Saturday, April 27, 2013

I want better and more targeted ads

Perhaps not surprisingly, I spend a lot of time thinking about privacy. I also spend a lot of time thinking about personalization, particularly in online services. When I lived in a village of 500 people in the '90s, I had a personal relationship with the owner of the grocery store, the pharmacy and the general store. They knew what I liked and what I bought. They would often tell me when they were getting in some product that I might like or would even ask me if there was something they could order in for me. They understood their customers and my service could be appropriately personalized.

The internet allows you to massively scale this idea, but much "personalization" of advertising too often misses the mark. Or creeps people out. But it doesn't have to.

If you look at the sort of advertising that often appears on Facebook, you're sometimes left scratching your head. If Facebook knows so much about me, why are the ads so ill-targeted or based on gross demographic assumptions? Ask any woman in her late thirties or forties: their Facebook ad column is full of advertisements for weight loss products and the other sort of junk that appears in Glamour magazine. Some are relevant to many in that demographic, but not to all. Poorly personalized ads are worse than the clutter of untargeted ads since they tend to perturb people. Well-targeted ads are more like information. And this is the information age.

A number of months ago, I was looking for a very good, durable backpack that I could use to schlep my technology and paper-based detritus to and from work that would not look too sporty or out of place in a business environment. I did a lot of searching online and browsing online vendors. It didn't take long before most of the ads I saw were about backpacks and briefcases. I finally bought one that I'm happy with, but for weeks afterwards most of my ads were for backpacks. I wanted to tell them that I'd bought a backpack, I was happy with it and they should move on to anticipating my other needs.

I am really looking forward to better targeted ads, especially location-aware advertising. I will not hesitate to share my location in real-time with an advertising company that I can trust to deliver value to me in exchange for understanding me better. If I am meandering up Spring Garden Road in Halifax with time to spare, I'd appreciate it if my phone let me know that Dugger's menswear is having a sale or a reminder that I'm due for a free coffee at Starbucks with my next check-in on Foursquare. It would be cool to get a notice that I'm within fifty feet of a store where I have in-store credit to spend (and, by the way, they have that widget I was looking for).

If online retailers are really eating the lunches of brick and mortar operations, targeted and location-aware advertising has the possibility of resetting the balance. Online, buying something is a few clicks away, but when I'm travelling in real space I am simply more receptive to serendipity and the possibility of impulse purchases. And if my device knows I'm in a retail district, or outside my usual geography, even more so.

I travel a lot for work and that's where location-aware information could be the silver bullet of convenience with no intrusion. I use TripIt to organize all the details of my travel. It would be great if, along with my itinerary, it would provide me a list of Thai and Indian restaurants near my hotel (because I like 'em) and offer to make a reservation. Better yet would be something social, such as a list of restaurants and stores my friends like in that city. I would be delighted to tell the nice folks at TripIt all sorts of info about what I like when I travel if it would use that info to serve me better. Until then, I'm triangulating among Google Places, FourSquare, Untappd and Yelp. All of them are getting better, but aren't quite there yet.

But the day will come, and I'm actually looking forward to it.

Analysis of the Nova Scotia Anti-Cyberbullying legislation

As I blogged yesterday, the Nova Scotia provincial government has tabled a bill in the provincial legislature to address cyberbullying. The Bill, dubbed the Cyber-safety Act, does a number of notable things. Notably, it is not limited to protecting minors from cyberbullying and is equally available to adult and child victims.

It must be borne in mind that the Bill has only just been tabled, so it may be amended as it works its way through the legislature and its committees.

In the Bill, cyberbullying is defined:

(b) "cyberbullying" means any electronic communication through the use of technology including, without limiting the generality of the foregoing, computers, other electronic devices, social networks, text messaging, instant messaging, websites and electronic mail, typically repeated or with continuing effect, that is intended or ought reasonably be expected to cause fear, intimidation, humiliation, distress or other damage or harm to another person's health, emotional well-being, self-esteem or reputation, and includes assisting or encouraging such communication in any way;

Interestingly, the Bill deems some parents to be cyberbullies themselves if they don't do enough to prevent their minor children from engaging in cyberbullying:

(2) For the purpose of this Act, where a person who is a minor engages in an activity that is cyberbullying and a parent of the person

(a) knows of the activity;

(b) knows or ought reasonably to expect the activity to cause fear, intimidation, humiliation, distress or other damage or harm to another person's health, emotional well-being, self-esteem or reputation; and

(c) fails to take steps to prevent the activity from continuing,

the parent engages in cyberbullying.

Cyberbullying Protection Orders

First of all, the Bill creates "cyberbullying protection orders", which are orders issued by the courts to require an individual to cease activities that will be prescribed in the order. The order can be broad or narrow, and the bill gives the courts wide latitude:

9 (1) A protection order may include any of the following provisions that the justice considers necessary or advisable for the protection of the subject:

(a) a provision prohibiting the respondent from engaging in cyberbullying;

(b) a provision restricting or prohibiting the respondent from, directly or indirectly, communicating with or contacting the subject or a specified person;

(c) a provision restricting or prohibiting the respondent from, directly or indirectly, communicating about the subject or a specified person;

(d) a provision prohibiting or restricting the respondent from using a specified or any means of electronic communication;

(e) an order confiscating, for a specified period or permanently, any electronic device capable of connecting to an Internet Protocol address associated with the respondent or used by the respondent for cyberbullying;

(f) an order requiring the respondent to discontinue receiving service from an Internet service provider;

(g) any other provision that the justice considers necessary or advisable for the protection of the subject.

One thing that I find very interesting -- and disappointing -- is that if the victim is a minor, he or she cannot seek such an order him or herself. His or her parents have to seek the order on their behalf. One would think that at least older teenagers should be able to help themselves, even if their parents don't want to get involved.

A new tort of cyberbullying

Next, the Bill creates a brand-new tort of cyberbullying, which gives a victim of cyberbullying the right to sue in the civil courts for damages. This part is pretty short on details, so I expect the provincial government is leaving it to the courts to sort out.

21 A person who subjects another person to cyberbullying commits a tort against that person.

22 (1) In an action for cyberbullying, the Court may

(a) award damages to the plaintiff, including general, special, aggravated and punitive damages;

(b) issue an injunction on such terms and with such conditions as the Court determines appropriate in the circumstances; and

(c) make any other order that the Court considers just and reasonable in the circumstances.

(2) In awarding damages in an action for cyberbullying, the Court shall have regard to all of the circumstances of the case, including

(a) any particular vulnerabilities of the plaintiff;

(b) all aspects of the conduct of the defendant; and

(c) the nature of any existing relationship between the plaintiff and the defendant.

In addition, the Bill makes the parents of a minor cyberbully jointly and severally liable for all the damages unless the parents are able to show due diligence. It is understandable that the government would include this provision, since young cyberbullies likely do not have any assets of their own (making a civil lawsuit futile), and perhaps to allow plaintiffs to dip into the homeowners or renters insurance policies that parents may have.

(3) Where the defendant is a minor, a parent of the defendant is jointly and severally liable for any damages awarded to the plaintiff unless the parent satisfies the Court that the parent was exercising reasonable supervision over the defendant at the time the defendant engaged in the activity that caused the loss or damage and made reasonable efforts to prevent or discourage the defendant from engaging in the kind of activity that resulted in the loss or damage.

(4) For the purpose of subsection (3), in determining whether a parent exercised reasonable supervision over the defendant at the time the defendant engaged in the activity that caused the loss or damage or made reasonable efforts to prevent or discourage the defendant from engaging in the kind of activity that resulted in the loss or damage, the Court may consider

(a) the age of the defendant;

(b) the prior conduct of the defendant;

(c) the physical and mental capacity of the defendant;

(d) any psychological or other medical disorders of the defendant;

(e) whether the defendant used an electronic device supplied by the parent, for the activity;

(f) any conditions imposed by the parent on the use by the defendant of an electronic device;

(g) whether the defendant was under the direct supervision of the parent at the time when the defendant engaged in the activity;

(h) in the event that the defendant was not under the direct supervision of the parent at the time when the defendant engaged in the activity, whether the parent acted unreasonably in failing to make reasonable arrangements for the supervision of the defendant; and

(i) any other matter that the Court considers relevant.

The tort of cyberbullying would be in addition to any other causes of action that might be brought to bear, including defamation and intentional infliction of emotional distress.

Powers given to the Director of Public Safety

The provincial government has promised, as part of this legislation, to create a specialized unit to combat cyberbullying. This is being done as amendments to the existing Safer Communities and Neighbourhoods Act. This Act has generally been used to deal with crackhouses and the like, but an additional part allows for the designation of "Directors of Public Safety" who will have particular powers to investigate and respond to cyberbullying. (To show how this Act is amended by the bill, I've created a Google doc that shows the proposed changes.)

The Director is given the power to investigate cyberbullying and can seek the assistance of the courts to unmask anonymous miscreants. Once identified, the Director can make an application to the court for a cyberbullying prevention order. The prevention orders are very similar to the protection orders outlined above (I'm not sure why it is duplicated in the Safer Communities and Neighbourhoods Act and the Cyber-safety Act).

It is an offense to defy such an order when issued.

Amendments to the Education Act

The Bill also proposes amendments to the existing Education Act. First of all, it adds the promotion and encouragement of safe and respectful electronic communications to the mandate of the school system. But more importantly, it gives school principals explicit jurisdiction over outside-of-school activities that are disruptive to the school environment:

122 Where a student enrolled in a public school engages in

(a) disruptive behaviour or severely disruptive behaviour on school grounds, on property immediately adjacent to school grounds, at a school-sponsored or school-related activity, function or program whether on or off school grounds, at a school bus stop or on a school bus; or

(b) severely disruptive behaviour at a location, activity, function or program that is off school grounds and is not school-sponsored or school-related, if the behaviour significantly disrupts the learning climate of the school,

the principal, or the person in charge of the school, may take appropriate action as specified in the Provincial school code of conduct policy including suspending the student for a period of not more than five school days.

My overall impression

Overall, I think this legislation is an important step. Up until this Bill was tabled, most of the discussion of the issue recently has focused on possible amendments to the Criminal Code. What I've seen reported about the Rehtaeh Parsons case points to a serious failing on the part of the criminal justice system (and the mental health system), not the criminal law. But in any event, the phenomenon of cyberbullying is a very complicated one, and one that cannot be fixed or even properly addressed by the criminal law alone. This bill specifically puts a degree of responsibility in the school system and provides the means to establish a group of specialists who have appropriate tools to investigate and respond to cyberbullying. Finally, it gives victims and their parents the ability to proceed through the civil justice system for the harm of cyberbullying. Of course, much depends on how this is implemented and I'm sure many here in Nova Scotia will be paying close attention to that.

Thursday, April 25, 2013

Government of Nova Scotia introduces anti-cyberbullying bill

The Government of Nova Scotia today tabled Bill 61 to create the Cyber-safety Act. In response to high-profile cyberbullying incidents in the province, some of which have had tragic outcomes, the Bill seeks to do a number of things, including:

  • Providing for protective orders in cases of cyberbullying
  • Creating a free-standing tort of cyberbullying, for which a young cyberbully's parents are jointly and severally responsible unless they can prove they exercised reasonable supervision
  • Creating cyber-bullying prevention orders

I haven't had a chance to review it clause by clause, but I expect I'll have some comments to add later.

(Added 2013-04-27) To see the "in place" amendments to the Safer Communities and Neighbourhoods Act, I've created a redlined Google Doc.

Newfoundland lays charges against health district employees for record snooping

Charges have been laid in Newfoundland against two individuals employed by separate health districts related to inappropriate and unauthorized access to patient information. I have to say I'm happy to see how seriously many privacy regulators take these sorts of intrusive and unjustified invasions of individual privacy. I'm also happy to see that they are "former employees".

VOCM.COM|Charges Laid in Hospital Privacy Breaches | Article.

The Information and Privacy Commissioner says two people have been charged with offences under the Personal Health Information Act. Two former employees at Eastern Health and Western Health have been charged.

The two individuals are alleged to have improperly accessed the personal health information of a number of patients. The charges are the result of two separate investigations by staff of the Office of the Information and Privacy Commissioner stemming from complaints received in 2012. Both health authorities alerted Commissioner Ed Ring about the privacy breaches when they were discovered. Patients affected by the breaches were contacted by Eastern and Western Health. Audits of electronic medical records were conducted by the boards, and the two separate investigations by the commissioner's staff confirmed that charges are warranted under the Personal Health Information Act. The first appearance involving the former worker at Eastern Health is May 3 in St. John's, and the former employee at Western Health will make a first appearance on May 28 in Corner Brook.

Wednesday, April 24, 2013

Parliamentary Committee releases report on Canadian privacy laws and social media

The House of Commons Standing Committee on Access to Information, Privacy and Ethics has just released its report on Canadian privacy laws and social media: House of Commons Committees - ETHI (41-1) - Privacy and Social Media - Report.

The Report contains a number of recommendations, including the following:

Recommendation 1 - The Committee recommends that the Privacy Commissioner of Canada establish guidelines directed at social media and data management companies to help them develop practices that fully comply with PIPEDA, particularly accountability and openness.

Recommendation 2 - The Committee recommends that the Privacy Commissioner of Canada establish guidelines directed at social media and data management companies to help them develop policies, agreements and contracts that are drafted in clear, accessible language that facilitates meaningful and ongoing consent.

Recommendation 3 - The Committee recommends that the Privacy Commissioner of Canada establish guidelines directed at social media and data management companies to help them put in place mechanisms that ensure individuals have access to any personal information that those companies may hold about them, that limit how long those companies hold on to that information and that facilitate the deletion of such information.

Recommendation 4 - The Committee recommends that the Government of Canada and social media companies continue to provide support to organizations that provide education and training on digital activities and privacy.

Recommendation 5 - The Committee urges social media companies to play a larger role in promoting safe and active online activities that protect the privacy and personal information of individuals, particularly in regard to vulnerable groups such as children and young persons.

Recommendation 6 - The Committee recommends that the Government of Canada and social media companies continue to provide support to organizations dedicated to educating and promoting awareness to children, their parents and teachers to protect their personal information and privacy online.

Recommendation 7 - The Committee recommends that the Government of Canada continue to provide support to digital literacy programs.

The NDP members of the Committee also added the following recommendations:

Recommendation 1: New Democrats recommend that the government grant enforcement powers to the Privacy Commissioner such as order making powers and the authority to impose administrative monetary penalties.

Recommendation 2: New Democrats recommend that the government require all organizations to report data breaches or losses to the Privacy Commissioner where a reasonable person would find that the breach or loss presents any risk of harm to the individuals affected.

Recommendation 3: New Democrats recommend that the government modernize Canadian privacy laws to measure up to privacy protections in comparable democracies and to ensure that the personal information of Canadians is well protected in the digital age.

Recommendation 4: New Democrats recommend that the government review Schedule 1 of PIPEDA to clarify that express consent should generally be sought for disclosure of personal information to third parties and that this is especially necessary where such disclosure is a requirement of an end-user license agreement.

Recommendation 5: New Democrats recommend that privacy issues constitute an essential part of a comprehensive digital economy strategy for Canada.

Recommendation 6: New Democrats recommend that the government consider reviewing PIPEDA and corresponding regulations to encourage organizations to implement the practice of privacy by design.

Recommendation 7: New Democrats recommend that PIPEDA, corresponding regulations, and any relevant statutes be amended to encourage organizations to implement Do Not Track functions.

Recommendation 8: New Democrats recommend that the government continue to study ways in which to best protect the personal information of children online while encouraging that they too benefit from the social, cultural, and democratic benefits of the online world.

Recommendation 9: New Democrats recommend that the government conduct a study on the privacy policy known as the “right to be forgotten” and report back to Parliament.

Edit: The first version of this posting inadvertently only showed the NDP recommendations. Sorry. Fixed that.

Tuesday, April 23, 2013

Statistics on Federal Government data breaches are staggering

According to documents filed in Parliament in response to a request for information filed by the opposition, the Federal Government has experienced thousands of data breaches over the past decade, affecting the personal information of hundreds of thousands of Canadians. And the vast majority were not reported to the affected individuals.

Government data breached thousands of times in last decade, documents say

OTTAWA — The federal government has seen more than 3,000 data and privacy breaches over the past 10 years, breaches that have affected more than 725,350 Canadians, according to documents tabled in Parliament on Tuesday.

The responses from departments, given to the New Democrats in response to an order paper question, also show that less than 13 per cent of all breaches have been reported, including a handful from the Department of Fisheries and Oceans that affected more than 4,400 individuals.

“There may be issues where Canadians have been put at risk and they haven’t been informed,” said NDP critic Charlie Angus, who submitted the written question. “As a standard, we should involve the privacy commissioner when Canadians’ privacy is breached.”

The list, however, is not a complete accounting of breaches, suggesting that the number of breaches may be higher than reported. For instance, the Canada Revenue Agency didn’t provide any numbers, saying that a search of the hard copy records of breaches would be too cumbersome to be completed.

The list also turned up at least three instances where the data loss led to criminal activity, including one at the Public Service Commission in the 2007-2008 fiscal year that led to the termination of a contract with the recycling firm JC Fiber. Another data loss at the Department of Finance ended with one worker being charged with breach of trust.

The Department of Foreign Affairs, according to the documents, has 11 ongoing investigations into data breaches that affect at least 42 individuals.

The tabling of the figures prompted the government to release a statement signed by three cabinet ministers, including two whose departments have either come under scrutiny for losing the information of Canadians: Veterans Affairs Minister Steven Blaney, and Human Resources Minister Diane Finley.

“Our Government takes the privacy of Canadians very seriously, especially the critical importance of the proper handling of sensitive personal information,” Treasury Board President Tony Clement said in the statement.

“We will continue to work closely with the Office of the Privacy Commissioner to ensure that the privacy of Canadians is protected.”

Finley’s department has been dealing with fallout from two data breaches. In one incident, the department lost a portable hard drive with the personal information of about 583,000 Canada Student Loan recipients, including their social insurance numbers. In a second incident, a lawyer on loan to HRSDC from the Department of Justice lost a USB key with personal information about more than 5,000 employment insurance recipients.

Both have prompted investigations by the privacy commissioner, Jennifer Stoddart, who was notified of both incidents.

“This came out of the massive data breach at HRSDC and the fact they spent a number of months keeping it quiet while they searched for it,” Angus said. “Now we see we’ve got well over 3,000 breaches.”

“What we’re seeing here is this about covering the rear-ends of ministers trying to keep their jobs,” Angus said.

Monday, April 22, 2013

Nunavut privacy commissioner to receive expanded powers to investigate privacy complaints

Following the passage of Bill 38, An Act to Amend the Access to Information and Protection of Privacy Act, the Information and Privacy Commissioner will be given new powers to investigate privacy breaches when the bill is proclaimed into force this spring.

You should not be faulted for wondering why this was not a power given to the Commissioner in the first place, but it's not unique. Nova Scotia's Review Officer appointed under the Freedom of Information and Protection of Privacy Act was only recently given such powers.

For more details, see: NunatsiaqOnline 2013-04-19: NEWS: Nunavut information and privacy czar to get more powers.

Wednesday, April 17, 2013

No more virtual strip-searches for Canadian travelers

The Canadian Press and the CBC are reporting that the virtual strip-search machines installed in Canadian airports will have their software upgraded so that passengers will no longer have their nude images presented to screeners. Instead, the technology will project a stick figure with highlights of possible hidden objects. See: 'Naked' airport scans switching to stick figure images - New Brunswick - CBC News.

I expect that passengers who remain concerned about either radiation exposure or the residual intrusion can ask for a manual pat-down. That's what I'll continue to do: if they're going to invade my personal space, I want to look the person in the eye while he does it.

Monday, April 15, 2013

New blog with tips, tricks, gadgets, hacks, miscellany and legal geekery

Pardon the interruption ... normal privacy-related posting will continue after this brief promotional message ...

I recently attended the American Bar Association's annual TechShow in Chicago. The highlight was the annual "60 Tools in 60 Minutes" in which four hard-core geeky lawyers shared their top tips and tools in rapid-fire succession.

Having now seen the 60 Tools show up close and personal, I've been inspired to share some of my own tips, tricks, gadgets, hacks and other miscellany that might be of interest to lawyers and other professionals who like efficiency and technology. Without any further ado: Stuff Dave Likes.

I've already put up a few posts:

I am acutely aware that readers of the Canadian Privacy Law Blog are here to read about privacy and not legal geekery, so I will not be cross-posting unless there really is a crossover. However, if you're into legal geekery please drop by Stuff Dave Likes from time to time. And if there's stuff you like too, let me know about it.

Saturday, April 13, 2013

Investment regulator loses portable storage device containing personal info on 52,000 Canadians

The Investment Industry Regulatory Organization of Canada, the agency that regulates Canada's investment industry, has announced that a portable storage device has been lost containing the personal information of 52,000 individuals.

Their statement says it was an "isolated incident", which it may well be within their organization but it certainly is happening a lot across all industries. Given the publicity surrounding some very high-profile breaches in Canada, it is puzzling that people are still putting sensitive information on portable storage devices.

From the Toronto Star: Investment regulator “regrets” loss of clients’ personal info | Toronto Star.

Wednesday, April 10, 2013

Missing HRSDC hard drive also contained sensitive investigation reports

The Ottawa Citizen is reporting that the hard drive that went missing from HRSDC not only contained files on five hundred thousand student loan applicants, but also contained sensitive investigation reports and corporate business plans.

This story isn't getting any better: Missing hard drive included business plans, financial information and investigative reports on applicants, emails suggest.