Monday, December 31, 2012

Privacy commissioner to investigate HRSDC privacy breach

According to a report in the London Free Press, the Office of the Privacy Commissioner of Canada appears to be planning to investigate the appalling privacy breach that was announced last week. The language is not as definitive as I would like, however:

Privacy commissioner to investigate security lapse | Canada | News | The London Free Press

LONDON, Ont. - The federal privacy commissioner is poised to launch a full investigation into a security lapse that lost the private information of about 5,000 Canadians.

“I think you can expect that we will be investigating the matter,” Anne-Marie Hayden, spokesperson for the Privacy Commissioner of Canada, said Monday.

The commissioner’s office has already received 100 calls and several official complaints about the loss of a USB stick that contained private medical, employment and education information, as well as Social Insurance numbers.

It would be gravely disappointing if the OPC does not do a full investigation of this breach along with strong recommendations to prevent it from happening again.

Government needs to be held to an even higher standard than the private sector. People do not have a consensual relationship with government. If you do not like how your bank handles your personal information, you can easily switch to another one. If you're not happy with Instagram's new privacy policy, you can close your account. You cannot do that with government. If Human Resources and Skills Development Canada is incompetent in safeguarding sensitive personal information and cavalier in its response, you can't go looking for another Canada Pension Plan provider.

If this breach involved one of the big California-based internet giants, you can bet there would be a full investigation and further calls for order-making powers and the ability to levy fines.

I hope to see a full and public investigation, followed by calls to amend the Privacy Act to bring it into line with more modern provincial statutes that make it an offense to willfully violate the privacy of Canadians.

Saturday, December 29, 2012

Government "loses" sensitive personal information on thousands of Canadians

Over the past week, Human Resources and Skills Development Canada has been notifying approximately 5000 people that their personal information has been lost. According to reports, the information was on a USB device that has been "misplaced". The information includes Social Insurance Number(SIN); surname; primary and, if applicable, secondary medical condition; birthdate; presence of other payers (e.g., workers' compensation); level of education; occupation type; and, Service Canada processing centre.

This is an ENORMOUS screw up by the Government of Canada. Unencrypted personal information should never be put on these devices as they are notoriously easy to lose. I am also surprised that the Privacy Commissioner's office, at least as quoted in the media, has not yet decided whether to do a formal investigation.

Personal info for thousands lost by federal government - Politics - CBC News

A federal government department says there is no evidence that missing personal information about thousands of Canadians has been used for fraudulent purposes. Human Resources and Skills Development Canada says an employee reported on Nov. 16 that a USB key containing personal information, including Social Insurance Numbers, of about 5,000 Canadians was missing.

The department, which handles a variety of files including pensions, old age security, employment insurance and childcare tax credits, says all those affected have been contacted.

A spokesperson said in an email Friday evening that the affected people have been advised of the incident and informed of the steps they can take to help protect their personal information.

HRSDC notified the privacy commissioner's office on Dec. 21 that the data had been lost.

About 60 people have already called an information line at the privacy commissioner's office expressing concern about the incident and complaints have already been filed.

"It's too early to say whether or not these will turn into official, full, investigations," said Anne-Marie Hayden, a spokeswoman for the privacy commissioner.

"We'd have to look at what we receive first and determine next steps from there."

HRSDC said it has seen no evidence that any of the information contained on the missing USB key has been used for fraudulent purposes.

"Nonetheless, we have advised affected individuals to carefully review and verify bank information, credit card information and other financial transaction statements as a means of safeguarding their personal information as a precautionary measure," the email said.

"We are currently analyzing this incident with the view of preventing a similar occurrence in the future," it added.

The commissioner's office is working with HRSDC in an effort to figure out what happened.

Each year, federal departments are required to report on how well they comply with privacy legislation.

In the 2010-2011 report — the most recent one posted on HRSDC's website — the department noted that it had been the subject of three complaints regarding how it handled personal information.

Sunday, December 23, 2012

Lawful Access: There, I fixed it for you.

Regular readers of this blog will know that I am not a fan, at all, of the government's lawful access bill, Bill C-30. In particular, I have a big problem with warrantless access to subscriber information. And I have a bigger problem with the fact that the current Bill C-30 does not put any meaningful limitation on the circumstances under which the police or national security agencies can require subscriber information without a warrant.

(If you want to see why I have a problem with Bill C-30, you just have to read my previous posts or check out my YouTube video on the topic.)

I have tried to be productive in my criticism and, to that end, offer the following to replace the warrantless access to subscriber information in the current bill. I have taken into account many of the productive conversations I've had with members of the policing community and the privacy community.

What follows would be an amendment to the Criminal Code of Canada that creates a new form of production order -- a subscriber information production order -- and can, in my view, just be dropped into the Code. It offers judicial oversight, real accountability and notice to the subscriber that their information has been obtained. It is limited only to serious crimes or where the information sought would identify the victim of a serious crime, but can't be used for fishing expeditions. And unlike a search warrant, it is effective nation-wide. And it includes the possibility of obtaining such an order from a judge over the telephone in urgent situations.

I welcome any comments you may have...
Subscriber information production order
*(1) A justice or judge, including a designated judge under the Canadian Security Intelligence Act, may order a telecommunications service provider to produce subscriber information.
Production to peace officer
(2) The order shall require the subscriber information or information regarding multiple subscribers to be produced within the time, at the place and in the form specified and given
(a) to a peace officer named in the order; or
(b) to a public officer named in the order, who has been appointed or designated to administer or enforce a federal or provincial law and whose duties include the enforcement of this or any other Act of Parliament.
Conditions for issuance of order
(3) Before making an order, the justice or judge must be satisfied, on the basis of an ex parte application containing information on oath in writing, that
(a) there are reasonable grounds to believe that an offence designated under this Section has been, is being or is about to be committed;
(b) there are reasonable grounds to believe that the subscriber information will afford evidence respecting the identity of the person or persons believed to be responsible for the commission of the offence, or the identity of the persons believed to be the victim or the intended victim of such offence;
(c) there are reasonable grounds to believe that the person who is subject to the order has possession or control of the documents or data; and
(d) the issuing of the order will not unduly infringe the relevant subscriber’s rights set out in the Charter of Rights and Freedoms, including freedom of expression, based on the totality of the circumstances.
Terms and conditions
(4) The order may contain any terms and conditions that the justice or judge considers advisable in the circumstances, including terms and conditions to protect a privileged communication between a lawyer and their client or, in the province of Quebec, between a lawyer or a notary and their client.
Power to revoke, renew or vary order
(5) The justice or judge who made the order, or a judge of the same territorial division, may revoke, renew or vary the order on an ex parte application made by the peace officer or public officer named in the order.
(6) Unless the justice or judge who made the order, or a judge of the same territorial division orders otherwise, any person whose information is obtained as a result of such order shall be notified of the order and the disclosure of his or her subscriber information within six months of the date of the order. An order to delay the giving of notice under this paragraph shall only be applicable for a maximum of six months and shall only be made if such justice or judge is satisfied, based on information on oath in writing, that the giving of such notice will likely compromise an active investigation or prosecution of an offence under this or any other Act of Parliament.
Probative force of copies
(7) Every copy of a document produced under this section, on proof by affidavit that it is a true copy, is admissible in evidence in proceedings under this or any other Act of Parliament and has the same probative force as the original document would have if it had been proved in the ordinary way.
Return of copies
(8) Copies of documents produced under this section need not be returned.
Subscriber information
(9) For the purposes of this section, “subscriber information” means the name, address, telephone number and electronic mail address of any subscriber to any of the service provider’s telecommunications services and the Internet protocol address and local service provider identifier that are associated with the subscriber’s service and equipment.
Use and retention of subscriber information
(10) Unless otherwise ordered by the justice or judge who made the order, or a judge of the same territorial division,
(a) subscriber information obtained pursuant to an order under this Section shall only be used for the investigation and prosecution of the offence or offences referred to in the information used to obtain the order; and
(b) if the person about whom the subscriber information relates has not been charged with an offence referred to in the information to obtain the order, subscriber information shall only be retained until six months following the date on which the relevant person is notified pursuant to paragraph (6) herein.
Designated offences
(11) For the purposes of this Section, a designated offence means
(a) any offence that may be prosecuted as an indictable offence under this or any other Act of Parliament, or
(b) a conspiracy or an attempt to commit, being an accessory after the fact in relation to, or any counselling in relation to, an offence referred to in paragraph (a).
Tele-production Orders
(12) Section 487.1 respecting telewarrants shall apply with respect to subscriber information production orders, mutatis mutandis, in the same manner as such section applies with respect to search warrants.
National effect
(13) A subscriber information production order issued under this Section shall be applicable with respect to the telecommunications service provider in any territorial division of Canada without requirement of endorsement by a justice or judge in the territorial division where the telecommunications service provider is located.
(14) The telecommunications service provider named in a subscriber information production order shall be compensated for the production of subscriber information in the manner and in the amount prescribed. Nothing herein shall require a telecommunications service provider to collect or retain any subscriber information beyond that which is ordinarily collected or retained in the course of the telecommunications service provider’s business.
Report to Parliament
(15) Each calendar year, the Minister shall lay before Parliament a report regarding the use of subscriber information production orders, which report shall include:
(a) the number of subscriber information production orders issued in total for the previous calendar year;
(b) the number of subscriber information production orders issued per designated offence for the previous calendar year;
(c) the number of subscriber information production orders issued per territorial division of Canada for the previous calendar year;
(d) the number of and nature of the charges, prosecutions and convictions respecting each use of subscriber information production orders, including information respecting cases where charges do not result; and
(e) any other information the Minister considers relevant regarding the use of subscriber information production orders.

Friday, December 21, 2012

Be prepared for cloud computing, it's the future of data accessibility

I was interviewed yesterday on Radio Canada International, the CBC's international arm, on privacy, security and cloud computing from a Canadian perspective. You can listen to the interview here: RCI // Highlights // Be prepared for cloud computing, it's the future of data accessibility.

(I'm sure the interview also can be used off-label to get excited kids to sleep on Christmas eve.)

Beware of juice-jacking: That free charge may not be entirely free

Here's a tip for you, just in time for the holiday traveling season: Be cautious about where you plug in your phone or other smart device, looking for a charge. For some devices, simply plugging in your USB to get some juice can give whatever you're connecting to free access to the contents of your device.

My Galaxy Nexus will not give anyone access through the USB port unless the device is unlocked. Find out if your device is similarly protected.

Beware of Juice-Jacking — Krebs on Security:

“You should not trust public kiosks with your smart phone. Information can be retrieved or downloaded without your consent. Luckily for you, this station has taken the ethical route and your data is safe. Enjoy the free charge!”

Thanks to Milan for passing this tip along.

Wednesday, December 19, 2012

Keeping data in Canada provides illusory protection against foreign government access

I was invited by CATA to give a presentation on cloud computing, privacy and cross border data flows for a number of its members and stakeholders who are involved with the fledgling Shared Services initiative coming out of the Government of Canada.

Here is the presentation, in case it is of interest:

IT World Canada was in attendance and has posted the following article:

Keeping data here no protection against US: Lawyer:

Ottawa may not allow cloud providers to store citizens' data across the border. But a lawyer says a better protection against US law is risk mitigation.

By: Howard Solomon

ComputerWorld Canada (19 Dec 2012)

The refusal of some federal government departments to allow outsourcers to store personal data of citizens outside Canada won’t keep foreign governments from getting legal access to it, says a lawyer who specializes in cloud computing.

“Data sovereignty is a bit of an illusion because we’re so interconnected (with law enforcement agencies) and there’s so much data sharing taking place,” David Fraser told an audio conference call Tuesday sponsored by the Canadian Advanced Technology Alliance (CATA).

In particular, fears that the USA Patriot Act acts as a “huge vacuum cleaner” for American law enforcement agencies to get at personal data is baseless, he said.

The Patriot Act is a “boogey man,” he said.

The fact is most developed countries have legal tools that allow their law enforcement agencies to make legal claims on data held in their countries or outside their borders, Fraser said.

Fraser, a partner with the Halifax firm McInnes Cooper, argued the real issue for Ottawa when considering outsourcing that includes storing data in the U.S. should be assessing the risk that data can be lost or unlawfully accessed and taking steps to lower the risk.

The teleconference is part of a campaign by CATA, which represents IT manufacturers, solution providers, system integrators and consultants trying to sell products and services to governments, to get Ottawa to clarify its position on outsourcing data.

In an interview John Reid, CATA chief executive officer, said that since the creation last year of Shared Services Canada, an agency trying to consolidate federal IT services, the government has suggested it may mandate that personal data of citizens must be held in data centres here.

There isn’t a formal federal policy on cross-border data storage, Fraser told the conference call. Nor is there federal law that prohibits it. Instead, it is up to individual departments to do a risk assessment if they decide cross-border data storage is justified and take appropriate privacy measures. Only two provinces, British Columbia and Nova Scotia, have policies forbidding cloud providers from storing provincial data outside Canada.

Shared Services Canada has been trying to create new buying and outsourcing policies, setting up several committees on which CATA and other private sector groups sit. It is from those committees, Reid said, that CATA is getting signals of SSC’s only-in-Canada intent.

Earlier this month CATA sent a letter to SSC asking for the department’s intentions, but Reid said he hasn’t had a reply yet.

The department didn’t respond to a request Tuesday from IT World Canada for clarification.

One person on the conference call said some government departments already demand in requests for proposals (RFPs) to her organization that any outsourced solution has to keep data in Canada.

Reid wants to persuade Ottawa to be more open to cloud solutions where data is stored outside the country in part so his members get opportunities to bid on business, and in part, he said, because the government shouldn’t turn aside possible solutions that will make it more efficient.

Fraser noted that according to international law, U.S. law enforcement authorities have the right to subpoena data even if the data is held outside its borders, as long as there are connecting factors. (The same is true for police here, he added.)

For example, he said, if the data is held in Canada the U.S. could subpoena it through a person working for a company there.

For that reason, he said, a Canadian data centre owner might be able to safeguard data here if none of its executives ever crossed the border.

More practically, he said the Canadian government could take a number of steps to reduce the odds of the personal data of its citizens being misused by U.S. authorities.

The first is to encrypt the data (which should be a standard procedure anyway, he said) and make sure control of the encryption keys is held here.

Second, the government could decide that only “low risk” data can be sent out of the country.

Third, the government could demand certain contractual provisions with a service provider, such as clauses that say the data belongs to the customer, not the data centre, that the service provider won’t turn data over unless legally required to do so, and that it will notify the customer of any subpoenas.

There could also be a requirement that the provider go to a U.S. court to resist a subpoena, although Fraser admitted there’s no guarantee it will be successful.

“There isn’t a shortage of ideas of how to mitigate risk,” he said.

Fraser didn’t say, but these risk mitigation options also apply to private sector companies who have been shy about adopting American cloud-based solutions.
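The first mitigation above (encrypt the data, keep control of the keys at home) and the lost-USB-key post earlier on this page rest on the same idea: if only ciphertext leaves your control, a lost device or a provider answering a foreign subpoena gives up nothing readable. The following is an added illustration in Go, not code from the article or from any party it names; the CloudStore, Customer and record identifiers are constructed for the example, and the key is a constructed sample value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// CloudStore stands in for a provider in another jurisdiction. It only ever
// receives ciphertext; the data-encryption key never leaves the customer.
type CloudStore struct {
	objects map[string][]byte
}

func NewCloudStore() *CloudStore { return &CloudStore{objects: map[string][]byte{}} }

func (s *CloudStore) Put(id string, blob []byte) { s.objects[id] = append([]byte(nil), blob...) }

// Produce models the provider answering a legal demand: it can hand over
// exactly what it holds, which is the sealed blob and nothing else.
func (s *CloudStore) Produce(id string) ([]byte, bool) {
	b, ok := s.objects[id]
	return b, ok
}

// Customer holds the key locally (in Canada, in the article's scenario).
type Customer struct {
	aead cipher.AEAD
}

// NewCustomer wraps a 16-, 24- or 32-byte AES key in AES-GCM.
func NewCustomer(key []byte) (*Customer, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Customer{aead: aead}, nil
}

// Seal encrypts one record under a fresh random nonce and binds the record id
// as associated data, so a blob cannot be quietly relabelled as another record.
// Output layout: nonce || ciphertext || GCM tag.
func (c *Customer) Seal(id string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return c.aead.Seal(nonce, nonce, plaintext, []byte(id)), nil
}

// Open reverses Seal; it fails on a wrong key, a wrong id or any tampering.
func (c *Customer) Open(id string, blob []byte) ([]byte, error) {
	ns := c.aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob shorter than nonce")
	}
	return c.aead.Open(nil, blob[:ns], blob[ns:], []byte(id))
}

func main() {
	// Constructed sample key; a real deployment generates and stores it in a
	// key manager under the customer's own control.
	key := []byte("0123456789abcdef0123456789abcdef")
	owner, err := NewCustomer(key)
	if err != nil {
		panic(err)
	}
	store := NewCloudStore()

	// Constructed record shaped like the HRSDC fields described on this page.
	record := []byte("SIN=000-000-000;surname=EXAMPLE;condition=sample")
	blob, err := owner.Seal("rec-1", record)
	if err != nil {
		panic(err)
	}
	store.Put("rec-1", blob)

	// A demand served on the provider yields only the sealed blob.
	produced, _ := store.Produce("rec-1")
	fmt.Printf("provider can produce %d bytes of ciphertext\n", len(produced))

	// Without the customer's key the blob is useless to whoever receives it.
	stranger, _ := NewCustomer([]byte("fedcba9876543210fedcba9876543210"))
	if _, err := stranger.Open("rec-1", produced); err != nil {
		fmt.Println("decryption without the customer's key fails:", err)
	}

	// The key holder still reads the record normally.
	plain, err := owner.Open("rec-1", produced)
	fmt.Printf("owner reads: %s (err=%v)\n", plain, err)
}
```

The same split applies to the lost USB key: a device carrying only Seal output, with the key kept elsewhere, is a loss of hardware rather than a loss of personal information.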

Tuesday, December 18, 2012

German privacy regulators tell Facebook to allow pseudonyms. Really?

According to Techcrunch, German privacy regulators have ordered Facebook to cease enforcing its "Real Names" policy in that country, saying it is in violation of German law (See Facebook Users Must Be Allowed To Use Pseudonyms, Says German Privacy Regulator; Real-Name Policy ‘Erodes Online Freedoms’ | TechCrunch).

I am not in a position to comment on whether or how this is consistent with German law, but my initial reaction is "Really? Regulators are getting into the product design business?" This is getting a little ridiculous. The real names policy is an inherent feature of Facebook. If you want to use Facebook, that's what the service includes. If you don't want to use your real name, don't use Facebook. As long as the user is informed at the beginning that real names are required, and as long as there is no "bait and switch", knowledge and consent are satisfied. Nobody is being forced to use Facebook.

People are autonomous, sentient beings who should be able to make choices -- good and bad -- about the products they use. If all products and services online had to be designed based on the lowest common denominator of paranoia and sensitivity, there would be no Facebook or Twitter. Imagine what would have happened to Twitter if it had been forced to implement "protect my tweets" by default. It would be a group messaging service, not the incredible force for good we've seen it become. (The fact that pseudonyms are permitted on Twitter is a choice the company made, not one that should be forced on the company and its users.)

Privacy should be about informed choices about how personal information is collected, used and disclosed. It should not be about taking away those choices.

Monday, December 17, 2012

Vancouver health authority employee fired for snooping on celebrities' records

An employee of Vancouver Coastal Health has been fired for snooping on the records of a number of local celebrities. The employee needed routine access to electronic medical records as part of her job. The inappropriate access was discovered through a routine, internal audit of the use of the electronic records system.

We are seeing a handful of cases like these, and the employees have consistently been terminated for the violation. It will be interesting to see whether labour arbitrators and others uphold such automatic terminations, but they certainly send a strong message that this sort of snooping will not be tolerated.

See: Three Vancouver CTV personalities' private records accessed by health authority employee.

Thursday, December 13, 2012

Privacy Commissioner calls for stronger enforcement powers

Until now, the discussion about giving the Privacy Commissioner stronger enforcement powers has been pretty low key. The conversation has ramped up a few notches as Jennifer Stoddart is more explicitly suggesting that she should have much greater powers. On December 11, 2012, she appeared before the parliamentary Access to Information, Privacy and Ethics standing committee as part of the committee's study of privacy and social media.

Her prepared statement is on her website (Statement: Second appearance before the House of Commons Standing Committee on Access to Information, Privacy and Ethics on Privacy and Social Media - December 11, 2012).

In the statement, she suggests that the current model is not working and that her office can handle the role of "judge, jury and executioner." I didn't see any detail on how it is not working. The study that she commissioned on whether the ombudsman model is working suggested that the problem is lack of compliance by small and medium sized businesses, but her comments were directed at "internet giants".

Regardless, we are going to hear a lot more of this in the coming years.

Why privacy matters even when you have 'nothing to hide'

Daniel J. Solove, noted privacy scholar from George Washington University law school, has a very good essay in the Chronicle of Higher Education that thoroughly debunks the myth that privacy is only for those who have something to hide. The essay is an excerpt from Nothing to Hide: The False Tradeoff Between Privacy and Security, published earlier this year by Yale University Press.

See Why Privacy Matters Even if You Have 'Nothing to Hide' - The Chronicle Review - The Chronicle of Higher Education.

Tuesday, December 11, 2012

Border guard union rejects name tags on privacy grounds

The union representing front-line border guards in Canada has vowed to fight the modernization of uniforms that includes nametags. The union cites officer safety and privacy as grounds for their objections. See: Name tags for Canada border agents rejected by union - Windsor - CBC News.

In my view, accountability to the public trumps whatever meagre privacy interest they think they might have.

UK Data Anonymization code of practice released

The United Kingdom Information Commissioner has released a guidance document on data anonymisation, Anonymisation: Managing data risk [PDF], which is intended to be a code of practice on that subject. The code is, in part, a response to open government and open data initiatives, which are placing large data sets in the public domain. The code sets standards on how to protect the privacy rights of individuals while providing rich sources of data.

While this is obviously only controlling in the UK, it should be helpful for those elsewhere who have to turn their minds to anonymisation of data sets.

Thursday, December 06, 2012

Video: An overview of Bill C-30, how it's broken and how it can be fixed

My first foray into the world of video blogging ... please forgive the production values.

Feel free to leave any comments below...

Monday, December 03, 2012

Privacy Commissioner on Bill C-30: Police need to get behind privacy

The Information and Privacy Commissioner of Ontario, Ann Cavoukian, has a long opinion piece in the National Post on Bill C-30:

Privacy Commissioner on Bill C-30: Police need to get behind privacy | Full Comment | National Post

Ann Cavoukian: Police need to get behind privacy

Special to National Post | Dec 2, 2012 11:56 PM ET

As Ontario’s Information and Privacy Commissioner, I have a deep respect for law enforcement. I frequently work closely with the police to help them succeed in fulfilling their important functions without sacrificing our vital right to privacy. The guidance I have provided over the years on the privacy implications of new technologies has given the police a roadmap on how to be effective, yet also protect our privacy.

That is why I am perplexed by the ongoing disagreement between law enforcement and Canada’s privacy commissioners over the federal government’s highly intrusive surveillance legislation, Bill C-30. Repeatedly, privacy commissioners have identified a pragmatic and principled approach to fixing the flawed aspects of the Bill. Time and again, members of the law enforcement community have insisted they need overly broad powers, while failing to recognize that they can have both new and effective law enforcement powers, while still protecting the privacy of individual Canadians.

The police want access to “subscriber data,” such as Internet Protocol and email addresses, because the data is powerful. The actual content of your communications does not need to be accessed in order to obtain a digital snapshot of your surfing habits and who you associate with — access to subscriber data can unlock this and more. It can be used to track people and their activities. It’s the key to revealing your identity online. Should the police be granted warrantless access in genuine emergencies? Absolutely. Should the police have unfettered access? No!

What is required is quite simple. The Bill must be amended to ensure that any police power to compel telecoms to disclose subscriber information requires a warrant in all but urgent circumstances — the police would then be required to report their use of such powers.

Our solution-driven approach would mean that urgent police investigations need never be stalled. Terrorists, organized criminals and those who try to harm the vulnerable by misusing the right to anonymity could be exposed and prosecuted in a timely fashion. At the same time, the public’s confidence in law enforcement would be heightened as a result of rules that prevent the identification and profiling of law-abiding citizens. In free societies such as ours, citizens should be entitled to go about their business without being forced to identify themselves. That right must be as strongly protected online as on the street.

The public understands this. Most of us recognize that our digital rights are no less important than other rights and freedoms. This is why Canadians across the country so strongly opposed the introduction of Bill C-30.

The same principles should guide Parliament in amending other provisions in Bill C-30. For example, we do not object to preservation orders. However, the power to compel telecoms to preserve data should be carefully tailored and subject to modern oversight and accountability, as is expected in a free and democratic society.

Citizens and lawmakers in the U.K. and the United States also recognize the importance of digital rights. That’s why elected representatives in those countries continue to express skepticism about the merits of privacy-invasive proposals. It’s not surprising that Bill C-30, and the proposals that our international allies are struggling with, will not be advancing until they receive in-depth scrutiny.

As Justice Sotomayor of the U.S. Supreme Court recognized in that court’s recent GPS monitoring decision, “Awareness that the Government may be watching chills associational and expressive freedoms. And the Government’s unrestrained power to assemble data that reveal private aspects of identity is susceptible to abuse [that] may alter the relationship between citizen and government in a way that is inimical to democratic society.”

It is unfortunate that Bill C-30 would demand such a draconian privacy price from Canadians. Fortunately, the required solutions have already been identified: judicial oversight, allowance for warrantless access only in emergencies, transparency, and openness. Canadians should be proud that we are at the forefront of an international push to ensure that democracies provide for robust privacy protections. By proactively adopting Privacy by Design, the international standard for embedding privacy assurances into information technologies and organizational practices, we can have privacy and security, in unison. Canadians do not need to write a blank cheque for effective law enforcement. Together, we must commit to preserving our privacy now, and well into the future.

National Post