Sunday, December 30, 2007

2007 "worst year ever" for data breaches

Looking back, 2007 has been the worst year ever for privacy breaches. This may only be the case because of mandatory breach reporting in many US jurisdictions, but the numbers are pretty staggering. See: Personal data theft reaches all-time high - Houston Chronicle, which includes:

Major 2007 breaches

Some major data breaches disclosed in 2007:

  • Discount retailer TJX Cos. reports hackers broke into its computer systems and accessed at least 46 million customer records, primarily credit card data. Banks later sue TJX and estimate the breach involved at least 94 million records.
  • Britain's tax and customs department loses two computer disks containing personal information such as addresses and bank account numbers for about 25 million people. The disks were sent via internal government mail to the government's audit agency, but never arrived.
  • Dai Nippon Printing Co., a Japanese commercial printing company, says a former contract worker stole nearly 9 million pieces of private data on customers from 43 clients.
  • A check-authorizing subsidiary of Fidelity National Information Services says information on 8.5 million consumers was stolen, allegedly by a former employee.
  • Online brokerage TD Ameritrade Holding Corp. said one of its databases was hacked and contact information for its more than 6.3 million customers was stolen.
  • The online job site Monster Worldwide Inc. discovered that con artists had grabbed contact information from resumes of 1.3 million people.

Source: Associated Press research

The Year in Law and Technology from A to Z

Continuing the "year in review" trend, Michael Geist's annual A to Z of techlaw in Canada is heavy on privacy content. See: Michael Geist - The Letters of the Law: The Year in Law and Technology from A to Z.

Offsite surveillance in Halifax bar may set precedent

I was interviewed the other day by Chris Lambie of the Halifax Chronicle Herald in response to the recent decision to restore the liquor license of a well-known Halifax bar on the condition that it double its surveillance cameras and allow the feeds to be reviewed off-site by the police (See: Canadian Privacy Law Blog: Halifax bar gets liquor license back on condition that cops have off-site access to surveillance system). I didn't realize that my comments would form its own article ...

Dome agreeing to let cops monitor patrons via in-house cameras could set precedent, privacy expert fears - Nova Scotia News -

By CHRIS LAMBIE Staff Reporter

Sun. Dec 30 - 5:27 AM

The decision to give law enforcement officials access to surveillance cameras at the Dome bar complex in downtown Halifax could mean other bars will be forced to do the same if they want to keep selling booze, says a privacy expert.

Authorities closed the Dome after a brawl early on Dec. 24 resulted in 38 arrests. The bar is back in business now, but only after it agreed to implement a long list of security measures, which include giving police and liquor inspectors full access to surveillance cameras at the premises or via the Internet.

"The biggest risk is this can become more common, and once you start doing that it’s very easy to extend it further and extend it further," said David Fraser, a privacy lawyer in Halifax.

"They see it work in once place and they extend it all over the place. And then it’s impossible to go out and have a drink without actually being watched by the police. A lot of people would get freaked out by that."

Once police and liquor inspectors get access to surveillance cameras in bars with a history of violence, authorities could make it mandatory in establishments with potential for problems, Mr. Fraser said.

"As these things become more normal or more standard, the less jarring it is for those who actually care about privacy.

"If you put a frog in a pot of cold water and you turn up the heat, it’s not going to jump out because it doesn’t notice the incremental changes."

There would be few limits on what authorities could do with the information they gather from surveillance cameras, Mr. Fraser said.

"It’s really no different than, theoretically, having a cop sitting at the bar or walking around the establishment. It’s just a whole lot more convenient and probably more pervasive."

Mr. Fraser said he’d be less likely to have a drink in a bar if he knew authorities could be watching.

"The idea of being watched at all has a psychological kind of a factor. For some people, it adds enough of a creep-out factor that, if you’re given the choice of two places that are otherwise identical, one has video surveillance which you know is being watched by cops and the other one doesn’t, regardless of whether or not you intend to do anything unlawful, you’d probably go to the place that was slightly less creepy. At least that would be my own inclination."

The more people watching surveillance cameras in bars, the more room there is for abuse, Mr. Fraser said.

"Sometimes on cable (TV) you’ll see these shows of weird things caught on surveillance," he said.

"Many of them come from the United Kingdom, where there’s pervasive surveillance by law enforcement. And people are making copies of these tapes when they see funny things. And you can tell, when you see how the cameras zoom, that they follow attractive women’s bottoms and things like that. Stuff like that really has the potential to be abused."

Police aren’t sure yet how they’ll use 64 surveillance cameras at the Dome.

"This is something new to us. We’ve never had access to their cameras, other than, as in any establishment, you would have after (a crime) for the purpose of investigation," Halifax Regional Police Supt. Don Spicer said after Friday’s Utility and Review Board hearing that reinstated the Dome’s liquor licence.

"So we really have to look at what we really will be doing with the access that we will be gaining."

There are signs outside the Dome indicating the bar is under video surveillance.

"When you go to a public place, which a bar is, and the signs are posted, I don’t think there will be any problems," said Environment and Labour Minister Mark Parent, who is responsible for the alcohol and gaming division.

The new camera system means liquor inspectors will be able to monitor the bar without being there, Mr. Parent said.

"That was something that the bar owner offered voluntarily and it makes our job that much easier," he said.

It does set a precedent "for bars like the Dome," Mr. Parent said.

"It clearly sends a signal to any other establishment that’s having problems that they need to take some dramatic steps."

At first, Mr. Parent said it’s not akin to the all-seeing Big Brother in George Orwell’s novel Nineteen Eighty-four.

"I guess Big Brother if you want to put it in that sense, if you’re out to do something wrong," he said. "If you’re not out to do something wrong, then I think you’d see it as a safeguard."

The cameras are "an effective low-cost tool because we don’t have the staffing to be everywhere at once," Mr. Parent said. "So I think the important thing is that notices are up so people know, so that it’s not a surprise to them."

Surveillance video could be used to both indict and clear people of any wrongdoing, he said.

"Certainly there are privacy concerns that need to be addressed," Mr. Parent said. "The tapes would need to be used only by official people. You’d have to be very careful how you used them and they would have to make sure that there was no abuse of that in any way. . . . It’s always a balance between public safety and public privacy."

Update: I was just interviewed by CBC Radio News here in Halifax on the story. Here's the piece:

Here, also, is the order of reinstatement from the Utility and Review Board of Nova Scotia.

Update: Here's a CBC online report: Police plans for Halifax bar surveillance cameras cause concerns.

The Worst Privacy Quotes of the Year for 2007

More "year in review" content, this time the worst privacy quotes of the year from CSO Magazine:

Privacy: The Worst Quotes of the Year - Web Exclusives - Online Column - CSO Magazine

...And the Privvy for Doubleplusgood Newspeak of the Year goes to... Deputy Director of National Intelligence Donald Kerr

"Too often, privacy has been equated with anonymity; and it’s an idea that is deeply rooted in American culture.... But in our interconnected and wireless world, anonymity—or the appearance of anonymity—is quickly becoming a thing of the past.... We need to move beyond the construct that equates anonymity with privacy and focus more on how we can protect essential privacy in this interconnected environment. Protecting anonymity isn’t a fight that can be won. Anyone that’s typed in their name on Google understands that."

Privacy advocates seized on Kerr’s Orwellian attempt to singlehandedly change the definition of privacy because, hey, it’s really hard. (Source: Office of the Director of Naval Intelligence.)

Thanks to Pogo for the link.

TJX creates executive jobs to deal with privacy issues

In the better late than never department: TJX creates executive jobs to deal with privacy issues - The Boston Globe. (Thanks to Pogo for the link.)

Saturday, December 29, 2007

UK considers proposal that execs be directly accountable for personal information

In the wake of the UK's recent huge privacy incident, parliamentarians are considering a proposal that executives be directly accoutable for information security and perhaps even have to certify -- a la Sarbox -- its information practices. See: Call for CEOs to carry can for data leaks - Times Online.

Canada on top in international privacy survey

Privacy International's latest report puts Canada at the top of the heap (along with Greece and Romania), but sinking into the mire.

The Canadian Press: Canada, Greece and Romania have best privacy records, global report says

Canada, Greece and Romania have best privacy records, global report says 59 minutes ago

LONDON - Individual privacy is best protected in Canada but is under threat in the United States and the European Union as governments introduce sweeping surveillance and information-gathering measures in the name of security and border control, an international rights group said in a report released Saturday.

Canada, Greece and Romania had the best privacy records of 47 countries surveyed by London-based watchdog Privacy International. Malaysia, Russia and China were ranked worst.

Both Britain and the United States fell into the lowest-performing group of "endemic surveillance societies."

"The general trend is that privacy is being extinguished in country after country," said Simon Davies, director of Privacy International. "Even those countries where we expected ongoing strong privacy protection, like Germany and Canada, are sinking into the mire.

"I'm afraid that Canada has kind of lost the plot a plot a little bit this year and hence its move downwards," Davies told the Canadian Press in comments about Canada.

He cites the C-I-A's accessing the banking records of Canadians through the SWIFT banking information system, the Canadian no-fly list, and the Toronto Transit Commission's installation of security cameras as examples of the erosion of privacy rights.

He also decried the increasing number of programs involving the United States, which he said unfortunately has no federal privacy law.

"What's happening, is that Canadian information, sensitive information, is flowing across the border in increasing volumes," Davies said.

"Frankly, that's the sort of situation where government should put pressure on the U.S. government to protect that information legally," he said, "But it's not doing so."

The report came two days after Privacy Commissioner Jennifer Stoddart warned in a release that 2008 will be "another challenging one for privacy in Canada."

"Heightened national security concerns, the growing business appetite for personal information and technological advances are all potent - and growing - threats to privacy rights," Stoddart said.

In the United States, President George W. Bush's administration has come under fire from civil liberties groups for its domestic wiretapping program, which allows monitoring - without a warrant - of international phone calls and e-mails involving people suspected of having terrorist links.

"The last five years has seen a litany of surveillance initiatives," Davies said.

He said little had changed since the Democrats took control of Congress a year ago.

"We would expect the cancellation of some programs, the review of others, but this hasn't occurred," Davies said.

Britain was criticized for its plans for national identity cards, a lack of government accountability and the world's largest network of surveillance cameras.

Davies said the loss earlier this year of computer disks containing personal information and bank details on 25 million people in Britain highlighted the risks centralizing information on huge government databases.

The report said privacy protection was worsening across western Europe, although it was improving in the former Communist states of eastern Europe.

It said concern about terrorism, immigration and border security was driving the spread of identity and fingerprinting systems, often without regard to individual privacy.

The report said the trends "have been fuelled by the emergency of a profitable surveillance industry dominated by global IT companies and the creation of numerous international treaties that frequently operate outside judicial or democratic processes."

The survey considers a range of factors including legal protection of privacy, enforcement, data sharing, the use of biometrics and prevalence of CCTV cameras.

The 2007 Security Hall of Shame

Another "year in review" ... this time the Computerworld nominees to the security hall of shame:

The 2007 Security Hall of Shame

A brace of breaches: 2007's five worst

In a league of its own: The TJX Companies Inc.

The U.K.'s VA: HMRC misplaces records on 25 million kids In November

The system was broken brokered: Fidelity National Information Services

Some honor among thieves: TD Ameritrade Holding Corp. Brokerage firm Ameritrade

Creatures from the hack lagoon:

Ummm ... oops?

Notable meltdowns

Do you copy?: DHS's self-created DDoS attack

Bag that: Supervalu gets phished

Undiplomatic relations: Symantec in China

Hear me, see me: House outs whistle-blowers

Arrrrr! WGA sees pirate people

... and your 2007 poster boys

Consultant turns bot herder: John Schiefer

Exit strategy: Gary Min

Don't drop the soap: Ivory Dickerson

Unbirthday boy: Yung-Hsun Lin

Pick a hat already: Maxwell Butler

Halifax bar gets liquor license back on condition that cops have off-site access to surveillance system

Early on Christmas Eve a huge brawl at one of Halifax's largest bars resulted in the suspension of the property's liquor license. After a hearing yesterday, the license was restored on a number of conditions. Among them, the bar has to double the number of surveillance cameras on the premises and has to provide liquor regulators and the police with real-time access via the internet.

This is a first in Nova Scotia, but likely not the last time we'll hear of this. Why not have them mandatory in all licensed establishments? In all hotels? Hmm. Drinking takes place in university residences, so maybe we should require police surveillance of those places? The thin edge of the wedge.

See: Buck-a-drink binge nights bite the dust: Dome gets liquor licence back with vow to hike prices, beef up security

Friday, December 28, 2007

Security breach affects hundreds of thousands of porn consumers

Personal information on hundreds of thousands of users of adult websites may have been compromised in a breach that is said to have the potential to undermine the confidence that most consumers have in porn websites. Hmm.

See: Porn Industry Frets Over Security Breach Internet: Customers' Personal Data Accessed. - Technology - RedOrbit.

Privacy resolutions from the PCC

Privacy resolutions from the Privacy Commissioner of Canada:

News Release: Do you resolve to protect your privacy in 2008? (December 27, 2007) - Privacy Commissioner of Canada

Do you resolve to protect your privacy in 2008?

OTTAWA, December 27, 2007 – Threats to the privacy rights of Canadians will intensify in 2008 unless organizations resolve to do more to protect personal information, warns Privacy Commissioner of Canada Jennifer Stoddart.

“Heightened national security concerns, the growing business appetite for personal information and technological advances are all potent – and growing – threats to privacy rights,” says Commissioner Stoddart.

“The coming year will be another challenging one for privacy in Canada.”

With that prediction in mind, Commissioner Stoddart today released her 2008 list of top 10 suggested New Year’s resolutions for businesses, individuals and government.

Resolutions for businesses in Canada:

1. Protect personal information with strong security.

More than 162 million records were compromised by theft or loss in 2007, triple the number of data losses for the previous year, according to a USA Today analysis of breaches in the US, Canada and other countries. This alarming trend can be reversed if businesses begin to recognize the value of personal information. The disastrous breach involving Winner’s and HomeSense stores is an example of what can go wrong if businesses don’t invest in the latest security.

2. Use encryption to protect personal information on mobile devices such as laptops.

We are seeing too many headlines about personal information at risk because a laptop has been lost or stolen. Organizations must ensure personal information on a mobile device is encrypted – protecting information stored on a laptop with a password is simply not enough.

3. Ensure credit card processing equipment masks complete card numbers on receipts.

Complete credit card numbers should not be printed on receipts for electronically processed transactions. Businesses were supposed to switch to electronic processing equipment that masks card numbers – for example, by printing Xes – by the end of 2007. Printing complete card numbers exposes customers to the risk of identity theft. (Some very small businesses may still be manually taking imprints of cards because it is not economically feasible for them to purchase electronic equipment. They should still take all steps necessary to protect the information they collect.)

Resolutions for Canadians:

4. Think twice before posting personal information on social networking sites.

Many Facebook and Myspace users think of these sites as private, when, in reality, the information they post can often be seen by just about anyone. Before posting something, ask questions such as: How would I feel defending this comment or photo during a job interview five years from now? Am I harming someone else or invading someone’s privacy by posting this comment, photo or video? We like this simple rule of thumb: If Grandma shouldn't know, it shouldn't be posted.

5. Ask questions when someone asks for personal information.

It’s a good idea to understand why information such as your phone number or postal code, or driver’s licence is being requested and how it will be used. If you are concerned about receiving junk mail or telemarketing calls, decline to provide the information. Canada’s privacy laws offer you a choice about providing personal information that is not necessary for a transaction.

6. Take steps to protect your personal information.

Invest in a good shredder or burn all documents that include your name, address, SIN, financial information or other sensitive personal information. Papers containing personal information don’t belong in the recycling bin.

Resolutions for the federal government:

7. Overhaul the no-fly list to ensure strong privacy protections for Canadians.

The no-fly list involves the secretive use of personal information in a way that has very serious impact on privacy and other human rights. Innocent Canadians face the very real risk they will be stopped from flying because they’ve been incorrectly listed or share the name of someone on the list.

8. Move forward with proposed reforms to Canada’s privacy laws.

The federal government is currently holding consultations on important amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA). These proposed changes include mandatory breach notification, a step that would encourage businesses to take security more seriously and protect Canadians against identity theft.

We also urge the federal government to open a review of the Privacy Act, which will be celebrating its 25th anniversary in 2008. Canadians should be offered the same level of legal protection under the Privacy Act as they have, as consumers, under PIPEDA.

9. Ensure that identity theft legislation is swiftly passed.

The government has introduced Criminal Code amendments to help police stop identity thieves or fraudsters before Canadians suffer actual financial harm. The changes include explicit penalties for collecting, possessing and trafficking in personal information.

10. Develop anti-spam legislation.

Canada remains the only G-8 country without anti-spam legislation, raising the danger that we will become a harbour for spammers. Halting the proliferation of spam is another important measure necessary to address identity theft.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

Thursday, December 27, 2007

The top science-and-tech privacy threats of 2007

'Tis the season for the year in review. Slate kicks it off with the The top science-and-tech privacy threats of 2007. The list includes:

  1. Surveillance cameras.
  2. The war on smoking.
  3. The war on junk food.
  4. The war on salt.
  5. Pedestrian cell-phone use.
  6. Naked body scanners.
  7. Phone-surveillance ads.
  8. Human chip implants.
  9. Mind-reading.
  10. Manipulating sexual orientation.

Identity Theft Cartoon

Thanks to Schneier on Security for the link.

Sunday, December 23, 2007

More UK data breaches come to light

I think we'll be seeing even more of these out of the UK as government authorities and the media turn their attentiont to the issue.

It's being reported that a number of National Health System trusts have "lost" the personal information of hundreds of thousands of British residents in the past little while. See: BBC NEWS UK Nine NHS trusts lose patient data

Saturday, December 22, 2007

FTC green lights Google and DoubleClick merger

This past week, the US Federal Trade Commission gave the green light to the merger of Google and DoubleClick. As is highlighted in the official Google blog entry on the topic, privacy didn't play any part in the FTC's decision:

Official Google Blog: Analysis: The FTC clears our acquisition of DoubleClick

Privacy not a part of the merger review. Though we strongly believe in protecting our users' privacy, the FTC clearance decision reaffirmed the law by noting that privacy concerns played no role in its merger review. This is an important principle, as privacy issues need to be addressed on an industry-wide basis, and not on a company-by-company basis. The FTC wrote, "although such issues may present important policy questions for the Nation, the sole purpose of federal antitrust review of mergers and acquisitions is to identify and remedy transactions that harm competition. Not only does the Commission lack legal authority to require conditions to this merger that do not relate to antitrust, regulating the privacy requirements of just one company could itself pose a serious detriment to competition in this vast and rapidly evolving industry." The FTC also noted, however, "that the evidence does not support a conclusion" that this particular transaction will harm consumer privacy.

Data combination wouldn't pose problems. The FTC rejected the suggestion from competitors that Google would combine user information with DoubleClick's customers' data to obtain an advantage in the market, writing that the data is owned by DoubleClick’s customers and that "at bottom, the concerns raised by Google’s competitors regarding the integration of these two data sets -- should privacy concerns not prevent such integration -- really amount to a fear that the transaction will lead to Google offering a superior product to its customers." Moreover, "a number of Google’s competitors have at their disposal valuable stores of data not available to Google. For instance, Google’s most significant competitors in the ad intermediation market, Microsoft, Yahoo!, and Time Warner have access to their own unique data stores."

FBI aims for world's largest biometrics database

This sort of stuff no longer surprises me, but this bit of the story on Yahoo! News is interesting:
FBI aims for world's largest biometrics database - Yahoo! News

... At an employer's request, the FBI will also retain the fingerprints of employees who have undergone criminal background checks, the paper said....

Thursday, December 20, 2007

Surgeon snaps pictures of patient's privates

I don't think there's much debate that the relationship between a physician and a patient is one where confidentiality and trust are absolutely critical. This is why there's such outrage when a physician takes advantage of this position of trust.

Yahoo! News is running an article about a Chief Resident of General Surgery from an Arizona hospital who took a picture of a patent's tattooed genitals when the patient was sedated. The surgeon apparently was showing the picture around to other doctors, thinking the tattoo "HOT ROD" was funny. It may be funny, but the actions of this physician are appalling and bring the whole profession into disrepute. See: Tattooed privates prove not so private - Yahoo! News.

UPDATE: No HIPAA charges expected: Doctor in penis case likely will avoid federal charges.

Wednesday, December 19, 2007

Alberta faults Ticketmaster for requiring consent to secondary purposes

The Alberta Information and Privacy Commissioner has found that Ticketmaster violated that province's privacy law by requiring that purchasers consent to use of their information by concert promoters. From the Commissioner:


Office of the Information and

Privacy Commissioner of Alberta

December 19, 2007

Ticketmaster investigated under Personal Information Protection Act

The Office of the Information and Privacy Commissioner has found that Ticketmaster Canada Ltd (Ticketmaster) contravened the Personal Information Protection Act (PIPA) by requiring on-line customers to consent to the use of personal information for the event provider’s marketing purposes, as a condition of a ticket sales transaction. The investigation also determined Ticketmaster’s on-line opt-out process did not allow customers to make an informed decision about consent nor did it offer customers a reasonable opportunity to decline or object to the use of their personal information for event providers’ marketing purposes. Ticketmaster’s on-line privacy policy was also found to be complex and ambiguous.

The Complainant went on Ticketmaster’s website, to purchase tickets for an event. During the on-line transaction, the Complainant was unable to proceed with his on-line ticket purchase unless he consented to Ticketmaster’s “Use of Personal Information” privacy statement. The Complainant was particularly concerned with the contents of this privacy statement, which authorized Ticketmaster to share his email address with event providers for the event providers’ marketing purposes.

Ticketmaster agreed to implement the Investigator’s recommendations, which included launching, across Canada, a new on-line and telephone opt-in mechanism for event providers’ marketing communications. This mechanism offers on-line and telephone customers the opportunity to opt-in to receiving marketing materials from event providers by checking a box during the on-line ticket purchase process. In conjunction with the new on- line opt-in mechanism, Ticketmaster posted its revised on-line privacy policy with an easily navigable table of contents linking to appropriate section of the policy. To obtain a copy of Investigation Report P2007-IR-007, please visit our website at:

CBC has some coverage of the story here: Arts - Ticketmaster's online sales violated Alberta privacy law.

Tuesday, December 18, 2007

Google Maps with "my location"

I just got a new Blackberry Curve 8310, with built-in GPS. But just before giving up my old Blackberry 8700 I installed the new Google Maps with the "my location" feature. The "my location" feature is somewhat handy but the privacy geek in my has a few questions.

The feature uses signals from the cell phone network to approximate your location within a few hundred metres (depending on the density of cell towers in your area). When I installed it, I didn't have to give it any special permission to get access to carrier information or other stuff. Handy if I want it, but it makes me wonder whether any software installed on my Blackberry can get access to this data and perhaps transmit it in the background. That certainly raises privacy issues.

If anyone knows, please let me know.

In the meantime, here's a Google promotional video on the new Google Maps:

Monday, December 17, 2007

New device may end drunk driving?

Friend and compatriot PGuy pointed me to this story about a new device that would be built into new cars that would prevent the car from starting if the driver shows evidence of having too much alcohol in their blood. The technology would sense it from the driver's skin through the steering wheel: New device may end drunk driving The News is He asked if I thought it raises privacy issues.

I don't really see privacy issues per se, unless the thing records the readings. But I'm not sure it's a good idea. Those most likely to otherwise drink and drive will bypass the system or will hit the reefer if they intend to take the car home.

I just wonder where these things will end. A sensor that you're too tired, too jittery, too easily distracted, listening to an iPod, eating a cheese burger, have squabbling kids in the back?

Thursday, December 13, 2007

People don't really like surprises

Seth Godin has an interesting take on privacy, particularly online:

Seth's Blog: People don't truly care about privacy

People don't truly care about privacy

There's been a lot of noise about privacy over the last decade, but what most pundits miss is that most people don't care about privacy, not at all.

If they did, they wouldn't have credit cards. Your credit card company knows an insane amount about you.

What people care about is being surprised.

If your credit card company called you up and said, "we've been looking over your records and we see that you've been having an extramarital affair. We'd like to offer you a free coupon for VD testing..." you'd freak out, and for good reason.

If the local authorities start using what's on the corner surveillance cameras to sell you a new kind of commuter token, you'd be a little annoyed at that as well.

So far, government and big companies have gotten away with taking virtually all our privacy away by not surprising most of us, at least not in a vivid way. Libertarians are worried (probably with cause) that once the surprises start happening, it'll be too late.

This leads us to's new Eraser service, which promises to not remember stuff about your searching. The problem they face: most people want Google and Yahoo and Amazon to remember their searches, because it leads to better results and (so far) rarely leads to surprises.

The irony is that the people who most want privacy are almost certainly the worst possible customers for a search engine. These are the folks who are unlikely to click on ads and most likely to visit the dark corners of the Net. If I were running a web property, I'd work hard to attract the people who least want privacy and want to share their ideas with everyone else

Make promises, keep them, avoid surprises. That's what most people (and the profitable people) want.

Monday, December 10, 2007

Boy awaits bone-marrow transplant

This has nothing to do with privacy, but I'm trying to get the word out as widely as I can.

Many in Atlantic Canada may recall hearing about Zachery Hall in the newspapers and on the regional television news some time ago. Zachery was a little boy who suffered from the disease Adrenoleukodystrophy (ALD) []. It is a very rare disease in which the body's myelin is progressively destroyed by a mechanism that is not well understood. (Myelin is the insulation for our body's nerve cells.) The disease causes progressive deterioration of the nervous system, leading to failure to develop, seizures, loss of coordination, then blindness, deafness, dementia and ultimately death.

Members of the community were very generous to support Zachery's family while he was undergoing treatment. Our support also helped him to go to Disneyland with his family while he was still able to enjoy it. Zachery Hall died in 2006 at age 10.

Zachery's little brother, Bretton, has been diagnosed with the same horrendous disease. They have been able to identify it at a much earlier stage than Zachery's and are hopeful that earlier treatment may be able to provide him with a longer life with greater quality of life.

Bretton's family is not well off to begin with. He will be receiving very long and expensive treatments in Ontario. We hope to be able to assist the family with their expenses in this.

Bretton's aunt and I have set up a trust account at ScotiaBank to assist the family. We hope to be able to help with his treatments, assist with his quality of life and to help the family in what is a devastatingly difficult time. The community has been very generous in the past and I'm hopeful that we may be able to help this family in our community. If you are able to make a donation, please let us know. You can send a cheque to either of us, payable to “Jo Anne Conrod and David Fraser in Trust”, or you can make a deposit at any Scotiabank Branch (Name: Jo-Anne Conrod & David T. Fraser (In Trust for Bretton Kinslow) / Act#: 700030255629 / Transit#: 70003).

David Fraser

c/o McInnes Cooper

1300-1969 Upper Water Street

PO Box 730

Halifax, NS B3J 2V1

Jo-Ann Conrod

c/o St. Matthew’s United Church

1479 Barrington Street

Halifax, NS B3J 1Z2

Donations are gratefully received through the account shown above, or via PayPal.

From today's Halifax Daily News:

Halifax, The Daily News: News Boy awaits bone-marrow transplant

Not unlike other boys his age, six-year-old Bretton Kinslow spent a good chunk of time before bed last night jumping off the couch, trying out new wrestling moves and practising tricks on his skateboard.

Unlike other boys his age, Bretton and his family are standing by at their Hatchet Lake home for a call from Sick Kids Hospital in Toronto with the news that there's a stem-cell match for the grade primary student.

On Nov. 8, Bretton was diagnosed with the same genetic disease that killed his brother Zachery Hall just last year at the age of 10.

Adrenoleukodystrophy or ALD - a rare disease that was depicted in the 1992 film Lorenzo's Oil - causes damage to the myelin sheath that insulates the nerve cells in the brain.

Severely affected

The most common type of ALD is linked to the x-chromosome and, with only one x-chromosome, men are more severely affected.

Young boys are the most common victims of the disease, which causes progressive deterioration of the nervous system leading to loss of co-ordination, blindness, deafness, dementia and, ultimately, death.

By the time doctors realized what was wrong with Zach, his mother Lisa Kinslow said, it was too late.

But after he became sick, the IWK kept a close eye on Bretton.

"They monitored Bretton every six months," Kinslow said.

At the last six-month checkup, it was confirmed Bretton had developed ALD.

He's now on the list for a bone- marrow transplant, which is conducted using the stem cells from an umbilical cord.

With the transplant, every cell in Bretton's body will be renewed, hopefully staving off the deterioration of his nervous system.

"He won't even have the same blood type anymore," Kinslow said.

While Bretton bounced himself off the couch, showing off for the photographer, Kinslow and her husband Mark explained there are no guarantees the transplant will save Bretton, but he has a better chance than his older brother, who was diagnosed too late.

"With Zach, it was different; we knew the outcome," she said.

"With this one, we're fighting for it."

Some understanding

Kinslow said Bretton has some understanding of what's going on.

He knows he's going to Toronto for the doctors to make him better; he knows he'll have to take a lot of medication; and because of chemo-therapy before the transplant, he knows he'll probably lose his hair.

"I don't want to be bald," he said at one point last night, grinning and rubbing his head.

Kinslow admitted it's been a rough go for the family.

She's trying to keep it together for Bretton and trying not to let his illness become the focus.

"We spend every day with him, we play with him, we talk with him," she said.

"There's nothing that he wants to do that we don't try."

Bretton's aunt, Jo-Anne Conrod, and family lawyer David Fraser with McInnes Cooper have set up a trust fund for Bretton and his family to help get them through their time in Toronto and future challenges.

Donations can be deposited at any Scotiabank branch under the name Jo-Anne Conrod and David T. Fraser (In Trust for Bretton Kinslow/Acct. # 700030255629/ Transit #70003)

Wednesday, December 05, 2007

Credit-card company facing liquidation

I am surprised this hasn't received more coverage. Cardsystems is facing bankruptcy as a result of the very high profile data breach in 2005. See: Credit-card company facing liquidation | ®.

Alberta drug testing case one to watch

Daniel J. Michaluk has a great comment on an Alberta case that's pending dealing with employee drug testing, which is a very common practice in that province's oil sands projects. Check it out: One to watch - Drug testing case at Alberta CA « All About Information.

US judge denies feds' request for Amazon customer list

A US federal judge has denied a request by the Federal Government for a subpoen of a list of customers, citing the chilling effect that such a subpoena may have:

The Associated Press: Feds Cancel Amazon Customer ID Request


"The (subpoena's) chilling effect on expressive e-commerce would frost keyboards across America," U.S. Magistrate Judge Stephen Crocker wrote in a June ruling.

"Well-founded or not, rumors of an Orwellian federal criminal investigation into the reading habits of Amazon's customers could frighten countless potential customers into canceling planned online book purchases," the judge wrote in a ruling he unsealed last week.

Seattle-based Amazon said in court documents it hopes Crocker's decision will make it more difficult for prosecutors to obtain records involving book purchases. Assistant U.S. Attorney John Vaudreuil said Tuesday he doubted the ruling would hamper legitimate investigations.

Crocker — who unsealed documents detailing the showdown against prosecutors' wishes — said he believed prosecutors were seeking the information for a legitimate purpose. But he said First Amendment concerns were justified and outweighed the subpoena's law enforcement purpose.

"The subpoena is troubling because it permits the government to peek into the reading habits of specific individuals without their knowledge or permission," Crocker wrote. "It is an unsettling and un-American scenario to envision federal agents nosing through the reading lists of law-abiding citizens while hunting for evidence against somebody else."

Tuesday, December 04, 2007

Incident: Passport applicant finds massive privacy breach

This is interesting: Passport applicant finds massive privacy breach

A security flaw in Passport Canada's website has allowed easy access to the personal information - including social insurance numbers, dates of birth and driver's licence numbers - of people applying for new passports....

Thanks to Michael Geist for the link.

Nevada Passes Data Encryption Law

The Business and Technology blog from Scott & Scott reports that Nevada has just passed a law requiring the encryption of personal information when in transit. See:

Nevada Passes Data Encryption Law (Business and Technology Law)

Nevada recently passed a law requiring businesses to encrypt customers’ personal information during transmission of an electronic transaction. While other data protection laws require the shredding of records or the implementation of reasonable security measures to protect sensitive information, Nevada’s mandates use of encryption technology....

Monday, December 03, 2007

Identity theft bill will help in battle

David Canton's most recent Canoe column provides a good overview of the anti-ID theft legislation: Identity theft bill will help in battle.

Sunday, December 02, 2007

TJX Agrees to Pay $40.9 Million to Visa Card Issuers

According to the New York Times, TJX has agreed to settle claims brought against it by Visa card issuing banks if they accept the offer by December 19. Claims will be paid by year end. See: TJX Agrees to Pay $40.9 Million to Visa Card Issuers - New York Times.

Saturday, December 01, 2007

There's No Such Thing As An Anonymized Dataset

Techdirt has an interesting report, culled from Slashdot, about an experiment that went in an unanticipated direction. Neflix released a chunk of deidentified data hoping that researchers could use thed data to tweak and improve the company's recommendation algorithm. Other researchers used the data to match Neflix reviewers to IMDB reviewers, which identified many of the supposedly anonymous Neflix users. See: Techdirt: There's No Such Thing As An Anonymized Dataset (and thanks to Rob Hyndman for sending me the link.)

What's the big deal? Two things: first, those Neflix viewers thought their information would remain private and some of it would reveal personal attitudes toward sex, violence and other matters. Secondly, it is a lesson for anyone else who thinks that releasing an "anonymized" dataset would be ok.

Friday, November 30, 2007

Law enforcement access to personal information

Today I had the privilege of speaking at the annual professional development event of the Nova Scotia Criminal Lawyers Association, in association with the Nova Scotia Barristers' Society. The theme of the conference was very privacy-centric: Listening, Snooping and Searching: What's Right, What's Wrong.

I was also privileged to speak alongside S/Sgt Al Langille of the RCMP's integrated technology crime unit. He is a thirty-year veteran of law enforcement, including fifteen in technology crimes and computer forensics. A great guy and very privacy conscious.

My presentation, for those who may be interested, is here:

Wednesday, November 28, 2007

Reckless corporations may violate ID theft law

Fellow blogger David Canton is quoted in this interesting article that suggests reckless corporations may find themselves guilty of violating the new ID theft law:

Reckless Data Handling Could Violate ID Theft Law - Security Feed - News - CSO Magazine

Nov 27, 2007

Reckless Data Handling Could Violate ID Theft Law

The recently proposed amendment to the Criminal Code that would make "reckless" handling of personal information a crime can be troubling given the broad definition of the word, said one lawyer.

If Bill C-27 is passed, it will be an offense to make available or sell personal information (such as names, addresses bank account information and social insurance numbers) knowing it will be used to commit fraud -- or if the person or company selling the information is reckless as to whether the data will be used for fraud by a third party.

Bill C-27, an Act to Amend the Criminal Code (identity theft and related misconduct) was tabled in the House of Commons last week and passed first reading.

As reported by ITWorld Canada, vendors say Feds should enforce data encryption

The problem with measuring recklessness is a valid concern for organizations whose business relies on collecting customer personal information given the lack of industry standards, said Howard Simkevitz, lawyer with Toronto, Ont.-based law firm Lang Michener LLP.

Some international standards, from bodies such as the International Standards Organization (ISO), handle security compliance, but there is no equivalent for privacy, Simkevitz said.

"When we’re talking about identity theft and it’s the theft of personal information, that’s a distinct privacy-oriented term."

He added the term reckless includes the absence of precautions around securing customer personal data, so organizations should implement policies and procedures based around this. Overall, such precautions are mainly based on common sense and good corporate values around how to handle another person’s sensitive data, he said.

The privacy commissioner, he added, also makes available helpful guidelines around policies.

Actually, the Personal Information Protection and Electronic Documents Act (PIPEDA) provides a good starting point, he said, by advising organizations to determine whether the information they are collecting is personal, and if it is, to figure out if they have received consent to collect and use it for certain purposes.

"The risk of running afoul is at least minimalized, but there are tons of issues here, and the fact that now there are criminal sanctions that could be applied, is an issue," said Simkevitz.

The recklessness aspect of the bill is probably intended to capture people who do more than just act negligently, but "turn a blind eye" to securing personal information, said David Canton, a lawyer with London, Ont.-based law firm Harrison Pensa LLP.

When transferring that type of data to a third party, the organization should seek assurances that the recipient of the information is going to do what it has said it will do with the data, he said. Often, having contractual provisions to limit use of the data by a third party is useful, he added.

If companies seek such assurances, he said, "I would suspect that they haven’t crossed the reckless threshold."

But a rogue employee stealing customer personal information for the purposes of fraud could, depending on the circumstance, mean the company has been reckless, said Simkevitz. However, he said, if the company can demonstrate it took necessary actions to mitigate such risk, then it may not be held liable.

Typically, organizations are "vicariously liable" for actions of their employees, said Canton. Specifically, if the act committed falls within the ambit of that person’s job, then the organization can be held liable, he added, but "it’s not always an easy line to draw."

But given that Bill C-27 complements PIPEDA and other existing privacy legislation, said Canton, companies who have already dealt with privacy probably have dealt with the issues that this new bill presents.

The bill’s proposals do not add anything to existing legislation, said Canton, "but raises the bar and is maybe one way of putting criminal teeth in the security aspect of [PIPEDA], although it’s probably not its prime intention."

Canton said it’s hard to argue against some of the contents of the bill and it’s usually difficult to tell if such things will help deter identity theft, but it’s nonetheless a useful tool.

If anything, said Simkevitz, the bill "sensitizes corporations to the importance of protecting personal information."

In particular, he said, it’s great that it includes compensating victims of identity fraud, but it doesn’t address the issue of quantifying damages like the loss of a driver’s license versus hassle at the border because of issues with stolen identity.

"It certainly does [add teeth to PIPEDA]. Is this sufficient? I would be more reluctant to say that it is," said Simkevitz.

Besides that, he said the proposed amendment doesn’t address the use of spam to collect personal information, nor the issue of breach notification.

Alberta Commissioner investigating Barlink on ID swiping

I've blogged on this topic of bars swiping patrons' identification a number of times (see label "id swiping"), but it appears that we'll have a decision from the Alberta Commissioner on the topic in the next few months: - Edmonton News - Barlink probed by privacy watchdog.

Sunday, November 25, 2007

Consultant causes security breach of patient information in Newfoundland

An investigation has been launched in Newfoundland after a consultant working for public health authorities inadvertently breached security for personal health information, including HIV status, by allowing the information to be accessible on the internet. See: N.L. police probe security breach of patient information.

Friday, November 23, 2007

Mandatory gunshot reporting bill hits Nova Scotia legislature

Today, following yesterday's speech from the throne, the Conservative government of Nova Scotia introduced a bill in the legislature to make it mandatory that medical professionals call the cops when a person seeks treatment for a gunshot or stabbing wound. I hope to see some sensible debate about this. Already, a leading physician from the IWK Health Centre (our childrens' hospital) is saying he's concerned that it will discourage hurt young people from seeking treatment (see: Doctor pans mandatory reporting plan).

Personally, I am concerned that this may have the tendency to impair the critical relationship of trust between patients and physicians. As professionals are forced to be agents of the state -- and law enforcement in particular -- patients can trust them less with their confidences.

Cellphone Tracking Powers on Request

The Washington Post has an article on how, in some cases, law enforcement in the US is getting access to real-time tracking information about suspects' cell phones, without warrants or without probable cause. I was particularly reminded of some of the debate over lawful access in Canada:

Cellphone Tracking Powers on Request -

Cellphone Tracking Powers on RequestSecret Warrants Granted Without Probable Cause

By Ellen Nakashima

Washington Post Staff Writer

Friday, November 23, 2007; A01

Federal officials are routinely asking courts to order cellphone companies to furnish real-time tracking data so they can pinpoint the whereabouts of drug traffickers, fugitives and other criminal suspects, according to judges and industry lawyers.

In some cases, judges have granted the requests without requiring the government to demonstrate that there is probable cause to believe that a crime is taking place or that the inquiry will yield evidence of a crime. Privacy advocates fear such a practice may expose average Americans to a new level of government scrutiny of their daily lives.

Such requests run counter to the Justice Department's internal recommendation that federal prosecutors seek warrants based on probable cause to obtain precise location data in private areas. The requests and orders are sealed at the government's request, so it is difficult to know how often the orders are issued or denied.

The issue is taking on greater relevance as wireless carriers are racing to offer sleek services that allow cellphone users to know with the touch of a button where their friends or families are. The companies are hoping to recoup investments they have made to meet a federal mandate to provide enhanced 911 (E911) location tracking. Sprint Nextel, for instance, boasts that its "loopt" service even sends an alert when a friend is near, "putting an end to missed connections in the mall, at the movies or around town."

With Verizon's Chaperone service, parents can set up a "geofence" around, say, a few city blocks and receive an automatic text message if their child, holding the cellphone, travels outside that area.

"Most people don't realize it, but they're carrying a tracking device in their pocket," said Kevin Bankston of the privacy advocacy group Electronic Frontier Foundation. "Cellphones can reveal very precise information about your location, and yet legal protections are very much up in the air."

In a stinging opinion this month, a federal judge in Texas denied a request by a Drug Enforcement Administration agent for data that would identify a drug trafficker's phone location by using the carrier's E911 tracking capability. E911 tracking systems read signals sent to satellites from a phone's Global Positioning System (GPS) chip or triangulated radio signals sent from phones to cell towers. Magistrate Judge Brian L. Owsley, of the Corpus Christi division of the Southern District of Texas, said the agent's affidavit failed to focus on "specifics necessary to establish probable cause, such as relevant dates, names and places."

Owsley decided to publish his opinion, which explained that the agent failed to provide "sufficient specific information to support the assertion" that the phone was being used in "criminal" activity. Instead, Owsley wrote, the agent simply alleged that the subject trafficked in narcotics and used the phone to do so. The agent stated that the DEA had " 'identified' or 'determined' certain matters," Owsley wrote, but "these identifications, determinations or revelations are not facts, but simply conclusions by the agency."

Instead of seeking warrants based on probable cause, some federal prosecutors are applying for orders based on a standard lower than probable cause derived from two statutes: the Stored Communications Act and the Pen Register Statute, according to judges and industry lawyers. The orders are typically issued by magistrate judges in U.S. district courts, who often handle applications for search warrants.

In one case last month in a southwestern state, an FBI agent obtained precise location data with a court order based on the lower standard, citing "specific and articulable facts" showing reasonable grounds to believe the data are "relevant to an ongoing criminal investigation," said Al Gidari, a partner at Perkins Coie in Seattle, who reviews data requests for carriers.

Another magistrate judge, who has denied about a dozen such requests in the past six months, said some agents attach affidavits to their applications that merely assert that the evidence offered is "consistent with the probable cause standard" of Rule 41 of the Federal Rules of Criminal Procedure. The judge spoke on condition of anonymity because of the sensitivity of the issue.

"Law enforcement routinely now requests carriers to continuously 'ping' wireless devices of suspects to locate them when a call is not being made . . . so law enforcement can triangulate the precise location of a device and [seek] the location of all associates communicating with a target," wrote Christopher Guttman-McCabe, vice president of regulatory affairs for CTIA -- the Wireless Association, in a July comment to the Federal Communications Commission. He said the "lack of a consistent legal standard for tracking a user's location has made it difficult for carriers to comply" with law enforcement agencies' demands.

Gidari, who also represents CTIA, said he has never seen such a request that was based on probable cause.

Justice Department spokesman Dean Boyd said field attorneys should follow the department's policy. "We strongly recommend that prosecutors in the field obtain a warrant based on probable cause" to get location data "in a private area not accessible to the public," he said. "When we become aware of situations where this has not occurred, we contact the field office and discuss the matter."

The phone data can home in on a target to within about 30 feet, experts said.

Federal agents used exact real-time data in October 2006 to track a serial killer in Florida who was linked to at least six murders in four states, including that of a University of Virginia graduate student, whose body was found along the Blue Ridge Parkway. The killer died in a police shooting in Florida as he was attempting to flee.

"Law enforcement has absolutely no interest in tracking the locations of law-abiding citizens. None whatsoever," Boyd said. "What we're doing is going through the courts to lawfully obtain data that will help us locate criminal targets, sometimes in cases where lives are literally hanging in the balance, such as a child abduction or serial murderer on the loose."

In many cases, orders are being issued for cell-tower site data, which are less precise than the data derived from E911 signals. While the E911 technology could possibly tell officers what building a suspect was in, cell-tower site data give an area that could range from about three to 300 square miles.

Since 2005, federal magistrate judges in at least 17 cases have denied federal requests for the less-precise cellphone tracking data absent a demonstration of probable cause that a crime is being committed. Some went out of their way to issue published opinions in these otherwise sealed cases.

"Permitting surreptitious conversion of a cellphone into a tracking device without probable cause raises serious Fourth Amendment concerns especially when the phone is in a house or other place where privacy is reasonably expected," said Judge Stephen William Smith of the Southern District of Texas, whose 2005 opinion on the matter was among the first published.

But judges in a majority of districts have ruled otherwise on this issue, Boyd said. Shortly after Smith issued his decision, a magistrate judge in the same district approved a federal request for cell-tower data without requiring probable cause. And in December 2005, Magistrate Judge Gabriel W. Gorenstein of the Southern District of New York, approving a request for cell-site data, wrote that because the government did not install the "tracking device" and the user chose to carry the phone and permit transmission of its information to a carrier, no warrant was needed.

These judges are issuing orders based on the lower standard, requiring a showing of "specific and articulable facts" showing reasonable grounds to believe the data will be "relevant and material" to a criminal investigation.

Boyd said the government believes this standard is sufficient for cell-site data. "This type of location information, which even in the best case only narrows a suspect's location to an area of several city blocks, is routinely generated, used and retained by wireless carriers in the normal course of business," he said.

The trend's secrecy is troubling, privacy advocates said. No government body tracks the number of cellphone location orders sought or obtained. Congressional oversight in this area is lacking, they said. And precise location data will be easier to get if the Federal Communication Commission adopts a Justice Department proposal to make the most detailed GPS data available automatically.

Often, Gidari said, federal agents tell a carrier they need real-time tracking data in an emergency but fail to follow up with the required court approval. Justice Department officials said to the best of their knowledge, agents are obtaining court approval unless the carriersprovide the data voluntarily.

To guard against abuse, Congress should require comprehensive reporting to the court and to Congress about how and how often the emergency authority is used, said John Morris, senior counsel for the Center for Democracy and Technology.

Staff researcher Richard Drezen contributed to this report.

Thursday, November 22, 2007

Take security seriously

David Canton's most recent Canoe column on information security is a good summary of the issues and includes the factors that any custodian of information should keep in mind. See: eLegal Canton: Data security must be ensured.

Geist on Canada's ID theft bill

Michael Geist, insightful and thoughtful as always, has some interesting comments on the proposed new identity theft legislation introduced yesterday. Check it out: Michael Geist - Canada's Identity Theft Bill: What It Says and What's Missing.

Bill C-27 - An Act to amend the Criminal Code (identity theft and related misconduct)

The full text of Bill C-27 has been posted on the Parlimentary website: C-27 - An Act to amend the Criminal Code (identity theft and related misconduct).

Here's the bill's summary

This enactment amends the Criminal Code to create a new offence of identity theft, of trafficking in identity information and of unlawful possession or trafficking in certain government-issued identity documents, to clarify and expand certain offences related to identity theft and identity fraud, to exempt certain persons from liability for certain forgery offences, and to allow for an order that the offender make restitution to a victim of identity theft or identity fraud for the expenses associated with rehabilitating their identity.

Wednesday, November 21, 2007

Tory legislation to target identity theft

The Canadian federal government is planning to table legislation in Parliament today to add additional offenses to the criminal code to deal with activities that are precursors to identity theft.

I was interviewed earlier today by CTV Newsnet on the topic (on Google Video):

Here is the media release:

Government of Canada Introduces Legislation to Tackle Identity Theft


OTTAWA, November 21, 2007 – Minister of Justice and Attorney General of Canada, the Honourable Rob Nicholson, P.C., Q.C., M.P. for Niagara Falls, today introduced legislation to help combat identity theft, which has been identified as a fast-growing problem throughout North America.

“This Government is following through on its commitment to give police the tools they need to better protect Canadians by stopping identity theft activity before the damage is done,” said Minister Nicholson. “I have tabled legislation that will make it an offence to obtain, possess or traffic in other people's identity information if it is to be used to commit a crime.”

The misuse of another person's identity information, generally referred to as identity fraud, is covered by current offences in the Criminal Code , such as personation and forgery. But the preparatory steps of collecting, possessing and trafficking in identity information are generally not captured by existing offences. The proposed legislation would create three new offences directly targeting aspects of the identity theft problem, all subject to five-year maximum sentences:

  • obtaining or possessing identity information with intent to use it to commit certain crimes;
  • trafficking in identity information with knowledge of or recklessness as to its intended use in the commission of certain crime; and
  • unlawfully possessing and trafficking in government-issued identity documents.

Additional Criminal Code amendments would create new offences of fraudulently redirecting or causing redirection of a person's mail, possessing a counterfeit Canada Post mail key and possessing instruments for copying credit card information, in addition to the existing offence of possessing instruments for forging credit cards.

Moreover, a new power would also be added permitting the court to order, as part of a sentence, that an offender be required to pay restitution to a victim of identity theft or identity fraud where the victim has incurred expenses related to rehabilitating their identity, such as the cost of replacement cards and documents and costs in relation to correcting their credit history.

“Our Government understands that new and rapidly evolving technologies have made identity theft a widespread criminal activity that often involves organized crime,” added Minister Nicholson. “This is an issue that is harming Canada 's families, seniors and businesses. We are therefore taking action to tackle this serious problem.”

This legislative proposal is one in a new series of tackling community crime bills the Government of Canada will be introducing in this new session of Parliament. This series is in addition to the comprehensive Tackling Violent Crime Act that aims to better protect youth from sexual predators, protect society from dangerous offenders, get serious with drug impaired drivers and toughen sentencing and bail for those who commit serious gun crimes.

In addition to its plan to protect Canadians against identity theft, the Government of Canada has:

  • introduced a National Anti-Drug Strategy, including legislation that would provide mandatory jail time for serious drug crimes;
  • tabled legislation to strengthen the Youth Criminal Justice Act ; and announced a comprehensive review of this Act in 2008;
  • invested in crime prevention community projects across Canada that target youth;
  • passed legislation to increase penalties for those convicted of street racing; and
  • passed legislation to end conditional sentences for serious crimes such as personal injury offences.

An online version of the legislation will be available at

Here is additional coverage from CTV: Tory legislation to target identity theft

Tory legislation to target identity theft

Updated Wed. Nov. 21 2007 11:58 AM ET News Staff

The federal Conservatives will introduce legislation today aimed at charging people accused of identity theft even before stolen information is used to commit a crime.

Currently, the law makes it illegal to misuse someone's personal information to create false identification or for other fraudulent purposes.

However, it is not against the law to collect, possess or traffic another person's identity information.

The Tories want to amend the Criminal Code to make it an offence to possess someone's personal identifying information with the intent of selling it or using it to commit fraud.

"I think there's always a challenge in proving intent but we have a number of offences in our Criminal Code where intent is an important portion of proving the charge," David Fraser, a lawyer that specializes in privacy issues, told

"You can do that by looking at the totality of the circumstances -- you don't necessarily have to look directly into the head of the accused."

In 2006, almost 8,000 victims reported losses of $16 million to PhoneBusters, the Canadian Anti-fraud Call Centre.

"There are probably even more who don't report it... (and) there isn't mandatory reporting from the banks or the credit bureaus who might be the first to hear about it," said Fraser.

He said the Tory initiative will give law enforcement an additional tool to help them deal with identity theft offences.

However, Fraser said attention should also be given to ensuring that businesses properly secure personal information in the first place.

"That's one of the places where information often gets into the hands of identity thieves," he said.

"Another part of it might be simply to make it a little more challenging in order for credit granters to extend credit to individuals."

Consumers can also take practical steps to protect their information by regularly checking bank statements and shredding personal documents, said Fraser.

The identity theft legislation is the latest in a flurry of anti-crime initiatives the Tories have announced this week.

On Tuesday, the Harper government introduced new legislation proposing mandatory sentencing for individuals convicted of serious drug-related crimes.

Federal Justice Minister Robert Nicholson said the new bill is designed to impose tough sentences on Canadians profiting from organized crime and violence.

If passed, Bill C-2 will impose the first mandatory sentences under the Controlled Drugs and Substances Act for people convicted of drug-related crimes.

On Monday, the Tories proposed changes to the Youth Criminal Justice Act.

The key proponents of their proposal are:

  • Tougher sentences
  • Allowing for pre-trial detention
  • Allow courts to consider deterrence and denunciation as objectives of youth sentences

Tuesday, November 20, 2007

UK loses sensitive personal data on 25m people

A lot of stuff I read about privacy incidents leaves me scratching my head in wonder. In thinking about the staggering number of privacy breaches coming out of governments (Canadian, US, UK, etc.), I wonder:

  1. Are we hearing about all these incidents because employees who handle personal information for governments are idiots?
  2. Are we hearing about all these incidents because governments are more likely to come clean when bad things happen?
  3. Are we hearing about all these incidents because citizens are more likely to go to the media?
  4. Are we hearing about all these incidents because governments handle such vast quantities of personal information, but statistically are no more likely -- per capita / per employee / per whatever -- to mishandle personal information?

I am thinking that it probably isn't #2.

The latest is from the UK. An employee of the Revenue & Customs sent CDs of unencrypted personal information about almost every child and parent in the UK via regular internal mail. The CDs never reached their destination. The minister responsible has admitted that this has occurred on multiple occasions. When are governments going to learn?

See: Taxman loses sensitive personal data on 25m people - Times Online, via UK tax-man repeatedly hemorrhages personal financial info of 25 MILLION Brits - Boing Boing.

Sunday, November 18, 2007

Incident: Laptop containing pensioners' personal information stolen from bureaucrat's home

CBC is reporting that a laptop containing personal information on more than a thousand pensioners was stolen from a bureaucrat's home in Gatineau, Quebec. The government has notified the 1600 affected individuals. It appears the laptop was not supposed to leave the building. The Privacy Commissioner is investigating. See: Private information stolen from civil servant's home.

Saturday, November 17, 2007

Facebook, Social ads and the Data Protection Act 1998

DP Thinker has an interesting post on Facebook's proposed social advertising system and the Data Protection Act. Check it out: DP thinker: Facebook, Social ads and the Data Protection Act 1998.

Friday, November 16, 2007

The Canadian Response to the USA Patriot Act

I was recently invited to contribute an article to the IEEE Security & Privacy magazine on the Canadian response to the USA Patriot Act. Here's the abstract:

The Canadian Response to the USA Patriot Act

Since the attacks of September 11, 2001, US authorities have spent untold millions of dollars guarding their frontiers to regulate what gets into the country. On the other side of the border, many Canadian jurisdictions have turned their thoughts to regulating what information flows southward into the US. This isn't out of concern about terrorism but rather about the US response to it.

Citation: David Fraser, "The Canadian Response to the USA Patriot Act," IEEE Security and Privacy, vol. 5, no. 5, pp. 66-68, Sept/Oct, 2007

I think I reserved the right to publish the article on the blog after the publication by IEEE, but I'll have to track down that release .... stay tuned.

Update: Definitely Not the Opera

I found out that tomorrow's Definitely Not the Opera is "all privacy, all the time".

Here's the synopsis from the website:

Definitely Not the Opera

Broadcast time: Saturdays at 1:00 p.m. (1:30 NT) on CBC Radio One

On the street, on stage or behind the scenes, DNTO takes listeners on a fast paced trip through the cultural landscape of Canada and around the world. Definitely Not the Opera is the ideal audio guide to the fast-changing world of popular culture. It's your tip sheet to what's hot, what to watch, who to listen to and what's going on.

This Week on DNTO!

Every breath you take… every move you make… DNTO will be watching you. ‘Cause this week, we’re looking at privacy, and asking the question – how far will you go to protect it?

From 1-2

To begin, Sook-Yin hits the streets to see what kind of bribe it take to get strangers to give up their deeply personal information.

Nick Purdon struggles to rid himself of that ancient violation of his mailbox’s privacy… junk mail.

So maybe the question isn’t so much how far you’ll go to protect your privacy… but why you should bother. Halifax-based lawyer and privacy expert David Fraser will come by to explain how your privacy is at risk in everyday situations… like turning on your computer at work.

Then it’s over to paranoid contributor Clare Lawlor, who has formed a special bond with her shredder.

Musicians put their private lives on the stage… so how do they maintain their privacy? Sook-Yin will chat with Neverending White Lights, and they’ll play us a tune live in studio.

And we’ll head south of the border to hear from funnyman John Wing with his take on privacy.

Plus tunes from the New Pornographers, Chris Walla, Crowded House and Hawksley Workman.

From 2-3

Sook-Yin pays a visit to Canadian science-fiction icon Robert J. Sawyer, who maintains that our notion of “privacy” might be a bit overrated… but to get to know Robert a little better, she’ll start by paying a visit to his garbage.

We’ll ask Robert to stick around for this week’s edition of Parlour Games.

Sook-Yin takes her mic back to the streets to find out how you’ve invaded the privacy of others. We willingly surrender a lot of our privacy online these days… but is it worth it? DNTO’s Wab Kinew looks into it.

Comedian Fraser Young loves the GPS chip. Privacy… not so much. He’ll explain why.

And Sook-Yin will talk with artist Hasan Elahi, who’s taken a unique approach to privacy… by making his every move public.

All that, and music from Immaculate Machine, Metric, the Russian Futurists, George Michael,and Prince.

DNTO airs Saturday afternoons across Canada at 1:00 p.m. (1:30 in Newfoundland) on CBC Radio One.

You can also catch the show on Sirius Satellite Radio channel 137 - Saturdays at 11:00 a.m. and 9:00 p.m.

And if you're in Chicago or Seattle, you can catch us on public radio... we're on WBEZ in Chicago Sunday at midnight, and on KXOT in Seattle Saturday at 9:00 a.m.

Plus, if you can't catch us on the air, download our weekly podcast of highlights from DNTO!

DNTO's theme music is "Bentley's Gonna Sort You Out" by Bentley Rhythm Ace.

UPDATE: My interview wasn't on the post-show podcast, but if you're interested, here's an MP3 of the interview (2931Kb).

Thursday, November 15, 2007

Alberta commissioner: "It' just nuts that we're not looking after this stuff better"

After an investigation into a stolen laptop from Alberta Capital Health, Frank Work has expressed some exasperation about how personal information is being protected:

Safeguard cyber-privacy

The Edmonton Journal

Thursday, November 15, 2007

Crafting sophisticated privacy legislation has never been more important, as lawmakers struggle to keep up with technological advances. And yet all the statutes in the world are no excuse for common sense.

"It's just nuts that we're not looking after this stuff better," exclaimed an exasperated Frank Work on Tuesday. Work, Alberta's information and privacy commissioner, had just released a report investigating the May theft of four laptop computers at a Capital Health office.

The study concluded that Capital Health had contravened the Health Information Act by not taking adequate security precautions. This was in spite of two previous warnings about the need for encryption programs. Capital Health has promised that it will have encryption for laptops installed by January and will soon provide the commissioner with a detailed implementation plan for other changes. Let's hope so.

Not that Capital Heath is alone. Work also announced another investigation into the theft of a memory stick storing personal details of 560 students attending Edmonton Catholic Schools. An employee of the board's school bus company kept the stick in her purse. The school board now insists bus carriers' memory sticks must be encrypted.

The hope is that other organizations are paying attention. Breaches in consumer information security have made all of us think twice when ordering online or even at the local cash register.

To be fair, a lot of bright people are working on this and lessons have been learned. Still, coming to terms with the storehouse of private information most of us carry around daily in various devices is everyone's business. As technology moves forward, we must remember that privacy is too precious to be taken lightly. That begins at home, at work and at school.

Tune into Definitely Not the Opera's privacy segment

On Saturday, tune into CBC Radio One's Definitely Not the Opera, where they are doing a segment on privacy. I'm meeting the host, Sook-Yin Lee, on Friday for an interview to be broadcast Saturday afternoon.

Monday, November 12, 2007

US Intel Official wants to change the definition of privacy

In a speech to a conference on GEOINT, Donald Kerr (principal deputy director of national intelligence) called for a redefinition of what is privacy. And his definition excludes the concept of anonymity.

The speech is worth a read as it contains such nuggets:

And that leads you directly into the concern for privacy. Too often, privacy has been equated with anonymity; and it’s an idea that is deeply rooted in American culture. The Long Ranger wore a mask but Tonto didn’t seem to need one even though he did the dirty work for free. You’d think he would probably need one even more. But in our interconnected and wireless world, anonymity – or the appearance of anonymity – is quickly becoming a thing of the past.

Anonymity results from a lack of identifying features. Nowadays, when so much correlated data is collected and available – and I’m just talking about profiles on MySpace, Facebook, YouTube here – the set of identifiable features has grown beyond where most of us can comprehend. We need to move beyond the construct that equates anonymity with privacy and focus more on how we can protect essential privacy in this interconnected environment. Protecting anonymity isn’t a fight that can be won. Anyone that’s typed in their name on Google understands that. Instead, privacy, I would offer, is a system of laws, rules, and customs with an infrastructure of Inspectors General, oversight committees, and privacy boards on which our intelligence community commitment is based and measured. And it is that framework that we need to grow and nourish and adjust as our cultures change.

I think people here, at least people close to my age, recognize that those two generations younger than we are have a very different idea of what is essential privacy, what they would wish to protect about their lives and affairs. And so, it’s not for us to inflict one size fits all. It’s a need to have it be adjustable to the needs of local societies as they evolve in our country. Eventually, we can only hope that people’s perceptions – in Hollywood and elsewhere – will catch up.

Our job now is to engage in a productive debate, which focuses on privacy as a component of appropriate levels of security and public safety. This is work that the Office of the DNI has started to do, and must continue and make a high priority. This careful balance we need to strike, however, is nothing new. With the advent of telephones, we entered a new frontier that required careful balancing between safety and privacy. We faced this challenge again at the end of the ’70s in the aftermath of the Church-Pike Hearings. And now, in the era of new technologies, we have to work to continue to keep that balance, to earn that trust, and re-earn it every day through our actions. But we also have to be willing to reopen the laws and regulations that were based on technologies that existed 1978 and adjust them to the realities of 2007 and 2008.

For some reaction to the speech, see: The Associated Press: Definition Changing for People's Privacy and US intelligence honcho channels Orwell, redefines privacy - Boing Boing.

Saturday, November 10, 2007

The Shocking Truth! Comcast manual suggests it takes privacy seriously

I thought this was interesting and a sign of the times in the US ...

It is now newsworthy that a confidential manual from Comcast written to assist law enforcement in properly requesting customer information suggests they take privacy seriously! I'll repeat: they appear to take customer privacy seriously. Declan McCullagh has more: Secret manual shows Comcast (gasp!) protects customers' privacy The Iconoclast - politics, law, and technology - CNET leak leads to targeting phishing attacks

An employee of has been taken in by a phishing scam and had his credentials compromised. The fraudsters have since used data from the vast ASP an in attempt to defraud a handful of users. See Schneier on Security: Targeted Phishing from Leak and Acknowledges Data Loss - Security Fix.

What do you want a friend of a friend of a friend to know about you?

The Office of the Privacy Commissioner of Canada has put together a snazzy flash presentation that looks at social networking sites and suggests you think about how much you want people -- including your mother and your boss -- to know about you. See: Office of the Privacy Commissioner » Blog Archive » A friend of a friend of a friend knows you’re on vacation.

Commissioner questions no-fly list in inquiry testimony

In testimony before Justice Major's Air India Inquiry, Privacy Commissioner Jennifer Stoddart questioned whether the "opaque" no fly list is effective. Justice Major's comments suggest he agrees. The Inquiry's mandate is to review, among other things, air travel security in Canada. See: Privacy watchdog questions 'opaque' federal no-fly list.

PIPEDA consultation marches onward

In case you haven't been consulted enough ...

The Government of Canada issued its response to the PIPEDA review report from the Standing Commitee on Access to Information, Privacy and Ethics, agreeing in parts and disagreeing in others with the committee's recommendations. So the government is now seeking public input on the topics that were relatively well canvassed before the parliaentary commitee.

If you have additional thoughts, you have until January 15 to make them known to Industry Canada.

Canada Gazette



Deadline for submission of views: January 15, 2008

On October 17, 2007, the Government of Canada tabled in Parliament its response to the Fourth Report of the Standing Committee on Access to Information, Privacy and Ethics (ETHI) on the statutory review of the Personal Information Protection and Electronic Documents Act (PIPEDA). In support of the Minister of Industry's responsibility for PIPEDA, Industry Canada is seeking the views of Canadians on a number of issues related to the response, including proposals for legislative amendments to PIPEDA.

PIPEDA, which came into force on January 1, 2001, sets rules for the collection, use and disclosure of personal information in the course of commercial activity in Canada. In a modern, information-based economy, an effective and efficient model for the protection of personal information is vitally important to ensure that the privacy of Canadian consumers remains protected. The ETHI Report contains 25 recommendations for how PIPEDA could be fine-tuned to ensure that the Act continues to achieve this objective. The government response expresses agreement with a majority of the Committee's recommendations and reflects the view held by a number of stakeholders that PIPEDA is working well and is not in need of dramatic change at this time. However, a small number of specific amendments may be warranted, and this consultation process provides Canadians with the opportunity to present further information, advice and views regarding the implementation of key proposals for legislative change.

In particular, Industry Canada is seeking views on the implementation of a data breach notification provision in PIPEDA (ETHI recommendations 23, 24 and 25). Such a provision is an important component of a comprehensive strategy to address the growing problem of identity theft. The Government proposes that the Privacy Commissioner be notified of any major breach of personal information, and that affected individuals and organizations be notified when there is a high risk of significant harm resulting from the breach. Ultimately, a requirement for data breach notification should encourage organizations to implement more effective security measures for the protection of personal information, while enabling consumers to better protect themselves from identity theft when a breach does occur. Industry Canada is seeking input in developing the parameters of a data breach notification provision, including, but not limited to, questions of timing, manner of notification, penalties for failure to notify, the need for a "without consent" power to notify credit bureaus, and appropriate "thresholds" for when organizations should be required to notify.

Industry Canada is also seeking further views on the issue of "work product" information (ETHI recommendation 2). The question of whether information created by individuals in their employment or professional capacity should be explicitly excluded from the definition of personal information has been a matter of significant debate. Industry Canada would therefore appreciate a wider range of views on whether an amendment to PIPEDA is needed, and, if so, how this should be implemented.

Furthermore, in order to ensure that PIPEDA is consistent with the needs of Canadian law enforcement agencies, the Government intends to clarify the meaning of lawful authority in PIPEDA as recommended by the Committee (ETHI recommendation 12). Industry Canada is seeking views and specific advice on how the concept of lawful authority could be better defined.

The Committee also recommended a number of issues for further consideration and/or consultation, including witness statements (ETHI recommendation 10), consent by minors (ETHI recommendation 15), and an assessment of the extent to which elements contained in the PIPEDA Awareness Raising Tools (PARTS) document may be set out in legislative form (ETHI recommendation 17). Industry Canada welcomes submissions on these matters.

Finally, Industry Canada is considering alternatives to the current process for the designation of investigative bodies (ETHI recommendation 6) and would appreciate any further views on this issue.

Submissions on the above, or on any other issues related to the government response that you may wish to raise, can be sent by email to, by fax to 613-941-1164, or by mail to Richard Simpson, Director General, Industry Canada, Electronic Commerce Branch, 300 Slater Street, Ottawa, Ontario K1A 0C8.

The Government's response to the Fourth Report of the Standing Committee on Access to Information, Privacy and Ethics is available electronically on the World Wide Web at the following address:

For printed copies, please contact Publishing and Depository Services, Public Works and Government Services Canada, Ottawa, Ontario K1A 0S5; 1-800-635-7943 (Canada and U.S. toll-free telephone), 613-941-5995 (telephone), 1-800-465-7735 (TTY), 1-800-565-7757 (Canada and U.S. toll-free fax), 613-954-5779 (fax), (email), www.