Friday, July 27, 2012

British Columbia first responder protection law clashes with privacy rights, Commissioner says

I rarely disagree with Liz Denham, the very bright Information and Privacy Commissioner of British Columbia, but I do in this case. The BC government has passed a law that allows police officers, firefighters and paramedics to seek a court order to access someone else’s medical records if the first responder has come into contact with bodily fluids. (I'll admit a possible source of bias in this case: I am related to two first responders who live in BC: a police officer and a paramedic.) The Commissioner has stated, in a letter to the minister responsible, that the bill will not be useful, as there are “very few instances where emergency responders contract communicable diseases.” (I have only seen reports about the letter, not the letter itself.)

But even if there are very few instances of first responders contracting communicable diseases, the possible outcome of those few cases can be very harmful to the first responder. And we're talking about those situations where the individual stubbornly (and selfishly, in my view) refuses to disclose whether he or she has put a first responder at risk.

Most of the risk of many forms of infection can be proactively mitigated if not eliminated immediately following contact. If there's a flaw with the bill, it's the time that it likely takes to get into court to get the requisite court order. The information disclosure can be very carefully handled to protect the privacy of the individual as much as possible in the circumstances ("nothing to worry about" or "you need prophylaxis for HIV"), but the possible outcome of untreated contact can be disastrous for the cops, paramedics and firefighters who put themselves at risk.

We are often called to balance privacy rights against other societal values. That balancing should be done by a judge within a framework of accountability and transparency. I think the legislation gets the balance right.

For more coverage, see: Victoria News - First responder protection law clashes with privacy rights.

Thursday, July 26, 2012

Skype makes chats and user data more available to police

The Washington Post has entered the discussion on Skype and cooperation with law enforcement with an interesting and more thorough canvass of the debate and the facts. It includes information obtained from unnamed insiders whom the Post says are familiar with the situation.

But it does seem to affirm that Microsoft, consistent with its past track record of cooperation with law enforcement, can and does make customer information and chat records available to law enforcement. (Customer information would require a subpoena, while chat records would require a court order. What their thresholds are for non-US legal process, or whether they will abide by non-American court orders, is unclear.)

With respect to the actual contents of Skype audio or video calls, the article notes:

Surveillance of the audio and video feeds remains impractical — even when courts issue warrants, say industry officials with direct knowledge of the matter.

That could change if the FBI gets its wish to have VoIP services added to the Communications Assistance to Law Enforcement Act. Currently, such services are not required to be wiretap-ready.

Here's the Washington Post article:

Skype makes chats and user data more available to police - The Washington Post

Skype makes chats and user data more available to police

By Craig Timberg and Ellen Nakashima, Published: July 25

Skype, the online phone service long favored by political dissidents, criminals and others eager to communicate beyond the reach of governments, has expanded its cooperation with law enforcement authorities to make online chats and other user information available to police, said industry and government officials familiar with the changes.

Surveillance of the audio and video feeds remains impractical — even when courts issue warrants, say industry officials with direct knowledge of the matter. But that barrier could eventually vanish as Skype becomes one of the world’s most popular forms of telecommunication.

The changes to online chats, which are written messages conveyed almost instantaneously between users, result in part from technical upgrades to Skype that were instituted to address outages and other stability issues since Microsoft bought the company last year. Officials of the United States and other countries have long pushed to expand their access to newer forms of communications to resolve an issue that the FBI calls the “going dark” problem.

Microsoft has approached the issue with “tremendous sensitivity and a canny awareness of what the issues would be,” said an industry official familiar with Microsoft’s plans, who like several people interviewed for this story spoke on the condition of anonymity because they weren’t authorized to discuss the issue publicly. The company has “a long track record of working successfully with law enforcement here and internationally,” he added.

The changes, which give the authorities access to addresses and credit card numbers, have drawn quiet applause in law enforcement circles but hostility from many activists and analysts.

Authorities had for years complained that Skype’s encryption and other features made tracking drug lords, pedophiles and terrorists more difficult. Jihadis recommended the service on online forums. Police listening to traditional wiretaps occasionally would hear wary suspects say to one another, “Hey, let’s talk on Skype.”

Hacker groups and privacy experts have been speculating for months that Skype had changed its architecture to make it easier for governments to monitor, and many blamed Microsoft, which has an elaborate operation for complying with legal government requests in countries around the world.

“The issue is, to what extent are our communications being purpose-built to make surveillance easy?” said Lauren Weinstein, co-founder of People for Internet Responsibility, a digital privacy group. “When you make it easy to do, law enforcement is going to want to use it more and more. If you build it, they will come.’’

Skype was slow to clarify the situation, issuing a statement recently that said, “As was true before the Microsoft acquisition, Skype cooperates with law enforcement agencies as is legally required and technically feasible.”

But changes allowing police surveillance of online chats had been made since late last year, a knowledgeable industry official said Wednesday.

In the United States, such requests require a court order, though in other nations rules vary. Skype has more than 600 million users, with some in nearly every nation in the world. Political dissidents relied on it extensively during the Arab Spring to communicate with journalists, human rights workers and each other, in part because of its reputation for security.

Skype’s resistance to government monitoring, part of the company ethos when European engineers founded it in 2003, resulted from both uncommonly strong encryption and a key technical feature: Skype calls connected computers directly rather than routing data through central servers, as many other Internet-based communication systems do. That makes it more difficult for law enforcement to intercept the call. The authorities long have been able to wiretap Skype calls to traditional phones.

The company created a law-enforcement compliance team not long after eBay bought the company in 2005, putting it squarely under the auspices of U.S. law. The company was later sold to private investors before Microsoft bought it in May 2011 for $8.5 billion.

The new ownership had at least an indirect role in the security changes. Skype has endured periodic outages, including a disastrous one in December 2010. Company officials concluded that a more robust system was needed if the company was going to reach its potential.

Industry officials said the resulting push for the creation of so-called “supernodes,” which routed some data through centralized servers, made greater cooperation with law enforcement authorities possible.

The access to personal information and online chats, which are kept in Skype’s systems for 30 days, remains short of what some law enforcement officials have requested.

The FBI, whose officials have complained to Congress about the “going dark” problem, issued a statement Wednesday night saying it couldn’t comment on a particular company or service but that surveillance of conversations “requires review and approval by a court. It is used only in national security matters and to combat the most serious crimes.”

Hackers in recent years have demonstrated that it was possible to penetrate Skype, but it’s not clear how often this happened. Microsoft won a patent in June 2011 for “legal intercept” of Skype and similar Internet-based voice and video systems. It is also possible, experts say, to monitor Skype chats as well as voice and video by hacking into a user’s computer, doing an end run around encryptions.

“If someone wants to compromise a Skype communication, all they have to do is hack the endpoint — the person’s computer or tablet or mobile phone, which is very easy to do,” said Tom Kellermann, vice president of cybersecurity for Trend Micro, a cloud security company.

Some industry officials, however, say Skype loses some competitive edge in the increasingly crowded world of Internet-based communications systems if users no longer see it as more private than rival services.

“This is just making Skype like every other communication service, no better, no worse,” said one industry official, speaking on the condition of anonymity. “Skype used to be very special because it really was locked up. Now it’s like Superman without his powers.”

Monday, July 23, 2012

InfoWorld critical of Microsoft-Skype snooping accusations, calls for greater transparency

InfoWorld has posted a response to the Salon blog post that I blogged about yesterday (Skype cooperation with law enforcement and privacy policy weasel words), arguing that the post was inflammatory and designed to "push all the paranoia buttons". (See: Microsoft-Skype snooping accusations push all the paranoia buttons | Cringely - InfoWorld.)

The conclusion of the InfoWorld post echoes that of the Slate post and my own post:

What Microsoft should do is issue a transparency report similar to the ones released recently by Google and Twitter, detailing the many requests it receives for user data from various and sundry government authorities. It should also officially publish the guidelines authorities must follow in order to request information, as well as what types of data are available and how long they are retained. That document [PDF] was made available via a leak to Cryptome.org and is now four years old; I'd like a fresh copy, please.

That would be one way to dispel the notion that Microsoft is the evil bogeyman -- at least, more evil than all the other bogeymen. But it won't make for a very sexy headline.

It is about transparency. As I said yesterday, "Transparency/clarity = good. Weasel words = bad".

If Microsoft and Skype aren't clear about their abilities and their practices, people will make assumptions and they'll assume the worst. If calls for transparency are evaded, it's even worse.

Sunday, July 22, 2012

Skype cooperation with law enforcement and privacy policy weasel words

Ryan Gallagher at Slate's Future Tense blog asks whether Skype can intercept VOIP conversations and whether they provide such content to law enforcement. What's more troubling is how evasive Microsoft/Skype appears to be when asked a direct question:

But when I repeatedly questioned the company on Wednesday whether it could currently facilitate wiretap requests, a clear answer was not forthcoming. Citing “company policy,” Skype PR man Chaim Haas wouldn’t confirm or deny, telling me only that the chat service “co-operates with law enforcement agencies as much as is legally and technically possible.”

The post refers to the Skype privacy policy, which appears clear but is really sketchy:

Under Section 3 of the privacy policy, it is stated that Skype or its partners “may provide personal data, communications content and/or traffic data to an appropriate judicial, law enforcement or government authority lawfully requesting such information.” It also notes that instant messages sent over Skype will be stored for a maximum 30 days “unless otherwise permitted or required by law.”

Note the use of "lawfully requesting such information". There's a very real difference between a lawful request and a lawful demand. We have in our Canadian Criminal Code the following section:

Power of peace officer

487.014 (1) For greater certainty, no production order is necessary for a peace officer or public officer enforcing or administering this or any other Act of Parliament to ask a person to voluntarily provide to the officer documents, data or information that the person is not prohibited by law from disclosing.

In Canada, the police are permitted to ask, lawfully, in circumstances where they have no court order or production order, and therefore can't legally compel the information. (As an aside, I have seen on many, many occasions in my practice "request letters" from law enforcement that use this section as their "lawful authority" to demand information from service providers. Most service providers read this as a legally-enforceable demand that can't be declined.)

Skype isn't alone in this: many other privacy policies use this sort of language, which reserves to the operator the discretion of whether they'll require legal process that compels the production of information.

Transparency/clarity = good. Weasel words = bad.

See: Skype won't comment on whether it can now eavesdrop on conversations.

Friday, July 20, 2012

Infographic: What social networks know about you

Mashable has a nice, big infographic about "What Social Networks Know About You". I haven't had a chance to really dig into it, but what's probably most remarkable is that only one (Pandora) shares any of your information with marketers or outside organizations (other than when required by law, presumably).

Many people, when they see an ad on a social network, assume, wrongly, that their info has been shared with the company whose products are being advertised. That's generally not the case at all.

Check it out: See: Here's What Social Networks Know About You.

Thursday, July 19, 2012

Interview - CBC Radio Maritime Noon - Social Media and the Law

I was interviewed on CBC Radio's Maritime Noon about the effects of social media on the courts and the administration of justice. The audio is available below.

CBC.ca | Maritime Noon | Social Media and the Law, Plumbing Questions, Glass Ban

July 19, 2012 - A judge declares a mistrial after finding out about a juror post on Facebook. We discuss the implications with lawyer David Fraser.

Wednesday, July 11, 2012

Briefing memos tried to connect Magnotta case and "lawful access"

The CBC has uncovered a briefing memo, prepared on the day that Luka Magnotta was arrested in Europe, designed to argue that the Magnotta investigation would have benefited from the police powers proposed in the government's lawful access internet surveillance bills.

Quite rightly, Michael Geist dismisses these assertions:

But Geist disputes the proposed internet surveillance legislation would have anything to do with a case like Magnotta's.

"By the time the evidence began to accumulate, he was already in Europe," Geist told CBC News. "The claim that C-30 would have made a difference is simply false — there is no evidence that law enforcement ran into problems tracking down his location to Europe and ultimately making the arrest."

Magnotta fled to Paris, then Berlin, after body parts were mailed to the Conservative and Liberal party offices in Ottawa. The torso, later confirmed to be the body of Jun Lin, was discovered earlier in a trash bin at a Montreal apartment building.

As for the specific four claims made in the documents, Geist says there is "far less than meets the eye." He notes:

  • ISPs already disclose subscriber information 94 per cent of the time without a court order. For the remainder, there is no evidence that obtaining a warrant for this kind of case poses a problem.
  • A preservation order still requires a warrant — it is not immediate as suggested in the Q&A documents.
  • There is no evidence that there are delays in obtaining warrants.

It really seems that those who wrote and promote the Bill don't understand it.

See: Magnotta case and online surveillance bill linked in memos - Politics - CBC News.

Monday, July 09, 2012

Canada’s privacy commissioner calls into question ombudsman model

Luis Millan at Law In Quebec has a very interesting article on the Privacy Commissioner's recent calls for order making powers and the ability to levy fines.

In addition to my comments on how it may be problematic from a procedural fairness point of view, others have some very interesting comments.

The article refers to a recent report that calls for increased powers to encourage compliance by small and medium sized businesses.

“The ombudsman model is based on finding solutions through consensus, and to fine a business that does not comply with the statute is contrary to the very foundation of the ombudsman model,” noted Houle, an administrative law scholar who, along with Sossin, is part of a team assisting the Privacy Commissioner with the review she is now conducting. “We believe that if Parliament agrees with the Commissioner that order-making power should be conferred to the OPC then the OPC should be transformed into another type of board like a regulatory board such as the Canadian Radio-television and Telecommunications Commission.”

Despite the report's findings, the Commissioner has mainly been talking about it to coerce very large, American internet companies that have very large compliance departments and expend significant resources on privacy.

Check it out: Canada’s privacy commissioner calls into question ombudsman model « Law in Quebec.

Federal Court: No damages for trivial privacy breach

Once again, the Federal Court has shown that nominal or no damages will be paid for trivial breaches of PIPEDA. In Townsend v. Sun Life Financial, 2012 FC 550, the Applicant brought an application against Sun Life Financial for having misaddressed a piece of mail (which was returned unopened) and for disclosing some medical information to the financial advisor involved in underwriting the policy.

The Applicant sought

(i) Payment of $352.56 for costs associated with the closing of the Investors Group retirement plans;
(ii) Declaration that the Respondent breached the PIPEDA and the fiduciary duties owed to the Applicant;
(iii) Declaration compelling the Respondent to publish notices of measures taken to avoid contravening the PIPEDA;
(iv) An award of $25,000.00 in damages;
(v) Costs before this Court; and
(vi) Any other relief this Court deems appropriate.

Though a (relatively trivial) breach was found, the application was dismissed.

The court noted, in its discussion of damages:

[34] In fact, contrary to the Applicant’s bald assertions, I do not accept that the Respondent has acted in an intentional, callous or egregious manner or in any other way that would indicate a complete disregard for the Applicant’s privacy interests. The fact that the Respondent has never denied having committed the errors is commendable. Plus, there is no evidence that the Respondent acted in bad faith or benefited commercially from the error, as acknowledged by the Applicant. It is also duly noted that the Respondent has apologized to the Applicant on numerous occasions (Respondent’s Record, Affidavit of Rosemary Knez, Exhibit “B”, p 8; Exhibit “D”, pp 11-12; Exhibit “F”, p 14) and even informed the Applicant of the measures implemented to avoid the re-occurrence of such errors (Ibid, Exhibit “D”, p 11). In my opinion, the Respondent promptly and effectively corrected its errors. It may be, as alleged by the Applicant, that the Respondent should have put these measures in place before the error occurred. Nobody should be held to a standard of perfection, and the Respondent already had a detailed protocol before the occurrence of what can only be considered as a human error.

[35] Moreover, the amount of damages sought is greatly out of proportion to the jurisprudence of this Court. Even in cases where the Court has found evidence of bad faith on the part of a respondent, the quantum of damages has been lesser than the order sought by the applicant. ...

[38] Taking into consideration the facts of this case, I am of the view that the disclosure of personal information was minimal and the inaccuracy in the Applicant’s address caused no injury. I accept that medical information is of the utmost sensitivity and should receive the highest degree of protection. In the instant case, and without diminishing the Applicant’s grief, the extent of the disclosure was minimal and was only disclosed to Mr. Townsend’s Advisor, who appeared not to have noticed the personal information and then promptly destroyed the letter upon request. Moreover, the Respondent genuinely apologized for the breach and promptly took steps to correct its policies and procedures. For those reasons, I do not consider it necessary to order the Respondent to correct its practices or to publish a notice of any action taken or proposed to be taken to correct its practices, or to award damages to the Applicant.

[39] Moreover, the Applicant has not provided any arguments or evidence for disbursing $352.56 for costs, associated with the closing of the Investors Group retirement plans. In any event, I see no plain and obvious link between these costs and the Respondent’s conduct. Accordingly, the Court exercises its discretion not to award these costs.

[40] For all of the foregoing reasons, this application is dismissed and each party shall bear its own costs.

Tuesday, July 03, 2012

Twitter publishes its first "transparency report"

Kudos to Twitter for following Google's example and releasing its first "Transparency Report", which summarises the number of government requests for user data and government demands to take down user data. You can find it here and they've blogged about it here: Twitter Blog: Twitter Transparency Report.

For the first half of 2012, Twitter received 11 requests from Canada related to 11 user accounts and complied with 18% of them.