Friday, April 30, 2010

Social networking for lawyers seminar

Some readers of this blog may be interested in this seminar that I'm giving for the Nova Scotia Barristers Society next week. Those who aren't lucky enough to be in Halifax can attend by webinar:
NSBS - Development
Lunch & Law: Social Networking in a Global Market
Lunch & Law -

Social Networking in a Global Market: Marketing Strategies for Lawyers

Nova Scotia Barristers' Society - Continuing Professional Development

Wednesday, May 5, 2010 12:00 - 1:30 pm

CPD Center, Suite 408, 1645 Granville Street, Halifax

The Program: New technologies provide a plethora of unique opportunities for lawyers to raise their profiles and reach new clients.

Join David T.S. Fraser of McInnes Cooper for a repeat performance! David will provide an overview of blogs, social networking websites and other innovative means of marketing your law practice.

Even if blogs, Facebook, LinkedIn and Twitter leave you scratching your head and wondering what it's all about, this seminar will provide practical insight into these dynamic marketing channels.

David will also explore the issues of associated ethics challenges based on the CBA's new Guidelines for Ethical Marketing Practices Using New Information Technologies.

Don't miss this unique opportunity to learn the latest and greatest trends for marketing your legal practice.

Originally delivered to Society membership in December. Join us for a repeat performance!

Register online - If you do not already have a username and password (or to activate your account), please contact Pierre Benoit at pierreb@nsbs.org.

Fee: $40 per person plus tax (lunch included)

Can't travel to Halifax? Why not join us from the comfort of your office!
Webinar/Teleconference option is available. Fee is $40 plus tax (includes long-distance charges). Instructions will be emailed one day in advance.

Yahoo privacy boss distances herself from Facebook

It really isn't surprising that companies that are not Facebook are concerned that Facebook's attitude to privacy means that other internet companies are having also big targets placed on their backs.

Yahoo privacy boss distances herself from Facebook - The Globe and Mail

...“Mark Zuckerberg is younger than me,” Ms. Toth, the California-based Chief Privacy Officer of search engine giant Yahoo Inc., says with an exasperated shrug during an interview. “Just because a CEO says something, doesn’t mean he is going to be right.”

What Ms. Toth is lamenting is the privacy policies of Facebook’s 25-year-old founder. The social media site found itself the subject of criticism this week from Canada’s Privacy Commissioner and four U.S. senators, who complained that a recent set of innovations improperly exposed the Internet habits and personal opinions of users. A New York Times reporter fuelled the controversy when he posted a quote on Twitter from an unnamed Facebook employee saying Mr. Zuckerberg, “doesn’t believe” in privacy.

That type of attitude, Ms. Toth said, is putting Internet companies in harm’s way with regulators and customers who are agitating for improved privacy protections. If the industry doesn’t work together to simplify and standardize website privacy settings, she warns regulators are going to start imposing harsher rules. ...

Thursday, April 29, 2010

Commissioner can't demand evidence to back-up privilege claims

Dan Michaluk, over at All About Information, has a great summary of a recent case from the Federal Court holding that the Privacy Commissioner of Canada does not have the power to demand evidence to support a claim of privilege, as an exemption to the access principle under PIPEDA. See: Case Report – Federal Court says OPC can’t demand evidence supporting a privilege claim « All About Information.

This is very interesting because since Blood Tribe, the Commissioner has been demanding detailed information about the documents over which privilege is claimed.

This case is Privacy Commissioner of Canada v. Air Canada, 2010 FC 429 (CanLII), 2010 FC 429 (CanLII).

Wednesday, April 28, 2010

Patriot Act reality check and Canadian authorities' similar powers

I had the honour of being invited to speak to the Canadian Bar Association's Alberta branch earlier this week about cross-border privacy issues.
We have had to deal with them rather acutely in Nova Scotia since the passage of the Personal Information International Disclosure Protection Act (PIIDPA), which prompted me to take a closer look at the different regimes for access to personal information by law enforcement and national security types on both sides of the border.
Most people are surprised to learn that some of the most "problematic" provisions of the USA Patriot Act are replicated in Canadian law in the Anti-Terrorism Act. We just don't hear about it as much. People are also surprised to learn of huge amount of information sharing that takes place between agencies in Canada and their counterparts in the US.
For example, we have our equivalent of the FISA secret court in the form of designated judges of the Federal Court of Canada acting under the CSIS Act, who issue secret orders. Our National Defence Act allows for warrantless interception, for the purpose foreign intelligence, of private communications directed at foreign entities located outside of Canada. This is very similar to authorizations by the Attorney General of the United States under the Foreign Intelligence Surveillance Act.
Here's the presentation I gave:

Amazon refuses to turn over customers' reading records to North Carolina tax department

Tax authorities in North Carolina, in connection with an investigation about sales taxes, has demanded that Amazon hand over information not only about sales to North Carolina residents, but the details of what they bought. This would include information about books and other very personal purchases.

Amazon is fighting the request as invasive of customer privacy.

See: Amazon refuses to turn over customers' reading records to North Carolina tax department - Boing Boing.

Sunday, April 25, 2010

Facebook changes rules for plaform developers; Privacy Commissioner warns of blackmail risk

Quietly, Facebook has changed it policy for developers on the Facebook platform. Under the old policy, platform developers were only able to cache user information for less than 24 hours. Now, that limitation has been lifted. Not surprisingly, Canadian Privacy Commissioner Jennifer Stoddart has something to say about it:
Facebook users risk blackmail, privacy czar warns - The Globe and Mail

Jacquie McNish and Omar El Akkad

Published on Friday, Apr. 23, 2010 10:19PM EDT

The world’s most popular social network has made it easier for its users to become the victims of “blackmail” by watering down its protections of personal information, Canada’s top privacy official says.

Facebook executives this week unveiled a series of changes to the site, which now boasts about 400-million users. One of the changes allows third-party developers who design games and other Facebook applications to store user data indefinitely. Previously, developers were required to delete the data after 24 hours.

“I’m very concerned about these changes. More than half a million developers will have access to this data,” Jennifer Stoddart, Canada’s Privacy Commissioner, said in an interview in her Ottawa office. “The information will be stored indefinitely and it opens the possibility that a lot of people can be blackmailed from all corners of the world.”

More than just about any government official in the world, Ms. Stoddart’s hard-line stand on protecting consumers’ privacy has forced Facebook to fundamentally alter the way it treats personal information, even though Canada’s Privacy Commissioner has substantially weaker enforcement powers than many of her global counterparts. After she concluded a 14-month investigation of Facebook last year, the website committed to installing better safeguards by a deadline this summer, including allowing its users to block makers of such popular applications as the game Farmville from culling private information and photos.

“They certainly seem to be moving in the opposite direction,” Ms. Stoddardt said. She said the regulator was surprised by the announcement and it does not intend to take any steps until after the deadline expires at the end of July for the social media giant to reform its privacy practices.

Facebook representatives told The Globe and Mail in an e-mail that privacy concerns “are always at the forefront of any new product development.”

“During the course of launching any products, including those at f8 [Facebook’s developer conference this week], we always consult with a variety of privacy bodies.”

Company representatives added that they had previously agreed to launch a new model for users to give permission to applications developers to use their information, and that the company had followed through on that promise this week.

Ms. Stoddart said the company's apparent about-face is the latest in a series of aggressive innovations by “bright young geeks” at Internet companies such as Facebook and Google, who are so enthralled with technology that they are not focusing on basic privacy rights that other brick-and-mortar companies respect. As these Web giants seek to profit from their extensive stores of demographic data, they are finding themselves increasingly at odds with privacy regulators.

“Making unlimited wealth is not a reason for doing away with privacy. The rest of the world’s citizens are not comfortable with this,” Ms. Stoddart said.

She added that her counterparts in other countries are disheartened by the Internet industry’s apparent indifference to privacy concerns and she expects that “an enforcement action” will be taken in the near future against one of the Web’s larger players.

She said it is likely that a European regulator will initiate enforcement proceedings because, unlike Canada, most European countries give their regulators the authority to order changes.

“This is a global issue and I expect we will see a global solution.”

The commission’s pioneering Facebook investigation was triggered by a complaint from an Ottawa privacy rights group, which alleged that the site was not properly informing users about their right to restrict access to their data. Although the commission's powers are limp by global standards, Ms. Stoddart said she decided after some “sleepless nights” that her office “could not duck” the privacy issues posed by Facebook.

Ironically, the Globe & Mail is connected to Facebook, so FB users can "like" the article or comment on it using their Facebook accounts.

Friday, April 23, 2010

Let’s see Canadian transparency in government demands for personal information

My post on Slaw this week:

Let’s see Canadian transparency in government demands for personal information – Slaw

Earlier this week, Michel-Adrian Sheppard blogged on Slaw about Google’s new Government Requests Tool (Google Releases Data on Government Requests for Private User Data). I blogged about it as well here. I’m all in favor of pulling this out of the shadows and into the sunlight.

It’s interesting to peruse the numbers and to read the FAQ.

While the information provided raises a bunch of questions, they are very important questions to ask. What are the nature of the demands for customer information? Criminal law or national security? What are the relevant Google products involved? Why so many government demands in Brazil?

But I’d really like to see other online service providers step up and provide this level of transparency. Bell, Aliant, Rogers, Shaw and other Canadian online service providers and ISPs should provide this same information for their operations. How many requests do they currently get? From whom? Which province? What is the legal authority? With or without a court order?

This is particularly relevant as the former Bill C-47 (Technical Assistance for Law Enforcement in the 21st Century Act) will likely return to Parliament which, if passed, will allow the police to demand customer information from telecommunications companies in Canada without a warrant.

Wednesday, April 21, 2010

Facebook makes users' "interests" public, with no opt-out

I am an unhappy Facebook user. Facebook has just decided that all the "interests" information on users profiles pages should be public. They say it is "Connecting you to everything you care about", but there's no opt out. If your profile says you're interested in photography, you're thrown into a community based on that interest.
As for me, I now have no interests because I am not intersted in Facebook disclosing my personal information without my ok.
For more info: Facebook Further Reduces Your Control Over Personal Information Electronic Frontier Foundation.

Tuesday, April 20, 2010

Google releases Government Requests Tool, showing info and takedown demands

Google has just announced a new "Government Requests tool", which shows graphically how many governmental requests Google and YouTube receive for either user information or to take down content. The background is explained at the Google Public Policy Blog: Greater transparency around government requests.

This can only be a good thing. Legal processes for the disclosure of user information and the removal of content are often not well understood. Any measure that increases transparency and accountability, while providing information to inform public debate, is a good thing. I would hope to see other service providers stepping up to provide this sort of information as well.

Then I'd like to see more well-informed debate on the matter.

Privacy guardians warn multinationals to respect laws

International data protection regulators are meeting in Washington, DC and are planning to hold a press conference this afternoon. Here is the announcement they have released to the media:

Privacy guardians warn multinationals to respect laws

WASHINGTON, DC, April 20, 2010 /PRNewswire via COMTEX/ -- Ten data protection authorities from around the world say Google Inc. and other international corporations are overlooking privacy values and legislation when they launch new online products.

EDITORS NOTE: The heads of some of the data protection authorities that signed the joint letter to Google Inc. will host a press conference today in Washington, D.C., where the International Association of Privacy Professionals is holding its annual global summit. Journalists outside of Washington may listen in via teleconference. Details are provided below.

Privacy Commissioner of Canada Jennifer Stoddart and several international counterparts have issued a joint letter directing Google Inc. and other international corporations to respect the privacy rights of people around the globe.

"While we hear corporations such as Google pay lip service to privacy, we don't always see this reflected in the launch of new products," says Commissioner Stoddart.

"As part of an unprecedented collaboration, data protection authorities representing over 375 million people in 10 countries are speaking with a common voice to remind these organizations that they must comply with the privacy laws of each country where they roll out online products and services."

Commissioner Stoddart was among the signatories to a joint letter to Google Chief Executive Officer Eric Schmidt expressing deep concern about his company's privacy practices, particularly in relation to the recent launch of its social network, Google Buzz.

The letter, signed by the heads of data protection authorities in Canada, France, Germany, Ireland, Israel, Italy, the Netherlands, New Zealand, Spain and the United Kingdom, stated:

(W)e are increasingly concerned that, too often, the privacy rights of the world's citizens are being forgotten as Google rolls out new technological applications. We were disturbed by your recent rollout of the Google Buzz social networking application, which betrayed a disappointing disregard for fundamental privacy norms and laws. Moreover, this was not the first time you have failed to take adequate account of privacy considerations when launching new services.

The data protection authorities go on to note that the privacy problems associated with the initial global rollout of Google Buzz in February should have been "readily apparent" to the company.

Google Mail, or Gmail, had been a private, one-to-one web-based e-mail service, but was abruptly melded with a new social networking service. Google automatically assigned users a network of "followers" from among people with whom they corresponded most often on Gmail, without adequately informing those users about how this new service would work or providing sufficient information to permit informed consent.

These actions violated the fundamental, globally accepted privacy principle that people should be able to control the use of their personal information.

Gmail users - understandably concerned that their personal information was being disclosed - were highly critical of the new service. In response, Google apologized and quickly introduced changes to address the widespread criticism.

Previously, Google has raised significant privacy concerns in many countries with the launch of its Street View service, which displayed images of street scenes on the Internet.

In the letter, the data protection authorities recognized that Google is not the only online company that has introduced services with inadequate protections for privacy. However, they urged Google to set an example "as a leader in the online world."

"We therefore call on you, like all organizations entrusted with people's personal information, to incorporate fundamental privacy principles directly into the design of new online services."

The letter makes specific recommendations for enhancing privacy protections and asks Google to explain how it will comply with national privacy laws in the future.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

Saturday, April 17, 2010

This blog has moved

This blog is now located at http://blog.privacylawyer.ca/. You will be automatically redirected in 30 seconds, or you may click here. For feed subscribers, please update your feed subscriptions to http://blog.privacylawyer.ca/feeds/posts/default.

Sunday, April 11, 2010

Some thoughts on street photography

Simon Fodden, the head slawer over at http://www.slaw.ca/ has a great post to end the week (The Friday Fillip – Slaw), pointing to a great piece of photographic excellence "We're all gonna die". It's a 100m long photograph of people taken from Warshauer Strasse in Berlin. Go take a look at it, then come back here.

Simon notes that you can't go and see the location on Google Street View, presumably because of the supposed privacy issues that the German government has with street level imaging. That's too bad.

Simon brings up the broader topic of the privacy issues of photographing people, particularly in public places. It's an issue that has come up in all the discussions about Google Street View and other street imaging products out there on the 'net. I've given this topic a bit of thought, being simultaneously a privacy nerd, photo nerd and history nerd. Obviously, taking photos of people raises privacy issues but I don't have much of a problem when photos are taken in public places. People simply have diminished expectations of privacy on a public street. I like that Google and some others have allowed individual "vetoes", so that anyone who does not want to appear online can have the image taken down.

That's not to say that wholesale surveillance is ok, but when the images are being taken primarily of places and the people are incidental, I don't think this is what privacy laws were designed to protect us against. (The line can blur towards stalking or harassment if you follow a person in a public area and continue to take their photo, but that's not at issue here.)

Canadian privacy laws are meant to address commercial activity. To me, this sort of imaging is not "commercial" but fits under the exception of "journalistic, artistic and literary" expression, which is expressly excluded from PIPEDA.

My firm's property department has some great historical publications on the original property grants for Halifax. They include all sorts of info, like what was where, who owned what. For a history nerd, it is fascinating. It's a cool city with a neat history. I've spent hours looking at historical photos of Halifax. Many of them have people in them, which only adds to the value. I don't care who they, but what they are doing, where they are going and what they are wearing add so much to the historical significance of the photos.

I can't wait until the technology has been around long enough so that not only will you be able to stroll down a virtual street, but you'll be able to scroll back through history. Imagine looking at a downtown street in Street View and being able to choose to see what it looked like last year, five years go, ten years ago and fifty years ago. Not only will that be immensely cool, academics will have an incredibly valuable resource at their disposal.

Friday, April 09, 2010

RCMP changes rules for criminal records checks

Today's post at slaw.ca:
RCMP changes rules for criminal records checks

Late last year, the RCMP changed its policy for access to criminal records information via the Canadian Police Information Centre (CPIC). Reputable companies, up until that point, had been able to obtain police records clearances through local police departments. These clearances were conditional upon the background checking company obtaining signed consent from the individual and making those consent forms available for spot audits. Provided the proper consent was obtained, background checking companies had been able to provide same-day results if the name, address and date of birth provided did not result in any “hits” in CPIC. In most cases, where there may be derogatory information, the individual would have to appear for fingerprinting so that his or her identity could be confirmed. This practice meant that those who had clear records could go on to the next stage of the process for their job application, volunteering application or whatever.

For records where a pardon has been granted for certain sexual offences, a notation is made in CPIC’s databases. It used to be that the police would provide, with the individual’s written consent, confirmation that no such notation exists provided that the person was being screened for working or volunteering with vulnerable populations.

These checks were facilitated by professional background screening companies, in cooperation with law enforcement, who would often be able to provide an “all clear” within the day.

Now, all screening requires fingerprints and about 120 days’ wait. The RCMP is saying that they are simply doing what the Criminal Records Act requires them to do. I don’t buy it. The Act says that the RCMP can disclose the existence of a notation if the person has provided written consent and the check is made for a paid or volunteer position that is one of authority or trust relative to children or vulnerable persons.

According to an article in today’s Globe & Mail, a number of volunteer-staffed organizations have cancelled programs because the 120 day wait cannot be accommodated. What may be worse, some organizations may be foregoing these checks and permitting unscreened people to work closely with vulnerable populations.

This is untenable, in my view. I’m not in favour of widespread criminal records checking where it is not relevant to the position, but these checks are very often relevant for certain employment or volunteer positions. Provided the person has provided clear, informed, unambiguous consent, there is no reason why an “all clear” can’t be given forthwith. I can understand that you would want to avoid the possibility of erroneously saying that a person has a criminal record or a pardoned sexual conviction, so the practice of fingerprinting should continue where there might be a “hit”. But where there is no reason to think a person has a record, that information should be provided right away.

Volunteerism is important. Silly policies should not have the effect of impeding volunteer efforts, nor should they discourage prudent screening that keeps predators away from the vulnerable.

Wednesday, April 07, 2010

Saskatchewan amends privacy regs to permit soliciation of former patients

One controversial aspect of health privacy laws, at least when they are implemented, is whether hospitals or supporting foundations can use patient information without consent for fund-raising purposes. It appears that Saskatchewan is about to amend the health privacy regulations for that province to permit solicitation after a sixty-day waiting period. See: Saskatchewan gives local health foundations the OK to contact former patients for fundraising purposes.

Thursday, April 01, 2010

US Federal judge declares warrantless wiretapping program unlawful

A US Federal Court has declared that the Bush-era "warrantless wiretap" program was unlawful. The administration, up to and including the Obama administration, argued that in a time of war, it was lawful to eavesdrop on communications without a warrant, particuarly international communications. The decision is here: http://cryptome.org/alharamain-v-nsa.pdf and the New York Times' has an article on the decision here: Federal Judge Finds N.S.A. Wiretaps Were Illegal - NYTimes.com.