Thursday, August 31, 2006

Pizza receipts land in trash

If your data is supposed to go to a shredder, make sure it ends up there.

A dumpster in British Columbia has been found overflowing with credit card receipts that contain card numbers, expiry dates and customer names. The owner of the pizza joint where the receipts originated says they were sent to a shredder. Unfortunately, they never made it there.

There are two problems here. First, the paper should have gone to a shredder. That's a no-brainer. Second, that information should not have been on the slips in the first place. I am getting sick and tired of seeing full credit card data on slips that are generated by a computer terminal. All these transactions are settled electronically and there is simply no reason for the full credit or debit card number to be printed everywhere. I have noticed that even companies that do not print the full number on the customer's copy often print the full data on the store copy. Why? I don't know, but that's the version that wound up in the dumpster.

In short, if you don't need it, don't collect it or keep it. But if you do need it and do collect it, dispose of it properly.
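As an added illustration (this is not part of the original post or of any merchant's actual terminal software), the following Python shows the two controls the point above implies: a masking function that prints a card number the way a receipt should show it (at most the first six and last four digits, the usual PCI DSS display convention), and a scanner that finds full card numbers that have leaked into stored text such as a store copy or a transaction log. The scanner uses the Luhn check digit to separate real card numbers from order numbers and other long digit strings. The receipts and the order number are constructed sample data, and the card number is the well-known Visa test number, not a real account.

```python
import re

# Candidate card number: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test: true for a syntactically valid card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_prefix: int = 6, keep_suffix: int = 4) -> str:
    """Render a PAN for printing: first six and last four digits at most."""
    digits = re.sub(r"\D", "", pan)
    hidden = len(digits) - keep_prefix - keep_suffix
    if hidden <= 0:
        raise ValueError("PAN too short to mask")
    return digits[:keep_prefix] + "*" * hidden + digits[-keep_suffix:]


def find_unmasked_pans(text: str) -> list:
    """Return the full card numbers (digits only) found in stored text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        # Luhn filtering drops order numbers and similar long digit strings
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def redact_pans(text: str) -> str:
    """Rewrite stored text so that only masked card numbers remain."""
    def _sub(m):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group(0)       # not a card number: leave it alone
    return PAN_RE.sub(_sub, text)


# Constructed sample receipts (not real transactions). 4111 1111 1111 1111 is
# the standard Visa test number; the order number is made up and fails Luhn.
STORE_COPY = """STORE COPY
Card: 4111 1111 1111 1111  Exp: 12/08
Order #1234567890123
Approval 012345
Total $23.50
"""

CUSTOMER_COPY = """CUSTOMER COPY
Card: 411111******1111
Order #1234567890123
Approval 012345
Total $23.50
"""


if __name__ == "__main__":
    print("full PANs on store copy:   ", find_unmasked_pans(STORE_COPY))
    print("full PANs on customer copy:", find_unmasked_pans(CUSTOMER_COPY))
    print(redact_pans(STORE_COPY))
```

Run over a directory of stored receipts or terminal logs, `find_unmasked_pans` is the check that tells you whether there is anything worth shredding at all; `redact_pans` is what the printing path should have done before the paper existed. The expiry date and signature on the slips in the story are separate fields and are not handled here.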

24 Hours Vancouver - News: Pizza receipts land in trash

By JOHN PIGEON, 24 HOURS

When Mark Schroeder slapped a pizza dinner on his Visa card in Whistler three years ago, he never thought that his Visa receipt would end up in a dumpster behind a Domino's franchise office in Port Coquitlam.

But on Tuesday afternoon when 24 hours followed an anonymous tip to the dumpster off Kingsway Avenue, Schroeder's credit-card slip, complete with account number, expiry date and name, was among thousands in a trash container.

"I can't even think of a word to describe how upset I am right now. What can you say?" Schroeder said from his home in Pemberton. "I'm kind of awestruck, actually, that they would do something like this and treat their customers with such a lack of respect."

The anonymous tipster felt the same way when he came across the dumpster, overflowing with credit-card slips and card imprints, on his morning walk to work.

"I was angry because that could have been my stuff in there," he said, adding "there's credit-card numbers, expiry dates and signatures on there that makes it very obvious to identity theft."

According to Gord Jamieson, Visa Canada's director of Risk Management and Security, "there is a requirement under the Payment Card Data Security Standards for the destruction of data.

"The data must be securely destroyed in a manner such that the account data is no longer readable," he said.

Domino's franchise owner Gary Josefczyk oversees the office and owns 21 Domino's Pizzas throughout the Lower Mainland.

He said the credit-card slips were sent to a mobile shredder.

"I don't know what to say. My policy is to shred them after nine months of holding them," he said.

Josefczyk declined to comment any further.

UK database of children-at-risk could put them at greater risk

Some experts are suggesting that the UK's new children's database will become a tool of pedophiles hunting for vulnerable children. See: The Sun Online - News: List could put kids at risk.

Update (20060901): At least celebrity kids will be protected:

Telegraph News Celebrity children will get database privacy:

... Lord Adonis, the education minister, told the House of Lords: 'Between 300,000 and 400,000 users will access the index. Children who have a reason for not being traced, for example where there is a threat of domestic violence or where the child has a celebrity status, will be able to have their details concealed.' ...

Via Privacy Digest.

(BTW: "Lord Adonis"? That's my nickname.)

Wednesday, August 30, 2006

Right to Know Forum in Nova Scotia

Darce Fardy, former Freedom of Information and Protection of Privacy Review Officer for Nova Scotia, has passed this announcement on to me:

RIGHT TO KNOW FORUM

University of King's College (Alumni Hall)

September 27, 2006 6:30 - 9 pm

The Right to Know Coalition of Nova Scotia, with the support of the FOIPOP Review Office, is observing National Right to Know Week with a forum where issues related to the principles of openness and accountability in government and other public bodies will be discussed and debated.

Keynote speaker: Wayne MacKay, former Nova Scotia Human Rights Commissioner and President of Mount Allison University, now Professor of Law with Dalhousie Law School. Inducted into the Order of Canada in 2005.

Panel #1: A political look at the issues of openness and accountability and the Freedom of Information and Protection of Privacy Act. The four political parties: Michel Samson, interim leader of the Liberal party; Nick Wright, leader of the Green Party; Paul Black, Senior Researcher with the NDP Caucus; and an as yet unnamed MLA from the Progressive Conservative Party. Moderated by Darce Fardy of the RTK Coalition and former Review Officer for FOIPOP.

Panel #2: Neal Livingston, a documentary producer from Cape Breton and veteran user of the FOIPOP Act; Doug Keefe, Deputy Minister of Justice; Charles Cirtwill, Vice-President and Director of Operations of the Atlantic Institute for Market Studies; and Richard Cotter, Warden of Richmond County and President of the Union of Nova Scotia Municipalities will provide their views on transparency in public bodies. Moderator: Dean Jobb, of the Faculty of Journalism at Kings, former newspaper journalist and recognized expert in access to information legislation.

The audience will be encouraged to get involved with questions or comments. All are welcome. September 27, King's Alumni Hall, 6:30 to 9 pm

FBI shows off huge, multi-source linked database

According to the Washington Post, the FBI has just provided a demonstration of a new ginormous database to help the war on terror. Here is an extract (I have some comments below):

FBI Shows Off Counterterrorism Database

The FBI has built a database with more than 659 million records -- including terrorist watch lists, intelligence cables and financial transactions -- culled from more than 50 FBI and other government agency sources. The system is one of the most powerful data analysis tools available to law enforcement and counterterrorism agents, FBI officials said yesterday.

The FBI demonstrated the database to reporters yesterday in part to address criticism that its technology was failing and outdated as the fifth anniversary of the Sept. 11, 2001, terrorist attacks nears.

Privacy advocates said the Investigative Data Warehouse, launched in January 2004, raises concerns about how long the government stores such information and about the right of citizens to know what records are kept and correct information that is wrong.

The data warehouse is an effort to "connect the dots" that the FBI was accused of missing in the months before the 2001 attacks, bureau officials said. About a quarter of the information comes from the FBI's records and criminal case files. The rest -- including suspicious financial activity reports, no-fly lists, and lost and stolen passport data -- comes from the Treasury, State and Homeland Security departments and the Federal Bureau of Prisons.

"That's where the real knowledge comes from . . . sharing information," said Gurvais Grigg, acting director of the FBI's Foreign Terrorist Tracking Task Force, who helped develop the system.

In a demonstration, Grigg sat at a computer and typed in the name "Mohammad Atta," one of the 19 hijackers in 2001. The system can handle variants of names and up to 29 variants on birth dates. He typed "flight training" in the query box and pulled up 250 articles relating to Atta.

Wonder what happens if you type in "J. Edgar Hoover" and "pink tutu"?

... No top secret information is in the system, officials said....

Perhaps I am being overly cynical, but wouldn't you think that in order to be effective, the database should contain top secret intelligence? Surely the results of an interrogation of an insurgent in Afghanistan or the wiretapping of a radical in England would be "top secret" but highly relevant.

If you are going to mung together a big whack of databases to provide some actionable intelligence, shouldn't it include the right databases? Wouldn't that include "top secret" intelligence databases? Wouldn't that help avoid some of the "intelligence failures" that have been fought over the last few years?

... Irrelevant information can be purged or restricted, and incorrect information is corrected, he said. Willie T. Hulon, executive assistant director of the FBI's National Security Branch, said that generally information is not removed from the system unless there is "cause for removal."

Every data source is reviewed by security, legal and technology staff members, and a privacy impact statement is created, Grigg said. The FBI conducts in-house auditing so that each query can be tracked, he said.

David Sobel, senior counsel of the Electronic Frontier Foundation, said the Federal Register has no record of the creation of such a system, a basic requirement of the Privacy Act. He also said the FBI's use of an internal privacy assessment undercuts the intent of the privacy law.

FBI officials said the database is in "full compliance" with the law.

Sobel said he learned under a Freedom of Information Act disclosure last week that the system includes 250 million airline passenger records, stored permanently.

"It appears to be the largest collection of personal data ever amassed by the federal government," he said. "When they develop the capability to cross-reference and data-mine all these previously separate sources of information, there are significant new privacy issues that need to be publicly debated."

Tuesday, August 29, 2006

Incident: AT&T e-commerce site hacked

AT&T is again in the privacy crosshairs, this time after it was revealed that credit card info of around 19,000 customers was obtained by "hackers" via an e-commerce website operated by the telco. See: AT&T: Hackers Took Credit Card Info - Forbes.com.

First conviction under Canada's new voyeurism law

Canada's new video voyeurism law is getting its first test after a man in Nova Scotia has pleaded guilty to using a video camera to covertly tape a young child taking a bath. The accused has also pleaded guilty to creating child pornography.

N.S. man pleads guilty to voyeurism:

A Nova Scotia man has pleaded guilty to using a video camera to secretly tape a girl in a bathtub.

During a court appearance in Amherst on Tuesday, Winston Charles Patriquin, 33, from Port Howe, also pleaded guilty to a charge of making child pornography.

Police began investigating in February after someone saw what Patriquin was recording on his video camera.

"Essentially they involved putting up a ladder against the side of a house and using a video camera to film a child in the bathtub," said Crown attorney Craig Botterill.

Patriquin was charged under the new voyeurism section of the Criminal Code, making him the first case in Canada, according to the Crown.

New law makes recording illegal

The law, which was passed in November, makes it illegal to "surreptitiously observe or make a visual recording" for a sexual purpose.

Patriquin also faced charges of accessing and possessing child pornography, but the Crown plans to withdraw them after working out a deal with the defence.

Botterill said that deal will keep a child off the witness stand.

"It's important wherever possible to try to spare a child of having to go through the trauma of testifying in court," he said.

In return for guilty pleas to voyeurism and making child pornography, Patriquin will agree to a 90-day jail sentence.

The deal also calls for two years probation with intensive treatment and counselling. Patriquin will have to supply a DNA sample and his name will be placed on the national sexual offender registry.

Botterill said he considered pushing for a one-year jail sentence. But given there is no precedent for the crime of voyeurism and Patriquin had no criminal record, he decided there was a chance Patriquin would do no jail time at all.

Botterill said the public should know that no child was sexually assaulted, "and in fact the child was unaware that she was being filmed."

Patriquin will be sentenced on Sept. 28.

The relevant section of the criminal code reads:

Criminal Code

PART V: SEXUAL OFFENCES, PUBLIC MORALS AND DISORDERLY CONDUCT

Sexual Offences

Voyeurism

162. (1) Every one commits an offence who, surreptitiously, observes — including by mechanical or electronic means — or makes a visual recording of a person who is in circumstances that give rise to a reasonable expectation of privacy, if

(a) the person is in a place in which a person can reasonably be expected to be nude, to expose his or her genital organs or anal region or her breasts, or to be engaged in explicit sexual activity;

(b) the person is nude, is exposing his or her genital organs or anal region or her breasts, or is engaged in explicit sexual activity, and the observation or recording is done for the purpose of observing or recording a person in such a state or engaged in such an activity; or

(c) the observation or recording is done for a sexual purpose.

Definition of “visual recording”

(2) In this section, “visual recording” includes a photographic, film or video recording made by any means.

Exemption

(3) Paragraphs (1)(a) and (b) do not apply to a peace officer who, under the authority of a warrant issued under section 487.01, is carrying out any activity referred to in those paragraphs.

Printing, publication, etc., of voyeuristic recordings

(4) Every one commits an offence who, knowing that a recording was obtained by the commission of an offence under subsection (1), prints, copies, publishes, distributes, circulates, sells, advertises or makes available the recording, or has the recording in his or her possession for the purpose of printing, copying, publishing, distributing, circulating, selling or advertising it or making it available.

Punishment

(5) Every one who commits an offence under subsection (1) or (4)

(a) is guilty of an indictable offence and liable to imprisonment for a term not exceeding five years; or

(b) is guilty of an offence punishable on summary conviction.

Defence

(6) No person shall be convicted of an offence under this section if the acts that are alleged to constitute the offence serve the public good and do not extend beyond what serves the public good.

Question of law, motives

(7) For the purposes of subsection (6),

(a) it is a question of law whether an act serves the public good and whether there is evidence that the act alleged goes beyond what serves the public good, but it is a question of fact whether the act does or does not extend beyond what serves the public good; and

(b) the motives of an accused are irrelevant.

Australian tax office fires employees over inappropriate snooping into confidential records

Once again, Australia is in the privacy news. This time, it is the Australian Tax Office, which has recently disciplined two dozen employees over inappropriate perusal of tax records.

Australian IT - Tax office sacks 'spies' (Ben Woodhead, AUGUST 29, 2006):

A SECOND government agency has been forced to sack staff for spying on client records, with the Australian Taxation Office taking action against 27 workers for breaches of privacy.

The tax office took action against 24 employees over inappropriate access to taxpayer files last financial year, with another three cases detected this year.

ATO first assistant commissioner for people and place, Anne Ellison, said 12 of the staff caught spying last year resigned on the spot. Four were sacked, two were fined and six had their salaries reduced or were demoted.

Two were ultimately prosecuted for breaches of the Tax Administration Act, with one sentenced to community service and the other fined.

The revelations come a week after multi-millionaire former actor and producer John Cornell - who is facing allegations that he and Paul Hogan held $40 million in Swiss-administered trusts and offshore companies without declaring it to the ATO - accused the tax office of a campaign of media leaks....

Thanks to Open and Shut for the link: Open and Shut: This time it's the Tax Office named in privacy breach.

Monday, August 28, 2006

Ontario Commissioner finds that CIA does not have access to health information

I blogged yesterday about the controversy surrounding an indirect CIA investee company providing services to Canadian health providers (Canadian Privacy Law Blog: Privacy groups slam use of CIA-backed software to index Canadian health files). The Information and Privacy Commissioner of Ontario has just issued an investigation report (PHIPA Report HI06-45) and the following media release in response:

CNW Group:

Electronic health information strongly protected in Ontario: Commissioner Cavoukian

TORONTO, Aug. 28 /CNW/ - An investment in Initiate Systems Inc., a company providing software to an electronic health record application in Ontario, does not provide the CIA or anyone else with access to personal health information, says Dr. Ann Cavoukian, Ontario's Information and Privacy Commissioner.

In March 2006, In-Q-Tel, the venture capital arm of the CIA, invested in Initiate Systems Inc., whose software is being used in provincial electronic health record applications across Canada under an agreement with Canada Health Infoway, a federally funded, non-profit corporation that leads electronic health initiatives in Canada.

Prior to In-Q-Tel's investment, Initiate Systems' software was selected for use in one application in Ontario - the Enterprise Master Patient Index (EMPI). Although the EMPI contains health card numbers and other identifying information, it does not include diagnoses, prognoses, or other clinical information typically shared between health care providers and their patients. In Ontario, the Personal Health Information Protection Act establishes rules for the collection, use and disclosure of personal health information and designates the Office of the Information and Privacy Commissioner/Ontario as the body responsible for overseeing compliance with the legislation.

On August 11, 2006, privacy advocates expressed concerns that In-Q-Tel's investment in Initiate Systems may give the CIA access to provincial medical records. Commissioner Cavoukian immediately launched a privacy investigation into the allegations to determine if any personal health information was being disclosed in contravention of Ontario's health privacy legislation.

Among the Commissioner's findings in her investigation report:

  • Cancer Care Ontario, which operates the EMPI on behalf of the Ministry of Health and Long-Term Care, allows Initiate Systems Inc. extremely narrow, on-site access to personal health information, under tightly controlled and limited conditions, and only as necessary to enable Initiate Systems Inc. to provide the services that it is contractually obligated to provide;
  • No health information from the EMPI flows outside of Ontario;
  • In-Q-Tel's investment in Initiate Systems Inc. does not allow In-Q-Tel to access any health information contained in the Ontario EMPI.

"Cancer Care Ontario, an organization that my office has worked with on privacy issues since the implementation of the Personal Health Information Protection Act nearly two years ago, has an extensive array of privacy safeguards in place," said Commissioner Cavoukian.

In addition to written privacy, confidentiality and security provisions in the Master Software License and Services Agreement with Initiate Systems Inc., other safeguards include:

  • Initiate Systems does not have any remote access to EMPI data and performs all technical support for the EMPI in Ontario, with comprehensive security measures in place;
  • Access to the EMPI by Initiate Systems' staff must be authorized and verified by CCO and may only occur on its Ontario premises; and
  • Initiate Systems is prohibited from disclosing EMPI data to any party without the prior written consent of CCO, which has neither been sought nor granted.

Looking further ahead, Commissioner Cavoukian makes three recommendations in her investigation report, which is posted on the IPC's website: www.ipc.on.ca.

RECOMMENDATIONS

1. The Commissioner should be consulted concerning any proposed amendments or changes to the confidentiality or privacy obligations contained in the agreement between CCO and Initiate Systems.

2. The MOHLTC or any other person who operates the EMPI in the future should advise the Commissioner if there is a breach of the confidentiality or privacy obligations of the agreement by Initiate Systems, and the steps taken to mitigate the breach, the measures taken to prevent subsequent breaches, and the manner and nature of the notification provided to individuals whose personal health information is contained in the EMPI.

3. The MOHLTC or any other person who operates the EMPI in the future using the Initiate Software should advise the Commissioner when changes will be made to the source code for the Initiate Software, as well as the nature and rationale for these changes.

The Information and Privacy Commissioner is appointed by and reports to the Ontario Legislative Assembly, and is independent of the government of the day. The Commissioner's mandate includes overseeing the access and privacy provisions of the Freedom of Information and Protection of Privacy Act, the Municipal Freedom of Information and Protection of Privacy Act, and the Personal Health Information Protection Act, and helping to educate the public about access and privacy issues.

For further information: Media Contact: Bob Spence, Communications Co-ordinator, Direct line: (416) 326-3939, Toll-free: 800-387-0073, Cell phone: (416) 873-9746, bob.spence@ipc.on.ca

Sunday, August 27, 2006

Canadian folk singer opens the door to expanded privacy for celebrities in Europe

Canadian folk singer Loreena McKennitt has obtained an injunction in the United Kingdom to prevent the publication of some revelations in a biography. For some reason, McKennitt went to court so that nobody would know "what was under the lino of the house in Ireland, how many bunk beds were put up when visitors came to stay and what happened when McKennitt was aroused from sleep". Sounds pretty mundane to me.

But this case is important as it suggests that celebrities, who depend upon being in the public eye to a certain degree, can call upon the European courts to seek protection from the glare of the spotlight. According to the Times of London:

For the first time a British court drew on a 2004 ruling at the European Court of Human Rights that said photographs of Princess Caroline of Monaco shopping in a public place or in a swimming costume at a beach club breached her right to privacy. The judge claimed there was a “significant shift” taking place between, on the one hand, the right of freedom of expression and the corresponding interest of the public to receive information and, on the other hand, “the legitimate expectation of citizens to have their private lives protected”.

He said information about an affair between two people could be protected even if one of them decided to reveal it to the public; incorrect information could breach someone’s right to privacy; and the fact that something was already in the public domain did not always mean it could be published again.

Ash has lodged an appeal and the media organisations are seeking to join in the action when it is heard later this year. McKennitt has said in an interview: “Privacy is integral to people’s emotional and psychological wellbeing. It doesn’t matter if you are a so-called public figure.”

Media lawyers say the case has wider ramifications than the long-running one brought against a tabloid newspaper by Naomi Campbell, the supermodel. She won £3,500 damages from the Daily Mirror after it revealed her fight against drug addiction. The Court of Appeal overturned the award but the House of Lords then allowed the model’s appeal against that judgment, saying the newspaper had gone too far in detailing her medical treatment.

More info here: Folk singer opens the door to privacy law - Sunday Times - Times Online.

As a Canadian aside, PIPEDA does not offer any protection in these circumstances as it does not apply to artistic or literary endeavours. The common law may be called upon, but I don't think you'd get very far here.

Privacy groups slam use of CIA-backed software to index Canadian health files

I'm back from vacation, CBA, etc., and clearing out my backlog of developments in the privacy field. Here is one interesting item that I missed from ten days ago ....

It appears that the Canada Health Infoway group is contracting with a CIA-funded company to provide software for managing electronic health records here in Canada. This, not surprisingly, has some privacy folks concerned. I would be wary about selecting this vendor, but it raises an important general issue about the procurement of software and systems for managing sensitive personal information: if you do not have access to the source code, how can you know whether there is a back-door or a "phone home" function built into the system? Most contracts have covenants that there are no such functions, but these promises may be inadequate if the risks related to the data are very high. Even if the company does not intend to use them for nefarious purposes, once-hidden "defects" (or features) are too easily discovered by those with nefarious intent and can completely destroy the credibility of the whole system. And when the system is a unified electronic health record, the consequences of such a loss of trust could be devastating.
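A contractual covenant cannot be tested, but network behaviour can. The usual engineering answer to the "phone home" question is to put the vendor's system behind a deny-by-default egress policy and audit the firewall log for anything it tries to reach outside the allow-list. The following Python is an added example of that audit and is not code from the blog, from Initiate Systems or from any Infoway project. The host address, the allow-list, the internal network range and the log lines are all constructed for the example; the external addresses are from the reserved documentation ranges and are not real servers.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical policy: the vendor-supported host may talk only to these
# (destination, port) pairs. Everything else is a finding.
VENDOR_HOST = "10.20.31.7"
ALLOWED_EGRESS = {
    ("10.20.30.5", 443),   # hypothetical internal update/patch server
    ("10.20.30.9", 22),    # hypothetical internal jump host for on-site support
}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed firewall log, fields: timestamp src dst dport action.
# Not real traffic; 198.51.100.0/24, 192.0.2.0/24 and 203.0.113.0/24 are
# documentation ranges.
LOG_LINES = """\
2006-08-27T10:01:02Z 10.20.31.7 10.20.30.5 443 ACCEPT
2006-08-27T10:01:09Z 10.20.31.7 10.20.30.9 22 ACCEPT
2006-08-27T10:02:44Z 10.20.31.7 198.51.100.23 443 DENY
2006-08-27T10:02:45Z 10.20.31.7 198.51.100.23 443 DENY
2006-08-27T10:03:00Z 10.20.31.7 192.0.2.10 53 DENY
2006-08-27T10:04:10Z 10.20.31.7 203.0.113.8 443 ACCEPT
2006-08-27T10:05:00Z 10.20.31.8 198.51.100.23 443 ACCEPT
"""


@dataclass
class Finding:
    dst: str
    dport: int
    attempts: int    # how many flows were seen to this destination
    accepted: int    # how many of them the firewall let through
    severity: str


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, src, dst, dport, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "action": action}


def is_internal(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def audit_egress(lines: str, vendor_host: str, allowed, internal_nets) -> list:
    """Report every destination the vendor host contacted outside the allow-list."""
    stats = {}
    for raw in lines.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["src"] != vendor_host:          # only the vendor system is in scope
            continue
        key = (rec["dst"], rec["dport"])
        if key in allowed:
            continue
        attempts, accepted = stats.get(key, (0, 0))
        stats[key] = (attempts + 1, accepted + int(rec["action"] == "ACCEPT"))

    findings = []
    for (dst, dport), (attempts, accepted) in sorted(stats.items()):
        external = not is_internal(dst, internal_nets)
        if accepted and external:
            severity = "high"     # data could actually have left: the allow rule is too broad
        elif external:
            severity = "medium"   # blocked, but the software is trying to call out
        else:
            severity = "low"      # unexpected internal destination; review the policy
        findings.append(Finding(dst, dport, attempts, accepted, severity))
    return findings


if __name__ == "__main__":
    for f in audit_egress(LOG_LINES, VENDOR_HOST, ALLOWED_EGRESS, INTERNAL_NETS):
        print(f"{f.severity:6} {f.dst}:{f.dport} attempts={f.attempts} accepted={f.accepted}")
```

Two things in the output matter. Repeated denied attempts to the same outside address (198.51.100.23 above) are the signature of a built-in call-home, whether it is a licence check, telemetry or something worse, and are the evidence you would take back to the vendor. An accepted external flow (203.0.113.8 above) means the firewall policy, not the software, is the problem, because the covenant was being enforced only on paper.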

Privacy groups slam use of CIA-backed software to index Canadian health files:

OTTAWA (CP) - Software that will help sort millions of Canadian health records was developed by a company funded through the CIA's venture capital partner, sparking concerns about the confidentiality of patient data.

Privacy advocates are raising questions about Canadian use of the Initiate Systems indexing program given its creator's financial connection to In-Q-Tel - a private firm that helps the U.S. Central Intelligence Agency zero in on promising technology.

"There's a smell test that happens here, and it doesn't smell right," said David Fewer, general counsel for the Canadian Internet Policy and Public Interest Clinic.

"The optics require that foreign intelligence services stay well away from the delivery of health care services in Canada."

Initiate Systems of Chicago has sold the indexing software to Alberta, British Columbia, Manitoba, Newfoundland, Saskatchewan and Ontario for use in a national initiative to better manage health records.

Canada Health Infoway, a non-profit corporation accountable to the federal, provincial and territorial governments, aims to create compatible electronic health information systems across the country.

In-Q-Tel was established seven years ago as a private company to help the CIA and the broader U.S. intelligence community identify, acquire and use cutting-edge technologies.

Though not part of the CIA, In-Q-Tel consults with the intelligence agency on the strategic value of potential transactions.

The venture capital firm made an investment in Initiate Systems earlier this year.

The intelligence connection, first reported by U.S.-based Government Health IT magazine, prompted Canada Health Infoway staff to ask participating provinces about potential problems.

Infoway spokesman Kirk Fergusson said preliminary inquiries indicate Initiate doesn't have access to any client health data held by the provinces. "Thus far, that seems to be the story."

Gina Sandon, vice-president marketing for Initiate Systems, said the company will not see patient files of any description.

"At no point do we house data, access data or move data from our customers. Our customers control their data behind their firewalls and manage the security of that data."

Sandon said Initiate has worked with each province to ensure compliance with "all Canadian laws and privacy compliance requirements."

The software company adds that In-Q-Tel has no member on Initiate's board of directors, nor any decision-making power.

Despite the assurances, Darrell Evans of the B.C. Freedom of Information and Privacy Association remains skeptical Initiate Systems will not see patient data.

"I simply don't believe they will never have access," he said.

"I think there's reason to be concerned about this."

Evans contends the arrangement with a U.S. firm with intelligence ties increases the vulnerability of such files in an era when security agencies are keenly interested in personal dossiers to fight terrorism.

"Governments want this information. There's no question. If they see the need for it, they will get it."

In-Q-Tel spokesman Donald Tighe insisted there's nothing to worry about.

Tighe said In-Q-Tel, which has offices in northern Virginia and California's Silicon Valley, is solely interested in cultivating "best-of-breed" technologies of use to the intelligence community.

"Our job is to help create this connectivity between innovations and government agencies."

Anne-Marie Hayden, a spokeswoman for Privacy Commissioner Jennifer Stoddart, said the watchdog is discussing the issue with Canada Health Infoway.

"At this time, there's nothing that leads us to believe that Canadians' personal health information is at risk," Hayden said. "However, we are monitoring this issue very closely."

Friday, August 25, 2006

Promiscuous pluggers beware

Don't plug your USB drive in an unknown port! Not only could you get (or give) cooties, but Schneier on Security writes about software out in the wild that allows the covert copying of everything on your drive. Not a good thing for those who carry their lives on their USB drives and plug them into untrusted PCs in internet cafes, at conferences, at hotel business centres and the like.

Privacy concerns over Australian welfare internal data breach

Australian authorities are investigating the inappropriate perusal and alteration of welfare records by employees at "Centrelink". Disciplinary action has been taken against around six hundred employees and some cases have been referred to the police:

Privacy concerns over Centrelink breaches The Daily Telegraph

August 24, 2006 12:00

PRIVACY advocates have serious concerns about the Federal Government's proposed Smartcard after Centrelink staff were caught inappropriately accessing client records.

Six hundred Centrelink staff were caught using sophisticated spyware programs to browse the welfare records of friends, family, neighbours and ex-lovers without authorisation.

A total of 19 Centrelink employees were sacked and 92 resigned after 790 cases of inappropriate access were uncovered.

The head of a privacy taskforce looking into the government's proposed health and welfare Smartcard says he's deeply concerned about the implications for Australians.

The Smartcard will link medical, tax, welfare and other personal details on at least 17 million Australians.

“The Centrelink revelations are deeply disturbing,” Professor Allan Fels told ABC radio yesterday.

“I take some comfort from the fact that the government has caught them and punished them, but there is still a huge weight now on the government to provide full, proper legal and technical protection of privacy with the access card.”

Centrelink said five cases had been referred to the Australian Federal Police, more than 300 staff faced salary deductions or fines, another 46 were reprimanded, and the remainder demoted or warned.

Labor says the breaches demonstrate the government's administrative incompetence and wants the privacy commissioner to investigate.

Theft of information from union office under investigation in Nova Scotia

From the Halifax Chronicle Herald earlier this week:
The ChronicleHerald.ca:

Pace of information theft probe frustrates C.B. union manager

Members’ information was stolen

By ASHLEIGH McKENNA and SHERRI BORDEN COLLEY Staff Reporter

The business manager of a Cape Breton union is upset that records for its 400-plus members that went missing more than a year ago still haven’t been recovered.

Files containing social insurance numbers, addresses, and bank account and income tax information were taken from the Sydney office of the International Brotherhood of Electrical Workers Local 1852 in September 2005, Brian Tobin said Wednesday night.

"It’s frustrating, to say the least," he said.

"Here’s all this personal, confidential information out there in the hands of who knows who and there’s nothing being done about it."

Mr. Tobin said the information was stolen by a former employee.

No union members have reported that their information has been misused, but the implications of what could be done with the data are worrisome, he said.

"This is a pretty scary business."

When he took over as business manager in April, Mr. Tobin said he called the Cape Breton Regional Police and any municipal representatives he thought might help.

The union also filed charges with its international office, which allowed the former employee to remain in the 438-member union on the condition that he returns the records, Mr. Tobin said.

Insp. Tom Hastie confirmed that Cape Breton Regional Police received a complaint about "some suspicions and some missing documents" in May.

"The file is ongoing and still under investigation," Insp. Hastie said.

Police do have a suspect or suspects in mind.

"There are some leads, obviously, in the case and any of these types of frauds or thefts from within establishments such as that, they’re quite in-depth and involved, and the onus is on us to make sure that we do a very thorough investigation," he said.

RFID at airports

Cryptome is hosting a flash animation that illustrates the possible use of RFID for people and baggage tracking, and data matching at airports. Check it out here.

Wednesday, August 23, 2006

Privacy hall of shame

Wired News has released a top ten list for its suggested entries in the "Privacy Debacle Hall of Fame". The countdown is:
Wired News: Privacy Debacle Hall of Fame

10. ChoicePoint data spill
9. VA laptop theft
8. CardSystems hacked
7. Discovery of data on used hard drives for sale
6. Philip Agee's revenge
5. Amy Boyer's murder
4. Testing CAPPS II
3. COINTELPRO
2. AT&T lets the NSA listen to all phone calls
1. The creation of the Social Security Number

The Wired article has more details on each of the above blunders.

Via Concurring Opinions and Rob Hyndman.

Alberta Commissioner issues first PIPA order

Sorry, no summary: I'm on vacation. Stay tuned, I will try to write one later ....

http://www.oipc.ab.ca/ims/client/upload/P2005-001.pdf

Posted from the top of the CN Tower. (The elevators went offline for a few hours and you can only look down for so long!)

Canadian police forces link databases

Thanks to a reader who passed this along .... And apologies for the formatting. I will clean it up when I get to a PC.

A range of Canadian police forces have banded together under the leadership of the RCMP to join their information systems to avoid interjurisdictional gaps. The press release is below, but I find the mentions of privacy to be the most interesting part. They say that "Governance and policy mechanisms ensure the PIP respects both federal and provincial privacy legislation and principles for the collection, use and disclosure of personal information."

I hate to be cynical, but ... I find that interesting and a bit hard to take at face value. I have yet to see an electronic health system do that and the healthcare system is used to operating in the sunshine. I would be interested to see the privacy impact assessments for this project and info on how the access, accuracy, accountability and challenging compliance principles are incorporated.

Here is the release:

Minister Toews Joins Police Community in Supporting Newest Crime Fighting Tool - Police Information Portal Becomes National in Scope, Allows Greater Information Sharing Among Police

http://news.gc.ca/cfmx/view/en/index.jsp?articleid=234199&
 
St. John’s, August 20, 2006 - Today the Honourable Vic Toews, Minister of Justice lent his support as a number of police services signed on to the Police Information Portal (PIP), increasing the national scope of PIP, a robust, crime-fighting tool. With today’s signing, the total number of police services participating in PIP rises to 126.

PIP will provide a secure information gateway that will allow police to work collaboratively by accessing occurrence data in each other’s records management systems (RMS). Participating police services dynamically post records from their RMS to the national Police Information Portal. With a single query, they can search all other participating police service RMSs for vehicles, people, property or occurrences, and receive consolidated reports.

The national Police Information Portal is an efficient way to provide dynamic information-sharing among Canadian police services. The solution leverages existing RMS systems and regional information-sharing arrangements, minimizing the investment required by participating law-enforcement partners. The RCMP National Police Services is the custodian of the PIP development and roll-out on behalf of the Canadian police community.

“I am pleased to see that this Government’s investment in the Police Information Portal will soon provide real benefits for police officers across Canada,” said Minister Toews. “The Police Information Portal is an important technology tool that will allow police officers to use real-time information to prevent and reduce crime, keeping Canadian homes and communities safe.”

Chief Vince Bevan, Ottawa Police Service, and Chair of the PIP Governance Committee echoed Minister Toews by saying, “Information sharing through the PIP system will increase police effectiveness and prevent offenders from slipping through the cracks. In the past, offenders used jurisdictional gaps to their advantage. PIP closes those gaps.”

Governance and policy mechanisms ensure the PIP respects both federal and provincial privacy legislation and principles for the collection, use and disclosure of personal information.

“The RCMP is pleased to lend its support to the PIP and continue its development and implementation to aid all Canadian police agencies in their work,” said RCMP Commissioner Giuliano Zaccardelli. “We are leveraging our expertise in the development and implementation of other technology tools such as the Canadian Police Information Centre (CPIC) Renewal, and are confident that the PIP will meet the collective needs of the Canadian law enforcement community.”

Currently almost one-third of Canada’s police officers are using the system.

Sunday, August 20, 2006

Warrantless wiretapping program declared unconstitutional, order stayed pending appeal

Last week, on August 17, 2006, a United States District Judge declared the Bush administration's warrantless wiretap program to be illegal and unconstitutional. The order to end the program is stayed until September, allowing the government to appeal. From the New York Times:

Federal Judge Orders End to Warrantless Wiretapping - New York Times:

WASHINGTON, Aug. 17 — A federal judge in Detroit ruled today that the Bush administration’s eavesdropping program is illegal and unconstitutional, and she ordered that it cease at once.

District Judge Anna Diggs Taylor found that President Bush exceeded his proper authority and that the eavesdropping without warrants violated the First and Fourth Amendment protections of free speech and privacy.

“It was never the intent of the Framers to give the president such unfettered control, particularly where his actions blatantly disregard the parameters clearly enumerated in the Bill of Rights,” she wrote, in a decision that the White House and Justice Department said they would fight to overturn. A hearing will be held before Judge Taylor on Sept. 7, and her decision will not be enforced in the meantime pending the government’s appeal.

The judge’s ruling is the latest chapter in the continuing debate over the proper balance between national security and personal liberty since the attacks of Sept. 11, 2001, which inspired the eavesdropping program and other surveillance measures that the administration says are necessary and constitutional and its critics say are intrusive.

In becoming the first federal judge to declare the eavesdropping program unconstitutional, Judge Taylor rejected the administration’s assertion that to defend itself against a lawsuit would force it to divulge information that should be kept secret in the name of national security.

“Predictably, the war on terror of this administration has produced a vast number of cases, in which the states secrets privilege has been invoked,” Judge Taylor wrote. She noted that the Supreme Court has held that because the president’s power to withhold secrets is so powerful, “it is not to be lightly invoked.” She also cited a finding in an earlier case by the Court of Appeals for the District of Columbia Circuit that “whenever possible, sensitive information must be disentangled from nonsensitive information to allow for the release of the latter.”

The New York Times also has a handy-dandy guide on how the usual process operates for law enforcement to obtain a warrant under the Foreign Intelligence Surveillance Act. The Bush administration is arguing that the process is too cumbersome for the current situation and that their procedure of avoiding authorization from the Foreign Intelligence Surveillance Court is constitutionally kosher.

The US administration has come out strongly against the Court's ruling and argues that it will be successful on appeal.

Bush Predicts Appeals Court Will Lift Ban on Wiretaps - New York Times:

WASHINGTON, Aug. 18 — President Bush predicted Friday that an appeals court would ultimately overturn a decision this week declaring his warrantless wiretapping program illegal, and he said that “those who herald this decision simply do not understand the nature of the world in which we live.”

World Privacy Forum files FTC complaint against AOL

First of all, apologies for the extremely light writing as of late. I was at the Canadian Bar Association's annual get-together in St. John's, Newfoundland last week, followed by a week of vacation in Toronto with one of my sons. Things will be back to normal in about a week. Unless there's a huge pile of work to catch up on, which may be the case.

Back to the business of this blog ....

The World Privacy Forum has filed a complaint (PDF) with the US Federal Trade Commission over AOL's disclosure of slightly de-identified search data to researchers:

World Privacy Forum Files FTC Complaint About AOL Data Releases

The World Privacy Forum filed a complaint today with the Federal Trade Commission regarding AOL's multiple releases of portions of its users' search query histories. The complaint discusses AOL search query releases from 2004 and 2006. The complaint alleges that the data release was intentional, and due to significant identifiability issues of the data subjects, that the releases are harming some AOL customers, and that AOL customers did not know their search histories would be made available to the public. The World Privacy Forum urges consumers to take precautions when using search engines. For more see the complaint (PDF). Also see the World Privacy Forum Search Engine Privacy Tips.

Via ComputerWorld: Privacy watchdog says AOL violated its own policy.

Tuesday, August 15, 2006

Privacy Commissioner launches investigation of SWIFT disclosures

The Canadian Privacy Commissioner, Jennifer Stoddart, has announced that she will begin a formal investigation of the possible disclosure of personal information of Canadians by the Society for Worldwide Interbank Financial Telecommunication (SWIFT). It has been reported that US authorities have been perusing the data of this interbank messaging network to track terrorism finances.

This is most interesting because in the past she has refused to investigate outside of Canada for lack of jurisdiction to effectively gather info outside our borders.

Here is the Commissioner's release:

Privacy Commissioner launches investigation of SWIFT

Ottawa, August 14, 2006 – The Privacy Commissioner of Canada, Jennifer Stoddart, has officially launched an investigation of the Society for Worldwide Interbank Financial Telecommunication (SWIFT), a European-based financial cooperative that supplies messaging services and interface software to a large number of financial institutions in more than 200 countries, including Canada, to determine whether personal information relating to Canadians’ financial transactions is being improperly disclosed by SWIFT to foreign authorities. The Commissioner has notified SWIFT of her intention to launch an investigation into the matter.

“The risks resulting from personal information flowing across borders is something that we have been expressing concerns about for some time. The SWIFT situation concerns privacy commissioners world wide and is something we need to examine in more detail,” said Ms. Stoddart. “Although there are times when we are unable to lawfully investigate a complaint about something taking place outside Canada with Canadians' personal information, we have determined that we are, in fact, in a position to investigate this important matter.”

Before launching an official investigation, the Office of the Privacy Commissioner of Canada (OPC) first looked into the situation to examine what was taking place and to determine the extent to which it could get involved, given questions surrounding jurisdiction and the application of Canada’s federal privacy laws. Based on the information gathered during this preliminary phase, the Commissioner has determined that she has reasonable grounds for a commissioner-initiated complaint against SWIFT to ascertain whether there has been any contravention of the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private sector privacy law. The Commissioner derives this authority from section 11(2) of PIPEDA, which states that “if the Commissioner is satisfied that there are reasonable grounds to investigate a matter… the Commissioner may initiate a complaint in respect of the matter.”

In addition to its investigation of SWIFT, the OPC has also received complaints against several Canadian financial institutions and is investigating their involvement.

The OPC is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy rights in Canada.

View the Commissioner's June 2006 news release on the SWIFT issue.

— 30 —

It is being widely reported elsewhere:

Sunday, August 13, 2006

Zimmer's thoughts on the AOL search data release

Michael Zimmer has spent some time in the last little while thinking about the recent AOL release of search data, a portion of which can be traced back to individuals. Check out some of his insightful posts:

Another VA laptop disappears

I've stopped writing about privacy breaches as they are becoming too routine, but this one is worth mentioning: After all the media storm, congressional hearings, firings and general ruckus, the US Department of Veterans' Affairs has managed to lose another computer. This one contains data on 38K people. See: Update: Another VA computer missing.

Saturday, August 12, 2006

New article on laptops and privacy

Michael Power and Roland L. Trope have recently published the first of what I understand to be a regular privacy-specific column in IEEE Security & Privacy. The article is entitled "Lessons for Laptops from the 18th Century". The courts and constitutions of Canada and the United States have steadfastly protected the privacy of the home, but what should courts be doing now that more and more of peoples' intimate lives are chronicled on portable electronic devices? And what of such records that are uploaded using online backup services?

Friday, August 11, 2006

AOL blunder revives debate over data retention law

The AOL search data blunder (see below) has revived discussion and interest in an American law that was proposed after the earlier fight with the Department of Justice over search data:

AOL gaffe draws Capitol Hill rebuke CNET News.com

Rep. Ed Markey, a Massachusetts Democrat, said Wednesday that AOL's disclosure of the search habits of more than 650,000 of its users demonstrates that new laws are necessary. AOL has apologized for the disclosure.

"We must stop companies from unnecessarily storing the building blocks of American citizens' private lives," Markey said.

Markey's proposal, called the Eliminate Warehousing of Consumer Internet Data Act (EWOCID), was introduced in February after Google's courtroom tussle over search records with the U.S. Department of Justice.

Republicans have kept it bottled up in a House of Representatives subcommittee ever since, but a Markey representative said Wednesday that he hoped "this most recent breach will light a fire under the GOP leadership."

Wednesday, August 09, 2006

Be careful what you say at the counter

Front line employees need to be trained in protecting the privacy of your patrons, for two reasons. The first is that many, if not most, privacy complaints I've dealt with are simply customer service issues that are aggravated by the actions or inactions of customer-facing employees. The second reason is that customer interactions are where many smaller privacy issues can rear their heads.

For example, in auditing an insurance broker some time ago, one of the first things I noticed was that computer monitors were plainly visible from the areas where customers were waiting. A nosy parker could look over and see the details of another patron's policies: Something that's surely none of their business.

At the customer service counter, staff have to be very mindful of what they say within earshot of others. I'm reminded of this by an AP story running today on Yahoo News. Though the story is about a lawsuit being brought by the ACLU against libraries' lending policies, the article contains a reminder of how employees need to be trained to be sensitive of privacy issues. When a homeless library patron sought to check out more than three items,

"They said 'Oh, no — you live at a shelter,' right in front of everybody," he said. "It made me feel like a second-class citizen."

Do you think that it will help anyone to potentially humiliate the person in front of others? I don't think so. Perhaps I'm being too forgiving, but I expect the library employee just didn't think about what they said before they said it.

This sort of thing may not give rise to a formal complaint, but employees shouldn't be upsetting the growing minority of customers who care about their privacy and care about it a lot.

Users identifiable by AOL search data

An intrepid reporter from the New York Times has provided a vivid illustration that the supposedly de-identified search data released by AOL is not really anonymous.

A Face Is Exposed for AOL Searcher No. 4417749 - New York Times

Buried in a list of 20 million Web search queries collected by AOL and recently released on the Internet is user No. 4417749. The number was assigned by the company to protect the searcher’s anonymity, but it was not much of a shield.

No. 4417749 conducted hundreds of searches over a three-month period on topics ranging from “numb fingers” to “60 single men” to “dog that urinates on everything.”

And search by search, click by click, the identity of AOL user No. 4417749 became easier to discern. There are queries for “landscapers in Lilburn, Ga,” several people with the last name Arnold and “homes sold in shadow lake subdivision gwinnett county georgia.”

It did not take much investigating to follow that data trail to Thelma Arnold, a 62-year-old widow who lives in Lilburn, Ga., frequently researches her friends’ medical ailments and loves her three dogs. “Those are my searches,” she said, after a reporter read part of the list to her.

What this really illustrates is the risk posed by simply keeping data around. AOL says they keep the data for a month and this particular database was used internally for research to optimize the AOL service. The usual risk to consider is that the data will illicitly go out the back door, but in this case it went out the front door.

Now the cat's out of the bag: Someone has put the database online, allowing you to search the searches (http://www.aolsearchdatabase.com/). Many of the searches reveal sad details about the users and browsing is creepily voyeuristic. Now Thelma's data is out there, along with searches of over six hundred thousand others.

Thanks to Michael Geist for the link.

Monday, August 07, 2006

AOL gives loads of users' search histories to researchers

It really wasn't that long ago that Google, AOL, Yahoo! and MSN were in the privacy crosshairs over the potential release of user search records to the US Federal Government. (See: The Canadian Privacy Law Blog: US DOJ has subpoenaed Google's search records.) In that saga, the US Department of Justice subpoenaed Google's search records as part of a lawsuit to which Google was not a party. The search giant resisted and privacy advocates were upset to learn that MSN, Yahoo! and AOL handed over reams of supposedly anonymized customer information.

Now, Wired and others are reporting that AOL has handed over three months of search activity of some 650,000 AOL users to researchers. The 400MB of data has been pulled off the web, but is already out there. Wired's 27B Stroke 6 blog quotes an EFF lawyer who believes this is a violation of the US Electronic Communications Privacy Act, the statutory damages for which probably add up to $658,000,000. Read more about it at 27B Stroke 6: AOL's $658 Million Privacy Breach?

It appears that though the information isn't linked to IP addresses or user names, every query from one account carries the same numeric ID, so the data shows the full sequence of searches from each individual and, in some cases, the user can be identified because they searched for themselves.

Update: AP has a good report on this that features how this sort of release can disclose very intimate personal information even if user names are replaced with numeric identifiers:

AOL: Searches by 650K people got out - Yahoo! News:

"Although AOL had substituted numeric IDs for the subscribers' real user names, the company acknowledged the search queries themselves may contain personally identifiable data.

For example, many users type their names to find out whether sites have dirt on them and then separately search for online mentions of their phone, credit card or Social Security numbers. A few days later, they may search for pizzerias in their neighborhoods, revealing their locations, or for prescription drug prices, revealing their medical conditions. All those separate searches would be linked to the same numeric ID.

'Search query data can contain the sum total of our work, interests, associations, desires, dreams, fantasies and even darkest fears,' said Lauren Weinstein, a privacy advocate.

The company apologized for the disclosure.

'This was a screw up, and we're angry and upset about it,' AOL spokesman Andrew Weinstein said. 'It was an innocent enough attempt to reach out to the academic community with new research tools, but it was obviously not appropriately vetted, and if it had been, it would have been stopped in an instant.'"

See also: AOL Removes Search Data on Group of Web Users - New York Times.

Sunday, August 06, 2006

VeriChips cloned, VeriEasily apparently

The only surprise is that it happened so quickly....

According to recent reports, the VeriChip, an implantable RFID chip marketed as secure, can be cloned, which defeats its utility as a means of authentication: a cloned chip presents the same identifier as the original, so a reader has no way to tell them apart. See: Techdirt: VeriChip VeriEasy To Clone, Researchers Say.
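To see why a cloneable chip can't authenticate anyone, here is an added example (mine, not from the blog or from the researchers, and not a model of VeriChip's actual radio protocol, which this post doesn't describe). It contrasts a tag that simply emits a fixed ID, which anyone who has read it once can replay, with a hypothetical keyed tag that answers a fresh reader challenge with an HMAC, so that a recording of one exchange is useless against the next. The tag IDs, keys and reader are all constructed:

```python
"""Added example: static-ID tag vs. challenge-response tag (constructed models,
not the VeriChip protocol)."""
import hashlib
import hmac
import os

ID_LEN = 8  # assumed identifier length, in bytes


class StaticIdTag:
    """Tag that answers every read with the same fixed identifier."""
    def __init__(self, tag_id: bytes):
        self.tag_id = tag_id

    def respond(self, challenge: bytes = b"") -> bytes:
        return self.tag_id  # the challenge is ignored entirely


class KeyedTag:
    """Hypothetical tag holding a per-tag secret; it answers a fresh challenge
    with its ID followed by an HMAC over that challenge."""
    def __init__(self, tag_id: bytes, key: bytes):
        self.tag_id = tag_id
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return self.tag_id + hmac.new(self._key, challenge, hashlib.sha256).digest()


class ReplayTag:
    """What an eavesdropping cloner can build: it repeats one recorded answer."""
    def __init__(self, recorded: bytes):
        self.recorded = recorded

    def respond(self, challenge: bytes = b"") -> bytes:
        return self.recorded


class Reader:
    def __init__(self, enrolled: dict):
        self.enrolled = enrolled  # tag_id -> key (None under the static-ID scheme)

    def authenticate_static(self, tag) -> bool:
        """Static-ID scheme: accept any tag whose ID is on the enrolled list."""
        return tag.respond() in self.enrolled

    def authenticate_challenge(self, tag) -> bool:
        """Challenge-response scheme: a new random challenge on every read."""
        challenge = os.urandom(16)
        answer = tag.respond(challenge)
        tag_id, mac = answer[:ID_LEN], answer[ID_LEN:]
        key = self.enrolled.get(tag_id)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(mac, expected)


def clone_by_eavesdropping(tag, challenge_response: bool) -> ReplayTag:
    """Sniff one genuine read and build a tag that repeats what was heard."""
    if challenge_response:
        sniffed_challenge = os.urandom(16)  # the reader's challenge at that read
        return ReplayTag(tag.respond(sniffed_challenge))
    return ReplayTag(tag.respond())


def demo() -> dict:
    """Run both schemes against a genuine tag and against its clone."""
    tag_id = b"\x00\x00\x00\x00\x00\x43\x1a\x7f"  # constructed 8-byte ID
    key = os.urandom(32)                           # constructed per-tag secret
    static_reader = Reader({tag_id: None})
    keyed_reader = Reader({tag_id: key})
    genuine_static = StaticIdTag(tag_id)
    genuine_keyed = KeyedTag(tag_id, key)
    return {
        "genuine_static": static_reader.authenticate_static(genuine_static),
        "cloned_static": static_reader.authenticate_static(
            clone_by_eavesdropping(genuine_static, False)),
        "genuine_keyed": keyed_reader.authenticate_challenge(genuine_keyed),
        "cloned_keyed": keyed_reader.authenticate_challenge(
            clone_by_eavesdropping(genuine_keyed, True)),
    }


if __name__ == "__main__":
    for scheme, accepted in demo().items():
        print(f"{scheme}: {'accepted' if accepted else 'rejected'}")
```

The static scheme accepts the clone because the identifier is the whole credential; the keyed scheme rejects it because the replayed answer was computed for a different challenge, and the cloner never learned the key. Whether a real implant could carry a secret and compute an HMAC is a separate engineering question the post doesn't answer.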

Friday, August 04, 2006

Tune in today for Maritime Noon for privacy phone-in

I've been invited to be the guest on today's Maritime Noon on CBC, during the phone-in portion at 1:00 PM AST. You can listen from anywhere using Windows Media: high bandwidth (32Kbps) or low bandwidth (16Kbps).

CBC Nova Scotia - Programs - Maritime Noon - Main:

On Friday's Show

We're being watched : when we use a 'smart card' to open a door at work, when we withdraw money from the bank, and when we walk through a mall.

It's called electronic surveillance and it's becoming more common in our daily lives.

But does it make you feel safer or just more 'spied upon' ?

Our question : 'How can we create a balance between security and privacy ?'

Tuesday, August 01, 2006

Ixquick follows privacy commandment: don't keep it

Among the ten commandments of protecting consumer privacy is the admonition "don't keep it." It appears that search engine ixquick is following that commandment:

Ixquick.com eliminates 'Big Brother'

First search engine to stop recording privacy details

HAARLEM, The Netherlands, June 27, 2006

As personal privacy concerns create growing alarm about the freedom of the Internet, the Ixquick metasearch engine (www.ixquick.com) has taken a pioneering step: starting today, Ixquick will permanently delete all personal search details gleaned from its users from the log files.

"This new feature of our search engine ensures both optimal privacy protection and maximum search performance for our customers, since they will be able to search using the 11 best search engines without their personal data being recorded," says Ixquick spokesman Alex van Eesteren.

As digital technology increasingly pervades our world, more and more personal details are being stored electronically, many of them by search engines. While you are searching the internet, these engines register the time of your searches, the terms you used, the sites you visited and your IP address. In many cases this IP address makes it possible to trace the computer, and in turn the household, that carried out the search.

These personal details are often retained for long periods by search engines and are of interest to commercial parties, governments and even criminals. "Many search engines openly use this data for commercial purposes. It seems only to be a question of time before the data gets misused," alleges Van Eesteren. "Therefore we have decided to permanently delete all personal search records. If the data is not stored, users' privacy can't be breached."

Ixquick's Meta Search feature enables the user to simultaneously search 11 of the best search engines. However, Ixquick does not share the user's personal data with these individual search engines in any circumstances. In addition, as of this week, Ixquick will delete the users' IP addresses and 'unique user IDs' from its own 'Log Files'.

"Therefore, any user can use Ixquick.com to search in a combination of the best search engines secure in the knowledge that they can enjoy complete protection of their privacy," continues Mr. van Eesteren.

For more information, please visit www.ixquick.com.

This makes sense in so many ways: First, they save cash since they don't have to store the information. Second, data that is never retained can't leak, so there's no breach to worry about. Third, they won't get dragged into a fight over customer information the way Google was. Finally, it'll excite privacy-concerned web surfers without alienating the others.
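Here is an added example (my own; not AOL's or Ixquick's code) that puts the two halves of this story together: the AOL-style release from the "Users identifiable by AOL search data" post above, where the account name is swapped for a number that still ties every query to one person, beside the retention policy Ixquick describes, where the IP and user identifier are simply not kept. The log records, the tiny place-name gazetteer, the phone-number pattern and the day-level timestamp kept by scrub() are all constructed assumptions; the queries are modelled on the kind the New York Times traced back to one AOL user.

```python
"""Added example: pseudonymised search logs still link into profiles;
scrubbed logs don't. All data below is constructed."""
import re
from collections import defaultdict

# Constructed log in the shape (client_ip, account, query, timestamp).
# Accounts, IPs and queries are invented.
RAW_LOG = [
    ("198.51.100.7", "tarnold", "landscapers in lilburn ga", "2006-03-01 09:12:04"),
    ("198.51.100.7", "tarnold", "arnold family", "2006-03-01 09:15:30"),
    ("198.51.100.7", "tarnold",
     "homes sold in shadow lake subdivision gwinnett county georgia", "2006-03-02 10:01:11"),
    ("198.51.100.7", "tarnold", "numb fingers", "2006-03-04 21:40:02"),
    ("203.0.113.22", "jdoe42", "cheap flights", "2006-03-01 11:00:00"),
    ("203.0.113.22", "jdoe42", "jane doe 555-0142", "2006-03-03 14:22:10"),
]

# Tiny constructed gazetteer standing in for a real place-name list.
GAZETTEER = {"lilburn", "gwinnett county", "shadow lake subdivision"}
PHONE_RE = re.compile(r"\b\d{3}-\d{4}\b")


def pseudonymise(records):
    """The AOL-style release: drop the IP and replace the account with a
    stable number. Every query from one account still shares that number."""
    numbers = {}
    return [(numbers.setdefault(account, len(numbers) + 1), query, ts)
            for _ip, account, query, ts in records]


def scrub(records):
    """The Ixquick-style policy: keep neither IP nor user identifier, so the
    rows can't be grouped back into one person's history. Truncating the
    timestamp to the day is an added assumption, not something Ixquick said."""
    return [(query, ts[:10]) for _ip, _account, query, ts in records]


def quasi_identifiers(query):
    """Pull out the bits of a query that narrow down who typed it."""
    q = query.lower()
    return {p for p in GAZETTEER if p in q}, set(PHONE_RE.findall(q))


def profile(keyed_rows):
    """Group by whatever key the release left behind and collect what each
    group leaks: query count, place names, phone numbers."""
    prof = defaultdict(lambda: {"queries": 0, "places": set(), "phones": set()})
    for key, query in keyed_rows:
        places, phones = quasi_identifiers(query)
        prof[key]["queries"] += 1
        prof[key]["places"] |= places
        prof[key]["phones"] |= phones
    return dict(prof)


def profile_pseudonymised(pseudo_log):
    return profile((anon, query) for anon, query, _ts in pseudo_log)


def profile_scrubbed(scrubbed):
    # No key survives, so the only honest grouping is one row per group.
    return profile((i, query) for i, (query, _day) in enumerate(scrubbed))


def largest_linkable_group(prof):
    """How many queries the biggest group ties together; the more, the easier
    the re-identification."""
    return max((p["queries"] for p in prof.values()), default=0)


if __name__ == "__main__":
    for anon, p in profile_pseudonymised(pseudonymise(RAW_LOG)).items():
        print(anon, p["queries"], sorted(p["places"]), sorted(p["phones"]))
    print("largest group after scrubbing:",
          largest_linkable_group(profile_scrubbed(scrub(RAW_LOG))))
```

Run it and the pseudonymised log yields one group of four queries naming a town, a county and a subdivision, which is the Thelma Arnold problem in miniature; the scrubbed log yields nothing bigger than a single row, because the key that made the grouping possible was never written to disk.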

Via michaelzimmer.org.

Ontario Commissioner issues second order under PHIPA

The Information and Privacy Commissioner of Ontario has issued her second order under the province's new Personal Health Information Protection Act.

The complaint concerns a pretty deplorable situation that took place at the Ottawa Hospital. The complainant was admitted to the hospital and advised that she did not want her estranged husband and his girlfriend (both were employees of the hospital) to know of her admission or of her situation. Subsequent discussion with her husband demonstrated that he knew about her admission and the patient complained.

An investigation revealed that the girlfriend had accessed the complainant's electronic health record a number of times and disclosed it to the estranged husband. The Commissioner was less than impressed, as demonstrated by the postscript to the executive summary:

POSTSCRIPT

This was a truly regrettable situation in which a patient who was admitted to a hospital, made a specific request to prohibit her estranged husband and his girlfriend, a nurse at the hospital, from having any information regarding her hospitalization, only to learn that the exact opposite had occurred.

Despite having alerted the hospital to the possibility of harm, the harm nonetheless occurred. While the hospital had policies in place to safeguard health information, they were not followed completely, nor were they sufficient to prevent a breach of this nature from occurring. In addition, the fact that the nurse chose to disregard not only the hospital’s policies but her ethical obligations as a registered nurse, and continued to surreptitiously access a patient’s electronic health record, disregarding three warnings alerting her to the seriousness of her unauthorized access, is especially troubling. Protections against such blatant disregard for a patient’s privacy by an employee of a hospital must be built into the policies and practices of a health institution.

This speaks broadly to the culture of privacy that must be created in healthcare institutions across the province. Unless policies are inter-woven into the fabric of a hospital’s day-today operations, they will not work. Hospitals must ensure that they not only educate their staff about the Act and information policies and practices implemented by the hospital, but must also ensure that privacy becomes embedded into their institutional culture.

As one of the largest academic health sciences centres in Canada, the Ottawa Hospital had properly developed a number of policies and procedures; but yet, they were insufficient to prevent members of its staff from deliberately undermining them.

See Health Order HO-002 released July 31, 2006. (Executive Summary)
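Both this order and the Centrelink case above come down to staff reading records they had no business reading, and in Ottawa doing so past three warnings. As an added example (mine, not from either organisation or from the Commissioner), here is what turning the hospital's policy into a control looks like in code: a preventive check run before a record is served, and a detective check run over the access audit trail that escalates once a restricted record has been hit repeatedly. The audit records, caseload table, restriction list and role names are all constructed:

```python
"""Added example: enforce and detect a patient's access restriction.
All records and names below are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Access:
    ts: str
    staff: str
    record: str
    action: str  # "view" or "edit"


# Constructed audit trail (not real Centrelink or Ottawa Hospital data).
AUDIT_LOG = [
    Access("2006-07-10 08:02", "nurse_b", "P1001", "view"),
    Access("2006-07-10 08:10", "nurse_b", "P1002", "edit"),
    Access("2006-07-11 22:41", "nurse_b", "P3005", "view"),  # restricted record
    Access("2006-07-12 23:05", "nurse_b", "P3005", "view"),
    Access("2006-07-14 01:17", "nurse_b", "P3005", "view"),
    Access("2006-07-12 10:30", "clerk_k", "P2001", "view"),
    Access("2006-07-12 10:31", "clerk_k", "P1001", "view"),  # not on clerk_k's caseload
    Access("2006-07-13 15:00", "clerk_k", "P1001", "edit"),
]

# Constructed context the checks need.
CASELOAD = {"nurse_b": {"P1001", "P1002"}, "clerk_k": {"P2001"}}
# Records where the data subject has asked that named staff be barred.
RESTRICTED = {"P3005": {"nurse_b", "dr_h"}}
READ_ONLY_ROLES = {"clerk_k"}
ESCALATE_AFTER = 3  # assumed threshold: the Ottawa nurse ignored three warnings


def is_permitted(staff: str, record: str, action: str) -> bool:
    """Preventive check, to run before the record is served: honours the
    subject's restriction, then the caseload, then the role."""
    if staff in RESTRICTED.get(record, set()):
        return False
    if record not in CASELOAD.get(staff, set()):
        return False
    if action == "edit" and staff in READ_ONLY_ROLES:
        return False
    return True


def detect(log) -> list:
    """Detective check over what already happened: one alert per
    (staff, record, rule) with a count; repeated hits on a restricted record
    are escalated rather than warned about again."""
    hits = defaultdict(int)
    for a in log:
        if a.staff in RESTRICTED.get(a.record, set()):
            hits[(a.staff, a.record, "restricted_record")] += 1
        elif a.record not in CASELOAD.get(a.staff, set()):
            hits[(a.staff, a.record, "outside_caseload")] += 1
        if a.action == "edit" and a.staff in READ_ONLY_ROLES:
            hits[(a.staff, a.record, "edit_by_read_only_role")] += 1
    alerts = []
    for (staff, record, rule), n in sorted(hits.items()):
        escalate = rule == "restricted_record" and n >= ESCALATE_AFTER
        alerts.append({"staff": staff, "record": record, "rule": rule,
                       "count": n, "severity": "escalate" if escalate else "review"})
    return alerts


if __name__ == "__main__":
    for a in AUDIT_LOG:
        if not is_permitted(a.staff, a.record, a.action):
            print(f"DENY  {a.ts} {a.staff} {a.action} {a.record}")
    for alert in detect(AUDIT_LOG):
        print(alert)
```

The preventive check is the part the Commissioner found missing: a warning that the nurse could click past is a detective control, and on its own it leaves the decision with the person being warned. The detective check still earns its keep for cases the restriction list doesn't cover, which is the Centrelink pattern of staff browsing records of people they know.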