Monday, April 27, 2009

Canadian anti-spam bill introduced

The Industry Minister tabled the Electronic Commerce Protection Act (ECPA) in Parliament at the end of last week. Here's the government's press release and backgrounder:

Industry Canada Site - Government of Canada Protects Canadians with the Electronic Commerce Protection Act

Government of Canada Protects Canadians with the Electronic Commerce Protection Act OTTAWA, April 24, 2009 — The Honourable Tony Clement, Minister of Industry, today announced that the Government of Canada is delivering on its commitment to protect consumers and businesses from the most dangerous and damaging forms of spam. The government has introduced legislation in Parliament that aims to boost confidence in online commerce by protecting the privacy and personal security concerns that are associated with spam, counterfeit websites and spyware.

The proposed Electronic Commerce Protection Act (ECPA) will deter the most dangerous forms of spam, such as identity theft, phishing and spyware, from occurring in Canada and will help drive spammers out of Canada.

“Our government knows how damaging spam can be to Canadians and Canadian businesses and that is why we are cracking down on Internet fraud and other forms of malicious activities,” said Minister Clement. “With this landmark legislation, our government will help protect consumers from Internet spam and related threats and boost confidence in the electronic marketplace.”

Spam and related online threats are a real concern to all Internet users as they can lead to the theft of personal data, such as credit card information (identity theft), online fraud involving counterfeit websites (phishing), the collection of personal information through illicit access to computer systems (spyware), and false or misleading representations in the online marketplace. The proposed legislation would also treat unsolicited text messages, or “cellphone spam,” as “unsolicited commercial electronic messages.”

This bill would allow businesses and consumers to take civil action against anyone who violates the ECPA. The Canadian Radio-television and Telecommunications Commission (CRTC), the Competition Bureau and the Office of the Privacy Commissioner will be given the power to share information and evidence with their counterparts in other countries who enforce similar laws internationally, so that violators beyond our borders cannot use Canada as a spam safe haven. The proposed ECPA would allow the CRTC and the Competition Bureau to charge offenders with administrative monetary penalties of up to $1 million for individuals, and $10 million for all other offenders.

Under the new legislation, Industry Canada will act as a “national coordinating body” in order to increase consumer and business awareness and education, to further coordinate work with the private sector in support of voluntary guidelines, and to conduct research and intelligence gathering.

As part of the proposed ECPA, new legislative measures would complement the federal government's previous efforts to address spam and related online threats.

In introducing this legislative proposal, the Government of Canada wishes to thank Senators Donald Oliver and Yoine Goldstein for their efforts to help address this issue. The bill also addresses the legislative recommendations of the Task Force on Spam. The Government of Canada, Canadian business and Canadian consumers owe a debt of thanks to Senators Oliver and Goldstein and to the Task Force for their contributions to the protection of electronic commerce and the online economy.

--------------------------------------------------------------------------------

April 24, 2009

Backgrounder

Government of Canada Introduces the Electronic Commerce Protection Act On April 24, 2009, the Government of Canada introduced anti-spam legislation, entitled the Electronic Commerce Protection Act (ECPA). In doing so, the government is delivering on a key commitment made by Prime Minister Harper to Canadians and Canadian businesses in September 2008.

This bill addresses the legislative recommendations of the Task Force on Spam, which brought together industry, consumers and academic experts to design a comprehensive package of measures to combat threats to the online economy.

The intention of the proposed legislation is to deter the most dangerous and damaging forms of spam from occurring in Canada and to help to drive spammers out of Canada.

The government studied successful legislative models in other countries and, based on their experiences, has developed a focused plan to address spam and related threats. By tabling legislation now, the government is able to address the latest technology and online threats.

This bill proposes a private right of action, modelled on U.S. legislation, which would allow businesses and consumers to take civil action against anyone who violates the ECPA. The proposed ECPA's technology-neutral approach allows all forms of commercial electronic messages to be treated the same way. This means that the proposed bill would also address unsolicited text messages, or “cellphone spam,” as a form of “unsolicited commercial electronic message.”

The bill would establish a clear regulatory enforcement regime consistent with international best practices and a multi-faceted approach to enforcement that protects consumers and empowers the private sector to take action against spammers.

An important component of the proposed ECPA is the enforcement regime whereby the Canadian Radio-television and Telecommunications Commission (CRTC), the Competition Bureau and the Office of the Privacy Commissioner would be given the authority to share information and evidence with their counterparts who enforce similar laws internationally, in order to pursue violators beyond our borders.

The proposed ECPA would enable the CRTC to impose administrative monetary penalties (AMPS) of up to $1 million for individuals and $10 million in all other cases. The Competition Bureau would use a similar AMPS regime already provided for in the Competition Act,and the Office of the Privacy Commissioner would use its existing tools and enforcement framework to enforce the provisions of this legislation. The bill also proposes that the Privacy Commissioner's powers to cooperate and exchange information with her counterparts be expanded, in respect of the Personal Information Protection and Electronic Documents Act.

Consultations show support from consumers, Internet service providers, marketers, businesses, educators, the financial sector, legal and consumer groups, and enforcement agencies.

Under the proposed ECPA, Industry Canada would act as a “national coordinating body” in order to expand awareness and education of consumers, network operators and small businesses, coordinate work with the private sector, and conduct research and intelligence gathering.

The government also intends to create a Spam Reporting Centre that would receive reports of spam and related threats allowing it to collect evidence and gather intelligence to assist the three enforcement agencies (the CRTC, the Competition Bureau and the Office of the Privacy Commissioner).

Businesses will benefit from improved protection against harm to the network and from consumers' strengthened confidence in the online marketplace.

The Internet has become the primary platform for online commerce and general communications. The online marketplace represents a major segment of Canada's economy, with $62.7 billion in sales in 2007. Worldwide, electronic commerce is projected to exceed $8.75 trillion in 2009.

At the same time, there has been an enormous increase in the vulnerabilities and threats to the Internet and online commerce. Spam now makes up over 80 percent of global email traffic, imposing huge costs on businesses and consumers.

Saturday, April 18, 2009

Presentation on Twittering Lawyers

Vancouver Skyline

I was honoured to be invited to the ABA Business Section's spring meeting in Vancouver to give a presentation on Twitter and Lawyers. For those who are interested, here's the presentation:

If Google isn't showing you proper respect, here's a PDF of the slides: http://www.privacylawyer.ca/blog/twittering_lawyers.pdf.

Tuesday, April 14, 2009

New technology watches the watchers to tell them what they should have watched

Or, a new technology that supervises the people who are paid to stare at screens, tracking their eyes to let them know what parts of the screens they've been missing. See: Eyeball spy turns the tables on Big Brother - tech - 14 April 2009 - New Scientist via Boing Boing, which doesn't miss a thing and never needs a newfangled gadget tell it that.

Monday, April 13, 2009

Live from the ABA in Vancouver

If you're going to be in Vancouver for the American Bar Association's Business law meeting later this week, drop by my sessions on Thursday from 1:30 - 3:00 to talk about lawyers and social networking and on Saturday from 8:30 - 9:30 for lawyers on twitter. Here's the full schedule: Business Law: Section of Business Law.

Sunday, April 12, 2009

Next generation in CCTV

The New York Times has an interesting piece on developments in CCTV technology. The Digital Window D7 uses a number of compact cameras to piece together a full 180 degree panorama without any distortion. This means that a small camera installation can have a very wide field of view, capturing more than you might think. See "On the Lookout, With a Digital Security Camera".

Saturday, April 11, 2009

Thursday, April 09, 2009

Mind your trash

The Supreme Court of Canada today released its decision in R. v. Patrick, 2009 SCC 17 (CanLII), an important privacy decision. The case considers whether it is an unreasonable invasion of privacy for the police to rummage through your trash without a warrant. Some may see the case as standing for carte blanche for the cops to pilfer your garbage, but I'm not sure it's really something to panic about. Justice Binnie, I think, carefully considered the test for unreasonable search and seizure under the Charter. Did the subject have a subjective expectation of privacy and was that expectation reasonable?

If you throw something out into the garbage, it is hard to say you've not abandoned it. You've given it up. You expect that it will probably be rummaged through by garbage-pickers, bottle collectors and in some cases it will be opened and sorted by your municipality. It really is a bit of a stretch to say that you expect that something you put in your trash will remain confidential in most cases. If you don't want it pilfered, get a shredder. Or wrap it in duct tape or encase it in cement. If you have an ecstasy lab in your house and you throw out evidence of that, can you really say that evidence should be excluded.

What I think may be problematic would be extending this too far in the civil (non-litigation) context. Maybe it will be cited to support clear garbage bags, which is something some municipalities are gunning for to enhance compliance with trash sorting rules. What's in your garbage is a little window into your lifestyle that has nothing to do with criminality. Dozens of chip bags? Empty chocoate wrappers? You're on your way to a heart-attack. Maybe your insurance company has a right to your garbage?

But I think I agree with Abella J's dissenting (but concurring in the result) judgment that there is a diminished expectation of privacy in garbage and the cops should have at least a reasonable suspicion before rooting through your trash.

Maybe I'm getting jaded in my old age.

Here's the headnote of the case:

Constitutional law — Charter of Rights — Search and seizure — Privacy interest — Abandonment — Police taking garbage bags placed for collection at edge of accused’s property without warrant — Whether police breached accused’s right to be free from unreasonable search and seizure — Whether accused abandoned his privacy interest in contents of garbage bags when he placed them at edge of his property for collection — Canadian Charter of Rights and Freedoms, s. 8.

The police suspected that P was operating an ecstasy lab in his home. On several occasions, they seized bags of garbage that P had placed for collection at the rear of his property adjacent to a public alleyway. The police did not have to step onto P’s property to retrieve the bags but they did have to reach through the airspace over his property line. The police used evidence of criminal activity taken from the contents of P’s garbage to obtain a warrant to search P’s house and garage. More evidence was seized during the search. At his trial, P argued that the taking of his garbage bags by the police constituted a breach of his right guaranteed by s. 8 of the Canadian Charter of Rights and Freedoms to be free from unreasonable search and seizure. The trial judge held that P did not have a reasonable expectation of privacy in the items taken from his garbage and, therefore, the seizure of the garbage bags, the search warrant and the search of P’s dwelling were lawful. He admitted the evidence and convicted P of unlawfully producing, possessing and trafficking in a controlled substance. A majority of the Court of Appeal upheld the convictions.

Held: The appeal should be dismissed.

Per McLachlin C.J. and Binnie, LeBel, Fish, Charron and Rothstein JJ.: The police did not breach P’s right to be free from unreasonable search and seizure. When P’s conduct is assessed objectively, he abandoned his privacy interest when he placed his garbage for collection at the rear of his property where it was accessible to any passing member of the public. P did everything required to rid himself of the items taken as evidence. His conduct was incompatible with any reasonable expectation of confidentiality. Neither the search of the contents of P’s garbage nor the subsequent search of P’s dwelling breached s. 8 of the Charter. The evidence seized in both searches was admissible at P’s trial. [2] [12‑13]

To describe something as “garbage” tends to presuppose the point in issue, namely whether P had any continuing privacy interest in it. It seems that while he had no further interest in physical possession he had a continuing interest (viewed subjectively) in keeping private the information embedded in the contents. In such a case, however, the question becomes whether he so dealt with the items put out for collection in such a way as to forfeit any reasonable expectation (objectively speaking) of keeping the contents confidential, i.e. whether there had been abandonment. [13]

Expectation of privacy is a normative standard. Privacy analysis is laden with value judgments which are made from the independent perspective of the reasonable and informed person who is concerned about the long‑term consequences of government action for the protection of privacy. [14]

In assessing the reasonableness of a claimed privacy interest the Court is to look at the “totality of the circumstances” and this is so whether the claim involves aspects of personal privacy, territorial privacy, or informational privacy. Frequently the claimant will assert overlapping interests. The assessment always requires close attention to context and first involves an analysis of the nature or subject matter of the evidence in issue. Here both P and the police rightly regarded the subject matter to be information about what was going on inside his home. The court must then consider whether the claimant had a direct interest in the evidence and a subjective expectation of privacy in its informational content. The “reasonableness” of that belief in the totality of the circumstances of a particular case is to be tested only at the second objective branch of the privacy analysis. [26] [36]

Abandonment is a conclusion inferred from the conduct of the individual claiming the s. 8 right that he or she had ceased to have a reasonable expectation of privacy with regard to it at the time it was taken by the police or other state authority. Being an inference from the claimant’s own conduct, a finding of abandonment must relate to something done or not done by that individual, and not to anything done or not done by the garbage collectors, the police or anyone else involved in the subsequent collection and treatment of the “bag of information”. [23] [54]

The reasonableness of an expectation of privacy varies with the nature of the matter sought to be protected, the circumstances in which and the place where state intrusion occurs, and the purposes of the intrusion. In this case, P’s garbage was put out for collection in the customary location for removal at or near his property line and there was no manifestation of a continuing assertion of privacy or control. Territorial privacy is implicated in this case because the police reached across P’s property line to seize the bags; however, the physical intrusion by the police was relatively peripheral and, viewed in context, is better seen as pertaining to a claim of informational privacy. P’s concern was with the concealed contents of the garbage bags which, unlike the bags, were clearly not in public view. [36‑37] [39-41] [44-45] [51] [53]

Objectively speaking, P abandoned his privacy interest in the information when he placed the garbage bags for collection at the back of his property adjacent to the lot line. He had done everything required of him to commit the bags to the municipal collection system. The bags were unprotected and within easy reach of anyone walking by in the public alley way, including street people, bottle pickers, urban foragers, nosey neighbours and mischievous children, not to mention dogs and assorted wildlife, as well as the garbage collectors and the police. However, until garbage is placed at or within reach of the lot line, the householder retains an element of control over its disposition. It could not be said to have been unequivocally abandoned if it is placed on a porch or in a garage or within the immediate vicinity of a dwelling. Abandonment in this case is a function both of location and P’s intention. [53‑55] [62]

Since P had abandoned his garbage before it was seized by the police, he had no subsisting privacy interest at the time it was seized. The police conduct was objectively reasonable. P’s lifestyle and biographical information was exposed, but the effective cause of the exposure was the act of abandonment by P, not an intrusion by the police into a subsisting privacy interest. [69] [71]

Per Abella J.: Concurring in the conclusion that no Charter violation occurred but disagreeing with the characterization of the privacy issues at stake. The home is the most private of places. Personal information emanating from the home that has been transformed into household waste is entitled to protection from indiscriminate state intrusion. Household waste left for garbage disposal is “abandoned” for a specific purpose — so that garbage will reach the waste disposal system. What has not been abandoned is the homeowner’s privacy interest attaching to personal information. Individuals do not intend that this information, such as medical or financial information, will be generally accessible to public scrutiny, let alone to the state. [76] 78] [84] [87-89]

The fact that what is at issue is waste left out for collection, however, argues for a diminished expectation of privacy. But the state should have at least a reasonable suspicion that a criminal offence has been or is likely to be committed before conducting a search. In this case, the evidence amply supported such a suspicion. [77] [89‑91]

Lessons From the Identity Trail

Ian Kerr and Val Steeves have been heading up "On the Identity Trail" (research on privacy and identity in the networked world) for the last few years and are launching a book by Oxford University Press. But it's available online under a CC license. Read on: On the Identity Trail - Lessons From the Identity Trail Book Launch.

If you want to fly, show us your body or we'll feel you up

An interesting review of the increasing intrusiveness of airport security: The expanding invasion of the naked body scanners. - By William Saletan - Slate Magazine.

Monday, April 06, 2009

European internet firms must start logging communications as of today

As of today, all internet service providers in Europe are required by law to retain information about every e-mail and VOIP call made by their users thanks to the European Data Retention Directive.

BBC NEWS Technology Net firms start storing user data

Details of user e-mails and net phone calls will be stored by internet service providers (ISPs) from Monday under an EU directive.

The plans were drawn up in the wake of the London bombings in 2005.

ISPs and telecoms firms have resisted the proposals while some countries in the EU are contesting the directive.

Jim Killock, executive director of the Open Rights Group, said it was a "crazy directive" with potentially dangerous repercussions for citizens.

All ISPs in the European Union will have to store the records for a year. An EU directive which requires telecoms firms to hold on to telephone records for 12 months is already in force.

The data stored does not include the content of e-mails or a recording of a net phone call, but is used to determine connections between individuals.

Authorities can get access to the stored records with a warrant.

Governments across the EU have now started to implement the directive into their own national legislation.

The UK Home Office, responsible for matters of policing and national security, said the measure had "effective safeguards" in place.

There is concern that access to our data is widening to include many public bodies ISPs across Europe have complained about the extra costs involved in maintaining the records. The UK government has agreed to reimburse ISPs for the cost of retaining the data.

Mr Killock said the directive was passed only by "stretching the law".

The EU passed it by "saying it was a commercial matter and not a police matter", he explained.

"Because of that they got it through on a simple vote, rather than needing unanimity, which is required for policing matters," he said.

Sense of shock

He added: "It was introduced in the wake of the London bombings when there was a sense of shock in Europe. It was used to push people in a particular direction."

Sweden has decided to ignore the directive completely while there is a challenge going through the German courts at present.

"Hopefully, we can see some sort of challenge to this directive," said Mr Killock.

Isabella Sankey, Policy Director at Liberty, said the directive formalised what had already been taking place under voluntary arrangement for years.

"The problem is that this regime allows not just police to access this information but hundreds of other public bodies."

In a statement, the Home Office said it was implementing the directive because it was the government's priority to "protect public safety and national security".

It added: "Communications data is the where and when of the communication and plays a vital part in a wide range of criminal investigations and prevention of terrorist attacks, as well as contributing to public safety more generally.

"Without communications data resolving crimes such as the Rhys Jones murder would be very difficult if not impossible.

"Access to communications data is governed by the Regulation of Investigatory Powers Act 2000 (Ripa) which ensures that effective safeguards are in place and that the data can only be accessed when it is necessary and proportionate to do so."

And, as an aside, I'm not sure many will find comfort in the idea that RIPA will act to protect privacy: RIPA surveillance may break human rights laws - ZDNet.co.uk.

Wednesday, April 01, 2009

Cheating husband caught on Google Street View

The Sun in the UK is reporting that a cheating husband has been caught by his curious wife after she checked out a friend's house on Google Street View and noticed her husband's Range Rover parked in front of the house. She says he was supposed to be away on business at the time, which seems a bit hard to understand as the time the photos are taken aren't published by Google. But regardless of that detail, she recognized the car because of a dinged hubcap. So maybe blurring faces and licence plates isn't quite enough. See: Cheating husband caught on Google Street View The Sun News.

Addendum: Apparently the story wasn't true, but was a bid to seek attention. It should have been obvious, as Google Street View doesn't provide any indication of when the photo was taken. It may provide the "what" and the "who", but there's no "when".