Friday, December 19, 2008

Privacy and internet log files

Just posted on slaw.ca:

In the past two weeks, the New York Times reported that Microsoft has made a minor concession with European privacy authorities about how long it retains its log files. A committee of European privacy regulators had asked that these logs be kept for only six months. Microsoft's response? Eighteen months.Yahoo used to keep them for thirteen months and just announced it will cut retention to 90 days. Google keeps them for nine.

The privacy implictions of these innocuous log files have been underestimated, particularly when you think about the fulsome picture of your private life that companies like Google may be assembling about you. The information in an ordinary web-server log usually contains the just a tid-bit of information. One "hit" on a website may look like this (but all on one line):

127.0.0.1 - frank 
[10/Oct/2000:13:55:36 -0700] 
"GET /apache_pb.gif HTTP/1.0" 200 2326 
"http://www.example.com/start.html" 
"Mozilla/4.08 [en] (Win98; I ;Nav)" 

The first bundle of numbers is the IP address of the computer that requested a particular web-page. "Frank" refers to a userid, which is usually not eabled. The next field is the date" Following that, and usually preceded by "GET" is the command your web-browser sent to the server. The next bits are the status code returned by the server and then the size of the entity requested. Next is something called a "referer" (mis-spelled) , followed by details about your browser.

Since many people often share the same IP address (it could be one IP for an entire company or just a group of people in a house using the same internet connection), some have argued it is not personal information and a log-file doesn't contain personal information. The problem is that even if an IP address is not directly connected to one individual, one can do some easy analysis to make the connections. After AOL released supposedly de-identified search logs to researchers, an intrepid reporter was able to track down at least one of the users who had some very personal health-related searches in the logs (see: Users identifiable by AOL search data).

What's additionally troubling from a privacy point of view is that the large inernet companies, like Google, Yahoo and Microsoft, don't just have your search queries. Increasingly, they have a huge trove of data sources in their logs.

Take Google, for example. Google has their famous Google search. They also have GMail, Google Analytics, Google AdSense, Google Documents, Google Toolbar and more. Each time you "hit" one of their sites, you're in their logs. Most internet users hit Google's logs dozens of times a day and on many of those occasions aren't even aware that they're using a Google service. Google has what is probably the most popular and widely used network of online advertising: AdSense. Each time you go to a website that features Google's ads, your computer sends a request to Google's servers and that "hit" goes into their logs, along with the information about what site you were visiting, when you visited and what ad was served. If you click on the ad, even more information is collected and logged. But even if you don't visit a site with Google's ads, there's a very good chance that the webmaster is using Google Analytics to find out about useage of his or her site. (Full disclosure: I use Google Analytics for my site at www.privacylawyer.ca.) I should also note that Yahoo! and MSN also have advertising networks, which collect the same sort of information.What this means is that Google, Yahoo and Microsoft register in their logs a significant portion of your usage of the internet.

And if you have a Google, Yahoo! or MSN account, that hit can be connected to your account details, includig your name.

I don't think it's too far fetched to think of a day when it will become standard for all investigations involving the internet to inlcude a warrant served on Google or Yahoo! or Microsoft for all logs related to a particular user or IP address or both.

Next week, I'll discuss efforts being made by governments and law enforcement to make log rentention mandatory.

Monday, December 15, 2008

A Christmas story from the Commissioners

T'was just weeks before Christmas

T’was just weeks before Christmas, and all through the land privacy commissioners were taking a stand.

While shoppers were lined up to purchase their treasures, The commissioners were urging them to take privacy measures.

Protecting your personal information should be top of mind, To ensure ID thieves don’t leave you in a bind.

Amidst the crowds and noise and the Christmas clatter, You are reminded that ID theft and fraud is a very serious matter.

If possible purchase your goods with cash, and make sure your receipts don’t end up in the trash.

Shred receipts, sales records and other personal information, And ask plenty of questions when asked to produce identification.

Clear your mailbox every day, carry a minimum amount of ID, And keep your SIN to yourself, to avoid financial agony.

The Commissioners have tips for retailers as well, Tips to protect the information of their Clientele.

If you don’t need it, don’t collect it the commissioners advise, Protecting your customer’s information is prudent and wise.

Shred what you don’t need and protect the rest, And make sure point of sale terminals are visible to guests.

Keep all information away from prying eyes, So your customers don’t get a nasty surprise.

From BC, Alberta and Ottawa too, We hope these tips will keep personal information from bidding adieu.

From all who provide privacy oversight, One last reminder...make sure your credit card is always in sight.

Wednesday, December 10, 2008

The importance of audits

Bruce Schenier has a great piece on his blog, which previously appeared in the Wall Street Journal, on the importance of audits. It's a must-read:
Schneier on Security: Audit

... When we think about security, we commonly think about preventive measures: locks to keep burglars out of our homes, bank safes to keep thieves from our money, and airport screeners to keep guns and bombs off airplanes. We might also think of detection and response measures: alarms that go off when burglars pick our locks or dynamite open bank safes, sky marshals on airplanes who respond when a hijacker manages to sneak a gun through airport security. But audit, figuring out who did what after the fact, is often far more important than any of those other three.

Most security against crime comes from audit. Of course we use locks and alarms, but we don't wear bulletproof vests. The police provide for our safety by investigating crimes after the fact and prosecuting the guilty: that's audit....

Sunday, December 07, 2008

Intel, Google Asked to Help Revise EU Data Protection Laws

This is interesting ...

Intel, Google Asked to Help Revise EU Data Protection Laws (PC World) by PC World: Yahoo! Tech

Intel, Google Asked to Help Revise EU Data Protection Laws (PC World)

Posted on Fri Dec 5, 2008 6:55PM EST

- The European Commission has set up an advisory panel including executives from Google and Intel to help it revise European Union laws on data protection.

"The aim of the group is to identify issues and challenges raised by new technologies. We are not reviewing the main data protection laws at present, but this could be a first step," said European Commission spokesman Michele Cercone.

He added that the executives were chosen in a private capacity, rather than as representatives of their companies.

Peter Fleischer, Google global privacy counsel, along with David Hoffman, Intel's group counsel for eBusiness and privacy will sit alongside data protection lawyers and regulators on the panel, which held its inaugural meeting Thursday.

"I am delighted to have been asked," Fleischer told journalists.

Many aspects of the existing E.U. legislation have been made obsolete by advances in technology, Fleischer said, referring to the E.U.'s cornerstone law, the 1995 data protection directive.

He will urge the Commission to adopt a system where companies only have to deal with one national data protection authority, instead of having to meet the demands of all 27, as they do at present.

"There is a need for harmonization of data protection enforcement in Europe," he said, adding that a system of mutual recognition among national authorities will go a long way in achieving that aim.

He also will try to persuade the Commission to move away from a location-based approach. "It worked when data was stored on paper, but with the Internet that concept is obsolete because data travels around the world and is commonly stored in many different locations at once. There is a strong need for data protection laws to take the new technology into consideration," Fleischer said.

He pointed to Canada's approach, which is not location-based, but calls on data controllers, such as companies, to be responsible for data safety.

Finally, he wants data protection laws to apply to public institutions as well as to private companies, pointing out that some of the most serious threats' to potential threats to people's data and their privacy are posed by governments, not corporations. The 1995 law only applies to the private sector.

Privacy campaign groups are critical of Google's own approach to privacy. However, none were available to comment.

Friday, December 05, 2008

Privacy Commssioner focuses on protection of personal information in accessible tribunal records

Just posted on Slaw, but like of interest to readers of this blog:

Slaw: Privacy Commssioner focuses on protection of personal information in accessible tribunal records

by David T. S. Fraser on December 5th, 2008

Yesterday, the Privacy Commissioner of Canada tabled her annual report on the Privacy Act. While she came down hard on a number of federal bodies such as the passport office, one aspect of the report should be of interest to lawyers generally.

The Commissioner reports on a whole range of complaints against tribunals and quasi-judicial bodies for publishing sensitive personal information about parties and non-parties. Decisions and tribunal records have always contained such information, but now that more of these decisions are readily available online, complainants are not happy that searching for their names online will bring up these decisions in the results.

The Commissioner is hampered by the fact that she can’t order them to change their practices and that many of the disclosures are arguably permissible under the Privacy Act. In any event, she has issued a number of recommendations that have been ignored by many of the tribunals at issue:

  • Reasonably depersonalize future decisions that will be posted on the Internet through the use of randomly assigned initials in place of individuals’ names; or post only a summary of the decision with no identifying personal information.
  • Observe suggested guidelines respecting the exercise of discretion to disclose personal information in any case where an institution proposes to disclose personal information in decisions in electronic form on the Internet.
  • Remove decisions that form the basis of the complaints to the OPC from the Internet on a priority basis until they can be reasonably depersonalized through the use of randomly assigned initials and re-posted in compliance with the Privacy Act.
  • Restrict the indexing by name of past decisions by global search engines through the use of an appropriate “web robot exclusion protocol;” or remove from or reasonably depersonalize all past decisions on the Internet through the use of randomly assigned initials, within a reasonable amount of time.

And in case you were thinking this may sound somewhat familiar, the Canadian Judicial Council tackled this issue in its 2005: Use of Personal Information in Judgments and Recommended Protocol (PDF).

European court rules retention of innocents' DNA is illegal

The European Court of Human Rights has ruled that the indiscriminate retention of DNA samples by UK law enforcement is illegal. See: Spy Blog - ECHR judgment on the Marper case - rules that UK Government and Police indefinate retention of innocent people's tissue samples, DNA profiles and fingerprints is illegal.

Privacy right extends to drugs in luggage

A Judge of the Supreme Court of Newfoundland has made an interesting evidentiary ruling when considering the constitutionality of a search that resulted in finding drugs and cash in the luggage of an airline passenger.

Acting on a tip, a sniffer dog alerted police, the bag was searched and the accused was arrested. He has argued that he had a reasonable expectation of privacy in his luggage and wanted the evidence excluded. The prosecutors argued that you have no expectation of privacy when traveling because luggage is routinely screened.

The Judge had this to say, according to the National Post:

"Obviously, searching or screening the accused's bags for the presence of drugs does not fit into the category of purposes for which screening was authorized," wrote Mr. Hall.

"I conclude that Brian Crisby had a reasonable expectation of privacy with respect to the contents of his luggage, save and except for searches by [airport] personnel for items that could be used to jeopardize the security of an aerodrome or aircraft. The drugs and money found in his baggage, which are the subject of this proceeding, are not such items and thus Brian Crisby had a reasonable expectation of privacy."

Mr. Rogers described the win as clearing the first hurdle toward having the charges dropped.

Interesting.

See: Privacy right extends to drugs in luggage: judge.

Thursday, December 04, 2008

Federal Commissioner tables annual report on Privacy Act

The Federal Privacy Commissioner has today tabled her annual report on the Privacy Act. And she isn't happy with how certain government departments handle personal information:

News Release: Privacy issues given short shrift in passport operations and tribunal Internet postings, Commissioner says (December 4, 2008) - Privacy Commissioner of Canada

News Release

Privacy Commissioner’s 2007-2008 Annual Report to Parliament on the Privacy Act outlines audit of Passport Canada; investigative findings regarding online posting of personal information by administrative and quasi-judicial bodies

Ottawa, December 4, 2008 — Privacy concerns are not given enough weight in the day-to-day operations of a number of federal government institutions, the Privacy Commissioner of Canada says.

The Commissioner’s latest Annual Report to Parliament on the Privacy Act, which was tabled today, describes how privacy and security problems in Canada’s passport operations added up to a significant risk for Canadians applying for passports.

The annual report also highlights the Commissioner’s concerns that the online posting of personal information by some federal administrative and quasi-judicial bodies does not strike the right balance between the public interest and privacy rights.

Privacy Commissioner Jennifer Stoddart says her Office’s audit of passport operations raised a broad range of concerns about how personal information was handled.

“Given the high sensitivity of the personal information involved in processing passport applications, better privacy and security measures are needed,” says Commissioner Stoddart. “Unfortunately, the shortcomings we found raised the risk that Canadians’ information could wind up in the wrong hands.”

The audit found that passport applications and supporting documents were kept in clear plastic bags on open shelves; documents containing personal information were sometimes tossed into regular garbage and recycling bins; and some documents that were shredded could be easily put back together. Meanwhile, computer systems allowed too many employees to access passport files. The investigation also concluded there was inadequate privacy training for employees – an issue which is a concern across government institutions.The Commissioner is pleased that Passport Canada and the Department of Foreign Affairs and International Trade have indicated they will act on her recommendations and improve privacy and security safeguards.

The annual report also outlines the Commissioner’s concerns about the online posting of federal administrative and quasi-judicial bodies’ decisions which contain highly sensitive personal information.

The OPC investigated 23 complaints regarding the disclosure of personal information on the Internet by seven bodies created by Parliament to adjudicate disputes. The complaints involved: the Canada Appeals Office on Occupational Health and Safety; the Military Police Complaints Commission; the Pension Appeals Board; the Public Service Commission; the Public Service Staff Relations Board; the RCMP Adjudication Board; and Umpire Benefits decisions.

Decisions of these bodies often include highly personal information such as an individual’s financial status, health and personal history.

“This is private information. Law-abiding citizens fighting for a government benefit should not be forced to expose the intimate details of their lives to everyone with an Internet connection,” says Commissioner Stoddart.

The Commissioner agreed that the “open court” principle is an important part of Canada’s legal system, but noted there is a crucial distinction between the courts and the bodies the OPC investigated: The Privacy Act does not apply to the courts, but it does apply to many administrative tribunals and quasi-judicial bodies.

In order to respect their obligations under the Privacy Act, the Commissioner recommended, among other steps, that the bodies reasonably depersonalize decisions posted online by replacing names with random initials. However, the Commissioner noted that, where there is a genuine and compelling public interest in such a disclosure, these bodies have the legal authority under the Act to exercise discretion in disclosing personal information.

Service Canada and Human Resources Development Canada agreed to fully implement the OPC’s recommendations. Other bodies took important but incomplete steps towards compliance with the Commissioner’s recommendations.

Currently, unlike its private-sector counterpart, the Privacy Act does not empower the Privacy Commissioner to enforce her recommendations through legal actions. The OPC has recommended an overhaul of the legislation to address this and other concerns.

The OPC has also asked Treasury Board Secretariat to develop centralized policy guidance on the online posting of personal information by administrative and quasi-judicial bodies.The annual report outlines key activities undertaken by the OPC during 2007-2008, including audits, investigations and policy work. The report notes that new complaints against government institutions dropped slightly to 759 in 2007-2008 from 839 the previous year.

The report is available on the OPC website.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

Wednesday, December 03, 2008

Privacy Commissioner's 2007-2008 Annual Report to be tabled

The Commissioner is going to be tabling her annual report on the Privacy Act before parliament tomorrow:

CNW Group OFFICE OF THE PRIVACY COMMISSIONER OF CANADA Media Advisory - Privacy Commissioner's 2007-2008 Annual Report to be tabled

OTTAWA, Dec. 3 /CNW Telbec/ - The Privacy Commissioner of Canada's 2007-2008 Annual Report to Parliament on the Privacy Act is expected to be tabled in Parliament on Thursday, December 4, 2008.

The report will highlight:

  • Findings of an audit of Canada's passport operations;
  • Investigative finding related to complaints about several federal administrative tribunals and quasi-judicial bodies posting decisions containing highly sensitive personal information to the Internet;
  • The Commissioner's call for improved privacy training in the federal government; and
  • Other investigations, audits and policy work undertaken by the Office of the Privacy Commissioner.

After the report is tabled, copies will be available to the media through the Parliamentary Press Gallery and on the Privacy Commissioner's website at www.privcom.gc.ca.

Privacy commissioner urged to probe Tory eavesdropping

This may be a legitimate complaint, but a futile one under the Privacy Act:

TheStar.com Canada Privacy commissioner urged to probe Tory eavesdropping

Dec 03, 2008 03:18 PM

OTTAWA — A public interest researcher has filed a formal complaint with Privacy Commissioner Jennifer Stoddart, charging top prime ministerial aides, a parliamentary secretary and an MP with "serious breaches" of the privacy laws.

Ken Rubin is asking Stoddart to investigate the eavesdropping, recording and distribution of a New Democratic conference call by a Conservative MP last weekend about a proposed alternative coalition government.

The office of Prime Minister Stephen Harper claimed that the MP was "invited" to participate by email, but the NDP suggested Conservative MP John Duncan mistakenly received an email intended for their MP Linda Duncan, and should not have participated in the call, let alone tape it.

The party has asked the RCMP to investigate whether an offence under the Criminal Code occurred.

Rubin contends that even if criminal law wasn't broken, there were serious breaches of privacy by a government that has claimed it would fight identity theft with tougher criminal code provisions.

In a letter sent to Stoddart today, Rubin writes that provisions in privacy legislation "mean you cannot collect or share personal information or conversations of others that you are not a legitimate party to."

He alleges several breaches, all related to the "wrongful" and wide distribution to the media of the contents of the conference call "by a government entity (who receives significant taxpayers' monies)."

He suggests it is a case of potential "identity theft" when a person (in this case one elected MP) "allegedly assumes the identity of another elected MP with the same last name, whether there was a mix up in the communications sent or not."

Rubin described himself as "both a privacy and access to information advocate with no partisan axe to grind."

He urged an investigation by Stoddart, the Ethics Commissioner, and a Parliamentary committee, reminding Stoddart of her advocacy for stronger protections against identity theft.

"No public official should be seen to be or partake in any such activity."

"These privacy breaches are all the more onimous when they are carried out by the central state and with the Prime Minister's Office in the lead. This is the very institution whose elected head and parliamentary secretary (Pierre Poilievre, who commented on the call) are supposed to be leaders in upholding Canadians' privacy protections."

Rubin acknowledged the PMO is not "directly covered under either privacy or access legislation."

But he reminded Stoddart that Ontario ministers have had to resign in the past when they misused personal data derived from government institutions.

"Someone in this case needs to be held accountable and to offer Parliament and the appropriate parliamentary committee an explanation."

"It is disturbing too to see that on one hand, the government denies public access to much of its key operations, including the PMO. But it then feels it can gain intelligence on the operations of others by using deceptive means."

Dimitri Soudas, a spokesman for the Prime Minister's Office, said "no comment" in response to a request from the Star.

Meantime, Rubin's complaint my reach a dead end.

Valerie Lawton, a spokesperson for Stddart, said in an emailed: "The Privacy Act does not cover political parties or members of Parliament."

The privacy commissioner also does not have jurisdiction over either political parties or MPs.

Tuesday, December 02, 2008

Slaw Makes the ABA’s Top 100 List of Legal Blogs

Congratulations to Slaw, the Canadian collaborative weblog of all things legal on being named to the American Bar Association's Top 100 list of blogs. Very cool. See: Slaw: Slaw Makes the ABA’s Top 100 List.

Collection of Driver’s Licence Numbers Under Private Sector Privacy Legislation

The Canadian, Alberta and British Columbia Privacy Commissioners have today jointly released a guidance document on the collection of drivers' license information by retailers.

It's here: Collection of Driver’s Licence Numbers Under Private Sector Privacy Legislation - Privacy Commissioner of Canada.

And here's the media release:

Retailers must limit collection of driver's licence information, Commissioners say

Ottawa, December 2, 2008 - Retailers have to exercise caution when it comes to collecting information from consumers' driver's licences and recording the numbers, according to three of Canada's privacy guardians. And Canadians are concerned about this growing trend.

To address consumers' unease and retailers' confusion, the Privacy Commissioner of Canada and the Information and Privacy Commissioners of Alberta and British Columbia today released new guidance on this issue.

"More and more retailers are asking to see driver's licences and are recording numbers, often in contravention of privacy laws," says the federal Privacy Commissioner, Jennifer Stoddart.

The new guidelines will help retailers determine whether it is appropriate to collect driver's licence numbers.

Retailers say they are asking for driver's licence information for a number of reasons. For example, they use it to verify the identity of someone using a credit card or picking up merchandise that has already been paid for. Many also use driver's licence numbers to deter and detect fraud, particularly when merchandise is being returned without a receipt.

"A driver's licence is proof that someone is allowed to drive a car. It is not a universal identity card. Nor is it an appropriate identifier for use in analyzing shopping return habits," says B.C. Information and Privacy Commissioner David Loukidelis.

The Commissioners noted that a driver's licence number is a particularly sensitive piece of information which can be valuable to identity thieves.

All three Commissioners have received many complaints about retailers requesting driver's licence information.

"Many Canadians are uncomfortable with retailers recording their driver's licence numbers. In most cases, we agree that this going too far," says Frank Work, Alberta's Information and Privacy Commissioner.

Polling by the Office of the Privacy Commissioner of Canada has found that more than half of Canadians say they are concerned about giving their personal information to retailers.Alberta, British Columbia and Quebec have adopted privacy laws covering the private sector. Everywhere else in Canada, federal privacy legislation applies.

The common criteria in all this legislation requires that the collection of the personal information from the driver's licence must be for a specific and reasonable purpose.

Retailers need to limit the collection of personal information to the least amount needed to achieve a specific purpose – such as confirming a customer's identity. They must be able to explain to customers why they are collecting this information. They are also required to protect it with appropriate security measures.

The new guidelines explain that many business purposes can be satisfied by simply looking at identification, or, at most, recording the name and address appearing on the licence.

There is a major difference between examining a driver's licence and recording the number on it – or even photocopying the whole document. Recording this kind of sensitive information raises the risk of a privacy breach down the road, while a photocopy involves the collection of information well beyond a name and address, including a photo, signature and physical descriptions.

"Retailers want to foster good relationships with their customers, and they understand that respecting their privacy is a key issue. These guidelines help clarify the rules for both consumers and retailers, and we encourage all our members to ensure that they put the appropriate practices in place," says Derek Nighbor of the Retail Council of Canada.

Consumers should ask for an explanation of why their driver's licence information is being requested – particularly when a retailer attempts to record the number or photocopy the licence. If consumers are not satisfied with the explanation, they can ask to speak to a manager or the person responsible for privacy issues.

Consumers can also contact the appropriate Privacy Commissioner's Office if they still have doubts about whether the collection of their personal information is appropriate.

The guidelines are available on the Commissioners' websites: http://www.privcom.gc.ca/; http://www.oipc.ab.ca/; and http://www.oipcbc.org/.

Collection of Driver's Licence Numbers Under Private Sector Privacy Legislation – A Guide for Retailers (PDF Version)

Canada's Privacy Commissioner Launches 6th Annual Privacy Research Contributions Program

The Commissioner has launched the sixth year of the research contributions program. From the Government of Canada website:

Canada's Privacy Commissioner Launches 6th Annual Privacy Research Contributions Program

Ottawa, December 1, 2008 — The Office of the Privacy Commissioner of Canada (OPC) today announced the launch of the 2009-2010 privacy research Contributions Program. This is the sixth year for the annual program, and up to $500,000 in funding will be available for research, as well as public education and awareness initiatives.

The OPC is inviting research proposals focused on four key privacy priority areas: 1) national security; 2) identity integrity and protection; 3) information technology; and 4) genetic privacy.

Last year, for the first time, the OPC expanded the program to include funding for public education and regional outreach initiatives as well. The response to this new aspect of the program was very positive and yielded a number of innovative initiatives across Canada. In recognition of this success, the Office will continue to provide public education and regional outreach funding as part of the 2009-2010 Contributions Program.

Created in 2004 to support non-profit research on privacy that furthers the development of a national research capacity in Canada, the Contributions Program is highly regarded internationally and considered one of the foremost privacy research funding programs in the world. To date, the program has allocated over $1.5 million to more than 40 initiatives in Canada.

In an effort to give researchers and organizations more time to complete their projects, the OPC is launching this year’s program earlier than in the past. The new deadline for applications has been set for January 30, 2009. We expect to have agreements in place by the end of March 2009.

Information about the four priority areas and how to apply for funding is posted on the Office of the Privacy Commissioner’s Web site. Project summaries of past successful applicants are also available on the site.

All proposals will be evaluated on the basis of merit by OPC officials, and the maximum amount that can be awarded for each research or public education project is $50,000. The maximum any single organization can receive is $100,000.

The Office of the Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy rights in Canada.

Sunday, November 30, 2008

Canada steps back from giving bulk "secure" drivers license data to US

According to the Canadian Press, Ottawa has quietly shelved plans that would have provided American authorities with personal information in bulk about the holders of so-called secure (read: chipped) drivers' licenses. The MOU with the American authorities would allegedly limit them to using it for cross-border purposes, but there's no way of enforcing that once the info is in the hands of US officials. See: The Canadian Press: Canada backpedals on sharing personal database with U.S.

Privacy and your digital data trail

Today's New York Times has a very interesting article on "sensor data" (such as your cell phone, blackberry, GPS, etc) and privacy. It starts with a discussion about an experiment giong on at MIT were researchers are minutely tracking study participants and goes through a range of privacy issues about the digital data trail that we leave in our wake every day.

There's an interesting quote from the MIT researcher who suggests that wider access to telemetry data may be in the public good:

At the same time, he argued that individual privacy rights must also be weighed against the public good.

Citing the epidemic involving severe acute respiratory syndrome, or SARS, in recent years, he said technology would have helped health officials watch the movement of infected people as it happened, providing an opportunity to limit the spread of the disease.

“If I could have looked at the cellphone records, it could have been stopped that morning rather than a couple of weeks later,” he said. “I’m sorry, that trumps minute concerns about privacy.”

See: You’re Leaving a Digital Trail. What About Privacy? - NYTimes.com.

Saturday, November 29, 2008

Nova Scotia startup seeks to build on privacy law advantage

A client company, Bastionhost Ltd., held a mini-summit earlier this week seeking to expand its vision of building data centres in Nova Scotia. A key part of its value proposition is the regulatory climate in Canada, paticularly its privacy laws that are deemed adequate under European Data Protection law and alow millisecond access to American markets without having the data accessible under laws like the USA Patriot Act.

Here's the press release for the event

PRESS RELEASE: FOR IMMEDIATE RELEASE Monday, December 1st, 2008

IT start-up Bastionhost announces initiative to attract business to Atlantic Canada Dataville, Canada

This economic downturn could provide an unprecedented opportunity for the Nova Scotia information technology sector, a technology entrepreneur told a Leadership and Innovation Mini-Summit held at the Halifax Club last week. The current economic crisis presents the Atlantic region with a unique business advantage, said Anton E. Self, founder and CEO of Halifax-based IT startup Bastionhost.

Self unveiled an ambitious strategy he calls "Creating Dataville" to develop a data centre industry in the province. Data centres are a fast-growing sector as corporations and governments struggle to store the massive amounts of information that underlie much of the economy.

"Massive losses stemming from the mortgage loan crisis have driven major financial institutions and enterprises with offices in both New York and London to look for ways to slash operating costs," said Self. "Their losses can be Nova Scotia's gain. Why pay millions to operate two backup data centres in North America and Europe, when one in Dataville will do?"

Self, announced his company's project to put Nova Scotia on the technological map by establishing a system of data centres and digital media storage facilities in the province.

"We can build a new billion dollar industry right here in Nova Scotia," he said, highlighting the region's dense and established infrastructure and relative affordability. "But we need to invest in improving and integrating our critical infrastructure here, now, if we are to seize the moment and realize our tremendous potential as a leading global data haven."

He said that Nova Scotia's location directly in-between New York City and London, England makes it an ideal location for catering to businesses on both continents from a single site, while taking advantage of multiple high speed fiber-optic cables already in place beneath the Atlantic Ocean.

The costs to build, maintain, and staff data centres in Nova Scotia are a fraction of those in most places in North America where this high-margin sector has taken hold, he said.

Nova Scotia's share of global ICT is about 0.3%, Jason Powell, Chairman of the Information Technology Association of Nova Scotia, told the gathering. He suggested that with more co-operation among companies, Nova Scotia could increase its share to 0.5% or even 1%, which would make a huge impact on the province's economy. "I know we've got the talent here," he said "Why can't our goal be to have IT be to Nova Scotia what energy is to Alberta?"

The province has all the tools to make this happen, he said, despite the fierce competition from low-cost countries such as India. "Innovation isn't about technology but about creativity mixed with business thinking," he said.

Privacy law expert David Fraser argued that Canada's and Nova Scotia's strong privacy laws offer another inherent advantage to the data centre sector, especially since the United States passed the USA Patriot Act in the wake of 9/11. He said, "we can become an information Switzerland."

Self also said that as the local financial services and IT sectors grow, companies are having trouble finding up-to-date data centres in this region. "There's a backlog of demand for adequate facilities, which is necessary infrastructure for attracting and retaining world-class companies. When our policymakers talk about the need to invest in Atlantic Gateway infrastructure, they mean transportation and shipping. But our most valuable commodity is data. To become a more significant global player we must integrate our technology assets and human resources and get the word out to our markets."

////////////////////////////////////////////////////////

Also speaking as part of the mini-summit was April MacLeod, a student employment and placement expert. All four spoke of the advantages of doing business in the Atlantic region, and highlighting niche technology skills, a large student population and potential workforce, and top-notch privacy laws not available in the US, vital to international data storage.

The crowd of more than 60 people who gathered for the talk included prominent business people from the Butterfield Fulcrum Group, Flagstone, Nova Scotia Business Inc, Halifax Finance, The Greater Halifax Partnership, Eastlink, Aliant, Armour Group, McInnes Cooper and Nicom IT Solutions, among many others. Allan Shaw, of The Shaw Group and former Premier, now Senator, John Buchanan were also in the audience.

Self invited attendees to "create Dataville with us" by joining forces to develop business in cities like New York and London. "Working together as partners, allies and friends we can win some serious business," he said. "As one Anton, I can only do so much heavy-lifting. But collaboratively, like 50 ants carrying a coconut, we can raise Nova Scotia to new heights."

Media contacts:

Anton E. Self

Founder and Chief Executive, Bastionhost Ltd.

(902) 482-6466

Anton.self (at) bastionhost.com

http://www.bastionhost.com/

Jason Powell

Chairman, Information Technology Association of Nova Scotia

(902) 221-1973

jkpowell (at) usa.net

http://www.itans.ns.ca/

David T. S. Fraser

Chair, Privacy Law Practice Group, McInnes Cooper

(902) 444-8535

David.fraser (at) mcinnescooper.com

http://www.privacylawyer.ca/

David Holt

Secretary of the Board, Bastionhost, Ltd.

(902) 401-5226

David.holt (at) bastionhost.com

Friday, November 28, 2008

Slaw: New US air security rules may cause problems for Canadian passengers

Just posted on Slaw.ca:

Slaw: New US air security rules may cause problems for Canadian passengers

The Canadian Press is reporting that the planned extension of US passenger screening is going ahead next year. Unlike existing rules, which require airlines to provide passenger information for flights headed to the US, the new rules will require them to provide this information even if the flight is only traversing US airspace. (See: The Canadian Press: New U.S. air security rules create turbulence in Canada.)

This raises a whole host of issues, particularly on the privacy front. The names are being scrubbed against the US no-fly list, which is notoriously of dubious quality. It has interfered with the travel plans of infants and a US Senators. It also includes the name of a certain Canadian who has been proven by a public inquiry to not be a terrorist. How many Canadians will be prevented from completing their travels to non-US destinations because they have a name similar to one on the no-fly list? I guarantee that no Canadian airline will change their route to avoid American airspace so that a passenger can be accommodated.

In addition, how is the information going to be used? Will it go into a massive database to be mined for future uses? Will US authorities force aircraft to land to arrest a passenger who is not a terrorist threat, but is otherwise wanted? Will there be a list of Canadians who regularly (and completely lawfully) travel to the embargoed island of Cuba?

This is a real conundrum. One can wave one’s arms in the air and yell about privacy, but the fact remains that the United States has sovereignty over its airspace and can refuse access for whatever reason it wants. It can put conditions on that access. At the end of the day, if you want to travel and your flight takes you through their airspace, this is one of those conditions.

Wednesday, November 26, 2008

Legal ethics and metadata, 2008 edition

In Febrauary of '06, I linked to a post by Jim Calloway on Metadata (Jim Calloway's Law Practice Tips Blog: The Mysteries (and Magic) of Metadata). Jim just wrote to tell me he's posted an update with more recent authority on legal ethics and metadata: Jim Calloway's Law Practice Tips Blog: The Ethics of Metadata 2008. Check it out.

Pre-employment polygraph screening

While my blog was down, I wrote on slaw.ca about an interesting story from Nova Scotia that made national news. For those who missed it on slaw, here it is:

Slaw: Pre-employment screening

A recent story from Nova Scotia has focused a lot of attention on pre-employment screening and the use of polygraphs. Hopefully, it will encourage a larger discussion on both sides of the issue.

According to media reports, anybody applying for a job that falls within the purview of the Halifax Police Service and Fire Service is required to pay for a polygraph examination that includes a range of questions, some of which have been considered to be objectionable. (See the full questionnaire here (pdf).)

Others have objected to the use of a polygraph, as many assert it is not a reliable indicator of truthiness truthfulness. (If you want a refresher on how Canadian courts are to treat polygraphs, check out R. v. Béland, 1987 CanLII 27 (S.C.C.)).

The media coverage has been plentiful, from the local papers to CBC's The National (Quicktime). The former FOIPOP Review Officer has made his thoughts known (Ex-watchdog: Ditch polygraphs) as has his successor Dulcie McCallum (Nova Scotians deserve same privacy protection as others).

Any debate and discussion is a good thing. It should, hopefully, focus the mind on one of the principes of privacy best practices that appears in almost every public and private sector privacy law: only collect information that's reasonably necessary for the (reasonable) purposes. If it's not necessary or not reasonable, don't collect it. Other important principles to consider: who has access to the information, how is it used and how long is it kept around?

And now for something completely different somewhat relevant, yet inadmissible:

Here's CBC The National's report:

Tuesday, November 25, 2008

Connecticut librarian requires a warrant in library child pornography investigation

The Republican-American of Connecticut has an interesting story about a vigilant and diligent librarian who required a court order before handing over computer records after a complaint that a patron had been using a library computer to view child pornography. Her two reasons were (i) to protect the privacy of all library patrons and (ii) to make sure that if the patron had been using the computer unlawfully, the evidence would be admissible. See: The Republican-American Porn complaint hits Waterbury library.

Verizon sacks employees for peeking at Obama's phone records

According to the Internet News, Verizon employees who took a peek at Barak Obama's e-mails have been sent packing: InternetNews Realtime IT News - Verizon Staff Fired After Peek at Obama's Calls. Interestingly, Patrick Leahy (chair of the Senate Judiciary Committee) is using this to call upon the Justice Department to account for the efficacy of the Telephone Records and Privacy Protection Act of 2006.

The Future Privacy Forum launched in Washington

There's a new privacy organization setting up shop in Washtington, DC. Initially funded by AT&T, the Future of Privacy Forum seems to be pushing for transparent consumer choice:

About the Future Privacy Forum : FUTURE OF PRIVACY FORUM

The Future of Privacy Forum (FPF) is a think tank led by privacy experts Jules Polonetsky and Christopher Wolf and includes an Advisory Board comprised of leading figures from industry, academia, law and advocacy groups. The Future of Privacy Forum’s initial underwriter is AT&T. We invite and welcome the support of other companies committed to advancing privacy practices.

FPF advocates for privacy advances that promote transparency and user control in a manner that is practical for business to implement to ensure personal autonomy for all who seek to embrace the benefits of our digital society.

Some additional coverage: A skeptical welcome for online privacy forum.

Facebook wins $873M judgment against spammer

Facebook has just won a multi-multi-million dollar judgment against a Montreal residet under the American CAN-SPAM Act after the individual was accused of sending millions of unsolicited commercial e-mails to Facebook users. The company will never see most of the cash, but Facebook has said they'll go after all they can.

Hopefully, this will be a strong, visible deterrent.

See: The Associated Press: Facebook wins $873M judgment against spammer.

Monday, November 24, 2008

Making privacy practices meaninful

A client pointed me to this great post, with which I couldn't agree more.

After discovering that, by default, friends of friends who comment on Facebook-posted pictures get access to the full album of photos, the author writes:

apophenia: Putting Privacy Settings in the Context of Use (in Facebook and elsewhere)

... Tech developers... I implore you... put privacy information into the context of the content itself. When I post a photo in my album, let me see a list of EVERYONE who can view that photo. When I look at a photo on someone's profile, let me see everyone else who can view that photo before I go to write a comment. You don't get people to understand the scale of visibility by tweetling a few privacy settings every few months and having no idea what "Friends of Friends" actually means. If you have that setting on and you go to post a photo and realize that it will be visible to 5,000 people included 10 ex-lovers, you're going to think twice. Or you're going to change your privacy settings....

Making people think? Good idea.

When privacy has been characterized as minimizing surprises, if you fully let people know what they're doing (particularly when it is somewhat behind the veil of not-well-understood technology) you're doing your job.

Federal Court of Appeal upholds disclosure of eBay PowerSeller records to CRA

In September of last year, I blogged about a decision of the Federal Court of Canada that ordered eBay to hand over to the Canada Revenue Agency information about Canadian "power sellers". (See: Canadian Privacy Law Blog: Federal court orders disclosure of eBay PowerSeller records to Canada Revenue Agency.)

That decision was appealed to the Federal Court of Appeal, which upheld the decision on November 7, 2008:

eBay Canada Ltd. v. Canada (National Revenue), 2008 FCA 348 (CanLII)

...

[46] In order to induce compliance with a requirement, subsection 231.6(8) provides that a judge may prohibit a person who has failed to comply substantially with the requirement from relying on foreign-based information covered by it in a civil proceeding relating to the enforcement or administration of the Act.

[47] The scheme of section 231.6 suggests that Parliament was concerned that it could be unduly onerous for a person to be required to produce material located outside Canada and in the possession of another person, and that the section may operate in an unduly extraterritorial manner. While these concerns may be taken into account on a review by a judge for unreasonableness, they are largely irrelevant to the information (bulky as it may be) that is the subject of the requirement in the present case.

[48] This is because, with the click of a mouse, the appellants make the information appear on the screens on their desks in Toronto and Vancouver, or anywhere else in Canada. It is as easily accessible as documents in their filing cabinets in their Canadian offices. Hence, it makes no sense in my view to insist that information stored on servers outside Canada is as a matter of law located outside Canada for the purpose of section 231.6 because it has not been downloaded. Who, after all, goes to the site of servers in order to read the information stored on them?

[49] Nor is the extraterritorial application of the Act a significant issue on the present facts. For example, the agreements with eBay Canada expressly provide that they may disclose confidential “eBay System Information” (which the appellants say includes information about PowerSellers) which “is required to be disclosed by order of any court”: Appeal Book, vol. II, pp. 295-96. Nor does the requirement oblige a person outside Canada to do anything.

[50] Counsel concedes that the information identifying PowerSellers registered as having an address in Canada would be located in Canada if the appellants had downloaded it to their computers. In my view, it is formalistic in the extreme for the appellants to say that, until this simple operation is performed, the information which they lawfully retrieve in Canada from the servers, and read on their computer screens in Canada, is not located in Canada.

[51] I would only add that, although Justice Hughes does not frame his reasons by reference to the statutory definition of “foreign-based information” in subsection 231.6(1), he clearly meant that the information in question could be “located” at places other than the site of the servers where it is stored. For example, he stated 2007 FC 930 (CanLII), (2007 FC 930 at para. 23) that information stored electronically outside Canada “cannot truly be said to ‘reside’ only in one place”, and (supra at para. 25) the information required by the Minister “is not foreign but within Canada” for present purposes.

[52] Having concluded that information in electronic form stored on servers outside Canada is in law capable of being located in Canada for the purpose of section 231.6, I now consider whether Justice Hughes’s application of the law to the particular facts of this case was vitiated by palpable and overriding error. In my view, it was not. In finding that the information in question was located in Canada within the meaning of section 231.6, Justice Hughes properly took into consideration the fact that eBay US and eBay International had granted the appellants access to information about Canadian PowerSellers for the purpose of their business, and that they indeed used it for this purpose. The facts support the following conclusion by Justice Hughes (supra at para. 25):

For perhaps corporate efficiency the information is stored elsewhere, but its purpose is in respect of Canadian business. The information is not foreign but within Canada for the purposes of section 231.2 of the Income Tax Act.

[53] Since the facts of this case do not engage section 231.6, it is not necessary to consider whether the presence of that section in the statutory scheme reduces the Minister’s powers under section 231.2 when the requirement relates to “foreign-based information”.

See also: Michael Geist - Federal Court of Appeal Upholds Ebay Power Seller Decision, EXCESS COPYRIGHT: eBay "PowerSeller" data is "both here and there".

Back in business

Due to a screw-up beyond my control [finger pointed directly at my hosting company], I haven't been able to update this blog for almost three weeks. But it's fixed and we're back in business.

Thursday, November 13, 2008

Testing

My apologies. Technical issues have meant that I haven't been able to post for a while now. I'm looking into it...

Thursday, November 06, 2008

What are these?

Last weekend, after a day of meetings, I wandered around downtown Ottawa. When I lived there in 1999-2000, I noticed that a number of light poles in the downtown area have directional antennas on top of them. I had only seen them in the vicitinty of Parliament Hill. Being paranoid, I wondered what they were. I even called the city and asked what they were and whose they are. The city was not able to answer my question, though they acknowledged that the poles are theirs and putting anything on them would require the city's ok.

You can read the text on the label on the back, which says it's made by TIL-TEK, model TA-2408. The TIL-TEK brochure describes it as:

The TA-2408 is a vertically or horizontally polarized panel antenna. The antenna consists of a printed broadband dipole array enclosed in an aluminum cavity with a UV stabilized ASA radome for superior weatherability. It is designed for wireless data in the ISM band and is at DC ground to aid in lightning protection.

Here are two other pictures:

Directional antennaDSC_3987

If anyone knows anything about these, please help satisfy my curiosity ... Email me or put something in the comments.

Wednesday, November 05, 2008

Toronto police relocate cameras

The good news: Toronto police are removing the CCTV cameras that have kept an eye on people at Queen Street West and Bathurst.

The bad news: Apparenly they're just being moved. Where to? I do not know.

See: Torontoist: Smile! You're Not on the Police Camera, via the eagle-eyed, ever-vigilant, but never intrusive Rob Hyndman.

Tuesday, November 04, 2008

Outrage over 'chastity belt' lingerie fitted with GPS tracking system

Rather than outrageous, it should be filed under stupid and pointless: Outrage over 'chastity belt' lingerie fitted with GPS tracking system Mail Online. Nothing covert here, if you take a close look at the photo. But if it was actually miniature, there may be some cause for concern.

Wednesday, October 22, 2008

Paris to dramatically boost surveillance cameras

Paris plans to try to bridge the gap between London's thousands of CCTV cameras and the city of lights' paltry 330 surveillance cameras linked to the police. It's an initiative dubbed "A Thousand Cameras for Paris." But in an effort to out-do London, the French plan to deploy spy drones to keep an eye on evil-doers. See: Paris to quadruple number of CCTV cameras - Telegraph.

Tuesday, October 21, 2008

Location Awareness: Cool or Creepy?

Lifehacker, one of the most popular gadget/personal productivity blogs out there, is doing a poll on new "location aware" devices and services. On one hand, it's helpful to have your phone tell you where the nearest coffee shop is. On the other hand, it opens a whole new world of surveillance. Check it out and let your views be known: Location Awareness: Cool or Creepy?

Ontario Commissioner speaks out about RFID licenses

The Information and Privacy Commissioner of Ontario is speaking out about the proposed new ehanced drivers license, which is planning to use an RFID chip: New ID card threatens our privacy Canada News Toronto Sun.

Monday, October 20, 2008

CCTV walk in Halifax

This past Saturday I found myself with an hour to kill downtown. I had my camera with me and my GPS-equipped blackberry, so I decided to do a quick inventory of surveillance cameras. I only took photos of cameras that are in public spaces or were pointed at public spaces.

You can check out the Flickr set or the map.

Sunday, October 19, 2008

OPCC begins consultation on covert surveillance guidance

The Office of the Privacy Commissioner of Canada is seeking comments on a draft guidance document on covert surveillance. If you have something to say, you have until November 14, 2008:

Consultation on Covert Video Surveillance Draft Guidance Document (October 2008)

The Privacy Commissioner of Canada has prepared a draft guidance document that sets out good practice rules for private sector organizations that are either contemplating or using covert video surveillance.

Through our experience in investigating complaints about covert video surveillance under the Personal Information Protection and Electronic Documents Act (PIPEDA), we have identified a need to educate organizations on the obligation to ensure that covert video surveillance is conducted in the most privacy sensitive way possible. Although the use of covert video surveillance may be appropriate in some circumstances, we view the technology as being inherently intrusive.

We welcome feedback on the draft guidance below. In particular, we seek the comments of those directly affected by covert video surveillance, including unions representing employees of federally regulated organizations as well as consumer associations.

Thank you for your time and attention and we look forward to your comments.

Elizabeth Denham, Assistant Privacy Commissioner

Passports will be needed to buy mobile phones in the UK

Just when you think you've seen it all from the UK, here's another one: Passports will be needed to buy mobile phones - Times Online.

Saturday, October 18, 2008

Further consideration of admissibility of evidence obtained in violation of PIPEDA

An Ontario arbitrator for the Financial Services Commission of Ontario has recently had an opportunity to consider whether a breach of PIPEDA in the collection or handling of intended evidence in a hearing will result in it not being admissible in the hearing. Arbitrator Rogers concluded, following Ferenczy v MCI Medical Clinics (see Canadian Privacy Law Blog: Admissibility of video surveillance evidence), that it does not. See Para 35, below.

Since the case isn't on CANLii yet, here's the full text:

Borowski v. Aviva Canada Inc.

Financial Services Commission of Ontario (Arbitration Decision)

J. Rogers Member

Heard: July 29, 2008 Judgment: September 12, 2008 Docket: FSCO A07-002593 J. Rogers Member:

Issues:

1 The Applicant moves for an order excluding the expert reports Aviva Canada Inc. ("Aviva") obtained from Brigham & Associates Inc. from the arbitration hearing and, in the alternative, an order requiring Aviva to fund replies to these reports.

2 The issues are:

1. Are the reports Aviva obtained from Brigham & Associates Inc. admissible at the arbitration hearing regarding Mr. Borowski's entitlement to a catastrophic designation?

2. If the reports are admissible, does Aviva have an obligation to fund replies to these reports under section 24 or 42 of the Schedule?

Result:

3

1. The reports Aviva obtained from Brigham & Associates Inc. are admissible at the arbitration hearing.

2. Aviva does not have an obligation to fund replies to these reports under section 24 or 42 of the Schedule.

Scope of Motion:

4 Mr. Borowski sought a ruling precluding Aviva from submitting that it is premature to decide whether to exclude the subject reports on the grounds that they are of little probative value. Mr. Borowski argued that Aviva was estopped from taking this position because Aviva agreed that admissibility of the reports would be determined in advance of the hearing.

5 Aviva submitted that its objection was properly made because, when it agreed that the issue would be determined by way of a pre-hearing motion, the only position that Mr. Borowski had taken was that the reports should be excluded since they were obtained in breach of section 42 of the Schedule.

6 I ruled that Aviva's agreement was not a concession that every argument that Mr. Borowski chose to raise on admissibility of the reports was properly the subject of this motion. I also informed the parties that the issue was largely moot, because Aviva's concern that a pre-hearing determination of probative value would usurp the role of the hearing Arbitrator was resolved by the fact that I will be presiding at the hearing as well as the motion.

Facts:

7 The facts are not in dispute. Mr. Borowski was injured in a motor vehicle accident on October 24, 2001. He applied for and received statutory accident benefits from Aviva, payable under the Schedule. The parties disagree on his entitlement to certain further benefits and on whether Mr. Borowski sustained a catastrophic impairment as a result of the accident.

8 In January 2007 Mr. Borowski submitted an Application for Determination of Catastrophic Impairment, supported by a report authored by Dr. Ronald Kaplan. Pursuant to section 42 of the Schedule, Aviva gave Mr. Borowski notice in March 2007 that it required him to attend medical examinations regarding this issue. Mr. Borowski attended the examinations deemed necessary by the three-person medical team Aviva chose. The team delivered its reports in August 2007 and, based on these reports, Aviva determined that Mr. Borowski did not sustain a catastrophic impairment as a result of the accident. Mr. Borowski obtained rebuttal reports, authored by a three-person team of his choice, pursuant to section 42.1 of the Schedule.

9 Mr. Borowski applied for mediation and, after mediation failed to resolve the dispute, he applied for arbitration. A pre-hearing was held on April 29, 2008. Aviva served Mr. Borowski with the three reports at issue in this motion on May 4, 2008. They were authored by three doctors from the United States who conduct business under the name of Brigham & Associates. Counsel for Aviva retained Brigham & Associates to conduct a "paper review" of the material in Aviva's possession and give their opinion on whether Mr. Borowski had sustained a catastrophic impairment. Aviva provided Brigham & Associates with copies of Mr. Borowski's medical records it had received and copies of the reports of its doctors and Mr. Borowski's doctors. Aviva did not seek Mr. Borowski's consent. Brigham & Associates concluded that Mr. Borowski did not sustain a catastrophic impairment as a result of the accident.

Parties' Positions:

10 Mr. Borowski's position is that the reports from Brigham & Associates should be excluded because his contract with Aviva and the Schedule provide a complete code of Aviva's rights of access to his medical records and its use of those records. He argues that, since neither his contract nor the Schedule specifically provides that Aviva may disclose his medical records except in the context of an examination under section 42 of the Schedule, Aviva is precluded from disclosing those records, except for the purpose of a section 42 examination. Aviva therefore obtained the reports from Brigham & Associates by breaching his right to privacy.

11 Mr. Borowski further submits that the reports should be excluded because Aviva breached the provisions of the Personal Information Protection and Electronic Documents Act, 2000 (the PIPED Act) and its own Privacy Policy by sending his medical records to Brigham & Associates. He also submits that the reports should be excluded because the authors usurp the function of the Arbitrator by offering their opinion on the interpretation of the relevant legislation, criticizing the judicial approach to the legislation and impugning Mr. Borowski's credibility. Finally, Mr. Borowski submits that the reports should be excluded because they are of little probative value.

12 Aviva submits that, although its contract with Mr. Borowski and the Schedule provide a complete code of the parties' substantive rights, neither addresses the scope of procedural rights in the context of adversarial proceedings. It concedes that the subject reports were not obtained pursuant to section 42 of the Schedule, but argues that it is permitted to obtain them, unless specifically prohibited by statute or legal principle. Its position is that, because Mr. Borowski's medical condition is at issue in the arbitration, there is a diminished expectation of privacy regarding his relevant medical records. It therefore did not breach his right to privacy in providing his records to Brigham & Associates. It argues that, even if it did breach Mr. Borowski's rights in obtaining the reports, the breach was minor and the jurisprudence does not support exclusion of the reports in those circumstances.

13 Aviva denies that it breached the PIPED Act or its Privacy Policy and submits that, although the Brigham & Associates' venture into statutory interpretation might mean that some sections of the reports would be excluded or given no weight, that does not lead to exclusion of the reports in their entirety.

Complete Code of Rights:

14 As noted above, Mr. Borowski's position is that his contract with Aviva and the Schedule circumscribe the information he is required to provide to Aviva, the purposes for which Aviva may use the information and the persons to whom Aviva may disclose it. He argued that he only provided Aviva with his medical records because he was required to do so for the purpose of the examination permitted by section 42 of the Schedule, therefore Aviva was only permitted to use them for that purpose.

15 Section 33(1.1) of the Schedule imposes a general obligation on insured persons to provide insurers with "[A]ny information reasonably required to assist the insurer in determining the person's entitlement to a benefit." In addition, Rule 32 of the Dispute Resolution Practice Code (the "Code") imposes the requirement for "prompt and complete exchange of documents that are reasonably necessary to determine the issues being arbitrated". It is therefore not accurate to say that Mr. Borowski disclosed his medical records only because Aviva had the right to have him examined pursuant to section 42. Mr. Borowski was required to provide that information in any event. Neither the Schedule nor the Code prescribes limits on the insurer's use of the information it receives.

16 Section 42 of the Schedule does not address information to be provided to an insurer. Section 42(10)(a) addresses information to be provided to "the person or persons conducting the examination" where an insured person is required to attend an examination under section 42. Section 42(10)(a) places an obligation on both the insured person and the insurer to "provide to the person or persons conducting the examination all reasonably available information and documents that are relevant or necessary for the review of the insured person's medical condition". That means that the insurer is required to provide to the person conducting the examination any relevant information it has received from the insured person and any other relevant information in its possession. The insured person also has a similar obligation to provide information directly to the person conducting the examination.

17 The thrust of section 42(10)(a) is to ensure that examinations of insured persons are conducted with all relevant knowledge. In providing for the insured person to provide information directly to the person conducting the examination, it safeguards the interest of an insured person in having the examination conducted on the basis of a complete record. It regulates neither the information to which insurers are entitled, nor the uses that insurers may make of the information they acquire.

18 Section 42(10)(a) certainly allows insurers to provide information to persons conducting examinations on their behalf. However, that does not mean that this is the only permitted use. To accept Mr. Borowski's position would mean that Aviva would be precluded from filing his medical records as evidence in the very proceeding in which he was required to disclose them, because there is no provision that specifically permits Aviva to do so.

19 Mr. Borowski relies on the decision of the Court of Appeal in Haldenby v. Dominion of Canada General Insurance Co. in support of his position that the Schedule contains a complete code of the rights of the parties. In that case the Court held that the insured person had no right to reapply for further income replacement benefits, after the insurer had terminated those benefits, because there was no provision in the Insurance Act or the Schedule to allow it. The Court noted that the suggested approach would "extend a claimant's entitlement to benefits for an indeterminate period of time" and that it was contrary to the scheme of the Schedule. The Court did not rule that the Schedule is a complete code of all procedural and substantive rights of the parties. I accept Aviva's submission that this decision reaffirms the trite maxim that the substantive rights of the parties must be found in the Insurance Act or the Schedule.

20 If one were required to look to the Schedule for every step in the dispute resolution process, it would grind to a screeching halt. For instance, although Mr. Borowski concedes that Aviva had the right to share his medical information with its counsel, the Schedule does not confer that right. Similarly, the Schedule does not contemplate the standard practice of retaining accountants and providing them with the insured person's financial records, where the quantum of entitlement to income replacement benefits is at issue. The Schedule does not contemplate that insurers would retain experts in accident reconstruction, often providing them with the medical records of the insured person, where there is a dispute about whether an accident occurred. The Schedule does not permit the common practice of applicants who obtain expert opinions by non-treating doctors, for the sole purpose of presenting them as evidence in the arbitration.

21 The admissibility of evidence at an arbitration hearing is addressed in Rule 39.3 of the Code and section 15 of the Statutory Powers Procedure Act. The only limits on the admissibility of relevant evidence found in those provisions are:

  • Evidence that would not be admissible in a court by reason of any privilege under the law of evidence;

  • Evidence that is not admissible under the Insurance Act; or

  • Evidence that is not admissible under any other statute.

22 None of those restrictions applies here.

23 Aviva is by no means the first Insurer to have obtained an opinion based on a paper review. Arbitrators have commented on the practice in several decisions. The practice has never been censured. In Hart and Allstate Insurance Company of Canada, the Arbitrator made the following comment in refusing to find that proposed section 42 examinations were reasonable and necessary:

I have no evidence as to how examinations today will shed greater light on Mrs. Hart's physical or emotional condition four years ago (regarding the partial inability test) or six years ago (regarding causation) than a paper review by experts of Allstate's choice (given the extensive document production over and above the prior DAC assessments), which has been and continues to be an option at the Insurer's disposal.

24 In Rushlow and ING Insurance Company of Canada, the Arbitrator made the following comment in similar circumstances:

If ING desires further input of a neurophysical nature, there is nothing to prevent it from obtaining a "paper" opinion based on the documents and reports...

25 The theme was revisited in Wilson and Aviva Canada Inc. In that decision, the Arbitrator noted as follows:

While the law and the jurisprudence are clear that section 42 of the Schedule gives the insurers a right to override such normal privacy concerns, provided that the legal pre-conditions for the examination are met in this matter, I have found that those pre-conditions were not met.

While it may well have been reasonable to perform an unintrusive paper review of Ms. Wilson's condition, based on the extensive material potentially available to the Insurer, this is not what was proposed.

26 Although the issue of whether an insurer breaches the Schedule or the privacy interests of the Insured person in conducting a "paper review" was not raised in the above cases, the endorsement of the practice in these decisions suggests that a breach is not gross, plain and obvious, as Mr. Borowski submitted. The decisions recognize that a paper review is a relatively unintrusive means of obtaining evidence for a hearing.

27 The principle that a party to an adversarial proceeding is entitled to a diminished expectation of privacy concerning personal information relevant to the dispute is well established. Because Mr. Borowski was required to disclose his medical records to Aviva, the narrow question is whether it was reasonable to expect that Aviva was precluded from disclosing the information it received to its agents. Mr. Borowski concedes that Aviva had the right to disclose the information to counsel. I see no substantive difference between disclosure to counsel and Aviva's disclosure to medical experts for the purpose of obtaining an opinion on the issue in dispute. Aviva's recruitment of professional expertise is at the heart of both relationships.

28 I find that Aviva did not breach the provisions of the Schedule or violate Mr. Borowski's reasonable expectation of privacy in obtaining the reports from Brigham & Associates. This ruling does not mean that there would be no limits on what Aviva can do with the personal information it receives from Mr. Borowski, as he submitted. Aviva has simply provided information to its agent for a purpose related to an ongoing dispute. It is not necessary to speculate on what the limits might be, for the purpose of this decision.

29 Because the right to obtain the subject reports is not based on section 42 of the Schedule, I find that Aviva was not required to comply with the notice provisions of section 42, as Mr. Borowski submitted. For the same reason, Aviva is not required to fund rebuttal reports pursuant to section 42 of the Schedule.

Violation of the Piped Act or Privacy Policy:

30 The PIPED Act regulates the collection, use and distribution of personal information collected in the course of commercial activity.

31 Mr. Borowski relies on the decision of the Federal Court of Appeal in Rousseau v. Canada (Privacy Commissioner) in support of his position that his medical records were provided to Brigham & Associates, in breach of the provisions of the PIPED Act. The applicant in that case was receiving long-term disability benefits from an insurer. Pursuant to its right under the insurance policy, the insurer required the applicant to attend an independent medical examination (IME). The insurer terminated benefits on the basis of the report. The applicant sought production of the complete file of the doctor who had performed the examination. The doctor refused to disclose his handwritten notes. The issue on appeal was whether the handwritten notes of a doctor performing an IME in Ontario, at the request of an insurer, are personal information under the PIPED Act. The Court had to determine that issue in the applicant's favour in order to grant the only remedy sought under the PIPED Act: the right of the applicant to access to the information.

32 At the appeal, the applicant limited his request to the doctor's notes on the answers he gave to questions asked and the doctor's observations of the applicant's behaviour. The Court ruled that the doctor's notes contained the applicant's personal information to which he has a right of access and remitted that matter to the Privacy Commissioner for a determination of which portions of the notes should be disclosed. The Court noted as follows:

In light of the Privacy Commissioner's recognition that there are in the notes information which is personal to Mr. Rousseau and information which is not, it may be said that in the end, Mr. Rousseau has a right of access to the information he gave to the doctor, and to the final opinion of the doctor in the form of the report to the insurer. In accordance with Principle 4.9.1 of Schedule 1 to the PIPED Act, this enables Mr. Rousseau to correct any mistakes in the information he gave the doctor or which the doctor noted, as well as any mistakes in the doctor's reasoned final opinion about his medical condition. But the process of getting to that final opinion from the initial personal information of Mr. Rousseau belongs to the doctor.

33 This excerpt highlights the fact that the issue in Rousseau was quite different from the issue in this motion. Mr. Rousseau was seeking access to his records, not the exclusion of evidence. The PIPED Act provides no such remedy. The Court was not asked to address the question of whether the insurer or the doctor conducting the IME breached the Act in the transfer of the medical records.

34 The Court noted that, before the matter was heard, Mr. Rousseau and the insurer had settled an action he had commenced in the Superior Court. There is no mention of an order excluding the doctor's report from evidence in that action. In Rousseau, the focus of the Court was on determining whether the doctor conducting the IME was engaged in "commercial activity", a requirement for the PIPED Act to apply, and whether the doctor was in possession of the personal information of Mr. Rousseau.

35 In Ferenczy v. MCI Medical Clinics, the Ontario Superior Court directly addressed the question of whether a potential breach of the PIPED Act should result in the exclusion of evidence obtained as a result of the breach. In that case, the plaintiff in an action for damages for the alleged negligence of a doctor sought an order excluding surveillance evidence on the grounds that it was personal information, collected or recorded in violation of the PIPED Act. The Court refused to exclude the evidence, giving the following reasons:

At the outset I wish to point out that the Act does not contain a provision which prohibits the admissibility into evidence of personal information collected or recorded in contravention of the Act. Rather the Act provides that an individual or the Privacy Commissioner may bring a complaint which results in an investigation and report under the Act. Thereafter, certain steps described in the legislation may be taken in the Federal Court. Consequently, if the collection of surveillance evidence in this case is said to be a violation of the Act a complaint may be filed pursuant to the Act to commence that process. However, that has no direct impact on the issue of the admissibility of evidence in this trial.

The evidence at issue here is relevant, in my view, and the probative value of the evidence exceeds its prejudicial effect. By prejudicial effect, I mean the danger that the evidence will be misused. As stated, I have concluded that a proper limiting instruction is adequate in this case to ensure that the evidence is used for the limited purpose for which I propose to admit it.

This is not a case involving state action and consequently no consideration arises as to the applicability of the Canadian Charter of Rights and Freedoms or the exclusion of evidence pursuant to the provisions of the Charter.

Prima facie relevant evidence is admissible, subject to a discretion to exclude where the probative value is outweighed by its prejudicial effect. This is the test in both criminal and civil cases: R. v. Morris, [1983] 2 S.C.R. 190, 1 D.L.R. (4th) 385, 48 N.R. 341, 7 C.C.C. (3d) 97; and see Sopinka, Lederman and Bryant, The Law of Evidence in Canada, 2nd ed. (Toronto: Butterworths, 1999) at pp. 23-38.

There is also a discretion in a trial judge to exclude evidence that would render a trial unfair. In R. v. Harrer, [1995] 3 S.C.R. 562, 128 D.L.R. (4th) 98, Justice La Forest concluded that this historical concern with trial fairness has now been enshrined in s. 11(d) of the Charter. As I have indicated the Charter is not at issue in this case. However, that does not mean that the common law discretion to exclude evidence, to which Justice La Forest was referring as the underpinning of s. 11(d) of the Charter, does not continue to operate in a non-Charter context.

I conclude that the admission of the evidence here in question will not render the trial unfair. The video will be shown to the plaintiff and the jury. The jury will hear any explanation offered by the plaintiff concerning the contents of the video and will determine to what extent, if at all, the surveillance evidence assists them in assessing the complainant's credibility. The plaintiff has sued Dr. Weinstein and made a claim in her pleadings and in her evidence that her left hand has been disabled. The surveillance was undertaken in a public place and relates directly to the alleged disability. The introduction of such evidence has the potential to operate unfavourably to the plaintiff, but not to render the trial unfair.

36 I adopt the above reasons and approach, the key elements of which are:

  • The remedy that the applicant seeks is not provided in the PIPED Act and the provisions of the Act have no direct bearing on the admissibility of evidence;

  • Relevant evidence is prima facie admissible, subject to a discretion to exclude where the probative value is outweighed by its prejudicial effect;

  • Although the Charter has no direct application, it informs the discretion to exclude evidence on the grounds that it would render the trial unfair.

37 It is not disputed that the reports at issue in this motion are relevant. I have found that Mr. Borowski was not reasonably entitled to privacy regarding the information used to prepare the reports. I find that the admission of the reports will not render the arbitration hearing unfair. Relevant evidence will always have the potential to influence an unfavourable result, but that does not render the hearing unfair. I see no merit in Mr. Borowski's submission that allowing insurers to tender reports based on paper reviews would give them a licence to bludgeon insured persons into submission with numerous reports, because of the disparity in resources. That submission is undercut by the fact that the assessment of expert evidence is not influenced by the number of experts offering the opinion and opinions based on paper reviews are often discounted because the person conducting a paper review did not interview and assess the subject in person. Mr. Borowski's position is also undercut by his own submission that the subject reports are of little probative value.

38 As the Court noted in Ferenczy, the above findings are sufficient to dispose of the issue of admissibility. However, the Court went on to find that there was no breach of the PIPED Act in these circumstances. The Court gave extensive reasons for that conclusion. The following excerpt is relevant to the circumstances of this case:

One way to avoid this result, and I conclude it is the correct interpretation of the Act, is to apply the principles of agency. On this analysis it is the defendant in the civil case who is the person collecting the information for his personal use to defend against the allegations brought by the plaintiff. Those whom he employs, or who are employed on his behalf, are merely his agents. On this analysis s. 4(2)(b) of the Act governs. That section reads as follows:

4(2) This Part does not apply to

. . .

(b) any individual in respect of personal information that the individual collects, uses or discloses for personal or domestic purposes and does not collect, use or disclose for any other purpose.

The defendant through his representatives was employing and paying an investigator, to collect information for him. It is the defendant's purpose and intended use of the information that one should have regard to in determining the applicability of the Act. On the basis of this analysis I conclude that the defendant is not collecting or recording personal information in the course of commercial activity. He, through his agents, was collecting information to defend himself against the lawsuit brought by the plaintiff. This is a personal purpose in the context of the civil action brought against him by the plaintiff. In my view, this conclusion is consistent with the overall purpose of the Act which is aimed primarily at information collected as a part of commerce. Section 3 of the Act reads as follows:

Purpose

3. The purpose of this Part is to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.

Closely related to this reasoning is my further conclusion, that in the circumstances here (where the recording was in a public place), the plaintiff has given implied consent to the defendant to collect, record and use her personal information insofar as it is related to defending himself against her lawsuit. A plaintiff must know that by commencing action against a defendant, rights and obligations will be accorded to the parties to both prosecute and defend. The complainant has effectively, by commencing this action and through her pleadings, put the degree of injury to her hand and its effect on her life into issue. One who takes such a step surely cannot be heard to say that they do not consent to the gathering of information as to the nature and extent of their injury or the veracity of their claim by the person they have chosen to sue. Consent is not a defined term under the Act, and there is no indication in the Act that consent cannot be implied.

39 I endorse and adopt the above approach. I find that Aviva retained Brigham & Associates as its agents, for the personal purpose of responding to Mr. Borowski's application, triggering the exemption in section 4(2)(b) of the Act. Neither Aviva nor its agent collected or distributed personal information that Mr. Borowski had not already disclosed. I find that, in commencing an application in which his medical condition was in issue, Mr. Borowski implicitly consented to the acquisition by Aviva of expert medical opinions, based on the personal information he was required to disclose.

40 I appreciate that the Court in Rousseau concluded that the doctor conducting the IME was engaged in "commercial activity", triggering the application of the Act, while the Court in Ferenczy found that the persons conducting the surveillance were not engaged in "commercial activity". I am bound by neither decision and I prefer the Ferenczy approach. As noted above, the issue in Rousseau was gaining access to personal information collected. That was not the issue in Ferenczy and it is not the issue here. Also as noted above, even had I found a breach of the Act, I would not exercise my discretion to exclude the reports.

41 The above reasons also dispose of Mr. Borowski's submission that the reports were obtained in breach of Aviva's Privacy Policy. The Privacy Policy largely adopts the provisions of the PIPED Act. The policy specifically contemplates disclosure of personal information to agents and adjusters. As noted above, based on the principles of agency, disclosure to an agent is not disclosure to a third party. The policy also specifically provides that consent to disclose is assumed for the purpose of evaluating claims. I find that the purpose of obtaining the subject reports was to assist in the evaluation of Mr. Borowski's claim and that Aviva did not agree, through its privacy policy, that it would not use personal information collected from Mr. Borowski for that purpose.

Probative Value vs. Prejudice

42 Mr. Borowski submits that the reports should be excluded because the authors usurp the role of the Arbitrator by offering their opinion on the proper application of the AMA Guides. Mr. Borowski also submits that the reports should be excluded because they are of little probative value since the opinions were formed without examining him and are based on an assessment of his credibility. He relies on the decision in Sharma and Allstate Insurance Company of Canada in which the Arbitrator refused to exercise his discretion to admit reports prepared by Brigham & Associates which Allstate had served late. In arriving at that decision, the Arbitrator commented unfavourably on the admissibility of opinions offered on how the AMA Guides should be applied. The Arbitrator concluded that the reports were "potentially inappropriate".

43 The issue in Sharma was whether extraordinary circumstances existed that would warrant the exercise of discretion to allow the filing of reports that were not properly served. Here, the reports have been served well in advance of the hearing. Although the opinions that Brigham & Associates offer on the interpretation of the AMA Guides are not properly the subject of expert evidence, the fact that those opinions are offered does not render the entire reports inadmissible. The expression of these opinions goes to the weight to be given to the medical opinions expressed, not their admissibility. The extent to which the medical conclusions are based on incorrect interpretation of the applicable law is a factor to be taken into account in assigning weight. An expert opinion would not be excluded merely because the expert expressed and applied a correct interpretation of the relevant legislation in arriving at an opinion within his or her expertise.

44 Similarly, the fact that Brigham & Associates did not assess Mr. Borowski in person and might have made assumptions about his credibility are questions of weight, not admissibility. The issue of weight cannot be determined in a vacuum. It must be assessed in light of all of the evidence. It is not possible to determine at this stage of the proceedings whether the assessors would have been in a better position to form an opinion, had they assessed Mr. Borowski in person. It is also not possible to determine whether any assumptions on credibility will accord with my conclusions at the end of the hearing.

Conclusion:

45 For all of the above reasons, I find that the reports Aviva obtained from Brigham & Associates are admissible at the Arbitration hearing.

Expenses:

46 I reserve my decision on the expenses of the motion until the Arbitration hearing has been completed. I remain seized of the issue, should the parties resolve all other issues without a hearing, but are unable to resolve the issue of expenses of this motion.

J. Rogers Member