Sunday, June 29, 2008

Stop watching us watching you!

Slate always has a good selection of editorial cartoons here. This one's pretty good ...

Cross-border movement of personal health information

Earlier this week, I co-chaired Insight Information's conference on electronic health records here in Halifax. I was very pleased to see a lot of expertise in privacy developing in Atlantic Canada, which is necessary as Nova Scotia, New Brunswick and Newfoundland move towards developing and implementing health privacy laws and as electronic health record projects are driving forward.

I gave a presentation on the mess and uncertainty related to the cross-border movement of personal health information in Canada. The complicated overlap of laws that we see in provinces such as Nova Scotia is compounded when the information is disclosed out of the province.

If you're interested, the presentation is here and can be flipped through below:

Saturday, June 28, 2008

CCTV can cut both ways

Sometimes CCTV can prove that someone is innocent. And that the cops framed them. - Undercover NYPD Officers Frame 4 On Drug Charges

....The undercover NYPD officers are seen on video dancing in the street, then attempting to frame four innocent men.

"I asked police officer why are you arresting me," said Maximo Colon. "Never did I get an answer."

The investigators swore under oath they bought drugs from the four men. Jose and Maximo colon say that didn't happen.

"The cops are supposed to help us," said a shaken Jose Colon.

Defense lawyers say the surveillance cameras proved their clients were framed.

"It was nauseating," said defense lawyer Rochelle Berliner.

Two hours of video showed no contact at all between the four men arrested and undercover officers - proof that lead prosecutors to drop charges against the four men, and even declare in court the men did not commit the crime....

"If you need privacy, you should get your own computer."

The American Library Association has always been a reasoned and reasonable voice for privacy in libraries and the wider community. I was interested to learn they are doing a panel tomorrow at their annual get-together in Anaheim, California entitled "Privacy: Is it time for a revolution":

Protecting reader privacy and confidentiality has long been an integral part of the mission of ALA and its members. Should it continue to be a priority? In an age when people increasingly use social networking to expose intimate life details, does privacy still matter to information seekers? Does anyone care if their library records and online searches are being tracked? If they don't, why should they? A panel of thought leaders from the information economy including author Cory Doctorow, Wired senior writer Dan Roth, and Privacy Rights Clearinghouse director Beth Givens will debate the importance of privacy and what's at stake if the persistent erosion of privacy continues unchecked. Join us for a provocative examination of a librarian's role in the future of privacy.

I look forward to hearing what Jessamyn West and The Shifted Librarian have to say about the session.

In looking into the session, I happened upon the following outrageous story out of Cleveland.

Lakewood library aggressive on checking computer users for porn-

... Every 15 minutes, a staff member takes a stroll around the center to make sure library patrons are not looking at pornography, engaging in illegal gambling or visiting other questionable Web sites.

Now the library, which recently opened a new technology center, might expand its monitoring policy by using free software, called virtual network computing, that allows librarians to remotely monitor what a patron is viewing on a computer screen.

Warren has been an avid supporter of keeping an eye on the public access computers since the library first offered the Internet to patrons in 1995.

"If you need privacy, you should get your own computer," Warren said.

Warren's views on privacy for library computer users clash with those of the American Library Association, the oldest and largest library organization in the United States.

The association recommends that a library set a comprehensive, written Internet policy, distribute the policy widely and then respect the privacy of patrons.

I think this is the first time I've ever heard such sentiments from a library professional, who usually advocate computers in libraries as often the sole source of internet access for those without the resources to purchase their own. Should only those who can afford privacy have access to it?

Update: Notes from the session are up at: The Shifted Librarian » ALA2008 Privacy Revolution Panel and Loose Cannon Librarian » Privacy Panel ALA 2008.

Marina Hyde: This surveillance onslaught is draconian and creepy

Because actions speak louder than words, one can easily assume that the British populace is completely passive and accepting of the explosion of CCTV surveillance throughout the green and pleasant lands of England. There is some dissent. Witness: Marina Hyde who has an interesting opinion piece in The Guardian.

Marina Hyde: This surveillance onslaught is draconian and creepy Comment is free The Guardian

Closed-circuit TV cameras are the crime-fighting tool so fiendishly sophisticated that they can be foiled by the wearing of a hood. Yet having stuck 4.2 million of the things around this country, with nary a consultation on the matter - nor any significant impact on crime statistics - efforts to pimp them to 2.0 status continue

This week it emerged that scientists at Portsmouth University are developing "listening" cameras. Artificial intelligence software will be able to recognise sounds such as breaking glass, so that, when such a noise is detected, they can rotate in its direction and capture the act of vandalism/terrorism/God that resulted in a milk bottle falling off your doorstep. I paraphrase slightly, but given that the most recent Home Office report on the matter found that better street lighting is seven times more effective at cutting crime than CCTV, the truly suspicious behaviour is our deepening obsession with surveillance.

The past few years have thrown up dozens of instances which made one wince to be a citizen of this septic isle, but a personal low came with the discovery that 500,000 bins had been fitted with electronic tracking devices. Transponders in bins ... Could any morning news item be more designed to force one back against the pillows, too embarrassed about one's country to start the day? Yes, as it turned out. A couple of months ago it was discovered that Poole borough council, in Dorset, had used the Regulation of Investigatory Powers Act - designed to track serious criminals and terrorists - to determine whether a school applicant and her parents lived where they said they did. They did, and were appalled to discover they had been spied on for three weeks, the subject of surveillance notes such as "female and three children enter target vehicle and drive off". Target vehicle, if you please! The thought of some deep-cover council drone jotting this stuff down as though it were an elite Delta Force operation is not as funny as it is horrifying.

Just who are these people, these swelling legions of unelected, ill-qualified monitors who wield such extraordinary power in our surveillance society? Clarification in one case came last year, when the civilian in charge of a Worcester police station's surveillance team was suspended after detectives found, among one day's footage, a 20-minute sequence of close-ups of a woman's cleavage and backside as she walked oblivious through the streets. Whether the woman ever discovered she was the star of a kind of pervert Truman Show is not recorded. But the offending monitor escaped with a warning and was - unbelievably - back in post within weeks.

In some city centres, such as Middlesbrough, speakers have been put on the cameras, so that those monitoring can interact with potential miscreants. Let's hope these remote bossy boots imagine they're involved in some high-level negotiation, in which they talk down a teenager from his decision to drop a hamburger wrapper on the pavement.

The former home secretary John Reid, on whose draconian watch the Middlesbrough scheme was approved, even suggested at its launch that schoolchildren should enter a competition to become the voice of the cameras - once again laying bare the government's desire to co-opt its citizens into the surveillance process at all levels. We are, of course, coming up to the time of year when we are ordered to shop our neighbours for acts of hosepipe, while the Shoreditch Trust recently trialled a scheme encouraging residents to watch live CCTV feeds on a special local channel, the better to assist in policing.

For all this creepy "outreach", though, the only hands-down beneficiaries of our CCTV obsession (apart from the revenue gatherers) have been broadcasters. For no good reason, all manner of TV networks have been furnished with hours of footage to pad out their witless police chase documentaries, or offensively cheap "street crime UK" shows. Britain's CCTV network: proudly supporting the Bravo channel.

The worst thing is the blithe insistence that this is all necessary and normal. We are watched more closely, by more cameras, with each passing day. But so faultlessly designed is our society that we have never come close to having a say on it.

There's a great bit in Woody Allen's movie Deconstructing Harry when Robin Williams's character goes out of focus, appearing as a sort of fuzzy version of himself, which sounds increasingly like the sort of sickness that should be courted by any attractive woman keen to walk through Worcester. That said, she could always don a hood. Yet there does seem a vaguely depressing irony in governments insisting that constant surveillance is essential to prevent our being overrun by repressive regimes who'd make us all cover our heads and the like. It's these initiatives that drive even the most pliant members of society to dream of taking just that precaution themselves, if only for a bit of privacy.

US and Europe closer to information sharing pact

For over a year now, the United States and the European Union have been negotiating an arrangement so that US law enforcement and national security organizations can have easier access to data in Europe and about Europeans. The New York Times is reporting that that the two parties are closer to an arrangement that would permit trolling through personal information for suspicious activities, such as the review of SWIFT data that the American government undertook as the data was resident in the United States. One of the remaining issues is whether European citizens will have an ability to sue the Americans for misuse of their data.

The fact that Europe and the Bush administration are engaged in this process is a good thing. The alternatives are to shut off the tap entirely, which may not be a good idea, or to allow American authorities to freely troll through European data as easily as information about Americans, which would be worse. In Canada, Maher Arar learned the hard way about what can happen if an unstructured, unregulated information sharing "system" results in the transfer of unreliable information to the Bush administration.

Recently, the Canadian Bar Association presented its recommendations to Parliament, demanding that all information sharing arrangements be in writing with safeguards and oversight to make sure that information is accurate and does not unreasonably invade personal privacy.

The NYTimes article is here: U.S. and Europe Near Accord on Privacy -

Thanks to Rob Hyndman for the link.

Tuesday, June 24, 2008

Maritime noon phone-in

I was the guest on Maritime Noon's phone-in show today, discussing privacy and protecting personal information. (Someone who shall remain nameless doubted one could fill an hour with privacy questions, but she was proven wrong. Apparently the board lit up for the hour.)

Here is the audio, if you're interested ...


Last week, I got a call first thing in the morning from my bank. According to their fraud department, it appeared that my debit card had been used fraudulently. Someone had taken a few hundred bucks out of my account at what appeared to be a no-name cash machine. I guess the bank's systems didn't think this was part of my usual routine or that this machine had been connected with other fraudulent withdrawals. In any event, my card was in my wallet and it hadn't beeny anywhere sketchy the day before.

It was a surprise to think that my card could have been cloned, since I am paranoid about my PIN and I think I'd know a skimmer if I saw one. I also watch my card like a hawk, so would hopefully notice if someone was double-swiping. But in any event, this was not my problem but one that the fraud department is better equipped to deal with.

So off to the bank I go, fill out some paperwork and I have a shiny new debit card.

I may not be a fan of my bank using my information for marketing purposes, or to call me about the latest and greatest product, but I sure appreciate it that the bank takes the time to know me, my habits and my purchase patterns to protect me. But this time they were right and I'm not out the few hundred dollars.

Monday, June 23, 2008

Marketers, meet the privacy officer. Privacy officer, meet the marketers.

According to a study by the Ponemon Institute and reported in Forbes today, there is a large disconnect between marketing departments and those charged with overseeing privacy compliance. This underscores the importance of a multi-disciplinary approach to privacy within large organizations.

What Privacy Policy? -

...In response to a survey answered by 500 privacy and 900 marketing executives in industries ranging from health care to financial services, more than a third of marketing execs said they don't place any limits on the data they share with third parties, such as e-mail marketing agencies or online advertisers. By contrast, 75% of privacy officers believe that their companies limit the sharing of customer data.

More specifically, 80% of marketers said their organizations share e-mail addresses with third parties, compared with 47% of security and privacy officers. Other examples: 65% of marketers said they would distribute a customer's cellphone number, while only 47% of privacy execs said their companies allowed the data to be shared. Forty-five percent of marketers believe their companies shared credit card data, compared with 32% of privacy officers, and 29% of marketers believe their firms distribute social security numbers, compared with 7% of privacy professionals...

Saturday, June 21, 2008

Data Breaches Made Possible By Incompetence, Carelessness

A study by Verizon Business Security Solutions has found that 87% of data breaches are the result of incompetence and carelessness. Even when hacking was to blame, the intrusion was made possible by systems that were unpatched after fixes had been available for some time. See: Data Breaches Made Possible By Incompetence, Carelessness -- Security -- InformationWeek.

Passengers virtually stripped naked by 3-D airport scanner being tested in Canada

We've seen this coming up through development, but the electronic virtual stripping machine is finally making its way to an airport in Canada, though just for a pilot project. The scanner was unveiled on Thursday. It uses "millimetre waves" to create a detailed 3-D image of the subject's body and any contraband they may have under their clothes. Interestingly, the operator -- who is right by the scanner -- sees a fuzzy image but another officer in a "private room" gets a much more detailed peep at the person's body. See: Passengers virtually stripped naked by 3-D airport scanner.

Wednesday, June 18, 2008

Ask the privacy lawyer: Use of contact information for marketing purposes

I've been overwhelmed by the number of questions I've received in response to "Ask the privacy lawyer". Some of them are too specific and would cross over the line between legal advice and educational. But I got this question, which is relatively generic and probably is something that many people have to deal with:

HI - In September 2007 I subscribed to a well known Canadian magazine. I did not check a box on the form saying I wanted to receive 'mail' from them. However in December 2007 I and my neighbour (whose subscription to the same magazine had just ended) started receiving unsolicited requests for magazine subscripts at a rate of about 1 a week. I knew where the subscription was coming from since they mispelled my name on all the subscriptions in the same way.

I've emailed the magazine and the company responsible for these bulk mailings and have been told they 'occasionally send mailings we think our customs will enjoy' although that's only if you check the box requesting that 'service'.

They tell me the mailings will stop soon - but they haven't and now the mailing have my correctly spelled name.

I know there is a lot of work being done with SPAM laws and no phone anti-telemarketer laws - but is there any way I can legally stop this magazine for falsely advertising that they would to share my name and information with anyone else?

They don't seem to be taking my angry emails very seriously.

This situation sounds like a classic SNAFU, which might only take some more gentle persuasion to fix. But if one wants to take the legal route ....

The first question one has to ask is what privacy law applies. The questioner wasn't specific, so one should consider the options. This is a private sector matter, since we are not dealing with a government institution. Magazines are engaged in commercial activity, so one of the Canadian private sector laws would apply. The default would be PIPEDA, which applies to the collection, use and disclosure of personal information in the course of commercial activities except where there exists an applicable provincial law that has been declared to be "substantially similar" to PIPEDA. The substantially similar laws are the Personal Information Protection Act (Alberta), the Personal Information Protection Act (British Columbia) and An Act Respecting the Protection of Personal Information in the Private Sector (Quebec). The PIPAs of Alberta and BC are very similar to PIPEDA and are built on the same foundation.

For the purposes of considering this question, I'll assume that PIPEDA applies. PIPEDA requires the knowledge and consent of all individuals for all collection, use and disclosure of personal information. Importantly, an organization cannot require an individual to consent to uses that are not necessary.

4.3.3 - An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.

Privacy lawyers often refer to marketing as "secondary purposes" as they are secondary to the original purpose for the collection, use and disclosure of personal information (which, in this case, would be sending a subscriber the magazine and for billing purposes). There is some debate as to whether "opt in" or "opt out" is sufficient for these secondary purposes.

In any event, consent ,if previously granted, may be withdrawn:

4.3.8 - An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The organization shall inform the individual of the implications of such withdrawal.

Even if an individual had previously consented to the use of personal information for marketing purposes, this consent can be withdrawn "subject to legal or contractual restrictions and reasonable notice". Assuming there is no such impediment, a subscriber should be able to tell a magazine publisher that he or she no longer wishes to receive marketing materials or to have personal information disclosed to other publishers. This is consistent with the Commissioner's finding in Summary #308:

Commissioner's Findings - PIPEDA Case Summary #308: Opting-out of marketing inserts in account statements - April 7, 2005

"The Assistant Commissioner therefore determined that by not providing a means of withdrawing consent to secondary marketing, the bank was requiring the complainant to consent to a use of his personal information beyond that required to fulfil the purpose of servicing his credit card account, in contravention of Principles 4.3.3 and 4.3.8 of Schedule 1."

So what recourse does an indvidual have? He or she can complain to the Office of the Privacy Commissioner, who will investigate and hopefully persuade the publisher to change their practices. If they do not comply, the individual or the Commissioner can take the matter to the Federal Court.

Monday, June 16, 2008

Pedophile fears as student profiles, pictures go in Queensland education database

Just because you can doesn't mean you should.

Parents' groups are up in arms in Australia after it was revealed that an intranet database of all students in Queensland State is being implemented that will be available to all employees of the education system. The database will include a vast range of information:

The intranet database, dubbed OneSchool, will profile each of the state's 480,000 public school students enrolled from Prep to Year 12.

Photographs, personal details, career aspirations, off-campus activities and student performance records are being collected from all 1251 state schools.

Parents fear that it will become a catalog for pedophiles while the Eduation Minister for the State says inclusion will be mandatory.

However Civil Liberties Council vice-president Terry O'Gorman yesterday said parents should be concerned, warning the OneSchool system could put students' privacy at risk.

Mr O'Gorman called for the system to be restricted so principals and teachers could access data only on their own students, with non-teaching staff excluded and no access for home computers or laptops.

"Why should anyone other than the teacher of a particular student and the principal of that school have a right to know what a child's academic performance is, behavioural status is or what their life aims are?" he said.

"It just puzzles me as to how it can have any possible benefit to centralise that information, whereas it has a clear privacy downside."

See: Pedophile fears as student profiles, pictures go on net The Courier-Mail. Via Australian educational authority forcing kids into invasive database - Boing Boing.

Saturday, June 14, 2008

Watch those Facebook apps!

One of the most problematic features of Facebook, from a privacy point of view, is that Facebook shares data with the owners of Facebook Apps, whose privacy practices are not well articulated or well understood. This week, the Washington Post had an interesting article highlighting this problem. See: A Flashy Facebook Page, at a Cost to Privacy -

Wednesday, June 11, 2008

Youth Privacy Online: Thursday, September 4, 2008

The Information and Privacy Commissioner of Ontario is hosting a special one-day conference, Youth Privacy Online: Take Control, Make It Your Choice, being held on September 4, 2008, at the Marriott Eaton Centre in downtown Toronto.

According to the Commissioner's invitation:

"My office is hosting this conference in order to provide a forum for discussion, debate and inquiry that will focus on exploring approaches to safeguarding the privacy of children and youth on the Internet. The conference will bring together professionals from a diverse range of public and private sector organizations who have a keen interest in helping children and youth protect their privacy online.

Online social networking, and innumerable other interactive applications on the Internet, have become a part of everyday life for youth today. There are growing concerns, however, that many young people do not fully understand the risks associated with revealing too much information about themselves. These risks range from cyberbullying, identity theft and Internet luring, to putting future job prospects at risk. Speakers and panelists at this special one-day event will identify the key issues and explore a variety of innovative approaches.

Please join us on Thursday, September 4, at the Marriott Eaton Centre in Toronto, for this important conference. There is extensive information about the conference, including about how to register, at"

Monday, June 09, 2008

International standard for privacy impact assessments

The International Standards Organization has earlier this year established ISO 22307:2008, which is a new international standard for privacy impact assessments. Here is the blurb, but you'll have to shell out 114 Swiss Francs for the real deal:

ISO 22307:2008 - Financial services -- Privacy impact assessment

ISO 22307:2008 recognizes that a privacy impact assessment (PIA) is an important financial services and banking management tool to be used within an organization, or by “contracted” third parties, to identify and mitigate privacy issues and risks associated with processing consumer data using automated, networked information systems.

ISO 22307:2008

  • describes the privacy impact assessment activity in general,
  • defines the common and required components of a privacy impact assessment, regardless of business systems affecting financial institutions, and
  • provides informative guidance to educate the reader on privacy impact assessments.

A privacy compliance audit differs from a privacy impact assessment in that the compliance audit determines an institution's current level of compliance with the law and identifies steps to avoid future non-compliance with the law. While there are similarities between privacy impact assessments and privacy compliance audits in that they use some of the same skills and that they are tools used to avoid breaches of privacy, the primary concern of a compliance audit is simply to meet the requirements of the law, whereas a privacy impact assessment is intended to investigate further in order to identify ways to safeguard privacy optimally.

ISO 22307:2008 recognizes that the choices of financial and banking system development and risk management procedures are business decisions and, as such, the business decision makers need to be informed in order to be able to make informed decisions for their financial institutions. ISO 22307:2008 provides a privacy impact assessment structure (common PIA components, definitions and informative annexes) for institutions handling financial information that wish to use a privacy impact assessment as a tool to plan for, and manage, privacy issues within business systems that they consider to be vulnerable.

TSA announces new ID policy

According to the website of the Transportation Security Administration, the policy on flying without ID has been changed. If you refuse to provide ID, citing your constitutional rights, you'll be denied boarding. But if you tell them you would show them ID if you could, they'll let you fly.

In short, you can fly without ID. But only if you tell them it's because you've lost your ID. If you tell them that you aren't showing ID because you don't have to show ID, that's a security risk of a different variety.

See: TSA: TSA Announces Enhancements to Airport ID Requirements to Increase Safety.

Saturday, June 07, 2008

Ask the privacy lawyer

Despite the disclaimer on the side of this blog, I often get e-mails from people asking questions about privacy laws and how they affect their own particular circumstances. They are usually from people who are not in a position to pay for legal advice. Often, I get the same basic question (with slight variations) a number of times.

I'm very sympathetic to their circumstances but can't always take the time to provide a full answer. Since there is obviously a need out there, I thought I'd try something new: Ask The Privacy Lawyer. Readers can send me their questions and, assuming it is a question that lends itself to being answered in a public forum, I will post my thoughts on the topic on the blog.

Questions should be sent to or can be left as an anonymous comment to this post. Please try to keep your questions as general as possible and DO NOT NAME ANY PEOPLE, COMPANIES OR ORGANIZATIONS in your query. I will not identify the submitter or anyone else in the response and may edit your e-mail to to make it applicable to a wider audience. Any response will be written to be educational but should not be contrived to be legal advice.

If you are looking to retain a lawyer to assist you with your matter, please e-mail me directly at

Friday, June 06, 2008

CBA calls for sweeping reform of federal Privacy Act

The Canadian Bar Association has been urging a comprehensive review of Canada's public sector Privacy Act for some time. Two years ago, the national assembly of the organization representing more than thirty thousand Canadian lawyers unanimously called for a review of the law. The Privacy, Access to Information and Ethics Committee of the House of Commons has recently been holding hearings on the question and I appeared before the Committee on Tuesday on behalf of the CBA. Once it is posted, I'll link to the transcript.

Here's the CBA's media release with a link to our submission:

CBA Supports Overdue Changes and Encourages Full Review of the <em>Privacy Act</em>

For Immediate Release

June 3, 2008

OTTAWA – The Canadian Bar Association (CBA) is urging the federal government to undertake a comprehensive review of the Privacy Act to ensure it will fulfill its objectives into the future.

“The Privacy Act was passed in 1982 and is, quite frankly, showing its age,” says David Fraser, Treasurer of the CBA’s National Privacy and Access Law Section. “Technological and societal changes in the last quarter century since its enactment have significantly diminished its effectiveness in providing privacy protection to Canadians.”

The CBA would like to see the Act strengthened to ensure better guidelines for the collection of personal information and then for its protection once gathered. The CBA notes that information should not be collected unless necessary, recommending that federal institutions be required “to identify the specific purpose for collecting personal information, and to ensure that the information is necessary for that purpose or is authorized by law.”

Once gathered, information must be properly safeguarded, notes the CBA. “The Act must impose a general duty on federal institutions to protect personal information with safeguards appropriate to the sensitivity of the information.”

As well, the CBA recommends a “balanced” approach regarding breaches of the Act. The Association suggests that the Act be amended to require federal institutions to notify individuals if their personal information has been improperly disclosed.

The CBA puts forward seven recommendations for arrangements for disclosing personal information to a foreign government, including that they be written, formal, detailed and public. As well, the CBA recommends that “arrangements with foreign governments that do not respect fundamental principles of democracy, human rights and the rule of law be very carefully considered.” The CBA refers to the findings and recommendations of the Commission of Inquiry into the case of Maher Arar, which supports the CBA’s recommendations for reform.

David Fraser and Greg DelBigio, of the CBA’s National Criminal Law Section, will present the CBA’s submission to the Commons Access to Information, Privacy and Ethics on Privacy Act Reform on Tuesday, June 3, at 3:30 p.m. in room 269, West Block.

The CBA submission is available at:

The Canadian Bar Association is dedicated to improvement in the law and the administration of justice. Some 37,000 lawyers, law teachers, and law students from across Canada are members.

Thursday, June 05, 2008

Commissioners launch youth privacy initiative

The federal, provincial and territorial privacy commissioners are meeting this week in Regina and have jointly started a new initiative, Here's the media release describing it:

News Release: Privacy Advocates Express Concern About Child Privacy Online (June 4, 2008) - Privacy Commissioner of Canada

Privacy Advocates Express Concern About Child Privacy Online

Regina, June 4, 2008 — As Canadian youth spend more time online, they run the risk of losing control of their personal information and, potentially, facing complications at home, school or work.

Canada’s privacy commissioners and ombudspersons issued a joint resolution today expressing their commitment to work together to improve the state of online privacy for children and young people.

“It’s time to stop the commercial exploitation of our children. It’s high time we came to terms with the impact of the Internet on youth and their lives,” says Saskatchewan Information and Privacy Commissioner, Gary Dickson.

The resolution was the product of the semi-annual meeting of Canada’s privacy commissioners and ombudsmen from federal, provincial and territorial jurisdictions across Canada, being held June 4 and 5 in Regina, Saskatchewan.

During the meeting, the commissioners and ombudspersons heard from a panel of young people about their online activities and their attitudes towards, and concerns about, privacy online.

"Young people are very adept and comfortable with electronic communication. As advocates, we have to help young Canadians find the information they need to be their own privacy watchdogs," says Irene Hamilton, Manitoba Ombudsman.

Many of Canada’s privacy commissioners and ombudsmen have already proposed tools and learning materials on youth privacy, frequently in cooperation with provincial ministries of education and local school boards.

Beginning today, young people will be able to turn to, an interactive website that offers advice about how youth can protect their personal information and take charge of how their identity is being shaped online. also features a blog where young Canadians can discuss how technology is affecting their privacy.

“Young Canadians are among the most wired in the world,” says the Assistant Privacy Commissioner of Canada, Elizabeth Denham. “They need to understand that all these new technologies can have a significant impact on their privacy, and they need to know what they can do to prevent others from accessing and using this information without permission.”

Ms. Denham also announced that the Office of the Privacy Commissioner is launching a contest for youth, ages 12 to 18. The “My Privacy and Me” National Video Competition invites youth to create their own video public service announcements on the issue of privacy. Detailed information about the contest is featured on the new web site.

“The video can be about any aspect of privacy they want to explore—like the ever-growing presence of security cameras, the popularity of social networking sites like MySpace, Facebook, Bebo or Xanga, or how their favourite store collects personal information for marketing purposes,” says Assistant Commissioner Denham. “We want to encourage young people to explore the issues around online privacy and empower them to stand up for their right to privacy.”

In coming months, Canadians can expect to see more tools and learning materials designed to help Canadian youth tackle the challenge of managing their personal information and identity in an increasingly dynamic online world.

— 30 —

For more information and/or media interview requests, contact:

Colin McKay

Office of the Privacy Commissioner of Canada

Tel: (613) 947-7226


Bastionhost debuts "Dataville"

I am thrilled that a client of mine just successfully debuted its secure data centre concept at an industry event in Florida. The company, Bastionhost Ltd., is building secure data centres to take advantage of the lower risk and European/Canadian privacy compliance to serve customers in both New York and London from Canada.

News Release

For immediate release

Wednesday, June 4 2008


(Halifax, Canada): Bastionhost, a Canadian data center services and IT infrastructure provider, today unveiled its “Dataville” concept in a presentation at an IT industry event in Boca Raton, Florida.

Dataville is designed to address the fundamental infrastructure problems of the booming data centre industry, the power-hungry but nearly invisible sector that underlies a growing portion of the modern economy.

Besides its insatiable demand for space and power, the industry has been challenged to find better ways to manage risk--from terrorist attacks such as 9/11, to extreme weather and power outages, to changing regulatory environments.

The conference, End-to-End Reliability: The Green Outlook, is hosted by industry association 7x24 Exchange, the leading knowledge exchange for the enterprise information infrastructure sector.

“Our aim is to help Wall Street and the City of London address a critical infrastructure problem,” says Anton E. Self, Bastionhost’s founder and Chief Executive.

Bastionhost is creating a secure campus of state-of-the-art data centers in repurposed military surplus data center buildings that benefit from reliable and affordable power sources and geothermal cooling. From a single unobtrusive location in Dataville, Bastionhost can perform functions that used to require two or more data center sites.

As the economy becomes more data dependent, there is a growing shortage of data centers to serve mission-critical enterprise functions such as on-line banking and airline reservation systems. Moreover, data centers also house the millions of computer servers that power the Internet.

According to data center industry association AFCOM, global demand for data center space outpaces supply by three to one. In Europe, the ratio is six-to-one. Meanwhile, the data center sector has become a leading consumer of power, on a par with the global airline industry.

Dataville is located in Atlantic Canada, on the Great Circle Route between New York and London, where it benefits from highly scalable telecommunications, power, and cooling infrastructure. Serving most major markets in North America and Europe – from a safe distance – the Dataville campus is reached in milliseconds through multi-terabit fiber optic cables that cross the Atlantic and branch to cities on both continents.

“Data center operators today are looking for new ways to create much-needed energy efficiencies and ‘green’ initiatives from the ground up,” says Scott Good, Manager of Technologies, Turner Logistics. “Dataville appeared on our radar for just these reasons.”

Bastionhost has analyzed the banking industry, where firms require 24/7 access to secure and reliable data. All major global banks have operations in both New York and London. Each location has its own primary data center, plus an alternate backup site. Along with the shortage of data center space in metropolitan areas, each backup site is exposed to the same risks as the primary site. “Many institutions are still exposed to too much risk, while paying tens or even hundreds of millions of dollars for one data center too many,” says Mr. Self.

Bastionhost serves both markets from a convenient “mid-Atlantic” location. “New York is looking west for alternate data center sites,” says Mr. Self. “Meanwhile, London is looking east. If they looked toward one-another instead of away, they just might find what they seek. Why pay for two alternate or even primary data centers in New York and London, when one Dataville in the middle will serve you better?”

Mr. Self also notes that “what’s good for the environment can be good for the bottom line.” He points out that Dataville’s operating and power costs are lower than most locations. Instead of cooling blade servers with chillers, which account for one-third of power consumption in the data center, Bastionhost is able to tap a vast geothermal cooling resource.

Bastionhost also offers protection from the prying eyes of Big Brother. Canadian privacy laws, unlike those in the United States, meet the stringent standards of the European Union. Companies operating on both continents are challenged by the fact that European data cannot be hosted in the United States, a situation exacerbated by the US Patriot Act.

Mr. Self is a native New Yorker now operating out of Halifax. He and his colleagues have spent their careers building data centers and the telecommunications networks that link them to Wall Street banks, Fortune 500 Companies, and Internet service providers.


About Bastionhost

Bastionhost is a data services / IT infrastructure company that provides hosting, storage, co-location and protection of mission-critical applications and data to enterprises and governments throughout North America and Europe. From Dataville in Atlantic Canada, Bastionhost offers business continuity with superior privacy protections at lower cost. Advantages to large North American and European corporations include geopolitical stability, low risk of natural disaster or terrorism, scalable secure closed system environments, geographical and cultural proximity to multiple key international markets, and world-class technological infrastructure.

For further information:

Ms. Tzigany Cameron

Bastionhost Ltd.


Wednesday, June 04, 2008

Privacy Commissioner tables annual PIPEDA report

The Privacy Commissioner of Canada tabled her annual report to Parliament on the Personal Information Protection and Electronic Documents Act for 2007 on June 3, 2008.

The report is here: Annual Report to Parliament 2007 Report on the Personal Information Protection and Electronic Documents Act - Privacy Commissioner of Canada.

Here is the accompanying media release:

Lack of basic privacy and security measures causing major data breaches, Privacy Commissioner says

Tabling of Privacy Commissioner of Canada's 2007 Annual Report on the Personal Information Protection and Electronic Documents Act

Ottawa, June 3, 2008 — Too many data breaches are occurring because companies have ignored some of the most basic steps to protect personal information, says the Privacy Commissioner of Canada, Jennifer Stoddart.

The Commissioner’s 2007 Annual Report on the Personal Information Protection and Electronic Documents Act (PIPEDA) was tabled today in Parliament.

“Many companies need to do more to prevent inexcusable security breaches,” Commissioner Stoddart says. “Too often, we see personal information compromised because a company has failed to implement elementary security measures such as using encryption on laptops.”Voluntary privacy breach guidelines which the Office of the Privacy Commissioner (OPC) developed with business and consumer groups, and published last summer, appear to be prompting more organizations to report breaches.

The OPC has received 21 voluntary breach reports in the first five months of 2008. Last year, there were 34 voluntary reports of breaches to the OPC – up from a total of 20 reports in 2006.

Over the last few years, hundreds of thousands of Canadians have been affected by data breaches.

“Many organizations want to be good corporate citizens and do the right thing,” says Commissioner Stoddart. “While the increased number of reports is a positive sign, it’s clear we still aren’t hearing about every breach which could have a harmful impact on people.”

Financial institutions are reporting the largest number of breaches to the OPC. Some telecommunications, insurance and retail companies have also reported breaches.

The OPC is concerned that few small- and medium-sized enterprises are reporting breaches.

Examples of reported breaches include the theft of laptops containing unencrypted personal information, data tapes lost in transit, improperly discarded paper records, and misdirected faxes.

Information the OPC is collecting from the voluntary reports is helping to shed light on some of the common problems which are leading to breaches.

It is clear, for example, that unprotected laptops remain a huge issue which companies must address. Many breaches related to electronically stored data, often customer information stored on stolen laptop computers. Almost nine in 10 people whose data was compromised by a self-reported breach in 2007 were put at risk because their personal information was held in an electronic format that was either not secured or lacked adequate protection mechanisms such as firewalls and encryption.

Other breaches occurred because employees had not followed established company practices. Companies can address this problem by providing ongoing privacy training, yet a poll commissioned by the OPC last year found only a third of all businesses had trained staff about their responsibilities under Canada’s privacy laws.

The OPC strongly supports a plan by Industry Canada to introduce mandatory breach notification. Reporting requirements will encourage businesses to do more to reduce the risk of a data breach and ensure all organizations are playing by the same rules. They will also ensure Canadians are notified about serious breaches.

Industry Canada has prepared draft breach notification reporting rules and is now fine-tuning this model based on stakeholder input.

The current proposals suggest the federal government is generally headed in the right direction and that Canada will have a breach reporting regime which is both reasonable and flexible.

As the federal government completes its work on reporting requirements, the OPC continues to investigate a wide range of privacy complaints.

The OPC received 350 new PIPEDA complaints during 2007. Almost one third of complaints involved financial institutions. As in past years, other major sectors for complaints were telecommunications, insurance, sales and transportation. The annual report is available on the OPC website.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

To view the report:

Annual Report to Parliament 2007 — Report on the Personal Information Protection and Electronic Documents Act (Adobe format)

Monday, June 02, 2008

UK daycare starts fingerprinting parents

The BBC says that two daycares in the UK have started fingerprinting parents (BBC NEWS England Kent Nursery scans parent fingerprints), but I prefer the comments at Boing Boing:

English nurseries fingerprinting parents "for security" - Boing Boing

Two nurseries in Kent, England are fingerprinting parents as they drop off and pick up kids "for safety." Nevermind that statistically, your kids are far more likely to be snatched and/or abused by a parent (or someone who works at a nursery!) than by a stranger. On the other hand, giving out copies of your fingerprints to every weenie who's got a wild safety hair up their arse puts you at risk of having your identity snatched -- and the whole rigmarole just makes it harder for you to arrange for someone to pick up your kid if you're delayed, which makes your kid less safe too.

Sunday, June 01, 2008

Mobile phones used as "cookies" in the offline world to track shoppers

According to the Times, some shopping centres in the UK have started using a system that tracks shoppers using the unique signals produced by customers' mobile phones. The Information Commissioner has cautiously approved the technology:
Shops track customers via mobile phone - Times Online

The surveillance mechanism works by monitoring the signals produced by mobile handsets and then locating the phone by triangulation ­ measuring the phone’s distance from three receivers.


The Information Commissioner's Office (ICO) expressed cautious approval of the technology, which does not identify the owner of the phone but rather the handset's IMEI code -- a unique number given to every device so that the network can recognise it.

But an ICO spokesman said, "we would be very worried if this technology was used in connection with other systems that contain personal information, if the intention was to provide more detailed profiles about identifiable individuals and their shopping habits.”

Only the phone network can match a handset's IMEI number to the personal details of a customer.

Path Intelligence, the Portsmouth-based company which developed the technology, said its equipment was just a tool for market research. "There's absolutely no way we can link the information we gather back to the individual,” a spokeswoman said. “There's nothing personal in the data."

Liberty, the campaign group, said that although the data do not meet the legal definition of ‘personal information’, it "had the potential" to identify particular individuals' shopping habits by referencing information held by the phone networks.

This is similar to a form of "cookies" for the offline world. On the one hand, we have assurances that the phones' serial number will not be connected with other personal information, but there really is no assurance that will not happen. And once this information is collected, it will be in the system available to law enforcement and others who do have the ability to match it to personal information.

Via Schneier on Security: Tracking People with their Mobile Phones.

Google starts collecting street view data in Europe

According to Computerworld Security, Google has started collecting images of European streets for its Street View feature, but is holding off putting the data online until it has figured out the local privacy law challenges. See: Google takes Street View snaps in Paris; lawsuits could follow.