Saturday, May 26, 2012

White paper compares government access to cloud data in ten jurisdictions

In the last week, law firm Hogan Lovells released a very interesting white paper on government access to cloud data across ten jurisdictions, mainly focused on debunking many of the myths associated with the USA Patriot Act. The white paper was released in association with a Round Table on Government Access to Data with European policy makers at the Openforum Academy.

More information is available at the Hogan Lovells Chronicle of Data Protection: Hogan Lovells White Paper on Governmental Access to Data in the Cloud Debunks Faulty Assumption That US Access is Unique : HL Chronicle of Data Protection.

Here's the white paper: A Global Reality: Governmental Access to Data in the Cloud -- A comparative analysis of ten international jurisdictions.

Tuesday, May 15, 2012

Globe & Mail: Lawful Access bill should be sent back to the drawing board

John Ibbitson's column in the Globe & Mail suggests that Bill C-30 should be sent back to the drawing board since it will never be passed in its present (comatose) state. Once re-drafted from scratch, it should be introduced by a different minister because of the way Vic Toews mishandled it the first time:

Tory law-and-order agenda meets its match online - The Globe and Mail

The Internet surveillance legislation sponsored by Public Safety Minister Vic Toews has disappeared down a dark legislative hole. For all intents and purposes, the bill is dead.

If the Harper government still wants to pass a law that would make it easier for police to track people who use the web to commit crimes, it will have to start from scratch.

That new bill, if there is one, will probably be shepherded by a different minister. That’s how much damage this botched legislation inflicted on the government and on Mr. Toews.

Bill C-30, also known as the lawful access legislation, would allow police to compel Internet service providers to cough up identifying information about anyone using the Internet.

The authorities would not be able to track a person’s activity on the web without a warrant. But they could find out whose name is attached to an IP address without that warrant, and without the person’s knowledge or consent, which is why both the federal and provincial privacy commissioners strongly objected to the bill as an unjustified violation of privacy rights.

Many Tory MPs are also said to be unhappy with the bill. They wonder why the government would abolish both the mandatory long-form census and the long-gun firearms registry in the name of privacy rights, and then violate those same rights with a bill that lets the government snoop on people who go online.

Mr. Toews responded to the criticism by declaring critics “can either stand with us or with the child pornographers.” This was fatal. As the Public Safety Minister reeled from online attacks – including from a Liberal staffer who tweeted the details of his divorce – the government hastily retreated, declaring the bill needed further study.

What has happened since? Nothing. And that nothing is everything.

Normally, after a bill receives first reading, debate begins on second reading, which is approval in principle. Once the bill passes second reading, it goes to a committee, where only minor amendments are permitted before the bill returns for third and final reading.

Instead of this usual route, House Leader Peter Van Loan decided to send C-30 to the public safety committee first, where it is supposed to be extensively revised, before returning to the House for second and third reading.

But before any of that can happen, the rules state that the House must debate the motion to send the bill to committee. That debate must last at least five hours – in effect, one sitting day.

But that debate hasn’t happened. And sources report that it won’t happen before the House rises for summer recess. That makes C-30 dead in the water.

Of course, the Conservatives could decide to send C-30 to the public safety committee in the autumn. But it would take months to rewrite the bill, and then weeks to get it through second and third reading, before the bill went to the Senate for further study.

Long before then, Stephen Harper is expected to prorogue Parliament in preparation for a new Throne Speech. With that prorogation, Bill C-30 will quietly expire.

Before proroguing the House, Mr. Harper is expected to shuffle his cabinet. Public Safety is near the top of the list of portfolios in need of a fresh face. A new minister will have the job of putting together a new lawful-access bill, one that doesn’t unite opposition parties, privacy commissioners and the Tory caucus.

To assuage these concerns, the new bill will have to restrict the right of police to acquire any information about someone’s online identity without first obtaining a judicial warrant.

“If they truly removed the warrantless access provisions of the bill, across the board, then we would be delighted to sit with the government and work with them on additional amendments that we would still be seeking, but that would be doable,” said Ann Cavoukian, Ontario’s Information and Privacy Commissioner, in an interview.

But C-30 in its present form will never become law. The Conservatives’ law-and-order agenda has finally had a comeuppance. It was delivered by everyone who wants to be left alone online.

Friday, May 11, 2012

Cloud Computing and the Patriot Act: A Red Herring?

The 2012 International Association of Privacy Professionals Canada Symposium has just wrapped up. I had the pleasure of giving a presentation on cloud computing and the USA PATRIOT Act with Lindsey Finch, the Senior Global Privacy Counsel with salesforce.com. Our presentation is here:

Cloud Computing and the Patriot Act: A Red Herring?

Cloud computing is revolutionizing the information technology industry by providing cost savings, flexibility and innovation. But many Canadian companies are concerned that use of cloud computing services may cause them to violate Canadian privacy laws, particularly because of potential non-Canadian government access to data stored in the cloud. Join our expert panel as they address persistent Canadian myths regarding cloud computing and privacy, discuss how cloud computing services can be used in compliance with Canadian privacy laws and the real impact of the Patriot Act, and provide tips to use during RFP cycles and contractual negotiations.

Lindsey Finch, CIPP/US, Senior Global Privacy Counsel, salesforce.com
David T.S. Fraser, Partner, McInnes Cooper, Halifax

What you’ll take away:

  • Learn how to manage privacy risk and legal compliance in cloud computing decisions, including both public and private sector privacy laws
  • Understand the similarities and differences between U.S. and Canadian government powers to access data in the course of a terrorism investigation and how the two governments share data to assist each other in such investigations
  • Learn when Canadian privacy law permits the transfer of personal information outside of country for processing purposes
  • Leave with a checklist, based on established best practices, to facilitate decisions about moving information to the cloud and a checklist to use in a RFP or contract with a cloud provider

Most of the other conference presentations are here.

Tuesday, May 08, 2012

Privacy icons a la creative commons

A group of law students have put together a scheme of icons to describe in a succinct way a website's privacy practices (much like the creative commons icons), so you'll know at a glance what to expect. Check it out: Privacy Simplified.

One big problem, however, is that they are binary (yes/no). For example, there is no "not applicable" option if the website does not collect user data.

Interesting nonetheless.

Monday, May 07, 2012

Alberta Court of Appeal finds applying provincial privacy law to picket-line activities unconstitutional

You may recall in September of last year when the Alberta Court of Queen's Bench declared portions of the province's Personal Information Protection Act to be unconstitutional (See: Alberta court declares portions of provincial privacy law unconstitutional). As expected, the case was appealed and the Court of Appeal has just recently handed down its decision. In United Food and Commercial Workers, Local 401 v Alberta (Attorney General), 2012 ABCA 130, the Court of Appeal upheld the decision of the Court of Queen's Bench.

The Court of Queen's Bench had found that the exception in the Act for journalistic collection was too narrowly drafted, as it required that the collection of personal information be for journalistic purposes and for no other purposes. This was an unreasonable restriction; if the collection were, in part, for journalistic purposes, then the Act should not restrict or regulate it. The Court of Appeal, in contrast, concluded that the purposes were not really journalistic, but were nevertheless constitutionally protected freedom of expression.

[58] The Act contains no general exemption for forms of expression that are constitutionally protected. To the extent that the exemptions in the Act are not sufficient to permit the type of collection and use of information engaged in by the union, its constitutionality should be analyzed directly, not indirectly through an artificial screen of journalistic purposes. Whether the restrictions on the union’s expression are demonstrably justified in a free and democratic society should not be based on the premise that a journalistic purpose was involved. The issue is whether it is justifiable to restrain expression in support of labour relations and collective bargaining activities such as existed here.

[59] In summary, it is not helpful to analyze this situation as “journalism”. Not every piece of information posted on the Internet qualifies. If the union wished to publish information about the activities on the picket line in a newspaper or on television, that would likely qualify as journalism. But that need not be decided here, because that is not what the complaints were about.

The collection of information at a picket line is inherently expressive and is limited by the Act:

[67] It is clear that there are many aspects of the Adjudicator’s order that had a direct impact on the right of the union to free expression:
  • Newsletters and strike leaflets are entirely expressive; preventing the use of the images in them was a serious infringement on free expression;
  • Spreading news of the existence of the strike, and attempting to dissuade people from entering the casino are essentially expressive activities;
  • The use of the vice president’s image was also expressive. Satire has always been a powerful form of persuasion;
  • Education of union members, and providing information to other unions is expressive at its core.

Dissuading people from crossing the picket line, enhancing morale of the strikers, deterring violence and threats, and achieving a favourable end to the strike are all legitimate purposes supported by the right to free expression. Persuading people to think or act in a certain way is a direct purpose of free expression.

[72] The union has established a prima facie breach of its s. 2 Charter rights. Are the provisions of the Act demonstrably justified in a free and democratic society? Is the Adjudicator’s decision unreasonable because its effect on the union’s expressive rights is disproportional? To paraphrase Doré at para. 66, the appellant must demonstrate that the Adjudicator’s decision gave due regard to the importance of the expressive rights at issue, both in light of the union’s right to expression and the public’s interest in open discussion.

In order to determine if the infringement of the freedom guaranteed in s. 2 of the Charter is justified, the Court carried out the traditional Oakes test and found the legislation wanting in the proportionality branch of the test:

[77] There is, however, a problem relating to proportionality. The constitutional problems with the Act arise because of its breadth. It does not appear to have been drafted in a manner that is adequately sensitive to protected Charter rights. There are a number of aspects to the over-breadth of the Act:
  • It covers all personal information of any kind, and provides no functional definition of that term. (The definition of “personal information” as “information about an identifiable individual” is essentially circular.) The Commissioner has not to date narrowed the definition in his interpretation of the Act in order to make it compliant with Charter values.
  • The Act contains no general exception for information that is personal, but not at all private. For example, the comparative statutes in some provinces exempt activity that occurs in some public places.
  • The definition of “publicly available information” is artificially narrow.
  • There is no general exemption for information collected and used for free expression.
  • There is no exemption allowing organizations to reasonably use personal information that is reasonably required in the legitimate operation of their businesses.

This appeal clearly demonstrates the impact that the Act can have on protected rights. The legitimate right of the union to express itself and communicate about the strike and its economic objectives have been directly impacted by the Adjudicator’s order. The appellant has not demonstrated why this heavy handed approach to privacy is necessary, given the impact it has on expressive rights.

The result is that the Court declared that the application of the Act to the union's constitutionally protected activities was unconstitutional.

This case will almost undoubtedly be appealed to the Supreme Court of Canada. Stay tuned.

It's also notable that the decision contains the following observation, quoted above but worth restating: "There is no exemption allowing organizations to reasonably use personal information that is reasonably required in the legitimate operation of their businesses." This statement was not necessary for the determination of the case under appeal, but potentially has significant consequences for the future.

Friday, May 04, 2012

FBI seeking wiretap-ready internet, like Canada

There's a lot of buzz around the internet on the FBI's quiet effort to have the Communications Assistance to Law Enforcement Act expanded beyond traditional telcos to include anyone who provides communications services online. (See: FBI: We need wiretap-ready Web sites -- now.)

If this sounds oddly familiar to Canadians, it should. While most of the buzz about Bill C-30 was connected to warrantless access to subscriber information, a large part of the Bill requires any telecommunications service provider to provide real-time, simultaneous access to transmissions. What's under-reported is the incredibly expansive definition of "telecommunications service provider", which depends on other definitions as well:

“telecommunications facility” means any facility, apparatus or other thing that is used for telecommunications or for any operation directly connected with telecommunications.

“telecommunications service” means a service, or a feature of a service, that is provided by means of telecommunications facilities, whether the provider owns, leases or has any other interest in or right respecting the telecommunications facilities and any related equipment used to provide the service.

“telecommunications service provider” means a person that, independently or as part of a group or association, provides telecommunications services.

This definition, though convoluted, is pretty broad and goes well beyond what many would consider to be traditional telcos.

So before you look south of the border and sneer about the FBI's latest initiative, look toward Ottawa as well.

Monday, April 30, 2012

Alberta Commissioner faults Calgary police employee for logging into colleague's personal e-mail account

The Office of the Information and Privacy Commissioner of Alberta has found that a civilian employee violated the province's public sector privacy law by logging into a police service employee's personal e-mail account.

Here's a summary of ORDER F2012-07 [PDF], made against the Calgary Police Service:

Summary: The Complainant was a civilian employee with the Calgary Police Service (“Public Body”). In March 2010, the Public Body’s HR consultant was informed by the Complainant’s manager that several of the Complainant’s coworkers had made allegations about the Complainant’s behavior at work, including allegations of inappropriate sexual conduct.

The Public Body began to monitor the Complainant’s computer activities, as well as reviewing her past work email activity. While reviewing her work email, the IT Security Manager (“IT Manager”) found a personal email that the Complainant had sent to a family member, which included the login ID and password information for the Complainant’s personal web-based email account. The IT Manager used this information to access the Complainant’s personal email account and found photographs of a sexual nature, which appeared to have been taken on the Public Body’s premises. The IT Manager copied these photographs, and provided them to the Complainant’s manager and the HR consultant. These photographs were used in the Public Body’s decision to terminate the Complainant’s employment, and were also used by the Public Body during the subsequent grievance process.

The Complainant made a complaint to this office, stating that the Public Body collected, used, and disclosed her personal information in contravention of Part 2 of the Freedom of Information and Protection of Privacy Act (“FOIP Act”). Specifically, the Complainant objected to the Public Body accessing her personal email account, and the subsequent collection, use, and disclosure of photographs found by the Public Body in that email account.

The Public Body argued that the collection of the Complainant’s personal information occurred during the course of investigating the allegations of workplace misconduct against the Complainant, and that the subsequent use and disclosure of the photographs found in the Complainant’s personal email account were for the same purpose as they were collected.

The Adjudicator found that the Public Body collected the Complainant’s login ID and password to her personal email account in the course of reviewing the Complainant’s work email, to which the Complainant did not object. However, the Adjudicator found that the use of the Complainant’s personal email login ID to access the Complainant’s personal email was not for the purpose of employee management, since the IT Manager had not been requested to monitor the Complainant’s personal email, rather only her work email. There was also no evidence of wrongdoing that would justify accessing a personal email account. The Adjudicator also noted that even were the use of the Complainant’s personal information for the purpose of the workplace investigation, a Public Body may only use personal information to the extent necessary to carry out its purposes in a reasonable manner; logging in to the Complainant’s personal web-based email account was exceptionally invasive, and patently unreasonable in the circumstances.

The Adjudicator found that the collection of the photographs from the Complainant’s personal email account could not be considered separately from the fact that they were collected from the Complainant’s personal email account. Because the photographs, even if relevant to the workplace investigation, were found as a result of an unauthorized use of personal information, their collection and subsequent use could not be justified as “necessary” for the purpose of the Public Body’s investigation.

The Adjudicator determined that the Complainant’s personal information was not disclosed to, but rather used by, various employees of the Public Body. The Adjudicator had already determined that the use was not authorized under the Act, but found that even if the personal information had been disclosed to the employees, the disclosure would not have been authorized, for similar reasons.

Friday, April 27, 2012

CSIS oversight and accountability to be slashed to save $1M

One of the arguments made in favour of Bill C-30 by the government when it was introduced was that it had accountability: Internal audits and a veneer of oversight by the Office of the Privacy Commissioner of Canada. Accountability is key.

Now, it is being reported that the federal government is eliminating the position of Inspector General of the Canadian Security Intelligence Services. (See: CSIS watchdog to be cut in budget - Politics - CBC News). It's hard to believe that the government is committed to oversight and accountability in the use of incredibly intrusive powers when steps such as these are taken.

What's worse is that it is being done for fiscal reasons and will only save $1,000,000. If you ask me, that's a million dollars well spent.

Sunday, April 08, 2012

RIM reportedly gives Indian government access to full range of BlackBerry messages

The Toronto Star is reporting that RIM has agreed to provide the Indian Government with access to the full range of Blackberry communications (RIM gives India access to BlackBerry messages - thestar.com). The article this is based on (http://indiatoday.intoday.in/story/govt-to-tap-blackberry-messenger-security-privacy/1/183403.html) suggests that the Indian Government has been given some sort of backdoor into Blackberry Enterprise Servers, which is something that RIM has staunchly refused to do until now.


If this is true, the era in which Blackberry was the ultra-secure communications platform is over.


This also shows that what was once Blackberry's main strength is also its greatest weakness. Blackberry is a system and RIM controls everything, from the device to the servers. If they compromise one aspect of it, the whole system is compromised. On my Android phone, on the other hand, I can configure just about anything, including what VPN to use and what communications apps to run.

Tuesday, April 03, 2012

House committee looking to require telcos and device manufacturers to decrypt communications

Bill C-30, with warrantless access to subscriber data and real-time internet monitoring, is the tip of the iceberg if the recommendations of the House Committee on Justice and Human Rights are followed. In a report just issued, The State of Organized Crime [PDF], the committee recommends changes to the law to require telcos to provide access to unencrypted communications:

RECOMMENDATION

The Committee recommends that the Government of Canada pursue legislation requiring telecommunications service providers and telecommunications device manufacturers to build the ability to intercept telecommunications into their equipment and networks.

RECOMMENDATION

The Committee recommends that the Government of Canada introduce legislation requiring telecommunications service providers and telecommunications device manufacturers to decrypt legally intercepted communications or to provide assistance to law enforcement agencies in this regard.

From the Montreal Gazette:

Proposal would force telecoms to decrypt messages

Telecommunications companies would be forced to decrypt messages for law-enforcement agencies if the federal government legislates recommendations outlined in a report by a House standing committee.

"Law-enforcement agencies are way behind, or have been way behind, in the ability to deal with the new modes of communications," said Conservative MP Dave MacKenzie, chair of the House standing committee on justice and human rights.

The report, the State of Organized Crime, states that although telecommunications can be intercepted, the service providers don't always release standardized information to law-enforcement agencies.

The committee argues that federal legislation could address this lack of standards by furthering ideas found in Bill C-30, the online surveillance bill.

"When you're dealing with organized crime, they're very well-funded and well-organized .... They move communications abilities around in different ways: passing cellphones around is just the very beginning," said MacKenzie.

NDP MP Jack Harris added: "There has to be some sort of modernization of the law with respect to surveillance. We've got laws with respect to telephone surveillance and some of those laws should apply to use of other electronic devices, whether they be cellphones, emails and things like that."

The committee wants federal legislation requiring both telecommunications service providers and their manufacturers "to decrypt legally intercepted communications or to provide assistance to law enforcement agencies in this regard."

Under the committee's plan, all telecommunications companies would have to have access to decryption techniques or tools - something that wasn't provided for in Bill C-30.

Bill C-30 would require service providers to have the ability to intercept communications on their networks and to provide this information in the form specified by law enforcement.

Typically, law enforcement would want encrypted data decrypted to facilitate use of the information gathered.

Encryption is often used by organizations - both lawful and criminal - to protect the transmission of sensitive and private information.

As it stands, some service providers do not have the tools or techniques to decrypt these communications, exempting them from the requirement to provide decrypted information to police.

Although Harris said he believes that surveillance methods need to be updated, he has doubts about making decryption abilities mandatory.

"It certainly may be impractical and perhaps technologically infeasible," he said.

Telecommunication companies seemed to share that worry.

"Our primary concern in this area has always been the capacity of industry to implement any new requirements and who bears the cost," said Bell Canada spokesperson Jacqueline Michelis.

Should the recommendation become legislated, telecommunications manufacturers also would be affected.


Updated (April 4, 2012) - Apparently the article has been removed from the Gazette, Vancouver Sun and other PostMedia sites ...


Michael Geist adds:

The report includes a dissenting opinion from the NDP on the lawful access recommendations. There does not appear to be a similar dissent from the Liberals, who were represented on the committee by Irwin Cotler. Postmedia covered the release of the report but the article is no longer available on its media sites. The article included specific comments from Bell that suggest its primary concern associated with these demands boils down to questions of who will bear the costs. A company spokesperson stated "our primary concern in this area has always been the capacity of industry to implement any new requirements and who bears the cost." That is a troubling position for many Canadians who rightly expect their telecom companies to also be concerned with the privacy of their customers. After the outcry in February over Bill C-30, many also expected the government to be open to change on lawful access, yet this report suggests that the changes may not be what many were anticipating.