Monday, October 31, 2005

Privacy survey at

I've been asked to help get the word out about a National Science Foundation-funded survey on privacy policies and how users understand them. Please give these folks a hand ...

ThePrivacyPlace.Org 2005 Privacy Survey is Underway!

Researchers at ThePrivacyPlace.Org are conducting an online survey about privacy policies and user values. The survey is supported by an NSF ITR grant (National Science Foundation Information Technology Research) and will help us establish with our investigations of privacy policy expression and user comprehension thereof.

The URL is:

We need to attract several thousand respondents, and would be most appreciative if you would consider helping us get the word out about the survey which takes about 5 to 15 minutes to complete. The results will be made available in 2006 via our project website (

Prizes include

  • $50 gift certificates and
  • IBM sponsored giveaways!

On behalf of the research staff at ThePrivacyPlace.Org, thank you!"

Ontario's Commissioner faults paper disposal company and clinic for breach of privacy in medical records

Full marks to the Information and Privacy Commissioner for the fast investigation and report related to sensitive medical records being used as props on a Toronto movie set (see: The Canadian Privacy Law Blog: Incident: Medical records blowing in the wind in Toronto). She has issued the first order under the Personal Health Information Protection Act.

From the Commisioner's website:

IPC - Medical records found scattered across Toronto streets: Commissioner Cavoukian issues first Order under new law

NEWS RELEASE : October 31, 2005

TORONTO – An investigation into how personal health records ended up being strewn across the streets of downtown Toronto on October 1 as a backdrop for a film production has resulted in a ruling by Information and Privacy Commissioner Ann Cavoukian that both a Toronto X-ray/ultrasound clinic and a paper disposal company had breached Ontario’s Personal Health Information Protection Act (PHIPA).

The Commissioner, who was appalled at learning of this breach, went to the scene herself shortly after being advised of the records being scattered on the streets. “The Order I released today – the first under the new Act – should be carefully reviewed by every health information custodian and paper disposal company in Ontario. Everyone handling personal health records has to realize that the storage and destruction of such sensitive information has to be carried out in the most secure manner so that mistakes such as this are virtually eliminated.”

In her Order, Commissioner Cavoukian said that the personal health records were collected by a paper disposal company that engaged in both shredding and recycling activities. A portion of the personal health records picked up from the clinic were mistakenly believed to be intended for recycling. The records were subcontracted to another recycling company, which later sold them – intact – to the film company for use on its set.

The Commissioner found that:

  • the Toronto clinic failed to take all reasonable steps to secure the personal health information in its custody or control;
  • the clinic failed to ensure that the personal health information was disposed of in a secure manner; and
  • the clinic failed to comply with section 17(1) of PHIPA, which requires it to be responsible for the proper handling of personal health information by itself and its agents. Commissioner Cavoukian said that, in the above context, a written contractual agreement would be required setting out the agent’s duty to securely shred the materials and require the agent to provide a written attestation confirming that shredding has been completed.

The Commissioner also found that:

  • the paper disposal company’s action in forwarding the records to a recycling facility instead of shredding them, while caused by a mistaken belief that the records were intended for recycling, contravened the Act.

Commissioner Cavoukian ordered the clinic to review its information practices to ensure that the location of all personal health information within its custody or control is documented, and that this personal health information is adequately secured.

The Commissioner ordered the clinic to put into place a written contractual agreement with any agent it retains to dispose of personal health information. The agreement must set out the obligation for secure disposal and requires the agent to provide written confirmation once secure disposal has been carried out.

“Secure disposal,” the Commissioner said in her Order, “must consist of permanently destroying paper records by irreversible shredding or pulverizing, thus making them unreadable. Further, steps must be taken to ensure that no unauthorized person will have access to the personal health information between the time the records leave the health information custodian’s custody until their actual destruction.”

Similarly, the paper disposal company, which fell under PHIPA because it functioned as an agent, having been given personal health information directly by a health information custodian, was ordered by the Commissioner to put into place a written agreement that includes the requirement for the disposal company to engage in secure shredding and provide an attestation confirming destruction of records.

Among other requirements, the Commissioner also ordered the paper disposal company to put procedures into place that will prevent paper designated for shredding from being mixed together with paper that is intended to be disposed of via recycling.

This Order will establish the practice to be followed by all health information custodians and their agents in Ontario, with respect to the Commissioner’s expectations for the secure disposal of health information records under Ontario’s new Health Information Privacy law.

The Commissioner’s Order, HO-001 is available on the IPC website.

Some media coverage, as well:

Clinic, paper firm broke privacy rules

October 31, 2005

TORONTO -- Ontario's privacy commissioner has found a clinic and a paper-disposal company broke privacy rules after personal health records were strewn on a downtown movie set.

Ann Cavoukian says the health records were collected by a company that engaged in both shredding and recycling.

The company mistakenly believed that the records picked up from the X-ray and ultrasound clinic were meant to be recycled.

As a result, it subcontracted the paper to another recycling company, which later sold it to a film company for use on its set.

The health records then ended up being strewn across the streets of downtown Toronto on Oct. 1 as a backdrop for a film production.

Cavoukian says she was appalled at the breach of Ontario's Personal Health Information Protection Act.

'Everyone handling personal health records has to realize that the storage and destruction of such sensitive information has to be carried out in the most secure manner so that mistakes such as this are virtually eliminated,'' Cavoukian said.

The Toronto clinic, which she did not identify, failed to take all reasonable steps to secure the information and ensure it was disposed of securely.

The paper-disposal company also breached the act by sending the records for recycling instead of shredding them.

She also ordered both facilities to put measures in place to preclude a recurrence. "

Experts on ID theft and privacy

All last week, CNet assembled a blue-ribbon panel of experts to discuss various aspects of identity theft and privacy. Check out the conversation:

Saturday, October 29, 2005

Admissibility of video surveillance evidence

The use of video surveillance has come under increased scrutiny in recent years, prompted mostly by new privacy laws such as PIPEDA and the western provinces' PIPAs. To insurance lawyers, the most important question is what impact do these laws have on the admissibility of video surveillance evidence.

The only published court decision on this point, Ferenczy v. MCI Medical Clinics, 2004 CanLII 12555 (ON S.C.), may be interpreted to hold that a violation of PIPEDA does not render video evidence inadmissible (but it could be much more clear):

"[35] For all of the foregoing reasons I conclude the evidence here in question was not collected, recorded, used or disclosed in contravention of the Act. However, as I indicated earlier in these reasons, the evidence is in any event relevant and its probative value exceeds its prejudicial effect. Its admission into evidence would not render the trial unfair and it is, in my view, admissible at trial in any event at trial."

Johannes Schenk recently wrote about a BC arbitration decision in which the arbitrator decided that a violation of that province's Personal Information Protection Act would render the resultant evidence inadmissible. From paragraph 58 of IN THE MATTER OF an Expedited Arbitration Between EBCO Metal Finishing Ltd. and International Association of Bridge, Structural, Ornamental & Reinforcing Iron Workers, Shopmens' Local 712, [2004] B.C.C.A.A.A. No. 260:

... The PIPA is clearly intended to apply to the employment relationship. The authority of the legislation would not be given effect were an employer to breach its provisions and be permitted to rely on the unlawfully obtained evidence anyway. For an arbitrator in British Columbia to admit the evidence in such a case would amount to error of law and abdication of jurisdiction.

Aribral decisions have little precedential value, particularly outside the particular province, but this highlights that this issue has not entirely been put to rest.

Canadian Judicial Council protocol on inclusion of personal information in court judgements

The Canadian Judicial Council has recently been struggling with the balance between open courts and privacy when making court records available online. It has just released its Use of Personal Information in Judgements and Recommended Protocol (pdf here). Until recently, legal publishers have taken it upon themselves to selectively edit judgements to conform with publication bans, but more courts are releasing their own decisions online. The protocol does not deal with electronic access to court records themselves, but hopefully a protocol for that will be forthcoming.

Thanks to beSpacific for the link.

HP user group membership list for sale to highest bidder

Former members of Interex, a Hewlett-Packard user group, are upset that the bankrupt association's member list is likely to be sold to satisfy creditors. The organization's privacy policy didn't anticipate bankruptcy, but some members think their information is confidential and simply should not be treated as any other asset. See: Interex membership list for sale to highest bidder - Computerworld.

Through-the-wall audio surveillance

Thanks to Bruce Schneier (Schneier on Security: Eavesdropping Through a Wall) for directing me to an interesting US patent application for through-the-wall audio surveillance technology that was developed in association with NASA: United States Patent Application: 0050220310.

Blogging from IAPP's Privacy Academy

Lance Koonce and Kraig Baker, from the Privacy and Security Law Blog, has been blogging from the International Association of Privacy Professional's Privacy Academy recently held in Las Vegas. Rather than link to all the postings, just check out the blog and you'll find them...

US Passports to be "chipped" by October 2006

The US State Department has issued its final rules on the implementation of RFID in all US passports, beginning with those issued after October 2006. The chips will include a digitised version of the holder's photo and other information. According to the Washington Post, 98% of the comments on the proposal were against the measure, but the Department suggests that measures are being taken to minimise the risk associated with the RFID chip. The passports will include an "anti-skimming" film on the front and back covers, making it more difficult to read the chip at a distance: U.S. Passports to Receive Electronic Identification Chips.

NY Court Bans Feds from Tracking Cell Phones

US Federal law enforcement officers have been seeking to have cellular phone companies provide, without a warrant or probable cause, information on subscribers. The information requested includes the caller's location and the particulars about calls made. This week, a US Federal Court Judge in New York has denied the US Justice Department access to this information without a warrant. According to eWeek, this decision is similar to one made by a district court in Texas last month.

From eWeek: NY Court Bans Feds from Tracking Cell Phones.

Responding to a security breach

NetworkWorld has a great article on how to respond to security incidents involving personal or corporate data:

Responding to a security breach

...But organizations can reduce their overall losses by reporting breaches in a timely manner and offering whatever help they can to the affected parties, Penn says. On the other hand, organizations can compound their losses by covering up and delaying reporting, such as the case with ChoicePoint, whose stock dropped by 15% after fraud in its system exposed 145,000 credit identities in February. And health maintenance organization Kaiser Permanente was fined $200,000 in August for a three-month delay in reporting an exposure of patient data posted on a publicly accessible Web site used for help desk support....

Privacy cartoon: Don't mind me ...

From NetworkWorld:


Thursday, October 27, 2005

New IT.Can Blog

The Canadian Information Technology Law Association has just launched a new blog to foster discussion of issues of interest to practitioners and others who are interested in Canadian technology law issues. It also has an RSS/XML feed.

One of the initial postings is related to the recent decision by the Privacy Commissioner on outsourcing and the USA Patriot Act. I blogged about it here (The Canadian Privacy Law Blog: Privacy Commissioner considers USA Patriot Act / Outsourcing complaints against Canadian bank), but the IT.Can blog provides a good oppotunity for discussion. Check out the post here: Bank’s notification to customers triggers PATRIOT Act concerns.

Hidden Camera in Law Firm Bathroom = Lawsuit

I don't often find good privacy stories by reading blogs about law firm marketing and management, but sometimes you just luck out ...

From Larry Bodine's great Professional Marketing Blog (verbatim):

Larry Bodine's PROFESSIONAL MARKETING Blog: Hidden Camera in Bathroom = Lawsuit:

How would you like to be the marketer for the l7-lawyer firm of Mangan, Langhenry, Gillen & Lundquist in Wheaton, IL: They got sued by a former attorney who discovered a hidden camera in the ladies' bathroom -- twice.

A woman identifying herself only a 'Jane Doe,' said in her complaint filed in Cook County District Court that she discovered a hidden video camera in the toilet paper roll one day. She removed it, only to find it back in place a month later. Apparently one of the male partners was using it to view or record everyone who used the stall.

According to WBBM news radio in Chicago, one of the male partners recently left the firm, but wouldn't say who it was. It also wouldn't comment.

If you were the marketing director of this disaster, what would you do?

Wednesday, October 26, 2005

Ontario's adoption records bill to be voted on this week

The Ontario proposal to change the rules for open adoption records will likely be voted upon this week:

Bill opening Ontario's adoption records expected to be voted on soon - Yahoo! News:

...The law would open up adoption records, making it easier for adoptees and birth parents to find one another. Adoption records have been sealed in Ontario since 1927. Adult adoptees would be able to access their original birth certificate, which could include the names of their birth parents. Birth parents, meanwhile, would be able to see the birth certificate and current name of the child they gave up for adoption. The campaign would inform people about the changes and let both parents and children know they have the option to request not to be contacted. They can also ask a tribunal for a veto to keep their file sealed, provided they can prove releasing the records would cause harm....

Tuesday, October 25, 2005

CardSystems class action update

The pre-trial process in the Cardsystems class action lawsuit continues, while the parties are squabbling over what and how much information Visa and MasterCard should be providing to the plaintiffs about their relationships with Cardsystems: Squabble continues over credit card breach | Tech News on ZDNet.

Cell phone tracking services proves popular in South Korea

Business Week Online is carrying a feature on the somewhat surprising popularity of a number of cell-phone tracking services in South Korea. Many people are willing to give up a significant measure of privacy for convenience or safety:

"Working Late" Won't Work Anymore

"I used to be worried when my boyfriend didn't answer my calls," says Shim You Sun, a 25-year-old accountant who pays 11 cents each time she checks up on him. "Now I can rest assured that he is at work or busy attending a seminar."

She's one of more than 4 million Koreans who have signed up for various services using technology that can determine a cellular subscriber's location. One, costing $3 per month, will send a message with your coordinates to friends and family periodically while you're traveling. Another will automatically dispatch a text message to friends who get within a block or so of each other as they move around town. Yet another, costing 29 cents a day, will send a message if a person isn't at a specified place at a certain time and then allows the tracker to see the person's movements over the previous five hours. And 20,000 parents pay $10 per month for alerts if their children stray from the route between school and home. The Korea Association of Information & Telecommunication reckons such services are growing by 74% annually, with revenues expected to triple in 2007, to $1.54 billion, from $500 million last year....

Thanks to Privacy Spot for the link: The Ultimate in Cell Phone Tracking | - Privacy Law and Data Protection.

Monday, October 24, 2005

FBI Papers Indicate Intelligence Violations

Even when the FBI can go to a secret court for authorization for intrusive surveillance or, in some cases, do it according to internal oversight, the Washinton Post is reporting that some FBI agents have circumvented all oversight to conduct surveillance on US residents:

FBI Papers Indicate Intelligence Violations

In other cases, agents obtained e-mails after a warrant expired, seized bank records without proper authority and conducted an improper "unconsented physical search," according to the documents.

Although heavily censored, the documents provide a rare glimpse into the world of domestic spying, which is governed by a secret court and overseen by a presidential board that does not publicize its deliberations. The records are also emerging as the House and Senate battle over whether to put new restrictions on the controversial USA Patriot Act, which made it easier for the government to conduct secret searches and surveillance but has come under attack from civil liberties groups.

The records were provided to The Washington Post by the Electronic Privacy Information Center, an advocacy group that has sued the Justice Department for records relating to the Patriot Act.

David Sobel, EPIC's general counsel, said the new documents raise questions about the extent of possible misconduct in counterintelligence investigations and underscore the need for greater congressional oversight of clandestine surveillance within the United States.

"We're seeing what might be the tip of the iceberg at the FBI and across the intelligence community," Sobel said. "It indicates that the existing mechanisms do not appear adequate to prevent abuses or to ensure the public that abuses that are identified are treated seriously and remedied."

Police Association of Ontario doesn't want to name names

The Police Association of Ontario is floating a proposal that police officers not wear any indication of their names, only their badge numbers. The PAO cites officer privacy as the issue, but others say that the move further removes the police from the communities they serve and make it harder to keep track of abusive cops. See: CBC Ottawa - Police Association balks at officer nametags.

Michael Geist: Government Caves to Lobbyists on Do-Not-Call Legislation

Michael Geist continues to chronicle the journey of the proposed "Do Not Call" law through the legislative sausage factory:

Michael Geist - Government Caves to Lobbyists on Do-Not-Call Legislation:

"Appeared in the Toronto Star on October 24, 2005 as Ottawa Caves to Lobbyists on Do-Not-Call Law Sometime this week - possibly as soon as later today - the House of Commons will proceed to pass do-not-call legislation by giving Bill C-37 its third and final reading. While officials from all parties will likely point proudly to the new law as evidence that government can respond to the concerns of Canadians, the reality is that the bill has devolved into an embarrassing shell of its original self, rendered practically useless under the onslaught of lobby groups determined to thwart any attempt to limit their ability to call consumers at all hours of the day."

Privacy and Insurance Claims

I was recently invited by the Canadian Bar Association - Nova Scotia's Insurance Law subsection to give a presentation on privacy laws and insurance claims, focusing on where we are now that PIPEDA has been in force for almost two years. The two principal themes were video surveillance and access to the claims file. You can download a pdf of the presentation here if you are interested: Privacy and Insurance Claims.

Sunday, October 23, 2005

Identity thieves target student aid funds

Marketwatch reports that student aid programs are under increasing attack by identity thieves who see a big pot of money, much of which is acessible online: College-aid money means big bucks for identity thieves - Financial - General News - Internet Services - Financial Services - Internet - Personal Finance.

Colleges Protest Call to Upgrade Online Systems

I wrote recently about the prospect of VoIP companies having to build-in law enforcement tapping abilities into their systems (The Canadian Privacy Law Blog: Internet bugging may dictate technolgies and call-routing for VoIP services). The rule change also apparently applies to Universities in the US, who are not happy about having to spend untold thousands of dollars to modify their systems: Colleges Protest Call to Upgrade Online Systems - New York Times

W-Five feature on personal information theft and fraud

Last night (and this afternoon) was the season premiere of CTV's investigative news program, W-Five. The second feature on the show was about the theft of and trafficking in personal information that occurs in Canada and the United States. It chonicled a Canadian connection to the infamous Shadowcrew bust in the US and the efforts to two local police departments to deal with the Canadian angle. The RCMP refused to appear on camera but wrote to the reporters that they did not deal with it because of a lack of resources. Not a high priority, the reporter inferred.

The story also featured an interview with the Minister of Industry, David Emerson who was obviously very uncomfortable. A data theft disclosure law is not a priority of the Canadian government and he expects Canadian companies will consistenly do the right thing by letting customers know if their information is compromised:

A disclosure law is being considered in Ontario, but on the federal level, virtually nothing. We spoke to the man responsible, Industry Minister David Emerson, who admitted he didn't really know how many Canadian companies have been breached or how many Canadians have had their information stolen.

"We don't know with precision, let me put it that way," said Emerson. "We know in an approximate way."

Though Emerson admits the impact of the crime is huge, he also says the legislation just isn't a priority for the governing Liberals. But not to worry, he says, most companies will do the right thing.

"I would say that there are many more cases of companies who have properly notified their customers than there are companies who have not," says Emerson.

But, Emerson admits, he doesn't know for sure.

Read the summary of the feature here: No One's Safe

You can also see the video, starting at about 12:30 in the broadcast: click here. Video should open in Windows Media Player.

Saturday, October 22, 2005

PIPEDA doesn't pip PI's video in court, Privacy Commissioner finds has written a little article about the recent finding from the Assistant Privacy Commissioner related to video surveillance. I advised the insurer in this case and wrote about it earlier (The Canadian Privacy Law Blog: Assistant Privacy Commissioner concludes that initiating a lawsuit is implied consent to video surveillance). See the article here: PIPEDA doesn't pip PI's video in court, Privacy Commissioner finds.

Big brother at the POS: Tracking your kid's school cafeteria meals

A central Ohio school board received a series of presentations for replacing the check-out systems at school cafeterias. Usually not newsworthy, but some of the proposed systems include the ability to alert kids that their meals contain ingredients to which they are allergic and a function to report back to parents what their kids are eating. There is also a "privacy protection" feature being advertised: the system will make harder for kids to tell which student is getting a subsidised or free meal.

Interesting: School eyes lunch systems to protect privacy, track eating.

Incident: Georgia state employee said to have downloaded records of 465,000 drivers and state employees

A former employee of the State of Georgia has been fired and charged with computer trespass and theft after logs (allegedly) showed that he had downloaded drivers and employee records of almost half a million people to his home computer. The former employee and computer programmer had been involved in a project with that data, but logs showed the activity after the project was over. The databases included addresses and social security numbers. The State of Georgia is sending letters to all the affected people: The state of Georgia is sending letters to 465,000 drivers and state employees, warning that they may be at risk for identity theft.

Friday, October 21, 2005

How to check your customer is over 18 and still alive

Pinsent Mason's Out-Law (a great source of IT law news) is pointing to an interesting new service designed to fight credit card fraud. The service, offered by Metacharge, apparently verifies information related to credit card customers for online clients that are at a high risk of fraud. Metacharge checks whether the authorized holder of the card is a live adult and also tracks the IP address of the customer to see whether they are connected from their expected origin. If you are trying to gamble online while connected from Nigeria and Malaysia, you may be cut off. If you're dead, the consequences may be worse. See: How to check your customer is over 18 and still alive | OUT-LAW.COM.

Western students' personal data, including SINs, posted on Internet

Thanks to David Canton for e-mailing me about this story out of the University of Western Ontario: It appears that someone posted a listing of graduate students who had applied for scholarships on a web server. The information included names, social insurance numbers and whether they had been successful in previous competitions. The university has sent letters to the thousand affected students, informing them that the info was online and had been taken down. In the meantime, it had been indexed (and presumably cached) by Google and viewed at least fourteen times. Concerned students are being told to place a fraud alert on their credit files. See London Free Press - City & Region - Students' personal data posted on Internet in error. Also, check out David Canton's post: eLegal Canton: UWO student personal data posted on Internet.

PIPEDA Case Summary #315: Web-centred company's safeguards and handling of access request and privacy complaint questioned (August 9, 2005)

The Office of the Privacy Commissioner just released a finding related to a free e-mail provider's PIPEDA compliance, particularly with respect to access, security and challenging compliance. The complainant thought her estranged husband had been accessing her e-mail and was responsible for changing her password on a number of occasions. Trying to deal with customer service people at the e-mail provider proved fruitless and the Assistant Commissioner found that the company was not in compliance with Principle 10 of PIPEDA, which requires that any complaints be escalated to the company's privacy officer. The Assistant Commissioner also concluded that the IP address of the person who had been resetting her password might be information about a third-party, but the company could release it to the complainant becuase it could not be linked to a third-party without the assistance of the ISP involved. Finally, the Assistant Commissioner concluded that the company could not be faulted for inadequate security because the customer didn't follow the instructions to make her own password and "personal question" more secure. Read the full finding here: Commissioner's Findings - PIPEDA Case Summary #315: Web-centred company's safeguards and handling of access request and privacy complaint questioned (August 9, 2005).

PIPEDA Case Summary #314: Insurance company denies access to personal information in statement of claim (August 9, 2005)

The Office of the Privacy Commissioner has just posted to its website a finding related to a complaint filed by an insured under an automobile policy who was looking for information about a claim that has been filed by a third party related to damage to a motor vehicle. Though the insurer settled the claim, the insured disputed whether she was at fault.

The insurer refused to provide the insured with access to the particulars of the claim because, in its view, it contained personal information about the claimant. That information, it argued, could not be disclosed without consent under PIPEDA. The insurer attempted to get this consent and was not able to do so.

The insured enlisted the help of the province's superintendent of Insurance but to no avail. She then complained to the Privacy Commissioner that she was denied access to her personal information under Principle 9 of PIPEDA.

The Privacy Commissioner concluded that the third-party personal information should have been severed from the records and the remainder provided to the insured:

Commissioner Findings - PIPEDA Case Summary #314: Insurance company denies access to personal information in statement of claim (August 9, 2005)

Application: Principle 4.9 states that upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate. An exception to access is included in subsection 9(1), which states that an organization shall not give an individual access to personal information if doing so would likely reveal personal information about a third party. However, if the information about the third party is severable from the record containing the information about the individual, the organization shall sever the information about the third party before giving the individual access.

In making her determinations, the Assistant Privacy Commissioner deliberated as follows:

  • Based on her review of the statement of claim in question, the Assistant Commissioner was of the opinion that some of the information in the statement of claim was the complainant personal information.
  • While she noted that the statement also contained the third party claimant's personal information, this information could be severed in the manner described in subsection 9(1), and the complainant personal information provided to her.
  • As this had not been done, and instead the complainant was denied access to the entire document, the Assistant Commissioner determined that the insurance company had denied the complainant access to her personal information, contrary to Principle 4.9.

The Assistant Commissioner concluded that the complaint was well-founded.

I have some questions about this that are not dealt with in the published finding. First, it refers simply to the "statement of claim". If it is a statement of claim filed in a lawsuit, it's a public document that the complainant can get in other ways and you can likely imply consent to its disclosure. Secondly, and perhaps more importantly, is that the finding does not address any aspects of agency between the insurer and the insured. The insurer is simply the agent of the insured. The information collected and held by the insurer is done on the behalf of the insured. Using principles of agency, the information (arguably) is constructively held by the insured herself. The insured would have the ability and right to that information under agency principles, regardless of PIPEDA. I don't know if this argument was ever raised before the Assistant Commissioner, but I'd be interested to see whether it would fly.

Google Files for Behavioral Targeting Patents

Thanks to Michael Zimmer for a recent posting on his Thinking About Technology blog, which points to two pending Google patents.

When Gmail first came out, many commentators found the idea of targeted advertising based on keywords in e-mail messages to be weird and intrusive. (See Gmail Privacy FAQ from EPIC, Thirty-One Privacy and Civil Liberties Organizations Urge Google to Suspect Gmail, Gmail is too creepy.) The new technology that Google is working on would target ads to users based on searches and websites that the user has visited in the past.

From the pending applications:

United States Patent Application: 0050222901:

"Determining ad targeting information and/or ad creative information using past search queries


Ad information, such as ad targeting keywords and/or ad creative content for example, may be determined using aggregated selected document-to-query information associations. For example, popular terms and/or phrases also associated with a selected document may be used as ad targeting keywords and/or ad creative content for an ad having the document as a landing page. Query information may be tracked on a per document level, a per domain level, etc. The determined ad information may be used to automatically populate an ad record, or may be provided to an advertiser as suggested or recommended ad information. "

United States Patent Application: 0050222989:

"Results based personalization of advertisements in a search engine


Personalized advertisements are provided to a user using a search engine to obtain documents relevant to a search query. The advertisements are personalized in response to a search profile that is derived from personalized search results. The search results are personalized based on a user profile of the user providing the query. The user profile describes interests of the user, and can be derived from a variety of sources, including prior search queries, prior search results, expressed interests, demographic, geographic, psychographic, and activity information. "

Read Michael Zimmer's posting here: Thinking About Technology: Google Files for Behavioral Targeting Patents.

Thursday, October 20, 2005

Internet bugging may dictate technolgies and call-routing for VoIP services

While Canadians are fretting over lawful access, our friends south of the border are dealing with the second generation, or rather an extension of the rules begun with the Communications Assistance to Law Enforcement Act. CALEA, as it is called, required telecommunications companies to build-in wiretapping capabilities. A recent set of rules published by the Federal Communications Commission extends that wiretapability requirement to VoIP providers. Any company that provides a service that connects calls to or from the traditional phone system is required to provide central bugging features for law enforcement.

Wired News is asking where that leaves VoIP companies that use a peer-to-peer model. These providers don't route calls centrally so there is no easy place to intercept the calls. And the rules apply to all calls on the system, not just those that go to or from traditional switches. According to the regs, that's no excuse.

This may be a case where law enforcement access requirements will be dictating the technology that a company can use. Read more: Wired News: Furor Grows Over Internet Bugging.

Schneier on Private Webcams and the Police

Since the Conrona (Southern California) Chamber of Commerce and the local police have begun asking local businesses to provide law enforcement with access to the feeds from local businesses' web-enabled security cameras, Bruce Schneier asks how long it will be before a law is passed requiring a backdoor for police?: Schneier on Security: Private Webcams and the Police.

"Lawful access" to the next level? "We're just keeping up with technology. In the olden days, we'd be able to post a cop in front of your store so this is no different ..."

Privacy Commissioner considers USA Patriot Act / Outsourcing complaints against Canadian bank

Not too long ago, the Canadian Imperial Bank of Commerce gave the users of the bank's Visa card notice that processing of account information may take place in the United States, which would make the information accessible to US law enforcement and intelligence officials. This caused a relatively minor stink in the press but did result in a number of complaints to the Office of the Privacy Commissioner of Canada.

Today, the Assistant Commissioner has released her finding related to these complaints and has found that there is nothing in PIPEDA which prevents oursourcing such as this or that requires getting consent for the processing of personal information by third-party service providers. There was some question of whether CIBC appeared to offer an opt-out option. With respect to the cross-border outsourcing issue, there is again no requirement to get consent from the customer. The company has to use contractual means to make sure that the information has a comparable level of protection, but the existence of the USA Patriot Act doesn't mean that you can't have comparable protection in the US. (Canada has similar legislation that has garnered less attention.) Personal information is equally vulnerable to disclosure to law enforcement, whether it is located north or south of the Canada-US border.

The Assistant Commissioner did state that companies that do outsource the processing of personal information are under an affirmative duty to inform their customers. While the customer cannot "opt out" of the outsourcing, they can choose not to do business with the company.

Read the full finding here: Commissioner's Findings - PIPEDA Case Summary #313: Bank's notification to customers triggers PATRIOT Act concerns (October 19, 2005).

Michael Geist has a comment here: Michael Geist - Canadian Privacy Commissioner Denies PATRIOT Act Complaints.

CIPPIC also has a thing or two to say: Privacy Commissioner OKs outsourcing to US.

Incident: Personal information of Vermont Tech students internet-accessible for over a year

Another university-related privacy/security breach:

Personal information on Vermont Tech students ends up on the Internet

Vermont Technical College's entire student body had their names, addresses, Social Security numbers and academic information inadvertently posted on the Internet by a college staff member more than a year ago, and the records remained publicly accessible until last week, Vermont Tech officials said Wednesday.

A former Vermont Tech student happened upon the 2003 student information last week after using the search engine Google to look up his own name, Vermont Tech President Allan Rodgers said. The college, which notified Google and removed the information from the college computer server on which it was stored, is contacting all 1,100 students whose private information was likely available on the Internet since January 2004.

"We have taken swift steps to secure the information and to remove the data from the Vermont Tech server and from other sources," Rodgers wrote in an Oct. 12 e-mail to students and alumni. "We regret this incident, and we are reviewing our security practices, policies and employee training."

A Vermont Tech employee who coordinates the college's tutoring services was responsible for the error, Rodgers said. The staff member, he said, attempted to electronically submit the student information over a privately secured computer drive but inadvertently sent it to a publicly accessible college Web site.

The information included student names; ethnicity; Social Security numbers; addresses; and student identification numbers. Academic information, including SAT scores and academic standings, were also part of the compromised data.

"This is the first time we've been aware that this information could be accessed," Rodgers said, referring to the former student's Internet discovery. Rodgers said he has since spoken to one or two students who are curious about what happened and how the college will follow up on it.

Rodgers said all Vermont Tech employees, including the employee who made the error, will receive additional training on computer network security.

"People have to have access to information in order to do their jobs, and we need to make them understand what is secure and what is an unsecured venue for information transmission," Rodgers said.

While there is no indication that any of the Vermont Tech information was lifted off the Internet by identity thieves, the possibility that such a thing could happen is very real, said Gary Kessler, an associate professor at Champlain College and director of its information security program.

Kessler said universities and colleges, with their vast computer networks and wealth of sensitive data, might be particularly vulnerable to hackers. The University of California, San Diego, and the University of Texas at Austin, he said, are among the growing number of institutions that have fallen victim to identity thieves.

Champlain College recently spent millions of dollars on a new administrative student database system that includes state-of-the-art security. As part of the new system, only specific employees may access private data, such as Social Security numbers.

"With the new system at Champlain, I cannot get Social Security numbers of my students. I can't even accidentally disclose the information," Kessler said. "The only people that generally require Social Security numbers are dealing with financial aid."

Wednesday, October 19, 2005

Privacy Commissioner of Canada to appear before House of Commons Standing Committee on Access to Information, Privacy and Ethics

From the Federal Government's principal website:

Privacy Commissioner of Canada to appear before House of Commons Standing Committee on Access to Information, Privacy and Ethics

The Privacy Commissioner of Canada, Jennifer Stoddart, will be appearing before the House of Commons Committee to discuss her Office's Annual Reports tabled recently in Parliament - the 2004-2005 Annual Report on the Privacy Act and the 2004 Annual Report on the Personal Information Protection and Electronic Documents Act.

Date: Thursday, October 20, 2005
Time: 11:00 a.m. to 2:00 p.m.
Location: Room 253-D, Centre Block, Ottawa

Card skimmer? We don't need no stinking card skimmer.

While card skimming is obviously a problem and a threat (The Canadian Privacy Law Blog: Bank card skimming arrest in Nova Scotia), what many people don't realize is that all that is encoded on your average debit card magnetic strip is the card number. Your card number and your PIN are all that are needed to recreate an exact copy of your card and raid your accounts. Companies that continue to put the full debit card number on receipts are making it easy for anyone who finds that receipt to completely recreate your card. Criminal clerks at stores don't even need to skim your card to rip you off. Their employer helps them do it.

Bank card skimming arrest in Nova Scotia

A special Halifax Police/RCMP task force has recently made an arrest in Halifax in connection with a suspected card skimming operation. It is alleged that an employee at a gas station double-swiped customers' bank cards, first in the normal card terminal and then in a card reader, to capture card data. Then, the PIN entry was observed. This information was used to create new cards, which were then used by the fraudsters. Police say the scam may have had up to 400 victims: Latest charges bring total to 85 in bank card scam.

Monday, October 17, 2005

Banks told to strengthen authentication for online account access

According to Reuters, the Federal Financial Institutions Examination Council has told US banks to switch to two-factor authentication to prevent account hijacking. Two-factor authentication, which usually involves biometrics, challenge/response queries or secondary PINS generated by key-chain or card-based gizmos, are hoped to minimise the threat posed by intercepting passwords or phishing attacks. Banks will have just over a year to implement the requirements: Banks to strengthen Web log-ons to thwart ID theft - Yahoo! News.

EFF cracks hidden snitch codes in color laser prints

The Electronic Frontier Foundation started a project some time ago to decode the hidden tracking information that certain colour laser printers embed in documents. The results are out and EFF's findings are rather interesting. The info is hidden in small yellow dots that are too pale for the human eye to readily discern, but are visible under magnification and blue light. EFF reports here: EFF: DocuColor Tracking Dot Decoding Guide.

Thanks to Boing Boing for the link.

Screw-ups are the most common cause of privacy breaches

While evil hackers are often portrayed as the gravest threat to personal privacy, Bob Sullivan at MSNBC writes that screwups and lax policies are the leading cause of information leaks. Read it here: Surprise! You're exposed - Security -

Also check out Accidents Happen | - Privacy Law and Data Protection for discussion of the MSNBC article.

Perusing marketing list catalogs to check on privacy policy compliance

Chris Hoffnagle at EPIC West must be a voracious reader of marketing publications. He regularly blogs about the kinds of marketing lists that brokers of such things are selling. Today, he checks out the offering of's customer list and how it stacks up to their online privacy policy. Something doesn't add up, he concludes: EPIC West: Electronic Privacy Information Center West Coast Office: Violating its Privacy Policy?

Privacy Protection Requires Action Not Rhetoric

Michael Geist's most recent Law Bytes article says that we are facing a privacy crisis evidenced by the new "lawful access" snooping powers and the Federal Privacy Commissioner's lack of effective enforcement powers. Read it here: Michael Geist - Privacy Protection Requires Action Not Rhetoric.

Leading US spammer shut down by the FBI

From the Associated Press, via Yahoo! News:

FBI Raid Shuts Down Suspected Spammer - Yahoo! News:

"WEST BLOOMFIELD, Mich. - A man described as one of the nation's leading senders of spam says an FBI raid on his home office has halted his e-mail operation.

Warrants unsealed last week show that a September raid on Alan M. Ralsky's home in a Detroit suburb included the seizure of financial records, computers and disks.

'We're out of business at this point in time,' Ralsky said. 'They didn't shut us down. They took all our equipment, which had the effect of shutting us down.'

Terry Berg, the top deputy in the Detroit U.S. attorney's office, declined to comment.

Ralsky, 60, has said that he has 150 million or more e-mail addresses, and he has been a target of anti-spam efforts for years.

Verizon Communications Inc. sued him in 2001, saying he shut down its networks with millions of e-mail solicitations. He settled, promising not to send spam on its networks.

A federal law that took effect last year bans use of misleading subject lines and the sending of commercial e-mail messages that appear to be from friends. It also bans use of multiple e-mail addresses or domain names to hide senders' identities."

Spyware can constitute illegal trespass on home computers

A Federal Court in Chicago has held that spyware makers may be subject to liability for trespass to chattels. In a motion to dismiss before trial, the judge in Sotelo v. DirectRevenue held that there was at least an arguable case that this legal doctrine may apply: - Spyware can constitute illegal trespass on home computers:

"... The defendants filed a motion to dismiss the trespass to chattels cause of action, arguing that the traditional legal elements pertaining to this type of claim were not met in this new setting. While the court acknowledged that this historical legal doctrine over time has applied to personal property (such as damaging or stealing a person's bicycle), the court nevertheless denied the motion, allowing the cause of action to proceed to later trial.

First, the court found that this type of trespass cause action does not require loss of personal property. Instead, 'interference' is sufficient. The court then took the leap to hold that interference with the use of a home computer is enough to maintain a claim for trespass to chattels.

Because the plaintiff's complaint alleged that computer use had been hindered, slowed down and bombarded with pop-up advertisements, enough interference had been asserted for the case to proceed on this cause of action.

In sum, and in the words of the court: 'Simply put, plaintiff alleges that Spyware interfered with and damaged his personal property, namely his computer and Internet connection, by over-burdening their resources and diminishing their functioning. Accordingly, the court denies (the) motion to dismiss (the) trespass to chattels cause of action.'"

Thanks to Privacy Digest for the link.

Sunday, October 16, 2005

Identity theft on the rise in the UK as householders bin their bills

The Telegraph of London is reporting on identity theft in the United Kingdom. It includes some statistics related to practices that put UK citizens at risk of identity theft. Approximately 77% of trash bins in that country contain personal information and are easy pickings for "bin raiders". See: Telegraph | News | Identity theft on the rise as householders bin their bills.

Another suitor for CardSystems

First, CardSystems was circling the bowl: CardSystems threatened with extinction due to Visa and AMEX termination.

Then, CardSystems was being bought by CyberSource: Cardsystems assets being sold to CyberSource.

Then, CyberSource leaves CardSystems at the altar: CyberSource Terminates Negotiations with CardSystems.

Now, CardSystems is being wooed by Pay by Touch: Card Center Hit by Thieves Agrees to Sale (registration req'd).

Facial scans, digital fingerprints to be compiled for Canadian border security project

Canadian immigration authorities are making their first foray into using biometrics to keep track of refugees, immigrants and visitors to Canada. A pilot project is being implemented at border crossings in British Columbia and the Vancouver International Airport. The test will involve digital photos and fingerprints. At the moment it is only a pilot project, but is likely a sign of things to come. From the Canadian Press: Facial scans, digital fingerprints to be compiled for border security project - Yahoo! News.

Daily Show's Ed Helms on avoiding identity theft

I was just browsing the Daily Show with Jon Stewart's video archive and happened upon a handy-dandy video that's somewhat relevant to this blog: Ed Helms on Avoiding Identity Theft (Windows Media required). There may be something somewhat useful in there.

Watching Movies or Being Watched?

Mathew Englander just pointed me to an interesting comment on the Industrial Brand blog about the writer's experience at a screening at the Vancouver International Film Festival. The writer is more than a little perturbed by the aggressive, anti-piracy measures being taken at such screenings, which include pat-downs, scanning by a metal detector and -- la piece de resistance -- videotaping of the entire audience. He was told this is the new normal for film festival entries by the big studios. Read the blog entry here: Industrial Brand Creative Watching Movies or Being Watched?.

Activist against SSNs in online public records

Today's Arizona Daily Star has a profile of B.J. Ostergren, who has a mission to get social security numbers and other sensitive personal information out of public records that are made available (much of it online) by all levels of government. Her tactics include finding the SSNs of the powerful and posting them on her site:

Counties putting your private data online | The Arizona Daily Star

B.J. Ostergren, a Virginia activist, has fished out from the public records the Social Security numbers of dignitaries ranging from CIA Director Porter Goss to Florida Gov. Jeb Bush in an effort to persuade politicians of the dangers of posting the information online.

She's also ferreted out the Social Security number for Rep. Tom DeLay, R-Texas, which is mentioned on a 1980 tax lien the IRS filed against him. Local clerks dutifully filed the lien against DeLay's property with his local tax records because a lien is something that must be cleared up before the property can be sold.

In the past this information has been available for anyone willing to trek down to the courthouse and leaf through public land records or the proceedings of divorce courts. But thanks to the Internet age, public records are now put online to make it easier for anyone with a computer anywhere around the world to retrieve them.

"It's putting our country at great danger," said Ostergren, who has posted some of the Social Security numbers she's retrieved on her Web site at

Saturday, October 15, 2005

Privacy in the healthcare milieu

On Thursday night, I had the pleasure of giving a presentation alongside Nancy Milford (of the Nova Scotia Health Organizations Protective Assoc.) to the Nova Scotia Medical-Legal Society on issues related to consent and the release of patient information. The group is composed of lawyers and medical professionals who have an interest in health law. Almost all of them had very interesting questions on how PIPEDA is being applied (and should be applied) in the healthcare context. If you're interested in a copy of the materials, send me an e-mail at

CyberSource Terminates Negotiations with CardSystems

A press release put out today says that Cybersource has withdrawn its offer to purchase embattled CardSystems: CyberSource Terminates Negotiations with CardSystems: Financial News - Yahoo! Finance.

See, also, The Canadian Privacy Law Blog: Cardsystems assets being sold to CyberSource, et seq.

Pizza joints selling addresses and phone numbers to skip tracers

Chris Hoofnagle runs his own personal blog on privacy and also updates the EPIC West blog regularly.

He has recently posted about an ad that he saw in a publication for private investigators in California. Merlin Data is advertising that it can find you an address for an unlisted number, using information collected by pizza restaurants. See: EPIC West: Electronic Privacy Information Center West Coast Office: Merlin Selling Personal Info From Pizza Delivery Database.

(You may recall Merlin being mentioned on this blog in connection with a Choice Point-type incident: The Canadian Privacy Law Blog: Incident: Another data aggregator provides personal information to impostors.)

RFID interest group unveils privacy and and security position paper

The Association for Automatic Identification and Mobility (aka AIM) has released a position paper on RFID privacy and security. It sure has impressed Data Collection Online, which was a little bit breathless in its report on the position paper:

"The position paper, that also includes position statements on other important RFID issues, can be downloaded, at no cost, from the AIM Store from the following link:

As the professional association representing the full AIM community of providers and end users, AIM Global is uniquely positioned to deliver clear, unbiased, and credible information on auto ID technologies, a broad category of wireless data transmission and data capturing technologies, encompassing RFID."

I haven't read the position paper (more on that below), but I am not sure how you can say that the lobbying group of the RFID industry is "unbiased". Being unbiased suggests being disinterested, which those who make their livelihoods from the products being discussed really aren't. But I digress ...

Registration screen from aimglobal.orgThe document is available for free download from the documents section of the AIM Global website. I didn't download the document, simply because the process to do so involved filling out a huge form that requires information that many would consider intrusive. I just find such forms annoying, since there is no compelling reason given for why the information is necessary. There is no privacy policy and no statement of any kind related to how the information will be used. I am sure that they all mean well, but this registration requirement coupled with no privacy statement significantly undermines whatever their privacy experts have to say on RFID.

Online retail alliance set up to lobby on privacy, taxes and other online issues

Major online retailers, including eBay and Amazon, have joined forces to create an industry alliance to lobby congress and other legislators on issues such as privacy, internet access, taxation of online purchases and others. The publicity associated with the launch does not suggest the position they are likely to take on privacy, so stay tuned as the group will have its first meeting in the near future. See: TechWeb | E-Business | Major Online Retailers Form Lobbying Group.

Tracking cell phones for traffic data

The Missouri Department of Transportation has initiated a pilot project that will track cell-phones for traffic management purposes. The authorities say that there is nothing to worry about, since the signals will remain anonymous but privacy advocates like Daniel Solove see this as the thin edge of the wedge of electronic tracking of individuals. See: Tracking cell phones for traffic data.

Google updates its privacy policy

Thanks to Rob Hyndman for pointing out to me that Google has just updated its privacy policy. Rob notes that it has given notice of the update via the Official Google Blog:

Our ongoing privacy efforts

10/14/2005 04:28:00 PM
Posted by Nicole Wong, Associate General Counsel

We updated our privacy policy today. We know privacy is important to our users, and it's important to us, too. That's why we work hard to let people know how we collect and use personal information to provide our services. A clearly written privacy policy is part of this effort. In this update, most of the terms are the same, but there are two important differences:

First, we created a short, one-page "highlights" notice summarizing our privacy practices. We hope this is easy to digest and understand at a glance. Second, we provided even more detail about our privacy practices in the full-text privacy policy and lots more detail in the accompanying FAQs. The goal of both is to help you make informed choices about using our services.

Designing privacy protection and user choice into Google products is an ongoing effort. Please let us know how we're doing. Permalink

Thursday, October 13, 2005

Inconvenience could stop ID theft

The Star Herald of Kosciusko, Mississippi is suggesting that all business should check ID when customers use credit cards and cheques. This minor inconvenience would reduce the likelihood of ID theft and fraud: Inconvenience could stop ID theft.

Wednesday, October 12, 2005

The Impact of U.S. Law on Canadian IT Businesses

Canadian information technology companies are players on a global stage. Few large information technology projects are restricted to only one country and any venture into electronic commerce invariably crosses borders. No ambitious Canadian IT company is content to narrow its sights to the domestic market. Lawyers advising these businesses have always had to maintain an awareness of legal developments elsewhere but the last few years have brought with them a range of new laws that affect their southward-looking clients. No area of law has seen as much change at that touching upon the protection of personal information.

The one law that has received the greatest publicity and, perhaps, the greatest scrutiny, is the USA Patriot Act, which was passed by the Congress within two months of the terrorist attacks of September 11, 2001. This law does not single out the technology industry but a number of its provisions have had a particular impact on cross-border services, regardless of the direction in which those services flow. Section 505 of the USA Patriot Act short-circuits ordinary search warrant requirements and allows the Federal Bureau of Investigation to have access to records such as financial records, credit reports, ISP logs and transactional records for intelligence, counter-intelligence and anti-terrorism purposes by use of a “national security letter”. The recipient of a national security letter is required to hand over the information requested and is specifically precluded from informing the individual concerned that the US government has sought access to the information. When information on Canadians is within the jurisdiction of the United States, privacy advocates fear that this information will be too-readily made available to law enforcement, who are able to dispense with the usual “probable cause” requirements. Information in the custody of a US company (or a subsidiary) in Canada may be within the Act’s jurisdiction.

In May of 2004, the Information and Privacy Commissioner of British Columbia initiated a public consultation on whether these provisions of the USA Patriot Act would infringe upon the privacy of British Columbians following an announcement by the BC Government that it would outsource the processing of medicare claims to a Canadian subsidiary of a US company. The request for submissions resulted in more than five hundred contributions from individuals and organizations throughout Canada.

As was pointed out in a number of submissions to the BC Commissioner, personal information has always been available for law enforcement, intelligence and anti-terrorism investigations, regardless of where the information actually resides. The principal effect of the BC Commissioner’s report was to shine a spotlight on the cross-border sharing of personal information and to raise awareness – some might say paranoia – about Canadian personal information being stored in the United States. The attention to the issue spawned significant changes to the BC public sector privacy law and put government outsourcing under the microscope. Many outsourcing customers, government included, are now including language to prohibit the transfer of personal information outside of Canada, and in some cases outside the home province of the customer.

Legal changes in California’s privacy laws are spilling over to other states and are having an impact upon Canadian technology companies. California’s trail-blazing consumer privacy law, which has been followed in a number of US states, requires that organizations notify affected individuals whose personal information may have been compromised or accidentally disclosed. The California law is intended to operate extra-territorially. These laws not only place the company in the uncomfortable position of having to notify customers, but also provide penalties for failing to do so. The California law in particular has prompted the recent deluge of public disclosures of privacy and security breaches in the United States and has also increased consumer expectations on both sides of the border. Similar provisions have found their way into Ontario’s relatively new Personal Health Information Protection Act and the concept of mandatory notification will undoubtedly be considered as part of the five year review of the Personal Information Protection and Electronic Documents Act.

In an era in which privacy and security are perceived to be clashing on a regular basis and in which identity theft is characterized as one of the fastest-growing crimes, it should not be surprising that technology lawyers have to grapple with privacy on a more regular basis as both a customer-relations issue and as a significant regulatory concern. At least a baseline knowledge of the legal regimes on both sides of the border are necessary to get a sense of the big picture for advising clients.

This article originally appeared in the Oct 7, 2005, issue of The Lawyers Weekly

Martin defends new wiretap bill

Prime Minister Paul Martin says that the proposed new wiretap law will protect the civil rights of Canadians, but that's hard to evaluate since the bill hasn't been publicly produced. Regardless, the opposition is up in arms: Globetechnology: Martin defends new wiretap bill.

Liability and Pharmacy Practice

I've been invited to speak on October 30 at the Fall Refresher for the Nova Scotia College of Pharmacists on privacy liability and pharmacy practice. The brochure for the full, two-day event is available here. If you are interested in the presentation materials, e-mail me at

Meth addiction and identity theft

Police in Rochester, Washington held a public forum recently and reinforced the connection between identity theft and addiction to methamphetamines:

Identity theft worse; don't let yourself be yet another victim

“Rochester is kind of unique: They not only steal your garbage, but your entire garbage can,” said detective Sgt. Jim Dunn in discussing new kinds of identity theft. He and detective Roland Weiss described the many kinds of identity crimes, including a woman with a baby stroller loading up from mailboxes she passes.

Our state is eighth in the nation for identity theft and it’s an exploding problem, they said.

And, chillingly, they linked the high incidence here to another huge crime problem we have in Lewis and Thurston counties and surrounding areas — methamphetamine use and abuse. Meth users not only need the money they obtain from identity theft to finance their drug addiction, when they are high on it they find new and clever ways to steal, Dunn said.

You’ve heard of meth labs — now there’s identify theft labs, temporary quarters found in hotel rooms, for example, where all the tools needed for buying, selling and exchanging personal information have been found.

Thanks to Identity Theft Spy for the link.

Tuesday, October 11, 2005 error floods man with faxes

A typo in the fax number printed on certain invoices has sent a flood of faxes related to corporate credit accounts to the fax machine of a Seattle small business. Reminiscent of the CIBC faxing incident we've see here in Canada: The Seattle Times: Business & Technology: error floods man with faxes. The most interesting aspect of the story is how difficult it was for the poor guy who received the faxes to get Amazon's attention.

Thanks to Rob Hyndman for the pointer: - Privacy Breaches and Fax Floods, Redux.

Identity theft? Culprit is likely a friend or relative

According to a study recently reported in the Arizona Republic, a significant portion of "identity" fraud is committed by people known to the victims and most fraudsters who are not known to the victim get their information using low-tech means:

Identity theft? Culprit is likely a friend or relative:

"...According to one recent study, by Javelin Strategy & Research, a consulting firm in Pleasanton, Calif., in 26 percent of all cases the fraud victims knew the person who had misused their personal information. (Typically it was a family member, friend or neighbor, or in-home employee.) In addition, as much as 50 percent of debit-card fraud occurs when a card is snagged by a family member or friend who knows the card's personal-identification number, according to a recent report from TowerGroup, a unit of MasterCard International Inc.

The term 'identity theft' is often used loosely to describe a wide array of crimes. But true identity theft occurs when someone uses stolen information to create a new form of identity, such as opening a new credit-card account under the victim's name. That differs significantly from other kinds of bank fraud, such as when a criminal uses a stolen ATM card to get cash out of a teller machine.

Whether it's full-blown ID theft or small-scale fraud, even in cases where the criminal is a stranger, it's almost never a case of sophisticated computer hacking. Although 75 percent of all households use the Internet and 65 percent of those do some online banking, 'most criminals obtain personal information through traditional rather than electronic channels,' according to the Javelin study. Some 29 percent of victims surveyed said their personal information was obtained through a lost or stolen wallet, checkbook or credit card.

According to the study, the bulk of the rest were attributed to friends and relatives, corrupt employees, stolen mail, Dumpster-diving, and computer spyware. Computer viruses or hackers accounted for only 2.2 percent of incidents. While there has been a significant increase in the number of electronic attempts at identity theft, "the ones that are working are the traditional ones," said James Van Dyke, Javelin's president...."

IBM to Put Genetic Data of Workers Off Limits

According to the New York Times, IBM is the first major corporation to make a commitment to its 300K employees that it will not use genetic information to determine eligiblity for employment or employment benefits, such as health plans. See: I.B.M. to Put Genetic Data of Workers Off Limits - New York Times.

Monday, October 10, 2005

For Victims, Repairing ID Theft Can Be Grueling

The New York Times from October 1, 2005 has a very good and very in-depth article on the effect of identity theft on its victims. The article also outlines some scarily clever ways that fraudsters are wringing money out of unsuspecting victims, including bogus income tax refunds. Read it here: For Victims, Repairing ID Theft Can Be Grueling - New York Times.

Access Commissioner redrafts ATI Act

Ken Rubin, an access to information advocate, writes in the Hill Times about the latest wrangling over access to information and law reform in Ottawa:

Access Commissioner John Reid produces his own access bill :

Justice Minister Irwin Cotler has been promising a draft government access bill to the House Access to Information Committee, but has so far not delivered. So Access Commissioner John Reid produced his own.

Sunday, October 09, 2005

Air Miles should be about data mining, not mass appeal

The President of the Air Miles program in Canada recently spoke in Vancouver, suggesting that retailers are missing out on the true benefit of his loyalty program. It's not being able to say "hey, we give you Air Miles so shop here", but rather to build a more intimate relationship with your customers (via data mining):

Retailers missing the point of loyalty reward programs, Air Miles head says - Yahoo! News

VANCOUVER (CP) - Retailers have lost their way and have become too focused on using loyalty reward programs as a currency to attract customers, says the president of Air Miles.

Bryan Pearson says most retailers are neglecting the wealth of shopper data that is collected by the programs that could be used to better market to their customers, which was one of the purposes the program was created in the first place.

"Points are really viewed as discounts or an alternative way to get something extra and that's not a bad thing, but I'm not sure it's sustainable in the long run," Pearson said in an interview Thursday.

Court: Federal Law Bans Text-Message Spam

An Arizona appeals court has held that unsolicited text messages to a cell phone violate a federal anti-telemarketing law originally aimed at voice calls. See Court: Federal Law Bans Text-Message Spam - Mobile News - Designtechnica.

On website, women identify cheaters

It may be hard to have sympathy for the privacy of the people listed on this website, but ...

A Miami woman has produced what is becoming a popular website for women to alert other women to cheating husbands, boyfriends, etc. At, members can upload photos and details about men they think have cheated on them. Interestingly, their privacy policy has nothing to say about the information of the people listed on the site.

For info, check out the article in the Miami Herald: | 09/28/2005 | On website, women identify cheaters.

Boston's big brother on bulk beer buys

Sorry. Couldn't resist that headline.

City authorities in Boston are planning to require all beer vendors to send the names and particulars of everyone who buys a keg of beer in the city to the local police, so that the cops can drop by parties to check on how things are going. The privacy acspect of this commented upon, albeit briefly: U.S.:

Big Brother' Watching

``Big Brother is watching,'' [Boston Detective Tom Sexton] said, in a reference to the George Orwell novel ``1984.'' ``I guess in some respects we are. But we're doing so for good reasons.''

Invasion-of-privacy arguments don't hold up, [Boston Licensing Board Chairman] Pokaski said.

``There's no privacy when alcohol is concerned because it is a highly regulated commodity,'' he said.

Temporary credit cards to foil frausters

Newsday is running an article from the Washington Post on the availability, through certain card issuers, of temporary credit card numbers for online or over-the-phone purchases. The service is designed to assuage the common fears associated with using credit cards online: Gaining peace of mind when shopping online.

Incident: Video outlet dumps piles of sensitive personal information on the sidewalk in New York

A closed Blockbuster video outlet reportedly dumped piles of membership application forms on a sidewalk. The forms contained very sensitive information that would be more than enough to give an identity thief a good run at the video store's members: name, address, social security number, phone number, credit card and expiry and other information. From the New York Daily News:

It's fraud gold mine

East Side Blockbuster dumps customers' records on street



Blockbuster forms on sidewalk with credit card numbers.

A shuttered Blockbuster video store carelessly dumped hundreds of files containing customers' Social Security and credit card numbers on a busy upper East Side sidewalk.

The Daily News discovered the stacks of confidential paperwork - a gold mine for scam artists - scattered like ordinary litter on Lexington Ave. near 85th St. on Thursday.

The trash pile included recent membership applications, each revealing the customer's birth date, address, phone number, driver's license number and signature.

More alarming, each application also contained a credit card number and expiration date, and many included a Social Security number.

"That makes me really mad," Kerry Norton, 29, a city teacher told The News after learning that her personal data had been left on the street for anyone to take.

"It's horrendous. You would think you could trust a big company like that. They should have shredded them."

Rebecca Pruthi, a 32-year-old doctor, said she was "disturbed" that a major corporation would fail to take basic steps to protect customers' privacy.

"I make sure my garbage at home is shredded," she said. "People do go through garbage on the street in New York, and this could have been dangerous."

Privacy expert Eric Gertler agreed. He said in the information age anyone who disposes of records without shredding is flirting with disaster.

"In the wrong hands, the information is very valuable to identity thieves, scammers, hackers and other bad guys," said Gertler, author of "Prying Eyes" and CEO of Blackbook Media.

For instance, a thief could use the credit card and address information to order merchandise online - a scam that might go unnoticed until the victim got their next bill.

With a Social Security number, a crook could do even more damage, essentially assuming the victim's identity and applying for loans, credit cards and cell phones in their name.

"In the wrong hands, your personal information is gold," Gertler said. "There's no question that these customers were at risk."

Blockbuster's corporate headquarters said it was investigating the breach and would discipline the employee responsible.

"Our corporate policy is applications must be safely secure under lock and key and must be destroyed when no longer kept on file," spokesman Randy Hargrove said.

"Our top concern is the privacy of our customers and we believe what you are reporting to us is an isolated incident."

The manager of the Lexington Ave. branch, who declined to give his name, blamed the Sanitation Department for failing to pick up the trash Thursday.

But he couldn't explain why the applications weren't shredded and were instead left in clear garbage bags after the store shut it doors for good.

He also could not say why he didn't haul the files back inside after the bags broke open, spilling the papers on the sidewalk.

"It's appalling," said upper East Side resident Deborah Glass, 46, another Blockbuster patron. "I can't believe it."

Originally published on October 8, 2005

Privacy concerns, expense keep fingerprinting, eye scans out of U.S. ATMs

The technology currently exists to replace PINs with supposedly unbreakable biometrics, such as fingerprint and retina scans. It is being used in other countries, but it has yet to break into the North American market due to the privacy concerns associated with using such data and the expense involved in replacing or upgrading the thousands of ATMs around. From the Associated Press: AP Wire | 10/09/2005 | Privacy concerns, expense keep fingerprinting, eye scans out of U.S. ATMs.

Looking-glass world of privacy policies

Today's San Francisco Chronicle has a column by David Lazarus about the difficulties in not only understanding some companies' privacy policies, but also knowing which applies as financial companies merge, sell accounts and outsource:

Looking-glass world of privacy policies:

"Companies do so much bed hopping, it's hard to keep track of who's sleeping with whom, much less which firm's privacy policy is in force for consumers at any particular time. "

Lazarus quotes a particularly sketchy policy, which essentially means the company will do everything it can legally do with your info. In the US, that's a lot of stuff:

"We do not disclose any nonpublic, personal information about our introduced customers or introduced former customers to anyone except as permitted by law."

That just wouldn't fly under PIPEDA.

Saturday, October 08, 2005

Commentary on new international passenger info transfer rule

As of this week, the US Government requires all airlines, cruise ship companies and others to provide the Department of Homeland Security with detailed passenger information in standard, electronic format. The Practical Nomad notes this new development and offers a strong opinion on the new regulations. While the government may have an interest in obtaining this information, the author is more than a little upset that passengers are required to hand it over to the carriers (which are often unregulated in what they do with the info), who then pass it to the government:

The Practical Nomad blog: USA requires passenger details from international airlines:

"... But that's not what the rule requires: the rule gives travellers no option to provide the required information directly to the CBP. Instead, the rule requires airlines to provide passengers' personal information to the CBP, effecting requiring travellers -- if the airlines are to be able to comply, without which airlines' passengers won't be allowed to travel -- to turn over their information to the airlines as well as the government.

Both the final rule and the PIA entirely ignore the implications of requiring passengers to provide detailed personal information to, at a minimum, airlines (and, in most cases, other companies such as Computerized Reservation Systems (CRS's) and travel agencies), under government order, without imposing any restrictions whatsoever on the ability or authority of the recipient airlines and other companies to use, rent, or sell the information that passengers will be forced to give them, without any requirement for notice or consent. This government-compelled transfer of rights in personal data to unregulated private entities is the real violation of privacy rights in the new rule...."

Are Private E-Mails Really Private?

Law.Com's Legal Technology department has an interesting article on the use of e-mails of former employees in connection with litigation. The article is entirely New York-centric. That being said, it is an interesting read though your mileage may vary when you cross the border: Legal Technology - Are Private E-Mails Really Private?.

Dilbert on checking references

Privacy laws and a fear of other forms of liability have caused many companies to stop giving references about former employees. Some HR folks have their own way around that ....

The legal way around all this is for the hiring company to get a written consent that not only allows it to check references but also stands as written authority for anybody with relevant information to disclose it to the company. Or you can just talk about the weather ...

Friday, October 07, 2005

Good, Bad in Canadian Privacy Law

Today's Direct Marketing News carries an op/ed piece by Robert Gellman, a Washington-based privacy consultant. He reviews three recent decisions of the BC, Alberta and Federal Privacy Commissioners. I can't say that I disagree with much of what he says, particularly his comments on the Federal Commissioner's finding related to envelope stuffers. See the article here: | News | Article.

Access to medical records

A short while ago, I was interviewed for an article in Legion Magazine, a Canadian publication for veterans and active armed forces personnel, about access to medical records. If you're interested, you can read it online here: Legion Magazine: Access to medical records.

ChoicePoint Struggles to Strike Balance

The pendulum has swung the other way and some customers of ChoicePoint are a little upset at how vigilant the company is being about how it screens its customers. Even law enforcement agencies are being subjected to random audits and on-site inspections: RedNova News - Technology - ChoicePoint Struggles to Strike Balance.

Elections Chief would consider disclosing voters list under right circumstances

I must have missed this one last week ...

The Chief Electoral Officer of Canada apparently thinks that he'd break the law that prevents disclosing the national list of electors, if the circumstances were right. He wants the law amended so that he could provide the list to organizations like CSIS in certain circumstances: - National/World - Chief would mull sharing voters list

"Canada's chief electoral officer says he'd consider illegally sharing the confidential federal voters list in the interest of public safety.

Jean-Pierre Kingsley says the law should be changed to allow him to release the list under certain conditions, such as inquiries from Canada's spy agency.

CSIS could use the voter database as it tries to protect citizens, Kingsley said yesterday.

"Of course I can understand why that may raise some alarms. But I also understand that CSIS is a legal entity in this country," he said. "And if they're the ones asking me for something, and I find it reasonable, I'll go along with it -- if the statute is changed.

"Right now if anybody comes to see me and asks me for information -- where I could save lives potentially -- I can't give it. I'd have to break the law. It might even be possible that I would break the law if those were the circumstances."

In a report to Parliament, Kingsley also says he should have new powers to review financial reports from parties."

Put your faith in the bank?

The editorial writers at the San Francisco Chronicle aren't too thrilled with the recent US District Court ruling that has gutted the protections in California's financial privacy law (background: The Canadian Privacy Law Blog: US Federal Court Preempts Landmark California Privacy Law):

Put your faith in the bank?:

"...State Sen. Jackie Speier, D-Hillsborough, was ahead of the curve in pushing legislation that would restrict the ability of banks, insurance companies and brokerages to share and sell their customers' personal information without permission. Speier's SB1 was signed into law by then-Gov. Gray Davis in August 2003.

The financial-services industry has since rolled out the heavy legal artillery to try to undercut SB1's privacy protections. The industry gained a significant victory this week when U.S. District Judge Morrison England ruled that federal law prevents states from restricting the flow of information among their affiliates. The federal Fair Credit Reporting Act allows affiliated companies to share information about customers' "credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living."

Considering that many big-name institutions count their affiliates in the thousands -- in myriad lines of business -- the ruling means that Californians' personal information will be spread far and wide for marketing and other purposes.

"We're fighting the Bush administration on federal pre-emption all the time," said Attorney General Bill Lockyer, whose office put up the defense for SB1. "They are consistently on the side of banks and financial institutions on all of these consumer protection lawsuits."

The judge did preserve one key provision of SB1 -- a ban on the sale of customer information to third parties without permission.

This decision once again turns the focus on Congress to provide all Americans with more meaningful privacy protections. This nation needs to require encryption and other security precautions on financial data, require the notification of customers when breaches occur -- and adopt what California lawmakers thought would become a national model of customer control over how their personal information is distributed."

Incident: Bank of America notifying customers after laptop theft

A laptop containing sensitive customer informaiton has been stolen from a "service provider" to the Bank of America:

Bank of America notifying customers after laptop theft | InfoWorld | News | 2005-10-07 | By Robert McMillan, IDG News Service:

"... In a letters sent to Buxx users and dated Sept. 23, the Charlotte, North Carolina, bank warned that customers may have had their bank account numbers, routing transit numbers, names and credit card numbers compromised by the theft. Visa Buxx is a prepaid credit card for teenagers that the Bank of America (BofA) stopped selling in January.

The laptop, which belonged to an unnamed Bank of America 'service provider' was stolen on Aug. 29, said Diane Wagner, a BofA spokeswoman. The bank was notified of the theft on Sept. 9, and began sending out the letters after a two-week investigation, she said...."