Wednesday, March 30, 2011

Are there keyloggers on Samsung laptops?

As someone who owns a Samsung smartphone and bought a Samsung netbook around Christmas, I'd like to know the answer to this question: Why are there keyloggers on Samsung laptops? | InSecurity Complex - CNET News.

Update: It appears that it was a false alarm. Here's the latest from Network World:

UPDATE: Samsung keylogger could be false alarm

[UPDATE: Samsung has launched an investigation into the matter and is working with Mich Kabay and Mohamed Hassan in the investigation. Samsung engineers are collaborating with the computer security expert, Mohamed Hassan, MSIA, CISSP, CISA, with faculty at the Norwich University Center for Advanced Computing and Digital Forensics, and with the antivirus vendor whose product identified a possible keylogger (or which may have issued a false positive). The company and the University will post news as fast as possible on Network World. A Samsung executive is personally delivering a randomly selected laptop purchased at a retail store to the Norwich scientists. Prof. Kabay praises Samsung for its immediate, positive and collaborative response to this situation.]

[UPDATE 3/31/11: Samsung has issued a statement saying that the finding is false. The statement says the software used to detect the keylogger, VIPRE, can be fooled by Microsoft's Live Application multi-language support folder. This has been confirmed at F-Secure and two other publications, here and here. The headline on this article has been changed to reflect this new information.]

[UPDATE 3/31/11: GFI Labs, the maker of VIPRE, has issued an explanation and apology for generating the false positives that led to these articles: "We apologize to the author Mohamed Hassan, to Samsung, as well as any users who may have been affected by this false positive."]

Tuesday, March 29, 2011

The social network for lawyers

This week's Lawyer's Weekly has an article on blogging for lawyers. I couldn't agree more with it about being part of an online community and an interesting conversation.

Here's an excerpt:

The social network

...But attracting attention doesn’t mean posting an ad online. Some lawyers are gaining reputations and followings on the web by blogging or tweeting about different subjects or practice areas for which they have some expertise and familiarity, according to University of Ottawa technology law professor Michael Geist, whose website (MichaelGeist.ca), which attracts more than 10,000 daily hits, is a go-to online destination for the latest buzz on technology issues.

An avid blogger and keen Twitter user, Geist has spotted some rising stars in the digital universe.

One of them is Bram Abramson, an associate in the business law group at McCarthy Tétrault LLP in Toronto, who was only called to the Ontario Bar in 2008 and has already made a name for himself on the web.

“There are a number of people — myself included — who note his presence on Twitter,” says Geist, who holds the Canada Research Chair in Internet and E-commerce Law at the U of O.

“He’s very knowledgeable on things related to the CRTC and telecommunications.”

Abramson says that it’s important for him to connect with clients and colleagues, and social media tools, such as Twitter, are important methods of having a “conversation” with them.

“If you view social media as purely an avenue of self-marketing, it won’t work.

“However, people will appreciate honest participation and efforts online to provide useful information.”

Another lawyer whose Internet presence has earned him respect from his peers is David Fraser, a partner with Halifax-based law firm, McInnes Cooper, who has harnessed his expertise in privacy law into a wildly popular website and blog (PrivacyLawyer.ca).

“How does a privacy lawyer from Halifax become one of the best-known privacy lawyers in this country? He does it through his blog,” says Geist.

“I don’t think there’s any doubt his social media work has had a big impact on his reputation across the country.”

Fraser has set the “gold standard” for blogging, according to Jacob Glick, Canada policy counsel for Google Inc. in Ottawa.

“I created the blog on Jan. 1, 2004, when the federal Personal Information Protection and Electronic Documents Act [PIPEDA] came fully into effect, to join in the online conversation about technology and law,” explains Fraser, adding that he sees his blogging as an extension of the writing lawyers have always done since the beginnings of the profession.

“Blogging provided me, as a junior lawyer when I began, the opportunity to reach a global audience and eventually build an international practice from my office in Halifax.”

Glick says that lawyers are using electronic tools like Facebook, Twitter and Google AdWords “to promote themselves, to find people, and connect with colleagues and clients.”

He also believes that lawyers engaged in blogging and tweeting are the e-equivalent to writing a law journal article but reach “an audience of more than half a dozen.”

“Some lawyers who blog develop a strong brand associated with a particular point of view on an issue,” says Glick.

“That may scare away some clients, but may well endear them to other clients.”....

Monday, March 28, 2011

Tracing users via IP addresses

PC Pro from the UK has an interesting article on the reality of tracing individual users using IP addresses. Check it out: Can you really be traced from your IP address? | Analysis | Features | PC Pro.

Wednesday, March 23, 2011

Court says there's no tort of invasion of privacy in Ontario

The Ontario Superior Court of Justice just released a decision today in Jones v. Tsige, 2011 ONSC 1475 (PDF), which states, clearly and without ambiguity, that there is no free-standing tort of invasion of privacy in Ontario.

The facts involve a claim against an employee of a bank who reviewed the plaintiff's confidential banking records on at least 174 occasions. Whitaker J. canvassed a number of authorities, including the well-known case of Somwar v. McDonald's, but concluded that there is no such tort. The Court notes that the plaintiff had a remedy under PIPEDA:

In Ontario, it cannot be said that there is a legal vacuum that permits wrongs to go unrighted - requiring judicial intervention.

[54] More particularly here, there is no doubt that PIPEDA applies to the banking sector and Ms. Jones had the right to initiate a complaint to the Commissioner under that statute with eventual recourse to the Federal Court. For this reason I do not accept the suggestion that Ms. Jones would be without any remedy for a wrong, if I were to determine that there is no tort for the invasion of privacy.

[55] Notwithstanding the careful reasoning in Somwar and its adoption in Nitsopoulos, I conclude that the decision of the Court of Appeal in Euteneier is binding and dispositive of the question as to whether the tort of invasion of privacy exists at common law.

[56] I would also note that this is not an area of law that requires judge-made rights and obligations. Statutory schemes that govern privacy issues are, for the most part, carefully nuanced and designed to balance practical concerns and needs in an industry-specific fashion.

[57] I conclude that there is no tort of invasion of privacy in Ontario.

It will be interesting to see if this conclusion may be avoided if there is no remedy available under PIPEDA or any other statute. It'll also be interesting to see if it's appealed.

Major tip o' the hat to Dan Michaluk: No Invasion of Privacy Tort in Ontario « All About Information.

Privacy-related bills to die on the order paper if Canadian election called

With talk of an election heating up in Canada, I thought I'd provide a list of the government bills that will likely die on the order paper if the government is brought down or if the PM wanders over to speak with the Governor General about dissolving parliament:


  • C-29: An Act to amend the Personal Information Protection and Electronic Documents Act (Safeguarding Canadians’ Personal Information Act). First Reading in the House of Commons (May 25, 2010)
  • C-50: An Act to amend the Criminal Code (interception of private communications and related warrants and orders) (Improving Access to Investigative Tools for Serious Crimes Act). First Reading in the House of Commons (October 29, 2010)
  • C-51: An Act to amend the Criminal Code, the Competition Act and the Mutual Legal Assistance in Criminal Matters Act (Investigative Powers for the 21st Century Act). First Reading in the House of Commons (November 1st, 2010)
  • C-52: An Act regulating telecommunications facilities to support investigations (Investigating and Preventing Criminal Electronic Communications Act). First Reading in the House of Commons (November 1st, 2010)

Bills C-50, C-51 and C-52 need some major work so I'm fine to see them go back into parliamentary purgatory, but the PIPEDA amendments (C-29) were pretty good and I'd hate to think we're back to the drawing board.

Ontario Appeal court on employee expectation of privacy on a work-provided laptop

Dan Michaluk, over at slaw.ca, writes about an interesting (and now leading) case from the Ontario Court of Appeal on an employee's expectation of privacy on a work-provided laptop computer. Here's a portion of the post, which can be found here: Ontario Work Computer Search Case – Privacy Concerns Real but Employers Still may Govern — Slaw.

Justice Karakatsanis wrote for the Court of Appeal. She assumed that the Charter applied to the board and found the teacher had a reasonable expectation of privacy in the contents of his laptop based on the following factors:
  • he had exclusive possession of the laptop;
  • he had permission to use it for personal use;
  • he had permission to take it home on evenings, weekends and summer vacation;
  • there was no evidence the board actively monitored teachers’ use of laptops;
  • the board had no clear and unambiguous policy to monitor, search or police the teacher’s use of his laptop.

The case is here: R. v. Cole, 2011 ONCA 218.

Wednesday, March 16, 2011

Is the US closer than ever to a general privacy law?

Just more than thirty years after the adoption of the OECD's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, the United States seems closer than ever to adopting a general privacy law. Today, before the US Senate Committee on Commerce, Science, and Transportation, Lawrence E. Strickling (Assistant Secretary for Communications and Information, National Telecommunications and Information Administration of the U.S. Department of Commerce) called on Congress to adopt a privacy law that amounts to a "Consumer Privacy Bill of Rights."

From Strickling's testimony:

National Telecommunications and Information Administration

A. Enacting a Consumer Privacy Bill of Rights.

The Administration urges Congress to enact a "consumer privacy bill of rights" to provide baseline consumer data privacy protections. Legislation should consider statutory baseline protections for consumer data privacy that are enforceable at law and are based on a comprehensive set of FIPPs. Comprehensive FIPPs, a collection of agreed-upon principles for the handling of consumer information, would provide clear privacy protections for personal data in commercial contexts that are not covered by existing Federal privacy laws or otherwise require additional protection. To borrow from one of the responses we received, baseline FIPPs are something that consumers want, companies need, and the economy will appreciate.

The Administration recommends that the baseline should be broad and flexible enough to allow consumer privacy protection and business practices to adapt as new technologies and services emerge. As noted by two privacy scholars, "[b]roadly worded legislation . . . motivates firms to produce an industry code of conduct as a way to construe and clarify the statutory scheme. Thus, baseline privacy legislation and incentives for industry to develop codes of conduct can go hand-in-hand."

Finally, a baseline law holds the promise of making our consumer data privacy framework more interoperable with international frameworks. Again, leading Internet innovators support baseline legislation as a means of achieving this objective. For example, a leading online company noted that "FIPPs is a common language used by many governments worldwide, so use of similar terminology will enhance opportunities for agreement and practical approaches to data policy." A Web standards organization stated that "[e]stablishing baseline commercial data privacy principles contribute[s] to the further harmonization of the global ecommerce market at least for the countries attached to the OECD, and improve[s] the transatlantic relations on online services of all sorts." Other comments, which represent a wide variety of American companies, consumer advocates, and academic scholars, also supported this position, often noting that improving global interoperability could benefit companies by reducing their compliance burdens overseas.

The Green Paper suggested that comprehensive FIPPs can serve as a basis for stronger consumer trust while also providing the flexibility necessary to define more detailed rules that are appropriate for the relationships and personal data exchanges that arise in a specific commercial context. The FIPPs that the Green Paper presented for discussion were transparency, individual participation, purpose specification, data minimization, use limitation, data quality and integrity, security, and accountability and auditing. We received many thoughtful comments on how each of these principles might apply to the commercial context, and we are continuing to assess whether these principles provide the right framework for online consumer data privacy. The Administration looks forward to working further with Congress and stakeholders to define these baseline protections.

Tuesday, March 15, 2011

Missing Alberta health care provider hard drive had thousands of patient images

An unencrypted hard-drive has gone missing at Covenant Health in Alberta, leading to an investigation by the province's Information and Privacy Commissioner. The drive, it appears, contained exclusively images, but many of them would be considered to be highly sensitive including video of surgeries. The names and hospital numbers of the 3,600 relevant patients are also apparent from the directory and file naming systems. The drive apparently went missing when an employee was moving offices. Because it was not a "portable" drive, the data was not encrypted.

See: Missing hard drive had thousands of patient images - Calgary - CBC News.

Monday, March 14, 2011

4Chan founder on privacy online

The founder of the (in)famous 4Chan website, Christopher Poole, has garnered a bit of press recently (including a profile in this month's Vanity Fair), but has also generated a bit of buzz due to his recent presentation given at South By Southwest Interactive about online privacy.

His views are often contrasted to those of Facebook's Mark Zuckerberg.

Hopefully this will prompt more discussion on this important topic.

4chan founder: Zuckerberg is “totally wrong” about online identity | VentureBeat

...Poole argued that anonymity allows users to reveal themselves in a “completely unvarnished, unfiltered, raw way.” One of the things that’s lost when you carry the same identity everywhere is “the innocence of youth.” (“Innocence” isn’t the first word that would come to mind when I think of 4chan, but okay, I’ll go with him here.) In other words, when everyone knows everything you’ve done online, you’re a lot more worried about screwing up, and you’re less willing to experiment. Poole compared this to being a kid, moving to a new neighborhood, and having the opportunity to start over. On the Internet, you don’t get that opportunity.

“The cost of failure is really high when you’re contributing as yourself,” Poole said.

In the case of 4chan, users feel a lot more comfortable trying to create funny images that can become memes, because content that doesn’t catch on disappears quickly, and they’re not weighed down by their failures. Poole said another benefit to 4chan’s anonymity is that content becomes more important than the creator, which is unlike virtually any other online community. Rather than prioritizing the most valued and experienced users, 4chan allows anyone to access the site and post something that might take off....

IP, privacy and defamation issues for magazine publishers

This afternoon, my partner Rob Cowan (@cowanlaw) and I jointly presented at Magazines East 2011 on legal issues of relevance to magazine publishers, writers, editors and freelancers. We focused on IP law, privacy and defamation.

Here's the presentation, in case it's of interest:

If the presentation isn't embedded above for you, you can find it here: https://docs.google.com/present/view?id=ddpx56cg_434ffcgtqcx&interval=30.

Most data breaches caused by negligence: Ponemon

The Ponemon Institute has just released its 2010 report on the cost of data breaches (PDF) for organizations, which concludes that the leading cause of breaches is negligence and the average cost of such breaches is $7.2 million.

See:

Ponemon Cost of a Data Breach

The Ponemon Institute proudly presents the 2010 U.S. Cost of a Data Breach, the sixth annual study concerning the cost of data breach incidents for U.S.-based companies sponsored by Symantec Corporation. The average organizational cost of a data breach increased to $7.2 million and cost companies an average of $214 per compromised record, markedly higher when compared to $204 in 2009. The study also found that for the second straight year organizations’ need to respond rapidly to data breaches drove the associated costs higher. The sixth annual Ponemon Cost of a Data Breach report is based on the actual data breach experiences of 51 U.S. companies from 15 different industry sectors.

Wednesday, March 09, 2011

New European rules on cookies coming in May

The European Union is about to impose a directive effective May 25, 2011 requiring explicit consent for the use of most forms of internet cookies, particularly those that are associated with the delivery of advertising.

This tight deadline is being put in place, even though regulators have no idea how to technically make it work.

For two different perspectives, read the BBC's coverage: BBC News - New net rules set to make cookies crumble and GigaOm's report: Why the Cookie Monster Won’t Kill European Startups.

Monday, March 07, 2011

From Blackberry to Android

Just posted on slaw.ca:

A few months ago, I left my Blackberry in favour of an Android device and I thought I'd share my experience for any lawyers out there who have been drooling over the many devices that have been hitting the market in the past while and may be wondering about making the switch.

I've had my Samsung Galaxy S Vibrant on the Bell Canada network for a few months now and I have to say that I adore it. It's my first Android device and I switched from a Blackberry Bold that was on the Rogers network.

I'm the only person at my firm, other than some IT guys who pilot different devices from time to time, who is not using a Blackberry. One of the conditions of getting it was that I would be "self supporting," which is not a big problem for a geek like me. But the degree of self-support hasn't been that high, though it's difficult to say where the supporting ends and the tinkering/tweaking starts.

In order to get the OK to hook the device up to the firm's network, the device had to use a password/PIN to login, had to securely link to our infrastructure via SSL (at least) and I had to be able to be remotely wiped if I lost it. Check, check and check.

For me, the most important consideration was that it had to work with my firm's existing Microsoft Exchange-based e-mail infrastructure. I didn't want to have to use a Blackberry for e-mail/calendar and my Android for everything else. That was a bit of a challenge, but easily overcome.

I installed Android 2.2 Froyo, which has better Exchange support. It wasn't perfect, though. The device came with two different e-mail applications, the stock one and one that's part of Samsung's Social Hub. The stock one wasn't updating my contacts from the Exchange Server and the Social Hub one wasn't updating my calendar. So I had to have them both running to make sure all my bases were covered. And though they purported to have push functionality, mail was delayed a bit. Not by much, but I wanted instant.

So I did some looking around and found Nitrodesk's Touchdown. I installed the 30-day trial two weeks ago and within a week forked out the US$20 to get the license (the only difference between the 30-day trial and the licensed version is you can't change your signature in the trial version). The Exchange integration with Touchdown is head and shoulders above the programs that came with the device. Now, my mail is instant, my contacts are always synched and changes to my calendar are updated almost instantly.

I've also downloaded a program called Office Talk, which gives me access to my firm's Microsoft OCS instant messaging platform and presence notifications. (None of my Blackberry-toting colleagues have access to the firm's IM away from their desks.)

One of the cool features that comes stock on the Galaxy S Vibrant is the Swype keyboard. Since there's no built-in keyboard, users can choose from dozens out there. The Swype keyboard allows you to just drag your finger from letter to letter on the keyboard image, and it knows what you're typing. You don't even need to be very accurate, since it knows when you drag your finger near the "D" to the "A", then close to "V" and back around near the "E", you're probably typing "Dave." Much easier, at least to me, than trying to poke at small keys. Another keyboard layout that's included allows for voice input that is shockingly accurate.

Once I got my messaging/calendar/contacts arrangement perfectly sorted out, my Android phone is head and shoulders above my old Blackberry. Comparing the screens and the web-browsers is not a fair fight. I can watch a full movie on it without eye strain. The web-browser is a real browser that runs flash. I can stream content without a hiccup. The Google Maps app is awesome and I use the turn-by-turn navigation regularly. (No need for an in-car GPS, particularly since the navigation app now caches mapping info so it works without a wireless signal.)

Some of my clients use Skype to connect far-flung employees, and it works great on the device (no video support yet, but it's coming). There are other really useful apps in the Android market, like Tasker which allows you to customize all of the phone's settings. I've used it to automatically set it to silent mode when the phone is face-down in meetings. Similarly, it detects when it's in my car-dock and changes to "car mode", which can read incoming e-mails and redirects all calls to the speaker phone. It can even be programmed to change settings when you're in a particular place, like shutting off e-mail downloading when you're at home.

Another great feature for mobile lawyers is that you can turn the device into a mobile WiFi hot-spot. I've found myself in meetings where I needed a document from our document management system, but had no WiFi. Within seconds, I can turn my phone into a WiFi router so I can connect my laptop to my office network and get the document. Piece o' cake.

My kids, of course, love the games. I never had my kids ask if they could use my Blackberry, but they're constantly asking to use my phone to play Angry Birds, Doodle Jump, Fruit Ninja and Raging Thunder 2. (While I'm writing this, my eight-year-old just walked up and asked "Can I play on your phone?")

So, overall, I'd say that RIM no longer has a stranglehold on the enterprise. I could go back to a Blackberry, but I sure don't want to. The only downside is that there's so much innovation and iteration going on that I'm envious of the newer Nexus S. And the just-announced Galaxy S II. And the Xoom tablet with Honeycomb.

Sunday, March 06, 2011

DHS reportedly seeking covert naked scanners

Computerworld is reporting that the Electronic Privacy Information Center has obtained documents under the Freedom of Information Act that suggest the Department of Homeland Security is on the hunt for portable body scanners. This is not surprising, but what is most chilling is the suggestion that they're seeking devices that can be deployed to covertly see through clothing of unsuspecting people.

See:

DHS seeks systems for covert body scans, documents show - Computerworld

Computerworld - Documents obtained Tuesday by the Electronic Privacy Information Center suggest that the U.S. Department of Homeland Security has signed contracts for the development of mobile and static systems that can be used to scan pedestrians and people at rail and bus stations and special event venues -- apparently at times without their knowledge.

The documents indicate that DHS moved to develop the technology as part of an effort to bolster the ability of law enforcement personnel to quickly detect concealed bombs and other explosives on individuals.

EPIC obtained the documents from the DHS under a Freedom of Information Act request for data on mobile and static scanning systems it filed last year....

Time to check your permissions

Yesterday, a posting by Twitter user @warrenehart prompted me to go into my Twitter settings to double-check my sharing settings. Here's what reminded me:

http://twitter.com/#!/WarrenEHart/status/44166823645687808

With all the recent scams & malware, worth checking Ur Twitter 3rd Party access: http://twitter.com/account/connections

I did just that and revoked permissions for a number of apps I no longer use. It also prompted me to check out Facebook, Flickr and Google.

Thanks @warrenehart and please, for both of us, take a few minutes to check your settings:

Take control over your accounts.

Saturday, March 05, 2011

BC NDP demanding social media login credentials

In the last week, there have been reports that the British Columbia New Democratic Party has been demanding the social media login credentials from candidates for the leadership of the party (see: B.C. NDP candidate in social-media standoff with party bosses - The Globe and Mail). All of the candidates have provided this info, except for one who -- quite rightly -- challenges this as an invasion of privacy.

We've heard in the past about employers asking for this sort of information and then backing off when facing a fire-storm of criticism. I can appreciate that the party is hoping to avoid any surprises, but this, in my view, seriously crosses the line. People use their Facebook accounts not only as a trove of embarrassing photos and journals of indiscretions, but also as a primary means of communicating with friends and family. I have close friends who I exclusively communicate with via Facebook. Would it be reasonable for an employer or a political party to ask for my GMail login? Phone records? All my photo albums? My journals? Crappy poetry written in high school (for the record: that was hypothetical; I wrote no poetry in high school)? The notes my mother left me in my lunchbox?

Come on, people. Just because it's easy and just because some people relent and hand it over, does not make it reasonable. It is not reasonable to ask and it is not reasonable to provide it.

It should also be noted that handing over your Facebook login credentials is a violation of the site's terms of use, which could not be more clear:

4.8 You will not share your password, (or in the case of developers, your secret key), let anyone else access your account, or do anything else that might jeopardize the security of your account.

The Information and Privacy Commissioner of BC is on the case and it will be interesting to see what she concludes.

My personal conclusion: any political party that demands this sort of information doesn't care at all about privacy and doesn't deserve to govern. Any candidate who acquiesces to this doesn't deserve to be elected.

Nova Scotia Court of Appeal favours open courts over youth privacy in Facebook defamation case

Yesterday, the Nova Scotia Court of Appeal issued a decision (AB v Bragg Communications Inc, 2011 NSCA 26) denying a child-plaintiff's application to proceed in a defamation action under a pseudonym and to impose a publication ban on the defamatory materials. The case involves a fake Facebook profile created by an unknown person and the dissemination of defamatory messages via that profile. The plaintiff sought the court's assistance in tracking down the intended defendant based on the IP address. At the original hearing, the judge denied the application to proceed under a pseudonym, which was upheld by the Court of Appeal. In short, the open courts principle trumps her concerns.

Since I was one of the lawyers working for the young girl who sought the application, you should read Dan Michaluk's summary for an unbiased view: Nova Scotia CA Favours Open Courts Over Youth Privacy in Facebook Defamation Case « All About Information.

Wednesday, March 02, 2011

Is university faculty e-mail subject to access and privacy laws?

Dan Michaluk has just blogged about an interesting case out of Alberta (University of Alberta v. Alberta (Information and Privacy Commissioner), 2011 ABQB 100) that may have a significant impact on freedom of information law, particularly in universities. It will also have an impact on cloud computing decisions by universities. The Canadian Association of University Teachers takes the position that faculty e-mail is not under the "custody and control" of the educational institution. If this is found to be the case, faculty e-mail is not within the ambit of access to information laws at all and the privacy protection provisions of those laws. And, if that's the case, such e-mails are not covered by laws that are meant to regulate the export of personal information (out of fear of the USA Patriot Act). Stay tuned ....

See Dan's post: Alberta Court set to Hear Faculty E-mail Case « All About Information

Tuesday, March 01, 2011

US Supreme Court: Corporations do not have personal privacy rights under US Freedom of Information law

The United States Supreme Court has just ruled today that the personal privacy exemptions in the US Freedom of Information Act do not protect information about corporations. In short, corporations do not have a personal privacy right.

This is consistent with the Canadian approach.

FCC v. AT&T Inc. :: Volume 562 :: Docket Number 09-1279 :: 2011 :: Syllabus :: US Supreme Court Cases from Justia & Oyez

SYLLABUS

OCTOBER TERM, 2010

FCC V. AT&T INC.

SUPREME COURT OF THE UNITED STATES

FEDERAL COMMUNICATIONS COMMISSION et al. v. AT&T INC. et al.

Certiorari to the United States Court of Appeals for the Third Circuit

No. 09–1279.

Argued January 19, 2011—Decided March 1, 2011

The Freedom of Information Act requires federal agencies to make records and documents publicly available upon request, subject to several statutory exemptions. One of those exemptions, Exemption 7(C), covers law enforcement records the disclosure of which “could reasonably be expected to constitute an unwarranted invasion of personal privacy.” 5 U. S. C. §552(b)(7)(C). CompTel, a trade association, submitted a FOIA request for documents AT&T had provided to the Federal Communications Commission Enforcement Bureau during an investigation of that company. The Bureau found that Exemption 7(C) applied to individuals identified in AT&T’s submissions but not to the company itself, concluding that corporations do not have “personal privacy” interests as required by the exemption. The FCC agreed with the Bureau, but the Court of Appeals for the Third Circuit did not. It held that Exemption 7(C) extends to the “personal privacy” of corporations, reasoning that “personal” is the adjective form of the term “person,” which Congress has defined, as applicable here, to include corporations, §551(2).

Held: Corporations do not have “personal privacy” for the purposes of Exemption 7(C). Pp. 3–12.

(a) AT&T argues that the word “personal” in Exemption 7(C) incorporates the statutory definition of “person,” which includes corporations, §551(2). But adjectives do not always reflect the meaning of corresponding nouns. “Person” is a defined term in the statute; “personal” is not. When a statute does not define a term, the Court typically “give[s] the phrase its ordinary meaning.” Johnson v. United States, 559 U. S. ___, ___. “Personal” ordinarily refers to individuals. People do not generally use terms such as personal characteristics or personal correspondence to describe the characteristics or correspondence of corporations. In fact, “personal” is often used to mean precisely the opposite of business-related: We speak of personal expenses and business expenses, personal life and work life, personal opinion and a company’s view. Dictionary definitions also suggest that “personal” does not ordinarily relate to artificial “persons” like corporations.

AT&T contends that its reading of “personal” is supported by the common legal usage of the word “person.” Yet while “person,” in a legal setting, often refers to artificial entities, AT&T’s effort to ascribe a corresponding legal meaning to “personal” again elides the difference between “person” and “personal.” AT&T provides scant support for the proposition that “personal” denotes corporations, even in a legal context.

Regardless of whether “personal” can carry a legal meaning apart from its ordinary one, statutory language should be construed “in light of the terms surrounding it.” Leocal v. Ashcroft, 543 U. S. 1, 9. Exemption 7(C) refers not just to the word “personal,” but to the term “personal privacy.” “Personal” in that phrase conveys more than just “of a person”; it suggests a type of privacy evocative of human concerns—not the sort usually associated with an entity like AT&T. AT&T does not cite any other instance in which a court has expressly referred to a corporation’s “personal privacy.” Nor does it identify any other statute that does so. While AT&T argues that this Court has recognized “privacy” interests of corporations in the Fourth Amendment and double jeopardy contexts, this case does not call for the Court to pass on the scope of a corporation’s “privacy” interests as a matter of constitutional or common law. AT&T contends that the FCC has not demonstrated that the phrase “personal privacy” necessarily excludes corporations’ privacy. But construing statutory language is not merely an exercise in ascertaining “the outer limits of [a word’s] definitional possibilities,” Dolan v. Postal Service, 546 U. S. 481, 486, and AT&T has provided no sound reason in the statutory text or context to disregard the ordinary meaning of the phrase. Pp. 3–9.

(b) The meaning of “personal privacy” in Exemption 7(C) is further clarified by two pre-existing FOIA exemptions. Exemption 6, which Congress enacted eight years before Exemption 7(C), covers “personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy.” §552(b)(6). This Court has regularly referred to Exemption 6 as involving an “individual’s right of privacy,” Department of State v. Ray, 502 U. S. 164, 175, and Congress used in Exemption 7(C) the same phrase—“personal privacy”—used in Exemption 6. In contrast, FOIA Exemption 4, which protects “trade secrets and commercial or financial information obtained from a person and privileged or confidential,” §552(b)(4), clearly applies to corporations. Congress did not use any language similar to that in Exemption 4 in Exemption 7(C). Pp. 9–11.

582 F. 3d 490, reversed.

Roberts, C. J., delivered the opinion of the Court, in which all other Members joined, except Kagan, J., who took no part in the consideration or decision of the case.