Thursday, December 30, 2010

Ontario Commissioner to appeal personal email decision

You may recall my recent post on a decision of the Ontario courts that held that a government employee's personal email is outside of the jurisdiction of the Ontario freedom of information laws (Canadian Privacy Law Blog: Ontario access to information decision may affect cloud computing decisions). The Ontario Information and Privacy Commissioner has decided to appeal the decision, so stay tuned as the saga unfolds.

See: Privacy watchdog to appeal email ruling

Tuesday, December 28, 2010

London police claim CCTV solves six crimes a day

Any stats on the effectiveness of video surveillance are hard to find. The Met police in London are claiming that CCTV now accounts for six crimes solved per day:

BBC News - "Six crimes a day" solved by CCTV, Met says

... The number of cameras in Britain has gone up from 21,000 in 1999 to 59,753 in 2010, it added.

The Met said among the 2,512 suspects caught this year, four were suspected murderers, 23 rapists and sex attackers and five wanted gunmen.

I'm curious what that translates as in cost per arrest?

Class action lawsuit? There’s an app for that

Just posted over at slaw.ca:

Class action lawsuit? There’s an app for that — Slaw

You may have seen the recent Wall Street Journal article on the privacy implications of certain iPhone, iPod Touch and Android apps that disclose information to advertising networks without the explicit knowledge of the user. It didn't take long, but now a class action lawsuit filed in California against Apple for allowing this to happen. See: Apple sued over privacy in iPhone, iPad apps | Apple - CNET News.

I think that this lawsuit is directed at the wrong party (Apple Computer Inc.) and, if it is at all successful, will be harmful to the internet.

This is similar to going after Facebook for everything that their app developers do. Where on party provides a platform (in this case, a mobile device) and another party builds applications on that platform, the key issue that needs to be addressed where privacy is concerned is “where should accountability for privacy lie?” Getting it wrong will stifle innovation in this currently burgeoning area of the Internet ecosystem. Placing all the responsibility on the platform provider will discourage innovators from making new technologies available to the public, to the detriment of those users who are supposed to be protected by privacy rules. Instead, third-party service and application providers should be responsible to users (and to the courts) for their collection, use and disclosure of personal information.

Just imagine what might happen if the already restrictive Apple is found liable for providing app developers too much latitude in structuring their apps. Would this encourage innovation in applications for users? Nope.

Thursday, December 23, 2010

Interview with EU Privacy Chief

The Washington Post has an interesting interview with the head of privacy for the European Union, highlighting some of the differences between continental and American approaches to consumer privacy. The video and a written summary are here: Post Tech - Video: E.U. privacy chief Reding to meet with Holder.

(via Schneier on Security)

Santa's privacy policy

This is a must read: McSweeney's Internet Tendency: Santa's Privacy Policy.

Hat-tip to @privacyprivee for the link.

Tuesday, December 21, 2010

Federal Court awards PIPEDA damages due to inaccurate credit report

In what appears to be a break from the recent cases that have declined to award damages to applicants under PIPEDA, the Federal Court in Nammo v. Transunion of Canada Inc., 2010 FC 1284 has just recently awarded damages to an individual whose loan application was declined due to inaccurate information provided by a credit bureau.

The court awarded $5000 in damages after considering the principles to be applied by the court in awarding damages under the statute. It is really worth noting how cases such as Randall v Nubody's is distinguished.

[71] As indicated, PIPEDA provides the Court broad remedial powers and, in my view, s. 16 of PIPEDA permits the Court, in an appropriate case, to award damages even when no actual financial loss has been proven. In Randall v Nubodys Fitness Centres, 2010 FC 681, Justice Mosley found that an award of damages under s. 16 is not to be made lightly and that such an award should only be made “in the most egregious situations.” This is such a situation. In Randall, which involved the disclosure of how often the applicant used his gym membership to his former employer, Justice Mosley determined that the impugned disclosure of personal information was “minimal,” that there had been no injury to the applicant sufficient to justify an award of damages, that the respondent did not benefit commercially from the breach of PIPEDA, that the respondent did not act in bad faith, and, perhaps most importantly, that there was no link between the disclosure and the employer’s alleged retaliation against the applicant. The same cannot be said here. Not only was the disclosure of inaccurate information directly linked to the refusal of the loan and the associated injury to the applicant, but the respondent also profited from the disclosure and acted in bad faith in failing to take responsibility for its error and failing to rectify the problem in a timely manner. The violation of Mr. Nammo’s rights under PIPEDA was not “the result of an unfortunate misunderstanding,” as was the case in Randall. It was a serious breach involving financial information of high personal and professional importance. The fact that there is no precedent for an award of damages under PIPEDA should not impact the Court from making an award of damages where the circumstances and justice demands it. In my view, for the reasons that follow, this is such a case.

...

[74] The Supreme Court found that “to be ‘appropriate and just’, an award of damages must represent a meaningful response to the seriousness of the breach and the objectives of compensation, upholding Charter values, and deterring future breaches.” In my view, the same reasoning applies to a breach of PIPEDA, which is quasi-constitutional legislation.

[75] In Lavigne v Canada (Office of the Commissioner of Official Languages), 2002 SCC 53, the Supreme Court held that the Privacy Act, R.S.C.1985, c. P-21, was quasi-constitutional legislation that must be interpreted with its special purposes in mind. In Eastmond v Canadian Pacific Railway, 2004 FC 852, at para. 100, Justice Lemieux confirmed that PIPEDA also enjoys quasi-constitutional status:

I have no hesitation in classifying PIPEDA as a fundamental law of Canada just as the Supreme Court of Canada ruled the federal Privacy Act enjoyed quasi-constitutional status (see Justice Gonthier's reasons for judgment in Lavigne v. Canada (Office of the Commissioner of Official Languages, [2002] 2 S.C.R. 773 at paragraphs 24 and 25).

[76] Applying the Supreme Court’s reasoning in Ward to PIPEDA applications before this Court indicates that both the question of whether damages should be awarded and the question of the quantum of damages should be answered with regard to whether awarding damages would further the general objects of PIPEDA and uphold the values it embodies. Furthermore, deterring future breaches and the seriousness or egregiousness of the breach would be factors to consider.

[77] One of the central objects of PIPEDA is to encourage those who collect, use and disclose personal information to do so with a degree of accuracy appropriate to the use to which the information is to be put and to correct errors quickly and effectively. I have found that TransUnion failed to collect accurate information on the applicant. Further, when apprised of its error, it failed to address the complaint quickly and effectively. It further failed to quickly and effectively correct the inaccurate information it had disseminated. Lastly, it failed to take responsibility for its error, first blaming CBV, and then in this action attempting to attribute some blame to the applicant. In my judgment, these are circumstances that warrant an award of damages based on the considerations of vindication and deterrence.

Check out the following commentary:

Monday, December 20, 2010

Washington Post on Monitoring America

The Washington Post has a monumental investigative report on "Top Secret America" focused on Monitoring America. Here's a summary:

Monitoring America | washingtonpost.com

Top Secret America is a project two years in the making that describes the huge security buildup in the United States after the Sept. 11, 2001, attacks. Today’s story is about those efforts at the local level, including law enforcement and homeland security agencies in every state and thousands of communities. View previous stories, explore relationships between government organizations and the types of work being done, and view top-secret geography on an interactive map.


Today's story, along with related material on The Post's Web site, examines how Top Secret America plays out at the local level. It describes a web of 4,058 federal, state and local organizations, each with its own counterterrorism responsibilities and jurisdictions. At least 935 of these organizations have been created since the 2001 attacks or became involved in counterterrorism for the first time after 9/11.

The months-long investigation, based on nearly 100 interviews and 1,000 documents, found that:

  • Technologies and techniques honed for use on the battlefields of Iraq and Afghanistan have migrated into the hands of law enforcement agencies in America.
  • The FBI is building a database with the names and certain personal information, such as employment history, of thousands of U.S. citizens and residents whom a local police officer or a fellow citizen believed to be acting suspiciously. It is accessible to an increasing number of local law enforcement and military criminal investigators, increasing concerns that it could somehow end up in the public domain.
  • Seeking to learn more about Islam and terrorism, some law enforcement agencies have hired as trainers self-described experts whose extremist views on Islam and terrorism are considered inaccurate and counterproductive by the FBI and U.S. intelligence agencies.
  • The Department of Homeland Security sends its state and local partners intelligence reports with little meaningful guidance, and state reports have sometimes inappropriately reported on lawful meetings.

Thursday, December 16, 2010

Facebook implements facial recognition, silent on privacy

Facebook has just announced that it is implementing facial recognition software to "make it easier to tag your friends" in photos. It will make tagging the same person over and over in an album much easier, but their blog post (Making Photo Tagging Easier) doesn't address privacy at all. I'm surprised by this, given that Facebook has been much more vocal and upfront about privacy as of late.

Canada's anti-spam act passes and receives royal assent

Bill C-28, Fighting Internet and Wireless Spam Act, also known as the anti-spam act, has passed through the sentate and received royal assent on December 15, 2010. It comes into force on the day or days set by the Governor in Council.

Check it out: LEGISINFO - The Library of Parliament's research tool for finding information on legislation.

Ontario access to information decision may affect cloud computing decisions

Dan Michaluk has a great summary of a recent and important access to information case from Ottawa, City of Ottawa v. Ontario (Information and Privacy Commissioner) (13 December 2010, Ont Div. Ct.): Case Report – Personal e-mails not subject to FOI legislation « All About Information.

I think this is probably one of the most important access decisions of the past year. It's similar to Johnson v Bell Canada, but seems to go even further. It will have a big impact in universities, where professors have generally been wrangling for exclusion of their e-mail from access legislation.

Most importantly, I think: This case may also have an impact on cloud computing for universities and USA Patriot Act-blocking statutes, because these statutes only apply to information under the "custody or control" of the public body. This case can be interpreted to support the proposition that student e-mail, at least, is not under the custody or control of the public body for the purposes of such statutes.

Update (30 December 2010): Canadian Privacy Law Blog: Ontario Commissioner to appeal personal email decision.

Wednesday, December 15, 2010

Caption this photo (TSA)

I was going to link to this interesting photo (which is devoid of additional context) from Boing Boing, but then noticed the ad which makes an interesting juxtaposition. Check it out, though you ad may vary: TSA WTF OTD - Boing Boing.

Tuesday, December 14, 2010

American Appeals Court says cops need warrants (with probable cause) to get e-mails

This is great news, both for e-mail users and for greater adoption of cloud computing. Contrary to Department of Justice lawyers (and too many precedents on their side), the US Court of Appeals for the Sixth Circuit has found that stored e-mails can't be accessed by law enforcement without a valid warrant.

The court struck down portions of the Stored Communications Act, which had permitted law enforcement to get their hands on e-mails over 180 days old with only a subpoena.

This may have big implications for cloud computing. One of the problems with US law on this is that the Fourth Amendment has been interpreted to say it doesn't protect the privacy of information held by a third party. So if you hand info over to someone like a bank, a cloud provider, an e-mail provider, etc. the protection is very different than if you have it in your personal possession. Finally the courts may be seeing that handing over data to service providers is the modern reality and privacy protections should keep up.

This is a victory for The Digital Due Process Coalition and its supporters in the United States who are advocating for bringing due process into line with modern technology.

Check out some interesting commentary:

And the decision is here: http://www.ca6.uscourts.gov/opinions.pdf/10a0377p-06.pdf.

Monday, December 13, 2010

Wikileaks and Privacy

A friend of mine who is now at Lattice Engines sent me this link written by one of his friends about WikiLeaks and privacy: Wish you were beer: Wikileaks and Privacy.

I'm not sure where I am on this debate yet. I am in favour of transparency and generally agree with the idea of a work product exception to privacy regulations (e.g. if it's about you in your work or professional capacity, it's not really "personal" information) but it's an important debate to have.

Saturday, December 11, 2010

University of Alberta signs on to Gmail

Interesting development, from the Edmonton Journal:

University of Alberta signs on to Gmail

EDMONTON — The University of Alberta and Google concluded legal negotiations this week, preparing the way for better e-mail service for students and entry into the Canadian university market for the Internet giant.

The contract makes legally binding Google’s promises not to data mine university Gmails or share data with a third party. University staff and students get all of Google’s Gmail applications for free, and get to retain their @ualberta.ca tags.

The contract is the first of its kind in Canada and expected to be adopted other Canadian universities now that Alberta has paved the way, University of Alberta vice-provost Jonathan Schaeffer said.

The University of Alberta currently uses more than 30 different e-mail systems across campus.

Using Gmail could save the university $2 million a year, allow a common calendar and improve the emergency response system. But when the idea was first touted publicly last January, many staff and students had privacy concerns.

Signing the contract to ease those concerns means increased legal risks for Google, which sees the free services as a way to build market loyalty but can’t otherwise profit from the deal.

“That, in part, is why it took so long,” Schaeffer said. Now, “we have a legal contract that would allow us to go after them.”

The contract took 15 months to negotiate, which was much longer than the university expected, Schaeffer said. But a legally binding framework was also needed to meet the requirements of the Alberta Freedom of Information and Protection of Privacy Act.

The shift to Gmail will begin in January.

More than 20 Canadian universities, as well as the Canadian University Council of Chief Information Officers, sent Google letters of support during a low point in negotiations last July, indicating it would also be interested in accepting Gmail if a legal framework like the one the U of A wanted was in place.

Jennifer Stoddart: making your privacy her business

Today's Globe & Mail has an interesting profile of the Canadian Privacy Commissioner, Jennifer Stoddart. It's a bit lightweight, but an interesting read. See: Jennifer Stoddart: making your privacy her business - The Globe and Mail.

Friday, December 10, 2010

The first truly honest privacy policy

This is pretty amusing (cynical, but amusing). The author has "open sourced" it, so here it is in all its glory but follow the link to get the accompanying commentary:

The first truly honest privacy policy

... Instead of a welter of new laws or regulations, how about just one: The Honest Privacy Policy Act. The HPPA would require every company to post a simple, direct, and brutally honest policy detailing what really happens to your data.

To help this proposal along I’ve come up with one of my own – and it’s 5,085 words shorter than Facebook’s. Here’s what a real privacy policy might look like:

"At COMPANY _______ we value your privacy a great deal. Almost as much as we value the ability to take the data you give us and slice, dice, julienne, mash, puree and serve it to our business partners, which may include third-party advertising networks, data brokers, networks of affiliate sites, parent companies, subsidiaries, and other entities, none of which we’ll bother to list here because they can change from week to week and, besides, we know you’re not really paying attention.

We’ll also share all of this information with the government. We’re just suckers for guys with crew cuts carrying subpoenas.

Remember, when you visit our Web site, our Web site is also visiting you. And we’ve brought a dozen or more friends with us, depending on how many ad networks and third-party data services we use. We’re not going to tell which ones, though you could probably figure this out by carefully watching the different URLs that flash across the bottom of your browser as each page loads or when you mouse over various bits. It’s not like you’ve got better things to do. Each of these sites may leave behind a little gift known as a cookie -- a text file filled with inscrutable gibberish that allows various computers around the globe to identify you, including your preferences, browser settings, which parts of the site you visited, which ads you clicked on, and whether you actually purchased something.

Those same cookies may let our advertising and data broker partners track you across every other site you visit, then dump all of your information into a huge database attached to a unique ID number, which they may sell ad infinitum without ever notifying you or asking for permission.

Also: We collect your IP address, which might change every time you log on but probably doesn’t. At the very least, your IP address tells us the name of your ISP and the city where you live; with a legal court order, it can also give us your name and billing address (see guys with crew cuts and subpoenas, above).

Besides your IP, we record some specifics about your operating system and browser. Amazingly, this information (known as your user agent string) can be enough to narrow you down to one of a few hundred people on the Webbernets, all by its lonesome. Isn’t technology wonderful?

The data we collect is strictly anonymous, unless you’ve been kind enough to give us your name, email address, or other identifying information. And even if you have been that kind, we promise we won’t sell that information to anyone else, unless of course our impossibly obtuse privacy policy says otherwise and/or we change our minds tomorrow.

We store this information an indefinite amount of time for reasons even we don’t fully understand. And when we do eventually get around to deleting it, you can bet it’s still kicking around on some network backup drives in somebody’s closet. So once we have it, there’s really no getting it back. Hell, we can’t even find our keys half the time -- how do you expect us to keep track of this stuff?

Not to worry, though, because we use the very bestest security measures to protect your data against hackers and identity thieves, though no one has actually ever bothered to verify this.

You’ll pretty much just have to take our word for it.

So just to recap: Your information is extremely valuable to us. Our business model would totally collapse without it. No IPO, no stock options; all those 80-hour weeks and bupkis to show for it. So we’ll do our very best to use it in as many potentially profitable ways as we can conjure, over and over, while attempting to convince you there’s nothing to worry about.

(Hey, Did somebody hold a gun to your head and force you to visit this site? No, they did not. Did you run into a pay wall on the home page demanding your Visa number? No, you did not. You think we just give all this stuff away because we’re nice guys? Bet you also think every roomful of manure has a pony buried inside.)

This privacy policy may change at any time. In fact, it’s changed three times since we first started typing this. Good luck figuring out how, because we’re sure as hell not going to tell you. But then, you probably stopped reading after paragraph three."

I am hereby open sourcing this privacy policy. Feel free to use it on your own sites or suggest it to any that seem deserving (but I’d appreciate a credit and a link, if you’re so inclined).

ITworld TY4NS blogger Dan Tynan writes privacy policies in his sleep -- which may be why he always wakes up cranky. Catch his brand of juvenile snark at eSarcasm (Geek Humor Gone Wild) or follow him on Twitter: @tynan_on_tech.

Ottawa crafts plan to ward off privacy criticism over U.S. border deal

The Globe &amp Mail has received a secret briefing document on developing a communications plan for selling an upcoming deal with the United States to create a common security perimeter around Canada and the US. The document list the Privacy Commissioner as a likely critic of the plan:

Ottawa crafts plan to ward off criticism over U.S. border deal - The Globe and Mail

... It also provides a rare insight into how the government regards Canadians: as a nation ignorant of the true scale of the security threat it faces and more concerned with privacy rights.

The communications strategy for the perimeter security declaration – which the document says will be unveiled in January, 2011 – predicts one of the biggest potential critics will be the federal privacy commissioner Jennifer Stoddart. That’s because the deal is expected to increase the amount of data exchanged between law enforcement and other government authorities in both countries.

Missing laptops spark strong reaction from Alberta Privacy Commissioner

A rash of missing or stolen laptops has prompted Alberta's Information and Privacy Commissioner to speak out strongly on the issue of encryption and data security:

CBC News - Calgary - Stolen Alta. laptops held health data

Seven laptops or digital devices with unencrypted health, employee and financial information have been lost or stolen in Alberta in the past month, prompting disbelief Thursday from Alberta Privacy Commissioner Frank Work.

"It just makes me crazy," Work said. "I think that's just utterly irresponsible now in this day and age."

Medical charts belonging to 2,700 pediatric gastroenterology patients participating in a study were on one of the stolen laptops, which belonged to a researcher at the University of Alberta.

A missing digital recorder stolen from Alberta Sustainable Resources contained statements related to wildlife investigations. And a laptop stolen from the same department contained contact information for junior forest rangers, as well as an employee evaluation.

A laptop from an unnamed trust company had emails containing mortgage application information, social insurance numbers, credit bureau reports and other personal financial information for 135 people, a loss that worried Work the most.

"In that case, that's information that can really be used for an identity theft," Work said.

Two laptops containing information about patients, all under six years old, were stolen from a speech pathology office.

Another laptop from a marketing firm that contained information on 27 Alberta employees was left in a European airport. The last missing laptop belonged to a genetic research company. It contained employee information that included social insurance numbers.

Encryption programs easily available

Work says people shouldn't put personal information on laptops if they don't have to. Many internet security companies, such as Norton and Symantec, offer encryption programs that make it easy for people to protect data.

"It's not like we're asking people to do anything incredibly difficult here," Work said, "especially if you weigh that against telling 35 employees that you lost their RSP information, their employment files and so on."

Police have told Work that most laptop thefts involve criminals who try to resell them quickly for $50 or $70 to someone who simply overwrites the files and does little with the personal information.

However, the information is out there, which is still troubling, Work said.

"You have a responsibility to your patients, your clients, your employees to encrypt their information when you're carrying it around with you. And the law says you have to do that."

Alberta law doesn't have any provisions for Work to penalize individuals, organizations or government agencies for privacy breaches. He can only work with offenders on remedial measures.

People who've been the victim of privacy breaches by private sector businesses can sue for damages under Alberta law, Work said.

Wednesday, December 08, 2010

Asia Pacific Privacy Authorities commit to collaboration

We are seeing the growth of formal and informal structures being put in place by privacy commissioners and their counterparts worldwide to foster interjurisdictional collaboration. We've recently seen the establishment of the Global Privacy Enforcement Network and now the Asia Pacific Privacy Authorities form has concluded in Auckland with a further commitment to cross-border collaboration:

Privacy Commissioners Commit To Continue International Collaboration | Voxy.co.nz

The importance of privacy to the public on both sides of the Pacific Ocean has been demonstrated in a meeting of privacy and data protection commissioners from three continents in the Asia Pacific region.

Hosted by the Office of the New Zealand Privacy Commissioner, the Asia Pacific Privacy Authorities (APPA) forum concluded in Auckland yesterday, with members affirming their commitment to continue to collaborate on international data protection issues.

The New Zealand Privacy Commissioner, Marie Shroff was delighted with the success of the meeting.

"This APPA meeting was one of the largest that we have held and it was pleasing to welcome three new members: Mexico, United States and Queensland. The last two days have reinforced our commitment to continue international collaboration amongst members. This will strengthen our ability to get the best possible outcome for the public's privacy rights."

The APPA members discussed a variety of contemporary privacy issues that face members right across the Asia Pacific region including ways to tackle privacy concerns about social networking, direct marketing and credit reporting.

"I think it is no surprise that issues such as online privacy are a common concern for all jurisdictions but there are practical steps that we can all take to educate the public and the business community on their privacy rights and responsibilities," Australian Privacy Commissioner Timothy Pilgrim said.

For instance, APPA members affirmed their commitment to jointly promote Privacy Awareness Week, which will be held from 1-7 May 2011. APPA has also established a working group on technology issues.

The next APPA meeting will be in South Korea in June 2011.

South Korea investigates Facebook for allegedly breaching privacy laws

Facebook is facing scrutiny and an investigation by data protection authorities in South Korea for allegedly not getting user consent before collecting personal information, though the site's terms and conditions do a standard job of covering the topic. See: South Korea: Facebook Doesn't Comply With Our Privacy Laws

This is interesting, but also should be a reminder that online properties effectively operate in multiple jurisdictions and need to keep in mind that there are a myriad of privacy laws out there.

Tuesday, December 07, 2010

Back online!

After a week of 404's, the Canadian Privacy Law Blog back in business. Sorry for any inconvenience.

Tuesday, November 30, 2010

Visa proposes to use location info to prevent fraud

I usually am not a fan of being profiled and data mined by companies without my knowledge, but there is one clear exception: I am delighted my bank takes such an interest in who I am and what I buy to prevent fraud. Loyal readers my recall my experience with having my debit card cloned, which was detected because my bank knows that I am not in the habit of withdrawing a few hundred dollars from my bank account at ATMs located in strip clubs.

Now, Visa is apparently interested in looking for corroboration from customers' cell phones to figure out whether purchases are legit. The logic is that if you are making a purchase where the card is allegedly present, your mobile phone is likely nearby. I would gladly opt in to this.

Check out the details from Fast Company:

Visa to Use Your Phone's Location to Prevent Credit Card Fraud | Fast Company.

Sure, you like all the great benefits of having your phone know where you are. Looking up directions or local weather information becomes that much faster. But outside companies and agencies are equally delighted to have access to your location information--and not just to send you coupons. Increasingly, they’re going to be using that information for purposes that have nothing to do with your convenience and fancy.

Some of those purposes you’ll like. Others you might not be so keen about. One you’ll probably be okay with was just announced by Visa Europe. The credit card company is going to start using information about the location of customers’ mobile phones to prevent credit card fraud.

Visa Europe has partnered with a company called ValidSoft that can establish whether your mobile phone is in the same place as the merchant or ATM where your card is being used. The assumption is that if the two devices are in close proximity, it’s probably you using the card, even if you’re far afield from your usual stomping grounds. If the two devices are not in the same place, the system may send up an alert.

Proximity information will only be one of a number of variables the system will use to assess the likelihood of fraud during any particular transaction. The companies say the system will both reduce card misuse and cut down on the number of “false positives.” That, they say, will create a better experience for users when a particular purchase deviates from their expected patterns--no more annoying calls or locking your card up when you're simply on vacation--and it will cut down on case-management processing costs for card issuers.

Earlier this year, Gartner issued a report predicting that by 2015, at least 15% of payment card transactions will be validated using mobile location information. “Visa Europe’s move is the start of this trend,” author Avivah Litan wrote on the Gartner blog. “These services have great value when it comes to protecting payment accounts and preventing fraud,” she wrote. “Many more banks and card companies will adopt them once they see the value.”

Facebook sued for HAVING privacy controls

TechCrunch is reporting that Facebook is facing a patent infringement lawsuit in the US for having privacy controls. Yup, you heard that right. The plaintiff is alleging that Facebook's privacy controls infringe a prior patent.

You simply can't win in this world.

Here's a blurb:

Facebook Sued For Having Privacy Controls In Place. Yes, Seriously.

... In short, because Facebook enables people to have some control over their privacy on the popular social networking sites by effectively letting users decide which information you share with whom, Walker Digital believes the company infringes one of its “inventions”.

Provided I’ve understood the complaint correctly and the whole thing isn’t an early April Fools joke, this whole suit is just plain laughable.

In a reaction to the Bloomberg piece, a Facebook spokesperson said they would fight the suit vigorously, calling it “completely frivolous”. This time, I can’t help but agree with them.

You can read the full docket over at Justia.

Monday, November 29, 2010

Ottawa Citizen: On guard for privacy

The Privacy Commissioner, Jennifer Stoddart, is the subject of a very complimentary editorial in today's Ottawa Citizen.

On guard for privacy

OTTAWA CITIZEN NOVEMBER 29, 2010 7:55 AM

The rule for political survival under Stephen Harper's government seems to be: smile and nod, and hope no one notices you. So it's a nice surprise that the prime minister has nominated Canada's high-profile privacy commissioner for re-appointment.

Jennifer Stoddart is no sycophant. And she seems to have avoided the administrative and budgetary pitfalls that claimed the careers or marred the work of other officers of Parliament. Seven years ago, she took over an office in disarray, and turned it into an internationally recognized storehouse of expertise. Her office deals with a large workload. She often has to pronounce on questions while they are in the headlines. There's an urgency to every matter she takes on, because when an individual's privacy is under threat, a remedy delayed is a remedy denied.

Most recently, she's expressed concern about how governments will manage the information they gather on airline passengers. Notably, though, she doesn't rail against the whole concept of data collection. She's not a slavish defender of privacy at the cost of every other consideration. Her advice on airline security, as in all matters, is balanced and sensible. If a policy has an unwarranted or unnecessary effect on privacy, Stoddart will point out ways the government can mitigate those effects. When there is a clear breach, though, she doesn't mince words. She recently said Veterans Affairs' treatment of veteran Sean Bruyea was "alarming" and might be an indicator of a systemic problem. Stoddart's office has been pushing Facebook to make changes for several years, and has criticized a careless mistake Google Inc. made in collecting information for its Street View application.

In any era, Canadians would be lucky to have a privacy commissioner ready to denounce and recommend fixes for an egregious but conventional breach of an individual's rights, as happened in the Bruyea case. Stoddart, though, is particularly suited for this age, when new kinds of co-operation between states, new global business models and new territories in cyberspace are forcing privacy advocates to keep one step ahead.

Technology is changing fast. One gets the sense, though, that Stoddart finds that exciting, as well as challenging. She's no Luddite. She wants to improve the world of social media, not sneer at it. She treats privacy as an essential living element of 21st-century citizenship. That's important, because when privacy advocates buy into a binary world view that sees privacy and engagement as opposing principles, that encourages the developers of new technology to dismiss privacy as the concern of a bygone era.

There will be a lot of work to do in the next few years, as governments continue to refine their security protocols and as cyberspace takes on new forms. No public servant should develop a sense of entitlement, but Stoddart shows no signs of doing so. She's working hard, getting results and is eminently qualified to keep leading this fight for the next few years.

Stoddart has been nothing but fair to this government, and has given it no reason to punish her. It's quite possible, though, that her independent spirit and sharp mind will prove inconvenient to any government on the receiving end of one of her reports. The Harper government, to its credit, has shown itself willing to take that political risk for the good of the country.

Sunday, November 28, 2010

Privacy in the cloud for Canadian universities

This past week, I was invited to speak at the annual get-together of The Canadian University Council of CIOs (CUCCIO) in Toronto on the topic of cloud computing. Many universities in Canada are struggling with the legal and privacy issues of adopting cloud computing, particularly when Google and Microsoft are both offering very attractive (and free!) offerings that would relieve universities of the costs and burdens of administering student and alumni e-mail.

Universities in Alberta, British Columbia and Nova Scotia are particularly hampered by legislation that was designed to thwart the boogeyman represented by the USA Patriot Act.

BC and Nova Scotia have each adopted legislation that either categorically prohibits the "export" of personal information by public bodies, or put in place administrative hurdles. Alberta joins this pack by making it an offense under their public sector privacy law to disclose personal information in response to a "foreign demand for disclosure".

Part of the problem is that the legal framework is not particularly nuanced, as each decision about whether to outsource a service should be guided by a detailed risk assessment and privacy impact assessment instead of ham-fisted categorical rules that don't take particular circumstances into account.

Here is my presentation, which was well received.

If the embedded slideshow isn't showing you the love, click here: https://docs.google.com/present/view?id=ddpx56cg_320fx7rkbhh&interval=30

Canadian courts set high bar for privacy damage awards

Michael Geist's latest Toronto Star column addresses the two recent Federal Court decisions (Stevens and Randall) where the bar for damages has been set (unreasonably?) high. See: Geist: Canadian courts set high bar for privacy damage awards - thestar.com.

Thursday, November 25, 2010

Supreme Court considers privacy in electricity consumption

Yesterday, the Supreme Court of Canada released its decision in R. v. Gomboc, 2010 SCC 55 (CanLII), where the Court considered the use of a digital recording ammeter to determine the electricity consumption of a private home to form the basis (in part) for a search warrant related to a suspected marijuana grow-op.

The facts are somewhat unique, given that Alberta's Electrical Utilities Act and related Code of Conduct Regulation would have given the homeowner the ability to keep electricity consumption information confidential and that the cooperating party -- the utility -- was also a victim of the illegal consumption of electricity.

Check out Brian Bowman's blog post about the case, too.

Here's the headnote:

ON APPEAL FROM THE COURT OF APPEAL FOR ALBERTA

Constitutional law ― Charter of Rights ― Search and Seizure ― Warrantless request by police to electric utility company for installation of digital recording ammeter to measure flow of electricity into a residence suspected of housing a marijuana grow operation ― Information from digital recording ammeter indicating pattern consistent with grow operation ― Observations of police and information from digital recording ammeter basis for warrant to search residence ― Whether reasonable expectation of privacy existed in the information obtained from the digital recording ammeter ― Whether installation of digital recording ammeter violated the rights of the accused to be secure against unreasonable search and seizure ― Canadian Charter of Rights and Freedoms, s. 8 ― Electric Utilities Act, S.A. 2003, c. E-5.1 ― Code of Conduct Regulation, Alta. Reg. 160/2003

Police ― Powers ― Search powers ― Warrantless request by police to electric utility company for installation of digital recording ammeter to measure flow of electricity into a residence suspected of housing a marijuana grow operation ― Information from digital recording ammeter indicating pattern consistent with grow operation ― Observations of police and information from digital recording ammeter basis for warrant to search residence ― Whether police search powers exercised in manner that infringed right of accused to be secure against unreasonable search ― Canadian Charter of Rights and Freedoms, s. 8.

An officer with the Calgary Police Service Drug Unit informed the Southern Alberta Marijuana Investigation Team about a residence in Calgary that he believed might be involved in producing marijuana. That same afternoon, officers conducted a reconnaissance of the residence and made inquiries of neighbours. Based on the observations of the officers and the neighbours questioned, the police contacted the utility company to request the installation of a digital recording ammeter (“DRA”) which would measure electrical power flowing into the residence which was owned by G. The resulting DRA graph showed a pattern of cycling of approximately 18 hours, a pattern consistent with a marijuana grow operation. An officer re-attended at G’s residence to conduct a second external viewing. On the basis of her observations and the information provided to her, including the DRA graph, the officer obtained a search warrant. As a result of the search, the police seized 165.33 kilograms of bulk marijuana, 206.8 grams of processed and bagged marijuana located in a freezer, and numerous items relating to a marijuana grow operation. G was charged with possession of marijuana for the purposes of trafficking and production of marijuana and theft of electricity. A voir dire was conducted to consider G’s application to exclude the evidence disclosed by the search on the basis that no warrant had been obtained prior to the installation of the DRA. The trial judge relied on the Code of Conduct Regulation made pursuant to Alberta’s Electric Utilities Act as statutory support for police access to the DRA data. The DRA evidence was therefore admitted and G was found guilty of the drug-related offences. A majority of the Alberta Court of Appeal allowed G’s appeal and ordered a new trial, concluding that G had a subjective expectation of privacy in the DRA information which was also objectively reasonable. The majority further concluded that the Regulation could not be interpreted to imply the homeowner’s consent to allow a utility company to gather information at the request of the state.

Held (McLachlin C.J. and Fish J. dissenting): The appeal is allowed and the conviction entered at trial is restored.

Per Deschamps, Charron, Rothstein and Cromwell JJ.: A critical factual consideration, on which much of the disagreement in this case turns, is the degree to which the use of DRA technology reveals private information. The evidence was that marijuana grow operations are not investigated using only DRA data and that DRA technology is employed late in an investigation and after conventional investigative methods support the inference that marijuana is being grown in the home. DRA data are used as one more investigative tool to dispel the belief that a grow operation is on the premises and even operate in favour of the defence in approximately half of the times. The importance of what the DRA discloses and what inferences the DRA data support is central to this case. The findings of the lower court concluding that a reasonable expectation of privacy in the DRA data does exist because some information about what is taking place in a house could be inferred are not supported by any evidence on the record. The DRA is a technique that reveals nothing about the intimate or core personal activities of the occupants. It reveals nothing but one particular piece of information: the consumption of electricity.

Before reaching the question of whether a search is reasonable within the meaning of the Charter, the accused must first establish that a reasonable expectation of privacy existed to trigger the protection of s. 8. The facts of this case straddle two privacy interests recognized in the jurisprudence: informational and territorial. There is every reason, however, for proceeding with caution when deciding what independent constitutional effect disclosure clauses similar to those in the Regulation may have on determining a reasonable expectation of privacy.

Determining the expectation of privacy requires examination of whether disclosure involved biographical core data, revealing intimate and private information for which individuals rightly expect constitutional privacy protection. The appropriate question is whether the information is the sort that society accepts should remain out of the state’s hands because of what it reveals about the person involved, the reasons why it was collected, and the circumstances in which it was intended to be used. The combined effect of the Regulation and s. 487.014 of the Criminal Code establishes that not only was there no statutory barrier to the utility company’s voluntary cooperation with the police request, but express notice that such cooperation might occur existed. This is one factor amongst many which must be weighed in assessing the totality of the circumstances. The central issue in this case is thus whether the DRA discloses intimate details of the lifestyle and personal choices of the individual that form part of the biographical core data protected by the Charter’s guarantee of informational privacy. The evidence available on the record offers no foundation for concluding that the information disclosed by the utility company yielded any useful information at all about household activities of an intimate or private nature that form part of the inhabitants’ biographical core data. The DRA’s capabilities depend of course on the state of the technology at the time of its use. As DRA technology now stands, it is not capable of giving access to the occupants’ personal information. Instead, the DRA data merely yield an additional piece of information to evaluate suspicions — based on an independent evidentiary foundation — police already have about a particular activity taking place in the home.

A final factor affecting the informational privacy analysis is the fact that G’s interest in the electricity use data was not exclusive. G’s electricity consumption history was not confidential or private information which he had entrusted to the utility company. As the supplier of electricity, the utility company had a legitimate interest of its own in the quantity of electricity its customers consumed. Consequently, it is beyond dispute that the utility company was within its rights to install a DRA on a customer’s line on its own initiative to measure the electricity being consumed. The utility company was not an interloper exploiting its access to private information to circumvent the Charter at the behest of the state; rather, its role is limited to the wholly voluntary cooperation of a potential crime victim.

While a territorial privacy interest involving the home is a relevant aspect of the totality of the circumstances informing the reasonable expectation of privacy determination, the Charter’s protection of territorial privacy in the home is not absolute. Where, as in the case at bar, there was no direct search of the home itself, the informational privacy interest should be the focal point of the analysis. The fact that the home was the focus of an otherwise non-invasive and unintrusive search should be subsidiary to what the investigative technique was capable of revealing about the home and what information was actually disclosed. The fact that the search includes a territorial privacy aspect involving the home should not be allowed to inflate the actual impact of the search to a point where it bears disproportionately on the expectation of privacy analysis.

Per Binnie, LeBel and Abella JJ. ― Throughout the development of its s. 8 jurisprudence, the Court has consistently recognized the overriding constitutional importance of the privacy interests connected with activities taking place inside the home. Given the overriding significance of protecting these privacy interests, the concerns regarding the warrantless use of DRAs are well founded. And this case may well have been differently decided but for a crucial factor: the relationship between G and his utilities provider is governed by a recently enacted public statute, which entitles G to request confidentiality of his customer information. He made no such request. Nor did he challenge the constitutionality of the relevant provision. This combines to determinately erode the objective reasonableness of any expectation of privacy in the DRA data.

DRA data indicating a certain cyclical pattern permits a strong inference of the presence of a marijuana grow operation in a residence. The existence of such activity is presumptively information about which individuals are entitled to expect privacy because it is information about an activity inside the home and is, therefore, personal information. The fact that the activity is criminal does not, under our jurisprudence, remove it from the expectation of and entitlement to privacy protection and, therefore, the requirement of a warrant. The DRA is a surveillance technique that yields usually reliable inferences as to the presence within the home of one particular activity: a marijuana grow operation.

The fact, however, that the customer in this case can request that his or her information be protected means essentially that under the Code of Conduct Regulation, the customer is presented with the unrestricted ability to control the expectation of privacy in his or her relationship with the utility company. G made no such request, yet urges the Court to treat his expectation of privacy as if he had. There is no room for interpretive creativity in this case because there is no ambiguity in the language of the provisions. DRA information, whenever it is collected, is, necessarily, “customer information” pursuant to the Regulation and, as such, information under s. 10(3)(f) of the Regulation that can be collected by the utility company and disclosed “without the customer’s consent” to the police investigating an offence. An examination of the totality of the circumstances involves consideration of all, not just some, of the relevant circumstances. There can be no examination of the totality of the relevant circumstances without including the fact that the Regulation exists. It cannot, therefore, be seen as neutral or irrelevant. The contractual terms the Regulation creates are not only clear and unambiguous; they are also clearly relevant to an objective assessment of the reasonableness of any expectations of privacy G may have had in the DRA information, regardless of whether he decided to inform himself of the legal parameters of his relationship with his utility provider. When considered among all the circumstances of this case, the legislative authority provided by the Regulation is in fact determinative and leads to the conclusion that any expectation of privacy that G may have had was objectively unreasonable. In the absence of a reasonable expectation of privacy, the collection of the DRA information in this case did not constitute a “search” within the meaning of s. 8.

Per McLachlin C.J. and Fish J. (dissenting): This appeal raises core issues regarding the protection of privacy safeguarded by s. 8 of the Charter. When we subscribe for public services, we do not authorize the police to conscript the utilities concerned to enter our homes, physically or electronically, for the purpose of pursuing their criminal investigations without prior judicial authorization. Considering the totality of the circumstances, a reasonable person would not accept that the type of information at issue, collected for the reasons and in the manner that it was, should be freely available to the state without prior authorization. G is presumed to have a subjective expectation of privacy within his home. The existence of an obscure regulation that the reasonable person is unlikely to understand does nothing to render G’s subjective expectation objectively unreasonable. G had a reasonable expectation of privacy in the DRA data, the intrusion and transmittal of the information gleaned constituted a search and this search was not authorized by law.

A search occurs when state conduct interferes with an individual’s reasonable expectation of privacy. Whether an expectation of privacy is reasonable depends on whether the individual concerned has (1) a subjective expectation of privacy in the subject matter of the alleged search, and (2) whether that subjective expectation is objectively reasonable. The test for subjective expectation of privacy is a low hurdle and individuals are presumed to have a subjective expectation of privacy regarding information about activities within the home. Thus, resolution of this issue turns on whether G’s expectation of privacy was objectively reasonable. The factors relevant to determining an objectively reasonable expectation of privacy include the subject matter of the search, the place of the search, whether the privacy interest was abandoned or waived, the degree of intrusiveness, and, in some cases, the presence of a regulatory framework that would diminish any expectation of privacy. In our view, the resolution of this issue turns on the last two factors above: the degree of intrusiveness and the presence of a regulatory framework.

We begin with the issue of intrusiveness. While the DRA does not indicate the source of electrical consumption within the residence, it produces detailed information as to the amount of electricity being used in a home and when it is being used. In addition, DRAs are extremely accurate in disclosing the existence of plant growing operations within a house. The fruits of a search need not produce conclusive determinations about activities within a home in order to be considered informative and thus intrusive. The significance of the DRA data derives from its utility in making informed predictions concerning the probable activities taking place within a home. Predictions of this sort, while not conclusive, nonetheless convey useful private information to the police. Such evidence of criminal activity, or of a connection to criminality, has previously been considered by this Court to be very personal biographical information.

The constitutionality of a search does not hinge on whether there are even more intrusive search methods the police could have improperly used. It is unhelpful to compare a DRA search conducted without a warrant to a physical search conducted with a warrant. It is hardly apparent that the use of DRAs will reduce the total intrusion into a suspect’s territorial privacy as the use of a DRA only serves as a substitute for a physical search of a suspect’s home if the police could have obtained a warrant to search the home.

The remaining issue in determining whether a search occurred is whether the Regulation negates or reduces the objectively reasonable privacy interest the other factors suggest. A reasonable person would not have concluded that his or her expectation of privacy in activities inside the home was negated because of the Regulation. The average consumer signing up for electricity cannot be expected to be aware of the details of a complex regulatory scheme which permits the utility company to pass information on electricity usage to the police, especially when a presumption of awareness operates to, in effect, narrow the consumer’s constitutional rights. In addition, if they were made aware of the Regulation — something that did not happen in this case — reasonable consumers would likely not read it as permitting the intrusion at issue. Finally, although the Regulation is not a criminal law, the provisions relied upon by the Crown are explicitly criminal rather than regulatory in purpose. We conclude that G had a reasonable expectation of privacy in the DRA data and that the intrusion and transmittal of the information gleaned thus constituted a search.

If a search is established, the court must then determine whether the search was reasonable. The search in this case was not reasonable. The warrantless use of the DRA was not shown to be reasonably necessary to the police activity, as the police unit in this case has demonstrated by virtue of its general policy of applying for warrants before attaching DRAs to transformers located on private property. Moreover, while the Regulation permits the disclosure of “customer information”, it does not authorize the utility company to operate as an agent for the police for the purpose of spying on consumers. The DRA data that concerns us here was not pre-existing information in a utility company subscriber’s file. Although the utility company might have chosen to collect this data on its customers on its own initiative and for its own purposes, it neither did so nor manifested any intention to do so in this case. Accordingly, it has not been demonstrated that the search was authorized by law and as such, G’s rights under s. 8 of the Charter were infringed. We would affirm the judgment of the Court of Appeal and dismiss the appeal against that judgment to this Court.

Check out Brian Bowman's blog post about the case, too.

Jennifer Stoddart nominated for reappointment as Privacy Commissioner

The Prime Minister's Office has announced that the current Privacy Commissioner of Canada has been nominated for reappointment for a further three year term. It's worth noting that this is shorter than the usual full term.

From the Prime Minister's press release:

24 November 2010

Ottawa, Ontario

Prime Minister Stephen Harper today announced the nomination of Jennifer Stoddart for reappointment as Privacy Commissioner of Canada for a three-year term. Ms Stoddart has been serving as the Privacy Commissioner of Canada since December 2003.

“Jennifer Stoddart is extremely well qualified to continue in the role of Privacy Commissioner of Canada”, said the Prime Minister. “She brings to the position considerable expertise in privacy protection issues and a deep understanding of the importance of open and transparent government. I am pleased that she has agreed to be nominated to continue in this important role”.

The Leader of the Government in the House of Commons and Minister of the Environment will be tabling this nomination for consideration by the House of Commons.

The Office of the Privacy Commissioner was created in 1977 under the Canadian Human Rights Act, Part IV. The Privacy Act, which currently governs the functions of the Privacy Commission, was adopted in 1983.

As an Agent of Parliament, the Privacy Commissioner oversees compliance with both the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act, Canada’s private sector privacy law. The mission of the Office of the Privacy Commissioner of Canada is to protect and promote the privacy rights of individuals.

Friday, November 19, 2010

Federal Court dismisses damages claims, considers what is compensable under PIPEDA

Dan Michaluk has a good summary of a very recent case from the Federal Court in Stevens v. SNF Maritime Metal Inc., 2010 FC 1137, where a claim for damages was dismissed as essentially an end-run around other potential causes of action. In this case, for wrongful termination. The applicant had apparently defrauded his employer and another company breached PIPEDA by disclosing the applicant's information to the employer. The employee was terminated and claimed damages for the resulting loss.

See: Case Report – Federal Court dismisses application, articulates what damages are compensable under PIPEDA « All About Information.

Monday, November 15, 2010

Opt out, while you still can: Airport security reaches new levels of absurdity

"Ask the Pilot", over at Salon.com, has a great/sad illustration of the absurdity of idiotic policies and slavish adherence to these policies at airport screening: Airport security reaches new levels of absurdity - Ask the Pilot - Salon.com.

Over the past year, I've been "randomly" selected for the virtual stip-search about a half dozen times. Each time, I've opted out and have gone for the pat-down. I don't really have a problem with modesty and would probably streak through the terminal for a reasonable fee, but I do so just to make a point. The machines are pointless security theatre.

On my last trip to Ottawa, the CATSA screener guy directed me to the naked machine after I went through the metal detector. He didn't tell me it was optional. I said "I decline." And he was visibly surprised. When I opted out, he tried to sell me on the benefits of going into naked machine: "It only takes two seconds."

"No thanks. I opt out."

He was also the guy who got to give me the rub-down, and I'm sure I got extra-special treatment because I defied him.

A few weeks before, when I opted out to a woman CATSA person, she said I'd have to wait for a male guy. I said I didn't care if it was her, but I still had to wait. But she had to hold onto my boarding pass to make sure I didn't make a break for it (though I'd been through the metal detector). A few minutes passed and there was no male CATSA guy available. Obviously upset she was having to loiter with me, she quickly ran the explosive decting swab on my hands, gave me the all-clear and sent me on my way.

Does this make you any safer?

Body scanning, which started as random, is becoming de rigeur in the United States and I will not be surprised to see it make a similar change in Canada. It's the classic bait and switch: don't worry ... it's optional and we randomly choose people for secondary screening through the scanner. Now that we have them installed in all the airports, it's the scanner or the glove. Then it'll be the scanner or the train.

Recently, an American blogger wrote about his surreal experience in trying to opt-out at San Diego airport and it has garnered over 4000 comments so far.

Not surprisingly, this has led to a backlash. A number of groups in the US are calling for national opt-out day in airports on the busiest travel day of the year. I expect that it will have an impact on Thanksgiving travelers and will get some notice.

Thursday, November 11, 2010

Obama administration has plans for online privacy law

The Wall Street Journal is reporting that the Obama administration is preparing to table proposals for a new, comprehensive online privacy regime in the United States.

Initiatives like this have been floated before, so it will be interesting to see what it looks like when it sees the light of day.

See: Obama Administration Seeks Internet Privacy Protections, New Policy Office - WSJ.com.

Federal website leaked personal information

The CBC is reporting that an important government website had a significant security glitch that led to the disclosure of sensitive personal information of about 75 people. The site, Access Key, was launched on September 26 and the problem occurred within days. The error was reported by users and it took the site's operators a number of days before reporting it to the Privacy Commissioner. See: CBC News - Ottawa - Federal online glitch leaked private info.

Tuesday, November 09, 2010

Nova Scotia to table health information legislation today

The Nova Scotia Minister of Health is expected to table the latest iteration of the Personal Health Information Act in the Nova Scotia legislature this afternoon. Expect to see the text of the bill here as soon as it's tabled.

See: Health minister expected to table personal information bill today - NovaScotia - TheChronicleHerald.ca.


Update: The text of Bill 89 is available here.

Thursday, November 04, 2010

Eroding Financial Privacy: PIPEDA & FATCA

Last week, Michael Power blogged about the Foreign Accounts Tax Compliance Act. This week, he's got a more detailed post about that Act and how it affects organizations' obligations under PIPEDA. Check it out: Michael Power * Eroding Financial Privacy: PIPEDA & FATCA.

Tuesday, November 02, 2010

The new lawful access bills

Here is the first reading text of the Investigative Powers for the 21st Century Act:

BILL C-51 An Act to amend the Criminal Code, the Competition Act and the Mutual Legal Assistance in Criminal Matters Act aka Investigative Powers for the 21st Century Act.

I will post a link to the Investigating and Preventing Criminal Electronic Communications Act when it is posted on the parliamentary website.

(Note: I had previously linked to the wrong bill on this post ...)

Monday, November 01, 2010

Lawful access back before Parliament

Once again, the Government of Canada has put "lawful access" back before Parliament.

Notice that it again allows for the police and "national security agencies" to require the personal information of telecommunications customers without a warrant.

I will post a link to the bill itself as soon as I can get my hands on it, but in the meantime here's the press release from the Department of Justice:

Government of Canada Introduces Legislation to Fight Crime in Today’s High-Tech World

GOVERNMENT OF CANADA INTRODUCES LEGISLATION TO FIGHT CRIME IN TODAY’S HIGH-TECH WORLD

OTTAWA, November 1, 2010 – The Honourable Rob Nicholson, P.C., Q.C., M.P. for Niagara Falls, Minister of Justice and Attorney General of Canada, together with Dave MacKenzie, M.P. for Oxford and Parliamentary Secretary to the Minister of Public Safety, and Daniel Petit, M.P. for Charlesbourg–Haute-Saint-Charles and Parliamentary Secretary to the Minister of Justice, today re-introduced in the House of Commons two bills that would provide law enforcement and national security agencies with up-to-date tools to fight crimes such as gang- and terrorism-related offences and child sexual exploitation.

“New and evolving technologies provide new ways of committing crimes, making them harder to investigate,” said Minister Nicholson. “We must ensure that law enforcement has the means to bring to justice those who would break the law. Twenty-first-century technology demands twenty-first-century tools for police to effectively investigate crime.”

The proposed Investigative Powers for the 21st Century Act would provide law enforcement agencies with new, specialized investigative powers to help them take action against Internet child sexual exploitation, disrupt on-line organized crime activity and prevent terrorism by:

  • enabling police to identify all the network nodes and jurisdictions involved in the transmission of data and trace the communications back to a suspect. Judicial authorizations would be required to obtain transmission data, which provides information on the routing but does not include the content of a private communication;
  • requiring a telecommunications service provider to temporarily keep data so that it is not lost or deleted in the time it takes law enforcement agencies to return with a search warrant or production order to obtain it;
  • making it illegal to possess a computer virus for the purposes of committing an offence of mischief; and
  • enhancing international cooperation to help in investigating and prosecuting crime that goes beyond Canada’s borders.

“We are giving our police the tools they need to keep up with criminals who are increasingly using new technology in carrying out their crimes. High-tech criminals must be met by high-tech police,” said Mr. MacKenzie. “This announcement once again demonstrates our commitment to give our law enforcement agencies the tools they need to make our communities safer.”

The Investigating and Preventing Criminal Electronic Communications Act would address challenges posed by today’s technologies that did not exist when the legal framework for interception was last updated nearly 40 years ago. The Act would require service providers to include interception capability in their networks, thereby allowing law enforcement and national security agencies to execute authorizations for interception in a more timely and efficient manner with a warrant. The proposed Act also calls for service providers to supply basic subscriber information upon request to designated law enforcement, Competition Bureau and national security officials.

Requirements to obtain court orders to intercept communications will not be changed by this Act. This legislation will simply help ensure that, when warrants are issued, telecommunications companies have the technical ability required to intercept communications for the police and the Canadian Security Intelligence Service.

Other countries, such as the United Kingdom, the United States, Australia, New Zealand, Germany and Sweden, already have similar legislation in place.

“Both of these pieces of legislation will provide vital tools to allow law enforcement officers to trace serious computer crimes such as child pornography and hate crime,” said Mr. Petit. “Both acts help to address Canadians’ privacy concerns by including strict privacy safeguards which, in the case of the Investigative Powers for the 21st Century Act, includes heightened requirements for obtaining judicial authorization before police can obtain data relating to a suspect’s location.”

The Government carefully considered input provided by a broad range of stakeholders in developing these two pieces of legislation, including the telecommunications industry, civil liberties groups, victims’ advocates, police associations and provincial/territorial justice officials. As a result, the Government has ensured that the Investigative Powers for the 21st Century Act and the Investigating and Preventing Criminal Electronic Communications Act adopt a balanced approach, taking full account of the need to protect the safety and security of Canadians, the competitiveness of the telecommunications industry, and the privacy rights of Canadians.

An on-line version of the legislation will be available at www.parl.gc.ca.

Backgrounder: Investigative Powers for the 21st Century Act.

Saturday, October 30, 2010

Presentation: Location Based Services

The fourteenth annual Canadian IT Law Association conference just wrapped up and I had the distinct pleasure of sitting on a panel moderated by Michael Erdle, with Lisa Lifshitz and Mark Hayes on the topic of privacy and social media, online advertising and location-based services.

I addressed location based services and, in case you're interested, here is my slide deck setting out the background for discussion:

Monday, October 25, 2010

Michael Power would like to introduce you to FATCA

Michael Power would like to introduce you to FATCA (Foreign Accounts Tax Compliance Act).

Don't blame the messenger; Michael's a nice guy:

Michael Power - It’s Time You Met FATCA

... So affected institutions (remember FATCA covers both financial and non-financial entities) must identify clients who are American (which means asking the question of every client since “U.S. persons” do live abroad); obtain their consent to the disclosure of sensitive personal information to the IRS or withhold the provision of a service for a failure to provide consent to disclose. How these organizations reconcile FATCA compliance with PIPEDA compliance is a topic for another day.

Privacy Commissioner releases draft report on 2010 consumer privacy consultations

The Privacy Commissioner of Canada has released her draft report on her 2010 Consumer Privacy Consultations that focused on "Online Tracking, Profiling and Targeting and Cloud Computing." You can get to the report here: http://www.priv.gc.ca/resource/consultations/index_e.cfm.

Sunday, October 24, 2010

Privacy for Sale: The Real Cost of Social Networking

This month's edition of The National magazine (National (English) - October/November 2010) has a significant multi-page article on privacy and social networking, featuring interviews with me, Michael Geist, Ariane Siegel and Jennifer Stoddart.

You can download the entire article in PDF here.

Tuesday, October 19, 2010

Using the Best and Ignoring the Rest: Connecting Social Media to Business Results

I've been invited to participate in a panel discussion at the Annual CBA Law Firm Leadership Conference on the use of social media by lawyers and law firms. Here's the description of the panel I'm on:
Using the Best and Ignoring the Rest: Connecting Social Media to Business Results

Blogging? Twitter? Facebook? There is no finishing line in the world of technology. While most law firm leaders are now comfortable with websites, this does not mean that the IT challenge is over. The next challenge is to make the most of social media - to identify, for example, the most promising uses of Twitter and Facebook in communicating and collaborating with clients. To help delegates sort the wheat from the chaff will be leading legal analyst, Jordan Furlong, and panelists moderated by Richard Susskind, with emphasis on case studies of what has worked for law firms in Canada and beyond.

Featured Speaker: Jordan Furlong, Senior Consultant, Stem Legal Web Enterprises, Ottawa

Panelists: Jeremy Grushcow, Lawyer, Ogilvy Renault, Toronto

David Fraser, Partner, McInnes Cooper, Halifax

Scott Wolfe, Jr., Member, Wolfe Law Group, LLC, New Orleans

Commissioner to initiate new investigation of Facebook, perhaps?

It appears that another investigation of Facebook by the Privacy Commissioner may be in the offing as it is revealed that the site passed -- perhaps unwittingly -- user info to advertisers and applications. See: Personal info slips through Facebook into advertisers’ hands - The Globe and Mail.

Monday, October 18, 2010

Privacy enforcement transcends borders

Read David Canton's London Free Press column on the Global Privacy Enforcement Network (that I blogged about previously) here: eLegal Canton � Privacy enforcement transcends all borders.

Wednesday, October 13, 2010

Stalking celebrities just got easier

Celebrity stalking is about to get much, much, much easier thanks to a soon-to-be released app called Just Spotted. Read more at TechCrunch: Celebrity Geo-Stalking In Real-Time. Finally. JustSpotted Launches Next Week.

Of course, this raises issues about celebrity privacy and then one has to ask what is the threshold for "celebrity". It's a bar that's dropping with each new D-lister reality show.

Tuesday, October 12, 2010

Mirror, mirror on the web

This week's Lawyers Weekly quotes me in an article by donalee moulton on monitoring and protecting your online defamation. See: Mirror, mirror on the web.

Monday, October 11, 2010

The Slow Demise of Defamation and the Privacy Torts

Daniel Solove at Concurring Opinions has some interesting thoughts on the progressive demise of defamation and privacy tort cases in the United States:

Concurring Opinions - The Slow Demise of Defamation and the Privacy Torts

I think this turn of events is unfortunate. People used to resort to self-help (violence and duels) to vindicate their reputations. Civilized society replaced these methods with a more humane alternative — using the court system to resolve disputes. Sadly, that method is increasingly becoming too expensive and cumbersome for people to use.

Some commentators argue that today, people can more readily have the record corrected or improve their reputations by posting good things about themselves online. But it is hard to manipulate Google and other search engines to make the good information crowd out the bad. The problem is that bad information is often more interesting and juicy — and hence more popular. And popularity is the key to getting information to the top of search engine results. Many people have short attention spans and don’t care to dig to find out the boring truth or other facts about a person.

We need to have an outlet in civilized society for people to vindicate their reputations. We need to have some meaningful way to prevent defamation and invasion of privacy. Otherwise, people will spread all sorts of damaging rumors and gossip about each other online, and victims will return to self-help methods. That would be a big step backwards.

I don't have any Canadian stats at my fingertips, but I would hazard a guess that defamation is flourishing in Canada while the privacy torts are stuck in neutral.

Friday, October 08, 2010

Teens Want More Privacy Online Too | Fast Company

Fast Company is reporting on a recent US survey that suggests that there is no generation gap when it comes to concern about privacy. Teens want control over their personal information in overwhelming numbers. See: Teens Want More Privacy Online Too | Fast Company.

This really isn't a surprise. Almost everyone, when asked, says they are concerned about their privacy. What really matters is what people do about it. If there is a generation gap, it's the comfort level about carrying out a large portion of their social lives online. But this has spread to the oldies, who are following suit in large numbers.

Wednesday, October 06, 2010

Facebook offers additional privacy features

Today, in what has been speculated to be phase one of significant announcements in the coming days, Facebook has revealed some important new features to increase user control over personal information. First, the company has unveiled a completely redesigned "groups" feature that allows you to more easily share information with smaller groups of friends, rather than all your "friends" or the world at large. The second is the ability to download the information that Facebook has about you. Read: Gawker: New Facebook Offers Cliques for Privacy, Techcrunch: This Was Just Phase One Of Facebook’s “Lockdown” — Redesign Still Coming and the Official Facebook Blog: Giving You More Control.

Tuesday, October 05, 2010

Privacy Commissioner's Annual Report on the Privacy Act tabled

Jennifer Stoddart has today tabled her Annual Report to Parliament on the Privacy Act (2009-2010). The report deals with her duties and the administration of the federal public sector privacy law.

Some highlights from her accompanying press release include:

  • Wireless audit: Of five federal entities examined, none had fully assessed the threats and risks inherent in wireless communications. Gaps in policies and/or practices resulted in weak password protection for smart phones and inadequate encryption for Wi-Fi networks and data stored on mobile devices. Shortcomings were also noted in the disposal of surplus handheld devices and the use of PIN-to-PIN messaging, a form of direct communication between two smart phones that is vulnerable to interception.
  • Disposal audit: Satisfactory policies and procedural rules were in place for paper shredding and the disposal of surplus computer equipment among the federal institutions audited. There were, however, disturbing deficiencies in practice. For example, tests on a sample of computers donated to a recycling program for schools revealed that 90 percent of the donating institutions had not properly wiped their computers’ hard drives, leaving behind data that was confidential, highly sensitive and, in some cases, even classified.
  • Unauthorized access to tax records: An OPC investigation confirmed that a former Canada Revenue Agency worker had posted to an Internet chat group some personal tax information of high-profile sports figures, which he appears to have gleaned while working at the agency. The investigation further found that other staff still with the agency had similarly accessed tax records without authorization. They were subsequently suspended or fired and new measures were introduced to safeguard the data.
  • RCMP Automated Licence Plate Recognition Program: A surveillance technology rolled out by the RCMP in British Columbia, which aims to spot stolen or uninsured vehicles, raised concerns about the collection and retention of incidental licence plate data from cars that were lawfully on the roads. In response to OPC recommendations, the RCMP made privacy-sensitive modifications to the program.
  • Political Impartiality Monitoring Approach: The OPC reviewed a Privacy Impact Assessment for the Political Impartiality Monitoring Approach, a program developed by the Public Service Commission to monitor media outlets, personal websites and social networking sites for signs of inappropriate political activity by government employees and appointees. The review raised concerns about the scope and privacy implications of the initiative. In response, the Commission undertook to modify its approach and to provide the OPC with a new Privacy Impact Assessment in the fall of 2010.
  • Technical malfunctions: Several investigations turned up mechanical or computer glitches that led to the unauthorized disclosure of personal information by federal institutions. For instance, a programming flaw allowed a hacker to access personal information submitted through the Canada Post Ombudsman’s online complaint system.
  • Federal administrative tribunals: The OPC continues to express concerns about the disclosure of personal information by administrative tribunals and other quasi-judicial bodies. In one case, the Public Service Staffing Tribunal improperly shared sensitive medical information about an individual with hundreds of his former colleagues. In 2009-2010, the Office published guidelines for tribunals on balancing transparency and privacy in the Internet era.

Tuesday, September 28, 2010

Right to Know Week in Canada

September 27 to October 1 is Right to Know Week, which is meant to raise awareness about people's right to access to information (also known as freedom of information in some jurisdictions). For a list of all the events across the country, check out the Right to Know website: HOME - Right To Know - Right To Know.

Monday, September 27, 2010

Canada's Anti-Spam Act back on the order paper

Bill C-28, called the Fighting Internet and Wireless Spam Act (or, more formally: An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act) is back on the order paper in Parliament today. Here's the bill's status and a link to the full-text: LEGISINFO - The Library of Parliament's research tool for finding information on legislation.

Via @kaplanmyrth.

Sunday, September 26, 2010

Facebook now anticipating and responding to privacy questions in Canada

CTV News is reporting that when Facebook launched their location-based service "Places" in Canada, the company did more than just have a teleconference with reporters to gush about how cool it is. Much of the call was spent talking about privacy, which is key to managing the inevitable privacy questions that any such product will raise in Canada. That's simply the new reality and good on Facebook for anticipating the questions and dealing with them up front. See: CTV News | Facebook tries to head privacy critics off at the pass.

Fear and loathing and a dude named “Third Party”

Dissent, over at PogoWasRight, has a good post on what I see as the most problematic characteristic of privacy law in the United States. Under American constitutional jurisprudence, as soon as you hand personal information over to a third party, you lose all expectation that it will be kept private. That makes it fair game for the authorities to compel it, subject only to antiquated statutes like the Electronic Communications Privacy Act. Read on: Fear and loathing and a dude named “Third Party” | Privacy News - PogoWasRight.org.

Friday, September 24, 2010

Striking a blow for cyber-privacy

Canadian Privacy Commissioner Jennifer Stoddart has a fan at the Edmonton Journal:

Striking a blow for cyber-privacy

Privacy commissioner Jennifer Stoddart has been a true friend of Canadians -- both in the old analog meaning of that word, and in the digitized, social media sense.

For seven years, she has been rock solid in recognizing that we are in the midst of a rapidly unfolding communications universe that is popular with consumers but has the capacity to do real damage to them if unchecked. Straddling the exploding information revolution while protecting the basic rights of individuals and organizations is a tricky, potentially dangerous business, a no-win scenario in shaky hands.

Stoddart has single-handedly put Canada on the global map among tech-savvy nations seeking to find an acceptable balance that encourages innovation while determined to protect privacy rights. Once a little-known bureaucrat in a middle-sized country that certain multinational corporate tech giants took for granted, Stoddart no longer has to worry about her e-mails and phone calls being returned by the heavyweights of Google, Apple and dozens more. She's got their attention by being smart, tough and informed.

And she's getting results. Tuesday, following a year-long investigation, Stoddart's office ruled that Facebook has made significant strides in complying with Canadian privacy law.

"Facebook has put in place measures to limit the sharing of personal information with third-party application developers and is now providing users with clear information about its policy practices," she said in a statement.

That said, the commissioner also announced a new probe on Facebook's popular "Like" button, which allows users to "vote" on products and services, media stories and other content.

In fact, those preferences are being widely shared on the Internet with interested parties to attract more web traffic. Other investigations are also underway.

Still, Stoddart pushed her own "Like" button, allowing that "we're also pleased that Facebook has developed simplified privacy settings and has implemented a tool that allows users to apply a privacy setting to each photo or comment they post."

No doubt, she will continue to be assiduous at the task of keeping global tech firms sensitive to the needs of legitimate privacy protection without smothering creators with undue bureaucratic strictures.

US Senate considers update to Electronic Communications Privacy Act

This past week, the United States Senate Judiciary Committee held hearings on the possible update of the American Electronic Communications Privacy Act. The statute, passed in the 1980s, is in urgent need of an overhaul in an age of cloud computing. The law has its origin in (in my view, perverse) caselaw that says you have no expectation of privacy from the government once you've handed your information over to a third party. The law provides different standards (subpoena vs search warrant) based on the age of the message and whether it has been previously read by the intended recipient. In an age of cloud computing and the widespread use of text messaging, one high standard is required.

From the industry side, the effort for reform is led by the Digital Due Process Coalition, made up of industry leaders such as Google and Microsoft. For a great overview of the issue and the hearings, see here: Senate considers update to Electronic Communications Privacy Act | Gov 2.0. The Google Public Policy blog has information on Google's position, including the written statement by Richard Salgado, their senior lawyer responsible for this area: Digital Due Process: The Time is Now.

The Judiciary Committee page has a webcast link if you want to see the hearing.