Wednesday, January 30, 2013

PIPEDA Finding: In joint investigation with Dutch DPA, Commissioner finds WhatsApp didn't comply with Canadian privacy laws

Earlier this week, the Privacy Commissioner of Canada released its report of findings against WhatsApp, the popular, cross-platform instant messaging app. (Commissioner’s Findings - PIPEDA Report of Findings #2013-001: Investigation into the personal information handling practices of WhatsApp Inc.) It's a long and interesting read in and of itself, but it is also notable as the first time that the Commissioner has participated in a joint investigation with another country's data protection authority. It is also notable that she "named names" and that the investigation was undertaken on her own initiative, rather than as a response to complaints.

Here's the Commissioner's media release, which summarises the investigation:

WhatsApp’s violation of privacy law partly resolved after investigation by data protection authorities

Canadian and Dutch data privacy guardians release findings from investigation of popular mobile app

Ottawa, Canada and The Hague, The Netherlands, January 28, 2013 — The Office of the Privacy Commissioner of Canada (OPC) and the Dutch Data Protection Authority (College bescherming persoonsgegevens, (CBP)) today released their findings from a collaborative investigation into the handling of personal information by WhatsApp Inc., a California-based mobile app developer.

The coordinated investigation is a global first, as two national data protection authorities conducted their work together to examine the privacy practices of a company with hundreds of millions of customers worldwide. This marks a milestone in global privacy protection.

“Our Office is very proud to mark an important world-first along with our Dutch counterparts, especially in light of today’s increasingly online, mobile and borderless world,” said Jennifer Stoddart, Privacy Commissioner of Canada. “Our investigation has led to WhatsApp making and committing to make further changes in order to better protect users’ personal information.”

Jacob Kohnstamm, Chairman of the Dutch Data Protection Authority, adds: “But we are not completely satisfied yet. The investigation revealed that users of WhatsApp – apart from iPhone users who have iOS 6 software – do not have a choice to use the app without granting access to their entire address book. The address book contains phone numbers of both users and non-users. This lack of choice contravenes (Dutch and Canadian) privacy law. Both users and non-users should have control over their personal data and users must be able to freely decide what contact details they wish to share with WhatsApp.”

Key findings and outcomes

  • The investigation focused on WhatsApp’s popular mobile messaging platform, which allows users to send and receive instant messages over the Internet across various mobile platforms. While WhatsApp was found to be in contravention of Canadian and Dutch privacy laws, the organization has taken steps to implement many recommendations to make its product safer from a privacy standpoint. At this time however, outstanding issues remain to be fully addressed.
  • The investigation revealed that WhatsApp was violating certain internationally accepted privacy principles, mainly in relation to the retention, safeguard, and disclosure of personal data. For example:
      • In order to facilitate contact between application users, WhatsApp relies on a user’s address book to populate subscribers’ WhatsApp contacts list. Once users consent to the use of their address book, all phone numbers from the mobile device are transmitted to WhatsApp to assist in the identification of other WhatsApp users. Rather than deleting the mobile numbers of non-users, WhatsApp retains those numbers (in a hash form). This practice contravenes Canadian and Dutch privacy law which holds that information may only be retained for so long as it is required for the fulfilment of an identified purpose. Only iPhone users running iOS6 on their devices have the option of adding contacts manually rather than uploading the mobile address numbers of their address books to company servers automatically.
      • At the time the investigation began, messages sent using WhatsApp’s messenger service were unencrypted, leaving them prone to eavesdropping or interception, especially when sent through unprotected Wi-Fi networks. In September 2012, in partial response to our investigation, WhatsApp introduced encryption to its mobile messaging service.
      • Over the course of the investigation, it was found that WhatsApp was generating passwords for message exchanges using device information that can be relatively easily exposed. This created the risk that a third party may send and receive messages in the name of users without their knowledge. WhatsApp has since strengthened its authentication process in the latest version of its app, using a more secure randomly generated key instead of generating passwords from MAC (Media Access Control) or IMEI (International Mobile Station Equipment Identity) numbers (which uniquely identify each device on a network) to generate passwords for device to application message exchanges. Anyone who has downloaded WhatsApp, whether they are active users or not, should update to the latest version to benefit from this security upgrade.

Next steps

The OPC and CBP have worked closely together, but have issued separate reports, respecting each country’s data protection law (Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and the Dutch Data Protection Act (Wet bescherming persoonsgegevens (Wbp))). Following the issuance of their respective reports of findings, the OPC and CBP will pursue outstanding matters independently.

Following investigation, the Dutch Data Protection Act provides for a second phase in which the CBP will examine whether the breaches of law continue and will decide whether it will take further enforcement actions. The Dutch legal framework contains the possibility to enforce the Dutch privacy law by imposing sanctions.

Under Canada’s PIPEDA, the OPC will monitor the company’s progress in meeting commitments made in the course of investigation. In most cases, companies are cooperative in meeting their obligations, and WhatsApp has demonstrated a willingness to fully comply with the OPC’s recommendations. Unlike the CBP, the OPC does not have order making powers.
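
The authentication finding in the release above (passwords generated from MAC or IMEI numbers, later replaced by a randomly generated key) can be illustrated with a short sketch; this is an added example, not code from the Commissioner's report or from WhatsApp. The SHA-256 derivation, the `Registrar` class and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values, not real devices or subscribers.
SAMPLE_IMEI = "123456789012345"
SAMPLE_ACCOUNT = "+15555550100"


def derived_password(device_identifier: str) -> str:
    """Weak pattern: the credential is a pure function of a device identifier.

    SHA-256 is an assumption; the release does not say how the passwords
    were derived. Any deterministic derivation shares the same weakness:
    the identifier is not a secret, so neither is the credential.
    """
    return hashlib.sha256(device_identifier.encode()).hexdigest()


class Registrar:
    """Hypothetical server side of the stronger pattern.

    A fresh random key is issued at each registration and only its digest
    is stored, so the key cannot be reconstructed from device properties
    or read back out of the credential store.
    """

    def __init__(self) -> None:
        self._digests = {}  # account -> SHA-256 digest of the current key

    def register(self, account: str) -> str:
        key = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._digests[account] = hashlib.sha256(key.encode()).digest()
        return key  # delivered to the device once, over an encrypted channel

    def verify(self, account: str, presented: str) -> bool:
        expected = self._digests.get(account)
        if expected is None:
            return False
        got = hashlib.sha256(presented.encode()).digest()
        return hmac.compare_digest(expected, got)  # constant-time comparison


def compare_schemes() -> dict:
    """Contrast the two schemes on the properties the finding turns on."""
    results = {}

    # Derived credential: anyone holding the identifier holds the password,
    # and re-registering the same device can never change it.
    owner = derived_password(SAMPLE_IMEI)
    recomputed = derived_password(SAMPLE_IMEI)
    results["derived_recomputable"] = hmac.compare_digest(owner, recomputed)
    results["derived_rotates"] = derived_password(SAMPLE_IMEI) != owner

    # Random key: knowledge of the identifier is useless, and re-registering
    # replaces the key, which revokes the old one.
    reg = Registrar()
    key1 = reg.register(SAMPLE_ACCOUNT)
    results["random_accepts_owner"] = reg.verify(SAMPLE_ACCOUNT, key1)
    results["random_rejects_derived"] = not reg.verify(
        SAMPLE_ACCOUNT, derived_password(SAMPLE_IMEI)
    )
    key2 = reg.register(SAMPLE_ACCOUNT)
    results["random_rotates"] = (
        key1 != key2
        and not reg.verify(SAMPLE_ACCOUNT, key1)
        and reg.verify(SAMPLE_ACCOUNT, key2)
    )
    return results


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```
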

Monday, January 28, 2013

Happy data privacy day!

Today is international data privacy day. I am sure there'll be some interesting content posted through the day around the world to acknowledge the event and I'll try to post links as I'm able.

First, Google's top lawyer, David Drummond, has posted on the Official Google Blog greater detail about Google's approach to government requests for user data (Google’s approach to government requests for user data). In the post, he points to a new part of their groundbreaking Transparency Report that provides even more information on "User Data Requests". It's great that Twitter has followed suit with its own Transparency Report. More companies should do so.

And speaking of Twitter, follow the #DPD13 hashtag to see what others are saying about Data Privacy Day.

Facebook has launched "Ask our CPO", where users can submit questions to be answered by Chief Privacy Officer Erin Egan.

If you are in Halifax, you should also check out Dalhousie University's annual Data Privacy Day. It's being celebrated all afternoon on Wednesday, January 30, 2013 with a great lineup of speakers, including Jill Clayton, the Information and Privacy Commissioner of Alberta. I'll be your emcee for the event.

Saturday, January 26, 2013

Members of the privacy community demand transparency from Skype/Microsoft on disclosure of user information

A group of civil society organizations and privacy activists are calling upon Microsoft and Skype to be much more forthcoming about Skype's privacy practices, particularly those related to disclosures of user information to governments and law enforcement. The open letter to Skype calls for Microsoft to follow the lead of Google's and Twitter's transparency reports:

Open Letter to Skype

We call on Skype to release a regularly updated Transparency Report that includes:

  1. Quantitative data regarding the release of Skype user information to third parties, disaggregated by the country of origin of the request, including the number of requests made by governments, the type of data requested, the proportion of requests with which it complied — and the basis for rejecting those requests it does not comply with.
  2. Specific details of all user data Microsoft and Skype currently collects, and retention policies.
  3. Skype’s best understanding of what user data third-parties, including network providers or potential malicious attackers, may be able to intercept or retain.
  4. Documentation regarding the current operational relationship between Skype with TOM Online in China and other third-party licensed users of Skype technology, including Skype’s understanding of the surveillance and censorship capabilities that users may be subject to as a result of using these alternatives.
  5. Skype's interpretation of its responsibilities under the Communications Assistance for Law Enforcement Act (CALEA), its policies related to the disclosure of call metadata in response to subpoenas and National Security Letters (NSLs), and more generally, the policies and guidelines for employees followed when Skype receives and responds to requests for user data from law enforcement and intelligence agencies in the United States and elsewhere.

Friday, January 25, 2013

HRSDC to provide credit protection for those affected by missing hard drive

HRSDC has decided to do the right thing -- which it should have done on day one: provide credit protection services to the more than half a million individuals affected by the HRSDC missing hard drive fiasco. The department's release only refers to this breach, which leaves me wondering why they are not providing the same protection to people whose information was compromised with the missing USB thumb drive full of equally sensitive information.

I expect this really takes the wind out of the sails of the many class actions against the government.

Canada News Centre - Department to provide credit protection for clients with information on missing hard drive

Ottawa, Ontario, January 25, 2013 — The Department of Human Resources and Skills Development (HRSDC) is responding to the concerns of Canadians and providing credit protection at no cost to Canada Student Loans Program (CSLP) clients whose personal information was contained in a missing hard drive.

In addition to the strong measures that the Minister recently directed the Department to implement, the Department has contracted with Equifax, a credit bureau, to provide the affected clients with credit and identity protection services for a period of up to six years.

“While there is no evidence that information has been fraudulently accessed or used, I want to reassure Canadians that we are serious about protecting their personal information,” said Minister Finley. “That is why we will provide potentially affected individuals with credit protection at no cost, which will flag their credit files and help detect any potential compromise of their personal information.”

While HRSDC has no evidence that any of the information has been accessed or used for fraudulent purposes, those clients who could potentially have been affected by this incident have the choice to request the credit protection services, and can contact the HRSDC call centre at 1-866-885-1866 within North America. For calls from outside of North America, affected citizens can call 1-416-572-1113 and dial 0 to speak to an operator in order to reverse the charges. Callers with a hearing or speech impairment and who use a teletypewriter (TTY) can call at 1-800-263-5883.

To protect privacy, the Department is asking that affected individuals call to provide their consent for their information to be shared with Equifax. The process will be simple and efficient.

A hard drive containing personal information on approximately 583,000 individuals who were Canada Student Loans clients from 2000-2006 has been deemed missing from an HRSDC office in Gatineau, Quebec, although the search is ongoing.

Credit protection services will be arranged once clients make contact with the HRSDC call centre.

HRSDC continues to take all efforts to reassure Canadians that rigorous new protocols are in place to protect their data.

With respect to the last sentence, shouldn't they be reassuring Canadians that they are taking all efforts to protect data rather than taking all efforts to reassure Canadians?

Tuesday, January 15, 2013

Massive BC privacy breach involves millions of health records

The Canadian Press, via the CBC, is reporting on a series of new data breaches from British Columbia that likely involved millions of health records. And, as with the HRSDC breaches, portable electronic USB storage devices are involved.

It appears that the province is not planning to notify everyone involved.

B.C. privacy breach shows millions affected - British Columbia - CBC News:

Ministry notifying more than 38,000 people about shared data

The personal-health data of millions of British Columbians has been accessed without proper authorization, and in the most serious cases, the provincial government says it will notify 38,486 individuals of the breaches by letter.

Health Minister Margaret MacDiarmid made the announcement as part of an ongoing investigation into research-grant practices between ministry employees and researchers at the universities of B.C. and Victoria.

MacDiarmid said that during three separate instances in October 2010 and June 2012, the health information was saved on USB sticks and shared with researchers or contractors without the proper permission or protocols.

MacDiarmid said the data did not include names, addresses or financial information, but it wasn't supposed to be shared with other health researchers.

Also included was data from Statistics Canada's Canadian Community Health Survey, including information on the mental, physical and sexual health of individuals, as well as their lifestyles and the use of health services.

“We don't have any evidence at all that any of this information was used for any purpose other than health research. There is minimal if any risk that this information that would be used in a way that would be harmful to these individuals.”

MacDiarmid said her ministry decided to write the letters following discussions with the Office of the Information and Privacy Commissioner.

Elizabeth Denham, the information and privacy commissioner, also said Monday her independent investigation should be complete in the coming weeks, and she will then issue a public report with findings and recommendations.

Seven ministry workers have already been fired, sparking two separate lawsuits.

Monday, January 14, 2013

Note to HRSDC: Cloud computing and remote access dramatically reduces the risk of portable device data breaches

I posted this, this morning, on the Canadian Cloud Law Blog but it should be equally of interest to readers of this blog:

Canadian Cloud Law Blog: Note to HRSDC: Cloud computing and remote access dramatically reduces the risk of portable device data breaches

The Canadian news has been full of reports related to two significant privacy breaches emanating from the federal ministry of Human Resources and Skills Development Canada. The first to be reported was the loss of a USB thumb drive containing the personal information (including personal health information) of more than 5,000 disabled Canadians who were receiving benefits under programs administered by HRSDC. In the course of investigating that first breach, a second came to light. Apparently someone at HRSDC thought it would be wise to back up the data of over half a million student loan recipients onto a portable USB hard drive, which could be easily lost or misplaced. Guess what happened ... it was lost or misplaced.

Problems with storing sensitive personal information on USB storage devices are not unknown. The Information and Privacy Commissioner of Ontario, Ann Cavoukian, has recently been on a tear over a USB-related breach by Elections Ontario resulting from poorly understood policies, bad training and a lack of accountability. In fact, she's published reams of reports on the breach, its root causes and what should be done to prevent it from happening again. (The TL;DR version: Employees were engaged in a project where they had to clean up electoral lists at an off-site location. They decided to transfer the data using USB thumb drives and didn't even do that well.)

The HRSDC Minister's media release says that, as a response to the second breach, employees will be given training on a new information security policy. That suggests to me that the reckless practice of placing unencrypted personal information on portable storage devices was A-OK. Well, it's not. Never has been and never will be.

The full facts of the HRSDC breaches are still very sparse, but we know that the second breach was caused by an employee or employees who wanted to make a backup of data (probably a good idea) and put the backup on a small portable device (a very bad idea). It may be that the first breach was caused by an employee who either needed to work offsite with the data or needed to move it from one computer to another. Both are reasonable things to want to do. And in some computing environments, they can only be accomplished by making a copy of the data, and USB devices are a handy way of doing that.

A large part of my practice is advising clients on cloud computing. And I also often get invited to speak to groups of IT professionals and fellow lawyers on legal issues related to cloud computing. For the past few years, the majority of questions about the risk of cloud computing have focused on the fact that the data may be outside of Canada and that the customer is trusting someone else to secure the data. Those are both important questions to ponder, but few turn their minds to the fact that, in most cases, cloud computing is much safer for the data and significantly lowers the risk to data.

If Elections Ontario or HRSDC were using a cloud computing model, none of these breaches would have happened in any of the scenarios outlined above. Cloud computing keeps the data on a server or series of servers in highly secured data centres. There's no need to copy or move the data to get access to it remotely. This is accomplished through secured connections between an authorized computer or browser and the data centre. If you want it backed up, that's usually done on tapes in the data center and the data seldom has to leave the secured premises. In any data centre worth its salt, disk inventory is carefully controlled and audit tools are used to keep track of who has accessed what data. If tapes are moved offsite for redundancy's sake, there is usually a much higher level of diligence exercised as it follows documented processes.

When questions are being asked about how this happened and what can be done to prevent such breaches from happening again, the government should carefully consider how cloud computing or other remote access models dramatically reduce the risk of such breaches.

Friday, January 11, 2013

Government release on the loss of personal information of 583,000 Canadian student loan recipients

Here is the (ironically titled) media release regarding the loss of the personal information of more than half a million Canadians. Note that the government has been aware of this breach for over a month and chose to issue the release on a Friday afternoon. Also note that the "new policy" described suggests that storing this information on an unencrypted portable hard drive was acceptable under the previous policy.

Protecting Canadians' Personal Information at HRSDC

January 11, 2013 13:02 ET


OTTAWA, ONTARIO--(Marketwire - Jan. 11, 2013) - The Honourable Diane Finley, Minister of Human Resources and Skills Development, has issued the following statement regarding the loss of an external hard drive from an HRSDC office in Gatineau, Quebec which contained personal information of 583,000 Canada Student Loans Program borrowers between 2000-2006:

Full details are available in the attached backgrounder.

"I want all Canadians to know that I have expressed my disappointment to departmental officials at this unacceptable and avoidable incident in handling Canadians' personal information. As a result, I have directed that departmental officials take a number of immediate actions to ensure that such an unnecessary situation does not happen again.

"The department will be making every effort to contact the individuals whose information was lost. This includes direct notification to those for whom we have current contact information. I am releasing all details on the breach publicly and we will be working with a number of external partners to ensure that Canadians are made aware of the data loss. The Department is continuing its investigation. The Office of the Privacy Commissioner has been consulted. My office has engaged the Royal Canadian Mounted Police on this matter, given its serious nature.

"I have requested that HRSDC employees across Canada receive comprehensive communications on the seriousness of these recent incidents and that they participate in mandatory training on a new security policy to ensure that similar situations do not occur again. Further, I have instructed that the new policy contain disciplinary measures that will be implemented for staff, up to and including termination, should the strict codes of privacy and security not be followed.

"On behalf of our Government, I want to reassure Canadians that we are serious about protecting their personal information. As Minister, I will ensure that every effort is taken so that HRSDC meets the expectations of Canadians in keeping their information safe and secure."

This news release is available in alternative formats on request.

BACKGROUNDER

In late 2012, the department of Human Resources and Skills Development Canada (HRSDC) informed the Office of the Privacy Commissioner of the loss of a USB key, which contained the personal information of over 5,000 Canadians.

While reviewing this incident, departmental officials learned of a subsequent serious loss of Canadians' personal information.

Although the search is ongoing, an external hard drive has been deemed lost from an HRSDC office in Gatineau, Quebec.

The Department is continuing its investigation. The Office of the Privacy Commissioner has been consulted. The office of the Minister has engaged the Royal Canadian Mounted Police on this matter, given its serious nature.

Details regarding loss of the hard drive

A hard drive containing personal information on 583,000 Canada Student Loans borrowers dated from 2000-2006 has been deemed lost at an HRSDC office in Gatineau, Quebec, although the search is ongoing.

The file contained information including student names, dates of birth, Social Insurance Numbers, addresses and student loan balances from recipients across the country (except Quebec, Nunavut and the Northwest Territories as they manage their own student loan programs). Personal contact information of 250 HRSDC employees was also on the hard drive.

No banking or medical information was included on the drive.

The client information was saved onto an external hard drive as a back-up storage option.

Timeline of events

November 5, 2012: A HRSDC employee discovered that an external hard drive was missing. Search efforts began.

November 28: The Departmental Security Officer was notified.

December 6: Discovery that personal information of Canada Student Loans Program clients was on the hard drive.

December 14: The Office of the Privacy Commissioner was notified.

January 7: The incident was referred to the Royal Canadian Mounted Police.

January 11: Canadian public was informed of the incident.

Process for inquiries and more information

HRSDC is sending letters to individuals affected, for whom we have current contact information, to advise them of the incident and what steps to take to help protect their personal information.

A toll-free number has been set-up at 1-866-885-1866 (or 416-572-1113 for those outside of North America) for individuals to verify if they are affected by this incident, and to ask additional questions regarding this issue. Hours of operation will be 8:00 a.m.-8:00 p.m. (EST), 7 days a week, starting Monday, January 14, 2013, for as long as needed.

People with a hearing or speech impairment and using a teletypewriter (TTY) can call 1-800-263-5883. Hours of operation will be 8:00 a.m.-8:00 p.m. (EST), 7 days a week, starting Monday, January 14, 2013, for as long as needed.

All details on this incident and how Canadians can protect their personal information are available at http://www.canlearn.ca/eng/main/spotlighton/privacy/index.shtml

New HRSDC policy for storing secure information

The Minister has directed that the overall policy for security and storage of personal information at HRSDC be strengthened and improved. The highlights are:

  • New, stricter protocols to be implemented immediately. Portable hard drives are no longer permitted. Unapproved USB keys are not to be connected to the network;
  • Immediate risk assessments of all portable security devices used in the Department's work environment to ensure that appropriate safeguards are in place; these assessments will continue on a regular, ongoing basis;
  • Mandatory training for all employees regarding the proper handling of sensitive information, including personal information;
  • Implement new data loss prevention technology, which can be configured to control or prevent the transfer of sensitive information;
  • Disciplinary measures that will be implemented for staff, up to and including termination, should the strict codes of privacy and security not be followed.

HRSDC "loses" sensitive personal information of another half MILLION Canadians

The CBC is reporting tonight that Human Resources and Skills Development Canada has lost a hard drive containing very sensitive personal information on more than five hundred thousand Canadians. This time, it was a portable hard drive and the information is about 583,000 student loan recipients.


Federal agency loses data on 583,000 Canadians - Nova Scotia - CBC News:

A portable hard drive containing personal information about more than half a million people who got student loans has gone missing, the federal government revealed Friday.

Human Resources and Skills Development Canada says the device disappeared from an HRSDC office in Gatineau, Que., in early November.

The hard drive had personal information on 583,000 Canadians who were clients of the Canada Student Loans program from 2000 to 2006. Borrowers from Quebec, Nunavut and the Northwest Territories are not affected.

The information on the missing hard drive includes:

  • Student names, social insurance numbers, dates of birth, contact information and loan balance of Canada Student Loan borrowers.
  • Personal contact information for 250 HRSDC employees.

The government says no banking or medical information was on the hard drive.

Letters are going out to everyone affected to tell them what steps to take to protect themselves.  

No evidence of fraud

So far, there's no sign that any of the missing data has been accessed or used for fraudulent purposes, but the government has called in the RCMP and alerted the office of the privacy commissioner.

"I want all Canadians to know that I have expressed my disappointment to departmental officials at this unacceptable and avoidable incident in handling Canadians’ personal information," said Human Resources and Skills Development Minister Diane Finley in a statement.

"I have requested that HRSDC employees across Canada receive comprehensive communications on the seriousness of these recent incidents and that they participate in mandatory training on a new security policy to ensure that similar situations do not occur again."

She says employees who fail to adhere to the new policy could be fired.

This is the second incident involving missing personal information that her department has faced in less than a month.

In late December, HRSDC revealed that a USB key containing personal information on about 5,000 Canadians disappeared in November.

Update: Check out the Government of Canada media release on this breach.

Tuesday, January 08, 2013

Privacy Commissioner proposes lawful access compromise

According to the Canadian Press, the Privacy Commissioner of Canada has commissioned law professor Karim Benyekhlef of the University of Montreal to design a compromise for lawful access and has submitted it to the government. The proposal is characterised as "warrant light" and is similar to procedures currently used for production orders.

Though the article, below, is short on details, it may be similar to the detailed proposal I put forward in my blog post, Lawful Access: There, I fixed it for you.

Privacy czar tries to broker Internet surveillance bill solution

OTTAWA - The federal privacy watchdog is trying to help the Conservative government find a compromise in its contentious bid to bolster Internet surveillance powers.

A blueprint solicited by the privacy commissioner's office proposes new procedures to give police and spies key information about Internet users while retaining the principle of judicial oversight, a memo obtained under the Access to Information Act shows.

The internal memo reveals assistant privacy commissioner Chantal Bernier asked University of Montreal law professor Karim Benyekhlef to come up with the proposal — "to help find a middle ground between security and privacy" — following intense public outcry about the government's planned approach in Bill C-30.

The federal legislation would allow police, intelligence and Competition Bureau officers access to Internet subscriber information — including name, address, telephone number, email address and Internet protocol address — without a warrant. An IP address is the numeric label assigned to a computer on the Internet.

Currently, release of such data, held by Internet service providers, is voluntary.

Opponents of the bill say allowing authorities access to Internet subscriber information without a court-approved warrant would be a dangerous infringement of privacy because even that limited data can be revealing.

The bill would also require telecommunication service providers to have the technical capability to enable police and spies to intercept messages and conversations.

The government indicated the bill would go directly to a House of Commons committee, skipping the usual second reading, to allow for amendments. But it has not yet resurfaced.

The internal memo — prepared last July for Bernier, Privacy Commissioner Jennifer Stoddart, and the office's senior lawyer — brands Benyekhlef's plan a "warrant light" approach to judicial authorization.

Benyekhlef, a former federal prosecutor who is now director of the university's Centre de Recherche en Droit Public, concludes that the federal bill is inconsistent with the Charter of Rights because it allows warrantless access to subscriber information.

"There is tradition in Canadian law that the state must have a warrant before exercising its search or seizure powers," Benyekhlef said in an interview.

He proposes a five-step process in which the authorities would first apply to a court for an order seeking subscriber data. This could be done in person, by paper or on the phone.

A judge or justice of the peace would review the application to ensure it sets out "reasonable suspicion" that the Criminal Code or other federal law has been breached and that the information sought relates to the alleged offence.

If the application conditions are met, a signed order would be provided to the investigator, who could then present it to the legal division of an Internet provider. The provider would then be required to hand the investigator the data and maintain a record of the transaction.

The privacy commissioner's analysis of the proposal points out its similarity to the production order powers currently available to authorities seeking financial and commercial information, in place since 2004.

The memo notes this power allows police, after receiving court approval, to present a financial institution or other commercial firm with an individual's name. The firm must then produce account numbers, date of birth and current and previous addresses.

The privacy commissioner's office understands the challenges faced by law enforcement in fighting online crime "at a time of rapidly changing communications technologies and the need to modernize their tactics and tools accordingly," said Scott Hutchinson, a spokesman for the commissioner.

The office wanted to see whether there was a tool that would help authorities get judicial approval to obtain the information they want within desired time limits, he said in a written response to questions.

"Our office has thus far consulted with the Canadian Chiefs of Police on this document and we continue our analysis of this issue," Hutchinson said.

The privacy commissioner "continues to try and stay on top of developments" relating to the online surveillance bill and has kept the lines of communications open with the departments involved, he added.

"We await to see what the government’s intentions will be for this bill, and will be ready to share our observations and expertise to help ensure that the privacy rights of Canadians are protected."

Friday, January 04, 2013

Police shouldn't get to choose to disregard privacy laws

Victoria lawyer Michael Mulligan has an interesting opinion piece in today's Victoria Times Colonist about the recent fuss over the city police's disregard of privacy laws.

For those who are just tuning in, the Information and Privacy Commissioner recently did a review of the practice of automated license plate scanning. She found that the collection, retention and possible re-use of the data violated the Freedom of Information and Protection of Privacy Act.

Local Saanich police stopped the practice. The Mayor of Victoria urged the police to follow the OIPC's ruling, but the police board met in secret and decided to continue the practice.

In my view, the police above all else don't get to choose which laws they follow and which they disregard. If they thought the Commissioner's interpretation of the statute was incorrect, they could stop the practice and seek judicial review. Instead, they simply chose to continue the practice. Similarly, Mr. Mulligan calls the police to account for the use of the Bar Watch program in that city.

Here's the commentary from today's paper:

Comment: Police use of vehicle, bar data misguided - Op-Ed - Times Colonist

MICHAEL MULLIGAN, TIMES COLONIST, JANUARY 4, 2013

There was a time when the nature of paper records ensured us all some measure of privacy. Only so many records could be kept and searching them took time. Those days are long gone.

Modern computer storage, combined with automated data-collection devices, has fundamentally altered the privacy landscape. This technological reality makes the civilian oversight of police agencies even more critical if we are to balance the need for law enforcement with our desire for privacy.

The recent controversy concerning the police use of automated licence-plate scanners has brought this issue into sharp relief. The local municipal police forces have been utilizing automated licence-plate recognition devices supplied by the RCMP to scan and record the licence plates of every car that passes by a police vehicle equipped with one of these devices.

The original rationale for the ALPR device was to permit police to identify stolen vehicles and drivers who were prohibited or who had an expired licence. There was little cause for privacy concerns, as there would be no need to capture and store information on every innocent passerby.

The objectionable element of the ALPR devices, as recently elucidated by the B.C. information and privacy commissioner, is that they have been configured to capture and store data on every vehicle that passes by in combination with GPS and timing information.

While the RCMP claims the information is deleted shortly after they receive it from other police forces, they intend to keep it longer to be able to determine where vehicles were spotted in the past. Used in this fashion, the ALPR devices are an affront to personal privacy. They also violate existing privacy legislation, according to the privacy commissioner.

Following the commissioner’s report, Saanich police stopped using the devices. Victoria’s police chief has, however, refused to comply. While Mayor Dean Fortin suggested that the Victoria police department should stop using the device until the privacy concerns are addressed, the police board recently decided to hold an in-camera meeting and, in secret, voted to allow the Victoria police department to carry on collecting, storing and forwarding the information to the RCMP.

Our firm recently made a request pursuant to provincial freedom of information legislation that revealed a similarly disturbing practice with respect to the collection, storage and use of personal information obtained through the Bar Watch program in Victoria.

The purpose of the Bar Watch program is to prevent people associated with gang activity, drug trafficking or other problematic behaviour from entering bars. It involves identification being obtained and scanned electronically by bar employees as people enter licensed establishments.

Again, if the Bar Watch program was operated so as to deny entry to problematic patrons, there would be little cause for privacy concerns. No information would need to be collected and stored. The identification scanning devices could simply alert bar staff when identification was associated with someone who should be denied entry.

The internal police communications we obtained paint a different picture of how the Bar Watch technology is being used and what is being done with the information. The Victoria police discuss the importance of having the identification of every patron who enters a participating establishment scanned, regardless of whether the people entering are known not to be problematic by bar staff.

The Victoria police officer in charge of the program reminds fellow officers about how useful it can be to search the database of information they have collected through the program to determine where and when people were at some time in the past.

The police are collecting and storing information concerning every individual who enters a bar or whose car is passed by a police car. Storing this information to permit the retrospective tracking of people is a serious privacy concern.

In their approach to both licence-plate scanning and the collection, storage and use of Bar Watch information, the Victoria police have demonstrated the need for careful civilian scrutiny of their practices relating to the collection and use of personal information.

Failing appropriate internal police leadership on these issues, the first level of protection for the public ought to be vigorous oversight and direction by the police board. This ought not to occur in a closed meeting. An unwillingness to publicly explain and justify the proactive tracking of anyone who drives a car or enters a bar is a serious concern.

Should the police not correct these practices, the next step may well be a court application by the privacy commissioner to compel compliance with provincial privacy legislation. If this becomes necessary, it will be an example of a seriously misguided approach by a police chief and a failure on the part of the police board to get the department in compliance with its legal and ethical obligations.

Michael Mulligan is a lawyer in Victoria.

Privacy Commissioner confirms investigation into HRSDC privacy breach

The Canadian Press is reporting that the Office of the Privacy Commissioner will be investigating the huge privacy breach within Human Resources and Skills Development Canada that resulted in the loss of personal information of about 5,000 Canadians.

Very few details have emerged about this breach other than the fact that a USB device was lost that contained names, social insurance numbers, and disability/health information about the affected individuals. Surely HRSDC must know some important details, such as which HRSDC program the information was connected to, and whether the USB device was used to move the data between HRSDC sites or for an employee to take work home. This is the sort of basic information that the victims need to know in order to gauge whether they're at risk of fraud or identity theft.

Hopefully, the investigation will be swift since there are 5,000 people waiting to find out.

From the Canadian Press:

Privacy czar to probe department's loss of USB key containing personal info

OTTAWA - The privacy watchdog will investigate a federal data breach in which the personal information of thousands of Canadians went astray.

The office of privacy commissioner Jennifer Stoddart says it received formal complaints after a Human Resources and Skills Development Canada employee lost a USB key containing the personal information — including social insurance numbers — of about 5,000 Canadians.

Anne-Marie Hayden, a spokeswoman for Stoddart, says the privacy commissioner has also taken close to 200 calls from people expressing concern about the breach.

Human Resources says an extensive search for the key continues.

The department has no evidence that information on the missing key has been used for fraudulent purposes.

A spokeswoman for Human Resources Minister Diane Finley calls the loss of the key a serious and completely unacceptable incident.

Alberta Commissioner chastises speed dating service for erroneous e-mail disclosure

The Office of the Information and Privacy Commissioner of Alberta has chastised, in Order P2012-12 [PDF], a "speed dating service" for erroneously disclosing the e-mail address of a participant to a person who was not supposed to obtain it. Here is the summary from the Order:

Summary: The Complainant complained that her e-mail address was disclosed by Fast Life International (“the Organization”) contrary to the Personal Information Protection Act (“the Act”) when the Organization sent her e-mail address to an individual she met, but who she did not indicate was a “match” at a speed dating event.

The Adjudicator found that the Complainant’s e-mail address was her personal information and that it had been disclosed without her consent contrary to section 7 of the Act. The Adjudicator also found that the Organization had met its burden to prove that it had made reasonable security arrangements in compliance with section 34 of the Act. Finally, the Adjudicator found that the Organization had some policies and practices in compliance with section 6(1) of the Act but decided that the Organization needed to ensure that its employees were aware of the Organization’s obligations under the Act.

Thursday, January 03, 2013

A happy birthday present for the Canadian Privacy Law Blog

Barry Sookman must have been busy over the holidays, as he just released a very interesting and thorough listing of leading IT/IP blogs, including both home-grown Canadian content and international leaders. I was pleasantly surprised to see this blog listed as number six in Canada and was flattered to be referred to as having the most popular privacy law blog. (I will note that when I named this THE Canadian Privacy Law Blog, it was the only one.)

When I started this blog, there may well have only been in the neighbourhood of six legal blogs in Canada and the field has grown significantly with a great amount of content produced on a daily basis. In fact, Barry's post reminded me that this blog turned eight years old yesterday and his recognition is a pleasant birthday present.

Here's my first post, welcoming readers to the blog: Canadian Privacy Law Blog: Welcome to the Canadian Privacy Law blog.

It's been a great eight years and I'm most pleased that readers still find it of value. Though the volume of posts has ebbed and flowed, depending on the tempo of developments in this area, I plan to keep it going as long as there are readers. And readers whose eyes are getting tired of the circa 2004 design will be happy to know there's a complete redesign in the works.