Thursday, July 31, 2008

Nova Scotia begins consultation on Personal Health Information legislation

The Province of Nova Scotia has for some time been consulting with inside stakeholders on the development of health information legislation. It has just launched a consultation, seeking input from interested parties. I haven't had a chance to look at the discussion paper yet, but I understand they've been using Ontario's PHIPA as the model:

Personal Health Information Legislation for Nova Scotia Department of Health Government of Nova Scotia

For the past several years the Department of Health has been working with health sector partners on initiatives related to the protection and use of personal health information. As part of the evolution of standards, policy and law on these issues, the Department is developing a Personal Health Information Act for the province.

The Department is pleased to present the Discussion Paper Personal Health Information Legislation for Nova Scotia (PDF: 70p). Throughout the Discussion Paper, key issues related to the collection, use, disclosure, retention and destruction of personal health information are discussed, and legislative provisions for a Personal Health Information Act are proposed.

Public and stakeholder input to this legislation is critical to its success. Any feedback on the issues raised in the paper, and on any issues related to the management of personal health information in Nova Scotia can be submitted through the online questionnaire, by e-mail to phia@gov.ns.ca or by regular mail to the Personal Health Information Project, Department of Health, 1690 Hollis Street, P.O. Box 488, Halifax, Nova Scotia, B3J 2R8

The deadline for comments is November 1, 2008.

Google moves to have lawsuit thrown out, arguing complete privacy does not exist

In the "Street View" lawsuit with the Borings (see: Boring lawsuit over Google's "Street View"), Google has filed a motion to have the suit dismissed. Google argues that in the 21st century, complete privacy does not exist. The Smoking Gun has Google's motion here: Google: "Complete Privacy Does Not Exist" - July 30, 2008

Tuesday, July 29, 2008

Michigan seeks private sponsors for police surveillance cameras

Apparently the municipality of Flint, Michigan is looking for businesses to pony up $30,000 each to sponsor one of 14 surveillance cameras. See: Michigan City Wants Sponsors for Police Cameras: Top News Stories at Officer.com.

Sponsors get to have their logo affixed to the device, along with a police crest and a blue light.

If I buy a camera, do I get to have it focused on the mayor's house?

PIPEDA Finding: Residential property appraisal is the owner's personal information

It's been a while since we've seen a published PIPEDA finding that wasn't from a high-profile case.

In this case, a bank refused to provide a customer with access to the appraisal conducted by the bank of the customer's property. The bank argued it was about the property and not about him. Further, they argued it was confidential commercial information. The Assistant Commissioner did not agree:

Commissioner's Findings - PIPEDA Case Summary #: Residential Property Appraisal Documents are Owners’ Personal Information (May 7, 2008)

The Assistant Commissioner first examined the question of whether the residential property appraisal should be defined as personal information under section 2 of the Act. After considering both the bank’s views and the CBA’s, as well as this Office’s earlier deliberation on the same question in another finding, the Assistant Commissioner remained of the opinion that, since the property was in the complainant’s name, the information relating to the property, including its market value, was his personal information. He therefore had a right of access to it.

Friday, July 25, 2008

Mosley's privacy win in English courts

It's a busy week for privacy cases in the English courts. The media has widely reported on the case of Max Mosley, the Grand Prix boss, who has successfully sued the News of the World. The publication placed a hidden camera in a private residence and filmed Mosley in an intimate encounter. The paper suggested that he participated in a sadomasochistic orgy that attempted to recreate a Nazi death camp atmosphere.

In seeking to protect his privacy, the whole event has been thrown into the public arena. And consistent with other privacy cases, the quantum of damages is surprisingly low given the impact that this has had on Mosley.

The decision can be found here.

From the New York Times:

British Judge Rules Tabloid Report Tying Grand Prix Boss to ‘Orgy’ Violated Privacy - NYTimes.com

LONDON — In a ruling with potentially wide implications for press freedom in Britain, a judge ruled Thursday that a tabloid newspaper breached the privacy of Max Mosley, the overseer of grand prix motor racing, when it published an article in March claiming that he had participated in a sadomasochistic “orgy” with a Nazi theme.

The judge, Sir David Eady, awarded Mr. Mosley, 68, damages equivalent to about $120,000 and legal costs estimated to be at least $850,000 in his lawsuit against The News of the World.

The ruling upheld the central arguments by Mr. Mosley and his lawyers: that there had been no Nazi theme to the five-hour sex session in an apartment in the Chelsea district of London that was secretly filmed by the newspaper, and no issue of public interest in its decision to splash the article on its front page and post video on its Web site.

“I found that there was no evidence that the gathering of March 28, 2008, was intended to be an enactment of Nazi behavior or adoption of any of its attitudes,” the judge wrote.

He added that Mr. Mosley had a “reasonable expectation” of privacy for sexual activities that took place on private premises and that did not involve violations of the criminal law.

“There was no public interest or other justification for the clandestine recording, for the publication of the resulting information and still photographs, or for the placing of the video extracts on The News of the World Web site — all of this on a massive scale,” the judge said.

But he denied Mr. Mosley the “punitive damages” he had sought, which could have amounted to millions of dollars. The damage done to Mr. Mosley’s reputation by “the embarrassing personal information” disclosed by the newspaper “cannot be mitigated by simply adding a few noughts to the number first thought of,” the judge said.

Outside the court, Mr. Mosley said he was delighted with the ruling, which he described as “devastating” to The News of the World.

“It demonstrates that their Nazi lie was completely invented and had no justification,” he said. “It also shows that they had no right to go into private premises and take pictures and film of adults engaged in activities which are no one’s business but those of the people concerned.”

The ruling was one of several by Justice Eady and other judges in recent years in privacy cases against British newspapers under a provision of the European Convention on Human Rights. Some legal experts say the rulings have shifted the balance in Britain in favor of celebrity plaintiffs and against newspapers and other media organizations in invasion-of-privacy cases.

Justice Eady, in his finding, said his ruling should not be considered “a landmark case,” but rather “the application to rather unusual facts” in the Mosley case of privacy principles that had been developing in British court judgments in recent years. Still, the ruling caused a stir among lawyers fighting for press freedoms, some of whom said it was a bellwether for a new, more restrictive era of news media coverage of people in the public domain.

Other lawyers cautioned against alarmism, saying British courts would continue to weigh two competing provisions in the European rights convention — Article 8, establishing a right of privacy, and Article 10, protecting press freedoms — and that it was too early to know where the lasting balance would be struck.

“One lesson it teaches is that public figures can have a private life,” said Desmond Browne, a barrister who has represented some of the plaintiffs in headline-making privacy cases.

Editors of some of Britain’s more serious newspapers also were wary about drawing instant conclusions about where press law in Britain was headed.

Roger Alton, editor of The Independent, a newspaper known for the rigor of its investigative journalism, said he was not too troubled by the ruling.

“It’ll affect kiss-and-tell stories,” Mr. Alton told the British Broadcasting Corporation. “But it’s not a landmark. It’s not going to set things up in a completely different way.”

But Colin Myler, editor of The News of the World, said the judgment was based on precedents established by “judges in Strasbourg,” seat of the European Court of Human Rights, and that the issues involved had never been addressed by Britain’s Parliament. “As a result, our media are being strangled by stealth,” he said.

For Mr. Mosley, success in the case represented at least a partial vindication of what amounted to a gamble. Rather than resigning in shame, as have many well-known figures caught in sex scandals, Mr. Mosley chose another route. He admitted to a passion for sadomasochism, which he told the court had continued for 45 years, and discussed, from the witness box, details of what had occurred in the Chelsea apartment.

But the aspect of the article that he, and many of his detractors in the world of motor racing and beyond, considered the most damaging was the claim that the session involved a conscious effort to recreate the atmosphere of a Nazi death camp.

The potential damage to Mr. Mosley was linked, inevitably, to the fact that he is the son of Sir Oswald Mosley, leader of Britain’s National Union of Fascists in the 1930s, whose secret marriage to Mr. Mosley’s mother, Diana, took place at the home of the Nazi propaganda chief Joseph Goebbels in 1936, with Hitler as guest of honor.

In court, lawyers for The News of the World said they based their claim of a Nazi theme, in part, on the use of commands in guttural German or German-accented English by Mr. Mosley and the women involved. But Mr. Mosley and four of the five women involved maintained that what they intended in their role-playing was to recreate a generic prison scene, not a Nazi death camp.

Thursday, July 24, 2008

English case looks under the hood of Facebook in privacy case

A colleague just brought to my attention a case handed down yesterday by the High Court of Justice (Queen's Bench Division) of England & Wales: Applause Store Productions Ltd. & Anor v Raphael [2008] EWHC 1781 (QB) (24 July 2008).

The case relates to the misuse of private information and defamation. The defendant in this case had set up a false Facebook profile in the name of the plaintiff and established a Facebook group that was, shall we say, not flattering of the plaintiff. The court found in favour of the defendant on both claims.

What's additionally interesting is the detail with which the Court reviews the logging data generated by Facebook and provided to the Court. The case is an interesting read for privacy issues, but also is a good chance to look under the hood of Facebook, forensically speaking.

Canadian IT Law Association annual conference

The Canadian IT Law Association's annual conference is in Halifax this year. In addition to famous Maritime hospitality, attendees can expect to learn the latest in IT, IP and privacy law. The brochure is online here.

It should be great, and I'm not just saying that because I'm the conference co-chair. I've gone to the last six conferences and it is consistently the best of its class.

Wednesday, July 23, 2008

Airport kiosks suspected in fraud probe

This morning's Globe & Mail ran a story about an apparent connection between a rash of credit card fraud and the check-in kiosks at Toronto's Pearson International Airport. The Airport Authority has said they've checked them out and think all is well:

WestJet suspends credit-card kiosk check-ins amid fraud probe

...Earlier Wednesday, a spokesman for the Greater Toronto Airport Authority said a recent audit demonstrated the kiosks, used to check in and pick up boarding passes, were safe and secure.

"We checked our systems and everything checks out, so we're happy with that," said Scott Armstrong.

Meanwhile, airlines have disabled the ability to use a credit card to check in.

From today's Globe:

globeandmail.com: Credit-card fraud probe targets Pearson's self-service kiosks

An investigation of suspected credit-card fraud at Toronto's Pearson airport is now concentrating on the security of its 150 self-service check-in kiosks.

In recent months, financial institutions that issue credit cards spotted isolated fraud patterns that appeared to stem from use of the cards in conjunction with getting boarding passes at the Pearson kiosks, according to sources.

While the investigation is in the early stages, it is currently focused on the kiosks, where passengers use passports, frequent-flier cards, reservation numbers, names, and/or credit card data to identify themselves for flights on any one of 13 airlines. It is not known whether any information has actually been stolen or otherwise gone astray.

Some members of the financial industry are very concerned because Pearson is Canada's busiest airport, with 31.5 million passengers travelling through it last year.

One person familiar with the investigation said the fact that personal data at airports might not be secure “should send shudders through every airport traveller.” ...

ALA calls for a privacy revolution

At the end of June, I blogged about a new initiative by the American Library Association calling for a "privacy revolution" (Canadian Privacy Law Blog: "If you need privacy, you should get your own computer."). The initiative now has its own website and an interesting concept paper. Check them out.

The site also has video of speakers on the topic from the ALA's most recent annual meeting.

Monday, July 21, 2008

A promise like that would require lawyers, money, and probably guns

This is brilliant:

FAQs about Mailinator

What is Mailinator's official privacy policy?

The official policy is something like: At Mailinator, THERE IS NONE. Expect that any email you send or have sent here can be viewed by anyone. Mailinator/ManyBrain does NOT ask, require or even want any of your personal information. This service is not much different than the existing Usenet; anything you put out there is world-viewable. Keep that in mind.

So if the government issued a subpoena to Mailinator to divulge emails or logs, you'd rat me out?

Holy crap, yes. I'm not going to jail for you, I have a boyish face and very (very) supple skin.

That said, Mailinator keeps very little for any length of time. Mailinator can be a useful privacy tool.

Privacy is a serious issue, and we want to be clear. We think Mailinator can provide pretty decent privacy, and we want to keep providing that and even improve it, but we can't promise it. A promise like that would require lawyers, money, and probably guns - and since we provide Mailinator for free, we don't have any of those.

This was forwarded to me by a friend, who I expect has better things to do than ferret out that most elusive creature: the funny privacy statement.

Update: I should have guessed it .... PGuy is too busy doing deals in NYC to be reading FAQs. He got it from Rick Segal: The Best FAQ in the World.

Sunday, July 20, 2008

Privacy dilemma illustrated in Vermont library

The local Halifax paper is running an AP story about the tough choices that custodians of personal information are sometimes called upon to make. After a young girl went missing, the police showed up at the public library demanding to take the public access computers that the girl had apparently used to communicate on MySpace. The librarian stood her ground and demanded that the police get a warrant. They did. Here's the full story:

Nova Scotia News - TheChronicleHerald.ca

Police raid on library offers privacy dilemma

By JOHN CURRAN The Associated Press

Sun. Jul 20 - 5:19 AM

RANDOLPH, Vt. — Children’s librarian Judith Flint was getting ready for the monthly book discussion group for eight and nine-year-olds on Love That Dog when police showed up.

They weren’t kidding around: Five state police detectives wanted to seize Kimball Public Library’s public access computers as they frantically searched for a 12-year-old girl, acting on a tip that she sometimes used the terminals.

Flint demanded a search warrant, touching off a confrontation that pitted the privacy rights of library patrons against the rights of police on official business.

"It’s one of the most difficult situations a library can face," said Deborah Caldwell-Stone, deputy director of intellectual freedom issues for the American Library Association.

Investigators obtained a warrant about eight hours later, but the June 26 standoff in the 105-year-old, red brick library on Main Street frustrated police and had fellow librarians cheering Flint.

"What I observed when I came in were a bunch of very tall men encircling a very small woman," said the library’s director, Amy Grasmick, who held fast to the need for a warrant after coming to the rescue of the 4-foot-10 Flint.

Library records and patron privacy have been hot topics since the passage of the U.S. Patriot Act after the Sept. 11, 2001, terror attacks.

Library advocates have accused the government of using the anti-terrorism law to find out, without proper judicial oversight or after-the-fact reviews, what people research in libraries.

But the investigation of Brooke Bennett’s disappearance wasn’t a Patriot Act case.

"We had to balance out the fact that we had information that we thought was true that Brooke Bennett used those computers to communicate on her MySpace account," said Col. James Baker, director of the Vermont State Police.

"We had to balance that out with protecting the civil liberties of everybody else, and this was not an easy decision to make."

Brooke, from Braintree, vanished the day before the June 26 confrontation in the children’s section of the tiny library.

Investigators went to the library chasing a lead that she had used the computers there to arrange a rendezvous.

Brooke was found dead July 2.

An uncle, convicted sex offender Michael Jacques, has since been charged with kidnapping her.

Authorities say Jacques had gotten into her MySpace account and altered postings to make investigators believe she had run off with someone she met online.

Flint was firm in her confrontation with the police.

"The lead detective said to me that they need to take the public computers and I said ‘OK, show me your warrant and that will be that,’ " said Flint, 56. "He did say he didn’t need any paper.

"I said ‘You do.’ He said ‘I’m just trying to save a 12-year-old girl,’ and I told him ‘Show me the paper.’"

Cybersecurity expert Fred H. Cate, a law professor at Indiana University, said the librarians acted appropriately.

"If you’ve told all your patrons ‘We won’t hand over your records unless we’re ordered to by a court,’ and then you turn them over voluntarily, you’re liable for anything that goes wrong," he said.

Federal Commissioner funds research into surveillance in Canada

As part of its contributions program (Contributions Program 2008-2009 - Backgrounder - Privacy Commissioner of Canada), the Office of the Privacy Commissioner of Canada is funding a project to look into surveillance in Canada:

Organization: Queen’s University —The Surveillance Project, Department of Sociology

Location: Ontario

Funding amount: $50,000

Project title: Camera Surveillance in Canada: Current Trends

Project description: There is a surprising lack of Canadian research to date on the development of camera surveillance, and the proliferation of surveillance cameras in Canada is occurring without enough oversight or public debate. This project will outline Canadian trends in camera surveillance in public and private spaces by analyzing documentary sources and through interviews with key stakeholders. As part of the project, a final research report will be presented at the International Conference of Data Protection Commissioners in Strasbourg, France (Sept. 2008).

Something like this is sorely needed as police forces and others push for more surveillance of public places, while research in other countries suggests that it just moves crime from one area to another.

Good catch, David Canton, via the Commissioner's blog.

Thursday, July 17, 2008

Supreme Court rules on Privacy Commissioner's power to review privileged documents

The Supreme Court of Canada has just handed down its decision in Canada (Privacy Commissioner) v. Blood Tribe Department of Health, which was a question of whether the Privacy Commissioner could review documents to determine whether claims of privilege have been properly applied. The unanimous Court, on appeal from the Federal Court of Appeal, determined that she cannot.

From the headnote:

Privacy — Investigations of complaints — Powers of Privacy Commissioner — Production of documents — Solicitor‑client privilege — Dismissed employee filing complaint with Commissioner and seeking access to her personal employment information — Employer claiming solicitor‑client privilege over some documents — Whether Commissioner can compel production of privileged documents — Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, s. 12.

Following her dismissal, an employee asked to have access to her personal employment information because she suspected that the employer had improperly collected inaccurate information and used it to discredit her before its board. The employer denied the request, and the employee filed a complaint with the Privacy Commissioner seeking access to her personal file. The Commissioner requested the records from the employer in broad terms. All records were provided except for those over which the employer claimed solicitor‑client privilege. The Commissioner then ordered production of the privileged documents pursuant to s. 12 of the Personal Information Protection and Electronic Documents Act (“PIPEDA”), which confers the powers to compel the production of any records “in the same manner and to the same extent as a superior court of record” and to “receive and accept any evidence and other information . . . whether or not it is or would be admissible in a court of law”. The employer applied for judicial review of the Commissioner’s decision. The reviewing judge determined the Commissioner was empowered to compel production of documents over which solicitor‑client privilege was claimed in order to effectively complete her statutory investigative role. The Federal Court of Appeal set aside the decision of the reviewing judge and vacated the Commissioner’s order for production of records.

Held: The appeal should be dismissed.

Solicitor‑client privilege is fundamental to the proper functioning of our legal system. The complex of rules and procedures is such that, realistically speaking, it cannot be navigated without a lawyer’s expert advice. However, experience shows that people who have a legal problem will often not make a clean breast of the facts to a lawyer without an assurance of confidentiality “as close to absolute as possible”. Without that assurance, access to justice and the quality of justice in this country would be severely compromised. It is in the public interest that the free flow of legal advice be encouraged. [9]

When the appropriate principles of statutory interpretation are applied to the general language of PIPEDA, the right of the individual or organization that is the target of the complaint to keep solicitor‑client confidences confidential must prevail. The Commissioner is an officer of Parliament vested with administrative functions of great importance, but she does not, for the purpose of reviewing solicitor‑client confidences, occupy the same position of independence and authority as a court. It is well established that general words of a statutory grant of authority to an office holder, including words as broad as those contained in s. 12 of PIPEDA, do not confer a right to access solicitor‑client documents, even for the limited purpose of determining whether the privilege is properly claimed. That role is reserved to the courts. Express words are necessary to permit a statutory official to “pierce” the privilege. Such clear and explicit language does not appear in PIPEDA. [1-2]

An adjudication of a claim of privilege by the Commissioner, who is an administrative investigator not an adjudicator, would be an infringement of the privilege. Client confidence is the underlying basis for the solicitor‑client privilege, and infringement must be assessed through the eyes of the client. To a client, compelled disclosure to an administrative officer, even if not disclosed further, would constitute an infringement of the confidentiality. The objection is all the more serious where, as here, there is a possibility of the privileged information being made public or used against the person entitled to the privilege. Furthermore, in pursuit of its mandate, the administrative officer may become adverse in interest to the party whose documents it wants to access. Not only may it take the resisting party to court but it may decide to share compelled information with prosecutorial authorities without court order or the consent of the party from whom the information was compelled. [20‑21] [23]

Here, the only reason the Commissioner gave for compelling the production and inspection of the documents in this case is that the employer indicated that such documents existed. She does not claim any necessity arising from the circumstances of this particular inquiry. The Commissioner is therefore demanding routine access to such documents in any case she investigates where solicitor‑client privilege is invoked. In the Commissioner’s view, piercing the privilege would become the norm rather than the exception in the course of her everyday work. Even courts will decline to review solicitor‑client documents to adjudicate the existence of privilege unless evidence or argument establishes the necessity of doing so to fairly decide the issue. [17]

The Commissioner has not made out a case that routine access to solicitor client confidences is necessary to achieve the ends sought by PIPEDA. There are other less intrusive remedies. Firstly, she may, at any point in her investigation, refer a question of solicitor‑client privilege to the Federal Court under s. 18.3(1) of the Federal Courts Act. Secondly, within the framework of PIPEDA itself, the Commissioner has the right to report an impasse over privilege in her s. 13 report and, with the agreement of the complainant, bring an application to the Federal Court for relief under s. 15. The court is empowered, if it thinks it necessary, to review the contested material and determine whether the solicitor‑client privilege has been properly claimed. This procedure permits verification while preserving the privilege as much as possible. [31] [33‑34]

Some past coverage of this case on this blog: Canadian Privacy Law Blog: Decision: Blood Tribe (Dept. of Health) v. Canada (Privacy Commissioner), Canadian Privacy Law Blog: Commissioner cannot compel privileged documents: FCA.

Wednesday, July 16, 2008

Google and Viacom agree to protect user privacy

When the order was made that Google provide Viacom with its raw user logs (a move which significantly compromised user privacy), I wrote that the court could have ordered that the information be anonymised. (Canadian Privacy Law Blog: Commentary on the YouTube / Viacom order)

I don't think I can take any credit for this next move, but I'm sure the loud outcry has had an influence: Google and Viacom have agreed to anonymise the data using a one-way function so that the actual IP addresses cannot be reverse-engineered and Viacom has agreed to not even try. The stipulation filed with the court is here. Extract:

IT IS HEREBY STIPULATED AND AGREED, by and between the undersigned counsel of record:

1. Substituted Values: When producing data from the Logging Database pursuant to the Order, Defendants shall substitute values while preserving uniqueness for entries in the following fields: User ID, IP Address and Visitor ID. The parties shall agree as promptly as feasible on a specific protocol to govern this substitution whereby each unique value contained in these fields shall be assigned a correlative unique substituted value, and preexisting interdependencies shall be retained in the version of the data produced. Defendants shall promptly (no later than 7 business days after execution of this Stipulation) provide a proposed protocol for this substitution. Defendants agree to reasonably consult with Plaintiffs’ consultant if necessary to reach agreement on the protocol.

2. Non-Circumvention: The parties agree that they shall not engage in any efforts to circumvent the encryption utilized pursuant to Paragraph 1 this Stipulation. This Paragraph does not limit in any way any party’s rights under Paragraph 8 below.

For background, see all posts tagged: Viacom v Google. Also, the Ontario Privacy Commissioner applauds this move: CNW Group | OFFICE OF THE INFORMATION AND PRIVACY COMMISSIONER/ONTARIO | Commissioner Cavoukian Applauds Agreement Protecting YouTube Users' Privacy
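
The stipulation leaves the substitution protocol to be agreed between the parties, so the following is an added illustration and not the protocol Google or Viacom used. It assumes HMAC-SHA-256 under a secret key held only by the producing party as the one-way function; the field names and sample rows are constructed. It shows the two properties Paragraph 1 asks for (each unique value gets one unique substitute, and rows that shared a value still share one) and why the key matters: an unkeyed hash of an IP address can be matched by enumerating candidate addresses.

```python
import hashlib
import hmac
import ipaddress
import secrets

# The three fields the stipulation lists for substitution (key names are assumed).
SUBSTITUTED_FIELDS = ("user_id", "ip_address", "visitor_id")

# Constructed sample rows; the addresses come from documentation-only ranges.
SAMPLE_ROWS = [
    {"user_id": "alice01", "ip_address": "192.0.2.17", "visitor_id": "v-9001", "video_id": "abc123"},
    {"user_id": "alice01", "ip_address": "192.0.2.17", "visitor_id": "v-9001", "video_id": "def456"},
    {"user_id": "", "ip_address": "2001:DB8::1", "visitor_id": "v-9002", "video_id": "abc123"},
    {"user_id": "bob", "ip_address": "2001:db8:0:0:0:0:0:1", "visitor_id": "v-9003", "video_id": "ghi789"},
]


def canonical(field, value):
    """Normalise a value so two spellings of one identity map to one token."""
    value = value.strip()
    if field == "ip_address":
        # "2001:DB8::1" and "2001:db8:0:0:0:0:0:1" are the same address.
        return str(ipaddress.ip_address(value))
    return value


def substitute(key, field, value):
    """Keyed one-way substitute: deterministic under one key, useless without it."""
    # The field name is mixed in so a value in one column cannot be
    # correlated with the same string in another column (a design assumption).
    msg = field.encode() + b"\x00" + canonical(field, value).encode()
    # 128 bits of output keeps accidental collisions negligible at log scale.
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymize(rows, key):
    """Return copies of the rows with the three identifying fields substituted."""
    out = []
    for row in rows:
        new = dict(row)
        for field in SUBSTITUTED_FIELDS:
            if new.get(field):  # leave empty or absent values untouched
                new[field] = substitute(key, field, new[field])
        out.append(new)
    return out


def unkeyed_digest(value):
    """Plain SHA-256 of the address: the weak alternative, shown for contrast."""
    return hashlib.sha256(value.encode()).hexdigest()[:32]


def recover_by_enumeration(token, network, digest_fn):
    """Audit check: does hashing every address in `network` reproduce `token`?"""
    for addr in ipaddress.ip_network(network):
        if digest_fn(str(addr)) == token:
            return str(addr)
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # held by the producing party only
    for row in pseudonymize(SAMPLE_ROWS, key):
        print(row)
    weak = unkeyed_digest("192.0.2.17")
    strong = substitute(key, "ip_address", "192.0.2.17")
    print("unkeyed digest matched:", recover_by_enumeration(weak, "192.0.2.0/24", unkeyed_digest))
    print("keyed token matched:  ", recover_by_enumeration(strong, "192.0.2.0/24", unkeyed_digest))
```

The IPv4 address space is small enough that the same enumeration works against the whole Internet for an unkeyed hash, which is why the key has to stay with the producing party and be destroyed once production is complete.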

Tuesday, July 15, 2008

Ask the privacy lawyer: Data in transit outside of Canada

I received the following question the other day:

In terms of personal data that was captured by a healthcare company while a patient in Canada, and relayed to another city in Canada for analysis, further use, etc., does that patient data have to remain in Canada? Or is it allowed to traverse the US border at any time during its journey across the continent? My concern is that communication networks don't seem to be restricted to intra-Canada operation or due to congestion or failure, most have to use large data highways that may cross over into the United States.

Under PIPEDA, is patient or personal data limited to just traverse within Canada?

In Canada, there are no restrictions on the export of personal information except for personal information that is subject to the Freedom of Information and Protection of Privacy Acts of Alberta, British Columbia and Nova Scotia, and the equivalent in Quebec. Each of those provinces has enacted laws in response to the USA Patriot Act. The Patriot Act gives American law enforcement much easier access to information, including personal information. The laws in these provinces don't deal with information in transit, but rather with the storage of and access to that information. For example, from Nova Scotia's PIIDPA:

5 (1) A public body shall ensure that personal information in its custody or under its control and a service provider or associate of a service provider shall ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada, unless...

While there is no caselaw on this issue, I doubt that any of the privacy regulators of those provinces or the courts would find a contravention of this law if data packets containing personal information were routed through the United States on their way between two points in Canada. The information may be intercepted while in transit, but users have little control over how this data travels. For example, a traceroute function from my home computer to ubc.ca shows that most of the data travels through the US:

    Tracing route to ubc.ca [64.40.111.228] over a maximum of 30 hops:

      1     2 ms     1 ms     1 ms  [REDACTED]
      2    20 ms     9 ms     9 ms  [REDACTED]
      3    17 ms    12 ms    10 ms  [REDACTED]
      4    11 ms     8 ms     8 ms  hlfx-br1.eastlink.ca [24.222.79.205]
      5    18 ms    28 ms    18 ms  te-3-1.car2.Boston1.Level3.net [4.79.2.89]
      6    22 ms    19 ms    18 ms  ae-2-5.bar2.Boston1.Level3.net [4.69.132.250]
      7    19 ms    19 ms    22 ms  ae-0-11.bar1.Boston1.Level3.net [4.69.140.89]
      8    46 ms    54 ms    49 ms  ae-5-5.ebr1.Chicago1.Level3.net [4.69.140.94]
      9    44 ms    52 ms    39 ms  ae-68.ebr3.Chicago1.Level3.net [4.69.134.58]
     10    73 ms    72 ms    70 ms  ae-3.ebr2.Denver1.Level3.net [4.69.132.61]
     11    99 ms    90 ms    90 ms  ae-2.ebr2.Seattle1.Level3.net [4.69.132.53]
     12    90 ms    89 ms    89 ms  ae-22-52.car2.Seattle1.Level3.net [4.68.105.35]
     13    90 ms    89 ms    88 ms  unknown.Level3.net [64.154.178.134]
     14    93 ms    91 ms   102 ms  p2-1.pr0.yvrx.hgtn.net [66.113.197.5]
     15    93 ms    93 ms    91 ms  r1-hgtn.netnation.com [64.40.127.254]
     16   102 ms    95 ms    93 ms  itservices.ubc.ca [64.40.111.228]

    Trace complete.

This leads to the question of whether your information is safe from interception during transit through the US. It's really not safe from interception at any point on the internet. At each point above, the signals can be intercepted. There was recent speculation that a collaboration between AT&T and the National Security Agency allowed national security organs of the US to vacuum international internet and telco traffic from at least one AT&T facility. (See: EFF's class action against AT&T.) Do they have the tools to single out particular traffic? Probably.

So what to do? If sensitive information is being transferred between two points on the internet, it should be encrypted and sent through a secure "tunnel".
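The traceroute quoted earlier in this post can be read mechanically. This added example (not the post's own code) parses that tracert output and groups the hops by the region their router names suggest. The city-token list and the reading of a .ca name as Canadian are assumptions, and reverse DNS alone does not prove where a router sits.

```python
import ipaddress
import re
from typing import NamedTuple, Optional, Tuple

# tracert output as quoted in the post (hops 1-3 were redacted there).
TRACE = """\
Tracing route to ubc.ca [64.40.111.228] over a maximum of 30 hops:
1 2 ms 1 ms 1 ms [REDACTED]
2 20 ms 9 ms 9 ms [REDACTED]
3 17 ms 12 ms 10 ms [REDACTED]
4 11 ms 8 ms 8 ms hlfx-br1.eastlink.ca [24.222.79.205]
5 18 ms 28 ms 18 ms te-3-1.car2.Boston1.Level3.net [4.79.2.89]
6 22 ms 19 ms 18 ms ae-2-5.bar2.Boston1.Level3.net [4.69.132.250]
7 19 ms 19 ms 22 ms ae-0-11.bar1.Boston1.Level3.net [4.69.140.89]
8 46 ms 54 ms 49 ms ae-5-5.ebr1.Chicago1.Level3.net [4.69.140.94]
9 44 ms 52 ms 39 ms ae-68.ebr3.Chicago1.Level3.net [4.69.134.58]
10 73 ms 72 ms 70 ms ae-3.ebr2.Denver1.Level3.net [4.69.132.61]
11 99 ms 90 ms 90 ms ae-2.ebr2.Seattle1.Level3.net [4.69.132.53]
12 90 ms 89 ms 89 ms ae-22-52.car2.Seattle1.Level3.net [4.68.105.35]
13 90 ms 89 ms 88 ms unknown.Level3.net [64.154.178.134]
14 93 ms 91 ms 102 ms p2-1.pr0.yvrx.hgtn.net [66.113.197.5]
15 93 ms 93 ms 91 ms r1-hgtn.netnation.com [64.40.127.254]
16 102 ms 95 ms 93 ms itservices.ubc.ca [64.40.111.228]
Trace complete.
"""

# Hop number, three probe results ("12 ms", "<1 ms" or "*"), then the rest.
HOP_RE = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+\s*ms|\*)\s+){3})(.*\S)\s*$")
NAMED_RE = re.compile(r"^(\S+)\s+\[([0-9A-Fa-f:.]+)\]$")
# Assumption: router names that embed one of these city tokens are in the US.
US_CITY_TOKENS = {"boston", "chicago", "denver", "seattle"}

class Hop(NamedTuple):
    number: int
    rtts_ms: Tuple[Optional[int], ...]  # None marks a probe that timed out
    host: Optional[str]
    ip: Optional[str]
    region: str

def classify(host):
    """Guess a region from reverse DNS alone; 'unknown' when it says nothing."""
    if not host:
        return "unknown"
    labels = host.lower().split(".")
    if any(label.rstrip("0123456789") in US_CITY_TOKENS for label in labels):
        return "US"
    if labels[-1] == "ca":  # a .ca name suggests, but does not prove, Canada
        return "CA"
    return "unknown"

def parse_trace(text):
    """Turn tracert output into Hop records, skipping non-hop lines."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header, blank line or "Trace complete."
        rtts = tuple(int(v) if v else None
                     for v in re.findall(r"<?(\d+)\s*ms|\*", m.group(2)))
        rest, host, ip = m.group(3), None, None
        named = NAMED_RE.match(rest)
        if named:
            host, ip = named.groups()
        else:
            try:
                ip = str(ipaddress.ip_address(rest))  # hop shown as bare IP
            except ValueError:
                pass  # "[REDACTED]" or "Request timed out."
        hops.append(Hop(int(m.group(1)), rtts, host, ip, classify(host)))
    return hops

def hops_by_region(hops):
    """Map each region label to the hop numbers classified under it."""
    out = {"CA": [], "US": [], "unknown": []}
    for hop in hops:
        out[hop.region].append(hop.number)
    return out

if __name__ == "__main__":
    print(hops_by_region(parse_trace(TRACE)))
```

Hops that land in "unknown" are the ones that need a second source, such as the operator's own documentation, before drawing any conclusion about the path.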

Update: Added reference to Quebec statute. Thanks, commenter.

Friday, July 11, 2008

Privacy protections disappear with a judge's order

More commentary on the Viacom v. Google/YouTube case, this time from MIT's Technology Review:

Technology Review: Privacy protections disappear with a judge's order

Privacy protections disappear with a judge's order

By Associated Press

NEW YORK (AP) -- Credit card companies know what you've bought. Phone companies know whom you've called. Electronic toll services know where you've gone. Internet search companies know what you've sought.

It might be reassuring, then, that companies have largely pledged to safeguard these repositories of data about you.

But a recent federal court ruling ordering the disclosure of YouTube viewership records underscores the reality that even the most benevolent company can only do so much to guard your digital life: All their protections can vanish with one stroke of a judge's pen.

"Companies have a tremendous amount of very sensitive data on their customers, and while a company itself may treat that responsibly ... if the court orders it be turned over, there's not a lot that the company that holds the data can do," said Jennifer Urban, a law professor at the University of Southern California.

In the past, court orders and subpoenas have generally been targeted at records on specific individuals. With YouTube, it's far more sweeping, covering all users regardless of whether they have anything to do with the copyright infringement that Viacom Inc., in a $1 billion lawsuit, accuses Google Inc.'s popular video-sharing site of enabling.

It's a scenario privacy activists have long warned about.

"What we're seeing is (that) the theoretical is becoming real world," said Lauren Weinstein, a veteran computer scientist. "The more data you've got, the more data that's going to be there as an attractive kind of treasure chest (for) outside parties."

U.S. District Judge Louis L. Stanton dismissed privacy arguments as speculative.

Last week, Stanton authorized full access to the YouTube logs -- which few users even realize exist -- after Viacom and other copyright holders argued that they needed the data to prove that their copyright-protected videos for such programs as Comedy Central's "The Daily Show with Jon Stewart" are more heavily watched than amateur clips.

"This decision makes it absolutely clear that everywhere we go online, we leave tracks, and every piece of information we access online leaves some sort of record," Urban said. "As consumers, we should all be aware of the fact that this sensitive information is being collected about us."

Mark Rasch, a former Justice Department official who is now with FTI Consulting Inc., said the ruling could open the floodgates for additional disclosures.

Though lawyers have known to seek such data for years, Rasch said, judges initially hesitant about authorizing their release may look to Stanton's ruling for affirmation, even though U.S. District Court rulings do not officially set precedence.

The YouTube database includes information on when each video gets played. Attached to each entry is each viewer's unique login ID and the Internet Protocol, or IP, address for that viewer's computer -- identifiers that, while seemingly anonymous, can often be traced to specific individuals, or at least their employers or hometowns.

Elsewhere, search engines such as Google and Yahoo Inc. keep more than a year of records on your search requests, from which one can learn of your diseases, fetishes and innermost thoughts. E-mail services are another source of personal records, as are electronic health repositories and Web-based word processing, spreadsheets and calendars.

One can reassemble your whereabouts based on where you've used credit cards, made cell phone calls or paid tolls or subway fares electronically. One can track your spending habits through loyalty cards that many retail chains offer in exchange for discounts.

Though companies do have legitimate reasons for keeping data -- they can help improve services or protect parties in billing disputes, for instance -- there's disagreement on how long a company truly needs the information.

The shorter the retention, the less tempting it is for lawyers to turn to the keepers of data in lawsuits, privacy activists say.

With some exceptions in banking, health care and other regulated industries, requests are routinely granted.

Service providers regularly comply with subpoenas seeking the identities of users who write negatively about specific companies, at most warning them first so they can challenge the disclosure themselves. The music and movie industries also have been aggressive about tracking individual users suspected of illegally downloading their works.

Law enforcement authorities also turn to the records to help solve crimes.

The U.S. Justice Department had previously subpoenaed the major search engines for lists of search requests made by their users as part of a case involving online pornography. Yahoo, Microsoft Corp.'s MSN and Time Warner Inc.'s AOL all complied with parts of the legal demand, but Google fought it and ultimately got the requirement narrowed.

In the YouTube case, Viacom largely got the data it wanted.

Google has said it would work with Viacom on trying to ensure anonymity, and Viacom has pledged not to use the data to identify individual users to sue. The YouTube logs will also likely be subject to a confidentiality order.

But privacy advocates warn that there's no guarantee that future litigants will be as restrained or that data released to lawyers won't inadvertently become public -- through their inclusion as an attachment in a court filing, for instance.

And retailers, government agencies and others are regularly announcing that personal information, stored without adequate safeguards, is being stolen by hackers or lost with laptops or portable storage drives.

"You just never know," said Steve Jones, an Internet expert at the University of Illinois at Chicago. "There are some circumstances under which what seems to be private information is going to be shared with a third party, and the court says it's OK to do that."

Copyright Technology Review 2008.

Thursday, July 10, 2008

Judge Protects YouTube's Source Code, Throws Users To The Wolves

It is not often that a columnist for a major national newspaper calls a federal court judge a moron, but that's just what Michael Arrington on the Washington Post website calls Judge Stanton, referring to Viacom v. Google/YouTube. See: Judge Protects YouTube's Source Code, Throws Users To The Wolves - washingtonpost.com.

Ontario Commissioner calls on Google to appeal Viacom / Youtube ruling

Hot off the presses: The Information and Privacy Commissioner of Ontario has written to Google calling for Google to appeal the recent Viacom v. Google disclosure order:

CNW Group OFFICE OF THE INFORMATION AND PRIVACY COMMISSIONER/ONTARIO Privacy Commissioner Ann Cavoukian urges Google to appeal YouTube ruling

Privacy Commissioner Ann Cavoukian urges Google to appeal YouTube ruling

TORONTO, July 10 /CNW/ - Ontario Information and Privacy Commissioner Ann Cavoukian is urging Google to appeal the recent ruling of U.S. District Court Judge Louis Stanton, requiring the disclosure of YouTube users' information to Viacom. YouTube, a popular website, is owned by Google.

In a letter to Sergey Brin, Google's President of Technology, the Commissioner emphasized her deep concerns about the privacy implications of the ruling, which she was asked to outline earlier this week on Canada AM.

Commissioner Cavoukian said "I was astounded to learn that Google had been ordered to disclose certain YouTube information, which includes users' login IDs and IP addresses, for use in Viacom's copyright infringement lawsuit against YouTube." The Commissioner felt that Judge Stanton had "failed to consider that user login IDs and video viewing habits can reveal a great deal of sensitive personal information."

In response to suggestions that the data be "anonymized" before its release to Viacom's legal counsel, the Commissioner noted that it is possible to re-identify individuals by linking their data with publicly available personal information, such as that found in telephone directories. "Simply stripping certain data fields from a database is not sufficient to safeguard the privacy of individuals" warned the Commissioner.

Despite the Judge's associated protection order which attempts to limit the authorized uses of YouTube users' information by Viacom, this does not eliminate the Commissioner's concerns. Companies simply cannot guarantee that information, once obtained, will not be subject to unauthorized use or disclosure. "Witness the example of identity theft" she noted. "The majority of instances of identity theft result from insider abuse."

"While I have sympathy for the rights of intellectual property holders, businesses should not rely on the surveillance of consumers to protect their copyright interests. It is not acceptable to allow copyright enforcement to come at the expense of users' privacy."

The full text of the letter to Google may be found on the Commissioner's website at www.ipc.on.ca in the What's New section.

Previously: Commentary on the YouTube / Viacom order, Judge orders that YouTube hand over viewer records.

Edmonton addresses perception of public safety with surveillance cameras

The police in Edmonton, Alberta are proposing to place surveillance cameras on the city's popular strip. Frank Work, the Information and Privacy Commissioner of Alberta, is not impressed. And in case you were wondering if this is about perceptions, here you have it directly from Sgt. Gary Godziuk, with the city's public safety compliance team:

"The cameras will contribute to the overall perception of public safety and the mitigation of crime and disorder."

See: edmontonsun.com - Edmonton News - Here's looking at you.

Tuesday, July 08, 2008

Commentary on the YouTube / Viacom order

I had the chance yesterday to read the decision in Viacom International v. YouTube (previously: Canadian Privacy Law Blog: Judge orders that YouTube hand over viewer records). The request and the order are appalling from a privacy point of view, in my humble opinion.

It appears clear from the decision that Viacom, et al. were ostensibly not looking for information about users of Google Video and YouTube, but this will certainly be the side-effect. In the preliminary motion, Viacom was seeking a number of orders from the court to help it build its billion dollar case for copyright infringement against the video sites. Because the vast majority of the content is uploaded by users, Viacom is going after YouTube on the basis that they assist and encourage the violation of copyright by users and are therefore responsible financially for it. The reason put forward by Viacom for seeking the full user logs was to compare the viewership (aka hits) of allegedly pirated content against viewership of non-pirated materials. If they can show that allegedly pirated content is more popular, the reasoning goes, they can show that YouTube has a financial interest in allowing pirated content on the site.

Google attempted to argue to the Court that handing over the raw logs would be intrusive of privacy for the sites' users. Unfortunately for the users, the Court didn't put much weight in these arguments as it referred to Google's past positions that IP addresses cannot identify individuals:

Defendants argue that the data should not be disclosed because of the users’ privacy concerns, saying that “Plaintiffs would likely be able to determine the viewing and video uploading habits of YouTube’s users based on the user’s login ID and the user’s IP address” (Do Decl. ¶ 16).

But defendants cite no authority barring them from disclosing such information in civil discovery proceedings, and their privacy concerns are speculative. Defendants do not refute that the “login ID is an anonymous pseudonym that users create for themselves when they sign up with YouTube” which without more “cannot identify specific individuals” (Pls.’ Reply 44), and Google has elsewhere stated:

We . . . are strong supporters of the idea that data protection laws should apply to any data that could identify you. The reality is though that in most cases, an IP address without additional information cannot.

Google Software Engineer Alma Whitten, Are IP addresses personal?, GOOGLE PUBLIC POLICY BLOG (Feb. 22, 2008), http://googlepublicpolicy.blogspot.com/2008/02/are-ip-addresses-personal.html (Wilkens Decl. Ex. M).

So why does Viacom need the full logs? Because they need to try to determine unique viewership of the content. They need a way to distinguish one viewer from another.

Do they need full IP addresses? I don't think so. While we are talking about terabytes of data, it would be trivial to run all the logs through a software routine that would use a "one way hash" to make each IP address unique while not disclosing the IP address itself.
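The one-way hash suggested above, as an added example (not code from this post or from either party): each address in a view log is replaced by an HMAC-SHA256 token, so unique viewers per video can still be counted. A secret key is used because a plain hash of an address can be recomputed by anyone for every candidate address, which the last function checks. The log layout, key handling and function names are assumptions.

```python
import hashlib
import hmac
import ipaddress
import secrets
from collections import defaultdict

# Constructed sample rows (timestamp, client IP, video ID); the addresses
# come from the ranges reserved for documentation.
SAMPLE_LOG = """\
2008-07-01T10:00:01Z 192.0.2.10 vid_1
2008-07-01T10:00:05Z 192.0.2.11 vid_1
2008-07-01T10:02:40Z 192.0.2.10 vid_1
2008-07-01T10:03:12Z 2001:db8::1 vid_2
2008-07-01T10:04:00Z 2001:DB8:0:0:0:0:0:1 vid_2
2008-07-01T10:05:30Z 198.51.100.7 vid_2
"""

def canonical(ip_text):
    """Normalise textual variants so one address always yields one token."""
    return ipaddress.ip_address(ip_text.strip()).packed

def keyed_token(ip_text, key):
    """HMAC-SHA256 of the address under a secret key, cut to 128 bits."""
    return hmac.new(key, canonical(ip_text), hashlib.sha256).hexdigest()[:32]

def unkeyed_token(ip_text):
    """Plain SHA-256 of the address: one-way, but anyone can recompute it."""
    return hashlib.sha256(canonical(ip_text)).hexdigest()[:32]

def export_rows(log_text, key):
    """Replace the IP column with its keyed token; keep the other columns."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, ip_text, video = line.split()
        rows.append((timestamp, keyed_token(ip_text, key), video))
    return rows

def unique_viewers(rows):
    """Count distinct address tokens per video in the exported rows."""
    seen = defaultdict(set)
    for _timestamp, token, video in rows:
        seen[video].add(token)
    return {video: len(tokens) for video, tokens in seen.items()}

def find_by_enumeration(token, network, tokenizer):
    """Pre-release check: recompute tokens for every address in `network`
    with `tokenizer` and return the address that matches, or None."""
    for addr in ipaddress.ip_network(network):
        if tokenizer(str(addr)) == token:
            return str(addr)
    return None

if __name__ == "__main__":
    # Assumption: the key is generated for one export, never handed over
    # with the data, and destroyed once the export has been produced.
    export_key = secrets.token_bytes(32)
    print(unique_viewers(export_rows(SAMPLE_LOG, export_key)))
    print(find_by_enumeration(unkeyed_token("192.0.2.10"),
                              "192.0.2.0/24", unkeyed_token))
```

The tokens are only as private as the key: whoever holds it can recompute the token for any address, so it must stay with the party producing the export.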

Why the big deal? While Viacom obtained the information for one purpose (to build its case against YouTube), it may be able to use the information for other purposes. At least in Canada, that would be covered by the implied undertaking rule that would require court permission before using it for any other purpose. But the bigger deal is the chilling effect on viewers. Casual web surfers may know that somewhere their digital footprints are being recorded, but they don't spend a lot of time thinking about it. This case should make internet users think carefully about where they are surfing, what they are viewing and the fact that once personal information is recorded and retained, it will be available for all kinds of secondary uses. Some of these secondary uses, such as litigation or criminal investigations, are beyond their control and there is no opt-out. The Viacom order includes the personal information of innocent viewers who were only viewing public domain or properly licensed content. Those logs include my IP addresses, which include information about what I've viewed and what my kids have viewed. I'm sure that it includes your IP address too.

What to do? If you are an online service provider, don't create logs. If you create logs, don't keep them. It's that simple. (If you are about to be served with a subpoena, don't delete them. It's too late and you'll be hit with accusations of spoliation.) If you are an internet user, look into Tor.

Monday, July 07, 2008

UK Commissioner calls for complete overhaul of European DP laws

The UK Information Commissioner is calling for a complete overhaul of privacy/data protection in Europe. Think-tank RAND Europe has been commissioned to review the whole state of affairs and report back in April 2009. Watch this space for the results ...

Europe data protection laws not fit for purpose, says ICO

... The current European Directive is "no longer fit for purpose" and European Data Protection law "needs to be modernised to meet the technological and social challenges of the 21st century," the ICO has said.

“European data protection law is increasingly seen as out of date, bureaucratic and excessively prescriptive,” said UK Information Commissioner Richard Thomas at the Privacy Laws and Business conference in Cambridge.

"It is showing its age and is failing to meet new challenges to privacy, such as the transfer of personal details across international borders and the huge growth in personal information online. It is high time the law is reviewed and updated for the modern world."

Saturday, July 05, 2008

Keep your friends close, but your laptop closer ... Especially in airports

According to a recent study conducted by the Ponemon Institute, 10,000 laptops are lost/stolen each week in US airports. While the commentary on this study talks about confidential business information, I am confident that the majority of these laptops also contain personal information. See: PC World - Business Center: Laptops Lost Like Hot Cakes at US Airports.

Thursday, July 03, 2008

Saskatchewan Commissioner releases annual report

The Information and Privacy Commissioner of Saskatchewan, Gary Dickson QC, has released his annual report today. Here is the "Quick Overview":
A Quick Overview

This is my fifth Annual Report as Saskatchewan’s first full-time Commissioner.

Some good progress has been achieved in terms of access to information and privacy compliance in a number of areas. In other areas, not enough has been achieved.

My intention is that this Annual Report provide both some perspective on the last four and one-half years and an outline of the challenges ahead for this office. The people of Saskatchewan deserve an access and privacy regime that is both robust and effective.

My commentary in this Annual Report needs to be qualified by the recognition that achieving such a regime captures much more than just the activities of our oversight office. It entails other features such as:

  • Effective and up-to-date legislation;
  • Strong network of FOIP Coordinators in all government institutions and local authorities;
  • Comprehensive training program for all new public sector employees and contractors;
  • System of in-service training for all existing public sector employees; and
  • Detailed and practical manual that explains statutory requirements in plain language with checklists, specimen forms, and ‘decision trees’.

From the perspective of the individual in Saskatchewan, a robust access and privacy regime would feature:

  • Relatively simple process to access one’s own personal information and to correct errors in that information;
  • Full and timely response to any access requests;
  • Relatively simple process to make a complaint that privacy requirements for a public body have not been met;
  • A senior, properly trained and qualified FOIP Coordinator for the relevant public body who can assist the citizen to exercise the rights created by our three access and privacy laws; and
  • Reviews by our office to be completed in majority of cases within five months.

Two central themes have crystallized since I started in November 2003.

1. One is the largely unfinished state of our access and privacy regime despite the fact that FOIP is 16 years old.

2. The other is the burgeoning demand by Saskatchewan citizens and organizations for assistance from us in coping with what is seen as a fragmented, confusing and under-resourced trio of laws.

This includes demand from public sector employees who want to do the right thing and who do wish to ensure their organizations meet access and privacy requirements.

Our last four and one-half years have seen significant increases in almost all areas of service. Formal reviews of access decisions and privacy complaints received by our office for the 2007-2008 fiscal year are 40% higher than the previous fiscal year. Requests to our office for summary advice are up 29%. Visitors to our website are up 20% over the previous year.

This increase in demand for assistance may be at least partly attributable to a lack of tools and resources available to those who need them.

That demand for service also reflects new developments that have dramatically sharpened the focus on personal health information, technical threats to privacy and the demand for transparent and accountable government at all levels.

The OIPC is supported by the Legislative Assembly Office that provides an array of services. We appreciate and rely on those resources.

I am very proud of what our small office has accomplished in the last four and one-half years. The credit goes to the wonderful team of men and women in this office led by Diane Aldridge, Director of Compliance and Pamela Scott, Manager of Administration.

Judge orders that YouTube hand over viewer records

This is some pretty scary stuff. Not only has Viacom (shame on Viacom) demanded that Google hand over the records of all users who viewed certain YouTube videos (yup, viewed not uploaded) but a Judge has actually ordered this. Perhaps not surprisingly, Google's argument that IP addresses are not personal information has been used against its arguments that handing over this information would be unduly intrusive of personal privacy. See: Judge Orders YouTube to Give All User Histories to Viacom Threat Level from Wired.com.

Wednesday, July 02, 2008

Most Canadians resist sharing personal details with stores: Poll

When I give presentations on Canadian privacy law, the number one question I get -- without exception -- is whether a retailer can ask for your phone number or postal code at the point of sale. Sometimes I'm asked about asking for ID when making returns. According to Canada.com (I haven't been able to find the survey itself), the Privacy Commissioner of Canada has commissioned a survey that confirms that Canadians are not comfortable with retailers who ask intrusive questions at the check-out:

Most Canadians resist sharing personal details with stores: Poll

Don Butler, Canwest News Service. Published: Wednesday, July 02, 2008

OTTAWA - More than half of Canadians resist requests for personal information from retailers and nearly as many simply refuse to provide it, according to a survey done for the Office of the Privacy Commissioner.

The Ipsos Reid survey, made public recently on a government website, also found that safety or security concerns are a major impetus for the refusal to give retailers personal information such as name, phone number or postal code.

The survey of 1,000 adult Canadians, conducted last December, was commissioned in part to help the privacy commissioner's office evaluate the need for public education to inform Canadians about their privacy rights during retail transactions.

The survey found 52 per cent of respondents resist retailers' requests for personal information by asking why it is needed, and 45 per cent flatly refuse to provide such information.

Thirteen per cent have deliberately given a store incorrect information when asked for a name, phone number or postal code. Eleven per cent have done the same when registering for commercial online sites.

Anne-Marie Hayden, spokeswoman for the privacy commissioner's office, said it was encouraging that many Canadians are balking at requests for personal information from retailers.

"Personal information is increasingly invaluable in the marketplace," she said. "So we're pleased that consumers are taking charge and questioning requests for their personal information."

Under the Personal Information and Electronic Documents Act, Hayden noted, businesses aren't allowed to collect personal information indiscriminately. Rather, they're supposed to limit the information gathered to what is necessary for the purposes identified by the organization.

Retailers need to be open about why they're asking for personal information, she said.

"If they can't give you a good reason why they need your personal information, don't give it out."

The survey found those who have either refused to give personal information or given incorrect information most often say they did so for reasons related to security and safety.

One in five don't trust the safety of providing such information online, while one in 10 have concerns about identity theft, fraud or computer hackers. Another six per cent mention safety or security issues in general.

A further 28 per cent refrain from providing their personal information because they consider it private or none of the retailer's business.

Others say they refuse because retailers don't need the information or they don't want to be contacted by telemarketers or sent junk mail.

One in three Canadians say they think stores use personal information they gather to compile statistics or demographic information on their customers. Three in 10 think stores sell the information to telemarketers or other companies.

The survey has a margin of error of 3.1 percentage points, plus or minus, 19 times out of 20.

In a report last month, Privacy Commissioner Jennifer Stoddart said many companies ignore "elementary security measures" to protect the personal information they gather. This has led to a growing number of "inexcusable" security breaches, she said.

Last year, the privacy commissioner's office launched an online "e-learning tool" to help retailers bring their privacy practices and policies into line with the law.