Thursday, May 31, 2007

Federal Commissioner releases annual PIPEDA report

Hot on the heels of the Ontario report yesterday, the Federal Privacy Commissioner has released her annual report on PIPEDA. It really should be a must read for anyone interested in PIPEDA, as it discusses many of the notable cases of the last year and some of the issues in the Office of the Privacy Commissioner of Canada. For example, the average resolution time from initial complaint to final finding has moved to sixteen months, five more months than in 2005.

Here's the media release with links to the report.

News Release: Privacy Commissioner calls for stronger data protection: Tabling of Privacy Commissioner of Canada's 2006 Annual Report on the Personal Information Protection and Electronic Documents Act (May 31, 2007)

Ottawa, May 31, 2007 — There has never been a greater need to take data protection seriously as new data breaches reinforce concerns about both security issues and trans-border data flows, according to the Privacy Commissioner of Canada, Jennifer Stoddart. Her 2006 Annual Report on the Personal Information Protection and Electronic Documents Act (PIPEDA) was tabled today in Parliament.

High-profile data breaches among a few well-known banking and retail organizations during 2006 reinforce the very serious nature of privacy breaches and the need to better protect personal information held by private sector companies.

Despite these cases, complaints against some of the major sectors covered by PIPEDA since 2001 (financial institutions, insurance companies and the transportation sector) have declined slightly. This is in contrast, however, to those industries which have been subject to PIPEDA only since 2004, such as the retail and accommodation sectors. These sectors have been the subject of substantially more complaints than in previous years. Overall, there were 424 complaints in 2006, compared with 400 in 2005.

“We are pleased to see fewer complaints related to sectors more familiar with PIPEDA; I believe it stems from a stronger understanding of the Act. It would appear that compliance is improving with time and we look forward to seeing this trend continue,” says Commissioner Stoddart.

“Sectors with less experience with PIPEDA have more work to do. As they gain a better understanding of what the law requires, we expect to see a decrease in complaints involving them,” she says.

“Research we are releasing today shows a majority of businesses covered by the Act appreciate their role in protecting consumer information, although there are still too many firms that need to take their role more seriously.”

That research, a survey of Canadian businesses on a number of issues relating to privacy, was conducted by Ekos Research Associates earlier this year. The results raise important questions about whether some businesses are doing enough to fulfill their PIPEDA obligations.

The survey found:

  • While the majority of businesses that collect personal customer information have fully implemented PIPEDA provisions (67 per cent), there is a small but not insignificant number that are only in the process of implementing (16 per cent) and others that are not in the process of doing so (15 per cent).
  • Only a third of all businesses report having staff who have been trained about their responsibilities under Canada’s privacy laws.
  • Less than one in five has sought clarification of their role, although this is also much higher among larger businesses.

“Almost half of the businesses studied tend to rate their company’s awareness of its responsibilities under the privacy laws favourably. However, a similar number report either low or moderate awareness. PIPEDA and its provincial counterparts regulate commercial activity in Canada. All businesses that handle personal information need a good understanding of what the law requires,” says Commissioner Stoddart. “Businesses must realize the importance of living up to the law’s privacy protection principles and the consequences of failing to do so.

“I am particularly concerned to see that only a third of businesses have provided privacy training for staff. Good training is absolutely essential to prevent privacy breaches.”

Going forward, these companies will need to take steps to ensure greater compliance with the Act. Canadians expect private sector organizations to safeguard their personal information, particularly given the proliferation of identity theft.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

In the fall of 2007, the Office of the Privacy Commissioner will be hosting the who’s who of the privacy world at the 29th International Conference of Data Protection and Privacy Commissioners in Montreal. Details are available at

To view the reports:

Wednesday, May 30, 2007

Workplace privacy issues - Facebook and blogs

I'm currently in Toronto, co-chairing the Canadian Institute's conference on Privacy Compliance. I gave a presentation today on workplace privacy issues, which is available here. My co-presenters did a good job of canvassing many of the issues, so I got to have a bit of fun talking about the privacy aspects of reading employees' blogs and Facebook pages.

Ontario Commissioner releases annual report for '06

Yesterday, Anne Cavoukian released the 2006 annual report for the Office of the Information and Privacy Commissioner of Ontario. It's a pretty slick report and chock full of interesting info.

Incident: Patient information cards sold at auction in Saskatchewan

Another case of personal information being sold at auction, this time in hardcopy form:

Patient information cards sold at auction

REGINA -- The Saskatoon Health Region apologized Tuesday after more than 2,000 patient information cards that were supposed to be treated as "very confidential" were accidentally sold at an auction of health region surplus material rather than shredded.

The plastic cards are used to make imprints on documents for patient records. The cards contain names, dates of birth, addresses, religious affiliations, health card numbers and the names of the patient's doctor.

They were used between January and May of this year for day surgery patients and outpatients at City Hospital.....

Monday, May 28, 2007

FTC probes Google / Doubleclick merger

According to the New York Times, the US Federal Trade Commission has begun an inquiry into the planned acquisition of Doubleclick by Google: Google Deal Said to Bring U.S. Scrutiny - New York Times:

Privacy groups said it was significant that the F.T.C., the agency that monitors online privacy issues, would be conducting the review.

“We think it’s very important that the F.T.C. is taking a look at the Google-DoubleClick deal,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center, a privacy rights group.

In the days after the planned merger was announced, Mr. Rotenberg’s center and two other advocacy groups, the Center for Digital Democracy and the United States Public Interest Research Group, filed a request for the F.T.C. to investigate the privacy implications.

In the complaint, the groups noted that Google collects the search histories of its users, while DoubleClick tracks what Web sites people visit. The merger, according to their complaint, would “give one company access to more information about the Internet activities of consumers than any other company in the world.”

Google has built a lucrative business in selling small text ads that appear alongside its search results and on other Web sites. DoubleClick is the leader among companies that specialize in placing graphical and video ads online.

Jeff Chester, executive director of the Center for Digital Democracy, said that decisions made now about the structure of the online advertising industry could have lasting effects on data collection and personal privacy on the Internet, especially if control rests with a “few powerful gatekeepers” led by Google.

Still, privacy issues are not typically the concern of antitrust officials. In reviewing a proposed merger, legal experts say, regulators weigh the likely impact on competition and struggle with tricky technical matters like defining the relevant market to measure.

Privacy, dumpsters, drives and discs

If you're not reading David Canton's blog, you should. Particularly the latest of his Canoe/London Free Press columns: eLegal Canton: Privacy, dumpsters, drives and discs.

Reasonable expectation of privacy videos

The folks at the IDTrail have produced two interesting videos on the reasonable expectation of privacy that are worth checking out:

blog*on*nymity - blogging On the Identity Trail

The first film, "Tessling-Just the Facts", is a brief dramatization of the facts that gave rise to R. v. Tessling [2004], a criminal case which addressed the concept of the "reasonable expectation of privacy" with respect to forward-looking infrared (FLIR) technology.

Download Tessling-Just the Facts (Save As...) Format: .mov [QuickTime], Duration: 4 min 22 sec, Size: 9.53 MB.

The second film, "CFP-Interviews", is a documentary that provides the viewer with a taste of various public interest perspectives on how to conceive of "reasonable expectations of privacy". It features short interviews with the following experts in the field of privacy, civil rights and law, in order of appearance:

Starring (in order of appearance):

Download Public Interest Perspectives (Save As...) Format: .mov [QuickTime], Duration: 25 min 52 sec, Size: 54.8 MB.

Saturday, May 26, 2007

Google is watching you. No surprise, but privacy regulators are concerned.

From the Independent (UK):

Google is watching you - Independent Online Edition > Science & Technology

'Big Brother' row over plans for personal database

By Robert Verkaik, Law Editor

Published: 24 May 2007

Google, the world's biggest search engine, is setting out to create the most comprehensive database of personal information ever assembled, one with the ability to tell people how to run their lives.

In a mission statement that raises the spectre of an internet Big Brother to rival Orwellian visions of the state, Google has revealed details of how it intends to organise and control the world's information.

The company's chief executive, Eric Schmidt, said during a visit to Britain this week: "The goal is to enable Google users to be able to ask the question such as 'What shall I do tomorrow?' and 'What job shall I take?'."

Speaking at a conference organised by Google, he said : "We are very early in the total information we have within Google. The algorithms [software] will get better and we will get better at personalisation."

Google's declaration of intent was publicised at the same time it emerged that the company had also invested £2m in a human genetics firm called 23andMe. The combination of genetic and internet profiling could prove a powerful tool in the battle for the greater understanding of the behaviour of an online service user.


Privacy protection campaigners are concerned that the trend towards sophisticated internet tracking and the collating of a giant database represents a real threat, by stealth, to civil liberties.

That concern has been reinforced by Google's $3.1bn bid for DoubleClick, a company that helps build a detailed picture of someone's behaviour by combining its records of web searches with the information from DoubleClick's "cookies", the software it places on users' machines to track which sites they visit.

The Independent has now learnt that the body representing Europe's data protection watchdogs has written to Google requesting more information about its information retention policy.

The multibillion-pound search engine has already said it plans to impose a limit on the period it keeps personal information.

A spokesman for the Information Commissioner's Office, the UK agency responsible for monitoring data legislation, confirmed it had been part of the group of organisations, known as the Article 29 Working Group, which had written to Google.

It is understood the letter asked for more detail about Google's policy on the retention of data. Google says it will respond to the Article 29 request next month when it publishes a full response on its website.

The Information Commissioner's spokeswoman added: "I can't say what was in it, only that it was written in response to Google's announcement that it will hold information for no more than two years."


A spokeswoman for the Information Commissioner said that because of the voluntary nature of the information being targeted, the Information Commission had no plans to take any action against the databases.

Peter Fleischer, Google's global privacy counsel, said the company intended only doing what its customers wanted it to do. He said Mr Schmidt was talking about products such as iGoogle, where users volunteer to let Google use their web histories. "This is about personalised searches, where our goal is to use information to provide the best possible search for the user. If the user doesn't want information held by us, then that's fine. We are not trying to build a giant library of personalised information. All we are doing is trying to make the best computer guess of what it is you are searching for."

Privacy protection experts have argued that law enforcement agents - in certain circumstances - can compel search engines and internet service providers to surrender information. One said: "The danger here is that it doesn't matter what search engines say their policy is because it can be overridden by national laws."

Thursday, May 24, 2007

Why Your Company Needs a Chief Privacy Officer

From CSO Online:

Why Your Company Needs a Chief Privacy Officer - Security Feed - News - CSO Magazine

May 23, 2007

In this era of data breaches and identity theft, chief privacy officers working hand-in-hand with security groups play a crucial if little-known role in protecting identifiable personal information.

The position of privacy executive is a relatively new one, dating back less than ten years, says Chris Zoladz, vice president of information protection and privacy with Marriott International. He pegs this role at about the stage where the security profession was 10 to 15 years ago. Although many organizations might believe the privacy function is covered by security groups, Zoladz told security professionals at The International Information Systems Security Certification Consortium’s (ISC2) 2007 SecureAmericas conference, held near Washington, D.C. last week, why the privacy function is separate but complementary.

"There are a lot of similarities between the professions, [such as] the focus on business value," he told the audience. The CPO is more focused on what data in an organization needs to be protected, however, while the security department develops and manages the way to protect it. "The CPO defines the ’what,’ the CISO deals with the ’how,’" he said.


"Good privacy is good business. The stakes in this area are constantly getting higher and higher . . . now we’re reading about [data breaches] in major media outlets," he said. "That’s done a lot for consumer awareness . . . and has raised the consciousness and awareness of our managers. That’s a positive move forward."


Zoladz defined privacy professionals as custodians -- not owners -- of personal information and said they must ensure that data is used in a responsible manner. Offering an example of his company’s Web site, he said because Marriott collects personal information from guests as part of the hotel chain’s reservation process, marketing executives have proposed personalizing the information that appears on the site so it’s customized to each visitor’s preferences. He said he gets involved in these proposals to make sure guests’ information is used properly.


There’s something else CPOs and CISOs have in common: Their career paths usually aren’t well defined, he said -- "Which means there’s a lot of opportunity."

Zoladz is also treasurer of the International Association of Privacy Professionals (IAPP), which has launched the IAPP certification, a three-hour test that is to the privacy profession what the CISSP is to the security profession, he said.

-- By Cara Garretson, Network World (US)

Wednesday, May 23, 2007

Incident: Private medical records of Colorado residents exposed on Internet

From Minnesota Public Radio:

MPR: wavLength: Private medical records of Colorado residents exposed on Internet

Posted at 10:03 PM on May 22, 2007 by Jon Gordon

On Friday's Future Tense, you'll hear this story:

As medical records are created and transmitted electronically more and more, the chance of private information falling into the wrong hands is growing. Sometimes records are stolen by hackers, other times just improperly secured. Compromised records can lead to a range of problems, from loss of employment to identity theft to plain old embarrassment.

Future Tense has discovered that detailed, personally identifiable medical records of thousands of Colorado residents were viewable on a publicly accessible Internet site for an uncertain period of time through at least last Friday, May 18. The data included patient records from at least 10 Colorado clinics and hospitals, and one hospital in Peoria, Illinois. It's unclear how many people may have seen the records.

Experts say the case likely runs afoul of federal health information privacy laws, even though there is no evidence that the records were misused.

The unsecured computer, which was accessible through a Web browser, was operated by Beacon Medical Services of Aurora, Colorado, which provides billing, coding and other services to emergency physicians at 17 facilities.

Beacon CEO Dennis Beck says he was shocked to learn about the breach and that the company took immediate steps to correct it.

"We've implemented a culture of compliance and data security and it just did not seem consistent with our culture, our practice and our experience," he said.

The medical records resided on an FTP server. FTP stands for File Transfer Protocol. It's a means by which users send and receive computer files over the Internet or private networks. In Beacon's case - and this is typical of the industry - health care providers sent encrypted data to the server for Beacon to access so it could bill patients and insurance companies. The data was unencrypted on Beacon's end, and the FTP server was not supposed to be accessible to the public. But in this case it was. No username or password was required to view the records.

The data included details of patients' visits to emergency rooms -- what ailments they complained of, diagnoses and treatments, and medical histories, along with the patients' names, occupations, addresses, phone numbers, insurance providers, and in some cases, Social Security numbers. Some of the records detailed sensitive cases, from sexually transmitted diseases to severe depression. The site also contained financial information, such as a list of low-income patients who received state aid to help pay their medical bills.

Beacon has employed two firms to help investigate what led to the security hole.

"It appears to us now at this point as if there was some back door that was opened to this server," said Beck. "We don't know when, but we believe it may have been done when a consultant did some work for us several years ago."

The company is trying to determine the exact number of patients affected, but Beck says the number looks to be fewer than 5,000.

Future Tense discovered the Beacon site after a tip from a source who stumbled upon it. We followed up on the tip, staying just long enough to confirm the existence of the records and get an idea what kind of data they contained. We notified several health care providers whose patient data was exposed. Those providers informed Beacon, which promptly shut the server down when it learned of the problem.

Bill Byron is spokesman for Banner Health Corporation, the parent company of McKee Medical Center of Loveland, Colorado, one of the providers whose data was included on the FTP site. Byron said McKee physicians won't transmit any more records to Beacon until they're satisfied the security problem is fixed.

"We're trying to understand what our obligations are going to be, in terms of disclosing to patients that this has occurred, so that's still in process, to determine what we have to do," he said.

The Colorado medical records incident appears to be a serious violation of federal law governing medical record privacy, according to Janlori Goldman, director of the Health Privacy Project at Georgetown University.

"Large-scale breaches like this are not uncommon," she said. "They may not happen every day but they happen enough that you have to wonder, why aren't people taking greater care with this information?"

About a year ago, for example, a data security breach exposed medical information and Social Security numbers of some 26 million veterans after data was stolen from the home of an employee of the Department of Veterans Affairs.

Tomorrow on Future Tense, we'll explore the potential harm of compromised medical records, and look at the federal law designed to protect patients. One critic of current law says patients have very little recourse when their most sensitive medical records become public.

Here is a list of physician groups, clinics and hospitals which had data of various kinds on the exposed site:

-McKee Medical Center of Loveland, CO
-Big Thompson Emergency Physicians of Longmont, CO
-Presbyterian St. Luke's Hospital of Denver
-North Suburban Medical Center of Thornton, CO
-Carepoint Emergency Physicians of the greater Denver area
-Long's Peak Emergency Physicians
-Longmont United Hospital
-Boulder Community Hospital
-Emergency Medical Specialists PLC
-Memorial Hospital of Colorado Springs
-Proctor Hospital of Peoria, IL
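The failure mode in the Beacon story is concrete: an FTP server reachable from the Internet that granted access with no username or password. The quickest way to check your own hosts for that condition is to offer the conventional anonymous credentials and see whether the server answers 230. The probe below is an added example, not code from the original post, from MPR or from Beacon. It uses only Python's standard library; the FakeFtpServer in it is a constructed stand-in (it speaks just USER/PASS/QUIT on the control channel, no data channel) so the probe can be exercised offline against an "anonymous enabled" and an "anonymous disabled" configuration. Directory listing is deliberately left out, since a 230 is already the finding.

```python
"""Probe an FTP server for anonymous login (added example; FakeFtpServer is constructed)."""
import ftplib
import socketserver
import threading


def check_anonymous_ftp(host: str, port: int = 21, timeout: float = 5.0) -> dict:
    """Attempt the conventional anonymous login and report what the server did.

    ftplib.FTP.login() with no arguments sends USER anonymous / PASS anonymous@,
    i.e. the credential-free access the exposed records were open to. Never raises;
    unreachable hosts and refusals are reported in 'detail'.
    """
    result = {"host": host, "port": port, "reachable": False,
              "anonymous_login": False, "banner": "", "detail": ""}
    try:
        ftp = ftplib.FTP(timeout=timeout)
        result["banner"] = ftp.connect(host, port)   # 220 greeting
        result["reachable"] = True
        try:
            result["detail"] = ftp.login()           # 230 => anonymous access granted
            result["anonymous_login"] = True
        except ftplib.Error as exc:                  # 530 (or 4xx) => refused
            result["detail"] = str(exc)
        finally:
            try:
                ftp.quit()
            except (OSError, EOFError, ftplib.Error):
                ftp.close()
    except (OSError, EOFError, ftplib.Error) as exc:
        result["detail"] = str(exc)
    return result


class _FakeFtpHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in: minimal RFC 959 control dialogue, enough for ftplib.login()."""

    def handle(self):
        user = ""
        self.wfile.write(b"220 constructed test server ready\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd, _, arg = line.decode("latin-1").strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user = arg.lower()
                self.wfile.write(b"331 password required\r\n")
            elif cmd == "PASS":
                # The weak configuration accepts the anonymous/ftp account outright.
                granted = self.server.allow_anonymous and user in ("anonymous", "ftp")
                self.wfile.write(b"230 login ok\r\n" if granted
                                 else b"530 login incorrect\r\n")
            elif cmd == "QUIT":
                self.wfile.write(b"221 goodbye\r\n")
                return
            else:
                self.wfile.write(b"502 command not implemented\r\n")


class FakeFtpServer(socketserver.ThreadingTCPServer):
    """Binds 127.0.0.1 on a free port; allow_anonymous models the weak vs. fixed setting."""
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, allow_anonymous: bool):
        super().__init__(("127.0.0.1", 0), _FakeFtpHandler)
        self.allow_anonymous = allow_anonymous


def probe_both_configurations() -> dict:
    """Run the probe against an open and a locked-down server; return the verdicts."""
    verdicts = {}
    for label, allow in (("anonymous_enabled", True), ("anonymous_disabled", False)):
        server = FakeFtpServer(allow_anonymous=allow)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            host, port = server.server_address
            verdicts[label] = check_anonymous_ftp(host, port)["anonymous_login"]
        finally:
            server.shutdown()
            server.server_close()
    return verdicts


if __name__ == "__main__":
    for name, exposed in probe_both_configurations().items():
        print(f"{name}: {'EXPOSED - anonymous login accepted' if exposed else 'refused'}")
```

Point check_anonymous_ftp at a real host and port to use it as an inventory check; a True in anonymous_login on a server that holds anything sensitive is the Beacon condition. Note that even a correctly authenticated FTP session sends the password and the files in clear text on the wire, which is the other half of the "unencrypted on Beacon's end" problem and is not something this probe measures.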

Monday, May 21, 2007

Michael Geist: There Will Be No Privacy Reform. Get Over It

Michael Geist's take on the results of the PIPEDA review: There Will Be No Privacy Reform. Get Over It.

See also his Toronto Star column on the topic.

I think he's probably right.

Fact sheet on the Terrorist Identities Datamart Environment

Interested to know more about US terrorism watch lists and how they are managed? The National Counterterrorism Center has produced the following fact sheet:

Fact sheet on the Terrorist Identities Datamart Environment

The Terrorist Identities Datamart Environment (TIDE) is the US Government’s (USG) central repository of information on international terrorist identities. TIDE supports the USG’s various terrorist screening systems or “watchlists” and the US Intelligence Community’s overall counterterrorism mission. The Terrorist Identities Group (TIG), located in NCTC’s Information Sharing & Knowledge Development Directorate (ISKD), is responsible for building and maintaining TIDE.

The TIDE database includes, to the extent permitted by law, all information the U.S. government possesses related to the identities of individuals known or appropriately suspected to be or have been involved in activities constituting, in preparation for, in aid of, or related to terrorism, with the exception of purely domestic terrorism information.

Sunday, May 20, 2007

Incident: Alcatel-Lucent Trying to Find Lost Disk

A courier has apparently lost a disk containing personal information on up to 200,000 employees, including dates of birth and social security numbers. In the meantime, the company will not be using couriers to transport employee information. See: Alcatel-Lucent Trying to Find Lost Disk.

Tuesday, May 15, 2007

FRONTLINE: Spying on the home front

Update: The video of the full show is available online:

Check out tonight's Frontline on PBS:

FRONTLINE: coming soon: spying on the home front PBS

Spying on the Home Front coming May 15, 2007 at 9pm (check local listings)

(60 minutes) FRONTLINE addresses an issue of major consequence for all Americans: Is the Bush administration's domestic war on terrorism jeopardizing our civil liberties? Reporter Hedrick Smith presents new material on how the National Security Agency's domestic surveillance program works and examines clashing viewpoints on whether the president has violated the Foreign Intelligence Surveillance Act (FISA) and infringed on constitutional protections. In another dramatic story, the program shows how the FBI vacuumed up records on 250,000 ordinary Americans who chose Las Vegas as the destination for their Christmas-New Year's holiday, and the subsequent revelation that the FBI has misused National Security Letters to gather information. Probing such projects as Total Information Awareness, and its little known successors, Smith discloses that even former government intelligence officials now worry that the combination of new security threats, advances in communications technologies, and radical interpretations of presidential authority may be threatening the privacy of Americans. (read the press release)


"So many people in America think this does not affect them. They've been convinced that these programs are only targeted at suspected terrorists. ... I think that's wrong. ... Our programs are not perfect, and it is inevitable that totally innocent Americans are going to be affected by these programs," former CIA senior attorney Suzanne Spaulding tells FRONTLINE correspondent Hedrick Smith in Spying on the Home Front, airing Tuesday, May 15, 2007, at 9 P.M. ET on PBS (check local listings) and available for viewing after broadcast at

9/11 has indelibly altered America in ways that people are now starting to earnestly question: not only perpetual orange alerts, barricades and body frisks at the airport, but greater government scrutiny of people's records and electronic surveillance of their communications. The watershed, officials tell FRONTLINE, was the government's shift after 9/11 to a strategy of pre-emption at home--not just prosecuting terrorists for breaking the law, but trying to find and stop them before they strike.

President Bush described his anti-terrorist measures as narrow and targeted, but a FRONTLINE investigation has found that the National Security Agency (NSA) has engaged in wiretapping and sifting Internet communications of millions of Americans: The FBI conducted a data sweep on 250,000 Las Vegas vacationers, and along with more than 50 other agencies, they are mining commercial-sector data banks to an unprecedented degree, and they have even been assigning suspicion ratings to anyone who travels across a U.S. border.

Even government officials with experience since 9/11 are nagged by anxiety about the jeopardy that a war without end against unseen terrorists poses to our way of life, our personal freedoms. "I always said, when I was in my position running counterterrorism operations for the FBI, `How much security do you want, and how many rights do you want to give up?'" Larry Mefford, former assistant FBI director, tells correspondent Smith. "I can give you more security, but I've got to take away some rights. ... Personally, I want to live in a country where you have a common-sense, fair balance, because I'm worried about people that are untrained, unsupervised, doing things with good intentions but, at the end of the day, harm our liberties."

Although the president told the nation that his NSA eavesdropping program was limited to known Al Qaeda agents or supporters abroad making calls into the U.S., comments of other administration officials and intelligence veterans indicate that the NSA cast its net far more widely. AT&T technician Mark Klein inadvertently discovered that the whole flow of Internet traffic in several AT&T operations centers was being regularly diverted to the NSA, a charge indirectly substantiated by John Yoo, the Justice Department lawyer who wrote the official legal memos legitimizing the president's warrantless wiretapping program. Yoo told FRONTLINE: "The government needs to have access to international communications so that it can try to find communications that are coming into the country where Al Qaeda's trying to send messages to cell members in the country. In order to do that, it does have to have access to communication networks."

Spying on the Home Front also looks at a massive FBI data sweep in December 2003. On a tip that Al Qaeda "might have an interest in Las Vegas" around New Year's 2004, the FBI demanded records from all hotels, airlines, rental car agencies, casinos and other businesses on every person who visited Las Vegas in the run-up to the holiday. Stephen Sprouse and Kristin Douglas of Kansas City, Missouri, object to being caught in the FBI dragnet in Las Vegas just because they happened to get married there at the wrong moment. Says Douglas, "I'm sure that the government does a lot of things that I don't know about, and I've always been OK with that--until I found out that I was included."

A check of all 250,000 Las Vegas visitors against terrorist watch lists turned up no known terrorist suspects or associates of suspects. The FBI told FRONTLINE that the records had been kept for more than two years, but have now all been destroyed.

"To simply say, you know, `as a matter of national security we need to know the name of every single person checking into your hotel at any given moment,'" says Alan Feldman, vice president of MGM Mirage, "that seems extremely unusual and, I think, extremely troubling."

In the broad reach of NSA eavesdropping, the massive FBI data sweep in Las Vegas, access to records gathered by private database companies that allows government agencies to avoid the limitations provided by the Privacy Act, and nearly 200 other government data-mining programs identified by the Government Accounting Office, experienced national security officials and government attorneys see a troubling and potentially dangerous collision between the strategy of pre-emption and the Fourth Amendment's protections against unreasonable search and seizure.

Peter Swire, a law professor and former White House privacy adviser to President Clinton, tells FRONTLINE that since 9/11 the government has been moving away from the traditional legal standard of investigations based on individual suspicion to generalized suspicion. The new standard, Swire says, is: "Check everybody. Everybody is a suspect."

Spying on the Home Front is a FRONTLINE co-production with Hedrick Smith Productions, Inc. Hedrick Smith is correspondent and senior producer. The program is produced and directed by Rick Young. FRONTLINE is produced by WGBH Boston and is broadcast nationwide on PBS. Funding for FRONTLINE is provided through the support of PBS viewers. Additional funding for FRONTLINE is provided by The Park Foundation. Additional funding for Spying on the Home Front is provided by The JEHT Foundation. FRONTLINE is closed-captioned for deaf and hard-of-hearing viewers and described for people who are blind or visually impaired by the Media Access Group at WGBH. FRONTLINE is a registered trademark of WGBH Educational Foundation. The FRONTLINE executive producer for special projects is Michael Sullivan. The executive producer for FRONTLINE is David Fanning.

Social Security Cards to go biometric

One of two initiatives in Congress, which may never see the light of day, would replace the flimsy social security card with a biometric ID that employers would be required to verify before employing anybody.

National ID: Biometrics Pinned to Social Security Cards

The Social Security card faces its first major upgrade in 70 years under two immigration-reform proposals slated for debate this week that would add biometric information to the card and finally complete its slow metamorphosis into a national ID.

The leading immigration proposal with traction in Congress would force employers to accept only a very limited range of approved documents as proof of work eligibility, including a driver's license that meets new federal Real ID standards, a high-tech temporary work visa or a U.S. passport with an RFID chip. A fourth option is the notional tamper-proof biometric Social Security card, which would replace the text-only design that's been issued to Americans almost without change for more than 70 years.

A second proposal under consideration would add high-tech features to the Social Security card allowing employers to scan it with specially equipped laptop computers. Under that proposal, called the "Bonner Plan," the revamped Social Security card would be the only legal form of identification for employment purposes.

Neither bill specifies what the biometric would be, but it could range from a simple digital photo to a fingerprint or even an iris scan. The proposals would seem to require major changes to how Social Security cards are issued: Currently, new and replacement cards are sent in the mail. And parents typically apply for their children before they're old enough to give a decent fingerprint.

There are also logistical problems to overcome before forcing all of the nation's employers to verify a biometric card -- given the nation has millions of employers, many of whom may not have computer equipment at all....

Monday, May 14, 2007

Why does Google remember information about searches?

Straight from Google's official blog:

Official Google Blog: Why does Google remember information about searches? 5/11/2007 11:21:00 AM Posted by Peter Fleischer, Global Privacy Counsel

We recently announced a new policy to anonymize our server logs after 18–24 months. We’re the only leading search company to have taken this step publicly. We believe it’s an important part of our commitment to respect user privacy while balancing a number of important factors.

In developing this policy, we spoke with various privacy advocates, regulators and others about how long they think the period should be. There is a wide spectrum of views on this – some think data should be preserved for longer, others think it should be anonymized almost immediately. We spent a great deal of time sorting this out and thought we’d explain some of the things that prompted us to decide on 18-24 months.

Three factors were critical. One was maintaining our ability to continue to improve the quality of our search services. Another was to protect our systems and our users from fraud and abuse. The third was complying—and anticipating compliance—with possible data retention requirements. Here’s a bit more about each of these:

  • Improve our services: Search companies like Google are constantly trying to improve the quality of their search services. Analyzing logs data is an important tool to help our engineers refine search quality and build helpful new services. Take the example of Google Spell Checker. Google’s spell checking software automatically looks at your query and checks to see if you are using the most common version of a word’s spelling. If it calculates that you’re likely to generate more relevant search results with an alternative spelling, it will ask “Did you mean: (more common spelling)?” We can offer this service by looking at spelling corrections that people do or do not click on. Similarly, with logs, we can improve our search results: if we know that people are clicking on the #1 result we’re doing something right, and if they’re hitting next page or reformulating their query, we’re doing something wrong. The ability of a search company to continue to improve its services is essential, and represents a normal and expected use of such data.
  • Maintain security and prevent fraud and abuse: It is standard among Internet companies to retain server logs with IP addresses as one of an array of tools to protect the system from security attacks. For example, our computers can analyze logging patterns in order to identify, investigate and defend against malicious access and exploitation attempts. Data protection laws around the world require Internet companies to maintain adequate security measures to protect the personal data of their users. Immediate deletion of IP addresses from our logs would make our systems more vulnerable to security attacks, putting the personal data of our users at greater risk. Historical logs information can also be a useful tool to help us detect and prevent phishing, scripting attacks, and spam, including query click spam and ads click spam.
  • Comply with legal obligations to retain data: Search companies like Google are also subject to laws that sometimes conflict with data protection regulations, like data retention for law enforcement purposes. For example, Google may be subject to the EU Data Retention Directive, which was passed last year, in the wake of the Madrid and London terrorist bombings, to help law enforcement in the investigation and prosecution of “serious crime”. The Directive requires all EU Member States to pass data retention laws by 2009 with retention for periods between 6 and 24 months. Since these laws do not yet exist, and are only now being proposed and debated, it is too early to know the final retention time periods, the jurisdictional impact, and the scope of applicability. It's therefore too early to state whether such laws would apply to particular Google services, and if so, which ones. In the U.S., the Department of Justice and others have similarly called for 24-month data retention laws.
At the same time, regulators in other parts of governments have argued for shorter retention periods, reflecting the conflicts in every country between privacy and data protection objectives on the one hand, and law enforcement objectives on the other. Companies like Google are trying to be responsible corporate citizens, and sometimes we are told to do different things by different government entities, or to follow conflicting legal obligations. It's hard enough to get different government entities to talk to each other inside one country. When you multiply this by all the countries where Google must comply with the laws, the potential conflicts are enormous. Nonetheless, Google is committed to providing its users around the world with one consistent high level of data protection.

It’s also worth reiterating that we do not ask our users for their names, addresses, or phone numbers to use most of our services. For those who want to see what their logs history looks like, we offer transparent access via a Google Account to their own personal Web History.

Finally, we maintain rigorous internal controls of our logs database. We look forward to an ongoing discussion with privacy stakeholders around the world as we pursue a common goal of improving privacy protections for everyone on the Internet.
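The post above describes a retention window after which server logs are anonymized, but not what "anonymize" does to a log line. The following is an added example, not Google's code and not a description of how Google actually implements its policy. It assumes a constructed tab-separated log format (timestamp, client IP, cookie identifier, query), a fixed clock so the output is deterministic, and an assumed truncation policy of /24 for IPv4 and /48 for IPv6; the salt, the field names and the sample lines are all constructed for the example.

```python
"""Retention-window log anonymizer (added example; not Google's code)."""
import hashlib
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample log lines in an assumed tab-separated shape:
# timestamp<TAB>client_ip<TAB>cookie_id<TAB>query
SAMPLE_LOG = """\
2005-05-01T10:00:00Z\t203.0.113.45\tPREF=abc123\tq=privacy+law
2007-04-30T09:15:00Z\t2001:db8:85a3::8a2e:370:7334\tPREF=def456\tq=pipeda+review
2007-05-10T12:00:00Z\t198.51.100.7\tPREF=ghi789\tq=no+fly+list
"""

# Lower bound of the 18-24 month window discussed in the post (assumed as 18 x 30 days).
RETENTION = timedelta(days=18 * 30)
# Fixed "now" so the example behaves the same every run (constructed value).
NOW = datetime(2007, 5, 11, tzinfo=timezone.utc)


def truncate_ip(ip_text):
    """Zero the host part of the address: /24 for IPv4, /48 for IPv6.

    The prefix lengths are an assumed policy; the network part is kept so that
    coarse abuse patterns (a noisy /24, for instance) remain visible.
    """
    addr = ipaddress.ip_address(ip_text)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def drop_identifier(cookie_id, salt):
    """Replace the cookie with a keyed one-way digest.

    Sessions still correlate with each other for fraud/abuse analysis, but the
    value no longer joins back to the original cookie unless the salt is kept.
    """
    digest = hashlib.sha256(salt + cookie_id.encode()).hexdigest()
    return "anon:" + digest[:16]


def anonymize_line(line, now=NOW, retention=RETENTION, salt=b"constructed-salt"):
    """Return the line unchanged if it is inside the retention window,
    otherwise with the IP truncated and the cookie replaced."""
    ts_text, ip, cookie, rest = line.rstrip("\n").split("\t", 3)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if now - ts < retention:
        return line.rstrip("\n")  # still inside the window: keep as is
    return "\t".join([ts_text, truncate_ip(ip), drop_identifier(cookie, salt), rest])


def anonymize_log(text, **kwargs):
    """Apply the retention rule to every non-empty line of a log file."""
    return [anonymize_line(line, **kwargs) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for out in anonymize_log(SAMPLE_LOG):
        print(out)
```

The 2005 line is older than the window, so its address becomes `203.0.113.0` and its cookie becomes a digest; the 2007 lines are inside the window and pass through untouched. Whether the result counts as anonymized rather than pseudonymized depends on what happens to `salt`: if it is retained, the digests can be recomputed from the original cookies, so a batch that is meant to be irreversible should generate a fresh salt per run and discard it afterwards, or drop the cookie field entirely.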

Saturday, May 12, 2007

Canada's No-fly list takes to the skies

Canada's new no-fly list is ready to take off:

CNW Group

Air security strengthened - Passenger Protect ready to take flight

OTTAWA, May 11 /CNW Telbec/ - The Honourable Lawrence Cannon, Minister of Transport, Infrastructure and Communities, together with the Honourable Stockwell Day, Minister of Public Safety, today announced new regulations that will strengthen air passenger security screening. Once implemented, new measures under a program known as Passenger Protect will prevent persons who pose an immediate threat to aviation security from boarding a commercial aircraft.

This made-in-Canada program was developed to provide an additional layer of security for the aviation system and to enhance public safety in a way that complies with the Canadian Charter of Rights and Freedoms and federal privacy legislation.

"Canadians want to fly secure, and Passenger Protect is a significant step forward. We must remember that Canada is not immune to the threat of terrorism and we must remain vigilant," said Minister Cannon. "Passenger Protect will not only make Canada's aviation system more secure, it will also help keep the world's skies safe by reaching beyond Canadian borders to screen everyone getting on a flight to Canada."

Under the new program, the Government of Canada is maintaining a list of specified persons who may pose an immediate threat to aviation security should they attempt to board a flight. Air carriers will be able to screen passengers against the specified persons list through a secure online system. If the air carrier identifies a person as a possible match with an entry on the list, the air carrier will contact Transport Canada to confirm the passenger's identity, and obtain a decision whether or not to allow him or her to board the flight. "Canada has one of the best aviation systems in the world and is always looking for ways to increase the safety and security of the travelling public," said Minister Day.

The Government of Canada has held discussions with airlines, airports, and labour representatives, as well as civil liberties and ethno-cultural groups in developing Passenger Protect, to create a program that enhances security, respects the needs and realities of the aviation industry and protects the rights of Canadians. As part of the consultations, Transport Canada has established a reconsideration process to provide a non-judicial, efficient way for any members of the public who have been denied boarding to have their cases reviewed by persons independent of those who made the original recommendation.

Transport Canada has worked closely with the Office of the Privacy Commissioner in order to further strengthen the privacy provisions of the program. Implementation for flights within Canada and international flights to and from Canada will begin on June 18, 2007.

As of this date, new Identity Screening Regulations will require air passengers within Canada who appear to be 12 years of age or older to present one piece of government-issued photo identification (ID) that shows name, date of birth and gender or two pieces of government-issued ID - one of which shows name, date of birth and gender - before boarding an aircraft. The boarding pass provided by the air carrier must match the name on the ID.

Canadians will not need a passport for travel within Canada but rather can present a range of government-issued ID to the air carriers including a health card, a birth certificate, a driver's licence and a social insurance card. Current requirements for international travel will remain in place. This practice is consistent with procedures currently in use by most major airlines, and will allow the air carrier and Transport Canada to confirm the identity of a passenger who is a possible match with an entry on the specified persons list.

These proposed regulations were first published in the Canada Gazette, Part I on October 28, 2006, after which a 75-day period followed to enable interested parties and the public to provide comments.

The final regulations will be published in the Canada Gazette, Part II on May 16, 2007.

A backgrounder with more information on the Passenger Protect program and the new Identity Screening Regulations is attached.

The Government of Canada began consulting with industry on passenger assessment in May 2004, and expanded consultations on a program proposal for Passenger Protect in the summer of 2005. Consultations with air carriers, airports, labour representatives, civil liberties and ethno-cultural groups as well as the Office of the Privacy Commissioner were essential to the successful design and implementation of a program that enhances security, respects the needs and realities of the aviation industry, and ensures that the privacy and human rights of Canadians are protected.

The Passenger Protect program adds another layer of security to Canada's aviation system to help address potential threats. Terrorist groups continue to target civil aviation, and seek means to defeat existing safeguards and measures.

Under the program, the Government of Canada is maintaining a list with the name, date of birth and gender of each specified person that will be provided to airlines in secure form. The airlines will compare the names of individuals intending to board flights with the names on the specified persons list, and will verify with the individual's government-issued identification when there is a name match. Identification will be verified in person at the airport check-in counter. When the airline verifies that an individual matches in name, date of birth and gender with someone on the list, the airline will be required to inform Transport Canada.

A Transport Canada officer will be on duty 24 hours a day, every day, to receive calls from airlines when they have a potential match with a specified person on the list. Transport Canada will verify information with the airline, confirm whether the individual poses an immediate threat to aviation security and inform the airline, if required, that the individual is not permitted to board the flight. The Royal Canadian Mounted Police (RCMP) would be notified immediately in the event of a match, and police of jurisdiction at the airport would be informed and take action as required.

The Passenger Protect program will be implemented for Canadian domestic flights and international flights to and from Canada on June 18, 2007.

Creating the Specified Persons List

The Minister of Transport, Infrastructure and Communities has the authority under the Aeronautics Act, to specify an individual who is a threat to aviation security and to require airlines to provide information about the specified person.

A Transport Canada-led Advisory Group will assess individuals on a case-by-case basis using information provided by the Canadian Security Intelligence Service and the RCMP, and will make recommendations to the Minister of Transport, Infrastructure and Communities concerning their designation as specified persons or the removal of that designation. The Advisory Group includes a senior officer from the Canadian Security Intelligence Service and a senior officer from the RCMP (as advised by the Department of Justice), with input from representatives from other Canadian government departments and agencies.

Individuals are added to the specified persons list based on their actions, which lead to a determination that they may pose an immediate threat to aviation security, should they attempt to board an aircraft. Guidelines in making that determination are focused on aviation security, and may include:

  • an individual who is or has been involved in a terrorist group, and who, it can reasonably be suspected, will endanger the security of any aircraft or aerodrome or the safety of the public, passengers or crew members;
  • an individual who has been convicted of one or more serious and life-threatening crimes against aviation security; and
  • an individual who has been convicted of one or more serious and life-threatening offences and who may attack or harm an air carrier, passengers or crew members.

Identity Screening Regulations

As of June 18th 2007, new Identity Screening Regulations will require airlines to screen each person's name against the specified persons list before issuing a boarding pass, for any person who appears to be 12 years of age or older. The regulations take into account the various ways in which the boarding pass may be obtained: at a kiosk, through the Internet, or at an airport check-in counter.

Where there is check-in via Internet or kiosks, airlines will not allow printing of the boarding pass when there is a name match with the specified persons list. Passengers refused a boarding pass at a kiosk or through the Internet will be directed to the airline agent for in-person verification of government-issued identification (ID). ID verification will determine whether the name, date of birth and gender match those of a listed person.

The regulations also require air carriers to screen individuals at the boarding gate by comparing the name on government-issued ID with the name on the boarding pass. If the name on the ID is not the same as the name on the boarding pass, the air carrier will be required to check the name on the ID against the list.

Transport Canada will work with air carriers to provide training for agents and staff who will be involved in implementing the ID verification requirement, and establish procedures that respect the rights of passengers.

The ID requirement under the Passenger Protect program is for one piece of valid government-issued photo ID that shows name, date of birth and gender, such as a driver's licence or a passport, or two pieces of valid government-issued ID, at least one of which shows name, date of birth and gender, such as a birth certificate. The verification of passengers' ID is already a practice followed by most major air carriers in Canada.

The regulations will be published in the Canada Gazette, Part II on May 16, 2007.

Reconsideration and Appeals

The Passenger Protect program also includes a reconsideration process for individuals who wish to contest the denial of boarding. An individual who has been denied boarding under the Passenger Protect program will be able to apply to Transport Canada's Office of Reconsideration (OOR), which may arrange for an independent assessment of the case and make a recommendation. The goal is to provide a non-judicial, efficient mechanism for any member of the public to have their case reviewed by persons independent of those who made the original recommendation to the Minister. Individuals have the further option of making application to Federal Court for judicial review.

Privacy and Human Rights

The protection of privacy and human rights is a core element of the Passenger Protect program. In developing the program, Transport Canada worked with stakeholders and consulted with civil liberties and ethno-cultural groups, and the Office of the Privacy Commissioner on privacy aspects.

A summary of the Privacy Impact Assessment conducted on the Passenger Protect program is available on the Transport Canada website at In addition, the Office of the Privacy Commissioner of Canada posed a series of questions to Transport Canada about the Passenger Protect program in August 2005. The questions and the answers shed light on the privacy protection features of the program and are available on the Web at

More details on the Passenger Protect program and the new Identity Screening Regulations are available on Transport Canada's website at

May 2007

Narcotics diary of FBI agent on EBay

If you were smoking dope in New York between 1931 and 1959, your comings and goings may be detailed in a surveillance diary of a former FBI agent, which is being sold on EBay. It is apparently complete and unredacted. No names have been changed to protect the innocent or guilty. More: Boing Boing: EBay find: Narcotics diary of FBI agent, NYC, 1931-1959

Monday, May 07, 2007

WSJ sheds light on TJX breach methods

David Canton has just posted a link to a very interesting and insightful article on the TJX/Winners breach, which sheds light on how the scammers were able to penetrate the TJX system to take approximately TWO HUNDRED MILLION credit card numbers.

How Credit-Card Data Went Out Wireless Door -

... When wireless data networks exploded in popularity starting around 2000, the data was largely shielded by a flawed encoding system called Wired Equivalent Privacy, or WEP, that was quickly pierced. The danger became evident as soon as 2001, when security experts issued warnings that they were able to crack the encryption systems of several major retailers.

By 2003, the wireless industry was offering a more secure system called Wi-Fi Protected Access or WPA, with more complex encryption. Many merchants beefed up their security, but others including TJX were slower to make the change. An auditor later found the company also failed to install firewalls and data encryption on many of its computers using the wireless network, and didn't properly install another layer of security software it had bought. The company declined to comment on its security measures.

The hackers in Minnesota took advantage starting in July 2005. Though their identities aren't known, their operation has the hallmarks of gangs made up of Romanian hackers and members of Russian organized crime groups that also are suspected in at least two other U.S. cases over the past two years, security experts say. Investigators say these gangs are known for scoping out the least secure targets and being methodical in their intrusions, in contrast with hacker groups known in the trade as "Bonnie and Clydes" who often enter and exit quickly and clumsily, sometimes strewing clues behind them.

The TJX hackers did leave some electronic footprints that show most of their break-ins were done during peak sales periods to capture lots of data, according to investigators. They first tapped into data transmitted by hand-held equipment that stores use to communicate price markdowns and to manage inventory. "It was as easy as breaking into a house through a side window that was wide open," according to one person familiar with TJX's internal probe. The devices communicate with computers in store cash registers as well as routers that transmit certain housekeeping data.

After they used that data to crack the encryption code, the hackers digitally eavesdropped on employees logging into TJX's central database in Framingham and stole one or more user names and passwords, investigators believe. With that information, they set up their own accounts in the TJX system and collected transaction data including credit-card numbers into about 100 large files for their own access. They were able to go into the TJX system remotely from any computer on the Internet, probers say....

Thursday, May 03, 2007

Parliamentary review of PIPEDA: Report

The Parliamentary Committee on Access to Information, Privacy and Ethics has just released its report following the five year PIPEDA review:



has the honour to present its

Fourth Report

Pursuant to its mandate under Standing Order 108(2), the Committee has studied a Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA) and agreed to the following report:

The HTML version of this report will be available soon. In the meantime, the Committee is pleased to make available the report entitled STATUTORY REVIEW OF THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA) (.PDF, 262 KB) in printable format.

Here are the recommendations:


Recommendation 1

The Committee recommends that a definition of “business contact information” be added to PIPEDA, and that the definition and relevant restrictive provision found in the Alberta Personal Information Protection Act be considered for this purpose.

Recommendation 2

The Committee recommends that PIPEDA be amended to include a definition of “work product” that is explicitly recognized as not constituting personal information for the purposes of the Act. In formulating this definition, reference should be added to the definition of “work product information” in the British Columbia Personal Information Protection Act, the definition proposed to this Committee by IMS Canada, and the approach taken to professional information in Quebec’s An Act Respecting the Protection of Personal Information in the Private Sector.

Recommendation 3

The Committee recommends that a definition of “destruction” that would provide guidance to organizations on how to properly destroy both paper records and electronic media be added to PIPEDA.

Recommendation 4

The Committee recommends that PIPEDA be amended to clarify the form and adequacy of consent required by it, distinguishing between express, implied and deemed/opt-out consent. Reference should be made in this regard to the Alberta and British Columbia Personal Information Protection Acts.

Recommendation 5

The Committee recommends that the Quebec, Alberta and British Columbia private sector data protection legislation be considered for the purposes of developing and incorporating into PIPEDA an amendment to address the unique context experienced by federally regulated employers and employees.

Recommendation 6

The Committee recommends that PIPEDA be amended to replace the “investigative bodies” designation process with a definition of “investigation” similar to that found in the Alberta and British Columbia Personal Information Protection Acts, thereby allowing for the collection, use and disclosure of personal information without consent for that purpose.

Recommendation 7

The Committee recommends that PIPEDA be amended to include a provision permitting organizations to collect, use and disclose personal information without consent, for the purposes of a business transaction. This amendment should be modeled on the Alberta Personal Information Protection Act in conjunction with enhancements recommended by the Privacy Commissioner of Canada.

Recommendation 8

The Committee recommends that an amendment to PIPEDA be considered to address the issue of principal-agent relationships. Reference to section 12(2) of the British Columbia Personal Information Protection Act should be made with respect to such an amendment.

Recommendation 9

The Committee recommends that PIPEDA be amended to create an exception to the consent requirement for information legally available to a party to a legal proceeding, in a manner similar to the provisions of the Alberta and British Columbia Personal Information Protection Acts.

Recommendation 10

The Committee recommends that the government consult with the Privacy Commissioner of Canada with respect to determining whether there is a need for further amendments to PIPEDA to address the issue of witness statements and the rights of persons whose personal information is contained therein.

Recommendation 11

The Committee recommends that PIPEDA be amended to add other individual, family or public interest exemptions in order to harmonize its approach with that taken by the Quebec, Alberta and British Columbia private sector data protection Acts.

Recommendation 12

The Committee recommends that consideration be given to clarifying what is meant by “lawful authority” in section 7(3)(c.1) of PIPEDA and that the opening paragraph of section 7(3) be amended to read as follows: “For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization shall disclose personal information without the knowledge or consent of the individual but only if the disclosure is […]”

Recommendation 13

The Committee recommends that the term “government institution” in sections 7(3)(c.1) and (d) be clarified in PIPEDA to specify whether it is intended to encompass municipal, provincial, territorial, federal and non-Canadian entities.

Recommendation 14

The Committee recommends the removal of section 7(1)(e) from PIPEDA.

Recommendation 15

The Committee recommends that the government examine the issue of consent by minors with respect to the collection, use and disclosure of their personal information in a commercial context with a view to amendments to PIPEDA in this regard.

Recommendation 16

The Committee recommends that no amendments be made to PIPEDA with respect to transborder flows of personal information.

Recommendation 17

The Committee recommends that the government consult with members of the health care sector, as well as the Privacy Commissioner of Canada, to determine the extent to which elements contained in the PIPEDA Awareness Raising Tools document may be set out in legislative form.

Recommendation 18

The Committee recommends that the Federal Privacy Commissioner not be granted order-making powers at this time.

Recommendation 19

The Committee recommends that no amendment be made to section 20(2) of PIPEDA with respect to the Privacy Commissioner’s discretionary power to publicly name organizations in the public interest.

Recommendation 20

The Committee recommends that the Federal Privacy Commissioner be granted the authority under PIPEDA to share personal information and cooperate in investigations of mutual interest with provincial counterparts that do not have substantially similar private sector legislation, as well as international data protection authorities.

Recommendation 21

The Committee recommends that any extra-jurisdictional information sharing, particularly to the United States, be adequately protected from disclosure to a foreign court or other government authority for purposes other than those for which it was shared.

Recommendation 22

The Committee recommends that PIPEDA be amended to permit the Privacy Commissioner to apply to the Federal Court for an expedited review of a claim of solicitor-client privilege in respect of the denial of access to personal information (section 9(3)(a)) where the Commissioner has sought, and been denied, production of the information in the course of an investigation.

Recommendation 23

The Committee recommends that PIPEDA be amended to include a breach notification provision requiring organizations to report certain defined breaches of their personal information holdings to the Privacy Commissioner.

Recommendation 24

The Committee recommends that upon being notified of a breach of an organization’s personal information holdings, the Privacy Commissioner shall make a determination as to whether or not affected individuals and others should be notified and if so, in what manner.

Recommendation 25

The Committee recommends that in determining the specifics of an appropriate notification model for PIPEDA, consideration should be given to questions of timing, manner of notification, penalties for failure to notify, and the need for a “without consent” power to notify credit bureaus in order to help protect consumers from identity theft and fraud.

Wednesday, May 02, 2007

Alberta order on consent and withdrawal thereof

A new and interesting Order from Alberta:
Order P2007-003

Two Complainants brought complaints under the Personal Information Protection Act with respect to the collection, use and disclosure of their personal information by International Stereo Ltd., (now operating as Urban Audio Video Inc.) (the “Retailer”). The information had been collected by the Retailer and then conveyed to Wells Fargo Financial Corporation of Canada, so as to permit the latter organization to conduct credit checks for determining whether it would grant credit for buying the Retailer’s merchandise. Although the Complainants signed applications containing clauses consenting to use of personal information for credit checks, they said they had been assured their personal information would not be used in this way. They also said they had been led to believe the cards for which they applied would allow them to get 10% discounts on purchases. As well, one of them complained that his request to withdraw his application had been refused.

The Adjudicator found that the Retailer collected, used and disclosed the Complainants’ personal information in violation of section 7 of the Act (collection, use and disclosure without consent), that it failed to provide adequate notification of the purpose for collection in contravention of section 13, and that it failed to cease collecting, using or disclosing the personal information after consent had been withdrawn, in violation of section 9(4).