Tuesday, November 30, 2010

Visa proposes to use location info to prevent fraud

I usually am not a fan of being profiled and data mined by companies without my knowledge, but there is one clear exception: I am delighted my bank takes such an interest in who I am and what I buy to prevent fraud. Loyal readers my recall my experience with having my debit card cloned, which was detected because my bank knows that I am not in the habit of withdrawing a few hundred dollars from my bank account at ATMs located in strip clubs.

Now, Visa is apparently interested in looking for corroboration from customers' cell phones to figure out whether purchases are legit. The logic is that if you are making a purchase where the card is allegedly present, your mobile phone is likely nearby. I would gladly opt in to this.

Check out the details from Fast Company:

Visa to Use Your Phone's Location to Prevent Credit Card Fraud | Fast Company.

Sure, you like all the great benefits of having your phone know where you are. Looking up directions or local weather information becomes that much faster. But outside companies and agencies are equally delighted to have access to your location information--and not just to send you coupons. Increasingly, they’re going to be using that information for purposes that have nothing to do with your convenience and fancy.

Some of those purposes you’ll like. Others you might not be so keen about. One you’ll probably be okay with was just announced by Visa Europe. The credit card company is going to start using information about the location of customers’ mobile phones to prevent credit card fraud.

Visa Europe has partnered with a company called ValidSoft that can establish whether your mobile phone is in the same place as the merchant or ATM where your card is being used. The assumption is that if the two devices are in close proximity, it’s probably you using the card, even if you’re far afield from your usual stomping grounds. If the two devices are not in the same place, the system may send up an alert.

Proximity information will only be one of a number of variables the system will use to assess the likelihood of fraud during any particular transaction. The companies say the system will both reduce card misuse and cut down on the number of “false positives.” That, they say, will create a better experience for users when a particular purchase deviates from their expected patterns--no more annoying calls or locking your card up when you're simply on vacation--and it will cut down on case-management processing costs for card issuers.

Earlier this year, Gartner issued a report predicting that by 2015, at least 15% of payment card transactions will be validated using mobile location information. “Visa Europe’s move is the start of this trend,” author Avivah Litan wrote on the Gartner blog. “These services have great value when it comes to protecting payment accounts and preventing fraud,” she wrote. “Many more banks and card companies will adopt them once they see the value.”

Facebook sued for HAVING privacy controls

TechCrunch is reporting that Facebook is facing a patent infringement lawsuit in the US for having privacy controls. Yup, you heard that right. The plaintiff is alleging that Facebook's privacy controls infringe a prior patent.

You simply can't win in this world.

Here's a blurb:

Facebook Sued For Having Privacy Controls In Place. Yes, Seriously.

... In short, because Facebook enables people to have some control over their privacy on the popular social networking sites by effectively letting users decide which information you share with whom, Walker Digital believes the company infringes one of its “inventions”.

Provided I’ve understood the complaint correctly and the whole thing isn’t an early April Fools joke, this whole suit is just plain laughable.

In a reaction to the Bloomberg piece, a Facebook spokesperson said they would fight the suit vigorously, calling it “completely frivolous”. This time, I can’t help but agree with them.

You can read the full docket over at Justia.

Monday, November 29, 2010

Ottawa Citizen: On guard for privacy

The Privacy Commissioner, Jennifer Stoddart, is the subject of a very complimentary editorial in today's Ottawa Citizen.

On guard for privacy


The rule for political survival under Stephen Harper's government seems to be: smile and nod, and hope no one notices you. So it's a nice surprise that the prime minister has nominated Canada's high-profile privacy commissioner for re-appointment.

Jennifer Stoddart is no sycophant. And she seems to have avoided the administrative and budgetary pitfalls that claimed the careers or marred the work of other officers of Parliament. Seven years ago, she took over an office in disarray, and turned it into an internationally recognized storehouse of expertise. Her office deals with a large workload. She often has to pronounce on questions while they are in the headlines. There's an urgency to every matter she takes on, because when an individual's privacy is under threat, a remedy delayed is a remedy denied.

Most recently, she's expressed concern about how governments will manage the information they gather on airline passengers. Notably, though, she doesn't rail against the whole concept of data collection. She's not a slavish defender of privacy at the cost of every other consideration. Her advice on airline security, as in all matters, is balanced and sensible. If a policy has an unwarranted or unnecessary effect on privacy, Stoddart will point out ways the government can mitigate those effects. When there is a clear breach, though, she doesn't mince words. She recently said Veterans Affairs' treatment of veteran Sean Bruyea was "alarming" and might be an indicator of a systemic problem. Stoddart's office has been pushing Facebook to make changes for several years, and has criticized a careless mistake Google Inc. made in collecting information for its Street View application.

In any era, Canadians would be lucky to have a privacy commissioner ready to denounce and recommend fixes for an egregious but conventional breach of an individual's rights, as happened in the Bruyea case. Stoddart, though, is particularly suited for this age, when new kinds of co-operation between states, new global business models and new territories in cyberspace are forcing privacy advocates to keep one step ahead.

Technology is changing fast. One gets the sense, though, that Stoddart finds that exciting, as well as challenging. She's no Luddite. She wants to improve the world of social media, not sneer at it. She treats privacy as an essential living element of 21st-century citizenship. That's important, because when privacy advocates buy into a binary world view that sees privacy and engagement as opposing principles, that encourages the developers of new technology to dismiss privacy as the concern of a bygone era.

There will be a lot of work to do in the next few years, as governments continue to refine their security protocols and as cyberspace takes on new forms. No public servant should develop a sense of entitlement, but Stoddart shows no signs of doing so. She's working hard, getting results and is eminently qualified to keep leading this fight for the next few years.

Stoddart has been nothing but fair to this government, and has given it no reason to punish her. It's quite possible, though, that her independent spirit and sharp mind will prove inconvenient to any government on the receiving end of one of her reports. The Harper government, to its credit, has shown itself willing to take that political risk for the good of the country.

Sunday, November 28, 2010

Privacy in the cloud for Canadian universities

This past week, I was invited to speak at the annual get-together of The Canadian University Council of CIOs (CUCCIO) in Toronto on the topic of cloud computing. Many universities in Canada are struggling with the legal and privacy issues of adopting cloud computing, particularly when Google and Microsoft are both offering very attractive (and free!) offerings that would relieve universities of the costs and burdens of administering student and alumni e-mail.

Universities in Alberta, British Columbia and Nova Scotia are particularly hampered by legislation that was designed to thwart the boogeyman represented by the USA Patriot Act.

BC and Nova Scotia have each adopted legislation that either categorically prohibits the "export" of personal information by public bodies, or put in place administrative hurdles. Alberta joins this pack by making it an offense under their public sector privacy law to disclose personal information in response to a "foreign demand for disclosure".

Part of the problem is that the legal framework is not particularly nuanced, as each decision about whether to outsource a service should be guided by a detailed risk assessment and privacy impact assessment instead of ham-fisted categorical rules that don't take particular circumstances into account.

Here is my presentation, which was well received.

If the embedded slideshow isn't showing you the love, click here: https://docs.google.com/present/view?id=ddpx56cg_320fx7rkbhh&interval=30

Canadian courts set high bar for privacy damage awards

Michael Geist's latest Toronto Star column addresses the two recent Federal Court decisions (Stevens and Randall) where the bar for damages has been set (unreasonably?) high. See: Geist: Canadian courts set high bar for privacy damage awards - thestar.com.

Thursday, November 25, 2010

Supreme Court considers privacy in electricity consumption

Yesterday, the Supreme Court of Canada released its decision in R. v. Gomboc, 2010 SCC 55 (CanLII), where the Court considered the use of a digital recording ammeter to determine the electricity consumption of a private home to form the basis (in part) for a search warrant related to a suspected marijuana grow-op.

The facts are somewhat unique, given that Alberta's Electrical Utilities Act and related Code of Conduct Regulation would have given the homeowner the ability to keep electricity consumption information confidential and that the cooperating party -- the utility -- was also a victim of the illegal consumption of electricity.

Check out Brian Bowman's blog post about the case, too.

Here's the headnote:


Constitutional law ― Charter of Rights ― Search and Seizure ― Warrantless request by police to electric utility company for installation of digital recording ammeter to measure flow of electricity into a residence suspected of housing a marijuana grow operation ― Information from digital recording ammeter indicating pattern consistent with grow operation ― Observations of police and information from digital recording ammeter basis for warrant to search residence ― Whether reasonable expectation of privacy existed in the information obtained from the digital recording ammeter ― Whether installation of digital recording ammeter violated the rights of the accused to be secure against unreasonable search and seizure ― Canadian Charter of Rights and Freedoms, s. 8 ― Electric Utilities Act, S.A. 2003, c. E-5.1 ― Code of Conduct Regulation, Alta. Reg. 160/2003

Police ― Powers ― Search powers ― Warrantless request by police to electric utility company for installation of digital recording ammeter to measure flow of electricity into a residence suspected of housing a marijuana grow operation ― Information from digital recording ammeter indicating pattern consistent with grow operation ― Observations of police and information from digital recording ammeter basis for warrant to search residence ― Whether police search powers exercised in manner that infringed right of accused to be secure against unreasonable search ― Canadian Charter of Rights and Freedoms, s. 8.

An officer with the Calgary Police Service Drug Unit informed the Southern Alberta Marijuana Investigation Team about a residence in Calgary that he believed might be involved in producing marijuana. That same afternoon, officers conducted a reconnaissance of the residence and made inquiries of neighbours. Based on the observations of the officers and the neighbours questioned, the police contacted the utility company to request the installation of a digital recording ammeter (“DRA”) which would measure electrical power flowing into the residence which was owned by G. The resulting DRA graph showed a pattern of cycling of approximately 18 hours, a pattern consistent with a marijuana grow operation. An officer re-attended at G’s residence to conduct a second external viewing. On the basis of her observations and the information provided to her, including the DRA graph, the officer obtained a search warrant. As a result of the search, the police seized 165.33 kilograms of bulk marijuana, 206.8 grams of processed and bagged marijuana located in a freezer, and numerous items relating to a marijuana grow operation. G was charged with possession of marijuana for the purposes of trafficking and production of marijuana and theft of electricity. A voir dire was conducted to consider G’s application to exclude the evidence disclosed by the search on the basis that no warrant had been obtained prior to the installation of the DRA. The trial judge relied on the Code of Conduct Regulation made pursuant to Alberta’s Electric Utilities Act as statutory support for police access to the DRA data. The DRA evidence was therefore admitted and G was found guilty of the drug-related offences. A majority of the Alberta Court of Appeal allowed G’s appeal and ordered a new trial, concluding that G had a subjective expectation of privacy in the DRA information which was also objectively reasonable. The majority further concluded that the Regulation could not be interpreted to imply the homeowner’s consent to allow a utility company to gather information at the request of the state.

Held (McLachlin C.J. and Fish J. dissenting): The appeal is allowed and the conviction entered at trial is restored.

Per Deschamps, Charron, Rothstein and Cromwell JJ.: A critical factual consideration, on which much of the disagreement in this case turns, is the degree to which the use of DRA technology reveals private information. The evidence was that marijuana grow operations are not investigated using only DRA data and that DRA technology is employed late in an investigation and after conventional investigative methods support the inference that marijuana is being grown in the home. DRA data are used as one more investigative tool to dispel the belief that a grow operation is on the premises and even operate in favour of the defence in approximately half of the times. The importance of what the DRA discloses and what inferences the DRA data support is central to this case. The findings of the lower court concluding that a reasonable expectation of privacy in the DRA data does exist because some information about what is taking place in a house could be inferred are not supported by any evidence on the record. The DRA is a technique that reveals nothing about the intimate or core personal activities of the occupants. It reveals nothing but one particular piece of information: the consumption of electricity.

Before reaching the question of whether a search is reasonable within the meaning of the Charter, the accused must first establish that a reasonable expectation of privacy existed to trigger the protection of s. 8. The facts of this case straddle two privacy interests recognized in the jurisprudence: informational and territorial. There is every reason, however, for proceeding with caution when deciding what independent constitutional effect disclosure clauses similar to those in the Regulation may have on determining a reasonable expectation of privacy.

Determining the expectation of privacy requires examination of whether disclosure involved biographical core data, revealing intimate and private information for which individuals rightly expect constitutional privacy protection. The appropriate question is whether the information is the sort that society accepts should remain out of the state’s hands because of what it reveals about the person involved, the reasons why it was collected, and the circumstances in which it was intended to be used. The combined effect of the Regulation and s. 487.014 of the Criminal Code establishes that not only was there no statutory barrier to the utility company’s voluntary cooperation with the police request, but express notice that such cooperation might occur existed. This is one factor amongst many which must be weighed in assessing the totality of the circumstances. The central issue in this case is thus whether the DRA discloses intimate details of the lifestyle and personal choices of the individual that form part of the biographical core data protected by the Charter’s guarantee of informational privacy. The evidence available on the record offers no foundation for concluding that the information disclosed by the utility company yielded any useful information at all about household activities of an intimate or private nature that form part of the inhabitants’ biographical core data. The DRA’s capabilities depend of course on the state of the technology at the time of its use. As DRA technology now stands, it is not capable of giving access to the occupants’ personal information. Instead, the DRA data merely yield an additional piece of information to evaluate suspicions — based on an independent evidentiary foundation — police already have about a particular activity taking place in the home.

A final factor affecting the informational privacy analysis is the fact that G’s interest in the electricity use data was not exclusive. G’s electricity consumption history was not confidential or private information which he had entrusted to the utility company. As the supplier of electricity, the utility company had a legitimate interest of its own in the quantity of electricity its customers consumed. Consequently, it is beyond dispute that the utility company was within its rights to install a DRA on a customer’s line on its own initiative to measure the electricity being consumed. The utility company was not an interloper exploiting its access to private information to circumvent the Charter at the behest of the state; rather, its role is limited to the wholly voluntary cooperation of a potential crime victim.

While a territorial privacy interest involving the home is a relevant aspect of the totality of the circumstances informing the reasonable expectation of privacy determination, the Charter’s protection of territorial privacy in the home is not absolute. Where, as in the case at bar, there was no direct search of the home itself, the informational privacy interest should be the focal point of the analysis. The fact that the home was the focus of an otherwise non-invasive and unintrusive search should be subsidiary to what the investigative technique was capable of revealing about the home and what information was actually disclosed. The fact that the search includes a territorial privacy aspect involving the home should not be allowed to inflate the actual impact of the search to a point where it bears disproportionately on the expectation of privacy analysis.

Per Binnie, LeBel and Abella JJ. ― Throughout the development of its s. 8 jurisprudence, the Court has consistently recognized the overriding constitutional importance of the privacy interests connected with activities taking place inside the home. Given the overriding significance of protecting these privacy interests, the concerns regarding the warrantless use of DRAs are well founded. And this case may well have been differently decided but for a crucial factor: the relationship between G and his utilities provider is governed by a recently enacted public statute, which entitles G to request confidentiality of his customer information. He made no such request. Nor did he challenge the constitutionality of the relevant provision. This combines to determinately erode the objective reasonableness of any expectation of privacy in the DRA data.

DRA data indicating a certain cyclical pattern permits a strong inference of the presence of a marijuana grow operation in a residence. The existence of such activity is presumptively information about which individuals are entitled to expect privacy because it is information about an activity inside the home and is, therefore, personal information. The fact that the activity is criminal does not, under our jurisprudence, remove it from the expectation of and entitlement to privacy protection and, therefore, the requirement of a warrant. The DRA is a surveillance technique that yields usually reliable inferences as to the presence within the home of one particular activity: a marijuana grow operation.

The fact, however, that the customer in this case can request that his or her information be protected means essentially that under the Code of Conduct Regulation, the customer is presented with the unrestricted ability to control the expectation of privacy in his or her relationship with the utility company. G made no such request, yet urges the Court to treat his expectation of privacy as if he had. There is no room for interpretive creativity in this case because there is no ambiguity in the language of the provisions. DRA information, whenever it is collected, is, necessarily, “customer information” pursuant to the Regulation and, as such, information under s. 10(3)(f) of the Regulation that can be collected by the utility company and disclosed “without the customer’s consent” to the police investigating an offence. An examination of the totality of the circumstances involves consideration of all, not just some, of the relevant circumstances. There can be no examination of the totality of the relevant circumstances without including the fact that the Regulation exists. It cannot, therefore, be seen as neutral or irrelevant. The contractual terms the Regulation creates are not only clear and unambiguous; they are also clearly relevant to an objective assessment of the reasonableness of any expectations of privacy G may have had in the DRA information, regardless of whether he decided to inform himself of the legal parameters of his relationship with his utility provider. When considered among all the circumstances of this case, the legislative authority provided by the Regulation is in fact determinative and leads to the conclusion that any expectation of privacy that G may have had was objectively unreasonable. In the absence of a reasonable expectation of privacy, the collection of the DRA information in this case did not constitute a “search” within the meaning of s. 8.

Per McLachlin C.J. and Fish J. (dissenting): This appeal raises core issues regarding the protection of privacy safeguarded by s. 8 of the Charter. When we subscribe for public services, we do not authorize the police to conscript the utilities concerned to enter our homes, physically or electronically, for the purpose of pursuing their criminal investigations without prior judicial authorization. Considering the totality of the circumstances, a reasonable person would not accept that the type of information at issue, collected for the reasons and in the manner that it was, should be freely available to the state without prior authorization. G is presumed to have a subjective expectation of privacy within his home. The existence of an obscure regulation that the reasonable person is unlikely to understand does nothing to render G’s subjective expectation objectively unreasonable. G had a reasonable expectation of privacy in the DRA data, the intrusion and transmittal of the information gleaned constituted a search and this search was not authorized by law.

A search occurs when state conduct interferes with an individual’s reasonable expectation of privacy. Whether an expectation of privacy is reasonable depends on whether the individual concerned has (1) a subjective expectation of privacy in the subject matter of the alleged search, and (2) whether that subjective expectation is objectively reasonable. The test for subjective expectation of privacy is a low hurdle and individuals are presumed to have a subjective expectation of privacy regarding information about activities within the home. Thus, resolution of this issue turns on whether G’s expectation of privacy was objectively reasonable. The factors relevant to determining an objectively reasonable expectation of privacy include the subject matter of the search, the place of the search, whether the privacy interest was abandoned or waived, the degree of intrusiveness, and, in some cases, the presence of a regulatory framework that would diminish any expectation of privacy. In our view, the resolution of this issue turns on the last two factors above: the degree of intrusiveness and the presence of a regulatory framework.

We begin with the issue of intrusiveness. While the DRA does not indicate the source of electrical consumption within the residence, it produces detailed information as to the amount of electricity being used in a home and when it is being used. In addition, DRAs are extremely accurate in disclosing the existence of plant growing operations within a house. The fruits of a search need not produce conclusive determinations about activities within a home in order to be considered informative and thus intrusive. The significance of the DRA data derives from its utility in making informed predictions concerning the probable activities taking place within a home. Predictions of this sort, while not conclusive, nonetheless convey useful private information to the police. Such evidence of criminal activity, or of a connection to criminality, has previously been considered by this Court to be very personal biographical information.

The constitutionality of a search does not hinge on whether there are even more intrusive search methods the police could have improperly used. It is unhelpful to compare a DRA search conducted without a warrant to a physical search conducted with a warrant. It is hardly apparent that the use of DRAs will reduce the total intrusion into a suspect’s territorial privacy as the use of a DRA only serves as a substitute for a physical search of a suspect’s home if the police could have obtained a warrant to search the home.

The remaining issue in determining whether a search occurred is whether the Regulation negates or reduces the objectively reasonable privacy interest the other factors suggest. A reasonable person would not have concluded that his or her expectation of privacy in activities inside the home was negated because of the Regulation. The average consumer signing up for electricity cannot be expected to be aware of the details of a complex regulatory scheme which permits the utility company to pass information on electricity usage to the police, especially when a presumption of awareness operates to, in effect, narrow the consumer’s constitutional rights. In addition, if they were made aware of the Regulation — something that did not happen in this case — reasonable consumers would likely not read it as permitting the intrusion at issue. Finally, although the Regulation is not a criminal law, the provisions relied upon by the Crown are explicitly criminal rather than regulatory in purpose. We conclude that G had a reasonable expectation of privacy in the DRA data and that the intrusion and transmittal of the information gleaned thus constituted a search.

If a search is established, the court must then determine whether the search was reasonable. The search in this case was not reasonable. The warrantless use of the DRA was not shown to be reasonably necessary to the police activity, as the police unit in this case has demonstrated by virtue of its general policy of applying for warrants before attaching DRAs to transformers located on private property. Moreover, while the Regulation permits the disclosure of “customer information”, it does not authorize the utility company to operate as an agent for the police for the purpose of spying on consumers. The DRA data that concerns us here was not pre-existing information in a utility company subscriber’s file. Although the utility company might have chosen to collect this data on its customers on its own initiative and for its own purposes, it neither did so nor manifested any intention to do so in this case. Accordingly, it has not been demonstrated that the search was authorized by law and as such, G’s rights under s. 8 of the Charter were infringed. We would affirm the judgment of the Court of Appeal and dismiss the appeal against that judgment to this Court.

Check out Brian Bowman's blog post about the case, too.

Jennifer Stoddart nominated for reappointment as Privacy Commissioner

The Prime Minister's Office has announced that the current Privacy Commissioner of Canada has been nominated for reappointment for a further three year term. It's worth noting that this is shorter than the usual full term.

From the Prime Minister's press release:

24 November 2010

Ottawa, Ontario

Prime Minister Stephen Harper today announced the nomination of Jennifer Stoddart for reappointment as Privacy Commissioner of Canada for a three-year term. Ms Stoddart has been serving as the Privacy Commissioner of Canada since December 2003.

“Jennifer Stoddart is extremely well qualified to continue in the role of Privacy Commissioner of Canada”, said the Prime Minister. “She brings to the position considerable expertise in privacy protection issues and a deep understanding of the importance of open and transparent government. I am pleased that she has agreed to be nominated to continue in this important role”.

The Leader of the Government in the House of Commons and Minister of the Environment will be tabling this nomination for consideration by the House of Commons.

The Office of the Privacy Commissioner was created in 1977 under the Canadian Human Rights Act, Part IV. The Privacy Act, which currently governs the functions of the Privacy Commission, was adopted in 1983.

As an Agent of Parliament, the Privacy Commissioner oversees compliance with both the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act, Canada’s private sector privacy law. The mission of the Office of the Privacy Commissioner of Canada is to protect and promote the privacy rights of individuals.

Friday, November 19, 2010

Federal Court dismisses damages claims, considers what is compensable under PIPEDA

Dan Michaluk has a good summary of a very recent case from the Federal Court in Stevens v. SNF Maritime Metal Inc., 2010 FC 1137, where a claim for damages was dismissed as essentially an end-run around other potential causes of action. In this case, for wrongful termination. The applicant had apparently defrauded his employer and another company breached PIPEDA by disclosing the applicant's information to the employer. The employee was terminated and claimed damages for the resulting loss.

See: Case Report – Federal Court dismisses application, articulates what damages are compensable under PIPEDA « All About Information.

Monday, November 15, 2010

Opt out, while you still can: Airport security reaches new levels of absurdity

"Ask the Pilot", over at Salon.com, has a great/sad illustration of the absurdity of idiotic policies and slavish adherence to these policies at airport screening: Airport security reaches new levels of absurdity - Ask the Pilot - Salon.com.

Over the past year, I've been "randomly" selected for the virtual stip-search about a half dozen times. Each time, I've opted out and have gone for the pat-down. I don't really have a problem with modesty and would probably streak through the terminal for a reasonable fee, but I do so just to make a point. The machines are pointless security theatre.

On my last trip to Ottawa, the CATSA screener guy directed me to the naked machine after I went through the metal detector. He didn't tell me it was optional. I said "I decline." And he was visibly surprised. When I opted out, he tried to sell me on the benefits of going into naked machine: "It only takes two seconds."

"No thanks. I opt out."

He was also the guy who got to give me the rub-down, and I'm sure I got extra-special treatment because I defied him.

A few weeks before, when I opted out to a woman CATSA person, she said I'd have to wait for a male guy. I said I didn't care if it was her, but I still had to wait. But she had to hold onto my boarding pass to make sure I didn't make a break for it (though I'd been through the metal detector). A few minutes passed and there was no male CATSA guy available. Obviously upset she was having to loiter with me, she quickly ran the explosive decting swab on my hands, gave me the all-clear and sent me on my way.

Does this make you any safer?

Body scanning, which started as random, is becoming de rigeur in the United States and I will not be surprised to see it make a similar change in Canada. It's the classic bait and switch: don't worry ... it's optional and we randomly choose people for secondary screening through the scanner. Now that we have them installed in all the airports, it's the scanner or the glove. Then it'll be the scanner or the train.

Recently, an American blogger wrote about his surreal experience in trying to opt-out at San Diego airport and it has garnered over 4000 comments so far.

Not surprisingly, this has led to a backlash. A number of groups in the US are calling for national opt-out day in airports on the busiest travel day of the year. I expect that it will have an impact on Thanksgiving travelers and will get some notice.

Thursday, November 11, 2010

Obama administration has plans for online privacy law

The Wall Street Journal is reporting that the Obama administration is preparing to table proposals for a new, comprehensive online privacy regime in the United States.

Initiatives like this have been floated before, so it will be interesting to see what it looks like when it sees the light of day.

See: Obama Administration Seeks Internet Privacy Protections, New Policy Office - WSJ.com.

Federal website leaked personal information

The CBC is reporting that an important government website had a significant security glitch that led to the disclosure of sensitive personal information of about 75 people. The site, Access Key, was launched on September 26 and the problem occurred within days. The error was reported by users and it took the site's operators a number of days before reporting it to the Privacy Commissioner. See: CBC News - Ottawa - Federal online glitch leaked private info.

Tuesday, November 09, 2010

Nova Scotia to table health information legislation today

The Nova Scotia Minister of Health is expected to table the latest iteration of the Personal Health Information Act in the Nova Scotia legislature this afternoon. Expect to see the text of the bill here as soon as it's tabled.

See: Health minister expected to table personal information bill today - NovaScotia - TheChronicleHerald.ca.

Update: The text of Bill 89 is available here.

Thursday, November 04, 2010

Eroding Financial Privacy: PIPEDA & FATCA

Last week, Michael Power blogged about the Foreign Accounts Tax Compliance Act. This week, he's got a more detailed post about that Act and how it affects organizations' obligations under PIPEDA. Check it out: Michael Power * Eroding Financial Privacy: PIPEDA & FATCA.

Tuesday, November 02, 2010

The new lawful access bills

Here is the first reading text of the Investigative Powers for the 21st Century Act:

BILL C-51 An Act to amend the Criminal Code, the Competition Act and the Mutual Legal Assistance in Criminal Matters Act aka Investigative Powers for the 21st Century Act.

I will post a link to the Investigating and Preventing Criminal Electronic Communications Act when it is posted on the parliamentary website.

(Note: I had previously linked to the wrong bill on this post ...)

Monday, November 01, 2010

Lawful access back before Parliament

Once again, the Government of Canada has put "lawful access" back before Parliament.

Notice that it again allows for the police and "national security agencies" to require the personal information of telecommunications customers without a warrant.

I will post a link to the bill itself as soon as I can get my hands on it, but in the meantime here's the press release from the Department of Justice:

Government of Canada Introduces Legislation to Fight Crime in Today’s High-Tech World


OTTAWA, November 1, 2010 – The Honourable Rob Nicholson, P.C., Q.C., M.P. for Niagara Falls, Minister of Justice and Attorney General of Canada, together with Dave MacKenzie, M.P. for Oxford and Parliamentary Secretary to the Minister of Public Safety, and Daniel Petit, M.P. for Charlesbourg–Haute-Saint-Charles and Parliamentary Secretary to the Minister of Justice, today re-introduced in the House of Commons two bills that would provide law enforcement and national security agencies with up-to-date tools to fight crimes such as gang- and terrorism-related offences and child sexual exploitation.

“New and evolving technologies provide new ways of committing crimes, making them harder to investigate,” said Minister Nicholson. “We must ensure that law enforcement has the means to bring to justice those who would break the law. Twenty-first-century technology demands twenty-first-century tools for police to effectively investigate crime.”

The proposed Investigative Powers for the 21st Century Act would provide law enforcement agencies with new, specialized investigative powers to help them take action against Internet child sexual exploitation, disrupt on-line organized crime activity and prevent terrorism by:

  • enabling police to identify all the network nodes and jurisdictions involved in the transmission of data and trace the communications back to a suspect. Judicial authorizations would be required to obtain transmission data, which provides information on the routing but does not include the content of a private communication;
  • requiring a telecommunications service provider to temporarily keep data so that it is not lost or deleted in the time it takes law enforcement agencies to return with a search warrant or production order to obtain it;
  • making it illegal to possess a computer virus for the purposes of committing an offence of mischief; and
  • enhancing international cooperation to help in investigating and prosecuting crime that goes beyond Canada’s borders.

“We are giving our police the tools they need to keep up with criminals who are increasingly using new technology in carrying out their crimes. High-tech criminals must be met by high-tech police,” said Mr. MacKenzie. “This announcement once again demonstrates our commitment to give our law enforcement agencies the tools they need to make our communities safer.”

The Investigating and Preventing Criminal Electronic Communications Act would address challenges posed by today’s technologies that did not exist when the legal framework for interception was last updated nearly 40 years ago. The Act would require service providers to include interception capability in their networks, thereby allowing law enforcement and national security agencies to execute authorizations for interception in a more timely and efficient manner with a warrant. The proposed Act also calls for service providers to supply basic subscriber information upon request to designated law enforcement, Competition Bureau and national security officials.

Requirements to obtain court orders to intercept communications will not be changed by this Act. This legislation will simply help ensure that, when warrants are issued, telecommunications companies have the technical ability required to intercept communications for the police and the Canadian Security Intelligence Service.

Other countries, such as the United Kingdom, the United States, Australia, New Zealand, Germany and Sweden, already have similar legislation in place.

“Both of these pieces of legislation will provide vital tools to allow law enforcement officers to trace serious computer crimes such as child pornography and hate crime,” said Mr. Petit. “Both acts help to address Canadians’ privacy concerns by including strict privacy safeguards which, in the case of the Investigative Powers for the 21st Century Act, includes heightened requirements for obtaining judicial authorization before police can obtain data relating to a suspect’s location.”

The Government carefully considered input provided by a broad range of stakeholders in developing these two pieces of legislation, including the telecommunications industry, civil liberties groups, victims’ advocates, police associations and provincial/territorial justice officials. As a result, the Government has ensured that the Investigative Powers for the 21st Century Act and the Investigating and Preventing Criminal Electronic Communications Act adopt a balanced approach, taking full account of the need to protect the safety and security of Canadians, the competitiveness of the telecommunications industry, and the privacy rights of Canadians.

An on-line version of the legislation will be available at www.parl.gc.ca.

Backgrounder: Investigative Powers for the 21st Century Act.