Thursday, January 31, 2008

Atlantic Canadian police want local ISPs to loosen up to nab suspected online predators

Earlier this week, the RCMP organized a conference of police, internet service providers and other "stakeholders" on internet safety. I wrangled an invite, but had to go out of town at the last minute. One of the topics under discussion was whether ISPs should disclose subscriber information without a warrant.

My opinion on the topic is well known to readers of this blog (see tag: lawful authority).

Today's Hailifax Daily News has an article on the fact that the two leading ISPs in Atlantic Canada, Eastlink and Aliant, have a policy of requiring a warrant. Interestingly, the article focuses on the word "may" and not "lawful authority" in PIPEDA:

Halifax, The Daily News: Local News Police want local ISPs to loosen up to nab suspected online predators

Police want local ISPs to loosen up to nab suspected online predators



Police in Nova Scotia are at a disadvantage compared to the rest of Canada when it comes to tracking down online sexual predators. Partly it's because of a single word in a piece of legislation.

When someone posts child pornography online, police have to go through Internet service providers - or ISPs - to get the person's name and address.

Most ISPs - over 70 per cent across the country - give police basic information without making them get a warrant. But Cpl. Dave Fox of the RCMP Internet Child Exploitation Unit said the majority of those that require warrants are in Atlantic Canada.

Both of Nova Scotia's two main providers, Aliant and EastLink, make police get warrants before handing over information. It's a process that takes a week on average, police say, and eats up desperately needed resources.

"We're not looking for shortcuts. If we took a shortcut and we were breaching someone's charter rights ... We would risk all the evidence we obtained by this warrantless searches being ruled inadmissible at trial," Fox said.

When contacted by The Daily News, Aliant said it would share information with police in emergency situations, but otherwise ask for a warrant.

"This is how we approach it. We work with them. This is what's in place in terms of our practice," said Aliant communications director Kelly Gallant.

For EastLink, the reluctance comes from the wording of the Personal Information Protection and Electronic Documents Act.

The act states ISPs "may disclose personal information" to police without a warrant.

At issue is the word "may," which some ISPs see as being too vague.

Though the federal government has endorsed pre-warrant requests as complying with the legislation, a minority of companies say handing over personal information without a warrant could expose them to lawsuits.

"The way the law is dictated today it is not clear, so we're erring on the side of the law," said Paula Sibley, communications specialist for EastLink.

"If the legislation was to be clarified, we would fully work within that."

No company has been successfully sued for handing information over to police, though there are two suits in early stages - one in Ontario and one in British Columbia.

Sunday, January 27, 2008

UK Commissioner seeks additional powers and penalties

In stark contrast to Canada's Privacy Commissioner, the Information Commissioner in the UK is looking for stronger powers and penalties. See: IMPACT®: ICO publishes powers and penalties wishlist, which refers to "DATA PROTECTION POWERS AND PENALTIES: The Case for Amending the Data Protection Act 1998".

Wednesday, January 23, 2008

Cory Doctorow: why personal data is like nuclear waste

Cory Doctorow, of Boing Boing fame, has an opinion piece in The Guardian: Cory Doctorow: why personal data is like nuclear waste Technology

We should treat personal electronic data with the same care and respect as weapons-grade plutonium - it is dangerous, long-lasting and once it has leaked there's no getting it back...

I'm not sure that nuclear waste is the best analogy. In speaking on the topic, I usually liken personal information to heating oil. Many businesses need oil to operate. Either it is the raison d'etre of the business or it is just one of those things that supports the business. Whatever the case, it needs to be carefully stored or it can leak out and cause a huge, expensive mess. And personal information, like oil, should only be kept around while it is needed. If you don't need it, dispose of it carefully. Personal information that is no longer needed is akin to an underground oil tank: get rid of it (safely) as soon as you can.

No responsible business would allow employees to transport oil in inappropriate containers. The same should apply to personal information.

Personal information is an asset, but a dangerous one: if spilled, can cause a disastrous mess.

European privacy authorities consider IP addresses to be personal information

This is an interesting development.

In 2003, the Privacy Commissioner of Canada released a finding that strongly suggested that an IP address is "personal information" for the purposes of PIPEDA (Commissioner's Findings - PIPEDA Case Summary #25: A broadcaster accused of collecting personal information via Web site - November 20, 2001 - Privacy Commissioner of Canada). Now the European Union is taking a similar position.

This determination has implications for a range of businesses that operate websites, but particularly affects companies like Google, Yahoo! and the like.

Wired News - AP News - EU Official: IP Is Personal


AP Business Writer

BRUSSELS, Belgium (AP) -- IP addresses, string of numbers that identify computers on the Internet, should generally be regarded as personal information, the head of the European Union's group of data privacy regulators said Monday.

Germany's data protection commissioner, Peter Scharr, leads the EU group preparing a report on how well the privacy policies of Internet search engines operated by Google Inc., Yahoo Inc., Microsoft Corp. and others comply with EU privacy law.

He told a European Parliament hearing on online data protection that when someone is identified by an IP, or Internet protocol, address "then it has to be regarded as personal data."

His view differs from that of Google, which insists an IP address merely identifies the location of a computer, not who the individual user is - something strictly true but which does not recognize that many people regularly use the same computer terminal and IP address.

Scharr acknowledged that IP addresses for a computer may not always be personal or linked to an individual. For example, some computers in Internet cafes or offices are used by several people.

But these exceptions have not stopped the emergence of a host of "whois" Internet sites that apply the general rule that typing in an IP address will generate a name for the person or company linked to it.

Treating IP addresses as personal information would have implications for how search engines record data.

Google led the pack by being the first last year to cut the time it stored search information to 18 months. It also reduced the time limit on the cookies that collect information on how people use the Internet from a default of 30 years to an automatic expiration in two years.

But a privacy advocate at the nonprofit Electronic Privacy Information Center, or EPIC, said it was "absurd" for Google to claim that stripping out the last two figures from the stored IP address made the address impossible to identify by making it one of 256 possible configurations.

"It's one of the things that make computer people giggle," EPIC executive director Marc Rotenberg told The Associated Press. "The more the companies know about you, the more commercial value is obtained."

Google's global privacy counsel, Peter Fleischer, however, said Google collects IP addresses to give customers a more accurate service because it knows what part of the world a search result comes from and what language they use - and that was not enough to identify an individual user.

"If someone taps in 'football' you get different results in London than in New York," he said.

He said the way Google stores IP addresses meant one of them forms part of a crowd, giving valuable information on general trends without infringing on an individual's privacy.

Google says it needs to store search queries and gather information on online activity to improve its search results and to provide advertisers with correct billing information that shows that genuine users are clicking on online ads.

Internet 'click fraud' can be tracked down by showing that the same IP address is jumping repeatedly to the same ad. Advertisers pay for each time a different person views the ad, so dozens of views by the same person can rack up costs without giving the company the publicity it wanted.

Microsoft does not record the IP address that identifies an individual computer when it logs search terms. Its Internet strategy relies on users logging into the Passport network that is linked to its popular Hotmail and Messenger services.

The company's European Internet policy director, Thomas Myrup Kristensen, described the move as part of Microsoft's commitment to privacy.

"In terms of the impact on user privacy, complete and irreversible anonymity is the most important point here - more impactful than whether the data is retained for 13 versus 18 versus 24 months," he said.

But neither of the search engines received a pat on the back from Spain's data protection regulator, Artemi Rallo Lombarte, who criticized them for not trying to make their privacy policies accessible to normal people.

Their privacy policies "could very well be considered virtual or fictional ... because search engines do not sufficiently emphasize their own privacy policies on their home pages, nor are they accessible to users," he said, describing the policies as "complex and unintelligible to users."

Tuesday, January 22, 2008

Google spars with European lawmakers over privacy in Doubleclick review

Google was able to coast through regulatory review in the US without any consideration of privacy, but Europe is a different matter:

Google spars with European lawmakers over privacy | Reuters

Mon Jan 21, 2008 1:54pm EST

By David Lawsky

BRUSSELS (Reuters) - Google attacked European parliamentarians and privacy advocates on Monday for trying to have competition authorities consider the handling of personal information in its $3.1 billion takeover of rival DoubleClick.

The argument was the centerpiece of a European Parliament hearing to consider the burgeoning role of the Internet in impinging on the privacy of citizens.

The U.S. Federal Trade Commission (FTC) signed off last month on Google's $3.1 billion deal, which combines its dominance in pay-per-click Internet advertising with DoubleClick's market-leading position in display ads.

After listening to a visiting FTC commissioner, U.S. and European privacy advocates and European parliamentarians question the impact of the deal on European citizens' on-line privacy, Google's global privacy counsel shot back.

"People (are) trying to take a privacy case and shoehorn it into a competition law review ... I can understand that people continue to peddle this theory in Europe after having lost in the United States," Peter Fleischer said. His attack did little to calm the waters.

"The reason you want to have the data is because it gives you a competitive advantage. It is business. I don't think they can be completely disconnected. And we should discuss that side of things too," said Sophie in 't Veld, the Dutch parliamentarian who sought the hearing.

She called information a competitive factor and declared: "Having that much information is market power."

Federal Trade Commissioner Pamela Harbour said her four colleagues at the FTC had taken a traditional approach and excluded questions of privacy in their decision. She dissented.

"I believe a traditional approach does not capture the interests of all the parties. There is no proxy for the consumer whose privacy is at stake," she said.

The European Commission has said it will not take privacy into consideration. In the past six years, it has not turned down any all-U.S. deal approved by U.S. authorities.

Fleischer, asked about the deal rationale, said Google wanted to get into banner advertising. He said his firm did not build dossiers on individuals through searches, instead using the words of each search to decide what ads to display with it.

Contractual limits would prevent Google from using DoubleClick information from individuals, he said.

Stavros Lambrinidis of Greece, who chaired the meeting, asked whether Google turned information over to government authorities.

Fleisher said that if authorities go "through a valid legal process we will respond to it".

(Editing by Dale Hudson)

Monday, January 21, 2008

US Department of Commerce privacy incident response plan

Sabrina Pacifici has posted on her (fantastic) blog, beSpacific, a link to the privacy breach response plan put together by the US Department of Commerce: Department of Commerce Breach Notification Response Plan, September 28, 2007 (21 pages, PDF). This, in and of itself, is not particularly newsworthy but it's worth taking a look at as a precedent document in formulating such policies.

The document includes the Department's matrix for determining whether notification is required:

US Office of Personnel Management says not to use SSN as primary identifier

In the better late than never department, the US Office of Personnel Management is telling US government departments and agencies not to use the social security number as a default personnel identifier. See:

Thanks to beSpacific for leading me to the story.

NDP calls for VLT player tracking and intervention

The Government of Nova Scotia is planning to implement a new system for players of video lottery terminals (VLTs), requiring players to use a personal card so they can track their wins and losses, and put limits on their own playing. The system allows the players to remain anonymous. NDP Gambling Critic, Howard Epstein, wants the system to be changed so that the government knows how much players are losing so they can intervene if it appears to be a problem. The privacy issues in this one are obvious. See: Nova Scotia News - - NDP: No anonymous VLT cards - Counsellors should contact gamblers with big losses, critic says.

Privacy Commissioner wades into copyright debate and DRM

The Privacy Commissioner of Canada has waded into the debate over copyright reform in Canada, focusing on the possible privacy impact of digital rights management. The following is from a letter to the Minister of Industry and the Minister of Canadian Heritage:

Letter with respect to possible amendments to the Copyright Act (January 18, 2008) - Privacy Commissioner of Canada

...Technological protective measures can be embedded in various media to control copying and prevent copyright infringement, or they can be built into electronic devices to prevent the reading of unauthorized content. Digital rights management (DRM) is the general term for the varied technologies used to enforce pre-defined limitations on the use of digital content. These include any means by which publishers or manufacturers control use of data or hardware. My office has prepared an information sheet on DRM technology, a copy of which is enclosed for your information.

If DRM technologies only controlled copying and use of content, our Office would have few concerns. However, DRM technologies can also collect detailed personal information from users, who often do no more than access the content on a computer. This information is transmitted back to the copyright owner or content provider, without the consent or knowledge of the user. Although the means exist to circumvent these technologies and thus prevent the collection of this information, previous proposals to amend the Copyright Act contained anti-circumvention provisions.

Technologies that report back to a company about the use of a product reveal a great deal about an individual’s tastes and preferences. Indeed, such information can be extremely personal. Technologies that automatically collect personal information about individuals without their knowledge or consent violate the fair information principles that are central to PIPEDA and most other privacy legislation. That this occurs when individuals are engaged in a private activity in their homes or other places where they have a high expectation of privacy exacerbates the intrusiveness of the collection.

Update: Michael Geist's latest column is on this topic: | columnists | Copyright reform a potential threat to privacy.

Sunday, January 20, 2008

Incident: Personal info on 600K UK military recruits on stolen laptop

The Register reports that a laptop containing the personal information of 600,000 UK military recruits was on a laptop stolen from a naval officer's car. See: Join the army, get your ID pinched - MoD laptop goes AWOL | The Register.

Thursday, January 17, 2008

Microsoft seeks patent for office 'spy' software

This is weird, and creepy:

Microsoft seeks patent for office 'spy' software - Times Online

Microsoft is developing Big Brother-style software capable of remotely monitoring a worker’s productivity, physical wellbeing and competence.

The Times has seen a patent application filed by the company for a computer system that links workers to their computers via wireless sensors that measure their metabolism. The system would allow managers to monitor employees’ performance by measuring their heart rate, body temperature, movement, facial expression and blood pressure. Unions said they fear that employees could be dismissed on the basis of a computer’s assessment of their physiological state....

Wednesday, January 16, 2008

The state has no business in the bathroom stalls of the nation

The ACLU in the US is supporting Senator Craig's withdrawal of his guilty plea, arguing that there is a reasonable expectation of privacy for those who are (or are not) having sex in bathroom stalls. See:

ACLU: Sex in restroom stalls is private - Yahoo! News

ST. PAUL, Minn. - In an effort to help Sen. Larry Craig, the American Civil Liberties Union is arguing that people who have sex in public bathrooms have an expectation of privacy.

Craig, of Idaho, is asking the Minnesota Court of Appeals to let him withdraw his guilty plea to disorderly conduct stemming from a bathroom sex sting at the Minneapolis airport.

The ACLU filed a brief Tuesday supporting Craig. It cited a Minnesota Supreme Court ruling 38 years ago that found that people who have sex in closed stalls in public restrooms "have a reasonable expectation of privacy."

That means the state cannot prove Craig was inviting an undercover officer to have sex in public, the ACLU wrote.

The Republican senator was arrested June 11 by an undercover officer who said Craig tapped his feet and swiped his hand under a stall divider in a way that signaled he wanted sex. Craig has denied that, saying his actions were misconstrued....

Tuesday, January 15, 2008

FBI wants instant access to international identity data

According to the Guardian, the FBI is looking to get a number of nations onboard an internatioal biometric database creepily named "Server in the Sky":

FBI wants instant access to British identity data Special reports Guardian Unlimited

... The FBI told the Guardian: "Server in the Sky is an FBI initiative designed to foster the advanced search and exchange of biometric information on a global scale. While it is currently in the concept and design stages, once complete it will provide a technical forum for member nations to submit biometric search requests to other nations. It will maintain a core holding of the world's 'worst of the worst' individuals. Any identifications of these people will be sent as a priority message to the requesting nation."

Participants in this initiative include the US, UK, Australia, Canada and New Zealand as part of a working group called the "International Information Consortium".

Monday, January 14, 2008

Alberta privacy commission to rule on bar scans

Personal information practices of bars and nightclubs are coming under increasing scrutiny, particularly with repect to video surveillance in Nova Scotia and the practice of scanning identification documents. Complaints related to the latter practice are pending in British Columbia and Alberta. It appears that a decision of the Alberta Commissioner is to be expected shortly: Alberta privacy commission to rule on bar scans.

CMA says physicians can just say no to signing passport applications

The Canadian Medical Association says physicians should feel free to refuse to sign patients' passport applications, particularly if they object to doing so on privacy grounds. Recent changes to requiremetns for passport applications have broadened the categories of who can attest to an applicant's identity, but the form now requires the attestor to put in their date of birth and passport number. See: Signing patients' passport forms: MDs should feel free to say no.

Saturday, January 12, 2008

Identity Theft and Privacy Laws

Yesterday, I gave a presentation with S/Sgt Al Langille of the RCMP at the Canadian Bar Association - Nova Scotia's annual professional development conference on ID theft and privacy laws. If you're interested, the presentation is here:

A Privacy Manifesto for the Web 2.0 Era

Alec Saunders, in a guest column on Om Malik's GigaOM, has recentlly written a privacy manifesto for the Web 2.0 era. Those used to dealing with PIPEDA will notice a lot in common with the principles from the CSA Model Code for the Protection of Personal Information. A snippet:

A Privacy Manifesto for the Web 2.0 Era - GigaOM
  1. Every customer has the right to know what private information is being collected. That rules out any secret data collection schemes, as well as monitoring regimes that the customer hasn’t agreed to in advance. It also rules out any advertising scheme that relies on leaving cookies on a customer’s hard disk without the customer’s consent.
  2. Every customer has the right to know the purpose for which the data is being collected, in advance. Corporations must spell out their intent, in advance, and not deviate from that intent. Reasonable limits must be imposed on the collection of personal information that are consistent with the purpose for which it is being collected. Furthermore, the common practice of inserting language into privacy policies stating that the terms may be modified without notice should be banned. If the corporation collecting data wishes to change its policy then it’s incumbent upon the corporation to obtain the consent of customers in advance.
  3. Each customer owns his or her personal information. Corporations may not sell that information to others without the customer’s consent. Customers may ask, at any time, to review the personal information collected; to have the information corrected, if that information is in error; and to have the information removed from the corporation’s database.
  4. Customers have a right to expect that those collecting their personal information will store it securely. Employees and other individuals who have access to that data must treat it with the same level of care as the organization collecting it is expected to.

Alberta Commissioner considers reference checks under PIPA

From Alberta:

Commissioner rules reference check was in compliance with Personal Information Protection Act

January 8, 2008

Commissioner rules reference check was in compliance with Personal Information Protection ActInformation and Privacy Commissioner, Frank Work, has determined that information collected in an employment reference check was in compliance with the Personal Information Protection Act (PIPA).

An individual had complained that a former employer had disclosed information not related to her job to a prospective employer in contravention of PIPA and that the prospective employer had collected the information in contravention of the Act. The individual also complained that the former employer had not responded to her request for her personal information.

Following an inquiry into the matter, the Commissioner determined that the information collected in the reference check was personal employee information as defined in PIPA and that no unrelated personal information about the individual was collected. The Commissioner found no evidence that personal information, aside from work related information, had been disclosed or collected.

The Commissioner did find, however, that the former employer did not properly respond to the Complainant’s request for her personal information and has ordered the former employer to respond to that request.To obtain a copy of Orders P2006-006 and P2006-007, visit our website,

Thursday, January 10, 2008

Security breach at the Canadian Bar Association

The Canadian Bar Association advises that it has noted "unauthorized activity" related to member information: CBA Personal Information Advisory.

Michael Geist quotes from the notification the CBA has sent to affected members:

Michael Geist - Canadian Bar Association Hit By Security Breach

Your records may have been affected by this unauthorized activity. The files contained personal information relating to online orders (name, address, phone, fax, member number) and encrypted credit card information. We have no reason to believe that the encrypted credit card information was compromised. CBA uses one of the most secure encryption solutions available to protect credit card information. As a precautionary measure, we recommend that members monitor their credit card accounts for suspicious activity.

Wednesday, January 09, 2008

The problem with do-not-fly lists?

The problem with name-based do-not-fly lists? Five year olds who get detained because of their names: TSA searches, detains 5 year old because his name was on no-fly list - Boing Boing.

Privacy law freezes health research in British Columbia

The Vancouver Sun is reporting that recent amendments to BC's privacy laws are making it difficult for researchers to recruit participants:

Privacy law freezes Health research

Numerous B.C. health studies are not proceeding, languishing on hold or facing long delays because privacy legislation prevents researchers from actively recruiting participants.

A sample of taxpayer-funded studies actually or potentially affected by the legislation include ones on Parkinson's disease, back injuries, prostate cancer, breast cancer, ovarian cancer, multiple myeloma, and the quality of life and health-care needs of childhood cancer survivors.

Scientists say the problem is a 2003 amendment to the B.C. Freedom of Information and Protection of Privacy Act prohibiting government from releasing information to scientists for the purpose of contacting individuals about participating in research.

Previously, the legislation allowed the government to disclose contact information to research scientists, without the consent of individuals, as long as confidentiality was protected.

The reasons for the amendment are not clear, but prior to 2003, scientists were allowed to collect a random sample of names from data banks such as the Medical Services Plan (MSP) registry and election lists to recruit control subjects for studies.

Medical studies have yielded important findings and led to major shifts in human behaviour, such as smoking cessation, more exercise and dietary changes....

Monday, January 07, 2008

Don't try this at home

A British celebrity, to demonstrate that privacy breaches are much ado about nothing, published his bank account number in a newspaper column and taunted that:

"All you'll be able to do with them is put money into my account. Not take it out. Honestly, I've never known such a palaver about nothing," he told readers.

Nothing can go wrong here, right? A wily reader used the information to set up an automatic debit to a Diabetes charity.

Lesson: Don't try to be cute with your personal information.

See: BBC NEWS Entertainment Clarkson stung after bank prank.

Sunday, January 06, 2008

Even the law-abiding bar patron has cause to worry

An editorial in today's Halifax Chronicle Herald is coming out in favour of the apparent clampdown on bars in Halifax, including the doubling of surveillance cameras and giving the police access to the feeds.* They even come out with the old line, "if you aren't breaking the law, you have nothing to worry about":

Nova Scotia News -

"Some critics have raised concerns about the misuse of increased security cameras, or giving police and liquor licence inspectors access to the images. Bars, however, are public places. If individuals are not breaking the law, they have little need to worry. That said, any misuse of the security cameras should be punished."

Today's paper had the following letter to the editor:

Nova Scotia News -

Pretty public privacy

I read with amazement the Dec. 30 article "Lawyer: Cops watching bar videos a worry." It left me wondering how anyone could have any expectation of privacy in a public place.

By definition, "public" is the opposite of "private." One cannot have both at the same time.

There are those who claim that their privacy is taken away by video cameras in bars and on the street. Well, folks, you never had privacy in these public places in the first place, so how is it taken away from you?

If these people want privacy, I suggest they look for it in their homes or in a voting booth. Get over it.

John D. Spearns, Dartmouth

This is a fallacious supposition. Halifax is a small city. There's actually a pretty good chance that the person watching the monitor is a neighbour, a member of your church or at least somehow intersects with your social circle. (Just go to the public market on a Saturday morning and you'll see how small a city this is.)

People at bars routinely do things that are not -- I repeat, NOT -- illegal but they wouldn't want recorded for posterity and perhaps clipped and sent around in an e-mail. People go to bars to relax, to undwind, to meet people and maybe even do foolish but lawful things. I am sure that on any given night, extramarital affairs are begun at bars around town. (A bit foolish in such a small city, but ....) None of this is illegal and none of it merits the scrutiny of law enforcement. Having cameras that are being transmitted to the police in realtime can have a chilling effect on lawful behaviours. Just because you are publicly visible shouldn't mean that you surrender all rights to privacy. (One must remember, also, that a bar is not a "public place" but a private establishment into which the public is invited.)

It may be a different matter if the cameras were only used as an investigative tool to look into incidents after the fact, but there has been no indication that there will be any controls on these cameras.

Even the law-abiding bar patron has cause to worry.

*See: Canadian Privacy Law Blog: Offsite surveillance in Halifax bar may set precedent and Canadian Privacy Law Blog: Halifax bar gets liquor license back on condition that cops have off-site access to surveillance system.

Saturday, January 05, 2008

Allowing medical device reps into surgeries questioned

British Columbia has recently changed the rules to prohibit representatives of medical device manufacturers from scrubbing in for surgeries. As far as I know, this is the first such rule in Canada and company reps are routinely permitted into surgeries in other provinces.

I got a call from CBC just before New Years to comment on the practice and the quotes they used pretty well sum up my view:

'Time-honoured' medical practice questioned

David Fraser, a privacy lawyer in Halifax, said patients should have a say.

"When an individual is undergoing surgery, they're sedated. They're not aware of what's going on around them and they're completely vulnerable to the surroundings and what's happening to them," Fraser said.

"There's a higher obligation on the part of health care professionals to make sure that consent is properly obtained."

Wedge said despite privacy concerns in other provinces there are no plans to bring in new policies on P.E.I.

Friday, January 04, 2008

Thursday, January 03, 2008

Facebook prevents scraping of profiles

Apparently Facebook has banned Robert Scoble and suspended his account after Facebook determined he was violating the terms of service by using an automated script to "move his social graph" (Facebook disabled my account « Scobleizer — Tech geek blogger). What he was apparently doing was using a script or some other automated tool to "export" information related to his 5000 friends to import the data into Plaxo (What I was using to hit Facebook — unreleased Plaxo Pulse « Scobleizer — Tech geek blogger). Facebook lets you import data from Gmail and other services, but it's a one way street.

His account has been restored, but I hope this spurs some debate over the portability of one's own data, particularly if that includes data about others.

In my view, I think that Facebook is right to prevent this sort of scraping. Facebook is different from your usual address book. There's much more information being shared on social networking sites. Perhaps imprudently, many users add as friends people they really don't know and (un)wittingly expose sensitive information. A facebook profile not only lists that individual in question, but his or her friends.

All of this means that information from a Facebook is more prone to be abused in a manner that the individual may not anticipate. If I add Scoble (or you) as a friend on Facebook, I think I have a good sense of what may happen to that information on Facebook. But I have no clue about what can happen when that information is taken off a trusted platform into some other, unknown, system. It's a bit chilling and Facebook is correct to take the position it has.

There's some additional coverage here: The Scoble scuffle: Facebook, Plaxo at odds over data portability The Social - CNET, but you should also read the comments on Scoble's own posts as they represent an interesting slice of opinion.

What intrusive "function creep" looks like

Just before New Year's, the Nova Scotia Utility and Review board reinstated the liquor license of a popular bar in Halifax on the condition (among others) that the bar double the number of surveillance cameras and allow liquor inspectors and the cops to have offsite access to the feeds (see: Canadian Privacy Law Blog: Offsite surveillance in Halifax bar may set precedent and Canadian Privacy Law Blog: Halifax bar gets liquor license back on condition that cops have off-site access to surveillance system).

When this report came out, I voiced some concerns that this may set a dangerous precedent. Any move to implement such a scheme has to include very tight controls over how this new-found surveillance power will be used lest it be a license for unimpeded and unrestricted intrusiveness.

In case you were wondering what the slippery slope of function creep (to mix my metaphors) looks like, look no further than random ID checks in casinos in Illinois. Random identification checks by law enforcement officers were put in place to deal with excluded problem gamblers. Assurances were given that there would be no other use of that information or other abuse of this power. Now it's reported, shockingly, that the cops in Illinois casinos are checking for problem gablers, sex offenders, outstanding warrants and other micreants. See: Daily Herald Police admit ID checks in casinos turn up more than problem gamblers.

To put it bluntly, function creep is a very real phenomenon that needs to be anticipated and guarded against whenever a new intrusive technique or technology is rolled out.

Wednesday, January 02, 2008

Happy birthday to the Canadian Privacy Law Blog

Today marks the fourth anniversary of the Canadian Privacy Law Blog. Four years ago, on January 2, 2004, I put fingers to keyboard and joined the interesting conversation that was beginning to take shape on the internet among veteran bloggers and I'm glad I did. (Welcome to the Canadian Privacy Law blog.) According to Blogger, this will be my 2740th post to the blog.

Forgive me if I get a bit melancholic and wistful as I look back on the past four years, but it has been a very eventful one for me and for the world of privacy. And both are related, I think. (I mean the changes in the world of privacy have influenced me, not the other way around.)

The day before my first posting, the Personal Information Protection and Electronic Documents Act ("PIPEDA") came fully into force for all commercial activities in Canada. That day, the Personal Information Protection Acts of British Columbia and Alberta came into force, but were not declared to be "substantially similar" to PIPEDA until ten months later (Alberta and British Columbia privacy laws declared to be substantially similar.) Also on the legislative front, Ontario passed the Personal Health Information Protection Act and it became law in May, 2004 (Ontario's Personal Health Information Protection Act receives royal assent.) Perhaps as importantly, it was declared substantially similar on November 28, 2005. (PHIPA declared substantially similar.)

Much attention has been paid to the continuing erosion of privacy rights in the United States and Canada. In 2004, the Information and Privacy Commissioner of British Columbia brought the USA Patriot Act under scrutiny. (U.S. Patriot Act worries Privacy Commissioner and BC Information and Privacy Commissioner releases his report: Patriot Act contravenes BC privacy laws.) In response, British Columbia, Alberta and Nova Scotia have passed laws or amendments to existing laws to closely regulate the export of personal information outside of Canada. In the US, the USA Patriot Act has been subject to many judicial challenges with some success.

Perhaps the area that has been most visible to laypeople is the growing trend of requiring companies to report data breaches. California led the way and now more than thirty US states have such requirements. We haven't seen it in Canada (except in PHIPA in Ontario) but advocates are calling for such a requirement in Canada's privacy laws of general application. Coming clean has led to the public disclosure of a number of huge breaches, including Cardsystems, TJX/Winners, Department of Veterans Affairs and the UK Revenue and Customs Service. Whether we see a change in Canadian law has yet to be seen. Despite the huge publicity given to these breaches, business built on personal information -- such as Facebook -- thrive.

On the professional front, I've been very fortunate to have been invited to speak on the topic of privacy on more occasions than I can estimate. Highlights have been speaking at the Canadian Bar Association general meeting in Winnipeg in 2005, Canadian IT Law Association for the past few years and innumerable professional organizations. The blog has also led to innumerable media interviews and some amazing awards (I'd like to thank the academy. And my blog ... and An honour to even be considered.)

Perhaps more satisfying is that I've been fortunate to have met (in some cases, in the flesh) and to have been inspired by some great fellow legal bloggers. This list includes Connie Crosby, Rob Hyndman, David Canton, Michael Geist, Michael Fitzgibbon and the amazing Slawyers.

To my readers, thank you very much for taking the time to drop by. I hope it has been informative and useful. Please pass along any suggestions or your thoughts, either in the comments to my posts or via e-mail at

Birthday cake graphic used under a creative commons license from K. Pierce.

Privacy Among Top 10 Law Firm Practice Areas of Media Interest in 2008

Legal Expert Connections, which specializes in marketing for lawyers, has issued a press release on the ten practice areas that it anticipates will garner the most media interest in 2008.

Privacy is on the list, which doesn't surprise me too much. Afterall, incidents are in the media regularly as are government policies that have an impact on personal information. And this is an area in which the media don't hesitate before calling a lawyer for comment. Just off the top of my head, I can think of a few colleagues at the privacy bar who have been repeatedly quoted in the media on privacy articles in the past year, including Brian Bowman in Winnipeg, Michael Geist in Ottawa, and David Canton in London.

Legal Expert Connections Projects Top 10 Law Firm Practice Areas of Media Interest in 2008

The top 10 law firm practice areas of interest to the media, based on current news events, are projected to be real estate, government, intellectual property, international, privacy, immigration, trusts & estates, environment, employment and health care. Attorneys and legal marketers are advised to plan their 2008 communications strategy accordingly, notes law firm marketing consultant Margaret Grisdela.

Boca Raton, FL (PRWEB) January 2, 2008 -- Law firms that position their attorneys as legal thought leaders and educators in key 2008 news stories will leverage their expertise and increase name recognition via a proven public relations strategy. According to Margaret Grisdela, President of the legal marketing firm Legal Expert Connections ( and author of the new legal marketing book Courting Your Clients, attorneys in hot practice areas should take advantage of current media news coverage and emerging trends to capture a leadership position and competitive advantage in their areas of expertise.

"This approach is really Public Relations 101: offering high level legal insight and expertise to a variety of media outlets to garner the third party credibility and broad-based exposure in print, radio, television and on the web that PR offers," affirms Ms. Grisdela. "Journalists and radio and TV producers are always seeking experts on timely news topics. The following legal practice areas are poised to generate a high level of interest from the media in 2008, meaning that attorneys and their marketing advisors should strategize now to ensure that their name is top of mind with the media."

1. Real estate. As home sales continue to decline, attorneys with a real estate practice serving consumers or developers will find many opportunities to educate the market in areas of foreclosure, bankruptcy, mortgage fraud, and short sales.

2. Government. The 2008 presidential election will dominate the news, giving attorneys with an angle on leading voter concerns like the Iraq war, civil rights, the U.S. economy and education a big potential stage.

3. Intellectual Property. The U.S. Congress is evaluating major patent legislation, while Europe is actively implementing sweeping "EPC 2000" patent changes in 2008. IP attorneys have an unprecedented opportunity to explain digital rights, licensing, infringement and the need for trade secret protection.

4. International. In 2007, the Securities and Exchange Commission paved the way for likely adoption of International Financial Reporting Standards (IFRS), which could ultimately replace U.S. Generally Accepted Accounting Principles (GAAP). As business goes global, corporate and securities attorneys can educate audiences on business legalities in Brazil, Russia, India, China, and other rapidly growing countries.

5. Privacy. With digital consumer data growing exponentially, attorneys can address matters involving privacy policies, identify theft, data security, e-discovery, background checks, medical record protection, credit reports and more.

6. Immigration. Congress could not reach agreement on immigration reform in 2007 despite heated public debate, leaving this is a hot button for 2008 politics.

7. Trusts & Estates. 2008 is the first year Baby Boomers start turning 62 and become eligible for Social Security retirement benefits. Attorneys with a concentration in wills, trusts, and estates should position themselves as a credible legal partner for aging Boomers in need of retirement planning.

8. Environment. Leading world scientists documented an "unequivocal" warming in the global climate in 2007. Law firms can address a range of green topics, including alternative energy, recycling, energy efficiency, toxic tort litigation and more.

9. Employment. Wage and hour litigation brought under the Fair Labor Standards Act (FLSA) tripled in the past few years, according to court records. Employment law attorneys should be prepared to speak on a full range of employment law matters including overtime, discrimination, family leave, and other personnel policies.

10. Health Care. Universal coverage will be a big focus of media attention during the 2008 elections, giving health care attorneys a natural platform to address insurance haves and have-nots, HIPAA, health care fraud, billing practices, medical reimbursements and more.

In addition to direct media outreach on these topics, other public relations and communications opportunities for attorneys include speeches, articles and editorials, blogs, letters to the editor, newspaper columns, web site postings, white papers, client alerts, and educational seminars.

About Legal Expert Connections, Inc.

Legal Expert Connections specializes in marketing and business development exclusively in the legal and litigation support markets. Founded by law firm marketing consultant Margaret Grisdela, also known as the "Rainmaking Lady," the firm's services include business development seminars and campaigns, attorney marketing plans, law firm brochures, expert witness marketing, direct mail, web site development and more. The firm's web site is and lawyer marketing blog is

Opinion: We have everything to fear from ID cards

Today's Telegraph has a great opinion piece against mandatory ID cards in the UK:

We have everything to fear from ID cards - Telegraph

By Andrew O'Hagan

We start the year in Britain with a challenge to our essential nature, for 2008 might turn out to be the year when we decide to rip up the Magna Carta.

Among the basic civil rights in this country, there has always been, at least in theory, an inclination towards liberal democracy, which includes a tolerance of an individual's right to privacy.

We are born free and have the right to decide what freedom means, each for ourselves, and to have control over our outward existence, yet that will no longer be the case if we agree to identity cards.


Britain is already the most self-watching country in the world, with the largest network of security cameras; a new study suggests we are now every bit as poor at protecting privacy as Russia, China and America.

But surveillance cameras and lost data will prove minuscule problems next to ID cards, which will obliterate the fundamental right to walk around in society as an unknown.

Some of you may have taken that freedom so much for granted that you forget how basic and important it is, but in every country where ID cards have ever been introduced, they have changed the relation between the individual and the state in a way that has not proved beneficial to the individual. I am not just talking Nazi Germany, but everywhere.

It is also a spiritual matter: a person's identity is for him or her to decide and to control, and if someone decides to invest the details of their person in a higher authority, then it should not be the Home Office.

The compulsory ID card scheme is a sickness born of too much suspicion and too little regard for the meaning of tolerance and privacy in modern life.

Hooking individuals up to a system of instantly accessible data is an obscenity - not only a system waiting to be abused, but a system already abusing.

Though we don't pay much attention to moral philosophy in the mass media now - Bertrand Russell having long been exchanged for the Jeremy Kyle Show - it may be worth remembering that Britain has a tradition of excellence when it comes to distinguishing and upholding basic rights and laws in the face of excessive power.

The ID cards issue should be raising the most stimulating arguments about who we are and how we are - but no, it is not: we nose the grass like sheep and prepare to be herded once again.

It seems the only person speaking up with a broad sense of what this all means is Nick Clegg, the new leader of the Liberal Democrats, who has devoted much of his new year message to underlining the sheer horribleness of the scheme.

He has said he will go to jail rather than bow to this "expensive, invasive and unnecessary" affront to "our natural liberal tendencies".

I have to say I cheered when I heard this, not only because I agree, but because it is entirely salutary, in these sheepish times, to see a British politician express his personal feelings so strongly.

Many people on the other side of the argument make what might be called a category mistake when they say: "If you've nothing to hide, why object to carrying a card?"

Making it compulsory to prove oneself, in advance, not to be a threat to society is an insult to one's right not to be pre-judged or vetted.

Our system of justice is based on evidence, not on prior selection, and the onus on proving criminality is a matter for the justice system, where proof is of the essence.

Many regrettable things occur as a result of freedom - some teenage girls get pregnant, some businessmen steal from their shareholders, some soldiers torture their enemies, some priests exploit children - but these cases would not, in a liberal society, require us to end the private existence of all people just in case.

If the existence of terrorists, these few desperate extremists, makes it necessary for everybody in Britain to carry an ID card then it is a price too high.

It is more than a price, it is a defeat, and one that we will repent at our leisure. Challenges to security should, in fact, make us more protective of our basic freedoms; it should, indeed, make us warm to our rights.

In another age, it was thought sensible to try to understand the hatred in the eyes of our enemies, but now it seems we consider it wiser just to devalue the nature of our citizenship.

What's more - it won't work. Nick Clegg has pointed to the gigantic cost and fantastic hubris involved in this scheme, but recent gaffes with personal information have shown just how difficult it is to control and protect data.

A poll of doctors undertaken by has today shown that a majority of doctors believe that the National Programme for IT - seeking to contain all the country's medical records - will not be secure.

In fact, it is causing great worry. Many medical professionals fear that detailed information about each of us will soon be whizzing haphazardly from one place to another, leaving patients at the mercy of the negligent, the nosy, the opportunistic and the exploitative.

"Only people with something to hide will fear the introduction of compulsory ID cards."

That is what they say, and it sounds perfectly practical. If you think about it for a minute, though, it begins to sound less than practical and more like an affront to the reasonable (and traditional) notion that the state should mind its own business.

In a just society, what you have to hide is your business, until such times as your actions make it the business of others. Infringing people's rights is not an ethical form of defence against imaginary insult.

You shouldn't have to tell the government your eye colour if you don't want to, never mind your maiden name, your height, your personal persuasions in this or that direction, all to be printed up on a laminated card under some compulsory picture, to say you're one of us.

You weren't born to be one of us, that is something you choose, and to take the choice out of it is wrong. It marks the end of privacy, the end of civic volition, the end of true citizenship.

The Clawbies are out!

On New Year's Eve, Steve Matthews published his Clawbie awards for Canadian Legal Blogs. I was honoured to be a runner-up in the practitioner support category:

2) Best Practitioner Support Blog - Garry Wise - Year-in and year-out, Garry is one committed law blogger. He offers his opinions on almost everything, and if you do a Google search for Toronto lawyer you’ll see how blogging benefits the online exposure of his practice. If you didn’t read his Starting a law firm post back in February, please do. Garry Wise consistently offers great vision to a lot of solos across the country. Runner ups: David Fraser’s Canadian Privacy Law Blog, Hull & Hull’s Toronto Estate Law Blog

Steve has been a big promoter of this blog and I'm grateful to have gotten to know him over the past years. Check out the full listing and support your local legal blogger!

New US passport cards for North American travel can be read at a distance

Over the holidays, the US government published information about a new passport card to facilitate travel by Americans in North America. One "feature" is causing a lot of concern: the technology (presumably RFID) built into the card means they can be read over a distance of up to eight metres. The cards will be issued with protective sleeves for those who want to use them, but this doesn't assuage privacy advocates who think the technology is inherently flawed. See: U.S. 'vicinity-read' cards assailed by privacy experts.

Tuesday, January 01, 2008

New breach blog

Emergent Chaos is linking to a reasonably new resource, the Breach Blog, that contains data on personal information breaches, similar to Pogo's and the Data Loss Archive and Database (DLDOS).

I've stopped blogging about most breaches, primiarily because they are too numerous and others can provide that service. I try, however, to keep on top of them and report on those that are particularly newsworthy or provide novel lessons to be learned. I'll certainly add it to my blogroll.

Happy New Year!

To all the readers of the Canadian Privacy Law Blog, I wish you all the best for 2008!

Happy new year!

Fireworks photo by ahisgett, used under a creative commons license.