Monday, April 30, 2012

Alberta Commissioner faults Calgary police employee for logging into colleague's personal e-mail account

The Office of the Information and Privacy Commissioner of Alberta has found that a civilian employee violated the province's public sector privacy law by logging into a police service employee's personal e-mail account.

Here's a summary of ORDER F2012-07 [PDF], made against the Calgary Police Service:

Summary: The Complainant was a civilian employee with the Calgary Police Service (“Public Body”). In March 2010, the Public Body’s HR consultant was informed by the Complainant’s manager that several of the Complainant’s coworkers had made allegations about the Complainant’s behavior at work, including allegations of inappropriate sexual conduct.

The Public Body began to monitor the Complainant’s computer activities, as well as reviewing her past work email activity. While reviewing her work email, the IT Security Manager (“IT Manager”) found a personal email that the Complainant had sent to a family member, which included the login ID and password information for the Complainant’s personal web-based email account. The IT Manager used this information to access the Complainant’s personal email account and found photographs of a sexual nature, which appeared to have been taken on the Public Body’s premises. The IT Manager copied these photographs, and provided them to the Complainant’s manager and the HR consultant. These photographs were used in the Public Body’s decision to terminate the Complainant’s employment, and were also used by the Public Body during the subsequent grievance process.

The Complainant made a complaint to this office, stating that the Public Body collected, used, and disclosed her personal information in contravention of Part 2 of the Freedom of Information and Protection of Privacy Act (“FOIP Act”). Specifically, the Complainant objected to the Public Body accessing her personal email account, and the subsequent collection, use, and disclosure of photographs found by the Public Body in that email account.

The Public Body argued that the collection of the Complainant’s personal information occurred during the course of investigating the allegations of workplace misconduct against the Complainant, and that the subsequent use and disclosure of the photographs found in the Complainant’s personal email account were for the same purpose as they were collected.

The Adjudicator found that the Public Body collected the Complainant’s login ID and password to her personal email account in the course of reviewing the Complainant’s work email, to which the Complainant did not object. However, the Adjudicator found that the use of the Complainant’s personal email login ID to access the Complainant’s personal email was not for the purpose of employee management, since the IT Manager had not been requested to monitor the Complainant’s personal email, rather only her work email. There was also no evidence of wrongdoing that would justify accessing a personal email account. The Adjudicator also noted that even were the use of the Complainant’s personal information for the purpose of the workplace investigation, a Public Body may only use personal information to the extent necessary to carry out its purposes in a reasonable manner; logging in to the Complainant’s personal web-based email account was exceptionally invasive, and patently unreasonable in the circumstances.

The Adjudicator found that the collection of the photographs from the Complainant’s personal email account could not be considered separately from the fact that they were collected from the Complainant’s personal email account. Because the photographs, even if relevant to the workplace investigation, were found as a result of an unauthorized use of personal information, their collection and subsequent use could not be justified as “necessary” for the purpose of the Public Body’s investigation.

The Adjudicator determined that the Complainant’s personal information was not disclosed to, but rather used by, various employees of the Public Body. The Adjudicator had already determined that the use was not authorized under the Act, but found that even if the personal information had been disclosed to the employees, the disclosure would not have been authorized, for similar reasons.

Friday, April 27, 2012

CSIS oversight and accountability to be slashed to save $1M

One of the arguments made in favour of Bill C-30 by the government when it was introduced was that it had accountability: Internal audits and a veneer of oversight by the Office of the Privacy Commissioner of Canada. Accountability is key.

Now, it is being reported that the federal government is eliminating the position of Inspector General of the Canadian Security Intelligence Service. (See: CSIS watchdog to be cut in budget - Politics - CBC News). It's hard to believe that the government is committed to oversight and accountability in the use of incredibly intrusive powers when steps such as these are taken.

What's worse is that it is being done for fiscal reasons and will only save $1,000,000. If you ask me, that's a million dollars well spent.

Sunday, April 08, 2012

RIM reportedly gives Indian government access to full range of BlackBerry messages

The Toronto Star is reporting that RIM has agreed to provide the Indian Government with access to the full range of BlackBerry communications (RIM gives India access to BlackBerry messages - thestar.com). The article this is based on (http://indiatoday.intoday.in/story/govt-to-tap-blackberry-messenger-security-privacy/1/183403.html) suggests that the Indian Government has been given some sort of backdoor into BlackBerry Enterprise Servers, which is something that RIM has staunchly refused to do until now.


If this is true, the era in which BlackBerry was the ultra-secure communications platform is over.


This also shows that what was once BlackBerry's main strength is also its greatest weakness. BlackBerry is a system and RIM controls everything, from the device to the servers. If they compromise one aspect of it, the whole system is compromised. On my Android phone, on the other hand, I can configure just about anything, including what VPN to use and what communications apps to run.

Tuesday, April 03, 2012

House committee looking to require telcos and device manufacturers to decrypt communications

Bill C-30, with warrantless access to subscriber data and real-time internet monitoring, is the tip of the iceberg if the recommendations of the House Committee on Justice and Human Rights are followed. In a report just issued, The State of Organized Crime [PDF], the committee recommends changes to the law to require telcos to provide access to unencrypted communications:

RECOMMENDATION

The Committee recommends that the Government of Canada pursue legislation requiring telecommunications service providers and telecommunications device manufacturers to build the ability to intercept telecommunications into their equipment and networks.

RECOMMENDATION

The Committee recommends that the Government of Canada introduce legislation requiring telecommunications service providers and telecommunications device manufacturers to decrypt legally intercepted communications or to provide assistance to law enforcement agencies in this regard.

From the Montreal Gazette:

Proposal would force telecoms to decrypt messages

Telecommunications companies would be forced to decrypt messages for law-enforcement agencies if the federal government legislates recommendations outlined in a report by a House standing committee.

"Law-enforcement agencies are way behind, or have been way behind, in the ability to deal with the new modes of communications," said Conservative MP Dave MacKenzie, chair of the House standing committee on justice and human rights.

The report, the State of Organized Crime, states that although telecommunications can be intercepted, the service providers don't always release standardized information to law-enforcement agencies.

The committee argues that federal legislation could address this lack of standards by furthering ideas found in Bill C-30, the online surveillance bill.

"When you're dealing with organized crime, they're very well-funded and well-organized .... They move communications abilities around in different ways: passing cellphones around is just the very beginning," said MacKenzie.

NDP MP Jack Harris added: "There has to be some sort of modernization of the law with respect to surveillance. We've got laws with respect to telephone surveillance and some of those laws should apply to use of other electronic devices, whether they be cellphones, emails and things like that."

The committee wants federal legislation requiring both telecommunications service providers and their manufacturers "to decrypt legally intercepted communications or to provide assistance to law enforcement agencies in this regard."

Under the committee's plan, all telecommunications companies would have to have access to decryption techniques or tools - something that wasn't provided for in Bill C-30.

Bill C-30 would require service providers to have the ability to intercept communications on their networks and to provide this information in the form specified by law enforcement.

Typically, law enforcement would want encrypted data decrypted to facilitate use of the information gathered.

Encryption is often used by organizations - both lawful and criminal - to protect the transmission of sensitive and private information.

As it stands, some service providers do not have the tools or techniques to decrypt these communications, exempting them from the requirement to provide decrypted information to police.

Although Harris said he believes that surveillance methods need to be updated, he has doubts about making decryption abilities mandatory.

"It certainly may be impractical and perhaps technologically infeasible," he said.

Telecommunication companies seemed to share that worry.

"Our primary concern in this area has always been the capacity of industry to implement any new requirements and who bears the cost," said Bell Canada spokesperson Jacqueline Michelis.

Should the recommendation become legislated, telecommunications manufacturers also would be affected.


Updated (April 4, 2012) - Apparently the article has been removed from the Gazette, Vancouver Sun and other PostMedia sites ...


Michael Geist adds:

The report includes a dissenting opinion from the NDP on the lawful access recommendations. There does not appear to be a similar dissent from the Liberals, who were represented on the committee by Irwin Cotler. Postmedia covered the release of the report but the article is no longer available on its media sites. The article included specific comments from Bell that suggest its primary concern associated with these demands boils down to questions of who will bear the costs. A company spokesperson stated "our primary concern in this area has always been the capacity of industry to implement any new requirements and who bears the cost." That is a troubling position for many Canadians who rightly expect their telecom companies to also be concerned with the privacy of their customers. After the outcry in February over Bill C-30, many also expected the government to be open to change on lawful access, yet this report suggests that the changes may not be what many were anticipating.