Tuesday, January 30, 2007

EU parliament debates personal data rules in wake of SWIFT scandal

In the wake of the SWIFT privacy scandal, the European parliament will be debating the scandal, European data protection laws and broader issues of access to personal data. Should be interesting to watch:

theparliament.com - EU parliament debates personal data rules

EU parliament debates personal data rules

MEPs are this week expected to intensify pressure on the European commission to act over the controversial Swift case.

In November, an independent panel found that the Belgian-based money transfer company Swift had breached EU privacy laws by secretly giving personal financial data to the US authorities.

Swift denied breaking the law, saying it was subpoenaed to give limited data for use in the fight against terrorism.

On 31 January, in the first Brussels parliamentary plenary of the year, deputies will debate the issue of current personal data legislation and table a series of questions to the commission on the Swift case.

Included in the list of questions is a demand to know whether the commission is aware of any other requests to private companies to make their data available to the US.

MEPs also want to know what action the commission intends to take given that access to data handled by Swift makes it possible to get information on the economic activities of individuals and businesses.

The ongoing row involving Swift, which handles 11 million transactions a day, could further exacerbate tensions between the EU and the US over the use of personal flight data in the fight against terrorism.

The EU and US recently resolved a long-running dispute over the issue and are confident of reaching an agreement on passenger name records (PNR).

US negotiator Michael Chertoff and his EU counterpart Wolfgang Schauble said at the weekend that despite continued differences of opinion on the use of the personal data they were confident of reaching a deal by July.

Some MEPs, however, are currently raising concerns which they would like the commission to take on board when the executive alone negotiates a new agreement with the US.

The plenary, though, will be urged by British Conservative MEP Timothy Kirkhope to back the deal brokered by the EU and US.

"Some of these concerns are warranted but the most important thing to adopt are appropriate air safety and anti-terrorism measures and provide certainty for the airlines, while also ensuring that data protection norms are respected," Kirkhope said.

Monday, January 29, 2007

X-ray cameras 'see through clothes'

I just checked my calendar to see if I accidentally slept in and woke up on April 1. According to Yahoo News, the British government is considering taking all-encompassing surveillance to the next level by installing cameras in public places that can see through clothes. According to a memo obtained by the Sun, the measure will make the detection of weapons and explosives easier.

X-ray cameras 'see through clothes' - Yahoo! News UK:

However, officials acknowledged that it would be highly controversial as the cameras can "see" through clothing.

"The social acceptability of routine intrusive detection measures and the operational response required in the event of an alarm are likely to be limiting factors," the memo warned.

"Privacy is an issue because the machines see through clothing."

The Sun reported that the memo, dated January 17, was drawn up by the Home Office for the Prime Minister's working group on security crime and justice.

It noted that some technologies used for airport security had already been used in police operations searching for drugs and weapons in nightclubs.

"These and others could be developed for a much more widespread use in public places," it said.

"Street furniture could routinely house detection systems that would indicate the likely presence of a gun for example."

A Home Office spokeswoman said: "We don't comment on leaked documents".

Sunday, January 28, 2007

Five Things You Didn't Know About Me

Earlier this week, I was tagged by Michel Adrien aka "Library Boy" (Library Boy: Five Things You Didn't Know About Me) to eschew some personal privacy and disclose five things you may not know about me.

Here goes ...

  1. Like Michel, I can swear and give a taxi driver directions in a number of languages. I grew up as a foreign service brat, so picked up some local language on my travels. So if you need to be able to say "straight", "faster", "slow down", "left", "right" and "right here" in English, French, Arabic, German, Italian and Romanian, I'm your man. (Funny ... typing that made me think that this lexicon may be useful in other contexts.)
  2. Like many normal people, I do occasionally trade some privacy for convenience. I collect points/miles on the airline I fly most often. With points, I took my son to Toronto for a week and was bumped to business class about a dozen times last year. They already know when and where I fly, so I might as well get something out of it. I don't let loyalty programs into my grocery cart or book purchases.
  3. I was a headbanger in junior high school. And that's all I'll say, since I don't want to think about it any further.
  4. I have eaten rat on dozens of occasions. Well, cane rat to be precise (photo). When my parents were living in Ghana and I was in boarding school, I used to visit every summer and over the winter holidays. Weekday afternoons were spent on the beach at Labadi. In addition to the delicious beer and fresh pineapple, vendors on the beach sold delicious and spicy kebabs. We assumed they were made from beef, but the heavy spices made it virtually impossible to tell for sure. On my last visit, my parents said to avoid the kebabs on the beach because of an anthrax outbreak in the local cattle. We asked the vendor if the beef was imported and he just smiled. It wasn't beef. It was grass cutter (the local moniker for cane rats). So we ordered more.
  5. I am a happy lawyer. I get to do stuff that I find interesting and challenging with clients I enjoy spending time with. I like to teach, and I get ample opportunities to do so at Dalhousie Law School. No day is like the one before it. I like to write, and this blog is evidence that I manage to do so from time to time. I like my family and my kids, and somehow I'm able to be at home for dinner as a rule, rather than the exception. I'm never in the office on the weekends. I like to travel and my work takes me to exotic locales like Fredericton and Stockholm. I get to work at an amazing law firm (that has supported my odd practice) with people whom I enjoy and respect. It really doesn't get any better than this.

Tag, you're it: David Canton.

Norway Investigates Google on Privacy

Michael Zimmer has noted that the Norwegian government is investigating the privacy practices of Google, particularly its habit of retaining users' IP addresses. See: michaelzimmer.org » Archives » Norway Investigates Google on Privacy.

Are Privacy Notices Worthless?

In Computerworld, Jay Cline asks "Are Privacy Notices Worthless?".

In my not so humble opinion, most of them are. Too many are overly long and full of legalese that is meaningless to most of the prospective readers. Too many are simply a regurgitation of blue sky principles that don't provide any information.

In many cases, they are referred to as "privacy policies". I prefer to call them privacy statements, since they are supposed to communicate with customers. Policies are those things in thick three-ring binders in the back office.

You can tell a lot about a company by their privacy statement. They really are an indicator of how the company approaches its customers. If it reads like a fifteenth century indenture, the company sees the privacy policy as another piece of regulatory compliance that can be tossed over to the lawyer who usually drafts their corporate documents. Often there is a real disconnect between the words in the statement and what the company actually does. (Too often, you see privacy statements that are clearly poached from another company, often in another industry.) On the other hand, if you can read it and gain an understanding about what will actually happen to your information, the company is doing a good job.

What's the real purpose of a privacy statement? At least in Canada, it is part of the openness requirement in PIPEDA:

4.8 An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

Organizations shall be open about their policies and practices with respect to the management of personal information. Individuals shall be able to acquire information about an organization’s policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable.

The information made available shall include

(a) the name or title, and the address, of the person who is accountable for the organization’s policies and practices and to whom complaints or inquiries can be forwarded;

(b) the means of gaining access to personal information held by the organization;

(c) a description of the type of personal information held by the organization, including a general account of its use;

(d) a copy of any brochures or other information that explain the organization’s policies, standards, or codes; and

(e) what personal information is made available to related organizations (e.g., subsidiaries).

An organization may make information on its policies and practices available in a variety of ways. The method chosen depends on the nature of its business and other considerations. For example, an organization may choose to make brochures available in its place of business, mail information to its customers, provide online access, or establish a toll-free telephone number.

If your statement doesn't contain that minimum, go back to the beginning.

However, privacy statements are more than that. Companies really need to think about who is going to read it and under what circumstances. Just because very few people read them doesn't mean that we should underestimate their importance.

When someone actually takes the time to read the statement, they are usually either upset about something or actually care about privacy and want to know how you handle personal information. This customer can become a real problem and your privacy statement is your first (and perhaps last) opportunity to keep them as a customer and prevent any problems from arising. (On a purely practical level, the customer who reads the statement is one who cares about privacy and these are the kinds of customers that can become difficult.)

If a customer wants to know how you handle personal information, make it staggeringly easy by spelling it out in your privacy statement. If you don't, they will go somewhere else or will ask one of your employees. A privacy statement is an opportunity to clearly answer that question in a very controlled way. The trend towards layered privacy statements, or those with a snapshot summary at the top is a good way to provide a quick answer to the customer without forcing them to wade through details that may not be relevant to them.

If a customer has a problem or a potential complaint, a clear and meaningful privacy statement will go a long way to providing some comfort. If it's full of legalese, the customer becomes less trusting and increasingly alienated. The statement should answer their question and lead them quickly to the resolution they are looking for. If not, they'll be madder when they finally reach the right person.

Your privacy statement should not be worthless. You should treat it as an important communication opportunity with your customers. It is perhaps the first and last chance to keep your customer and to avoid an unpleasant complaint.

And, as an aside, privacy should permeate all aspects of your business. If you ask customers to input information online, make sure that the form includes explanations about why you are looking for the information and what will be done with it. If you actually operate in the real world, train employees to explain without prompting what information is used for. If you don't provide an explanation, customers will assume the worst.

Of course, you should also treat it like a contract with your customers and follow it accordingly. The FTC in the United States considers not following your privacy statement to be an unfair trade practice and imposes penalties accordingly.

More Privacy Podcasts

Earlier this week, I posted about Privacy podcasts. I've since received an e-mail from Pogo Was Right, which pointed to two recent privacy podcasts:

Saturday, January 27, 2007

Incident: Club Monaco associated with privacy breach

Fashion retailer Club Monaco is the latest major Canadian company to be associated with an information breach, the third in the past week, though the details are very sketchy. From the Globe & Mail:

globeandmail.com : globeinvestor.com : Clothing chain tipped to security breach:

Fashion retailer Club Monaco has called in the RCMP to investigate a possible privacy breach involving customers' credit card numbers -- the third time in the past week that a major Canadian company has been plagued by security issues.

Club Monaco confirmed it was alerted to the problem by a credit card processor late last year and said it immediately hired a forensic firm to help the Mounties with their probe. Banks and other card issuers were also notified of the problem, and have been combing client records for any signs of fraud, according to sources in the financial community.

Investigators have found no evidence to suggest a breach occurred, a spokeswoman for the clothing chain said yesterday, adding that the data under investigation do not include names, addresses or phone numbers. She said the company has not determined how many customers might be affected.

'We've been told through the report thus far that our systems are very secure,' Wendy Smith said. 'It's an active investigation.'...

Will this be the beginning of breach notification in Canada?

The recent personal information breaches in Canada have prompted a lot of discussion about breach notification.

This may be the groundswell of citizen concern that will prompt legislative change in Canada. From today's Halifax Chronicle Herald:

The ChronicleHerald.ca - Should retailers come clean? Businesses not obligated to alert consumers when information is stolen

By CLARE MELLOR Business Reporter

Retailers and financial institutions in Canada don’t have to tell customers when thieves have stolen their personal information.

Recent cases of data theft at Winners and the loss of a hard drive at CIBC have made headlines across the country, alerting Canadian consumers to be on guard for identity theft, but these security breaches could be the tip of the iceberg, privacy experts say.

"There are probably a whole lot more incidents out there that we haven’t heard about because the businesses have no legal reason that requires them to tell the consumers involved," Halifax lawyer David Fraser, a privacy specialist, said Friday.

"One of the big questions on law reform in this area is whether a business should have a duty to notify people whose information has been compromised."

CIBC, which was earlier taken to task by federal privacy commissioner Jennifer Stoddart for lapses in security involving misdirected faxes, issued a news release and sent letters to Talvest mutual-fund holders last week. The company said a backup computer file containing their personal information had gone missing in transit.

TJX Cos., American operator of Winners and HomeSense, recently revealed that computer hackers had broken into its system, but the firm has not said how many customers had personal data stolen.

About 30 states have laws requiring businesses to notify their customers when their personal information has been stolen or lost, Mr. Fraser said.

A parliamentary committee has been reviewing Canada’s federal privacy law. Requirements to notify the public when a breach happens are being discussed.

When Ms. Stoddart appears before the committee, she will likely call for changes to the law requiring businesses to inform consumers when their information has been stolen or gone missing, Anne-Marie Hayden, spokeswoman for the privacy commissioner’s office, said Friday.

Under Canada’s privacy law, businesses and banks must keep personal information secure and not share it without client consent.

While Ms. Stoddart’s office can’t fine or penalize businesses that repeatedly break the law, it can pursue legal action through the Federal Court, Ms. Hayden said.

"It would be safe to say that most of the time when the commissioner makes recommendations (to tighten privacy practices), those changes are implemented," she said.

But David Malamed, a forensic accountant, said it is clear many companies are not taking their privacy obligations seriously enough.

"A lot of the reason that it is happening is that the focus for a lot of companies is on the bottom line," said Mr. Malamed, who works at Grant Thornton in Toronto.

"As systems advance, people get smarter and the question is how money is being invested into protecting these systems. . . . There are different methods that you can go about to protect your customer information that will help prevent this from happening or at least reduce it to a greater degree."

There have been media reports of fraudulent purchases made with customer information stolen from Winners.

A Canadian law firm, Merchant Law Group, which has offices in Saskatchewan and Alberta, has already launched a class-action suit over the security breach.

But there is some question about whether Canadian consumers can successfully sue for theft or mishandling of their personal information, Mr. Fraser said.

"If you are the subject of fraud, you may be able to successfully sue them," he said. "But if you can’t prove harm, it is much more difficult."

(cmellor@herald.ca)

Friday, January 26, 2007

Second video voyeurism conviction in NS

The second (that I know of) conviction under Canada's new voyeurism laws took place yesterday in Halifax.

The Daily News: Former sailor pleads guilty after trying to videotape neighbour

LINDSAY JONES The Daily News

CRIME – A former sailor has pleaded guilty to trying to videotape a woman while she was changing in her own apartment.

In August of 2006 the woman was getting dressed in her walk-in closet when she spotted a video camera in the window pointed towards that part of the room. She was changing in the closet because her window was only partially covered by a blanket.

Karlson Glen Chaulk, who had been in the armed forces for nearly seven years, lived in the apartment above her. The two did not know each other, the court heard.

The woman called police and Chaulk admitted to committing the offence. He asked police if there was any way to make it go away, the court heard. Police found no images on the video camera.

Chaulk has two previous convictions, for impaired driving and possessing narcotics.

The court heard the victim moved from the residence because she no longer felt safe, costing her her damage deposit and moving expenses.

Chaulk told the court he was “truly sorry” for his actions and promised it would never happen again. “I do realize now that I shouldn’t have conducted myself in the way I did with the camera,” he said.

Judge Michael Sherar said not only is the charge sad and juvenile, but also deplorable. He asked Chaulk what he intended when he surreptitiously looked into someone else’s apartment. He also outlined how everyone has the right to privacy in their own home.

Chaulk has since resigned from the Defence Department and plans to move to Alberta tomorrow.

He was sentenced in Halifax provincial court yesterday to 90 days probation, ordered to pay a $500 fine and $450 restitution to the victim, as well as undergo counseling. He must also stay 150 metres from the woman’s home and workplace.

Chaulk is the second person in Canada to be sentenced for voyeurism, since the law was enacted in November 2005. The law makes it illegal to “surreptitiously observe or make a visual recording” for a sexual purpose.

The only other prosecuted case of voyeurism in Canada also took place in the province.

Winston Charles Patriquin of Port Howe, Cumberland Co., pleaded guilty last August to using a video camera to tape a girl in the bathtub.

ljones@hfxnews.ca


Technology takes place of peeping Toms: lawyer

A Halifax privacy lawyer says technology is taking the place of the guy lurking outside the window.

David Fraser said what’s traditionally considered trespassing is now occurring digitally, without the physical presence of a perpetrator.

“People can be observed in a number of different contexts,” he said. “Hidden cameras in change rooms in stores. Hidden cameras in bathrooms in hotels.”

Canada’s voyeurism law was enacted in November 2005 to better protect children and other vulnerable victims from harm. The law makes it illegal to “surreptitiously observe or make a visual recording” for a sexual purpose.

Fraser said the law reflects the potential seriousness and intrusiveness of voyeurism. Enacting it was necessary, he says, to keep up with technological advances and the advent of miniature, wireless cameras.

“Thousands of companies sell wireless cameras and it’s pretty plain in the description of their products that they’re selling them for this sort of voyeurism,” he said. “Once this information is in digital form, it’s very easily transmitted.”

— Lindsay Jones

B.C. privacy commissioner to rule on ID scans in bars

According to the CBC, the Information and Privacy Commissioner has completed his inquiry related to the practice of swiping drivers' licenses at bars in that province. A decision is expected next month. See: B.C. privacy commissioner to rule on ID scans in bars.

Thursday, January 25, 2007

Alberta Commissioner on Freedom of Expression and disclosure of personal information

The Information and Privacy Commissioner of Alberta released a very interesting order today, considering whether the right to freedom of expression in the Charter overrides the restriction on disclosure of personal information without consent. In this case, a shopper at Safeway was allegedly caught shoplifting. The "shopper" was an employee of another grocery chain and a representative of Safeway reported the incident to her employer, and she was fired. She then complained that Safeway had disclosed her information without her consent, in breach of the Personal Information Protection Act. At an inquiry under that Act, Safeway argued that the restriction on disclosure was unconstitutional. In the order, the Commissioner disagreed.

Order P2005-006

Summary: The Complainant, an employee of another food retail chain, entered a store of Canada Safeway Limited (the “Organization”) while wearing her employee uniform. The Complainant gathered several goods, paying for some and not for others. When the Complainant left the store, security for the Organization stopped the Complainant and accused the Complainant of theft. The unpaid items were returned and the police were notified. Upon review of the incident, no charges were laid.

The Organization, without the consent of the Complainant, advised the Complainant’s employer about the incident. As a result the Complainant was dismissed. The Complainant initiated a complaint with the Office of the Information and Privacy Commissioner, and the matter proceeded to a written inquiry. The Organization argued that it did not require consent to disclose personal information of the Complainant under section 7(1)(d) (consent to disclose) of the Personal Information Protection Act, (the “Act”) as the section is contrary to section 2(b) (freedom of expression) of the Canadian Charter of Rights and Freedoms (the “Charter”). The Organization also argued that if it is found that section 7(1)(d) of the Act is not contrary to the Charter, then section 20(b) (disclosure pursuant to a statute of Canada that authorizes or requires disclosure) of the Act and section 20(m) (disclosure reasonable for investigation or legal proceeding) of the Act apply and permit the disclosure of the Complainant’s personal information.

The Commissioner found that section 7(1)(d) of the Act did not contravene section 2(b) of the Charter; that sections 20(b) and 20(m) of the Act did not authorize the Organization to disclose the Complainant’s personal information without consent; and that the Organization disclosed the Complainant’s personal information contrary to section 7(1)(d) of the Act.

Suing for privacy invasion

David Canton's regular Canoe.ca and London Free Press column this week discusses the movement toward recognizing the right to sue for invasion of privacy. See: eLegal Canton: Can we sue for privacy invasion?.

Winners security breach hits home

The Globe & Mail is reporting that significant fraud has been linked to the Winners information breach:

globeandmail.com: Winners security breach hits home

Thousands of Canadian credit-card holders have been victimized by fraud after a security meltdown at the U.S. parent company of retail chains Winners and HomeSense, according to sources in the financial community.

They suggested that number could rise as banks and other credit-card issuers continue to gather information on what has become one of the most high-profile privacy thefts in recent memory.

“We have seen fraud on some of those accounts that we can directly link back to [the breach],” said an official with one card issuer, who cautioned his company is still determining how many of its clients could be left vulnerable by the hacking incident. He added that issuers are directly contacting any customers whose cards appear to have been used fraudulently.

Privacy podcasts

I've recently subscribed to a couple of Podcasts about privacy. There aren't many out there, but these two have been really good so far:

If you know of any good privacy podcasts, please leave the details in the comments.

Privacy breaches and notification in Canada

Yesterday's weekly Globe & Mail law page had a good article on issues related to breach notification in Canada. It quotes three privacy lawyers with whom I've had the pleasure of serving on the CBA Privacy Section executive: David Young of Lang Michener, Michael Power of Gowlings and John Beardwood of Faskens. See: globeandmail.com: Privacy breaches.

Wednesday, January 24, 2007

This is staggeringly stupid and dangerous

A company has developed an RFID tattoo that has all the benefits of RFID implantation, but without the messy chip. The chip is replaced by a tattoo. The company is touting its benefits for traceability of the meat supply, but is also suggesting that it may be useful on soldiers:

Industrial Control Designline RFID Ink

... The ink also could be used to track and rescue soldiers, Pydynowski said.

"It could help identify friends or foes, prevent friendly fire, and help save soldiers' lives," he said. "It's a very scary proposition when you're dealing with humans, but with military personnel, we're talking about saving soldiers' lives and it may be something worthwhile."

I can't imagine anything more dangerous than tagging all soldiers with a tracking device that may be hacked by the other side. Instead of saving lives, it may result in wholesale destruction. I wonder how long it would be before we saw RFID-activated IEDs? Not long, I expect.

Thanks to Schneier for the link.

Settled Case summary #27: Clinic discloses client information when trying to collect a debt

The Privacy Commissioner of Canada has released a summary of a recently settled case, in which a dental clinic disclosed the fact that a patient's account was in arrears to another patient who had referred the first:

Settled Case summary #27: Clinic discloses client information when trying to collect a debt (May 16, 2006)

Complaint

An individual complained that her dental clinic disclosed information about her overdue account to the person who had referred her to the clinic.

Outcome

The complainant noted that she had been in hospital and in respite care for several months, and thus did not receive the invoices sent by the dental clinic. When the invoices remained unpaid, the clinic telephoned the client who had made the referral in order to determine the complainant’s whereabouts. The clinic confirmed that it had not only asked the client how it could reach the complainant, but it had also disclosed that her bill was overdue, the amount owing, and that it would be sent to collections unless paid.

The clinic acknowledged that the disclosures went against its privacy policy, and that it should only have requested contact information. In the course of investigating the complaint, the clinic and the complainant agreed to a monetary settlement which also included a letter of apology to the complainant.

The OPC and the complainant agreed that in light of the settlement the matter should be considered settled.

Anne Cavoukian's perspectives

The Winter 2007 edition of the Ontario Information and Privacy Commissioner's Perspectives was just released. It includes a look at some of the major projects relating to privacy or freedom of information that her office has been working on.

The newsletter also contains reviews of recent significant orders issued under the Freedom of Information and Protection of Privacy Act, the Municipal Freedom of Information and Protection of Privacy Act, or the Personal Health Information Protection Act, information about recent IPC publications, upcoming presentations and more.

Tuesday, January 23, 2007

Live in NJ? You apparently have a right to online privacy

Wired's 27B Stroke 6 is reporting on an interesting decision from New Jersey in which an appeals court has held that internet users have a right to privacy in their "ISP Address" or "screen name". While the term "ISP address" is technologically incorrect, I'll leave it to others to comment on whether the decision is technically correct. See: WIRED Blogs: 27B Stroke 6: Jerseyites Have Right to Protect "ISP Address".

Tracked in America

The American Civil Liberties Union, along with a coalition of civil liberties groups, has put up an interesting web site with stories of state surveillance in America, from pre-WWI to post 9/11. Check it out: Tracked in America.

More info on the Canadian "no fly list"

CanWest News Service is running a very interesting feature-length report on the upcoming Canadian "no fly" list. Read the entire article ...

Canadian airline passengers will be kept under close scrutiny

Don Butler

CanWest News Service

Tuesday, January 23, 2007

OTTAWA - The RCMP and the Canadian Security Intelligence Service will be able to examine up to 34 pieces of information about everyone who flies in Canada under a comprehensive passenger screening program being developed by Public Safety and Emergency Preparedness Canada.

Among other things, the program will require airlines to gather and share the full legal name, date of birth, citizenship or nationality and gender of all passengers - information they don't currently collect for domestic flights.

The new program will affect about 90 million passenger trips a year, two-thirds of which are purely domestic.

The program is authorized under Section 4.82 of the Aeronautics Act, which gives CSIS and the RCMP the right to receive and analyse Advance Passenger Information (API) and Passenger Name Record (PNR) data from air carriers and operators of aviation reservation systems without a warrant.

API data is collected at check-in and includes name, date of birth, gender, citizenship or nationality and travel document information. PNR data is collected at the time of booking and includes information relating to a traveller's reservation and itinerary.

Section 4.82, added to the Aeronautics Act in 2004 when the Public Safety Act was passed but not yet in force, also authorizes CSIS and the RCMP to match passenger information against any other data under their control.

The Section 4.82 program ''is envisioned as the next step'' in a two-pronged strategy to use airline passenger information to combat terrorist threats, said Philip McLinton, a spokesman for Public Safety and Emergency Preparedness Canada.

The first step - Canada's new no-fly list - will be introduced in March for domestic flights and in June for international flights.

McLinton said it's ''impossible to speculate how 4.82 would impact the no-fly list. It's just too early to say.''

Since 2002, airlines flying to Canada from abroad have had to provide API and PNR data to the Canadian Border Services Agency, which analyses and risk-scores it to identify passengers who require further review on arrival in Canada. The agency doesn't get the information until flights have departed for Canada.

Under the Section 4.82 program, the collection and analysis of passenger information will dramatically expand. Airlines and operators of reservation systems will have to send passenger information to the RCMP and CSIS for all domestic and international flights. And they'll have to do so before flights depart.

The no-fly program, known as Passenger Protect, obliges airlines to vet the names of passengers against the no-fly list and notify Transport Canada if there is a match. That responsibility will shift to the RCMP and CSIS under the Section 4.82 program.

...

Section 4.82 also authorizes CSIS and the RCMP to disclose passenger information to other organizations or individuals to promote public safety. They include the minister of Transport, the Canadian Air Transport Security Authority, air carriers, airport operators and police officers. ...

It is unclear how, or even whether, the passenger information gathered under the Section 4.82 program would be shared with the U.S. and other allies. The feasibility study cites two issues with the PNR data that would be collected and shared under the Section 4.82 program.

...

Another issue is passenger information that is currently not collected during the reservation process, but is essential for the new Section 4.82 program to operate effectively.

Most important is full name, date of birth and gender, which the study says is ''widely viewed as the core set of information required'' to match existing law enforcement records. That information is not currently collected for domestic passengers, so regulations may be needed to make provision of that information mandatory.

''For domestic flights, if the government regulates a requirement for passengers to provide full name, date of birth and gender, the air carriers' view is that passengers would comply, and that air carriers would provide this data,'' the feasibility study says.

To avoid causing delays to the travelling public, the study also says swift and timely information flow is required that can take account of last-minute changes such as no-shows.

...

Ottawa Citizen

Here's the list of 34 pieces of information to be collected by airlines on everyone who travels on domestic or international flights flying in or out of Canada:

1. Surname, first name and initial or initials.

2. Date of birth.

3. Citizenship or nationality or, if not known, the country that issued the travel documents for the person's flight.

4. Gender.

5. Passport number and, if applicable, visa number or residency document number.

6. The date on which passenger name was first recorded with airline.

7. If applicable, a notation the person arrived at the departure gate with a ticket but without a reservation for the flight.

8. If applicable, the names of the travel agency and travel agent who made the person's travel arrangements.

9. Date airline ticket was issued.

10. If applicable, a notation the person exchanged their ticket for another flight.

11. The date, if any, by which a ticket for a flight had to be paid to avoid cancellation of the reservation; or the date, if any, on which the request for a reservation was activated by the air carrier or travel agency.

12. Airline ticket number.

13. Whether the flight is a one way.

14. If applicable, a notation the person's ticket for the flight is valid for one year and is issued for travel between specified points with no dates.

15. The city or country where the flight begins.

16. All points where a passenger will embark or disembark.

17. The name of airline.

18. The names of all airlines to be used on trip.

19. The aircraft operator's code and flight ID number.

20. The person's destination.

21. The travel date for the person's flight.

22. Any seat assignment on the person's flight selected for the person before departure.

23. Number of pieces of baggage checked by the person.

24. The baggage tag numbers.

25. Class of service (first class, business class, economy).

26. Any specific seat request.

27. The passenger name record number.

28. Phone numbers of the person and, if applicable, of the travel agency that made the arrangements.

29. Passenger's address and, if applicable, that of the travel agency.

30. How the passenger paid for the ticket.

31. If applicable, a notation the ticket was paid for by another person.

32. If applicable, a notation there are gaps in the passenger's itinerary that necessitate travel by an undetermined method.

33. Departure and arrival points, codes of the aircraft operators, stops and surface segments.

34. If applicable, a notation the ticket is in electronic form and stored in an aviation reservation system.

Publicity for Nova Scotia's Patriot Act blocker

Nova Scotia's Personal Information International Disclosure Protection Act has kept a pretty low profile as of late, but the Halifax Chronicle Herald has devoted a quarter page in its technology supplement to the legislation. It includes a fair amount of content provided by yours truly, but may have the effect of making Nova Scotians more aware of this important development.

Click on the image to download the article in PDF format.

This e-mail address will self destruct in ten minutes

I've had one of my e-mail addresses for almost ten years, but there appears to be a demand for email addresses that'll only last ten minutes.

Enter 10 Minute Mail.

Have you ever signed up for a service that required a "validation address", though they promised they'd never use it to send you junk? Woe betide the person who uses their most favourite, ten-year address for such a purpose. Use one that'll only last long enough to suit the purpose. From the site:

Welcome to 10 Minute Mail.

By clicking on the link below, you will be given a temporary e-mail address. Any e-mails sent to that address will show up automatically on the web page. You can read them, click on links, and even reply to them. The e-mail address will expire after 10 minutes.

Why would you use this? Maybe you want to sign up for a site which requires that you provide an e-mail address to send a validation e-mail to. And maybe you don't want to give up your real e-mail address and end up on a bunch of spam lists. This is nice and disposable. And it's free. Enjoy!

Get my 10 Minute Mail e-mail address.

When I launched 10minutemail.com, tons of forum admins decried the idea. They screamed that it would let spammers on to their forums, and that they wouldn't sell e-mail lists to spammers, etc...

A month goes by, and let's see what we have. My server used to get around 200-300 e-mail a day. In the past week it averaged 20,000-30,000 e-mail a day. Virtually all of those were to old (expired) 10minutemail.com accounts. Presumably virtually all spam.

30,000 a day!? This proves that the average person simply CAN'T trust a random site or forum with their real e-mail address. Are there some forums/sites that are trustworthy? Sure! Does the average net user have any ability to tell with certainty if a given site or forum will sell their e-mail address or spam them directly? Unfortunately not.

This drives home the importance of the service.

In order to save my server from the crushing spam, I've swapped out the e-mail domain to fificorp.com, and then fificorp.net, and will continue to swap out the e-mail domain on a regular basis. This will serve two purposes. One, it will save my server from dying under the flood of spam. Two, it will keep admins who block registrations by domain on their toes at least once a month.

One important thing to note ... In some cases you may want an address that lasts longer. For example, if you forget your password to a service, they'll often e-mail it to the address on file. With 10minutemail, you're outta luck. For those sites where longevity may matter, try the Fake Name Generator. They'll supply an e-mail address that you can read as long as you bookmark it.
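The ten-minute expiry, the mail that keeps arriving for long-expired addresses, and the domain rotation described in the post above, modelled as an added example (this is not 10minutemail.com's own code; the class and method names, the integer-second clock and the sample scenario are all assumptions constructed for the illustration):

```python
"""Model of a disposable-address service with a fixed lifetime.

Added example, not the service's real code. Timestamps are plain integers
(seconds) so the model runs deterministically offline.
"""
from dataclasses import dataclass, field
import secrets

TTL_SECONDS = 10 * 60  # the ten-minute lifetime the site advertises


@dataclass
class Inbox:
    address: str
    expires_at: int
    messages: list = field(default_factory=list)


class TempMailService:
    """One serving domain at a time; earlier domains are retired on rotation."""

    def __init__(self, domain):
        self.domain = domain
        self.retired_domains = set()
        self.live = {}        # address -> Inbox (kept until purged, even past TTL)
        self.expired = set()  # addresses whose TTL has passed and were purged
        self.stats = {"delivered": 0, "expired": 0, "unknown": 0, "retired_domain": 0}

    def issue_address(self, now, local_part=None):
        """Hand out a fresh address; a random local part unless one is given."""
        local = local_part or secrets.token_hex(4)
        address = f"{local}@{self.domain}"
        self.live[address] = Inbox(address, now + TTL_SECONDS)
        return address

    def rotate_domain(self, new_domain):
        """Move to a new domain (as the site did with fificorp.com, then fificorp.net)."""
        self.retired_domains.add(self.domain)
        self.domain = new_domain

    def read(self, address, now):
        """Web-page view: messages are readable only while the address is live."""
        inbox = self.live.get(address)
        if inbox is None or now >= inbox.expires_at:
            return None
        return list(inbox.messages)

    def deliver(self, address, subject, now):
        """Classify one incoming message the way the mail server sees it."""
        domain = address.rpartition("@")[2]
        if domain in self.retired_domains:
            outcome = "retired_domain"  # no longer served: never reaches an inbox
        else:
            inbox = self.live.get(address)
            if inbox is not None and now < inbox.expires_at:
                inbox.messages.append(subject)
                outcome = "delivered"
            elif inbox is not None or address in self.expired:
                outcome = "expired"     # an address once handed out: a leaked lead
            else:
                outcome = "unknown"     # never issued: guessed or dictionary spam
        self.stats[outcome] += 1
        return outcome

    def purge(self, now):
        """Drop inboxes past their TTL but remember that the address existed."""
        for address, inbox in list(self.live.items()):
            if now >= inbox.expires_at:
                self.expired.add(address)
                del self.live[address]

    def expired_share(self):
        """Fraction of accepted mail that went to expired addresses."""
        accepted = self.stats["delivered"] + self.stats["expired"] + self.stats["unknown"]
        return self.stats["expired"] / accepted if accepted else 0.0


def simulate():
    """Constructed scenario: one sign-up, then the mail that follows it."""
    svc = TempMailService("10minutemail.com")
    addr = svc.issue_address(0, "abc123")
    svc.deliver(addr, "Please validate your account", 60)   # delivered, readable
    svc.deliver(addr, "Unbeatable offer", 700)               # after expiry
    svc.purge(700)
    svc.deliver(addr, "Another offer", 86400)                # still counted as expired
    svc.deliver("nobody@10minutemail.com", "Hi", 86400)      # address never issued
    svc.rotate_domain("fificorp.com")
    svc.deliver(addr, "Yet another offer", 90000)            # old domain retired
    return svc.stats, svc.expired_share()


if __name__ == "__main__":
    print(simulate())
```
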

Monday, January 22, 2007

A call for Canadian breach notification

Michael Geist's latest Law Bytes column in the Toronto Star presses the case for mandatory breach notification in the wake of the recent TJX and CIBC privacy breaches. See: Michael Geist - Privacy Breaches Expose Flaws in Law.

Sunday, January 21, 2007

Colorado: No involuntary chipping

If you have been run out of Wisconsin and were thinking you'd while away the day wandering through Colorado, implanting RFID chips in unsuspecting citizens, think again. Colorado has joined the aforementioned cheesy state to make it a misdemeanor to require chipping of individuals. See: Rocky Mountain News - Bill would nip chips in humans.

There are still a few states left that haven't abridged the right to chip.

Thanks to Objective Justice for the link.

Surveillance evidence in arbitrations

If you have any connection to a unionized workplace or advise any party in such an environment, run -- do not walk -- to Michael Fitzgibbon's latest post: Thoughts from a Management Lawyer: A Breath of Fresh Air - Surveillance Evidence.

House bill would boost power of DHS privacy chief

If a current bill introduced in the US Congress is passed, the chief privacy officer will have expanded powers, including the ability to issue subpoenas and to report directly to Congress. See: House bill would boost power of DHS privacy chief (1/19/07).

Litany of small scale privacy breaches

Last week, Global Television's main news program aired a number of reports relating to privacy breaches at Canada Revenue Agency. This has led to a number of viewers contacting the TV network to report their own versions, involving Revenue Canada and others.

The Global Maritimes ran a report on Thursday about a woman in Nova Scotia who was repeatedly sent the credit card information, including the "secret code" for a cardholder in Ontario. When she informed them of the screw-up, they told her she was wrong and kept resending the info to her. When contacted by Global's reporter, the Ontario cardholder was furious that he had no idea that a woman in Bridgewater, Nova Scotia, could have gone to town on his Visa account and the company apparently never did anything to protect his account.

There are also a number of small scale breaches recounted as comments to the CRA breach story on the Global TV website:

Taxman moves to protect privacy

Australia's Attorney General presses India on privacy

Individual countries tend to leave each other alone in the area of law reform, privacy and data protection. So it is rather unusual that the Attorney General of Australia is pushing India's government to strengthen privacy in the outsourcing sector. Currently, NASSCOM (the Indian outsourcing advocacy group) is working on voluntary guidelines for data protection, which the Indian government says may be replaced with legislation if they are not robust enough. See: Australia's Attorney General presses India on privacy data .:. NewKerala.Com, India News Channel.

Thursday, January 18, 2007

Incidents: Rash of info breaches with Canadian connections

This has been a crazy week for privacy breaches in Canada and the week isn't over yet. I can't recall the last time I had so many media inquiries.

In addition to those below, I've been asked about two other incidents that will likely break in the next few days. (Since I heard about them from journalists, it would be rude to scoop them on the blog.)

Today we've heard of a significant announcement made by Talvest Mutual Funds:

Talvest Mutual Funds issues statement regarding missing back up computer file

MONTREAL, Jan. 18 /CNW/ - Talvest Mutual Funds today announced that a backup computer file containing client information has recently gone missing while in transit between its offices.

The backup file contained information relating to the process used to open and administer approximately 470,000 current and former Talvest client accounts and may have included client names, addresses, signatures, date of birth, bank account numbers, beneficiary information and / or Social Insurance Numbers. Talvest has retained original copies of their files on its secure website.

While Talvest has no evidence to suggest this backup file has been inappropriately accessed, the manager of Talvest Mutual Funds, CIBC Asset Management, has taken precautionary measures to protect its clients. These actions include:

  • Notifying all affected clients by letter.
  • Compensating any affected Talvest clients for monetary loss that arises directly from unauthorized access of personal information contained on this file.
  • Providing affected Talvest clients the opportunity to enrol in a credit monitoring service at no cost. This service will provide added security on client credit files at major Credit Reporting agencies.
  • Establishing a dedicated call centre and website to deal with any affected Talvest client inquiries.
  • Advising affected Talvest clients to regularly review activity on all their financial accounts and report any unauthorized activity immediately to their financial institution.
  • Working with the police to investigate this incident and retrieve this backup file.

"We are in the process of contacting affected Talvest clients by letter to advise them of this issue and to detail the steps we are taking to safeguard their information," said Steve Geist, President of CIBC Asset Management. "Although we have no evidence that the information contained in the backup file has been accessed in any way, we are acting out of an abundance of caution and want to assure our clients that we are taking all steps possible to address this matter. Any issue that causes disruption to our clients is of great concern to us and we regret the inconvenience this may cause our Talvest Mutual Fund Clients."

For more information on this matter, Talvest Mutual Fund clients are advised to visit www.talvest.com.

And with a report from the CBC:

CIBC loses data on 470,000 Talvest fund customers

CIBC Asset Management says a backup computer file containing information on almost half a million of its Talvest Mutual Funds clients has gone missing.

The company says the missing data was in a file that disappeared "while in transit between our offices." The file had personal and financial details on current and former clients of Talvest Mutual Funds, which is a CIBC subsidiary.

The information may have included client names, addresses, signatures, dates of birth, bank account numbers, beneficiary information and/or Social Insurance Numbers.

Talvest says there's no indication that the missing backup file has been "inappropriately accessed," but says CIBC will be taking a number of precautions.

"We are in the process of contacting affected Talvest clients by letter to advise them of this issue and to detail the steps we are taking to safeguard their information," said Steve Geist, president of CIBC Asset Management.

Computer fraud expert Thomas Keenan from the University of Calgary said there's good reason for the company to alert their customers. "Because what's on there [the missing file] is everything you need to know to do identity theft," he told CBC News.

The privacy commissioner of Canada, Jennifer Stoddart, announced that she is launching an investigation.

"Although I appreciate that the bank notified us of this incident and that it is working co-operatively with my office, I am nevertheless deeply troubled, especially given the magnitude of this breach, which puts at risk the personal information of hundreds of thousands of Canadians," Stoddart said in a statement.

Talvest has set up special phone lines for clients who want more information.

The report follows news of a potential corporate privacy breach that could affect as many as two million Visa credit card holders in Canada.

The owner of Winners and HomeSense stores warned Thursday that hackers gained access to its computer system and credit card numbers may have been improperly accessed.

Also, a breach involving TJX, the parent of TJ Maxx, Winners and Homesense, may have exposed the personal information of Canadian customers of that store:

globeandmail.com: Computer breach exposes TJX shoppers to fraud

SECURITY

Parent of Winners, HomeSense targeted

MARINA STRAUSS AND SINCLAIR STEWART

Tens of millions of credit card customers in Canada and the United States may have been exposed to fraud during a computer security breach at discount retailer TJX Cos., the U.S. parent of Winners and HomeSense.

TJX, which also owns T. J. Maxx and Marshalls, said yesterday it discovered the "unauthorized intrusion" in mid-December and has been working with police and security experts on both sides of the border to investigate the incident and tighten security procedures.

The retailer declined to say exactly how many customers are affected. But sources close to Visa said the company notified banks and other issuers last week that approximately 20 million of its cards around the world may have been involved. Some in the financial industry estimate the number in Canada could be as high as two million. It's not clear how many customers of other credit card companies have been left vulnerable.

The problem was tied to the computer systems that process and store information about customer transactions involving credit cards, debit cards, cheques and merchandise returns -- some of them going back to 2003. The Royal Canadian Mounted Police and the U.S. Secret Service have been called in to investigate.

"While TJX has specifically identified some customer information that has been stolen from its systems, the full extent of the theft and affected customers is not yet known," the Framingham, Mass.-based retailer said in a statement.

...

"I was stunned," said retail analyst John Chamberlain at Canadian Bond Rating Service. "That's not what you expect from a big retailer. You really expect that they would have stronger systems than that. You get to the point that you trust a retailer to keep that information."

Customers consider the shopping at TJX stores as a "treasure hunt," never quite sure what they'll find, he said. As a result, customers probably use plastic there more often because they don't always know how much they'll spend, he said.

Company officials didn't return calls. Their statement said the retailer kept the matter secret until yesterday at the request of law enforcement. The company said it promptly notified credit card companies and firms that process customer transactions.

An intruder grabbed information dealing with credit and debit card sales in TJX stores during 2003 and part of 2006, according to the company. However, a source said that the debit transactions were confined to the U.S. market. TJX has been able to identify "a limited number" of credit card and debit card holders whose information was taken.

Canadian banks are scrambling to assess the potential damage. Tania Freedman, a Visa spokeswoman, said the company is forwarding information to banks. "These accounts were potentially exposed, [but] not all accounts that are exposed will experience fraud," she said, adding that customers are protected by the card's zero-liability policy.

...

In Canada, TJX runs 184 Winners and 68 HomeSense stores.

Expect much more info to come...

Update (20070118): The Privacy Commissioner of Canada has initiated a complaint of her own accord related to the Talvest breach: Privacy Commissioner launches investigation of CIBC breach of Talvest customers' personal information.

Wednesday, January 17, 2007

Taxman moves to protect privacy

I was interviewed today for Global National's most recent report on privacy problems at the Canada Revenue Agency (our IRS, for my American readers). Since earlier reports on misdirected tax information, many more people have come out to report they have also been the unwitting recipients of information about other taxpayers. See: Taxman moves to protect privacy and also note the many comments in which others relate receiving others' personal information.

I think you can get the video of the feature here: http://video.canada.com/VideoContent.aspx?13750&vc=1&popup=1, but it seems hit and miss to me.

Bush administration to seek warrants for terrorism investigation wiretapping

In what appears to be a significant retreat from its previous position, the Bush administration is reportedly going to turn to the Foreign Intelligence Surveillance Court to remove the word "warrantless" from the controversial warrantless wiretapping program. AP, via ABC News: Secret Court to Govern Wiretapping Plan.

Data protection in Europe

I just got an e-mail from Dr. Jóri András, an ügyvéd (attorney) in Budapest, to let me know about his new online resource on European Data Protection. I've had a chance to check it out and I'm definitely bookmarking it. You can find it here: Data protection in Europe.

Here's the welcome message from the main page:

Welcome to www.dataprotection.eu!

There is much talk about the crisis of data protection legislation in Europe. I've been dealing with data protection law for seven years. I can still recall the atmosphere in the late 90s that was pervasive in the office led by the first data protection commissioner of Hungary. We were enthusiastic, our task was to make a new constitutional right known for the public. We were more members of a workshop, champions of the new constitutional right, than mere bureaucrats.

I am no longer involved in this work: for six years I've been helping my clients - companies and government agencies - in complying with data protection law, and sometimes I have the opportunity to contribute to the creation of legal instruments with data protection relevance. Standing on the "other side" my perspective is not the same, of course. From this point of view you can see what is hidden to civil servants: how hard it is - even with great efforts - to apply legal texts that have deficiencies, how important it is to formulate coherent, acceptable and consistent interpretations in this field of law, and what are the results (and costs) of a given decision by the data protection authority. On the "other side", one can think more freely, and can ask questions like "is informational self-determination worth its price?"; "is an institution organized following the ombudsman-model the best one to control the compliance with data protection law?". The answer is not necessarily "no" - but the arguments raised by the sceptics of data protection are sometimes worth the consideration.

Is data protection in crisis? Is informational self-determination just a toy for constitutional lawyers? Can it be reinvented to meet the challenges of the information age?

These are questions yet to be answered. My aim with this project - www.dataprotection.eu - is to carry out a comparative analysis of European data protection legislations, that can help the data protection community of Europe to answer them.

Saskatchewan PI fined for accessing police computer system

Last month, a Saskatoon private investigator pleaded guilty to charges stemming from unauthorized access to police databases at an RCMP detachment. A few years ago, the PI's firm was investigated for a similar incident in which 6 government employees were ultimately suspended. See: CBC - Private eye fined for accessing police computer system.

Thanks to PI Buzz for the link.

Tuesday, January 16, 2007

PIPEDA Review Transcripts

All the evidence to date in the statutory review of PIPEDA is up on the committee's website. Links are below for your convenience:

All meetings are of the ETHI committee; "Statutory Review of PIPEDA" below is short for Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA). Each Minutes and Evidence entry was a link on the committee's site.

Meeting | Date | Time | Study/Activity | Minutes | Evidence
25 | December 13, 2006 | 15:28 - 17:03 | Statutory Review of PIPEDA | Minutes of meeting 25 | Evidence of meeting 25
24 | December 12, 2006 | 09:31 - 10:20 | Certificate of nomination of Robert Marleau to the position of Information Commissioner | Minutes of meeting 24 | Evidence of meeting 24
23 | December 11, 2006 | 15:30 - 17:29 | 1. Statutory Review of PIPEDA; 2. Committee Business | Minutes of meeting 23 | Evidence of meeting 23
22 | December 6, 2006 | 15:33 - 17:29 | Statutory Review of PIPEDA | Minutes of meeting 22 | Evidence of meeting 22
21 | December 4, 2006 | 15:30 - 17:29 | 1. Statutory Review of PIPEDA; 2. Committee Business | Minutes of meeting 21 | Evidence of meeting 21
20 | November 29, 2006 | 15:30 - 17:02 | Statutory Review of PIPEDA | Minutes of meeting 20 | Evidence of meeting 20
19 | November 27, 2006 | 15:31 - 17:19 | Statutory Review of PIPEDA | Minutes of meeting 19 | Evidence of meeting 19
18 | November 22, 2006 | 15:48 - 17:28 | Statutory Review of PIPEDA | Minutes of meeting 18 | Evidence of meeting 18
17 | November 20, 2006 | 15:33 - 17:34 | 1. Statutory Review of PIPEDA; 2. Committee Business | Minutes of meeting 17 | Evidence of meeting 17

Law enforcement access to e-mail in the US

Today's Washington Post is running an interesting article on the unique legal regime in the US related to law enforcement / intelligence access to e-mail stored by third parties. A bit ...

The Legal Tangles Of Data Collection - washingtonpost.com

... E-mail is a slightly different matter. The law makes a distinction between intercepting e-mail in transit and obtaining stored e-mail from a service provider's servers. The distinction made sense in the 1980s and early 1990s when downloaded e-mail often sat only on the user's computer. If the government wanted the records, it had to go to the e-mail recipient.

These days, most e-mail is held and stored by third parties. So the government claims the authority to read someone's most intimate communications, including stored chat sessions, by serving a subpoena -- no probable cause required. A person may never even know that this has been done, as there is no legal requirement for an Internet service provider to provide notice. In most cases where the government subpoenas the e-mail, it demands that the third party keep that fact confidential, at least for a while.

The same holds true for virtually any information held by a third party: phone company records that indicate who called you, when they called and how long the call lasted; Internet service provider records on what Web sites you visited, when and for how long; tollbooth records; security camera footage; records of emergency calls made from a car; supermarket purchase records. All that and more can be requested by the government with a search warrant, or sometimes with an administrative subpoena or other demand, frequently without judicial review ...

New Information Commissioner takes up post

Canada's new Information Commissioner, Robert Marleau, took up his post yesterday. You may recall that he was the interim Privacy Commissioner after George Radwanski's resignation until the current Commissioner's appointment.

From the Government of Canada news release:

Prime Minister Welcomes New Information Commissioner

15 January 2007

Ottawa, Ontario

Prime Minister Stephen Harper today welcomed Canada’s new Information Commissioner, Mr. Robert Marleau, whose appointment was recently approved by the Senate and the House of Commons. This appointment is effective January 15, 2007.

The Prime Minister took the opportunity to commend Mr. John Reid, who had been serving as Information Commissioner since August 1, 1999 and whose term expired on September 30, 2006, for the commitment, diligence, and professionalism he demonstrated during his tenure. The Prime Minister wished him well in his future endeavours.

The Office of the Information Commissioner was created in 1983 under the Access to Information Act - Canada’s freedom of information legislation. An agent of Parliament, the Information Commissioner oversees the implementation of the Access to Information Act by government institutions. The Information Commissioner investigates complaints from individuals who believe they have been denied rights under the Act. The Information Commissioner is also responsible for mediating between dissatisfied applicants and government institutions.

Biographical notes on Mr. Marleau are attached.

* * * *

ROBERT MARLEAU, B.A., D.U.

Robert Marleau served Parliament and the members of the House of Commons for 31 years, 13 of which were spent as Clerk of the House of Commons. Mr. Marleau left a rich legacy of achievement, including the guide book, House of Commons Procedure and Practice, which he co-authored with then Deputy Clerk Camille Montpetit.

During his parliamentary career, Mr. Marleau held several senior positions as an advisor to seven Speakers and to Members and Senators for nine Parliaments. A franco-Ontarian, Mr. Marleau is a graduate of the University of Ottawa, where he earned a B.A. in French Literature. He joined the House of Commons in 1970 as a Committee Clerk and went on to hold such positions as Clerk Assistant of the House of Commons and Deputy Secretary General of Parliamentary Relations. In July 1987, he was appointed Clerk of the House of Commons, and served in that capacity until July 2000.

From July 2000 until his retirement at the end of January 2001, he served as Senior Advisor to the Speaker of the House of Commons. On his retirement, the House of Commons made Mr. Marleau an Honorary Officer of the House by unanimous resolution. Following his retirement from the House of Commons, Mr. Marleau was Principal of RDM Consulting, a parliamentary consulting practice with work in Canada, Africa and the Caribbean. From July 2, 2003 until November 30, 2003, he was appointed to serve as Interim Privacy Commissioner.

Mr. Marleau is the recipient of an Honorary Doctorate degree from Ottawa University, his alma mater. He is a member of the Commonwealth Society of Clerks at the Table, the Association of Canadian Clerks at the Table, and the Canada/USA Association of Clerks and Legislative Secretaries.

Finding: PIPEDA access right exists during litigation

In a finding under PIPEDA published on the OPC website, the Assistant Privacy Commissioner of Canada found that an airline's obligation to provide an individual with access to his information continues to exist even if there is litigation pending between the applicant and the organization. See: Commissioner's Findings - PIPEDA Case Summary #352: Airline delays granting access to personal information, citing ongoing litigation (September 8, 2006).

It is also worth noting that the Commissioner's office had to commence an application before the Federal Court in order to get the airline to follow her recommendation.

Sunday, January 14, 2007

Secure your wireless surfing

Over the last little while, I've been using wireless more and more. When traveling, an unsecured hotspot is often all you can get. For access to my work resources, there's a secured VPN to keep things safe and sound, but what about the more mundane stuff?

By messing around, I've discovered that many of the sites you may use on a regular basis have secure alternatives. For example, instead of hitting GMail at http://www.gmail.com, try https://mail.google.com. Or for bloglines users, you can use https://www.bloglines.com/myblogs. When you're not sure of the security of your connection, check to see if there's an SSL version you can use. You never know ...
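The tip above comes down to two steps: rewrite the URL to its HTTPS form, then confirm the site really does answer over TLS with a certificate that checks out, rather than quietly falling back to plain HTTP. Here is a small script that does both; it is an added example, not code from the original post, and it uses only the Python 3 standard library. The hostnames in the usage block are the ones mentioned above; whether they serve HTTPS today is whatever the live check reports, and `https_available` reports False for anything it cannot verify.

```python
"""Check whether a site offers an HTTPS endpoint with a valid certificate.

Added example (not from the original post). Uses only the Python 3
standard library; the hostnames in the usage block are assumptions taken
from the post, not a tested list.
"""
import socket
import ssl
from urllib.parse import urlsplit, urlunsplit


def to_https(url: str) -> str:
    """Rewrite a plain-HTTP URL to its HTTPS form; HTTPS URLs are returned unchanged.

    Only the scheme changes. The host is kept as written, so the caller still
    has to confirm the host actually serves HTTPS (see https_available).
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        return url
    if parts.scheme != "http":
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    # Drop an explicit :80 port; HTTPS uses 443 by default.
    netloc = parts.netloc
    if netloc.endswith(":80"):
        netloc = netloc[:-3]
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def https_available(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Return True if `host` completes a TLS handshake with a certificate that
    chains to a trusted CA and matches the hostname.

    A successful handshake means a passive listener on the hotspot sees only
    ciphertext for this connection. Any failure (nothing listening on 443,
    self-signed certificate, hostname mismatch, timeout) returns False rather
    than falling back to HTTP, because a silent downgrade to plaintext is
    exactly the failure mode this check exists to catch.
    """
    context = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (OSError, ssl.SSLError):
        return False


if __name__ == "__main__":
    # Hostnames from the post (assumed); results depend on the live sites.
    for url in ("http://www.gmail.com", "http://www.bloglines.com/myblogs"):
        secure = to_https(url)
        host = urlsplit(secure).hostname
        status = "verified HTTPS" if https_available(host) else "no verified HTTPS"
        print(f"{secure} -> {status}")
```

`ssl.create_default_context()` is what makes this a real check: it loads the system CA store and enables hostname verification, so a hotspot that intercepts port 443 and presents its own certificate fails the handshake instead of being reported as "secure".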

UK intelligence outsources terror alert service to US direct marketing company

People who want to stay on top of the UK terror alert level can sign up to receive periodic e-mail updates from MI5. Sorta but not quite, since MI5 has outsourced managing the e-mail service to an American company. See: MI5 terror alert blunder sends private data to US mailshot firm | the Daily Mail.

This is not a disaster, but clearly the UK intel folks didn't think about the perception of doing things this way.

What's the lesson here? When you are dealing with personal information, think about every facet of how the service is being offered and how it may be perceived.

Update (20070117): According to Spy Blog, MI5 is now handling its email subscriptions in-house.

Military and CIA seeking access to financial info of US residents

The New York Times, always on the leading edge of reporting in this area, is reporting that US military intelligence is expanding its role in domestic intelligence gathering. It, and the CIA, have been using non-compulsory letters to get access to financial information on residents of the United States. Perhaps more troubling from a privacy point of view is that most recipients of these letters volunteer the info. Check it out: Military Is Expanding Its Intelligence Role in U.S. - New York Times.

In related news, changes to an American army manual have raised concerns that the Army also takes the position that warrants are not required for domestic wiretapping. See: Deletions in Army Manual Raise Wiretapping Concerns - New York Times.

Update (20070114): On Fox News Sunday, VP Dick Cheney says the practice isn't illegal:

Cheney: Credit checks aren't illegal - Yahoo! News

"The Defense Department gets involved because we've got hundreds of bases inside the United States that are potential terrorist targets," Cheney said.

"The Department of Defense has legitimate authority in this area. This is an authority that goes back three or four decades. It was reaffirmed in the Patriot Act," he said. "It's perfectly legitimate activity. There's nothing wrong with it or illegal. It doesn't violate people's civil rights."

The Pentagon and the CIA, to a lesser extent, have used this little-known power, officials said. The FBI, the lead agency on domestic counterterrorism and espionage, has issued thousands of such letters since the attacks of Sept. 11, 2001.

Saturday, January 13, 2007

Stop the secret skimmers

Engadget featured an interesting product this week that you can put in your wallet or attach to your cell phone to supposedly thwart would-be skimmers from gaining access to the data on contactless (read: RFID) cards. See: Elecom intros skim prevention kit for wallet, cellphone - Engadget.

Friday, January 12, 2007

Privacy Commissioner's contributions program - Round four

The Office of the Privacy Commissioner of Canada has today launched the fourth round of its contributions program:

News Release: Privacy Commissioner's Office launches fourth annual privacy research program (January 12, 2007)

News Release

Privacy Commissioner's Office launches fourth annual privacy research program

Ottawa, January 12, 2007 – The Privacy Commissioner of Canada, Jennifer Stoddart, announced today the renewal of funding for privacy research through her Office's 2007-2008 Contributions Program.

"It is with great enthusiasm that I announce the launch of this program early in 2007, so that privacy experts and researchers can contribute to enriching the program of the 29th International Conference of Data Protection and Privacy Commissioners, which I am proud to be hosting in September 2007, in Montreal. The event is an excellent opportunity to showcase the wealth of knowledge and expertise we have here in Canada in the field of privacy protection. The conference will also help crystallize Canada’s leadership in this area."
 
Officially launched in June 2004 to further the development of a national research capacity in Canada, the Contributions Program was set up to catalyze independent research in Canada in areas that have been identified as priorities by the Office. According to a leading privacy expert, Professor Michael Geist, "the OPC’s privacy research program has been applauded by the research community and privacy experts as vital to galvanizing action on the broad spectrum of issues that have an impact on privacy".

Professor Geist is a law professor at the University of Ottawa where he holds the Canada Research Chair in Internet and E-commerce law. He is also a nationally syndicated columnist on technology law issues and the author of the Canadian Privacy Law Review.

This year, the Program will have three separate streams for which the Office of the Privacy Commissioner of Canada (OPC) is encouraging the submission of separate proposals:

Stream 1: Research proposals

In line with its plans and priorities for 2007-08, the OPC is interested in funding research in three core areas:

  • The protection of personal information on the Internet;
  • The challenges inherent in secure identification or authentication of individuals and entities; and
  • The intersection of the public and private sectors with regard to use and protection of personal information.

While the OPC is particularly interested in funding research in the above-noted areas, it should be noted that it will also consider requests to fund research on issues that fall outside of these. 

Stream 2: Research results workshop

One of the goals of the Contributions Program is to promote the awareness of different privacy research activities in Canada, with a view to reinforcing a broader public education agenda.  In order to promote this goal, the OPC has allocated part of this year’s funding to the organization of a workshop to engage many of the researchers who have been funded under the Program in previous years. 

Stream 3: Coordination and planning of a civil society workshop

This year, the Office is hosting the 29th International Data Protection and Privacy Commissioners Conference.  At many past conferences, the dialogue has been greatly enriched by the presence of civil society representatives, from human rights workers to privacy advocates, civil liberties organizations to consumer representatives.  These groups, however, are chronically under-funded.  The OPC has therefore set aside funds under this year’s Program to assist these groups in organizing a workshop one day before the international conference.

Projects must be completed within the fiscal year in which the funding was provided. The deadline to submit applications for streams 1 and 2 is February 19, 2007. The deadline for stream 3 proposals is January 29, 2007.
  
Links to the projects completed under the previous Contributions Programs are available on the OPC Web site at http://www.privcom.gc.ca/information/cp/index_e.asp.

The Office of the Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of the privacy and protection of personal information rights of Canadians.

Nova Scotia's new FOIPOP review officer

As of February 5, 2007, Nova Scotia will have a new review officer under the Freedom of Information and Protection of Privacy Act:

News Release: Department of Justice

New FOIPOP Review Officer Appointed

Department of Justice

January 11, 2007 8:20
Dulcie McCallum, former Ombudsman for the Province of British Columbia, is Nova Scotia's new Freedom of Information and Protection of Privacy Review Officer.

Ms. McCallum will oversee how provincial and municipal governments protect the privacy of Nova Scotians and respond to requests for access to information.

"I'm pleased that Ms. McCallum has agreed to take on this important role," said Justice Minister Murray Scott. "The courts have recognized our legislation as being among the most open, progressive information and privacy laws in the country. Ms. McCallum brings tremendous expertise and knowledge to this office, particularly in the areas of the rights of persons with disabilities and children, constitutional matters and justice issues."

Ms. McCallum received her law degree from the University of Victoria and has expertise in administrative and human rights law. Over the past 30 years, Ms. McCallum has held positions in private practice and in the public sector. She was Ombudsman for the Province of British Columbia for seven years, until 1999. Since then, Ms. McCallum has worked for government and a number of organizations, including serving as a representative on the Canadian Delegation to the United Nations to draft the new UN Convention on the Rights of Persons with Disabilities.

"I am thrilled to be named the new FOIPOP Review Officer and am ready to serve Nova Scotians in this important office," said Ms. McCallum. "I moved to rural Nova Scotia just over a year and a half ago from Victoria, British Columbia.

"Living in Sherbrooke has been one of the most rewarding times of my life. This new opportunity, which will enable me to work throughout the province to ensure citizens' rights of access and privacy are respected, is both a great honour and privilege."

The review officer is an independent ombudsman appointed by the Governor in Council for a term of five to seven years. The review officer will accept appeals from people and organizations who are not satisfied with the response they received from government departments or other public bodies such as hospitals, universities and school boards.

The review officer may make recommendations to the public body. The public body must respond in writing to the report. If the applicant, or a third party, is not satisfied with the outcome of a review, an appeal may be made to the Supreme Court of Nova Scotia.

The selection process for a new review officer was led by the Public Service Commission. An independent selection advisory committee, chaired by Auditor General Jacques Lapointe, recruited candidates for the position. The committee reviewed 70 applications and interviewed six candidates.

Ms. McCallum will assume office on Feb. 5.