Tuesday, July 26, 2011

Live chat on privacy and facial recognition systems

As part of the Globe & Mail's ongoing series on facial recognition systems and privacy, I've been invited to be part of a live, online discussion at 1:00 Eastern on Wednesday.

Here's the blurb they've put up:

What are the risks of facial recognition software? - The Globe and Mail

Facial recognition software is practically ubiquitous these days, whether you realize it or not. This week's Time To Lead series has looked at how it's been rolled out, from banks and casinos to the online world. The Globe editorial board says that the information that comes from this software should not become a commodity.

Are the legal protections in place sufficient? What are the privacy implications of facial recognition software?

Join us online to delve further into the subject. David Fraser, a privacy lawyer and partner at McInnes Cooper in Halifax, will take your questions, in a live chat hosted by editorial writer Karim Bardeesy, at 1pm on Wednesday.

Globe & Mail series on facial recognition

This week, the Globe & Mail is running a series of articles and opinion pieces on the use of facial recognition technologies. They're worth a read:

Thursday, July 21, 2011

TSA to roll out less-intrusive body scanners

Wired is reporting that the United States Transportation Security Administration is beginning to roll out less-intrusive full-body scanners, which apparently don't automatically display a nude image of the traveler: TSA Announces Privacy Overhaul of Nude Airport Scanners | Threat Level | Wired.com.

Friday, July 15, 2011

Cloud computing and privacy

Today, I will be giving a presentation during a "Town Hall" meeting at the University of New Brunswick as part of their roll-out of cloud computing services for students. I've been asked to address privacy and security aspects of cloud computing.

Here's the presentation, if you're interested:

The video of the presentation is posted on YouTube.

Monday, July 11, 2011

Social sciences research using social media data: Harvard's Privacy Meltdown

This is a really interesting case, and a case study in the complicated privacy and ethical issues of using "person level" social networking information for social sciences research. In this case, researchers "friended" students on Facebook to pull their data into the study. No consent was obtained. The study passed the institutional review board of Harvard, which concluded that getting opt-in consent would not be legally or ethically necessary.

"Alerting students risked 'frightening people unnecessarily,' he says.

'We all agreed that it was not necessary, either legally or ethically,' Mr. Kaufman says."

For the full story, see: Harvard's Privacy Meltdown - Technology - The Chronicle of Higher Education.

Via Lauren Weinstein.

Sunday, July 10, 2011

Dilbert: Employee locator device

Dilbert comic strip for 05/27/2011 from the official Dilbert comic strips archive.

Alberta Court says claims for invasion of privacy must go to Commissioner first

In the recent case of Martin v. General Teamsters, Local Union No. 362, 2011 ABQB 412, the Alberta Court of Queen's Bench struck a portion of a plaintiff's statement of claim related to invasion of privacy, holding that the plaintiff must first complain to the Information and Privacy Commissioner before appearing in court:

Paragraph Nine

[43] It is alleged:

On or about June 2009 and again on or about August 24, 2009 Bernie Haggarty, Business Agent for the Defendant violated my rights with regards to the release of private medical information without first obtaining written consent.

[44] Bernie Haggarty has filed an Affidavit in response to this allegation denying that he improperly released any private medical information of the Plaintiff as alleged or at all, and showing the circumstances of his involvement in efforts to allow the Plaintiff’s employer to evaluate whether or not it accommodate the injury restrictions of Ms. Martin. He deposes that Ms. Martin was present when he sent the information and that he did so wholly with her consent.

[45] This claim appears to be one of invasion of privacy. In Bank of Montreal v. Cochrane, [2010] A.J. No. 1210, Kent, J. discussed claims for breach of privacy, paras. 6, 7 and 8:

6 The second arguable claim is for breach of privacy. BMO first says that if there is a statutory claim for breach of privacy both provincial and federal legislation require certain conditions to be met before a claim can be brought before a court: see Personal Information Protection Act, S.A. 2003, c.P-6.5 and Personal Information Protection and Electronics Documents Act, S.C. 2000, c.5, ss.14-15. These preconditions have not been met.

7 If the pleading claims a common law claim for breach of privacy, BMO argues that there is no such claim: Mohl v. University of British Columbia, [2009] B.C.J. No. 1096 (B.C.C.A.). BMO also argues that the litigation process is intended to be a public process so that anything contained in pleadings cannot be a breach of privacy.

8 I agree with BMO.

[46] In the case referenced by Justice Kent of Mohl v. University of British Columbia, the B.C. Court of Appeal noted at para. 13, “there is no common law claim for breach of privacy”.

[47] If a claimant wishes to make a claim for damages arising from a breach of privacy, the Personal Information Protection Act, S.A. 2003, c.P-6.5 requires a claimant to proceed with his or her claim before the Commissioner appointed under that Act. If the Commissioner makes an Order under the Act against an organization, an individual affected by the Order then has a cause of action against the organization for damages for loss or injury that the individual has suffered as a result of the breach of the Act by the organization. (Para. 60 of the Act)

[48] Therefore, claims for a breach of privacy which have not first proceeded before the Commissioner cannot be heard by the Court. Further, the Affidavit evidence of Bernie Haggarty on this matter, uncontroverted by the Plaintiff, satisfies me that there is genuine issue to be tried. Paragraph 9 would be struck pursuant to Rule 3.68(a). However, on the uncontroverted evidence of Mr. Haggerty it is dismissed.

Friday, July 08, 2011

Saskatchewan court considers lawful authority

The Provincial Court of Saskatchewan has just ruled that a police officer in the midst of a drug investigation has "lawful authority" to ask for and receive information about a customer of a car rental company, including the customer's contract and a photocopy of the renter's driver's license. The Court held that Section 7(3) of PIPEDA was satisfied by the request and that Budget Rent A Car was able to hand over the info in the absence of a production order.

See: R v Siemens, 2011 SKPC 57

[51] Lastly, I am not satisfied that the information contained in the Budget Rent-a-Car contract or attached documents exposed any intimate details about the accused’s lifestyle or information of a biographic nature. The information in the contract included the accused’s name and Mastercard number. It also included a copy of the accused’s driver’s license which provided a photo of the accused, his driver’s license number, his address, his height, weight, eye and hair colour, sex, birthdate, issue date, expiry date, class, endorsements and restrictions.

[52] A lot of this information is personal to the accused but it does not reveal intimate details of his lifestyle or his personal choices. In today’s world we have become increasingly dependent on the Internet and technology. Some of the information such as name and address are readily available on the Internet or in a phone book. I heard no evidence that the accused went to any lengths to keep this information out of a phone book or off the cyber highway. People use credit and debit cards to purchase things or make payments. A driver’s license gives an individual the privilege to drive a vehicle and it has become a very common form of identification. Indeed, it is one of only a handful of acceptable identification when it comes to purchasing alcohol or cigarettes, travelling on an airplane within Canada, when cashing a cheque, when picking up merchandise already paid for, among other things. It is also used by retailers to deter and detect fraud. All provinces in Canada have given police the right to request a driver’s license from someone driving a vehicle to verify the identity of the person driving to ensure that they are legally driving. Barring evidence to the contrary about a particular person, such reliance on driver’s license and technology reduces the expectation of privacy that that person can expect in the information contained in these things.

[53] It is also significant to note that the disclosure of this information did not lead to the police obtaining more intimate details of the accused’s lifestyle or choices such as sexual orientation, religion or personal likes or dislikes. The only thing the information revealed was that Lindsay Siemens had a driver’s license and a credit card and rented the red Cobalt that the police saw meet with Ms. Holmes and Mr. Soare in Rosedale, Alberta. It was only after the police did further investigation that they satisfied themselves that Mr. Siemens was the person who met with Ms. Holmes and Mr. Soare and that he was involved in the drug trade.

[54] Taking into account the nature of the information in question, the fact that PIPEDA was complied with the lawful authority of Constable Hicks to request the information pursuant to section 47.014(1) and Phelps Leasing’s right, in accordance with its contractual arrangement with the accused to disclose the information to a police officer engaged an active investigation, the accused did not have an objectively reasonable expectation of privacy in this information.

In the end, the court found the information was not unlawfully obtained, was not an unreasonable invasion of privacy and therefore did not offend Section 8 of the Charter.

Monday, July 04, 2011

Microsoft releases source code for WiFi access point data collection software

Microsoft has released the source code for the software that is being used to log WiFi information to support their location based services. Transparency is a good idea in this sensitive and closely-scrutinized area.

Managed Driving Data Collection - Home

Resource Page Description

As part of Microsoft’s ongoing commitment to consumer privacy, we are providing more transparency about how we gather information through managed driving to provide location-based services. We are sharing relevant portions of our data collection software source code that demonstrates both the type and amount of data we collect through managed driving.

The information collected during Managed Driving includes Cell tower, Wi-Fi and GPS data. The collected data is used to build a positioning database that helps create location capabilities and services for Windows Phone and other Microsoft products and services.

The code has been written using a combination of native and managed code, and uses publicly documented interfaces for accessing Cell tower, Wi-Fi and GPS data. The software only detects management frame subtypes called probe request frames, which do not contain any personal user content. The software does not observe or collect any data frame packets, which are the type of Wi-Fi packets that may contain user content transmitted over a network nor does it attempt to connect to any open networks. The software only observes information that is publicly broadcasted by the Cell tower, Wi-Fi access point and GPS satellites. The information we collect includes elements like latitude, longitude, direction, speed, mobile country code, mobile network code, location area code, cell identifier and only specific Wi-Fi information such as BSSID (i.e., the Media Access Control aka MAC address), signal strength, and radio type.

During the collection process, we collect and retain only as much Wi-Fi access point data as necessary to build our positioning database, and none of the data collected is associated with personally identifiable consumer information.

Saskatchewan Commissioner releases annual report, calls for more prosecutions

The Information and Privacy Commissioner of Saskatchewan has released his annual report for 2010-2011. Like some of his colleagues, he's calling for greater sanctions for privacy breaches:

Commissioner says Saskatchewan 'bedevilled' by privacy breaches - Winnipeg Free Press

"What we often find is that it's not somebody hacking into a database," said Dickson.

"It's typically a lack of care. It's carelessness on the part of organizations that are entrusted with personal information, and then curiosity of staff who can't seem to overcome the temptation to go and snoop in somebody else's health records or somebody else's personal information, which means a huge training effort has to happen in our province.

"We're certainly making some headway, but we simply have too many organizations in Saskatchewan in 2011 that aren't doing an appropriate job protecting personal information."....

The maximum fine under Saskatchewan's 19-year-old Freedom of Information and Protection of Privacy Act is $1,000. By comparison, breaking the province's Health Information Protection Act can mean a fine of up to $50,000 for an individual and $500,000 fine for an organization.

But, Dickson noted, no one has ever been prosecuted under either of those acts. It's a long-standing concern for the commissioner.

"We're not going to have the level of compliance ... that I think Saskatchewan residents are entitled to until there are particularly serious consequences," he said. "(We need) ... people being charged under an offence provision and a court process and then at the end of that, if somebody's found guilty, substantial fines."

Saskatchewan Justice Minister Don Morgan said Dickson is right. Penalties for privacy breaches are "quite light," but so far nothing has met prosecutorial standards, he said.