone affected...."

Top Ten Messages Left On Paris Hilton's Cell Phone

After having her cell phone hacked, Paris Hilton was the target of last night's Top Ten List on the Late Show with David Letterman:

CBS | Late Show with David Letterman : Top Ten:

"Top Ten Messages Left On Paris Hilton's Cell Phone

10. 'You probably don't remember me, but we had sex about 3 weeks ago.'

9. 'Consider switching to Verizon, we rarely let hackers steal our personal information.'

8. 'So this is the second most embarrassing thing that's ever happened to you?'

7. 'Uh yes, I'd like to book a room for next Wednesday night at the Detroit Hilton.'

6. 'It's Bill Clinton. I've been meaning to call you for some time.'

5. 'Hey it's Pauly Shore--thanks for getting my name in the newspaper.'

4. 'Sorry I missed you, you must be at work...just kidding.'

3. 'Hi, it's Christo. Wanna get freaky in Central Park?'

2. 'You have a collect call from Dave Letterman, will you accept?'

1. 'Is there anything of yours NOT on the internet?'"

No real privacy law content, but hey ...

CIPPIC weighs in on "substantial similarity" for the Ontario Personal Health Information Protection Act

A short time ago, Industry Canada gazetted its notice of the proposed order-in-council to deem the Personal Health Information Protection Act to be substantially similar to PIPEDA. (See PIPEDA and Canadian Privacy Law: Industry Canada proposes PIPEDA exemption for Ontario "health information custodians".) If passed by cabinet, this would exclude "health information custodians" in Ontario from the application of PIPEDA. The notice in the Gazette requested comments on the proposed order.

The Canadian Internet Policy and Public Interest Clinic has provided its comments, limiting its review to the weak research exemption of PHIPA. The impugned provision doesn't jibe with PIPEDA in that it only requires a research ethics review board to "consider" certain factors before allowing a researcher to have access to personal health information. See the letter to Industry Canada here.

You too can be hacked when the answer to your secret question is the name of your famous, book-writing dog

How secret is your "secret question" when you are famous for being famous and your life is an open book? It is looking more and more like Paris Hilton's Sidekick II was hacked into thanks to really, really bad password protection. Or, as MacDevCenter points out, a really obvious "secret question" to make it really easy for users who have forgotten their passwords.

"Like many online service providers, T-Mobile.com requires users to answer a 'secret question' if they forget their passwords. For Hilton's account, the secret question was 'What is your favorite pet's name?' By correctly providing the answer, any internet user could change Hilton's password and freely access her account. "

Apparently her dog, Tinkerbell, is almost as famous as her. He is an author (The Tinkerbell Hilton Diaries: My Life Tailing Paris Hilton), a fashion accessory and a dog-about-town. Anybody with more interest in inane celebrities than I would have been able to get her secret question and log into the T-Mobile system.

For a good review of the inherent weakness of these systems, see Schneier on Security: The Curse of the Secret Question.
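The weakness described in this post, as an added example (not T-Mobile's code and not part of the original post): a reset that accepts the secret-question answer alone, next to one that requires a single-use token delivered to the contact address already on file. The sample account, the class and method names, the five-guess limit and the 15-minute token lifetime are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


def make_sample_accounts():
    """Constructed sample data: one account whose secret answer is public knowledge."""
    return {
        "celebrity": {
            "contact": "owner@example.com",   # address already on file (constructed)
            "secret_answer": "tinkerbell",     # the pet's name from the post
            "salt": b"",
            "pw_hash": b"",
        }
    }


class ResetService:
    MAX_ATTEMPTS = 5       # assumed limit on token guesses per reset request
    TOKEN_TTL = 15 * 60    # assumed token lifetime, in seconds

    def __init__(self, accounts, clock=time.time):
        self.accounts = accounts
        self.clock = clock
        self.outbox = []   # stands in for e-mail/SMS delivery to the owner
        self._tokens = {}  # user -> [sha256(token), expiry, attempts left]

    def _set_password(self, user, password):
        acct = self.accounts[user]
        acct["salt"] = secrets.token_bytes(16)
        acct["pw_hash"] = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), acct["salt"], 100_000)

    def verify_password(self, user, password):
        acct = self.accounts.get(user)
        if acct is None or not acct["pw_hash"]:
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), acct["salt"], 100_000)
        return hmac.compare_digest(candidate, acct["pw_hash"])

    def weak_reset(self, user, answer, new_password):
        """Reset as the post describes it: knowing the answer is enough."""
        acct = self.accounts.get(user)
        if acct is None or answer.strip().lower() != acct["secret_answer"]:
            return False
        self._set_password(user, new_password)
        return True

    def request_reset(self, user):
        """Hardened step 1: send a random single-use token to the contact on file.

        Returns nothing, so the caller cannot tell whether the account exists.
        """
        acct = self.accounts.get(user)
        if acct is None:
            return
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()  # store only the hash
        self._tokens[user] = [digest, self.clock() + self.TOKEN_TTL, self.MAX_ATTEMPTS]
        self.outbox.append((acct["contact"], token))

    def complete_reset(self, user, token, new_password):
        """Hardened step 2: the password changes only for a valid, unexpired token."""
        entry = self._tokens.get(user)
        if entry is None:
            return False
        digest, expiry, attempts = entry
        if self.clock() > expiry or attempts <= 0:
            del self._tokens[user]          # expired or guessed out: start over
            return False
        entry[2] -= 1                       # count this guess before checking it
        supplied = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(supplied, digest):
            return False
        del self._tokens[user]              # single use
        self._set_password(user, new_password)
        return True
```

In the hardened flow nothing the public can learn about the account holder helps: the token is random, expires, is consumed on use, and reaches only whoever controls the contact address on file.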

Alarm raised over Australian health network

The Australian privacy commissioner is concerned that HealthConnect, a federal health network, is lumbering toward implementation without adequate privacy protections:

Australian IT - Alarm raised over health network (Karen Dearne, FEBRUARY 23, 2005):

"'Given the magnitude of the project and the sensitive nature of health information, a robust privacy framework needs to be established as a priority,' the OFPC says in its submission on the roadmap HealthConnect Business Architecture.

'The architecture includes many references to privacy protocols or rules which will apply to HealthConnect, although their substance and standing is unclear.'

While the OFPC regulates the private health sector and handling of personal information by federal and ACT government agencies, the privacy of health information within the states is regulated at the state level. "

Tuesday, February 22, 2005

"Lawful access" back on the radar screen

Michael Geist is reporting, in privacyinfo.ca, that the Canadian lawful access initiative is creeping back onto the government's agenda:

www.PrivacyInfo.ca:

"The Toronto Star today reports what has been an open secret for a couple of months now -- the Canadian government is moving forward with its lawful access agenda. For those new to the issue, lawful access would require network providers to establish new capabilities to allow for real-time network surveillance. Failure to do so is punishable by significant fines and jail time. The big issue for the ISPs revolves around cost, as in who should pay for this. Given the enormous privacy implications, one would hope that the government would make a case demonstrating a real need for these new powers, rather than just crossing items off a wish list."

Transcript of conversation with Robert O'Harrow of 'No Place to Hide' fame

On the weekend, the Washington Post hosted an online discussion with Robert O'Harrow, the author of "No Place to Hide: Behind the Scenes of Our Emerging Surveillance Society". They've posted a transcript on their site:

'No Place to Hide' (washingtonpost.com):

"The post-9/11 marriage of private data and technology companies and government anti-terror initiatives has created something entirely new: a security-industrial complex. In his new book, reviewed in Sunday's Book World, Post reporter Robert O'Harrow shows how the government now depends on burgeoning private reservoirs of information about almost every aspect of our lives to promote homeland security and fight the war on terror. "

Privacy and Investigations

This morning, I gave a presentation on privacy and investigations by professional regulators as part of an InfoNex conference on professional regulation and discipline. A PDF of the materials is here for all who may be interested.

Paris Hilton's singular contribution to humanity ...

According to Larry Magid, having her phone hacked may be Paris Hilton's singular (not cingular!) contribution to humanity because "you can bet that the entire mobile device industry will focus a lot more attention on security."

Monday, February 21, 2005

Privacy Rights Clearinghouse: The ChoicePoint Data Security Breach: What It Means for You, and How to Find Out What ChoicePoint Knows about You

In the aftermath of the ChoicePoint incident, Privacy Rights Clearinghouse has produced a lengthy page on what the incident means to you and what data aggregators like ChoicePoint may have on you:

Alert: The ChoicePoint Data Security Breach: What It Means for You, and How to Find Out What ChoicePoint Knows about You:

"San Diego, CA -- Data aggregators compile in-depth dossiers of personal information on almost everyone, even though many have never heard of them, have never had an account with them, nor have given them permission to obtain personal information. Until recently, many Americans had never heard of ChoicePoint, one of the largest data aggregators. But with recent information coming to light that identity thieves opened 50 accounts to access ChoicePoint's databases of personal information, many people are just realizing that companies like ChoicePoint exist. (See www.washingtonpost.com/wp-dyn/articles/A30897-2005Feb16.html)..."

Paris Hilton's Sidekick gets hacked

The Internet is abuzz this morning with the exciting contents of Paris Hilton's T-Mobile Sidekick. It appears that someone hacked into the T-Mobile system and was able to get the contents of her address book, notepad and the photos she had taken with the gadget. Most of the links earlier today were to the photos themselves, which are not "safe for work".

Most of the discussion about it suggests that it may be related to the recent hacking of T-Mobile's systems (see PIPEDA and Canadian Privacy Law: Incident(s): Hacker breaches T-Mobile systems, reads US Secret Service email), but it could just as easily have been a result of someone guessing her password and accessing the system via the T-Mobile login page. I wouldn't be surprised if her password was "password".

This incident does, however, highlight the vulnerability of personal information when it is in possession of third parties. Our e-mail and address books are held by Yahoo! or Hotmail or whoever. Our voice mail resides on some telco server and our instant messages are archived. It used to be that the bad guys had to break into our homes and offices for this stuff. Now they just have to hack into one of dozens of systems. (See Schneier on Security: T-Mobile Hack).

For (safe for work) coverage of the incident, see Paris Hilton's Sidekick gets hacked. What is T-Mobile going to do about it? - Engadget - www.engadget.com and Hackers post Paris Hilton's address book online - Computerworld:

"Hackers post Paris Hilton's address book online

A copy of her T-Mobile USA cell phone address book appeared on the Web

News Story by Paul Roberts

FEBRUARY 21, 2005 (IDG NEWS SERVICE) - Hackers penetrated the crystalline ranks of Hollywood celebrity Saturday, posting the cellular phone address book of hotel heiress and celebrity Paris Hilton on a Web page and passing the phone numbers and e-mail addresses of some of Tinsel Town's hottest stars into the public realm.

A copy of Hilton's T-Mobile USA Inc. cell phone address book appeared on the Web site of a group calling itself 'illmob.' The address book contains information on over 500 of Hilton's acquaintances, including super celebrities such as Eminem and Christina Aguilera. It is not known how the information was obtained, but the release of the contact book may be further fallout from a hack of T-Mobile's servers that came to light in January...."

E-mail gaffe reveals HIV, AIDS names

From the Palm Beach Post:

E-mail gaffe reveals HIV, AIDS names:

"WEST PALM BEACH - A highly confidential list of the names and addresses of 4,500 Palm Beach County residents with AIDS and 2,000 others who are HIV positive was e-mailed Thursday to more than 800 county health department employees.

Health department statistician John W. 'Jack' Nolan, who compiles data on HIV/AIDS cases for the county, sent the e-mail containing his monthly cumulative statistics report and inadvertently attached a file with the identities and addresses of AIDS patients and others who have tested HIV positive. Health department spokesman Tim O'Connor confirmed the incident...."

Surplus military laptops contained info on Canadian soldiers

The London Free Press is reporting that an Alberta military surplus store has received surplus computers that still contain information on Canadian soldiers:

London Free Press: News Section - Probe sought over military laptops:

"EDMONTON -- Alberta's privacy commissioner is calling for a federal investigation into why personal information about soldiers was on laptops turned in to an army surplus store. 'It would appear the military may have breached the federal Privacy Act and so the federal commissioner would be interested in that,' Frank Work said yesterday...."

Saturday, February 19, 2005

Canadians in American government databases

The Toronto Star, which has the best privacy coverage of any Canadian daily newspaper, is running an article by Thomas Walkom that highlights the amount of data about Canadians that may be in the hands of American authorities. It begins with a discussion of Canadian tax records that found their way into the possession of an American prisoner, via the Department of Homeland Security. The article also discussed the Arar case and the use of No-Fly Lists by Canadian airlines.

TheStar.com - Uncle Sam's steely glare:

"... It's safe to say she never expected to find her name, Canadian income tax summaries and social insurance number in the files of the U.S. Homeland Security Department. Indeed, if it weren't for a fluke, she probably never would have...."

Thursday, February 17, 2005

Geist: Revise privacy law to protect public, not offenders

Michael Geist, in his latest Toronto Star column, argues that PIPEDA should be amended in line with California's example that requires companies to notify customers if the security of their personal information has been compromised:

TheStar.com - Revise privacy law to protect public, not offenders:

"... Recognizing that companies have an incentive to keep privacy and security breaches private, the State of California has adopted a law that requires organizations to publicly disclose privacy breaches to their customers. Although opposed by business, the law, known as SB1386, has proven wildly successful since its enactment just over 18 months ago.

The law requires companies and agencies that do business in the state, or possess personal information of state residents, to report breaches in the security of personal information in their possession. Companies must act quickly, notifying customers in writing, electronically, or by prominently posting the information on their website.

The law's impact on business practice has been dramatic. The State's Office of Privacy Protection recently surveyed California companies and found that 76 percent of surveyed companies changed their communications policies as a result of the new law; about one third of the surveyed companies changed security procedures; and almost half changed the way they used social security numbers (the U.S. equivalent of Canadian social insurance numbers)..."

Former nurse pleads guilty to identity theft

All too often, it's an inside job. All too often, it's the most vulnerable who are targeted. In this case, a nurse has been convicted of stealing the identity of a patient to obtain credit:

AP Wire | 02/17/2005 | Former nurse pleads guilty to identity theft:

"ST. LOUIS - A former nurse at a St. Louis suburban hospital has pleaded guilty to using patient information to obtain credit, U.S. Attorney James Martin said Thursday.

Doris Odebunmi, 53, of St. Louis pleaded guilty to misusing a Social Security number, and faces up to five years in prison and/or a fine of $250,000. She is required to make restitution. She'll be sentenced on June 8...."

ChoicePoint's mission turned on head in personal info breach

The Miami Herald has an interesting article, commenting on the irony of ChoicePoint not doing due diligence on its own customers, allowing criminals to have access to their huge cache of personal information: AP Wire | 02/17/2005 | ChoicePoint's mission turned on head in personal info breach:

"ATLANTA - Consumer data collector ChoicePoint Inc.'s mission is to arm customers with the information necessary to verify that the people they are doing business with are who they say they are.

That selling point has been turned on its head by bandits who were given access to the company's massive database by duping it into thinking they were someone they were not.

'The irony appears to be that ChoicePoint has not done its own due diligence in verifying the identities of those 'businesses' that apply to be customers,' said Beth Givens, director of the Privacy Rights Clearinghouse, a nonprofit consumer advocacy group in San Diego. 'They're not doing the very thing they claim their service enables their customers to achieve.'...."

Wednesday, February 16, 2005

Google may be looking for your personal information

In conversation with industry analysts, Google CEO Eric Schmidt indicated that Google may soon require usernames, passwords and personal information to use their services.

Google Discusses Strategy With Analysts - BizReport:

"- Google is likely to require its users to begin providing personal information to use some of its products and services, said CEO Eric Schmidt. Requiring people to provide their identity and a password to gain service access is common at many Web sites, but would be new for Google. Having more personal information would enable Google to offer more useful improvements, Schmidt said. He didn't provide a timetable or specify which services might require registration."

Thanks to beSpacific: User Registration Down the Road for Google? for the link.

Upcoming conference: 'Implementing PIPEDA: A review of Internet privacy statements and on-line practices'

PIPEDA Conference, March 18, 2005 - Privacy Project:
"'Implementing PIPEDA: A review of Internet privacy statements and on-line practices'

March 18, 2005
9:00am - 5:00pm

The University of Toronto's Centre for Innovation Law and Policy at the Faculty of Law and the Faculty of Information Studies will be hosting a conference on the implementation of the Personal Information and Electronic Documents Act (PIPEDA): A review of Internet privacy statements and on-line practices.

Daniel Solove, an associate professor of law at the George Washington University Law School and an authority in the areas of information privacy law and cyberspace law, will be the keynote speaker for the conference.

The conference will take place March 18 in the Bennet Lecture hall inside Flavelle House at the Faculty of Law. There is no cost to attend the conference, but registration is required. A tentative timetable and speaker's list is now available.

For more information, contact:

Rajen Akalu - rajen.akalu@utoronto.ca "

I have heard that one of the panelists may be Mathew Englander.

RFID, Electronic Eavesdropping and the Law

The RFID Journal is carrying an article by Dr. Reuven R. Levary (a Professor of Decision Sciences, Cook School of Business) and three JD/MBA students from Saint Louis University on the legal and privacy aspects of RFID technology:

RFID Journal - RFID, Electronic Eavesdropping and the Law:

"Feb. 14, 2005--As radio frequency identification enters the mainstream, consumer advocates are raising concerns about the potential use of the technology for electronic eavesdropping. In Europe, there are strong laws governing the use of data gathered on consumers. In the United States, no such overarching legislation exists. So the question is: What laws currently on the books, if any, in the United States could protect consumers against invasion of privacy using RFID systems? And what are the legal ramifications for companies that use the technology in a retail setting? ..."

Tuesday, February 15, 2005

Identity-verifying questions are getting personal

The Boston Channel WCBV-TV is carrying a report about intrusive and more than slightly creepy questions that credit card companies are asking to verify the identity of card holders. After a string of "suspicious" purchases prompted a credit card company to put a fraud alert on a consumer's card, the customer was required to answer a number of unexpected questions to prove she is who she says she is:

TheBostonChannel.com - Money - Are Credit Card Companies Getting Too Personal?:

"... 'And they said, 'In order to get your card reactivated and take the fraud protection off, we're going to have to ask you some questions.' And she said, 'I want to warn you that some of these questions might sound a little unusual,'' Santilli said.

Unusual and, according to Santilli, invasive.

'Well, the first question was the age group of a former husband of mine,' Santilli said. 'But then the next question that came up was about my former husband's sister. And they asked me, 'In which county is she likely to live,' and they asked her name specifically.'

'I said, 'I can't believe you're asking me this.' And then she apologized again,' Santilli said.

Santilli answered the questions; Providian removed the fraud alert. But the experience left Santilli shaken.

'I was expecting to be asked my mother's maiden name, my Social Security number, maybe what I purchased that day and for what amounts. Anything else but questions about a past relationship,' Santilli said.

WJAR-TV contacted Providian. It reported Providian uses a security system that gathers information about card holders.

'When the customer calls in, we use an electronic system. It automatically generates verification questions using public sources,' Providian spokeswoman Beth Haiken said.

Where do they get that information? The station reported that companies like Providian can get it at city and town halls or anywhere else public records are available. It's all legal because they're public records, according to the station."

It's probably worth noting that this wouldn't fly in Canada. Publicly available information may be used without consent, but only for the purposes for which it is made available in the first place. I can't see that municipal records are made available for this purpose.

Incident: Impostors obtain personal information on thousands of Americans

This one is a biggie. One of the largest traders in personal information in the US, ChoicePoint, allowed criminals masquerading as legit businesses to trawl the personal records of thousands of Americans. ChoicePoint has notified thousands of Californians that their security has been compromised. Because only California has a law requiring such disclosure, this raises the question: how many people are affected but are not aware of it?

MSNBC - Database giant gives access to fake firms:

"Criminals posing as legitimate businesses have accessed critical personal data stored by ChoicePoint Inc., a firm that maintains databases of background information on virtually every U.S. citizen, MSNBC.com has learned.

The incident involves a wide swath of consumer data, including names, addresses, Social Security numbers, credit reports and other information. ChoicePoint aggregates and sells such personal information to government agencies and private companies...."

Incident: Personal data on nearly 25,000 subscribers leaked by Japanese Telco

The personal information of twenty-five thousand Japanese telco customers has been leaked, according to Agence France-Presse:

Yahoo! News - Personal data on nearly 25,000 subscribers leaked: NTT DoCoMo:

"TOKYO (AFP) - Japan's top mobile operator NTT DoCoMo Inc. said it has found a leak of personal information linked to nearly 25,000 subscribers, with someone within the company likely to blame.

Private data such as names, addresses, mobile and fixed-line telephone numbers of 24,632 clients kept by the company were found to have been taken by an outsider, NTT DoCoMo said in a statement...."

Monday, February 14, 2005

Geist on revising PIPEDA

Michael Geist's LawBytes column in the Toronto Star is devoted to why he believes PIPEDA should be revised:

TheStar.com - Revise privacy law to protect public, not offenders:

"...The time has come to lift the veil of secrecy surrounding privacy and security breaches in Canada. For every case that comes to light, there is little doubt that there are many more that remain hidden from public view.

From a privacy compliance perspective, experience illustrates that mandatory reporting requirements provide an effective motivation for organizations to take their privacy and security obligations seriously. With identity theft at an all-time high, they also ensure that the public is kept informed about the security of their personal information and better positioned to monitor their credit reports and credit card activity for suspicious activity.

Former IBM CEO Louis Gerstner once noted that 'people don't do what you expect, they do what you inspect.' For Canada's privacy legislation to meet expectations, we need more inspection and better disclosure practices. A mandatory self-reporting system on privacy and security breaches would be a step in the right direction."

Sunday, February 13, 2005

Computer theft puts military and intelligence officials at risk

SAIC, one of the leading employee-owned R&D companies in the US, has experienced a theft of computers containing personal information of its shareholders (and employees). The company does a huge amount of military work, which makes the information additionally sensitive. Not only is there a risk of identity theft, there may be national security issues as well. As reported in the Washington Post (registration required):

Break-In At SAIC Risks ID Theft (washingtonpost.com):

"Some of the nation's most influential former military and intelligence officials have been informed in recent days that they are at risk of identity theft after a break-in at a major government contractor netted computers containing the Social Security numbers and other personal information about tens of thousands of past and present company employees.... "

Slashdot has a discussion of the incident here. Thanks to Privacy Digest for the pointer.

Change those default passwords

Many technology devices, from routers to network servers, come with default passwords that you are supposed to change when you install them. Well, if ever there was a slap in the side of the head to remind you to change those passwords, here it is: Default Password List and Default Passwords. These sites list the default passwords for dozens and dozens of devices. If I can find these on the internet, you can be assured that those who are trying to attack your network know them like the backs of their hands.

Saturday, February 12, 2005

Article: Outsourcers are anxious to safeguard your privacy

The Charlotte Observer (registration required) has an article on foreign outsourcing and customer information. Not unrealistically, companies and their customers are concerned about privacy when sending customer data overseas for processing:

Charlotte Observer | 02/12/2005 | Outsourcers are anxious to safeguard your privacy:

"Foreign companies fear bad publicity could cut into their business

Ensuring the security of customer data and other sensitive information remains a top concern of U.S. companies increasingly sending call center and computer work to lower-wage nations.

And it's a matter of survival for the foreign firms providing outsourcing services.

'If you have even one minor breach that makes it into the press, it's over,' said Rick Rossow, IT policy director at the U.S.-India Business Council in Washington. 'It's not going to take a lot for companies to pull back.'

Foreign outsourcing already is a controversial trend, blamed for eroding America's middle class by sending information-technology work overseas. Critics say it also puts consumers at risk because other countries have inadequate security and legal protections. Consumers have little recourse, critics say, if they are harmed financially by unauthorized access to their accounts and personal information."

Friday, February 11, 2005

Canadian Internet and Public Interest Centre report issued

The first issue of the CIPPIC Bulletin has been released, but the links are unfortunately broken. Check back and hopefully it will be fixed shortly: English and French. The CIPPIC Bulletin provides an update on CIPPIC projects and activities, many of which involve advocacy and policy work on Canadian privacy law.

Training, training, training! Privacy laws can be implemented without going off the deep end ...

It continually drives me bonkers when I read about how some organizations implement privacy laws (see below). Granted, these laws are not always easy to understand, but they usually can be implemented without completely shutting down normal business operations or even normal personal interactions.

A huge part of the problem is that the laws are not very easy to understand, particularly if you sit down and read them from beginning to end. Most laypeople have a hard enough time staying awake during the process and it is rare to actually make it through the law in one sitting. But even if you can manage to make it that far, there is little in the laws themselves to help you in translating theory to practice. (You're not alone: I've dealt with lawyers who have little understanding of the law itself, let alone how it should be implemented. A law degree does not automatically confer an ability to figure it out.)

So what's to be done? People need to be trained about what the law means and how it needs to be integrated into their operations. Front line employees don't need to memorize section 7(3)(c)(ii), but they do need to know how to do their job in this new regulatory environment. They need to know how to meet customer expectations. They need to know how to deal with circumstances where privacy laws may entail a bit more process for their customers. And they need some common sense.

On this front, I have to give full marks to the Nova Scotia Department of Justice, which recently held a series of workshops for department administrators of the Freedom of Information and Protection of Privacy Act throughout the province. And they had the good sense to include a unit on PIPEDA. Though this law doesn't generally apply to the same organizations subject to FOIPOP, it has been a major source of confusion.

CBC Manitoba - Ombudsman slams province over privacy laws:

"Tuckett says there are many cases where public officials do not use common sense in providing people with access to their own personal information.

'I had a call from somebody where they were talking to somebody in a medical doctor's office and asking about the condition of the person and the doctor came up and said, 'You know, you can't talk about your medical condition with other people in our office because it's contrary to PHIA,'' he says.

'I call it 'PHIAnoia' because, you know what it is, it's this, 'I can't share that, I can't do this.' Privacy laws were never intended to be applied so rigidly that all of a sudden you can't have normal human relations with people.'

Tuckett recommends the government should set up a training program to help its employees understand privacy and access laws. This report will be Tuckett's last as ombudsman; he is retiring as of Feb. 11."

Tyler Hamilton: Why retailers are contributing to identity theft

Tyler Hamilton, a technology journalist from Toronto, has written in his blog about the practice of some retailers who still print full credit card info on sales slips. Check it out:

Tyler Hamilton: Why retailers are contributing to identity theft:

".... Word of advice: If you get a credit-card slip back from a retailer and notice that your full credit-card information is published on it, speak up. Let them know that's not acceptable, and that you may just shop somewhere else if they don't stop doing it. Otherwise, don't be surprised if you find some strange charges on future credit-card statements. "