Friday, March 28, 2014

Cloud Computing FAQ for Corporate Counsel

The Canadian Corporate Counsel Association Magazine (CCCA Magazine) Spring 2014 edition had a strong focus on privacy, "Managing your Privacy Risk: An In-house Guide." The edition included a version of my Cloud Computing and Privacy FAQ, focused at in-house counsel. Click the image (or here) to get the full article:

A hint at the extent of warrantless access to customer data in Canada

Earlier this week, the Halifax Chronicle Herald published a story about information that has come to light about the extent to which law enforcement agencies are seeking -- and getting -- access to private information without a warrant. (See Ottawa has been spying on you | The Chronicle Herald)

MP Charmaine Borg tabled a question in Parliament looking for particulars about how often government agencies look for and get information about customers of telecommunications services. Perhaps not surprisingly, CSIS and CSE refused to answer. The RCMP refused to provide information, saying it does not track this information. The full document is available here [PDF].

What is most interesting about the document is the extent that the Canadian Border Services Agency, the organization that polices Canada's borders, asked for and received telco customer information without a warrant. It happened over 18,000 times and telcos refused only a handful of times, mainly if they didn't have the information requested.

If I had been asked which government agencies seek warrantless access to customer data, I would have put CBSA pretty low on the list and would think they would represent a drop in the bucket. If that's the case, and the "drop in the bucket" is 18,000 requests, we must be looking at a VERY LARGE bucket.

What's also troubling is that unless charges are laid, nobody ever finds out that their information has been obtained by law enforcement. And, in fact, there's a gag order that would prevent you from getting that information from your telco. I highly doubt that CBSA laid 18,000 charges last year, so there are thousands of Canadians whose information has been accessed and they will never know about it.

Not surprisingly, some of the best analysis of this comes from Chris Parsons, a post-doctoral fellow at the Citizen Lab at the University of Toronto. Read his full discussion of this here: Mapping the Canadian Government’s Telecommunications Surveillance.

In the media, this story was first reported in the Chronicle Herald by Paul McLeod:

Ottawa has been spying on you

PAUL MCLEOD OTTAWA BUREAU

Published March 25, 2014 - 8:19pm

Last Updated March 25, 2014 - 8:54pm

Telecom firms handing over data without warrants

Telecommunications companies gave individual customer data to the Canada Border Services Agency over 18,000 times in one year.

This information includes the content of voice mails and text messages, websites visited and the rough location of where a cellphone call was made, according to government data.

For cases involving those types of requests, Canada Border Services sought a warrant for the information. But in the vast majority of releases, the agency asked for and received basic subscriber information without obtaining a warrant.

From April 2012 through March 2013, the agency asked telecoms for information 18,849 times. Of those, 99 per cent were for subscriber information that did not involve a warrant.

Telecoms handed over the data in all but 25 cases.

“I find that shocking,” said privacy expert David Fraser, a lawyer with McInnes Cooper in Halifax.

“If you cannot convince a judge or a justice of the peace or a magistrate that you are entitled to that information, then you should not be getting that information.”

Documents show Canada Border Services appears to have an agreement with telecoms wherein basic subscriber information is handed over without the need for a warrant.

According to the agency, this type of information includes “identity and address details provided to the (service provider) when the cellular account was created.”

This includes the name and address of a cellphone user, when the individual activated their phone, their account number and what kind of payment plan is used (such as if their device is prepaid or postpaid).

Canada Border Services requested this information 18,729 times during that fiscal year.

Other information requested included text message content (77 times), voice mails (10 times), geolocation requests (63 times), websites visited or IP addresses (78 times), transmission data (113 times) and cellphone logs (128 times).

The agency says information from telecoms is key to modern crime investigations.

Its parent department, Public Safety Canada, says that when agencies ask for information, “they do so in full respect of Canadian laws, which are some of the strongest in the world at protecting privacy.”

Public Safety says that while most information requires a warrant to obtain it, information such as a customer’s name and address carries “a lower expectation of privacy and, as such, may be requested (without a warrant) according to Canadian law.”

Subscribers are not normally notified if their information has been handed over to authorities.

Fraser, who authors a blog on Canadian privacy laws, said this arrangement violates citizens’ basic rights to privacy.

He said Canadians already rejected this kind of intrusion in the debate around Bill C-30, the government’s Internet surveillance bill. The Conservatives introduced but then killed the bill due to public backlash.

“We had all of that outrage because that piece of legislation would have legitimized this practice,” said Fraser.

“Even without that legislative cover, we have CBSA looking for this information, but even more outrageously getting it from telecommunications companies.”

Of the 25 times telecoms rejected information requests, some denials were due to phones no longer being active or a customer changing service providers.

The information given to Canada Border Services is kept for up to two years unless it is involved in criminal charges. In those cases, information is kept for up to seven years.

The RCMP, the Canadian Security Intelligence Service and Communications Security Establishment Canada were all asked by Parliament, via a member’s question, to provide the same details about such requests.

They all refused for different reasons.

The RCMP said it does not track how often it asks telecoms for information.

Communications Security Establishment Canada, in charge of foreign intelligence and securing Canadian government electronic information, said providing the information would reveal Canada’s intelligence capabilities. The body is prohibited from spying on Canadians.

The Canadian Security Intelligence Service, a spy agency that investigates suspected threats to Canadian security, admitted it may ask telecoms to provide “subscriber information and access to the content of communications.”

But CSIS said it is not allowed to provide such information because it would be a breach of national security.


I was also interviewed about this for Radio Canada International: Canadian’s private telecom information, not so private.

Tuesday, March 25, 2014

Interim Privacy Commissioner of Canada releases report on HRSDC/Student Loan privacy breach

The Interim Privacy Commissioner of Canada has today tabled in Parliament the report of her investigation into the loss of a portable hard drive that contained personal information of more than half a million student loan recipients by Human Resources and Skills Development Canada. (Previous posts can be found here.)

Here's her media release:

News Release: Investigation into hard drive loss highlights important lessons for all organizations to follow - March 25, 2014

OTTAWA, March 25, 2014 - The disappearance of a portable hard drive containing the personal information of 583,000 student loan recipients underscores the need to ensure that formal privacy and security policies are more than simply words on paper, an investigation has found.

The investigation by the Office of the Privacy Commissioner of Canada was launched after the hard drive was reported lost by Employment and Social Development Canada (ESDC), formerly Human Resources and Skills Development Canada.

An investigation report tabled in Parliament today details how the hard drive was left unsecured for extended periods of time; not password protected; and held personal information that was unencrypted. As well, employees handling the device were not aware of the sensitivity of the information stored on the device.

The report concludes that a gap between policies and practices at ESDC led to weaknesses in information management controls, physical security controls, and most importantly, the level of employee awareness of departmental policies and procedures.

“This incident should serve as a lesson for all organizations,” says Interim Privacy Commissioner Chantal Bernier. “Protecting personal information cannot be ensured by having policies on paper. Policies must be put into practice each and every day and monitored regularly.”

“We are pleased that ESDC has accepted all of our recommendations and has started taking the necessary steps to implement them. We hope this investigation will prompt other federal departments and private-sector organizations to review their own privacy policies and practices.”

The Office launched the investigation in January 2013 after ESDC reported that a portable hard drive containing a substantial amount of personal information had been missing for two months.

Despite extensive search efforts, the Department was unable to locate it or determine whether human error or malicious intent was responsible.

Staff of ESDC’s Canada Student Loans Program had used the department-owned, 1 terabyte hard drive to make a backup copy of program information stored in the central computer to ensure its preservation when that data was being transferred between networked drives.

The hard drive contained the Social Insurance Number, name, date of birth, home address, telephone number, loan amounts and balances for 583,000 clients of the loans program. It also included gender, language and marital status for some.

Because of failures in departmental practices, ESDC could not conclusively identify what information was on the portable hard drive or when it had been last updated.

Nonetheless, ESDC says that no evidence has yet emerged that the personal information potentially stored on the hard drive has been accessed or used for fraudulent purposes.

The investigation found that ESDC employees had contravened sections of the Privacy Act — Canada’s federal public sector privacy law — related to the use, disposal and disclosure of personal information.

ESDC has accepted all 10 of the Commissioner’s recommendations and has already made significant steps in implementing some, including:

  • Severely restricting the use of portable storage devices and introducing system software which blocks the use of any such devices on desktop computers without specific authorization;
  • Periodically examining portable storage devices to ensure they are being used solely for the authorized reasons;
  • Reviewing all materiel holdings, disposing of transitory records and classifying remaining records at the appropriate security level; and
  • Instigating a new integrated learning strategy which focuses on the protection of personal privacy and includes mandatory participation for all employees and mandatory testing every two years.

The Office of the Privacy Commissioner of Canada will follow up in one year to confirm ESDC’s progress in implementing the recommendations.

“To effectively mitigate privacy risks, there must be a synergy between privacy and security controls. Implementation of such controls will help ESDC — and all organizations — to properly protect the personal information that Canadians entrust to them,” says Interim Commissioner Bernier. “To further address broader systemic issues, we are conducting an audit of the use of portable storage devices by selected federal organizations, and we have just released some new tips for organizations on this issue.”

About the Office of the Privacy Commissioner of Canada

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two federal laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to organizations engaged in commercial activities in the Atlantic provinces, Ontario, Manitoba, Saskatchewan and the Territories. Quebec, Alberta and British Columbia each has its own law covering the private sector. Even in these provinces, PIPEDA continues to apply to the federally regulated private sector and to personal information in interprovincial and international transactions.

Wednesday, March 19, 2014

Ann Cavoukian, Ontario's Information and Privacy Commissioner, to lead Ryerson University institute at the conclusion of her third term

Ontario's well-regarded Information and Privacy Commissioner, Ann Cavoukian, is stepping down at the conclusion of her unprecedented third term, but is then stepping across town to take a prestigious new position at Ryerson University as the Executive Director of the Ryerson University Institute for Privacy and Big Data.

From the media release:

Office of the Information and Privacy Commissioner/Ontario | Ontario Information and Privacy Commissioner, Dr. Ann Cavoukian, appointed Executive Director of the Ryerson University Institute for Privacy and Big Data

TORONTO, March 19, 2014 /CNW/ - Ryerson University today announced the appointment of Ontario's Information and Privacy Commissioner, Dr. Ann Cavoukian, as the Executive Director of the new Ryerson University Institute for Privacy and Big Data. Currently a distinguished visiting professor at Ryerson, Dr. Cavoukian's appointment will take effect at the conclusion of her unprecedented third term as Commissioner, on July 1, 2014.

"It has been an honour to serve as the Information and Privacy Commissioner for the past three terms, spanning over 15 years. Together with my hardworking and devoted staff, we have built a world-class agency, renowned for our innovation and leadership in access and privacy. We are grateful for the support of the many Ontarians who have shared with us their appreciation for the work we do and the impact we have had," says Dr. Cavoukian. "Having advised the Legislature that I would not be considering a fourth term as Commissioner (three is more than enough!), I am delighted to be able to pursue my passion for preserving privacy, well into the future, with such a progressive university as Ryerson."

Big Data - the acquisition, storage, processing, analysis and use of large data sets - has the potential to enable innovations and facilitate critical social interests with impacts felt at every level, from invaluable discoveries in health research, to mapping of human behaviour in the digital world, to management of natural resources. Ryerson's cross university Big Data Initiative (BDI) focuses on developing new tools and applying those tools to advance organizational performance across sectors. BDI brings together existing centres that collaborate with industry partners to drive the development of new Big Data based products and services, including Ryerson's Centre for the Study of Commercial Activity, Ryerson's Centre for Cloud and Context Aware Computing, and the Data Science Laboratory. The new Institute for Privacy and Big Data will help ensure privacy is considered at every stage of the process.

"The Institute for Privacy and Big Data will bring together experts from both within the university and beyond, to develop new ways to protect and promote people's privacy in the digital age," says Mohamed Lachemi, provost and vice president academic. "I would like to welcome world renowned privacy expert Dr. Cavoukian to Ryerson to lead this new initiative. I know her knowledge and expertise will have immediate impact and be of immeasurable benefit to our students."

The new Institute for Privacy and Big Data, housed within Ryerson's Faculty of Science, is an important component of the university's strategy, demonstrating how to harness the power of Big Data in ways that fully respect privacy. The Institute's main objectives include:

  • Promote the development of technologies that analyze data within an appropriate context and privacy-protective sphere, and applying those technologies in a positive-sum manner to the various sectors of Big Data in order to improve upon the value and utility of the associated analytics, all while strongly protecting the privacy of data-subjects.
  • Provide an educational platform to disseminate the techniques and procedures of privacy enhanced Big Data analytics through research programs.
  • Provide an incubation platform for start-up companies to utilize these technologies for new markets and applications, uniquely positioning them as Privacy by Design applications, delivering both privacy and Big Data analytics.

Ryerson's existing Privacy and Cyber Crime Institute (currently within the Ted Rogers School of Management) and the research conducted within it, including areas such as workplace privacy, data breaches, identity theft and online privacy, will become part of the new Institute under Dr. Cavoukian's leadership. The new Institute will serve as a hub for Ryerson students, faculty and staff engaged in data-driven training, discovery, innovation and commercialization.

Dr. Cavoukian will take the helm of the new Ryerson Institute for Privacy and Big Data effective July 1, with an official launch to follow in the 2014-15 academic year.

About Dr. Ann Cavoukian

Ontario's Information and Privacy Commissioner, Dr. Ann Cavoukian, is recognized as one of the leading privacy experts in the world. An avowed believer in the role that technology can play in protecting privacy, her ground-breaking 1995 paper with the Netherlands, on advancing privacy protection through the pursuit of privacy-enhancing technologies (PETs), is now part of the industry lexicon. Dr. Cavoukian is best known as the creator of Privacy by Design, which was unanimously approved as an international standard for privacy protection by the International Assembly of Privacy Commissioners and Data Protection Authorities at their annual conference in 2010 in Jerusalem. Since then, Privacy by Design has grown exponentially, having been operationalized in nine application areas and translated into 35 languages.

About Ryerson University

Ryerson University is Canada's leader in innovative, career-oriented education and a university clearly on the move. With a mission to serve societal need, and a long-standing commitment to engaging its community, Ryerson offers more than 100 undergraduate and graduate programs. Distinctly urban, culturally diverse and inclusive, the university is home to more than 38,000 students, including 2,300 master's and PhD students, nearly 2,700 faculty and staff, and more than 155,000 alumni worldwide. Research at Ryerson is on a trajectory of success and growth: externally funded research has doubled in the past four years. The G. Raymond Chang School of Continuing Education is Canada's leading provider of university-based adult education. For more information, visit www.ryerson.ca

Thursday, March 06, 2014

Demanding transparency from Canadian telcos: still very murky

In January, the fine folks at the Citizen Lab made some very in-depth inquiries of Canadian telecommunications providers asking about the practices of providing customer information to law enforcement and national security agencies. According to a post on the Citizen Lab's website, ten companies have responded showing a huge range of responsiveness. Check out their post: The Murky State of Canadian Telecommunications Surveillance - The Citizen Lab.