Wednesday, March 27, 2013

It's not your job to collect or retain customer information for the cops

Let me preface this post by saying good on Telus for challenging the police's attempt to use a general warrant, rather than a wiretap authorization, to get text messages in the R v Telus case released by the Supreme Court of Canada (summarized below and in Canadian Privacy Law Blog: Supreme Court of Canada says that wiretap order is required to obtain text messages).

However, I can't help but wonder why Telus chooses to keep text messages for thirty days when other telcos do not. The Court noted:

[6] When Telus subscribers send a text message, the transmission of that message takes place in the following sequence. It is first transmitted to the nearest cell tower, then to Telus’ transmission infrastructure, then to the cell tower nearest to the recipient, and finally to the recipient’s phone. If the recipient’s phone is turned off or is out of range of a cell tower, the text message will temporarily pause in Telus’ transmission infrastructure for up to five days. After five days, Telus stops trying to deliver the message and deletes it without notifying the sender.

[7] Unlike most telecommunications service providers, Telus routinely makes electronic copies of all the text messages sent or received by its subscribers and stores them on a computer database for a period of 30 days. Text messages that are sent by a Telus subscriber are copied to the computer database during the transmission process at the point in time when the text message enters Telus’ transmission infrastructure. Text messages received by a Telus subscriber are copied to the computer database when the Telus subscriber’s phone receives the message. In many instances, this system results in text messages being copied to the computer database before the recipient’s phone has received the text message and/or before the intended recipient has read the text message.

It obviously isn't material to the Court's decision, but I wonder why.

Actors in the private sector, such as internet service providers, often collect and retain information that may be useful for law enforcement or as part of private litigation. You may recall from the Privacy Commissioner's investigation of Nexopia that the kid-focused social networking site retained information indefinitely, at least in part, in case the police asked for it. In my view, that's not ok. It's not a service provider's job to police its customers, nor is it its job to deputize itself as an agent of the state.

So what should service providers do? Here are my thoughts (and comments are welcome):

  1. Don't collect personal information that you don't need just because it could be useful, particularly if it could be useful to law enforcement or to private litigants. Even if you think you may be required to collect it later, that's no justification to collect it now.
  2. Don't keep personal information around any longer than you actually need it. If you are asked for personal information by law enforcement or private litigants, it is much easier to say you don't have it than to go to court to resist providing it (see below).
  3. Don't offer law enforcement unsolicited access to personal information just because you see something suspicious. Unless you come across evidence of fraud against your organization or compelling evidence of a serious crime, it is not your job to hand over reams of information to law enforcement.

    PIPEDA does allow you to disclose personal information to law enforcement on your own initiative under section 7(3) of the law:

    (3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is ...

    (d) made on the initiative of the organization to an investigative body, a government institution or a part of a government institution and the organization

    (i) has reasonable grounds to believe that the information relates to a breach of an agreement or a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed, or

    (ii) suspects that the information relates to national security, the defence of Canada or the conduct of international affairs;

  4. If asked by law enforcement for personal information that is in your custody, don't hand it over without a warrant. This is the diciest situation and PIPEDA offers a bit of guidance. Under section 7(3), you are permitted to disclose personal information without consent in the following circumstances:

    (3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is ...

    (c) required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records;

    (c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that

    (i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,

    (ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or

    (iii) the disclosure is requested for the purpose of administering any law of Canada or a province;

    It must be noted that these provisions are permissive, meaning that they allow you to disclose the information in these circumstances without offending PIPEDA. Nothing in the above requires you to disclose the information. Any compulsion has to come from another statute or rule of law. So, if asked, preserve the information and ask that they return with a warrant. If they have probable cause and a reasonable basis to compel the information, they'll be back.

  5. If you are served with a subpoena for personal information about a customer, you should immediately notify the customer. If you aren't able to, you should resist the disclosure. A subpoena is not a search warrant. In most jurisdictions, any lawyer representing any litigant can print out a subpoena and go to the court to get a fancy-looking stamp on it. All a subpoena means is that you are required to attend at court with the information to have a judge make the final call. There may be no basis for the demand for information, and your organization should avoid any situation where it has provided personal information that it was not legally required to hand over. When the internet service providers in the recent file sharing case resisted disclosure and took the matter to court, they emerged as staunch defenders of their users' privacy. That's certainly better than the alternatives.

Supreme Court of Canada says that wiretap order is required to obtain text messages

The Supreme Court of Canada released its decision this morning in the case of R. v. TELUS Communications Co., 2013 SCC 16.

The question the court had to answer was whether the police should be required to get an interception order under the Criminal Code to obtain the contents of text messages being sent and received by a customer of TELUS Communications. The answer was yes.

TELUS Communications, for reasons that are unclear to me, keeps all customer text messages for thirty days. The police sought from TELUS copies of all text messages sent and received by one of their customers, on a daily, rolling basis. So each day, the telco would have to hand over the text messages from the preceding 24 hours.

Instead of getting an interception order under the Criminal Code, the police used a residual, catch-all provision for a “general warrant”, which is usually only available if there is no other applicable form of order to obtain the information. The majority of the Supreme Court of Canada determined that, notwithstanding that the text messages were provided after the fact and from a cache, it amounted to an interception of private communications and an interception order – with its higher burden on the cops – should be applicable. There are some strong dissents, including from the Chief Justice, which are worth looking at.

Here is the headnote:

Criminal law — Interception of communications — General warrant — Telecommunications company employing unique process for transmitting text messages resulting in messages stored on their computer database for brief period of time — General warrant requiring telecommunications company to produce all text messages sent and received by two subscribers on prospective, daily basis — Whether general warrant power in s. 487.01 of Criminal Code can authorize prospective production of future text messages from service provider’s computer — Whether investigative technique authorized by general warrant in this case is an interception requiring authorization under Part VI of Criminal Code — Whether general warrant may properly issue where substance of investigative technique, if not its precise form, is addressed by existing legislative provision — Criminal Code, R.S.C. 1985, c. C‑46, ss. 487.01.

Unlike most telecommunications service providers, TELUS Communications Company routinely makes electronic copies of all the text messages sent or received by its subscribers and stores them on a computer database for a brief period of time. The police in this case obtained a general warrant and related assistance order under ss. 487.01 and 487.02 of the Criminal Code requiring Telus to provide the police with copies of any stored text messages sent or received by two Telus subscribers. The relevant part of the warrant required Telus to produce any messages sent or received during a two‑week period on a daily basis. Telus applied to quash the general warrant arguing that the prospective, daily acquisition of text messages from their computer database constitutes an interception of private communications and therefore requires authorization under the wiretap authorization provisions in Part VI of the Code. The application was dismissed. The focus of the appeal is on whether the general warrant power can authorize the prospective production of future text messages from a service provider’s computer.

Held (McLachlin C.J. and Cromwell J. dissenting): The appeal should be allowed and the general warrant and related assistance order should be quashed.

Per LeBel, Fish and Abella JJ.: Part VI of the Criminal Code provides a comprehensive scheme for “wiretap authorizations” for the interception of private communications. The purpose of Part VI is to restrict the ability of the police to obtain and disclose private communications.

Telus employs a unique process for transmitting text messages that results in the messages being stored on their computer database for a brief period of time. In considering whether the prospective, daily production of future text messages stored in Telus’ computer falls within Part VI, we must take the overall objective of Part VI into account.

Text messaging is, in essence, an electronic conversation. Technical differences inherent in new technology should not determine the scope of protection afforded to private communications. The only practical difference between text messaging and traditional voice communications is the transmission process. This distinction should not take text messages outside the protection to which private communications are entitled under Part VI.

Section 487.01 of the Code, the general warrant provision, was enacted in 1993 as part of a series of amendments to the Code in Bill C‑109, S.C. 1993, c. 40. It authorizes a judge to issue a general warrant permitting a peace officer to “use any device or investigative technique or procedure or do anything described in the warrant that would, if not authorized, constitute an unreasonable search or seizure”. Notably, s. 487.01(1)(c) stipulates that the general warrant power is residual and resort to it is precluded where judicial approval for the proposed technique, procedure or device or the “doing of the thing” is available under the Code or another federal statute.

Section 487.01(1)(c) should be broadly construed to ensure that the general warrant is not used presumptively to prevent the circumvention of the more specific or rigorous pre‑authorization requirements for warrants, such as those found in Part VI. To decide whether s. 487.01(1)(c) applies, namely, whether another provision would provide for the authorization sought in this case, requires interpreting the word “intercept” in Part VI. “Intercept” is used throughout Part VI with reference to the intercept of private communications. This means that in interpreting “intercept a private communication”, we must consider the broad scope of Part VI and its application across a number of technological platforms, as well as its objective of protecting individual privacy interests in communications by imposing particularly rigorous safeguards. The interpretation should not be dictated by the technology used to transmit such communications, like the computer used in this case, but by what was intended to be protected under Part VI. It should also be informed by the rights enshrined in s. 8 of the Charter, which in turn must remain aligned with technological developments.

A technical approach to “intercept” would essentially render Part VI irrelevant to the protection of the right to privacy in new, electronic and text‑based communications technologies, which generate and store copies of private communications as part of the transmission process. A narrow definition is also inconsistent with the language and purpose of Part VI in offering broad protection for private communications from unauthorized interference by the state.

The interpretation of “intercept a private communication” must, therefore, focus on the acquisition of informational content and the individual’s expectation of privacy at the time the communication was made. To the extent that there may be any temporal element inherent in the technical meaning of intercept, it should not trump Parliament’s intention in Part VI to protect an individual’s right to privacy in his or her communications. The use of the word “intercept” implies that the private communication is acquired in the course of the communication process. The process encompasses all activities of the service provider which are required for, or incidental to, the provision of the communications service. Acquiring the substance of a private communication from a computer maintained by a telecommunications service provider would, as a result, be included in that process.

Text messages are private communications and, even if they are stored on a service provider’s computer, their prospective production requires authorization under Part VI of the Code. If Telus did not maintain its computer database, there is no doubt that the police would be required to obtain an authorization under Part VI to secure the prospective, and in this case continuous, production of text messages. Most service providers do not routinely copy text messages to a computer database as part of their transmission service. Accordingly, if the police wanted to target an individual who used a different service provider, they would have no option but to obtain wiretap authorizations under Part VI to compel the prospective and continuous production of their text messages. This creates a manifest unfairness to individuals who are unlikely to realize that their choice of telecommunications service provider can dramatically affect their privacy. The technical differences inherent in Telus’ transmission of text messages should not deprive Telus subscribers of the protection of the Code that every other Canadian is entitled to.

The general warrant in this case was invalid because the police had failed to satisfy the requirement under s. 487.01(1)(c) of the Code that a general warrant could not be issued if another provision in the Code is available to authorize the technique used by police. Since the warrant purports to authorize the interception of private communications, and since Part VI is the scheme that authorizes the interception of private communications, a general warrant was not available.

Per Moldaver and Karakatsanis JJ.: There is agreement with Abella J. that the police are entitled to a general warrant only where they can show that “no other provision” of the Criminal Code or any other Act of Parliament would provide for the investigative technique, including a substantively equivalent technique, for which authorization is sought. The investigative technique in this case was substantively equivalent to an intercept. The general warrant is thus invalid. Resolution of whether what occurred in this case was or was not, strictly speaking, an “intercept” within the meaning of s. 183 of the Code is unnecessary. A narrower decision guards against unforeseen and potentially far‑reaching consequences in this complex area of the law.

The result is driven by the failure of the authorities to establish the requirement in s. 487.01(1)(c) that there be “no other provision” that would provide for the search. This provision ensures that the general warrant is used sparingly as a warrant of limited resort. In creating the general warrant, Parliament did not erase every other search authorization from the Code and leave it to judges to devise general warrants on an ad hoc basis as they deem fit. Courts must therefore be careful to fill a legislative lacuna only where Parliament has actually failed to anticipate a particular search authorization. The “no other provision” requirement must be interpreted so as to afford the police the flexibility Parliament contemplated in creating the general warrant, while safeguarding against its misuse. There is a need for heightened judicial scrutiny where Parliament has provided an authorization for an investigative technique that is substantively equivalent to what the police seek but requires more onerous pre-conditions. Thus, the test under s. 487.01(1)(c) must consider the investigative technique that the police seek to utilize with an eye to its actual substance and not merely its formal trappings.

The approach to the “no other provision” requirement accepts a measure of uncertainty by tasking judges with the job of inquiring into the substance of purportedly “new” investigative techniques. When uncertainty exists, the police would do well to err on the side of caution. General warrants may not be used as a means to circumvent other authorization provisions that are available but contain more onerous pre-conditions. Judges faced with an application where the investigative technique, though not identical, comes close in substance to an investigative technique covered by another provision for which more rigorous standards apply should therefore proceed with extra caution. Where careful scrutiny establishes that a proposed investigative technique, although similar, has substantive differences from an existing technique, judges may grant the general warrant, mindful of their obligation under s. 487.01(3) to impose terms and conditions that reflect the nature of the privacy interest at stake.

A literal construction of s. 487.01(1)(c) must be rejected. Such an approach strips the provision of any meaning and renders it all but valueless. Legislative history confirms that general warrants were to play a modest role, affording the police a constitutionally sound path for investigative techniques that Parliament has not addressed. Ensuring that general warrants are confined to their limited role is the true purpose of s. 487.01(1)(c). While the “best interest” requirement in s. 487.01(1)(b) serves to prevent misuse of the general warrant, this provision should not be interpreted as swallowing the distinct analytical question that the “no other provision” test asks. A purposive approach to s. 487.01(1)(c) has nothing to do with investigative necessity. Under the “no other provision” test, the police are not asked to show why an alternative authorization would not work on the facts of a particular case, but rather why it is substantively different from what Parliament has already provided.

In this case, the general warrant is invalid because the investigative technique it authorized was substantively equivalent to an intercept. What the police did — securing prospective authorization for the delivery of future private communications on a continual, if not continuous, basis over a sustained period of time — was substantively equivalent to what they would have done pursuant to a Part VI authorization. It was thus, at a minimum, tantamount to an intercept. Though there is no evidence to suggest that the police acted other than in good faith, the police failed to meet their burden to show that the impugned technique was substantively different from an intercept. On the facts here, the general warrant served only to provide a means to avoid the rigours of Part VI. The police could and should have sought a Part VI authorization.

Per McLachlin C.J. and Cromwell J. (dissenting): The question of whether what the police did under this general warrant is an interception of a private communication is one of statutory interpretation. When the text of the statutory provisions is read in its full context, it is clear that the general warrant does not authorize an interception that requires a Part VI authorization. While there is no doubt that the text message is a private communication and that text messages here were intercepted by Telus by means of an electro-magnetic, acoustic, mechanical or other device, the police in this case, did not intercept those messages when Telus turned over to them copies of sent and received messages previously intercepted by Telus and stored in its databases. Therefore, the investigative technique authorized by the general warrant in this case was not an interception of private communication.

Fundamental to both the purpose and to the scheme of the wiretap provisions is the distinction between the interception of private communications and the disclosure, use or retention of private communications that have been intercepted. The purpose, text and scheme of Part VI show that the disclosure, use or retention of intercepted private communications is distinct from the act of interception itself. That is, if disclosure or use of a private communication were an interception of it, there would be no need to create the distinct disclosure or use offence. Similarly, the exemptions from criminal liability show that Parliament distinguished between interception on one hand and retention, use and disclosure on the other.

In this case, it is not disputed that Telus was intercepting text messages when it copied them for its own systems administration purposes. However, it is also agreed that Telus lawfully intercepted private communications. Under the general warrant, the police sought disclosure from Telus of information that it had already lawfully intercepted. The general warrant did not require Telus to intercept communications, but to provide copies of communications that it had previously intercepted for its own lawful purposes. As the scheme of the legislation makes clear, disclosure or use of a lawfully intercepted communication is not an interception. It is inconsistent with the fundamental distinction made by the legislation to conclude that the police were intercepting private communications when Telus provided them with copies of previously intercepted and stored text messages. The distinction in the statute between interception and disclosure cannot be dismissed as a mere “technical difference”. The distinction is fundamental to the scheme of the provisions. When Telus turns over to the police the copies of the communications that it has previously intercepted, Telus is disclosing the communications, not intercepting them again. This disclosure by Telus from its databases cannot be an interception by the police.

Acquiring the content of a previously intercepted and stored communication cannot be an interception because that broad reading is inconsistent with the clear distinction between interception and disclosure in the provisions. Applied broadly, this interpretation of “acquire” would extend the scope of investigative techniques which require wiretap authorizations far beyond anything ever previously contemplated. Further, introducing a temporal aspect of interception would confuse the act of interception with the nature of its authorization. Interception is a technique, a way of acquiring the substance of a private communication. It could not be that exactly the same technique, which acquires information in exactly the same form may be either a seizure of stored material or an interception, depending on the point in time at which the technique is authorized.

The general warrant is not one of limited resort that should be used sparingly. On the contrary, as numerous authorities have acknowledged, the provision is cast in wide terms. Therefore, it is not accepted as an imperative that s. 487.01 must be interpreted with a view to heavily restricting its use. The focus of the inquiry is on two matters (in addition of course to reasonable grounds to believe that an offence has been committed and that information concerning the offence will be obtained): is authorization for the “technique, procedure or device to be used or the thing to be done” provided for in any other federal statute and is it in the best interests of the administration of justice to authorize it to be done? Section 487.01(1)(c) provides that a general warrant may issue if “there is no other provision . . . that would provide for a warrant, authorization or order permitting the technique, procedure or device to be used or the thing to be done”. The words “technique”, “procedure”, “device to be used” and “thing to be done” all are concerned with what the police want to do, not why they want to do it. This paragraph does not require issuing judges to consider whether other techniques are similar or allow access to the same evidence; it simply asks if the same technique can be authorized by another provision. This is not simply a narrow, literal interpretation of s. 487.01. Rather, it is an interpretation that reflects its purpose of conferring a broad judicial discretion to authorize the police to “use any device or investigative technique or procedure or do any thing”, provided of course that the judge is satisfied that it is in the best interests of the administration of justice to do so, having due regard to the importance of the constitutional right to be free of unreasonable searches and seizures. However, courts should not authorize anything the police seek to do simply because it is not authorized elsewhere. The judicial discretion to issue the warrant must give full effect to the protection of reasonable expectations of privacy as set out under s. 8 of the Charter.

There is no support in the text or the purpose of s. 487.01(1)(c), or in the jurisprudence, for building into it a “substantive equivalency” test. The paragraph asks a simple question: Does federal legislation provide for “a warrant, authorization or order permitting the technique, procedure or device to be used or the thing to be done”? Where this threshold is met, the judge is entitled to consider granting the requested authorization. The further question of whether the authorization ought to be granted is not the focus of this paragraph of the section. Rather, whether a general warrant ought to issue is properly considered under s. 487.01(1)(b), which asks whether authorizing the warrant would be in the best interests of the administration of justice. This approach is not only supported by the text, purpose and jurisprudence, but the application of a “substantive equivalency” test creates unnecessary uncertainty and distracts the issuing judge from the question of whether the technique sought to be authorized is inconsistent with the right to be free from unreasonable searches and seizures. Predictability and clarity in the law are particularly important in the area of judicial pre-authorization of searches. The primary objective of pre-authorization is not to identify unreasonable searches after the fact, but to ensure that unreasonable searches are not conducted. The requirements for pre-authorization should be as clear as possible to ensure that Charter rights are fully protected.

The technique sought to be authorized here is not the substantive equivalent of a wiretap authorization. On the facts of this case, a wiretap authorization alone would not allow the police to obtain the information that Telus was required to provide under the general warrant. Three separate authorizations would be required in order to provide the police with the means to access the information provided to them under the general warrant. Therefore, even if one were to accept reading into s. 487.01(1)(c) a “substantive equivalency” test, neither the facts nor the law would support its application in this case.

The police did not seek a general warrant in this case as a way to avoid the rigours of Part VI. The general warrant achieved the legitimate aims of the police investigation in a much more convenient and cost-effective manner than any other provision would have allowed. There is no evidence of “misuse” of s. 487.01. The effective and practical police investigation by a relatively small municipal police force was fully respectful of the privacy interests of the targets of the investigation and other Telus subscribers.

Friday, March 22, 2013

Microsoft releases first "transparency report" with stats on law enforcement user data requests

Following the lead of Google, Twitter and Facebook, Microsoft has released its first "Transparency report" which provides some visibility into the number of law enforcement requests for user data it receives and what its policies are regarding the disclosure of such data: 2012 Law Enforcement Requests Report. Well done, Microsoft.

Now let's see some Canadian telcos follow suit.

Thursday, March 21, 2013

Government's data management practices are badly broken

I've written in the last little while about how we need to put the government under the same level of scrutiny that has been given to the private sector, especially in light of the nature of the relationship citizens have with the government. It's nice to see others share that view.

Tyler Morgenstern has a guest blog over at OpenMedia.ca that's well worth reading: What the media is missing: Government privacy breaches | OpenMedia.ca:

... Over the past several months, we’ve seen time and again that this government’s data management practices are badly broken. Yet it continues to pursue a policy agenda that erodes legislated privacy protections at every turn, opening up new deficiencies and vulnerabilities.

This mismatch between privacy-invasive policies and privacy-deficient practices puts all Canadians at risk of fraud, identity theft, and other privacy-related crimes. As Jesse Brown recently pointed out in a series of blog posts for Maclean’s, what the Canadian government needs isn’t necessarily more information; it’s better, more secure, and more accountable ways of managing the information they already have.

We’re long overdue for a serious discussion about what kind of solutions should be in play across government. And even more importantly, we need to think long and hard about what kind of policies, regulations, best practices, and accountability mechanisms are needed to ensure that those solutions put the privacy of Canadians first.

Saturday, March 16, 2013

Class action against LinkedIn for password breach dismissed for lack of harm

Earlier this month, a US district court judge dismissed a $5 million class action lawsuit brought against LinkedIn related to the breach of its password database. (Here's the decision [PDF].) The plaintiffs claimed that LinkedIn failed to use industry-standard best practices to secure passwords (salting and hashing) and also argued that LinkedIn Premium members paid for, but didn't get, a premium level of security.
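For readers who are not engineers, the "hashes and salts" complaint is worth making concrete. The leaked 2012 LinkedIn file consisted of unsalted SHA-1 hashes, which means every user with the same password had the same hash, and one precomputed table cracked them all at once. The script below is an added illustration and not code from the decision or from LinkedIn; the two user names and the shared password are constructed sample data. It contrasts the bare-hash scheme with a per-user random salt and a deliberately slow key-derivation function (PBKDF2), and counts the attacker's work in each case.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users who happen to share the same password.
USERS = {"alice": "Summer2012!", "bob": "Summer2012!"}


def unsalted_sha1(password: str) -> str:
    """The weak scheme: a bare SHA-1 digest. Identical passwords give identical hashes,
    so one lookup table cracks every user at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(leaked: dict, wordlist) -> dict:
    """Attacker side against unsalted hashes: hash each candidate word once,
    then match the whole leaked table against it."""
    table = {unsalted_sha1(w): w for w in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


def salted_pbkdf2(password: str, salt: bytes, iterations: int) -> bytes:
    """The recommended shape: a random per-user salt plus a slow, iterated hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str, iterations: int = 200_000) -> dict:
    """What the service stores: salt, cost parameter and derived hash, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "hash": salted_pbkdf2(password, salt, iterations)}


def verify(record: dict, password: str) -> bool:
    """Login check; compare_digest avoids leaking the match position through timing."""
    candidate = salted_pbkdf2(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def crack_salted(records: dict, wordlist):
    """Attacker side against salted records: no shared table is possible, so every
    (user, word) pair costs a full PBKDF2 run. Returns (recovered, hash computations)."""
    found, cost = {}, 0
    for user, rec in records.items():
        for w in wordlist:
            cost += 1
            if hmac.compare_digest(salted_pbkdf2(w, rec["salt"], rec["iterations"]), rec["hash"]):
                found[user] = w
                break
    return found, cost


if __name__ == "__main__":
    leaked = {u: unsalted_sha1(p) for u, p in USERS.items()}
    print("unsalted: alice and bob share a hash?", leaked["alice"] == leaked["bob"])
    print("cracked:", crack_unsalted(leaked, ["password", "Summer2012!"]))
    records = {u: make_record(p, iterations=10_000) for u, p in USERS.items()}
    print("salted: hashes differ?", records["alice"]["hash"] != records["bob"]["hash"])
    print("login ok:", verify(records["alice"], "Summer2012!"))
```

Salting removes the shared lookup table, and the iteration count makes each remaining guess expensive; the two together are the "industry-standard best practice" the plaintiffs were referring to. The iteration count is a tuning knob: the default above is arbitrary and should be raised as hardware gets faster.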

What is most interesting about this case is how typical it is of many privacy-related class actions. Some security snafu results in a password database being compromised, so the service provider has to notify users and reset passwords. Seldom is the breach associated with actual misuse that causes actual harm to the user, other than some angst and the bother of having to reset passwords. But the most important thing is that there is no actual, discernible harm to the user: no out-of-pocket costs and no detected fraud against the user.

Negligence law, under which most of these claims are founded, is based on a breach of a legal duty that results in harm. If you have no harm, you have no negligence -- at least in law. So in this case, counsel for the plaintiffs argued that this was actually a breach of contract based on the LinkedIn terms of use. The argument was that premium members contracted for premium security. The judge dismissed this argument, finding that premium members were promised the same security as free members. The court also said that, even in contract cases, the degree of harm suffered by the plaintiff is relevant:

... in cases where the alleged wrong stems from allegations about insufficient performance or how a product functions, courts have required plaintiffs to allege “something more” than “overpaying for a ‘defective’ product.” Plaintiffs do not argue that they did not receive security services; rather, they argue the security services were defective in some way, as evinced by the 2012 hacking incident. This is not the case where consumers paid for a product, and the product they received was different from the one as advertised on the product’s packaging. Because Plaintiffs take issue with the way in which LinkedIn performed the security services, they must allege “something more” than pure economic harm. This “something more” could be a harm that occurred as a result of the deficient security services and security breach, such as, for example, theft of their personally identifiable information. [citations omitted]

The court also dismissed the argument that the harm suffered by the plaintiff was a risk of future harm. This argument suggests that the password breach meant that the plaintiff was now at risk of identity theft or other financial fraud, and this is a harm in and of itself. The Court said:

C. Increased Risk of Future Theory

Plaintiff Wright offers an additional theory of injury-in-fact to support her claim of standing. She contends that, as a result of the 2012 hacking incident and the posting of her password on the Internet, there is now an increased risk of future harm. The Court finds that standing on this ground has not been met because these allegations have not been alleged in the FAC. Plaintiff Wright merely alleges that her LinkedIn password was “publicly posted on the Internet on June 6, 2012.” In doing so, Plaintiff Wright fails to show how this amounts to a legally cognizable injury, such as, for example, identity theft or theft of her personally identifiable information.

This case highlights an important characteristic of most data breaches that aren't directly linked to financial harm: it is difficult to show any kind of harm that the courts will consider compensating. That doesn't mean that the right facts will show up one day to permit a court to open the door, but for now privacy class actions are likely to be more of a nuisance to the defendant than a clear path to compensation for putative plaintiffs.

For more background, see: Infosecurity - LinkedIn's $5M class-action data breach lawsuit dismissed.

Friday, March 15, 2013

US federal district court judge rules National Security Letters are unconstitutional

The Electronic Frontier Foundation is reporting that a US Federal District Court judge in San Francisco has ruled that National Security Letters are unconstitutional as a violation of the First Amendment of the US Constitution and the separation of powers. The Judge's order has been stayed for 90 days to permit the federal government time to appeal.

National Security Letters (NSLs) are a form of administrative subpoena that can be issued by a senior official of the FBI, which requires the recipient to provide non-content or transactional information and is usually accompanied by a gag order.

According to EFF's media release, Judge Susan Illston ordered that the FBI stop issuing NSLs and cease enforcing the gag provision in this or any other case.

From the EFF: National Security Letters Are Unconstitutional, Federal Judge Rules | Electronic Frontier Foundation

A copy of the Judge's decision is available here, also on the EFF website.

Thursday, March 14, 2013

Canadian government's new standard on privacy and web analytics

The CBC is reporting on the Canadian Government's relatively new Standard on Privacy and Web Analytics, which was launched earlier this year. The Treasury Board standard is already in effect, but government departments are being given time to adjust their contracts with outside providers of web analytics services.
The key privacy provisions are set out in Appendix A, and Section 3.2 of Appendix A sets out the requirements that government departments must impose on third-party service providers:
3.2 That contract must, at a minimum, contain provisions meeting the requirements as set out below.
a. A definition of "personal information" as meaning information collected or generated in the performance of the contract about an individual, including the types of information specifically described in the Privacy Act and also including information that may be linked or is linkable to an individual such as the website visitor's IP address.
b. A requirement that the third party appoint an officer within the organization to act as representative for all matters related to personal information and that the name and contact information for this third-party contact be provided to the government institution within 10 days of the awarding of the contract.
c. A requirement that the third party provide all of its employees, contractors and subcontractors with information on their privacy obligations when dealing with personal information disclosed or transmitted in relation to the work being performed under the contract or subcontract (the "work").
d. A requirement that the third party depersonalize the IP address prior to its storage in order that the full IP address cannot be reconstituted. This must be done through irrevocable truncation of the last octet of the IP address or through some other methodology that offers comparable privacy protection and has been approved by the Chief Information Officer Branch of the Treasury Board of Canada Secretariat.
e. A requirement that the third party not link, or attempt to link, the IP address or some unique identifier associated with a digital marker with the identity of the individual computer user.
f. A requirement that the depersonalized IP address, along with other data disclosed to the third party for Web analytics, be used only in accordance with the work, and that no subsequent uses or reuses of such data for any other purpose be allowed without the institution's express prior written authorization.
g. A requirement that the third party not disclose or transfer the depersonalized IP address or any other data disclosed to it except in accordance with the work, with the express prior written authorization of the institution, or if required to do so by law.
h. A requirement that the third party use only first-party cookies.
i. A requirement that the third party be prohibited from using techniques such as, but not limited to, interlinking, cross-referencing, data mining or data matching from multiple sources on the personal information collected in relation to the work, unless expressly pre-authorized to do so, in writing, by the government institution.
j. A requirement that the third party have security in place for the personal and depersonalized information that is at least commensurate with the Policy on Government Security.
k. A requirement that the third party safeguard the depersonalized IP address and other information disclosed in relation to the work, and that this information be retained for a maximum period of 6 months, after which time that information, including any backup copies, must be destroyed.
l. An audit provision whereby the third party may be audited at least once annually, at a date to be determined by the Government of Canada, to ensure compliance with these requirements.
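Item (d) is the one with real engineering content: the analytics provider must "irrevocably" truncate the last octet of the visitor's IP address before storage. The script below is an added illustration and not part of the standard or of any vendor's product. For IPv4, dropping the last octet means keeping a /24, which leaves 256 candidate hosts. The standard is silent on IPv6, and dropping only the last 8 of 128 bits would leave 256 candidates inside a /64 that usually belongs to a single subscriber, so the IPv6 prefix length used here (/48) is an assumption of the kind that would count as "some other methodology" needing Chief Information Officer Branch approval. The sample addresses are from documentation ranges.

```python
import ipaddress

# Bits retained after truncation. IPv4 /24 is exactly "drop the last octet" as the
# standard describes. The IPv6 value is an assumption for illustration: dropping only
# the last octet of a 128-bit address would provide almost no protection.
KEEP_BITS = {4: 24, 6: 48}


def _network_of(ip: ipaddress._BaseAddress, prefix: int) -> str:
    """Zero every bit after `prefix` and return the resulting network address as text."""
    net_cls = ipaddress.IPv4Network if ip.version == 4 else ipaddress.IPv6Network
    return str(net_cls((int(ip), prefix), strict=False).network_address)


def depersonalize_ip(addr: str) -> str:
    """Store this instead of the full address. Truncation is irreversible: the
    discarded bits are gone, unlike a hash, which can be brute-forced over 2^32 IPv4 values."""
    ip = ipaddress.ip_address(addr)
    return _network_of(ip, KEEP_BITS[ip.version])


def truncate_last_octet_only(addr: str) -> str:
    """Literal reading of item (d) applied to either version: zero only the final 8 bits."""
    ip = ipaddress.ip_address(addr)
    return _network_of(ip, ip.max_prefixlen - 8)


def remaining_candidates(addr: str, dropped_bits: int) -> int:
    """How many original addresses map to the same truncated value (the anonymity set)."""
    ip = ipaddress.ip_address(addr)
    return 2 ** min(dropped_bits, ip.max_prefixlen)


def depersonalize_log_line(line: str) -> str:
    """Apply truncation to a constructed access-log line whose first field is the client IP."""
    client_ip, rest = line.split(" ", 1)
    return f"{depersonalize_ip(client_ip)} {rest}"


if __name__ == "__main__":
    # Constructed sample log lines using documentation address ranges.
    for line in ("198.51.100.77 GET /en/index.html 200",
                 "2001:db8:abcd:1234:5678:9abc:def0:1 GET /fr/index.html 200"):
        print(depersonalize_log_line(line))
    print("IPv6, last octet only:", truncate_last_octet_only("2001:db8::1234:5678"),
          "candidates:", remaining_candidates("2001:db8::1", 8))
    print("IPv6, /48:", depersonalize_ip("2001:db8::1234:5678"),
          "candidates:", remaining_candidates("2001:db8::1", 80))
```

Two caveats a contracting department should check for. First, "irrevocable" rules out substituting a hash or an encrypted copy for the truncated address: a hash of a 32-bit IPv4 address can be reversed by exhaustive search in minutes, so it is not comparable protection. Second, truncation must happen before the address reaches persistent storage, including request logs and backups, or item (k)'s six-month destruction clause will be doing work that item (d) was meant to make unnecessary.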

Private member's bill introduced to give Privacy Commissioner order-making powers

On February 26, 2013, Charmaine Borg introduced Private Member’s Bill C-475 (41-1), an Act to amend the Personal Information Protection and Electronic Documents Act (order-making power), to the House of Commons. Bill C-475 is expected to see its first hour of debate at Second Reading on Monday, April 15th, 2013 and a vote on second reading is expected before the end of May.
The Bill proposes to amend PIPEDA to:
  1. Require organizations to notify the Privacy Commissioner of any breach to the security of personal information where there is a possible risk of harm to the affected individual(s);
  2. Allow the Privacy Commissioner to order organizations to notify affected individual(s) of a data breach if an appreciable risk of harm is found;
  3. Create order-making powers to be used by the Privacy Commissioner to enforce the Personal Information Protection and Electronic Documents Act in the event that an organization mishandles the personal information of Canadians ; and
  4. Empower the Federal Court to impose fines in cases of non-compliance with an enforcement order issued by the Privacy Commissioner.
I'm in favour of breach notification as long as the threshold is high enough to prevent "false positives" but low enough so that individuals are alerted when the breach is likely to actually affect them. I'm not in favour of giving the Privacy Commissioner general order making powers, particularly in the absence of completely revising the structure of the office to ensure that the somewhat contradictory powers of advocate, cop, prosecutor, judge, jury and executioner are not given to the same person.
While private members' bills historically don't go anywhere, it will be interesting to watch the debate over this one.


Tuesday, March 12, 2013

Insurance company inadvertently discloses personal information to complainant’s employer

In PIPEDA Report of Findings # 2012-009, the Office of the Privacy Commissioner of Canada considered a complaint brought by an individual against an insurance company for the disclosure of personal information to the complainant’s employer without her consent. The complainant was employed at a hair salon and was contemplating leaving her employer to set up a competing business. The complainant contacted an insurance company to obtain quotes on insurance for the new business and specifically requested that the company not call her back at her current workplace. Notwithstanding this direction, the company did, and left a voice mail in the employer’s general inbox. The contents of the voice mail message were heard by the complainant’s employer, who terminated the complainant’s employment.

The Assistant Commissioner found that there had been a disclosure of personal information without her consent, so the complaint was “well founded”. The Assistant Commissioner made specific recommendations to the insurance company, and it ultimately agreed to 1) implement a new procedure that minimizes the amount of information that employees leave in client telephone messages, and 2) amend existing procedures to ensure client contact information and messaging preferences are updated regularly to maintain accuracy. Because the insurance company agreed to implement these procedures, the complaint was also found to be “resolved”.

Privacy Commissioner faults two summer camps for exchanging information about camper

In two related complaints against two summer camps, the Assistant Privacy Commissioner of Canada faulted the camps for exchanging information about a camp applicant without adequate consent. In PIPEDA Report of Findings #2012-007, the parent of a prospective camper complained to the Office of the Privacy Commissioner of Canada because the camp contacted another summer camp that the child had attended previously. The camp in question first stated that it had not contacted the second camp at all, but that exchanging such background information was relatively standard in its business and, if it had, it would have had adequate consent by virtue of the privacy policy and privacy statement that were available to the complainant.

In speaking with the second camp, the Assistant Commissioner determined that the exchange of background information had taken place, notwithstanding the company’s initial statements. With respect to adequate consent, the Assistant Commissioner reviewed the relevant privacy statements and concluded they were too vague and uncertain to result in consent for this sort of information collection. The Assistant Commissioner recommended that the camp obtain better consent for such collections and uses of personal information, and provide privacy training to employees. The recommendations were accepted and the complaint was determined to be “well founded and conditionally resolved”.

With respect to the second summer camp, which had disclosed information to the first summer camp, the Assistant Commissioner found in PIPEDA Report of Findings # 2012-008 that it had violated PIPEDA. Specifically, the complainant alleged that it had disclosed the former camper’s personal information without consent. The camp admitted that it had disclosed the information, but stated it was a standard practice and that adequate consent had been obtained. The Assistant Commissioner examined the camp’s privacy statements and concluded the information was minimal and not a sufficient basis for consent.

The Assistant Commissioner concluded that the complaint was “well founded and conditionally resolved”, as the camp agreed to follow her recommendations to implement a better policy and to provide employee privacy training.

Tuesday, March 05, 2013

Google adds (rounded) numbers for National Security Letters on its Transparency Report

Again, Google leads the way in transparency about government demands for user information.

This time, they've added numbers for National Security Letters (a form of administrative subpoena that the FBI can use to get non-content information about users). The numbers are not precise, apparently because reporting actual information about NSLs is illegal under the relevant statutes. But some information is better than no information.

Check out the official Google blog post about this addition to the Transparency Report: Official Blog: Transparency Report: Shedding more light on National Security Letters.