Sunday, April 30, 2006

"National security letter" statistics released for 2005

The Associated Press (via beSpacific) is reporting that in 2005, the FBI used almost ten thousand "" to obtain information on more than 3,500 people. National security letters are a mechanism provided for in the USA Patriot Act by which US law enforcement and intelligence agencies can secretly compel information from third parties. See: FBI secretly sought data on 3,501 - U.S. Security -

Saturday, April 29, 2006

BC Government proposes rollbacks to USA Patriot Act provisions in FIPPA

The British Columbia Government has introduced amendments to the Freedom of Information and Protection of Privacy Act, the province's public sector privacy and access law, to roll back some of the more recent amendments made in response to fears about the USA Patriot Act. (BILL 30 -- 2006: MISCELLANEOUS STATUTES AMENDMENT ACT (No. 2), 2006). The Information and Privacy Commissioner is generally in agreemenet with the cross-border amendments and has issued a statement published on his website:

Bill 30 (Miscellaneous Statues Amendment Act, 2006)––Amendments to the Freedom of Information and Protection of Privacy Act (“FIPPA”) and the Personal Information Protection Act (“PIPA”)––OIPC File No. F05-26470

Further to my letter of April 27, 2006, I have now had an opportunity to consider the other amendments that the above Bill would make to FIPPA and to PIPA. I support these amendments.

In the case of amendments to FIPPA in relation to location of personal information outside of Canada or access to it from outside Canada, I support these amendments as reasonable. I note that they are narrowly tailored and would permit location of personal information outside Canada or access from outside Canada only where a public body official is temporarily travelling outside Canada or for “installing, implementing, maintaining, repairing, trouble shooting or upgrading an electronic system or equipment that includes an electronic system” or “for data recovery that is being undertaken following failure of an electronic system”.

The BC Government Employees Union, which started the USA Patriot Act and oursourcing fuss some time ago, is not at all happy. Here's their statement:

BCGEU: Liberal efforts to weaken privacy protection, .....:FOR IMMEDIATE RELEASE

APRIL 28, 2006

Liberal efforts to weaken privacy protection, limit freedom of information buried in omnibus legislation

The B.C. Government and Service Employees’ Union is adding its name to the list of groups opposed to sweeping changes in privacy protections and access to information contained in the Freedom of Information and Protection of Privacy Act (FIPPA) which the Campbell government tried to bury in an omnibus piece of legislation introduced Thursday in the Legislature.

“These are very troubling measures that are ill advised and just plain dangerous,” warns BCGEU president George Heyman. “It’s a real setback for open and transparent government.”

Heyman says the proposed amendments roll back provisions to protect personal privacy implemented in 2004 to address concerns around the USA Patriot Act, based on recommendations by B.C.’s privacy commissioner. That Act—which was just renewed by the Bush government—gives U.S. security agencies like the FBI sweeping powers to obtain information from companies and individuals in that country.

“Victoria is putting British Columbians’ highly sensitive personal information at risk by weakening current protections—thereby increasing the risk of loss and theft, or exposure to the intrusive powers of the USA Patriot Act.”

Changes to section 33 of FIPPA will severely compromise current privacy protections by giving the green light to public bodies to release British Columbians’ personal information outside B.C. and Canada to a shopping list of officials and interests—including employees of private U.S. companies like Maximus and EDS hired by the government—to administer our personal medical and financial records.

“Given the recent high profile failures of this government to protect sensitive personal information, this is a development that will alarm British Columbians,” says Heyman.

Meanwhile, other changes to sections 17 and 21 of FIPPA will enable Victoria to expand the heavy veil of secrecy around privatization projects and private-public partnerships by giving government sweeping powers to withhold information from the public. “These amendments establish that the interests of private companies will take precedent over British Columbians’ right to know,” Heyman says.

He also cautions that proposed Liberal amendments include provisions that will compound the lengthy delays already faced by British Columbians filing access to information requests with government and public bodies, by allowing the government to manipulate response deadlines.

Information Commissioner attacks Access to Information amendments in the Federal Accountability Act

Earlier this week, at a meeting in Calgary, I heard first-hand the Federal Information Commissioner's views on proposed amendments to the Access to Informaiton Act contained in the omnibus Federal Accountability Act. The FAA is promoted as increasing accountability on the part of government and public servants. The Commissioner, John Reid, is of the view that it is a dramatic step backwards. Though it adds a handful of government and crown agencies under the Access to Information Act's purview, it also adds to the exceptions to the general principle of access.

The Commissioner has taken the very unusual step of issuing a special report to parliament to share his views. Here is an extract from the report's introduction:

Office of the Information Commissioner: Reports - Response to the Report of the Access to Information Review Task Force

... Finally, and most important, the content of the Federal Accountability Act, and the government’s discussion paper on access reform, is a cause for grave concern. What the government now proposes – if accepted – will reduce the amount of information available to the public, weaken the oversight role of the Information Commissioner and increase government’s ability to cover-up wrongdoing, shield itself from embarrassment and control the flow of information to Canadians.

No previous government, since the Access to Information Act came into force in 1983, has put forward a more retrograde and dangerous set of proposals to change the Access to Information Act. Most recently, in 2002, the Liberal government of Jean Chr├ętien established a Task Force of government insiders to come up with recommendations for "reform" of the access law. The result was so pro-secrecy that it prompted this Information Commissioner to table a Special Report to Parliament, in September 2002, raising this alarm:

"Once again we are, with this Task Force Report, confronted with the reality that bureaucrats like secrets – they always have; they will go to absurd lengths to keep secrets from the public and even from each other. Bureaucrats don’t yet grasp the profound advance our democracy made with the passage, in 1983, of the Access to Information Act. They continue to resent and resist the intentional shift of power, which Parliament mandated, away from officials to citizens. A bureaucrat’s dream of reform is to get back as much lost power over information as possible" (p. 10).

The current government’s proposals are every bit as much "a bureaucrat’s dream" as were those of the Chr├ętien government.

This Special Report, as did the 2002 Special Report, sounds this alarm: The government’s access to information reform plan will not strengthen the accountability of government through transparency – it will weaken it.

There is no more eloquent testimonial to the power of the forces of secrecy in government than the radical change they have wrought, in a few short weeks, to the Prime Minister’s election promises for access reform. In his role as Leader of the Opposition, Stephen Harper ridiculed the Martin government’s decision to release a discussion paper, rather than to introduce a bill to reform the Access to Information Act.

Prior to the election, Stephen Harper, also ridiculed the content of the Martin government’s discussion paper saying that: "it proposes to make the government more secretive than it already is, to propose a new 20 year gag order on draft internal audit reports and working papers, and to try to prevent the release of consultant reports for agencies for 20 years." (Conservative Party press release, June 2, 2005).

The new government has done exactly the things for which its predecessor had been ridiculed. The government has issued a discussion paper rather than a comprehensive reform bill and in the proposed Federal Accountability Act, it has thrown a blanket of secrecy over draft internal audit reports and working papers, for 15 years (no need to demonstrate any potential for injury from disclosure!). Also, the government proposes to keep secret forever all records relating to investigations of wrongdoing in government. The previous government pushed through a secrecy provision for such records (over the objections of the Information Commissioner, public service unions and whistleblowers), but limited its operation to a five-year period.

Here a digression on the government’s decision to refer the Commissioner’s proposals for access reform (the Open Government Act) for more study and debate before being introduced into Parliament. Now is the time for action, not talk! That is the message the Commissioner gave the Standing Committee on Access to Information, Privacy and Ethics on October 25, 2005 – and it remains his position.

The most recent of a long list of exhaustive, detailed, open and professional inquiries was the Gomery Commission of Inquiry. Justice Gomery’s second report – Restoring Accountability (February 1, 2006) – was informed by an extensive national consultation with respect, inter alia, to access to information reform, including, the receipt of comments to a website from the public at large, consultations with experts in five moderated roundtables throughout Canada, receipt of written submissions from experts, academics, interested parties and specific commissioned research.

Based on that widespread consultation with all relevant stakeholders, Justice Gomery made recommendations with respect to access to information reform – specifically, with respect to the reforms contained in the Open Government Act which this Commissioner prepared (at the request of the Standing Committee on Access to Information, Privacy and Ethics) and made public in September of 2005. The views and recommendations of Justice Gomery are set out in Appendix "A". They constitute an affirmation that access to information reform is required and an endorsement of the reforms proposed in the Open Government Act.

To end this digression, then, there are no gaps in the knowledge base on which proper policy choices can be made for access to information reform; there has been full opportunity for debate, critique and persuasion. There is no reason – apart from a loss of political will – to refrain from proceeding with the reforms contained in the Open Government Act as endorsed by Justice Gomery, the Conservative election platform and in the Seventh Report of the Standing Committee on Access to Information, Privacy and Ethics presented to the House of Commons on November 21, 2005.

Here's some media coverage of the Commissioner's report:

EU and US study suggests American companies are more advanced in personal information protection

According to a new study (2.5MB) undertaken by the Ponemon Institute for White & Case, American companies are more advanced in protecting personal information than companies in the European Union. This may come as a surprise in light of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. See the White & Case press release: White & Case LLP - News & Events - Despite Stricter Rules in Europe, US Companies More Advanced in Protecting Data.

Closing at least one barn door

With most personal information mostly in digital form, it is easily reproduced and highly portable. Not only can it be e-mailed and FTP'd, it is increasingly finding its way onto USB drives. These drives can easily be stolen (and wind up on the black market in Kabul) or can be used by malevolent employees to commit fraud. Lifehacker is linking to Remote Administration for Windows, which has posted a simple registry change that apparently disables USB drives in Windows (Remote Administration For Windows - Windows administration tricks and tips.: Disable USB Drives). I have no idea whether it disables iPODs, USB external hard-drives or other USB-connected mass storage, but it apparently does not interfere with other USB devices.

Usual disclaimers apply ...

Is that an RFID in your 501s, or ....

Levi's is apparently rolling out a test of using radio frequency ID tags (RIFDs) to track inventory in a select number of retail outlets. The RFIDs, which contain an individual serial number are on a dangling tag marked "Please discard this tag if it is not removed at the point of purchase." Not surprisingly, some see conspiracy afoot and are concerned about the privacy aspects of wider adoption of RFIDs on consumer goods. See: Advertising Age - Privacy Group Slams Levi's for Radio ID Tags.

Friday, April 28, 2006

It's the cover-up, stupid

In the hundreds of security and privacy breaches reported in the last few years, the companies involved that have fared the best are those that have been forthcoming with information and appear to be genuinely interested in the well being of the people involved. (I say "appear to be" because it doesn't really have to be sincere, but it has to benefit the individual. Once you can fake sincerity, you've got it made.) Those that have fared the worst are those that lied, misled customers, otherwise tried to cover it up or trivialize the breach.

Accidents happen and any company that has customer data on hand is at risk, to some degree or another. No security system is perfect. The biggest consequence of a breach is probably not an award of damages from the court but the loss of trust of customers and other stakeholders. The senior director at Lexis Nexis is quoted in a recent Network World article (Disclosure meant less pain in data theft) as confirming this:

But when the damage became clear, LexisNexis made an immediate decision to be forthcoming and transparent about the breach, he said. "We tried to do the best job we could," he said.

The company contacted all those who were affected by the attack using the framework of a California data security disclosure law passed in 2003 as a guide, Cronin said.

The law is catching up after the high-profile cases of last year, including ChoicePoint, a data broker that acknowledged divulging sensitive personal information to identity thieves posing as customers. So far in the U.S., 20 states have implemented notification laws, and a federal law is under consideration.

After the data breach, LexisNexis took several steps to implement stronger security, Cronin said. The company reviewed the security of all its Web applications and created new procedures for verifying customers with access to sensitive data, he said.

LexisNexis encouraged certain customers to sign up for anti-virus software. It revamped online security access, looking at password complexity and expiration times. The company also implemented measures to automatically detect anomalies in use of its products to identity potential security problems, Cronin said.

LexisNexis learned other lessons. Passwords are dead, Cronin said, and two-factor authentication is recommended. But front-door perimeter attacks are less likely than the persistent weak link: people.

Now ask yourself why ChoicePoint is synonymous with "privacy breach" and not Lexis Nexis.

Personal information in the hiring process

The Office of the Information and Privacy Commissioner for BC has released a guide to PIPA and the Hiring Process. For those outside of British Columbia, it's an interesting read and embodies some good practices for dealing with personal information of employment applicants. But be careful: PIPEDA does not have the same consent exceptions that are described in this publication.

Thursday, April 27, 2006

Incident: Server with personal information hacked at Alaska University

Though this involves names and social security numbers of 39,000 students, faculty and staff, I was thinking that these university incidents may be becoming too frequent and mundane to report about...

KTVA - Local:

"Hacker gets into UAF database

The University of Alaska Fairbanks is taking steps to prevent another computer breach.

Steve Smith, U.A.'s chief information technology officer, says the university's Computer Incident Response Team, has conducted a security sweep. And he says a consultant has been hired to help strengthen the walls around the university's computer network.

The problem showed up on a server at the Kuskokwim campus in Bethel. The files have been taken off-line, as well as four similar ones recently found during a search of other university servers.

University officials say the hacker had access to the names, Social Security numbers and partial e-mail addresses of nearly 39-thousand current and former University of Alaska Fairbanks students, faculty and staff.

And they say the hacker had access to the information for nearly a year. "

Tuesday, April 25, 2006

Global survey suggests that customers worldwide will trade privacy for convenience

Unisys and the Ponemon Institute have undertaken what it describes as a global survey of privacy preferences, particularly focusing on credentialing and identity management. The results suggest, not too surprisingly, that consumers are prepared to trade privacy for convenience. Here's the press-release:

Unisys Majority of Consumers Worldwide Would Relinquish Some Privacy for Convenience, Says Unisys Global ID Management Study Majority of Consumers Worldwide Would Relinquish Some Privacy for Convenience, Says Unisys Global ID Management Study Research to support Unisys call for standardized identity authentication practices and new definition of security at 15th World Congress on IT

BLUE BELL, Pa., April 25, 2006 – While privacy remains a major concern of people around the world, new research from Unisys Corporation (NYSE: UIS) debunks some of the traditional myths concerning protection and use of identity credentials. The results show that a majority of consumers would share personal data if they knew the end user will securely protect their information and they can perceive a clear benefit in convenience gained.

In the first global survey of its kind, the Unisys research also found that most consumers (71 percent) worldwide are willing to have a multi-purpose identity credential that many organizations would accept to verify a person’s identity before providing access to secure records or locations. The most important functions cited for a multi-purpose credential are to prove identity for access to transportation channels (such as airplanes, trains and buses), enter public locations (stadiums, airports and others), cross borders (customs), and access Internet accounts.

“Of course people demand and deserve their privacy,” said Mark Cohn, vice president of homeland security solutions, Unisys Corporation,” but when there are visible benefits of sharing information, most people will give up some privacy for convenience. It’s clear there can be voluntary adoption with ID authentication between parties who trust each other.”

The research also pointed to preferable methods of technology for identity verification, revealing that more than two-thirds (67 percent) of consumers worldwide would support using biometrics such as voice recognition or fingerprints. When comparing biometrics to other security devices such as smart cards and tokens, 66 percent also favored biometrics as the ideal method to combat fraud and identity theft. This finding shows a slight increase from previous research that Unisys conducted in September 2005, which found 61 percent of consumers worldwide favored biometrics as the preferred method to fight fraud and identity theft.

Additional identity management findings from the current study include:

  • Banking institutions are the most trusted by consumers to issue and manage a multi-purpose identity credential (cited by 46 percent of respondents), followed by a government agency established to issue identity cards (45 percent). In contrast, law enforcement (police) are the least trusted (40 percent) to issue identity credentials, followed by a private company established to issue identity cards (38 percent).
  • More than 68 percent of individuals believe it is important that the credential can operate across international borders.
  • North American and Asia-Pacific consumers are willing to share more personal data than Europeans and Latin Americans.
  • People in North America, Europe and Asia-Pacific are more willing to share sensitive personal information with a government organization rather than a business. In contrast, respondents in Latin America are more willing to share personal data with a business rather than government.

The Ponemon Institute, a leading independent firm that specializes in privacy and security research, conducted the survey on behalf of Unisys.

“I’ve studied identity management and privacy issues for more than 20 years and this is the first time anyone has looked at consumer preferences so broadly from a global perspective,” Dr. Larry Ponemon, chairman of the Ponemon Institute and a noted security expert, said. “I’m surprised by these findings, which imply that consumer education on privacy perhaps has made a positive impact. While clearly a concern, privacy might not be as big of a roadblock to identity authentication as some pundits claim.”

The current research is part of a broader analysis of identity authentication that Unisys will spearhead at the upcoming 15th World Congress on Information Technology (WCIT 2006). Unisys also will present policy proposals to WCIT delegates on the need for standards around procedures and practices in global identity authentication. The Congress is expected to draw 2,000 business, government and academic leaders from 80 countries. WCIT’s goal is to explore pertinent issues in security and privacy, digital access and healthcare, and to make specific, actionable policy recommendations to the global IT community. A biennial global event, the 15th Congress will take place in Austin, Texas, May 1-5, 2006.

Unisys President and CEO Joseph W. McGrath will keynote at WCIT 2006, as well as participate in a dialogue of government and private sector leaders who will discuss how to redefine security to address rapidly changing security and privacy requirements of individuals, businesses and governments worldwide – including the need for international uniform standards for identity authentication.

About the research and the Ponemon Institute

The research consisted primarily of a Web-based survey of randomly chosen consumers in 14 countries: Australia, Argentina, Brazil, Denmark, Canada, France, Germany, Japan, Korea, Mexico, Taiwan, Thailand, the United Kingdom and United States. The Ponemon Institute sent invitations to 16,683 adult-aged individuals throughout the world, via e-mail or letter, from which it received 1,661 usable responses, resulting in an overall 9.96 percent response rate. Of these respondents, 464 are North Americans, 427 are Europeans, 450 reside in Asia-Pacific, and 320 are Latin Americans. The Ponemon Institute also conducted an additional 262 direct interviews (either in-person or via telephone) in four countries to validate the Web-based survey findings.

The Ponemon Institute is a “think tank” dedicated to advancing responsible information practices in businesses and government. To achieve this objective, Ponemon Institute conducts independent research on privacy and information security, educates leaders from the private and public sectors, and verifies the privacy and data protection practices of organizations. The Institute is headquartered in Michigan. For more information, visit or contact (800) 887-3118.

About Unisys

Unisys is a worldwide technology services and solutions company. Our consultants apply Unisys expertise in consulting, systems integration, outsourcing, infrastructure, and server technology to help our clients achieve secure business operations. We build more secure organizations by creating visibility into clients’ business operations. Leveraging Unisys 3D Visible Enterprise, we make visible the impact of their decisions – ahead of investments, opportunities and risks. For more information, visit

Breach at Univ. of Texas - Austin exposes data on 197,000 people

From Computerworld, the headline says it all: Breach at Univ. of Texas - Austin exposes data on 197,000 people - Computerworld.

Monday, April 24, 2006

Homeland Security inks deal to share passenger info with Centers for Disease Control

The Depatrment of Homeland Security and the Department of Health and Human Services have signed a deal to allow unprecedented data sharing to address pandemics and other travel-related health concerns. This goes far beyond the "Safe Traveler" deal previously worked out and critics say that it violates the US/EU pact related to passenger info. To make matters worse, the agencies involved did not publish a privacy impact assessment, though one is required for projects such as this.  See:

Posted on my Blackberry from Calgary, so my apologies for the formatting.

Sunday, April 23, 2006

Incident: Dental records found in Manitoba landfill

It is puzzling that these sorts of incidents keep on happening. According to yesterday's Winnipeg Sun, the Ombudsman of Manitoba is investigating a potential breach of the province's Personal Health Information Act after old dental records were found in a landfill. See: - Winnipeg News - Forgotten dental records investigated.

Saturday, April 22, 2006

New Supreme Court of Canada decision considers privacy aspects of Access to Information Act review procedure

The Supreme Court of Canada doesn't often hear cases related to the Access to Information Act and the Privacy Act, but it did so in a decision released yesterday. In H.J. Heinz Co. of Canada Ltd. v. Canada (Attorney General), 2006 SCC 13, the Supreme Court determined that a court, in a review under s. 44 of the Access to Information Act is permitted to consider issues related to the privacy of personal information.

The s.44 scheme is generally understood to relate to confidential business information. Under the Act, if an applicant requests access to information that may be confidential business information, the head of the government body is required to give notice to the third-party who may be affected, who can make a representation that the information should not be disclosed. If the government proposes to release the information despite the third party's objections, the third party can make an application to the Court to have that decision reviewed.

The Access to Information Act does not have any similar review provision if the information in question is "personal information". In this particular case, the third party attempted to argue that the information was also personal information and should not be released. The Supreme Court of Canada concluded that a court may, on a s. 44 review, consider the personal information exemption as well as the confidential business information exemption. In the decision, the Court had some interesting things to say about privacy. Here's the headnote for the case:

Citation: H.J. Heinz Co. of Canada Ltd. v. Canada (Attorney General), 2006 SCC 13

Date: 20060421 Docket: 30417

File No.: 30417.

2005: November 7; 2006: April 21.

Present: McLachlin C.J. and Bastarache, Binnie, LeBel, Deschamps, Fish and Abella JJ.

on appeal from the federal court of appeal

Access to information — Exemptions — Personal information — Third party information — Review by Federal Court — Application by third party under s. 44 of Access to Information Act for review of government institution’s decision to disclose record — Whether third party can raise exemption for personal information on s. 44 review — Access to Information Act, R.S.C. 1985, c. A‑1, ss. 19, 20(1), 44.

A federal agency received a request under the Access to Information Act (“Access Act”) for access to certain records pertaining to the respondent company, a third party within the meaning of the Act. The agency determined that some of the records might contain confidential business or scientific information, as described in s. 20(1) of the Act, and requested, pursuant to ss. 27 and 28, that the company make representations as to why the information should not be disclosed. The company submitted its representations and after reviewing them, the agency concluded that the records should be disclosed, subject to certain redactions. The company commenced a review proceeding pursuant to s. 44 of the Access Act and, in addition to the confidential business information exemption, sought to raise the personal information exemption set out in s. 19 of the Act. The application judge concluded that the company could raise the s. 19 exemption on a s. 44 review and ordered the severance of certain records containing personal information. The Federal Court of Appeal upheld the decision.

Held (McLachlin C.J. and Bastarache and LeBel JJ. dissenting): The appeal should be dismissed.

Per Binnie, Deschamps, Fish and Abella JJ.: A third party may raise the exemption for personal information set out in s. 19 of the Access Act in a s. 44 review. The plain language of the statute, together with the legislative context and combined purposes of the Access Act and the Privacy Act, provides ample foundation for this conclusion. [22‑46]

It is apparent from the scheme and legislative histories of the Access Act and the Privacy Act that the combined purpose of the two statutes is to strike a careful balance between privacy rights and the right of access to information. However, within this balanced scheme, the Acts afford greater protection to personal information. By imposing stringent restrictions on the disclosure of personal information, Parliament clearly intended that no violation of privacy rights should occur. Where a third party becomes aware that a government institution intends to disclose a record containing personal information, nothing in the plain language of ss. 28, 44 and 51 of the Access Act prevents the third party from raising this concern by applying for review. These sections do not limit the court’s discretion to a consideration of the s. 20(1) exemption. Furthermore, s. 44 is the sole mechanism under either the Access Act or the Privacy Act by which a third party can draw the court’s attention to an intended disclosure of personal information in violation of s. 19 of the Access Act, and by which it can seek an effective remedy on behalf of others whose privacy is at stake. While the Privacy Commissioner and the Information Commissioner play a central role in the access to information and privacy scheme and have extensive responsibilities, their role is limited by an inability to issue injunctive relief or to prohibit a government institution from disclosing information. A reviewing court is in a position to prevent harm from being committed and the statutory scheme imposes no legal barrier to prevent the court from intervening. An interpretation of s. 44 that forces an individual to wait until the personal information is disclosed and the damage is done, or that imposes an onerous burden on the person seeking to avert the harm, fails to give proper content to the right to privacy and also fails to satisfy the clear legislative goals underlying the Access Act and the Privacy Act. A narrow interpretation of s. 44 would weaken the protection of personal information and dilute the right to privacy. [2] [31‑35] [45] [63] Although a review under s. 44 of the Access Act is triggered by a third party’s right to notice where requested records may contain confidential business information, Parliament’s failure to provide a similar notice where personal information is involved does not indicate that the legislature intended that s. 19 should be unavailable on a s. 44 review. The right to notice accorded to third parties follows logically from the specific nature of the confidential business information exemption and does not limit the right of review provided for in s. 44. First, in the case of confidential business information, the assistance of the third party is necessary for the government institution to know how, or if, the third party treated the information as confidential. Second, the mandatory nature of s. 19 precludes the need for a notice provision. Under the Access Act, notice is a right intended to enable a party to contest the release of information and is therefore required only where the statute contemplates the possibility of making information public, as is the case with confidential business information under s. 20(1). In the specific circumstances in which the Access Act does authorize the disclosure of personal information, a notice provision is either superfluous or has in fact been provided for in the legislative scheme (s. 8(5) of the Privacy Act). Given the underlying presumption that personal information will not be disclosed as well as the paramount importance of individual privacy, it would be absurd not to allow third parties to use the mechanism provided for by the legislature to prevent a violation of the spirit and the letter of the Access Act and the Privacy Act. Allowing the company to raise the s. 19 exemption on a s. 44 review does not create a “second tier” of third parties, but allows the only third party who has access to s. 44 to use this remedy to prevent harm from occurring needlessly. [41] [50‑58]

Per McLachlin C.J. and Bastarache and LeBel JJ. (dissenting): A third party cannot raise the s. 19 exemption for personal information on a s. 44 review. In interpreting s. 44 of the Access Act, it is necessary to preserve the integrity of the mechanism Parliament has selected. In order to balance the competing rights of access and privacy, Parliament has selected a complaint and investigation process. Where the personal information of individuals is improperly disclosed, those individuals can bring a complaint to the Privacy Commissioner under s. 29 of the Privacy Act. There is no notice provision prior to the disclosure of a requested record that might contain exempted personal information, nor does the unlawful disclosure of exempted personal information give rise to a right of judicial review under the Access Act or the Privacy Act. By virtue of ss. 27, 28 and 29 of the Access Act, the legislative scheme provides notice prior to the actual disclosure only where the requested record may contain confidential business information. Since the right to bring a s. 44 review flows from the notice a third party receives because of the believed presence of confidential business information in the requested record, considered in its proper statutory context, s. 44 has nothing to do with the s. 19 exemption. The structure of the Access Act and of the Privacy Act suggests that Parliament intended that the protection of personal information be assured exclusively by the Office of the Privacy Commissioner. In order to give effect to the legislative intent, the complaint and investigation process contained in s. 29 must be respected. [94‑97] [106] [123]

Unless the opportunity to raise exemptions at a s. 44 review proceeding is limited to the s. 20 exemption for confidential business information, third parties who have received notice pursuant to s. 28(1)(b) will be afforded an opportunity to raise the s. 19 exemption for personal information in circumstances where no comparable right exists for a third party claiming only that the record contains personal information belonging to it. The effect of the proposed extension of the s. 44 review would be to create two categories of third parties: those who have relevant confidential business information and those who do not. Such a result would be absurd insofar as it would allow greater protection of certain individuals’ personal information, depending on the possible application of s. 20. There is no basis for such a two‑tiered system in either the Access Act of the Privacy Act. Furthermore, that right of review may not even belong to the individual whose personal information actually appears in the requested record. In the present case, only the company has the right to apply for a review, notwithstanding that the personal information contained in the record actually belongs to its employees. While both the Access Act and the Privacy Act expressly allow an authorized agent to bring complaints to the Information Commissioner or to the Privacy Commissioner, respectively, s. 44 does not so provide. [98‑102] [107]

Although a third party cannot raise the s. 19 exemption on a s. 44 review, where a government institution acts without or beyond its jurisdiction, it remains open to a party directly affected by the decision to bring an application for judicial review pursuant to s. 18.1 of the Federal Courts Act. The decision of the government institution to disclose the requested record is reviewable for jurisdictional error, and the remedy of prohibition is available. The Federal Court judge hearing the judicial review application will only decline to exercise his jurisdiction if satisfied that the statutory scheme provides an adequate alternative remedy. Here, the statutory scheme does not provide the company with an adequate alternative remedy. [108] [114] [117‑118]

In view of the critical differences between the two proceedings, there are valid reasons for refusing to collapse a s. 18.1 review within a s. 44 review. However, the Federal Court judge could proceed with both applications at the same time or consecutively, thereby addressing the concerns about unwarranted use of resources. [119‑121]

Update (20060423): Check out Michael Geist's comment on the importance of this case: Michael Geist - The Supreme Court on Privacy.

Australian privacy decision in abortion case

Peter Timmins at Open and Shut, a blog about privacy and access law in Australia, has a comment about a recent case there in which a hospital claimed public interest privilege when it tried to prevent an investigation board from obtaining the records of a woman who had received a late-term abortion in the hospital. The argument was not successful and the Court ordered that the records be provided. See: Open and Shut: Landmark privacy decision in abortion case.

Thursday, April 20, 2006

Incident: Alberta Commissioner faults store for inadequate security of personal information after customers' information used fraudulently

In case you were wondering whether printing credit card numbers on receipts is a risky venture, think about Monarch Beauty Supply in Edmonton, Alberta. The company, like many others, prints this information on receipts. And this company threw them out in a dumpster behind the store.

Edmonton Police received from an anonymous informant copies of that confidential information and began an investigation. The Information and Privacy Commissioner of Alberta also received a complaint from a customer of Monarch Beauty Supply that her credit card had been fraudulently used to buy a laptop. The investigation found that other personal information originating with the company had found its way into the hands of criminals.

The Commissioner found that the company did not adequately safeguard personal information, in violation of PIPA. The Commissioner also noted that there was inadequate training of staff because store managers were not trained in privacy.

Lessons learned:

  1. Do not print credit and debit card numbers on receipts.
  2. Do not dispose of personal information by throwing it out.
  3. Make sure that all staff who handle personal information are trained in their obligations under the law.

Under most of Canada's privacy laws, individuals who have been harmed by a company's violation of the law can seek damages from the company that violated the law. Victims of identity theft can seek compensation for all the damage done because of a company's screw up.

See the Commissioner's report:

Investigation Report P2006-IR-003

Information and Privacy Commissioner's investigation finds Monarch Beauty Supply improperly disposed of over 2600 customer receipts by placing them in a dumpster. The Alberta business failed to protect personal information from identity thieves.

Click to view more information Investigation Report P2006-IR-003

See coverage from the Edmonton Sun: Crook used dumped credit data.

Tuesday, April 18, 2006

The Worm Within

The Bank Lawyer's Blog just linked to my recent post The Canadian Privacy Law Blog: Incident: Bank employee uses access to account information to harass customers. Kevin has some additional insights based on his own experience with advising banks on pre-employment screening. Check it out: Bank Lawyer's Blog: The Worm Within.

Suspected killer used Maine sex offender registry

Convicted sex offenders aren't a sympathetic bunch, but I expect we'll hear something about the risks of putting their personal information online after a young Nova Scotia allegedly used the State of Maine's sex offender registry to track down and murder two residents of that state who were listed in the registry. The database includes names, conviction information and address. See: CBC News: Suspected killer accessed online sex offender registry.

Update: David Holtzman at Global POV has an interesting comment on this post and the issue in general. See: GlobalPOV: Listless in Maine (20060419).

The Toronto Star's editorial advocates keeping registries private: - Editorial: Keep registries secret (20060419).

Update - 20060421: Tamara Thompson at PI Buzz notes that the Maine sex offender registry has been taken offline. She also discusses that the law enforcement agencies who maintain the site don't have any authority to do so since the Maine law setting up the site simply says that they shall make this information available to the public on the internet. See: PI Buzz - Maine yanks sex offender registry

Sunday, April 16, 2006

Incident: Laptop theft exposes clients of confidential counselling services

Another laptop theft, another privacy incident.

From the Chilliwack Progress in British Columbia:

Data privacy breach affects FHA
By Jeff Nagel
Black Press
Apr 16 2006

Fraser Health Authority (FHA) employees have been warned that some of them who used an ultra-confidential counselling service may have had their privacy breached as a result of a theft of a computer.

The computer with a disk inside it went missing in March from the Vancouver office of the Employee and Family Assistance Program (EFAP) run by the Vancouver Coastal Health Authority.

The disk contained the names, birth dates, contact information and referral reasons for thousands of Lower Mainland health workers who sought help for intensely personal problems.

The service offers help with relationship counselling, drug or alcohol addictions, sexuality questions, abuse, loss and grief, and stress or emotional traumas - among other issues.

"People who use the EFAP program are often going through a crisis of some kind," said Hospital Employees' Union spokesman Mike Old. "The theft of that information is of great concern to the union and its members....

Incident: Bank employee uses access to account information to harass customers

The Cadillac News, in Cadillac, Michigan is reporting on a former employee of Fifth Third Bank who allegedly used access to account information to harass customers, most of whom are women:

Cadillac News:

Internal theft of personal bank data rare

By Matt Whetstone, Cadillac News

CADILLAC - There's a first time for everything - even a bank employee using his job to compromise the personal information of customers.

Fifth Third Bank has the designation of being the first after an employee at an Indiana banking center accessed account information and harassed customers, who were primarily women.

“Fifth Third puts our employees through extensive training on the use of client information,” said Peggy Janei, spokeswoman for the company. “We have strict policies and procedures about that.”

The man, 39-year-old Marco Antonio Munoz, is no longer working for the institution but his alleged trail of identity theft could span the Midwest and hundreds, if not thousands, of bank customers.

“We don't know what we have here yet,” said Det. Sgt. Jeff Herweyer, who handled the case on behalf of the Michigan State Police Cadillac Post.

What police do have is 73 pages of names that Munoz accessed over the last four years, with the most activity in the last two.

Munoz passed the bank's screening process. Had he had a criminal background in the past, he would not have been hired, Janei said.

“We continue on a daily basis to enforce with our employees' appropriate use of customer information, we never sell client names,” she said.

Fifth Third of Northern Michigan President and CEO John Pelizzari said it is a very unusual occurrence. He has been in the business for 30 years and said this is the first such case he has seen.

Special Agent Terry Booth of the Federal Bureau of Investigation office in Detroit said the agency has handled cases of bank employees taking money out of accounts but this case seems to be unique.

“Quite frankly, I've never heard of that,” Booth said. “It's news to me they would use it for that type of activity.”

Robert Marcus, branch manager for Citizens Bank in Cadillac, said he is quite surprised of the nature of the incident.

Like Fifth Third, Citizens has security measures in place to ensure customers' personal information is kept safe. Anyone who develops a trend of looking up a lot of client information without a need will set off a red flag.

The measures, Marcus said, are necessary to protect people at a time when identity theft and fraud are on the rise. The institution also has policies where personal information must be kept in a safe place, off desks or out of plain sight, to avoid any potential for someone gathering information through that method, he said.

Even potential new customers are carefully reviewed to ensure they are who they say they are, he added.

Friday, April 14, 2006

Incident: When wind hit, privacy flew out the window

Thanks to Gerry Riskin of the Edge Group and author of Amazing Firms, Amazing Practices for passing this along.

Recently, high winds went whipping through downtown Indianapolis, blowing windows out of buildings and generally making a mess of things. Part of the mess was documents from two law firms, which were scattered throughout the downtown area. Most of the papers, which included at least one will, have been recovered. Other businesses lost documents, some of which contained pretty sensitive personal information.

Whether it's personal or privileged, you just don't want them blowing around town.

See: When wind hit, privacy flew out the window | My favorite quote from the article: "Privacy experts say that's bad."

Courts and PIPEDA: Why the federal law does not apply in British Columbia

It is always interesting to see how the courts are dealing with privacy laws.

I just came across a somewhat interesting case from British Columbia, in which the Court was asked to determine whether the Personal Information Protection Act could be used to refuse to identify a witness based on the "privacy" of that witness. The answer, not surprisingly, is no:

Shilton v. Fassnacht, 2006 BCSC 431 (CanLII)

[12] The plaintiffs object to disclosure on a number of bases. First, they submit that the opening words of Rule 27(22) give the court a discretion to order non-disclosure. They submit that non-disclosure should be ordered here for reasons of privacy and privilege.

[13] On the privacy issue, the plaintiffs referred to the Personal Information Protection Act, S.B.C. 2003, c. 63. That Act governs the collection, use and disclosure of personal information by organizations. In the Act “organization” is defined as including a person. However, s. 3(4) provides:

3(4) This Act does not limit the information available by law to a party in a proceeding.

[14] Given other definitions in the Act, it is clear that the present lawsuit comes within the meaning of “a proceeding.” Moreover, s. 1 of the Act specifies that “personal information” does not include “contact information.”

[15] In my view, there is nothing in the Personal Information Protection Act that would limit the defendant’s right under Rule 27(22) to obtain the names and contact information of relevant witnesses.

Even more interesting is the way the Court considered the Personal Information Protection and Electronic Documents Act. The Judge concluded that PIPEDA does not apply in British Columbia because of the effect of s. 30(1) of that Act:

[16] It is even clearer that the federal Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 has no application here by virtue of s. 30(1), which provides:
30(1) This Part does not apply to any organization in respect of personal information that it collects, uses or discloses within a province whose legislature has the power to regulate the collection, use or disclosure of the information, unless the organization does it in connection with the operation of a federal work, undertaking or business or the organization discloses the information outside the province for consideration.

[17] The present lawsuit relates to matters wholly within the province of British Columbia and the federal act has no application.

With the greatest respect to the judge and to the party that made the argument, this is just plain wrong. It is true that PIPEDA does not apply to the provincially-regulated private sector in BC, but it has nothing to do with s. 30(1) in 2006. If you look at all of s. 30, you'll see that s. 30(1) is no longer in effect.



30. (1) This Part does not apply to any organization in respect of personal information that it collects, uses or discloses within a province whose legislature has the power to regulate the collection, use or disclosure of the information, unless the organization does it in connection with the operation of a federal work, undertaking or business or the organization discloses the information outside the province for consideration.


(1.1) This Part does not apply to any organization in respect of personal health information that it collects, uses or discloses.

Expiry date

*(2) Subsection (1) ceases to have effect three years after the day on which this section comes into force.

* [Note: Section 30 in force January 1, 2001, see SI/2000-29.]

Expiry date

*(2.1) Subsection (1.1) ceases to have effect one year after the day on which this section comes into force.

* [Note: Section 30 in force January 1, 2001, see SI/2000-29.]

The Act came into force on January 1, 2001, so s. 30(1) ceased to have any effect on January 1, 2004.

The real reason why PIPEDA does not apply to the provincially regulated private sector in British Columbia is because of the effect of s. 26(2):


(2) The Governor in Council may, by order,

(a) ...

(b) if satisfied that legislation of a province that is substantially similar to this Part applies to an organization, a class of organizations, an activity or a class of activities, exempt the organization, activity or class from the application of this Part in respect of the collection, use or disclosure of personal information that occurs within that province.

The Governor in Council did make such an order (Organizations in the Province of British Columbia Exemption Order ) on October 12, 2004. For this reason, if PIPA (BC) does apply, PIPEDA will not.

Thursday, April 13, 2006

Privacy and open courtrooms

I was interviewed yesterday by a reporter from the Regina Leader Post about privacy and open courtrooms. The issue has come to the fore in the province of Saskatchewan as a result of the trial of a former football player who is charged with aggravated sexual assault. He is alleged to have had unprotected sex with a number of women without revealing that he is HIV positive.

Vanity quote:

Smith case takes another step :

While proceedings in Canada's court system are usually open to the public and media, exceptions -- while rare -- are certainly not unheard of, said David T.S. Fraser, a Nova Scotia lawyer who specializes in Canadian privacy law.

'The rights in our charter are not absolute,' he said. 'They're all subject to reasonable limitations that are compatible with the democratic and generally open society, and that's the sort of question the judge has to ask and answer.'

Fraser said there is a very strong precedent to close courts in particular circumstances. In addition to cases involving confidential medical information, public access to trials is most often restricted in cases that involve victims of sexual assault, children and national security issues.

Wednesday, April 12, 2006

UK Information Commissioner issues guidance on database transfers

The Information Commissioner in the UK has issued a guidance document outlining how transfers of customer databases upon the insolvency of a business or the sale of a business. In short, databases can be transferred without consent as long as the customers are given notice after it is transferred and as long as the information is only used for the original purposes for which it was collected. Read the Guidance Document here. (Link via and Pogo Was Right.)

Incident: Laptop containing personal health information stolen from Saskatchewan contractor

The CBC, via Yahoo! News, is reporting that a computer containing personal health information on Saskatchewan residents has been stolen from the Toronto office of a contractor. The information apparently was "heavily encrypted" and didn't contain any names or other identifying information, other than "health registration numbers". The article is unclear whether this is a medicare number or some other number.

The contractor apparently had access to this information as part of a project involving the analysis of long-term patient care in Saskatchewan. The Privacy Commissioner for the province has been consulted, but there's no mention of the reaction.

See: Computer containing health data stolen - Yahoo! Canada News.

Proposed amendments to Alberta's Health Information Act

The government of Alberta has just introduced amendments to the Health Information Act. Bill 31, the Health Information Amendment Act 2006 makes some mundane changes to the law, but some are more substantial.

For example, new sections allow certain disclosures of personal health information to deal with suspected fraud by patients and healthcare providers.

Disclosure to prevent or limit fraud or abuse of health services

37.1(1) A custodian may disclose individually identifying health information referred to in subsection (2) without the consent of the individual who is the subject of the information to a police service or the Minister of Justice and Attorney General where the custodian reasonably believes

(a) that the information relates to the possible commission of an offence under a statute or regulation of Alberta or Canada, and

(b) that the disclosure will detect or prevent fraud or limit abuse in the use of health services.

Disclosure to prevent or limit fraud or abuse of health services by health services providers

37.2(1) A custodian may disclose individually identifying health information referred to in subsection (2) without the consent of the health services provider who is the subject of the information to a police service or the Minister of Justice and Attorney General where the custodian reasonably believes

(a) that the information relates to the possible commission of an offence under a statute or regulation of Alberta or Canada by the health services provider, and

(b) that the disclosure will detect or prevent fraud or limit abuse in the provision of health services.

Also, a new subsection 170(5.1) appears to be meant to counter the USA Patriot Act:

(5.1) No person shall knowingly disclose health information to which this Act applies pursuant to a subpoena, warrant or order issued or made by a court, person or body having no jurisdiction in Alberta to compel the production of information or pursuant to a rule of court that is not binding in Alberta.

(7) A person who contravenes subsection (5.1) is guilty of an offence and liable

(a) in the case of an individual, to a fine of not less than $2000 and not more than $10 000, and

(b) in the case of any other person, to a fine of not less than $200 000 and not more than $500 000.

IRS seeks US taxpayer data from PayPal

According to the NYT, the US IRS has gotten approval from a Federal Court to get taxpayer information from PayPal. The information sought is about American taxpayers who have bank accounts, credit cards or debit cards issued in more than 30 countries that are reputed to be tax havens. This is part of a wider effort to stem tax evasion. PayPal is just another means that those with money stashed offshore can spend it in the US. See: I.R.S. Asks PayPal for Taxpayer Data - New York Times.

Followup: Vancouver law firm's files found blowing around an alley

I wrote on Tuesday about a Vancouver law firm's files found blowing around an alley. My anonymous Vancouver correspondent has found the video about the story on the CTV website: CTV Video - CTV Vancouver: privacy-lawfirm-clip. Alternate link.

Tuesday, April 11, 2006

'Mistakes happen,' tax agency explains

The other day, I blogged about the CRA sending a Toronto taxpayer's information to the wrong address (in the aptly entitled post: CRA sends Toronto taxpayer's information to the wrong address). The CRA has made a statement along the lines of "stuff happens ... We're really busy in April and it could happen to anyone."

Amazingly comforting. I feel better already.

See: - Toronto And GTA - 'Mistakes happen,' tax agency explains

Incident: Vancouver law firm's files found blowing around an alley

I am advised by a correspondent from Vancouver that the local CTV affiliate reported yesterday that hundreds of confidential documents, including individuals' medical and financial data, were blowing around an alley in downtown Vancouver yesterday afternoon. CTV says the documents appear to have come from a law firm that handles personal injury matters, which I'd rather not name until I can track down further information on the incident. The firm that was named did not put anyone on camera, but gave a statement to CTV that they don't know how this could have happened and are reviewing their procedures.

Do consumers care about privacy?

Over at the Bank Lawyer's Blog, the author is writing about discussions at a recent conference on privacy held at the Wharton School at the University of Pennsylvania. Definitely worth a read: Bank Lawyer's Blog: Privacy: Do Consumers Really Care?.

ChoicePoint Announces New PATRIOT Act Compliance and OFAC Compliance Software

About 99% of this is marketing speak, but parts of this press release from ChoicePoint look interesting:

ChoicePoint Announces New PATRIOT Act Compliance and OFAC Compliance Software:

New Bridger Insight XG™ to Streamline Customer Screening

ALPHARETTA, GA (PRWEB) April 4, 2006 -- ChoicePoint today announced the official launch of Bridger Insight XG, a new Office of Foreign Asset Control (OFAC) and USA PATRIOT Act (PATRIOT Act) compliance solution. The new solution is now available to more than 4,000 existing Bridger Insight clients and other businesses across the banking and finance, insurance, securities, mortgage, automotive, gaming and public sectors.

Bridger Insight XG will reduce manual workload and streamline PATRIOT Act compliance and OFAC compliance workflow across an organization using new technologies designed to greatly simplify customer screening (including OFAC checks and ID verification) and due diligence processes. The new product is designed to help businesses more efficiently identify suspected terrorists and prevent crimes such as money laundering and ID theft.

Through new automated compliance workflow and case management tools, this new OFAC and PATRIOT Act compliance software can help users realize significant cost savings and greatly reduce false positive hits. Turn-key enterprise-wide deployment is another feature of the new software, which is equipped with the latest security and expanded audit capabilities.

Bringing extensive experience as a pioneer of OFAC compliance and PATRIOT Act compliance software, Bridger Insight XG helps clients make informed decisions, while saving time and reducing workload costs.

Bridger Insight solutions are used every day by the majority of the top 25 U.S. banks and thousands other businesses across the financial, insurance, securities, mortgage, automotive, gaming and public sectors to perform real-time and scheduled batch customer screening, utilizing more than 24 up-to-date watch lists, with access to extensive business and individual identity information, Factiva® Media and in-depth politically exposed persons databases.

More information about Bridger Insight XG can be obtained at

Anyone know what a "in-depth politically exposed persons database" is? If so, leave a comment. Sounds interesting...

Monday, April 10, 2006

Florida county posts residents' sensitive data on public Web site

From Computerworld (via beSpacific: Sensitive Personal Data Posted on Florida County Public Records Site):

Florida county posts residents' sensitive data on public Web site - Computerworld:

APRIL 10, 2006 (COMPUTERWORLD) - The Social Security numbers, driver's license information and bank account details belonging to potentially millions of current and former residents in Florida's Broward County are available to anyone on the Internet because sensitive information has not been redacted from public records being posted on the county's Web site.

CRA sends Toronto taxpayer's information to the wrong address

A Toronto woman is up in arms after the Canada Revenue Agency accidentally mailed her tax information to the wrong person. - Toronto And GTA - Breach of privacy:

"When Renata Mehta called Canada Revenue Agency last Monday asking for a copy of the T4E she filed with her tax return, she didn't expect the government to act so quickly.

And she certainly didn't expect the confidential form to be mailed to another woman.

In what Mehta calls 'an enormous breach of privacy,' the Mississauga woman's documents, along with 2004 income tax return information of a 53-year-old Burlington woman, was sent to Margaret McLellan's apartment in East York.

Like the other two women, McLellan had called Revenue Canada last Monday to request personal documents.

Yesterday going through the stack of papers that were all packed into an envelope Tuesday, it took McLellan a minute to realize it was someone else's private information.

'I was going through the pages and said, 'Wait a minute, this isn't my name.'' ...

Sunday, April 09, 2006

Google's WiFi plans in Frisco lead to privacy concerns

Google and Earthlink have teamed together to offer a wifi network throughout the San Francisco area. Google can't do anything without causing worry about privacy among some. The concern with this initiative is that now Google will not only know where you've been online, but where you've been in real life. Interestingly, most commentary is not about whether Google knows, but the fact that they'll retain a handy drove of location information that may be of interest in law enforcement and PIs. See: Boing Boing: Privacy worries over Google/Earthlink WiFi plans in SF. See also a fair amount of coverage in the traditional online media.

Saturday, April 08, 2006

iPods don't steal identities. People steal identities. With iPods?

According to the United Press International, a San Francisco man has been arrested for fraud and forgery with an iPod. OMG!

Before breathless hysteria leads some legislator to ban iPods as ID theft tools, pause a moment. Count to ten. Here are other "ID theft tools" that can hold personal information that legislators may want to think about as well:

Check out the original story: United Press International - NewsTrack - IPod stored data for identity theft.

Former telco employee testifies about NSA taps on long distance switching equipment

The Electronic Frontier Foundation is leading a class action lawsuit against AT&T in connection with the alleged illegal wiretapping of telecommunications in the US. The latest news is that AT&T allowed the National Security Agency to install data-mining equipment at the telco's international and long distance switches in San Francisco, Seattle, San Jose, Los Angeles and San Diego. From Wired's coverage:

Wired News: Whistle-Blower Outs NSA Spy Room

AT&T provided National Security Agency eavesdroppers with full access to its customers' phone calls, and shunted its customers' internet traffic to data-mining equipment installed in a secret room in its San Francisco switching center, according to a former AT&T worker cooperating in the Electronic Frontier Foundation's lawsuit against the company.

Mark Klein, a retired AT&T communications technician, submitted an affidavit in support of the EFF's lawsuit this week. That class action lawsuit, filed in federal court in San Francisco last January, alleges that AT&T violated federal and state laws by surreptitiously allowing the government to monitor phone and internet communications of AT&T customers without warrants.

On Wednesday, the EFF asked the court to issue an injunction prohibiting AT&T from continuing the alleged wiretapping, and filed a number of documents under seal, including three AT&T documents that purportedly explain how the wiretapping system works.

According to a statement released by Klein's attorney, an NSA agent showed up at the San Francisco switching center in 2002 to interview a management-level technician for a special job. In January 2003, Klein observed a new room being built adjacent to the room housing AT&T's #4ESS switching equipment, which is responsible for routing long distance and international calls.


"While doing my job, I learned that fiber optic cables from the secret room were tapping into the Worldnet (AT&T's internet service) circuits by splitting off a portion of the light signal," Klein wrote.

The split circuits included traffic from peering links connecting to other internet backbone providers, meaning that AT&T was also diverting traffic routed from its network to or from other domestic and international providers, according to Klein's statement.


In a letter to the EFF, AT&T objected to the filing of the documents in any manner, saying that they contain sensitive trade secrets and could be "could be used to 'hack' into the AT&T network, compromising its integrity."

Thanks to Secondary Screening: Ex-AT&T Employee on NSA Wiretap Room for the link.

UPDATE (20060430): It appears that US Government is about to use the "state secrets" privilege to have this lawsuit by EFF thrown out. See: 27B Stroke 6: Feds Drop Bomb on EFF Lawsuit.

Friday, April 07, 2006

Former outsourcing employees arrested for theft using personal information

Canadian police have today arrested two former employees of a prominent outsourcing company who allegedly used personal information on holders of Canada Savings Bonds to defraud the Bank of Canada of around $100,000. The company is the data processor for the Bank and the employees are said to have used data obtained on the job. The leads that led to the arrest came from the company itself.

See: CBC News: Thieves use CSB database to steal $100,000.

Thursday, April 06, 2006

Exporting personal information from Europe

Jay Cline writes in Computerworld about the four ways that American companies can export personal information from Europe in compliance with the EU Data Protection Directive:

  1. Transborder data-flow agreements
  2. Safe harbour via the FTC
  3. Binding corporate rules
  4. Customer consent

See: Are your data exports from Europe legal? - Computerworld.

Privacy Data Protection Europe

Canadian federal strategy for trans-border information flows (including the USA PATRIOT ACT)

The Government of Canada, through the Treasury Board Secretariat, has released its long-awaited Report on Assessment of Privacy Concerns Related to USA PATRIOT Act, including a multipart federal strategy: Privacy Matters: The Federal Strategy to Address Concerns About the USA PATRIOT Act and Transborder Data Flows

I haven't had a chance to review it yet, but here's the executive summary. Hopefully, I'll have something more substantive to say shortly:

Privacy Matters: The Federal Strategy to Address Concerns About the USA PATRIOT Act and Transborder Data Flows - Part 2 of 10

Executive Summary

The Government of Canada takes the issue of privacy very seriously, including concerns about possible privacy risks posed by foreign legislation, such as the USA PATRIOT Act.*

These laws point to the need for current privacy best practices to become more uniform throughout the federal government and for additional measures to build upon and complement the existing safeguards.

For over a quarter century, Canada has been a world leader in privacy. It has introduced ground‑breaking legislation and policies designed to respect the personal information of its citizens.

Recent trends and events, however, have raised new concerns about whether the personal information of Canadians is adequately protected by governments and companies when it travels outside of Canada’s borders.

Transborder data flows and contracting

The emergence of new information technologies, such as the Internet, allows information to be transferred quickly and easily across borders. This includes personal information and other sensitive information. The transfer of such information across borders is known as “transborder data flows.”

Transborder data flows are becoming more common as companies and governments take advantage of outsourcing, a practice in which a supplier is hired under contract to manage certain activities, often because the institution does not have adequate internal resources to improve efficiency and levels of service. Federal government institutions are among the organizations that contract out or outsource some programs and services.

Information under foreign laws

It is not uncommon for an organization in Canada to outsource the management of personal information about Canadians to a company in the U.S. or elsewhere. Information stored or accessible outside of Canada can be subjected not only to Canadian laws but also to laws in the other country.

One such law is the USA PATRIOT Act. The Act permits U.S. law enforcement officials to seek a court order allowing them to access the personal records of any person for the purpose of an anti‑terrorism investigation, without that person’s knowledge.

In theory, it means U.S. officials could access information about Canadians if that information is physically within the U.S. or accessible electronically.

British Columbia court case sparks national debate

In 2004, a court case in British Columbia (B.C.) sparked a national debate on the potential impact of the USA PATRIOT Act on the privacy of Canadians.

The British Columbia Government and Service Employees’ Union sought an order to stop the provincial government from hiring the Canadian affiliate of a U.S. company to administer the province’s medical records, claiming that the contract would make the records vulnerable under the USA PATRIOT Act.

The union lost the court case and is appealing. The province, meanwhile, proceeded with the contract using the U.S.-based firm but added new privacy measures.

In addition to the court case, the Information and Privacy Commissioner for B.C. conducted a review. The Commissioner for B.C. concluded that the issue was larger than the USA PATRIOT Act, that transborder data flows could make Canadians’ information accessible under other foreign laws, and that the matter should be addressed by both the public and private sectors.

The Privacy Commissioner of Canada agreed with the results of the B.C. review, and together with the B.C. Commissioner, called for actions to be taken by the federal government to enhance protection of Canadians’ personal information that can flow across borders.

The federal government’s strategy

The Government of Canada responded to the USA PATRIOT Act concerns and other transborder data issues with a federal strategy. It is confident that the right to privacy related to key federal personal and sensitive information can be both respected and achieved.

The strategy was created with the following factors in mind.

Shared responsibility: The federal government is not alone. Other governments, the private sector, and Canadians themselves all have a role to play in the protection of privacy.

Balanced approach: Privacy needs to be weighed against other important considerations. Among these are the following: the need to ensure that contracting protects privacy and results in improved service to Canadians; international trade agreements that allow for fair and equitable treatment of foreign companies and play a major role in the health of Canada’s economy; and the need to protect the public safety and national security.

Build on existing measures: The latest measures are an extension of privacy safeguards put into place long before the USA PATRIOT Act was enacted. They complement previous statutes such as the Privacy Act, enacted in 1983 to impose obligations on federal government institutions to respect the privacy rights of Canadians. The Personal Information Protection and Electronic Documents Act (PIPEDA), which took full effect in January 2004, protects personal information held by the private sector. In addition, the Government of Canada was the first national government in the world to introduce a mandatory Privacy Impact Assessment Policy. The Policy requires government departments to build in privacy protection when changing or creating programs and services that collect personal information.

Informational privacy can also find constitutional protection under section 8 of the Canadian Charter of Rights and Freedoms.

The federal strategy consists of the following steps.

  1. Awareness: The government made all of its 160 institutions that are subject to the federal Privacy Act aware of the privacy issues raised by the USA PATRIOT Act.
  2. Risk identification and mitigation: Institutions reviewed their contracting and outsourcing arrangements to identify any risks under the USA PATRIOT Act, assess the seriousness of those risks, take corrective actions as needed, and report to the Treasury Board of Canada Secretariat (the Secretariat).

Here are the results reported to the Secretariat:

Most of the federal institutions, 83 per cent, had their contracting classified as “no risk” (77 institutions) or “low risk” (57 institutions) under the USA PATRIOT Act or other foreign legislation. Of the remaining institutions, many with mandates that include international activities, contracting risks were rated as “low to medium” (19 institutions) and “medium to high” (7 institutions). It should be noted that, if an institution identified only one contract as high risk, the institution was classified in the high risk category. That said, in all cases where risks were identified, institutions have taken, or are planning, remedial actions to mitigate risks.

  1. Guidance on privacy in contracting: For many years, federal institutions have had privacy and security safeguards in place to protect personal and other sensitive information that is handled or accessible under contract. Risk management strategies are also in place to cope with emerging privacy issues and, where necessary, institutions have outlined further measures to mitigate risk.

Existing Best Practices include the following: Prior to initiating a contract, inspections of private sector facilities may be carried out by government security experts to ensure that adequate protection is available for information handled or stored off government premises by a contractor; the requirement that core information stays at home—in other words, part or all of the work must be completed within the department or within Canada; the return of records or approved destruction of all records at the end of a contract; the inclusion of contractual clauses to address confidentiality; and the signing of non-disclosure agreements.

Guidance document: The government has recently issued a policy guidance document for federal institutions that provides a privacy checklist and upfront advice on considering privacy prior to initiating contracts. It also includes specific considerations for maximizing privacy protection that can be used to develop clauses to include in requests for proposals (RFP) and contracts.

  1. Follow up: The government will be taking additional steps to further mitigate risk.

Highlights of ongoing measures and those planned for within the next year:

  • Follow-up assessment of federal contracting activities, ongoing contract advice, and implementation of risk management strategies for contracting where information may potentially be at risk under the USA PATRIOT Act or other foreign laws.
  • Ensuring that key government policies are in step with privacy issues and reflect the new global reality.
  • The exploration of technology and data architecture solutions to protect information flows, including the use of encryption technology and electronic audit trails.
  • Continued monitoring of new technologies, trends, and events to address their possible effects on privacy.
  • The development of additional guidelines to cover government-to-government information sharing (within Canada and abroad), auditing of contracts, and technical solutions to protect privacy.
  • Increased awareness and training related to transborder data flows and existing federal safeguards.

Highlights of planned measures between one to two years:

  • A scheduled 2006 review of the PIPEDA and determination if the federal Privacy Act should also be reviewed.
  • The development of a privacy management framework to establish high standards of privacy protection throughout the federal government.
  • Addressing privacy and transborder data flows for the recently announced Security and Prosperity Partnership (SPP) between Canada, Mexico, and the U.S.

The federal government will also continue to share best practices in protecting transborder data flows with provincial and territorial governments as well as the private sector and foreign governments.