Sunday, August 31, 2008

Newly noticed: Photo Attorney

After a very long hiatus, I've been reinfected with the photography bug thanks to acquiring a new digital SLR (some of my recent work is at http://www.privacylawyer.ca/photo or can be found on Flickr here (RSS)).

And of course, everything has to do with privacy and civil liberties, so I've also become quite interested in the recent "war against photography" (examples here, here, here and here). There are also a few interesting perspectives about photography in public places and privacy. People have been harassed for taking pictures of their own children because other children may also be included in the photos. I don't have all the answers, but it's interesting to try to keep up with the debate. To that end, I've added Photo Attorney to my RSS reader, to follow what Carolyn E. Wright has to say on the topic.

Tuesday, August 26, 2008

Privacy? We Got Over It.

Yesterday's Wall Street Journal had an interesting Op/Ed on privacy, highlighting contemporary expectations of privacy.

Information Age - WSJ.com

Privacy? We Got Over It.

August 25, 2008; Page A11

In 1988, Congress banned video stores from disclosing the titles of films that people rent. The issue arose because in the battle to block Robert Bork from the Supreme Court, someone leaked his video rentals.

Fast-forward to this summer, and a federal judge hearing a $1 billion copyright complaint by Viacom ordered YouTube to turn over online records about which computer addresses were used to watch which videos on the site. The judge dismissed privacy concerns as "speculative." How quickly our expectations of privacy have changed.

Privacy advocates objected that with access to Internet protocol addresses, it would be possible to track who watched what. Hundreds of millions of people have watched videos on YouTube since its founding in 2005 -- indeed, by one estimate, virtually everyone who uses the Web has watched a video on the site. This makes it surprising that there was such little public outcry about this potential loss of privacy. Google, which owns YouTube, has complied with the judge's order by using encryption to hide individual records, but it is indeed "speculative" how much people would object to disclosing this online behavior.

This incident is a telling moment. We seem to be following the advice of Scott McNealy, chairman of Sun Microsystems, who in 1999 said, "You have zero privacy anyway. Get over it." And the observation by Oracle CEO Larry Ellison: "The privacy you're concerned about is largely an illusion. All you have to give up is your illusions, not any of your privacy."

These comments could be dismissed as technology executives trying to minimize complaints about technology. But whatever we say about how much we value privacy, a close look at our actual behavior suggests we have gotten over it. A recent study by AOL of privacy in Britain found that 84% of people said they would not disclose details about their income online, but in fact 89% of them willingly did.

Amazon closely records our taste in books, Gmail scans our emails to deliver relevant ads, and electronic tolls track where we drive. Profiles on MySpace and Facebook are accessible, forever. The disclosure that Judge Bork liked to rent British comedies seems quaint in comparison.

Records about us are no longer kept in scattered manila files in dusty cabinets, but digitally, which means in permanent records that can be combined with other records to paint a full picture of our tastes and habits. Information held by different retailers, insurers and government agencies can be mined to create constantly updated files more complete than the most tenacious intelligence report on a suspected criminal a generation ago.

Privacy advocates do their jobs by reminding us of these risks, but our choices all seem to be in the direction of trading away privacy. The fantastic power and convenience of digital life has led us to change what we consider private in ways that we can only begin to understand.

Indeed, our expectations of privacy have changed radically over time. Stanford law professor Lawrence Friedman in his recent book, "Guarding Life's Dark Secrets," documents the total lack of privacy expectations through the medieval period, when people lived together with no option for privacy, to a period of privacy for some people and some purposes as part of what he calls the "Victorian compromise." Propriety was defined through social norms focused on reputation, which included significant freedom for otherwise scandalous behavior if it was done carefully, in private.

"If the nineteenth century was a world of privacy and prudery, a world of closed doors and drawn blinds," Mr. Friedman writes, "then the world of the twenty-first century is the world of the one-way mirror, the world of the all-seeing eye."

We now seem happy to trust companies with our information for benefits such as one-click buying and online searches for personally relevant results. In a digital world where it is possible to know more than ever about everything, including one another, the new vice may be the flip side of privacy -- concealing information about ourselves of legitimate value to others.

In the physical world, surveillance cameras, satellites and bio-recognition systems have redefined privacy expectations. We have learned that "privacy can be very dangerous," as federal appeals judge Richard Posner has observed. "Obviously if you're a terrorist, privacy is enormously important. So the more we think of privacy as endangering us, that will reinforce these commercial incentives to surrender privacy."

Privacy remains a virtue, or at least we still say it does. But the balance has been tipped by other values, such as transparency, a free flow of information and physical security. We're in the early stages of adapting to more digital and visible lives, with privacy expectations better defined by what we do than by what we say.

Monday, August 25, 2008

Hackers target hotel chain and swipe details of all guests from the past year

This is simply staggering, but a harbinger of things to come I am sure:

The Sunday Herald - Scotland's award-winning independent newspaper

Revealed: 8 million victims in the world's biggest cyber heist

EXCLUSIVE: Sunday Herald uncovers theft of data from every guest in 1300 Best Western Hotels in past 12 months

By Iain S Bruce

AN INTERNATIONAL criminal gang has pulled off one of the most audacious cyber-crimes ever and stolen the identities of an estimated eight million people in a hacking raid that could ultimately net more than £2.8billion in illegal funds.

A Sunday Herald investigation has discovered that late on Thursday night, a previously unknown Indian hacker successfully breached the IT defences of the Best Western Hotel group's online booking system and sold details of how to access it through an underground network operated by the Russian mafia.

It is a move that has been dubbed the greatest cyber-heist in world history. The attack scooped up the personal details of every single customer that has booked into one of Best Western's 1312 continental hotels since 2007.

Amounting to a complete identity-theft kit, the stolen data includes a range of private information including home addresses, telephone numbers, credit card details and place of employment....

Thanks to the ever-vigilant Rob Hyndman for the link.

China considers criminal penalty on leaking personal data

Some non-Olympic news from China:

It appears that China is considering criminal law amendments similar to those passed recently in Canada to make it a criminal offense to traffic in personal information. See: China weighs criminal penalty on leaking personal data_English_Xinhua.

Monday, August 18, 2008

CBA urges Government to reform Privacy Act

I am currently in Quebec City attending the Canadian Bar Association's annual Canadian Legal Conference. On behalf of the CBA's National Privacy and Access Law Section, I had the honour of presenting a resolution to the National Council calling for reforms to the Privacy Act. The resolution passed with one contrary vote (I wanted to speak with the fellow who voted against it, but didn't get the chance and then lost him in the crowd). This is the third time the CBA has formally called upon the government to look at the antiquated 1982 Act. The Privacy Commissioner, Jennifer Stoddart, is here and spoke to the Council on the following day. Her office has issued the following press release about the resolution:
News Release: Commissioner welcomes legal community’s call for privacy law reform (August 18, 2008) - Privacy Commissioner of Canada

Commissioner welcomes legal community’s call for privacy law reform

Quebec City, August 18, 2008 — A Canadian Bar Association (CBA) resolution once again highlights the urgent need for reform of Canada’s federal public sector privacy legislation, says the Privacy Commissioner of Canada, Jennifer Stoddart.

“With this resolution, lawyers from across the country are urging the government to strengthen privacy protection for Canadians. Canada’s federal sector privacy legislation, the Privacy Act, is unbelievably inadequate,” says Commissioner Stoddart. “I hope the federal government will heed the CBA’s call for modernization of the Act. This is the latest in a string of appeals from privacy experts about the need to update legislation which has been far outpaced by technological and societal changes.”

The CBA, which is holding its 2008 Legal Conference in Quebec City, passed the resolution calling for comprehensive revision of the Privacy Act on the weekend.

In particular, it proposes changes to the legislation to ensure that:

  • Federal government departments only collect personal information when demonstrably necessary for clear and articulated state goals;
  • Once collected, personal information is rigorously protected with stringent safeguards and accountability requirements, including a breach notification requirement; and
  • Personal information is not shared within or beyond Canada’s borders unless those safeguards and requirements can be guaranteed.

The Office of the Privacy Commissioner of Canada (OPC) has long been advocating for reform of the Privacy Act, which is a quarter-century old and has never been substantially updated.

Last spring, the House of Commons Standing Committee on Access to Information, Privacy and Ethics began a study of the Privacy Act and possible amendments. The OPC reform proposals to the committee are posted at http://www.privcom.gc.ca/keyIssues/ki-qc/mc-ki-pa_e.asp. The OPC looks forward to the Committee’s recommendations.The CBA resolution is available at www.cba.org/cba/resolutions/pdf/08-06-a-pdf.pdf. The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

Sunday, August 17, 2008

Commissioner launches her "Legal Corner"

The Federal Privacy Commissioner has launched on her website a "Legal Corner" which contains a wide range of resources that will be of interest to practitioners in the area of privacy law. See: http://www.privcom.gc.ca/leg_c/index_e.asp.

Thursday, August 07, 2008

Supposedly secure ePassports easily cloned

Cynics, who may say that "chipped" passports are more about control than security, may point to articles like this one to support their position:

‘Fakeproof’ e-passport is cloned in minutes - Times Online

New microchipped passports designed to be foolproof against identity theft can be cloned and manipulated in minutes and accepted as genuine by the computer software recommended for use at international airports.

Tests for The Times exposed security flaws in the microchips introduced to protect against terrorism and organised crime. The flaws also undermine claims that 3,000 blank passports stolen last week were worthless because they could not be forged.

In the tests, a computer researcher cloned the chips on two British passports and implanted digital images of Osama bin Laden and a suicide bomber. The altered chips were then passed as genuine by passport reader software used by the UN agency that sets standards for e-passports.

The Home Office has always argued that faked chips would be spotted at border checkpoints because they would not match key codes when checked against an international data-base. But only ten of the forty-five countries with e-passports have signed up to the Public Key Directory (PKD) code system, and only five are using it. Britain is a member but will not use the directory before next year. Even then, the system will be fully secure only if every e-passport country has joined....

Wednesday, August 06, 2008

New pain at the pump: Card skimming

Gas stations and convenience stores are probably among the most reported locales for card skimming, in which debit and credit cards are double-swiped and PINs are observed to commit fraud. Since my own debit card was skimmed a few weeks ago (Canadian Privacy Law Blog: Cloned!), I've stopped paying for gas inside and opting to pay at the pump where I am sure that my card does not leave my hands. Well, things are getting more complicated. Apparently pumps are becoming a common place for thieves to place covert card skimmers, at least in the US. See: Thieves skim credit card data at fuel pumps - Yahoo! News.

Student complains about Kiwi can cam

Sorry about the headline. I thought I could do beter than the one written by Stuff.co.nz.

I have reported on toilet cams on this site in the past, but all of those I've heard about installed by businesses have ended up to be fakes. That is until this report from New Zealand where a drunk student was roughed up by bouncers who were covertly watching him rip down a poster above the urinal.

See: Student shocked to star on club's loo-cam - New Zealand news on Stuff.co.nz.

Who do our privacy laws protect?

I was intereviewed by a New Brunswick journalist last week who was writing an article on how privacy laws can be used in a knee-jerk way to limit access to government information. The article, I expect, is a reaction to a number of stories out of NB where reporters were given the excuse of privacy laws to limit their access to information about potential high-risk offenders, the investigation of a motor vehicle accident that claimed a number of lives and public sector salaries.

Here is the bit that I contributed:

nbbusinessjournal.com - Who do our privacy laws protect?

Governments must protect citizens' public information [note: I'm sure I said "private information"] while still being accountable and transparent to the public, said David Fraser, a privacy lawyer with the Atlantic Canadian law firm McInnes-Cooper.

For example, the expenses for a cabinet minister's trip to Europe would likely be made public. However, a doctor's billing records, which would essentially reveal their salary, are only made available in some provinces, he said.

And although some form of privacy legislation has existed federally for quite some time, that doesn't mean the laws regulate every activity on the internet.

"It regulates commercial activities. So it says what information your bank can ask about you and what it can do with it, or your local video store," said Fraser. "But if an individual takes a picture of another person on their camera phone in embarrassing circumstances and then they post it on the Internet that's a personal use, not a commercial use, so that's not caught by that law." There are some circumstances where personal information can be released. For example, if an individual gives consent.

As well, personal information can be disclosed if it's deemed to be for the greater good of the public.

"I think people, just as a knee-jerk reaction, they say no - it's personal information," said Fraser.

Tuesday, August 05, 2008

Charges following TJX breach investigation

The New York Times is reporting that 11 people have been charged in connection with the massive data breach that dominated the headlines for months after January 2007:

11 Charged in Theft of 40 Million Card Numbers - NYTimes.com

...The charges focus on three people from the United States, three from the Ukraine, two from China, one from Estonia and one from Belarus.

The authorities said that the scheme was spearheaded by a Miami man named Albert Gonzalez, who hacked into the computer systems of retailers including TJX, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW Inc. The numbers were then stored on computer servers in the United States and Eastern Europe.

They then sold the information to people in the United States and Europe, who used it to withdraw tens of thousands of dollars at a time from automated teller machines, the authorities said....

For the sordid history, see these related posts.

Sunday, August 03, 2008

OT: Now appearing on slaw.ca

I've been invited to be a regular contributor on Slaw.ca (the Canadian cooperative weblog on things legal), which is a great opportunity to write about things other than privacy. I'll be posting there on Fridays. My initial contribution is the first of a series on contentment in the practice of law. Check it out, if interested: Slaw: Lawyers and the unnamed force.

SCC to hear case about privacy in garbage

Dan Michaluk reports in All About Information that the SCS is getting ready to hear a case from Alberta about reasonable expectation of privacy in garbage. See: One to Watch - Garbage case ready for hearing at SCC « All About Information.

Friday, August 01, 2008

Nomadic laptops can expect the rubber glove treatment

There's been a bit of a buzz lately about laptop inspections by the Department of Homeland Security (Crossing the border? Consider the possibility of laptop searches, Hands off my laptop, Your papers and laptops, please?, US Customs confiscating laptops). Today, the Washington Post is reporting on recently disclosed policies used by the DHS to take and inspect laptops:

Travelers' Laptops May Be Detained At Border (washingtonpost.com)

... The policies state that officers may "detain" laptops "for a reasonable period of time" to "review and analyze information." This may take place "absent individualized suspicion."

The policies cover "any device capable of storing information in digital or analog form," including hard drives, flash drives, cell phones, iPods, pagers, beepers, and video and audio tapes. They also cover "all papers and other written documentation," including books, pamphlets and "written materials commonly referred to as 'pocket trash' or 'pocket litter.' "

Reasonable measures must be taken to protect business information and attorney-client privileged material, the policies say, but there is no specific mention of the handling of personal data such as medical and financial records.

When a review is completed and no probable cause exists to keep the information, any copies of the data must be destroyed. Copies sent to non-federal entities must be returned to DHS. But the documents specify that there is no limitation on authorities keeping written notes or reports about the materials.

"They're saying they can rifle through all the information in a traveler's laptop without having a smidgen of evidence that the traveler is breaking the law," said Greg Nojeim, senior counsel at the Center for Democracy and Technology. Notably, he said, the policies "don't establish any criteria for whose computer can be searched." ...

If you want to take a look at the policy itself, it's here.

Thanks to Rob Hyndman for the tipoff.