Wednesday, January 28, 2009

Time for a privacy check-up

Today's Halifax Chronicle Herald has an opinion piece by Bob Doherty, the former head of privacy and access with the Nova Scotia Department of Justice:

Time for a privacy check-up - Nova Scotia News - TheChronicleHerald.ca

Time for a privacy check-up Laws need to be understandable, consistent

By BOB DOHERTY Wed. Jan 28 - 7:25 AM

With today being International Data Privacy Day, it is useful to see just how far society in Atlantic Canada has come in dealing with the complex issue of privacy since the last, almost unnoticed, celebration of this event locally a year ago.

Positive signs are emerging in the efforts to create more privacy consciousness in the region. Dalhousie University hosted a privacy event yesterday, and there have also been other events over the past 12 months. Most recently, CBC Radio’s Maritime Noon hosted a privacy "phone in" with Kostas Halavrezos and local privacy lawyer David Fraser. All of these events and others point to an increase in privacy consciousness in the past year.

However, as one listened to the calls that were received on the CBC Radio privacy segment, it became apparent there was substantial confusion as to what privacy choices, rights, obligations and remedies exist in a variety of settings. A good part of this confusion would seem to arise from a misunderstanding as to what "privacy" is.

In a nutshell, privacy is about legal choices, rights, obligations and remedies for the collection, use and disclosure of non-public, usually recorded, information about us, as individuals, in certain public and private-sector situations. However, even further than this, there are usually only four categories of personal information about us in which privacy choices, rights and obligations may or may not exist:

Our secrets: This includes information about our personal or work lives, such as employment record, sexual orientation, personal preferences, digital photos or video recordings, records of library loans, video rentals, etc.

Our identity: Such things as our social insurance number, health card number, blood type, society membership cards, etc., fall into this category.

Our health: This includes our medical and psychological history.

Our finances: Examples are our financial and credit status, bank account information, credit card identification and usage history, etc.

While some of the information in all categories may not be considered particularly sensitive and of little privacy interest to some individuals, for others this information is very personal and its disclosure would be viewed as highly privacy-invasive. Regardless of the sensitivity, there is always the potential for public embarrassment, denial of services or financial loss if the information is disclosed, or disseminated widely or indiscriminately.

However, while all of these categories involve our privacy choices, not all of the situations in these categories are subject to privacy laws.

All of this information we willingly (or reluctantly) give to selected individuals or organizations, either as a matter of trust, social interaction, contract or as required by law. However, there seems to be confusion among the general population on choices, rights, obligations and remedies (if any) in many of these situations where our personal information is involved.

In many cases, as Esther Dyson points out in a September 2008 Scientific American article entitled Reflections on Privacy 2.0, "People often have a better bargaining position than they realize, and are gaining the tools and knowledge to exploit that position."

So, how do we lessen that confusion and achieve that level of knowledge and understanding? For those who have tried to navigate the patchwork landscape of privacy laws in Canada, the answer should be obvious. Current laws need to be made more understandable to the average person and consistent across Canada. Penalties should be clear and significant for egregious privacy breaches, and oversight mechanisms must be provided with broad educational mandates and the budgets to implement them.

At the federal level, this would include passage of the proposed "identity theft" amendments to the Criminal Code, and development of clarity amendments to federal public and private-sector privacy legislation.

In Nova Scotia, this would mean proclamation of the recently passed Privacy Review Officer Act. It would also mean a provincial health information law, along with legislation to deal with privacy in the workplace and electronic surveillance (e.g. video, digital cameras including cellphone cameras, and computers).

If these changes, along with increased privacy education about choices, rights and obligations regarding our personal information in the schools, the workplace and the community are implemented, perhaps at this time next year we will not only have an increased level of privacy consciousness – we will also have a better understanding and the capacity to engage in a more informed debate on the future directions privacy-protection policy and laws should take.

Bob Doherty is a Halifax access and privacy consultant who teaches and works with access and privacy law courses in Nova Scotia and Alberta.

I think that Bob and I may think about privacy a bit differently. I probably wouldn't have used the categories he did. To me, words like "non-public" aren't very helpful and everything may fit into the category of "secrets". It just depends on how much an individual decides to disclose and how they propose to disclose it. Public information can be subject to privacy rights, as is the case in PIPEDA where publicly available information is still subject to legal limitations. But no matter what, the public should be educated about privacy rights and should have a say in shaping privacy laws.

Tuesday, January 27, 2009

Happy data privacy day!

Happy Data Privacy Day! Tomorrow is data privacy day and there are a range of events taking place all over the world. I'll be at a lunch today at Dalhousie (Data Protection Day) and then in St. John's tomorrow at Memorial University (Information Access and Privacy Protection Data Privacy Day).

To find events in your neighbourhood, check out Intel's Data Privacy Day 2009 page.

Monday, January 26, 2009

Telling community stories with Street View

Here's a nice departure from the usual privacy complaining about Google's Street View. The concept is simple: turn Google Street View into a community event. Its execution was perfect. I'll let the authors describe it:
STREET WITH A VIEW: a project by Robin Hewlett & Ben Kinsley

Street With A View introduces fiction, both subtle and spectacular, into the doppelganger world of Google Street View.

On May 3rd 2008, artists Robin Hewlett and Ben Kinsley invited the Google Inc. Street View team and residents of Pittsburgh’s Northside to collaborate on a series of tableaux along Sampsonia Way. Neighbors, and other participants from around the city, staged scenes ranging from a parade and a marathon, to a garage band practice, a seventeenth century sword fight, a heroic rescue and much more...

Street View technicians captured 360-degree photographs of the street with the scenes in action and integrated the images into the Street View mapping platform. This first-ever artistic intervention in Google Street View made its debut on the web in November of 2008.

An incredible cast of real-life characters contributed their time, energy and talents to creating pseudo-street life on Sampsonia Way. Please check out the scene breakdown, the participant page and the video documentation to learn more about the artists, groups and participants that made Street With A View possible.

Bravo!

Tuesday, January 20, 2009

Heartland data breach could be bigger than TJX's

Heartland Payment Systems has announced that it suffered a significant data breach last year after it was discovered that hackers had installed software on its systems to capture credit card information. The firm apparently processes over 100 million transactions a month, leading to speculation that this may dwarf the 2007 TJX breach. See: Heartland data breach could be bigger than TJX's.

Tuesday, January 13, 2009

Alberta pawnshop owner loses privacy battle

According to the Edmonton Journal, an Edmonton pawnshop owner who has been waging a battle against the mandatory uploading of personal information of those who pawn items to a central database has lost his battle, at least in the Court of Queen's Bench. This reverses a decision of the Alberta Information and Privacy Commissioner.

Past posts on this story: Canadian Privacy Law Blog: Edmonton's pawnshop database violates privacy laws, Alberta commissioner rules, Canadian Privacy Law Blog: Edmonton pawnshop owner takes a stand over electronic reporting of personal information of customers to police.

Pawnshop owner loses privacy battle By Gordon Kent, The Edmonton Journal January 10, 2009

An Edmonton second-hand dealer vows to continue fighting for customer privacy after a judge quashed an order that would have forced the city to destroy pawnshop customer information.

In a decision released Friday, Court of Queen's Bench Justice Joanne Veit ruled Alberta Information and Privacy Commissioner Frank Work was wrong when he concluded the city can't force pawnshops to upload personal client details to an outside company's database.

"The requirement to record information about the pawnor, as well as about the goods, is clearly intended to discourage trades in stolen property, and to help police investigate reports of stolen property," Veit wrote.

"Uploading information electronically to a secure database ... is therefore just a system of doing, in 2005, the equivalent of what was done (on paper) in 1896." Changes made four years ago to Edmonton's licensing bylaw require stores to record each customer's name, address, birthday, gender, eye colour, hair colour and item pawned. The information is on a database managed for the police by Business Watch International Inc. of Saskatchewan.

Work determined last February that reasonable steps hadn't been taken to safeguard the information and instructed the city to eliminate it.

The judge, however, said the database is outside Edmonton's control and includes material that isn't covered by the bylaw.

Shops have continued to provide personal data and no information was destroyed during the appeal of Work's ruling.

The matter was raised as a test case by Pioneer Exchange owner Kelly Buryniuk, who sold a DVD player to Mill Woods Cash Converters in 2006 and then complained to Work about the process for handling his personal information.

He said he was disappointed by the judge's decision and will probably contact the federal privacy commissioner about the issue that's viewed differently in different provinces.

"I have had hundreds and hundreds, maybe thousands, of customers come up and thank me for proceeding with this because they thought it was an injustice and their rights were being violated," said Buryniuk, who didn't take part in the October court hearing.

"They understand the collection of information. They don't understand how that information can be given wholesale to another company." Local police have been gathering written details of pawnshop transactions for more than 100 years, but the old approach became so cumbersome that officers were picking up more than 200,000 sheets of paper a year and taking six weeks to enter them into computers.

Buryniuk said the electronic system isn't leading to the recovery of more property and allows police to go on "fishing expeditions" through personal material.

"Even if the decision came the other way, in my favour, the pawnshops would still be required to collect the information. It's just that the police would have to have just cause to access (it)." But Coun. Ed Gibbons, whose northeast Ward 3 has more than two dozen pawnshops, said he's glad the city won its case.

"I'm just a layman saying, 'What's the big problem?' I don't think they're all criminals. I think there's a percentage. We should be monitoring," he said.

"There's merit behind checking stuff and seeing whether it's stolen or not. If it comes with a little bit of cost with somebody's privacy, so be it."

Sunday, January 11, 2009

A rare peek at Homeland Security's files on travelers

In case you were wondering how much information the Department of Homeland Security keeps on travelers in the United States, look no further: A rare peek at Homeland Security's files on travelers - This Just In - Budget Travel. Via Gadling.

Wednesday, January 07, 2009

New system takes ID swiping to a new level

I've written on this blog before about the practice of swiping drivers' licenses and other IDs at bars. The Omega--an independent student newspaper from Thompson Rivers University--is reporting about a company that takes it to a new level by photographing all bar patrons:

Big brother at the bar? - Cactus Jacks implements new way to screen attendees

“We have a new monitoring system called Treoscope that everyone that comes into the pub must go through,” said Cactus Jack’s manager Pete Backus. “It takes your picture and also records your name and where you are from.”

The entire system has brought up privacy concerns. The B.C. privacy commissioner is ruling on the legality of the way Treoscope collects and stores information.

The B.C. Civil Liberties Association said Treoscope violates the Personal Information Protection Act and the collection and storage of information from driver’s licenses is not necessary to provide the services drinking establishments offer. The association has qualms over who can access personal information and any resulting identity theft.

The electronic identification system has been put in place because of rising levels of violence in the club. Cactus Jack’s now requires identification cards that have a magnetic swipe stripe containing the user’s name, address and age in order for entrance to be granted.

According to the Treoscope website, patrons’ personal information is safe because only the name and age are displayed, not the birth date. It also claims information can only be accessed by police if they have a proper warrant.

Treoscope EnterSafe’s software database is connected to other clubs’ computers that operate the same software. When there is an incident, a “community alert” is attached to the person’s name allowing all those connected to determine whether to allow a club-goer in or not.

“We use it for security for the patrons of the club,” Backus said, who added they have been trying to cut down on gang violence in and around the club. When they learn someone is an Independent Soldier or other gang member they go back to the stored information and flag the individual. “We are trying to get rid of that,” Backus said. “We are not allowing people into the club that are gang-related or if they come into a club and start a fight. When that happens we now have their picture and we can suspend them from the club for as long as we want.”

A person disrobed in front of another still has a reasonable expectation of privacy

According to Yahoo! News, a Wisconsin court has held that a person who is voluntarily naked in front of others still has a reasonable expectation not to be videotaped. (See: Wis. court: Nude people still have privacy rights - Yahoo! News.) Unusual case but makes sense to me.

Via Photo Attorney.

Added: I've read the decision and have a bit more information (enough to make me change the title of this blog-post to be a bit more clear).

In this case, the defendant was charged with violating a Wisconsin law that criminalizes recording someone in the nude when they have a reasonable expectation of privacy. The complainant was voluntarily disrobed in front of her then-boyfriend, who had hidden a camera under some laundry. He argued that she had no expectation of privacy as she knew he was able to see her disrobed. The court took a much more context-specific reading of what is a reasonable expectation of privacy.

Monday, January 05, 2009

CBSA opens lawyer's mail

Cyndee Cherniak, at Trade Lawyers Blog, reports on receiving a piece of mail addressed to her -- clearly a lawyer -- that had been opened and "inspected" by the Canada Border Services Agency. She is understandably angry.

See: BEWARE - Canada Border Services Agency WILL Read Lawyer's Mail.

This is a gross affront to solicitor-client privilege and privacy. In my view, mail that is clearly sent to a lawyer should be subject to additional protection. Given the important role of privilege in our legal system, warrants to search lawyers' offices require additional safeguards. Surely similar protections for mail to lawyers are warranted.

Friday, January 02, 2009

The Canadian Privacy Law Blog is Five!

Five years ago, on January 2, 2004, a new age of privacy was creeping across Canada and this blog was born. The day before, at the stroke of midnight, the Personal Information Protection and Electronic Documents Act (Canada) had come fully into force. The Alberta and British Columbia Personal Information Protection Acts also became effective on the first day of 2004.

Since then, we have seen dramatic changes in privacy throughout the world: Identity theft is on the rise; there have been literally thousands of data breaches exposing the personal information of millions of people; governments are looking for easier access to personal information; video surveillance is more widespread; more personal information is generated digitally and aggregated in private hands.

And in the past year specifically, things have remained interesting on the privacy front. We've seen debate over changes to PIPEDA without anything definitive coming from the mandatory five year review. We've also seen arguments put forward to reform the public sector Privacy Act. Focus has also been drawn to the increasing practice of examining laptops at US border crossings. Litigation between Viacom and Google has raised awareness of log information that's often retained by internet companies. And Google has also been sued by a couple claiming their privacy has been violated by presenting pictures of their house in Google Street View. But in the last year, the one big privacy story that was supposed to have the largest impact on Canadians was the implementation of the National Do Not Call List. Whether it has, in fact, had an impact is the subject of debate.

I'd like to thank the many thousands of readers of the blog for visiting this site and thanks to those who have contacted me with comments, compliments, suggestions and links to interesting news. It's been a pleasure to write and I plan to keep it going as long as there's interesting privacy news to report.

Birthday cake graphic used under a creative commons license from K. Pierce.

Log retention initiatives

Just posted on Slaw:

Slaw: Log retention initiatives

I wrote two weeks ago about privacy issues related to the log files that are created and retained by internet companies. The moral of that story was that there is a significant amount of information that is collected in these logs and when they are retained and collated, they can reveal a lot of personal information. I concluded by saying:

I don’t think it’s too far fetched to think of a day when it will become standard for all investigations involving the internet to include a warrant served on Google or Yahoo! or Microsoft for all logs related to a particular user or IP address or both.

In Canada, many may remember "lawful access", which was the subject of a number of consultations beginning in 2002. The consultation backgrounder and FAQ solicited comment on preservation orders (here) but the topic was not addressed when the Liberal government introduced the Modernization of Investigative Techniques Act (MITA). I am sure that preservation orders remain on the wish lists for law enforcement in Canada, but they're not here yet.

Europe has taken a different path. In 2006, the European Union adopted Directive 2006/24/EC entitled "on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks". The Directive is meant to harmonize the retention rules of the members of the European Union. It requires that member states adopt rules or legislation to make it mandatory for communications providers to retain certain log-type data for a period of not less than six months and not more than two years (Article 6). From the "Subject Matter and Scope" clause of the Directive:

1. This Directive aims to harmonise Member States' provisions concerning the obligations of the providers of publicly available electronic communications services or of public communications networks with respect to the retention of certain data which are generated or processed by them, in order to ensure that the data are available for the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law.

The Directive goes beyond web communications and includes e-mail, telephone, VoIP and mobile phones. The sort of data that has to be collected and retained is that which identifies the source of the communication, the destination of the communication, the device that was used to make the communication and the "user ID" (defined to mean "a unique identifier allocated to persons when they subscribe to or register with an Internet access service or Internet communications service"). The Directive makes it plain that communications providers are not to retain the content of the communication (Article 5(2)).

While the Directive is aimed at saving information so that it can be obtained after the fact in connection with investigations, the debate over data retention in the United States has mainly focused on what has been reported to be informal and secret arrangements made by the National Security Agency and various telephone companies to save telephone calling information. This story was broken by USA Today: USATODAY.com - NSA has massive database of Americans' phone calls.

In addition, US criminal law permits law enforcement to make a written request for the preservation of records for 90 days (renewable for a further 90 days) (US CODE: Title 18, s. 2703(f)):

(f) Requirement To Preserve Evidence.—

(1) In general.— A provider of wire or electronic communication services or a remote computing service, upon the request of a governmental entity, shall take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other process.

(2) Period of retention.— Records referred to in paragraph (1) shall be retained for a period of 90 days, which shall be extended for an additional 90-day period upon a renewed request by the governmental entity.
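The two regimes described above, the Directive's "traffic data but never content" retention and the s. 2703(f) preservation request, map naturally onto a retention policy that a provider's logging pipeline has to enforce. The following is an added example written for this post, not code from the original article or from any provider; it models a minimal policy engine: records are stripped to source/destination/device/user-ID fields before storage (content fields are dropped, and unknown fields are refused rather than silently kept), records older than a fixed window are purged, and a preservation request freezes one user's records for 90 days, renewable once. The field names, the 180-day window, the sample records and the function names are all assumptions for illustration; the Directive and the statute fix only the limits, not these values.

```python
"""Added example (not from the original post): a minimal log-retention policy
that models Directive-style minimisation plus a s. 2703(f)-style preservation
hold. Field names, the 180-day window and the sample records are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Fields identifying source, destination, device and user (traffic data). Assumed names.
RETAINED_FIELDS = frozenset({"ts", "src_ip", "dst_host", "device_id", "user_id", "proto"})
# Content fields that must never be retained (Article 5(2)). Assumed names.
CONTENT_FIELDS = frozenset({"body", "subject", "query", "url_path"})

RETENTION_WINDOW = timedelta(days=180)    # assumed policy value, inside the 6-month to 2-year band
PRESERVATION_PERIOD = timedelta(days=90)  # s. 2703(f)(2)
MAX_RENEWALS = 1                          # one additional 90-day period on a renewed request


def minimise(record: dict) -> dict:
    """Return only retainable traffic-data fields. Unclassified fields raise so that
    a new content-bearing field cannot slip into storage unnoticed (fail closed)."""
    unknown = set(record) - RETAINED_FIELDS - CONTENT_FIELDS
    if unknown:
        raise ValueError(f"unclassified fields, refusing to retain: {sorted(unknown)}")
    return {k: v for k, v in record.items() if k in RETAINED_FIELDS}


@dataclass
class PreservationHold:
    user_id: str
    expires: datetime
    renewals: int = 0


@dataclass
class RetentionStore:
    records: list = field(default_factory=list)
    holds: dict = field(default_factory=dict)

    def ingest(self, record: dict) -> None:
        self.records.append(minimise(record))

    def preserve(self, user_id: str, now: datetime) -> PreservationHold:
        """Model a s. 2703(f) request: 90 days, extendable once by a renewed request."""
        hold = self.holds.get(user_id)
        if hold is None:
            hold = PreservationHold(user_id, now + PRESERVATION_PERIOD)
        elif hold.renewals < MAX_RENEWALS:
            hold.expires += PRESERVATION_PERIOD
            hold.renewals += 1
        else:
            raise ValueError("already renewed once; further retention needs a court order")
        self.holds[user_id] = hold
        return hold

    def purge(self, now: datetime) -> int:
        """Delete records older than the window unless a live hold covers the user.
        Returns the number of records deleted."""
        cutoff = now - RETENTION_WINDOW
        keep = []
        for r in self.records:
            hold = self.holds.get(r["user_id"])
            held = hold is not None and hold.expires > now
            if datetime.fromisoformat(r["ts"]) >= cutoff or held:
                keep.append(r)
        deleted = len(self.records) - len(keep)
        self.records = keep
        return deleted


def demo() -> dict:
    """Run the policy over constructed sample records and return checkable counts."""
    now = datetime(2009, 1, 2, tzinfo=timezone.utc)
    old = (now - timedelta(days=200)).isoformat()     # outside the window
    recent = (now - timedelta(days=10)).isoformat()   # inside the window
    store = RetentionStore()
    # Constructed sample records (not real traffic); note the content fields.
    store.ingest({"ts": old, "src_ip": "198.51.100.7", "dst_host": "mail.example",
                  "device_id": "imei-0001", "user_id": "alice", "proto": "smtp",
                  "subject": "lunch?", "body": "see you at noon"})
    store.ingest({"ts": old, "src_ip": "203.0.113.9", "dst_host": "www.example",
                  "device_id": "mac-0002", "user_id": "bob", "proto": "http",
                  "url_path": "/search", "query": "q=private"})
    store.ingest({"ts": recent, "src_ip": "203.0.113.9", "dst_host": "www.example",
                  "device_id": "mac-0002", "user_id": "bob", "proto": "http"})
    store.preserve("alice", now)          # initial 90-day hold on alice's records
    store.preserve("alice", now)          # one renewal is permitted
    try:
        store.preserve("alice", now)      # a second renewal is refused
        renewal_refused = False
    except ValueError:
        renewal_refused = True
    deleted = store.purge(now)            # bob's old record goes; alice's is held
    return {
        "deleted": deleted,
        "remaining": len(store.records),
        "content_leaked": any(CONTENT_FIELDS & set(r) for r in store.records),
        "renewal_refused": renewal_refused,
    }


if __name__ == "__main__":
    print(demo())
```

The fail-closed check in `minimise` is the part worth copying: a retention pipeline that silently keeps whatever fields arrive will start retaining content the first time an upstream system adds one, which is exactly what Article 5(2) forbids.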

More recently, the Bush Administration has been pushing for broader retention requirements: FBI, politicos renew push for ISP data retention laws | Politics and Law - CNET News.

This posting has presented a brief snapshot of some legal initiatives that affect internet log retention in a selection of countries. It does not seem likely to me that the debate is over; we will likely see EU-type proposals put forward in both Canada and the US in the coming years.