Friday, December 29, 2006

An honour to even be considered

What a pleasant surprise to discover that The Canadian Privacy Law Blog has won the first ever CLawBie award for "Best Practitioner Support Blog"!

The CLawBies are a creation of Steve Matthews of Vancouver, BC. Had he not been forced to disqualify his own Vancouver Law Librarian Blog, he would have been in the running in the ultra-competitive Law Librarian Blog Award.

2006 CLawBies - Canada Law Blog Awards

2) Best Practitioner Support Blog - No question on this one. If you track privacy law in Canada, you read David Fraser's Canadian Privacy Law Blog. David must also be Canada's most dedicated blogger. His work is as close to exhaustive as a blog can deliver. And did I mention David's selection as a 2006 Outstanding Young Canadian? Runners-up: eLegal Canton, Alan Gahtan’s Technology and Internet Law Blog

It is very humbling to be included in such esteemed company and also gratifying that, through my blog, I've gotten to know many of my fellow nominees. This blog is coming up on its fifth birthday next week and I'm looking forward to what 2007 brings.

Thanks, Steve.

New facial recognition software raises privacy concerns

Last year I blogged about a company called Riya that was going to bring facial recognition technology to the masses (With facial recognition available to the masses, privacy through anonymity may go out the window). I haven't heard much about Riya since then, but recently a company called Polar Rose has been in the news for a similar product.

What seems to make their technology different is an Internet Explorer and Firefox plugin that allows people to collectively identify individuals in photos on the 'net and tag them in the company's database.

The privacy concerns are pretty obvious, but it gets even more troubling when you think about the increasing amount of surveillance, webcams and other photos of individuals that are appearing on the internet without the knowledge or consent of the individuals in the photos. Combine this technology and Microsoft's new "street sweeper" photo trucks (Windows Live Local Virtual Earth and Privacy in Public), and there'll be records of where you've been from time to time.

The company's blog has some interesting things to say on their software and privacy:

On Privacy and Polar Rose

In the wake of the coverage of our upcoming launch, there’s been a natural discussion about what effect Polar Rose will have on privacy. We’re conscious of this issue and have been so from the very start; when founding the company, when first introducing the idea to Nordic Venture Partners (our investors), and with colleagues before and after they were hired.

It should come as little surprise that we believe that Polar Rose adds tremendous value to the photo web. We think we’re as harmful to the photo web, as Altavista, Yahoo!, and Google have been to the text web. By sorting the text web, these search engines exposed the wonderful resource of public documents that web had already become. The side-effect was that information which was not meant for public consumption, but which was kept private by obscurity, was suddenly exposed and searchable.

So is the photo web today. Hundreds of millions of photos that are screaming to be sorted, viewed, and searched are not being so because no one took the time – or had a facility like Flickr or other photo-sharing sites – to add descriptions, names, or tags. We want to sort this photo web to make each photo more valuable to the viewer, but also to the person who shot it. Tell the story, make it discoverable.

We’ll end up finding photos that the publisher never really thought of as being public. The trick, however, is not to turn off the technology, just like Altavista or any of the subsequent search engines weren’t shut down or otherwise censored. The challenge is to facilitate a way to make sure that photos that shouldn’t be in our database, aren’t. This can be by restricting access or by telling us not to pick them up.

  • We don’t index private photos; photos behind a firewall, login, or on a user’s desktop computer. (We’ll do some partnerships where private photos will be indexed, but thus only for the individual user’s viewing)
  • We honor robots.txt and subsequent requests by a site owner to remove photos from our database.
  • We’ll never engage Polar Rose in the application of the technology in security or surveillance. It’s explicitly stated in the contracts we enter with partners.

While we believe we have a good grip of the privacy issues at hand, more are going to pop up. I and others from within the company will continue to post on this subject here and anywhere else the discussion happens – by email, phone or on other blogs. Privacy will always, always stay top-of-mind.

See: Better photo search could reduce privacy (AP).

Incident: Pharmacy customers' personal information found in Winnipeg alley

A Winnipegger found three shopping bags' worth of prescription documents in an alley behind a hospital this week. First stop? The media, of course.

See: Prescription documents found in Winnipeg alley: Names, addresses, drug information, health numbers found on papers (CBC).

Tuesday, December 26, 2006

Low tech tools v. high tech passports

Want to disable the always-on, non-secure RFID in a passport issued after January 1, 2007? The old fashioned way is the most effective, according to Wired.

Big brother gets an upgrade: shouting cameras

Move along, move along. Nothing to see here.

According to Bloomberg, the country that brought you the Magna Carta, pervasive surveillance, RFID passports and national ID cards is testing a new upgrade of CCTV surveillance technology. Instead of just standing idly by as passive sentries, cameras in Middlesbrough will be able to yell at ne'er do wells and miscreants.

George Orwell Was Right: Spy Cameras See Britons' Every Move

By Nick Allen

Dec. 22 (Bloomberg) -- It's Saturday night in Middlesbrough, England, and drunken university students are celebrating the start of the school year, known as Freshers' Week.

One picks up a traffic cone and runs down the street. Suddenly, a disembodied voice booms out from above:

"You in the black jacket! Yes, you! Put it back!" The confused student obeys as his friends look bewildered.

"People are shocked when they hear the cameras talk, but when they see everyone else looking at them, they feel a twinge of conscience and comply," said Mike Clark, a spokesman for Middlesbrough Council who recounted the incident. The city has placed speakers in its cameras, allowing operators to chastise miscreants who drop coffee cups, ride bicycles too fast or fight outside bars.

Almost 70 years after George Orwell created the all-seeing dictator Big Brother in the novel "1984," Britons are being watched as never before. About 4.2 million spy cameras film each citizen 300 times a day, and police have built the world's largest DNA database. Prime Minister Tony Blair said all Britons should carry biometric identification cards to help fight the war on terror.

"Nowhere else in the free world is this happening," said Helena Kennedy, a human rights lawyer who also is a member of the House of Lords, the upper house of Parliament. "The American public would find such inroads into civil liberties wholly unacceptable."

During the past decade, the government has spent 500 million pounds ($1 billion) on spy cameras and now has one for every 14 citizens, according to a September report prepared for Information Commissioner Richard Thomas by the Surveillance Studies Network, a panel of U.K. academics.

...

Thanks to Rob Hyndman for passing along the link.

Monday, December 25, 2006

CNet's privacy year in review

CNet 2006: A privacy and surveillance year in review. Some highlights:

2006 Highlights

Gonzales: NSA may tap 'ordinary' Americans' e-mail

During Senate hearing, attorney general declines to offer reassurances about a secret surveillance program.

February 6, 2006

Judge: Google must give feds limited access to records

Privacy-aware ruling says search giant must turn over a swath of indexed URLs--but not users' queries.

March 17, 2006

Special report: Silicon Money

CNET News.com chronicles the dramatic increase in tech industry lobbying while highlighting big spenders.

March 27, 2006

Appeals court upholds Net-wiretapping rules

Bush administration's Net surveillance plans receive boost from appeals court, which refused to overturn rules.

June 9, 2006

Feds appeal loss in NSA wiretap case

Bush administration asks the 9th Circuit to halt a lawsuit that accuses AT&T of illegally opening its network to the NSA.

July 31, 2006

AOL's disturbing glimpse into users' lives

Release of three-month search histories of about 650,000 users provides rare glimpse into their private lives.

August 7, 2006

RFID passports arrive for Americans

State Department to begin handing out RFID-equipped passports despite lingering security, privacy concerns.

August 14, 2006

Post-9/11 antiterror technology: A report card

As September 11 nears, News.com examines five useful ways of improving security--and five that should raise eyebrows.

September 7, 2006

Post-9/11 privacy and secrecy: A report card

Since September 11, the federal government has been trying to learn more about us, while keeping us from knowing what it's doing. Is this wise?

September 8, 2006

FBI director wants ISPs to track users

Robert Mueller becomes latest Bush administration official to call for ISPs to store customers' data.

October 17, 2006

Technology voter guide 2006: Rating politicians

How did U.S. politicians vote on tech-related proposals? Find out by clicking on a state, then on a name.

November 2, 2006

FBI taps cell phone mic as eavesdropping tool

Agency used novel surveillance technique on alleged Mafioso: activating his cell phone's microphone and then just listening.

December 1, 2006

Bush's privacy watchdogs make public debut

At first public meeting, White House panel hears from civil-liberties advocates but sheds little light on supposed watchdog role.

December 5, 2006

Congress and tech: Little to show

Lawmakers made a lot of noise over MySpace, China and Net neutrality, but tech-related laws were hard to come by.

December 11, 2006

He knows when you are sleeping

The Freedom Clause

Merry Christmas!

Merry Christmas from the Canadian Privacy Law Blog.

With all best wishes for a restful holiday season and every success in 2007,

David.

Saturday, December 23, 2006

You shall know them by their sneakers

Bruce Schneier recently linked to an interesting project that set up a surveillance system to track people using the Nike/iPod Sport Kit. The kit's intended use is to have your shoes talk to your iPod Nano to track your run. However, the shoes transmit a unique ID more than sixty feet to whoever may be listening in. With less than $250 in equipment, the researchers were able to track unwitting joggers.

As one commenter noted at Bruce's blog, perhaps we can't call them sneakers any more...

Homeland security puts Privacy Impact Assessments online

The US Department of Homeland Security has put up an extensive privacy page on its website, including a full range of privacy impact assessments.

Thursday, December 21, 2006

CBA Says Deficiencies in PIPEDA Must Be Addressed in Five-Year Review

This was posted on the CBA site a while ago, but I'm working through a backlog of links after a really busy few months ...

Among those testifying at the PIPEDA review was Brian Bowman, Chair of the Privacy and Access Law Section of the CBA, who presented recommendations on behalf of the CBA. Michael Geist's site has a summary of the testimony presented on behalf of the CBA, but the release below links to the written submission:

CBA Says Deficiencies in PIPEDA Must Be Addressed in Five-Year Review

OTTAWA – The Canadian Bar Association says there are deficiencies in the Personal Information Protection and Electronic Documents Act (PIPEDA) that must be amended so the law addresses both individual privacy rights and organizations’ needs to collect and use information appropriately.

“It is essential that we be vigilant in respecting the balance of interests in the collection and use of personal information. We must oppose unnecessary erosions of privacy by both government and non-governmental organizations,” says Brian Bowman of Winnipeg, Chair of the CBA’s National Privacy and Access Law Section.

The CBA submission criticizes four key areas of the law:

  • PIPEDA and litigation. Exceptions in PIPEDA relating to litigation are too narrow and impede well-established procedures. The CBA recommends the law should be neutral in regard to the litigation process.
  • Enforcement. The CBA says enforcement should be more effective, but continue to reflect principles of fundamental justice. The CBA recommends an effective enforcement mechanism, such as an impartial tribunal, that would operate informally and have the power to make orders and award damages.
  • Notification of breaches. The CBA says notification of breaches of privacy should be balanced in approach. The CBA recommends that individuals be notified of a breach only when mechanisms like encryption have failed, or when the information is personal and sensitive.
  • Trans-border information flow. The CBA says information transferred across borders must be protected according to Canadian law. The CBA recommends that where personal information is being stored or processed outside Canada, additional protections – such as contracts – be required to add to the security of that information.

“We believe our suggestions will provide assistance in amending PIPEDA to address deficiencies and concerns that have become apparent since the law was enacted,” says Brian Bowman. “This five-year review of the legislation provides an excellent opportunity to re-assess that balance.”

Brian Bowman will present the CBA submission to the Access to Information, Privacy and Ethics Committee on Monday, Dec. 11, 2006 at 3:30 p.m. in Room 371, West Block. The submission is available on the CBA website at: http://www.cba.org/CBA/submissions/pdf/06-58-eng.pdf

The Canadian Bar Association is dedicated to improvement in the law and the administration of justice. Some 37,000 lawyers, law teachers, and law students from across Canada are members.

- 30 -

CONTACT: Hannah Bernstein, Canadian Bar Association, Tel: (613) 237-2925, ext. 146; E-mail: hannahb@cba.org.

(Full disclosure: I was on the committee that developed the recommendations.)

Wednesday, December 20, 2006

Canada Revenue Agency investigates leaks of info on high profile taxpayers

The Canada Revenue Agency generally takes taxpayer privacy very seriously. It's rare to hear about any leak or misuse of personal information from the federal tax department. Lately, however, the CRA, or at least some of its employees, have come under suspicion as confidential records of high-profile taxpayers have appeared online.

The Canadian Press reports on a leak of information about MP and former hockey star Ken Dryden:

Tax office staff warned of disciplinary action as CRA probes Dryden tax leak

GREGORY BONNELL

TORONTO (CP) - Canada Revenue Agency workers are being warned of disciplinary action, including dismissal, following a published report that federal employees had leaked the confidential tax information of Liberal MP Ken Dryden.

"It is unsettling to consider that not all employees may be working with the degree of professionalism and integrity that the CRA expects," writes Larry Hillier, assistant commissioner for the Ontario region, in an internal e-mail to CRA employees obtained by The Canadian Press.

"As with all allegations of wrongdoing, an immediate investigation is being launched to determine if a breach of our standards has occurred," the memo reads. "If warranted, disciplinary action will be taken, up to and including termination of employment."

The tax information of Dryden and several other sports personalities, including former Toronto Maple Leaf Borje Salming, is available on the Internet courtesy of debt collectors who have been illegally leaking the information.

National Revenue Minister Carol Skelton has asked the CRA to launch an immediate investigation in the wake of the original CP report, which was published Saturday.

CRA workers are violating the Income Tax Act, the Privacy Act, and possibly criminal law by feeding information to former employee Alan Baggett, who in turn posts the disclosures to an Internet chat group.

The Dryden story, posted in May 2005, says the former Montreal Canadiens goalie and Leafs general manager once had a "small personal tax debt, which he no doubt paid." A former employee who worked on Dryden's file confirmed the debt to CP.

Neither Dryden nor Salming replied to requests for comment on the postings. The postings did not indicate Dryden's current tax situation.

CRA employees who are found guilty of disclosing tax information, a violation of the Income Tax Act, face fines of up to $5,000 or jail time of up to 12 months - a fact Hillier points out in his memo.

"When one employee breaches confidentiality, as is currently alleged, each and every one of us is impacted," Hillier writes, noting his "high level of confidence in the employees of the Ontario Region."

"You can be assured that all necessary steps are being taken to thoroughly investigate this matter."

Depending on the circumstances, the disclosure of confidential information could also constitute a criminal offence. Under the Criminal Code of Canada, breach of trust by a public officer is punishable by a maximum prison sentence of five years.

Tuesday, December 19, 2006

Notification coming to Ontario public sector privacy laws?

Thanks to John Gregory for passing this along ...

Bill 152 has now passed in the Ontario Legislature and is heading for royal assent. This Bill contains a number of amendments to a range of statutes, but most interestingly provides for the creation of regulations for notifications if information is disclosed contrary to the Freedom of Information and Protection of Privacy Act (and its equivalent that applies to municipalities):

9. Subsection 60 (1) of the Act is amended by adding the following clauses:
(b.1) requiring the head of an institution to assist persons with disabilities in making requests for access under subsection 24 (1) or 48 (1);

. . . . .

(d.1) providing for procedures to be followed by an institution if personal information is disclosed in contravention of this Act;

. . . . .

(f.1) respecting the disposal of personal information under subsection 40 (4), including providing for different procedures for the disposal of personal information based on the sensitivity of the personal information;

It'll be interesting to see what the regs look like.

Monday, December 18, 2006

New money laundering law requires Privacy Commissioner to review FINTRAC's compliance

Bill C-25, An Act to amend the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and the Income Tax Act and to make a consequential amendment to another Act, is now in force. For the purposes of attacking money laundering and the financing of terrorism, the statute expands the amount of personal financial information collected and the sources of that information. But this amendment also gives the Privacy Commissioner of Canada a unique role. Under the statute, the Commissioner is to audit the personal information handling practices of FINTRAC every two years. We'll see how the first such audit goes ....

From the Commissioner's office:

New money laundering law requires Privacy Commissioner to review FINTRAC's compliance with Privacy Act

Ottawa, December 18, 2006 – The Privacy Commissioner of Canada, Jennifer Stoddart, has new oversight responsibilities under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (Bill C-25), which just received Royal Assent. Under this new legislation, the Commissioner's Office is now required to regularly review the Financial Transactions and Reports Analysis Centre (FINTRAC's) compliance with the Privacy Act, the federal public sector privacy law.

Under the Privacy Act, the Privacy Commissioner already has the power to audit the personal information-handling practices of federal departments and agencies. However, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act specifically mandates the Office to review and report to Parliament on FINTRAC's activities every two years. The Commissioner's Office had already planned to conduct an audit of FINTRAC in 2007-08, pursuant to its authority under the Privacy Act.

"We understand the need to address suspected money laundering and terrorist financing activities, but we do have concerns about the potential impact on privacy rights resulting from an increase in the amount of personal information collected and disclosed by FINTRAC," said Ms. Stoddart. "In light of this, I am pleased to see that we will have increased oversight over these activities."

In the recent report of the Commission of Inquiry into the Actions of Canadian Officials in Relation to Maher Arar, Justice O'Connor also generally highlighted the need for increased oversight and review of activities that touch on national security. In Justice O'Connor's report, he recognized that the sharing and disclosure of personal information by government to foreign entities raises concerns.

Providing the Privacy Commissioner with mandated review of FINTRAC's activities is an important step because, as a result of the passage of Bill C-25, the number of organizations required to monitor and to collect information about their clients and customers will increase, the amount of personal information being collected will expand and more transactions will be subject to scrutiny and reporting. FINTRAC will be able to share more information with more organizations. FINTRAC is Canada's financial intelligence unit, a specialized agency created in July 2000 to collect, analyze and disclose financial information and intelligence on suspected money laundering and terrorist activities financing.

Last week, Ms. Stoddart appeared before the Standing Senate Committee on Banking, Trade and Commerce to discuss Bill C-25. Her statement and submission are available on the Office's Web site.

The Office of the Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy rights of Canada.

More progress toward a tort of invasion of privacy in Ontario

The Ontario Superior Court of Justice has just released an interesting case considering relief from the implied undertaking rule and the potential of a tort of invasion of privacy in Ontario. (The implied undertaking rule generally prohibits the use of any information obtained in litigation for a purpose other than the instant litigation.)

Shred-Tech Corp. v. Viveen, 2006 CanLII 41004 (ON S.C.) is a case in which Shred-Tech is suing former employees for violating a non-competition covenant. The plaintiff Shred-Tech hired a private investigator to look into the situation and the PI's report was part of the rationale for initiating the lawsuit. When the PI's report was disclosed to the defendants as part of pre-trial discovery, the defendants discovered that the PI had obtained the defendants' calling records from Bell Canada and had covertly videotaped on the defendants' new business premises.

In the motion before the Court, the defendants sought an order for relief from the implied undertaking rule so they could use the materials to launch complaints under the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5; and the Private Investigators and Security Guards Act, R.S.O. 1990, c.P. 25.

The Court granted the order requested and made the following observations (the observations about the tort of invasion of privacy must be considered to be obiter dicta, but will likely be quoted as further support of the existence of the tort in Ontario):

The distinguishing feature of this motion is the reference to privacy rights, a relatively new development in our law. Public concern as to the manner of collecting personal information, and the use made of it resulted in legislative response. The Personal Information Protection and Electronic Documents Act came into existence in 2000 and is presently under review, no doubt due to the now recognized importance of privacy rights. A regulatory body was established to handle complaints regarding contraventions. There is, of course, other legislation that may be relevant to the nature of the complaint regarding the investigator’s conduct.

[27] In Ferency v. MCI Medical Clinics 2004 CanLII 12555 (ON S.C.), (2004), 70 O.R. (3d) 277 (Ont. S.C.J.), the defendant retained a private investigator to conduct video surveillance of the plaintiff. At trial, the defendant sought to use the video evidence for impeachment purposes. The plaintiff’s opposition to admission of the evidence relied on the Personal Information Protection and Electronic Documents Act. Dawson J. rejected the plaintiff’s submissions and raised the question of the statute’s application in the circumstances of that case. He also determined, by applying the principles of agency, it was the defendant who, in effect, collected the information for personal use in the defence of the plaintiff’s allegations.

[28] Ferency, as noted, dealt with the issue of admissibility of evidence at trial. Of particular importance was that the surveillance occurred in public. Dawson J. found the plaintiff had given “implied consent” saying at para. 31:

The complainant has effectively, by commencing this action and through her pleadings, put the degree of injury to her hand and its effect on her life into issue. One who takes such a step surely cannot be heard to say that they do not consent to the gathering of information as to the nature and extent of their injury or the veracity of their claim by the person they have chosen to sue. Consent is not a defined term under the Act, and there is no indication in the Act that consent cannot be implied.

[29] In the case at bar, however, the defendants present evidence to suggest information was obtained in circumstances that do not support a finding of consent, implied or otherwise, particularly with reference to their Bell Canada records.

[30] There is some debate as to whether there now exists a tort of invasion of privacy. I am of the view recognition of such a tort in law is the logical result of the acknowledgment of privacy rights. There must be a remedy available for the breach of any right. In this regard, I am in agreement with the comment by Stinson J. in Somwar v. McDonald’s Restaurant of Canada Ltd., [2006] O.J. No. 64 (Ont. S.C.J.) where, at para. 29, he said:

With advancements in technology, personal data of an individual can now be collected, accessed (properly and improperly), and disseminated more easily than ever before. There is a resulting increased concern in our society about the risk of unauthorized access to an individual’s personal information. The traditional torts such as nuisance, trespass, and harassment may not provide adequate protection against infringement of an individual’s privacy interests. Protection of those privacy interests by providing a common law remedy for their violation would be consistent with the Charter values and an ‘incremental revision’ and logical extension of the existing jurisprudence.

[31] The investigation appears to have resulted from the concerns of the plaintiff regarding the conduct of the defendants in establishing a competing business. The allegations raised by the defendants regarding the manner of the investigative process are serious. Evidence is provided in support of these allegations. The evidence is not challenged. Indeed, by their failure to defend the counterclaim and respond to this motion, Sintrack and Mrowiec are deemed to admit the validity of the allegations. The defendants’ Bell Canada records, for example, were obtained by the investigator without the consent of the defendants or court order. The obvious question is how such occurred and, indeed, whether an illegal act is involved.

[32] The evidence presented by the defendant is sufficient to establish, at least, the basis of their claim. This triable issue will be determined in due course.

[33] In this case, it would be unjust to restrict the enforcement of privacy rights to the lawsuit. If the rights were violated, damages may be awarded but such, in my view, ought not be the exclusive remedy. Regulatory bodies, established for this very purpose, must be permitted to investigate the complaint and have made available to it the best evidence. Preventing a regulatory investigation, by restricting the evidence that may be considered would, in effect, condone what may be an illegal act. Such is clearly not the intent of the deemed undertaking rule.

[34] The defendants have established entitlement to the relief claimed on this motion regarding Sintrack and Mrowiec. The intended complaint is not for an improper purpose but, rather, for a legitimate inquiry by a regulatory body. While connected to the issues raised in the lawsuit, the complaint goes further in terms of the challenged conduct.

[35] There is no evidence, at present, implicating the plaintiff or its corporate officials in the investigative process. Indeed, in their defence to the counterclaim, they deny any involvement. It is to be noted, as well, the plaintiff made disclosure of the investigative report and other information as required in the discovery process.

[36] Counsel for the defendants relies on the concept of agency in arguing in favour of allowing the complaint to proceed regarding the plaintiff, Glass and Roberto. The principles of agency may be relevant in a consideration of admissibility of evidence, such as in Ferency, or with respect to the tort claim. To subject others to a regulatory investigation necessitates a foundation for the claimed relief. Agency, in my view, is insufficient for this purpose.

[37] Counsel for the defendants also suggested a lack of evidence ought not be a determining factor, referring to the comments of Granger J. in 755568 Ontario Ltd. v. Linchris Homes Ltd., supra, at p. 651 where he said:

The plaintiff in its motion, which is not supported by any affidavit material setting out its motive, seeks leave to send the transcripts of the examinations for discovery to the police in order that an investigation can be carried out, and presumably charges laid, if there are reasonable and probable grounds to believe that an offence has been committed. In my view I need not, nor should I, determine if there are reasonable and probable grounds to believe the defendants have committed a criminal offence. The sole issue is whether the request of the plaintiff is a bona fide request or made for a collateral purpose.

[38] With respect, I do not read this passage as saying evidence is not required. Granger J. refers to a “bona fide request” which, in my view, necessitates some evidence. Otherwise, an innocent party could be subjected to regulatory or other investigation. Such would be prejudicial in terms of the lawsuit and, as well, improper.

[39] In this respect, the motion as it pertains to Shred-Tech, Glass and Roberto is premature. Examinations for discovery have not yet taken place. It may be that evidence will become available and, therefore, the defendants ought then be permitted to seek relief. At this point, however, without an evidentiary foundation, the motion must be dismissed as against these parties.

[40] On behalf of the plaintiff, counsel submits prejudice will result even by allowing the complaint to proceed with respect to the investigators. No affidavit or other evidence was presented in support of this position. Judicial notice, as referred to in Ribeiro, would acknowledge the possibility of some involvement in the complaint process, such as a witness. It is to be noted, however, it was the plaintiff who retained the investigators.

[41] I do not see any significant prejudice to the plaintiff in this regard. Any prejudice is far outweighed by the injustice to the defendants if the complaint could not proceed. The defendants have an absolute right to present their complaint to the regulatory bodies. The documents and other information is the best evidence and such is of critical importance in a regulatory inquiry.

[42] I am also of the view there is a public interest in allowing the complaint to proceed against the investigators. A potential breach of a privacy right is an important matter for the complainant and for the public. If the complaint is found to be legitimate, prevention of future abuse of the rights of others is an important consideration.

The year in Tech Law, from A to Z

It's that time of year again.

Michael Geist's annual tech law retrospective, from A to Z, is up on his homepage and includes a number of newsworthy privacy stories from the past year. The Letters of the Law: The Year in Canadian Tech Law.

Saturday, December 16, 2006

Inside a one-to-one CRM project

1to1weekly has a profile of a customer tracking initiative undertaken by the Buffalo Sabres hockey team. It's an interesting profile of the project, but doesn't say anything of substance about consent or other privacy issues inherent in such undertakings:

Buffalo Sabres Score With Customer Data Power Play

... The new strategy aims to identify and interact with all levels of fans. The Sabres implemented a SageCRM system, which houses information on nearly 50,000 customers. All types of fans are managed within the CRM system: season ticket holders, suite holders, mini-pack ticket holders, and single game buyers. The marketing team profiles customers by demographic information (such as age, hometown, and gender), and can track purchase history, create reports on sponsors and advertisers, and monitor Sabre Insider weekly newsletter subscribers' activity....

Privacy Officers stuck in the middle

Privacy Officers have an interesting role in an organization, both as an advocate for their organization and as a voice for the privacy concerns of different stakeholders. Robert Gellman has an interesting take on the conflicting pressures:

Chief privacy officers stuck in the middle: CPO's have to live by their wits, and be useful

By Robert Gellman, Special to GCN

Let’s try a role-playing exercise. You are the newly appointed chief privacy officer at your agency. How can you represent privacy interests internally, look functional to outsiders and not get your agency’s management mad at you? It isn’t easy to balance all these conflicting objectives.

A CPO in any organization is a person in the middle. It’s true for a CPO in a company, and it is true for a CPO in a federal agency. Even well-established internal privacy offices have to walk a tightrope.

CPOs face several institutional problems. They typically have little real power, limited resources and no natural base of support. Privacy remains a novel issue at many agencies. It often doesn’t even appear on the radar screen unless there is a crisis.

You will recall that Congress in 2004 directed agencies to establish CPOs. As the new kid on the block, a CPO has to define the role of the privacy office. It’s true that agencies have had to comply with the Privacy Act of 1974 for a generation, but most Privacy Act staffers have little power and influence. Can CPOs do better?

CPOs should not look to the Office of General Counsel as a role model. At most agencies, everyone hates the lawyers. The lawyers have the power to stop anything they don’t like by declaring it contrary to law. Agency lawyers frequently have no incentive to be helpful because they know that they can’t be fired, evaded or ignored by their clients. Anyway, a CPO does not have the clout a lawyer has.

Program offices may accept help from a CPO, but it is more likely that the CPO will have to prove something first. Some offices with privacy issues may require the CPO to bring the Wicked Witch’s broomstick—or the bureaucratic equivalent, which is a directive from the head of the agency—just to get in the door.

A CPO will have to live by his or her wits, but mostly by being useful. Often that means being a team player, finding practical solutions and, most important, doing things instead of telling others what to do. Another problem faced by an externally visible CPO comes when the battle has been lost. A privacy issue surfaces in your agency, and you recommend that the agency take specific steps to minimize privacy intrusions. You fight it out internally, and the agency rejects your advice.

That’s bad enough, but here comes a call from a reporter asking what you think of the agency’s decision. If you say that the decision was wrong, you will surely tick off your agency head as well as the program office. Good luck having any influence in the future. But if you say the decision was right, you will lose your credibility with congressional critics and with the privacy advocates who are screaming that your agency just joined Big Brother’s team.

See what I mean about being in the middle? There is no place to turn without digging yourself in deeper. So what to do? I have an answer.

The solution is that a CPO has to be able to respond procedurally. If you don’t want to say that a decision was substantively right or wrong, the best answer is that the agency duly considered privacy when it made its decision. CPOs should define their own role in procedural terms to avoid being forced to lie or being left with nothing to say. That procedural response is appropriate even when the agency did the right thing for privacy.

In a better world, we would have a truly independent privacy office that could responsibly praise or criticize an agency, the administration, Congress or the courts without losing budget or influence. But without independence, the best that we can hope for is that privacy officials represent privacy assertively, be creative, work hard and live to fight another day.

DHS Privacy Officer to scrutinize programs

According to GovExec.com, the newly appointed privacy officer for the Department of Homeland Security has started more closely scrutinizing the Department's IT and other projects for privacy issues. See DHS privacy office steps up scrutiny of technology projects.

Thursday, December 14, 2006

Blogging the PIPEDA hearings - day 8

Michael Geist has posted notes from the eighth day of the PIPEDA hearings, at which the Canadian Medical Association, the Canadian Pharmacists' Association and the Canadian Dental Association appeared.

Update (20070118): For links to the full hearing transcripts, go to: Canadian Privacy Law Blog: PIPEDA Review Transcripts.

Wednesday, December 13, 2006

Day seven of the PIPEDA hearings

Michael Geist has posted another set of great notes of the hearings on PIPEDA being held by the Parliamentary Committee on Ethics, Access to Information and Privacy. Day seven's submissions come from Ian Kerr, ITAC and the Canadian Bar Association: Michael Geist - PIPEDA Hearings - Day 07 (ITAC, CBA, Ian Kerr).

Update (20070118): For links to the full hearing transcripts, go to: Canadian Privacy Law Blog: PIPEDA Review Transcripts.

Tuesday, December 12, 2006

Incident: UCLA database with 800K SSNs hacked

I stopped reporting on information breaches some time ago as they have become too routine. But this one bears commenting upon:

It appears that a database at UCLA containing over eight hundred thousand social security numbers has been hacked. Repeatedly. For over a year. What is most remarkable about this is that a large portion of the affected individuals have never been students or employees of the university. Many simply applied for admission, in some cases years before.

Repeat after me: Only collect the information you need (actually, really need) and then only keep it for as long as you actually, really need it.

Personal information is like an underground oil tank. If you need one, they're good to have. Heck, if you need two, have two. But oil tanks are inherently risky. If you don't need an oil tank, for goodness' sake don't put one on your property. If you no longer need it, get rid of it. If you just leave it on your property, the risk of leaks (and the ensuing cleanup cost) is too high. It doesn't matter if oil tanks and personal information appear free.

See: Boing Boing: Major identity leak: UCLA database with 800K SSNs hacked

Monday, December 11, 2006

Breach notification assessment tool

Today, the Information and Privacy Commissioners of Ontario and British Columbia have released a Breach Notification Assessment Tool to provide guidance to public and private sector bodies on what to do after a personal information breach. It is meant to be used alongside existing publications for each province:

B.C.:

Key Steps in Responding to Privacy Breaches (http://www.oipc.bc.ca)

Ontario:

What to do if a privacy breach occurs: Guidelines for government organizations (http://www.ipc.on.ca/images/Resources/up-prbreach.pdf)

What to do When Faced With a Privacy Breach: Guidelines for the Health Sector (http://www.ipc.on.ca/images/Resources/up-hprivbreach.pdf)

FTC to begin compensating ChoicePoint breach

The US Federal Trade Commission has finally begun the process to compensate victims of ChoicePoint's enormous data breach. Only those who ultimately were victims of fraud are being compensated, excluding those whose data was merely leaked:

FTC to Reimburse ChoicePoint Victims: Financial News - Yahoo! Finance:

FTC Mails Claim Forms to 1,400 ChoicePoint Victims

WASHINGTON (AP) -- Victims of identity theft stemming from a security lapse last year at consumer data provider ChoicePoint Inc. can seek reimbursement from a $5 million fund set up to recoup their losses, the Federal Trade Commission said Wednesday.

Alpharetta, Ga.-based ChoicePoint collects, sells access to and analyzes information on consumers. The company agreed Jan. 26 to pay the FTC $15 million to settle charges that the company's security and record-handling procedures violated consumers' privacy rights when thieves infiltrated the company's massive database.

Identity thieves gained access to ChoicePoint's database by posing as small business customers, possibly compromising the personal information of 163,000 Americans, according to the FTC.

The settlement included a $10 million fine -- the agency's largest ever -- and $5 million for a victims' fund that will be used to reimburse those who file claims.

HP settles pretexting charges

Hewlett Packard has settled its pretexting case with the Attorney General of California, agreeing to pay $14.5 million: HP Settles California 'Pretexting' Charges, Pays $14.5 Million - News by InformationWeek.

Sunday, December 10, 2006

With electronic health records, it's the privacy piece

I had a great but busy week last week and I'm only just getting caught up on my extracurricular reading...

Last week, the New York Times ran a very interesting and informative article on electronic health records (Health Hazard: Computers Spilling Your History - New York Times). The article confirms what I've believed for some time: the greatest impediment to the adoption of electronic health records is privacy and most planners are giving that short shrift as they plunge further and further into this new age.

It doesn't help that celebrities, such as former President Clinton, have to check into hospitals under aliases.

“There is a huge potential for technology to improve health care and reduce its cost,” Mr. Bosworth said in a statement. “But companies that offer products and services must vigorously protect the privacy of users, or adoption of very useful new products and services will fail.”

Even before the theft this year of a Veterans Affairs official’s laptop that contained private medical records of 28 million people, a consumer survey found that repeated security breaches were raising concerns about the safety of personal health records.

About one in four people were aware of those earlier breaches, according to a national telephone survey of 1,000 adults last year for the California HealthCare Foundation. The margin of error was plus or minus 3 percentage points.

The survey, conducted by Forrester Research, also found that 52 percent were “very concerned” or “somewhat concerned” that insurance claims information might be used by an employer to limit their job opportunities.

The Markle survey, to be published this week, will report even greater worry — 56 percent were very concerned, 18 percent somewhat concerned — about abuse by employers. But despite their worries, the Markle respondents were eager to reap the benefits of Internet technology — for example, having easy access to their own health records.

...

Still, worries linger across the health care system. Hospital executives say that private investigators have often tried to bribe hospital employees to obtain medical records that might be useful in court cases, including battles over child custody, divorce, property ownership and inheritance.

But computer technology — the same systems that disseminate data at the click of a mouse — can also enhance security.

Mr. Liss, of NewYork-Presbyterian, said that when unauthorized people tried to gain access to electronic medical records, hospital computers were programmed to ask them to explain why they were seeking the information.

Moreover, Mr. Liss said, the computer warns electronic intruders: “Be aware that your user ID and password have been captured.”

Big Brother, Big Business

In November, I blogged about a CNBC documentary called "Big Brother, Big Business" (see Canadian Privacy Law Blog: Big Brother, Big Business). It is being rebroadcast tonight on CNBC and I've also found that it is on Google Video via Information Clearinghouse. From what I've seen so far, it's worth seeing.

Saturday, December 09, 2006

Your cell phone may be a mobile bug

I've blogged before about tracking cell phones. Now this takes it to a new level.

A recent US District Court ruling discloses that law enforcement has the ability to turn on the microphone in a cell phone, converting the device into a bug without the owner's knowledge. This apparently still works if the device is turned off; the only way to defeat it is removing the batteries.

If anyone has a copy of this decision or more info on this technique, please feel free to e-mail me at david.fraser-at-privacylawyer.ca.

KTRE-TV - Lufkin/Nacogdoches, TX - Court Says FBI Can Use Your Cell Phone To Spy... On You:

... A recent court ruling in a case against the Genovese crime family revealed that the FBI has the ability from a remote location to activate a cell phone and turn its microphone into a listening device that transmits to an FBI listening post, a method known as a 'roving bug.' Experts say the only way to defeat it is to remove the cell phone battery.

'The FBI can access cell phones and modify them remotely without ever having to physically handle them,' James Atkinson, a counterintelligence security consultant, told ABC News. 'Any recently manufactured cell phone has a built-in tracking device, which can allow eavesdroppers to pinpoint someone's location to within just a few feet,' he added.

According to the recent court ruling by U.S. District Court Judge Lewis Kaplan, 'The device functioned whether the phone was powered on or off, intercepting conversations within its range wherever it happened to be.' ...

Update (20061223) - Bruce Schneier's blog has more info on this, but no firm conclusions, mostly based on a ZDNet article.

Friday, December 08, 2006

PIPEDA hearing, day six

More from the PIPEDA hearings, thanks to Michael Geist:

Michael Geist - PIPEDA Hearings - Day 06 (CIPPIC, PIAC, MRIA): Friday December 08, 2006 The PIPEDA hearings continued on Wednesday with CIPPIC, PIAC, and the Marketing Research and Intelligence Association providing their views. While I was unable to find a student to blog the event, CIPPIC has posted its meeting notes and speaking notes.

Update (20070118): For links to the full hearing transcripts, go to: Canadian Privacy Law Blog: PIPEDA Review Transcripts.

Thursday, December 07, 2006

Right to Know Coalition of Nova Scotia

The new access to information advocacy organization for Nova Scotia, the Right to Know Coalition of Nova Scotia, has a new blog: Right to Know Coalition of Nova Scotia.

Wednesday, December 06, 2006

Calgary Health Region found in Contravention of Health Information Act over stolen laptop

The Office of the Information and Privacy Commissioner of Alberta has found that the Calgary Health Region violated the Health Information Act in connection with a stolen laptop:

Calgary Health Region found in Contravention of Health Information Act over stolen laptop:

The Office of the Information and Privacy Commissioner has found that the Calgary Health Region contravened the Health Information Act (HIA), following an investigation into the theft of a laptop computer. The laptop contained a database of more than 1,000 children in a mental health care program, including patient history and treatment details.

Key findings included:

  • The Health Region had policies in place that would have protected the stolen laptop and the information it contained, but those policies were not fully implemented by the Collaborative Mental Health Program.
  • A copy of the entire database was stored on the stolen computer, increasing the number of people affected. Program workers should only have copied the files they needed, rather than the entire database.
  • While the laptop was protected by passwords, this was not adequate given the nature of the information it contained.
  • A knowledgeable and motivated individual could access the data with tools that are readily available on the internet.
  • While the risk of identity theft from the information is low, it cannot be ruled out.
  • Encryption technology would have protected the lost data, but it was not implemented.

The CHR informed the Commissioner's Office of the incident on its own initiative, took immediate action to notify affected individuals and has since implemented measures to secure mobile computers. The Health Region also agreed to follow our Investigator's recommendations.

Investigator Brian Hamilton says, "For the most part the Calgary Health Region does a good job protecting information, and has been taking steps to improve security. Unfortunately, they failed to recognize and address the risks of mobile computing in this program area."

Others can learn from this investigation. The Office of the Information and Privacy Commissioner urges all HIA custodians, public bodies and private sector organizations to follow these recommendations for mobile computing:

  • Perform a Privacy Impact Assessment (or a security risk assessment) before implementing mobile computing.
  • Do not store personal or health information on mobile computing devices unless you need to - consider technologies that allow secure, remote access to your network and data instead.
  • If you must store personal or health information on a mobile device, use encryption to protect the data - password protection alone is not sufficient.
  • Keep the amount of personal or health information stored on mobile computing devices to a minimum, based on your business needs.
  • Periodically check your policies against practice to ensure they reflect reality and remain effective.
  • Provide specific training on mobile computing to staff to ensure they understand the risks and understand how to protect their equipment.

-30-

For more information or to view a copy of Investigation Report H2006-IR-002, visit our website, http://www.oipc.ab.ca/.

Tuesday, December 05, 2006

Blogging the PIPEDA hearings - Day 5

Michael Geist has again posted notes from the PIPEDA review hearings on his blog:

Michael Geist - PIPEDA Hearings - Day 05 (CMA, FETCO):

"Today marked the fifth day of PIPEDA hearings with the Canadian Marketing Association and FETCO (Federally Regulated Employers Transportation and Communication) taking centre stage. The gist of today's discussion from the witnesses - no order making power, cautious approach on security breach disclosure, and cut back on employee privacy rights. The MPs have begun to settle into specific issues with the Conservative members focused on the compliance costs, while the opposition members more receptive to enhanced privacy rights within PIPEDA. Shiran Sabari provides a complete look at the discussion: ..."

Update (20070118): For links to the full hearing transcripts, go to: Canadian Privacy Law Blog: PIPEDA Review Transcripts.

Sunday, December 03, 2006

PIPEDA Case Summary #351: Use of personal information collected by Global Positioning System considered

On Thursday, the Office of the Privacy Commissioner of Canada posted a very interesting and detailed finding on the use of GPS tracking of company vehicles. The finding is lengthy and worth a read: Commissioner's Findings - PIPEDA Case Summary #351: Use of personal information collected by Global Positioning System considered (November 9, 2006).

A summary of the summary is in the following media release:

News Release: Privacy Commissioner urges caution before installing GPS in company vehicles (November 30, 2006):

News Release

Privacy Commissioner urges caution before installing GPS in company vehicles

Ottawa, November 30, 2006 – Employers need to carefully consider the privacy rights of their workers before installing Global Positioning Systems (GPS) into their vehicle fleets, according to the Privacy Commissioner of Canada, Jennifer Stoddart.

The Office of the Privacy Commissioner of Canada (OPC) today released a summary of its findings into a case involving the workplace use of GPS, which can track the location of a vehicle in real time. The Commissioner discussed her Office’s findings at a workplace privacy seminar hosted by Ryerson University.

“This is an important issue for employers and employees across Canada. We’re seeing more and more organizations installing GPS in their cars and trucks and it’s unclear whether they are adequately addressing privacy issues,” Ms. Stoddart said.

In the case investigated by the OPC, several workers complained that their employer, a telecommunications company, is using GPS to improperly collect their personal information – specifically their daily movements while on the job.

The company is using GPS in its installation and repair, and construction vehicles to locate, dispatch and route employees to job sites. Some workers worried, however, that GPS is also being used to monitor work performance and that information gleaned from this technology will be used to justify disciplinary action.

The OPC investigation accepted most of the company’s arguments for using GPS. It agreed, for example, that using GPS to dispatch vehicles is likely to lead to better service for the company’s customers and also could help locate missing vehicles.

However, the OPC expressed concern about using GPS as an employee surveillance tool. While using GPS to track a vehicle is not overly privacy invasive, routinely evaluating worker performance based on assumptions drawn from GPS information impinges on individual privacy.

The use of GPS as an employee surveillance tool may be acceptable in certain situations, which are defined and communicated to employees beforehand, according to the OPC findings. However, a company should not routinely use GPS to monitor its workforce.

In this case, the OPC asked the company to clearly explain to its employees how GPS would be used to check up on them, and also to develop a policy outlining an appropriate process of warnings and progressive monitoring. The policy subsequently prepared by the company spelled out situations in which the company will use GPS data to monitor employees. These include an investigation into a complaint – about speeding, for example – from a member of the public; an investigation into concerns raised within the company; or to address productivity problems. The company also made a commitment to train its managers about the appropriate use of the technology.

“Systematically using GPS to check up on workers and try to determine how well they are doing their jobs would be going too far,” said Ms. Stoddart. “Employers do not have carte blanche to use GPS to constantly monitor their workforce.”

The OPC finding also cautions employers about “function creep” – collecting information for one purpose, and then using it for some other unrelated purpose in violation of basic fair information practices.

“Managing workplace privacy is a balancing act. On the one hand, employers have the right to know what workers are up to on company time. On the other, employees have a right to privacy,” the Commissioner said.

“Workers do not check their privacy rights at the factory or office door. Workplace privacy is an important part of the basic autonomy rights of individuals in our society,” she said. “Employers must find ways to weed out the bad employees without shattering the dignity and privacy rights of the good employees – who make up the vast majority of the workforce.”

The OPC is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy rights in Canada.

The summary of the findings in the GPS investigation is available on the OPC Web site:

PIPEDA Case summary #351: Use of personal information collected by Global Positioning System considered

Once again, I am left at a bit of a loss when it comes to using PIPEDA in the workplace. Unlike PIPA in Alberta and BC, PIPEDA has no deemed consent for reasonable collection, use and disclosure in the workplace. To "make do", the practice seems to have been to use s. 5(3) of the Act to say that as long as it's reasonable, you have implied consent (particularly if there is notice). But logically you can't have consent by implication if it is clearly negated by an employee complaint. Hopefully this will become moot if the Parliamentary Committee recommends fixing up that portion of PIPEDA and something is done about it.

When fired for using police documents to check out girlfriends, call centre worker says everyone does it

From New Zealand, an interesting story ...

Police files used to check out girlfriends - New Zealand, world, sport, business & entertainment news on Stuff.co.nz:

Police files used to check out girlfriends

04 December 2006

By EMILY WATT

A 111 call-centre worker, sacked after being accused of stealing information from the police computer, says he will fight the dismissal because the practice is rife.

Les Neilson – who admits he used the police computer to check on potential girlfriends – says many police regularly look up acquaintances and friends on the database.

He claims he has been made a scapegoat.

"I've basically been screwed for doing something that's a common practice. I've used the information the same as everyone else has," he said.

"If I'm socialising with people and I'm meeting new partners then I need to know the background of those partners because I don't want to put myself or the department in a compromising position.

"There's nothing that says 'I can't do that' – I've been doing it for the last 20 years."

Mr Neilson, who has been involved with the police for 20 years, was accused of "inappropriate accessing and disclosure of police information" in April and summarily dismissed.

However, he is fighting the sacking by taking an unfair dismissal case to the Employment Relations Authority. Mr Neilson is now working as a private investigator in Wellington.

A law expert says police could be sued over the revelations for breach of privacy and says police must investigate how many staff do this and what the confidential information is used for.

The police database contains a range of personal information, including current addresses, vehicle details, next of kin, details of who individuals live and associate with, criminal histories and any links with gangs.

The information is highly valued by private investigators and debt collectors. Sources say a current name and address alone can sell for between $100 and $200.

Police Commissioner Howard Broad said staff knew it was wrong to access the database for personal use. "If they do, it's wrong and they would know that it's wrong. It's quite a clear breach."

Mr Neilson, a former policeman who was later employed as a non-sworn staff member in the Wellington communications centre, said he regularly looked up associates and girlfriends "to protect myself and the organisation".

He denies police allegations that he gave computer information to other people, that he misrepresented himself, and that he was using the database for personal gain.

"I have not disclosed the information to anyone. I've given an explanation. If they investigate it they'll find out it's a very legitimate explanation."

Mr Neilson thought the public would not care that police accessed the database as he did.

"How many of the general public would be upset that the local policeman or someone working for the police checks up on them, or who's in the street, or checks up on potential tenants for flats or aunts' and uncles' criminal histories?"

A police headquarters spokeswoman said the office was constrained about what could be said because the case was before the Employment Relations Authority.

"The police organisation is intolerant of any abuses of information that is held. As this case illustrates, action will be taken against any staff member who seeks to use police information for purposes unrelated to their duties," the spokeswoman said.

Police Association president Greg O'Connor said the union had reminded members to be aware of how they used police information and facilities.

Operation Insider, which investigated the distribution of pornographic e-mails among police, had highlighted the importance of using such facilities appropriately, he said.

Auckland University associate law professor Scott Optican said the revelation was a significant breach of privacy and police could face lawsuits as well as formal complaints.

"Certainly, there's no question that something like this is going to have to cause the police to rethink how they safeguard the information against the people who have access to it."

Professor Optican said police had a duty to investigate how many people had accessed the database for personal use, and what they did with that information. "If it looks like there were consequences (for the person who was looked up), they need to contact that person and find out what happened.

"Quite frankly, I think the police should explain to members of the public exactly what happened here and what they'll do to make sure it doesn't happen again."

Saturday, December 02, 2006

More on warrants for ISP records

Back in October, I blogged about the CIPPIC and Online Rights privacy pledge (Canadian Privacy Law Blog: The ISP Privacy Pledge). In that post, I referred to a posting by Mark Goldberg called "Online rights is wrong."

More recently, Mark has posted 7 reasons why warrants aren't needed. This one has resulted in a bit of a debate between David Butt and Mark Goldberg, on one side, and Rob Hyndman on the other side.

The seven reasons are listed, as is additional information offered by David in the course of the debate with Rob Hyndman:

Internet child abuse investigators routinely need bare bones subscriber information (name and address) from ISPs to conduct their investigations. A question commonly asked by ISPs and privacy advocates is, why shouldn’t the police use a search warrant to get that bare bones subscriber information? There are seven really good answers to this question.
  1. Bare bones subscriber information is not the kind of private information that requires a search warrant. The highest court in Canada, the Supreme Court, has clearly said so. [R. v. Plant, [1993] 3 SCR 281]
  2. Every other business in Canada must supply this kind of bare bones customer information to the police upon request. There is no principled reason why ISPs should be exempted from the rules that apply to every other business. [This engages the moral calculus of social, not legal obligation. Simply put, fighting child abuse is more important than "protecting" the confidentiality of basic subscriber information that is widely recognized as not engaging core privacy values. In other words, I [David] challenge any business to state publicly that they would rather hamper child abuse investigations than voluntarily surrender upon request non-intimate basic customer information for which a search warrant is not necessary.]
  3. PIPEDA has a specific section in it whose purpose is to authorize the granting of this bare bones subscriber information to police. ISPs therefore have specific statutory authority to rely upon. [PIPEDA s.7(3)(c.1)(ii) Based on the comfort provided by this section, the letter of authority endorsed by CAIP is a commendable step taken by the industry to address internet based child abuse.]
  4. Police services are always understaffed and overworked. The demand for policing services always exceeds the available supply. Therefore, adding unnecessary burdens on police by requiring them to go to the trouble of getting legally unnecessary warrants prevents police officers from devoting their limited time to more important work. The result is that the whole community suffers unnecessarily.
  5. Search warrant requirements under Canadian law are onerous. A typical search warrant, even for bare bones subscriber information, may often run to more than 40 pages in length. This will require several hours of work by an officer, sometimes many officers. It will involve at least two visits to a judge. Given the limited availability of judges, the entire process may take days. All of this effort is legally unnecessary and therefore a complete waste of public funds.
  6. Bare bones subscriber information is necessary to identify the location of the suspect so that the case can be conducted by the local police service. If a search warrant were necessary for every such bare bones request, the police service in the city where the ISP head office is located would be obliged to do a great deal of onerous search warrant work simply to pass the file on to another jurisdiction when the bare bones subscriber information comes back. This places not only an unnecessary but a disproportionate burden on police services in those cities that host ISP head offices.
  7. Other democratic countries, that fully respect privacy rights, require businesses to supply this type of bare bones subscriber information to the police upon request. Internationally, the practice is routine.

With respect, I don't think it is legally correct to say that subscriber information can be provided by an ISP in response to a "letter of authority". And I am not going to get into the political debate that starts with the premise that if you follow the Charter, you are supporting child exploitation.

The first point relies entirely on R. v. Plant, a 1993, pre-PIPEDA decision from the Supreme Court of Canada. It did not deal with subscriber information from an ISP or other telco, but with electricity consumption records from a publicly owned power generation company. At the time, this information was provided to cops on a routine basis. In fact, the police had a direct computer connection to the hydro company's system. In addition, at the time, the electricity consumption records of every customer were available to anyone who asked. The majority of the Court concluded that there was no reasonable expectation of privacy in this information and a warrant was not required. It is also notable that the current Chief Justice wrote a very strong dissent arguing that there was a reasonable expectation of privacy in this information.

In my personal opinion, R. v. Plant is readily distinguishable. Plant deals with electricity consumption at a particular address, not the specifically identifying information from ISPs that is now being discussed. Since PIPEDA and the PIPAs, it would be very difficult to say that there is no expectation of privacy in your name and address in ISP billing records. Just look at BMG Canada Inc. v. John Doe (F.C.), [2004] 3 F.C. 241, 2004 FC 488 (CanLII) where the Court noted:

[37] In respect of the internet specifically, Wilkins J. in Irwin Toy Ltd. v. Doe (2000), 12 C.P.C. (5th) 103 (Ont. Sup. Ct.) stated, at paragraphs 10-11:
Implicit in the passage of information through the internet by utilization of an alias or pseudonym is the mutual understanding that, to some degree, the identity of the source will be concealed. Some internet service providers inform the users of their services that they will safeguard their privacy and/or conceal their identity and, apparently, they even go so far as to have their privacy policies reviewed and audited for compliance. Generally speaking, it is understood that a person's internet protocol address will not be disclosed. Apparently, some internet service providers require their customers to agree that they will not transmit messages that are defamatory or libellous in exchange for the internet service to take reasonable measures to protect the privacy of the originator of the information.

In keeping with the protocol or etiquette developed in the usage of the internet, some degree of privacy or confidentiality with respect to the identity of the internet protocol address of the originator of a message has significant safety value and is in keeping with what should be perceived as being good public policy. As far as I am aware, there is no duty or obligation upon the internet service provider to voluntarily disclose the identity of an internet protocol address, or to provide that information upon request.

[38] Parliament has also recognized the need to protect privacy by enacting PIPEDA, which has as one of its primary purposes the protection of an individual's right to control the collection, use and disclosure of personal information by private organizations (section 3).

The context of this case is a civil lawsuit, but the sentiments would apply in the criminal context as well. The Ontario courts have more recently dealt with the exact issue we are discussing here (including the use of a so-called "letter of authority") in Re S.C., 2006 ONCJ 343 (CanLII). In this case, Justice of the Peace Conacher was being asked to issue a search warrant on the basis of information provided by an ISP to the police pursuant to a letter of authority. The Court considered both the expectation of privacy and section 7(3)(c.1)(iii) of PIPEDA, referred to by David Butt. This section reads:

Disclosure without knowledge or consent

(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is ...

(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that
(i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,

(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or

(iii) the disclosure is requested for the purpose of administering any law of Canada or a province; [emphasis added]

In the result, the Court in Re S.C. concluded that an ongoing criminal investigation is not "lawful authority" under PIPEDA that would permit the ISP to disclose the name and address of a subscriber without consent or a warrant:

[9] However, s. 7(3) stipulates that the information can be provided without consent only if the body seeking the information has "identified its lawful authority to obtain the information" and has indicated that the disclosure is requested (in this case) for law enforcement purposes. The Act does not set out that the existence of a criminal investigation is, in and of itself, “lawful authority” within the meaning of the Act nor, therefore, does a “Letter of Request for Account Information Pursuant to a Child Sexual Exploitation Investigation” establish such authority. Accordingly, there must still be some “legal authority” to obtain the information; in the view of this Court s. 7(3)(c.1)(ii) by itself does not establish what that “lawful authority” is. The section provides authority for disclosing information. It does not establish the authority for obtaining and possessing the information.

[10] The Information to Obtain does not otherwise reflect that the Informant established to Bell Canada the lawful authority, within the meaning of the Act, by which the investigators were seeking to obtain the requested information. Accordingly, Bell Canada did not have a basis upon which to disclose the information.

[11] In the absence of express authority within the legislation, the Charter right not to have one’s reasonable expectation of privacy interfered with, except through prior judicial authorization with all the protections that affords, must govern. Accordingly, it is the view of this Court that the Informant is not lawfully in possession of the information that was provided by Bell Canada. Therefore, that information must be set aside in the overall consideration of this application to obtain a search warrant.

With respect to the other points raised, the current Criminal Code allows for searches and obtaining personal information if there are exigent circumstances that require the information immediately. Whether the bar should be further reduced (or can be further reduced in light of the Charter), I leave to others to debate.

Friday, December 01, 2006

Phoenix airport rolling out backscatter x-ray tech

Interesting development:

Phoenix airport to test X-ray screening - Yahoo! News:

"PHOENIX - Sky Harbor International Airport here will test a new federal screening system that takes X-rays of passengers' bodies to detect concealed explosives and other weapons.

The technology, called backscatter, has been around for several years but has not been widely used in the U.S. as an anti-terrorism tool because of privacy concerns.

The Transportation Security Administration said it has found a way to refine the machine's images so that the normally graphic pictures can be blurred in certain areas while still being effective in detecting bombs and other threats.

The agency is expected to provide more information about the technology later this month but said one machine will be up and running at Sky Harbor's Terminal 4 by Christmas...."

CIPPIC calls for major changes to PIPEDA

Again on the topic of the PIPEDA review, the Canadian Internet Policy and Public Interest Clinic (CIPPIC) has released its written submission to the Parliamentary Committee on Ethics, Access to Information and Privacy. Not surprisingly, they are calling for some major changes:

We therefore propose a number of amendments designed to clarify rights and obligations, to close gaps, and to give the regime the "teeth" it is clearly lacking. Such amendments include:
  • giving the Commissioner (or an associated Tribunal) order-making powers;
  • reducing barriers to the enforcement of PIPEDA rights via Federal Court;
  • permitting class actions under PIPEDA;
  • providing for punitive as well as compensatory damages in court;
  • mandatory naming of respondents in published Commissioner findings;
  • mandatory Commissioner reporting on complaints;
  • expanding the list of offences under PIPEDA;
  • removing the "reasonable grounds" requirement for audits; and
  • giving the Commissioner powers to share information with her counterparts.

While PIPEDA's redress and enforcement regime is most in need of reform, some important substantive provisions of the Act suffer from lack of clarity, and others leave strange gaps. We have therefore proposed amendments to clarify and add provisions dealing with:

  • the criteria for valid consent;
  • data breach notification;
  • reasonable limits on collection, use and disclosure;
  • children's privacy;
  • openness and individual access;
  • attempted collection, use and disclosure;
  • state surveillance; and
  • the definition of "organization".

Update (20070118): For links to the full hearing transcripts, go to: Canadian Privacy Law Blog: PIPEDA Review Transcripts.

Day four of the PIPEDA hearings

Michael Geist has a summary of the fourth day of testimony before the Parliamentary Committee conducting the PIPEDA review hearings:

Michael Geist - PIPEDA Hearings - Day 04 (B.C. Privacy Commissioner Loukidelis and Professor Val Steeves):

"Wednesday's PIPEDA hearing featured B.C. Privacy Commissioner David Loukidelis and University of Ottawa professor Val Steeves. Commissioner Loukidelis went even further than the federal privacy commissioner in downplaying significant change. Loukidelis downplayed his order making power (a last resort), security breach notification (more evidence on impact needed), and even the concerns associated with cross-border transfers to the U.S. (can always pick a different private sector company). Professor Steeves highlighted the privacy challenges posed by new technologies and offered some specific reform recommendations. Natalie Senst was in attendance on Wednesday afternoon and she filed the following report:..."

Update (20070118): For links to the full hearing transcripts, go to: Canadian Privacy Law Blog: PIPEDA Review Transcripts.