Friday, May 30, 2014

Facebook "sponsored stories" class action certified

Today, the British Columbia Supreme Court certified a class action against Facebook Inc. in connection with the "sponsored stories" feature of the web platform.

Here is the decision, which I expect will be published on the court's website shortly: Douez v. Facebook, Inc., 2014 BCSC 953.

Most interestingly, the Court determined that the choice of law and forum selection clauses in the Facebook terms of service did not necessarily preclude the lawsuit from going ahead in BC because the Privacy Act provides that all claims under the statute are to be heard by the Supreme Court of BC.

Thursday, May 29, 2014

CRTC seeking comments on set top boxes, audience measurement and privacy

I just spoke with a friend at the CRTC who alerted me to the following ongoing consultation which has an interesting privacy angle. As part of a much broader consultation on broadcasting in Canada, the CRTC is looking for comments and input about the public policy and privacy issues that are related to the use of data gleaned from set top boxes. Those are the smart devices that turn your cable or broadcast signal into something your TV understands, but they are increasingly sophisticated computers that can also provide information back to the cable company about what shows are being watched. While this is obviously useful for a number of purposes, those purposes are not well known. In addition, the extent to which Canadian TV distributors engage in this practice is not well known, either.

Here's the relevant excerpt from the notice:

Broadcasting Notice of Consultation CRTC 2014-190

Enhanced audience measurement using set-top boxes

98. The Commission considers that the Canadian television industry should have access to appropriate tools to effectively respond to changes in the industry and to the needs and interests of viewers. Data from set-top boxes (STBs) could be such a tool as it can be used to measure viewing levels of programs more accurately. This could improve the industry’s ability to provide viewers with the programming they want to watch and the information they need to make informed choices. It could also serve to increase revenues flowing to program creators.

99. Tom Pentefountas, Vice-Chairman, Broadcasting, carried out a fact-finding exercise in early 2014 on the possible use of STBs for audience measurement. A wide range of stakeholders provided information about current approaches to audience measurement and STB technology. A number of stakeholders also raised public policy issues relating to the relationship between audience measurement techniques and privacy, and the availability of STB information in the context of an industry in which some parties are vertically integrated and others are not.

100.STB-based data is currently being collected and used in Australia, UK and the U.S. and, to a more limited extent, in Canada.

101.The collection of STB data is an area in which VI companies may have an advantage to the extent that they share STB data received from their BDUs with the television programming services that they also own. Large broadcasters also have access to a large amount of useful and relevant data from existing audience measurement services such as BBM. In contrast, smaller services and those targeting niche audiences, especially those not operated by VI companies, may not have access to equivalent data either from STBs or from BBM.

102.The privacy of individuals is a paramount consideration and must be maintained. How best to achieve this goal is an important issue and raises additional matters related to viewer consent as well as the gathering and storage of personal information.

Questions

103. The Commission invites parties to respond to the following questions, making reference to the English- and French-language markets as appropriate.

Q49. Should an STB-based audience measurement system be implemented in Canada?

Q50. The Commission invites parties to propose a concrete model for the establishment of an STB-based audience measurement system that maintains the privacy of individual Canadians.

Q51. What role, if any, should the Commission play in enabling a STB-based audience measurement system?

Q52. What data points can and should be collected?

Q53. What methodology should be used to collect data?

Q54. If the Commission were to enable the collection and use of such data, what privacy protection methods should be established?

Q55. What technical matters must be resolved to establish an STB-based audience measurement system?

Q56. What governance model should oversee the operation of such a system?

Q57. Does the establishment of an STB-based audience measurement system have implications for resources, funding and cost recovery? If so, what are those implications?

The deadline for comments is June 29, 2014.

Wednesday, May 28, 2014

Prime Minister names DOJ's top national security and law enforcement lawyer as next Privacy Commissioner of Canada

The Prime Minister has tapped Daniel Therrien to be the next Privacy Commissioner of Canada. Mr. Therrien is a long-serving lawyer with the Department of Justice. Here is the announcement:

PM NOMINATES NEXT PRIVACY COMMISSIONER

Introduction

Prime Minister Stephen Harper today announced the nomination of Daniel Therrien as the next Privacy Commissioner.

Mr. Therrien is currently Assistant Deputy Attorney General, Public Safety, Defence and Immigration Portfolio, at the Department of Justice. He began his career as Counsel to the Department of the Solicitor General of Canada, the Correctional Service of Canada and the National Parole Board. He subsequently went on to hold positions of increasing scope, complexity and responsibility, including Senior General Counsel and Director, Citizenship and Immigration Legal Services, at the Department of Justice; Director General, Refugee Policy, at Citizenship and Immigration Canada; and Manager, Legal Strategy and International Law, at the Department of Justice. Mr. Therrien holds a Bachelor of Arts and a Licence en droit from the University of Ottawa. He has been a member of the Quebec Bar since 1981.

As set out in the Privacy Act, this appointment must be approved by resolution of the Senate and House of Commons. In addition, pursuant to House of Commons Standing Order 111.1, the Government will be tabling this nomination for referral to the appropriate Standing Committee.

The Prime Minister took the opportunity to thank Chantal Bernier, who has been serving as Interim Privacy Commissioner since December 3, 2013, for her dedication and service to Canadians.

Quick Facts

The Office of the Privacy Commissioner was created in 1977 under the Canadian Human Rights Act, Part IV. The Privacy Act, which currently governs the functions of the Office of the Privacy Commissioner, was adopted in 1983.

As an Agent of Parliament, the Privacy Commissioner oversees compliance with both the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act, Canada’s private sector privacy law. The mission of the Office of the Privacy Commissioner of Canada is to protect and promote the privacy rights of individuals.

Quote

“­­­­­­­­­­I am pleased that Daniel Therrien has agreed to be nominated for the position of Privacy Commissioner. He is a well-qualified candidate who would bring significant experience in law and privacy issues to the position.” – Prime Minister Stephen Harper

Related Product

Biographical Notes: Daniel Therrien



I expect his appointment will be controversial as he has been the Assistant Deputy Attorney General with Justice Canada, responsible for providing advice to the following departments and agencies, most of which have been in the government surveillance crosshairs as of late:

  • Canada Border Services Agency
  • National Security Litigation and Advisory Group
  • Citizenship and Immigration Canada
  • Communications Security Establishment, Legal Services
  • Correctional Service Canada
  • Crimes Against Humanity and War Crimes Section
  • National Parole Board to Parole Board of Canada
  • National Defence and Canadian Forces, Legal Services
  • Public Safety Canada, Legal Services
  • Royal Canadian Mounted Police

This a politically bold choice that likely serves to reinforce that the government will not be changing its position regarding national security and law enforcement. It will be interesting to see the reaction to this appointment and to see whether the Office of the Privacy Commissioner of Canada, under his leadership, will continue to take a leadership role in advocating for privacy with respect to law enforcement and national security activities.

Only time will tell ...

Wednesday, May 07, 2014

Liz Denham calls for health privacy law for BC

The Information and Privacy Commissioner of British Columbia, Liz Denham, is calling for a health privacy law for the province, to replace the overlapping current laws that regulate pesonal information in that sector. From The Province: B.C. needs better health privacy laws to keep up with technology: watchdog.

Monday, May 05, 2014

My opening statement to the House of Commons Justice and Human Rights Committee on Bill C-13

Apparently my testimony tomorrow at the House of Commons Justice and Human Rights committee on Bill C-13, the Protecting Canadians from Online Crime Act will not be webcast. Nor will it be on C-PAC or available on Pay Per View at your local arena. So, in case you are interested in what I plan to say, here you go ... (subject to tweaking as I finalize the text)

Introduction

Thank you very much for providing me with the opportunity to speak with you today.

For the purposes of introduction, my name is David Fraser. I’m a partner with the Atlantic Canadian law firm McInnes Cooper, but I do need to emphasise that I am here speaking as a private individual and my comments should not be attributed to my firm, its clients or any other organization with which I am affiliated.

I have been practicing internet and privacy law for over a dozen years. I have represented a range of clients over the years, including victims of cyberbullying, victims whose intimate images have been posted online, and I have represented and advised service providers.

Most notably, I was part of a team at my firm that took the case of a 15 year old victim of cyberbullying to the Supreme Court of Canada, pro bono. This was the first time that the Court had the opportunity to consider the phenomenon of cyberbullying and the unanimous Court came out very strongly to protect the interests of the victim of sexualized cyberbullying.

I have also advised people who have been accused of cyberbullying. I hope that this experience from a number of different perspectives will provide this Committee with some assistance in its important task of considering Bill C-13.

Bill C-13 as a whole

I am disappointed that Bill C-13 combines two very different but related matters: the dissemination of intimate images, on one hand, and law enforcement powers more generally, on the other hand. Both aspects raise very important issues that merit close scrutiny but we are seeing that debate about police powers is overshadowing the discussion of cyberbullying.

That said, we have one bill in front of us and I’m pleased to provide you my thoughts.

Intimate Images

It has been suggested that Bill C-13, if it had been in force, could have saved Amanda Todd and Rehtaeh Parsons. That makes a good soundbite, but the world is much more complicated than that. Creation, possession and dissemination of child pornography is already a crime. So is the creation, possession and dissemination of voyeurism images. So is extortion. So is criminal harassment.

That said, there is a gap that we should fill: the malicious dissemination of intimate images without the consent of the person depicted in them.

We need to be very careful about how we craft this offence. The current reality is that young people and adults, whether we like it or not, take photos of themselves and voluntarily share them with intimate partners. Those digital images can easily be spread around without the consent of the of the person depicted.

We want to criminalize the boyfriend who posts pictures of his ex-girlfriend online without her consent -- so-called “revenge porn”. We want to criminalize the actions of the person who forwards around images of current or former intimate partners. In each of those cases, the individual would know -- or ought to have known -- whether they had the consent of the person depicted in the image.

But we shouldn’t inadvertently criminalize behaviour that is not blameworthy: someone finds a picture online of someone naked and forwards it to a friend. That person knows nothing about the circumstances in which the photo was taken. It could be a professional model. The photo may have been posted by the person in the photo herself. There’s no way to tell whether consent was obtained, whether there was any expectation of privacy at the time the photo was taken and the individual has no way of determining this.

The real challenge arises when addressing third parties who do not know the person depicted in the image, nor do they know the circumstances under which the image was taken. The provisions in the bill use a “recklessness” standard, which in my view is too low. Recklessness applies where a person should have looked into it but decided to be “willfully blind”. However, given the huge amount of naked images online, it is not possible to “look into it.”

This is especially important for online service providers who have no way of knowing and no way of finding out the circumstances under which an image was taken or uploaded.

We need to be especially attentive to crafting the law so that it will survive a challenge in the Courts and “recklessness” poses the risk of having the law struck down or making criminals out of people who are not truly blameworthy.

Police powers

Transmission data

Bill C-13 creates a “Production Order for Transmission Data” (section 487.016) and a “Warrant for Transmission Data Recorders” (section 492.2). It has been said that the purpose of the transmission data provisions of the Bill is to extend the current police powers -- that are coupled with judicial oversight -- related to telephony information to the internet age, without significantly extending the status quo.

While this may be a reasonable objective, this must be done very carefully because “transmission data” is significantly different from traditional telephony signalling data.


With conventional telephony, “transmission data” refers to the number called from, the number called, whether the call was completed and the duration of the call. In the internet context, the amount of information and what it reveals is dramatically different. It would include the IP address of the originating computer, information about the computer, the browser or other program being used, the internet communications protocol being used (web surfing, file transfer, peer-to-peer, voice over IP, video conferencing, etc.), the IP address or domain name of the server or computer being communicated with, URL of the page visited and whether the transmission was completed. An interception of “transmission data” would tell law enforcement agencies whether the target of the surveillance was visiting a search engine (and possibly what is searched for), an encyclopaedia (and again, what is being viewed), a poker site or a medical site. Furthermore, the data will also provide greater insight into the likely physical location of the surveillance target. This is a dramatic expansion of the information provided compared to traditional telephone communications.

Individuals use computer assisted communications in a very different manner than the telephone system. A telephone call is usually a singular event that creates one small packet of transmission data. A browsing session will create a new packet for each page or site visited, which amounts to many, many packets during a session. And information about what sites are visited and in what sequence also communicate -- by inference -- information about the content of that communications. Finally, individuals use web browsers for many purposes that go well beyond the traditional uses of telephones.

Even with the express exclusion of “content” from the definition, transmission data may provide insight into the content of the communications. And in any event, internet transmission data will provide law enforcement agencies with information that goes to the biographical core of the target of the surveillance, which triggers a need for heightened legal protections under s. 8 of the Charter.

The increased privacy intrusion represented by these new law enforcement powers can be mitigated in either of the following two ways:

(a) the extension of the current lawful access to telephony transmission data to other forms of transmission data should be accompanied by a higher threshold: from “reasonable grounds to suspect” to “reasonable grounds to believe”; or

(b) the definition of “transmission data” should be refined to strictly limit the scope of what is included so that it much more closely tracks telephony transmission data.

Notice to the affected individuals

On important element is missing from all of this … the individual whose information is being sought. I am of the view that the police or government agency seeking information about an individual should inform him or her as soon as doing so would not prejudice the lawful investigation. This should be no later than six months after the information is sought, unless a judge orders otherwise.

Immunity

The immunity provisions in the new s. 487.0195 are gravely problematic. This is a very cleverly drafted provision. We are told that this is simply “for greater certainty”, but everything we know suggests otherwise. It says you will not be liable for handing over any data that you are not prohibited by law from handing over, and if you do so you are civilly immune.

Only the criminal law creates real legal prohibitions. Handing over data might not be a criminal offense, but it may create civil liability. This civil liability is there for a reason. I may not be legally prohibited from accidentally - emphasis on “accidentally” -- hitting your car with mine, but I certainly should be liable to pay for the harm that I cause. This is an incentive for me to pay attention when I am driving. Likewise, service providers should have to think about all the interests involved before handing over data, willy-nilly. This provision should be removed. It cannot be fixed and will only encourage over-reaching by law enforcement.

This is not simply providing needed clarity, but taking rights away from citizens.

While we don’t have Bill S-4, the Digital Privacy Act, in front of us, I am concerned that we are weakening Canadians’ privacy under the guise of protecting it. While this immunity provision tells service providers, “it’s OK, hand it over”, the new provisions in S-4 underscore that and seem to allow any business to hand over customer information to police, government and other businesses without any due process and without any notice to the affected individual. This is a very regressive step

Thursday, May 01, 2014

We seriously need transparency about law enforcement demands

Earlier this week, Interim Privacy Commissioner Chantal Bernier dropped a bombshell: Law enforcement agencies asked nine Canadian telcos for personal information 1.2 MILLION times and received data in more than three quarters of those cases. On its face, that number is staggering. It appears even more staggering when you figure that this is only a sub-set of Canadian telcos. But these numbers say virtually nothing about what kind of information we're talking about, what kinds of requests are made, under what circumstances, how many of them are with a warrant and how many are without, how many are based on intrusive and judicially unaccountable orders such as those under the Income Tax Act and the Customs Act? How many relate to the administration of laws, how many relate to law enforcement and how many are for national security purposes?

We know that hundreds of times a year, Canadian telcos provide private customer information to the police without a warrant under a protocol that I believe to be unlawful. (We'll see what the Supreme Court of Canada ultimately has to say about this practice in R v Spencer heard in December of last year.) We also know that not all telcos have adopted this protocol.

In this post-Snowden age and without credible information, we simply assume the worst and -- too often -- these assumptions are borne out.

In response, some telcos are providing some very general information (In my neck of the woods, Atlantic Canada's largest telcos, Bell Aliant and Eastlink both say they don't provide private information without a warrant or other legal compulsion.) But they are generally tight-lipped about what information they can provide, citing that it is law enforcement sensitive.

When the industrious researchers at the Citizen Lab tried to get this information from telcos directly, they were largely told to ask the government. MP Charmaine Borg, when trying to get clear information from federal law enforcement agencies, only received a paltry amount of data.

I don't buy it. And I can't accept it. We saw a huge furore over warrantless access to subscriber information when the federal government proposed Bill C-30. We're seeing a big fuss over this revelation related to the 1.2 million requests. We're about to start debating the new cyberbullying act that revives much of C-30's "lawful access" and we're ramping up to debate S-4, the Digital Privacy Act which extends voluntary disclosures of sensitive personal information beyond law enforcement. We cannot have an informed and educated debate about these incredibly important topics without real information.

So why aren't telcos and law enforcement agencies coming clean? We saw Google take the lead with its Transparency Report, which has been followed by other technology companies including as Twitter and Facebook. The list of companies actually includes telecommunications companies such as AT&T and Time Warner Cable in the US and Telstra in Australia [PDF]. But, to my knowledge, no Canadian company provides any data akin to a transparency report. Do government and law enforcement agencies want us to be in the dark? The cynic in my is starting to think so.

We need more transparency and accountability. We need one Canadian telco to take the courageous first step of producing a comprehensive transparency report, with full details of its methodology and terminology so that other telcos can step out of the shadows and provide comparable useful data. It's probably in their interests, since the speculation that is swirling around is likely worse than the reality. I don't know how or when a Canadian telco will step up, but Canadians should be calling on their providers to come clean with this information.