Saturday, June 30, 2007

OECD sets international privacy cooperation framework

According to the (via the Register: International effort on privacy protection is launched The Register), the member states of the Organization for Economic Cooperation and Development have agreed upon a framework for international cooperation in privacy investigations. Each country will provide a point of contact for requests for assistance and standard reporting/request forms are in development. The OECD's 11 page recommendation is here: OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy

The effort was led by our own Jennifer Stoddart, Privacy Commissioner of Canada.

Facebook glitch may have exposed private information

Earlier in the week, Wired exposed a glitch in the Facebook architecture that may expose information that users had marked as "private". (Threat Level - Wired Blogs: Facebook Private Profiles Not As Private As You Think They Are -- UPDATED With Facebook Changes) For example, a lesbian in Halifax who had marked their profile as private would still appear in an advanced search of women who like women in that city. The glitch has been fixed. In a followup, Wired spoke with Facebook's Chief Privacy Officer, Chris Kelly, who had some provided some insight into the company's privacy outlook:

Threat Level - Wired Blogs

Facebook Fixes Search Glitch, Explains Privacy Strategy

...Kelly, who became the social networking site's privacy officer in September 2005 after a stint as the original general counsel, hopes instead to mimic the social protections in real world interactions, where it might be possible to find out through normal social channels what neighborhood a person lives in, but not learn their exact address, for instance.

Kelly contends that 100 percent of Facebook users avail themselves of the site's privacy features since users are visible only to members of groups that they join or to their friends. Some 20 percent tweak these setting using Facebook's fine-grained privacy settings page, according to Kelly.

"To me that shows that despite what some people say who want to assert that privacy is going away, we think users care a lot about privacy and control and we aim to give them a lot of privacy and control," Kelly said.

Despite a minor coding glitch that might have caused some serious disclosure of private information, I do think that Facebook has gotten the privacy thing right. I haven't seen any other online service that provides users with such fine-grained control over their personal information.

Thursday, June 28, 2007

Privacy Commissioners call for suspension of no-fly list pending reforms

The Federal and Provincial Privacy Commissioners are meeting in Fredericton this week. About an hour or so ago, they jointly released the following joint resolution calling for the suspension of the "Passenger Protect" program (aka no fly list).

Canada's privacy guardians call for comprehensive changes to no-fly list program

Federal-Provincial-Territorial Meeting of Privacy Commissioners & Ombudsmen

FREDERICTON, June 28 /CNW Telbec/ - Federal, provincial and territorial privacy guardians are united in calling on the federal government to suspend its new no-fly list program, Passenger Protect, until it can be overhauled to ensure strong privacy protections for Canadians.

The information and privacy commissioners and ombudsmen today issued a joint resolution outlining reforms urgently required for Passenger Protect. (The resolution is available on the web site of the Office of the Privacy Commissioner of Canada:

The Commissioners, who are meeting in Fredericton to discuss issues of common concern, also released the following joint statement:

The Passenger Protect Program involves the secretive use of personal information in a way that will profoundly impact privacy and other related human rights such as freedom of association and expression and the right to mobility.

We are particularly troubled that Canadians will not have legally enforceable rights of appeal, to independent adjudication or to compensation for out-of-pocket expenses or other damages. Commissioners and Ombudsman are unanimously of the view that the use of such lists in the interests of airline security should only occur in a manner consistent with Canadian values in the area of privacy protection.

It is alarming that Transport Canada has not provided assurances that the names of individuals identified on its no-fly list will not be shared with other countries. We do not want,to see, through the failure to take adequate safeguards,other tragic situations arise where the security of Canadian citizens may be affected or compromised by security forces at home or abroad.

There is a very real risk people will be stopped from flying because they have been incorrectly listed or share the name of someone on the list. There have been many cases with the US no-fly list where false positives have meant that even children and well-known public figures such as Senator Edward Kennedy have been questioned or denied boarding.

Being placed on the list has serious repercussions for people. This is particularly worrisome since Canada's federal public-sector Privacy Act is in critical need of reform and offers no adequate protection or remedies to address the privacy risks that inappropriate use of the no-fly list creates.

Until the government substantially overhauls Passenger Protect in order to address significant risks of the no-fly list to the privacy and other rights of Canadians, the program should be suspended. Alternatively, Parliament should ensure that the program functions under strict ministerial scrutiny with regular public reports to Parliament until a comprehensive public Parliamentary review is completed and reforms are made.

See also:

I happen to be in Fredericton as well and was interviewed by Global TV. You should be able to see it online here, if you're interested.

Wednesday, June 27, 2007

Adoptees challenge disclosure legislation

Ontario's new Adoption Information Disclosure Act is being challenged in the courts and it looks like those arguing in favour of privacy are facing an uphill battle: - News - Adoptees challenge disclosure legislation

"I'm not ready to buy those three words: right to privacy," said Justice Edward Belobaba, who noted earlier that the lawyers mounting the constitutional challenge on behalf of three adoptees and a birth parent "have the tougher job."

Google calls censorship number one trade barrier; threatens to shut down German Gmail

This is interesting. Apparently Google is threatening to shut down their German Gmail service because of German laws that require identity verification. The Economics of Content - Google Threatens To Shut German Google Mail; Blames Germany’s Own Privacy Laws

Google Threatens To Shut German Google Mail; Blames Germany’s Own Privacy Laws

By Robert Andrews - Mon 25 Jun 2007 03:52 AM PST

Google’s global privacy counsel Peter Fleischer has warned the company may have to close its Google Mail service in Germany - because new government legislation does not afford citizens freedom of speech. It’s audacious - Google this month agreed to curtail the length of time it keeps users’ search records after concerns from an EU data protection watchdog that last week announced it would expand its inquiry. Schooled partly in Munich, Fleischer spoke out on proposed justice department laws, designed to combat terrorism, that would compel services to identify users by matching data to names (see Wirtschafts Woche). But his comment appears to drive a wedge between the EU and one of its key member states: ”Many users around the globe make use of this anonymity to defend themselves from spam, or government repression of free speech ... If the web community won’t trust us with handling their data with great care, we’ll go down in no time.”

The statement makes Google look like it’s now standing up for users’ privacy - aside from the EU inquiry, the company was earlier savaged this month in a Privacy International report on data protection. Gmail has already had mixed fortunes in Germany - a German postal and email service operator who registered the trademark locally and across much of Europe in 2003 has repeatedly refused to grant Google the rights, prompting the search giant to rename it “Google Mail” as it has done in the UK. Google also let Germany out o last week’s YouTube localized launches; Hollywood Reporter attributed it to a failure to strike a copyright deal with the country’s GEMA authors’ rights society.

Update: Google is now countering web censorship threats using the language of commerce, by asking the U.S. to regard such limits as international trade barriers, AP reports. Andrew McLaughlin, Google’s director of public policy and government affairs: “It’s fair to say that censorship is the No. 1 barrier to trade that we face.” AP: “McLaughlin has met with officials from the U.S. Trade Representative’s office several times this year to discuss the issue.” USTR spokeswoman Gretchen Hamel: “If censorship regimes create barriers to trade in violation of international trade rules, the USTR would get involved.” So it’s easier to protect against censorship on economic grounds than it is on freedom of speech?

Frank Work headed to re-appointment

From the OIPC website:


" On Friday, June 22, 2007, the Standing Committee on Legislative Offices voted to recommend to the Legislative Assembly that Frank Work will be reappointed as Information and Privacy Commissioner for a term of 4 years."

Tuesday, June 26, 2007

MySpace posting good enough for cross-examination

In case you were wondering, you really shouldn't expect that anything you post on your MySpace page will be kept private. If you are in the middle of litigation alleging that you're disabled, don't post pictures of your skiing vacation.

This recent case from earlier this month in Ontario is, I think, the first Canadian case to mention MySpace. The defendants attempted to use info from the plaintiff's MySpace page as a basis for further discoveries.

Weber v. Dyck, 2007 CanLII 22348 (ON S.C.)

PDF Format

Date: 2007-06-12

Docket: 05-CV-4343CM


Weber v. Dyck

Ontario Master

Master L.A.M. Pope

Judgment: June 12, 2007

Docket: 05-CV-4343CM

Master L.A.M. Pope:

1 This action was scheduled for trial at a settlement conference held on December 1, 2006. The trial is number one on the trial list to commence the week of June 18, 2007. The defendants seek leave to bring this motion and for production from the plaintiff of information and documents pursuant to Rule 48.04(1). The information and documents relate to three activities of the plaintiff that took place subsequent to the plaintiff's examination for discovery on October 13, 2005.

2 The relief sought subparagraphs 1 (iv) and (v) of the Moving Party's Record are no longer in issue for the purposes of this motion.

3 This action arises out of a motor vehicle accident that took place on February 11, 2003 in which the plaintiff alleges that she sustained serious and permanent injuries to her left wrist and to her body, as well as emotional and psychic trauma. The action is governed by the Bill 59 insurance regime and as such the plaintiff has the onus to establish that her injuries meet the "threshold"; that is, that she has sustained a permanent serious impairment of an important physical, mental or psychological function within the meaning of section 267.5(5) of the Insurance Act in order for her to be entitled to damages.

4 At that time of her examination for discovery on October 13, 2005, the plaintiff was enrolled in year one of the Masters of Business Administration (Co-op) program ("MBA") at the University of Windsor. She testified at her examination that she earned part-time income by teaching piano and playing piano at weddings and other functions, what her plans were for employment after graduation and her vacation plans.

5 The following is the defendants' evidence that gave rise to this motion. The defendants learned that the plaintiff had a MySpace web page wherein she posted photographs of herself and announced certain information about herself. The undated photographs are of the plaintiff, for example, involved in what can be described as a somewhat physical activity in the Swiss Alps, in Paris, playing piano and at her graduation. The information exchange on the web page indicates that the plaintiff resides in Toronto and has a "new job." Further investigation revealed that the plaintiff worked as a Brand & Marketing Analyst for Level 5 Strategic Brand Advisors, that she recently completed her MBA specializing in marketing and international strategy and that she earned an ARCT (Associate of Royal Conservatory Teachers) designation. By letter dated March 30, 2007, the defendants requested production from the plaintiff of certain documents and information arising out of the information on the MySpace web page. Having received no response to that letter, Mr. Dycha wrote again to Mr. Leschied by letter dated May 2, 2007 and in that letter, Mr. Dycha added to his request for production additional documents and information.

Should leave be granted pursuant to Rule 48.04(1)?

6 The defendants seek leave to bring this motion for production pursuant to Rule 48.04(1) which provides that the consequence of a party setting an action down for trial or a party consenting to an action being placed on a trial list (as is the case here), is that the party shall not initiate or continue any motion or form of discovery without leave of the court. (emphasis added).

7 As this case is subject to the civil case management rules of Rule 77, it was placed on the trial list at the settlement conference held on December 1, 2006. There is no evidence that either party did not consent to the action being placed on the trial list. In my view, the consequences of placing a case managed action on a trial list are more serious than with a non-case managed case. This is evidenced by comparing the provisions of Rule 48.07 with subrules 77.14(2) and (4). The latter rules require a certification by the plaintiff that all examinations, production of documents and motions arising out of examinations and production of documents have been completed before the settlement conference date. Essentially, the parties who consent to an action being placed on the trial list declare that they are ready for trial. Subrules 77.14(2) and (4) support the purpose of the civil case management rules of reducing unnecessary cost and delay, facilitating early and fair settlements and bringing proceedings expeditiously to a just determination while allowing sufficient time for the conduct of the proceeding. In this case, the parties consented to the case being placed on the trial list with two exceptions as requested by the defendants and as ordered by Justice Nolan; firstly that the plaintiff deliver her x-rays by December 15, 2006, and secondly that the case be assigned an alternate trial date in the event the defendants did not have their expert reports by the June 18, 2007 trial list. The x-rays were delivered by the date ordered.

8 In order for the plaintiff to succeed in obtaining the right to further production of information and documents after a case has been placed on a trial list, they must first meet the requirements of Rule 48.04(1). The test for granting leave was aptly described by E.M. Macdonald J. in Hill v. Ortho Pharmaceutical (Canada) Ltd., [1992] 11 C.P.C. (3d) 236 (Ont. Gen. Div.) at 239, as follows:

The authorities make it clear that setting a matter down for trial is not a mere technicality of procedure. Before it can be vacated to permit any further discovery or other interlocutory proceedings, there must be a substantial or unexpected change in circumstances such that a refusal to make an order under s. 48.04(1) would be manifestly unjust.(emphasis added)

9 Plaintiff's counsel argues that the defendants were aware at the time of the mediation on July 26, 2006 and at settlement conference on December 1, 2006, that the plaintiff had graduated and therefore they should have brought this motion before agreeing to place the matter on the trial list. They further argue that given that the defendants consented to placing this matter on the trial list with the knowledge of the plaintiff's graduation, they should not be granted leave.

10 Firstly, there is no evidence before me of the above-noted allegations of the plaintiff. Secondly, it appears that Mr. Leschied provided Mr. Dycha with a copy of the plaintiff's transcript by letter dated December 20, 2006, several weeks following the settlement conference, (when the matter was placed on the trial list.) Moreover, the only evidence before me is that the defendants learned that the plaintiff had graduated on or about December 20, 2006, and that she had obtained a job and moved to Toronto when they discovered her MySpace web page. Therefore, it is my view that not only has the plaintiff had a substantial change in circumstances since this mater was placed on the trial list relating to her educational status, there has been a substantial change relating to her career, employment status and her place of residence. Albeit not all of these changes could be considered unexpected given her educational status at the time of her examinations for discovery, the test for leave does not require that the change in circumstances be substantial and unexpected. Therefore, I find that because there has been a substantial change in circumstances of the plaintiff since placing this matter on the trial list, it would be manifestly unjust in these circumstances not to grant leave for the defendants to bring this motion.

Rule 48.04(2)(b)(i) exception

11 The defendants submit that this motion falls within the exception set out in subrules 48.04(2)(b)(i). That rule provides that notwithstanding this matter being placed on the trial list, the plaintiff has a continuing obligation, pursuant to Rule 30.07, to disclose further relevant documents that come into her possession after serving an affidavit of documents or discovers that the affidavit is inaccurate or incomplete. If the plaintiff fails to make production of relevant documents she will be subject to the consequences set out in Rule 30.08. Rule 1.03 provides that a "document" includes data and information in electronic form.

12 The exception allowed in Rule 48.04(2)(b)(i) relates to subsequently discovered documents. The reason for this exception was explained by Master Dash in White v. Winfair Management Ltd., (2006) 16 C.P.C. (6th) (S.C.J.) at 48 as follows:

If a document is discovered and produced by the defendant after the plaintiff has completed his oral and documentary discovery and set the action down, it would constitute an unexpected change in circumstance that could mandate leave for further discovery thereon.

13 The defendants have requested the following documents:

1. a copy of the plaintiff's file from any employment placement agencies;

2. a copy of the plaintiff's current employment file and contact information relative to her immediate supervisor and individual in charge of Human Resources;

3. all photographs and video recordings from trips.

14 The defendants clarified that they were only seeking these documents for the last year and a half.

15 The first two documents set out above were not in the plaintiff's possession at the time of her examination for discovery on October 13, 2005 because they would have been created as a result of her graduating in the summer of 2006 and her subsequent job search. I am inclined to order production of these documents given the change in circumstances in the plaintiff's employment status and the fact that her income and job responsibilities are relevant to the threshold issue and the assessment of damages. Furthermore, there is no evidence before me that the defendants were aware that the plaintiff had graduated and/or had obtained a job at the time of the settlement conference on December 1, 2006. In fact, the plaintiff's evidence is that she did not provide the defendants with a copy of her transcript until December 20, 2006, following the settlement conference, as evidenced by Mr. Lescheid's letter of that date.

16 Regarding the third request above, clearly the photographs and video recordings requested were not in the plaintiff's possession at her examination for discovery such that the defendants could have requested them. The defendants urge me to grant the order based on the reasoning of the Master in the British Columbia case of Watt v. Meier , 2005 CarswellBC 3302 (S.C.) wherein it was the Master's opinion that in the hypothetical case where the main issue were a broken leg, where the plaintiff was claiming a significant disability and the defendant wanting to challenge the extent of the disability, then it would seem inherently possible that photographs from a vacation, where you may find somebody swimming or playing beach volleyball or all sorts of activities traditional on holidays, might be highly relevant to the question of the degree of a broken leg disability. I agree with the Master's reasoning; however, based on the reasons for my decision which follow, I have distinguished the Master's hypothetical case.

17 The defendants also rely on another case from the British Columbia Supreme Court of Tupper (Guardian ad litem of) v. Holding, [2003] B.C.J. No. 216wherein the plaintiff was ordered to produce vacation photographs. In that case the plaintiff sought damages for loss of her ability to enjoy life. The court stated that the documents sought include photographs of the plaintiff on vacation, posing or sitting with friends on the beach, and in front of various tourist sites; that is, they show her enjoying life. The court held that it was reasonable to conclude that the vacation photographs may assist the defendant in its defence of the plaintiff's claim. In both this case, as well as the Watt case, the motions were brought before the actions were set down for trial; therefore, the test for leave was not an issue before those courts.

18 I decline to order production of the photographs and video recordings for several reasons. Firstly, the parties consented to this action being placed on the trial list; therefore, they were deemed to admit that they were ready for trial. Secondly and more importantly, the defendants did not request production of the plaintiff's photographs and video recordings of her trip to Vancouver which she took the year before the examination. I fail to understand how the defendants would be entitled to photographs and video recordings of trips the plaintiff took after her examination for discovery when they did not see the relevancy in seeking production of photographs and video recordings of her pre-examination trips. The change in circumstances of the plaintiff relate to her career and employment status and has no relationship to her ability to travel which she testified to the fact that her injuries do not impact on her ability to travel. Lastly, the defendants have several images of the plaintiff from her MySpace web page with which they can cross examine the plaintiff at trial. This appears to be a form of further discovery to which the defendant is not entitled.

Rule 48.04(2)(b)(iv) exception

19 The defendants submit that this motion falls within the exception set out in subrule 48.04(2)(b)(iv). That rule provides that subrule (1) does not relieve a party from any obligation imposed by Rule 31.09 to correct answers given at an examination for discovery notwithstanding that the case was placed on the trial list. They further submit that in addition to the threshold issue at trial, another issue will be to what extent, if any, the plaintiff's avocational pursuits have been affected by her alleged injuries.

20 The information sought by the defendants is as follows:

1. a list of places the plaintiff sought employment;

2. details of the plaintiff's piano performances and piano lessons including sufficient details to identify and locate the persons for whom the plaintiff performed, along with the amounts received in compensation for services;

3. details of the plaintiff's travels for recreation or otherwise including particulars engaged in during her travels.

21 The defendants clarified that they were only seeking the above information for the last year and a half.

22 The questions and answers at issue are as follows:

Re: Career goals

154. Q. What's your ultimate ambition in terms of a career?

A. I'd like to get into international marketing, work for an international firm.

155. Q. Well, what do you mean by "international marketing"?

A. Global brand strategy.

156. Q. Okay. I'm going to guess that in order to do that you're going to have to potentially move from the city?

A. Yes.

157. Q. And do you have any objection to doing that?

A. No.

Re: Travel since the accident

377. Q. And have you had to travel anywhere since the accident for recreation or otherwise?

A. yes. I've travelled --

378. Q. (Interposing) Where have you been?

A. -- last September. I went to Vancouver last September.

Re: Piano

45. Q. Right, and the material that we've been given indicates that you also like to play piano. You teach piano --

A. (Interposing) I teach piano part-time.

387. Q. And you've got, you're still teaching the kids, right?

A. Correct.

388. Q. And how many hours?

A. Between 12 and 15. It's three, three evenings a week.

23 There is no evidence before me to suggest that these answers were not correct or were incomplete when given and that any time thereafter they became incorrect. Certainly certain aspects of the plaintiff's life have changed since her examination but that alone does not mean that her answers were incorrect or incomplete when made on October 13, 2005.

24 In particular, regarding the request for a list of the places the plaintiff sought employment, it is my view that notwithstanding the fact that there has been a substantial change in circumstances, this information is not relevant to any of the issues in this action therefore it is not to be produced. Regarding the requests for production of information about the plaintiff's piano performances, piano lessons and trips, I refuse to grant these orders because it can hardly be said that the defendants are now entitled to this information when they failed to ask for the same information for the period of time prior to the examination for discovery. To order production of this information would constitute a further form of discovery to which the defendant is not entitled.


25 Both parties filed Cost Outlines, however neither of them were complete in failing to specify the partial indemnity rate and actual rate or any of the points listed which are to be made in support of the costs sought. Both counsel attached a billing statement; however, a billing statement is not a substitute for setting out the partial indemnity and actual rates. These rates are some of the considerations in determining the cost order and without them an appropriate amount for costs cannot be determined. The Court cannot be expected to extrapolate the hourly rates from the billing statement and then calculate the partial indemnity rates. As the Costs Outlines were essentially useless for the purpose intended by the Rules, and given that the defendants were successful, at least in part, with their motion, costs are fixed at $750.00 payable by the plaintiff and the defendants forthwith.


26 There shall be an order as follows:

1. The plaintiff shall produce the following within 7 days;
a) a copy of the plaintiff's file from any employment placement agencies; and

b) a copy of the plaintiff's current employment file and contact information relative to her immediate supervisor and individual in charge of Human Resources;

2. Costs to the defendants fixed in the amount of $750.00 payable forthwith.


Monday, June 25, 2007

US Appeals Court holds that law enforcement need a warant to search e-mail

According to Wired, the Sixth Circuit Court of Appeals last week held that portions of the Stored Communications Act violate the Fourth Amendment and that law enforcement requires a warrant to review e-mails stored on a third party's server: Threat Level - Wired Blogs - Appeals Court Says Feds Need Warrants to Search E-Mail.

Friday, June 22, 2007

Names of defaulted student loan debtors sent in mass e-mail

I got a call yesterday from Lindsay Jones of the Halifax Daily News (Canada's top journalist) to discuss an interesting sitution that has popped up here in Nova Scotia. It appears that an e-mail was sent out to hundreds of defaulted student loan recipients to advise that their case officer was changing. Whoever hit the send button didn't notice that everyone was on the "TO:" line, so each receipient also got a list of all the other defaulted debtors. Not good form.

Of course, the e-mail was forwarded to the Halifax Daily News and the rest is history... (I understand that a journalist from another publication was on the list.)

I've been saying for years that security and safeguards are probably the most important principles in any privacy plan. You won't be on the front page of the newspaper for having a confusing privacy policy or for using opt-out consent instead of opt-in. But if you have a security breach like this, the odds are that you're in for a rough ride.

(Also interesting: part of the response is a hotline for personal apologies.)

Here's Lindsay's article:

Halifax, The Daily News: News Names of student-loan defaulters sent in mass e-mail

Last updated at 7:32 AM on 22/06/07


The Daily News

An embarrassing breach of personal privacy has led to policy changes at the provincial government department that deals with student loans.

Full names, and in many cases workplaces, were inadvertently disclosed in a mass e-mail sent by a Service Nova Scotia and Municipal Relations collection officer.

The subject line of the June 8 e-mail said "Defaulted Nova Scotia government guaranteed student loans - new contact name."

The e-mail was to inform the employee's clients that she had been reassigned.

Ian Daye, whose name appeared on the list, is annoyed at the lack of discretion.

"It's just: 'You have student loan problems. And here's a list so you can see who else has student loan problems.' This really isn't right, as far as I'm concerned," said the 33-year-old, who works for Research In Motion.

"It's something that should've been done in confidence," Daye added. "It's not really very professional of her to put everyone's addresses out there."

Some of the e-mail addresses on the list belonged to people who work in government offices, banks and local businesses.

Canada's top privacy lawyer said the e-mail is a "highly embarrassing" violation of the freedom of information and protection of privacy (FOIPOP) act.

"People's financial information is some of the most sensitive information out there," David Fraser of Halifax said.

"It really needs to be protected with measured safeguards that are appropriate to the sensitivity of the information."

Fraser said people have the right to complain to the provincial FOIPOP office, though there's no legislation for redress.

"The bigger thing is likely the embarrassment for those individuals whose information was released into the wild," he said.

While accidental privacy breaches do sometimes occur, Fraser said it's also embarrassing for the government that an employee allowed this to happen.

A spokeswoman for Service Nova Scotia and Municipal Relations said steps were taken the day after the email went out to ensure no mass communication of this nature would happen again.

"Every employee that deals with clients has received education about the ongoing importance of protecting personal information," Donna Chislett said.

The computer system for student loans is being revamped to prohibit staff from sending such mass e-mails, she added.

About one third of the e-mails were returned as undeliverable mail.

"It was certainly done inadvertently and it was an oversight. We do apologize for that," Chislett said.

Staff are providing personal apologies and explanations of the privacy breach to anyone with concerns; call 494-4961 for details.

Thursday, June 21, 2007

Transport minister responds to critical coverage of no-fly list

In the wake of some critical comments in recent news coverage, the Minister of Transportation has an op-ed piece in today's Chronicle Herald.

Nova Scotia News -

Program protects safety, respects rights


In view of recent articles on the introduction of the Passenger Protect Program in Canada on Monday, I would like to clarify some issues.

I must stress, in particular, that Passenger Protect relates to individuals who may pose an immediate threat to aviation security. The program will enable government law-enforcement and security organizations, working with Transport Canada, to alert air carriers to individuals who may pose a threat to a flight, in order to prevent boarding and unlawful interference during the flight that could endanger the general public, passengers and crew.

Such an individual is identified under strict guidelines. It can be someone who is or has been involved in a terrorist group, for example, or an individual who has been convicted of one or more serious and life-threatening crimes against aviation security.

The government began consulting with industry on passenger assessment in May 2004. The program was developed to include the privacy rights provisions needed and in consultations with different groups of the civil society: airlines, airports, police, labour representatives as well as civil liberties and ethnocultural groups. We continue to work with the Office of the Privacy Commissioner.

In short, the program has benefited from parliamentary and public scrutiny, and is based on public law. This government also has as a priority the privacy concerns of Canadians. To this end, we must be clear: Canada’s program has learned lessons from countries all over the world with respect to watch lists, and has taken necessary precautions. This is why the Canadians Specified Persons List took three years of parliamentary consideration, and two years of policy development.

In addition, Transport Canada has established an Office of Reconsideration to permit individuals to challenge a denial-of-boarding decision in a non-judicial, efficient manner. The office will be able to assist individuals to clear up ID issues, and provide a mechanism for review of a case by persons independent of those who made the original decision.

To address terrorism, we must learn from past events, assess evolving threats, and initiate efficient and effective programs that protect public safety and respect the rights of Canadians. Passenger Protect does just that.

I invite readers to get more information on the website, or by phoning 1-800-O-Canada (1-800-622-6232), ATS: 1-800-926-9105.

Lawrence Cannon is Canada’s minister of transport, infrastructure and communities.

Wednesday, June 20, 2007

French officials warned about Blackberry eavesdropping

This appears to be a non-story as messages using the Blackberry Enterprise Server are encrypted end-to-end, but who knows?

The fact that your employer can read the messages much more easily than the NSA may give pause for thought.

France warns officials on BlackBerry use - Yahoo! News

By JOHN LEICESTER, Associated Press Writer Wed Jun 20, 5:04 PM ET

PARIS - BlackBerry handhelds have been called addictive, invasive, wonderful — and now, a threat to French state secrets.

That, at least, is the fear of French government defense experts, who have advised against their use by officials in France's corridors of power, reportedly to avoid snooping by U.S. intelligence agencies.

"It's not a question of trust," French lawmaker Pierre Lasbordes told The Associated Press. "We are friends with the Americans, the Anglo-Saxons, but it's economic war."

Le Monde newspaper, which broke the story, described BlackBerry withdrawal among those who have given them up. "We feel that we are wasting huge amounts of time, having to relearn how to work in the old way," the daily quoted a ministry office director as saying.

E-mails sent from "Le BlackBerry" pass through servers in the United States and Britain, and France fears that makes the system vulnerable to snooping by the U.S. National Security Agency, Le Monde reported. The company that makes BlackBerrys, however, denies such spying is possible.

Lasbordes, who was commissioned in 2005 by then-Prime Minister Dominique de Villepin to look into such issues, said he alerted the government to this "weakness" months ago. He said he met with BlackBerry maker Research In Motion Ltd. to discuss the problem in the course of preparing his report on the security of French information systems.

The Canadian company "admitted that there was a certain fragility in the protection of information when you use the e-mail system" and promised it would be resolved, said Lasbordes, adding: "That was more than a year ago."

BlackBerrys pose "a problem with the protection of information" and "the risks of interception are real," Alain Juillet, in charge of economic intelligence for the government, told Le Monde.

Research In Motion insisted that BlackBerry e-mails cannot be read by the NSA or other organizations. The e-mails are more heavily encrypted than online banking Web sites, Research In Motion said in a statement.

"No one, including RIM, has the ability to view the content of any data communication sent using the BlackBerry Enterprise Solution," the company said.

The BlackBerry system has been accredited by security agencies in the United States, Australia, New Zealand, Austria and Canada, Research in Motion said, adding that a certification process is under way in the Netherlands and Germany.

In France, the circular on BlackBerries from the General Secretariat for National Defense applies in theory to all ministries, and "it's up to everyone to be responsible," Lasbordes said.

Another official in a major ministry who got rid of his BlackBerry following the order said authorities are looking at other types of hand-held computers to use instead.

The prime minister's office would not confirm that it and the presidential palace were included in the circular, as Le Monde reported. But a spokesman, Severin Naudet, cited the General Secretariat for National Defense as saying that no type of hand-held computer is risk-free.

"It's not a problem if you're writing to your mother-in-law," Lasbordes said. But "one can imagine a minister coming from a meeting of the G-8 or G-7, et cetera, or a meeting in Brussels, and he sends information to his colleagues. It goes via Canada and the United States and that's it, game over."

Suspicion goes both ways. At a Group of Eight summit in Germany this month, White House aides were instructed to leave their wireless e-mail devices behind, apparently for fear of Russian eavesdropping.

Counting eyeballs

This is a bit creepy and perhaps a harbinger of things to come. Check out the Eyebox, which apparently can detect and record when people look at stationary ads (or other things). I bet it could be coupled with a camera to snap a picture of the viewer. Via Metafilter, where you'll find some discussion, too.

Tuesday, June 19, 2007

No-fly list has an apparently smooth takeoff

With the no-fly list coming online in the last twenty-four hours, I haven't heard of any instances of people being excluded from flying on the first day. It will be interesting to see how it all shakes out.

I spoke with Chris Lambie of the Chronicle Herald yesterday morning and he spent part of the afternoon at the airport seeing how it went on. Here's his article:

Smooth lift-off for no-fly list -

Airline passengers seemed keen on heightened security

By CHRIS LAMBIE Staff Reporter

The federal no-fly list caused no problems Monday at Halifax Stanfield International Airport.

Passengers seemed keen on the idea of a list meant to screen out anyone who poses a potential threat to aviation security.

"As long as my name’s not on it, I’m happy," Mike Moir said as he waited for a flight back to Ontario.

"If the people are bad, I don’t want them on my plane."

The 67-year-old Hamilton, Ont., man was in Nova Scotia to work as an official for last weekend’s national canoe team trials on Lake Banook in Dartmouth.

The only dilemma he can see with the scheme to flag potentially dangerous flyers is if an innocent person has the same name as someone on the list.

"How many Smiths are there in the world?" Mr. Moir said. "If they just pick everybody with the same name, it could be a problem."

Still, he thinks the list is a necessity.

"With all the terrorism going on in this world nowadays, it’s a good measure."

Dawson Wentzell and his wife, Bethany, were waiting with their toy poodle, Bailey, to board a plane for Edmonton.

The list could prompt lawsuits against the federal government if people lose money because they couldn’t board flights due to name mix-ups, Ms. Wentzell said.

"If someone is delayed from work and this is the reason why, someone is going to get sued," she said.

They didn’t even think about the new security measure before checking in for their flight to Nova Scotia.

"We got up at 5 a.m. and believe me my mind wasn’t on lists," she said.

The couple from Daniel’s Harbour, N.L., wasn’t on the no-fly list and neither was their dog.

"God help us if he was," Ms. Wentzell said. "We’d really be in trouble then."

The no-fly list didn’t cause any problems at the facility, said airport spokesman Peter Spurway.

"If you didn’t know it was on, you wouldn’t know it was on," he said. "It has not made a single impact on our operations today or the operations of our partners in the airline business. I checked around a couple of times and it’s just been chugging along."

But David Fraser, a privacy lawyer in Halifax, won’t be surprised to hear from clients who suddenly discover their names are on the no-fly list.

"We’re likely to hear people are going to have some difficulty in Canada simply because of the way that these sorts of lists have to be structured in order to catch or include in them people with non-English or French names that have to be transliterated or made into English equivalents, and some of them can be common names," Mr. Fraser said. "So there’s probably a fair amount of wiggle room in the way that they match against peoples’ names."

The Specified Persons List, announced last fall, includes the name, birth date and gender of anyone who might pose an immediate threat to aviation security. Airlines that fly into and out of Canada must check the names of their passengers against the list.

"There’s really the opportunity that a whole bunch of people who aren’t actually on the list, just people who have similar names and similar birthdates and other identifying characteristics (as those) on the list," Mr. Fraser said.

"I think that there’s a good chance that people will be not allowed to fly based on that sort of confusion."

Travellers only find out their name is on the list when they try to check in and get a boarding card.

"Vacation plans can be ruined," Mr. Fraser said. "There’s no real accountability at that end for the real sort of negative impact that inclusion on this list might have."

Ottawa has refused to release the number of people on the list.

"There’s always a very delicate balance when you’re dealing with national security issues, Mr. Fraser said. "It’s a delicate balance between openness and necessary secrecy. I think the whole process needs to be done in sunlight.

"Everything related to the process of the inclusion criteria and how it’s actually applied and recourse that individuals might have to get off the list really needs to be completely open and transparent and subject to significant scrutiny.

"We are talking about a potential infringement on an individual’s constitutional right to travel within Canada and also the right to leave Canada. It’s right there in the charter that you have those rights. And many of those rights, in a country as large as Canada, can only be exercised by air travel."

Imam Jamal Badawi, professor emeritus of religious studies at Saint Mary’s University, said Muslims, including himself, often have problems flying in the United States, where a similar list is already in place.

"I’ve heard of many horror stories where a child, for example, five years old, they say, ‘No, his name matches the potential terrorist to look for,’ and still they have to go through the clearance (process)," Mr. Badawi said.

The Canadian Council on American-Islamic Relations has called on Ottawa to scrap the no-fly list until it fixes fundamental flaws in the program.

"Some people suspect that the lists made here in Canada may not totally be homegrown," Mr. Badawi said. "It’s quite possible also that, because of the co-operation between the intelligence agencies in both countries, that some of the names on the watch list in the U.S. might end up here on our lists in Canada."

That could make some Canadian Muslims reluctant to fly, he said.

"It’s part of the very unfortunate trend in the post 9-11 era that, in the name of security, there is a great deal of encroachment on privacy, a great deal of encroachment on civil liberties," Mr. Badawi said.

He doubts the list will make flying safer.

"Anybody intent on wrongdoing, they probably will find some other way of carrying out their plans," Mr. Badawi said. "But even if there is some slight improvement in security, what is the price? The worst scenario, really, is that democratic countries would move toward totalitarian regimes in the name of security."

Monday, June 18, 2007

Canadian no-fly list takes effect today

Canada's No-fly list takes to the skies today and the media is full of reporting on what are seen as the program's many shortcomings:
Critics raise alarms over Canada's no-fly list CBC Mon, 18 Jun 2007 4:19 AM PDT Canada's no-fly list comes into effect Monday as privacy advocates warn checking airline passengers' names against those of potential security threats could lead to abuses.

Critics raise alarms over Canada's no-fly list CBC via Yahoo! Canada News Mon, 18 Jun 2007 1:01 AM PDT Canada's no-fly list comes into effect Monday as transportation experts and privacy advocates warn that checking domestic airline passengers' names against a list of people deemed to be potential threats could lead to abuses.

'No-fly' list could blacklist innocents: critics Sun, 17 Jun 2007 6:53 PM PDT
Canada's no-fly list takes effect on Monday, and the anti-terror move has at least one human rights group warning it could create another Maher Arar-like case.

Biometric data could be linked to names on list
Vancouver Province Mon, 18 Jun 2007 0:27 AM PDT
OTTAWA -- The federal government has not ruled out eventually linking Canada's new no-fly list with technology that identifies travellers by biological features such as eye patterns or even DNA, says Transport Minister Lawrence Cannon.

Sunday, June 17, 2007

Privacy Commissioner subpoenaed to appear before Air India Inquiry

This is a bit odd. Jennifer Stoddart has been ordered to appear before the Air India Inquiry. Apparently she had informed the Commission of Inquiry that she had nothing further to say but subsequently gave a media interview that was critical of the Government's no-fly list.

It all sounds a little snarky:

Privacy chief called on carpet over no-fly list

Air India inquiry head John Major has ordered Canada's privacy commissioner to appear before him after she publicly criticized a no-fly list being implemented next week.

Mr. Major said yesterday that his Ottawa inquiry was earlier informed by the office of Jennifer Stoddart that she had nothing more to say related to the mandate of his commission into the June 23, 1985, Air India bombing and subsequent investigation.

But Mr. Major said Ms. Stoddart then gave a "free-wheeling" media interview in which she commented on testimony at the inquiry last week about the introduction on June 18 of a Canadian no-fly list.

Mr. Major said Ms. Stoddart should have made her comments in evidence at the Air India inquiry and not to a reporter. He issued a subpoena for her to appear today.

A lawyer for Ms. Stoddart responded by telling inquiry counsel later yesterday that the privacy commissioner would be happy to appear "willingly" but is on her way to Beijing.

An appearance date is expected to be determined this afternoon.

Ms. Stoddart's views on the controversial no-fly list appeared on June 8.

She said the list could become "quite a nightmare" for ordinary Canadians.

"Every time we go to the airport, do we expect to be challenged? That may be the new world," she said.

Ms. Stoddart also said she was surprised when an Transport Canada official testified before Mr. Major that the list could end up in the hands of foreign governments if their state-owned airlines pass it on to them.

"The commission could have benefited in preparing recommendations on air security from hearing from informed points of view with respect to that," she said.

Mr. Major said of Ms. Stoddart's comments: "She apparently had no hesitation in giving information to the public and the press that should have properly been given to this commission when the opportunity presented itself."

Mr. Major has expressed impatience several times during the inquiry when agencies or companies have expressed reluctance or declined entirely to testify.

He said yesterday that some people do not understand what a royal commission is and that he has the power to compel their testimony.

As for the subpoena for Ms. Stoddart, Mr. Major said: "This should not cause her much inconvenience as she appeared to have no difficulty last Friday in expressing publicly those thoughts to the press."

Friday, June 15, 2007

Google demands photo ID to get off Street View. Or not.

Yesterday, it was reported that people who wanted their photos off Google Street View had to provide a copy of photo ID and a sworn statement. There was also concern that there was no limit to how the info provided could be used. Now, they're backing off all of that and are confirming that the info will only be used for this process. See: Threat Level -- Wired Blogs.

Methinks this is a sign that Google is listening to how its privacy practices are perceived and is taking action.

Thursday, June 14, 2007

FBI audit finds widespread abuse in data collection

I find this article to be very interesting. An audit of the FBI's has revealed "widespread abuse" in connection with FBI collection of information in the course of investigations. Many would not be surprised. But read a litte further and you happen upon this nugget:

The vast majority of newly discovered violations were instances in which telephone companies and Internet providers gave agents phone and e-mail records the agents did not request and were not authorized to collect, the Post said.

While the FBI is seen as the bad guy in most of these articles, it's interesting that the ISPs and phone companies have been handing over loads of data about customers that law enforcement didn't even ask for nor were they authorized to ask for it. Shame on the FBI for keeping it, but worse for the ISPs and telcos.

See: FBI audit finds widespread abuse in data collection - Yahoo! News .

Wednesday, June 13, 2007

Town gossip over sex assaults hits Facebook

In an unsolicited media blitz, I had three reporters call me yesterday about three different stories. The second was about a facebook group that popped up in the wake of a series of unsolved sexual assaults in Carman, Alberta. The group, called "Kiss my ass, Carman rapist", included speculation on who might be a suspect. I understand that the group has since been removed, but it raises the usual internet defamation issues:

Town gossip over sex assaults hits Facebook

... David Fraser, a Halifax lawyer who specializes in privacy and Internet law, said a host of legal issues arise when water-cooler chats move to the Net.

"What was a small conversation in the drug store or at the post office is now being broadcast globally," he said.

Fraser said anyone naming "suspects" or calling someone a rapist online is opening themselves to a potential lawsuit.

"The rules of defamation that apply in the real world also apply online," he said.

"The anonymity of the Internet ... actually makes it easier to say things that perhaps they wouldn't say in front of a crowded auditorium full of people, although there's probably more people seeing it online."

Google privacy counsel acknowledges policy 'is vague'

In a recent interview with the BBC, the global privacy counsel for Google has acknowledged their policy is vague and could be made more clear. It sounds like it will likely be revamped in light of recent criticism. See: BBC NEWS Technology Google privacy policy 'is vague'.

Tuesday, June 12, 2007

Google's uphill privacy battle

I spoke with Briony Smith of IT Business about the recent Privacy International report that put Google at the bottom of their study on the privacy practices of online businesses. She also spoke with Phillipa Lawson and Richard Rosenberg.

Here's a bit:

IT Business: The public life of Google's private data

David T.S. Fraser, a privacy lawyer with the Halifax-based McInnes-Cooper, is unsurprised that Google is coming under fire. Said Fraser: “This is probably inevitable because of their size and the diversity of their business interests: e-mail, social networking, search, classified ads, Google Documents.”

There are also no overarching privacy laws, comparable to PIPEDA, in the United States, according to the Vancouver-based Richard Rosenberg, president of the British Columbia Freedom of Information and Privacy Association.

Lawford said that Google’s business seems to be set up to cull the maximum amount of information about its users, and that he wouldn’t be at all surprised to find that Google was farming out profiled information to outside parties. Proving this can be difficult, according to Lawford. “Following the information through the chain can be hard,” he said.

Fraser suggests that Google’s privacy policies be made much more transparent, and that it tells its users as well just how long their information will be retained for (which, in North America, is indefinitely, according to Rosenberg).

One minor correction: Google has recently announced their retention schedule for their log information, but it still is likely beyond what's reasonably necessary (Canadian Privacy Law Blog: Why does Google remember information about searches?).

Radwanski's court date set

According to the Ottawa Sun, George Radwanski's trial for fraud and breach of trust is set to begin in April, 2008: - National/World - Trial date set for ex-privacy Czar.

Monday, June 11, 2007

Choicepoint almost regains pre-breach value

Though this article from Yahoo! Business is not about the privacy problems that plagued ChoicePoint and that made the company the poster boy for privacy breaches, I found it interesting to take a look at the chart of the company's stock value. In the last twelve months, the company's share value has slowly increased to barely recover the value lost by the high-profile breach. The total value lost between then and now is staggering.

See: Out of the Gate: ChoicePoint Jumps: Financial News - Yahoo! Finance.

Sunday, June 10, 2007

Google at the bottom of online privacy rankings

Michel-Adrien Sheppard, aka Libray Boy, is linking to a new report by Privacy International that ranks the privacy practices of online companies. What's most interesting is that Google is at the bottom and merits special mention:

A Race to the Bottom - Privacy Ranking of Internet Service Companies

Why Google?

We are aware that the decision to place Google at the bottom of the ranking is likely to be controversial, but throughout our research we have found numerous deficiencies and hostilities in Google's approach to privacy that go well beyond those of other organizations. While a number of companies share some of these negative elements, none comes close to achieving status as an endemic threat to privacy. This is in part due to the diversity and specificity of Google's product range and the ability of the company to share extracted data between these tools, and in part it is due to Google's market dominance and the sheer size of its user base. Google's status in the ranking is also due to its aggressive use of invasive or potentially invasive technologies and techniques.

The view that Google "opens up" information through a range of attractive and advanced tools does not exempt the company from demonstrating responsible leadership in privacy. Google's increasing ability to deep-drill into the minutiae of a user's life and lifestyle choices must in our view be coupled with well defined and mature user controls and an equally mature privacy outlook. Neither of these elements has been demonstrated. Rather, we have witnessed an attitude to privacy within Google that at its most blatant is hostile, and at its most benign is ambivalent. These dynamics do not pervade other major players such as Microsoft or eBay, both of which have made notable improvements to the corporate ethos on privacy issues.

In the closing days of our research we received a copy of supplemental material relating to a complaint to the Federal Trade Commission concerning the pending merger between Google and DoubleClick. This material, submitted by the Electronic Privacy Information Center (EPIC) and coupled with a submission to the FTC from the New York State Consumer Protection Board, provided additional weight for our assessment that Google has created the most onerous privacy environment on the Internet. The Board expressed concern that these profiles expose consumers to the risk of disclosure of their data to third-parties, as well as public disclosure as evidence in litigation or through data breaches. The EPIC submission set out a detailed analysis of Google's existing data practices, most of which fell well short of the standard that consumers might expect. During the course of our research the Article 29 Working Group of European privacy regulators also expressed concern at the scale of Google's activities, and requested detailed information from the company.

In summary, Google's specific privacy failures include, but are by no means limited to:

  • Google account holders that regularly use even a few of Google's services must accept that the company retains a large quantity of information about that user, often for an unstated or indefinite length of time, without clear limitation on subsequent use or disclosure, and without an opportunity to delete or withdraw personal data even if the user wishes to terminate the service.
  • Google maintains records of all search strings and the associated IP-addresses and time stamps for at least 18 to 24 months and does not provide users with an expungement option. While it is true that many US based companies have not yet established a time frame for retention, there is a prevailing view amongst privacy experts that 18 to 24 months is unacceptable, and possibly unlawful in many parts of the world.
  • Google has access to additional personal information, including hobbies, employment, address, and phone number, contained within user profiles in Orkut. Google often maintains these records even after a user has deleted his profile or removed information from Orkut.
  • Google collects all search results entered through Google Toolbar and identifies all Google Toolbar users with a unique cookie that allows Google to track the user's web movement.17 Google does not indicate how long the information collected through Google Toolbar is retained, nor does it offer users a data expungement option in connection with the service.
  • Google fails to follow generally accepted privacy practices such as the OECD Privacy Guidelines and elements of EU data protection law. As detailed in the EPIC complaint, Google also fails to adopted additional privacy provisions with respect to specific Google services.
  • Google logs search queries in a manner that makes them personally identifiable but fails to provide users with the ability to edit or otherwise expunge records of their previous searches.
  • Google fails to give users access to log information generated through their interaction with Google Maps, Google Video, Google Talk, Google Reader, Blogger and other services.

Saturday, June 02, 2007

B.C. privacy commissioner probes tenant database firm

Today's Globe & Mail is reporting that the British Columbia Information and Privacy Commissioner has started an investigation into TVS Tenant Verification Services, a company that provides reports on prospective tenants. See: B.C. privacy commissioner probes tenant database firm.

Friday, June 01, 2007

ChoicePoint Settles Data Security Case

Choicepoint, the poster child of security breaches, reportedly has settled with the Attorneys General of 44 states. The settlement is nominal cash-wise ($500,000) and includes requirements for tougher security measures:

ChoicePoint Settles Data Security Case - New York Times

June 1, 2007

ChoicePoint Settles Data Security Case


ChoicePoint has settled with 44 states over a data breach that potentially gave criminals access to personal information from more than 145,000 consumers.

The company agreed to adopt stronger security measures and pay $500,000 to the states, Richard Blumenthal, the attorney general of Connecticut, said yesterday.

ChoicePoint, which sells information about consumers to employers, marketers and others, said in 2005 that criminals posing as legitimate businesses had gained access to consumer data, including Social Security numbers and credit histories.

The company, based in Alpharetta, Ga., was one of several to announce large-scale security breaches in 2005, raising identity theft as an issue for many legislators and regulators.

ChoicePoint characterized the settlement as “fair and reasonable.”

In January 2006, ChoicePoint settled a case with the Federal Trade Commission involving the security breach.

Google Street View raises privacy concerns

It seems there's nothing that Google can do without raising privacy concerns.

Yesterday, Boing Boing was buzzing with a number of postings about the newly introduced feature in Google Maps: Google Street View. A similar feature has been around for a while by other providers, but the resolution of the pictures posted by Google are the best I've seen. So good you can look in peoples' windows to (g)oogle their cats, see cats in blankets, see folks taking out the garbage (scroll down a little and click on the little man or the green arrow), scope out sunbathers (more sunbathers) and check out a homeless guy sleeping in an alley. I bet none of them thought they'd end up on the internet.

Is there a reasonable expectation of privacy when you're in a public area or at least visible from the street? Does this change the rules or should the rules be changed?

DRM-free iTunes downloads have embedded personal information

The rejoicing over DRM-free downloads from iTunes has been tempered slightly when it was revealed that these new premium downloads include the purchaser's name, e-mail address and account number. It has also been revealed that "regular", locked down iTunes downloads have the same information. See: BBC NEWS Technology Anger over DRM-free iTunes tracks.

Mind your data trail

The day after I gave a presentation on the privacy law issues of using Facebook and blogs as part of the hiring process (Canadian Privacy Law Blog: Workplace privacy issues - Facebook and blogs), I found a new study that shows a quarter of HR people surveyed have decided not a hire a person after seeing the results of a Google search. Beware of your data trail ... Job Search: A new study shows that... - Lifehacker.