Friday, December 19, 2008

Privacy and internet log files

Just posted on slaw.ca:

In the past two weeks, the New York Times reported that Microsoft has made a minor concession with European privacy authorities about how long it retains its log files. A committee of European privacy regulators had asked that these logs be kept for only six months. Microsoft's response? Eighteen months.Yahoo used to keep them for thirteen months and just announced it will cut retention to 90 days. Google keeps them for nine.

The privacy implictions of these innocuous log files have been underestimated, particularly when you think about the fulsome picture of your private life that companies like Google may be assembling about you. The information in an ordinary web-server log usually contains the just a tid-bit of information. One "hit" on a website may look like this (but all on one line):

127.0.0.1 - frank 
[10/Oct/2000:13:55:36 -0700] 
"GET /apache_pb.gif HTTP/1.0" 200 2326 
"http://www.example.com/start.html" 
"Mozilla/4.08 [en] (Win98; I ;Nav)" 

The first bundle of numbers is the IP address of the computer that requested a particular web-page. "Frank" refers to a userid, which is usually not eabled. The next field is the date" Following that, and usually preceded by "GET" is the command your web-browser sent to the server. The next bits are the status code returned by the server and then the size of the entity requested. Next is something called a "referer" (mis-spelled) , followed by details about your browser.

Since many people often share the same IP address (it could be one IP for an entire company or just a group of people in a house using the same internet connection), some have argued it is not personal information and a log-file doesn't contain personal information. The problem is that even if an IP address is not directly connected to one individual, one can do some easy analysis to make the connections. After AOL released supposedly de-identified search logs to researchers, an intrepid reporter was able to track down at least one of the users who had some very personal health-related searches in the logs (see: Users identifiable by AOL search data).

What's additionally troubling from a privacy point of view is that the large inernet companies, like Google, Yahoo and Microsoft, don't just have your search queries. Increasingly, they have a huge trove of data sources in their logs.

Take Google, for example. Google has their famous Google search. They also have GMail, Google Analytics, Google AdSense, Google Documents, Google Toolbar and more. Each time you "hit" one of their sites, you're in their logs. Most internet users hit Google's logs dozens of times a day and on many of those occasions aren't even aware that they're using a Google service. Google has what is probably the most popular and widely used network of online advertising: AdSense. Each time you go to a website that features Google's ads, your computer sends a request to Google's servers and that "hit" goes into their logs, along with the information about what site you were visiting, when you visited and what ad was served. If you click on the ad, even more information is collected and logged. But even if you don't visit a site with Google's ads, there's a very good chance that the webmaster is using Google Analytics to find out about useage of his or her site. (Full disclosure: I use Google Analytics for my site at www.privacylawyer.ca.) I should also note that Yahoo! and MSN also have advertising networks, which collect the same sort of information.What this means is that Google, Yahoo and Microsoft register in their logs a significant portion of your usage of the internet.

And if you have a Google, Yahoo! or MSN account, that hit can be connected to your account details, includig your name.

I don't think it's too far fetched to think of a day when it will become standard for all investigations involving the internet to inlcude a warrant served on Google or Yahoo! or Microsoft for all logs related to a particular user or IP address or both.

Next week, I'll discuss efforts being made by governments and law enforcement to make log rentention mandatory.

Monday, December 15, 2008

A Christmas story from the Commissioners

T'was just weeks before Christmas

T’was just weeks before Christmas, and all through the land privacy commissioners were taking a stand.

While shoppers were lined up to purchase their treasures, The commissioners were urging them to take privacy measures.

Protecting your personal information should be top of mind, To ensure ID thieves don’t leave you in a bind.

Amidst the crowds and noise and the Christmas clatter, You are reminded that ID theft and fraud is a very serious matter.

If possible purchase your goods with cash, and make sure your receipts don’t end up in the trash.

Shred receipts, sales records and other personal information, And ask plenty of questions when asked to produce identification.

Clear your mailbox every day, carry a minimum amount of ID, And keep your SIN to yourself, to avoid financial agony.

The Commissioners have tips for retailers as well, Tips to protect the information of their Clientele.

If you don’t need it, don’t collect it the commissioners advise, Protecting your customer’s information is prudent and wise.

Shred what you don’t need and protect the rest, And make sure point of sale terminals are visible to guests.

Keep all information away from prying eyes, So your customers don’t get a nasty surprise.

From BC, Alberta and Ottawa too, We hope these tips will keep personal information from bidding adieu.

From all who provide privacy oversight, One last reminder...make sure your credit card is always in sight.

Wednesday, December 10, 2008

The importance of audits

Bruce Schenier has a great piece on his blog, which previously appeared in the Wall Street Journal, on the importance of audits. It's a must-read:
Schneier on Security: Audit

... When we think about security, we commonly think about preventive measures: locks to keep burglars out of our homes, bank safes to keep thieves from our money, and airport screeners to keep guns and bombs off airplanes. We might also think of detection and response measures: alarms that go off when burglars pick our locks or dynamite open bank safes, sky marshals on airplanes who respond when a hijacker manages to sneak a gun through airport security. But audit, figuring out who did what after the fact, is often far more important than any of those other three.

Most security against crime comes from audit. Of course we use locks and alarms, but we don't wear bulletproof vests. The police provide for our safety by investigating crimes after the fact and prosecuting the guilty: that's audit....

Sunday, December 07, 2008

Intel, Google Asked to Help Revise EU Data Protection Laws

This is interesting ...

Intel, Google Asked to Help Revise EU Data Protection Laws (PC World) by PC World: Yahoo! Tech

Intel, Google Asked to Help Revise EU Data Protection Laws (PC World)

Posted on Fri Dec 5, 2008 6:55PM EST

- The European Commission has set up an advisory panel including executives from Google and Intel to help it revise European Union laws on data protection.

"The aim of the group is to identify issues and challenges raised by new technologies. We are not reviewing the main data protection laws at present, but this could be a first step," said European Commission spokesman Michele Cercone.

He added that the executives were chosen in a private capacity, rather than as representatives of their companies.

Peter Fleischer, Google global privacy counsel, along with David Hoffman, Intel's group counsel for eBusiness and privacy will sit alongside data protection lawyers and regulators on the panel, which held its inaugural meeting Thursday.

"I am delighted to have been asked," Fleischer told journalists.

Many aspects of the existing E.U. legislation have been made obsolete by advances in technology, Fleischer said, referring to the E.U.'s cornerstone law, the 1995 data protection directive.

He will urge the Commission to adopt a system where companies only have to deal with one national data protection authority, instead of having to meet the demands of all 27, as they do at present.

"There is a need for harmonization of data protection enforcement in Europe," he said, adding that a system of mutual recognition among national authorities will go a long way in achieving that aim.

He also will try to persuade the Commission to move away from a location-based approach. "It worked when data was stored on paper, but with the Internet that concept is obsolete because data travels around the world and is commonly stored in many different locations at once. There is a strong need for data protection laws to take the new technology into consideration," Fleischer said.

He pointed to Canada's approach, which is not location-based, but calls on data controllers, such as companies, to be responsible for data safety.

Finally, he wants data protection laws to apply to public institutions as well as to private companies, pointing out that some of the most serious threats' to potential threats to people's data and their privacy are posed by governments, not corporations. The 1995 law only applies to the private sector.

Privacy campaign groups are critical of Google's own approach to privacy. However, none were available to comment.

Friday, December 05, 2008

Privacy Commssioner focuses on protection of personal information in accessible tribunal records

Just posted on Slaw, but like of interest to readers of this blog:

Slaw: Privacy Commssioner focuses on protection of personal information in accessible tribunal records

by David T. S. Fraser on December 5th, 2008

Yesterday, the Privacy Commissioner of Canada tabled her annual report on the Privacy Act. While she came down hard on a number of federal bodies such as the passport office, one aspect of the report should be of interest to lawyers generally.

The Commissioner reports on a whole range of complaints against tribunals and quasi-judicial bodies for publishing sensitive personal information about parties and non-parties. Decisions and tribunal records have always contained such information, but now that more of these decisions are readily available online, complainants are not happy that searching for their names online will bring up these decisions in the results.

The Commissioner is hampered by the fact that she can’t order them to change their practices and that many of the disclosures are arguably permissible under the Privacy Act. In any event, she has issued a number of recommendations that have been ignored by many of the tribunals at issue:

  • Reasonably depersonalize future decisions that will be posted on the Internet through the use of randomly assigned initials in place of individuals’ names; or post only a summary of the decision with no identifying personal information.
  • Observe suggested guidelines respecting the exercise of discretion to disclose personal information in any case where an institution proposes to disclose personal information in decisions in electronic form on the Internet.
  • Remove decisions that form the basis of the complaints to the OPC from the Internet on a priority basis until they can be reasonably depersonalized through the use of randomly assigned initials and re-posted in compliance with the Privacy Act.
  • Restrict the indexing by name of past decisions by global search engines through the use of an appropriate “web robot exclusion protocol;” or remove from or reasonably depersonalize all past decisions on the Internet through the use of randomly assigned initials, within a reasonable amount of time.

And in case you were thinking this may sound somewhat familiar, the Canadian Judicial Council tackled this issue in its 2005: Use of Personal Information in Judgments and Recommended Protocol (PDF).

Privacy right extends to drugs in luggage

A Judge of the Supreme Court of Newfoundland has made an interesting evidentiary ruling when considering the constitutionality of a search that resulted in finding drugs and cash in the luggage of an airline passenger.

Acting on a tip, a sniffer dog alerted police, the bag was searched and the accused was arrested. He has argued that he had a reasonable expectation of privacy in his luggage and wanted the evidence excluded. The prosecutors argued that you have no expectation of privacy when traveling because luggage is routinely screened.

The Judge had this to say, according to the National Post:

"Obviously, searching or screening the accused's bags for the presence of drugs does not fit into the category of purposes for which screening was authorized," wrote Mr. Hall.

"I conclude that Brian Crisby had a reasonable expectation of privacy with respect to the contents of his luggage, save and except for searches by [airport] personnel for items that could be used to jeopardize the security of an aerodrome or aircraft. The drugs and money found in his baggage, which are the subject of this proceeding, are not such items and thus Brian Crisby had a reasonable expectation of privacy."

Mr. Rogers described the win as clearing the first hurdle toward having the charges dropped.

Interesting.

See: Privacy right extends to drugs in luggage: judge.

Thursday, December 04, 2008

Federal Commissioner tables annual report on Privacy Act

The Federal Privacy Commissioner has today tabled her annual report on the Privacy Act. And she isn't happy with how certain government departments handle personal information:

News Release: Privacy issues given short shrift in passport operations and tribunal Internet postings, Commissioner says (December 4, 2008) - Privacy Commissioner of Canada

News Release

Privacy Commissioner’s 2007-2008 Annual Report to Parliament on the Privacy Act outlines audit of Passport Canada; investigative findings regarding online posting of personal information by administrative and quasi-judicial bodies

Ottawa, December 4, 2008 — Privacy concerns are not given enough weight in the day-to-day operations of a number of federal government institutions, the Privacy Commissioner of Canada says.

The Commissioner’s latest Annual Report to Parliament on the Privacy Act, which was tabled today, describes how privacy and security problems in Canada’s passport operations added up to a significant risk for Canadians applying for passports.

The annual report also highlights the Commissioner’s concerns that the online posting of personal information by some federal administrative and quasi-judicial bodies does not strike the right balance between the public interest and privacy rights.

Privacy Commissioner Jennifer Stoddart says her Office’s audit of passport operations raised a broad range of concerns about how personal information was handled.

“Given the high sensitivity of the personal information involved in processing passport applications, better privacy and security measures are needed,” says Commissioner Stoddart. “Unfortunately, the shortcomings we found raised the risk that Canadians’ information could wind up in the wrong hands.”

The audit found that passport applications and supporting documents were kept in clear plastic bags on open shelves; documents containing personal information were sometimes tossed into regular garbage and recycling bins; and some documents that were shredded could be easily put back together. Meanwhile, computer systems allowed too many employees to access passport files. The investigation also concluded there was inadequate privacy training for employees – an issue which is a concern across government institutions.The Commissioner is pleased that Passport Canada and the Department of Foreign Affairs and International Trade have indicated they will act on her recommendations and improve privacy and security safeguards.

The annual report also outlines the Commissioner’s concerns about the online posting of federal administrative and quasi-judicial bodies’ decisions which contain highly sensitive personal information.

The OPC investigated 23 complaints regarding the disclosure of personal information on the Internet by seven bodies created by Parliament to adjudicate disputes. The complaints involved: the Canada Appeals Office on Occupational Health and Safety; the Military Police Complaints Commission; the Pension Appeals Board; the Public Service Commission; the Public Service Staff Relations Board; the RCMP Adjudication Board; and Umpire Benefits decisions.

Decisions of these bodies often include highly personal information such as an individual’s financial status, health and personal history.

“This is private information. Law-abiding citizens fighting for a government benefit should not be forced to expose the intimate details of their lives to everyone with an Internet connection,” says Commissioner Stoddart.

The Commissioner agreed that the “open court” principle is an important part of Canada’s legal system, but noted there is a crucial distinction between the courts and the bodies the OPC investigated: The Privacy Act does not apply to the courts, but it does apply to many administrative tribunals and quasi-judicial bodies.

In order to respect their obligations under the Privacy Act, the Commissioner recommended, among other steps, that the bodies reasonably depersonalize decisions posted online by replacing names with random initials. However, the Commissioner noted that, where there is a genuine and compelling public interest in such a disclosure, these bodies have the legal authority under the Act to exercise discretion in disclosing personal information.

Service Canada and Human Resources Development Canada agreed to fully implement the OPC’s recommendations. Other bodies took important but incomplete steps towards compliance with the Commissioner’s recommendations.

Currently, unlike its private-sector counterpart, the Privacy Act does not empower the Privacy Commissioner to enforce her recommendations through legal actions. The OPC has recommended an overhaul of the legislation to address this and other concerns.

The OPC has also asked Treasury Board Secretariat to develop centralized policy guidance on the online posting of personal information by administrative and quasi-judicial bodies.The annual report outlines key activities undertaken by the OPC during 2007-2008, including audits, investigations and policy work. The report notes that new complaints against government institutions dropped slightly to 759 in 2007-2008 from 839 the previous year.

The report is available on the OPC website.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

Wednesday, December 03, 2008

Privacy Commissioner's 2007-2008 Annual Report to be tabled

The Commissioner is going to be tabling her annual report on the Privacy Act before parliament tomorrow:

CNW Group OFFICE OF THE PRIVACY COMMISSIONER OF CANADA Media Advisory - Privacy Commissioner's 2007-2008 Annual Report to be tabled

OTTAWA, Dec. 3 /CNW Telbec/ - The Privacy Commissioner of Canada's 2007-2008 Annual Report to Parliament on the Privacy Act is expected to be tabled in Parliament on Thursday, December 4, 2008.

The report will highlight:

  • Findings of an audit of Canada's passport operations;
  • Investigative finding related to complaints about several federal administrative tribunals and quasi-judicial bodies posting decisions containing highly sensitive personal information to the Internet;
  • The Commissioner's call for improved privacy training in the federal government; and
  • Other investigations, audits and policy work undertaken by the Office of the Privacy Commissioner.

After the report is tabled, copies will be available to the media through the Parliamentary Press Gallery and on the Privacy Commissioner's website at www.privcom.gc.ca.

Privacy commissioner urged to probe Tory eavesdropping

This may be a legitimate complaint, but a futile one under the Privacy Act:

TheStar.com Canada Privacy commissioner urged to probe Tory eavesdropping

Dec 03, 2008 03:18 PM

OTTAWA — A public interest researcher has filed a formal complaint with Privacy Commissioner Jennifer Stoddart, charging top prime ministerial aides, a parliamentary secretary and an MP with "serious breaches" of the privacy laws.

Ken Rubin is asking Stoddart to investigate the eavesdropping, recording and distribution of a New Democratic conference call by a Conservative MP last weekend about a proposed alternative coalition government.

The office of Prime Minister Stephen Harper claimed that the MP was "invited" to participate by email, but the NDP suggested Conservative MP John Duncan mistakenly received an email intended for their MP Linda Duncan, and should not have participated in the call, let alone tape it.

The party has asked the RCMP to investigate whether an offence under the Criminal Code occurred.

Rubin contends that even if criminal law wasn't broken, there were serious breaches of privacy by a government that has claimed it would fight identity theft with tougher criminal code provisions.

In a letter sent to Stoddart today, Rubin writes that provisions in privacy legislation "mean you cannot collect or share personal information or conversations of others that you are not a legitimate party to."

He alleges several breaches, all related to the "wrongful" and wide distribution to the media of the contents of the conference call "by a government entity (who receives significant taxpayers' monies)."

He suggests it is a case of potential "identity theft" when a person (in this case one elected MP) "allegedly assumes the identity of another elected MP with the same last name, whether there was a mix up in the communications sent or not."

Rubin described himself as "both a privacy and access to information advocate with no partisan axe to grind."

He urged an investigation by Stoddart, the Ethics Commissioner, and a Parliamentary committee, reminding Stoddart of her advocacy for stronger protections against identity theft.

"No public official should be seen to be or partake in any such activity."

"These privacy breaches are all the more onimous when they are carried out by the central state and with the Prime Minister's Office in the lead. This is the very institution whose elected head and parliamentary secretary (Pierre Poilievre, who commented on the call) are supposed to be leaders in upholding Canadians' privacy protections."

Rubin acknowledged the PMO is not "directly covered under either privacy or access legislation."

But he reminded Stoddart that Ontario ministers have had to resign in the past when they misused personal data derived from government institutions.

"Someone in this case needs to be held accountable and to offer Parliament and the appropriate parliamentary committee an explanation."

"It is disturbing too to see that on one hand, the government denies public access to much of its key operations, including the PMO. But it then feels it can gain intelligence on the operations of others by using deceptive means."

Dimitri Soudas, a spokesman for the Prime Minister's Office, said "no comment" in response to a request from the Star.

Meantime, Rubin's complaint my reach a dead end.

Valerie Lawton, a spokesperson for Stddart, said in an emailed: "The Privacy Act does not cover political parties or members of Parliament."

The privacy commissioner also does not have jurisdiction over either political parties or MPs.

Tuesday, December 02, 2008

Slaw Makes the ABA’s Top 100 List of Legal Blogs

Congratulations to Slaw, the Canadian collaborative weblog of all things legal on being named to the American Bar Association's Top 100 list of blogs. Very cool. See: Slaw: Slaw Makes the ABA’s Top 100 List.

Collection of Driver’s Licence Numbers Under Private Sector Privacy Legislation

The Canadian, Alberta and British Columbia Privacy Commissioners have today jointly released a guidance document on the collection of drivers' license information by retailers.

It's here: Collection of Driver’s Licence Numbers Under Private Sector Privacy Legislation - Privacy Commissioner of Canada.

And here's the media release:

Retailers must limit collection of driver's licence information, Commissioners say

Ottawa, December 2, 2008 - Retailers have to exercise caution when it comes to collecting information from consumers' driver's licences and recording the numbers, according to three of Canada's privacy guardians. And Canadians are concerned about this growing trend.

To address consumers' unease and retailers' confusion, the Privacy Commissioner of Canada and the Information and Privacy Commissioners of Alberta and British Columbia today released new guidance on this issue.

"More and more retailers are asking to see driver's licences and are recording numbers, often in contravention of privacy laws," says the federal Privacy Commissioner, Jennifer Stoddart.

The new guidelines will help retailers determine whether it is appropriate to collect driver's licence numbers.

Retailers say they are asking for driver's licence information for a number of reasons. For example, they use it to verify the identity of someone using a credit card or picking up merchandise that has already been paid for. Many also use driver's licence numbers to deter and detect fraud, particularly when merchandise is being returned without a receipt.

"A driver's licence is proof that someone is allowed to drive a car. It is not a universal identity card. Nor is it an appropriate identifier for use in analyzing shopping return habits," says B.C. Information and Privacy Commissioner David Loukidelis.

The Commissioners noted that a driver's licence number is a particularly sensitive piece of information which can be valuable to identity thieves.

All three Commissioners have received many complaints about retailers requesting driver's licence information.

"Many Canadians are uncomfortable with retailers recording their driver's licence numbers. In most cases, we agree that this going too far," says Frank Work, Alberta's Information and Privacy Commissioner.

Polling by the Office of the Privacy Commissioner of Canada has found that more than half of Canadians say they are concerned about giving their personal information to retailers.Alberta, British Columbia and Quebec have adopted privacy laws covering the private sector. Everywhere else in Canada, federal privacy legislation applies.

The common criteria in all this legislation requires that the collection of the personal information from the driver's licence must be for a specific and reasonable purpose.

Retailers need to limit the collection of personal information to the least amount needed to achieve a specific purpose – such as confirming a customer's identity. They must be able to explain to customers why they are collecting this information. They are also required to protect it with appropriate security measures.

The new guidelines explain that many business purposes can be satisfied by simply looking at identification, or, at most, recording the name and address appearing on the licence.

There is a major difference between examining a driver's licence and recording the number on it – or even photocopying the whole document. Recording this kind of sensitive information raises the risk of a privacy breach down the road, while a photocopy involves the collection of information well beyond a name and address, including a photo, signature and physical descriptions.

"Retailers want to foster good relationships with their customers, and they understand that respecting their privacy is a key issue. These guidelines help clarify the rules for both consumers and retailers, and we encourage all our members to ensure that they put the appropriate practices in place," says Derek Nighbor of the Retail Council of Canada.

Consumers should ask for an explanation of why their driver's licence information is being requested – particularly when a retailer attempts to record the number or photocopy the licence. If consumers are not satisfied with the explanation, they can ask to speak to a manager or the person responsible for privacy issues.

Consumers can also contact the appropriate Privacy Commissioner's Office if they still have doubts about whether the collection of their personal information is appropriate.

The guidelines are available on the Commissioners' websites: http://www.privcom.gc.ca/; http://www.oipc.ab.ca/; and http://www.oipcbc.org/.

Collection of Driver's Licence Numbers Under Private Sector Privacy Legislation – A Guide for Retailers (PDF Version)

Canada's Privacy Commissioner Launches 6th Annual Privacy Research Contributions Program

The Commissioner has launched the sixth year of the research contributions program. From the Government of Canada website:

Canada's Privacy Commissioner Launches 6th Annual Privacy Research Contributions Program

Ottawa, December 1, 2008 — The Office of the Privacy Commissioner of Canada (OPC) today announced the launch of the 2009-2010 privacy research Contributions Program. This is the sixth year for the annual program, and up to $500,000 in funding will be available for research, as well as public education and awareness initiatives.

The OPC is inviting research proposals focused on four key privacy priority areas: 1) national security; 2) identity integrity and protection; 3) information technology; and 4) genetic privacy.

Last year, for the first time, the OPC expanded the program to include funding for public education and regional outreach initiatives as well. The response to this new aspect of the program was very positive and yielded a number of innovative initiatives across Canada. In recognition of this success, the Office will continue to provide public education and regional outreach funding as part of the 2009-2010 Contributions Program.

Created in 2004 to support non-profit research on privacy that furthers the development of a national research capacity in Canada, the Contributions Program is highly regarded internationally and considered one of the foremost privacy research funding programs in the world. To date, the program has allocated over $1.5 million to more than 40 initiatives in Canada.

In an effort to give researchers and organizations more time to complete their projects, the OPC is launching this year’s program earlier than in the past. The new deadline for applications has been set for January 30, 2009. We expect to have agreements in place by the end of March 2009.

Information about the four priority areas and how to apply for funding is posted on the Office of the Privacy Commissioner’s Web site. Project summaries of past successful applicants are also available on the site.

All proposals will be evaluated on the basis of merit by OPC officials, and the maximum amount that can be awarded for each research or public education project is $50,000. The maximum any single organization can receive is $100,000.

The Office of the Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy rights in Canada.