Thursday, December 31, 2009

CLawBie results are in

2009 Canadian Law Blog FinalistThe CLawBies (the Canadian Law Blog awards) for 2009 are out and I'm absolutely delighted to be a runner-up in the category of "Best Canadian Law Blog". It's particularly humbling to be in the same paragraph as slaw.ca, the hands-down, undoubtedly best Canadian legal blog out there.

Congrats also to Dan Michaluk, whose All about information blog was tied for Best Practitioner Blog, along with Erik MacGraken’s BC Injury Law and ICBC Claims Blog.

I voted for Slaw and Dan's blog, and Michael Geist's blog, which won "Best Legal Technology Blog".

It's been a good year for Canadian legal bloggers. Read all the results here.

Wednesday, December 30, 2009

Prime Minister prorogues parliament, privacy legislation in limbo

It's official, the Prime Minister is proroguing parliament until the beginning of March: CBC News - Politics - PM seeks Parliament shutdown until March. (Never mind that they've been on vacation since November.)

This means that a number of privacy-affecting bills are being forced into a coma. The list includes:

  • Bill C-27 - Electronic Commerce Protection Act (Second Reading in the Senate and Referred to Committee on December 15, 2009) (aka Anti-spam Act);
  • Bill C-46 - Investigative Powers for the 21st Century Act (Referred to Committee on October 27, 2009);
  • Bill C-47 - Technical Assistance for Law Enforcement in the 21st Century Act (Referred to Committee on October 29, 2009);

The media is also reporting that, in the meantime, Harper plans to fill five vacant senate seats, which will give the Conservatives the majority they need to ensure safe passage of their legislation.

Sunday, December 20, 2009

NB Court orders production of ISP data to litigant

Check out Dan Michaluk's summary of Carter v. Connors, 2009 NBQB 317, in which the New Brunswick Court of Queen's Bench ordered a litigant to obtain from her internet service provider a record of all her internet usage since the accident in issue to produce to the other side: Case Report – Another FaceBook production order made « All About Information.

I would be very surprised (shocked, actually) if the ISP kept a record of websites visited, going back five years.

From the first paragraph of the case:

[1] The Applicant-Defendant has brought a motion for an order that the Plaintiff, who is currently undergoing discovery examination by the Applicant’s counsel, provide an undertaking to have her Internet Service Provider, Bell-Aliant, disclose the history of her Internet use at her home from the date of a motor vehicle accident in 2004 until today. Included in that request is a specific ancillary request that, in the event the motion succeeds, the technician that assembles the Internet use record segregate as a discrete record, if possible, the time spent on the Internet social network site Facebook that may be disclosed in the Plaintiff’s Internet use account record. The Plaintiff has conceded in her examination that she also has an account on the social networking site Facebook. The motion is brought pursuant to Rule 33.12 of The Rules of Court but, practically speaking, under the auspices of Rule 32.06 and 33.08(3) of The Rules of Court.

Thursday, December 10, 2009

Telco and ISP snooping? Don't hate the player, hate the game

The 'net and twitter have been all abuzz this past week with revelations about telco and ISP cooperation with law enforcement. We've seen Wikileaks post the internal policies of MySpace and Cryptome's posting of Yahoo!'s internal policies.

Blame for this appears to be laid at the feet of the service providers.

I'm all in favour of privacy and completely in favour of government restraint. I'm even more keen on court oversight and requirements that warrants be produced in order for cops and national security types to get access to customer information. I'm also in favour of transparently and accountability. But I haven't seen much nuance in any of the online discussion of this topic. Perhaps that's just the analytical limitations of twitter and the general tone of much of the blogosphere.

Two important issues are being missed. First: just about any time you interact with any business these days, a data trail of some sort is left. If you buy a book using any credit or debit card, there's a record that can connect that purchase to you. If you check out a book from the library, there's a record. If you use a transponder-based tolling system, there's a record of where you were, when and maybe where you are going. If you use any loyalty program to collect points on your purchases, there's an even denser data trail. Your mobile phone provider knows where you phone is at all times and who you have called. This is not unique to online companies. It's simply the reality of our digital lives. Some information collection or retention may be gratuitous, but more often than not it is essential to provide the service that users are asking for. It is not unreasonable, however, to question how much information is collected and how long it is retained. Fair information practices demand that service providers only collect the amount of information necessary to provide the service and that they keep it for only as long as they need to in order to provide the service.

The second, and more important, issue: love it or loathe it, it is the law. If a third party has information about you, the government can get access to it with a court order, a warrant or a subpoena. The third party can sometimes go to court to challenge the legality of the request, but it seldom has enough information to do so. And in many cases, it really has no ability to do so. The fact is, if there is a lawful demand for information, the service provider has to comply or face criminal sanctions itself.

And that's not just unique to the US and the USA Patriot Act. In Canada, take a look at the Anti-Terrorism Act, the Criminal Code, the Canadian Security Intelligence Service Act or the National Defence Act. European democracies have similar rules, too. These companies are generally following their legal obligations. If you have a problem with that, energies and outrage might be more usefully channelled to changing those laws.

ISPs and telcos may influence the laws, but they generally don't make they rules they have to abide by. In short: don't hate the player, hate the game.

Monday, December 07, 2009

My nominations for the Clawbies 2009!

As announced earlier this week, the nominations are now open for the annual Canadian Legal Blogging Awards, affectionately known as the Clawbies: Nominations Open for the 2009 Clawbies – Law Firm Web Strategy.

This blog was a runner-up in 2007.

The hardest part about nominating blogs for the award is the abundance of great Canadian law blogs out there. I follow dozens that provide interesting, relevant and timely information. I know it takes a lot of time and effort to produce one, so all of them deserve recognition. The best of the best need a special shout-out.

But if I am forced to single out three blogs, I will focus on three that provide me with "practitioner support". These provide a mental and professional return on my investment of time and attention. If I could follow only three Canadian legal blogs, here they are:

All About Information - Dan Michaluk from Hicks Morley puts a lot of thought into everything he posts. His blog has the best commentary and analysis on just about every important privacy and access to information case in Canada. And, he's a great guy.

Michael Geist - Blog - Everyone I know reads Michael's blog and his columns. Not everyone agrees with his perspective, but there is no denying that he is one of the most prolific, plugged-in Canadian legal bloggers. If your practice touches on IP law or privacy, you have to follow him.

Slaw - For me, Slaw is a must-follow because of the regular content that's relevant to my practice. But reading Slaw also reminds me of the Sunday New York Times or wandering through the library stacks: there's amazing stuff that you probably never thought of looking for. You can easily get lost in all the good stuff.

If you read any Canadian legal blogs, please take the time nominate your three faves. All the details are here.

Lifting the veil on telco cooperation with law enforcement

Over the last little while, there has been much discussion about cooperation between telcos and ISPs, on one hand, and law enforcement, on the other hand. We've certainly seen a lot of talk about "lawful access" in Canada.

If you're curious about some of the goings on behind the scenes at American telcos and ISPs in this regard, Cryptome and Wikileaks both have some interesting leaked documentation about policies and procedures for companies like MySpace, Sprint, Yahoo! and others. Just go to Cryptome.org and WikiLeaks.org and do a little digging around.

Wednesday, December 02, 2009

Thanks to Delaware Employment Law Blog

A quick thanks to the Delaware Employment Law Blog for including this blog in their Top 100 Employment Law Blogs. Thanks!

If you're a regular reader of this blog because of workplace privacy issues, head on over there and check out the great resources they provide.

Zuckerberg on the future of Facebook privacy

At least since I've been using Facebook, this is the first time that Mark Zuckerberg has addressed the Facebook community through an open letter linked from the main user page. I find it interesting that the focus of this is privacy and the future of privacy on Facebook.

An Open Letter from Facebook Founder Mark Zuckerberg Facebook

by Mark Zuckerberg Yesterday at 6:23pm

It has been a great year for making the world more open and connected. Thanks to your help, more than 350 million people around the world are using Facebook to share their lives online.

To make this possible, we have focused on giving you the tools you need to share and control your information. Starting with the very first version of Facebook five years ago, we've built tools that help you control what you share with which individuals and groups of people. Our work to improve privacy continues today.

Facebook's current privacy model revolves around "networks" — communities for your school, your company or your region. This worked well when Facebook was mostly used by students, since it made sense that a student might want to share content with their fellow students.

Over time people also asked us to add networks for companies and regions as well. Today we even have networks for some entire countries, like India and China.

However, as Facebook has grown, some of these regional networks now have millions of members and we've concluded that this is no longer the best way for you to control your privacy. Almost 50 percent of all Facebook users are members of regional networks, so this is an important issue for us. If we can build a better system, then more than 100 million people will have even more control of their information.

The plan we've come up with is to remove regional networks completely and create a simpler model for privacy control where you can set content to be available to only your friends, friends of your friends, or everyone.

We're adding something that many of you have asked for — the ability to control who sees each individual piece of content you create or upload. In addition, we'll also be fulfilling a request made by many of you to make the privacy settings page simpler by combining some settings. If you want to read more about this, we began discussing this plan back in July.

Since this update will remove regional networks and create some new settings, in the next couple of weeks we'll ask you to review and update your privacy settings. You'll see a message that will explain the changes and take you to a page where you can update your settings. When you're finished, we'll show you a confirmation page so you can make sure you chose the right settings for you. As always, once you're done you'll still be able to change your settings whenever you want.

We've worked hard to build controls that we think will be better for you, but we also understand that everyone's needs are different. We'll suggest settings for you based on your current level of privacy, but the best way for you to find the right settings is to read through all your options and customize them for yourself. I encourage you to do this and consider who you're sharing with online.

Thanks for being a part of making Facebook what it is today, and for helping to make the world more open and connected. Mark Zuckerberg

For all the grief Facebook gets, I think they deserve a lot of credit for finally becoming very responsive to user (and regulatory) privacy demands and are providing much more detailed and customizable privacy controls.

Monday, November 30, 2009

EU Clears SWIFT Data Transfers to United States Treasury Department

The New York Times is reporting on an agreement reached between European ministers and the United States for restored access to information about bank transfers processed by the Society for Worldwide Interbank Financial Telecommunications (SWIFT). See: EU Clears Bank Data Transfers to United States - NYTimes.com.

There has been some coverage of this already on blogs, particularly the Brussels Blogger (SWIFT - EU to grant USA nearly unlimited access to all EU banking data). Much of the tone has suggested that wholesale transfers of information will take place with massive datamining operations to be set up, but take a look at the actual agreement between the US and Europeans. It's available at wikileaks: EU draft council decision on sharing of banking data with the US and restructuring of SWIFT, 10 Nov 2009 - Wikileaks.

The agreement doesn't contemplate wholesale, massive data downloads of the kind one would expect if the database were in the United States. Instead, targeted requests must be made and these are directed through European authorities rather than to SWIFT directly. There are covenants on the US side that it will not be used for data mining purposes and other privacy-protective promises. And, to top it off, the term of the agreement is one year so that it can be renegotiated if it's not working out.

While all of this needs to be examined with a critical eye and it's not perfect, the cynic in me was pleasantly surprised by the details of the agreement.

Thursday, November 26, 2009

Use, overuse and abuse of privacy laws

A very good commentary from the Victoria Times Colonist. Fave quote: "It was a good example of how privacy law has vastly enhanced officials' first inclination to say "no" to every request."

Privacy law helps the government hide

Les Leyne

Times Colonist

Thursday, November 26, 2009

When reporters were briefed a couple of weeks ago on how the Olympic torch relay would go down, they were told no identities of the runners would be supplied, because of "privacy law."

Apparently the people who eagerly volunteered to wear bright white suits while carrying burning torches in front of TV cameras and thousands of people wanted their privacy, along with all the fame and glory.

They wanted no such thing, of course. They were only too happy to joyously volunteer their names on their own. The edict was simply the decision of torch functionaries eager to exercise some of their authority. It was a good example of how privacy law has vastly enhanced officials' first inclination to say "no" to every request.

So it's very enlightening to see how the "privacy law" is bearing up in the scandalous situation uncovered by the Times Colonist last week.

It's useless. It's being cited and ignored at the same time. In the face of a crystal-clear gross violation of taxpayers' privacy -- by a bureaucrat, no less -- the vaunted privacy law is a joke. It's only been handy so far when it comes to trying to cover up this botch.

A ministry caseworker in Victoria with what's likely malevolent intent carted home documents with personal information of some 1,400 clients of the government.

Police are still investigating, but at this point it looks like the man had a lot of the material you'd need to go into the lucrative fake ID business in a fairly big way.

It fell to Citizens' Services Minister Ben Stewart to explain this mess. And his explanation has turned into a mess itself.

He gave every indication last week to Times Colonist reporters Lindsay Kines and Rob Shaw that the government was responding with alacrity to this emergency. His version of the government's reaction looked pretty good -- for him.

He's the action figure who alerted some officials, contacted all the citizens involved, helped get the employee fired and started an investigation.

What he left out of the story was the fact that the government knew about this for months, and did nothing. Stewart skated right past the central point -- government officials have been aware for seven months that the privacy of 1,400 people had been violated. And they only started acting on the emergency last month.

Confronted with this yesterday, Stewart offered some explanations that are nothing short of baffling.

"The reality is, I as minister responsible, when I found out about it, I immediately asked my staff . . . to make an investigation into the matters as to the timelines and why in fact it had taken as long as it did."

So the investigation isn't just about the employee. It's about why nobody bothered to tell the minister responsible about the breach for several months. That's quite a refinement on the original version.

Stewart also said: "One of the things about the dates in this thing is that nobody is exactly clear in terms of what actually transpired from when the RCMP first made their discovery of these records."

Well, why on earth not?

It looks like some scam artist was interrupted while trying to run a con of some sort. RCMP nabbed him and told the government about it. And the government did nothing for months on end, other than continue employing and paying the suspect right up until last month.

Meanwhile, the personal ID information of 1,400 clients went God knows where. It doesn't look like illicit use was made of it. But it sure wasn't for lack of opportunity.

Why was the guy kept on the payroll? Why did it take so long? What was the government doing?

There must be some answers. But you likely won't get them for a while. Because we've got a privacy law.

Just So You Know: The ministry sent a letter to the individuals involved.

It's a gracious, heartfelt apology with an assurance that the government is working hard to correct the problem.

Only some of the letters went to the wrong people. So people who got letters addressed to other people were advised to send them back, or destroy them.

Social networking for lawyers seminar

Some readers of this blog may be interested in this seminar that I'm giving for the Nova Scotia Barristers Society in a couple of weeks. Those who aren't lucky enough to be in Halifax can attend by webinar:

NSBS - Development

Lunch & Law: Social Networking in a Global Market

Wednesday, December 9, 2009

Lunch & Law - Social Networking in a Global Market: Marketing Strategies for Lawyers

Nova Scotia Barristers' Society - Continuing Professional Development Wednesday, December 9, 2009, 12:00 - 1:30 pm

Location: CPD Center, Suite 408, 1645 Granville Street, Halifax

View PDF

The Program: New technologies provide a plethora of unique opportunities for lawyers to raise their profiles and reach new clients.

Join David T.S. Fraser of McInnes Cooper who will provide an overview of blogs, social networking websites and other innovative means of marketing your law practice.

Even if blogs, Facebook, LinkedIn, and Twitter leave you scratching your head and wondering what it's all about, this seminar will provide practical insight into these dynamic marketing channels.

David will also explore the issues of associated ethics challenges based on the CBA's new Guidelines for Ethical Marketing Practices Using New Information Technologies.

Don't miss this unique opportunity to learn the latest and greatest trends in marketing your legal practice.

Register online - If you do not already have a username and password, (or to activate your account), please contact Pierre Benoit at (902) 422-1491. Outside of Metro? Please register and join us via conference call. There are no cancellations for this program; substitutions are welcome.

Fee: $40 per person plus tax (lunch included)

Can't travel to Halifax? Why not join us from the comfort of your office!

Webinar/Teleconference option is available. Fee is $40 plus tax (includes long-distance charges). Instructions will be emailed one day in advance.

Feel free to pass this along to anyone who may be interested. You can share the invitation on Facebook via the event page, which is here.

Wednesday, November 25, 2009

Owner of massive genomics database goes bankrupt. What will happen to the data?

The owners of one of the largest databases of genomics information and biological samples, in Iceland, has gone bankrupt.

The article in Nature says that the database and the samples cannot be sold, but it remains to be seen what will happen with this trove of incredibly valuable and deeply sensitive personal information.

Icelandic genomics firm goes bankrupt : Nature News

... deCODE intends to sell most of its assets, including its drug-discovery and development services and the unit that conducts its genetic research, to Saga Investments, a US venture-capital-backed company, unless a better offer is made. The database and biological samples themselves cannot be sold, Stefánsson says, because of legal restrictions on their use. He says that the Wellcome Trust in Britain had approached deCODE to try to fund a non-profit institute to manage the database in Iceland, but was unable to do so.

"The database will never be managed by a foreign organization," he says. "The data are sensitive. We are a proud nation, and the data are not for others to manage."

Tuesday, November 24, 2009

UK police routinely arresting people to get DNA

According to the Guardian, citing a report to be released tomorrow, police in the UK have been routinely arresting people wihtout justification just to get their DNA into the national database:

Police routinely arresting people to get DNA, inquiry claims Politics The Guardian

Police officers are now routinely arresting people in order to add their DNA sample to the national police database, an inquiry will allege tomorrow.

The review of the national DNA database by the government's human genetics commission also raises the possibility that the DNA profiles of three-quarters of young black males, aged 18 to 35, are now on the database.

The human genetics commission report, Nothing to hide, nothing to fear?, says the national DNA database for England and Wales is already the largest in the world, at 5 million profiles and growing, yet has no clear statutory basis or independent oversight....

Via Boing Boing.

US added to CDA, AUS and UK immigration information sharing program

The Secretary of Homeland Security and our Minister of Public Safety just wrapped up a bi-annual meeting and announced the addition of the United States to an existing program that uses biometric information to match immigration and refugee applicants to information in foreign databases. From the media release:

Secretary Napolitano and Minister Van Loan announce initiatives to combat common threats and expedite travel and trade

Immigration Information Sharing: Secretary Napolitano announced that the United States will join a biometric data sharing initiative involving Canada, Australia, the United Kingdom and, eventually, New Zealand – an initiative designed to strengthen the integrity of immigration systems and the security of each country while protecting privacy and civil rights. Minister Van Loan, with the Canadian Minister of Citizenship, Immigration and Multiculturalism, Jason Kenney, welcomed the United States’ participation.

“Previous trials show that biometric information sharing works. For example, when the fingerprints of some asylum claimants in Canada were checked against the U.S. database, more than a third matched and 12 percent of these individuals presented a different identity in the United States,” said Minister Kenney. “The data sharing helps uncover details about refugee claimants such as identity, nationality, criminality, travel and immigration history, all of which can prove relevant to the claim.”

I'm trying to get my hands on the Privacy Impact Assessment for the program, but as with most such documents they are well hidden on the department's website.

Monday, November 23, 2009

BC employee fired over social assistance info breach

A British Columbia government employee has been fired and the Commissioner has launched an investigation after it was discovered that a spreadsheet with sensitive personal information on social assistance recipients was taken to the employee's home. See: Privacy czar to probe files breach.

Tuesday, November 17, 2009

Commissioner tables annual Privacy Act Report for 2008-2009

The Privacy Commissioner of Canada has tabled her annual report on the public sector privacy law, the Privacy Act: Annual Report to Parliament 2008-2009 - Report on the Privacy Act.

At the same time, she has also tabled additional privacy audits, related to FINTRAC and the Canadian no-fly list:

Here's the media release that accompanied the tabling of the reports:

Audits of major national security programs raise concerns for privacy Excessive reporting of personal information to FINTRAC and potential information technology risks with Canada’s “no-fly list” are among concerns identified in audits highlighted in the Privacy Commissioner’s annual report on public sector issues.

OTTAWA, November 17, 2009 — The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) has more personal information in its database than it needs, uses or has the legislative authority to receive.

This was one of the key findings of the Privacy Commissioner of Canada’s in-depth audit of the independent agency mandated to analyze financial transactions and identify suspected money laundering and terrorist financing in Canada.

A separate audit, also published today, examined the Passenger Protect Program – better-known to Canadians as the no-fly list. It identified several concerns, such as the fact that the Deputy Minister ultimately in charge of who is on the list was not provided with complete information to allow for informed decision-making.

“Since the terrorist attacks of 9/11, we’ve seen a proliferation of new national security programs. We fully appreciate the underlying aim of many security programs – protecting Canadians. However, it is critical – a point reinforced by our new audits – for government officials to integrate privacy protections into all of these programs at the outset,” says Privacy Commissioner Jennifer Stoddart.

The findings of the two audits are highlighted in the Commissioner’s 2008-2009 report to Parliament on Canada’s federal public-sector privacy legislation, the Privacy Act.

FINTRAC Audit

Legislative changes passed in 2006 expanded the types of transactions that must be reported to FINTRAC, as well as the number of professionals and organizations that are required to collect information about clients and to report it to FINTRAC. Examples of entities required to report to FINTRAC include financial institutions, life insurance companies, accountants and casinos.

The audit found that FINTRAC needs to do more to ensure that the amount of personal information it acquires is kept to an absolute minimum. A random sample of files examined in the audit turned up several reports that did not clearly demonstrate reasonable grounds to suspect money laundering or terrorist financing. For example:

A reporting entity filed several reports stating it was “taking a conservative approach in reporting this … because there are no grounds for suspecting that this transaction is related to the commission of a money laundering offence, but there is a lack of evidence to prove that the transaction is legitimate.”

An individual deposited a government cheque for an amount less than $300 and then withdrew the entire amount. The financial institution filed a suspicious-transaction report, but did not indicate why the transaction was deemed suspicious.

A financial institution filed a report about an individual who had deposited a cheque from a law firm. The institution was satisfied that the individual had provided legitimate reasons for the source of funds, but decided to notify FINTRAC anyway because of the individual’s ethnic origin and the fact that this person had visited a particular country.

“It is clear that such reports, containing not a shred of evidence of money laundering and terrorist financing, should not be making their way into the FINTRAC database,” says Commissioner Stoddart.

“It is a bedrock privacy principle that you collect only the personal information you need for a specific purpose,” she says. “The federal government needs to have a justifiable need to collect someone’s personal information. Clearly, FINTRAC needs to do more work with organizations to ensure it does not acquire personal information that it has no legislative authority to receive – and that it does not need or use.”

The audit recommended enhanced front-end screening of reports; stronger ongoing monitoring and review to ensure that information holdings are relevant and not excessive, and the permanent deletion of information that FINTRAC did not have the statutory authority to receive.

Under amendments passed in 2006, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act requires the Privacy Commissioner to review FINTRAC every two years and report the results to Parliament.

Passenger Protect Program Audit

The “no-fly list” is a passenger screening tool introduced in 2007 to prevent people named on a “specified persons list” from boarding domestic and international flights from or to Canadian airports.

The program has sparked privacy concerns, in part because it is secretive in that it uses personal information without the knowledge of the individuals concerned. Moreover, the repercussions for a person named on the list being denied boarding on an aircraft can be profound in terms of privacy and other human rights, such as freedom of association and expression and the right to mobility.

The focus of the audit, however, was to determine whether the program has adequate controls and safeguards in place to protect personal information.

“We were concerned to learn that officials did not always provide the Deputy Minister – who is ultimately responsible for adding to or removing people’s names from the ‘specified persons’ list – all the information needed to make these sorts of decisions,” says Assistant Privacy Commissioner Chantal Bernier.

Other concerns identified during the audit included:

Transport Canada has not verified that airlines are complying with federal regulations related to the handling and safeguarding of the “specified persons list.” The risk of this information being inappropriately disclosed is particularly high for the small number of air carriers that rely on paper copies of the list.

There were no requirements that air carriers report to Transport Canada security breaches involving personal information related to the no-fly list.

Transport Canada did not demonstrate that the application used to transmit information to air carriers met government security standards.

The Passenger Protect Program and the FINTRAC audits, as well as the latest Privacy Act annual report, are available at http://www.priv.gc.ca/.

The annual report also includes details of privacy-related complaints against federal departments and agencies investigated during the 2008-2009 fiscal year. The Office received 748 formal complaints in 2008-2009, down slightly from the previous year. The most common complaints related to access to personal information and to the length of time government departments and agencies were taking to respond to access requests.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

To view the reports:

Sunday, November 15, 2009

Social networks for reference checks

I am often asked whether potential employers are legally able to use Facebook or other social networking sites to do background checks on candidates. A recent "update" email from LinkedIn contained the following blurb at the bottom:

"DID YOU KNOW you can conduct a more credible and powerful reference check using LinkedIn? Enter the company name and years of employment or the prospective employee to find their colleagues that are also in your network. This provides you with a more balanced set of feedback to evaluate that new hire."

This is a different model: rather than scoping the info a candidate may have on his or her profile, you can find people who may have something to say about a candidate. Interesting and potentially useful. But make sure you have consent from the applicant for broad-ranging reference checks.

A look at video surveillance in Halifax

The Sunday Chronicle Herald has two articles on the increasing use of video surveillance by police and private organizations in Halifax. They are interesting reading, but what I find most interesting is that this is the first time that I've seen any dicussion of how the police manage the feeds and access to recordings. Check them out:

  • Eyes in the sky - Nova Scotia News - TheChronicleHerald.ca
  • Wireless cameras add to police toolbox - Nova Scotia News - TheChronicleHerald.ca
    The cameras in place now are not monitored all day long, although they are recording, Supt. Moore said. The images are automatically deleted if there’s no request to see them within 14 days.

    The department used guidelines from the province’s Freedom of Information office as well as the federal Office of the Privacy Commissioner to develop its guidelines for using the images, he said.

    All viewing requests are made to him and only he and his technical staff have access to the recordings.

    "They’re very much locked down and once they’re collected, there’s a formalized process for someone looking to go in and find these images," he said.

    Supt. Moore said police haven’t used video from those downtown cameras to solve "big" crimes – yet.

    "We are still optimistic that it will, but to date it has not been pivotal," he said.

Any discussion of the policies regulating the use of video surveillance is a good thing, and better late than never.

Friday, November 06, 2009

Regulators agree on proposed global privacy standards

Privacy regulators from around the world, meeting this week in Madrid, have agreed to a framework for international privacy standards. From what I've been able to glean, it would all be consistent with what we currently have in Canada under PIPEDA.
AFP: Experts agree on proposed global privacy standards

Experts agree on proposed global privacy standards

MADRID — Experts from 50 nations meeting in Madrid have reached a draft agreement on international standards for the protection of privacy and personal data, participants said Friday.

Under the proposed standards, data may only be processed after obtaining the "free, unambiguous and informed consent" of the data subjects and it should be deleted when it is no longer necessary for the purposes for which it was gathered.

Data collectors must identify themselves, state in clear language the purpose of the data processing and the recipients of the gathered data.

International transfers of personal data may only be carried out to a country which "affords, as a minimum, the level of protection provided for in the document," according to the proposed standards, agreed by representatives from privacy protection agencies.

"This agreement was reached with the active participation and support of civil society and industry," the head of the Spanish Data Protection Agency, Artemi Rallo Lombarte, said at the end of the three-day gathering.

Participants hope the draft international standards will serve as the basis for a universal, binding legal instrument on data protection. But several cautioned that this is still a long way off given the different rules around the world.

"We have jumped over a first step but we have a long road, a very long road, ahead to arrive at a common, restricting legal framework," said the president of France's CNIL data protection agency, Alex Turk.

Over 1,000 participants from around the world took part in the 31st International Conference of Data Protection and Privacy which is billed as the world's largest forum dedicated to privacy.

US Homeland Security Secretary Janet Napolitano and representatives from key Internet firms like Google and Facebook were among those who took part in the event, which was organized by the Spanish Data Protection Agency.

The next such conference is scheduled for October 2010 in Jerusalem. Previous gatherings have taken place in Strasbourg, Hong Kong, Sydney and Montreal.

Thanks to Alex Cameron for the pointer.

Thursday, November 05, 2009

Nova Scotia to probe juror vetting

From today's National Post:

Nova Scotia launches probe into jury vetting

Shannon Kari, National Post

Published: Thursday, November 05, 2009

The Public Prosecution Service in Nova Scotia is conducting an internal review into whether or not its Crown attorneys have been conducting improper background checks of potential jurors.

The review was prompted by a request for information from the Nova Scotia Criminal Lawyers' Association following a National Post story last month that suggested jury vetting was taking place in the province.

A report issued about the scope of the practice in Ontario by the provincial Privacy Commissioner also cited a senior Crown official in Nova Scotia who said it was common for jury lists to be given to police to do background checks. The information was "generally not shared with the defence," the Nova Scotia official told the Ontario agency. The Public Prosecution Service in Nova Scotia initially suggested the Ontario report was inaccurate. But in a written response to the lawyers' association, the director of public prosecutions in Nova Scotia announced that he had initiated an internal review.

"I anticipate that our review will ultimately result in a policy statement or practice advice being prepared which will be distributed to our Crown attorneys. A copy of that advice piece will be provided to you," wrote Martin Herschorn in the letter dated Oct. 20.

Mr. Herschorn also imposed an interim directive. It states that if a background check is requested, it should only be to see if an individual has been previously sentenced to more than two years in prison, which would make the person ineligible to serve as a juror in Nova Scotia.

A spokeswoman for the prosecution service confirmed yesterday that it is asking its 20 Crown offices whether confidential databases were used to probe potential jurors and if the data was disclosed to the defence. "We hope to have a policy in place by the end of the calendar year," Chris Hansen said.

While he welcomes the review, the president of the Criminal Lawyers' Association said he wants to know more about what happened previously. "Our membership certainly has many more questions," Josh Arnold said. "So far, all the talk has been on a go forward basis."

Dulcie McCallum, the Nova Scotia Freedom of Information and Protection of Privacy review officer, said yesterday that she will wait for the internal review to be completed before deciding whether to launch her own investigation.

The Ontario Privacy Commissioner's report revealed that one in three Crown offices in the province engaged in improper jury vetting in just the past three years.

The Ontario Court of Appeal is hearing its first case on this issue this fall, in which three defendants convicted of murder are seeking a new trial. The Ontario government announced on Oct. 27 that it is amending the Juries Act so that any checks for eligibility will be done by an independent agency and the information will be kept confidential. Mr. Arnold urged the Nova Scotia government to consider similar changes to its Juries Act.

Read more: http://www.nationalpost.com/news/canada/story.html?id=2187075#ixzz0VzXDWvNI

Text of Bill 64, Personal Health Information Act (Nova Scotia) now available

The text of Bill 64, the Personal Health Information Act has now been posted on the Nova Scotia Legislature website.

Wednesday, November 04, 2009

Personal Health Information Act introduced in Nova Scotia

The Minister of Health for Nova Scotia has today introduced the Personal Health Information Act in the legislature. I'll have a link to the text of the bill tomorrow, but in the meantime you can read the release:

Personal Health Information Legislation Introduced News Releases Government of Nova Scotia

Personal Health Information Legislation Introduced

Department of Health

November 4, 2009 2:46 PM

Nova Scotian's personal health information would be better managed under proposed legislation introduced today, Nov. 4.

The Personal Health Information Act would provide consistent provincial rules for the management of personal information in health care.

"Patient privacy is a fundamental principle in delivering health care. At the same time, it is important that health care professionals can share information in ways that can improve care," said Health Minister Maureen MacDonald. "This legislation balances these important objectives."

The proposed legislation sets out rules for how health information is collected, used, disclosed, retained and destroyed by the health-care sector in Nova Scotia. It better supports a system that uses electronic as well as paper health records and helps provide a more seamless flow of information.

Specific rules include provisions for privacy breach notification audit reports to track who has had access to electronic health records, and requests for people to access to their health information.

Nova Scotia does not have clear health information legislation. It is governed by a mix of federal and provincial laws, health profession codes, and organizational policies and procedures. Nova Scotia joins eight other provinces who have comprehensive legislation to manage personal health information.

I understand that the legislature session ends shortly, so the Bill will not be debated until the new year. It's also reported that the Department plans to have the Bill come into force in January 2011.

Friday, October 30, 2009

Privacy Commissioner speaks out on lawful access

The Privacy Commissioner of Canada has recently provided parliamentarians with her opinion on the new lawful access bills that are winding their way through the Commons. I have to say I was nodding my head while I read it:

Letter to the Standing Committee on Public Safety and National Security regarding the Commissioner's initial analysis on the privacy implications on Bills C-46 and C-47 - October 27, 2009

The Privacy Commissioner of Canada, Jennifer Stoddart, sent the following letter to the Standing Committee on Public Safety and National Security, regarding her initial analysis on the privacy implications on Bills C-46, the Investigative Powers for the 21st Century Act (IP21C), and C-47, the Technical Assistance for Law Enforcement in the 21st Century Act (TALEA)

October 27, 2009

Mr. Garry Breitkreuz, MP Chair of the Standing Committee on Public Safety and National Security 131 Queen Street – 6th floor House of Commons Ottawa, Ontario K1A 0A6

Dear Mr. Breitkreuz:

I am writing to provide the members of the Standing Committee on Public Safety and National Security with some preliminary views on the privacy implications stemming from Bills C-46 and C-47. As you are aware, I am often called upon to comment on legislation that will result in new or expanded forms of personal information being collected by federal government institutions. Those views, and analysis conducted by my Office, are specifically undertaken to support the deliberations of Parliament.

It must be stated at the outset that we recognize the concerns of law enforcement and national security authorities with the speed of developments in information technology and the anonymity they afford. Bills C-46 and C-47 seek to address the consequent public safety challenges and that objective is valid. That said, whenever new surveillance powers or programs are proposed, it is my view that there must be demonstrated necessity, proportionality and effectiveness. They should also be the least-invasive alternative available. These tests are all the more important in the area of public safety, as the use of surveillance powers by authorities can have deep and lasting impact on peoples’ lives.

The consequences for individuals as their personal information is collected and shared among authorities in various countries can escalate far beyond the initial objectives of public safety. Recent international reports, Canadian court rulings and federal commissions of inquiry have shown this clearly. Proper protections for privacy in this area reside in the strict limitation of invasive powers to what is demonstrably necessary to ensure public safety and in strong measures for accountability, commensurate with the powers vested. It is a matter of protecting human rights and assuring public trust.

Taking into account the real challenges of law enforcement and national security agencies in the Internet age and the fundamental right to privacy that underpins our democratic society, and after careful study and extensive consultation this past summer, I have concluded that elements of the proposed legislation raise significant privacy concerns. These must be addressed by proponents of the bills.

I would draw to the attention of this Committee, and all Parliamentarians, that the proposed legislation contains many provisions that would increase the level of access by law enforcement and national security authorities to personal information. In that regard, it is important that Parliament be satisfied that:

The need for these provisions has been clearly demonstrated,

The lowered legal requirements for use of invasive powers is justified,

The lessons of similar initiatives in other countries are considered, and

The oversight, reporting and accountability mechanisms are carefully calibrated, to ensure they mirror the breadth and scope of new powers

Analytical approach and consultations

It is important to note that our Office approached the examination of both pieces of legislation with fresh eyes and an open mind. While previous iterations or initiatives – like the 1999 Justice Canada initiative, the 2005 public consultation or the 2007 Public Safety request for submissions on Customer Name and Address access – may have served as background, they did not colour our analysis. Instead, since the legislation was tabled this past summer, our Office carefully read and analysed the two bills anew.

We also wanted to hear from informed experts, therefore between June and September of this year, my staff met with representatives of Justice Canada and Public Safety Canada, provincial privacy commissioners, the telecommunications industry (manufacturers, service providers and associations), law enforcement (RCMP and the Canadian Association of Chiefs of Police), civil society groups, academic specialists, as well as subject experts in the fields of information policy, network security, criminal law and intelligence operations. These conversations helped our Office identify the privacy issues raised by the two bills, which relate to the following areas:

Necessity: Though isolated anecdotes abound, and extreme incidents are generally referred to, no systematic case has yet been made that demonstrates a need to circumvent the current legal regime for judicial authorization to obtain personal information. Before all else, law enforcement and national security authorities need to explain how the current provisions on judicial warrants do not meet their needs.

Necessity given international obligations: A principal rationale cited for the need to update Canada’s interception and surveillance regime – as proposed in C-46 and C-47 – is ratification of the Council of Europe Convention on Cybercrime. However, many of the powers introduced in the proposed legislation go far beyond the legal requirements of the Convention. Our analysis would suggest that Canada has already met most of the substantive legal changes required. Certainly some caution should be exercised, given the fact that similar legal initiatives in the US and UK led to significant concerns in relation to privacy.

Proportionality of thresholds: Canadian law imposes rigorous thresholds of evidence for authorities to obtain access to personal information. They form the heart of protections that Parliament put in place to protect privacy in Canada. The downward movement from reasonable grounds to believe to reasonable grounds to suspect in some cases (for some production orders) - or to no threshold of evidence at all (for subscriber data access) - must be shown to be a proportionate response to safety and security imperatives. As it stands, the new powers envisaged are not limited to a specific range or seriousness of criminality, or to a specific level of urgency. In the case of Bill C-47, there is not even a requirement for the commission of a crime to justify access to personal information without a warrant. The onus lies with proponents of the legislation to demonstrate the need for lowered thresholds to obtain personal information.

Proportionality of oversight and review mechanisms: Only prior court authorization serves as rigorous privacy protection. Should Parliament allow law enforcement and national security authorities to circumvent the courts to obtain personal information, the corresponding oversight mechanisms must be established. My Office is clearly implicated at several points in Bill C-47, wherein my staff may review the records created by officers at the RCMP or Competition Bureau as they exercise new powers. Given the scale envisaged, with upwards of thousands of individuals in the RCMP alone potentially empowered to access subscriber data, it would be difficult for us, within our current resources, to offer any assurance to

Parliamentarians or Canadians of proper auditing. Still, review after the fact arrives too late. Privacy has already been breached, it is difficult to properly assess the circumstances, and there is no remedy for the ultimate outcome of the breach.

Demonstrated effectiveness through clear public reporting and accountability: In Bill C-47, audits are conducted internally and not required annually, while follow-up reporting to the responsible Minister and my Office are discretionary, as opposed to regular requirements. This will not afford objective, timely assessment of privacy risks or breaches. It is my view that, should the powers envisaged be granted, copies of those reports from the RCMP and Competition Bureau should be provided to the Minister and my Office on an annual basis. My audit and review staff can then proceed accordingly.

Flowing from these concerns, we would look forward to a constructive dialogue with the Committee on the following points or alternatives:

Examine warrant provisions in the Criminal Code. Rather than creating blanket, open access for authorities to search subscriber data, as in Bill C-47, there are other investigative options or legal changes to consider. Emergency provisions to conduct search, seizure or interception without a warrant in exigent circumstances are already in the Criminal Code. A similar provision for production and assistance orders should be considered to address the issue police have described in obtaining data.

Review the process for court authorization in Canada. If the underlying problem resides in Canada’s current warrant system, this is where the government’s attention should be directed, as opposed to limiting court oversight. Law enforcement and national security authorities should state the shortcomings they identify in the court warrant system so they can be addressed to adapt the system to the new challenges of the Internet age rather than sacrifice the principles that underpin the very society we seek to protect.

Tailor the scope of new powers. Any regime that circumvents court authorization raises significant privacy issues. If Parliament chooses to grant the proposed powers, they must be restricted in their application to the investigation of crimes or threats where such an invasion of privacy is justified. That is the Canadian legal tradition.

Revisit oversight regime. Internal audit, reporting with self-discretion and the role of external review bodies need to be strengthened with provisions for specific reporting requirements, regular review, dedicated resources for oversight and transparent mechanisms for accountability to assure the Canadian public.

Parliament should consider a five-year review for Bill C-46. While Bill C-47 has such a provision, Bill C-46 would also merit close review by Parliament, given how the two pieces of legislation interact. These reviews should be conducted with an eye to demonstrated evidence of effectiveness, minimal invasion of privacy and clear operation within bounds of the law.

Require annual public reporting. Yearly statistics on the use, results and effectiveness of new powers (subscriber data requests, preservation demands, tracking warrants, etc.) should be required by statute. Besides bolstering accountability, these reports would usefully support Parliament’s five-year review of the powers.

Review the regulations flowing from both bills. Given the important administrative, procedural and technical details involved, Parliament should conduct full committee reviews and hear from all interested stakeholders on both legislation and regulations. This should occur before either bill comes into force.

In summary, we urge Parliament to review Bills C-46 and C-47 in light of the following questions:

In specific terms, how is the current regime of judicial authorization not meeting the needs of law enforcement and national security authorities in relation to the Internet? What law enforcement or national security duty justifies access without a warrant by authorities to personal information or preservation of private communication?

Why are some of these powers unrestricted, when the spirit of Canadian law clearly reflects the view that access or seizure without court authorization should be exceptional?

And finally, are the mechanisms for accountability commensurate to the unprecedented powers envisaged?

Based on this initial analysis, my Office will be preparing a full submission for your consideration, in anticipation of your Committee’s study of the legislation. Given the public interest in this issue, we anticipate posting this letter on our website in the near future. I would like to thank you for your attention to this critical issue and look forward to discussing the initiative further when meetings on the bills commence.

Sincerely,

Original signed by

Jennifer Stoddart

Privacy Commissioner of Canada

Well said.

Privacy Commissioner OKs airport body scanners

Apparently the Privacy Commissioner has given the thumbs up body scanners for aviations security:

The Canadian Press: Privacy watchdog OKs see-through scanners

Privacy watchdog OKs see-through scanners

By Jim Bronskill (CP) – 46 minutes ago

OTTAWA — Airport scanners that see through the clothes of travellers have received the blessing of Canada's privacy czar.

Chantal Bernier, the assistant federal privacy commissioner, said Friday the national air security agency has successfully answered her office's questions about the project. The system, tested in British Columbia at the Kelowna airport, allows a screening officer to see whether someone is carrying plastic explosives or other dangerous items.

The proposal has stirred controversy because the scanner produces a three-dimensional outline of a person's naked body.

"It is a very touchy issue, and we have addressed it with exactly that level of care," Bernier told a gathering of security officials and academics.

Under the plan approved by the privacy chief, the officer would view the image in a separate room and never see the actual traveller.

Only people singled out for extra screening would be scanned, and they would have the option of getting a physical pat-down instead.

Bernier said the holographic image generated by the scanner makes it difficult to identify the traveller's face.

"You would not know who it is, even if you knew the person was in line," she said at the annual meeting of the Canadian Association for Security and Intelligence Studies. "We've actually tested it.

"In addition, the image would be deleted the moment the person leaves the screening portal.

"In our view, these privacy safeguards meet the test for the proper reconciliation of public safety and privacy," Bernier said.

The Canadian Air Transport Security Authority has done thorough threat assessments that reveal a need to search passengers for weapons that might elude a conventional metal detector, she said.

Giving a traveller who undergoes secondary screening the choice of either a full-body scan or a pat-down reduces the "sense of invasion" posed by the new tool, Bernier added.

In a preliminary assessment early last year, the air-security authority said the scanner project amounted to a "low privacy risk" due to the built-in safeguards.

The scanners are already in use at airports in cities including Amsterdam, Moscow and Phoenix. They are also found in the high-security "green zone" of Baghdad and at some U.S. courthouses and prisons.

The air-security authority says the low-level radio frequency wave emitted by the body scanner meets Canadian health-and-safety standards.

Data from the Kelowna pilot project will help the security authority determine which Canadian airports would most benefit from scanners.

Transport Canada would then decide whether to approve use of the devices across the country.

Thursday, October 29, 2009

University of Akron may demand DNA from job applicants

Wow. All I can say is wow.
Want A Job In Akron? Hand Over Your DNA - Taking Liberties - CBS News It's not unusual for employers to conduct criminal background checks during the hiring process. But the University of Akron has taken this to a surprising new level.

The Ohio school now reserves the right to require any prospective faculty, staff, or contractor to submit a DNA sample, which genetic-testing experts say makes it the first employer in the nation to take such an extreme and potentially intrusive step.

The new policy, which says a "DNA sample for purpose of a federal criminal background check" may be collected, took the campus by surprise after it was announced last week. An adjunct faculty member has resigned in protest and is contemplating a lawsuit, and the local chapter of the American Association of University Professors says that genetic testing violates a collective bargaining agreement. ...

Reacting To Lawful Access: Comparing the Conservatives, Liberals, and NDP

Check out Michael Geist's post: Michael Geist - Reacting To Lawful Access: Comparing the Conservatives, Liberals, and NDP. The title says it all.

Wednesday, October 28, 2009

Amendments to PIPA tabled, including breach notification and regulation of export of personal information

Yesterday (October 27, 2009), the Alberta Government introduced Bill 54, the Personal Information Protection Amendment Act, 2009. The Bill includes notification requirements for export of personal information to a service provider outside of Canada and breach notification. The principal export provision is:
Notification respecting service provider outside Canada

13.1(1) Subject to the regulations, an organization that uses a service provider outside Canada to collect personal information about an individual for or on behalf of the organization with the consent of the individual must notify the individual in accordance with subsection (3).

(2) Subject to the regulations, an organization that, directly or indirectly, transfers to a service provider outside Canada personal information about an individual that was collected with the individual’s consent must notify the individual in accordance with subsection (3).

(3) An organization referred to in subsection (1) or (2) must, before or at the time of collecting or transferring the information, notify the individual in writing or orally of

(a) the way in which the individual may obtain access to written information about the organization’s policies and practices with respect to service providers outside Canada, and

(b) the name or position name or title of a person who is able to answer on behalf of the organization the individual’s questions about the collection, use, disclosure or storage of personal information by service providers outside Canada for or on behalf of the organization.

(4) The notice required under this section is in addition to any notice required under section 13.

Permitted "as required by law" disclosures are now limited to required by Canadian or Alberta law. The breach notification provisions require notice to the Commissioner and the Commissioner may order that individuals be notified. I'm sure we'll be hearing more about this. Here's an extract from yesterday's Hansard:

ISYSweb 8 Search Results for Bill 54

Bill 54

Personal Information Protection Amendment Act, 2009

Mr. Denis: Thank you very much, Mr. Speaker. I rise to introduce Bill 54, the Personal Information Protection Amendment Act, 2009. Mr. Speaker, this bill is a direct result of the hard work of the SelectSpecialPersonalInformation Protection ActReviewCommittee, an all-party special committee of the Legislature that in 2006 undertook a complete review of the act and tabled a report to the Legislature in November 2007 outlining recommendations for amendments. This bill incorporates a number of their proposed amendments.The main proposals for change include emerging issues such as notifying the commissioner or individuals about security breaches that place personal information at risk and informing individuals when services involving personal information are occurring outside of Canada. Mr. Speaker, as required for any new legislation in a rapidly evolving area, this bill also does some updating and finetuning of the existing provisions of this act.

Thank you very much, Mr. Speaker.

[Motion carried; Bill 54 read a first time]

The Speaker: The hon. Government House Leader.

Mr. Hancock: Thank you, Mr. Speaker. I move that Bill 54 be moved onto the Order Paper under Government Bills and Orders.

[Motion carried]

Monday, October 26, 2009

The future of privacy on the internet

I was honoured to be one of the speakers at the Halifax Internet Town Hall hosted at Dalhousie University this evening, sponsored by the Chebucto Community Net and Dalhousie Student Union. My portion of the proceedings -- surprise -- was about privacy. I only had ten minutes, so needed to be short and sweet.

I decided to focus my presentation on the abomination that is Bill C-47, in particular the provision that allows law enforcement to have wholesale access to customer information without a warrant. It is frankly appalling and should not be allowed to pass.

Look at this provision:

16. (1) Every telecommunications service provider shall provide a person designated under subsection (3), on his or her written request, with any information in the service provider’s possession or control respecting the name, address, telephone number and electronic mail address of any subscriber to any of the service provider’s telecommunications services and the Internet protocol address, mobile identification number, electronic serial number, local service provider identifier, international mobile equipment identity number, international mobile subscriber identity number and subscriber identity module card number that are associated with the subscriber’s service and equipment.

You can disagree on the finer aspects of whether an ISP should be permitted to match an IP address provided by the cops with the customer name and address information in their files. That's a reasonable debate. But I do not see any limitation in Section 16. There's no oversight. There's no real accountability. There's no nuance. All ISPs will be required to provide any (or all) of the following:

  • name,
  • address,
  • telephone number,
  • electronic mail address,
  • Internet protocol address,
  • mobile identification number,
  • electronic serial number,
  • local service provider identifier,
  • international mobile equipment identity number,
  • international mobile subscriber identity number and
  • subscriber identity module card number

It doesn't have to be connected to a child exploitation investigation. Or a parking ticket. In fact, there's no requirement that there be an underlying lawful investigation. The police will be able to hand a list of names to the ISP and require all of the above information, for an unlimited number of targets.

This is appalling legislation and should not stand.

For other postings on this topic, check out my previous postings tagged Lawful Access.

Saturday, October 17, 2009

Laptop searches at airports infrequent, DHS privacy report says

Computerworld is reporting on the first report of the Department of Homeland Security Privacy Office since the changeover to the Obama administration. The report itself is interesting, but perhaps most interesting are the statistics related to the number of searches of laptops at border crossings. This has been a controversial practice since reports on it came to light some time ago. I was surprised to read that fewer than two thousand took place in the year under review, in light of the millions of people (and laptops) that have crossed the border during that time.

Here's Computerworld's coverage: Laptop searches at airports infrequent, DHS privacy report says.

Thursday, October 15, 2009

Government declines proposed reforms to access and privacy laws

The Minister of Justice has responded to the Standing Committee on Access to Information, Privacy and Ethics' reports on reform to the Privacy Act and the Access to Information Act with a robust "thanks, but no thanks".

House of Commons Committees - ETHI (40-2) - Reports and Government Responses Report 11 - The Access to Information Act: First Steps Towards Renewal (Adopted by the Committee on June 15, 2009; Presented to the House on June 18, 2009)
Government Response: 11th Report of the Standing Committee on Access to Information, Privacy and Ethics, "The Access to Information Act: First Steps Towards Renewal" (Presented to the House on October 9, 2009)
Report 10 - The Privacy Act: First Steps Towards Renewal (Adopted by the Committee on June 8, 2009; Presented to the House on June 12, 2009)
Government Response: Tenth Report of the Standing Committee on Access to Information, Privacy and Ethics, "The Privacy Act: First Steps Towards Renewal" (Presented to the House on October 9, 2009)

Thanks to Michael Geist for the pointer.

Some media coverage from the Canadian Press:

The Canadian Press: Harper government refuses to expand information, privacy laws

Harper government refuses to expand information, privacy laws

By Joan Bryden (CP) – 2 hours ago

OTTAWA — The Harper government has quietly nixed recommendations to expand and modernize Canada's access-to-information and privacy laws.

Justice Minister Rob Nicholson's rejection of reforms to the 26-year-old laws sparked accusations Thursday that the Tories have reneged on campaign promises to bring openness and transparency to the federal government.

"The access system now does not work," said Michel Drapeau, a lawyer and a leading expert on accessing government documents.

"They appear to like it this way."

Nicholson's rejection was also greeted with disappointment by privacy experts, who warned that Canada's outdated Privacy Act does not cover modern technologies, such as surveillance cameras and DNA samples collected from suspects.

Nor does it give the privacy commissioner any recourse to the courts when the government inappropriately discloses personal information, no matter how serious the breach.

"We're very disappointed, actually," said Chantal Bernier, assistant privacy commissioner.

"While we agree with the minister that privacy is well protected in Canada, we feel we can do better."

A Commons committee had recommended, among other things, that the information commissioner be given more power to force the government to disclose information in a timely manner.

Drapeau said only 10 to 20 per cent of access requests receive a response within 30 days, as intended under the law. The rest routinely take up to two years with some dragging on as long as four years.

Suzanne Legault, interim information commissioner, said Drapeau's view of the access system is overly pessimistic. She said 57 per cent of requests get a response within 30 days.

Still, she acknowledged there's an "urgent need" to modernize legislation to remedy some "very long delays" in responding to access requests.

Legault pointed out that the act was drafted in the days when bureaucrats kept paper records "in a neat file folder." Now, they are inundated with digital information, such as streams of emails with attachments, that is harder to manage and takes longer to sift through.

"We really live in a world of digital information and the system hasn't adjusted," Legault said.

The Commons committee had also wanted the privacy law expanded to cover new technologies. And it wanted to beef up provisions governing the disclosure of personal information by the Canadian government to foreign states - one of the most urgent needs in the wake of the Maher Arar case, according to Bernier.

Based on information provided by Canadian security authorities, Arar was detained in the U.S. and deported to Syria, where he was tortured.

In responses to the committee tabled quietly last week, Nicholson rejected the proposed reforms as too cumbersome, unnecessary or ill-considered.

He said giving the information commissioner more powers would shift the nature of the job "from an ombudsman model towards a quasi-judicial model," which would be inconsistent with other independent parliamentary watchdogs.

He rejected the notion that information requesters should have direct recourse to the Federal Court if access is refused, arguing that such a reform "would increase the caseload burden on the Federal Court."

On the privacy recommendations, Nicholson ruled out legislative restrictions on the disclosure of personal information to foreign states, arguing that law enforcement and security agencies "require a flexible approach" to information sharing.

"They must be able to share their intelligence within Canada and well as with their foreign partners," he wrote.

Moreover, Nicholson argued that efforts to combat international child abductions, forced marriages and worldwide health threats would be "seriously hampered" by restrictions on information sharing.

Nicholson maintained both the Access to Information Act and the Privacy Act are strong pieces of legislation. And he suggested "administrative alternatives, such as enhanced guidance and training" could be "equally effective" in improving both the access and privacy regimes.

Copyright © 2009 The Canadian Press. All rights reserved.

Wednesday, October 14, 2009

The lawful access debate

The Ottawa Citizen has an interesting article on the debate surrounding "lawful access". Check it out: Security vs. privacy. Via Michael Geist.

Friday, October 09, 2009

The debate about warrantless access to ISP customer information

Just posted on slaw: The debate about warrantless access to ISP customer information >> Slaw

In the privacy community, there has been a debate over whether it is lawful, under PIPEDA, for a custodian of personal information to provide customer information when then police come knocking. The debate has been most heated in the arena of internet service providers customer names and addresses to the police when presented with an IP address. PIPEDA allows a number of disclosures of personal information without consent pursuant to Section 7(3) of the statute. One exception to the general rule relates directly to law enforcement requests:

Disclosure without knowledge or consent

(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is ...

(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that
(i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,

(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or

(iii) the disclosure is requested for the purpose of administering any law of Canada or a province; [emphasis added]

The debate has raged over differing interpretations of “lawful authority”, and there are conflicting decisions from the Courts over whether internet service providers can disclose customer name and address information to the police in response to a request.

For example, in Re S.C., 2006 ONCJ 343, the court set aside a search warrant that was based on information obtained from an ISP in response to a law enforcement request. In R. v. Kwok, the court found that the customer had a reasonable expectation of privacy in his name and address information and that the police should have obtained a warrant to get this information from the internet service provider. From paragraph 35 of that decision:

"The subscriber, in this case, in my view, and based on my reading of the authorities, has an expectation of privacy in respect of this personal information [name and address]. The investigation of these types of crimes is essential and important, but there must always be the proper balancing of the procedures used by the police and the right of citizens to be free from unreasonable search and seizure. Shortcuts, such as set out in s. 7(3)(c) of PIPEDA in the circumstances of this case must be used with great caution, given the notions of freedom and democracy we come to expect in our community. In my view, the police should have procured a warrant to obtain the subscriber information, that is the name and address of the Applicant, in this case, as I have found the name and address is information from which intimate personal details of lifestyle and choices can be obtained. I therefore find there has been a s. 8 violation."

More recently, in R. v. Ward, 2008 ONCJ 355 (CanLII), the court determined that the customer did not have a reasonable expectation of privacy with respect to this information because the service agreement imposed upon him by Bell’s Sympatico service reduced, if not destroyed, whatever expectation of privacy he might otherwise have had. Similarly, in R. v. Wilson, the court also found no reasonable expectation of privacy.

The pendulum may be swinging the other way. Last week, the Ontario Court of Justice released its decision in R. v. Cuttell. The Court concluded there is a reasonable expectation of privacy in customer account records, but this expectation can be destroyed by an ISP if their service agreement grants them wide latitude to hand over customer information. The judge accepted that a broadly-worded statement in Bell's contract with the customer might supplant the reasonable expectation of privacy but there was no proof brought by the police that the Bell contract applied to this customer. What is perhaps most interesting is that the Judge lamendted the fact that the increasing use of "we will disclose" language in ISP contracts tilt the balance of privacy away from individuals toward the police, without the ability of the Courts to impartially consider what is reasonable in the circumstances.

All of this may become moot (and then some!) thanks to currently pending legislation. Bill C-47, entitled Technical Assistance for Law Enforcement in the 21st Century Act, is about to come up for committee review in parliament. Introduced along with Bill C-46, Investigative Powers for the 21st Century Act, both bills represent a significant shift in the powers of law enforcement. Though marketed as updating current police powers to keep pace with technology, C-47 would give law enforcement virtually unfettered access to customer information from internet and telecommunications service providers without any judicial oversight. The particular provision is at Section 16:

Provision of subscriber information

16. (1) Every telecommunications service provider shall provide a person designated under subsection (3), on his or her written request, with any information in the service provider’s possession or control respecting the name, address, telephone number and electronic mail address of any subscriber to any of the service provider’s telecommunications services and the Internet protocol address, mobile identification number, electronic serial number, local service provider identifier, international mobile equipment identity number, international mobile subscriber identity number and subscriber identity module card number that are associated with the subscriber’s service and equipment.

I am of the view that there should be appropriate judicial oversight of any regime in which service providers are required to identify their users to law enforcement officials. (Subject to exceptions in exigent circumstances.) It is only with judicial oversight that society can be assured that the appropriate balance between privacy and public safety is maintained. The government’s proposal provides no oversight and the powers of law enforcement are completely unfettered. If the concern is that search warrants are too time consuming, then appropriate resources should be put in place to provide for rapid review by independent judicial officers. Removing all the stops from law enforcement powers it not appropriate in this case.

Currently there is a disparity of practices among telecommunication service providers and internet service providers across Canada when dealing with a request from a law enforcement agent to provide a customer name and address connected with a specific IP address. This is due to at least a measure of uncertainty in interpreting the service provider’s obligations under the Personal Information Protection and Electronic Documents Act. Most ISPs will provide customer name and address information if law enforcement officers make a written request in the course of investigation related to child exploitation. In other sorts of investigations, a search warrant is required. Other internet service providers require a search warrant in all circumstances to disclose this information.

For example, Clause 16 as drafted does much more than impose the obligation for service providers to carry out a “reverse look-up” to match one piece of information (such as an IP address) with customer billing information. Instead, it would require the service provider to give law enforcement a laundry list of information in response to any request. This sort of information would be IP address, mobile identification number, electronic serial number, phone number, equipment identifiers and others. This, on its face, goes beyond what law enforcement has been asking for, at least in public.

This power is not subject to meaningful review and is completely unfettered. There is no restriction on the circumstances under which these powers can be used. Currently, requests of this nature generally relate to child exploitation investigations or compelling national security/public safety matters. As drafted, law enforcement would be able to use these powers in connection with parking violations and very minor concerns. In fact, these powers could be used in the complete absence of a lawful investigation. In addition, there is no limitation whatsoever on the volume of these sorts of requests. It would be possible for a law enforcement agency to require the name, address, e-mail address and IP address of every single one of their customers. I think most would say this goes over the line.

It has been said before that a customer’s name and address is not “personal information” or if it is, it is not sensitive information. That misses the point. A customer’s name and address, when connected with an IP address or a mobile phone serial number, is never used in isolation. It is always connected with other information relating to that individual’s behaviours or activities. An individual citizen can carry on their “offline” life in relative anonymity without having to produce identification every time they visit a store or look at a particular book in a library. The realities of network communications mean that every activity undertaken by an individual on the internet, lawful or not, leaves a record of that individual’s IP address. The only protection for that individual’s anonymity is that the connection between the IP address and other identifiers can only be made by the telecommunications service provider. Connecting the identity of an individual to his or her online activities amounts to a collection of personal information that should only be done by law enforcement where the circumstances are sufficiently compelling to tilt the balance in favour of law enforcement/public safety. These provisions do not maintain the traditional balance as has developed in Canada under the Charter and in fact go dramatically and unreasonably in favour of law enforcement.

I've been surprised that discussion of this topic has mostly been contained within the privacy community and hope that the upcoming parliamentary hearings on C-46/C-47 will bring the debate into the wider community, where it belongs.

Thursday, October 08, 2009

New decision on warrantless access to ISP customer data

A friend just provided me with a copy of a recent decision of the Ontario Court of Justice considering the admissibility of information obtained without a warrant from the suspect's internet service provider, Bell. R. v. Cuttell is not on CanLii yet, but I've put a copy here.

The Court concluded there is a reasonable expectation of privacy in your account records, but this expectation can be destroyed by your ISP if their service agreement grants them wide latitude to hand over customer information. The judge accepts that a broadly-worded statement in Bell's contract with the customer might supplant the reasonable expectation of privacy. (I would also question whether a form contract that the customer likey has not read would be enough to mean that subjectively there is no reasonable expectation of privacy.)

In this case, there was no proof brought by the police that the Bell contract applied to this customer so a Charter breach was found.

The Court importantly notes that PIPEDA does not give the police the right to seek information and rejects every crown argument that the police may have had "lawful authority" in the circumstances.

But, in the end, the records were admissible as the police acted in good faith.

What is perhaps most interesting is that the Judge laments the fact that the increasing use of "we will disclose" language in ISP contracts tilt the balance of privacy away from individuals toward the police, without the ability of the Courts to impartially consider what is reasonable in the circumstances.

Tuesday, October 06, 2009

Privacy Commissioner releases annual PIPEDA report, focus on online privacy

The Privacy Commissioner of Canada has this morning tabled her annual report on PIPEDA, the country's private sector privacy law. Not suprisingly, there is much discussion about online privacy and social networking. Here's the release and a link to the report:

News Release: Canadians need to take control of their online personal information: Privacy Commissioner - October 6, 2009

Canadians need to take control of their online personal information: Privacy Commissioner Privacy Commissioner of Canada’s annual report focuses on importance of making informed choices about sharing personal information online.

OTTAWA, October 6, 2009 — As more and more Canadians live their lives online, the Privacy Commissioner is cautioning them to take greater responsibility for securing their privacy and thinking twice about what they post on the Internet.

“Many young people are choosing to open their lives in ways their parents would have thought impossible and their grandparents unthinkable. Their lives play out on a public stage of their own design as they strive for visibility, connectedness and knowledge,” says Jennifer Stoddart, the Privacy Commissioner of Canada.

“Such openness can lead to greater creativity, literacy, networking and social engagement. But putting so much of their personal information out into the open can also … leave an enduring trail of embarrassing moments that could haunt them in future,” the Commissioner says in her annual report to Parliament, which was tabled today.

The Commissioner’s 2008 Annual Report to Parliament on the Personal Information Protection and Electronic Documents Act (PIPEDA) highlights the issue of youth privacy. It also looks at 2008 privacy complaint investigations; technology and privacy issues; and the Commissioner’s efforts to encourage the development of international privacy standards.

Commissioner Stoddart noted that many people have been fired, missed out on job interviews and academic opportunities, and been suspended from school for instant messages, wall posts and other types of online correspondence they mistakenly thought were private conversations with friends.

There is also a risk that unguarded personal information could be exploited by identity thieves.

The Office of the Privacy Commissioner recently completed an investigation into the privacy policies and practices of the popular social networking site Facebook. While that investigation focused on Facebook’s obligations under Canadian privacy law, the Commissioner emphasized at the time that, with nearly 12 million Canadians on Facebook, it’s also important for users to adopt the appropriate privacy settings and to understand how their personal information may be used or shared online.

The Privacy Commissioner’s Office has made online youth privacy a key priority, using contests, communications materials and a dedicated youth privacy website to reach out to young people and to encourage them to reflect on privacy issues and to “Think Before You Click.”

“As Canada’s privacy guardian, it is our role to create awareness of privacy risks, show people how to address those risks, and make it easy for them to make informed decisions,” says Commissioner Stoddart.

Adds Assistant Commissioner Elizabeth Denham: “We’re not suggesting the clock be turned back; we just want to ensure Canadians have the information they need to make more privacy-conscious decisions.”

The annual report, available on the OPC website at http://www.priv.gc.ca/, includes details of complaints received and investigated by the Office in 2008.

The OPC received 422 new PIPEDA-related complaints for investigation in 2008, ending a downward trend that had lasted for several years. In 2007, there had been 350 complaints, fewer than half the 723 received in 2004.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

Annual Report to Parliament 2008 – Report on the Personal Information Protection and Electronic Documents Act

Ontario Commissioner orders end of juror background checks

The Information and Privacy Commissioner of Ontario has ordered crown attorneys to immediately stop performing intrusive background checks on prospective jurors. From the IPC:

IPC - Office of the Information and Privacy Commissioner/Ontario Commissioner Cavoukian Orders Crown attorneys to stop collecting personal information on prospective jurors – Recommends single screening process, in light of widespread back

News Release October 5, 2009

Commissioner Cavoukian Orders Crown attorneys to stop collecting personal information on prospective jurors – Recommends single screening process, in light of widespread background checks

Investigation finds one-third of Crown attorney offices engaged in excessive background checks, in a practice that “should have been put to a stop 16 years ago.”

TORONTO – Ontario Information and Privacy Commissioner, Dr. Ann Cavoukian, today ordered Crown attorneys to cease collecting any personal information of potential jurors, beyond that which is necessary under the Juries Act and Criminal Code. Proposing a fundamental shift in the way that prospective jurors are screened, the Commissioner also called on the Ministry of the Attorney General (MAG) to implement a single, centralized juror screening process through the existing Provincial Jury Centre, minimizing the need for numerous background checks to be conducted across multiple offices. The new process addresses the lack of consistency in the “patchwork of practices” presently employed by Crown attorney offices and the police.

The Commissioner’s office (IPC) conducted a major investigation into whether the privacy rights of prospective jurors were breached when the police, on behalf of Crown attorneys, conducted background checks through a variety of means, ranging from accessing confidential databases, to informally gathering anecdotal information. Key findings include:

• One third, or 18 of the 55 Crown attorney offices in Ontario had received background information about prospective jurors since March 31, 2006 – this practice extended well beyond the four locales previously identified in the media;

• All 18 Crown attorney offices had gathered personal information that exceeded the criminal conviction eligibility criteria set out in the Juries Act and Criminal Code – in doing so, they had also failed to comply with applicable privacy legislation; and

• There were varying practices regarding the disclosure of this information by Crown attorney offices to defence counsel.

“I want to be clear that we are not talking about a sweeping epidemic – in a relatively small number of cases, the violation of jurors’ privacy was a routine practice,” said Commissioner Cavoukian. “However, while these practices varied in terms of their invasiveness, the fact remains that 18 Crown attorney offices across the province gathered personal information that exceeded the criminal conviction eligibility criteria set out in the Juries Act and Criminal Code. What I find regrettable is that this invasive practice should have been put to a stop 16 years ago.

Under the Juries Act and Criminal Code, an individual is ineligible to serve as a juror if they have been convicted of an indictable offence for which they have not received a pardon. The Criminal Code also allows a juror to be successfully challenged for cause by the Crown and defence counsel if they have been convicted of an offence for which a term of imprisonment exceeding 12 months has been given. The investigation found that practices had developed across Ontario that, in some cases, went far beyond these limits.

This issue of jury vetting was formally flagged by MAG in 1993, after Ontario Superior Court Justice Humphrey questioned the appropriateness of jury background checks. Within weeks, a memorandum on the issue had been written by a senior Crown attorney, culminating in a recommendation that the practice should stop. But it did not stop, and no further action was taken, at that time. Since then, a series of opportunities to provide clear guidance to Crown attorneys were missed, despite this issue surfacing again and again over the years. It was not until March 31, 2006 that a formal instruction to Crown attorneys came into effect, in the form of a MAG ‘Practice Memorandum.’

“Unfortunately, the 2006 Practice Memorandum was not sufficiently clear as to what practices were acceptable,” added the Commissioner. “We found that a patchwork of practices developed across the province, with a wide variety of opinions across Crown attorney offices as to what background checks were appropriate. My Order will hopefully provide clear direction as to what personal information may or may not be collected in the jury selection process.”

The Investigation

On May 25, 2009, media reports emerged that, in Barrie, Ontario, police services had been conducting background checks of prospective jurors, at the request of Crown attorneys. Upon learning that the practice extended beyond Barrie to include other Ontario locations, Commissioner Cavoukian launched an investigation under the Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act into the practices of conducting background checks of prospective jurors, and whether these practices violated the privacy provisions of the legislation. The Commissioner’s investigation received the full support of the Ontario Government. The Premier, the Honourable Dalton McGuinty, expressed the following view as part of a news conference: “The Attorney General has made it perfectly clear this is unacceptable, it’s not in keeping with practice and in fact, it’s against the law …. We will offer whatever cooperation is required in order to ensure that [Commissioner Cavoukian] can conduct whatever full review that she might and we look forward to receiving any recommendations.”

To ensure a comprehensive investigation, the Commissioner’s office pursued multiple channels of inquiry, including:

1. Conducting in-person interviews at four different Ontario locations with various parties: Crown attorneys, court staff, police officials and defence counsel;

2. Undertaking an intensive province-wide empirical survey of all 55 Crown attorney offices;

3. Receiving sworn affidavits from senior Crown attorneys;

4. Retaining the services of the Auditor General’s staff to review the document capture process involving jury lists; and

5. Receiving legal submissions from the Ministry of the Attorney General, the Ministry of Community Safety and Correctional Services, the Criminal Lawyers’ Association, the University of Toronto’s David Asper Centre for Constitutional Rights, and the Canadian Civil Liberties Association.

“We have made every effort to deliver a full review of the issues associated with background checks, and to provide workable solutions, to bring to an end any unacceptable practices,” said Commissioner Cavoukian.

The Order and Recommendations

Based on the findings of the investigation, the Commissioner is ordering Crown attorneys to cease collecting any personal information of potential jurors beyond that which is permitted under the Juries Act and the Criminal Code, relevant to criminal conviction eligibility. Further, the Commissioner is recommending a fundamental shift in the way that prospective jurors are screened in Ontario. Proposing a complete overhaul of the existing system, the Commissioner has recommended that MAG, through its Provincial Jury Centre (PJC), be the only central body to screen jurors who are ineligible for jury duty, based on criminal conviction. As the single entity already in receipt of the names and personal information of all prospective jurors, the PJC is the obvious candidate to perform this role. Operating from a single location in London, Ontario, the PJC is also in an ideal position to implement strict privacy and security measures that can be strongly enforced, thereby providing a consistently high degree of protection for personal information.

In total, the Commissioner made 22 recommendations directed primarily at Ministry of the Attorney General (MAG), including:

• The Provincial Jury Centre of MAG should be the only central body to screen out jurors who are ineligible for jury duty, based on criminal conviction;

• Crown attorneys should cease the practice of requesting the police to provide criminal conviction information relating to potential jurors, barring exceptional and compelling circumstances;

• Where Crown attorneys do obtain criminal conviction information relating to prospective jurors, they should share this information with defence counsel, in accordance with MAG policy;

• MAG should re-write and re-design the jury service qualification questionnaire in order to make it more clear, transparent and user-friendly for all prospective jurors;

• MAG should develop and implement a policy for Crown attorneys on the appropriate retention and disposal of jury panel lists.

“Any practice that taints, or is perceived to taint, the jury process strikes at the heart of the values we share as citizens of a free and democratic society,” said Commissioner Cavoukian. “My Order and Recommendations should ensure that a number of important goals are met. Juror privacy will be enhanced, all parties to a criminal proceeding will have equal access to relevant information on prospective jurors, and we will have increased accountability surrounding the entire jury selection process.”

For a complete copy of the Order, visit www.ipc.on.ca