The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

Search this blog

Recent Posts

On Twitter

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

David Fraser's Facebook profile

Privacy Calendar



Subscribe with Bloglines

RSS Atom Feed

RSS FEED for this site

Subscribe to this Blog as a Yahoo! Group/Mailing List
Powered by

Subscribe with Bloglines
Add to Technorati Favorites!

Blogs I Follow

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Friday, September 08, 2006

Pretexting and Canadian law 

Rob Hyndman has some interesting things to say about the whole surveillance fiasco that appears to be blowing up in faces of HP's management. (See: » Blog Archive » Surveillance - is this the HP Way?) I also have to say thanks to Rob for posting a link to the Smoking Gun's reproduction of a letter from one board member who resigned in protest (Hewlett-Packard Targeted Board In Leak Probe - September 5, 2006). That letter includes, as an attachment, a letter from AT&T describing the outcome of their investigation of how someone managed to establish online accounts in the name of the board member to review his calling activity. Apparently, HP's management also hacked the accounts of journalists to get similar info on them (Reporters' records hacked in HP probe CNET

[What follows is very general and should not be taken as legal advice.]

If this case had arisen in Canada, PIPEDA would probably not be much help to go after the pretexter. In connection with an investigation, you can collect personal information without consent under 7(1)(b). And then you can use it without consent under 7(2)(d). The only check on this is likely the "reasonableness" provision in s. 5(3):

An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.

Unfortunately, this section doesn't really speak of the manner of collection. Principle 4.4 of Schedule I, however, says that "Information shall be collected by fair and lawful means." Hacking into a system and impersonating the individual is probably not fair and (see below) lawful.

(I would emphasise that PIPEDA does not apply to private individuals pretexting for their own purposes or to journalists. But the Criminal Code applies to everyone. )

In Canada, our Criminal Code has a number of provisions that could be used to prosecute anyone doing this sort of pretexting. To begin with, there's the fraud section (s. 380) that reads:

Every one who, by deceit, falsehood or other fraudulent means, whether or not it is a false pretence within the meaning of this Act, defrauds the public or any person, whether ascertained or not, of any property, money or valuable security or any service,
(a) is guilty of an indictable offence and liable to a term of imprisonment not exceeding fourteen years, where the subject-matter of the offence is a testamentary instrument or the value of the subject-matter of the offence exceeds five thousand dollars; or

(b) is guilty (i) of an indictable offence and is liable to imprisonment for a term not exceeding two years, or

(ii) of an offence punishable on summary conviction,

where the value of the subject-matter of the offence does not exceed five thousand dollars.

Courts have held, generally speaking, that an individual commits fraud when (a) deceit; (b) unfair disclosure; or (c) unfair exploitation is used to induce any person to part with any property or suffer a financial loss. But is setting up an online account really within "any service"? It's not 100% clear.

The Criminal Code also contains a section dealing specifically with impersonation. Section 403 reads:

403. Every one who fraudulently personates any person, living or dead,
(a) with intent to gain advantage for himself or another person,

(b) with intent to obtain any property or an interest in any property, or

(c) with intent to cause disadvantage to the person whom he personates or another person,

is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years or an offence punishable on summary conviction.

There are also the "hacking" provisions in s. 342.1, which in my experience the crown and police are too bashful to apply to hacking to obtain information:

342.1 (1) Every one who, fraudulently and without colour of right,
(a) obtains, directly or indirectly, any computer service,

(b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system,

(c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or an offence under section 430 in relation to data or a computer system, or

(d) uses, possesses, traffics in or permits another person to have access to a computer password that would enable a person to commit an offence under paragraph (a), (b) or (c)

is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years, or is guilty of an offence punishable on summary conviction.

(2) In this section,

“computer password” means any data by which a computer service or computer system is capable of being obtained or used;

“computer program” means data representing instructions or statements that, when executed in a computer system, causes the computer system to perform a function;

“computer service” includes data processing and the storage or retrieval of data;

“computer system” means a device that, or a group of interconnected or related devices one or more of which,

(a) contains computer programs or other data, and (b) pursuant to computer programs,

(i) performs logic and control, and

(ii) may perform any other function;

“data” means representations of information or of concepts that are being prepared or have been prepared in a form suitable for use in a computer system;

“electro-magnetic, acoustic, mechanical or other device” means any device or apparatus that is used or is capable of being used to intercept any function of a computer system, but does not include a hearing aid used to correct subnormal hearing of the user to not better than normal hearing;

“function” includes logic, control, arithmetic, deletion, storage and retrieval and communication or telecommunication to, from or within a computer system;

“intercept” includes listen to or record a function of a computer system, or acquire the substance, meaning or purport thereof;

“traffic” means, in respect of a computer password, to sell, export from or import into Canada, distribute or deal with in any other way.

Several aspects of this provision make it extremely broad or at least allow a very broad interpretation. The definition of computer service includes data processing and the storage or retrieval of data. Computer system is quite broad, covering every device that contains some software-related functionality. The definition of data is also rather expansive, including data “in a form suitable for use in a computer system,” which would include data in the process of being transmitted, or in offline storage, in addition to data inside a computer.

It may appear that Canadian law is up to the task of dealing with pretexting, but I'd conclude that we could use some clarification. The courts have held that information is not property and there may be enough wiggle room to argue that pretexting doesn't fit within the above sections of the Criminal Code. Perhaps we need an amendment or two to clearly criminalize impersonation of a person to obtain information about that person.

Labels: , ,

Links to this post:

Create a Link

This page is powered by Blogger. Isn't yours? Creative Commons License
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License. lawyer blogs