The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Monday, October 30, 2006
The most recent Law Times includes an article on different perspectives likely to be presented as PIPEDA is up for its five year review. Included is a brief summary of the suggestions put forward by the Canadian Bar Association:
Law Times: Privacy commissioner needs teeth:
The Canadian Bar Association noted that PIPEDA should follow the tribunal model adopted by the Canadian Human Rights Commission in its recommendations to the Privacy Commissioner last month, elaborating on its formal submission from 2005.
'An impartial, rotating panel should be established with order-making powers and ability to award damages, with a cap on general damages. The Office of the Privacy Commissioner should retain investigative powers and advocacy role. If the commissioner determines that a complaint is 'well founded,' the commissioner should be required to issue a finding within six months and this finding should be referred to the tribunal.
Both complainants and respondents would be able to seek judicial review of a decision of the tribunal,' says the CBA's submission.
Brian Bowman of Pitblado LLP in Winnipeg, chair of the national privacy and access law section of the CBA, told Law Times, 'Currently the privacy commissioner's findings can only be advanced to Federal Court by the complainant or the commissioner with the complainant's consent and there isn't the ability for the organization which, in some cases, has been labelled a privacy infringer by the commissioner . . . to appeal that to the Federal Court.
'The danger is that organizations will be accused of invading privacy by the commissioner but won't be able to take steps to get judicial review to possibly defend themselves.'
Bowman said there has been a lot of debate about the role and powers of the privacy commissioner. "Some would argue that the commissioner has all the power that they need and they simply should use them more fully. We simply took the position that the structure should be changed and a new tribunal should be adopted and that tribunal, however, would have order-making power," he said.
Michael Geist's most recent Law Bytes column in the Toronto Star discusses documents obtained under the Access to Information Act which provide a behind the scenes view of the government and consulted stakeholders on "lawful access". There's no link to the documents themselves, but the column makes interesting reading. See: Michael Geist - Ottawa's Divide and Conquer Strategy for Net Surveillance.
What I find particularly interesting is this:
With the government working to diminish the effectiveness of the privacy community, it is particularly disheartening to learn that officials also recognize that Canadian privacy legislation suffers from serious shortcomings. A Department of Justice memorandum candidly notes that "current privacy laws may not be sufficient to protect Canadians' personal information," acknowledging that "federal privacy legislation is not responsive to new technologies, including the Internet, biometrics, data matching and data mining, video and infrared surveillance, the decoding of the human genome, the need for protection of genetic information and the ability to store and manipulate large personal data banks."This suggests a strong interest in reopening PIPEDA as part of the five year review that's just beginning. Or it suggests that real changes will be put off until after the online privacy task force has completed its work.
Officials are open to reform, stating that "as the privacy and personal information of citizens and businesses is increasingly vulnerable in the online environment, substantive measures to protect personal information need to be considered." Potential solutions apparently considered by the Department of Justice include the establishment of a new Task Force on online privacy.
Sunday, October 29, 2006
The United States District Court for Maryland has recently (October 18, 2006) granted summary judgment against a woman who sued Easyrider magazine for invasion of privacy after a photo of her flashing her breasts at a BBQ attended by one hundred bikers appeared in the magazine. The claim in Barnhart v. Paisano Publications was based on three traditional bases of "invasion of privacy":
"Barnhart’s display of her breasts “cannot reasonably be said to have constituted a private act,” Motz wrote. “She exposed herself at an outdoor fundraising event open to any members of the public who purchased a ticket.”
Her claim that the image presented her in a false light also failed because she never claimed that the picture distorted “her true appearance,” but only that it created the impression she was the sort of person who would consent to posing topless for a magazine, Motz ruled.
Finally, Motz held that Barnhart’s claim for appropriation of her likeness failed because her image has no commercial value. Maryland courts have held that someone whose picture is taken in a public place at a newsworthy event does not have an appropriation claim, the judge noted."
Saturday, October 28, 2006
Both the Toronto Star (TheStar.com - No-fly list cleared for takeoff) and the Globe & Mail (globeandmail.com: No-fly list will add layer of security to air travel) are reporting that the Canadian government is about to release regulations to allow for a "made in Canada" do not fly list.
From the Globe:
globeandmail.com: No-fly list will add layer of security to air travel:
The government says people will be added to the new no-fly list only under specific circumstances: past involvement in a terrorist group and reasonable suspicion of being a threat to air safety; or having at least one conviction for a life-threatening crime against aviation security or another target that would indicate a possible threat to air safety.
The government also said it will set up an efficient, non-judicial appeal process for those who believe their names don't belong on the list and want to be removed quickly. Individuals can also appeal to the Commission for Public Complaints against the RCMP, or take the case to Federal Court.
We'll have to wait and see how exactly this is implemented, but I have one suggestion: the screening should happen when the booking is made, not just when the person shows up at the airport. At least that will provide some opportunity to challenge a decision without having to necessarily miss a flight.
Tuesday, October 24, 2006
The blogosphere has recently been buzzing about what appears to be a growing practice of laptop searches when entering the United States. The NYT had a piece on this yesterday (At U.S. Borders, Laptops Have No Right to Privacy - New York Times) and Boing Boing is linking to it.
It's a long established soverign right to strictly regulate what comes into a country. Increasingly, information has value and is even regulated from both the export perspective and the import perspective. This appears to be a simple extension of customs officers having the right to go through your dirty clothes on your way back from vacation, but certainly has privacy effects.
More and more people keep intimate information on their laptops and crossing a border with one is akin to crossing the border with your personal archives. If they were in paper form, there's no doubt the customs folks would have the right to take a peek. But laptops also often contain information that is a cut above the routine. A lawyer's laptop is full of privileged material and a physician's laptop is full of confidential information. It doesn't sound like there are any protections built into the system to acknolwedge this and that's particularly troubling.
Monday, October 23, 2006
Today's New York Times is running a very interesting article on the next battle over RFID: the mass rollout out proximity-based consumer credit cards. The latest fuss particularly relates to alleged defects in the implementation of RFID that allow researchers (and perhaps malevolent folks) to read cards en clair from a distance. See: Researchers See Privacy Pitfalls in No-Swipe Credit Cards - New York Times.
Sunday, October 22, 2006
Virante, an internet marketing company, has made an interesting proposal to protect the privacy of search engine users. It suggests that users should be able to opt out of having their search tracked by IP address or cookie by appending "#privacy" to the search query. Here's the release from Virante:
Press Release - Search Engine Privacy Standard Proposed To Protect Users:
New website proposes a new search standard, #privacy, to protect user privacy when performing search engine queries.
/24-7PressRelease/ - DURHAM, NC, October 22, 2006 - With recent data leaks at AOL, governments seeking information from Google on its users, and no simple user privacy solutions available, a standard for empowering user search privacy has finally been proposed. PoundPrivacy.org is spearheading a search privacy revolution with its proposed #privacy standard. Our proposal is that the #privacy flag could be added to the end of searches by users to tell the search engine 'don't track this query.' In response, the search engine should not track the user by IP address or cookie, and the query should not be made public in keyword tools. The website carefully addresses the one exception to this capability - queries in which a crime is likely being committed (like the solicitation of child pornography) should be excluded from the #privacy flag.
PoundPrivacy.org contains an open letter addressed to the major four search engines - Google, Yahoo, Microsoft, and Ask - requesting that they adopt the #privacy standard. Additionally, the site offers ideas on ways individuals who agree with the standard can support the campaign, including blogging about it, linking to poundprivacy.org, and sending out emails to friends.
About Virante, Inc.
Virante, Inc., is a leading internet marketing solution provider. For more information please visit Virante Web Marketing Solutions or contact us at Email Virante, (919) 459-1088, 1-800-650-0820.
Also check out www.poundprivacy.org.
UPDATE: Adam over at Emergent Chaos thinks this is a silly idea and I must say I agree with just about everything he says, other than the bit about the goat. I'm sure they're not that expensive.
Emergent Chaos: A Very Silly Idea: #privacy, and poundprivacy.org:
"This is silly on a number of levels:
- It propagates the simplistic 'opt-in/opt-out' thinking that the US marketing industry has been promulgating for decades. Look where that thinking has taken us.
- It defaults all queries to opt-in, implied by absence of an opt-out. Privacy should be a default, and the 'right' way to implement this would be with #trackthis.
- It will be prone to user error (typos) and forgetting. It offers no way to say, set a privacy cookie. Even Doubleclick does that.
- Implementation is left as an exercise for the search engines, who are supposed to both magically not track your queries, and magically track them if you might be violating a law. (I say magically because I have some understanding of how web logs actually work.)
- For some remarkable reason, no search engine has actually bothered to comment on the proposal. Certainly, no one has accepted it yet. So why am I blogging about it?
- Really, this idea is one level above an idea I had at the pub last night. Unfortunately, as it turns out, goats are expensive, and probably won't walk on treadmills. It's a good thing I sobered up before setting up a web site."
Thursday, October 19, 2006
The Federal Court of Appeal yesterday released its decision in Blood Tribe Department of Health v. Canada (Privacy Commissioner). This is the important decision in which the Federal Court had held that the Privacy Commissioner had jurisdiction to review documents that are claimed to be privileged to determine if the privilege was properly claimed in a request for access (FCT case).
The Court of Appeal held (and forgive the bad OCR of a faxed copy of the decision -- a cleaned up version will appear shortly):
(e) How to Deal with a Claim of Solicitor-Client Privilege under PIPEDA
 Section 15 of PIPEDA permits the Commissioner to apply to the Federal Court in relation to any matter referred to in section 14 which in turn encompasses solicitor-client privilege pursuant to subsection 9(3) of that Act (supra, at paragraph 4).
 The Intervener, the Law Society of Alberta, directed the panel to the Supreme Court of Canada of R v, McClure, 2001 SCC 14 [McClure]. That case outlined useful principles to be applied regarding a review of solicitor-client privilege by civil and criminal courts. McClure faced sexual charges from twelve former students, including one 'J.C.' who had also commenced a civil action. In the criminal action, McClure sought production of JC's civil litigation file in order to determine the nature of his allegations and to test his motivation in fabricating or exaggerating incidents of abuse. Major J. outlhed a three stage procedural test to protect the solicitor-client privilege. In the first two stages, the party seeking privileged material must establish that there i s no other compellable source for the privileged information as well as an evidentiary basis upon which to conclude that the information would be legally useful. In the third stage, the judge must then examine the documents and will not release them unless satisfied that they would likely give rise to an issue of relevance pertinent to the ,ultimate disposition of the case.
 In my analysis, the Commissioner's ability to conduct her investigation is not fettered by a rule that protects privileged communication. In circumstances where a broad claim of solicitor client privilege is used as a shield to thwart on investigation, judges of the Federal Court are equal to the task of developing procedures that adequately minimize the potential invasion of the privilege (see also Goodis v. Ontario (Ministry of Correctional Services}, 2006 SCC 3 1 at paragraph 2 1).
 In summay, the Judge erred in adopting a purposive and liberal interpretation of paragraphs 12(l)(a) and (c) of PIPEDA and in adopting AIA principles in a PIPEDA review. The appeal should be allowed, the order of the Judge dated March 8, 2005 should be set aside and the Commissioner's order for production of rccords dated October 22, 2003 should be vacated. Costs to the appellant in this appeal. No costs were sought by the intervener, the Law Society of Alberta.
Yesterday in Toronto, Microsoft publicly released its internal Privacy Guidelines for Developing Software Products and Services. The company has not always enjoyed a reputation as being the most privacy sensitive and the guidelines are said to be based on lessons learned in past experiences (and backlashes). See: Microsoft releases guidelines for customer privacy.
The release has been greeted by a fair measure of cynicism, as is evident by the discussion at Slashdot.
Wednesday, October 18, 2006
As alluded to earlier this week, the Information and Privacy Commissioner of Ontario has released her whitepaper, 7 Laws of Identity: The Case for Privacy-Embedded Laws of Identity in the Digital Age. It's interesting reading but probably will not be comprehensible to lay readers. Here's the media release and links for more info:
IPC - Commissioner Ann Cavoukian unveils plan for privacy-embedded Internet identity
TORONTO – Consumers today are being spammed, phished, pharmed, hacked and otherwise defrauded out of their personal information in alarming numbers, in large part because there are few reliable ways for them to distinguish the “good guys” from the “bad” online.
Dr. Ann Cavoukian, Information and Privacy Commissioner of Ontario, today announced her support for a global online identity system framework by outlining seven far-reaching “privacy-embedded” laws, which would help consumers verify the identity of legitimate organizations before making online transactions.
These laws were inspired by the 7 Laws of Identity formulated through a global dialogue among security and privacy experts, headed by Kim Cameron, Chief Identity Architect at Microsoft. The 7 Laws of Identity propose the creation of a revolutionary “identity layer” for the Internet, providing a broad conceptual framework for a universal, interoperable identity system.
Dr. Cavoukian’s 7 Laws of Identity: The Case for Privacy-Embedded Laws of Identity in the Digital Age incorporates additional key insights from the privacy arena. An extension of the original 7 Laws, they encourage privacy-enhanced features to be embedded into the design of the IT architecture and be made available early in the emerging universal identity system.
The Internet was built without a way to know who and what individuals are connecting to. This limits what people can do and exposes computer users to potential fraud. If the IT industry and government do nothing, the result will be rapidly proliferating episodes of theft and deception that will cumulatively erode public trust. That confidence is already eroding as a result of spam, phishing and identity theft, which leaves online consumers vulnerable to the misuse of their personal information and minimizes the future potential of e-commerce. The Privacy-Embedded Laws of Identity support the global initiative to empower consumers to manage their own digital identities and personal information in a much more secure, verifiable and private manner.
“Just as the Internet saw explosive growth as it sprang from the connection of different proprietary networks, an ‘Identity Big Bang’ is expected to happen once an open, non-proprietary and universal method to connect identity systems and ensure user privacy is developed in accordance with privacy principles,” said Dr. Cavoukian. “Microsoft started a global privacy momentum. Already, there is a long and growing list of companies and individuals who now endorse the7 Laws of Identity and are working towards developing identity systems that conform to them.”
“We are honoured to work with Dr. Cavoukian on this project, who along with us and other IT companies are endorsing global privacy laws and fair information practices,” said Peter Cullen, Chief Privacy Strategist, Microsoft. “Best business practices that ensure both security and identity are what is needed to help keep the Internet’s integrity intact. These 7 Laws, with specific articulation of privacy protections, are a big step in that direction.”
Other privacy-enhanced laws will help to minimize the risk that one’s online identities and activities will be linked together, said Dr. Cavoukian. “We already expect this in the real world when we present a library card, for example, to check out a book, and present our passport to cross a national border. We don’t expect these to be linked together. Nor is the access card we use to enter our office the same as the transit pass we use to board a bus. In the physical world, different transactions require different identity credentials, but they need not be linked together. It should be no different in the online environment.”
The next generation of intelligent and interactive web services (“Web 2.0”) will require more, not fewer, verifiable identity credentials, and much greater mutual trust to succeed.
Identity systems that are consistent with the Privacy-Embedded Laws of Identity will help consumers verify the identity of legitimate organizations before they decide to continue with an online transaction.
These Privacy-Embedded Laws offer individuals:
- easier and more direct user control over their personal information when online;
- enhanced user ability to minimize the amount of identifying data revealed online;
- enhanced user ability to minimize the linkage between different identities and actions;
- enhanced user ability to detect fraudulent messages and websites, thereby minimizing the incidence of phishing and pharming.
Corresponding Privacy-Embedded Principles
Take, for example, Law #1, Personal Control and Consent, which emphasizes that individuals should be in full local control of their own identity information, and exercise informed consent over how their identity information is collected and used by others. One privacy benefit of applying this principle is that identity credentials could be stored locally and securely on a user’s own computer rather than in a centralized online database.
Another example: Law #2, Minimal Disclosure for Limited Use: Data Minimization, speaks to building technical identity systems that minimize the amount of identity information used and disclosed in a given online transaction. In the privacy world, a cardinal rule is that the identification provided should be proportional to the sensitivity of the transaction and its purpose. Why should a credit card number ever be used to verify one’s age? Put another way, why isn’t there a credential that allows people to prove they’re over 65 without revealing all of their other identity information? If someone can prove she is a bona fide university student to gain preferential access to online resources at other educational institutions, then why is her name needed? These privacy-enhanced solutions are all possible under the Privacy-Embedded Laws of Identity.
“We call upon software developers, the privacy community and public policymakers to consider the Privacy-Embedded Laws of Identity closely, to discuss them publicly, and take them to heart,” Dr. Cavoukian declared. “In joining with us to promote privacy-enhanced identity solutions at a critical time in the development of the Internet and e-commerce, both privacy and identity/security will more likely be strongly protected.”
The Information and Privacy Commissioner is appointed by and reports to the Ontario Legislative Assembly and is independent of the government of the day. The Commissioner's mandate includes overseeing the access and privacy provisions of the Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act, as well as the Personal Health Information Protection Act, and helping to educate the public about access and privacy issues.
The LAWS OF IDENTITY The key to this site: an introduction to Digital Identity – the missing layer of the Internet.
The IDENTITY METASYSTEM A proposal for building an identity layer for the Internet
Tuesday, October 17, 2006
The Office of the Privacy Commissioner of Canada has just released another bunch of new findings. I haven't read them yet, but I'll probably have a comment or two when I get a chance:
- "PIPEDA Case summary #346: E-mail message raises questions about purposes, credibility and accountability
- PIPEDA Case summary #345: Private school not covered by PIPEDA
- PIPEDA Case summary #344: Couple's safety deposit box opened in error
- PIPEDA Case summary #343: Insurance company requires property owners to collect tenants' personal information
- PIPEDA Case summary #342: Owner allowed to disclose tenants’ rent information
- PIPEDA Case summary #341: Fees and the role of a medical practitioner considered in denial of access complaint
Monday, October 16, 2006
Anne Cavoukian, the Information and Privacy Commissioner of Ontario, always has interesting things to say. The Canadian Press is running an article foreshadowing a press conference to take place in Toronto on Wednesday:
CANOE -- CNEWS - Tech News: Internet Privacy commish calls for Net ID system
TORONTO (CP) — Ontario Privacy Commissioner Ann Cavoukian warns online fraud is threatening to cripple e-commerce on the Internet.
She says because of the growth of online fraud, the identity infrastructure of the Internet is no longer sustainable.
Cavoukian will hold a news conference in Toronto on Wednesday to outline what could, and should, be done to foster the development of a universal identity system....
I think I need to be convinced that a university identity system is needed and how it will work without becoming incredibly intrusive. But I'll keep an open mind until Wednesday.
MSNBC is running an interesting article on privacy in America. A goodly chunk (60%) of the American population are concerned about the erosion of privacy, but a smaller sliver (7%) actually do anyting about it. It's a rather lengthy article but worth a read: Privacy Lost: Does anybody care? - Privacy Lost - MSNBC.com.
In Canada, I'd say the situation is similar. When asked, most people will say they they worry about their privacy and are concerned about identity theft, but most willingly hand over information without a thought.
Maybe I have a different perception because I deal with privacy issues all day, but there is a notable portion of the population who care and a significant minority who care a lot and are loud about it. Any business that cares about customers and customer service has to focus its efforts on avoiding problems with this loud minority. If you manage your business in such a way that you'll satisfy the rabid privacy folks, you'll actually improve your relationship with those customers who quietly care about privacy but won't pipe up.
Sunday, October 15, 2006
The police force Merseyside, UK is looking into deploying an unmanned aerial drone to crack down on "anti-social behaviour". I guess blanket surveillance at ground level isn't enough: BREITBART.COM - Police want spy planes to fight anti-social behaviour.
The University of San Francisco Law Review Fall Symposium, taking place later this month, is Companies Caught in the Middle: Legal Responses to Government Requests for Customer Information.
A growing number of companies have faced the difficult challenge of preserving their customers’ data in the face of government demands for surveillance assistance. Privacy law specialists from business, academia, non-profits, and private practice will discuss recently adopted solutions and present possible approaches to helping companies reconcile these competing demands. (MCLE credit available).
Albert Gidari, Jr.; Perkins Coie, LLP (Defense Counsel in Gonzales v. Google)
Kevin Bankston Electronic Frontier Foundation
Lothar Determann Baker & McKenzie LLP
Susan Freiwald USF School of Law
Scott Frewing Baker & McKenzie LLP
Chris Hoofnagle Samuelson Law, Technology and Public Policy Clinic
Paul Ohm University of Colorado School of Law
Nicole Ozer American Civil Liberties Union
Hilary Ware Google, Inc.
Pre-Symposium Tutorial, given by Prof. Susan Friewald, USF School of Law
5:30-7:00pm (1.5 MCLE Credits).
9:45-4:00pm (4.0 MCLE Credits).
When arresting someone for identity theft, at least make an effort to make sure you've got the right guy: Identity theft lands wrong man in local jail: Family upset police took a night before realizing mistake.
UPDATE: Fixed the link.
Saturday, October 14, 2006
Yesterday, I had the opportunity to speak at the annual conference of Canadian clinical department administrators from teaching hospitals. The members of this group have an interesting situation, usually occupying positions in both the university and the hospital while coordinating contractor-physicians. This leaves them often having to deal with overlapping privacy laws. To use Nova Scotia as an example, the hospitals and the universities are subject to the information privacy obligations of the Freedom of Information and Protection of Privacy Act. At the same time, the hospital part of their jobs are subject to the provisions of the Hospitals Act governing patient records. Increasingly, they are dealing with incorporated groups of physicians who are contracted to provide particular services to the univesity and the hospital. These groups are (at least partially) subject to PIPEDA. It's a bit of a mess and the discussion following the formal presentation was very interesting. Here's a copy of my presentation, if you're interested.
Friday, October 13, 2006
Swiss Data Protection authorities have found that Swiss banks, usually known for their emphasis on privacy, broke that country's data protection laws for not telling clients that their information could be obtained by third parties via the banks' use of SWIFT. See: Official: Swiss Banks Broke Privacy Law: Financial News - Yahoo! Finance.
According to the Supreme Court's decision in R. v. Shoker (handed down today), a sentencing judge does not have the power to "fill in the blanks" of the Criminal Code to require a probationer to submit to random blood, breath and urine samples to determine if he or she is obeying the condition to abstain from drugs and alcohol. It is up to Parliament to try to devise a scheme that includes adequate respect for the Charter rights of probationers.
R. v. Shoker:
"25 The establishment of these standards and safeguards cannot be left to the discretion of the sentencing judge in individual cases. There is no question that a probationer has a lowered expectation of privacy. However, it is up to Parliament, not the courts, to balance the probationers’ Charter rights as against society’s interest in effectively monitoring their conduct. Since the purpose of s. 8 is preventative, the following principle in Hunter v. Southam Inc.,  2 S.C.R. 145, at p. 169, is particularly apposite here:While the courts are guardians of the Constitution and of individuals’ rights under it, it is the legislature’s responsibility to enact legislation that embodies appropriate safeguards to comply with the Constitution’s requirements. It should not fall to the courts to fill in the details that will render legislative lacunae constitutional.
In this case, the Crown argues that reasonable and probable grounds are not required for the search and seizure of bodily substances from probationers and that the seizure of blood samples is also reasonable. Hall J.A. disagreed. He would have deleted the requirement to provide blood samples as too intrusive and conditioned the requirement to provide urine and breath samples upon the establishment of reasonable and probable grounds. Those are precisely the kinds of policy decisions for Parliament to make having regard to the limitations contained in the Charter. Parliament has specifically addressed the issue of alcohol and intoxicating substances in ss. 732.1(3)(c), (g.1) and (g.2) but it has not provided for a scheme for the collection of bodily samples as it has done in respect of parolees. Such a scheme cannot be judicially enacted on the ground that the court may find it desirable in an individual case. In addition to the constitutional concerns raised by the collection of bodily samples, the establishment of such a scheme requires the expenditure of resources and usually the cooperation of the provinces. This reality is exemplified in this case where the funding for urinalysis has been discontinued in British Columbia rendering the probation condition moot. This is yet another reason why the matter is one for Parliament.
Back over to you, Parliament ....
Thursday, October 12, 2006
BBC News, via Boing Boing! is reporting that a British research instutite is field testing a new surveillance system at an airport in Hungary. The system combines RFID and video surveillance to track people throughout the airport. There are two wrinkles to be worked out: (i) making sure that passengers can't remove or swap their tags and (ii) those pesky things called "civil liberties". Hmm. Might I be so bold as to suggest (i) tracking collars and (ii) saying that only evildoers need worry about civil liberties?
BBC NEWS Technology Air passengers 'could be tagged':
Electronically tagging passengers at airports could help the fight against terrorism, scientists have said.
The prototype technology is to be tested at an airport in Hungary, and could, if successful, become a reality "in two years".
The work is being carried out at a new research centre, based at University College London, set up to find technological solutions to crime.
Other projects include scanners for explosives and dirty bomb radiation.
Dr Paul Brennan, an electrical engineer, is leading the tagging project, known as Optag.
He said: "The basic idea is that airports could be fitted with a network of combined panoramic cameras and RFID (radio frequency ID) tag readers, which would monitor the movements of people around the various terminal buildings."
The plan, he said, would be for each passenger to be issued with a tag at check-in.
He said: "In our system, the location can be detected to an accuracy of 1m, and video and tag data could be merged to give a powerful surveillance capability."
The tags do not store any data, but emit a signal containing a unique ID which could be cross-referenced with passenger identification information. In the future, added Dr Brennan, this could incorporate biometric data.
The project still needs to overcome some hurdles, such as finding a way of ensuring the tags cannot be switched between passengers or removed without notification.
The issue of infringement of civil liberties will also be key.
But potentially, said Dr Brennan, the tags could aid security by allowing airports to track the movement patterns of passengers deemed to be suspicious and prevent them from entering restricted areas.
It could also aid airports by helping evacuation in case of a fire, rapidly locating children, and finding passengers who are late to arrive at the gate.
The "proof of concept" of the system is about to be tested at Debrecen airport in Hungary. If successful, claimed Dr Brennan, it could be available elsewhere within two years.
The new centre will also be investigating a range of other airport security tools.
I have generally stopped reporting privacy and security incidents, since the sheer numbers are overwhelming. But I'll make an exception for this one, since it involves a Canadian university...
Hackers steal personal information from Brock University computers:
The personal information — including some credit card and bank account numbers — of about 70,000 people who gave money to Brock University has been stolen from the school's computers by a hacker.
Terry Boak, Brock's vice-president academic, said the digital intruder had the secret passwords needed to access the file listing of possibly every individual to ever donate to the university.
'It wasn't just someone who hacked in by playing around with it,' Boak said. 'So, you start thinking about how these passwords were obtained.'
Boak said the hacker tapped into the system on Sept. 22 at 5:27 p.m. ET, taking only four minutes to make off with the file containing thousands of names, birthdates and e-mail addresses.
About 90 credit card numbers and some 270 bank account details were also in the file.
Boak said those people were called within 24 hours, while the remaining thousands received a letter in the mail explaining what had happened.The personal information — including some credit card and bank account numbers — of about 70,000 people who gave money to Brock University has been stolen from the school's computers by a hacker.
Terry Boak, Brock's vice-president academic, said the digital intruder had the secret passwords needed to access the file listing of possibly every individual to ever donate to the university.
'It wasn't just someone who hacked in by playing around with it,' Boak said. 'So, you start thinking about how these passwords were obtained.'
Boak said the hacker tapped into the system on Sept. 22 at 5:27 p.m. ET, taking only four minutes to make off with the file containing thousands of names, birthdates and e-mail addresses.
About 90 credit card numbers and some 270 bank account details were also in the file.
Boak said those people were called within 24 hours, while the remaining thousands received a letter in the mail explaining what had happened.
Sunday, October 08, 2006
In another black eye to the Indian call centre industry, a British television show "Dispatches" is reporting on the black market in personal information that has emerged there. From the Disptaches website:
The Data Theft Scandal
In a 12-month undercover investigation, Turton infiltrates criminal networks which trade British consumers' bank and other confidential information for huge profits in India, the world's new call centre capital.
Uncovering the methods used to thieve confidential data ranging from credit card numbers to passport details, Turton exposes the alarming security failures in a number of commercial call centres which allow detailed financial data on individuals to be gathered and sold on with ease. She discovers shocking data protection breaches and a new phenomenon known as 'data farming' – the unauthorised 'harvesting' of personal data to be sold on or exchanged for profit.
This investigation also reveals the scale of some of the call centre scams as Turton is offered hundreds of thousands of 'hot leads', full banking and financial profiles, to purchase.
In the UK, Turton meets a former data thief and people who have fallen victim to this international trade. She also shows her undercover footage and findings to a UK data protection lawyer who is appalled, saying: 'You couldn't scare me more. This is as bad as it gets. This is evidence of serious criminal offences.'
For the response from the Indian call centre industry, see: Indian call center staff sold data, TV show says - Security - News - ZDNet Asia.
In response to the most recent debate over the role of internet service providers as potential agents of law enforcement in Canada (see Bell warns customers about privacy loss with lawful access, et seq), OnlineRights.ca and CIPPIC are calling for all internet service providers to take the ISP Privacy Pledge:
ISP Privacy Pledge
As an Internet Service Provider, we pledge to:
1. Not respond to government/law enforcement requests for personal information about users unless the request is supported by a warrant or court order, or unless the request is being made explicitly under ss.184.4 or 487.11 of the Criminal Code.
2. Not collect personally identifying information about users or monitor user content for law enforcement, national security, or other state purposes except where required by law to do so. If we see evidence of illegal activity, we may notify law enforcement authorities for further action.
3. Notify the subscriber as soon as possible after we receive a legal request or court order for that subscriber's personal information, unless the order does not permit such notification.
This issue has more recently come to the fore in an Ontario application for a search warrant (Canadian Privacy Law Blog: Ontario court considers "lawful authority" under PIPEDA) and I've blogged on a similar topic in Canadian Privacy Law Blog: It's not your job to police your customers.
Simply put, commercial entities such as internet service providers should not arrange their service offerings to act as agents or adjuncts to law enforcement. This does not mean that ISPs should turn a blind eye to criminal activity. If clearly illegal conduct comes to their attention, they can and should report it. I say "clearly" because most commercial entities do not have the nuanced understanding of the law to be able to identify many kinds of allegedly unlawful conduct. Many think that downloading copyright material, such as songs, is illegal but the debate about it rages on in Canada. Whether any content is obscene depends upon a very sophisticated legal analysis, which most ISPs probably don't know, don't understand and aren't trained to apply. Other conduct is more clearly illegal, such as a death threat or sexual depictions of pre-pubescent children. If we expect private companies to make these nuanced judgements, we are opening the door to many "false positives" that may have a chilling effect on the use of the Internet by individual Canadians. If I thought that my ISP was acting as a deputy of the law enforcement apparatus, I may hesitate to post academic debates on religious fundamentalism for fear I may be reported for inciting hatred.
There really isn't anything specifically "anti-law enforcement" in the privacy pledge. It only demarcates the boundary between law enforcement and commercial service providers, who have privileged access to personal information. This boundary already exists in our laws, which provide a balance between the interests of the individual and those of the state. Our Charter and privacy laws provide for specific procedures that must be followed and thresholds that must be met before law enforcement are given access to these troves of data. These are in place to allow individuals to be free from unwarranted intrusions except in specific circumstances. If law enforcement can meet these thresholds, the intrusion is warranted. Deputizing private service providers interferes with that critical balance.
Mathew Englander, who endured the PIPEDA process from a formal complaint to the Federal Court of Appeal, has written an interesting piece for the Ontario Bar Associaton's Eye On Privacy. Mathew always has interesting things to say on the topic and offers a very unique perspective on these issues. He is the only complainant under the Act who has written and spoken about the experience from that perspective. He initiated a complaint and had to deal with carrying the case on his own to the courts. He lost at the Commissioner stage, and at the Federal Court stage. He originally had tens of thousands of dollars of costs levied against him until he finally won at the Federal Court of Appeal.
In his article, he calls for the creation of a specific tribunal to deal with complaints. In the alternative, he calls for changes to the remedies available under the Act:
Remedying PIPEDA: Two Proposals for More Effective and Accessible Privacy Mathew Englander, LL.B.
... First, there should be a procedure whereby a complaint to the Commissioner results in a legally-binding resolution, if the organization agrees to it. For example, the legislation could provide that after the Commissioner issues recommendations, the organization must respond within a set period of time, either accepting or rejecting the recommendations. If the organization rejects the recommendations, then the complainant or the Commissioner can proceed by filing an application in Federal Court. The Commissioner may also choose to publicize the names of organizations that reject the Commissioner’s recommendations on the basis that they have not only contravened the Act, but now expressly refuse to correct their practices. On the other hand, if the organization accepts the recommendations, it would then become legally bound to implement them. The organization could be subject to a fine if it then failed to do so.13 This proposed amendment would not change the ombudsman role of the Commissioner, because it is entirely the organization’s choice whether to accept or reject her recommendations.
Second, Parliament should clarify that the Privacy Commissioner’s report can include a recommendation as to the amount of damages that an organization should pay to the individual as compensation for an infringement of the individual’s PIPEDA rights. At present, the Commissioner’s Office does not make damage recommendations, which would be a useful negotiation point for both individuals and organizations.
Third, the Commissioner should be required to conclude investigations within eight months, not one year.14 Individuals who complain about a breach of their privacy rights do not want a long, drawn-out ordeal. This may require additional funding of the Commissioner’s office to reduce complaint backlogs.
Fourth, complainants should have the option of bringing a complaint directly to the Federal Court. Bypassing the Commissioner would make sense in situations where the complainant believes that it would be an unnecessary delay. In addition, if it emerges in the course of a Commissioner’s investigation that there are other individuals whose rights were breached in the same manner as the complainant, then those other individuals should have the option of bringing the matter to court directly, either individually or as a class proceeding. Under the present system, filing a complaint with the Commissioner would merely delay an anticipated day in court.
Fifth, at the complainant’s option, proceedings under PIPEDA in the Federal Court should be identified by docket number only, not the complainant’s name. The court file in PIPEDA proceedings should be automatically sealed (with only the parties having access), and all hearings should be in camera unless the complainant consents otherwise. Such provisions are necessary because otherwise, the court proceedings themselves could constitute a further violation of the complainant’s privacy.
Sixth, the proceeding in the Federal Court should encourage viva voce evidence, because drafting effective affidavit evidence is difficult for unrepresented lay litigants. Parliament should amend PIPEDA to provide that at the hearing of an application under s. 14, all parties shall be invited to give viva voce evidence.
Seventh, the legislation should provide that costs on a PIPEDA application will not be awarded against an individual unless the individual proceeded on an unreasonable basis.
Thanks to the Canadian Information Technology Law Association's blog (http://www.it-can.ca/blog/?p=70) for ferreting out this interesting case from Ontario.
In Re S.C., 2006 ONCJ 343 (CanLII), a Justice of the Peace denied a police officer's application for a search warrant related to a specific individual. The police had obtained the individual's name and address from Bell, his internet service provider, who had provided it in response to a request "pursuant to PIPEDA". Oddly, the demand for information faxed to Bell strongly suggested that the ISP was required to provide the information because of PIPEDA.
The Justice of the Peace considered the consent exception contained in s. 7(3)(c.1)(iii) of PIPEDA, which reads:
(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is
. . .(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority (emphasis added) to obtain the information and indicated that . . .(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or
The Justice of the Peace considered (the correct, in my view) application of that section:
 However, s. 7(3) stipulates that the information can be provided without consent only if the body seeking the information has "identified its lawful authority to obtain the information" and has indicated that the disclosure is requested (in this case) for law enforcement purposes. The Act does not set out that the existence of a criminal investigation is, in and of itself, “lawful authority” within the meaning of the Act nor, therefore, does a “Letter of Request for Account Information Pursuant to a Child Sexual Exploitation Investigation” establish such authority. Accordingly, there must still be some “legal authority” to obtain the information; in the view of this Court s. 7(3)(c.1)(ii) by itself does not establish what that “lawful authority” is. The section provides authority for disclosing information. It does not establish the authority for obtaining and possessing the information.
 The Information to Obtain does not otherwise reflect that the Informant established to Bell Canada the lawful authority, within the meaning of the Act, by which the investigators were seeking to obtain the requested information. Accordingly, Bell Canada did not have a basis upon which to disclose the information.
 In the absence of express authority within the legislation, the Charter right not to have one’s reasonable expectation of privacy interfered with, except through prior judicial authorization with all the protections that affords, must govern. Accordingly, it is the view of this Court that the Informant is not lawfully in possession of the information that was provided by Bell Canada. Therefore, that information must be set aside in the overall consideration of this application to obtain a search warrant.
 The balance of the information contained in the Information to Obtain does not, however, establish a reasonable nexus between the matters being investigated and the individual and residence identified as the targets for the warrant to search.
 Therefore, the request for a search warrant is denied.
In short, just because someone has a badge or official looking letterhead doesn't mean they have "lawful authority". The appropriate response to a request such as this is "come back with a warrant".
The Information and Privacy Commissioner of Alberta is urging that the City of Calgary carry out a privacy impact assessment before allowing the police to install video cameras throughout that city. The Commissioner's release:
Commissioner urges City of Calgary to be diligent about surveillance cameras:
Alberta Information and Privacy Commissioner, Frank Work, has written a letter to the Mayor of Calgary urging due diligence if the City plans to install video surveillance cameras in public places.
In his letter, the Commissioner asks the City to thoroughly research the use of surveillance cameras and to develop a full Privacy Impact Assessment before passing a bylaw to allow video surveillance. The Commissioner also asks Calgary Mayor, Dave Bronconnier, to ensure full and open public debate on the proposal and requests that he be able to appear before Calgary City Council to address the issue.
Work says the Privacy Impact Assessment must address a number of issues, including:
- The scale and scope of the program
- The objective of the program
- Will cameras be used to identify litterbugs, jaywalkers and panhandlers or will it be focused on more serious incidents?
- Will cameras be monitored or will they simply record?
- Who will be allowed to view tapes?
Work says municipalities are allowed to pass surveillance bylaws under the Freedom of Information and Protection of Privacy Act, but he adds that he has concerns that people embrace video surveillance as being synonymous with safety and security, when that is not the case.
The Commissioner says a full 'PIA' makes sense for the City because it will be legally responsible for the subsequent use, disclosure and security of personal information collected.
The full text of the Commissioner's letter is available on our website, www.oipc.ab.ca"
Here is the letter:
October 4, 2006
His Worship Mayor David Bronconnier Office of the Mayor The City of Calgary P.O. Box 2100, Station M Calgary AB T2P 2M5
Dear Mayor Bronconnier:
Re: Surveillance Cameras in Calgary
I understand that consideration is being given to place surveillance cameras in public locations in Calgary. Unfortunately, I do not know much more than this.
I am not categorically opposed to surveillance cameras. It wouldn’t matter if I was, since the Act allows for them in certain circumstances. I am concerned that people embrace surveillance as being synonymous with safety and security when this is simply not the case.
I urge the City of Calgary to thoroughly research the use of surveillance cameras and to facilitate an open and informed public debate before acting. With that in mind, I strongly recommend that the City of Calgary prepare a “privacy impact assessment” (PIA) of this program as a part of the process of passing any bylaw. The PIA should be made public and would, I hope, form part of the Council debate on any bylaw. I would like to address Council on this issue during its deliberations as well.
PIAs are not required under the Freedom of Information and Protection of Privacy Act. However, they are often prepared by Government of Alberta public bodies prior to embarking on significant information gathering programs. They are required under the Health Information Act and a template can be found on our website (www.oipc.ab.ca).
The preparation of a PIA and the subsequent informed debate, I would suggest, is critical before embarking upon a program of general public surveillance. If a decision to implement surveillance is made, it should be fully informed and the program itself must be carefully thought out. This is not only for the sake of Calgarians, but also for the sake of Albertans in other cities which may decide to follow Calgary’s lead.
A second reason for preparing a PIA is that under the FOIP Act, the City of Calgary is legally responsible for the subsequent use, disclosure and security of personal information that it collects. A PIA is good due diligence.
By way of example, I would think that the following issues should be addressed in a PIA:
- What is the scale and scope of the program?
- What is the object of the program (ie to discourage lawbreakers in that area, to catch lawbreakers, etc)?
- Will the cameras be used to identify everyone from litterbugs to jaywalkers to panhandlers or will they focus on “more serious” incidents?
- What evidence is there that this program will succeed with respect to the objective?
- Will the cameras be actively monitored or will they simply record? If actively monitored, will they have a speaker “voice over” function, allowing the operator to speak to people within camera range?
- Will the camera images be compared to any digital photographic database to identify people?
- Who will operate the cameras (City of Calgary employees or will it be outsourced)?
- If the operation is outsourced, what would the terms and conditions of the contract be?
- Who will be allowed to view the tapes (ie police, people looking for lost children or wayward spouses, researchers)?
- How long would the tapes be kept?
- What is the likelihood that the cameras will “displace” criminal or other activities to adjacent neighbourhoods like the Beltline or Sunnyside where there are no cameras?
I might add that the Edmonton Police Service ran a limited surveillance program on Whyte Avenue. They dismantled the program after 2 years but their protocols and their findings would be relevant to the debate in Calgary.
I will release a copy of this letter publicly on Friday, October 6, 2006.
Thank you for your consideration of these matters.
Frank Work, Q.C. Information and Privacy Commissioner of Alberta
Wednesday, October 04, 2006
The Privacy Commissioner is investigating a practice that is said to have been common under the former Liberal government: disclosing the identity of individuals making requests under the Access to Information Act. ATIP coordinators for government departments are put in a difficult position as they are bound to keep the identity of requestors confidential, but they have faced strong pressure to disclose this information to senior bureaucrats. See: Privacy violations common in access to information requests.
Update: Check out Speech: Study on issues related to the alledged disclosure of the names of Acess to Information applicants, Standing Committee on Access to Information, Privacy and Ethics, October 2, 2006 - Opening Statement by Wayne Watson,Director General of Investigation and Inquiries.
InterGovWorld.com is running an interesting article, Privacy puzzlers, on privacy and the movement towards electronic health records in Canada. The article does a good job of considering the different viewpoints on this issue and most of the stakeholders. But, as I have often found in this discussion, there is no voice of patients. Bureaucrats, physicians, researchers, drug companies and healthcare administrators are well represented, but the most important constituency is being left out.
Last Saturday's Ottawa Citizen ran an article on the RCMP's practice of purchasing personal informaton from some of the larger data brokers operating in North America, including Lexis Nexis and Cornerstone. The Canadian Internet and Public Interest Clinic at the University of Ottawa isn't impressed:
Mounties buying Canadians' personal info:
"OTTAWA - Since September 2001, the Mounties have been buying and storing personal information on Canadians from private data brokers, which have been used by U.S. authorities to combat terrorism even though the information they sell has been criticized for its inaccuracy.
Data brokers collect personal information from all kinds of sources, ranging from warranty forms, gold credit card use, travel agencies and donations to charitable and religious groups.
Traditionally, the information is sold to third parties, usually marketers looking to target a consumer niche.
Privacy experts say the RCMP's purchase and storage of such information raises questions about the reach of law-enforcement agencies into the lives of Canadians, particularly in the wake of the Arar inquiry.
The inquiry concluded the Mounties forwarded inaccurate intelligence to U.S. counterparts who in turn deported Maher Arar, a Canadian citizen, back to his homeland, Syria, only to be wrongfully jailed and tortured.
'Why are (the Mounties) gathering information from these sources?' asked Philippa Lawson, executive director at the Canadian Internet Policy and Public Interest Clinic, a technology-law group at the University of Ottawa. 'What are they using it for? To what extent are they relying on it and for what purposes?"
Tuesday, October 03, 2006
The Office of the Belgian Privacy Commissioner has released its report into the subpoena of large quantities of transactional data from the inter-bank SWIFT system: here.
On the basis of her general investigation, the Commission is of the opinion that
- The DPL is applicable to the exchange of data via the SWIFTNet FIN service;
- SWIFT and the financial institutions bear joint responsibility in light of the DPL for the processing of personal data via the SWIFTNet FIN service;
- SWIFT is a data controller of the personal data which are processed via the SWIFTNet FIN service;
- The financial institutions are data controllers as they co-determine the objective and the means to perform payment instructions in the inter-bank traffic. The financial institutions in particular, at an inter-bank level, choose to process financial messages with regard to these payment messages via the SWIFTNet Fin service;
- As far as the normal processing of personal data in the framework of the SWIFTNet FIN service is concerned, SWIFT should have complied with its obligations under the DPL, amongst which, the duty to provide information, the notification of the processing and the obligation to provide an appropriate level of protection conform to articles 21 § 2 of the DPL;
As far as the communication of personal data to the UST is concerned, the Commission is of the opinion that SWIFT finds itself in a conflict situation between American and European law and that SWIFT at the least committed a number of errors of judgement when dealing with the American subpoenas. Iit must be considered a serious error of judgement on the part of SWIFT to subject a massive quantity of personal data to surveillance in a secret and systematic manner for years without effective grounds for justification and without independent control in accordance with Belgian and European law;
- In this context SWIFT should from the beginning have been aware that, apart from the application of American law, also the fundamental principles under European law must be complied with, such as the principle of proportionality, the limited storage period, the principle of transparency, the requirement for independent control and the requirement for an appropriate level of protection. These requirements are indeed formulated in the second paragraph of article 8 of the ECHR, Treaty no. 108, the Directive 95/46/EC and the DPL and are applicable to SWIFT. The Commission also refers to the international precedent in the PNR-case. The authorities competent in data protection (the Commission, its peers and the European Commission) should have been informed from the beginning, which would have made it possible to work out a solution at European level for the communication of personal data to the UST, with respect for the above-mentioned principles which apply under European law. For this purpose, the Belgian government could have been asked for an initiative at European level.
Considering the complexity of the issue and its importance, the Commission remains available to issue further guidance.
(sign.) Jo BARET (sign.)
In the absence of the President, The Vice-President,
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.