Friday, June 22, 2012

CBSA comes clean on border surveillance -- not as bad as speculated

After a full week of speculation about the reported plan of the Canada Border Services Agency to intercept the private conversations of travelers in Canadian airports, the CBSA has finally come out with information about the scope of the project. And it's not as bad as the speculation. (Lesson here for the government: Be proactive about disclosing projects and policies that potentially infringe on the privacy rights of Canadians. If the media scoop you, quickly come clean and be truthful. Waiting a week is a VERY BAD idea.)

According to a policy manual obtained by the CBC under the Access to Information Act, the surveillance plan would not be intercepting private communications of travelers while they are waiting to see a CBSA officer on entry, but would be used to record the interviews and interactions between travelers and those CBSA Officers. (See: Border agency policy spells out surveillance rules - Politics - CBC News.)

If that's the full extent of it, it's simply not as bad as speculated. A conversation between a vacationing couple in the line-up is a private communication that can only be intercepted with a warrant signed by a judicial officer. But a conversation with a government official can't be said to be a private communication and just doesn't have the same expectation of privacy.

However, I don't think this is the last we're hearing on this. But at least it's not as bad as it first appeared.

Sunday, June 17, 2012

Canada Border Services Agency to bug airports to eavesdrop on travelers?

I have seen a few reports this weekend saying that the Canada Border Services Agency has been installing audio recording equipment at Canadian airports to eavesdrop on travelers. (See: Listening equipment 'will record conversations' at Canadian airports: CBSA or Canadian airport to bug travelers' conversations.

While details are sketchy, I can't help but wonder whether or how this is lawful at all.

In Canada, it is unlawful to intercept any private communications without a warrant. The Criminal Code of Canada makes that pretty clear:

Interception

184. (1) Every one who, by means of any electro-magnetic, acoustic, mechanical or other device, wilfully intercepts a private communication is guilty of an indictable offence and liable to imprisonment for a term not exceeding five years.

Saving provision

(2) Subsection (1) does not apply to

(a) a person who has the consent to intercept, express or implied, of the originator of the private communication or of the person intended by the originator thereof to receive it;

(b) a person who intercepts a private communication in accordance with an authorization or pursuant to section 184.4 or any person who in good faith aids in any way another person who the aiding person believes on reasonable grounds is acting with an authorization or pursuant to section 184.4;

(c) a person engaged in providing a telephone, telegraph or other communication service to the public who intercepts a private communication,

(i) if the interception is necessary for the purpose of providing the service,

(ii) in the course of service observing or random monitoring necessary for the purpose of mechanical or service quality control checks, or

(iii) if the interception is necessary to protect the person’s rights or property directly related to providing the service;

(d) an officer or servant of Her Majesty in right of Canada who engages in radio frequency spectrum management, in respect of a private communication intercepted by that officer or servant for the purpose of identifying, isolating or preventing an unauthorized or interfering use of a frequency or of a transmission; or

(e) a person, or any person acting on their behalf, in possession or control of a computer system, as defined in subsection 342.1(2), who intercepts a private communication originating from, directed to or transmitting through that computer system, if the interception is reasonably necessary for

(i) managing the quality of service of the computer system as it relates to performance factors such as the responsiveness and capacity of the system as well as the integrity and availability of the system and data, or

(ii) protecting the computer system against any act that would be an offence under subsection 342.1(1) or 430(1.1).

Use or retention

(3) A private communication intercepted by a person referred to in paragraph (2)(e) can be used or retained only if

(a) it is essential to identify, isolate or prevent harm to the computer system; or

(b) it is to be disclosed in circumstances referred to in subsection 193(2).

The Office of the Privacy Commissioner of Canada has said they've seen no mandatory privacy impact assessment about this initiative and the CBSA has essentially said nothing about this. Hopefully the Canadian media will pursue this and we'll get more details shortly.

Wednesday, June 06, 2012

Why the heel-dragging on privacy law revision?

I was interviewed yesterday by Sarah Schmidt of Postmedia News about why the Harper Government appears to be dragging their heels on implementing Bill C-12 or kicking off the next mandatory five year review of PIPEDA.

Her interview with the Commissioner, Jennifer Stoddart, and me also focused on the Commissioner's apparent abandonment of the ombudsman model in favour of the ability to issue orders and to levy fines.

Feds dragging their heels on fixing privacy law: Stoddart

OTTAWA — Canada's privacy watchdog says she's "very, very disappointed" by the federal government's failure to update a law meant to protect the personal information of consumers.

Jennifer Stoddart's annual report on the private-sector privacy law, tabled Tuesday in the House of Commons, highlights how evolving technologies are creating new privacy risks for youth.

The report also flags how Parliament is required, every five years, to review the Personal Information Protection and Electronic Documents Act (PIPEDA), but the latest review, which was scheduled for 2011, but has yet to be launched. Meanwhile, amendments to the law, tabled last fall, are outdated already, says the report calling for new powers for the Office of the Privacy Commissioner.

"I am very, very disappointed that we're not moving ahead with privacy reform issues. They're long overdue," Stoddart said in an interview after the tabling of the report.

Under the current law, Stoddart has no power to impose any fines and companies are not required to report breaches to her office.

The proposed amendments tabled last fall do not include powers to impose fines, but do include a provision for mandatory reporting to the privacy commissioner if a company experiences a material breach. The bill, known as C-12, has not moved beyond first reading, which took place on Sept. 29, 2011.

"What is put there, I think, was current about three years ago, but in the meantime the world has moved on. I really think, like in most jurisdictions now, we need some sanctions for egregious data breaches." said Stoddart.

"We have to have powers that will be respected by these huge multinational corporations that are doing business online and you need a strong voice to be heard by them."

Pointing to the fact that the government's anti-spam law is still not in effect, despite its passage last year, Stoddard added: "There's a slowness that is hard to understand in this digital age."

David Fraser, a Halifax-based lawyer specializing in privacy laws, said it's "puzzling" the recommendations arising from the 2006 PIPEDA review process have not been enacted.

"They really come up with something that by all measures is a bit of a no-brainer."

Fraser said the government's decision to not begin the second PIPEDA review in 2011 makes more sense if the Tories aren't interested in discussing Stoddart's push for more powers, given how "significant" the proposal is.

"During the last review, the privacy commissioner was fine with being an ombudsman, not have order-making powers and using persuasiveness and co-operation and collaboration to get companies to change their practices," said Fraser.

"More recently, and including in her annual report, she's making noises about looking for additional powers, particularly the ability to levy fines and perhaps issue orders. And that is a significant change — not only a significant change in the approach of her office, which has consistently advocated the ombudsman position for 15 years, but it would make a significant change in the legislation. It may not be a discussion the government wants to have right now," added Fraser, who leads McInnes Cooper's Privacy Practice Group.

Industry Minister Christian Paradis declined to answer questions put to him about why C-12 has stalled in Parliament, the delay in the 2011 PIPEDA review, and Stoddart's push for more powers.

In a statement, Paradis said the government is "building a modern legal framework that will enhance consumer confidence in the online marketplace and support the growth of Canada's digital economy. The Personal Information Protection and Electronic Documents Act underwent a review that led to the drafting of Bill C-12, which is currently before Parliament."

Tuesday, June 05, 2012

Privacy Commissioner of Canada releases 2011 Annual Report on PIPEDA

The Privacy Commissioner of Canada has just released her annual report to Parliament related to her duties under PIPEDA for 2011.

Here's the media release:

News Release: Evolving technologies creating new privacy risks for youth: annual report - June 5, 2012

The Privacy Commissioner’s 2011 annual report on private-sector privacy issues, tabled in Parliament today, examines some of the concerns facing what some have called the “Internet generation.” At the same time, the Commissioner is launching a new graphic novel to help youth better understand and navigate the privacy risks of the online world.

OTTAWA, June 5, 2012 –Young Canadians are facing a host of privacy risks that previous generations never had to worry about – from “nanny cams” to cell phone monitoring to a permanent trail of their online communications, says the Privacy Commissioner of Canada.

Youth privacy issues have emerged as a significant concern and are highlighted in the Commissioner’s 2011 Annual Report to Parliament on the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private-sector privacy law. The report was tabled in Parliament today.

“While the young show agility in using any new kind of digital communication, and recognize the importance of protecting their privacy, they are also often unsuspecting about the potential privacy intrusions that can accompany novel technologies,” says Commissioner Jennifer Stoddart.

“All of that online communication creates a permanent record – and that could carry risks to their privacy and to their reputations. Not just today, but perhaps even more in the future.”

The Office of the Privacy Commissioner of Canada (OPC) has made youth issues a major focus of its outreach and public education initiatives. The OPC has developed a number of education materials, including presentation packages for school and community use, a teen-oriented video and a tip sheet for parents.

Graphic Novel

Today, the Privacy Commissioner is also launching another important tool – a graphic novel called Social Smarts: Privacy, the Internet and You, which will help younger Canadians to understand and navigate privacy issues in the online world.

“This graphic novel – a first for our Office – was developed with feedback from youth. We hope it will help young people to understand the risks to privacy when it comes to social networking, gaming and texting,” says Commissioner Stoddart.

The new graphic novel can be downloaded from the OPC’s youth website.

Investigations

The annual report also describes an OPC investigation into a complaint about a daycare’s use of webcam monitoring. A parent objected to the fact that the webcam feed was being recorded and felt that appropriate privacy safeguards were not in place.

During the investigation, the daycare centre agreed to take steps to add privacy safeguards. The centre also deleted its saved video files and modified its systems to no longer record the video stream. It implemented a privacy policy requiring all parents to sign a form consenting to the webcam monitoring and required parents using the webcam service to sign a contract agreeing to not record the webcam feed and to keep confidential their password allowing access to the video. As such, the OPC concluded that the complaint was resolved.

The annual report also details findings related to investigations of three complaints against Facebook, as well as a wide-ranging complaint against a youth-oriented social networking site, Nexopia. The investigation results were announced earlier this year.

The OPC accepted 281 formal complaints under PIPEDA in 2011, a 35 percent increase from the previous year.

Privacy Commissioner issues batch of new findings under PIPEDA

Moments before issuing her annual report to Parliament, the Office of the Privacy Commissioner of Canada has released a batch of new findings under PIPEDA. Findings are few and far between these days and you'll note that most of them are from last year.

Alberta Commissioner to appeal United Food and Commercial Workers, Local 401 v Alberta

The Edmonton Journal is reporting that the Information and Privacy Commissioner is planning to seek leave to appeal the United Food and Commercial Workers, Local 401 v Alberta (Attorney General) case to the Supreme Court of Canada. See: Supreme Court next step after Alberta’s privacy laws ruled unconstitutional.

In this case, among other things, the Alberta Court of Appeal found that portions of Alberta's Personal Information Protection Act were unconstitutional as it does not take into account freedom of expression guaranteed under the Charter of Rights and Freedoms.

I've blogged about this case in the past. Check out the tag UFCW Case (Alberta).

Monday, June 04, 2012

Ontario Commissioner issues her 2011 Annual Report

Anne Cavoukian, the Information and Privacy Commissioner of Ontario has issued her Annual Report for 2011. A significant theme of the Report is not surprisingly lawful access, which has been an important issue for the Commissioner since Bill C-30 reared its head this past year:

The theme of my 2011 Annual Report — Ever Vigilant — was chosen in large part because this year Ontarians faced what I consider to be one of the most invasive threats to our privacy and freedom that I have encountered in 25 years of safeguarding citizens’ rights and championing openness and transparency in government.

That threat presented itself as lawful access legislation proposed by the federal government. The legislation was designed to provide police with much greater ability to access and track information about identifiable individuals via the communications technologies that we use every day, such as the Internet, smart phones, and other mobile devices, and at times, without a warrant or any judicial authorization. Telecommunications service providers would also be required to build and maintain intercept capabilities in their networks for use by police.

It my view, it is highly misleading to simply call such legislation “lawful access” or to champion it as a child protection measure. The broad powers proposed represent much more — they represent a looming system of “Surveillance by Design.”

Let me be clear, I hold our police services in the highest regard and have a deep appreciation for the critical public safety functions they perform. However, we must be vigilant in not allowing the investigative needs of police forces to outstrip our constitutional right “to be secure against unreasonable search and seizure.”

In the absence of significant amendments, such a proposal risks intrusions on the privacy of too many innocent individuals. Electronic scrutiny of an individual paints a detailed and revealing digital biography and is likely to capture personal information of family, friends, neighbours, colleagues and acquaintances. Properly supervised, surveillance powers can be invaluable to law enforcement. However, the consequences of unsupervised powers can be devastating to innocent individuals subjected to unwarranted suspicions, to poorly-handled evidence, or to erroneous conclusions hastily drawn.

So disturbing was the legislation that I — and every privacy commissioner in Canada — wrote to the federal Deputy Minister of Public Safety in March 2011, detailing our concerns. We provided copies of our joint letter to the House of Commons Standing Committee on Public Safety and National Security and the Standing Committee on Justice and Human Rights.

The legislation (originally referred to as Bills C-50, C-51 and C-52) died on the Order Paper when Parliament was dissolved in March 2011. However, the government pledged to reintroduce it on its re-election. (At the time of this Annual Report, the legislation was reintroduced as Bill C-30. More information is available at www.realprivacy.ca.)

Sensing a critical opportunity to engage the public and the government before the legislation was reintroduced, I decided to write my own 22-page Open Letter to the federal Minister of Public Safety and the federal Minister of Justice and Attorney General of Canada to share my concerns. I also authored several op-eds in the fall of 2011. Then, in December 2011, I decided to expand my public educational campaign, beginning with a Symposium with highly-respected thought leaders scheduled for January 2012 — “Beware of ‘Surveillance by Design:’ Standing Up for Freedom and Privacy.” I also committed to urging Ontarians, and indeed all Canadians, to write to their Member of Parliament to share their concerns about the proposed legislation. Finally, I instructed my staff to develop concrete recommendations so that the bill could be amended to ensure that Canadians will enjoy a modern, effective, and comprehensive approach to law enforcement in which privacy protection and government transparency are built directly into the legislation.

The false link between "lawful access" and the Magnotta investigation

After having read this Toronto Sun article in which Public Safety Minister Vic Toews incorrectly claims that Bill C-30 would help in the Luka Rocco Magnotta investigation (Magnotta to be charged with criminal harassment of PM), I was going to write a post about how it was a case of shallow political opportunism. Michael Geist beat me to it.

Check out Michael's posting at his blog: Toews Draws False Link Between Magnotta Investigation and Lawful Access.