Thursday, September 27, 2007

Federal court orders disclosure of eBay PowerSeller records to Canada Revenue Agency

Michael Geist, on his great blog, is pointing to an article in yesterday's Globe & Mail, in which the Federal Court of Canada has ordered that eBay Canada turn over records related to Canadian PowerSellers. As the Court's decision says, the Income Tax Act authorizes such fishing expeditions.

What is probably of greatest relevance from a privacy point of view is that the location of the information is not entirely relevant:

[23] The issue as to the reach of section 231.2 when information, though stored electronically outside Canada, is available to and used by those in Canada, must be approached from the point of view of the realities of today’s world. Such information cannot truly be said to “reside” only in one place or be “owned” by only one person. The reality is that the information is readily and instantaneously available to those within the group of eBay entities in a variety of places. It is irrelevant where the electronically-stored information is located or who as among those entities, if any, by agreement or otherwise asserts “ownership” of the information. It is “both here and there” to use the words of Justice Binnie in Society of Composers, Authors and Music Publishers of Canada v. Canadian Ass’n of Internet Providers, 2004 SCC 45 (CanLII), [2004] 2 S.C.R. 427 at paragraph 59. ...

[24] In the present case, eBay Canada has access to and uses information respecting PowerSellers. It is not determinative of the issue that the electronic apparatus storing the information which eBay Canada accesses is outside Canada. The information can be summoned up in Canada and for the usual business purposes of eBay Canada. The situation may be different if the information never had been used in Canada.

[25] To analogize to R. v. Spencer, supra, the information that the bank manager had is summonable from his memory but it was placed in his memory through transactions he witnessed in the Bahamas. Nonetheless, he was required to summon up the information in Canada. Here eBay Canada has access to and uses information stored in a computer for the very purpose of dealing with Canadian PowerSellers. For perhaps corporate efficiency the information is stored elsewhere, but its purpose is in respect of Canadian business. The information is not foreign but within Canada for the purposes of section 231.2 of the Income Tax Act.

See: globeandmail.com: Taxman goes browsing on eBay and Michael Geist - Federal Court Orders eBay To Disclose Power Sellers to CRA.

Wednesday, September 26, 2007

Inadequate security safeguards led to TJX breach, Commissioners say

The federal Privacy Commissioner and the Information and Privacy Commissioner of Canada have released their reports on the TJX/Winners breach (Report of Findings (September 25, 2007) Privacy Commissioner of Canada and Investigation Report P2007-IR-006). The moral of the story: don't collect information you don't need, don't keep it any longer than you need and properly secure the information you have.

Here's the media release:

News Release: Inadequate security safeguards led to TJX breach, Commissioners say (September 25, 2007) - Privacy Commissioner of Canada

Inadequate security safeguards led to TJX breach, Commissioners say

September 25, 2007 – The risk of a breach of sensitive personal information held by TJX Companies Inc., the US parent company of Winners and HomeSense stores in Canada, was foreseeable, but the company failed to put in place adequate security safeguards, an investigation by the Privacy Commissioners of Canada and Alberta has found.

“The company collected too much personal information, kept it too long and relied on weak encryption technology to protect it – putting the privacy of millions of its customers at risk,” says Privacy Commissioner of Canada Jennifer Stoddart.

“Criminal groups actively target credit card numbers and other personal information,” says Commissioner Stoddart. “A database of millions of credit card numbers is a potential goldmine for fraudsters and it needs to be protected with solid security measures.

“The TJX breach is a dramatic example of how keeping large amounts of sensitive information – particularly information that is not required for business purposes – for a long time can be a serious liability.”

The joint investigation by the two Commissioners was launched after TJX disclosed in January that its computer system had been breached. This breach involved millions of credit and debit card numbers as well as other personal information, such as driver’s license numbers collected when customers returned merchandise without receipts.

“This case is a wake-up call for all retailers. They must collect only the personal information necessary for a transaction,” says Frank Work, the Information and Privacy Commissioner of Alberta.

“One positive outcome of this extremely unfortunate breach is that TJX worked cooperatively with us to develop a new process for dealing with unreceipted returns which strikes an appropriate balance between privacy rights and a retailer’s need to take steps to prevent fraud.”

TJX believes the intruder may have initially gained access to customer information via the wireless local area networks at two of its US stores. Customer information was stolen from mid-2005 through December 2006, a TJX investigation found. Some stolen information involved transactions dating back to 2002.

Stolen information included credit card account data as well as data collected when customers returned merchandise without a receipt (drivers’ license numbers, names and addresses).

The investigation concluded TJX did not comply with the federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), and Alberta’s Personal Information Protection Act (PIPA). The investigation found:

  • TJX did not properly manage the risk of an intrusion against the amount of customer data that it collected.
  • The company failed to act quickly in converting from a weak encryption standard to a stronger standard. The conversion process took two years to complete, during which time the breach occurred.
  • TJX did not meet its duty to monitor its computer systems vigorously. An adequate monitoring system should have alerted the company of an intrusion prior to December 2006.
  • The company did not adhere to the requirements of the Payment Card Industry Data Security Standard, which was developed to address the growing problem of credit card data theft.

The investigation also found the company did not have a reasonable purpose to collect driver’s license and other identification numbers when unreceipted merchandise was returned. TJX stated it asked for this information as part of a fraud prevention process to identify people frequently returning merchandise. It retained the driver’s license numbers – an extremely valuable piece of information for identity thieves – indefinitely.

In response to these concerns, TJX proposed a new process to address fraudulent returns. Store staff will continue to ask for identification, however, information such as a driver’s license number will instantly be converted into a unique identifying number when it is keyed into the point-of-sale system. This will allow the company to track unreceipted merchandise returns without keeping original driver’s license numbers in its system.

The Commissioners called on TJX to take a number of steps to improve its security measures and privacy practices and are pleased the company has agreed to follow these recommendations.

Commissioner Stoddart says the Winners/HomeSense breach illustrates the need to get security right in the first place to avoid the potentially huge costs of mopping up after a security breach. “Organizations need to ensure they have multiple layers of security and that they keep up with advances in security technologies. The cost of failing to do this can be enormous – not only to a company, but to its customers,” she says, adding that a data breach can also have a major impact on credit card companies, banks, law enforcement agencies and regulatory bodies.

A summary of the findings in the case is available on the Commissioners’ websites.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

The Information and Privacy Commissioner of Alberta has a mandate to promote a society where personal privacy is respected and public bodies are open and accountable.

Tuesday, September 25, 2007

Mom upset after son's photos scalped from website

CBC is reporting that a Portuguese social networking website has been taking pictures of kids from Flickr.com and has been giving them fictitious biographical profiles. Parents of those kids who have discovered this are pretty upset. See: Mom upset after son's photos scalped from website.

Monday, September 24, 2007

Federal and Alberta Commissioners to release report on TJX breach

According to a media advisory released by the Privacy Commissioner of Canada, both the federal and Alberta commissioners are going to release their findings on the TJX/Winners/Home Sense privacy breach tomorrow morning in Montreal. See: Media Advisory: September 24, 2007 - Privacy Commissioners to release report on Winners/HomeSense breach - Privacy Commissioner of Canada.

Report calls for revamped privacy laws in New Brunswick

A consultant's report is calling for a significant overhaul of public sector privacy laws in New Brunswick. Via the CBC: N.B. privacy laws 'hopelessly outdated': report.

Ad-supported phone service listens to calls to customize advertising

Does this creep you out?

Is there any difference between this and Gmail's ads?

Company Will Monitor Phone Calls to Tailor Ads | StarNewsOnline.com | Star-News | Wilmington, NC

Pudding Media is introducing an Internet phone service that will be supported by advertising related to what people are talking about during their calls.

Companies like Google scan their e-mail users’ in-boxes to deliver ads related to those messages. Will people be as willing to let a company listen in on their phone conversations to do the same?

Pudding Media, a start-up based in San Jose, Calif., is introducing an Internet phone service today that will be supported by advertising related to what people are talking about in their calls. The Web-based phone service is similar to Skype’s online service — consumers plug a headset and a microphone into their computers, dial any phone number and chat away. But unlike Internet phone services that charge by the length of the calls, Pudding Media offers calling without any toll charges.

The trade-off is that Pudding Media is eavesdropping on phone calls in order to display ads on the screen that are related to the conversation. Voice recognition software monitors the calls, selects ads based on what it hears and pushes the ads to the subscriber’s computer screen while he or she is still talking.

A conversation about movies, for example, will elicit movie reviews and ads for new films that the caller will see during the conversation. Pudding Media is working on a way to e-mail the ads and other content to the person on the other end of the call, or to show it on that person’s cellphone screen...

Google modifying street view to meet Canadian privacy expectations

According to the Globe & Mail, Google is looking into blurring faces and license plates in its Canadian version of Street View to satisfy the requirements of local privacy laws. This is in the wake of earlier reports that the Canadian Privacy Commissioner, Jennifer Stoddart, had written to Google and Immersive Media with her view that rolling out the service would likely infringe Canada's Personal Information Protection and Electronic Documents Act. (See: Canadian Privacy Law Blog: Privacy Commissioner questions legality of Google Street View in Canada.)

globeandmail.com: Google: we hear (and see a fuzzy rendition of you), Canada

The man in charge of Google's privacy policy says the Internet giant is working on a version of its controversial Street View service that won't breach Canadian privacy rules, after federal privacy commissioner Jennifer Stoddart raised concerns about the service earlier this month.

Peter Fleischer, Google's global privacy counsel, said in an interview from Montreal on Monday the company understands Canada has "struck a different balance" than the U.S. has in terms of what is public and what is private, and that Google is sensitive to those differences.

Street View, which has data available from seven U.S. cities but does not yet include any Canadian sites, is a tool that shows users street-level photographs of the addresses they are searching for. Some of the photos, which are being taken by a fleet of cars belonging to Immersive Media of Calgary, show individuals entering adult-video stores and urinating in public.

In comments earlier this month, Ms. Stoddart said that she had contacted Google and Immersive Media to express her concerns that taking photos of people -- even in public -- for such a service might violate Canadian privacy laws.

The United States has "a long tradition of saying that it is legal and appropriate to take pictures from public spaces and publish them," Mr. Fleischer said. "But clearly, we're aware that different countries around the world strike a different balance between this idea of a public place on the one hand and people's expectation of privacy."

...

Mr. Fleischer said the Internet company doesn't have "an exact timeline" of when Street View might be available in Canada, but said Google is working on it now. Altering the quality of the photos "makes it a little harder for us [to launch Street View in Canada], because it takes a little more work," he said.

Commissioner says we're all "little brothers" in surveillance society

The Privacy Commissioner of Canada, who is promoting an international privacy conference taking place in Montreal this week, is interviewed in the National Post. The focus of the interview is the "little brothers" that have an impact on privacy, including the proliferation of digital cameras. See:

Print Story - canada.com network

Ordinary citizens part of 'surveillance society': Privacy czar

Carly Weeks

CanWest News Service

Sunday, September 23, 2007

OTTAWA -- If you think the oppressive hand of Big Brother is the only threat to personal privacy in today's digital society, think again.

Our camera phone-toting friends and strangers in the online universe can be just as responsible for the erosion of the truly private life as the corporations and government agencies that keep tabs on citizens in the name of product sales and national security, warns federal Privacy Commissioner Jennifer Stoddart.

"It's not just Big Brother who's akin to a government watching you in the Orwellian dystopia," Ms. Stoddart said in an interview. "We're all little brothers. We're all fascinated with the gadgets that allow you to do this."

The pervasive presence of technology, and its unprecedented capacity to surreptitiously track the lives of others, is one of the issues to be addressed at a major international privacy conference that will be hosted by Ms. Stoddart in Montreal this week.

...

But Ms. Stoddart says people who complain about the watchful eye of governments and corporations should first take a long look in the mirror.

That's because technology and the Internet are turning ordinary citizens into spies who can post pictures of the neighbours' yards online. Even social networking sites like Facebook, intended to let people tell friends and co-workers what they're up to, can be corrupted by the unwanted circulation of false or malicious postings.

"We're all participating in the surveillance society," Ms. Stoddart said, adding that "knowledge gives us power."

She notes that more people are living alone and turn to technological gadgets to satisfy a craving for human contact....

Sunday, September 23, 2007

DHS collected more info on travelers than previously disclosed

Yesterday's Washington Post ran a front page story on the amount of information collected by the Department of Homeland Security as part of its Automated Targeting System.

Collecting of Details on Travelers Documented - washingtonpost.com

The U.S. government is collecting electronic records on the travel habits of millions of Americans who fly, drive or take cruises abroad, retaining data on the persons with whom they travel or plan to stay, the personal items they carry during their journeys, and even the books that travelers have carried, according to documents obtained by a group of civil liberties advocates and statements by government officials.

The personal travel records are meant to be stored for as long as 15 years, as part of the Department of Homeland Security's effort to assess the security threat posed by all travelers entering the country. Officials say the records, which are analyzed by the department's Automated Targeting System, help border officials distinguish potential terrorists from innocent people entering the country.

But new details about the information being retained suggest that the government is monitoring the personal habits of travelers more closely than it has previously acknowledged. The details were learned when a group of activists requested copies of official records on their own travel. Those records included a description of a book on marijuana that one of them carried and small flashlights bearing the symbol of a marijuana leaf....

Saturday, September 22, 2007

Ontario court quashes adoption disclosure law

Earlier this week, the Ontario Court of Justice struck down the opening of adoption records in that province under the Adoption Information Disclosure Act. The decision is here.

The Information and Privacy Commissioner of Ontario has issued a press release about the decision:

IPC - Office of the Information and Privacy Commissioner/Ontario

News Release September 19, 2007

Court ruling strikes down privacy-invasive provisions of adoption disclosure law: Commissioner Cavoukian

TORONTO – Today’s court decision quashing the opening of past adoption records through Ontario’s Adoption Information Disclosure Act confirms the importance of an individual’s right to privacy, said Ontario Information and Privacy Commissioner, Ann Cavoukian.

The ruling declares that the law is unconstitutional – it breaches section 7 of the Canadian Charter of Rights and Freedoms and thus, the sections of the Act relating to access to birth registration information “are declared invalid and of no force and effect.” As the Court noted, the Charter, “… is intended primarily to protect individuals and minorities against the excesses of the majority.”

The Commissioner constantly urged the government to amend the legislation to protect the privacy of past adoptions, giving birth parents and adoptees the right to file a “disclosure veto,” which would allow them the option of blocking access to their birth registration information. While this would provide much-needed protection for the minority, it would, as the Court noted, “… in fact allow the vast majority to get the information they were seeking.”

“While I supported the overall thrust of this Act, I fought long and hard to convince the Ontario government to introduce a crucial amendment that would provide much-needed protection for a number of deeply worried birth mothers and adoptees. Some literally feared that the Act – without the amendment I proposed – would shatter their lives. Now their prayers have been answered.”

Commissioner Cavoukian did not object to the opening of future records, but repeatedly cautioned that changing the rules retroactively, and exposing the identities of birth parents who entered into the adoption process in an era when secrecy was the norm, could have major repercussions. Despite the passing of the Act last year, the Commissioner continues to receive heart-wrenching letters, e-mails and calls from birth parents and adoptees expressing their concern – and in some cases great fear and despondency.

This court ruling will mean that Ontario residents no longer have less privacy protection than persons in the three other Canadian provinces that have adoption disclosure laws where the legislation is applied retroactively. Each of those provinces – unlike Ontario – passed laws with a provision for a disclosure veto for those who were involved in adoptions prior to the new legislation. “This is what should have happened here” says Commissioner Cavoukian.

In the words of the Court, “People expect, and are entitled to expect, that the government will not share [confidential personal] information without their consent. The protection of privacy is undeniably a fundamental value in Canadian society, especially when aspects of one’s individual identity are at stake.”

The Information and Privacy Commissioner is appointed by and reports to the Ontario Legislative Assembly, and is independent of the government of the day. The Commissioner's mandate includes overseeing the access and privacy provisions of the Freedom of Information and Protection of Privacy Act, the Municipal Freedom of Information and Protection of Privacy Act, and the Personal Health Information Protection Act, and helping to educate the public about access and privacy issues.

Guidance on asking for ID in credit card transactions

The Information and Privacy Commissioners of Alberta and British Columbia, along with the Privacy Commissioner of Canada, have released a guidance document on requiring photo ID of individuals paying for goods and services by credit card. All three have concluded it is reasonable.

See the OIPC website and the guidance document: Photo Identification Guidance.

Friday, September 21, 2007

Public Safety minister speaks on lawful access consultation

Michael Geist has posted a summary of interviews with him and the Public Safety Minister on the CBC yesterday. He writes:

Michael Geist - Stockwell Speaks

Search Engine, CBC's excellent new show on the Internet and technology, focused this week [MP3 podcast] on recent lawful access controversy. I appear in the first part of the show, but more important is the response from Public Safety Minister Stockwell Day. Leaving aside the Minister's inaccurate claims that the consultation has been "wide open" and the suggestion that perhaps the consultation was old Liberal wording, it is good to hear him again confirm that the government will not introduce legislation compelling the disclosure of CNA information without a court order. According to the Public Safety Minister:

"We are not, in any way, shape or form, wanting extra powers to police to pursue items without a warrant. That is not what our purported legislation is going to be doing. That is previous Liberal legislation and that's not the path we're walking down at all."

This is both a clear confirmation of the government's position and a good indicator that it smartly intends to use this to score political points by emphasizing the Liberals' support for disclosure without court oversight.

Thursday, September 20, 2007

British police rolling out bikini-scoping spy drone

Wired blog Danger Room is reporting that British Police are rolling out a small, helicopter spy drone that is virtually silent from 350 feet above. And the demo video shows it's useful for scoping out women in bikinis. See: Danger Room - Wired Blogs.

Thanks to David Canton for passing along the link.

Office of the Privacy Commissioner launches official blog

I knew it, in my heart of hearts, that all the cool kids want their own privacy law blog.

The Privacy Commissioner of Canada has launched an official blog: blog.privcom.gc.ca. I think this is the first within the Canadian federal government. Interestingly, it is only in English, which is also unusual in the federal government.

Worth bookmarking...

Wednesday, September 19, 2007

CIPPIC Releases Study on DRM and Privacy

Funded by the Privacy Commissioner's contributions program, the Canadian Internet Policy and Public Interest Clinic has produced a report on digital rights management and privacy. From CIPPIC:

CIPPIC News

CIPPIC Releases Study on DRM & Privacy

CIPPIC today released the results of a comprehensive investigation into the privacy implications of digital rights management technologies, or “DRM”. The study, funded by the contributions program of the Office of the Privacy Commissioner of Canada and titled "Digital Rights Management and Consumer Privacy: An Assessment of DRM Applications Under Canadian Privacy Law", investigated DRM used in 16 different digital products and services. The study concluded that many DRM technologies in fact pose threats to privacy and that organizations using those technologies often fail to comply with basic requirements of Canadian privacy law.

Tuesday, September 18, 2007

European Commission finds shortcomings in UK implementation of Data Protection Directive

Out-Law, run by Pinsent Masons, has an exclusive article on a European Commission report that concludes the United Kingdom has not adequately implemented the Data Protection Directive. Check out the article: Europe claims UK botched one third of Data Protection Directive | OUT-LAW.COM.

The forgotten privacy principle: data quality

Jay Cline has an interesting article in Computerworld about what really is the most forgotten privacy principle.

Data quality -- the forgotten privacy principle

Nearly every major privacy law requires "data quality," but it’s become the most forgotten of all of the internationally recognized privacy principles. Why? Three reasons: The laws provide few details on what "data quality" means; companies violating this principle don’t make the headlines; and it’s not exactly clear what data quality has to do with privacy, anyhow.

Why is this important? Because companies around the globe are spending more time and resources assessing their internal privacy practices, and they need to know what is "good enough" when it comes to data accuracy.....

Sunday, September 16, 2007

New video on National Security Letters and the US Constitution

The US Bill of Rights Defence Committee has produced a two-part video on National Security Letters under the USA Patriot Act. There are additional materials on their website: FBI Unbound: How National Security Letters Violate Our Privacy

Hitting reverse on the shredder: Putting history back together

I'm a bit torn about this: The historian in me thinks this is really cool, but the privacy guy is a bit nervous about the development of this technology.

Historians are trying to deal with sixteen thousand bags of shredded documents from the repressive East German regime. They are testing a pilot project with technology that will scan and automagically assemble the billions of pieces.

See: Puzzling Together the Past: New Computer Program to Reassemble Shredded Stasi Files - International - SPIEGEL ONLINE - News. Thanks to the Lazy Genius for the link (The Lazy Genius :: New Computer Program to Reassemble Shredded Stasi Files).

British commentator looks to Canadian example for privacy

A comment in the Guardian by Henry Porter decries perceived intrusions into the private lives of the British and suggests that Canada is a good model to follow. He agrees strongly with what Pierre Trudeau said, that the Government has no business in the bedrooms of the nation.

Our sex lives are our own business | Comment | Guardian Unlimited Politics

... A few years ago, this sentence appeared at the beginning of a bill: 'Her Majesty by and with the advice of the House of Commons enacts as follows: rules to govern the collection, use and disclosure of personal information in a manner that recognises the right of privacy of individuals with respect to their personal information.'

The only words I have missed out are the 'senate' and 'of Canada'. Same queen, but different country and one which has placed the respect for privacy at the heart of its national life. It seems extraordinary that two countries which used to share so many political values have taken such different directions. There's a lot that Canada can teach the Mother of Parliaments, especially the opposition, which has lost the habit of thinking outside the terms that Labour has set for the national agenda.

There are two important acts which serve as good templates for the sorts of reforms Liberty calls for. The first is the Privacy Act which took effect in 1983 and which imposes obligations on some 150 government and federal departments and agencies to respect the privacy rights by limiting the collection, use and disclosure of personal information. It gives the individual a right to access and correction of personal information held by agencies. The second act is the Personal Information Protection and Electronic Documents Act (Pipeda), a law which means a company like Tesco, which accumulates enormous amounts of personal data, must have consent from its customers. Underlying these is the Canadian charter of rights and freedoms which states: 'Everyone has the right to be secure against unreasonable search and seizure', a guarantee which I would like to see in a British bill of rights.

It is argued that we have the Data Protection Act and the information commissioner, but despite the latter's agitation, nothing has stopped the 500,000 interceptions of private communication each year, the total surveillance of motorways, the building of the ID card data base, the creepy children's database and expansion of the police DNA database.

The Canadian system hasn't worked perfectly, especially since 9/11, but Canadians shudder at what is happening in the UK, at the abandon with which we allow government more and more control over our lives and our futures....

Saturday, September 15, 2007

Some necessary background to the fuss over warrantless access to Canadian personal information

Over the last week, there's been a huge fuss in the media and among bloggers about the consultation that was initiated by the Department of Public Safety over an apparent revival of "lawful access" in Canada. Two things really seemed to catch the attention of commentators: first, the suggestion that the government is again contemplating a system of warrantless access to personal information and, second, that the consultation was taking place in secret. I first heard about it from Michael Geist, who deserves a lot of credit for making it well-known (Public Safety Canada Quietly Launches Lawful Access Consultation). Since then it has been widely reported on in the media and among bloggers.

So what is the fuss about? I hope I can provide some background and context for some of the discussion that is taking place.

Canadian law enforcement and national security agencies are looking for a quick and easy way to obtain access to the names, phone numbers, IP addresses, etc. of customers of Canadian telecommunications service providers. (Quick and easy, in this context, means without the delay and paperwork involved in applying to a judge for a search warrant.) This information is sought in a number of contexts, including in the very beginning of investigations or as part of "intelligence gathering." It is also sought, at times, when there is insufficient evidence to connect an individual to a crime so that a judge would not issue a warrant. (Which raises the question: Why should the police be able to require the information without oversight in circumstances where a judge says that the Charter of Rights and Freedoms doesn't permit them to require the information?)

So why shouldn't telecommunications service providers, being good citizens, hand over this information when asked by the police or by national security agents? Simply put, because it is illegal for them to do so. Since 2001, Canadian telecommunications service providers have been subject to the Personal Information Protection and Electronic Documents Act (aka "PIPEDA"). PIPEDA requires the consent of the individual for all collection, use and disclosure of personal information, subject to a number of exceptions. "Personal information" includes any information about an identifiable individual. If it is information and it's about an identifiable individual (either alone or in combination with information that it accompanies), it's "personal information". This would include my name, my address, my phone number, the IP address of my computer, etc.

Some might say that's public information, because my name and phone number may be in a phone book. Interesting point, but that doesn't remove the protections to the information if it is in the hands of my TSP. If the police get it from the phone book, then they can do what they want with it. But if they want to get it from my TSP, then it is personal information and the TSP can't disclose it unless a "consent exception" applies. (See s. 7(1)(d), 7(2)(c.1) and 7(3)(h.1) of PIPEDA and, very importantly, the Regulations Specifying Publicly Available Information (SOR/2001-7)).

The police (who are not bound by PIPEDA) may be within their rights to ask for the information, but TSPs (who are bound by PIPEDA) are not able to hand it over without consent unless a PIPEDA consent exception applies. Section 7 contains many consent exceptions, some of which might apply in the circumstances described in the consultation document put out by Public Safety Canada:

"Some [telecommunications] companies provide this information voluntarily, while others require a warrant before providing any information, regardless of its nature or the nature of the situation. If the custodian of the information is not cooperative when a request for such information is made, law enforcement agencies may have no means to compel the production of information pertaining to the customer. This poses a problem in some contexts. For example, law enforcement agencies may require the information for non-investigatory purposes (e.g., to locate next-of-kin in emergency situations) or because they are at the early stages of an investigation. The availability of such building-block information is often the difference between the start and finish of an investigation."

Under PIPEDA, TSPs can likely disclose information about a customer in an emergency. Section 7(3)(e) permits a disclosure without consent if the disclosure is:

(e) made to a person who needs the information because of an emergency that threatens the life, health or security of an individual and, if the individual whom the information is about is alive, the organization informs that individual in writing without delay of the disclosure;

What it doesn't permit is disclosures to law enforcement unless they have a warrant. In this context, s. 7(3)(c.1) is the subject of a bit of debate. This reads:

7(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is ...
(c) required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records;

(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that

(i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,

(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or

(iii) the disclosure is requested for the purpose of administering any law of Canada or a province;

It must be noted that these provisions are permissive, meaning that they allow the TSP to disclose the information in these circumstances without offending PIPEDA. Nothing in the above requires a TSP to disclose the information. Any compulsion has to come from another statute or rule of law. Section 7(3)(c) says if they have a warrant, the TSP can hand it over. (The obligation comes from the warrant, not PIPEDA.) There is authority from the Ontario Courts that an investigation does not create the "lawful authority" to obtain the information. "Lawful access" is an effort to change the law to have an investigation constitute "lawful authority". Or just remove the "lawful authority" requirement altogether.

What is also very interesting from the consultation document is that many TSPs currently hand over the information when asked by law enforcement (worth quoting again):

"Some [telecommunications] companies provide this information voluntarily, while others require a warrant before providing any information, regardless of its nature or the nature of the situation. If the custodian of the information is not cooperative when a request for such information is made, law enforcement agencies may have no means to compel the production of information pertaining to the customer. This poses a problem in some contexts. For example, law enforcement agencies may require the information for non-investigatory purposes (e.g., to locate next-of-kin in emergency situations) or because they are at the early stages of an investigation. The availability of such building-block information is often the difference between the start and finish of an investigation."

I have it on reliable authority from within the industry that most internet service providers will provide a customer's full name and billing address when given an IP address. It doesn't seem to be because they think they legally can, but because they have succumbed to pressure from law enforcement who take a position that not providing the information puts them in league with child molesters and terrorists.

The fact remains, and must be borne in mind, that if a person's life or safety is in jeopardy, the TSP can disclose information without consent. This would include the ticking bomb scenario, a child being abused, etc. In exigent circumstances, the police always have access to the expedited telewarrant procedures in the Criminal Code. There isn't an exception in PIPEDA, the Criminal Code or the Charter for compelled disclosures of personal information absent lawful authority.

Friday, September 14, 2007

Public Safety minister says warrants required for customer names and numbers

This is interesting and weird ... Stockwell Day appears to say that he agrees that law enforcement access to customer names and numbers requires a warrant today and should always. [Insert head scratch here.]

Check it out yourself:

Warrant needed to pull data on Internet users: Day

Safety minister opens closed consultations

Carly Weeks

The Ottawa Citizen

Friday, September 14, 2007

Public Safety Minister Stockwell Day announced late yesterday that the federal government will not force Internet service providers to hand over customers' personal information to police without a warrant -- a move that will surprise critics who have been expressing alarm this week that the Harper government appeared poised to intrude on the civil liberties of Canadians.

"We have not and we will not be proposing legislation to grant police the power to get information from Internet companies without a warrant. That's never been a proposal," Mr. Day said. "It may make some investigations more difficult, but our expectation is rights to our privacy are such that we do not plan, nor will we have in place, something that would allow the police to get that information."

...

Mr. Day said the consultation document was circulated without his knowledge or consent and emphasized that all groups, regardless of their perspective, should have a chance to voice their opinions on the contentious issue.

"That document never would have gone out if I had seen it," Mr. Day said. "This particular document just somehow went out without my approval."

...

But, Mr. Day added, the purpose of the consultation is not to look for ways to make it easier for police to obtain customers' personal information without a warrant. Instead, the federal consultation is seeking to ensure Internet companies are aware of their need to comply when presented with court orders, Mr. Day said. ...

Public Safety Canada lawful access consultation now public

The lawful access consultation information is now online on the Public Safety Canada website.

(It refers to telecommunications service providers who are "not cooperative", which should read who "choose not to violate the law respecting the privacy of subscriber information".)

Customer Name and Address Information Consultation

Public Safety Canada and Industry Canada are seeking current views and/or new issues associated with the question of accessing customer name and address in the modern telecommunications world. We are consulting with a range of stakeholders, such as the police, industry representatives, civil liberties groups as well as other groups interested in privacy and victim of crimes issues. If you and/or your organization would like to provide input on any or all of the issues identified in the posted consultation document, please submit written comments, by October 12th, 2007 to:

Customer Name and Address Consultation

Public Safety Canada

16C, 269 Laurier Avenue West

Ottawa, ON, Canada K1A 0P8

Email: cna-consultations@ps-sp.gc.ca

Modern telecommunications and computer networks such as the Internet are a great source of economic and social benefits, but they can also be used in the planning, coordination, financing and perpetration of crimes and threats to public safety and the national security of Canada. By extension, the rapidly evolving nature of these technologies can pose a significant challenge to law enforcement and national security officials who are entrusted with combating these threats, and who employ lawful access to communications and information to do so.

The principles and powers of lawful access must be exercised in a manner consistent with the rights and freedoms guaranteed in the Canadian Charter of Rights and Freedoms and while adapting to the rapid pace of technological change.

The consultation process

Public Safety Canada, in collaboration with Industry Canada, is presently examining how to address the challenges faced by police, the Canadian Security Intelligence Service (CSIS) and the Competition Bureau when seeking timely access to basic CNA information in a modern telecommunications milieu. This question was previously considered by stakeholders in broader consultation processes on lawful access issues held in 2002 and 2005.

The purpose of this consultation is to provide a range of stakeholders - including police and industry representatives and groups interested in privacy and victims of crime issues - with an opportunity to identify their current views on possible approaches to updating Canada’s lawful access provisions as they relate to law enforcement and national security officials’ need to gain access to CNA information in the course of their duties. The possible scope of CNA information to be obtained is later identified, but it should be noted from the outset that it would not, in any formulation, include the content of communications or the Web sites an individual visited while online.

The objectives of this process are to maintain lawful access for law enforcement and national security agencies in the face of new technologies while preserving and protecting the privacy and other rights and freedoms of all people in Canada. In striving to attain these goals, it is essential to ensure that the competitiveness of Canadian industry is taken into account and that the solutions adopted do not place an unreasonable burden on the Canadian public.

Current context

Timely access to CNA information is an important tool used by law enforcement and national security agencies to fulfil their public safety mandates. This type of information can be vital in the context of investigations of online criminal activity, such as child exploitation.

Law enforcement agencies have been experiencing difficulties in consistently obtaining basic CNA information from telecommunications service providers (TSPs). In the absence of explicit legislation, a variety of practices exists among TSPs with respect to the release of basic customer information, e.g., name, address, telephone number, or their Internet equivalents. Some companies provide this information voluntarily, while others require a warrant before providing any information, regardless of its nature or the nature of the situation. If the custodian of the information is not cooperative when a request for such information is made, law enforcement agencies may have no means to compel the production of information pertaining to the customer. This poses a problem in some contexts. For example, law enforcement agencies may require the information for non-investigatory purposes (e.g., to locate next-of-kin in emergency situations) or because they are at the early stages of an investigation. The availability of such building-block information is often the difference between the start and finish of an investigation.

CNA information

In the context of options under consideration by Public Safety Canada and its partner departments and agencies, CNA information refers to basic identifiers that would assist law enforcement and national security agencies to determine the identity of a telecommunications service subscriber, if this information was necessary to the performance of their duties.

The scope of CNA information obtained could include the following basic identifiers associated with a particular subscriber:

  • name;
  • address(es);
  • ten-digit telephone numbers (wireline and wireless);
  • Cell phone identifiers, e.g., one or more of several unique identifiers associated with a subscriber to a particular telecommunications service (mobile identification number or MIN; electronic serial number or ESN; international mobile equipment or IMEI number; international mobile subscriber identity or IMSI number; subscriber identity module card number or SIM Card Number);
  • e-mail address(es);
  • IP address; and/or,
  • Local Service Provider Identifier, i.e., identification of the TSP that owns the telephone number or IP address used by a specific customer.

Possible model

Options based on an administrative model are being considered closely by officials.

Possible safeguards

Further to input received during 2002 and 2005 consultations, a number of safeguards could be included under a possible administrative model requiring the release of limited basic CNA information to law enforcement and national security agencies upon request. These could include:

  • clear limitations on what customer information could be obtained upon request;
  • limiting the number of employees who would have access to CNA;
  • requiring that individuals with access be designated by senior officials within their organizations;
  • limiting requests to those made for the purpose of performing an official duty or function;
  • requiring that requests be made in writing, except in exceptional circumstances;
  • requiring that designated officials provide associated information with their request, e.g., identification of a specific date and time for a request relating to an IP address;
  • requiring designated officials to record their status as such when making a request, as well as the duty or function for which a particular request is made;
  • limiting the use of any information obtained to the agency that obtained it for the purpose for which the information was obtained, or for a use consistent with that purpose, unless permission is granted by the individual to whom it relates;
  • requiring regular internal audits by agency heads to ensure that any requests for CNA information are being made in accordance with the protocols and safeguards in place;
  • reporting to responsible ministers on the result of any internal audits;
  • provision of any audit results to the Privacy Commissioner of Canada, the Security Intelligence Review Committee, or provincial privacy commissioners, as appropriate; or
  • provision for the Privacy Commissioner and SIRC to conduct audits related to the release of CNA information.

Under no option being examined would TSPs be compelled to track the actions of customers or to collect information about them in the absence of necessary court authorizations governing such activity in Canada, nor would law enforcement or national security agencies be permitted to obtain the content of a customer’s communications without such authorizations.

Conclusion

Officials plan to meet with a range of interested parties in September, 2007 to discuss the issues raised in this paper.

Thursday, September 13, 2007

    Government moving to access personal info, sparking privacy fears

    The CBC has a lengthy piece on the quiet consultation I referred to the other day (Canadian Privacy Law Blog: Public Safety Canada Quietly Launches Lawful Access Consultation):

    Government moving to access personal info, sparking privacy fears

    Government agencies are moving to gain access to telephone and internet customers' personal information without first getting a court order, according to a document obtained by CBCNews.ca that is raising privacy issues.

    Public Safety Canada and Industry Canada have begun a consultation on how law enforcement and national security agencies can gain lawful access to customers' information. The information would include names, addresses, land and cellphone numbers, as well as additional mobile phone identification, such as a device serial number and a subscriber identity module (SIM) card number.

    The consultation also seeks input on access to e-mail addresses and IP addresses. An IP address is a number that can be used to identify a computer's location.

    The document says the objective of the consultation is to provide law enforcement and national security agencies with the ability to obtain the information while protecting the privacy of Canadians.

    The document says that under current processes, enforcement agencies have been experiencing difficulties in gaining the information from telecommunications service providers, some of which have been demanding a court-issued warrant before turning over the data.

    "If the custodian of the information is not co-operative when a request for such information is made, law enforcement agencies may have no means to compel the production of information pertaining to the customer," the document says. "This poses a problem in some contexts."

    It says enforcement agencies may need the information for matters other than probes, such as informing next-of-kin of emergency situations, or because they are at the early stages of an investigation.

    "The availability of such building-block information is often the difference between the start and finish of an investigation," according to the document.

    Privacy advocates, however, expressed displeasure over both the content and the process of the consultation.

    Criticizes short consultation time

    Michael Geist, chair of internet and e-commerce law at the University of Ottawa, said the process is not being conducted publicly as two previous consultations have been, in 2002 and in 2005.

    The consultation has not been published in the Canada Gazette, where such documents are normally publicized, or on the agencies' websites.

    Interested parties have been given until Sept. 27 to submit their comments, which is a short consultation time, Geist said. Several organizations and individuals contacted by CBCNews.ca only received their documents this week.

    More pointedly, a number of parties that took part in the previous consultations, including privacy and civil liberty advocates — and even some telecommunication service providers — have not been made aware of the discussion, he said.

    "It's really disturbing particularly in light of the fact that they've had two prior consultations on lawful access in the past, so it's not as if they don't know the parties that are engaged on this issue," Geist said.

    Officials with the Canadian Civil Liberties Association were not aware of the consultation.

    All about appearances?

    Jacqueline Michelis, an Ottawa-based spokeswoman at Bell Canada Inc., the country's largest telecommunications provider, said the company was aware of the consultation but would not comment further. Rogers Communications Inc. and Telus Corp., the country's next biggest providers, did not have immediate comment.

    Geist said the other problem with the consultation is that it appears as if the government agencies have already made up their minds on how to proceed and are simply conducting it for appearances' sake.

    "The fear is that law enforcement knows what it would like to do — it would like to be able to obtain this information without court oversight — and so it has pulled together this consultation in the hope that they can use that to say they have consulted, and here are the safeguards that the consultation thought was appropriate."

    Denies document secrecy

    Mélisa Leclerc, a spokeswoman for Public Safety Minister Stockwell Day, said the government was not trying to keep the consultation secret and would post the document on the internet on Thursday. The deadline for submissions would also be extended, although no decision on a date has been made yet.

    Colin McKay, a spokesman for the privacy commissioner of Canada, said the government agencies have not yet proven that accessing information without a court order is necessary. The commissioner will be making a submission to the consultation on that matter.

    "We'd like to see some proof that this is a necessary step because at the moment there is provision in privacy law if necessary and if presented with a legal authority to do it, in most cases that's a court order," McKay said. "That gives Canadians some level of protection."

    The Information Technology Association of Canada, which will also be making a submission, agreed and said it would like to see details on instances where telecommunication providers have refused to co-operate with authorities.

    "This is about transposing to new technology the same kind of law enforcement we used to have on wire-line phone networks," said Bernard Courtois, president and chief executive officer of ITAC. "Conversely, just because you're going to do law enforcement on new technology people should not lose any of their privacy protection or rights in terms of the nature of investigation."

    Canada's move is in contrast to one by the United States, where last week a federal judge overturned a part of the Patriot Act that allowed the Federal Bureau of Investigation to secretly obtain personal records about customers from internet providers, phone companies, banks, libraries and other businesses without a court's permission.

    Speaking on the phone from Paris, Peter Fleischer, global privacy counsel for internet search giant Google Inc., told CBCNews.ca that even in the security-conscious United States, courts have moved to curtail excessive attempts by the government at extracting personal information.

    A year and a half ago, the Department of Justice obtained a warrant demanding Google turn over users' personal information as part of an investigation into the effectiveness of anti-pornography software that was being tested. Google refused and a judge ended up siding with the company.

    "The order we had from the U.S. Department of Justice was a valid legal order under the U.S. legal system, but even then it was excessive and infringed privacy, and was curtailed by a U.S. court when we challenged it," Fleischer said.

    Companies operating in Canada, and their customers, should have the same rights here, he said.

    "There should be judicial authorization and a valid legal process before a government should be able to compel companies to hand over information about their users."

    Ironically, Google on Wednesday came under fire from Privacy Commissioner Jennifer Stoddart for its Street View web photo application. The commissioner said many of the images used by the application could break Canada's privacy laws.

    Fleischer would not comment on the matter, but said he would address it when he visits Canada later this month.

    Wednesday, September 12, 2007

    Your cell phone may drop a dime on your attendance

    If you have an employer-issued cell phone, put this on your list of things to do:

    1. Find out if it has GPS.
    2. Find out if your employer has access to those records.

    And you'd better do that before you leave work early for 83 days in a six-month period.

    It's a lesson learned by a former employee of the New York Department of Education. See: Ride The Lightning: HAVE A COMPANY CELL PHONE? IS YOUR BOSS WATCHING?.

    Thanks to info diva Connie Crosby for the link.

    Australian law reform commission calls for overhaul of country's privacy laws

    The Australian Law Reform Commission has just released a hefty report calling for reforms to the country's privacy laws: ALRC Discussion Paper 72 Review of Privacy Laws - Contents.

    Here's the media release accompanying the report:

    ALRC - On-line

    Australian Law Reform Commission

    Wednesday 12 September 2007

    ALRC proposes overhaul of ‘complex and costly’ privacy laws

    The Australian Law Reform Commission (ALRC) today released a blueprint with 301 proposals for overhauling Australia’s complex and costly privacy laws and practices.

    Releasing Discussion Paper 72, Review of Australian Privacy Law, ALRC President Prof David Weisbrot said it was the product of the largest public consultation process in ALRC history: “We have received over 300 submissions and held over 170 meetings to date, including with business, consumers, young people, health officials, technology experts and privacy advocates and regulators.

    “The clearest message from the community is that we must streamline our unnecessarily complex system. The federal Privacy Act sets out different principles for private organisations and for government agencies. On top of that, each state and territory has its own privacy laws or guidelines and some also have separate laws on health privacy.

    “The ALRC is proposing there be a single set of privacy principles for information-handling across all sectors, and all levels of government. This will make it easier and less expensive for organisations to comply, and much more simple for people to understand their rights.

    “The protection of personal information stored or processed overseas, as is now routine, is another serious concern. The ALRC wants to ensure that such information has at least the same level of protection as is provided domestically. We propose that a government agency or company that transfers personal information overseas without consent should remain accountable for any breach of privacy that occurs as a result of the transfer”, Prof Weisbrot said.

    Commissioner in charge of the Inquiry, Prof Les McCrimmon, said that the ALRC also is proposing a new system of data breach notification: “There is currently no requirement to notify individuals when there has been unauthorised access to their information, such as when lists of credit card details are inadvertently published. Where there is a real risk of serious harm to individuals, we say they must be notified.”

    Professor McCrimmon said that the ALRC also proposes the removal of the exemption for political parties from the Privacy Act. “Political parties and MPs should be required to take the same level of care when handling personal information as any other agency or organisation.”

    Other key proposals include:

    • introducing a new statutory cause of action where an individual’s reasonable expectation of privacy has been breached;
    • abolishing the fee for ‘silent’ telephone numbers;
    • expanding the enforcement powers of the Privacy Commissioner;
    • imposing civil penalties for serious breaches of the Act; and
    • introducing a more comprehensive system of credit reporting.

    Review of Australian Privacy Law is available at no cost from the ALRC website, www.alrc.gov.au. The ALRC is seeking community feedback on these proposals before a final report and recommendations are completed in March 2008. Submissions close on 7 December 2007.

    Thanks to Michel-Adrien Sheppard for the link: Library Boy: Review of Australian Privacy Law.

    Ontario Commissioner issues unprecedented order against used goods vendors databases

    In an apparently unprecedented move, the Information and Privacy Commissioner for Ontario, Ann Cavoukian, has issued a cease and desist order and an order to destroy personal information related to the collection of personal information from people who sell second hand goods to resellers. This follows a battle in the Ontario courts, where the Commissioner's position was ultimately upheld by the Court of Appeal (See: Canadian Privacy Law Blog: Oshawa second-hand store bylaw invades privacy). For more info from the Commissioner's office, see: Privacy Commissioner Ann Cavoukian issues seminal Order to cease collecting detailed personal information from individuals selling used goods, and to destroy all existing records.

    I think this is a very important move on the part of the Commissioner.

    We are seeing a growing trend in Canada that forces some serious thought about privacy. Private businesses are increasingly being conscripted to collect information on behalf of law enforcement or for law enforcement purposes. For example, money laundering legislation, no-fly lists operated by airlines, "lawful access" and databases of used goods sellers. Meanwhile, the Privacy Commissioners and privacy advocates are taking a stronger stand against this. We've seen various statements and submissions to legislative committees, unanimous declarations against the no-fly list and now the exercise of dramatic coercive powers. It will be very interesting to see how this all plays out.

    Tuesday, September 11, 2007

    Public Safety Canada Quietly Launches Lawful Access Consultation

    Michael Geist writes that Public Safety Canada has quietly begun a secret, quiet quasi-public consultation on lawful access. Apparently, Public Safety asked Michael not to write about it.

    Apparently, telecommunications service providers are inconsistent about handing over customer information in the absence of judicial authorization. I understand from other sources that, with only two exceptions, all large Canadian ISPs provide account information to law enforcement when presented with an IP address. This is likely based on a misinterpretation of PIPEDA or due to pressure from law enforcement.

    This is a significant development. Canadians and businesses with an interest in the line between law enforcement and commercial enterprises should make their thoughts known, even if they haven't been invited to do so. See: Michael Geist - Public Safety Canada Quietly Launches Lawful Access Consultation.

    For some related blogging, see: It's not your job to police your customers, The ISP Privacy Pledge, and Ontario court considers "lawful authority" under PIPEDA.

    Privacy Commissioner questions legality of Google Street View in Canada

    This is interesting ...

    The Privacy Commissioner of Canada has written to Google, asking for comments on the proposition that Google Street View may violate Canadian privacy laws.

    Letter regarding the 3D online mapping technology (September 11, 2007) - Privacy Commissioner of Canada:

    Letter to Mr. David C. Drummond, Senior Vice President, Corporate Development and Chief Legal Officer, Google, regarding 3D online mapping technology

    ...

    Our Office considers images of individuals that are sufficiently clear to allow an individual to be identified to be personal information within the meaning of PIPEDA. The images contained in Immersive Media’s GeoImmersive Database appear to have been collected largely without the consent and knowledge of the individuals who appear in the images. These images now appear in your company’s Street View application. I understand that there is a function within Street View which allows viewers to request that certain images be removed. This is only a partial solution, however, given that individuals may not be aware that images relating to them are on Street View. As well, by the time individuals become aware that images relating to them are contained in Street View, their privacy rights may already have been affected.

    I am concerned that, if the Street View application were deployed in Canada, it might not comply with our federal privacy legislation. In particular, it does not appear to meet the basic requirements of knowledge, consent, and limited collection and use as set out in the legislation. I would appreciate your response to the issues that I have raised as soon as possible, given the importance of these questions to the privacy rights of Canadians. Please contact me if you have any questions.

    Past postings on this topic: Canadian Privacy Law Blog: Google Street View raises privacy concerns & Canadian Privacy Law Blog: Google demands photo ID to get off Street View. Or not.

    There's been loads of coverage of this issue in the mainstream media. See:

    Facebook plans to offer targeted ads

    According to an article in USA Today, Facebook is following in the footsteps of Google and others by using targeted ads. I'm not at all surprised, since most online advertising is moving in this direction. See: Facebook plans to offer targeted ads - USATODAY.com. Thanks to Michael Zimmer for the link.

    Monday, September 10, 2007

    Rogue Nodes Turn Tor Anonymizer Into Eavesdropper's Paradise

    Earlier this week, Wired reported that a Swedish security researcher had set up a rogue node on the Tor network and snagged over 100 usernames and passwords.

    Tor, also called The Onion Router, a popular online privacy and anonymity tool distributed by the Electronic Frontier Foundation, relies on a number of nodes to relay web traffic. But if the end point, where the data is finally decrypted, is operated by some malevolent person, privacy and anonymity go out the window. See: Rogue Nodes Turn Tor Anonymizer Into Eavesdropper's Paradise.

    Sunday, September 09, 2007

    Japanese media and others call for changes to privacy law

    From the Japan Times Online comes a call for changes to the Japanese privacy law, which came into effect in 2005. It appears, from the following editorial, that the law has been interpreted in a rigid way that "goes too far". Check it out:

    Revise the personal information law | The Japan Times Online

    ....Necessary or benign information has been withheld for at least two reasons: (1) a misunderstanding of the law, and (2) an overly cautious attitude on the part of organizations possessing information. Organizations tend to think that withholding information is the safest way to avoid legal trouble. Moreover, some organizations may be taking advantage of the law to protect individuals close to them, with the ultimate aim of protecting themselves.

    One absurd situation that was widely reported occurred after the April 25, 2005, West Japan Railway accident in Hyogo Prefecture, which killed 107 people and injured 562 others. Many people contacted hospitals, thinking that their relatives or friends might have been taken there. But the hospitals refused to answer their questions, citing the personal information law.

    The law is also making it difficult for lawyers to properly carry out their duties. According to the Japan Federation of Bar Associations, there are many cases in which local governments and other administrative organizations refuse to provide information on individuals to lawyers who are legally seeking information for use in trials. Thus court proceedings are affected.

    Furthermore, the law is destroying the formation of personal bonds between people. Community groups that want to aid the elderly and infirm in the event of natural disasters often have difficulty obtaining information on such people from local government sections in charge of disaster prevention or social welfare. It has also become virtually impossible for parents of school children to make a list of emergency contact numbers, or for a neighborhood association to issue a membership list.

    Government ministries and agencies are withholding information to which the public is entitled. In some cases, they withhold not only the names of people who have passed state qualifying examinations but also the career records of high-ranking bureaucrats. It is unreasonable to shield information on public persons such as lawmakers and high-ranking public servants. Police, meanwhile, often have refused to disclose the names of crime victims to the media. And recalls of defective products are hindered because retailers refuse to disclose client lists when contacted by manufacturers of the products.

    A panel of the Council for Stabilization of National Life in the Cabinet Office, which studied problems caused by the law, recently submitted a report to Ms. Sanae Takaichi, the state minister in charge of the law's implementation. The report says that an "examination of more measures including a law revision" is necessary. But this is not a call for an immediate law revision; instead, the panel takes the position that a review plus full implementation of 35 guidelines for applying the law, already written by government ministries and agencies, will suffice. It should be noted, though, that all the problems mentioned have occurred despite the existence of these guidelines. Clearly, nothing short of a revision of the law will do.

    The government should heed a statement issued by the Japan Newspaper Publishers and Editors Association, which calls for a measure to stop abuse of the law that leads to the withholding of socially necessary information. It warns that if the spirit of the law continues to be bent in this way, the people's right to know will be violated and the foundations of democratic society undermined.

    China privacy law due next year

    According to China Daily, China will be enacting a privacy law in the next year or so:

    Law on personal info 'next year'

    ...Zhou said the draft clarifies the legal duty of entities, especially enterprises, to protect personal information by following some basic principles.

    For example, it says, an entity must specify the purpose personal information will be used for while collecting them. The entity has to make it clear that the information will not be used for any other purpose without the prior consent of the persons.

    The draft bans any entity from providing personal information to a third party without the prior approval of the persons. Anyone found violating that could be fined and/or imprisoned, Zhou said.

    There are exemptions, though. For instance, such information can be divulged to save a life or in public interest, or for criminal and tax investigations. To ensure press freedom, the media under certain conditions have also been exempted.

    "The law has to protect personal rights, but it cannot disrupt the normal flow of information or social governance and supervision," Zhou said.

    The draft's review has so far not been included in the legislation agenda of the Standing Committee of the National People's Congress, the country's top legislature.

    Experts have hailed the move to have such a law. "It's a milestone in privacy protection in China," Heilongjiang University civil law professor Sun Yi said.

    China doesn't have clear legal provisions to protect privacy at present, so victims can't protect themselves even through lawsuits.

    Thursday, September 06, 2007

    National Security Letters unconstitutional

    US District Court Judge Victor Marrero (U.S. District Court, Southern District of New York) has struck down portions of the USA Patriot Act as unconstitutional. Specifically, the provisions related to National Security Letters and the prohibition on disclosing their existence have been found to violate the First Amendment and the separation of powers under the US Constitution. From the Washington Post:

    Judge Rules Provisions of Patriot Act Unconstitutional - washingtonpost.com

    A federal judge today struck down portions of the USA Patriot Act as unconstitutional, ordering the FBI to stop issuing "national security letters" that secretly demand customer information from Internet service providers and other businesses.

    U.S. District Judge Victor Marrero in New York ruled that the landmark anti-terrorism law violates the First Amendment and the Constitution's separation of powers provisions because it effectively prohibits recipients of the FBI letters (NSLs) from revealing their existence and does not provide adequate judicial oversight of the process.

    Marrero wrote in his 106-page ruling that Patriot Act provisions related to NSLs are "the legislative equivalent of breaking and entering, with an ominous free pass to the hijacking of constitutional values."

    The decision has the potential to eliminate one of the FBI's most widely used investigative tactics. It comes amid widespread concern on Capitol Hill over reported abuses in the way the FBI has used its NSL powers....

    Thanks to fellow privacy lawyer Cappone D'Angelo at McCarthy's for passing along the news, hot off the presses.

    Wednesday, September 05, 2007

    California outlaws the forced subdermal RFID tagging of humans

    California has led the way in privacy legislation, much of which has largely been followed by other states. Will they follow with legislation similar to this to solve a problem that is more theoretical than real?

    California outlaws the forced subdermal RFID tagging of humans:

    "Worrying that your employer will force you to stick a small chip beneath your skin ranks low on the list of employee concerns in most parts of the country, but that didn't stop the state of California from passing a bill last week to ban such forced tagging of humans. The state senator who sponsored the bill called forced RFID tagging 'the ultimate invasion of privacy,' and his bill is now on its way to the governor's desk for his signature. ..."

    Facebook to allow public viewing and indexing of profile extracts

    Today, I logged into my Facebook account and was greeted by an announcement that Facebook is intending to make it possible for non-members to search the directory and for the directory to be indexed by search engines.

    There's more info at the Facebook official blog.

    You can change your settings to opt out from all of it. Or, if you're on Facebook to be found by others, you can make it available. I have to give Facebook credit for making it obvious to users what they are planning to do and giving a full month to decide what they want to do.

    For other thoughts on the topic, you can check out the discussion over at Compiler - Wired Blogs.

    If you touch personal information, act like a privacy officer

    Thanks to David Canton for leading me to this interesting article from IT Business. It discusses the recent breach in which unencrypted health information on a portable hard drive was lost in Toronto's airport. Looking at the issue from a practical angle, it concludes that all employees who touch personal information have to take responsibility for it.

    IT Business: Everyone's a CPO: Why privacy needs to spread across every line of business

    ...Departmental executives need to do a couple of things. First, they need to perform an inventory on the devices they personally own but which may be used for work. What level of security is already in place and what might need to be upgraded? Are there technologies that could be added to help easily recover a device if it goes missing for some reason? Are there organization-wide guidelines or procedures with which personal devices need to comply before they can be used for work purposes? This is where a dialogue with IT should probably begin, and it may lead some IT managers to reject requests that such devices be able to access a corporate network.

    A potentially bigger challenge will be for line of business executives to think in "big picture" terms of what kind of data they are managing, and what kind of responsibilities they have towards protecting the privacy of that information. We usually tackle these cases by looking at what kind of safeguards IT departments or senior management could have put in place from the beginning. As time goes on, the focus will be much more on what individual employees are doing to bolster those safeguards. No one is merely a VP of marketing, finance or HR anymore. If you touch customer or employee data in any way, shape or form, you're a chief privacy officer, too.

    Tuesday, September 04, 2007

    Australian Commissioner fears breach notification could backfire

    The Australian Privacy Commissioner is coming out against mandatory breach notification, which is a bit surprising given that the trends elsewhere are clearly in favour of notification. Just last week, the NZ Commissioner introduced breach notification guidelines.

    Also of interest in this article is the fear over how pubs and bars use patrons' drivers license information:

    Computerworld > 'Name-and-shame' disclosure could backfire

    Australian federal privacy commissioner Karen Curtis is warning that calls for Australian companies to be subject to a compulsory name-and-shame data breach regime could backfire and create a compliance nightmare.

    The statement is the strongest indication yet that a looming shake-up of the private sector provisions of the Privacy Act in Australia will not take the lead of US regulators, which have compelled corporations and government agencies to publish details of even minor infractions against customer data protection laws.

    The warning comes as New Zealand organisations get to grips with our own Privacy Commissioner’s draft data breach disclosure guidelines, unveiled last week. Privacy Commissioner Marie Shroff has indicated she will consider whether breach guidelines should become mandatory.

    Curtis says serious consideration is being given to publicly identifying companies or agencies involved in incidents when there was a tangible risk of harm to consumers.

    This is backed by research undertaken by her office over the past nine years that shows consumers favour pragmatism and common sense over onerous bureaucracy.

    “The guts of it is that mandatory reporting for breaches should be examined, but you have to find the right threshold,” Curtis says. “We think there is merit, but not in all circumstances. Direct comparisons [with the US] are not ideal.”

    ...

    Curtis says the ALRC review, which will make formal recommendations to Attorney-General Philip Ruddock next year, was needed because there was a mishmash of private, public, federal, state and local privacy regimes that sometimes acted to confuse people as to where they could go to seek advice and justice.

    ...

    Curtis confirms her office is looking at a number of complaints about the alleged circulation of the personal details of pub patrons, who had been forced to provide identification that is electronically scanned and retained. Many licensed pubs and clubs now claim they are required to collect such information under liquor licensing laws. Curtis says she wants to know where the information collected from scans of drivers’ licences or other documents is going and how it is being used. Australia’s Office of the Privacy Commissioner was expected to release new guidelines for pubs last week and will warn establishments that have an annual turnover of more than A$3 million that they are subject to federal privacy protection laws. The pub ID problem has become a serious issue in Queensland. The state’s licensing authority, Queensland Transport, has started to remove addresses from drivers’ licences because they were being used by pub bouncers to find out where female patrons live.

    Curtis says she intends to use Privacy Awareness Week, which started in Australia as in New Zealand last weekend, to emphasise the benefits that good privacy protections bring the community at large.

    Monday, September 03, 2007

    BC Commissioner: Student records can be shared to protect public safety

    Probably not a surprise for those who regularly work with the provincial public sector privacy laws in Canada, which usually contain a public interest and "health and safety" override:

    Records of troubled B.C. students can be shared: privacy commissioner

    Universities in British Columbia can share confidential medical records about troubled students if there's a perceived threat to public safety, the province's privacy commissioner says.

    Responding to a U.S. government report issued June 13 on the April 16 massacre at Virginia Tech that left 33 people dead — including the student who fired the gun — David Loukidelis said a university student's confidential medical records can be shared — regardless of the student's age.

    "The laws in B.C. fully enable university and college officials to take steps to protect individual and indeed public safety," Loukidelis told CBC News on Monday.

    The U.S. report says schools, doctors and police often do not share information about potentially dangerous students because they can't figure out complicated and overlapping privacy laws.

    Loukidelis said there's a long list of exemptions in B.C.'s privacy laws that allow a student's private information to be shared for the good of public safety.

    Tim Rahilly, senior director of student and community life at Simon Fraser University in Vancouver, said he often noticed the beginning of problems with students and wondered whether that information could be shared.

    He said the university would ask the student whether it can talk to the student's parents about the concerns.

    "The student can say no and if they are above the age of majority we are a little bit hamstrung," Rahilly said.

    Loukidelis said if a student denies a request to share personal information with their parents or school officials, an assessment can be made.

    Protecting Your Privacy and Anonymity at yourprivacy.co.uk

    I just heard about a new website, www.yourprivacy.co.uk, from its creators. The site, based in the UK, provides over sixty articles related to privacy. They say they'll be adding ten articles a month to the site. They also have an RSS feed to keep up on what they're publishing.

    Protecting Your Privacy and Anonymity at yourprivacy.co.uk

    Saskatchewan implements mandatory gunshot reporting

    Saskatchewan, as of September 1, 2007, has become the second province in Canada to require healthcare professionals to report gunshot and stabbing wounds to the police. See: Sask. closes gun loophole: Lloydminster Meridian Booster, Lloydminster, AB.

    Nova Scotia is considering doing the same; the Deputy Minister of Justice has been circulating a discussion paper on the topic this past week, seeking comments.

    Facebook making changes to apps, to protect privacy and cut down on spam

    Wired is reporting that Facebook is making changes to its Applications platform, to protect privacy and to prevent abuse of the service. See: Compiler - Wired Blogs.

    Inside DCSNet, the FBI's Nationwide Eavesdropping Network

    Wired recently published a summary of materials obtained under a Freedom of Information request related to DCSNet, the national surveillance infrastructure built on the Communications Assistance to Law Enforcement Act.

    Inside DCSNet, the FBI's Nationwide Eavesdropping Network

    NZ doctors resist insurance firms' pleas for full patient records

    More news from down under; this time from New Zealand.

    Family doctors are complaining to the New Zealand Privacy Commissioner about the increasing tendency of insurance companies to ask for full patient records for their insureds. The New Zealand Medical Association has complained to the Commissioner, who is considering whether to investigate. See: Christchurch doctors resist insurance firms' pleas for full patient records - Christchurch News - The Press.

    Sunday, September 02, 2007

    Kid's Facebook posting used to question mum's parenting

    I've posted in the past about Facebook postings that users have presumably thought were private, but have wound up as fodder in litigation. Here's another one.

    V. (W.R.) v. V. (S.L.), 2007 NSSC 251, is an application to vary a custody order with respect to the fourteen-year-old daughter of the parties. Initially, S.V., the father, was granted custody as the mother, W.V., was in addiction treatment. Some years later, the mother apparently is doing better and the daughter wishes to live with the mother.

    During a follow-up hearing, the father produced photos posted by the daughter on Facebook as evidence of the mother's parenting deficiencies. This didn't seem to be of consequence for Justice MacAdam in his decision, but it is a further example of the collateral use of materials posted on social networking sites.

    Here's the relevant paragraph:

    W.R.V. (Petitioner / Respondent) v. S.L.V. (Respondent / Applicant)

    Nova Scotia Supreme Court

    A.D. MacAdam J.

    Heard: May 2 - August 8, 2007

    Judgment: August 28, 2007

    Docket: SBW 1203-001812

    ...

    31 Following the initial hearing, S.V. applied to reopen the presentation of evidence. For the subsequent hearing, he provided affidavits and at the hearing testified to a concern about S.V.'s parenting skills as a result of J.V. posting photographs of herself on a website known as "Facebook". He viewed S.V.'s handling of this as inadequate. He also deposed and testified to his lack of contact with his daughter since the initial hearing. S.V. responded that she spoke to J.V. about the Facebook postings and some of the photographs had been removed. She also confirmed the lack of contact by J.V. with her father, other than seeing and speaking to him a few times since the hearing. She says she has encouraged J.V. to speak to her father, but she does not wish to do so until this matter is concluded. S.V. says J.V. is upset that the legal proceedings have dragged on....

    Saturday, September 01, 2007

    Australian Commissioner: ID scanners may breach privacy laws

    I've blogged a few times before about the growing practice of bars and nightclubs scanning patrons' ID (see: Canadian Privacy Law Blog: New technologies for scanning IDs, Canadian Privacy Law Blog: Calgary student challenges nightclub over scanning ID, Canadian Privacy Law Blog: Article: Swiping driver's licenses - instant marketing lists?).

    It appears to also be a concern for the Privacy Commissioner in Australia.

    ID scanners may breach privacy laws - Queensland - brisbanetimes.com.au

    ...

    The Australian Privacy Commissioner Karen Curtis yesterday warned publicans to "seriously consider their obligations" under the Privacy Act.

    "If pubs and clubs that scan people's ID fail to heed their obligations under the Privacy Act, they run the risk of breaching their customers' privacy and having a privacy complaint lodged against them," Ms Curtis said.

    At least 12 licensed venues in and around Brisbane use the technology to combat what they see as a rise in alcohol-fuelled violence.

    ...

    "People are understandably concerned that having their ID scanned could lead to identity theft or that their details will be used by the pubs or clubs for unrelated purposes, such as direct marketing," she said.

    Ms Curtis said her office received its first complaint about the devices in 2001 - but more than 100 phone calls and numerous written complaints had been made in recent months.

    Companies should take a close look at their duties under the Privacy Act, she said, which include allowing customers to interact anonymously where possible and only scanning an ID if a business can prove it is totally necessary.....