Tuesday, October 30, 2007

Privacy and pre-employment screening

Yesterday, I spoke at the McInnes Cooper labour and employment group's annual conference. It's been going on for years, but it was my first time to attend. I was greatly impressed with the turnout of more than two hundred attendees.

I gave a presentation on privacy and pre-employment screening, which is here: Pre-employment screening.

Monday, October 29, 2007

Hitachi develops world's smallest RFID chip

Hitachi has just unveiled a new generation of tiny RFID chips that are .15 mm X .15 mm. They're so small, they're nicknamed "dust".

See: Hitachi Develops World's Smallest RFID Chip - TFOT.

Sunday, October 28, 2007

E-mail screw-up blows the whistle on whistleblowers

If this is true, it's pretty staggering.

The House Judiciary Commitee of the US Congress set up a form on its website to collect tips on misdeeds in the US Department of Justice from whistleblowers. A staffer recently sent an e-mail to all the would-be whistleblowers and put all the addresses in the "TO:" field on the outgoing e-mail. Oh, and s/he copied vice_president@whitehouse.gov. Not good at all.

See: TPMmuckraker Talking Points Memo D'Oh: House Panel Screw-Up Reveals Whistleblower Email Addresses.

Friday, October 26, 2007

Privacy and Personal Health Information

I spoke with the Health Law class at Dalhousie Law School about personal health information today. It focuses mainly on the situation in Nova Scotia, where we don't yet have personal health information legislation. Private practice physicians, physiotherapists, dentists, etc. are still subject to PIPEDA.

My presentation is here, if you're interested.

Facebook seeks identity of Canadian hackers

The National Post is reporting that Facebook is suing unnamed Canadian hackers for stealing pesonal information from the social networking site. In order to unmask the identity of the hackers, the company has taken Rogers and Look to court. Quite rightly (in my view), both ISPs are requiring a court order to hand over the info. See: Court urged to force Rogers, Look to release customer data. Via: Michael Geist - Facebook Seeks Court Order For Canadian ISP Customer Info.

Thursday, October 25, 2007

NB releases personal health information task force

Yesterday, the Government of New Brunswick's Task Force on Personal Health Information released its report, calling for the province to adopt legislation modeled on Ontario's Pesonal Health Information Protection Act. Newfoundland is advanced in this process and Nova Scotia is just about to embark on a similar project. For the report and all the background documents, see: Health - Personal Health Information Task Force.

Privacy and Law Enforcement

I was invited to be the keynote speaker at a half-day session put on today by the Canadian Bar Association - New Brunswick. I spoke about the current law related to the law enforcement access to personal information and an update on what's happing with "lawful access". Here's the presentation: click here (google Docs) or here (pdf).

I tried embedding it but it only worked if you are logged into a google account, which wasn't my intention.

Wednesday, October 24, 2007

Apparently, it's as simple as one word

The National Post has been running a series of articles on child abuse and child pornography. The last instalment delves into (just sticks its toe into, really) some of the debate that has been swirling around on "lawful access". The article is entitled "Words get in way of saving children" and the word being discussed is "may" in Section 7(2) of PIPEDA. If we could just change "may" to "shall" -- requiring ISPs to identify their customers -- the world would be a safer place for children. If only life were that simple. There really needs to be a much more nuanced debate about this.

Words get in way of saving children

Adrian Humphreys

National Post, with files from Allison Hanes, National Post

Wednesday, October 24, 2007

With a proliferation of horrific allegations in the headlines, Canadians can be forgiven for thinking that child molesters are everywhere. But what is the actual prevalence of the problem, and how should we be dealing with it? In this, the final instalment of a four-part series, the National Post looks at what the law-and-order approach prescribes and how the current system could be fixed.


Changing a single word in a seven year-old piece of legislation -- that was designed to support and promote electronic commerce in Canada -- could help save children from horrific sexual abuse, police officers and child protection advocates say.

It suggests that not all solutions to the problem of child sexual exploitation need to be buoyed by millions in capital infusion, backed by sweeping new laws, clouded by medical debate on effectiveness or spark public controversy over whether being soft or hard on pedophiles best helps curb their urges.

Experts who investigate pedophiles and work to help their child victims say that much more can be done in the realm of law and order to reduce the impact of the sexual predators among us. One of their targets is changing a three-letter word: "may."

Simply swapping the word "may" to "shall" in Section 7, Subsection 2 of the Personal Information Protection and Electronic Documents Act (PIPEDA) would be an easy step towards helping police intercept child molesters and pornographers, child advocates say.

The distinction may seem irrelevant to non-lawyers, but in the backrooms of some of Canada's Internet service providers and in the squad rooms of police forces across Canada there is a world of difference.

"The problem is, these cases move at the speed of light. Files are sent around the world, copied, downloaded and erased in seconds --by the time you get a search warrant it can be too late," said Paul Gillespie, who recently retired as the pioneering head of the Toronto police's Child Exploitation Section.

The existing guidelines on electronic documents state: "an organization may disclose personal information without the knowledge or consent of the individual," under certain circumstances, one of which is to police "carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law."

Police have found that when they have evidence of someone trading in child pornography over the Internet and they want to know where the activity is coming from, not all Internet service providers are forthcoming.

When some providers read the regulations, they see the disclosure of the customer's name and address as an option, not an obligation, and tell officers to come back when they have a court-authorized warrant.

Changing the rules from allowing ISPs to give a customer's name and address to police to requiring them to provide it would help, say police.

Staff Sergeant Rick Greenwood, manager of the RCMP's National Child Exploitation Coordination Centre, understands there are privacy concerns.

"All we care about is the starting point. We're after the customer's name and address," he said. The ISPs are not being asked to turn over billing records or credit card information; they are not giving police access to email in-boxes or Internet histories.

He likens it to a licence plate on a car.

"If you jump in your car and race off along a highway and hit a child, there is something we can do to investigate it. Someone can get a licence plate number or a description of the car," said Staff-Sgt. Greenwood.

"The same should be true for the Internet. If you jump onto the information freeway, you need to be accountable. "

Police would still need to get court authorization for any invasive investigation, such as reading email or tracking Internet activity, officers say.

However, red tape, a lack of resources, and poor enforcement of existing laws all help child abusers escape detection, or at least successful prosecution, activists say.


Professor Valerie Steeves on Children's Privacy Online

From the Terra Incognita conference, Google Video has a very interesting twenty minute presentation by Professor Valerie Steeves on kids privacy online. If you have a kid who uses Webkinz or similar sites, you should really check it out.

Professor Valerie Steeves on Children's Privacy Online - Google Video:

Via Office of the Privacy Commissioner » Blog » How children’s sites see your kids as marketing goldmines.

Monday, October 22, 2007

Study profiles ID thieves

An interesting study of identity thieves has been released by the Center for Identity Management and Information Protection, which suggests that less than one fifth of criminals get their data from the internet. In most cases it they get their data by re-routing mail, dumpster diving and intercepting mail.

I would read the report itself, but they want your personal information before allowing access. Hmmm....

Study IDs identity thieves on Yahoo! News

Study IDs identity thieves

By WILLIAM KATES, Associated Press Writer

Mon Oct 22, 11:19 AM ET Identity thieves are typically young, work solo and rely on the Internet for fewer than one-fifth of their crimes, according to a new study of Secret Service cases.

The Center for Identity Management and Information Protection also found that "insider" employees were the offenders in just one-third of the cases. Employees who stole identity information often worked in the retail industry, the report found.

"There are some common perceptions we have that identity theft involves a person sitting at a computer hacking into corporate or individual computers. ... Certainly it is happening, but it is a crime that is happening in a multitude of ways, some of it as simple as stealing mail out of a mailbox," said Gary Gordon, a professor of economic crime programs who founded and heads the center at Utica College.

The Department of Justice-funded study, which was to be released Monday at a news conference in Washington, D.C., differs from previous studies because it focused on identity thieves and their methods, rather than victims, said Michael Stenger, Assistant Director of Investigations for the Secret Service, which agreed to open its case files to the center.

Researchers reviewed 517 cases closed by the Secret Service between 2000 and 2006. Two-thirds of the cases were concentrated in the Northeast and South and there were 933 defendants. The Federal Trade Commission has said about 3 million Americans have their identities stolen annually.

The study found that 42.5 percent of offenders were between the ages of 25 and 34. Another 18 percent were between the ages of 18 and 24. Two-thirds of the identity thieves were male.

Nearly a quarter of the offenders were born outside the United States.

Eighty percent of the cases involved an offender working solo or with a single partner, the report found.

While identity thieves used a wide combination of methods, fewer than 20 percent of the crimes involved the Internet. The most frequently used non-technological method was the rerouting of mail through change of address cards. Other prevalent non-technological methods were mail theft and dumpster diving.

Of the 933 offenders, 609 said they initiated their crime by stealing fragments of personal identifying information, as opposed to stealing entire documents, such as bank cards or driver's licenses.

Most of the offenses were committed by non-employees who victimized strangers. Employee insiders were the offenders in just one-third of the 517 cases. When an employee did commit identity theft, the offenders were employed in a retail business in two out of every five instances, the report said. Stores, gas stations, car dealerships, casinos, restaurants, hotels, doctors and hospitals were all considered retail operations in the study.

In about a fifth of the cases, the employee worked in the financial services industry.

"This is important research," said Ann Wallace, executive director of the Identity Theft Assistance Center, a national nonprofit group that helps victims and law enforcement agencies fight identity theft crimes.

Wallace had not read the study but said she was familiar with its findings, which were "consistent with what we hear from victims."

"We have to know more about the crime in order to fight it. This will help law enforcement understand the problem and it will help consumers better understand the risk."


On the Net:

Center for Identity Management and Information Protection: http://www.cimip.org

Identity Theft Assistance Center: http://www.identitytheftassistance.org

Saturday, October 20, 2007

Tory database draws ire

There's been a minor bruhaha in Canada over a recent batch of Rosh Hashanah cards sent out by Prime Minister Stephen Harper. Many recipients wondered why they received them and also wondered why the PM's office would have a mailing list indicating their religion.

Former Tory member of parliament blogged about the Tory's Constituency Information Management System (The Turner Report: Nowhere to hide) as the likely source of the lists, and wrote that all manner of info about constituents goes into the political database. I was interviewed last week about the privay law aspects of this:

The Canadian Press: Tory database draws ire of privacy experts for including constituency files

1 day ago

OTTAWA - The federal Conservative party's central database is set up to track the confidential concerns of individual constituents without their knowledge or consent, says a former Tory MP.

The issue spilled onto the floor of the House of Commons on Thursday when Garth Turner, the expelled Tory-turned-Liberal MP, accused Prime Minister Stephen Harper of an "unethical invasion of Canadians' privacy."

Privacy experts agree the practice is a clear breach of standard privacy ethics - but probably not the law, because federal political parties fall into a legislative grey area.

A recent mailing by the prime minister to some Jewish households, and households with Jewish-sounding names, highlighted the micro targeting that sophisticated modern databases now facilitate.

The Rosh Hashanah greeting from Harper prompted several recipients to complain to the federal privacy commissioner, who has begun a preliminary inquiry.

It's cast a light on the 21st century art of political communication that may make some Canadians uneasy.

Virtually all federal and provincial parties have computerized databases, but the federal Conservatives are the acknowledged leader in the field of data management and mining.

Their fundraising efforts, based on small donations by thousands of donors, are unparalleled in federal politics.

Both the federal Liberals and the NDP have separate databases for constituency work and voter tracking. Data does not migrate between the two.

But the Conservatives use a single clearing house for all data collection, storage, datamining, mailing lists, voter tracking and any other partisan use such information may serve.

Turner, the Liberal maverick who was elected as a Conservative in 2006 and subsequently turfed from the party, says every Conservative MP is required to use something called CIMS, an acronym for Constituent Information Management System.

CIMS is used not only to track voter allegiance in a given riding - something every political party attempts - but also a host of other data gathered in the course of an MP's constituency office duties.

"Any time a constituent is engaged with the member of Parliament, they get zapped into the database," Turner said in an interview. "It's unethical and it's a shocking misuse of data.

"Because once you cotton on to what's going on here, it's not good constituency work at all to allow that data to fall into any kind of hands. But the party is desperate to get more and more data in there because the primary use is fundraising. The secondary use is voter tracking to get out the vote."

Logging constituent files in a central party database that may also be used as part of election planning, fundraising, advertising strategy and policy deliberation appears to be clearly offside, two nationally respected privacy experts told The Canadian Press.

"If somebody contacts their MP because they're having a problem with their CPP benefit or their military pension, they don't expect to end up on a mailing list for a political party," said David Fraser, a Halifax lawyer who specializes in privacy issues with the firm McInnes Cooper.

"If they are going to end up on a mailing list, I think there's an ethical obligation to inform them and give them the opportunity to opt out."

Michael Geist, a law professor who serves as the Canada research chair of Internet and e-commerce law at the University of Ottawa, agrees.

"When you're going to your local MP with a concern or a problem, there is a certain level of confidentiality," said Geist.

"The notion that it's simply a data point that gets used to characterize the particular constituent could have a bit of a chilling effect."

Nonetheless, the Conservatives are likely within the letter of Canada's privacy laws, because they are neither a government agency nor considered a commercial operation.

Geist argues that political parties' fundraising efforts might make them liable under the commercial privacy law, known as PIPEDA, but Fraser says the legislation as written suggests otherwise.

"Generally, political parties aren't regulated with respect to how they collect, use and disclose personal information," said Fraser.

The Conservatives, who openly boasted about their state-of-the-art CIMS database after purchasing it in 2004, now refuse to discuss it.

"I will not talk about internal party databases," said party spokesman Ryan Sparrow. "I'm not disclosing what is in our database, who is in our database."

When asked if Canadians can request to see their file on the CIMS database, Sparrow responded: "What would be their specific need to see?"

Asked a second time, Sparrow shut down the inquiry.

"I'm not going to help you with your story. It's internal party matters."

The Liberal party says it voluntarily follows the principles of PIPEDA - including showing any individual who asks what is on their file - even though the act does not apply to political parties.

"We do not keep any information on individuals without their expressed consent," said Elizabeth Whiting, the party's communications director.

The NDP also said citizens are free to ask to see their file, although the party is not aware it has ever received such a request.

Fraser said political parties, regardless of the law, should follow the best-practice standards established by the Canadian Standards Association, upon which both federal privacy acts are based.

"Those best practices, which are almost universally recognized in most western democracies, would suggest that political parties should give notice, get consent and provide people access to their information," said Fraser.

"Whether or not they choose to do that would speak volumes to how they see themselves as responsible custodians of this personal information."

The St. John's Telegram is calling for the system to be stopped.

The Telegram, St. John’s: Editorials Someone is watching you

The Telegram

Maybe Big Brother now has a name. Maybe it’s Stephen, as in Stephen Harper. Or maybe it’s CIMS, the acronym for the federal Conservative party’s computerized Constituent Information Management System.

Garth Turner, a former Tory Member of Parliament who now sits as a Liberal, has now said that when he sat as a Tory, Conservatives were required to use the system to not only track a constituent’s allegiance to the party, but also to collect personal information about constituents that might come to light when the constituent contacted the parliamentarian.

“Any time a constituent is engaged with a member of Parliament, they get zapped into the database,” Turner said. “It’s unethical and it’s a shocking misuse of data.”

For their part, the Tories have now denied gathering partisan data through the regular daily work of Members of Parliament. At the same time, they have been tremendously tight-lipped about what information is being collected and how it’s being used: when Turner first made comments about CIMS, Conservative officials flatly refused to talk about the system, and eventually would only say “No information in CIMS is compiled through MP casework.”

Beyond that, the spokesman would only say “I will not talk about internal party databases. … I’m not disclosing what is in our database, who is in our database.”

CIMS is already under increased scrutiny, after Jewish families began receiving unexpected Rosh Hashanah greetings from Prime Minister Stephen Harper. Some of the families, especially non-practising Jewish families, found the greetings unsettling.

CIMS is also believed to be tracking information collected by responses to Parliamentary mail-outs.

The system has been touted as the most advanced tracking system for constituents in the country — it’s also one of the strongest systems for collecting small donations by scores of ordinary donors.

The issue, however, is how much personal information the Conservative party is collecting, especially because strict federal privacy laws that apply to businesses in Canada — and others who have their hands on personal information — don’t seem to apply to political parties.

There’s a simple answer to the questions being raised about CIMS, and it can be spelled out in the concept of what’s fair for the goose, is fair for the gander. Companies across the nation have done backflips to ensure that they live up to the letter and the intent of commercial privacy laws, and political parties should be required to live up to the same standard.

If it’s an abuse for a business to stockpile personal data for commercial reasons, it should be illegal for a political party to stockpile the same sorts of information for use in its political business.

The federal Conservatives have no more right to trade on details about your age, religion, personal sexual preferences or interests than anyone else does. Governments collect massive amounts of statistical information, and have a duty to keep that information private.

CIMS is blurring the line between the use and the abuse of personal, private information.

It’s about time this tracking system was stopped in its tracks.

Thursday, October 18, 2007

Government response to the PIPEDA review

The government has issued its response to the five year PIPEDA review report, issued earlier this year by the Parliamentary Committee on Access to Information, Privacy and Ethics. No big surprises.

The government proposes even more "consultations".

See: Industry Canada Site - Government Response to the Fourth Report of the Standing Committee on Access to Information Privacy and Ethics.

NJ hospital suspends 27 for peeking at celebrity's medical record

CNN is reporting that 27 employees of the Palisades Medical Center in North Bergen, New Jersey, hav been suspended for a month without pay for looking at actor George Clooney's medical records without a valid reason for doing to. See: 27 suspended for Clooney file peek - CNN.com. (via Schneier on Security: 27 Suspended for Looking at George Clooney's Personal Data).

Privacy Commissioner tables report on public sector Privacy Act

The Privacy Commissioner of Canada has tabled her annual report on the Privacy Act in parliament today. The Commissioner notes that the Privacy Act became law when the Commodore 64 was new on the shelves and is getting long in the tooth.

Canadians continue to think personal information not well protected: Tabling of Privacy Commissioner of Canada’s Annual Report on the Privacy Act

October 17, 2007

Canadians continue to think personal information not well protected: Tabling of Privacy Commissioner of Canada’s Annual Report on the Privacy Act

Ottawa, October 17, 2007 — Canadians overwhelmingly feel their personal information is less well protected than it was a decade ago, and they are right to be worried, says the Privacy Commissioner of Canada, Jennifer Stoddart.

Commissioner Stoddart’s 2006-2007 Annual Report on the Privacy Act was tabled today in Parliament. At the same time, the Privacy Commissioner’s Office released new research confirming that Canadians are unsure of how their personal information is protected, and by whom.

Increasingly, Canadians’ personal information is being exchanged with law enforcement and security agencies in other countries. The government has claimed that this transborder flow of information will improve transportation safety and enhance our national security. “We are particularly concerned about the number of travel-related security programs that have been put in place,” says Commissioner Stoddart. “Parliament may not be sufficiently informed about how these programs work and their individual and collective impact on the privacy rights of Canadians.”

The increased collection of personal information under these programs increases the risk that Canadians will be the victims of inappropriate data matching, intrusive data mining, or the unintended consequences of the disclosure of personal information. This increases the risk of surveillance, rendition and unwarranted attention from law and security enforcement both at home and abroad.

These concerns could be addressed, in part, by a review and modernization of the Privacy Act. As the Annual Report notes, “Parliament passed Canada’s public sector privacy law back in 1982 – the same year the Commodore 64 computer hit the market. At the time, both were considered pioneering.”

The Privacy Act, unfortunately, is not equipped to deal with the pressures imposed by tremendous technological change. In fact, Canada’s private sector privacy law, the Personal Information Protection and Electronic Documents Act, provides more protection for Canadians.

As the results of an audit of the government’s Privacy Impact Assessment (PIA) Policy confirm, government departments are not doing enough to protect Canadians’ personal information as they plan new programs or redesign existing programs.

“While we did not identify cases of pervasive non-compliance, many institutions are not fully meeting their commitments under the policy and, by extension, the intent or spirit of the Privacy Act,” says Commissioner Stoddart.

Under the PIA policy, federal institutions are required to assess the potential privacy risks of programs before they are implemented. These institutions must also identify the measures in place to protect personal information as it is collected, stored, used, disclosed and ultimately destroyed.

The Office of the Privacy Commissioner audit found that some institutions made serious efforts to apply the PIA policy but many are lagging behind. PIAs are sometimes completed well after the program has been implemented and, in some cases, not done even when potential privacy issues are evident.

“Privacy protection should be a key consideration in the initial framing of a program or service,” says Commissioner Stoddart. “Current PIA reports offer little assurance to Canadians who want to understand how a government service or program will affect their privacy.”

Canadians not only want to be reassured that their personal information is being protected; they also want to be informed when it is disclosed inappropriately.

Research conducted for the OPC shows that a majority of Canadians (seven in ten) expect to be informed if a security breach leads to the disclosure of information – whether that information is sensitive or not.

That research, a survey of 2,001 Canadians conducted by EKOS Research Associates earlier this year but released for the first time today, also found that:

  • Seven in ten Canadians feel their personal information is less protected than it was ten years ago.
  • A bare majority of Canadians agree that they have enough information to know how new technologies might affect their personal privacy.
  • About seven in ten Canadians believe that they are doing a relatively good job of protecting their own personal information.
  • Despite this, almost half of Canadians (46 per cent) carry a Social Insurance Number (SIN) card in their wallet, although this number is a key piece of information used by identity thieves.

“These survey results underline that we – my Office, privacy advocates, regulators and consumer protection authorities – have to work harder to reassure Canadians that their privacy rights are protected,” says Commissioner Stoddart. “We also have to give them the information and tools so they can better protect their own information.”The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of the privacy and protection of personal information rights of Canadians.

To view the reports:

Friday, October 12, 2007

SWIFT to move data centre to Switzerland to avoid long arm of the US law

It appears that SWIFT is going to move its global data centre from the United States to Switzerland, to avoid having to deal with US fishing expeditions. See:

heise online - SWIFT puts EU data beyond the immediate reach of the US

SWIFT puts EU data beyond the immediate reach of the US

The supervisory board of SWIFT has approved the plans for the restructuring of the systems architecture of the financial messaging network the outlines of which had been known for some time. The core of the realignment is the creation of a global data processing center in Switzerland. To this will be added a command-and-control center in Hong Kong. The first step toward the realization of the project that has now been approved by the supervisory board will involve the expansion of the central news platform of SWIFT, in an attempt to aid the setting up of several processing zones.

By engaging in the restructuring effort that is scheduled to be completed by the end of 2009 the financial messaging network based in Belgium is trying to accomplish a score of targets aimed at satisfying the desires of customers. Thus by preventing immediate access by US authorities to international transfer data -- as is currently the case via the network's computing center in the United States -- data privacy concerns are to be dispelled. In addition SWIFT hopes that the new message architecture will boost the processing capacity of the system, improve reliability, lower information transfer costs and, into the bargain, open up new business opportunities in general.

The financial messaging service intends to create two message processing zones: Europe and Transatlantic. The new global computing center would as a partner of the extant European data processing center, among other things, take on the mirror function of the current US facility, the organization declared. Transfer information belonging to the European zone would be processed and, if need be, stored there. The Swiss location would also process and store data emanating from the US center, it was said. "Messages within a zone will in future remain in their region of origin," SWIFT CEO Lázaro Campos said by way of explaining the new principle, which takes account to a greater degree of concerns voiced by data privacy watchdogs and members of the European Parliament and which will define the future modus operandi for the European Economic Area at least.

According to statements made by SWIFT the choice of Switzerland as the seat of its global data processing center was the result of a comprehensive survey of possible European locations. The decisive factors determining the choice of location had been the suitability of existing infrastructure, the availability of skilled staff and the presence of an appropriate framework of data privacy legislation, SWIFT noted. Switzerland had fulfilled these criteria to an outstanding degree, the organization observed. The financial messaging network has put the costs of the approved initiative at the one-off sum of 150 million euros. In addition some 50 jobs would be created in the European and Asian branches of SWIFT, it was said.

The network has managed to secure a safe harbor agreement for the existing data center in the United States that will stay in effect until the new Swiss computing center commences operations. The company has thus volunteered to abide in the US by data protection provisions that accord with European standards, allowing it thereby to benefit from the transatlantic safe harbor concept. A breach of the data protection provisions agreed to could in theory cause the Federal Trade Commission (FTC) to intervene. However, as the United States can on its territory order data to be handed over the seizure order of the US government remains in force for the time being. SWIFT has, however, assured its customers that it has implemented "unique protective measures" and has received "security guarantees" from the US government for the remaining period of time. These fulfilled the obligation to protect the privacy of customer data and the requirements of EU and US law, the organization stated. One of the most important data access restrictions was the one according to which the US Treasury Department was only given access to data that met specific search criteria in the context of a terror investigation, SWIFT explained. There was moreover a supervision regime in place when data requested by a US authority was made available to the authority in question, the organization added.

SWIFT processes international bank transfers with a volume of about 4.8 trillion euros every day. About 8,100 banks from 208 countries and regions are connected to the network. On its busiest day to date 13,663,975 bank transfer messages shot through SWIFT's data lines. Last year it emerged that US security authorities have access to SWIFT servers and are in a position to analyze the information that is being collected. Following the safe harbor assurances given by SWIFT the European Commission has given its blessing to the current financial-data access regime in the United States. In the US two customers of US banks have filed lawsuit alleging that bank transfer data of theirs was illegally passed on to security authorities by the network; the government for its part is trying to block these lawsuits. (Stefan Krempl)

For previous posts on this topic, see SWIFT.

Monday, October 08, 2007

Ann Cavoukian on Privacy by Design

Earlier this week, Boing Boing linked to a video of a presentation given by Ontario's Information and Privacy Commissioner to the Engineering School at the University of Waterloo. It's about the seven laws of identity, a topic about which Ann Cavoukian has spoken extensively. See: Privacy by Design. The page includes download links, so you can watch on your iPod if you'd rather.

Wednesday, October 03, 2007

Canadian government to introduce identity theft legislation

The Canadian Government (which may be accused of impersonating a "new" government) is planning to introduce legislation to battle identity theft. The details are sketchy at the moment, but here's what the government had to say:
Speaking Notes for the Honourable Rob Nicholson, P.C., Q.C., M.P. for Niagara Falls, Minister of Justice and Attorney General of Canada for the Announcement of Intent to Introduce Legislation Dealing with Identity Theft

Montréal, Quebec

October 2, 2007

Check against delivery

Good afternoon, ladies and gentlemen.

I am pleased to be here with my colleague Minister Blackburn to announce another step in our Government’s plan toward safer communities.

Our Government was elected to build a strong, safer, better Canada. We said we would tackle crime, and we remain committed to that goal – targeting crimes that affect Canadians most.

Identity theft has been identified as one of the fastest growing problems in North America, and one that easily crosses borders. Every day, the issue of identity theft affects or threatens more Canadian families, seniors and businesses.

Identity theft is costly to banks, retailers and consumers alike. The Canadian Council of Better Business Bureaus estimates that identity theft may cost Canadian consumers, banks and credit card firms, stores and other businesses more than $2 billion annually.

Technology has made it possible for individuals, governments and companies to collect and store huge quantities of personal information more efficiently. Consequently, technology has also made it easier, quicker and more lucrative for organized criminals to access and steal that information.

Identity theft has an impact on the daily lives of Canadians. It can affect our families, our businesses, our homes, our health and our bank accounts. And that is quite apart from the enormous emotional impact it has on its victims.

As it stands now, the misuse of another person’s identity information is covered by current offences in the Criminal Code, such as identity fraud, personation and forgery. But the preliminary steps of collecting, possessing and trafficking identity information are generally not captured by existing offences.

This is why today, along with my colleague the Minister of Labour and Minister of the Economic Development Agency of Canada for the Regions of Quebec , I am here to announce our Government’s intention to introduce legislation to amend the Criminal Code in the area of identity theft when Parliament resumes.

This new legislation will have one goal: to protect Canadians from identity theft by giving police the tools they need to stop this activity before the damage is done .

For any government, there is no greater duty than the protection of its citizens.

Our Government remains unwavering in its determination to keep Canadians safe. This new legislation is but one part of our tackling-community-crime agenda.

Thank you. Now my colleague Minister Blackburn will now say a few words…

Canada's New Government to Tackle Identity Theft

MONTREAL, October 2, 2007 – Minister of Justice and Attorney General of Canada, the Honourable Rob Nicholson, P.C., Q.C., M.P. for Niagara Falls, together with the Honourable Jean-Pierre Blackburn, Minister of Labour and Minister of the Economic Development Agency of Canada for the Regions of Quebec, today announced that Canada's New Government has developed a strategy to help combat identity theft, which is a serious criminal activity that has become more lucrative than ever before.

“ Canada's New Government understands that new and rapidly-evolving technologies have made identity theft a widespread criminal activity, especially involving organized crime. This growing issue is harming Canada's families, seniors and businesses, and we are committed to addressing it,” said Minister Nicholson. “By introducing Criminal Code amendments, our government will be giving police the tools to better protect Canadians by stopping identity theft activity before the damage is done .”

When Parliament resumes, Canada's New Government will introduce new legislation proposing Criminal Code amendments that will permit police to intervene at an earlier stage of criminal operations, before identity fraud or other crimes which actually cause financial or other harms are attempted or committed.

The Criminal Code currently covers offences involving the misuse of another person's identity information (such as personation and forgery), which are generally referred to as identity fraud. But the preparatory steps of collecting, possessing and trafficking in identity information are generally not captured by existing offences.

“Canadians are entitled to have their identities and personal information protected to the highest degree possible,” said Minister Blackburn. “That is why our Government will move quickly when Parliament returns to introduce legislation that targets identity theft.”

Canadians are concerned about becoming victims of identity theft, which has been identified as one of the fastest growing problems in North America and one that easily crosses borders. In 2006, almost 8000 victims reported losses of $16 million to PhoneBusters, the Canadian Anti-fraud Call Centre. Many more cases are thought to go unreported. The Canadian Council of Better Business Bureaus has estimated that identity theft may cost Canadian consumers, banks and credit card firms, stores and other businesses more than $2 billion annually.

Backgrounder: Identity Theft

Distinction between Identity Theft and Identity Fraud

While the term “identity theft” has no universal definition, it typically refers to the preliminary steps of collecting, possessing, and trafficking in identity information for the purpose of eventual use in crimes such as personation, fraud or misuse of debit card or credit card data. Identity theft can be contrasted with “identity fraud”, i.e., the subsequent actual deceptive use of the identity information of another person in connection with various crimes. Identity theft therefore takes place in advance of and in preparation for identity fraud, and constitutes the criminal use of information.

New Model of Crime

Canadian and U.S. law enforcement agencies have seen a growing trend in both countries towards greater use of identity theft as a means of furthering or facilitating other types of crime, from fraud to organized criminal activity to terrorism.

Also, instead of one person committing an offence, there may be a complex operation involving a number of different people. No one person may be individually responsible for committing an offence, but each may contribute a small part to the larger criminal operation. New legislation on identity theft will give police and prosecutors additional tools to address such complex criminal activities.

Scale of the problem

One incident of identity fraud may have many victims, from the person whose identity is stolen and whose credit rating and reputation may be damaged, to the commercial and financial institutions that may cover losses resulting from use of stolen information, to the Canadian taxpayer, who may be harmed when false identities are used to obtain government documents or benefits.

It is difficult to determine an accurate number of victims of identity theft or identity fraud because they are not always reported, and when they are, they may be reported to a number of different authorities or organizations. However, a November 2006 Ipsos-Reid survey indicated that 73 per cent of Canadians are concerned about becoming victims of identity theft, and 28 per cent say they or someone they know has already been a victim of identity theft.

Useful Tips on Identity Theft for Canadians

Office of the Privacy Commissioner of Canada: http://www.privcom.gc.ca/keyIssues/ki-qc/mc-ki-idt_e.asp

Royal Canadian Mounted Police: http://www.rcmp-grc.gc.ca/scams/identity_theft_e.htm

PhoneBusters: http://www.phonebusters.com/english/recognizeit_identitythe.html

Canada 's Office of Consumer Affairs: http://consumer.ic.gc.ca/epic/site/oca-bc.nsf/en/h_ca02226e.html

The Privacy Commissioner of Canada thinks the initiative is lacking:

News Release: Privacy Commissioner Welcomes Government Action on Identity Theft (October 2, 2007) - Privacy Commissioner of Canada

Privacy Commissioner Welcomes Government Action on Identity Theft Ottawa, October 2, 2007 – The federal government’s plan to amend the Criminal Code to better address identity theft is a welcome first step towards stopping the explosion of a costly and emotionally devastating fraud, says Jennifer Stoddart, the Privacy Commissioner of Canada.

“Canadians have reason to fear being the victim of identity theft,” says Commissioner Stoddart. “The financial repercussions of losing their personal information can be crippling, and can affect victims for years to follow. The problem of identity theft highlights the value of personal information and the need to protect it.”

“Today’s announcement is encouraging. It promises to provide law enforcement officers with the tools to pursue identity thieves or fraudsters before Canadians suffer actual financial harm,” says the Commissioner, who will be closely reviewing details of the government’s plan in the coming days.

While this is a welcome step, the Commissioner still believes that the federal government must develop a broad-based strategy for tackling this type of fraud.

A comprehensive strategy should also include, for example:

  • Measures to halt the dramatic proliferation of spam, which ID thieves often use to trick people into revealing personal information. Canada is the only G-8 country without anti-spam legislation.
  • A plan to address “pretexting” – where a fraudster tries to obtain personal information about an individual, such as financial or telephone records, by posing as that person or someone else authorized to have the information.
  • Reform of the badly out-of-date Privacy Act to ensure that personal information collected by federal departments and agencies is adequately protected.
  • More extensive public education campaigns aimed at helping Canadians better protect their personal information.

Past efforts to combat identity theft and fraud using personal information have been hampered by a lack of coordination among various government departments and agencies, the provinces, law enforcement agencies and private-sector organizations.

As the Commissioner told the Standing Committee on Access to Information, Privacy and Ethics in May 2007: “We need better information about identity theft. One reason for the lack of information is the lack of a centre of responsibility. Everyone is interested in preventing identity theft, but no one has overall responsibility for doing anything about it,” said the Commissioner.

The Privacy Commissioner’s submission to the committee is available at http://www.privcom.gc.ca/parl/2007/sub_070508_e.asp.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.