Monday, July 31, 2006

Canadian Commissioner issues fact sheet on metadata

The Privacy Commissioner of Canada has recently posted a "fact sheet" on the risks of metadata and the information it can reveal: Fact Sheet: The Risks of Metadata (July 2006). Thanks to Michel Adrien's Library Boy for the link.

Friday, July 28, 2006

Alberta commissioner launches investigation into stolen laptop

From the Office of the Information and Privacy Commissioner of Alberta:


News Release: Commissioner launches investigation into stolen laptop

Alberta’s Information and Privacy Commissioner has initiated an investigation into a stolen laptop computer which contains financial and other personal information about possibly 8,000 clients of MD Management, a subsidiary of the Canadian Medical Association.

Click to view more information News Release: Commissioner launches investigation into stolen laptop.

CIPPIC complains about SWIFT disclosure

The Canadian Internet Policy and Public Interest Clinic has filed a complaint with the Privacy Commissioner against the Big Six Canadian banks over the disclosure of information by the international, inter-bank clearinghouse SWIFT. (Via Michael Geist.)

According to previous reports, the Commissioner is already on the case (Canadian Privacy Law Blog: Canadian Commissioner investigates whether Canadian banking records were reviewed by the CIA).

Thursday, July 27, 2006

Alberta Commissioner releases summaries of cases with educational value

The Information and Privacy Commissioner of Alberta has published a sample of cases on its website that are considered to have educational or instructive value. They can be found here. All orders are still on the website here, but summaries provide a good snapshot of some of the Commissioner's "greatest hits".

Tuesday, July 25, 2006

US judge dismisses phone records lawsuit

According to Yahoo! News, the lawsuit against AT&T related to the disclosure of phone records to federal authorities has been thrown out for national security reasons.

Judge dismisses phone records lawsuit - Yahoo! News

CHICAGO - Citing national security, a federal judge Tuesday threw out a lawsuit aimed at blocking AT&T Inc. from giving telephone records to the government for use in the war on terror.

"The court is persuaded that requiring AT&T to confirm or deny whether it has disclosed large quantities of telephone records to the federal government could give adversaries of this country valuable insight into the government's intelligence activities," U.S. District Judge Matthew F. Kennelly said....

Might also give citizens insight into the government's activities....

Monday, July 24, 2006

Canadian passport office to match pics against photo watchlists

I reported a little while ago that the Canadian Passport Office was about to roll out biometrics in passports (Canadian Privacy Law Blog: Canada prepares to roll out biometric passports). Now, the Globe & Mail is reporting that phase II is on the horizon: facial recognition. The Canadian government will compare all passport photos to known terrorists (and criminals, deadbeat dads or just shifty looking people). See: Passport database to use facial imaging.

Australian Privacy Foundation calls for inquiry into US SWIFT monitoring

According to Open and Shut, the Australian Privacy Foundation is pressing that country's Privacy Commissioner to investigate US review of SWIFT interbank transfer information, as the Canadian Commissioner is currently doing. See: Open and Shut: Australian Privacy Foundation calls for inquiry into US SWIFT monitoring.

Sunday, July 23, 2006

RFID privacy in Canada

Saturday's Globe & Mail had an interesting article on RFID, which is now online in the Globe's technology section: Who's watching the watchers? I find these articles to be interesting, but they often overstate the threat that RFID poses in Canada. Most of the concern is that item-level tagging of purchased items will lead to the ability to track individuals once they have left the store. While this might theoretically be possible, the advent of a new technology does not mean that Canadian laws go out the window.

Every retail operation in Canada is governed by privacy laws, either PIPEDA or a substantially similar equivalent. Among other things, these laws require that the collection of personal information be reasonable and that personal information only be collected with the knowledge and the consent of the individual. I have no doubt that the unique identifier in a purchased item's RFID tag, when attached to any other information about an individual, is personal information for the purposes of these statutes. Therefore, in Canada:

  1. Any retail operation using RFID in Canada has to inform customers;
  2. Any retail operation that matches an RFID serial number to any personal information has to get the consent of the consumer; and
  3. You cannot require a consumer to consent to a collection, use or disclosure of personal information that is unreasonable or is for a purpose not identified to the individual.

Essentially, this means that retailers cannot covertly use RFID to track consumers in this country. The situation is entirely different in the US where no general privacy law covers the retail sector.

If you want any more information on RFID and Canadian privacy law, check out this great report by Teresa Scassa, Michael Deturbide, Theodore Chiasson and Anne Uteck of Dalhousie's Law and Technology Institute: An Analysis of Legal and Technological Privacy Implications of Radio Frequency Identification Technologies. This report was funded by the Privacy Commissioner's contributions programme.


In a letter to the editor in today's Globe & Mail (July 25, 2006), Ann Cavoukian responds to the article from Saturday's paper: RFIDs track products:

"RFIDs track products

ANN CAVOUKIAN Information and Privacy Commissioner of Ontario

Toronto -- The article Who's Watching The Watchers? (July 22) suggests that Katherine Albrecht was invited 'back' to brief my office on Radio Frequency Identifiers (RFIDs). I would like to make this perfectly clear -- she was never there, nor was she ever invited. Meanwhile, the article's characterization of RFIDs as spy chips is misleading.

Let's have a reality check. Currently in Canada, RFID tags are used in the supply-chain process for inventory control (tracking products, not people), which involves no privacy issues. But in future, if and when RFIDs are embedded into consumer products and linked to personal identifiers, we must remain vigilant to ensure that they are deployed in a manner that does not threaten privacy.

I have been studying RFIDs since 2003 and recently issued RFID privacy guidelines to address the future prospect of item-level, potentially privacy-invasive, RFIDs. I am a fierce protector of privacy but also believe in describing issues fairly and evenly. What we need is public education about this technology rather than fear mongering.

Misrepresenting RFIDs only serves to keep the public in the dark."

Thursday, July 20, 2006

Emily of the State

Cynically Tested has posted a brief video on YouTube featuring Emily of the State, an interesting bit of "lawful access" spyware for your computer: YouTube - Emily of the State - Internet Spying Short

Via Connie Crosby and Michael Geist.

Wednesday, July 19, 2006

Commissioner releases batch of new findings

The flow of findings posted on the website of the Office of the Privacy Commissioner has slowed to a trickle this year, but the floodgates opened long enough to release seven new findings today. I'll comment on them in greater detail before too long, but here are their titles and links:

Commissioner's Findings - Privacy Commissioner of Canada

In a conversation with the Assistant Commissioner, I've been told that there is no shortage of complaints but only a shortage of complaints that raise novel issues. Astute observers will note that most of these findings deal with novel issues, particularly situations of marital breakdown.

Sponges are RFID worthy

Most of what you hear about RFID these days has people donning tinfoil hats. Many feel that privacy should not be the price to pay for personalization or supply chain management. But how about saving your life? Researchers at Stanford University have finished a pilot project in which surgical sponges were tagged using RFID to prevent the unfortunate "sewed up with a sponge inside" syndrome. If I've learned anything from Gray's Anatomy, it's that this can have nasty side effects. With tagged sponges, a quick scan with a reader will let surgeons know whether a sponge is somewhere it shouldn't be before suturing. Naturally, they're looking at tagging all sorts of surgical implements in addition to sponges. See: RFID to prevent loss of surgical sponges inside patients - Engadget.

North Carolina county to scan irises looking for sex offenders

According to Newsweek, Mecklenburg County in North Carolina is one of the first counties to adopt a new technology/database combination to keep closer tabs on sex offenders. Each sex offender in the county will be scanned and the local cops will be given scanning PDAs to check all suspects against the database. The database is owned by the private company that sells the scanners and privacy advocates are not pleased with the adoption of the technology. See: Iris Scans: Keeping an Eye on Sex Offenders - Newsweek Periscope. Via Fark ((2179727) Rosco P. Coltrane to scan the irises of everybody pulled over in Mecklenburg County, North Carolina), where one commentator writes:

Think about it more like this:

1) Only speeders get scanned

2) Not all sex offenders speed

3) Therefore more scanning is needed.

Next logical step? Scanners on every door, window, and slushie machine.

OPC issues PIPEDA Review Discussion Document

The Personal Information Protection and Electronic Documents Act provides for a review of the Act every five years by a committee of the House of Commons. Since it came into force in 2001, many have been waiting for 2006 to resolve a number of outstanding questions. While preliminary consultations have been going on by Industry Canada in anticipation of the review, there hasn't been any indication of when the public review would begin.

The Privacy Commissioner of Canada has kicked off the public discussion with the release of a PIPEDA Review Discussion Document, which covers a number of areas where defects and ambiguities have been identified. The document doesn't offer recommendations, but raises questions to be considered by the committee in the following areas:

  • Commissioner’s Powers
  • Consent
  • Disclosure of Personal Information before Transfer of Businesses
  • Work Product
  • Duty to Notify
  • Transborder Flows of Personal Information
  • Sharing Information with Other Data Protection Authorities

The document is relatively brief and does a good job of discussing most of the issues that I expect will be considered by the committee whenever it gets going.

Tuesday, July 18, 2006

Not even the royal laptop is safe

Apparently a laptop containing Her Majesty's secrets has been stolen from an aide in Buckingham Palace. See: Contractor UK: Contractor steals laptop of royal secrets. I imagine it would be very difficult to steal the identity of Queen Elizabeth, but I suppose stranger things have happened.

Via Pogo Was Right.

Little brother may be watching in Hong Kong

According to the New York Times, the government of Hong Kong has recruited thousands of boy scouts to monitor internet discussion groups to rat out copyright violators. See: Dare Violate a Copyright in Hong Kong? A Boy Scout May Be Watching Online - New York Times. While there, will they also help little old ladies cross the information highway?

US Gov't requires internal notification of breaches within one hour

In another indication that the US Government is taking personal information protection much more seriously since the VA breach, the Office of Management and Budget has advised all government CIOs that all breaches of personal information, known or suspected, must be reported to US-CERT within one hour of discovery.

Memorandum for Chief Information Officers

As you know, the reporting procedures require agencies to report according to various timeframes based on type of incident. This memorandum revises those reporting procedures to now require agencies to report all incidents involving personally identifiable information to US-CERT within one hour of discovering the incident. You should report all incidents involving personally identifiable information in electronic or physical form and should not distinguish between suspected and confirmed breaches. US-CERT will forward all agency reports to the appropriate Identity Theft Task Force point-of-contact also within one hour of notification by an agency.

Via Pogo Was Right.

Monday, July 17, 2006

Judicial review puts Privacy Commissioner's cross-border powers under the microscope

It appears from an article in today's Toronto Star (Privacy chief eyes U.S. border) that Philippa Lawson of the University of Ottawa is taking the Privacy Commissioner to task and to court for not going after a US-based data broker. In June 2004, Lawson and the Canadian Internet Policy and Public Interest Clinic complained to the Privacy Commissioner of Canada against Abika. The complaint alleged that Abika violated Canadian privacy laws by compiling information about Lawson without her consent and in violation of the Accuracy principle of PIPEDA.

The Assistant Commissioner concluded that because the company had no presence in Canada, she could not investigate and therefore could not issue any finding on the matter. PIPEDA, the Assistant Commissioner concluded, did not give her jurisdiction to investigate a company outside of Canada. Lawson has sought judicial review of the decision not to investigate.

From the Star's article:

The commissioner's decision "ultimately narrowed the scope of privacy protection for all Canadians," Lawson's court documents state.

"... in the absence of any legislative restrictions on her investigative powers and despite Parliament's intent to give the Commissioner broad investigative powers and this Court's findings that the Commissioner's powers be given a liberal interpretation, the commissioner chose to set artificial limits on her ability to investigate the complaint," the documents state.

In a response filed late last month, privacy commissioner Jennifer Stoddart asks that the application be dismissed.

Her court documents state that she "correctly determined that PIPEDA was not intended, either expressly or implicitly, to have extra-territorial reach."


Court documents filed by Lawson say "this case is about the scope of Canadians' legal privacy protection when a commercial organization with a foreign business address reaches into Canada to collect personal information about Canadians and discloses that information to other Canadians."

For the background to this complaint, see PIPEDA and Canadian Privacy Law: CIPPIC complaint raises a number of novel and interesting issues, PIPEDA and Canadian Privacy Law: Jurisdictional limitations on Canadian privacy law and The Canadian Privacy Law Blog: CIPPIC v Part deux.

Can you record telephone calls without consent?

During the last week, the Supreme Court of California overturned a lower court and held that it is unlawful to record phone conversations of Californians, even if one party to the call is in a jurisdiction that permits such recording. (See: State Supreme Court Says Out-of-State Firms Can't Secretly Record Californians' Calls - Los Angeles Times.)

I often get e-mail from readers of this blog and the most common question is whether you can record phone calls (to which you are a party) without the other party's knowledge or consent. The answer to this question is a bit complicated, particularly because of rulings like that of the California Supreme Court.

What follows is a general discussion of the laws in Canada that need to be consulted to determine if recording is lawful. Circumstances vary widely and this is not a full review of all the laws that may be relevant, so this should not be considered to be legal advice. I also note this is not about recording for law enforcement purposes, where different rules will apply.

For calls originating and terminating in Canada, the first place to look (but not the last!) is the Criminal Code of Canada. Part VI of the Code is entitled "Invasion of Privacy" and addresses the issue of the interception of private communications. In short, it makes it illegal to intercept a private communication unless authorized by the Code (e.g. with a warrant or as part of maintaining the communications system) or unless the consent of one of the parties is obtained. The same holds true for radio-based communications, under both the Code and the Radiocommunication Act, which also prohibits divulging a radio-based communication without the consent of a party to that communication.

For private actors (as opposed to agents of the state), we have to also look at general privacy legislation, including the Personal Information Protection and Electronic Documents Act (Canada) aka PIPEDA, the Personal Information Protection Act (Alberta), the Personal Information Protection Act (British Columbia) and an Act Respecting the Protection of Personal Information in the Private Sector (Quebec). None of these statutes apply to purely personal endeavours. For example, PIPEDA says:

[3](2) This Part does not apply to ...
(b) any individual in respect of personal information that the individual collects, uses or discloses for personal or domestic purposes and does not collect, use or disclose for any other purpose; or

(c) any organization in respect of personal information that the organization collects, uses or discloses for journalistic, artistic or literary purposes and does not collect, use or disclose for any other purpose.

Alberta's PIPA similarly reads:

[3](3) This Act does not apply to the following:
(a) the collection, use or disclosure of personal information if the collection, use or disclosure, as the case may be, is for personal or domestic purposes of the individual and for no other purpose;

(b) the collection, use or disclosure of personal information if the collection, use or disclosure, as the case may be, is for artistic or literary purposes and for no other purpose;

However, if the recording is for commercial purposes, such as the recording of customer service calls, the knowledge and consent of the individual is required. (Some consent exceptions may apply, but should not be relied upon unless you have specific legal advice.)

But that's not the end of the inquiry. Before you hit "record", you also have to consider whether the recording may be an invasion of privacy under the common law or those statutes which have created an express tort of invasion of privacy. For example, Newfoundland's Privacy Act creates a private right of action for an unreasonable invasion of privacy, but specifically excludes listening to or recording a conversation by a lawful party to a phone conversation. (Though the recording is not an invasion of privacy per se, the specific use of that call might be an invasion of privacy.)

So what is the conclusion? A lawful party to a call that starts and ends in Canada can record that call if they are doing so for a personal or journalistic reason and not a commercial purpose. If recording is to be carried out in connection with a commercial activity, check out "Focus on Privacy - Call Monitoring".

Sunday, July 16, 2006

AT&T settles privacy lawsuit

In conclusion to a petition brought by the Electronic Privacy Information Center about the improper use of customer information for marketing purposes, the FCC has settled with AT&T to the tune of $500,000:

Electronic Privacy Information Center

AT&T Fined $550,000 for Privacy Failures

In a settlement (pdf) reached with the Federal Communications Commission, AT&T agreed to pay $550,000 in a case concerning consumer privacy. According to the settlement, AT&T may have improperly used customer data for marketing purposes. AT&T also agreed to improve procedures for opt-out notification. This investigation was prompted by an EPIC petition submitted to the FCC in August 2005. For more information, see FCC Commissioner Adelstein's statement (pdf) on the settlement and EPIC's Phone Records page. (Jul.11)

Via beSpacific.

Saturday, July 15, 2006

Edmontonian writes about his data breach experience

In today's Edmonton Sun, Timothy le Riche writes about his recent experience of having his information compromised when an investment advisor lost his laptop:

Identity indemnity

It's been a tough day at work, traffic was crazy getting home, and there you find a letter waiting that warns: "An incident has occurred which may have compromised the security of a file containing some of your personal information."

Great. Just what you need.

The letter that arrived at my house recently was from one of my investment dealers. A laptop computer was stolen, and, unfortunately, it contained client details such as my name, age, month of birth, address, home and office phone and fax numbers, e-mail addresses and some asset information.

They note that the information did not include my day of birth, social insurance number (S.I.N.) nor any banking details.

Even if this thief is able to hack through the password protection to get at the data, I don't think he'll be too impressed with my account. What I'm more concerned about is, of course, identity theft. So that's what I set out to deal with.

Now I'm not too pleased with this investment dealer in that a sensitive laptop could go missing, but I'll give them good marks for how they moved on it. They began by establishing exactly what information was on the computer and then took a series of actions.

First, they sent out a letter to affected investors like me, beginning with apology. Apologies don't solve much but at least offer an appropriate demeanour.


Then, they notified the police - and the letter I received includes the police file number. I can refer to this number in any dispute over future fraudulent charges against me, the letter explains.

My account with the dealer has been flagged. I am assured that extra measures will be applied to ensure validity of any requests on my account.

The dealer notified TransUnion of Canada Inc., one of two main credit reporting agencies, where a fraud warning was placed on my file. This one is important. In addition, the letter suggests that I contact Equifax, the other big credit agency, and flag my name there.

With my name flagged, those agencies will contact me first before issuing any credit under any application with my name on it.

My dealer has also notified the Alberta Privacy Commissioner, and pledges a security review with outside consultation. Finally, they offer phone numbers of top staff - including the chief privacy officer - whom I immediately called the next morning. Again, kudos to them. I was called back quickly. The privacy officer offered some more details and urged me to contact Equifax.


I also called the police. Unfortunately, no single officer is assigned to the report number - it's a generic file. I am directed to the police website for information on identity theft:

Equifax, it turns out, is one of those organizations that doesn't like to talk to people; they would rather have you press a series of phone buttons to deliver information.

I keyed in my S.I.N. and other details, as requested, and then I was informed my account is flagged. A computer voice said they will send me a copy of my credit report.

It is recommended that you check your credit report at least once a year.

Even though my investment dealer had no credit card information, I decided to call MasterCard for more information on identity theft and fraud.

It turns out they provide a free legal advice service to card holders. Top marks to MasterCard as well.

It seems I've tagged all the bases.

Now all I can do is wait.

And brace myself for that credit report - and whatever bad news it might reveal.

Alberta legislature to begin PIPA review for the fall

The Legislature of Alberta is about to begin consultations on the Personal Information Protection Act, which is the province's general private sector and employee privacy law.

Committee seeks public input on review of Personal Information Protection Act (PIPA):

Edmonton- An Alberta Legislative Assembly all-party committee is currently reviewing the Personal Information Protection Act. Following an initial orientation meeting held June 28, the committee will meet again in the Fall to begin a comprehensive review of the Act.

"We want to consult with as many people as we can who are governed by this legislation" said Mrs. Cindy Ady, MLA, Calgary-Shaw and Chair of the Select Special Personal Information Protection Act Review Committee. "We want to ensure that there is an appropriate balance of the right of an individual to have personal information protected and the organization's need to collect, use and disclose personal information."

Ady explained that the committee will actively consult with Albertans throughout the review and encourages those with an interest to download the discussion guide from the website at

"Public input and consultation is important for this review," said Ady. "We are advertising to the public the ways in which they can become involved and will make all relevant documentation available on a committee website."

- 30 -

For further information, contact:

Mrs. Cindy Ady, MLA, Calgary-Shaw
Chair, Select Special Personal Information Act Review Committee
Legislature Office
#131 Legislature Building,
10800 - 97 Avenue
Edmonton, AB T5K 2B6
Phone: (780) 427-1234
Fax: (780) 415-9472

For general information about the Committee:

Karen Sawchuk
Legislative Assembly of Alberta
Committee Clerk, Select Special Personal Information Act Review Committee
Phone: (780) 427-1350

Hilarious animated editorial cartoon about NSA surveillance

This hilarious animated editorial cartoon by Newsday's Walt Handelsman is a must see: Walt Handelsman: N.S.A. Wiretapping. Thanks to Daniel Solove at Concurring Opinions for the great link.

Nova Scotia passes USA Patriot Act blocking statute

In one of the shortest sittings that I can recall, the Legislature of Nova Scotia has passed the Personal Information International Disclosure Protection Act, also known as Bill 19.

Nova Scotia Legislature - House Business - Status of Bills

Bill No. 19 An Act to Protect the Personal Information of Nova Scotians from Disclosure Outside Canada

Hon. Murray K. Scott Minister of Justice

First Reading June 30, 2006

Second Reading (Second Reading Debates) July 6, 2006

Law Amendments Committee July 10, 2006; July 11, 2006

Committee of the Whole House July 13, 2006

Third Reading July 14, 2006

Royal Assent July 14, 2006

I do not believe it has been proclaimed into force, so stay tuned for that part. (See update below.)

The Personal Information International Disclosure Protection Act is a response to the USA Patriot Act, specifically designed to prevent the export of personal information in the custody or control of public bodies in Nova Scotia to any other country. Though the prohibition is generic, it is clearly meant to prevent personal information from being the subject of a demand under the USA Patriot Act. It is also subject to the individual's consent, meaning that the prohibition does not apply if the individual data subject has identified the information and has specifically consented to the export of his or her information.

The Act is binding on all public bodies, their employees and specifically their service providers.

The Act requires that all public bodies ensure that all personal information in their custody or control is kept in Canada and is accessed only in Canada, unless the head of that public body has determined that storage or access outside of Canada is necessary for the public body's operations. If the head so determines, he or she has to notify the Minister of Justice for the province within ninety days of the end of the year.

The Act also contains a requirement that the Minister of Justice be notified forthwith of any "foreign demand for disclosure" or of any request that may be such a demand. The notice has to include the following:

as known or suspected,
(a) the nature of the foreign demand for disclosure;

(b) who made the foreign demand for disclosure;

(c) when the foreign demand for disclosure was received; and

(d) what information was sought by or disclosed in response to the foreign demand for disclosure.

It is an offence to disclose any personal information except in compliance with the Act and it contains specific penalties for public bodies, employees and service providers. Public sector employees may be subject to a fine of up to $2000 and imprisonment for six months. Corporate service providers may be subject to a fine of up to $500,000.

Interestingly, the Act grandfathers in contracts already entered into with service providers, but public bodies are expected to use all reasonable efforts to come into compliance with the new disclosure rules as soon as reasonably possible.

Nova Scotia is now the third Canadian province to enact such legislation, after British Columbia and Alberta.

Probably the most unmanageable portion of the Act deals with temporary exports. These are permitted (for example, in an employee's blackberry or on their laptop), but only with the permission of the head of the public body. This will be very difficult to administer because virtually every public sector employee's cell phone, laptop or briefcase contains information that is considered to be "personal information" under the statute. Every public sector employee who goes to a conference with her laptop will need the permission of the minister or university president or crown corporation president. However, given the rash of laptop thefts as of late, it may be a good thing to make public bodies think much more carefully about how information is carried around.

Interestingly, the Act is not an amendment to the Freedom of Information and Protection of Privacy Act which generally governs the collection, use and disclosure of personal information by public bodies. It is a stand-alone statute, unlike the way this was done in Alberta and BC.

For some background, see:

Update (20060717): The Bill has received Royal Assent, but it has not yet been proclaimed into force. (I've added the bold bit in the table above.)

Friday, July 14, 2006

Incident: Privacy breach hits +200K online game players

From GameSpot (via the always interesting Video Game Law Blog):

Japanese MMOG suffers privacy leak - News at GameSpot

Game Garden warns that e-mail addresses and game logs of hundreds of thousands of Xenepic Online players may have been compromised.

By Walt Wyman, GameSpot

Posted Jun 28, 2006 11:41 am PT

Game Garden, an online game developer and provider, announced today that personal user information from Xenepic Online, a free massively multiplayer online role-playing game for PCs, was inadvertently compromised. Game Garden manages the server on behalf of NHN Japan Corporation, the game's provider.

The information was mistakenly stored on an open download server, potentially allowing anyone to access it using certain exploits. Data for 297,805 users was put at risk, including their game-server usernames and passwords, e-mail addresses, and game log files, which contain information on items purchased and chat history.

However, it seems that no payment information, such as credit card information, was among the compromised data. In a press release, Game Garden apologized to Xenepic users for the security failure and pledged to "further consolidate internal management to prevent similar incidents in the future."

Privacy Commissioner's Audit of Canada Border Services Agency finds privacy protections lacking

The Office of the Privacy Commissioner of Canada has just recently released the result of its audit of the Canada Border Services Agency, focusing particularly on the sharing of information between the CBSA and other countries. The Commissioner's office found that the CBSA hasn't been following the required procedures when it comes to information sharing with the United States, as much information is provided verbally without any record being made of the information provided and to whom. Here is the executive summary from the Audit:

Audit of the Personal Information Management Practices of the Canada Border Services Agency (June 2006) Privacy Commissioner of Canada

Section I - Main Messages

1.1 We found that the Canada Border Services Agency (CBSA) has systems and procedures in place for managing and sharing personal information with other countries. However, significant opportunities exist to better manage privacy risks and achieve greater accountability, transparency and control over the trans-border flow of data. Trans-border data flows refer to personal information that is collected or disclosed across international borders.

1.2 Written requests for assistance from foreign governments are processed in accordance with requirements. However, many of the information exchanges between the CBSA and the United States at the regional level are verbal, and are not based on written requests. These exchanges are not recorded consistently and do not follow the approval process as established under CBSA policy. Furthermore, they are not compliant with the terms of the Canada-United States Customs Mutual Assistance Agreement of June 1984.

1.3 The CBSA needs a coordinated method of identifying and tracking all flows of its trans-border data. The Agency cannot, with a reasonable degree of certainty, report either on the extent to which it shares personal information with the United States, or how much and how often it shares this information. By extension, it cannot be certain that all information sharing activities are appropriately managed and comply with section 107 of the Customs Act and section 8 of the Privacy Act.

1.4 Generally, the controls surrounding the Passenger Information System (PAXIS) and the Integrated Customs Enforcement System (ICES) are sound. These two key systems contain sensitive personal information about millions of travellers. Notably, foreign jurisdictions do not have direct access to these systems, and electronic disclosures to the United States under the Shared Lookout and High-Risk Traveller Identification initiatives are transmitted over secure channels. However, there are opportunities to strengthen controls to further reduce the risk that personal information could be improperly used or disclosed. These opportunities include:

  • completing the introduction of a new security management framework as initiated by the CBSA;
  • updating and clarifying roles and responsibilities for IT functions;
  • ensuring system access rights are kept up-to-date;
  • implementing audit control capability for lookout data printouts; and
  • introducing a mechanism for Canada and the United States to assure each other that the system controls and protection of shared personal information are adequate.

1.5 The CBSA needs to explore ways to improve the quality and control of data it acquires under the Advance Passenger Information/Personal Name Record (API/PNR) initiative to ensure that personal information is as accurate and complete as possible.

1.6 The CBSA has not yet evaluated the effectiveness of the High-Risk Traveller Identification (HRTI) Initiative with the United States because the project has yet to be fully implemented. In particular, it should assess the extent to which inaccurate or incomplete data may affect enforcement objectives and individual travellers. Until the CBSA has evaluated the initiative, the Agency will not be able to demonstrate that it has achieved its objective and, accordingly, that the collection and use of vast amounts of personal information about millions of travellers is justified.

1.7 The CBSA is a new entity. Therefore, the time is opportune for the Agency to articulate and implement a comprehensive privacy management framework. In particular, the CBSA should work toward updating and strengthening its agreements with the United States covering the sharing of personal information. The Agency should also consolidate its reporting of privacy incidents and look for ways of improving the monitoring of personal information disclosures.

1.8 Finally, the activities associated with sharing data across borders should be made more transparent. A clear and complete picture of these activities is not readily available to show what information is shared with whom, and for what purpose. As is true for other departments, the CBSA’s trans-border data flows are not accounted for in meaningful detail. More transparency is needed to better inform Parliament and the Canadian public about activities in this area.

1.9 Addressing such matters is in the public interest. We believe that strong privacy management and accountability are essential for dealing with the public’s concerns about the flow of personal information from Canada to other countries.

Wednesday, July 12, 2006

University security breaches may be affecting donor trust

It may be trite to say that a privacy/security breach may affect your relationship with your customers, but that sentiment is not only found in the retail and financial sectors. Universities have to be careful about the fallout of these incidents. Perhaps more so, since universities are so often the subject of these breaches.

According to the Associated Press (via Pogo Was Right), Ohio University has seen a drop in the number of donations made to the university in the wake of a number of security breaches. The fundraising office says it is too early to tell if the breaches are the real cause of the decline in donations, but the university has heard from former donors who are unhappy and prefer not to donate again. See: AP Wire 07/12/2006 OU reports drop in donations in wake of data thefts.

Tuesday, July 11, 2006

Business Week columnist calls for personal information protection at US universities

It's not often that a columnist in Business Week says "there oughta be a law!" But that's what Scott Olson says after being notified by his alma mater that his personal information was among 197,000 records of fellow UTexas alums that were compromised by a computer hacker.

It's Time to Protect Students' Data - Business Week Online via Yahoo! News

... It got me thinking: Colleges and universities should be held to the same government compliance standards as companies that operate in health care or financial services.

After all, a third of all data leaks are at universities, according to CNET Networks. That's not surprising, as universities walk a fine line between ensuring that users, many of whom are using personal laptops and other devices, have continuous access to network resources, while keeping those same resources safe from infections and unauthorized access. All too often, security gets shoved to the back burner in favor of keeping networks open and users productive. Cybercrooks, recognizing a good thing when they see it, are making hay while the sun shines....

Ramasastry on outsourcing, identity theft and fraud

I have linked before to Anita Ramasastry's columns on FindLaw, which are always interesting. But if you have any involvement in advising companies about outsourcing, this one is a very interesting read.

FindLaw's Writ - Ramasastry: Risky Business? How Multinationals' Outsourcing Involving Customer Data Can Lead to Identity Theft and Other Fraud

As I have detailed in several columns for this site, many security breaches and data thefts have recently occurred at companies and government agencies within the United States. In this column, I'll turn to another related, and also worrisome data security problem: Thefts of personal data that occur overseas or "offshore," as major American corporations outsource their data processing and customer service operations to other countries to cut costs.

I'll inquire whether U.S. customers have any legal recourse if they are victims of identity theft resulting from these security breaches. In addition, I'll argue that Congress should take a hard look at this problem - but I'll also suggest that, in the end, self-regulation by the multinationals that are outsourcing the data may be the best solution.

Nova Scotia USA Patriot Act response is back on!

After a brief recess for an election, the Nova Scotia House of Assembly is back with a new session but a boatload of bills that fell off the order paper. Among them is (newly renumbered) Bill 19, the Personal Information International Disclosure Protection Act, which I blogged about earlier.

The Bill was reintroduced on June 30 and received second reading on July 6, 2006. It is now headed to committee for consideration, with what appears to be the approval of all three parties.

Here is the Minister of Justice making the motion for second reading and the response from the opposition parties:

Hansard - July 6, 2006, p. 314

MR. SPEAKER: The honourable Minister of Justice.

HON. MURRAY SCOTT: Mr. Speaker, this legislation will strengthen protections against the disclosure of Nova Scotians' personal information, under the U.S. Patriot Act. The new Personal Information International Disclosure Protection Act outlines a series of requirements and penalties that protect personal information from inappropriate disclosure. We know that the U.S. security legislation has caused concerns about the American Government's ability to access personal information of Nova Scotians, held outside of Canada. This legislation clearly outlines responsibilities of public bodies, municipalities and technology service providers and the consequences if these responsibilities are not fulfilled.

Under the bill, the Minister of Justice must be notified if there is a foreign demand for disclosure of any personal information of Nova Scotians. The bill also requires that service providers storing information only collect and use personal information for the purposes of their work, for a public body or a municipality. In order for these measures to be successful, staff must be sure they will be protected if they come forward to report wrongdoing, under this bill. To that end, the bill will also provide whistle-blower protection for employees of external service providers to ensure they are protected if they report an offence under the bill. Whistle-blower protection for Nova Scotia Government staff already exists under the Civil Service Act.

Mr. Speaker, penalties under the Act include a fine of up to $2,000, or six months of imprisonment for malicious disclosure by employees of public bodies and municipalities. The Act also creates offences for service providers with penalties of up to $2,000 for employees and $500,000 for companies. Under this bill, these penalties will become part of any new contract. At the same time, we are working to strengthen our existing contracts with current service providers.

Mr. Speaker, this is a serious issue and this bill will help ensure that the privacy of Nova Scotians' information continues to be protected. With those few comments, I move second reading of Bill No. 19. Thank you.

MR. SPEAKER: The honourable member for Cole Harbour-Eastern Passage.

MR. KEVIN DEVEAUX: Mr. Speaker, Bill No. 19 is a bill that the NDP has been pressuring the government to pass for, I guess, two years. This is a bill that two years ago when the NDP discovered, I think it happened in British Columbia originally where the Privacy Commissioner - where they actually have a Privacy Commissioner, I may note, for the record - noticed that under the Patriot Act in the United States, an American investigating body, FBI, CIA, National Security Agency, what have you, under the Patriot Act, if there are records held

[Page 315]

by an American corporation or its subsidiary, in another country, that those organizations can go in and access those records; it may even be without a subpoena, but there's probably very little judicial review, but under the Patriot Act they have access to that information.

So, for example, in Nova Scotia, if our government contracts out the maintenance of the data for people who are on social assistance, or motor vehicle records, that information is handed over to an American corporation to manage that data, that maybe even a subsidiary of that company in this province or in Canada, the American authorities would have access to that. That is a concern, one that British Columbia addressed a while back and it's one that I know that this province, for two years we've asked this government to do this, it's one that we have introduced legislation on and it's one that we're now glad to see the government also understands, finally, that what the NDP was asking for is something we need to do.

It is abhorrent that even for two years we allowed this province to farm out information that could easily be accessed under the Patriot Act. Now even more, we've heard recently how the American authorities have been poring over telephone records, have been monitoring telephone calls. In this age in which - if you want to call it Neo-McCarthyism, in many ways - it's very important that we have an opportunity to ensure that the information in the private information and data of Nova Scotians is protected.

Now, someone raised this with me when the bill was first introduced back in the Spring, before the election, Mr. Speaker. At that time, we had an opportunity - it was asked, well, what's a $2,000 fine going to do? They're probably right. To be frank, the fines in this legislation are not punitive, are not a form that is going to look at these findings and say to themselves wow, do we pay a $2,000 fine and give them information to the FBI or do we say under this act we can't?

The real punitive measure in this is that the contract can be cancelled immediately if there's a violation, that is important. I suspect if we're talking about a long-term contract of maintaining data, I would suggest to you that it would result in that company having to think long and hard about having that contract ripped up and voided. That's the kind of punitive measure we can put in. I would also suggest to the government, for the record, that if they want to avoid this from happening it can easily be done by ensuring that the maintenance of that information remains in house within the government and isn't contracted out. When you contract it out then the opportunity arises.

Mr. Speaker, these are things that can be done, I'm glad to see this legislation coming forward, I'm glad to see the Tory government finally agreeing with us. I will note for the record that the minister's comments that there is a whistle-blower protection in the Civil Service Act is not correct. I would suggest to you that the regulations that were passed about a year ago, a year and a half ago in regard to whistle-blower, do not provide any protection for civil servants. Frankly, they only require them to basically have to report their problems higher up and God knows what will happen after that happens. I would suggest to you that this legislation is the

[Page 316]

first step, it's a good step, the NDP has asked for this for two years, we're glad to see this legislation coming forward, we're glad to see it go to the Law Amendments Committee and we're hopeful we can get it passed in this session. Thank you.

MR. SPEAKER: The honourable member for Cape Breton South.

MR. MANNING MACDONALD: Mr. Speaker, on behalf of our Leader and our Justice Critic, I stand in my place this evening and say that we too will be supporting Bill No. 19 as it moves through the House. I want to commend the minister for bringing this bill forward this evening. I believe that it's an important protection for Nova Scotians and I think all Parties in this House realize that this is a bill, as the NDP House Leader states, that may be able to be improved on over time. Certainly it's a first step to have it here and hopefully it will meet with a smooth passage throughout the Law Amendments Committee and on to third reading. Thank you.

MR. SPEAKER: If I recognize the honourable minister it will be to close the debate.

The honourable Minister of Justice.

HON. MURRAY SCOTT: Mr. Speaker, I'd like to thank the Leader of the Opposition and also the House Leader for the Liberal Party for their support of this government bill. We can stand in the House and we can all take credit for good things that have happened here. This is an initiative of government and over the next coming weeks there's going to be a pattern formed here that this government is intent on increasing the penalties and supporting the laws in this province, bringing new legislation such as this, that will make our province as safe as we possibly can, and that's what Nova Scotians want.

Mr. Speaker, this is a good bill that goes a long way to doing that and with that I move to close debate on second reading of Bill No. 19.

MR. SPEAKER: The motion is for second reading of Bill No. 19. Would all those in favour of the motion please say Aye. Contrary minded, Nay.

The motion is carried.

Ordered that this bill be referred to the Committee on Law Amendments.

(See: Nova Scotia introduces amendments to thwart USA Patriot Act, Bill 16: The Personal Information International Disclosure Protection Act (Nova Scotia), Nova Scotia's Personal Information International Disclosure Protection Act to die on the order paper.)

IPC responds to David Canton's column about receipts

The Information and Privacy Commissioner of Ontario has written to David Canton at eLegal Canton in response to (and support of) his recent column on the practice of printing full credit and debit card numbers on point of sale receipts. Check out his blog for his summary and the text of the letter: eLegal Canton: Privacy commissioner responds to debit/credit card article.

Radio interview on workplace privacy

I blogged yesterday about a new report related to workplace privacy (Canadian Privacy Law Blog: Employers spying on Canadian workers, study suggests). For those who may be interested, I'm doing a series of radio interviews today for the CBC morning programs in Corner Brook, Charlottetown, Ottawa, Gander, Moncton, St. John's, Ontario AM, Regina, Edmonton, Calgary and Victoria. If you aren't there, you can listen online.

High school students call cell phone search policy an invasion of privacy

Some students in Framingham, Mass. are upset with a new policy at Framingham High School that purports to give administrators the power to confiscate cell phones and scroll through their contents when a student is suspected of having drugs or stolen property. The school says it is legal but some students are calling it an invasion of privacy because mere suspicion can't justify the intrusive search. See: Local / Regional News: Students cry foul over cell phone policy: Teens say officials are 'overreacting' and violating their privacy. Via Slashdot, where you'll find a lively discussion on the subject.

Monday, July 10, 2006

Employers spying on Canadian workers, study suggests

According to the CBC, a researcher from Ryerson University will be releasing a study today on surveillance in the workplace. When I get a copy of the report, I'll post a link if I can. In the meantime, here's what the CBC has to say:

CBC News: Employers spying on Canadian workers, study suggests:

Last Updated Mon, 10 Jul 2006 09:32:45 EDT

CBC News

Canadian employers in a wide range of industries conduct surveillance of employees at work, suggests a report to be released on Monday.

Produced by Toronto's Ryerson University, the study called 'Under the Radar' asked Canadian businesses about surveillance of their employees.

Employers view closed-circuit television cameras, listen to recorded phone calls, monitor e-mails and scan magnetic information from security passes, said lead author Avner Levin.

Levin, a law professor at the university, said he isn't surprised at the methods, but was taken aback by employers' attitudes toward employee privacy.

'Nobody said this is a problem, or even something they have to deal with in a proactive way. It's just simply under the radar,' said Levin.

Human resources executives responsible for workplace privacy often have little knowledge of the potential intrusiveness of technologies at work in their own companies, he said.

They rarely know what information is being collected by colleagues running company computer systems, he said.

'The executives that are responsible for privacy in the workplace are not fully aware of the extent of ... the surveillance activity that is conducted,' he said.

Managers often work without guidelines about how to respond if surveillance reveals an employee behaving suspiciously, said Levin.

E-mails monitored: U.K., U.S. study

The Ryerson study follows a large workplace survey in the United States and Britain, which suggested 40 per cent of employers regularly read employees' e-mails.

University of Ottawa privacy expert Michael Geist says Canadian firms are likely close behind.

"I don’t have any doubt that we're going to find more and more companies doing it," he said. "To move directly to full-on monitoring of e-mail use is as invasive as it comes."

The founder of Ottawa e-mail security firm Roaring Penguin warns companies must carefully consider their policies on e-mail.

"If you just put the technology in place and add a whole bunch of rules without thinking about what you're trying to do, you're probably blocking a lot of mail that shouldn't be blocked, letting stuff out that should be blocked and most importantly, irritating employees," said David Skoll.

Spell out policies: privacy laws

Canada has two federal privacy laws: the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA).

The Privacy Act limits the personal information federal government departments and agencies can collect from Canadians.

Employees in federally regulated industries and the private sector are protected by PIPEDA, which says employers must let employees know what personal information is being collected and for what purpose. Employees must be able to see that information.

"At a minimum, employers should tell their employees what personal information will be collected, used, and disclosed," says the website of Canada's Privacy Commissioner.

"They should inform employees of their policies on web, e-mail, and telephone use, for example. If employees are subject to random or continuous surveillance, they need to be told so."

I have to correct one statement that appears in the article: "Employees in federally regulated industries and the private sector are protected by PIPEDA". PIPEDA only applies to employees of federal works, undertakings and businesses. It does not (NOT!) apply to private sector employees nationally. Employees in the rest of the private sector only have statutory privacy protections if they are in Quebec, British Columbia and Alberta, since PIPEDA does not apply outside of federally regulated workplaces and those provinces have set up provincial privacy laws.

Calgary sportplex security cameras tape men and boys changing in locker room

According to the Calgary Herald, a Nova Scotia man has initiated a complaint about the Talisman Centre's use of video cameras in the change rooms of this Calgary sportplex. For the last eight years, the Centre has been using video cameras as a deterrent to theft but Jim Power is concerned it is an unprecedented invasion of privacy to be taping men and boys changing in the locker room. From the article:

Security cameras watch as men, boys change at Calgary sportsplex

... Power learned in April while doing research for a yet-to-be-published book titled You Are Being Watched that for nearly a decade the city's popular, family-oriented fitness centre has had closed-circuit television cameras in its men's change rooms. There are no cameras in the toilets or urinals.

The cameras were installed in 1997 after a rash of thefts and have remained, despite evolution in the province's privacy laws.

Power launched a letter-writing campaign to Alberta government officials and plans to do a Michael Moore-esque literary documentary of Calgarians' reaction to the issue. He wants city residents who learned after the fact that their children were videotaped to write to him.

"I don't care if it's the police, a priest or the prime minister I don't want to be taped and I don't want my children taped," said the 49-year-old father of four.

"Calgarians can make up their own minds. But in Nova Scotia, I have yet to meet one person who didn't cringe when I told them."

The Centre has countered that the cameras have worked to virtually eliminate theft and that the images from the cameras are secure and not viewed unless there is an incident and a police officer is present to assist. Images are destroyed after 21 days.

NYT profiles an ID thief

Last week, the NYT ran an in-depth profile of an identity thief. There's nothing earth shattering, but it is an interesting read nevertheless: Identity Thief Finds Easy Money Hard to Resist - New York Times.

Sunday, July 09, 2006

Information privacy in the United States: A History

Daniel J. Solove of George Washington University, one of the premier American scholars on privacy, has written the first chapter of Proskauer on Privacy and has made it available through SSRN. The 48-page PDF is a fantastic primer on privacy throughout US history:

SSRN-A Brief History of Information Privacy Law by Daniel Solove:

Solove, Daniel J., 'A Brief History of Information Privacy Law'. Book chapter in Proskauer on Privacy (2006) Available at SSRN:

Abstract: This book chapter provides a brief history of information privacy law in the United States from colonial times to the present. It discusses the development of the common law torts, Fourth Amendment law, the constitutional right to information privacy, numerous federal statutes pertaining to privacy, electronic surveillance laws, and more. It explores how the law has emerged and changed in response to new technologies that have increased the collection, dissemination, and use of personal information.

Common questions following laptop breaches

The Associated Press' technology writer asks and tries to answer a number of questions that arise in the fallout of all the recent privacy breaches stemming from lost/stolen laptops:

  1. Why is sensitive personal data on the laptop in the first place?
  2. Why aren't sensitive identifiers (like social security numbers) masked or otherwise obscured?
  3. Why isn't it encrypted?

It's an interesting article with a bit more insight into some of the more recent breaches: Questions linger over secrets on laptops - Yahoo! News.

Saturday, July 08, 2006

Supreme Court of Canada sides with solicitor client privilege in freedom of information case

In a freedom of information decision released yesterday, the Supreme Court of Canada came down strongly (and unanimously) in support of solicitor client privilege as an almost absolute bar to disclosure under Ontario's freedom of information law:

Goodis v. Ontario (Ministry of Correctional Services), 2006 SCC 31 (CanLII)

Rothstein J. (McLachlin C.J. and Bastarache, Binnie, LeBel, Deschamps, Fish, Abella and Charron JJ. concurring)

Access to information — Access to records — Exemption — Solicitor‑client privilege — Access to records for determination of whether they should be disclosed under Freedom of Information and Protection of Privacy Act — Whether records may be disclosed to requester’s counsel notwithstanding claim of solicitor‑client privilege — Whether Divisional Court bound by Act’s provisions prohibiting Commissioner from disclosing any records until final decision made — Freedom of Information and Protection of Privacy Act, R.S.O. 1990, c. F.31, s. 19.

A judge of the Divisional Court, who was reviewing a decision of the Ontario Information and Privacy Commissioner, granted the requester’s counsel access to records notwithstanding a claim of solicitor‑client privilege by the Ministry of Correctional Services. The judge treated the motion for access as one by the requester’s counsel, and not as one by the requester, in order to enable counsel to argue whether those records should be disclosed under the Freedom of Information and Protection of Privacy Act. The order for disclosure was made subject to a confidentiality undertaking. Panels of the Divisional Court and of the Ontario Court of Appeal upheld that decision and found that the judge had discretion to order disclosure.

Held: The appeal should be allowed.

Records subject to a claim of solicitor‑client privilege may be ordered disclosed only where absolutely necessary — a test just short of absolute prohibition. A different test is not justified for access to information cases. Here, the evidence revealed no such absolute necessity, and any records claimed to be subject to solicitor‑client privilege should not be disclosed. It is difficult to envisage circumstances where this test could be met if the sole purpose of disclosure is to facilitate argument by requester’s counsel on the question of whether privilege is properly claimed. While the principle of hearing from both sides of an issue is to be departed from only in exceptional cases, judges are well acquainted with privilege and well equipped to determine if a record is subject to it. [20‑25]

The procedural provisions of the Freedom of Information and Protection of Privacy Act apply to the Commissioner, not the courts which are bound rather by the legislation governing their procedures on judicial review. Since the provisions of the Act prohibiting the Commissioner from disclosing any records until a final decision is made are procedural, the matter of disclosure is accordingly left to the court’s discretion, subject to statutory or common law rules. Where no common law rule prescribes the manner in which to deal with records, the court must adopt a procedure which will protect the confidentiality of records until a substantive decision is made. [30‑32]

In this case, the judge of the Divisional Court considered the appropriateness of the confidentiality undertaking and that the integrity of counsel providing the undertaking had not been attacked. His approach was correct to the extent the records were not privileged and confidentiality had been claimed on some other basis. However, in the case of documents subject to solicitor‑client privilege, this approach was inappropriate unless the “absolute necessity” test was met. [33]

Friday, July 07, 2006

What to do when faced with a privacy breach

Dr. Ann Cavoukian, Ontario's Information and Privacy Commissioner, has just released a new paper, What to do When Faced With a Privacy Breach: Guidelines for the Health Sector, to provide guidance to health information custodians under the Personal Health Information Protection Act when they are faced with a privacy breach, including what happens when the IPC investigates a privacy breach. Good reading ...

NJ Librarian ensnared in privacy conflict

Michael Zimmer is writing about a recent story out of New Jersey. A librarian who stood up for privacy rights, her library's privacy policy and the ALA's code of ethics has come under fire for "showing blatant disregard" for the police by asking for a subpoena before handing over a borrower's records. Interesting reading: NJ Librarian ensnared in privacy conflict.

Thursday, July 06, 2006

South Carolina health agency now destroying computers on site after personal info found on surplus computer

Health and Human Services in South Carolina has changed its policy for dealing with surplus computers after personal information, including social security and Medicaid numbers, was found on a computer sold as surplus last week. Now the agency will be destroying the equipment "on site" to prevent a recurrence. See: Columbia, SC: SC state agency halting surplus computer sales after information leak.

Fans targeted in personal information scam

Fans of the Red Hot Chili Peppers are apparently being targeted to provide personal information, including social security numbers, by scammers promising free concert tickets in exchange for filling in a specious survey: Net Music Countdown: Red Hot Chili Peppers Security Alert.

Tuesday, July 04, 2006

Data protection in Latin America

I just happened upon a very useful site for information and developments in privacy law in Latin America, Habeas Data, which includes "News about Data Protection, Computer Law & Habeas Data in Latin America". Unfortunately, it doesn't have an RSS feed but should be added to your bookmarks on foreign privacy law.

Victim impact statement on debit card fraud

A colleague in Alberta recently sent me a link to a recent case from Alberta, R. v. Singh, 2006 ABPC 156. It is a decision of the Alberta Provincial Court determining the appropriate sentencing for an individual who pleaded guilty to debit card fraud under section 342.1 of the Criminal Code of Canada. The decision is interesting in that it describes the crime in some detail, but the most interesting part is the victim impact statement submitted by the Interac Association:

“I, Fred Harris have been employed by INTERAC ASSOCIATION as Senior Vice President of Strategy and Business Development for over 15 years. In my capacity as Senior Vice President, I have knowledge of the fraud prevention mechanisms implemented by Interac Association’s member institutions to ensure the security of transactions on the Shared Cash Dispensing and Interac Direct Payment services (the “Interac Services” or the “Services”), and also of the specific matters addressed below.


The Interac Services account for millions of automated banking machine and payment transactions (known as “debit at the point of sale” or “POS” transactions) on a daily basis. These services enjoy a high degree of consumer confidence given the ease of use and the widespread acceptance of debit cards at locations ranging from retail outlets to federal and provincial government offices.

In 2004, there were 19.8 million users of Interac Direct Payment each month resulting in a total of 2.8 billion point of sale transactions. Those 2.8 billion transactions represent $124.4 billion dollars at 546,000 point of sale terminals. In 2004, cardholders withdrew cash from an automated banking machine that did not belong to their own financial institution over 294 million times utilizing one of the 46,178 ABMs available in the Canadian marketplace. In addition to the transactions processed through the Interac Services there are close to one billion proprietary transactions, such as bill payments and cash withdrawals, processed on Members' own proprietary banking machines every year. These services are among the most secure in the world. Interac Association and its Members take extreme care in identifying threats and vulnerabilities to ABM or Point of Sales locations. Establishing stringent device level security standards, and by employing security features that can include surveillance cameras, and automated fraud detection systems.

Banking machine and point of sale transactions require a two factor authentication system consisting of the electronic reading of valid magnetic stripe information from the back of a debit card plus the inputting of an associated Personal Identification Number (PIN). In recent years, criminals have developed diverse and increasingly ingenious means of obtaining the information on the magnetic stripe and PIN information from cardholders. This activity, often called “skimming” uses methods that range from low-tech ploys consisting of double swiping a cardholder’s card and then looking over the individual’s shoulder as the PIN is entered, to higher-tech methods that include hidden pinhole cameras and additional card readers installed on top of banking machine card readers or point of sale devices.

Once a skimming incident is identified, Interac Association and its Members take action to eliminate the source of skimming and manage the resulting exposure to cardholders and financial institutions. In order to protect cardholders, most exposed cards are proactively cancelled by the financial institution and the cardholder is notified that a replacement card is being required. Until the cardholder receives the replacement card they are unable to access their money using a banking machine or point of sale terminal. In other instances, thousands of cards are proactively blocked to stem losses, thereby increasing substantially the number of cardholders affected by a single skimming incident. Canadian financial institutions have been at the forefront of fraud prevention and detection and continue to develop improved procedures and use new technology as it becomes available.


The initial group affected by debit card fraud is [sic] cardholders. Money is taken directly from their chequing or savings accounts. In some cases cardholders are burdened in the short term by being unable to meet basic living requirements, for example they may be unable to make rent or mortgage payments. They may suffer immediate “on the spot” inconvenience and embarrassment, particularly given the widespread use and acceptance of debit cards, when their card cannot be used to pay for goods or other services. Cardholders must then take steps to lodge an inquiry with their financial institution, which leads to an investigation regarding the missing funds. Their financial institution will reimburse them if they are the victims of a proven fraud, but in the meantime they are inconvenienced.

In 2003 our Members collectively reimbursed $44 Million to approximately 28,000 cardholders who were victims of debit card fraud resulting from skimming. In 2004 this figure increased to $60 Million reimbursed to over 48,000 cardholders. The related costs are also significant. The time and effort to investigate each instance of fraud is a significant burden on the time and resources of law enforcement agencies, Interac Association, and the involved financial institutions, terminal deployers and merchants. Each incident typically requires a team of individuals from several different financial institutions and terminal deployers to retrieve and scrutinize various records and to liaise with the appropriate law enforcement agencies. This investigation often takes several weeks. In addition, financial institutions often proactively block and re-issue other debit cards used at this location during the skimming period in order to prevent further losses. This represents a further cost to the financial institution as well as an inconvenience to cardholders.

Interac Association and its Members, and the entire industry, also suffer. At a minimum, debit card fraud shakes customer confidence in the use of modern banking technology. This risk and potential harm increase exponentially when one considers that criminals often share the success of their schemes on readily accessible internet bulletin boards.”

Monday, July 03, 2006

US Government sets new standards on security for personal information

According to the Washington Post (OMB Sets Guidelines for Federal Employee Laptop Security), the White House Office of Management and Budget has sent a memorandum to all heads of civilian agencies setting additional requirements for the safeguarding of personally identifiable information. The memo requires, among other things, that government departments:

1. Encrypt all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive, in writing, by your Deputy Secretary or an individual he/she may designate in writing;

2. Allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access;

3. Use a “time-out” function for remote access and mobile devices requiring user re-authentication after 30 minutes inactivity; and

4. Log all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data has been erased within 90 days or its use is still required.

Geist on Sympatico privacy policy flap

Michael Geist's weekly Toronto Star column focuses on internet privacy and the Sympatico privacy policy fuss: Bell clause creates problems for privacy.

Nova Scotia considers electronic reporting of second-hand goods sales

The province of Nova Scotia has posted a discussion paper on the Department of Justice website soliciting comments on the electronic monitoring of pawnshops and second hand goods dealers. They seem to be considering following the Saskatchewan model, which requires photo ID from sellers and depositors. The info on the items and the particulars from the ID are sent to a company that operates a police-accessible database.

The discussion paper only mentions privacy in one throw-away line.

Possible Concerns or Drawbacks:

The Committee recognizes that the transition from the present no reporting of pawn transactions to mandatory reporting using an automated system is a big step. Customer concerns will include privacy issues and the fee on the service. Pawn shops will have concerns about the expense and time involved; also that it may discourage business or cause customer complaints. Some businesses may not voluntarily comply which will mean new enforcement responsibilities for the police. Licensing will also be an additional administrative responsibility and cost.

Similar rules are in place elsewhere, and I've commented a bit here:

Sunday, July 02, 2006

Incident: Laptops stolen from American Red Cross office in Texas

According to the Dallas Morning News, three laptops were stolen from a locked closet in a Texas office of the American Red Cross. The laptops contained years of data on all donors from that particular region, but all the data was encrypted. Because it was encrypted, it should probably be classified as a "non-incident" or "incident averted".

See: Dallas Morning News | Donor data stolen at local Red Cross.