Tuesday, January 31, 2006

Missouri shuts down call record vendor

The Attorney General of Missouri has been successful in his effort to get a restraining order to prevent Locatecell.com from selling phone records of Missouri residents. See: Missouri Shuts Down Locatecell.com.

In related news, Verizon got a similar order from a federal judge in Trenton, NJ. See: Verizon wins injunction in privacy fight: Financial News - Yahoo! Finance.

Technorati tags: :: :: :: :: .

Australia to review privacy laws

The Attorney General of Australia has asked the Law Reform Commisison of that country to undertake a comprehensive review of the existing privacy laws, particularly with reference to changes in technology that have taken place since the existing Privacy Act became the law in 1988. See: Privacy laws to be reviewed. 01/02/2006. ABC News Online.

Don't keep the data that you don't need

The recent controversey over subpoenas of high-profile search engines has spurred a lot of discussion about what search engines know about you. For example, John Battelle was able to get confirmation from Google of what a lot of people have probably always suspected:

1) "Given a list of search terms, can Google produce a list of people who searched for that term, identified by IP address and/or Google cookie value?"

2) "Given an IP address or Google cookie value, can Google produce a list of the terms searched by the user of that IP address or cookie value?"

I put these to Google. To its credit, it rapidly replied that the answer in both cases is "yes." Just FYI.

What else does Google know? Given that Google operates

  • one of the most widely used advertising networks,
  • one of the most widely used webmail services,
  • one of the most widely used mapping services,
  • one of the most widely used website statistics services,
  • one of the most widely used browser toolbars,
  • one of the most widely used news aggregators,
  • one of the most widely used online group services,

they know a heck of a lot. Every time you visit a site that uses adwords, your computer connects to google and tells them what you're viewing and probably what got you there. And all this can be matched by your google cookie or your IP address.

The question is, other than for personalized services, why should a company maintain information that is personally identifiable? Why keep logs that have your ip address down to the last digit when the same value can be obtained from the data by only keeping the first three units (192.168.168.* compared to 192.168.168.111)? The level of trust that consumers have for companies like Google is eroding and businesses should take heed of this. If you don't need the information in personally identifiable form, don't keep it.

It will not be long before the cost of keeping this stuff is prohibitive if you have to spend valuable personel time responding to subpoenas. I can imagine the FBI or some other three-letter-agency having a form subpoena that will seek all the records from Google, Yahoo!, DoubleClick and others about the supposed "owner" of a suspicious IP address. What did you search for? What did you read? When were you online? All this info is mantained by a small handful of companies.

UPDATE: While you're thinking about this, check out Google's data minefield by Mark Rasch (via robhyndman.com).

Technorati tags: :: :: :: :: :: :: ::

How to handle an inappropriate disclosure of personal information

Over at eLegal Canton, David Canton is discussing the lessons to be learned from an incident reported on Techdirt about an individual who was sent 34 other credit cards along with his own:
First - as we have seen many times before, a prompt and proper response to any alleged privacy breach is crucial. Every person in every business that has customer contact must be trained to spot privacy issues, and immediately bring them to the attention of the business's privacy officer.

Second - what should be the proper response when something like credit cards or documents with personal information is sent to the wrong person? Is telling them to cut them up or shred them sufficient? Or should they request they be returned? At least if they are returned, the business will know exactly what was sent.

Technorati tags: :: :: ::

Monday, January 30, 2006

Sunday, January 29, 2006

IP addresses are personal information

Adam Fields' blog has a good post about the "big fuss" over IP addresses, which is particularly relevant in light of the fight over search logs and subpoenas from the US Department of Justice:

Adam Fields (weblog) - What's the big fuss about IP addresses?:

Given the recent fuss about the government asking for search terms and what qualifies as personally identifiable information, I want to explain why IP address logging is a big deal. This explanation is somewhat simplified to make the cases easier to understand without going into complete detail of all of the possible configurations, of which there are many. I think I've kept the important stuff without dwelling on the boundary cases, and be aware that your setup may differ somewhat. If you feel I've glossed over something important, please leave a comment.

First, a brief discussion of what IP addresses are and how they work. Slightly simplified, every device that is connected to the Internet has a unique number that identifies it, and this number is called an IP address. Whenever you send any normal network traffic to any other computer on the network (request a web page, send an email, etc...), it is marked with your IP address....

I don't think there can be much doubt that an IP address is "personal information" for the purposes of PIPEDA or the Personal Information Protection Acts of BC and Alberta, particularly as it appears in a server log. The information does not have to "identify" an individual, but must be "information about an identifiable individual". George Radwanski, when he was federal Privacy Commissioner held, in Case Summary #25, that a PC's NetBIOS information is "personal information" for the purposes of PIPEDA because it can lead to iformation that is traceable to an identifiable individual. Whether that interpretation would hold up in court is debateable, but any business in Canada should proceed on the assumption that a user's IP address is their personal information.

Technorati tags: :: :: :: :: ::

Database on sellers of used goods upsets Ontario Privacy Commissioner

The Ontario Privacy Commissioner is up in arms over the growing requirement that citizens hand over their ID and get entered into police databases to engage in entirely legal conduct, such as sell used stuff to second-hand stores. According to the Toronto Star, the Commissioner has made inquiries after hearing of a new bylaw in Oshawa that would require those selling to pawn shops to provide three pieces of government-issued ID (I'm not sure I even have three pieces of government-issued ID). All the information is entered into a database that is handed over to the local police, along with the photo of the vendor.

Here's the gist:

TheStar.com - Database on goods sold angers privacy watchdog

The privacy commissioner says she was spurred to investigate after reading a Toronto Star story about a legal battle between the 24-store franchise chain Cash Converters Canada Inc. and the City of Oshawa.

"It opened my eyes to all this stuff that was going on," says Cavoukian. "From privacy perspective this is extremely invasive, and who pays the price for this erosion of rights? It's the average lay person; you and I. The people contemplating crimes, selling (stolen) goods to these shops, are going to learn of this and they are going to use fake ID."

On Monday, Cash Converters asked the Superior Court of Justice to quash amendments to an Oshawa bylaw that would require it to send clients' personal information in electronic format to Durham Regional Police Services, and to pay Oshawa up to $1 per transaction to cover the cost of storing and inspecting data. (A lawyer for the city says Oshawa has no contract yet with BWI to store data.)

Justice Edward P. Belobaba reserved judgment on Monday after lawyer David Sterns presented his multi-pronged attack on the bylaw, but the judge promised a ruling shortly.

He warned Sterns he was not impressed by the argument that a municipality does not have constitutional authority to help police enforce the criminal code offence of possession of stolen property.

The court received a factum from the Ministry of the Attorney General in support of Oshawa's authority, within the umbrella of provincial responsibility, to raise a barrier to criminals and protect local shop owners and their customers from acquiring stolen property, a criminal offence. Belobaba spent more time exploring the arguments that Oshawa would be collecting an improper tax if it collected an unsupported fee per transaction that could cost the local Cash Converters franchisee more than $8,000 a year.

After some discussion, Belobaba also heard Stern's argument that the bylaw would force shop owners to breach federal and provincial privacy laws that require informed consent about the use of private information.

Cavoukian said she is only at the preliminary stages of exploring her concerns about privacy in second-hand shops. She said she sent letters by courier to Oshawa's mayor, clerk and director of legal services on Wednesday.

Oshawa's bylaw will require local shops to request three pieces of government identification from customers selling used goods, including one with a photograph. Shops would then have to copy the photograph digitally, and send it electronically to the police along with a description of the goods sold, the seller's name, address and telephone number, gender, birth date and approximate height.

"Where is (their) legal authority to collect this information?" asks Cavoukian, who reports directly to the speaker of the provincial legislature. "I want them to demonstrate this to me."

Previously, Oshawa shop owners were only required to keep paper record of the names, addresses and a description of customers who sell goods, to make it available to police for inspection, and to report daily to police on items purchased.

Cavoukian says it's one thing for a shop to acquire your personal information in order to stay in touch, or for the police to collect information if you have done something wrong. But she says it's quite another thing for police to get your information if you are just trying to get rid of some clutter around the house.

"Once it gets on a police database, do you really think it's going to get destroyed?" she asks rhetorically. "In this day and age, you don't want your name and address improperly in any database. It could potentially be harmful out of context."

Technorati tags: :: ::

Incident: Rhode Island gov't website hacked

According to the Associated Press, the Government of Rhode Island's online services website has been hacked, leading to the compromise of up to 53,000 credit card numbers. Check it out: SignOnSanDiego.com > News > AP News.

Thanks to Techdirt for the link: Techdirt:Will The Government Now Fine Itself For Leaking Credit Card Data?.

Technorati tags: :: :: :: :: ::

Saturday, January 28, 2006

How much privacy can politicians expect?

After the soon-to-be Prime Minister, Stephen Harper, was spotted at an Ottawa hospital overnight, there is some discussion in the media about how much privacy a Canadian politician can expect. In this day and age, the answer is likely less and less.

Check out The Globe and Mail: We get more info about George Bush's health than our own leaders' and Harper's aides vow to be more open about his health.

Technorati tags: :: :: :: ::

NYT on surveillance technology

The New York Times, in the last couple of days, put out a special outlook section on technology that includes two interesting articles on privacy and technology. Check 'em out:

Technorati tags: :: ::

RFID Cartoon

Thanks to for leading me to this great .

It's funny because it's true.

Thursday, January 26, 2006

Majority of internet users have no clue about what's collected about them when they search

The latest fuss over MSN and Yahoo! handing over information to the US Department of Justice spurred on the Ponemon Institute to find out what ordinary internet users know about their own personal data trail. Well, 77% have no clue that companies like Google collect information that can be traced back to them.

The obvious lesson from this? Internet users are, on average, clueless.

But what does that really mean to your business? Don't assume they are savvy enough to know what information your organization collects, uses and discloses. Implied consent is, in many cases, a fallacy because you simply cannot assume that they know what's going on. You need to tell them. And, in my experience, the more open, honest and forthright you are, the more otherwise suspicious customers will trust you. It's strange, but true.

See The Register's summary of the survey: 77% of Google users don't know it records personal data.

Technorati tags: :: .

Record, punitive fine for Choicepoint's data disaster

The FTC has imposed a record-breaking $10 million dollar penalty on ChoicePoint after the very high-profile incident that saw criminals obtain the personal information of 163,000 Americans. The FTC also ordered that the company pay an additional $5 million to compensate affected individuals.

This one incident has cost the company untold millions. They have paid lawyers, consultants, paid for credit monitoring for each affected individual, paid to deal with the investigation, paid to deal with the media, their share value has tanked and is only just recovering. I don't really think there is a better example for the proposition that bad security and bad privacy are bad for business.

Check out the FTC press release:

Choicepoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress:

For Release: January 26, 2006

Choicepoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress

At Least 800 Cases of Identity Theft Arose From Company’s Data Breach

Consumer data broker ChoicePoint, Inc., which last year acknowledged that the personal financial records of more than 163,000 consumers in its database had been compromised, will pay $10 million in civil penalties and $5 million in consumer redress to settle Federal Trade Commission charges that its security and record-handling procedures violated consumers’ privacy rights and federal laws. The settlement requires ChoicePoint to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish and maintain a comprehensive information security program, and to obtain audits by an independent third-party security professional every other year until 2026.

“The message to ChoicePoint and others should be clear: Consumers’ private data must be protected from thieves,” said Deborah Platt Majoras, Chairman of the FTC. “Data security is critical to consumers, and protecting it is a priority for the FTC, as it should be to every business in America.”

ChoicePoint is a publicly traded company based in suburban Atlanta. It obtains and sells to more than 50,000 businesses the personal information of consumers, including their names, Social Security numbers, birth dates, employment information, and credit histories.

The FTC alleges that ChoicePoint did not have reasonable procedures to screen prospective subscribers, and turned over consumers’ sensitive personal information to subscribers whose applications raised obvious “red flags.” Indeed, the FTC alleges that ChoicePoint approved as customers individuals who lied about their credentials and used commercial mail drops as business addresses. In addition, ChoicePoint applicants reportedly used fax machines at public commercial locations to send multiple applications for purportedly separate companies.

According to the FTC, ChoicePoint failed to tighten its application approval procedures or monitor subscribers even after receiving subpoenas from law enforcement authorities alerting it to fraudulent activity going back to 2001.

The FTC charged that ChoicePoint violated the Fair Credit Reporting Act (FCRA) by furnishing consumer reports – credit histories – to subscribers who did not have a permissible purpose to obtain them, and by failing to maintain reasonable procedures to verify both their identities and how they intended to use the information.

The agency also charged that ChoicePoint violated the FTC Act by making false and misleading statements about its privacy policies. Choicepoint had publicized privacy principles that address the confidentiality and security of personal information it collects and maintains with statements such as, “ChoicePoint allows access to your consumer reports only by those authorized under the FCRA . . . ” and “Every ChoicePoint customer must successfully complete a rigorous credentialing process. ChoicePoint does not distribute information to the general public and monitors the use of its public record information to ensure appropriate use.”

The stipulated final judgment and order requires ChoicePoint to pay $10 million in civil penalties – the largest civil penalty in FTC history – and to provide $5 million for consumer redress. It bars the company from furnishing consumer reports to people who do not have a permissible purpose to receive them and requires the company to establish and maintain reasonable procedures to ensure that consumer reports are provided only to those with a permissible purpose. ChoicePoint is required to verify the identity of businesses that apply to receive consumer reports, including making site visits to certain business premises and auditing subscribers’ use of consumer reports.

The order requires ChoicePoint to establish, implement, and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of the personal information it collects from or about consumers. It also requires ChoicePoint to obtain, every two years for the next 20 years, an audit from a qualified, independent, third-party professional to ensure that its security program meets the standards of the order. ChoicePoint will be subject to standard record-keeping and reporting provisions to allow the FTC to monitor compliance. Finally, the settlement bars future violations of the FCRA and the FTC Act.

This case is being brought with the invaluable assistance of the U.S. Department of Justice and the Securities and Exchange Commission.

The Commission vote to accept the settlement was 5-0.

NOTE: A stipulated final judgment and order is for settlement purposes only and does not constitute an admission by the defendant of a law violation. Consent judgments have the force of law when signed by the judge.

Also check out:

Technorati tags: :: :: :: ::

UPDATE: Added NYT link (20060127)

Wednesday, January 25, 2006

Incident: AMEX subsidiary loses laptop with personal information on 230K customers and advisers

From today's New York Times:

Ameriprise Loses Data on 230,000 Customers and Advisers - New York Times

Ameriprise Financial, the investment advisory unit spun off from American Express last year, said today that lists with the personal information of about 230,000 customers and financial advisers were potentially exposed to fraud.

The breach occurred in late December after a company laptop was stolen from an employee's car. It contained lists of reassigned customer accounts that were being stored unencrypted on a computer in violation of Ameriprise's rules.

The information on the laptop included the names and Social Security numbers of more than 70,000 current and former financial advisers and the names and internal account numbers of about 158,000 customers. The data was being stored in separate lists, but it is possible that there could be some overlap between the two.

Andy MacMillan, an Ameriprise spokesman, said that it was unlikely the thief knew that the customer and employee data were being stored on the laptop and the risk of "any data being used or discovered is very low." He said no other personal information was exposed.

Technorati tags: Privacy :: Personal Information :: Theft :: Identity Theft.

Alberta Commissioner slaps computer reseller for not wiping returned hard-drive

The Information and Privacy Commissioner of Alberta has just chastised a large retailer for reselling a computer without wiping the hard-drive. You've got to have a policy and consistent practices. The retailer has promised to address this issue in every province in Canada, not just Canada. See: Investigation Report P2006-IR-001.

Technorati tags: Privacy :: Personal Information :: Alberta :: PIPA.

How to not be evil as an online business

Google's mantra apparently is "". While Google has been generally applauded around the blogosphere for fighting the subpoena from the Department of Justice for search records, there are also a number of folks who are concerned that Google's privacy practices are less than transparent.

The general public are paying much more attention to the privacy practices of companies, particularly as government agencies are getting more and more inquisitive about records that are maintained by the private sector. In Europe, for example, governments are requiring companies to keep records for much longer than usual on the hope that they'll come in handy for tracking down terrorists (and file-sharers) (). Right now, MSN and Yahoo! are in the crosshairs for handing over data to the US Department of Justice. MSN has even posted its own defence of their cooperation with the US government (see: The Canadian Privacy Law Blog: Microsoft responds to subpoena controversey). Recently in Canada, a number of internet service providers went to great expense to resist handing over customer information in the face of the recording industry's demands (see: The Canadian Privacy Law Blog: The new test for disclosure of identities after BMG v John Doe).

How can companies avoid being drawn into this no-win situation? It is incredibly simple (and happens to be the law in Canada):

  1. Don't collect any information that you do not need
  2. If you don't need information that is personally indentifiable for your legitimate business purpose, simply do not collect it.
  3. Don't keep any personally identifiable information that you do not need
  4. If you no longer need information in personally indentifiable form, don't keep it. Or if the information is still of use, don't keep it in personally identifiable form. Remove all identifiers. Irretrievably sever the link between the data and the individual. Aggregate it. Whatever you need to do, do it.

Being the custodian of information about identifiable individuals carries risk. It can be stolen. It can be hacked. It can be mis-used. It can be lost. And, it can be the subject of a subpoena. In the former examples, it can render a company subject to liability for any losses suffered by the individual. In the latter case, you can either fight disclosing the data or you can deal with the adverse publicity that may ensue.

In short, if you don't want to look like a stooge for the authorities or zealous litigants, or you don't want to pay the legal fees associated with fighting the disclosure request, don't keep the information in the first place. If you don't need it, don't collect it. If you no longer need it, get rid of it. (Securely, of course.)

Technorati tags: :: :: :: :: :: :: .

Hiding your identity online

As evidence of the increasing concerns of internet users about their privacy, the New York Times is running a piece of the growing popularity of software that protects online privacy: Privacy for People Who Don't Show Their Navels - New York Times.

Technorati tags: :: .

Tuesday, January 24, 2006

University of Notre Dame server hack exposes donor data

The University of Notre Dame is investigating a server hacking that may have exposed confidential information related to an unreported number of donors to the university. See: University of Notre Dame investigating server hack - Computerworld.

Technorati tags: :: :: ::

T-Mobile seeks halt to cell phone record sales

Computerworld is reporting that T-Mobile is following Cingular's suit by seeking an injunction against call record dealers. See: T-Mobile seeks halt to cell phone record sales - Computerworld

Technorati tags: :: :: .

Monday, January 23, 2006

The search trail you leave behind

Search Engine Watch's blog has a very interesting article on the digital tracks that search engine users leave behind. Check it out: Protecting Your Search Privacy: A Flowchart To Tracks You Leave Behind.

Technorati tags: :: .

Techniques of the phone record brokers

Paul McNamara in Network World writes about how companies that sell phone records get the info. Apparently, many use the little info they collect to get a fuller profile on ChoicePoint or Lexis. With all that info, they can fool customer service reps into believing they are dealing with the actual customer. Some use corrupt phone company employees, some of whom advertise their availability on websites frequented by the record brokers. Check it out: How phone records are stolen

Technorati tags: :: :: .

Sunday, January 22, 2006

Phone tracking comes to the US

Michael Zimmer is passing along an announcement that Verizon is planning to offer a GPS tracking service, presumably to keep track of one's kids. Or others. "Hi honey, I got you a new phone ..."

Check it out: michaelzimmer.org - Verizon Plans GPS Tracking Service.

Technorati tags: :: :: :: :: .

Saturday, January 21, 2006

Microsoft responds to subpoena controversey

In response to all the discussion about search engines handing over masses of data to the US government, the MSN Blog has Microsoft's response to the controversy:
MSN Search's WebLog : Privacy and MSN Search

Over the summer we were subpoenaed by the DOJ regarding a lawsuit. The subpoena requested that we produce data from our search service. We worked hard to scope the request to something that would be consistent with this principle. The applicable parties to the case received this data, and the parties agreed that the information specific to this case would remain confidential. Specifically, we produced a random sample of pages from our index and some aggregated query logs that listed queries and how often they occurred. Absolutely no personal data was involved.

With this data you:

CAN see how frequently some query terms occurred.

CANNOT look up an IP and see what they queried

CANNOT look for users who queried for both “TERM A” and “TERM B”.

At MSN Search, we have strict guidelines in place to protect the privacy of our customers data, and I think you’ll agree that privacy was fully protected. We tried to strike the right balance in a very sensitive matter.

Now that you have more information, you can be the judge.

Thanks to beSpacific for the link: beSpacific: MSN Blog Post Explains Search Data Provided to DOJ.

Technorati tags: :: :: :: :: ::

World Tracker turns anyone into a cellphone spy

Engadget is pointing to an intersting service from the UK that appears to let you track the cell phone of your employee, spouse, mistress, next victim, etc. via a handy Google maps internet interface.

World Tracker turns anyone into a cellphone spy - Engadget:

Forget those piddly wiretaps. The next frontier in warrant-free surveillance is upon us, and it's open to everyone. A UK service called World Tracker apparently uses cell tower data (or GPS, when available) to track the location of just about any GSM cellphone. Just enter the number you want to track into the service's handy Google Maps-based interface, and you'll be able to zoom in on the device's location, with accuracy somewhere between 50 and 500 meters. The first time you try to track a phone, a text message is sent to the owner, who must reply in order to enable tracking (we'll leave it to you to figure out how to work around this if you need to track a spouse, kid or employee). The service is currently compatible with O2, Vodafone, Orange and T-Mobile in the UK, and has plans to expand to other markets including Germany, Spain, Norway and the US. If, that is, privacy advocates don't shut it down first.

I checked out the site. The most appealing bit is the ability to be alerted when your loved one has strayed beyond the "geo fence" that you've set for her. Sign me up.

Hmm. What'll they think of next?

And if they have any expansion plans into Canada, they'll need to know that location based information is personal information and -- thanks to PIEPDA and PIPA -- it can only be collected and disclosed with consent.

Technorati tags: :: :: :: ::

Missouri seeks TRO against call record vendors

The state of Missouri, through its Attorney General, has filed for a temporary restraining order against Data Find Solutions Inc. and 1st Source Information Specialists to prevent them from selling calling records. This follows in the footsteps of a similar application made in another court by Cingular. See: Kansas City Star 01/21/2006 State tries to protect cell-phone records.

Technorati tags: :: :: :: :: .

Friday, January 20, 2006

The Canadian angle on the sale of phone records

Today's Vancouver Sun is running a rather lengthy article on Canadian angle of the current "phone records for sale" controversey. It covers a number of important points, starting with the unsettling reality that Canadian privacy laws are currently impotent when it comes to how companies outside Canada deal with the personal information of Canadians. Michael Geist make the point pretty strongly. The author also intereviewed reps from Bell Canada and Telus, all of whom say that security is being beefed up in light of the attention this is getting. See: Privacy laws not protecting phone records.

Technorati tags: :: :: ::

Legal conflicts for bloggers

Off topic, but ...

This past week, a colleague and I gave a presentation on blogs and blogging to the Halifax Association of Law Librarians. We covered the usual topics, including an overview of some of the good legal blogs out there, RSS, aggregators, etc.

But I also talked about an issue that has been a concern to me since I started this blog but I really haven't heard any discussion of it among the dozens of legal blogs that I follow: conflicts and blogging. Legal ethics say that a lawyer can't reveal the identity of a client or do anything that may be prejudicial to a client, except with the client's consent. See Rule 22 of the Nova Scotia Legal Ethics and Professional Conduct Handbook.

In this blog, I usually post about articles and incidents of interest that have a privacy angle. If I see an article or another blog post that deals with privacy, I'll post a link to it. I hope that this blog is "one stop shopping" for everything of interest related to Canadian privacy law. But it simply can't be. From time to time, a story hits the media that involves a client of my firm. Also, from time to time, I'll get a call from someone in the media asking to comment on a privacy story that involves a client. I always decline to link to the story or to make the comment. Unless I have the client's OK. (Which I've gotten from time to time, particularly if the result of the matter is public knowledge.)

It is a real challenge and something to be very mindful of. I work in a firm with almost 200 lawyers, with six offices in four jurisdictions. We also are Atlantic Canadian counsel to many of the largest companies operating in North America. Our securities group does agency work on behalf of loads of public companies that require registration in Atlantic Canada. If a lawyer in one of our New Brunswick offices does work for the Canadian subsidiary of a huge insurance company, that company is a client and I have to keep my mouth shut. Even if it may be borderline or in a grey area, I have to err on the side of caution.

I would be very interested to hear the thoughts of other legal bloggers out there on this topic. I think this is an important topic that could bear some informed discussion.


UPDATE:

I solicited Alan Gahtan's thoughts on this subject, which he has posted on Gahtan's Technology and Internet Law Blog:

"My view is that lawyers who publish, whether through a blog or through more traditional print media, operate under a disability. They must not disclose client confidences and must not advocate a position that is contrary to their client’s interests. The magnitude of the disability is proportionate to the size of the firm that a particular lawyer practices with since conflicts are “shared” among the lawyers of a firm. It is less of a problem when the lawyer’s publishing activities involve ad hoc articles as opposed to the operation of a website or blog that tries to cover all developments in a particular area. I’m not a legal ethics expert but my view is that simply reporting other information that is already public should not create a legal conflict (although I can see that it could create a business conflict with a particular client). However, it does mean that the blogging lawyer will be limited in their ability to comment on a particular news item if such comment would be detrimental to the interest of a client of the firm. It likely also means that any third party comments will also need to be filtered so that they do not contain any content that is detrimental to any such client. "

I like the use of the term that we lawyers are blogging "under a disability." Our hands our tied and our lips are always sealed, but this isn't unique to the blogging environment. Lawyers always have very juicy gossip but have to keep their mouths closed at cocktail parties. Blogging lawyers also have to be mindful not to aliente present and prospective clients with their blog content. I try to be as even-handed and balanced as possible, with the minimum of personal and political opinion (which is distinct from professional opinion).

There have been a number of times when I've had to remain silent when clients have appeared in the news, even though I have no immediate knowledge of the incident (for example, if its US branch is in the news). There have also been cases when the clients have had positive privacy-related publicity, but it is not my place to speak for or about them without permission. But when it does not inovolve a client, I think I am free to link to public information even though my firm has clients in the same industry with similar business issues.

Thanks Alan, Rob, David and DP Thinker for the comments, above and below.

Technorati tags: legal ethics :: blogging :: blogs :: lawyers :: legal profession

Security of phone records

Rob Hyndman weighs in on the recent concerns over the ease with which some companies are able to get calling records from various phone companies:

robhyndman.com: ... What I find particularly troubling about pretexting is that it pulls back the covers on what must be profoundly lax security precautions taken by the phone companies, and suggests that they are still - even after all of 2005's controversy over poor data security - remarkably unconcerned with building data security in as a core value of their corporate cultures (quite apart from the obvious failure to build sensible data protection measures into business processes). At some point, data security just has to be recognized as a mission-critical obligation of these organizations, and there ought to be serious and punitive consequences if they are not up to this challenge. "

Technorati tags: :: ::

Thursday, January 19, 2006

Other search engines handed over data to US DOJ

I blogged earlier today that the US Department of Justice subpoenaed a huge amount of data on search requsts from Google. Google said no and is challenging the request in court (see: The Canadian Privacy Law Blog: US DOJ has subpoenaed Google's search records). It now turns out that the other major search engines handed over the data. See: Boing Boing: DoJ search requests: Google said no; Yahoo, AOL, MSN yes.

Technorati tags: :: :: :: ::

House chairman promises bill banning sale of phone logs

First comes the publicity. Then comes the investigation. Then comes the lawsuit. Now, it's the Congress to the rescue: House chairman promises bill banning sale of phone logs - Computerworld. I will not speculate on what happens next.

Technorati tags: :: :: :: .

Rutgers replaces SSNs as student identifiers

Rutgers University in New Jersey is joining the hundreds of universities that have already made the switch from Social Security Numbers to more random student ID numbers. See: New IDs prevent identity theft - University.

Technorati tags: :: :: ::

UK Privacy Law interferes with medical research, scientists say

In light of the quote below, perhaps the headling should have been "BRITISH PRIVACY LAW KILLING THOUSANDS!" According to Reuters, a group of scientists in the United Kingdom are saying that the mis-interpretation of the and the bureaucratic morass that is has spawned is interfering with vital health research. This principally affects population studies, rather than clinical studies which require individual consent. Check it out:
Health News Article Reuters.com

"In medical research there are thousands, if not tens of thousands, of unnecessary deaths occurring each year in the UK alone through the misinterpretation of these laws and guidelines," [Professor Rory Collins] added.

The same general argument has been raised by Canadian and US researchers about privacy laws in those countries.

Technorati tags: :: ::

US DOJ has subpoenaed Google's search records

The US Government is seeking to enforce a subpoena served on Google for a huge bit of the search giant's database. From the Mercury News:

MercuryNews.com 01/18/2006 Feds want Google search records:

"The move is part of a government effort to revive an Internet child protection law struck down two years ago by the U.S. Supreme Court. The law was meant to punish online pornography sites that make their content accessible to minors. The government contends it needs the Google data to determine how often pornography shows up in online searches.

In court papers filed in U.S. District Court in San Jose, Justice Department lawyers revealed that Google has refused to comply with a subpoena issued last year for the records, which include a request for one million random Web addresses and records of all Google searches from any one-week period."

Google didn't comply when the subpoena was issued in the first instance and is challenging the request in court on the grounds that it is invasive of privacy and would reveal trade secrets.

Thanks, Boing Boing: Boing Boing: DoJ demands user search records from Google.

Technorati tags: :: :: ::

Wednesday, January 18, 2006

Cingular gets restraining order against two online call-record vendors

In the ongoing saga over sales of phone records, Mobile Mag and others are reporting that Cingular Wireless has obtained a temporary restraining order against two vendors of customer calling records. See: Cingular Wireless gets TRO against mobile phone record sites and destinationCRM.com: Cingular Wireless Battles 'Data Burglars'.

Technorati tags: :: :: :: .

FCC investigating sales of phone records

According to the Washington Post, the FCC has begun an investigation into the widely-reported sales of confidential phone records. Interesting what happens when these issues get loads of publicity.

See: FCC Probes Selling of Cell Phone Records

Technorati tags: :: :: .

Apple changes its (i)Tune and asks if it can communicate back to the mothership

After last week's fuss about iTunes reporting back to Apple about users music libraries (see: The Canadian Privacy Law Blog: Is iTunes reporting your listening back to the mothership?), Apple is now doing what it should have done in the first place. It is telling users what it wants to do and is asking for their OK. Check out Boing Boing: Apple changes iTunes, now obtains consent before collecting info.

Businesses that want to collect information about their users and those who want to provide features that require information from their users must be transparent about what they are doing and why. This reminds me of the expression that "it is not the crime, but the coverup." Consumers want to trust the companies they deal with. They expect to know what's going on. If they don't, consumers assume the worst and the suspicion snowballs. Consumers fall into three groups: those who don't care about privacy, those who care about privacy but will trade personal information for value or convenience, and those who are borderline paranoid. Other than the tinfoil hat, they are hard to tell apart but the middle group is the majority. If a company is transparent, accountable and appears to be honest, the first two groups will trust it with personal information. The latter group will never be happy, but if you are transparent they will just not use your product. If you aren't, they will be very loud with their suspicions. Even a company as trusted as Apple can have the paranoid descend on them and the middle-of-the-road types voice suspicions.

Moral of the day: be open and transparent from the beginning and you'll have many more satisfied customers.

Technorati tags: :: :: :: :: ::

What's encoded on hotel room keys?

Adam Shostack at Emergent Chaos takes a look at what is actually encoded on hotel room key cards: Emergent Chaos: Hotel Room Keys. There are a number of urban legends floating around, suggesting that loads of personal information is hidden in the mag strip.

Technorati tags: :: ::

Tuesday, January 17, 2006

New hope for the tort of invasion of privacy in Ontario?

Thank you to a loyal reader who brought this case to my attention.

The Ontario Superior Court of Justice recently had an opportunity to consider whether you can sue for an alleged invasion of privacy in Ontario. More accurately, the Court considered whether you can even try to sue on this basis. In Somwar v. McDonald's Restaurants of Canada Ltd., 2006 CanLII 202 (ON S.C.), Stinson J. considered a defendant's application to strike a plaintiff's claim for invasion of privacy. The defendant argued that it disclosed no reasonable cause of action.

In the result, the Court let the plaintiff's pleading stand. This does not meant that there is or is not an independent tort of invasion of privacy, but it does suggest that the courts in Ontario will at least hear the plaintiff out.

The facts in this case involve an employer who carried out a credit check on an employee without the employee's knowledge or consent. The plaintiff sued. Because the courts of Ontario have gone both ways on whether you can sue for this, the plaintiff was not thrown out of court.

Stinson J. had some interesting things to say:

Is it fully settled in the jurisprudence that there is no common law tort of invasion of privacy?

[8] I begin my analysis with this question for the simple reason that if the answer is "yes" that is the end of the plaintiff's case.

[9] In a law review article written in 1960, the leading American torts scholar, William Prosser, listed four distinct kinds of invasion of privacy interests as follows: (i) intrusion upon the plaintiff’s seclusion or solitude, or into his private affairs; (ii) public disclosure of embarrassing private facts about the plaintiff; (iii) publicity which places the plaintiff in a false light in the public eye; and (iv) appropriation, for the defendant’s advantage, of the plaintiff’s name or likeness: see William L. Prosser, “Privacy” (1960) 48 Cal. L. Rev. 383 at 389. Although Dean Prosser's article was intended as an overview of the American jurisprudence in this area, his analytical framework is helpful in trying to understand the approaches taken by Canadian courts when dealing with these types of claims.

[10] The complaint in the case at bar concerns the conduct of a credit bureau check on an employee by his employer, without the employee’s consent. This complaint falls within Prosser’s first category of invasion of privacy, i.e. “intrusion upon the plaintiff’s seclusion or solitude, or into his private affairs.” Prosser further described such intrusion as follows:

  • there must be something in the nature of prying or intrusion;
  • the intrusion must be something which would be offensive or objectionable to a reasonable person;
  • the thing into which there is prying or intrusion must be, and be entitled to be, private; and
  • the interest protected by this branch of the tort is primarily a mental one. It has been useful chiefly to fill in the gaps left by trespass, nuisance, the intentional infliction of mental distress, and whatever remedies there may be for the invasion of constitutional rights.

[11] In The Law of Torts in Canada, 2nd ed. (Toronto: Carswell, 2002) G.H.L. Fridman discussed different classifications of torts and observed that courts, in the limited circumstances where damages are awarded for “invasion of privacy”, tend to treat such invasion as an intentional tort. At pp. 20-21 he wrote:

Acceptance by the courts … of the possibility of liability for certain kinds of “invasion of privacy,” limited though this may be, suggests that the courts are groping their way towards the idea that, where one person acts in a manner that is known and intended to be injurious to another, liability should ensue, even though no nominate tort such as … intimidation, trespass, or defamation, has been committed, unless the circumstances reveal that there was what can be accepted as a lawful reason, justification or excuse for the perpetration of the act and the infliction of the harm.

[12] Based on Prosser’s description of intrusion of privacy interests and Fridman’s observations on treatment of “invasion of privacy” by courts, I conclude that the plaintiff’s complaint concerning the invasion of his privacy could be categorized as an intentional tort.

[13] The potential existence of a common law intentional tort of invasion of privacy has been discussed on various occasions in the jurisprudence of the courts of Ontario. Many of these cases involved intrusion into the plaintiff's seclusion or private affairs and thus fall within Prosser's first category of invasion of privacy interests.

[14] In Capan v. Capan, [1980] O.J. No. 1361 (H.C.J.), the plaintiff commenced an action against her husband for damages for continuing mental and physical harassment and invasion of privacy. The defendant allegedly stalked the plaintiff during a separation, harassed her with persistent telephone calls at home and at her work place, and forced his way into her apartment. The defendant moved to strike out the plaintiff’s statement of claim based on the absence of a reasonable cause of action. Osler J. dismissed the motion stating (at paras. 14-15):

What is complained of here is, in its very essence, an abuse of personal rights to privacy and to freedom from harassment. … [I]t has not been demonstrated that the rights referred to will not be recognized by our courts nor that their infringement will not found a cause of action. In my view, it would not be right, on a motion of this kind, for the court to deprive itself of the opportunity to determine, after hearing the evidence, whether such right exists and whether it should be protected.

[15] In Saccone v. Orr (1981), 34 O.R. (2d) 317 (Co. Ct.), the defendant recorded a private telephone conversation with the plaintiff without the plaintiff’s consent. The defendant then played the tape at a municipal council meeting. A transcript of the tape was subsequently published in a local newspaper. The court rejected the defendant’s argument that no tort of invasion of privacy existed in Ontario common law. Jacobs Co. Ct. J. said:

[I]t’s my opinion that certainly a person must have the right to make such a claim as a result of a taping of a private conversation without his knowledge, and, as against the publication of the conversation against his will or without his consent. Certainly, for want of a better description as to what happened, this is an invasion of privacy and despite the very able argument of defendant’s counsel that no such action exists, I have come to the conclusion that the plaintiff must be given some right of recovery for what the defendant has in this case done.

[16] In Roth v. Roth reflex, (1991), 4 O.R. (3d) 740 (Gen. Div.), the court held that the defendants’ acts such as locking a gate on an access road, interfering with and blocking the use of the road by the plaintiffs in getting to and from their cottage, and removing a shed, pump and dock with the concomitant shutting off of electricity in the plaintiffs’ cottage at a time when they were not there constituted a harassment of the plaintiffs in the enjoyment of their property. Mandel J. also found that the defendants’ actions amounted to an invasion of the plaintiffs’ privacy. He further rejected the view that privacy flowed from property rights. He wrote (at p. 758):

In my view, whether the invasion of privacy of an individual will be actionable will depend on the circumstances of the particular case and the conflicting rights involved. In such a manner the rights of the individual as well as society as a whole are served.

It is also noteworthy that Mandel J. reached the foregoing conclusion after he observed that there is no legislated remedy for invasion of privacy in Ontario, unlike some other provinces.

[17] In Lipiec v. Borsa, [1996] O.J. No. 3819 (Gen. Div.), the defendants’ counterclaim against the plaintiffs was based on nuisance and trespass. The plaintiffs and the defendants were owners of adjoining residential properties. The court found that the plaintiffs had greatly reduced the defendants’ enjoyment of their property by removing the fence between the two properties and erecting a commercial type surveillance camera aimed at the defendants’ yard. McRae J. noted that intentional invasion of privacy had been recognized as actionable in Ontario in several cases. He found that there was intentional invasion of the defendants’ right to privacy and awarded damages to the defendants.

[18] In Tran v. Financial Debt Recovery Ltd., [2000] O.J. No. 4293 (S.C.J.) (reversed on other grounds, [2001] O.J. No. 4103 (Div. Ct.)), the plaintiff had outstanding student loans. Employees of the defendant debt collection agency began calling the plaintiff about the loan, several times an hour, at work. The plaintiff disputed the amount outstanding, but he was never provided with particulars. Despite the plaintiff’s request to be contacted at home, the defendant’s employees continued to call him at work. The court found that the defendant had invaded the plaintiff’s privacy by placing repeated and vexatious calls to the plaintiff’s place of employment. Molloy J. awarded damages to the plaintiff for the torts of defamation, intentional interference with economic interests, intentional infliction of emotional suffering, and invasion of privacy.

[19] Other cases in which trial judges have found liability based on invasion of privacy falling within Prosser's first category include Garrett v. Mikalachki, [2000] O.J. No. 1326 (S.C.J.) and Rathmann v Rudka, [2001] O.J. No. 1334 (S.C.J.).

[20] The courts of Ontario have not been unanimous concerning the existence of a common law tort of invasion of privacy. In Haskett v. Trans Union of Canada Inc. (2001), 10 C.C.L.T. (3d) 128 (Ont. S.C.J.), aff'd 15 C.C.L.T. (3d) 194, (Ont. C.A.), the plaintiff alleged that the defendant credit-reporting agencies had unlawfully included his pre-bankruptcy debts in consumer reports and incorrectly reported them as collectible debts. He sought to bring a class proceeding against the defendants for damages based on breach of fiduciary duty, invasion of privacy, and negligence. The defendants moved to strike the statement of claim on the ground that it did not disclose a reasonable cause of action. With respect to invasion of privacy, Cumming J. found that it was plain and obvious that the complaint of wrongful inclusion of inaccurate information in a credit report did not amount to a reasonable cause of action in tort. Cumming J. quoted with approval from Professor Klar in his text Tort Law (Toronto: Carswell, 1991) where he stated at p. 56 as follows:

Despite some encouraging suggestions from a few courts, it would be fair to say that the Canadian tort law does not yet recognize a tort action for invasion of privacy per se. Rather “privacy” rights have been protected under the umbrella of other traditional tort actions, and by legislative interventions.

Cumming J. acknowledged, however, that “more recently, there has been some recognition of invasion of privacy as an embryonic tort where there is harassing behaviour or an intentional invasion of privacy.” [Emphasis added.] On appeal, the appellant limited his claimed cause of action to negligence. Thus, the Court of Appeal did not address the ruling of the motion judge with respect to the issue of invasion of privacy.

[21] In T.W. v. Seo, [2003] O.J. No. 4277 (Ont. S.C.J.) (varied on other grounds at [2005] O.J. No. 2467 (C.A.)), the defendant was an ultrasound technician who videotaped the plaintiff while she was in the change room. The plaintiff’s claim included a claim for damages based on the tort of invasion of privacy. Siegel J. refused to put any questions to the jury relating to this cause of action as he found that “insofar as a common law tort of invasion of privacy was recognized in Canada, it did not extend to these facts.”

[22] In light of the trial decisions listed in this brief survey of Ontario jurisprudence, and the absence of any clear statement on the point by an Ontario appellate court, I conclude that it is not settled law in Ontario that there is no tort of invasion of privacy.

Is it plain and obvious that the plaintiff’s action cannot succeed, or despite the novelty of the cause of action, is there a chance that the plaintiff might succeed?

...

[28] Provinces such as British Columbia, Manitoba, Newfoundland, and Saskatchewan have created a statutory tort of invasion of privacy. See John D.R. Craig, “Invasion of Privacy and Charter Values: the Common-Law Tort Awakens” (1997) 42 McGill L.J. 355, footnote 2. In Quebec, s. 5 of the Charter of Human Rights and Freedoms, R.S.Q., c. C-12, which provides that “every person has a right to respect for his private life”, is directly enforceable between citizens. In Ontario, however, there is no statutory remedy for unreasonable intrusion into an individual’s private affairs.

[29] With advancements in technology, personal data of an individual can now be collected, accessed (properly and improperly), and disseminated more easily than ever before. There is a resulting increased concern in our society about the risk of unauthorized access to an individual’s personal information. The traditional torts such as nuisance, trespass, and harassment may not provide adequate protection against infringement of an individual’s privacy interests. Protection of those privacy interests by providing a common law remedy for their violation would be consistent with Charter values and an "incremental revision" and logical extension of the existing jurisprudence.

[30] Such a development in the common law has been viewed as appropriate by many legal commentators: see, for example, the articles by Bell, and Craig, supra. Bell wrote (at p. 235):

The emerging social realities of twenty-first century life in Canada include the use of technology that “increasingly facilitates the circulation and exchange of information”, cellular phones that can be used to take photographs, and the seemingly ever-increasing desire by the public at large for media stories, to name but a few examples. A broad embracement of a common law tort of invasion of privacy would reflect an updating of the common law to reflect these emerging social realities….

[31] Even if the plaintiff's claim for invasion of privacy were classified as "novel" (which, in any event, is not a proper basis for dismissing it) the foregoing analysis leads me to conclude that the time has come to recognize invasion of privacy as a tort in its own right. It therefore follows that it is neither plain nor obvious that the plaintiff's action cannot succeed on the basis that he has not pleaded a reasonable cause of action.

UPDATE: Check out Michael Fitzgibbon's post on this case, in which he offers some helpful comments on the test for striking out a pleading and on what this case may mean: Thoughts from a Management Lawyer: It's Alive (for now) The Tort of Invasion of Privacy in Ontario. (Added 20060118)

Technorati tags: :: :: :: :: ::

Privacy and loyalty programs: What information consumers don't want to share

A recent survey by the NRF Foundation polled US consumers to see how much personal information consumers are willing to give up in exchange for benefits as part of loyalty programs. The results are interesting, since they show what information is considered most personal by consumers:

...While consumers do want to pledge their loyalty, retailers are going to have a tough time figuring out just how to build their allegiance. That's because consumers state they are only willing to share a small portion of the much needed personal information that retailers need to develop traditional loyalty programs. According to the study, the most acceptable information shoppers were willing to give retailers include their name (89.8%), e-mail address (78.1%), street address (60.7%), and past transactions (46.8%). Consumers were least likely to allow retailers to track weight (14.4%), income (12.5%), job title (12.1%), employer (10.9%) and net worth (8.2%).

The more intrusive a company wants to get, the greater value they have to provide. This also suggests that a company that wants a widely-adopted program will have to limit the information collected and provide assurances about how it will be protected and used.

Via CRM Today.

Technorati tags: :: :: ::

How do they do that? Techniques of phone record vendors

Wired News is running an article by Kim Zetter on the sale of phone records. The article is notable because it discusses at least one of the tactics used by these "services" to get phone records:

Wired News: Devious Tactic Snags Phone Data

According to the suit, online cell-phone record vendors placed hundreds of thousands of calls to Verizon customer service requesting customer account information while posing as Verizon employees from the company's "special needs group," a nonexistent department. The caller would claim to be making the request on behalf of a voice-impaired customer who was unable to request the records himself. If the service representative asked to speak with the customer directly, the caller would impersonate a voice-impaired customer, using a mechanical device to distort his voice and make it impossible for the service representative to understand him -- a variant of a widely used social-engineering technique known as the "mumble attack."

Rob Douglas, a private investigator turned privacy activist, says federal authorities have known about the sale of private phone records since at least 1998 but have done little to address the problem. In the absence of federal action, phone companies have been resorting to civil lawsuits to prevent sellers from obtaining and selling records.

Technorati tags: :: ::

Monday, January 16, 2006

One month till data breach law in Ohio

Ohio joins the growing list of American states that require notification of data breaches, effective February 17, 2006. See: Data-breach notification soon a matter of Ohio law - 2006-01-16.

Technorati tags: Privacy :: Privacy Law :: Security :: Breach :: Ohio

Duty to protect third-parties from online porn overrides employee's right to privacy in NJ

Michael Fitzgibbon at Thoughts from a Management Lawyer is blogging about a recent decision from New Jersey in which the court there held that employers have a duty to protect third parties from porn surfing employees. And "[n]o privacy interest of the employee stands in the way of this duty on the part of the employer." Interesting stuff. See: Thoughts from a Management Lawyer: Internet Surfing and the Workplace, who got it from Employee's Surfing Pornographic Web Sites At Work Land Employer In Hot Water WLF May it Please the Court Law Weblog.

Technorati tags: Privacy :: Workplace Privacy :: Porn :: Employment Law :: New Jersey

Saturday, January 14, 2006

Conviction in Nova Scotia card skimming case

Crown prosecutors in Nova Scotia have secured the conviction of Eugeniu Micolai Moldovan on 77 counts of fraud, stemming from a scam in which Moldovan and an accomplice placed a card skimmer and PIN reader on automated ticketing machines at a local movie megaplex. The accomplice previously pleaded guilty.

Credit for catching the scammers goes to a vigilant bank employee who noted a pattern of fraud and tipped off the Halifax police that the scammer would likely be at a particular movie theatre on a particular date. I wish I knew which bank or who the employee is to give proper credit.

The scammer used a card reader and a pin-pad overlay to catch both the mag stripe info and the customer's PIN. The hardware used was pretty good and users couldn't tell it was there.

Moldovan will be sentenced on February 16 and the Crown Prosecutor said he'd be seeking a lengthy sentence.

See: The ChronicleHerald.ca

Technorati tags: Privacy :: Card Skimming :: Fraud :: Credit Card :: Credit Card Fraud :: Debit Card :: Debit Card Fraud :: Nova Scotia

No official sanction after security and privacy breach from Indian outsourcer

Last June, I blogged about an incident in which a journalist reported that he had purchased personal information about British residents from the employee of an outsourcing operation in India (see: The Canadian Privacy Law Blog: Undercover UK reporter buys personal information from Indian call centre).

At the time, the UK Information Commissioner said that the banks involved may face prosecution under the Data Protection Act. Following an investigation by the Information Commissioner, it is now said that there is no evidence that any personal information was compromised and there will be no prosecution. (I am not sure if this means there was no evidence or they didn't find any evidence.)

The UK police also said that they did not have any jurisdiction to investigate and financial regulators didn't bother to investigate. Somewhat troubling was the statement at the time that "Our concerns are whether adequate security controls were in place but a determined fraudster is always going to get through."

See: UK banks escape punishment over India data breach - Law & Policy - Breaking Business and Technology News at silicon.com

Technorati tags: Privacy :: Outsourcing :: India :: United Kingdom :: Data Protection Act :: Data Protection

Friday, January 13, 2006

Upcoming conference: Personal Information Protection Act Conference 2006: April 26-27 2006, The Westin, Calgary, Alberta

Both the Information and Privacy Commissioners of Alberta and BC are sponsoring and participating in an upcoming conference in Calgary. As you can guess, "PIPA 2006: Customers, Employees & Privacy: An educational Forum for Business" is about business and the private sector privacy laws of both provinces. Check out the site, from Verney conference management: Personal Information Protection Act Conference 2006: April 26-27 2006, The Westin, Calgary, Alberta.

Technorati tags: :: :: ::

Thursday, January 12, 2006

Phone records of Gen. Wesley Clark bought for under $100

I expect we'll see some strong legislative action in the US to stop the sale of calling records if bloggers follow AMERICAblog's footsteps and buy the phone records of prominent Americans. AMERICAblog bought the phone records of General Wesley Clark, the former Supreme Allied Commander of NATO. They apparently did it to prove a point: "We wanted to see if it was possible to buy the phone records of someone high profile in order to prove that this is a problem with serious national security implications, and frankly, we didn't want to pick a Republican since we thought such a choice would be perceived as partisan or mean-spirited, and that is not our intent for exposing this. Our intent is to get this problem fixed so that we all can benefit." Check it out (and the hundreds of comments) here: AMERICAblog: Because a great nation deserves the truth.

Thanks to EPIC West for the link: EPIC West: Electronic Privacy Information Center West Coast Office: Blogger Buys General Clark's Cell Phone Records.

Technorati tags: :: :: ::

Privacy is in the eye of the beholder

If you were looking for evidence that some people take privacy pretty seriously, look no further than the situation that has befallen Cheryl Gallant, a Conservative candidate for Member of Parliament for Renfew-Nipissing-Pembrooke. A short while ago, I blogged about a fuss that has been kicked up after her constituency office sent birthday cards to constituency residents. It appeared that the only place that the MP's staffers could have gotten the citizens' birthdays was from passport applications processed through her office. At least two people were upset then (see: The Canadian Privacy Law Blog: Birthday Cards lead to investigation by the Privacy Commissioner).

The story continues: The candidate began her remarks at a recent debate by wishing everyone there a happy birthday. (Some in the audience booed the reference, though they might have been Liberal plants.) Her remarks have been taken as being a bit flippant.

ottawasun.com - Election - Gallant vows privacy probe

Asked if constituents' privacy was a joking matter, she said people have been complaining they didn't get a card, so she thought she'd simply send greetings to everyone at once.

On Monday, Gallant said, the number of people calling her office requesting cards crashed the office's phone system.

She intends to conduct a probe and said that although her office is not covered under the jurisdiction of the privacy commissioner, they've always conducted business as if it was.

"If one person can get so upset and make such a hullabaloo, we want to ensure no one else's feelings are hurt," she said.

"What we did was a courtesy, a gesture of kindness."

Deep River resident Leslie White, who has no affiliation to any political party, said her husband and mother both received birthday cards from Gallant last month. Both had recently had passports processed through Gallant's office. Other constituents have come forward with similar stories, including a 19-year-old man. Gallant couldn't explain how he came to get a card, but said they are sent out on request and most people are happy to get one.

"In the five years I've been a member of Parliament, two days into this election was the first time I had ever received a complaint about receiving a birthday card," Gallant said. "So I almost wonder if somebody gave us the referral and knew that she didn't like it and that it would put her off her rocker, so to speak."

Privacy is an emotional issue. Some people are very sensitive and are not shy about going to the press when they feel they've been "violated". What might have appeared to be a gesture of kindness on the part of the sender may be a very creepy experience for the recipient of the gesture. Anyone dealing with personal information or thinking about it has to keep in mind that privacy is a very sensitive issue for a lot of people and you should look at your proposed actions through the eyes of your most privacy sensitive customer. If it'll upset them, it probably is not worth doing since the fallout often consumes your energy and detracts from whatever beneficial effect you might have hoped for.

Technorati tags: Privacy :: Passport :: Politics :: Canada

Checking out Mao? No need to worry

In the wake of the (ultimately false) report that the federales had visited a student becuase he requested Mao's Little Red Book (See: The Canadian Privacy Law Blog: Borrow the wrong book and get it personally delivered by the feds; and then The Canadian Privacy Law Blog: Story about feds visiting after request for Mao book is a hoax), the UMass Dartmouth and Penn libraries are trying to reassure patrons that their records are safe. In fact, they say that once you return the book you've checked out, the title is no longer connected to your borrowers' record. Check out the Daily Pennsylvanian: Checking out Mao? No need to worry.

Technorati tags: Privacy :: Libraries :: Security :: Personal Information :: Patriot Act.

Visa and Mastercard mull open standard for transaction security

The New York Times reports that Visa and Mastercard have been quietly meeting to discuss setting up an open standards body to set best pactices for the processing of electronic and payment card transactions. See: Credit Card Rivals to Unite in Data Protection Effort - New York Times.

Technorati tags: Privacy :: Credit Cards :: Electronic Payments :: Open Standards :: Security

Wednesday, January 11, 2006

Nova Scotia Auditor General concerned about effect of USA Patriot Act on citizen privacy

The Nova Scotia Auditor General released his report for 2005 in December. The fourth chapter is entitled Electronic Information Security and Privacy Protection.

In his report, he reviews the privacy and information security practices of a number of departments, including Justice and Community Services. He also touches upon the USA Patriot Act and its possible impact on the personal information of Nova Scotians. Data processing and information storage services for the province are provided by wholly-owned subsidiaries of American companies, which are undoubtedly subject to American laws. The province has carried out a study of the situation, but refused to provide it to the Auditor General, citing solicitor-client and cabinet privilege. In an interview by the Canadian Press, the provincial Minister of Justice hinted that Nova Scotia will be introducing a law in the spring sitting of the Legislature to mirror that passed by British Columbia to better protect personal information from being disclosed to foreign law enforcement.

Read the CP article here: N.S. auditor concerned citizens information could be leaked to U.S. agencies - Yahoo! News.

Technorati tags: privacy :: Patriot Act :: Nova Scotia :: privacy law.

Nova Scotia FOIPOP Review Officer to form Right to Know coalition upon retirement

As reported here on Saturday (The Canadian Privacy Law Blog: Nova Scotia's FOIPOP Review Officer to step down), Nova Scotia's Freedom of Information and Protection of Privacy Review Officer will be stepping down from his post on January 23, 2006 when his term concludes. Today's Halifax Chronicle Herald reports on the retirement and mentions that Darce will not be disappearing into the sunset. He is planning to start a "Right to Know" coalition to educate people about access to information laws and to lobby for greater openness. See: Freedom of information protector leaving his post: Fardy plans to start citizens coalition called Right to Know

Technorati tags: :: :: .

Incident: Bank tape lost with data on 90,000 customers

Another bank data tape lost in transit on its way to a credit bureau. This time, it is People's Bank of Connecticut and the tape had the personal information of 90,000 customers. Check it out: Bank tape lost with data on 90,000 customers - Computerworld

Technorati tags: :: :: ::

Is iTunes reporting your listening back to the mothership?

Boing Boing passed along to its readers (Boing Boing: iTunes update spies on your listening and sends it to Apple?) a report that the latest version of Apple's iTunes is reporting back to Apple the music that users are listening to (see: since1968.com: iTunes Update: Apple's Looking Over Your Shoulder). This "feature" is via the MiniStore, which presents info about the performer whose song you are listening to and "other users also bought ..." information. The author was concerned that info about current listening was being passed back to Apple without telling users about it.

Other commentators have pointed out on Boing Boing that iTunes does not "phone home" if the MiniStore pane is closed.

This looks a lot like the feature in Windows Media Player which does something very similar, but I note that Microsoft at least asks you when you install if you mind having your info passed along to Microsoft. Apple the good doesn't look so good next to Microsoft.

Technorati tags: :: :: :: :: ::

Incident: Data for 55,000 customers stolen from Bahamas hotel

According to Computerworld, a high-clas island resort's databases have been hacked, leading to the exposure of personal information of 55,000 customers. The report says that the information compromised included "names, addresses, credit card numbers, Social Security numbers, driver's license numbers and bank account numbers."

What possible reason would a hotel have for collecting Social Security Numbers from guests? And if it had a reason to collect this sort of info, why would it keep it?

Personal information is like an underground tank, half full of oil. If you don't need it, get rid of it. The more of them you have and the longer you have 'em, the higher the risk of disaster.

Here's the gist of the Computerworld article:

Data for 55,000 customers stolen from Bahamas hotel - Computerworld

Data for 55,000 customers stolen from Bahamas hotel The upscale Atlantis Resort has acknowledged an apparent database break-in

JANUARY 11, 2006 (IDG NEWS SERVICE) - Travelers who stayed at the upmarket Atlantis Resort in the Bahamas should keep a close eye on their bank statements in the months ahead. The hotel has acknowledged an apparent database break-in in which personal information for 55,000 guests may have been stolen, including credit card and bank account numbers.

The resort said it is notifying affected customers in writing so that they can "take steps to protect themselves from possible identity fraud."

Kerzner International Ltd., which operates the 2,000-room "ocean-themed" resort on Paradise Island, reported the theft last week in a U.S. regulatory filing. An internal investigation revealed that the information had been stolen from a database of Atlantis customers.

...

The information stolen includes names, addresses, credit card numbers, Social Security numbers, driver's license numbers and bank account numbers. Approximately 55,000 customers may have been affected, the resort company said.

Technorati tags: :: :: ::

Iconic eatery Cafe Henry Burger shuts its doors after 83 years

The Ottawa Citizen is reporting that Cafe Henry Burger in Ottawa is closing down. According to the owner, the restaurant suffered a loss of business as fallout from the Radwanski scandal that lead to the downfall of the then Privacy Commissioner and opened all entertainment spending by public officials to much greater scrutiny.

Iconic eatery Cafe Henry Burger shuts its doors after 83 years

It made headlines of a different kind in 2003 when it was revealed that some public servants had run up huge bills at Cafe Henry Burger, including then-privacy commissioner George Radwanski. Mr. Bourassa concedes that the repercussions of that hurt sales at his restaurant.

"Following that, there was greater expense-account scrutiny and a greater call for access to information. This resulted in a loss of clients."

Despite the obvious sadness he feels at the closing of his restaurant, he is focusing on the many good experiences he has had.

I'm sure some would suggest that it was the loss of Radwanski's business that did it in.