Thursday, September 28, 2006

PIPEDA and elections or leadership campaigns

M.J. Murphy (aka BigCityLib) asks whether Liberal Party leadership candidates Dion, Dryden and Brison violated PIPEDA by providing confidential party membership lists to the Globe & Mail, as reported by CTV (BigCityLib Strikes Back: Did Dion, Dryden, and Brison Violate Federal Law?). It's an interesting question, but one that is likely answered in the negative.

Of course, this isn't legal advice to anyone. Rather, it's just a discussion of the issues engaged by this report.

The reason is that PIPEDA likely does not apply to the core activities of political parties. Section 4 sets out where PIPEDA does and does not apply:

Application

4. (1) This Part applies to every organization in respect of personal information that

(a) the organization collects, uses or discloses in the course of commercial activities; or

(b) is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.

Limit

(2) This Part does not apply to

(a) any government institution to which the Privacy Act applies;

(b) any individual in respect of personal information that the individual collects, uses or discloses for personal or domestic purposes and does not collect, use or disclose for any other purpose; or

(c) any organization in respect of personal information that the organization collects, uses or discloses for journalistic, artistic or literary purposes and does not collect, use or disclose for any other purpose.

It is likely a stretch to suggest that federal politics - all cynicism aside - is a "commercial activity", at least to the extent that it would trigger the federal government's general trade and commerce powers upon which PIPEDA relies for its jurisdiction.

Regarding the "disclosure" to the Globe to conduct an opinion poll, most practitioners in this area would say that it is not technically a disclosure. If the poll was being conducted on behalf of the candidate, the polling organization would be the agent for the candidate. (Unless the most recent finding from the Privacy Commissioner would deem their conduct to be a commercial activity in and of itself.) If the use by the Globe was for journalistic purposes, they're off the hook thanks to 4(2)(c).

This is not to suggest that the candiates are blameless. There's been some suggestion that providing the data to the Globe may have violated the conditions of confidentiality imposed by the Liberal party. If that's the case, there may be other remedies, but they wouldn't be within PIPEDA.

Wednesday, September 27, 2006

Precedent: The New Rules of Law and Style

There's a new legal blog in town, and it's unlike any of the other Canadian legal blogs out there. Precedent: The New Rules of Law and Style is hard to pigeon-hole, but is about law, life, style and other interesting stuff. I'll leave it to the site's author, Melissa Kluger, to describe it:

I’ve been a lawyer in Toronto now for four years. Over this time, a lot of law magazines, newspapers and newsletters have crossed my desk. Even though these are publications for lawyers, I never feel like they are really talking to me. They always feel a little old, a little earnest and, well, a little boring. I want a publication that is fun, smart and stylish — that understands what it’s like to be a young lawyer, asks tough questions about the profession, and strives to entertain and enlighten me. And so I’m setting off to make one. A Precedent, if you will. A magazine that gets lawyers and knows what they want.

Check it out ...

Presentation: Privacy and Health Information

I was invited to speak today at the Atlantic Health Information Systems (AHIS) annual conference at White Point Beach Resort. The topic - surprise! - was privacy and health information systems. The presentation was an overview of the overlapping laws that govern health information in Nova Scotia and the rest of Atlantic Canada. I promised that I'd make the presentation available on my blog, so here it is: AHIS2006.html.

Trust ye, TRUSTe?

Wired's blog 27B Stroke 6 points to a recent report that suggests TRUSTe approved sites may not be entirely trustworthy. Using McAfee's SiteAdvisor data, Harvard researcher Ben Edelman has found that TRUSTe's sites are more likely than most to spam you and deliver adware and spyware. Not surprisingly, TRUSTe doesn't agree with the findings.

Tuesday, September 26, 2006

Alberta Commissioner faults MD Management for laptop theft

The Office of the Information and Privacy Commissioner of Alberta has released its investigation report into the missing laptop case (for some background, see: Canadian Privacy Law Blog: Alberta commissioner launches investigation into stolen laptop). In the wake of the theft of a laptop from an employee of MD Management (a subsidiary of the Canadian Medical Association), the Commissioner's office concluded that the organization violated the Personal Information Protection Act by not adequately securing the information of 8,000 customers. See the report here: Investigation Report P2006-IR-005.

Saturday, September 23, 2006

Three senior officers leave HP in wake of spying scandal

According to the New York Times, three senior officers of Hewlett Packard are leaving the company in the wake of the recent leak investigation that many think went too far. Leaving personnel include Chairwoman Patricia Dunn, Senior Counsel and Manager of Global Investigations. See: Chairwoman Leaves Hewlett in Spying Furor - New York Times.

If you have one of the US census bureau's hundreds of missing laptops ...

Please return it.
CNN.com - Census Bureau loses hundreds of laptops - Sep 21, 2006:

"WASHINGTON (AP) -- The Commerce Department has lost 1,137 laptop computers since 2001, most of them assigned to the Census Bureau, officials said Thursday night."

Wednesday, September 20, 2006

ChoicePoint victims uncompensated despite $5M fund

The Associated Press is reporting that months after a $5 million settlement assembled a pool of funds to compensate people for the ChoicePoint breach, nobody has seen a penny. "It's under review." See: AP: FTC yet to pay ChoicePoint victims - Yahoo! News.

Tuesday, September 19, 2006

US AG calls for ISP data retention on behalf of law enforcement

Once again, the US Attorney General is calling for a law requiring internet service providers to collect and keep logs for law enforcement purposes:

USATODAY.com - Gonzales calls for law to require Internet companies to preserve customer data:

... 'We respect civil liberties but we have to harmonize this so we can get more information,' he said.

The subject has prompted some alarm among Internet service provider executives and civil liberties groups after the Justice Department took Google to court earlier this year to force it to turn over information on customer searches. Civil liberties groups also have sued Verizon and other telephone companies, alleging they are working with the government to provide information without search warrants on subscriber calling records.

Justice Department officials have said that any proposal would not call for the content of communications to be preserved and would keep the information in the companies' hands. The data could be obtained by the government through a subpoena or other lawful process....

Finding: Law firms collected credit reports without consent

Yesterday, the Office of the Privacy Commissioner of Canada posted a new finding based on two separate complaints related to a law firm conducting credit checks without consent (Commissioner's Findings - PIPEDA Case Summary #340: Law firms collected credit reports without consent (May 2, 2006)).

The Assistant Commissioner concluded that the complaints were well-founded. This represents a very important finding, not so much on the question of the appropriateness of the credit checks but on important questions of jurisdiction raised. The credit checks were apparently contrary to the agreement between the firms and the credit bureaus in question. However, in my humble opinion and with the greatest respect to the Assistant Commissioner, Complaint A was incorrectly decided.

Complaint A

An individual complained that a law firm collected his personal information, by conducting a credit bureau inquiry, without his knowledge and consent.

Summary of Investigation

The law firm confirmed that it did conduct the credit inquiry. It argued, however, that the OPC did not have jurisdiction in this matter, as the information was collected for personal purposes of a client in relation to possible litigation, and it would therefore not provide the Office with access to its records.

The Office asserted its jurisdiction with respect to the complaint on the basis that the collection occurred during the course of the law firm’s commercial activities.

The complainant had also filed a complaint with the credit bureau regarding the collection of his credit information. The credit bureau requires its member companies, such as the law firm in this case, to obtain express consent for the collection of credit information. Since the law firm failed to provide adequate information or cooperate fully with the credit bureau’s inquiries, the credit bureau concluded that the law firm did not have the complainant’s consent to the collection. As a result, the law firm’s membership privileges were suspended.

Findings

Issued May 2, 2006

Application: Paragraph 4(1)(a) establishes that Part I of the Act applies to every organization in respect of personal information that the organization collects, uses or discloses in the course of commercial activities. Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

The Assistant Commissioner was satisfied that the collection occurred in the course of the firm’s commercial activities, and noted that as there was no general exclusion for the activities of law firms undertaken on behalf of their clients. The Office therefore found that it had jurisdiction in the matter, pursuant to paragraph 4(1)(a).

As for the collection, the law firm admitted that it had collected the complainant’s personal information, by way of credit inquiry. The complainant had alleged that this was done without his consent, and the law firm did not provide any evidence to the contrary.

The Assistant Commissioner therefore concluded that the information was collected without the complainant’s knowledge or consent, in contravention of Principle 4.3. She recommended that the law firm implement a policy that prohibits conducting credit checks without the individual’s consent, unless one of the exceptions to the requirement for consent, as set out in the Act, is applicable. The law firm responded by continuing to challenge this Office’s jurisdiction, maintaining that the issue did not involve any commercial activity. It stated that it continues to comply with the Act, as it has since the Act came into force. It also maintained that it does not collect the personal information of anyone without their consent. The Assistant Commissioner was not satisfied with this response, noting that the Act requires organizations to be open about their privacy policies and practices. The response from the law firm did not address the specific recommendation of the Office to implement a policy for obtaining consent to conduct credit checks. Nor did the response provide any further evidence that the Act was not contravened in this instance.

Accordingly, she concluded that the complaint was well-founded.

In my humble opinion, and based solely on this little snapshot of the facts provided above, the Assistant Commissioner was without jurisdiction to consider this particular complaint. The basis for the Commissioner's jurisdiction is in s. 4(1)(a) of PIPEDA, which states that Part I of the Act applies with respect to the collection, use and disclosure of personal information in the course of “commercial activities”. Commercial activities is further defined to mean an act or transaction or course of conduct that is of a “commercial character”. It is said that the law firm was acting for a client and that the client was engaged in litigation against the complainant. That the law firm is engaged in its own commercial activities should be irrelevant. It is merely the agent for its client.

This position is supported by the decision of Justice Dawson of the Ontario Superior Court of Justice in Ferenczy v. MCI Medical Clinic, [2004] O.J. No. 1775. Justice Dawson concluded that video surveillance of a medical malpractice plaintiff is not “commercial activity” for the purposes of PIPEDA:

25 The plaintiff submits that the private investigator (an organization) retained by the CMPA (an organization) was collecting and making a record (videotape) of the plaintiff's personal information (images) during the course of commercial activity (while being paid), and that as the plaintiff did not consent to the collection and release of the information, the investigator and the CMPA are in contravention of the Act.

26 For a number of reasons I disagree. I will deal with some specific reasons momentarily, but first I will make a few general comments.

27 The legislation in question is complex and so broadly worded that a reasonable argument could be made to extend its reach so far as to transform both civil and criminal litigation into something very different than it is today. The arguments advanced on behalf of the plaintiff here prove that point. On the basis of the plaintiff's argument, Dr. Weinstein might be permitted to take his own video camera and record surveillance evidence in his own defence, but a licenced private investigator could not do so on his behalf if he was being paid to do so.

28 This argument would extend to an accused in a criminal case. While there are exceptions in the Act that allow law enforcement agencies to investigate and collect information about a suspect or an accused, an accused would arguably be prevented from utilizing a private investigator, or other paid agent, to collect information or conduct surveillance that could be vital to his or her defence. …

30 One way to avoid this result, and I conclude it is the correct interpretation of the Act, is to apply the principles of agency. On this analysis it is the defendant in the civil case who is the person collecting the information for his personal use to defend against the allegations brought by the plaintiff. Those whom he employs, or who are employed on his behalf, are merely his agents. On this analysis s. 4(2)(b) of the Act governs. That section reads as follows:

>4(2) This part does not apply to ...

(b) any individual in respect of personal information that the individual collects, uses or discloses for personal or domestic purposes and does not collect, use or disclose for any other purpose;

The defendant through his representatives was employing and paying an investigator, to collect information for him. It is the defendant's purpose and intended use of the information that one should have regard to in determining the applicability of the Act. On the basis of this analysis I conclude that the defendant is not collecting or recording personal information in the course of commercial activity. He, through his agents, was collecting information to defend himself against the lawsuit brought by the plaintiff. This is a personal purpose in the context of the civil action brought against him by the plaintiff. In my view, this conclusion is consistent with the overall purpose of the Act which is aimed primarily at information collected as a part of commerce. [emphasis added]

The collection, use and disclosure of personal information in connection with private litigation is a private matter and not "commercial activity". Simply put, a claim for damages under the common law or litigation related to such a claim cannot be reasonably said to be a “commercial activity”. The fact that the relationship between the defendant, on one hand, and the law firm, on the other hand, is commercial is not relevant: As PIPEDA requires a “commercial activity” nexus to be applicable, the fact that the law firm is being paid is immaterial, no such nexus would exist and PIPEDA should not apply.

Parliament limited PIPEDA’s application to “commercial activities” (and federal works, undertakings and businesses) because federal jurisdiction is limited by the Constitution Act, 1867. In passing PIPEDA, Parliament relied upon its jurisdiction over the “Regulation of Trade and Commerce” contained in s. 91(2). A private lawsuit between two individual litigants (and all matters ancillary thereto), are a matter of “Property and Civil Rights in a Province”, which is an area of jurisdiction specifically reserved to the Provinces in s. 92 of the Constitution Act, 1867. Simply put, an attempt to enforce PIPEDA between two private individuals, acting in their private capacities (even if one is acting through a paid agent) would be an unconstitutional application of PIPEDA.

If Section 4(1)(a) is going to be read in such an expansive way, virtually all activities fall within "commercial activities". A public hospital will be engaged in commercial activities because it gets paid by medicare and because most attending physicians are actually incorporated contractors. (Even worse: some hospitals charge for casts and splints and private rooms!) All universities are engaged in commercial activity since they collect tuition and charge room and board. All public schools are engaged in commercial activities because students have to pay for field trips. All provincial government departments are engaged in commercial activity because you have to pay to register your car.

At the end of the finding, the following is noted:

For both complaints the Assistant Commissioner also indicated that she would pursue the matter in accordance with the Act and referred the cases to her litigation counsel. Shortly after being contacted by the Commissioner’s counsel, both law firms agreed to implement the recommendations thus avoiding the need to follow through with an Application in the Federal Court.

I can understand why the firms would not want to be drawn into an expensive proceeding in the courts, but it is regrettable that this finding will remain unchallenged.

Monday, September 18, 2006

Latest weapons in the war against shoplifing

Last week, Business Week ran a very interesting article on new technologies being implemented by retailers to curtail shoplifting and other species of fraud. From smart video systems that can detect unusual patterns supposedly indicative of shoplifting to RFID-enabled shopping carts that lock down the wheels in a "push out" scam, the technology is rather impressive and potentially intrusive. Much of it is being implemented covertly, so they don't tip off the miscreants and out of fear of a privacy backlash. See: Attention, Shoplifters. Via Privacy Digest.

ICC produces standardized form for "binding corporate rules" approval in 25 EU states

The International Chamber of Commerce has produced a "one form" solution for seeking approval of European Data Protection authorities in 25 European states to permit the export of personal information from Europe in compliance with the "binding corporate rules" exception. From the ICC:

Smoothing the way for international data transfers

Paris, 12 September 2006

Individuals will benefit from greater transparency in the drafting of BCR's determining how their personal data is safeguarded.

Companies transferring personal data, such as lists of employees or customers, outside the European Union must comply with stringent European legal restrictions. To help businesses demonstrate their compliance, the International Chamber of Commerce (ICC) has taken the initiative to standardize the process across all 25 EU countries.

Until now, companies have had to submit different application forms to each EU member state when asking data protection authorities to approve their Binding Corporate Rules (BCRs) - corporate codes which set measures to ensure data protection in transfers from one country within the EU to a country outside it.

"With input from member companies working with BCRs and feedback from various European authorities, we created this standard application form for BCRs," said Christopher Kuner, Chair of the ICC Task Force on Privacy and Protection of Personal Data. "The same form can be used for approval in all EU member states - that is the main advantage."

Data protection authorities (DPAs) will also benefit from a more coherent, time-saving application process, while individuals will benefit from greater transparency in the drafting of BCR's determining how their personal data is safeguarded, Mr Kuner also noted.

The standardized form has been submitted to the working group of European data protection authorities for discussion. DPAs have already responded favourably. "I welcome this ICC initiative, and hope that it will lead to a more streamlined and efficient procedure for approval of BCRs throughout the EU," said Billy Hawkes, Irish Data Protection Commissioner.

Divided into eight sections, the ICC form guides companies through the application process, ensuring all the necessary information is included, and explains what conditions exist and what obligations need to be met. ICC has already taken a leading role in assisting companies to use BCRs, and published a comprehensive report on binding corporate rules for international transfers of personal data in November 2004.

Click here for a copy of the application form

Click here to view the report on BCRs

Sunday, September 17, 2006

Privacy breaches and outsourcing widespread among US medicare contractors

A study by the US Government Accountability Office shows that more than 40% of contractors handling public health insurance data have experienced privacy breaches. Unfortunately, the report is unclear about the severity: one misdirected fax is different from widespread information theft, but the report treats them equally. The report also considers the extent of offshore outsourcing and its impact on privacy.

GAO: Health care privacy breaches widespread:

But the frequency and severity of the breaches is unclear

September 06, 2006 (Computerworld) -- More than 40% of U.S. Medicare contractors and state Medicaid agencies have experienced a privacy breach involving personal health information -- although the frequency or severity of the breaches remains unclear, according to report released yesterday by the U.S. Government Accountability Office (download PDF).

The GAO reviewed the role of private contractors in administering three of the nation's major public health insurance programs -- Medicare, Medicaid and the U.S. Department of Defense's Tricare program. Those agencies have medical data on more than 100 million Americans, according to the GAO.

According to the study, 47% of Medicare Advantage contractors reported privacy breaches within the past two years, as did 44% of Medicaid agencies, 42% of Medicare FFS (fee for service) contractors and 38% of the contractors for the Tricare program.

The report noted that more than 90% of Medicare contractors and state Medicaid agencies -- and 63% of Tricare contractors -- reported some level of domestic outsourcing in 2005, involving anywhere from three to 20 U.S. vendors.

In addition, some federal contractors and state Medicaid agencies knew that those domestic vendors had sent some of the work offshore, the GAO said. Thirty-three Medicare Advantage contractors, two Medicare FFS contractors and one Medicaid agency indicated that their domestic vendors transferred personal health information of U.S. citizens offshore. They did not, however, offer data about the scope of the information transferred overseas.

"Moreover, the reported extent of offshore outsourcing by vendors may be understated because many federal contractors and agencies did not know whether their domestic vendors transferred personal health information to other locations or vendors," the GAO said....

DVD + RFID = Ultimate copy protection (and privacy invasion?)

Ritek Corporation, one of the leading manufacturers of DVDs, is moving to embed RFID chips in DVDs to prevent counterfeiting, allow inventory tracking, regional lock-downs and perhaps invasions of privacy. The chips will be read by point of sale systems and individual DVD players.

DVD chips 'to kill illegal copying' - vnunet.com

U-Tech described this as the "real end game" for the chip-on-disc technology, which would "eliminate optical disc piracy in the entertainment and IT sectors" .

IPICO claims that its RFID tags can be read from at least six metres away, and at a rate of thousands of tags per minute. The passive chips require no battery, as they are powered by the energy in radio waves from the RFID reader.

"I have envisioned using RFID to improve product visibility and enhance security in the optical disc industry for some time," said Yeh.

"Launching the chip-on-disc system has made this dream a reality and holds the potential to protect the intellectual property of music companies, film studios, gaming and software developers worldwide."

Gordon Westwater, president of IPICO, added: "[This is the] first step towards new international standards to safeguard optical media, and the subsequent adoption of the chip-on-disc concept as a global standard."

Via: Embedded RFID to smack-down DVD piracy - Engadget.

Friday, September 15, 2006

Irish group aims to torpedo data retention rules

An Irish activist group has begun a court challenge to the European Union's data retention rules, arguing they are contrary to the Irish Constitution and the European Convention on Human Rights. See: Digital rights activists take aim at EU data laws The Register.

Thursday, September 14, 2006

Incident: BC Government and service provider lose 33 data tapes with info on hundreds of thousands

A while ago, the BC government caught auctioning off backup dapes containing loads of pesonal information (The Canadian Privacy Law Blog: Incident: British Columbia government actioned off surplus backup tapes with sensitive health information). Now, IT Business has discovered that 33 backup tapes sent missing from a British Columbia government data centre. An investigation turned of three of the tapes, but the rest remain AWOL. Some of the tapes contain very sensitive personal information about welfare recipients and others contain even more sensitive health information.

What's worse is that the tapes were lost in August of last year and the investigation was completed in February, but it took a Freedom of Information Act request for the information to come to light.

See: ITBusiness - B.C. loses track of computer tapes with citizens' data: Information about income assistance, prescriptions and identifying details of hundreds of thousands of people goes missing. Telus comments on its role and its efforts to lock down the data centre

Electronic Health Information and Privacy Conference in Ottawa

I just received a notice about the Electronic Health Information and Privacy Conference that's taking place in Ottawa on November 13, 2006. It looks like a good program with top-notch speakers. Check it out.

Sunday, September 10, 2006

CIPPIC comments on PIPEDA review discussion document

The Canadian Internet Policy and Public Interest Clinic has released their response to the Privacy Commissioner's request for comments related to the upcoming PIPEDA review. No huge suprises, but an interesting read.

Saturday, September 09, 2006

Hundreds of would-be paramours exposed online

Wired Blog 27B Stroke 6 is reporting on a recent story that has dozens of men fuming over an apparent prank and gross invasion of privacy. Someone by the name of Jason Fortuny posted an ad on Craigslist posing as a woman looking for an unusual and intimate encounter. Respondents were encouraged to reply along with photos. Fortuny then posted all the e-mails and all the photos online, exposing images and information the respondents probably didn't expect to have spread all over the internet. Some had replied from work addresses and at least one was sent from a ".mil" address. Not good.

Pretexting and Canadian law

Rob Hyndman has some interesting things to say about the whole surveillance fiasco that appears to be blowing up in faces of HP's management. (See: robhyndman.com » Blog Archive » Surveillance - is this the HP Way?) I also have to say thanks to Rob for posting a link to the Smoking Gun's reproduction of a letter from one board member who resigned in protest (Hewlett-Packard Targeted Board In Leak Probe - September 5, 2006). That letter includes, as an attachment, a letter from AT&T describing the outcome of their investigation of how someone managed to establish online accounts in the name of the board member to review his calling activity. Apparently, HP's management also hacked the accounts of journalists to get similar info on them (Reporters' records hacked in HP probe CNET News.com).

[What follows is very general and should not be taken as legal advice.]

If this case had arisen in Canada, PIPEDA would probably not be much help to go after the pretexter. In connection with an investigation, you can collect personal information without consent under 7(1)(b). And then you can use it without consent under 7(2)(d). The only check on this is likely the "reasonableness" provision in s. 5(3):

An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.

Unfortunately, this section doesn't really speak of the manner of collection. Principle 4.4 of Schedule I, however, says that "Information shall be collected by fair and lawful means." Hacking into a system and impersonating the individual is probably not fair and (see below) lawful.

(I would emphasise that PIPEDA does not apply to private individuals pretexting for their own purposes or to journalists. But the Criminal Code applies to everyone. )

In Canada, our Criminal Code has a number of provisions that could be used to prosecute anyone doing this sort of pretexting. To begin with, there's the fraud section (s. 380) that reads:

Every one who, by deceit, falsehood or other fraudulent means, whether or not it is a false pretence within the meaning of this Act, defrauds the public or any person, whether ascertained or not, of any property, money or valuable security or any service,
(a) is guilty of an indictable offence and liable to a term of imprisonment not exceeding fourteen years, where the subject-matter of the offence is a testamentary instrument or the value of the subject-matter of the offence exceeds five thousand dollars; or

(b) is guilty (i) of an indictable offence and is liable to imprisonment for a term not exceeding two years, or

(ii) of an offence punishable on summary conviction,

where the value of the subject-matter of the offence does not exceed five thousand dollars.

Courts have held, generally speaking, that an individual commits fraud when (a) deceit; (b) unfair disclosure; or (c) unfair exploitation is used to induce any person to part with any property or suffer a financial loss. But is setting up an online account really within "any service"? It's not 100% clear.

The Criminal Code also contains a section dealing specifically with impersonation. Section 403 reads:

403. Every one who fraudulently personates any person, living or dead,
(a) with intent to gain advantage for himself or another person,

(b) with intent to obtain any property or an interest in any property, or

(c) with intent to cause disadvantage to the person whom he personates or another person,

is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years or an offence punishable on summary conviction.

There are also the "hacking" provisions in s. 342.1, which in my experience the crown and police are too bashful to apply to hacking to obtain information:

342.1 (1) Every one who, fraudulently and without colour of right,
(a) obtains, directly or indirectly, any computer service,

(b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system,

(c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or an offence under section 430 in relation to data or a computer system, or

(d) uses, possesses, traffics in or permits another person to have access to a computer password that would enable a person to commit an offence under paragraph (a), (b) or (c)

is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years, or is guilty of an offence punishable on summary conviction.

(2) In this section,

“computer password” means any data by which a computer service or computer system is capable of being obtained or used;

“computer program” means data representing instructions or statements that, when executed in a computer system, causes the computer system to perform a function;

“computer service” includes data processing and the storage or retrieval of data;

“computer system” means a device that, or a group of interconnected or related devices one or more of which,

(a) contains computer programs or other data, and (b) pursuant to computer programs,

(i) performs logic and control, and

(ii) may perform any other function;

“data” means representations of information or of concepts that are being prepared or have been prepared in a form suitable for use in a computer system;

“electro-magnetic, acoustic, mechanical or other device” means any device or apparatus that is used or is capable of being used to intercept any function of a computer system, but does not include a hearing aid used to correct subnormal hearing of the user to not better than normal hearing;

“function” includes logic, control, arithmetic, deletion, storage and retrieval and communication or telecommunication to, from or within a computer system;

“intercept” includes listen to or record a function of a computer system, or acquire the substance, meaning or purport thereof;

“traffic” means, in respect of a computer password, to sell, export from or import into Canada, distribute or deal with in any other way.

Several aspects of this provision make it extremely broad or at least allow a very broad interpretation. The definition of computer service includes data processing and the storage or retrieval of data. Computer system is quite broad, covering every device that contains some software-related functionality. The definition of data is also rather expansive, including data “in a form suitable for use in a computer system,” which would include data in the process of being transmitted, or in offline storage, in addition to data inside a computer.

It may appear that Canadian law is up to the task of dealing with pretexting, but I'd conclude that we could use some clarification. The courts have held that information is not property and there may be enough wiggle room to argue that pretexting doesn't fit within the above sections of the Criminal Code. Perhaps we need an amendment or two to clearly criminalize impersonation of a person to obtain information about that person.

Definition of personal information muddies privacy law

The London Free Press, which is also the source of David Canton's great technology law column, is also running an interesting commentary on an issue that didn't make it into the Privacy Commissioner's proposed topics for discussion in connection with the PIPEDA review:

London Free Press - Business - Definition of personal information muddies privacy law:

... Several OPC decisions on when photos and video recordings become personal information have been inconsistent, so some businesses are unsure whether some aspects of their work put them at risk.

This leads to a tangential question: Do we need a separate definition for 'business information'?

Intuitively, one might think a business e-mail address is a logical extension of a business employee's name, title, address and phone number -- information exempt from PIPEDA, according to the definition of personal information. The assistant commissioner, however, in decision No. 297, declared it 'personal information' because it was not included in the list of business information under this definition....

Bill makes threat of 'Big Brother watching' very real, experts warn

The Ottawa Business Journal is running an interesting article on anticipated lawful access legislation, quoting Michael Geist and Michael Power, among others: Ottawa Business Journal - Bill makes threat of 'Big Brother watching' very real, experts warn.

Thursday, September 07, 2006

Ontario Commissioner and BMO release brochure on information security on the road

The Information and Privacy Commissioner of Ontario and the Bank of Montreal have just released a brochure related to safety, security and privacy in using mobile devices. Here's the media release:

IPC - Guard the information you take out of the office, urges Privacy Commissioner Ann Cavoukian:

NEWS RELEASE : September 7, 2006

Guard the information you take out of the office, urges Privacy Commissioner Ann Cavoukian

In a number of recent cases, thousands of people have found themselves facing the potential threat of identity theft simply because someone took a laptop – packed with people’s personal information – home with them or on a business trip, and the laptop was later lost or stolen.

Ontario’s Information and Privacy Commissioner, Ann Cavoukian, and BMO Financial Group (BMO) have met this challenge head on by partnering together to create a joint brochure, Reduce Your Roaming Risks – A Portable Privacy Primer, which outlines specific steps that everyone can take to minimize the chance that the information contained on one’s laptop or personal digital assistant (PDA) will be accessed by unauthorized parties.

“With today’s technology, people have the flexibility to connect to their organization’s network from virtually anywhere in the world,” said Commissioner Cavoukian. “But working away from the bricks and mortar office means that you are also working outside of the traditional security layers. You need to re-assess the privacy and security risks associated with working remotely or while travelling.”

“It is critical that you take the steps needed to safeguard all confidential information, whether it be your own, that of your employer, or, most importantly, that of the people who entrusted their personal information to your custody and care, in the belief that it was in safe hands,” said the Commissioner.

“As a financial services provider, it is fundamentally important that we continue to earn the trust and confidence of our customers that their personal information is safe and secure,” said Dina Palozzi, Chief Privacy Officer, BMO Financial Group. “We were pleased to work with Commissioner Cavoukian on the development of the brochure. It’s a timely and relevant tool that all workplaces should make available to any employees who share a responsibility for safeguarding important customer or company information.”

Among the recommendations that the Commissioner and BMO make in the brochure:

  • Always use strong password protection, preferably in conjunction with data encryption;
  • Do not remove any client information from your organization’s network or premises without proper authorization from your supervisor;
  • Remove all confidential information, or any devices containing confidential information, from plain sight in your vehicle. Lock your valuables in the trunk before you start the trip, not in the parking lot of your destination;
  • In public places, do not discuss any confidential information on your cell phone; and
  • Only conduct confidential business on business or personal computers. Do not use public computers or networks, or conduct business in public places.

Laptops, PDAs, Cell Phones:

Laptops, PDAs and, more recently, cell phones, are considered to be the “golden eggs” by identity thieves. Here are some of the precautions the brochure recommends be taken to minimize the risks:

  • Ensure that all of your devices require passwords for access: power-on passwords, screensaver passwords, account passwords. Strong passwords consist of at least eight characters, upper and lower case, numerals and special characters. The password should not be a word that can be found in any dictionary;
  • Enable the automatic lock feature of your device after five minutes of idle time;
  • Encrypt your data according to your company’s policies. This is essential if you transport personal and/or confidential customer data – it should never be left in “plain view;”
  • When no longer needed, remove all confidential data from your devices using a strong “digital wipe” utility program. Do not simply rely on the “delete” function.

    Confidential and Financial Information:

    If you handle confidential information online or perform financial transactions, then your laptop (and sometimes your PDA) should, at a minimum, have a personal firewall, anti-virus and anti-spyware protection. In addition, install the latest updates and security patches for your mobile devices, including your cell phone.

    When connecting to public wireless networks or HotSpots in airports, hotels, coffee shops, etc., bear in mind that these networks are inherently unsafe. Remember the following:

    • Watch out for shoulder surfing – someone “casually” observing the work on your laptop; Never connect to two separate networks simultaneously (such as Wi-Fi and Bluetooth);
    • Do not conduct confidential business unless you use an encrypted link to the host network (such as a Virtual Private Network – VPN).

    The brochure also contains advice on what to do if you lose confidential data, as well as providing a quick reference checklist.

Wednesday, September 06, 2006

Hewlett Packard spied on directors

The New York Times is reporting that Hewlett Packard spied on its directors to find the source of some leaks. The paper reports that this included monitoring home and cellular phones, and that the company's counsel had advised that it was lawful. The article is a bit short of details (did they wiretap the phones or buy the calling records from brokers), but I can't imagine actually listening to these calls would be lawful. See: H.P. Spied on Directors to Find Leak - New York Times.

Update (20060906): Wired is reporting that the investigators bought calling records. See: Wired News: Phone Scam Charge Rocks HP.

Tuesday, September 05, 2006

BC Information Summit

If you will be in BC on September 29, you may want to consider attending the BC Information Summit:

BC INFORMATION SUMMIT Open Government: What Works and What Doesn't

The BC Information Summit – Friday September 29

BC's Freedom of Information Act, passed in 1992, was designed to make BC's government more open and accountable. Then-Attorney General Colin Gabelman proclaimed, “We want to create a ‘culture of openness' within government so that information is routinely released.”

That was the theory then; what is the reality today? Has FOI really made the government more transparent and accountable? Has it empowered citizens? Is government really more open than it was fourteen years ago?

The first BC Information Summit brings together academics, legal experts, journalists, present and past elected officials and experienced Freedom of Information requesters from every sector of society. Together, they shall explore the challenges and solutions of creating an open government and a free flow of information to the public.

For agenda, speaker and ticket information click http://www.infosummit.ca/.

Sunday, September 03, 2006

Newfoundland government backs off on disclosure of physician billing information

Following a recent decision of the Supreme Court of Nova Scotia (Canadian Privacy Law Blog: Doctors' billings in Nova Scotia is private information under FOIPOP), the government of Newfoundland and Labrador has backed off its pursuit to disclose the same information for physicians in that province. See: N.L. blocks release of data on doctors' billings - Yahoo! Canada News

New data theft scandal rocks Indian call centres

According to the Observer, an Indian call centre company named V-Angels has reported a number of employees to the police for stealing confidential customer information. The company's clients aren't named, but are said to be a number of blue chip US and UK businesses. This would be anohter hit to the outsourcing industry in India.

See: The Observer Business New data theft scandal rocks subcontinent's call centres.

Saturday, September 02, 2006

It's not your job to police your customers

We constantly hear about the balance between privacy and security or between privacy and law enforcement. It is a precarious balance, but service providers need to be mindful of their place in the balance.

The Canadian general privacy law that is often the focus of this blog, the Personal Information Protection and Electronic Documents Act, addresses the role that the private sector can and should play in striking this balance. The short answer, if there is one, is that you are not a cop. The police have their job and are required to operate within the contraints of the law, including the Canadian Charter of Rights and Freedoms. The private sector gets to define its job, and it generally isn't law enforcement.

The hubub over the change to Sympatico's terms of service is evidence that customers don't expect their service providers to act as agents of law enforcement (see: Canadian Privacy Law Blog: More fallout from Sympatico privacy upset). Actors in the private sector, such as internet service providers, often collect and retain information that may be useful for law enforcement or as part of private litigation.

So what are service providers to do? Here's a short guide (and comments are welcome):

  1. Don't collect personal information that you don't need just because it could be useful, particularly if it could be useful to law enforcement or to private litigants. Even if you think you may be required to collect it later, that's no justification to collect it now.
  2. Don't keep personal information around any longer than you actually need it. If you are asked for personal information by law enforcement or private litigants, it is much easier to say you don't have it than to go to court to resist providing it (see below).
  3. Don't offer law enforcement unsolicited access to personal information just because you see something suspicious. Unless you come across evidence of fraud against your organization or compelling evidence of a serious crime, it is not your job to hand over reams of information to law enforcement.

    PIPEDA does allow you to disclose personal information to law enforcement on your own initiative under section 7(3) of the law:

    (3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is ...

    (d) made on the initiative of the organization to an investigative body, a government institution or a part of a government institution and the organization

    (i) has reasonable grounds to believe that the information relates to a breach of an agreement or a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed, or

    (ii) suspects that the information relates to national security, the defence of Canada or the conduct of international affairs;

  4. If asked by law enforcement for personal information that is in your custody, don't hand it over without a warrant. This is the diciest situation and PIPEDA offers a bit of guidance. Under section 7(3), you are permitted to disclose personal information without consent in the following circumstances:

    (3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is ...

    (c) required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records;

    (c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that

    (i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,

    (ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or

    (iii) the disclosure is requested for the purpose of administering any law of Canada or a province;

    It must be noted that these provisions are permissive, meaning that they allow you to disclose the information in these circumstances without offending PIPEDA. Nothing in the above require you to disclose the information. Any compulsion has to come from another statute or rule of law. So, if asked, preserve the information and ask that they return with a warrant. If they have probable cause and a reasonable basis to compel the information, they'll be back.

  5. If you are served with a subpoena for personal information, you should resist the disclosure. A subpoena is not a search warrant. In most jurisdictions, any lawyer representing any litigant can print out a subpoena and go to the court to get a fancy looking stamp on it. All a subpoena means is that you are required to attend at court with the information to have a judge make the final call. There may be no basis for the demand for information and your organization should avoid any situation where it has provided personal information that it was not legally required to hand over. When the internet service providers in the recent file sharing case resisted disclosure and took the matter to court, they emerged as staunch defenders of their users' privacy. That's certainly better than the alternatives.

Credit to the [non]billable hour for the photo.

AARP analysis of recent breaches

The AARP's (formerly American Association of Retired Persons) policy think tank has produced a study of privacy breaches since 2005. For some additional analysis, see Brian Krebs on Computer Security.

Friday, September 01, 2006

Stealth surfing not quite worry free

Those worried about the internet surfing footprints they leave on their PC have a new ally in Browzar, which is an internet browser that doesn't keep a cache, save cookies or use "autocomplete". And it is less than 300k and doesn't require any installation.

I did a little googling ... I mean I used the Google® internet search engine ... looking for more info and found a recent blog posting by Scott Hanselman, who did some looking under the hood of Browzar. According to this post browzar works in tandem with Internet Explorer and deletes image files after they are written to the cache by IE. And not all files are actually deleted. This causes two problems: The first is the file that isn't deleted and the second is that the users' tracks are still on the PC, but have just been deleted (and can therefore be undeleted).

And, of course, you also have to worry about the ability of the visited sites to track you down by your IP address.