Monday, February 25, 2013

Commissioner expands HRSDC breach investigation to Justice Canada

The Toronto Star is reporting that the Privacy Commissioner's investigation of the loss of a USB device containing the sensitive personal information, health information and financial information of 5000 people has expanded to include Justice Canada. From the Star:

Privacy watchdog expands probe over lost USB key to include justice department | Toronto Star

Marian Ngo, a spokeswoman for the human resources department, said the department notified legal services on Nov. 16 that a USB key containing the personal information of 5,045 Canadians who had applied for CPP disability benefits went missing from an employee’s desk.

Information found on the USB stick included social insurance numbers, surnames, occupations, birth dates, medical conditions, level of education, whether there are other payers, such as workers’ compensation, and which Service Canada processing centre was dealing with their applications.

The USB key was not encrypted or protected by a password. Ngo said the memory stick had been delivered by hand two days earlier to legal services for work on a project dealing with transitioning files to the Social Security Tribunal, which opens Apr. 1.

Officials from both HRSDC and Justice Canada searched for USB key extensively on Nov. 16, including at the home of the employee, but could not find it and it was considered lost Nov. 27.

Friday, February 22, 2013

Password protect your phone if you care about your privacy: What R v Fearon means

The portions of the twitterverse that I follow were abuzz yesterday with posts about how, in Canada, the police can search your cell phone without a warrant unless it is password protected following the release of the Ontario Court of Appeal decision in R. v. Fearon, 2013 ONCA 106.

I think this is an important case (which I also don't agree with), but it bears mentioning that the case isn't as bad as some tweets would suggest. Don't get me wrong; I think it's wrongly decided, but some of the tweets and Facebook posts I saw were a bit misleading.

In this case, the defendant was arrested after a robbery. He was properly arrested and the police found his cell phone on his person. It was an LG feature phone, not a smart phone. The phone was on and did not have a password on it. The police went looking through its contents and found incriminating photos and text messages. The police later got a warrant to forensically examine the device.

At trial, the defendant tried to have this evidence excluded arguing that there was a reasonable expectation of privacy in the contents of the phone and they police should have first gotten a warrant. The Canadian Civil Liberties Association and others intervened on appeal, arguing that there should be a cell phone exception to the general rule that allows the police to search "incident to arrest". The Court did not agree. Here's what the Court said:

[72] The problem I have with the appellant’s position and, in particular, the position of the Canadian Civil Liberties Association, is that it would appear to mark a significant departure from the existing state of the law on the basis of a record that does not suggest it is necessary. While I appreciate the highly personal and sensitive nature of the contents of a cell phone and the high expectation of privacy that they may attract, I am of the view that it is difficult to generalize and create an exception based on the facts of this case. The facts of this case, with the correct application of the existing law, suggest that the search and seizure of the cell phone at the scene of the arrest were carried out appropriately and within the limits of the law articulated by the Supreme Court in Caslake.

[73] In this case, it is significant that the cell phone was apparently not password protected or otherwise “locked” to users other than the appellant when it was seized. Furthermore, the police had a reasonable belief that it would contain relevant evidence. The police, in my view, were within the limits of Caslake to examine the contents of the cell phone in a cursory fashion to ascertain if it contained evidence relevant to the alleged crime. If a cursory examination did not reveal any such evidence, then at that point the search incident to arrest should have ceased.

[74] The appellant directed this court to statements made by the trial judge in Little, where she concluded at para. 147 that the cell phone in issue “functioned as a mini-computer”. Furthermore, the court in Little found that the contents of the cell phone “were not immediately visible to the eye” and were “extracted by a police officer with specialized skills using specialized equipment.” There was no suggestion in this case that this particular cell phone functioned as a “mini-computer” nor that its contents were not “immediately visible to the eye”. Rather, because the phone was not password protected, the photos and the text message were readily available to other users.

[75] If the cell phone had been password protected or otherwise “locked” to users other than the appellant, it would not have been appropriate to take steps to open the cell phone and examine its contents without first obtaining a search warrant.

[76] In short, I find myself in the same position as this court found itself in Manley. To quote from the reasons of Sharpe J.A. again, it is “neither necessary nor desirable to attempt to provide a comprehensive definition of the powers of the police to search the stored data in cell phones seized upon arrest.”

[77] It may be that some future case will produce a factual matrix that will lead the court to carve out a cell phone exception to the law as articulated in Caslake. This is not that case. To put it in the modern vernacular: “If it ain’t broke, don’t fix it.”

So what does this case really mean?

  • Police cannot just search your cell phone if they want to. It has to be a search incident to arrest.
  • If you are legitimately arrested AND the phone is likely to contain relevant evidence AND it is unlocked, they can do a cursory search.

So what should everyone do, regardless of this case? If you have personal information on your [smart/dumb/feature/other] phone, put a password on it. Your phone is more likely to fall into the hands of the owner of the taxicab you left it in than the police (hopefully), but you never want sensitive personal information in the hands of ANYONE. Put a password on it and use the feature that puts your "If found, contact ..." on the lock screen.

Friday, February 15, 2013

HRSDC appears before Parliamentary Committee to account for massive data breaches

Representatives of Human Resources and Skills Development Canada appeared before the House of Commons Standing Committee on Human Resources, Skills and Social Development and the Status of Persons with Disabilities (HUMA) to account for HRSDC's data loss. The testimony will appear here, when the transcript is prepared: House of Commons Committees - HUMA (41-1) - Study Home - Ensuring the protection of personal information held by HRSDC. You can watch the testimony by clicking on the Webaast icon here.

Though the HUMA committee has oversight of HRSDC, they should also be dragged in front of the Standing Committee on Access to Information, Privacy and Ethics (ETHI), which has oversight of privacy more generally.

Here is the Toronto Star's coverage of the appearance: Ottawa sorry for losing data on 500,000 Canadians.

Despite the Silicon Valley boogeymen, the Canadian government is the greatest threat to your privacy

Jesse Brown at Macleans.ca has had a great series of four posts on his blog there, which highlight that despite all the attention being lavished on Facebook, Google, WhatsApp and other American internet companies, the most ignored threat to the privacy of Canadians is the Government.

Government information security practices are laughable, fear of the cloud means that public servants have to use insecure USB storage devices to move data, the regulatory regime is antiquated and not up to the task, and the Privacy Commissioner spends a disproportionate amount of time chasing Silicon Valley companies. It's a perfect storm that's not getting adequate attention.

The Privacy Act is completely not up to the task. If the Commissioner needs order-making powers and the ability to levy fines, that power should be directed to the government where her sensible advice is sorely needed and often ignored.

Privacy is generally about choice: you get to choose with whom you share your information, what they can do with it and with whom it can be disclosed. But personal information protection by governments is dramatically different from the private sector. If I don't like my bank's practices, I can go to another bank. If I don't like how Twitter or Facebook work, I can shut down my accounts or go somewhere else. Individuals do not have any choice about their governments. If you are disabled and want benefits you paid for, you have no choice but to go to HRSDC, which is -- by all appearances -- contemptuous of your privacy. In my view, governments have a much higher duty to protect your privacy because choice has been completely removed from the equation. It's time that government starts living by the same rules they impose on your bank and the Internet boogeymen.

Check Jesse's posts out:

Monday, February 11, 2013

Lawful access dead, says Justice Minister

According to the CBC, Bill C-30 is officially dead and any replacement measure will not have a provision for warrantless access to customer information:

Government killing online surveillance bill - Politics - CBC News

Federal Justice Minister Rob Nicholson says the controversial Bill C-30, known as the online surveillance or warrantless wiretapping bill, won't go ahead due to opposition from the public.

Canadians rallied against the bill after the public safety minister told an opposition MP that he could "either stand with us or with the child pornographers."

"We will not be proceeding with Bill C-30 and any attempts that we will continue to have to modernize the Criminal Code will not contain the measures contained in C-30, including the warrantless mandatory disclosure of basic subscriber information or the requirement for telecommunications service providers to build intercept capability within their systems," Nicholson said.

"We've listened to the concerns of Canadians who have been very clear on this and responding to that."

Nicholson made the announcement after introducing a bill to update provisions that would allow for warrantless phone tapping in emergencies.

Canadian law allows police to wiretap without authorization from a court when there is the risk of imminent harm, such as a kidnapping or bomb threat, but the Supreme Court last year struck down the law and gave Parliament 12 months to rewrite another one.

Friday, February 01, 2013

BC hospital employees point to privacy concerns to prevent outsourcing of transcription services

Once again, a public sector trade union is using supposed privacy concerns as a lever to prevent outsourcing: Hospital Employees’ Union requests investigation into transcription privatization.

Some may recall that it was union pressure to prevent outsourcing services in British Columbia that led to much of the hysteria about the USA PATRIOT Act.