Tuesday, April 29, 2014

Government demands telco customer data more than a MILLION times per year

Paul McLeod of the Halifax Chronicle Herald and Alex Boutilier of the Toronto Star have both reported on a dramatic revelation made by Interim Privacy Commissioner Chantal Bernier after testifying before a Senate committee about Bell Canada's new privacy policy.

Following previous revelations, I would have expected a relatively high number but this is an order of magnitude more than I expected.

Bernier disclosed that law enforcement (and presumably national security agencies) ask Canadian telecommunications providers for customer information more than A MILLION times a year. That statistic comes from a report provided to Bernier's predecessor, Jennifer Stoddart, by the CWTA, which combined the answers of nine telcos to questions put by Stoddart to 12 telcos which refused to answer individually. The purpose for combining their answers was clearly to prevent any particular telco being singled out. The report was received by Jennifer Stoddart on December 15, 2011 but has not seen the light of day since then.

The report includes the following:

  • Government agencies requested customer information an average of 1,193,630 times annually.
  • Approximately 784,756 users and accounts were subject to disclosure, based on responses from three of the nine providers. One provider responded that the ratio worked out to 1.74 requests per customer.
  • Telecom companies keep detailed records of access requests by government authorities, but do not report them publicly.
  • Telecom companies responded they are not willing to make this information public.
  • Telecom companies do not report access requests to their customers, when the law allows it. Customers therefore have no way to challenge the access in court.

These numbers are staggering and raises many questions:

  • This staggering number comes from only nine of Canada's 30 telcos. What's the actual number and will we ever know (since government and telcos are refusing to be transparent about this)?
  • How many of these requests were with a warrant and how many were without?
  • Why do telcos keep a database of these requests and under what lawful authority?
  • Why did Jennifer Stoddart not disclose the information sooner, particularly while the horrible "lawful access" Bill C-30 was being hotly debated.

I expect we'll hear much more about this in the coming days.

Monday, April 28, 2014

Presentation on Canada's new Anti-Spam law

For the lawyers who read this blog, this topic may be getting tired but I'm regularly confronted by business folks who have heard very little about Canada's new Anti-SPAM law (CASL). I was asked to give a presentation on the topic on behalf of Digital Nova Scotia as part of its Business 101 seminar series.

For anyone who may benefit, here is my presentation:

Data location doesn't matter: US Federal Judge

Just posted to the Canadian Cloud Law Blog:

Canadian Cloud Law Blog: Data location doesn't matter: US Federal Judge:

In a decision that should not come as a big surprise, a US Federal Court judge has determined that the location of data under Microsoft's custody is not relevant. If Microsoft can produce it, it is required to do so.

As reported in Computerworld, the decision relates to a search warrant that directed Microsoft to produce the contents of one of its customer’s e-mails, where that information is stored on a server located in Dublin, Ireland. Microsoft contended that courts in the US cannot issue warrants for extraterritorial search and seizure, but the judge denied Microsoft's motion to quash the warrant. It argued, in part, that a US court can't issue a search warrant for premises outside of the United States so they should not be able to do so virtually.

However, the Court found that these orders may look like search warrants but they are more like subpoenas. They order an American company to do something entirely in the Unites States:

But the concerns that animate the presumption against extraterritoriality are simply not present here: an SCA Warrant does not criminalize conduct taking place in a foreign country; it does not involve the deployment of American law enforcement personnel abroad; it does not require even the physical presence of service provider employees at the location where data are stored. At least in this instance, it places obligations only on the service provider to act within the United States....

This case, for some Canadian readers will be reminiscent of the Canadian Federal Court decision in eBay Canada Ltd. v. M.N.R., 2008 FCA 348, where the Court ordered eBay in Canada to turn over information about Canadian "powersellers" regardless of the fact that the data was not within the territorial jurisdiction of the Court.

Microsoft is appealing this decision, but for now it stands for the proposition that the location of data is largely irrelevant in determining whether a government can order it to be turned over. The location or nationality of the custodian is much more relevant.

Friday, April 25, 2014

Documents related to the loss of the hard drive from the Office of the Privacy Commissioner of Canada

Readers of this blog may be interested to see the following documents related to the recent loss of a hard drive which occurred while the staff of the Office of the Privacy Commissioner of Canada moved offices from Ottawa to Gatineau:

Thursday, April 24, 2014

Supreme Court upholds Ontario's Information and Privacy Commissioner's order to disclose anonymised sex offender information

The Supreme Court has just issued its decision in the case of Ontario (Community Safety and Correctional Services) v. Ontario (Information and Privacy Commissioner), 2014 SCC 31. The case relates to a request for access to statistical information about the geographic distribution of information about individuals listed on Ontario's sex offender registry.

The requester sought information about the number of people on the list according to the first three digits of postal codes. The province had refused to provide the requester with access, citing the exemptions of the Freedom of Information and Protection of Privacy Act related to privacy and law enforcement information. The IPC found that the information was not subject to such exemptions and should be disclosed. On the ultimate appeal, the Supreme Court of Canada agreed with the Commissioner.

From the headnote:

Access to Information — Exemptions — Confidentiality provisions — Requester seeking disclosure of number of offenders registered under sex offender registry residing in areas designated by first three digits of Ontario’s postal codes — Government institution denying request on grounds of exemptions contained in Freedom of Information and Protection of Privacy Act — Information and Privacy Commission ordering disclosure — Standard of review of Commission’s decision — Whether Commission made reviewable error in interpreting applicable legislation — Whether Commission applied appropriate evidentiary standard with regards to harms‑based exemptions — Freedom of Information and Protection of Privacy Act, R.S.O. 1990, c. F‑31, ss. 14, 67 — Christopher’s Law (Sex Offender Registry), 2000, S.O. 2000, c. 1, ss. 10, 13.

A requester sought disclosure from the Ministry of Community Safety and Correctional Services of the number of offenders registered under its sex offender registry residing within the areas designated by the first three digits of Ontario’s postal codes. The registry is established and maintained under Christopher’s Law (Sex Offender Registry), 2000. The information contained in the Registry is kept confidential by the Ministry and police. The Ministry refused to disclose, citing law enforcement and personal privacy exemptions in the Freedom of Information and Protection of Privacy Act. The Information and Privacy Commissioner held that the exemptions do not apply and ordered disclosure. The Commissioner’s decision was upheld on judicial review and on appeal.

Held: The appeal should be dismissed.

The Commissioner made no reviewable error in ordering disclosure. The applicable standard of review is reasonableness. The Commissioner was required to interpret Christopher’s Law for the narrow purpose of determining whether it contained a confidentiality provision that prevails over the Freedom of Information and Protection of Privacy Act. This task was intimately connected to her core functions. The Commissioner reasonably concluded that the Ministry did not provide sufficient evidence that disclosure could lead to the identification of offenders or of the risks of the harms that the exemptions seek to prevent.

The Commissioner did not grant a right of access that is inconsistent with either Act. Section 67(2) of the Freedom of Information and Protection of Privacy Act does not specifically provide that a confidentiality provision in Christopher’s Law prevails and, although s. 10 of Christopher’s Law is a confidentiality provision, neither it nor any other part of Christopher’s Law prevails over the Freedom of Information and Protection of Privacy Act. Explicit references to Freedom of Information and Protection of Privacy Act in Christopher’s Law indicate that the Legislature considered the manner in which both statutes operate together. Had the Legislature intended the confidentiality provision in Christopher’s Law to prevail, it would have included specific language to that effect. Neither s. 13 of Christopher’s Law nor Christopher’s Law working together with the Police Services Act, R.S.O. 1990, c. P.15, ousts the application of the Freedom of Information and Protection of Privacy Act. The Commissioner did not take too narrow a view of the law enforcement exemptions under s. 14(1)(e) and (l) of the Freedom of Information and Protection of Privacy Act. Based on the evidence and arguments before her, she properly focused on the reasonableness of any expectation that the requested disclosure would lead to the identification of sex offenders or their home addresses. Because the law enforcement exemptions do not apply, the discretion not to disclose a record under s. 14 of the Freedom of Information and Protection of Privacy does not apply.

The Commissioner made no reviewable error with respect to the standard of proof applicable to the law enforcement exemptions. There is no difference in substance between “a reasonable expectation of probable harm” and a “reasonable basis for believing” that harm will occur. The “reasonable expectation of probable harm” formulation simply captures the need to demonstrate that disclosure will result in a risk of harm that is well beyond the merely possible or speculative, but also that it need not be proved on the balance of probabilities that disclosure will in fact result in such harm. The “reasonable expectation of probable harm” formulation should be used wherever the phrase “could reasonably be expected to” is used. The Commissioner reasonably concluded that the Ministry did not prove that the Record could be used to identify sex offenders or that it will ignite among sex offenders a subjective fear of being identified that will lead to lower compliance rates with Christopher’s Law.

Privacy Commissioner loses hard-drive with unencrypted personal information about 800 employees

Mark Goldberg over at Telecom Trends is blogging about an article in the print edition of the Toronto Star (Did Privacy Commissioner lose private information? that reports the Privacy Commissioner of Canada's office lost a hard-drive with the unencrypted personal information on 800 current and former employees.

The loss occurred when the OPC moved offices from downtown Ottawa to Gatineau and apparently went undetected for quite some time. I expect more details will emerge before long.

Of course, this is supreme irony and likely delicious irony to those agencies who the OPC has chided for inadequate security.

It also highlights that the greatest risk to personal information is mobile and portable devices, whether they are computers or phones, or portable storage devices. These things are small, easy to steal and very easy to lose. They are lost and compromised ALL THE TIME. If Canada and the OPC had a comprehensive cloud strategy that kept all the sensitive personal information in secure data centres, behind firewalls and properly secured, this sort of thing would never happen.

Stay tuned for more ...

Wednesday, April 23, 2014

Cyberbullying legislation and freedom of expression

I was invited to lead a discussion at the Canadian Centre for Ethics and Public Affairs on Nova Scotia's cyberbullying legislation and its impact on freedom of expression. It was part of their "everyday ethics" series. Though it was much more of a discussion than a presentation with powerpoint, did did prepare the below presentation which may be of interest to readers of this blog. Feel free to share it.


Monday, April 14, 2014

Sensitive mental health info goes into police databases, shared with US government

The Information and Privacy Commissioner has released her investigation report to allegations that Ontario police are routinely inputting sensitive mental health information into national police databases, which are not only accessible to all Canadian police departments, but also the US Federal Bureau of Investigation and Department of Homeland Security.

You can get the full report here: IPC - Office of the Information and Privacy Commissioner/Ontario | Commissioner Cavoukian calls for Ontario Police Services to stop the indiscriminate disclosure of attempted suicide information.

This indiscriminate disclosure of information is not in compliance with Ontario's privacy laws, she concluded.

Tuesday, April 08, 2014

Updates to Canadian federal privacy law tabled in the Senate

As expected, the government has tabled amendments to the Personal Information Protection and Electronic Documents Act, but this time in the Senate as Senate Government Bill - S-4.

The highlights are breach notification and an exception to the consent rule for business transactions. I'll have more to say once I've given it a thorough going-over. Watch this space.

The Bill is sometimes hard to follow with the amendments out of place and out of context. So, for your handy reference, here is a redline of PIPEDA with the first reading amendments from Bill S-4 in place.

Friday, April 04, 2014

PIPEDA amendments coming next week to a Parliament near you

In a speech at the Digital Canada 150 Launch, Industry Minister James Moore hinted very strongly that amendments to Canada's private sector privacy law is just around the corner. From his speaking notes:

Digital Canada 150 Launch - Canada News Centre

Digital Canada 150 will protect Canadians online.

As we encourage even more individuals and businesses to get online, Canadians need to have confidence that their online transactions are secure, their privacy is protected and their families are safe from cyberbullying and other online threats.

So what's new?

  • Next week I will table new legislation in Parliament to strengthen our laws to better protect the online privacy of Canadians.
  • New cyberbullying legislation will protect our families from invasion of privacy, intimidation and personal abuse.
  • We will make sure the communications networks and devices that connect Canadians will be secure from threats, protecting the privacy of families, business and governments.
  • The anti-spam laws coming into force on July 1 this year will protect Canadians from malicious online attacks.

Watch this space ...

Thursday, April 03, 2014

No expecation of privacy at a nude beach, Ontario judge finds

The latest edition of the Canadian IT Law Association Newsletter (full disclosure: I'm a contributor, but didn't write this piece) has a very good summary of a recent case from Ontario (R v [Redacted on request], 2014 ONCJ 130) that held, among other things, that a person at a nude beach has no expectation of privacy. (See: Nude Beach Photography is not “Voyeurism” - Canadian IT Law Association - l’Association canadienne du droit des technologies de l’information). In this case, the accused was charged with voyeurism under the Criminal Code after he overtly took photographs of people at a clothing optional beach. The accused was found not guilty because he was acting overtly (and not surreptitiously, as the Code requires) and because the complainant did not have a reasonable expectation of privacy.

In particular, the offence required that the accused be acting “surreptitiously” and that he infringe upon the complainant’s reasonable expectation of privacy, and the trial judge found that neither of these requirements were met. Although MW was not aware that her photograph was being taken, the accused was making no attempt to conceal his activities, his camera was not concealed or disguised, the presence of the stroller attracted rather than deflected attention, and the accused’s testimony that he was indifferent to whether other people saw him take photographs was not only uncontradicted but consistent with the facts. Further, although MW testified that she subjectively expected privacy, and although she was annoyed by the accused’s behavior in taking her photograph without permission, her expectation of privacy was not a reasonable one. The beach was a public one which was a clothing-optional one, there were no signs forbidding cameras or the taking of photographs, no City policy addressed the taking of photographs, and indeed many other people at the beach in addition to the accused were taking photographs on that day (including, ironically, MW herself at the time she was being photographed). Although there might have been some evidence that the accused’s behavior was a breach of etiquette and disappointing to some people, this was not the equivalent of a reasonable expectation of privacy. Accordingly the elements of the voyeurism offence were not made out, and for similar reasons the accused was also not guilty of mischief.

U.S. (correctly) identifies some Canadian privacy laws as trade barriers

The United States Trade Representative has released its latest Report on Foreign Trade Barriers [PDF] which specifically identifies certain Canadian provincial privacy laws as non-tariff trade barriers. It points to the public sector privacy laws in British Columbia and Nova Scotia and singles out Canadian federal government procurement of cloud services:

Cross-Border Data Flows

The strong growth of cross-border data flows resulting from widespread adoption of broadband-based services in Canada and the United States has refocused attention on the restrictive effects of privacy rules in two Canadian provinces, British Columbia, and Nova Scotia. These provinces mandate that personal information in the custody of a public body must be stored and accessed only in Canada unless one of a few limited exceptions applies. These laws prevent public bodies such as primary and secondary schools, universities, hospitals, government-owned utilities, and public agencies from using U.S. services when personal information could be accessed from or stored in the United States.

The Canadian federal government is consolidating information technology services across 63 email systems under a single platform. The request for proposals for this project includes a national security exemption which prohibits the contracted company from allowing data to go outside of Canada. This policy precludes some new technologies such as “cloud” computing providers from participating in the procurement process. The public sector represents approximately one-third of the Canadian economy, and is a major consumer of U.S. services. In today’s information-based economy, particularly where a broad range of services are moving to “cloud” based delivery where U.S. firms are market leaders; this law hinders U.S. exports of a wide array of products and services.

This has prompted Daniel Tencer to write in the Huffington Post that "U.S. Pushes Canada To Loosen Privacy Laws". These laws were designed to thwart the USA Patriot Act by requiring public bodies in those jurisdictions to only allow personal information to be stored in Canada and only accessed from within Canada.

As a practitioner of privacy law who has to deal with these statutes on a regular basis, I tend to agree and think the fine citizens of Nova Scotia and British Columbia would be better off without them. I have seen, on many occasions, government functionaries simply say "no" to non-Canadian vendors because of privacy risks they do not understand, denying their citizens access to leading-edge, cost saving technology. It is much simpler and easier to say "no"

The BC law came into being as a result of a public sector trade union objecting to the possible outsourcing of medicare claims processing to the Canadian subsidiary of a US corporation. When the union realized it would not get public support for their jobs, they might be able to create a spectre of the US government getting their mitts on sensitive information under the Patriot Act. The result was the BC legislation. (Ironically, the outsourcing still took place after a very convoluted corporate structure was put in place.)

Similarly, a back-bench NDP politician stood up in the legislature and raised the exact same spectre. A short while later, Nova Scotia passed the Personal Information International Disclosure Protection Act. While the Nova Scotia law is much more flexible than the B.C. statute, both are a ham-fisted response to a really nuanced issue. Instead of asking the question about the real risk to data, the default answer is always "no" when a non-Canadian vendor puts forward a cloud computing solution to a government agency.

If these laws were designed to prevent non-Canadian vendors from getting a piece of government business, they've done that quite well. But they do not actually accomplish the objective of keeping personal information out of the hands of U.S. authorities under all circumstances. To begin with, if the Americans want data that's in Canada, they are likely to get it. Canada, the United States and most western democracies engage in a very high level of cooperation that includes mutual legal assistance treaties and ad hoc information sharing. If US agencies are interested in an individual who has ties to Canada, the Federal Bureau of Investigation can make a formal request of the Royal Canadian Mounted Police or CSIS to obtain the relevant information on their behalf. (Most Canadian privacy laws actually permit this sort of information sharing under treaties or informal arrangements.) And if you are concerned about covert access to this sort of data, American laws do not prohibit federal agencies from infiltrating computers and networks outside of the United States. Some have suggested that information is safer from U.S. authorities in the U.S. because of this.

In addition, any person or corporation with sufficient ties to the United States can be compelled to hand over data regardless of where it is. This can include fully Canadian corporations with assets in the U.S. This can also take place if handing over the data would violate Canadian laws. The Huffington Post article refers to the Canadian federal government's decision to give a massive cloud "shared services" contract to Bell Canada when U.S. vendors were disqualified from even submitting a proposal. Does this make the data "safe" from the Americans? Not really, since the parent company of Bell Canada is publicly traded on the New York stock exchange. They simply can't ignore a U.S. court order.

So what's the solution to this "problem"? It would be the policy that the federal government purports to have, but does not seem to have followed in the shared services contracting. That is to do a full privacy impact assessment in all cases which fully evaluates all of the risks to privacy associated with the project, including what risks that cross-border data flows might introduce. And when I saw all the risks, I mean with a fully-informed understanding of the circumstances under which non-Canadian governments might get their hands on the data. In some cases, the risk introduced by crossing the border may be unpalatable, but at least it is an informed decision.

The current practice of simply saying no to non-Canadian vendors is a non-tariff trade barrier.

Tuesday, April 01, 2014

Charmaine Borg MP introduces private members bill to add breach notification to the federal Privacy Act

Charmaine Borg, the NDP's digital issues critic and the most activist MP in the area of privacy has tabled Bill C-580 to update the federal Privacy Act to require breach notification and a mandatory 5-year review of the Act. More info here: LEGISinfo - Private Member’s Bill C-580 (41-2).

In the wake of so many privacy breaches by federal government departments, I can get onboard with this.