Thursday, December 30, 2010

Ontario Commissioner to appeal personal email decision

You may recall my recent post on a decision of the Ontario courts that held that a government employee's personal email is outside of the jurisdiction of the Ontario freedom of information laws (Canadian Privacy Law Blog: Ontario access to information decision may affect cloud computing decisions). The Ontario Information and Privacy Commissioner has decided to appeal the decision, so stay tuned as the saga unfolds.

See: Privacy watchdog to appeal email ruling

Tuesday, December 28, 2010

London police claim CCTV solves six crimes a day

Any stats on the effectiveness of video surveillance are hard to find. The Met police in London are claiming that CCTV now accounts for six crimes solved per day:

BBC News - "Six crimes a day" solved by CCTV, Met says

... The number of cameras in Britain has gone up from 21,000 in 1999 to 59,753 in 2010, it added.

The Met said among the 2,512 suspects caught this year, four were suspected murderers, 23 rapists and sex attackers and five wanted gunmen.

I'm curious what that translates as in cost per arrest?

Class action lawsuit? There’s an app for that

Just posted over at

Class action lawsuit? There’s an app for that — Slaw

You may have seen the recent Wall Street Journal article on the privacy implications of certain iPhone, iPod Touch and Android apps that disclose information to advertising networks without the explicit knowledge of the user. It didn't take long, but now a class action lawsuit filed in California against Apple for allowing this to happen. See: Apple sued over privacy in iPhone, iPad apps | Apple - CNET News.

I think that this lawsuit is directed at the wrong party (Apple Computer Inc.) and, if it is at all successful, will be harmful to the internet.

This is similar to going after Facebook for everything that their app developers do. Where on party provides a platform (in this case, a mobile device) and another party builds applications on that platform, the key issue that needs to be addressed where privacy is concerned is “where should accountability for privacy lie?” Getting it wrong will stifle innovation in this currently burgeoning area of the Internet ecosystem. Placing all the responsibility on the platform provider will discourage innovators from making new technologies available to the public, to the detriment of those users who are supposed to be protected by privacy rules. Instead, third-party service and application providers should be responsible to users (and to the courts) for their collection, use and disclosure of personal information.

Just imagine what might happen if the already restrictive Apple is found liable for providing app developers too much latitude in structuring their apps. Would this encourage innovation in applications for users? Nope.

Thursday, December 23, 2010

Interview with EU Privacy Chief

The Washington Post has an interesting interview with the head of privacy for the European Union, highlighting some of the differences between continental and American approaches to consumer privacy. The video and a written summary are here: Post Tech - Video: E.U. privacy chief Reding to meet with Holder.

(via Schneier on Security)

Santa's privacy policy

This is a must read: McSweeney's Internet Tendency: Santa's Privacy Policy.

Hat-tip to @privacyprivee for the link.

Tuesday, December 21, 2010

Federal Court awards PIPEDA damages due to inaccurate credit report

In what appears to be a break from the recent cases that have declined to award damages to applicants under PIPEDA, the Federal Court in Nammo v. Transunion of Canada Inc., 2010 FC 1284 has just recently awarded damages to an individual whose loan application was declined due to inaccurate information provided by a credit bureau.

The court awarded $5000 in damages after considering the principles to be applied by the court in awarding damages under the statute. It is really worth noting how cases such as Randall v Nubody's is distinguished.

[71] As indicated, PIPEDA provides the Court broad remedial powers and, in my view, s. 16 of PIPEDA permits the Court, in an appropriate case, to award damages even when no actual financial loss has been proven. In Randall v Nubodys Fitness Centres, 2010 FC 681, Justice Mosley found that an award of damages under s. 16 is not to be made lightly and that such an award should only be made “in the most egregious situations.” This is such a situation. In Randall, which involved the disclosure of how often the applicant used his gym membership to his former employer, Justice Mosley determined that the impugned disclosure of personal information was “minimal,” that there had been no injury to the applicant sufficient to justify an award of damages, that the respondent did not benefit commercially from the breach of PIPEDA, that the respondent did not act in bad faith, and, perhaps most importantly, that there was no link between the disclosure and the employer’s alleged retaliation against the applicant. The same cannot be said here. Not only was the disclosure of inaccurate information directly linked to the refusal of the loan and the associated injury to the applicant, but the respondent also profited from the disclosure and acted in bad faith in failing to take responsibility for its error and failing to rectify the problem in a timely manner. The violation of Mr. Nammo’s rights under PIPEDA was not “the result of an unfortunate misunderstanding,” as was the case in Randall. It was a serious breach involving financial information of high personal and professional importance. The fact that there is no precedent for an award of damages under PIPEDA should not impact the Court from making an award of damages where the circumstances and justice demands it. In my view, for the reasons that follow, this is such a case.


[74] The Supreme Court found that “to be ‘appropriate and just’, an award of damages must represent a meaningful response to the seriousness of the breach and the objectives of compensation, upholding Charter values, and deterring future breaches.” In my view, the same reasoning applies to a breach of PIPEDA, which is quasi-constitutional legislation.

[75] In Lavigne v Canada (Office of the Commissioner of Official Languages), 2002 SCC 53, the Supreme Court held that the Privacy Act, R.S.C.1985, c. P-21, was quasi-constitutional legislation that must be interpreted with its special purposes in mind. In Eastmond v Canadian Pacific Railway, 2004 FC 852, at para. 100, Justice Lemieux confirmed that PIPEDA also enjoys quasi-constitutional status:

I have no hesitation in classifying PIPEDA as a fundamental law of Canada just as the Supreme Court of Canada ruled the federal Privacy Act enjoyed quasi-constitutional status (see Justice Gonthier's reasons for judgment in Lavigne v. Canada (Office of the Commissioner of Official Languages, [2002] 2 S.C.R. 773 at paragraphs 24 and 25).

[76] Applying the Supreme Court’s reasoning in Ward to PIPEDA applications before this Court indicates that both the question of whether damages should be awarded and the question of the quantum of damages should be answered with regard to whether awarding damages would further the general objects of PIPEDA and uphold the values it embodies. Furthermore, deterring future breaches and the seriousness or egregiousness of the breach would be factors to consider.

[77] One of the central objects of PIPEDA is to encourage those who collect, use and disclose personal information to do so with a degree of accuracy appropriate to the use to which the information is to be put and to correct errors quickly and effectively. I have found that TransUnion failed to collect accurate information on the applicant. Further, when apprised of its error, it failed to address the complaint quickly and effectively. It further failed to quickly and effectively correct the inaccurate information it had disseminated. Lastly, it failed to take responsibility for its error, first blaming CBV, and then in this action attempting to attribute some blame to the applicant. In my judgment, these are circumstances that warrant an award of damages based on the considerations of vindication and deterrence.

Check out the following commentary:

Monday, December 20, 2010

Washington Post on Monitoring America

The Washington Post has a monumental investigative report on "Top Secret America" focused on Monitoring America. Here's a summary:

Monitoring America |

Top Secret America is a project two years in the making that describes the huge security buildup in the United States after the Sept. 11, 2001, attacks. Today’s story is about those efforts at the local level, including law enforcement and homeland security agencies in every state and thousands of communities. View previous stories, explore relationships between government organizations and the types of work being done, and view top-secret geography on an interactive map.

Today's story, along with related material on The Post's Web site, examines how Top Secret America plays out at the local level. It describes a web of 4,058 federal, state and local organizations, each with its own counterterrorism responsibilities and jurisdictions. At least 935 of these organizations have been created since the 2001 attacks or became involved in counterterrorism for the first time after 9/11.

The months-long investigation, based on nearly 100 interviews and 1,000 documents, found that:

  • Technologies and techniques honed for use on the battlefields of Iraq and Afghanistan have migrated into the hands of law enforcement agencies in America.
  • The FBI is building a database with the names and certain personal information, such as employment history, of thousands of U.S. citizens and residents whom a local police officer or a fellow citizen believed to be acting suspiciously. It is accessible to an increasing number of local law enforcement and military criminal investigators, increasing concerns that it could somehow end up in the public domain.
  • Seeking to learn more about Islam and terrorism, some law enforcement agencies have hired as trainers self-described experts whose extremist views on Islam and terrorism are considered inaccurate and counterproductive by the FBI and U.S. intelligence agencies.
  • The Department of Homeland Security sends its state and local partners intelligence reports with little meaningful guidance, and state reports have sometimes inappropriately reported on lawful meetings.

Thursday, December 16, 2010

Facebook implements facial recognition, silent on privacy

Facebook has just announced that it is implementing facial recognition software to "make it easier to tag your friends" in photos. It will make tagging the same person over and over in an album much easier, but their blog post (Making Photo Tagging Easier) doesn't address privacy at all. I'm surprised by this, given that Facebook has been much more vocal and upfront about privacy as of late.

Canada's anti-spam act passes and receives royal assent

Bill C-28, Fighting Internet and Wireless Spam Act, also known as the anti-spam act, has passed through the sentate and received royal assent on December 15, 2010. It comes into force on the day or days set by the Governor in Council.

Check it out: LEGISINFO - The Library of Parliament's research tool for finding information on legislation.

Ontario access to information decision may affect cloud computing decisions

Dan Michaluk has a great summary of a recent and important access to information case from Ottawa, City of Ottawa v. Ontario (Information and Privacy Commissioner) (13 December 2010, Ont Div. Ct.): Case Report – Personal e-mails not subject to FOI legislation « All About Information.

I think this is probably one of the most important access decisions of the past year. It's similar to Johnson v Bell Canada, but seems to go even further. It will have a big impact in universities, where professors have generally been wrangling for exclusion of their e-mail from access legislation.

Most importantly, I think: This case may also have an impact on cloud computing for universities and USA Patriot Act-blocking statutes, because these statutes only apply to information under the "custody or control" of the public body. This case can be interpreted to support the proposition that student e-mail, at least, is not under the custody or control of the public body for the purposes of such statutes.

Update (30 December 2010): Canadian Privacy Law Blog: Ontario Commissioner to appeal personal email decision.

Wednesday, December 15, 2010

Caption this photo (TSA)

I was going to link to this interesting photo (which is devoid of additional context) from Boing Boing, but then noticed the ad which makes an interesting juxtaposition. Check it out, though you ad may vary: TSA WTF OTD - Boing Boing.

Tuesday, December 14, 2010

American Appeals Court says cops need warrants (with probable cause) to get e-mails

This is great news, both for e-mail users and for greater adoption of cloud computing. Contrary to Department of Justice lawyers (and too many precedents on their side), the US Court of Appeals for the Sixth Circuit has found that stored e-mails can't be accessed by law enforcement without a valid warrant.

The court struck down portions of the Stored Communications Act, which had permitted law enforcement to get their hands on e-mails over 180 days old with only a subpoena.

This may have big implications for cloud computing. One of the problems with US law on this is that the Fourth Amendment has been interpreted to say it doesn't protect the privacy of information held by a third party. So if you hand info over to someone like a bank, a cloud provider, an e-mail provider, etc. the protection is very different than if you have it in your personal possession. Finally the courts may be seeing that handing over data to service providers is the modern reality and privacy protections should keep up.

This is a victory for The Digital Due Process Coalition and its supporters in the United States who are advocating for bringing due process into line with modern technology.

Check out some interesting commentary:

And the decision is here:

Monday, December 13, 2010

Wikileaks and Privacy

A friend of mine who is now at Lattice Engines sent me this link written by one of his friends about WikiLeaks and privacy: Wish you were beer: Wikileaks and Privacy.

I'm not sure where I am on this debate yet. I am in favour of transparency and generally agree with the idea of a work product exception to privacy regulations (e.g. if it's about you in your work or professional capacity, it's not really "personal" information) but it's an important debate to have.

Saturday, December 11, 2010

University of Alberta signs on to Gmail

Interesting development, from the Edmonton Journal:

University of Alberta signs on to Gmail

EDMONTON — The University of Alberta and Google concluded legal negotiations this week, preparing the way for better e-mail service for students and entry into the Canadian university market for the Internet giant.

The contract makes legally binding Google’s promises not to data mine university Gmails or share data with a third party. University staff and students get all of Google’s Gmail applications for free, and get to retain their tags.

The contract is the first of its kind in Canada and expected to be adopted other Canadian universities now that Alberta has paved the way, University of Alberta vice-provost Jonathan Schaeffer said.

The University of Alberta currently uses more than 30 different e-mail systems across campus.

Using Gmail could save the university $2 million a year, allow a common calendar and improve the emergency response system. But when the idea was first touted publicly last January, many staff and students had privacy concerns.

Signing the contract to ease those concerns means increased legal risks for Google, which sees the free services as a way to build market loyalty but can’t otherwise profit from the deal.

“That, in part, is why it took so long,” Schaeffer said. Now, “we have a legal contract that would allow us to go after them.”

The contract took 15 months to negotiate, which was much longer than the university expected, Schaeffer said. But a legally binding framework was also needed to meet the requirements of the Alberta Freedom of Information and Protection of Privacy Act.

The shift to Gmail will begin in January.

More than 20 Canadian universities, as well as the Canadian University Council of Chief Information Officers, sent Google letters of support during a low point in negotiations last July, indicating it would also be interested in accepting Gmail if a legal framework like the one the U of A wanted was in place.

Jennifer Stoddart: making your privacy her business

Today's Globe & Mail has an interesting profile of the Canadian Privacy Commissioner, Jennifer Stoddart. It's a bit lightweight, but an interesting read. See: Jennifer Stoddart: making your privacy her business - The Globe and Mail.

Friday, December 10, 2010

The first truly honest privacy policy

This is pretty amusing (cynical, but amusing). The author has "open sourced" it, so here it is in all its glory but follow the link to get the accompanying commentary:

The first truly honest privacy policy

... Instead of a welter of new laws or regulations, how about just one: The Honest Privacy Policy Act. The HPPA would require every company to post a simple, direct, and brutally honest policy detailing what really happens to your data.

To help this proposal along I’ve come up with one of my own – and it’s 5,085 words shorter than Facebook’s. Here’s what a real privacy policy might look like:

"At COMPANY _______ we value your privacy a great deal. Almost as much as we value the ability to take the data you give us and slice, dice, julienne, mash, puree and serve it to our business partners, which may include third-party advertising networks, data brokers, networks of affiliate sites, parent companies, subsidiaries, and other entities, none of which we’ll bother to list here because they can change from week to week and, besides, we know you’re not really paying attention.

We’ll also share all of this information with the government. We’re just suckers for guys with crew cuts carrying subpoenas.

Remember, when you visit our Web site, our Web site is also visiting you. And we’ve brought a dozen or more friends with us, depending on how many ad networks and third-party data services we use. We’re not going to tell which ones, though you could probably figure this out by carefully watching the different URLs that flash across the bottom of your browser as each page loads or when you mouse over various bits. It’s not like you’ve got better things to do. Each of these sites may leave behind a little gift known as a cookie -- a text file filled with inscrutable gibberish that allows various computers around the globe to identify you, including your preferences, browser settings, which parts of the site you visited, which ads you clicked on, and whether you actually purchased something.

Those same cookies may let our advertising and data broker partners track you across every other site you visit, then dump all of your information into a huge database attached to a unique ID number, which they may sell ad infinitum without ever notifying you or asking for permission.

Also: We collect your IP address, which might change every time you log on but probably doesn’t. At the very least, your IP address tells us the name of your ISP and the city where you live; with a legal court order, it can also give us your name and billing address (see guys with crew cuts and subpoenas, above).

Besides your IP, we record some specifics about your operating system and browser. Amazingly, this information (known as your user agent string) can be enough to narrow you down to one of a few hundred people on the Webbernets, all by its lonesome. Isn’t technology wonderful?

The data we collect is strictly anonymous, unless you’ve been kind enough to give us your name, email address, or other identifying information. And even if you have been that kind, we promise we won’t sell that information to anyone else, unless of course our impossibly obtuse privacy policy says otherwise and/or we change our minds tomorrow.

We store this information an indefinite amount of time for reasons even we don’t fully understand. And when we do eventually get around to deleting it, you can bet it’s still kicking around on some network backup drives in somebody’s closet. So once we have it, there’s really no getting it back. Hell, we can’t even find our keys half the time -- how do you expect us to keep track of this stuff?

Not to worry, though, because we use the very bestest security measures to protect your data against hackers and identity thieves, though no one has actually ever bothered to verify this.

You’ll pretty much just have to take our word for it.

So just to recap: Your information is extremely valuable to us. Our business model would totally collapse without it. No IPO, no stock options; all those 80-hour weeks and bupkis to show for it. So we’ll do our very best to use it in as many potentially profitable ways as we can conjure, over and over, while attempting to convince you there’s nothing to worry about.

(Hey, Did somebody hold a gun to your head and force you to visit this site? No, they did not. Did you run into a pay wall on the home page demanding your Visa number? No, you did not. You think we just give all this stuff away because we’re nice guys? Bet you also think every roomful of manure has a pony buried inside.)

This privacy policy may change at any time. In fact, it’s changed three times since we first started typing this. Good luck figuring out how, because we’re sure as hell not going to tell you. But then, you probably stopped reading after paragraph three."

I am hereby open sourcing this privacy policy. Feel free to use it on your own sites or suggest it to any that seem deserving (but I’d appreciate a credit and a link, if you’re so inclined).

ITworld TY4NS blogger Dan Tynan writes privacy policies in his sleep -- which may be why he always wakes up cranky. Catch his brand of juvenile snark at eSarcasm (Geek Humor Gone Wild) or follow him on Twitter: @tynan_on_tech.

Ottawa crafts plan to ward off privacy criticism over U.S. border deal

The Globe &amp Mail has received a secret briefing document on developing a communications plan for selling an upcoming deal with the United States to create a common security perimeter around Canada and the US. The document list the Privacy Commissioner as a likely critic of the plan:

Ottawa crafts plan to ward off criticism over U.S. border deal - The Globe and Mail

... It also provides a rare insight into how the government regards Canadians: as a nation ignorant of the true scale of the security threat it faces and more concerned with privacy rights.

The communications strategy for the perimeter security declaration – which the document says will be unveiled in January, 2011 – predicts one of the biggest potential critics will be the federal privacy commissioner Jennifer Stoddart. That’s because the deal is expected to increase the amount of data exchanged between law enforcement and other government authorities in both countries.

Missing laptops spark strong reaction from Alberta Privacy Commissioner

A rash of missing or stolen laptops has prompted Alberta's Information and Privacy Commissioner to speak out strongly on the issue of encryption and data security:

CBC News - Calgary - Stolen Alta. laptops held health data

Seven laptops or digital devices with unencrypted health, employee and financial information have been lost or stolen in Alberta in the past month, prompting disbelief Thursday from Alberta Privacy Commissioner Frank Work.

"It just makes me crazy," Work said. "I think that's just utterly irresponsible now in this day and age."

Medical charts belonging to 2,700 pediatric gastroenterology patients participating in a study were on one of the stolen laptops, which belonged to a researcher at the University of Alberta.

A missing digital recorder stolen from Alberta Sustainable Resources contained statements related to wildlife investigations. And a laptop stolen from the same department contained contact information for junior forest rangers, as well as an employee evaluation.

A laptop from an unnamed trust company had emails containing mortgage application information, social insurance numbers, credit bureau reports and other personal financial information for 135 people, a loss that worried Work the most.

"In that case, that's information that can really be used for an identity theft," Work said.

Two laptops containing information about patients, all under six years old, were stolen from a speech pathology office.

Another laptop from a marketing firm that contained information on 27 Alberta employees was left in a European airport. The last missing laptop belonged to a genetic research company. It contained employee information that included social insurance numbers.

Encryption programs easily available

Work says people shouldn't put personal information on laptops if they don't have to. Many internet security companies, such as Norton and Symantec, offer encryption programs that make it easy for people to protect data.

"It's not like we're asking people to do anything incredibly difficult here," Work said, "especially if you weigh that against telling 35 employees that you lost their RSP information, their employment files and so on."

Police have told Work that most laptop thefts involve criminals who try to resell them quickly for $50 or $70 to someone who simply overwrites the files and does little with the personal information.

However, the information is out there, which is still troubling, Work said.

"You have a responsibility to your patients, your clients, your employees to encrypt their information when you're carrying it around with you. And the law says you have to do that."

Alberta law doesn't have any provisions for Work to penalize individuals, organizations or government agencies for privacy breaches. He can only work with offenders on remedial measures.

People who've been the victim of privacy breaches by private sector businesses can sue for damages under Alberta law, Work said.

Wednesday, December 08, 2010

Asia Pacific Privacy Authorities commit to collaboration

We are seeing the growth of formal and informal structures being put in place by privacy commissioners and their counterparts worldwide to foster interjurisdictional collaboration. We've recently seen the establishment of the Global Privacy Enforcement Network and now the Asia Pacific Privacy Authorities form has concluded in Auckland with a further commitment to cross-border collaboration:

Privacy Commissioners Commit To Continue International Collaboration |

The importance of privacy to the public on both sides of the Pacific Ocean has been demonstrated in a meeting of privacy and data protection commissioners from three continents in the Asia Pacific region.

Hosted by the Office of the New Zealand Privacy Commissioner, the Asia Pacific Privacy Authorities (APPA) forum concluded in Auckland yesterday, with members affirming their commitment to continue to collaborate on international data protection issues.

The New Zealand Privacy Commissioner, Marie Shroff was delighted with the success of the meeting.

"This APPA meeting was one of the largest that we have held and it was pleasing to welcome three new members: Mexico, United States and Queensland. The last two days have reinforced our commitment to continue international collaboration amongst members. This will strengthen our ability to get the best possible outcome for the public's privacy rights."

The APPA members discussed a variety of contemporary privacy issues that face members right across the Asia Pacific region including ways to tackle privacy concerns about social networking, direct marketing and credit reporting.

"I think it is no surprise that issues such as online privacy are a common concern for all jurisdictions but there are practical steps that we can all take to educate the public and the business community on their privacy rights and responsibilities," Australian Privacy Commissioner Timothy Pilgrim said.

For instance, APPA members affirmed their commitment to jointly promote Privacy Awareness Week, which will be held from 1-7 May 2011. APPA has also established a working group on technology issues.

The next APPA meeting will be in South Korea in June 2011.

South Korea investigates Facebook for allegedly breaching privacy laws

Facebook is facing scrutiny and an investigation by data protection authorities in South Korea for allegedly not getting user consent before collecting personal information, though the site's terms and conditions do a standard job of covering the topic. See: South Korea: Facebook Doesn't Comply With Our Privacy Laws

This is interesting, but also should be a reminder that online properties effectively operate in multiple jurisdictions and need to keep in mind that there are a myriad of privacy laws out there.

Tuesday, December 07, 2010

Back online!

After a week of 404's, the Canadian Privacy Law Blog back in business. Sorry for any inconvenience.