Friday, November 30, 2007

Law enforcement access to personal information

Today I had the privilege of speaking at the annual professional development event of the Nova Scotia Criminal Lawyers Association, in association with the Nova Scotia Barristers' Society. The theme of the conference was very privacy-centric: Listening, Snooping and Searching: What's Right, What's Wrong.

I was also privileged to speak alongside S/Sgt Al Langille of the RCMP's integrated technology crime unit. He is a thirty-year veteran of law enforcement, including fifteen in technology crimes and computer forensics. A great guy and very privacy conscious.

My presentation, for those who may be interested, is here: http://docs.google.com/Presentation?id=ddpx56cg_48hcdnqv.

Thursday, November 29, 2007

Whole disk encryption made easy

If you have a laptop, you should read Bruce Schneier's commentary in Wired: How Does Bruce Schneier Protect His Laptop Data? With His Fists -- and PGP.

Wednesday, November 28, 2007

Reckless corporations may violate ID theft law

Fellow blogger David Canton is quoted in this interesting article that suggests reckless corporations may find themselves guilty of violating the new ID theft law:

Reckless Data Handling Could Violate ID Theft Law - Security Feed - News - CSO Magazine

Nov 27, 2007

Reckless Data Handling Could Violate ID Theft Law

The recently proposed amendment to the Criminal Code that would make "reckless" handling of personal information a crime can be troubling given the broad definition of the word, said one lawyer.

If Bill C-27 is passed, it will be an offense to make available or sell personal information (such as names, addresses, bank account information and social insurance numbers) knowing it will be used to commit fraud -- or if the person or company selling the information is reckless as to whether the data will be used for fraud by a third party.

Bill C-27, an Act to Amend the Criminal Code (identity theft and related misconduct) was tabled in the House of Commons last week and passed first reading.

As reported by ITWorld Canada, vendors say Feds should enforce data encryption

The problem with measuring recklessness is a valid concern for organizations whose business relies on collecting customer personal information given the lack of industry standards, said Howard Simkevitz, lawyer with Toronto, Ont.-based law firm Lang Michener LLP.

Some international standards, from bodies such as the International Standards Organization (ISO), handle security compliance, but there is no equivalent for privacy, Simkevitz said.

"When we’re talking about identity theft and it’s the theft of personal information, that’s a distinct privacy-oriented term."

He added the term reckless includes the absence of precautions around securing customer personal data, so organizations should implement policies and procedures based around this. Overall, such precautions are mainly based on common sense and good corporate values around how to handle another person’s sensitive data, he said.

The privacy commissioner, he added, also makes available helpful guidelines around policies.

Actually, the Personal Information Protection and Electronic Documents Act (PIPEDA) provides a good starting point, he said, by advising organizations to determine whether the information they are collecting is personal, and if it is, to figure out if they have received consent to collect and use it for certain purposes.

"The risk of running afoul is at least minimalized, but there are tons of issues here, and the fact that now there are criminal sanctions that could be applied, is an issue," said Simkevitz.

The recklessness aspect of the bill is probably intended to capture people who do more than just act negligently, but "turn a blind eye" to securing personal information, said David Canton, a lawyer with London, Ont.-based law firm Harrison Pensa LLP.

When transferring that type of data to a third party, the organization should seek assurances that the recipient of the information is going to do what it has said it will do with the data, he said. Often, having contractual provisions to limit use of the data by a third party is useful, he added.

If companies seek such assurances, he said, "I would suspect that they haven’t crossed the reckless threshold."

But a rogue employee stealing customer personal information for the purposes of fraud could, depending on the circumstance, mean the company has been reckless, said Simkevitz. However, he said, if the company can demonstrate it took necessary actions to mitigate such risk, then it may not be held liable.

Typically, organizations are "vicariously liable" for actions of their employees, said Canton. Specifically, if the act committed falls within the ambit of that person’s job, then the organization can be held liable, he added, but "it’s not always an easy line to draw."

But given that Bill C-27 complements PIPEDA and other existing privacy legislation, said Canton, companies who have already dealt with privacy probably have dealt with the issues that this new bill presents.

The bill’s proposals do not add anything to existing legislation, said Canton, "but raises the bar and is maybe one way of putting criminal teeth in the security aspect of [PIPEDA], although it’s probably not its prime intention."

Canton said it’s hard to argue against some of the contents of the bill and it’s usually difficult to tell if such things will help deter identity theft, but it’s nonetheless a useful tool.

If anything, said Simkevitz, the bill "sensitizes corporations to the importance of protecting personal information."

In particular, he said, it’s great that it includes compensating victims of identity fraud, but it doesn’t address the issue of quantifying damages like the loss of a driver’s license versus hassle at the border because of issues with stolen identity.

"It certainly does [add teeth to PIPEDA]. Is this sufficient? I would be more reluctant to say that it is," said Simkevitz.

Besides that, he said the proposed amendment doesn’t address the use of spam to collect personal information, nor the issue of breach notification.

Alberta Commissioner investigating Barlink on ID swiping

I've blogged on this topic of bars swiping patrons' identification a number of times (see label "id swiping"), but it appears that we'll have a decision from the Alberta Commissioner on the topic in the next few months: edmontonsun.com - Edmonton News - Barlink probed by privacy watchdog.

Sunday, November 25, 2007

Consultant causes security breach of patient information in Newfoundland

An investigation has been launched in Newfoundland after a consultant working for public health authorities inadvertently breached security for personal health information, including HIV status, by allowing the information to be accessible on the internet. See: N.L. police probe security breach of patient information.

Friday, November 23, 2007

Mandatory gunshot reporting bill hits Nova Scotia legislature

Today, following yesterday's speech from the throne, the Conservative government of Nova Scotia introduced a bill in the legislature to make it mandatory that medical professionals call the cops when a person seeks treatment for a gunshot or stabbing wound. I hope to see some sensible debate about this. Already, a leading physician from the IWK Health Centre (our children's hospital) is saying he's concerned that it will discourage hurt young people from seeking treatment (see: Doctor pans mandatory reporting plan).

Personally, I am concerned that this may have the tendency to impair the critical relationship of trust between patients and physicians. As professionals are forced to be agents of the state -- and law enforcement in particular -- patients can trust them less with their confidences.

Cellphone Tracking Powers on Request

The Washington Post has an article on how, in some cases, law enforcement in the US is getting access to real-time tracking information about suspects' cell phones, without warrants or without probable cause. I was particularly reminded of some of the debate over lawful access in Canada:

Cellphone Tracking Powers on Request - washingtonpost.com

Cellphone Tracking Powers on Request

Secret Warrants Granted Without Probable Cause

By Ellen Nakashima

Washington Post Staff Writer

Friday, November 23, 2007; A01

Federal officials are routinely asking courts to order cellphone companies to furnish real-time tracking data so they can pinpoint the whereabouts of drug traffickers, fugitives and other criminal suspects, according to judges and industry lawyers.

In some cases, judges have granted the requests without requiring the government to demonstrate that there is probable cause to believe that a crime is taking place or that the inquiry will yield evidence of a crime. Privacy advocates fear such a practice may expose average Americans to a new level of government scrutiny of their daily lives.

Such requests run counter to the Justice Department's internal recommendation that federal prosecutors seek warrants based on probable cause to obtain precise location data in private areas. The requests and orders are sealed at the government's request, so it is difficult to know how often the orders are issued or denied.

The issue is taking on greater relevance as wireless carriers are racing to offer sleek services that allow cellphone users to know with the touch of a button where their friends or families are. The companies are hoping to recoup investments they have made to meet a federal mandate to provide enhanced 911 (E911) location tracking. Sprint Nextel, for instance, boasts that its "loopt" service even sends an alert when a friend is near, "putting an end to missed connections in the mall, at the movies or around town."

With Verizon's Chaperone service, parents can set up a "geofence" around, say, a few city blocks and receive an automatic text message if their child, holding the cellphone, travels outside that area.

"Most people don't realize it, but they're carrying a tracking device in their pocket," said Kevin Bankston of the privacy advocacy group Electronic Frontier Foundation. "Cellphones can reveal very precise information about your location, and yet legal protections are very much up in the air."

In a stinging opinion this month, a federal judge in Texas denied a request by a Drug Enforcement Administration agent for data that would identify a drug trafficker's phone location by using the carrier's E911 tracking capability. E911 tracking systems read signals sent to satellites from a phone's Global Positioning System (GPS) chip or triangulated radio signals sent from phones to cell towers. Magistrate Judge Brian L. Owsley, of the Corpus Christi division of the Southern District of Texas, said the agent's affidavit failed to focus on "specifics necessary to establish probable cause, such as relevant dates, names and places."

Owsley decided to publish his opinion, which explained that the agent failed to provide "sufficient specific information to support the assertion" that the phone was being used in "criminal" activity. Instead, Owsley wrote, the agent simply alleged that the subject trafficked in narcotics and used the phone to do so. The agent stated that the DEA had " 'identified' or 'determined' certain matters," Owsley wrote, but "these identifications, determinations or revelations are not facts, but simply conclusions by the agency."

Instead of seeking warrants based on probable cause, some federal prosecutors are applying for orders based on a standard lower than probable cause derived from two statutes: the Stored Communications Act and the Pen Register Statute, according to judges and industry lawyers. The orders are typically issued by magistrate judges in U.S. district courts, who often handle applications for search warrants.

In one case last month in a southwestern state, an FBI agent obtained precise location data with a court order based on the lower standard, citing "specific and articulable facts" showing reasonable grounds to believe the data are "relevant to an ongoing criminal investigation," said Al Gidari, a partner at Perkins Coie in Seattle, who reviews data requests for carriers.

Another magistrate judge, who has denied about a dozen such requests in the past six months, said some agents attach affidavits to their applications that merely assert that the evidence offered is "consistent with the probable cause standard" of Rule 41 of the Federal Rules of Criminal Procedure. The judge spoke on condition of anonymity because of the sensitivity of the issue.

"Law enforcement routinely now requests carriers to continuously 'ping' wireless devices of suspects to locate them when a call is not being made . . . so law enforcement can triangulate the precise location of a device and [seek] the location of all associates communicating with a target," wrote Christopher Guttman-McCabe, vice president of regulatory affairs for CTIA -- the Wireless Association, in a July comment to the Federal Communications Commission. He said the "lack of a consistent legal standard for tracking a user's location has made it difficult for carriers to comply" with law enforcement agencies' demands.

Gidari, who also represents CTIA, said he has never seen such a request that was based on probable cause.

Justice Department spokesman Dean Boyd said field attorneys should follow the department's policy. "We strongly recommend that prosecutors in the field obtain a warrant based on probable cause" to get location data "in a private area not accessible to the public," he said. "When we become aware of situations where this has not occurred, we contact the field office and discuss the matter."

The phone data can home in on a target to within about 30 feet, experts said.

Federal agents used exact real-time data in October 2006 to track a serial killer in Florida who was linked to at least six murders in four states, including that of a University of Virginia graduate student, whose body was found along the Blue Ridge Parkway. The killer died in a police shooting in Florida as he was attempting to flee.

"Law enforcement has absolutely no interest in tracking the locations of law-abiding citizens. None whatsoever," Boyd said. "What we're doing is going through the courts to lawfully obtain data that will help us locate criminal targets, sometimes in cases where lives are literally hanging in the balance, such as a child abduction or serial murderer on the loose."

In many cases, orders are being issued for cell-tower site data, which are less precise than the data derived from E911 signals. While the E911 technology could possibly tell officers what building a suspect was in, cell-tower site data give an area that could range from about three to 300 square miles.

Since 2005, federal magistrate judges in at least 17 cases have denied federal requests for the less-precise cellphone tracking data absent a demonstration of probable cause that a crime is being committed. Some went out of their way to issue published opinions in these otherwise sealed cases.

"Permitting surreptitious conversion of a cellphone into a tracking device without probable cause raises serious Fourth Amendment concerns especially when the phone is in a house or other place where privacy is reasonably expected," said Judge Stephen William Smith of the Southern District of Texas, whose 2005 opinion on the matter was among the first published.

But judges in a majority of districts have ruled otherwise on this issue, Boyd said. Shortly after Smith issued his decision, a magistrate judge in the same district approved a federal request for cell-tower data without requiring probable cause. And in December 2005, Magistrate Judge Gabriel W. Gorenstein of the Southern District of New York, approving a request for cell-site data, wrote that because the government did not install the "tracking device" and the user chose to carry the phone and permit transmission of its information to a carrier, no warrant was needed.

These judges are issuing orders based on the lower standard, requiring a showing of "specific and articulable facts" showing reasonable grounds to believe the data will be "relevant and material" to a criminal investigation.

Boyd said the government believes this standard is sufficient for cell-site data. "This type of location information, which even in the best case only narrows a suspect's location to an area of several city blocks, is routinely generated, used and retained by wireless carriers in the normal course of business," he said.

The trend's secrecy is troubling, privacy advocates said. No government body tracks the number of cellphone location orders sought or obtained. Congressional oversight in this area is lacking, they said. And precise location data will be easier to get if the Federal Communications Commission adopts a Justice Department proposal to make the most detailed GPS data available automatically.

Often, Gidari said, federal agents tell a carrier they need real-time tracking data in an emergency but fail to follow up with the required court approval. Justice Department officials said to the best of their knowledge, agents are obtaining court approval unless the carriers provide the data voluntarily.

To guard against abuse, Congress should require comprehensive reporting to the court and to Congress about how and how often the emergency authority is used, said John Morris, senior counsel for the Center for Democracy and Technology.

Staff researcher Richard Drezen contributed to this report.

Thursday, November 22, 2007

Take security seriously

David Canton's most recent Canoe column on information security is a good summary of the issues and includes the factors that any custodian of information should keep in mind. See: eLegal Canton: Data security must be ensured.

Geist on Canada's ID theft bill

Michael Geist, insightful and thoughtful as always, has some interesting comments on the proposed new identity theft legislation introduced yesterday. Check it out: Michael Geist - Canada's Identity Theft Bill: What It Says and What's Missing.

Bill C-27 - An Act to amend the Criminal Code (identity theft and related misconduct)

The full text of Bill C-27 has been posted on the Parliamentary website: C-27 - An Act to amend the Criminal Code (identity theft and related misconduct).

Here's the bill's summary:

This enactment amends the Criminal Code to create a new offence of identity theft, of trafficking in identity information and of unlawful possession or trafficking in certain government-issued identity documents, to clarify and expand certain offences related to identity theft and identity fraud, to exempt certain persons from liability for certain forgery offences, and to allow for an order that the offender make restitution to a victim of identity theft or identity fraud for the expenses associated with rehabilitating their identity.

Wednesday, November 21, 2007

Tory legislation to target identity theft

The Canadian federal government is planning to table legislation in Parliament today to add additional offenses to the criminal code to deal with activities that are precursors to identity theft.

I was interviewed earlier today by CTV Newsnet on the topic (on Google Video):

Here is the media release:

Government of Canada Introduces Legislation to Tackle Identity Theft

GOVERNMENT OF CANADA INTRODUCES LEGISLATION TO TACKLE IDENTITY THEFT

OTTAWA, November 21, 2007 – Minister of Justice and Attorney General of Canada, the Honourable Rob Nicholson, P.C., Q.C., M.P. for Niagara Falls, today introduced legislation to help combat identity theft, which has been identified as a fast-growing problem throughout North America.

“This Government is following through on its commitment to give police the tools they need to better protect Canadians by stopping identity theft activity before the damage is done,” said Minister Nicholson. “I have tabled legislation that will make it an offence to obtain, possess or traffic in other people's identity information if it is to be used to commit a crime.”

The misuse of another person's identity information, generally referred to as identity fraud, is covered by current offences in the Criminal Code, such as personation and forgery. But the preparatory steps of collecting, possessing and trafficking in identity information are generally not captured by existing offences. The proposed legislation would create three new offences directly targeting aspects of the identity theft problem, all subject to five-year maximum sentences:

  • obtaining or possessing identity information with intent to use it to commit certain crimes;
  • trafficking in identity information with knowledge of or recklessness as to its intended use in the commission of certain crimes; and
  • unlawfully possessing and trafficking in government-issued identity documents.

Additional Criminal Code amendments would create new offences of fraudulently redirecting or causing redirection of a person's mail, possessing a counterfeit Canada Post mail key and possessing instruments for copying credit card information, in addition to the existing offence of possessing instruments for forging credit cards.

Moreover, a new power would also be added permitting the court to order, as part of a sentence, that an offender be required to pay restitution to a victim of identity theft or identity fraud where the victim has incurred expenses related to rehabilitating their identity, such as the cost of replacement cards and documents and costs in relation to correcting their credit history.

“Our Government understands that new and rapidly evolving technologies have made identity theft a widespread criminal activity that often involves organized crime,” added Minister Nicholson. “This is an issue that is harming Canada's families, seniors and businesses. We are therefore taking action to tackle this serious problem.”

This legislative proposal is one in a new series of tackling community crime bills the Government of Canada will be introducing in this new session of Parliament. This series is in addition to the comprehensive Tackling Violent Crime Act that aims to better protect youth from sexual predators, protect society from dangerous offenders, get serious with drug impaired drivers and toughen sentencing and bail for those who commit serious gun crimes.

In addition to its plan to protect Canadians against identity theft, the Government of Canada has:

  • introduced a National Anti-Drug Strategy, including legislation that would provide mandatory jail time for serious drug crimes;
  • tabled legislation to strengthen the Youth Criminal Justice Act; and announced a comprehensive review of this Act in 2008;
  • invested in crime prevention community projects across Canada that target youth;
  • passed legislation to increase penalties for those convicted of street racing; and
  • passed legislation to end conditional sentences for serious crimes such as personal injury offences.

An online version of the legislation will be available at www.parl.gc.ca.

Here is additional coverage from CTV:

CTV.ca Tory legislation to target identity theft

Tory legislation to target identity theft

Updated Wed. Nov. 21 2007 11:58 AM ET

CTV.ca News Staff

The federal Conservatives will introduce legislation today aimed at charging people accused of identity theft even before stolen information is used to commit a crime.

Currently, the law makes it illegal to misuse someone's personal information to create false identification or for other fraudulent purposes.

However, it is not against the law to collect, possess or traffic another person's identity information.

The Tories want to amend the Criminal Code to make it an offence to possess someone's personal identifying information with the intent of selling it or using it to commit fraud.

"I think there's always a challenge in proving intent but we have a number of offences in our Criminal Code where intent is an important portion of proving the charge," David Fraser, a lawyer that specializes in privacy issues, told CTV.ca.

"You can do that by looking at the totality of the circumstances -- you don't necessarily have to look directly into the head of the accused."

In 2006, almost 8,000 victims reported losses of $16 million to PhoneBusters, the Canadian Anti-fraud Call Centre.

"There are probably even more who don't report it... (and) there isn't mandatory reporting from the banks or the credit bureaus who might be the first to hear about it," said Fraser.

He said the Tory initiative will give law enforcement an additional tool to help them deal with identity theft offences.

However, Fraser said attention should also be given to ensuring that businesses properly secure personal information in the first place.

"That's one of the places where information often gets into the hands of identity thieves," he said.

"Another part of it might be simply to make it a little more challenging in order for credit granters to extend credit to individuals."

Consumers can also take practical steps to protect their information by regularly checking bank statements and shredding personal documents, said Fraser.

The identity theft legislation is the latest in a flurry of anti-crime initiatives the Tories have announced this week.

On Tuesday, the Harper government introduced new legislation proposing mandatory sentencing for individuals convicted of serious drug-related crimes.

Federal Justice Minister Robert Nicholson said the new bill is designed to impose tough sentences on Canadians profiting from organized crime and violence.

If passed, Bill C-2 will impose the first mandatory sentences under the Controlled Drugs and Substances Act for people convicted of drug-related crimes.

On Monday, the Tories proposed changes to the Youth Criminal Justice Act.

The key proponents of their proposal are:

  • Tougher sentences
  • Allowing for pre-trial detention
  • Allow courts to consider deterrence and denunciation as objectives of youth sentences

Tuesday, November 20, 2007

UK loses sensitive personal data on 25m people

A lot of stuff I read about privacy incidents leaves me scratching my head in wonder. In thinking about the staggering number of privacy breaches coming out of governments (Canadian, US, UK, etc.), I wonder:

  1. Are we hearing about all these incidents because employees who handle personal information for governments are idiots?
  2. Are we hearing about all these incidents because governments are more likely to come clean when bad things happen?
  3. Are we hearing about all these incidents because citizens are more likely to go to the media?
  4. Are we hearing about all these incidents because governments handle such vast quantities of personal information, but statistically are no more likely -- per capita / per employee / per whatever -- to mishandle personal information?

I am thinking that it probably isn't #2.

The latest is from the UK. An employee of the Revenue & Customs sent CDs of unencrypted personal information about almost every child and parent in the UK via regular internal mail. The CDs never reached their destination. The minister responsible has admitted that this has occurred on multiple occasions. When are governments going to learn?

See: Taxman loses sensitive personal data on 25m people - Times Online, via UK tax-man repeatedly hemorrhages personal financial info of 25 MILLION Brits - Boing Boing.

Sunday, November 18, 2007

Incident: Laptop containing pensioners' personal information stolen from bureaucrat's home

CBC is reporting that a laptop containing personal information on more than a thousand pensioners was stolen from a bureaucrat's home in Gatineau, Quebec. The government has notified the 1600 affected individuals. It appears the laptop was not supposed to leave the building. The Privacy Commissioner is investigating. See: Private information stolen from civil servant's home.

Saturday, November 17, 2007

Friday, November 16, 2007

The Canadian Response to the USA Patriot Act

I was recently invited to contribute an article to the IEEE Security & Privacy magazine on the Canadian response to the USA Patriot Act. Here's the abstract:

The Canadian Response to the USA Patriot Act

Since the attacks of September 11, 2001, US authorities have spent untold millions of dollars guarding their frontiers to regulate what gets into the country. On the other side of the border, many Canadian jurisdictions have turned their thoughts to regulating what information flows southward into the US. This isn't out of concern about terrorism but rather about the US response to it.

Citation: David Fraser, "The Canadian Response to the USA Patriot Act," IEEE Security and Privacy, vol. 5, no. 5, pp. 66-68, Sept/Oct, 2007

I think I reserved the right to publish the article on the blog after the publication by IEEE, but I'll have to track down that release .... stay tuned.

Update: Definitely Not the Opera

I found out that tomorrow's Definitely Not the Opera is "all privacy, all the time".

Here's the synopsis from the website:

Definitely Not the Opera

Broadcast time: Saturdays at 1:00 p.m. (1:30 NT) on CBC Radio One

On the street, on stage or behind the scenes, DNTO takes listeners on a fast paced trip through the cultural landscape of Canada and around the world. Definitely Not the Opera is the ideal audio guide to the fast-changing world of popular culture. It's your tip sheet to what's hot, what to watch, who to listen to and what's going on.

This Week on DNTO!

Every breath you take… every move you make… DNTO will be watching you. ‘Cause this week, we’re looking at privacy, and asking the question – how far will you go to protect it?

From 1-2

To begin, Sook-Yin hits the streets to see what kind of bribe it takes to get strangers to give up their deeply personal information.

Nick Purdon struggles to rid himself of that ancient violation of his mailbox’s privacy… junk mail.

So maybe the question isn’t so much how far you’ll go to protect your privacy… but why you should bother. Halifax-based lawyer and privacy expert David Fraser will come by to explain how your privacy is at risk in everyday situations… like turning on your computer at work.

Then it’s over to paranoid contributor Clare Lawlor, who has formed a special bond with her shredder.

Musicians put their private lives on the stage… so how do they maintain their privacy? Sook-Yin will chat with Neverending White Lights, and they’ll play us a tune live in studio.

And we’ll head south of the border to hear from funnyman John Wing with his take on privacy.

Plus tunes from the New Pornographers, Chris Walla, Crowded House and Hawksley Workman.

From 2-3

Sook-Yin pays a visit to Canadian science-fiction icon Robert J. Sawyer, who maintains that our notion of “privacy” might be a bit overrated… but to get to know Robert a little better, she’ll start by paying a visit to his garbage.

We’ll ask Robert to stick around for this week’s edition of Parlour Games.

Sook-Yin takes her mic back to the streets to find out how you’ve invaded the privacy of others. We willingly surrender a lot of our privacy online these days… but is it worth it? DNTO’s Wab Kinew looks into it.

Comedian Fraser Young loves the GPS chip. Privacy… not so much. He’ll explain why.

And Sook-Yin will talk with artist Hasan Elahi, who’s taken a unique approach to privacy… by making his every move public.

All that, and music from Immaculate Machine, Metric, the Russian Futurists, George Michael, and Prince.

DNTO airs Saturday afternoons across Canada at 1:00 p.m. (1:30 in Newfoundland) on CBC Radio One.

You can also catch the show on Sirius Satellite Radio channel 137 - Saturdays at 11:00 a.m. and 9:00 p.m.

And if you're in Chicago or Seattle, you can catch us on public radio... we're on WBEZ in Chicago Sunday at midnight, and on KXOT in Seattle Saturday at 9:00 a.m.

Plus, if you can't catch us on the air, download our weekly podcast of highlights from DNTO!

DNTO's theme music is "Bentley's Gonna Sort You Out" by Bentley Rhythm Ace.

UPDATE: My interview wasn't on the post-show podcast, but if you're interested, here's an MP3 of the interview (2931Kb).

Thursday, November 15, 2007

Alberta commissioner: "It's just nuts that we're not looking after this stuff better"

After an investigation into a stolen laptop from Alberta Capital Health, Frank Work has expressed some exasperation about how personal information is being protected:

Safeguard cyber-privacy

The Edmonton Journal

Thursday, November 15, 2007

Crafting sophisticated privacy legislation has never been more important, as lawmakers struggle to keep up with technological advances. And yet all the statutes in the world are no excuse for common sense.

"It's just nuts that we're not looking after this stuff better," exclaimed an exasperated Frank Work on Tuesday. Work, Alberta's information and privacy commissioner, had just released a report investigating the May theft of four laptop computers at a Capital Health office.

The study concluded that Capital Health had contravened the Health Information Act by not taking adequate security precautions. This was in spite of two previous warnings about the need for encryption programs. Capital Health has promised that it will have encryption for laptops installed by January and will soon provide the commissioner with a detailed implementation plan for other changes. Let's hope so.

Not that Capital Health is alone. Work also announced another investigation into the theft of a memory stick storing personal details of 560 students attending Edmonton Catholic Schools. An employee of the board's school bus company kept the stick in her purse. The school board now insists bus carriers' memory sticks must be encrypted.

The hope is that other organizations are paying attention. Breaches in consumer information security have made all of us think twice when ordering online or even at the local cash register.

To be fair, a lot of bright people are working on this and lessons have been learned. Still, coming to terms with the storehouse of private information most of us carry around daily in various devices is everyone's business. As technology moves forward, we must remember that privacy is too precious to be taken lightly. That begins at home, at work and at school.

Tune into Definitely Not the Opera's privacy segment

On Saturday, tune into CBC Radio One's Definitely Not the Opera, where they are doing a segment on privacy. I'm meeting the host, Sook-Yin Lee, on Friday for an interview to be broadcast Saturday afternoon.

Monday, November 12, 2007

US Intel Official wants to change the definition of privacy

In a speech to a conference on GEOINT, Donald Kerr (principal deputy director of national intelligence) called for a redefinition of what is privacy. And his definition excludes the concept of anonymity.

The speech is worth a read as it contains such nuggets:

And that leads you directly into the concern for privacy. Too often, privacy has been equated with anonymity; and it’s an idea that is deeply rooted in American culture. The Lone Ranger wore a mask but Tonto didn’t seem to need one even though he did the dirty work for free. You’d think he would probably need one even more. But in our interconnected and wireless world, anonymity – or the appearance of anonymity – is quickly becoming a thing of the past.

Anonymity results from a lack of identifying features. Nowadays, when so much correlated data is collected and available – and I’m just talking about profiles on MySpace, Facebook, YouTube here – the set of identifiable features has grown beyond where most of us can comprehend. We need to move beyond the construct that equates anonymity with privacy and focus more on how we can protect essential privacy in this interconnected environment. Protecting anonymity isn’t a fight that can be won. Anyone that’s typed in their name on Google understands that. Instead, privacy, I would offer, is a system of laws, rules, and customs with an infrastructure of Inspectors General, oversight committees, and privacy boards on which our intelligence community commitment is based and measured. And it is that framework that we need to grow and nourish and adjust as our cultures change.

I think people here, at least people close to my age, recognize that those two generations younger than we are have a very different idea of what is essential privacy, what they would wish to protect about their lives and affairs. And so, it’s not for us to inflict one size fits all. It’s a need to have it be adjustable to the needs of local societies as they evolve in our country. Eventually, we can only hope that people’s perceptions – in Hollywood and elsewhere – will catch up.

Our job now is to engage in a productive debate, which focuses on privacy as a component of appropriate levels of security and public safety. This is work that the Office of the DNI has started to do, and must continue and make a high priority. This careful balance we need to strike, however, is nothing new. With the advent of telephones, we entered a new frontier that required careful balancing between safety and privacy. We faced this challenge again at the end of the ’70s in the aftermath of the Church-Pike Hearings. And now, in the era of new technologies, we have to work to continue to keep that balance, to earn that trust, and re-earn it every day through our actions. But we also have to be willing to reopen the laws and regulations that were based on technologies that existed in 1978 and adjust them to the realities of 2007 and 2008.

For some reaction to the speech, see: The Associated Press: Definition Changing for People's Privacy and US intelligence honcho channels Orwell, redefines privacy - Boing Boing.

Saturday, November 10, 2007

The Shocking Truth! Comcast manual suggests it takes privacy seriously

I thought this was interesting and a sign of the times in the US ...

It is now newsworthy that a confidential manual from Comcast written to assist law enforcement in properly requesting customer information suggests they take privacy seriously! I'll repeat: they appear to take customer privacy seriously. Declan McCullagh has more: Secret manual shows Comcast (gasp!) protects customers' privacy The Iconoclast - politics, law, and technology - CNET News.com.

Salesforce.com leak leads to targeted phishing attacks

An employee of Salesforce.com has been taken in by a phishing scam and had his credentials compromised. The fraudsters have since used data from the vast ASP in an attempt to defraud a handful of users. See Schneier on Security: Targeted Phishing from Salesforce.com Leak and Salesforce.com Acknowledges Data Loss - Security Fix.

What do you want a friend of a friend of a friend to know about you?

The Office of the Privacy Commissioner of Canada has put together a snazzy flash presentation that looks at social networking sites and suggests you think about how much you want people -- including your mother and your boss -- to know about you. See: Office of the Privacy Commissioner » Blog Archive » A friend of a friend of a friend knows you’re on vacation.

Commissioner questions no-fly list in inquiry testimony

In testimony before Justice Major's Air India Inquiry, Privacy Commissioner Jennifer Stoddart questioned whether the "opaque" no fly list is effective. Justice Major's comments suggest he agrees. The Inquiry's mandate is to review, among other things, air travel security in Canada. See: Privacy watchdog questions 'opaque' federal no-fly list.

PIPEDA consultation marches onward

In case you haven't been consulted enough ...

The Government of Canada issued its response to the PIPEDA review report from the Standing Committee on Access to Information, Privacy and Ethics, agreeing in parts and disagreeing in others with the committee's recommendations. So the government is now seeking public input on the topics that were relatively well canvassed before the parliamentary committee.

If you have additional thoughts, you have until January 15 to make them known to Industry Canada.

Canada Gazette

DEPARTMENT OF INDUSTRY

IMPLEMENTATION OF THE GOVERNMENT RESPONSE TO THE FOURTH REPORT OF THE STANDING COMMITTEE ON ACCESS TO INFORMATION, PRIVACY AND ETHICS ON THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT

Deadline for submission of views: January 15, 2008

On October 17, 2007, the Government of Canada tabled in Parliament its response to the Fourth Report of the Standing Committee on Access to Information, Privacy and Ethics (ETHI) on the statutory review of the Personal Information Protection and Electronic Documents Act (PIPEDA). In support of the Minister of Industry's responsibility for PIPEDA, Industry Canada is seeking the views of Canadians on a number of issues related to the response, including proposals for legislative amendments to PIPEDA.

PIPEDA, which came into force on January 1, 2001, sets rules for the collection, use and disclosure of personal information in the course of commercial activity in Canada. In a modern, information-based economy, an effective and efficient model for the protection of personal information is vitally important to ensure that the privacy of Canadian consumers remains protected. The ETHI Report contains 25 recommendations for how PIPEDA could be fine-tuned to ensure that the Act continues to achieve this objective. The government response expresses agreement with a majority of the Committee's recommendations and reflects the view held by a number of stakeholders that PIPEDA is working well and is not in need of dramatic change at this time. However, a small number of specific amendments may be warranted, and this consultation process provides Canadians with the opportunity to present further information, advice and views regarding the implementation of key proposals for legislative change.

In particular, Industry Canada is seeking views on the implementation of a data breach notification provision in PIPEDA (ETHI recommendations 23, 24 and 25). Such a provision is an important component of a comprehensive strategy to address the growing problem of identity theft. The Government proposes that the Privacy Commissioner be notified of any major breach of personal information, and that affected individuals and organizations be notified when there is a high risk of significant harm resulting from the breach. Ultimately, a requirement for data breach notification should encourage organizations to implement more effective security measures for the protection of personal information, while enabling consumers to better protect themselves from identity theft when a breach does occur. Industry Canada is seeking input in developing the parameters of a data breach notification provision, including, but not limited to, questions of timing, manner of notification, penalties for failure to notify, the need for a "without consent" power to notify credit bureaus, and appropriate "thresholds" for when organizations should be required to notify.

Industry Canada is also seeking further views on the issue of "work product" information (ETHI recommendation 2). The question of whether information created by individuals in their employment or professional capacity should be explicitly excluded from the definition of personal information has been a matter of significant debate. Industry Canada would therefore appreciate a wider range of views on whether an amendment to PIPEDA is needed, and, if so, how this should be implemented.

Furthermore, in order to ensure that PIPEDA is consistent with the needs of Canadian law enforcement agencies, the Government intends to clarify the meaning of lawful authority in PIPEDA as recommended by the Committee (ETHI recommendation 12). Industry Canada is seeking views and specific advice on how the concept of lawful authority could be better defined.

The Committee also recommended a number of issues for further consideration and/or consultation, including witness statements (ETHI recommendation 10), consent by minors (ETHI recommendation 15), and an assessment of the extent to which elements contained in the PIPEDA Awareness Raising Tools (PARTS) document may be set out in legislative form (ETHI recommendation 17). Industry Canada welcomes submissions on these matters.

Finally, Industry Canada is considering alternatives to the current process for the designation of investigative bodies (ETHI recommendation 6) and would appreciate any further views on this issue.

Submissions on the above, or on any other issues related to the government response that you may wish to raise, can be sent by email to PIPEDAconsultation@ic.gc.ca, by fax to 613-941-1164, or by mail to Richard Simpson, Director General, Industry Canada, Electronic Commerce Branch, 300 Slater Street, Ottawa, Ontario K1A 0C8.

The Government's response to the Fourth Report of the Standing Committee on Access to Information, Privacy and Ethics is available electronically on the World Wide Web at the following address: http://ic.gc.ca/specialreports.

For printed copies, please contact Publishing and Depository Services, Public Works and Government Services Canada, Ottawa, Ontario K1A 0S5; 1-800-635-7943 (Canada and U.S. toll-free telephone), 613-941-5995 (telephone), 1-800-465-7735 (TTY), 1-800-565-7757 (Canada and U.S. toll-free fax), 613-954-5779 (fax), publications@pwgsc.gc.ca (email), www.publications.gc.ca.

Privacy laws and general cluelessness

Karen Selick, a lawyer from Belleville, has an opinion piece in a recent National Post going on a tirade against privacy laws. I can certainly see her point. But the problem is not the privacy laws themselves, but the general cluelessness of the people who cite them to avoid doing something they can and likely should do.

The examples raised by Ms. Selick are general bureaucratic nonsense, but I do agree that privacy laws are increasingly and incorrectly cited by people who should know better:

The CRA vs. Canadian men

Wednesday, November 07, 2007

It appears that the Canada Revenue Agency (CRA) has recently established a policy of ripping off divorced or separated men on the flimsiest of pretexts. Within the past month, two of my legal clients have had their spousal support deductions disallowed, despite having filed copies of the documents (court order or separation agreement) proving that they have to pay.

They've both received letters from CRA bureaucrats saying they must provide signed receipts from their estranged wives. Fat chance. The wives have no obligation to provide receipts. Many women in these circumstances would withhold receipts either as a bargaining tactic to exact some other concession, or from sheer malice.

...

I phoned the CRA and spoke to a "pre-assessment review officer." She told me that it was within an officer's discretion to accept other evidence of support having been paid, without insisting that a man approach a hostile wife for receipts, and that she herself would have accepted the copy of the wife's tax return. I suspected that her apparent reasonableness may have arisen because she was talking to an irate lawyer, so I pressed on, asking why the CRA would not, on its own initiative, simply compare the two tax returns and allow the husband's deduction so long as the wife had reported the same amount of income.

Oh no, she said, that would violate the privacy laws. If they allowed the man's deduction so easily, that would be tantamount to spilling some confidential information that the wife had provided on her return.

My mind boggled. The CRA would choose to overtax a man by thousands of dollars rather than have him infer, from the fact that his deduction was allowed, that his wife had complied with the Income Tax Act and reported the money he already knew he had given her.

Could anyone really believe that this is what the Privacy Act requires? What nonsense. Men wouldn't necessarily assume that the CRA had cross-checked their wives' returns. They'd just assume the deduction was allowed because they're legally entitled to it.

The Privacy Act and its private sector counterpart, the Personal Information Protection and Electronic Documents Act (PIPEDA), now loom up unexpectedly and absurdly in many situations, I've observed. Few people know what they really require, so they've become a bogeyman, lurking ominously in the background, waiting to trip up some insufficiently vigilant flunky. It's like being a kid again, worrying that Santa's always watching and will know if you'd been bad or good. When in doubt, don't stick your neck out by saying anything about anything, no matter how absurd and inconvenient the consequences may be to anyone else.

Here's another example: Last year, I spent nine hours at a hospital emergency ward with a relative, who ultimately died there following a stroke. Days later, I wrote a letter praising the three doctors and one nurse who had attended her for their diligence and compassion. I didn't know their names but asked the hospital to pass my letter on to them. Astonishingly, the hospital replied that doing so would violate the privacy laws, unless the deceased's executor consented. Huh? I was there. I watched them doing their jobs. They discussed things with me. I observed their competence and kindness. I wanted them to know that. How on Earth could it violate anybody's "privacy" for the hospital to pass along my letter?

Aah, PIPEDA -- I've pondered this farce before. Every divorce lawyer in the country collects and uses personal information about their clients' spouses. We couldn't do our jobs otherwise. Theoretically, PIPEDA says we're supposed to seek the opposing party's consent to collecting and using information about their incomes, their adultery, their alcoholism, their bankruptcies, etc. Never yet has another lawyer contacted a client of mine seeking consent, so I assume my colleagues are as mystified as I am over how we're supposed to comply. Legislation like this, applied in the ridiculous way in which it is so often applied, undermines respect for the law. And the law could sure stand a little respect these days.

The only thing that I'd add is that the last paragraph is likely incorrect. The case between the spouses is not a "commercial activity" so PIPEDA would not apply to that, even if it is facilitated by a lawyer. No PIPEDA, no consent required.

Saturday, November 03, 2007